The kernel_delete_unlabeled_pipes interface is called by the
(deprecated) files_delete_isid_type_fifo_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_symlinks interface is called by the
files_delete_isid_type_symlinks interface (in kernel/files.if). This
interface is deprecated (and calls kernel_delete_unlabeled_symlinks).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
These are seldomly-used tools from the util-linux package.
Please check if they are located in /sbin instead of /usr/sbin on other
distributions.
Signed-off-by: Luis Ressel <aranea@aixah.de>
With init_daemon_pid_file supporting class parameters, all calls to
init_daemon_run_dir can now be transformed into init_daemon_pid_file
calls.
Update the init_daemon_run_dir interface so it gives a warning when
used, and use the init_daemon_pid_file interface underlyingly.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Pair of objects which supported by Interbase/Firebird/Red Database:
db_exception - exception which can be thrown from PSQL
db_domain - named set of column attributes
When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):
dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
CAP_SYSLOG (deprecated).
audit.log contains following AVC:
avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
The dropbox application has a feature called "LAN Sync" which works on
TCP & UDP port 17500. Marking this port as dropbox_port_t (instead of
the currently default unreserved_port_t) allows for more fine-grained
access control to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Several DMs offer the possibility to shutdown the system. I personally
don't think a bool is neccessary for this permission, but I wouldn't
oppose one either.
Currently, the /usr/share/cvs/contrib/rcs2log is only labeled as bin_t
for redhat distributions. Moving this to the general one as it is also
in use on other distributions
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.
With this setup, X is run as follows:
/usr/bin/X :0 -auth /var/run/lightdm/root/:0
Changes since v1:
- Use read_files_pattern instead of separate allow rules
Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Since commit 2d0c9cec mls_file_read_up and mls_file_write_down
interfaces are deprecated even though they are still present.
Replace mls_file_read_up with mls_file_read_all_levels and
mls_file_write_down with mls_file_write_all_levels.
When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
called to setup a new device. This program works with udev to configure the
new device and uses SysV semaphores to synchronize states. As udev runs
dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
More details are available in the archives on the ML:
http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
Sven Vermeulen
Chris PeBenito
Luis Ressel
Nicolas Iooss
Jason Zaman
Chris PeBenito
Artyom Smirnov
Elia Pinto
cgarst