Chris PeBenito
5d345b79ee
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-27 10:51:06 -04:00
Chris PeBenito
6857cda019
Merge pull request #46 from pebenito/systemd-user
2019-04-27 10:50:32 -04:00
Chris PeBenito
da156aea1e
systemd: Add initial policy for systemd --user.
...
This is just a start; it does not cover all uses.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-25 11:18:58 -04:00
Chris PeBenito
ff9bd742b7
systemd: Remove unnecessary names in systemd-update-done filetrans.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-23 15:22:17 -04:00
Chris PeBenito
e2e4094bd4
various: Module version bump
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f
Add kernel_dgram_send() into logging_send_syslog_msg()
...
This patch is based on comments from a previous patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito
df696a3254
kernel, init, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:58:15 -04:00
Chris PeBenito
40bf663090
systemd: Drop unconfined kernel access for systemd_nspawn.
...
Revise kernel assertion to /proc/kmsg to be more precise.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:09:37 -04:00
Chris PeBenito
60b8e08f4f
systemd, udev, usermanage: Module version bump.
2019-03-11 20:59:21 -04:00
Chris PeBenito
e6dcad5002
systemd: Module version bump.
2019-02-24 08:19:27 -08:00
Nicolas Iooss
2fb15c8268
Update systemd-update-done policy
...
systemd-update-done sends logs to journald like other services, as shown
by the following AVC:
type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for
pid=277 comm="systemd-update-" path="/run/systemd/journal/socket"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1550865504.453:76): avc: denied { write } for
pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for
pid=277 comm="systemd-update-"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:systemd_update_done_t
tclass=unix_dgram_socket permissive=1
Moreover it creates /etc/.updated and /var/.updated using temporary
files:
type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate }
for pid=277 comm="systemd-update-"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:systemd_update_done_t tclass=process
permissive=1
type=AVC msg=audit(1550865504.463:84): avc: denied { read write
open } for pid=277 comm="systemd-update-"
path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=AVC msg=audit(1550865504.463:84): avc: denied { create } for
pid=277 comm="systemd-update-" name=".#.updatedTz6oE9"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
[...]
type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for
pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for
pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1"
ino=806171 scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 11:08:20 +01:00
Chris PeBenito
98a7f0446d
init, systemd, cdrecord: Module version bump.
2019-02-19 19:31:04 -08:00
Chris PeBenito
b3e8e5a4ba
systemd: Remove unnecessary brackets.
2019-02-19 19:20:57 -08:00
Sugar, David
b3cbf00cba
Allow systemd-hostnamed to set the hostname
...
When calling hostnamectl to set the hostname it needs sys_admin
capability to actually set the hostname.
Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted
type=AVC msg=audit(1550058524.656:1988): avc: denied { sys_admin } for pid=7873 comm="systemd-hostnam" capability=21 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-19 19:06:40 -08:00
Chris PeBenito
e727079acc
systemd: Module version bump.
2019-02-09 09:06:37 -05:00
Sugar, David
24da4bf370
Separate domain for systemd-modules-load
...
systemd-modules-load is used to pre-load kernel modules as the system comes up.
It was running as initrc_t, which didn't have permissions to actually load kernel
modules. This change sets up a new domain for this service and grants the permissions
necessary to load kernel modules.
Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:10): avc: denied { read } for pid=4257 comm="systemd-modules" name="fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:11): avc: denied { open } for pid=4257 comm="systemd-modules" path="/usr/lib/modules/3.10.0-957.1.3.el7.x86_64/kernel/fs/fuse/fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-09 09:01:05 -05:00
Sugar, David
21351f6bd9
Allow systemd-networkd to get IP address from dhcp server
...
I'm seeing the following denials when attempting to get a DHCP address.
type=AVC msg=audit(1549471325.440:199): avc: denied { name_bind } for pid=6964 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc: denied { node_bind } for pid=6964 comm="systemd-network" saddr=10.1.12.61 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc: denied { net_bind_service } for pid=6964 comm="systemd-network" capability=10 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1549471325.440:199): arch=c000003e syscall=49 success=yes exit=0 a0=b a1=7fff09388780 a2=10 a3=7fff09388778 items=0 ppid=1 pid=6964 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null)
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-09 09:01:05 -05:00
Chris PeBenito
445cbed7c7
Bump module versions for release.
2019-02-01 15:03:42 -05:00
Chris PeBenito
83ebbd23d3
corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump.
2019-02-01 14:21:55 -05:00
Russell Coker
044da0b8b9
more misc stuff
...
Here's the latest stuff, most of which is to make staff_t usable as a login
domain. Please merge whatever you think is good and skip the rest.
2019-02-01 14:16:57 -05:00
Chris PeBenito
30a46e5676
various: Module version bump.
2019-01-23 19:02:01 -05:00
Russell Coker
05cd55fb51
tiny stuff for today
...
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.
Lots of little stuff for system_cronjob_t.
Other minor trivial changes that should be obvious.
2019-01-23 18:26:45 -05:00
Chris PeBenito
a7f2394902
various: Module version bump.
2019-01-20 16:45:55 -05:00
Chris PeBenito
238bd4f91f
logging, sysnetwork, systemd: Module version bump.
2019-01-16 18:19:22 -05:00
Sugar, David
69961e18a8
Modify type for /etc/hostname
...
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are required.
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-16 18:13:41 -05:00
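The AVC records quoted in the systemd-update-done, systemd-networkd and systemd-hostnamed commits above are the raw material for each of those policy changes. As an added example (not code from refpolicy or from any of the commits on this page), the Python script below parses audit records of that shape, merges the denied permissions per (source type, target type, object class) and renders them as raw TE allow rules, the worksheet that audit2allow would produce. The sample input is constructed from records copied out of the commit messages above, plus one truncated SYSCALL record to show that non-AVC records are skipped; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the commit messages on
# this page (systemd-networkd binding the DHCP client port, systemd-hostnamed
# writing /etc/hostname and setting the host name), plus one truncated
# SYSCALL record to show that non-AVC audit records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1549471325.440:199): avc: denied { name_bind } for pid=6964 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc: denied { node_bind } for pid=6964 comm="systemd-network" saddr=10.1.12.61 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc: denied { net_bind_service } for pid=6964 comm="systemd-network" capability=10 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1549471325.440:199): arch=c000003e syscall=49 success=yes exit=0 ...
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550058524.656:1988): avc: denied { sys_admin } for pid=7873 comm="systemd-hostnam" capability=21 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0
"""

# One AVC denial: the permission set in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)
PERMISSIVE_RE = re.compile(r'\bpermissive=(?P<flag>[01])')


def context_type(ctx):
    """user:role:type[:range] -> type; an allow rule only needs the type."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    p = PERMISSIVE_RE.search(line)
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        # permissive=0 means the process really got EACCES/EPERM here
        'permissive': p is not None and p.group('flag') == '1',
    }


def collect_rules(lines):
    """Merge denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def to_allow_rules(rules):
    """Render merged permissions as raw TE allow rules, audit2allow style.
    A target type equal to the source type is written as 'self'."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        tgt = 'self' if tgt == src else tgt
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def enforcing_denials(lines):
    """Denials logged with permissive=0: the process was actually blocked, so
    permissions it would have needed afterwards may never reach the log."""
    return [r for r in map(parse_avc, lines)
            if r is not None and not r['permissive']]


if __name__ == '__main__':
    lines = SAMPLE_AUDIT.splitlines()
    for rule in to_allow_rules(collect_rules(lines)):
        print(rule)
    blocked = enforcing_denials(lines)
    if blocked:
        print(f"# {len(blocked)} denial(s) were enforced; the list above is probably incomplete")
```

The output is a starting point, not a patch: a refpolicy change expresses the same access through the interfaces of the module that owns the target type (for the dhcpc_port_t name_bind above that is corenet_udp_bind_dhcpc_port() rather than a raw allow rule), and the capability on self goes in the domain's own .te file. The permissive flag matters for completeness: the hostnamed sys_admin record in the sample was logged with permissive=0, so hostnamed was stopped at that point and any later denials on the same code path would not be in the log until the system is run permissive again.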
Chris PeBenito
353d92a77a
systemd: Module version bump.
2019-01-13 14:59:27 -05:00
Chris PeBenito
966f981fd8
systemd: Whitespace change
2019-01-13 14:47:34 -05:00
Nicolas Iooss
c53019f2c3
systemd: add policy for systemd-rfkill
2019-01-12 23:00:29 +01:00
Chris PeBenito
e6a67f295c
various: Module name bump.
2019-01-12 15:03:59 -05:00
Chris PeBenito
e8b70915b1
Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy
2019-01-12 14:55:36 -05:00
Russell Coker
da1de46f66
some little stuff
...
Tiny and I think they are all obvious.
2019-01-12 14:16:33 -05:00
Nicolas Iooss
c3b588bc65
init: rename *_pid_* interfaces to use "runtime"
...
The name of these interfaces is clearer that way.
This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
2019-01-12 17:11:00 +01:00
Chris PeBenito
85536c64e1
kernel, jabber, ntp, init, logging, systemd: Module version bump.
2019-01-09 19:36:41 -05:00
Chris PeBenito
d2a1333fdc
kernel, systemd: Move lines.
2019-01-09 19:30:15 -05:00
Russell Coker
9cb572bd02
mls stuff
...
Here are the patches I used last time I tried to get MLS going on Debian.
2019-01-09 19:20:35 -05:00
Chris PeBenito
e8ba31557d
various: Module version bump.
2019-01-06 14:11:08 -05:00
Chris PeBenito
599112a85c
Merge branch 'systemd-logind-getutxent' of git://github.com/fishilico/selinux-refpolicy
2019-01-06 14:07:54 -05:00
Russell Coker
ef6c7f155e
systemd misc
...
This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
2019-01-06 13:11:51 -05:00
Nicolas Iooss
150bd4e179
systemd: allow systemd-logind to use getutxent()
...
systemd-logind reads /run/utmp in order to warn users who are currently
logged in about an imminent shutdown. It calls utmp_wall() in
https://github.com/systemd/systemd/blob/v240/src/login/logind-utmp.c#L75-L87
This function calls glibc's getutxent() here:
https://github.com/systemd/systemd/blob/v240/src/shared/utmp-wtmp.c#L401
This function, implemented in
https://sourceware.org/git/?p=glibc.git;a=blob;f=login/utmp_file.c;h=040a5057116bb69d9dfb1ca46f025277a6e20291;hb=3c03baca37fdcb52c3881e653ca392bba7a99c2b
, opens and locks /run/utmp in order to enumerate the users.
2019-01-06 16:28:32 +01:00
Chris PeBenito
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
Russell Coker
e1babbc375
systemd related interfaces
...
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
2019-01-05 14:17:01 -05:00
Russell Coker
73f8b85ef3
misc interfaces
...
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
2019-01-05 13:36:20 -05:00
Chris PeBenito
249e87ab73
cron, minissdpd, ntp, systemd: Module version bump.
2018-11-17 19:02:54 -05:00
Chris PeBenito
b4d7c65fc4
Various modules: Version bump.
2018-11-11 15:58:59 -05:00
Laurent Bigonville
d5d6fe0046
Allow systemd_resolved_t to bind to port 53 and use net_raw
...
resolved also binds against port 53 on lo interface
2018-11-11 14:27:01 +01:00
Chris PeBenito
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
Chris PeBenito
0252046c95
systemd: Move lines.
2018-06-07 20:17:15 -04:00
Dave Sugar
f4713393ae
policy for systemd-hwdb
...
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*,
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete. It also relabels based on file_contexts.
This provides a private type for /etc/udev/hwdb.bin.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar
2408d45a3d
policy for systemd-update-done
...
systemd-update-done needs to be able to create /etc/.updated and /var/.updated
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar
664d932c0f
systemd-resolved uses notify to indicate status
...
type=AVC msg=audit(1528207926.219:1609): avc: denied { write } for pid=2689 comm="systemd-resolve" name="notify" dev="tmpfs" ino=6277 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1528208016.448:1702): avc: denied { sendto } for pid=2689 comm="systemd-resolve" path="/run/systemd/notify" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00