Commit Graph

59 Commits

Author SHA1 Message Date
Chris PeBenito a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Nicolas Iooss 47b09d472e
dbus: allow using dynamic UID
When using a systemd service with dynamic UID, dbus-daemon reads
symlinks in /run/systemd/dynamic-uid/:

    type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e
    syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800
    a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81
    suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
    comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
    subj=system_u:system_r:system_dbusd_t key=(null)

    type=AVC msg=audit(1547313774.993:373): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1

    type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e
    syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800
    a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295
    uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81
    tty=(none) ses=4294967295 comm="dbus-daemon"
    exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t
    key=(null)

    type=AVC msg=audit(1547313774.993:374): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=1

This directory looks like this, on Arch Linux with systemd 240:

    # ls -alZ /run/systemd/dynamic-uid
    drwxr-xr-x.  2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./
    drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../
    -rw-------.  1 root root system_u:object_r:init_var_run_t   8 2019-01-12 15:53 65306
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   7 2019-01-12 15:53 direct:65306 -> haveged
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   5 2019-01-12 15:53 direct:haveged -> 65306
2019-01-16 22:13:57 +01:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Chris PeBenito e5ac999aab dbus, xserver, init, logging, modutils: Module version bump. 2018-12-11 17:59:31 -05:00
David Sugar 55c3fab804 Allow dbus to access /proc/sys/crypto/fips_enabled
type=AVC msg=audit(1543769401.029:153): avc:  denied  { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc:  denied  { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1543845518.175:364): avc:  denied  { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc:  denied  { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito 3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito 09248fa0db Move modules to contrib submodule. 2011-09-09 10:10:03 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito bdc7622e86 Remove redundant system dbus permissions with cpufreqselector and incorrect xdm dbus permission. 2011-03-16 08:20:28 -04:00
Chris PeBenito 0419373aa7 Allow system dbus to send messages to its clients. 2011-03-14 11:52:19 -04:00
Chris PeBenito dc24f36872 Module version bump and changelog for cpufreqselector dbus patch from Guido Trentalancia. 2011-02-22 11:36:15 -05:00
Guido Trentalancia f8b9fb9391 patch to make cpufreqselector usable with dbus
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
2011-02-22 11:23:10 -05:00
Chris PeBenito 826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito befc7ec99f Module version bump for Dominick's consoletype cleanup. 2010-10-11 09:27:27 -04:00
Dominick Grift 8340621920 Implement miscfiles_cert_type().
This is based on Fedora's miscfiles_cert_type implementation.
The idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well, but because I do not know exactly which domains, I will not change any other domains' calls to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito 98ac98623c Dbus patch from Dan Walsh. 2010-05-03 09:34:42 -04:00
Chris PeBenito ed3a1f559a bump module versions for release. 2009-11-17 10:05:56 -05:00
Chris PeBenito 62c80e2546 module version bumps and changelog update for the previous 3 commits. 2009-08-18 13:20:01 -04:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito 423a4a3a2c fix dbus type transition conflict.
switch dbus ranged calls from daemon domain to system domain.  This works
around a type transition conflict.  It is also why the non-ranged
init_system_domain() is used instead of init_daemon_domain().
2009-07-28 11:05:19 -04:00
Chris PeBenito e04438840b dbus patch from dan 2009-07-27 09:46:35 -04:00
Chris PeBenito 09516cb4be remove read_default_t tunable 2009-07-23 08:58:35 -04:00
Chris PeBenito c1262146e0 trunk: Remove node definitions and change node usage to generic nodes. 2009-01-09 19:48:02 +00:00
Chris PeBenito 668b3093ff trunk: change network interface access from all to generic network interfaces. 2009-01-06 20:24:10 +00:00
Chris PeBenito 17ec8c1f84 trunk: bump module versions for release. 2008-12-10 19:38:10 +00:00
Chris PeBenito ba796982df trunk: tweaks from russell and martin orr. 2008-11-06 15:01:15 +00:00
Chris PeBenito 296273a719 trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
Chris PeBenito 2cca6b79b4 trunk: remove redundant shared lib calls. 2008-10-17 17:31:04 +00:00
Chris PeBenito 0b36a2146e trunk: Enable open permission checks policy capability. 2008-10-16 16:09:20 +00:00
Chris PeBenito 0bfccda4e8 trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00
Chris PeBenito cfcf5004e5 trunk: bump versions for release. 2008-07-02 14:07:57 +00:00
Chris PeBenito e9c6cda7da trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
Chris PeBenito f7925f25f7 trunk: bump module versions for release. 2007-12-14 14:23:18 +00:00
Chris PeBenito c0cf6e0a6e trunk: clean up nsswitch usage, from dan. 2007-12-04 15:05:55 +00:00
Chris PeBenito bd973e3e68 trunk: remove unused types from dbus. 2007-10-26 18:04:38 +00:00
Chris PeBenito 3c99e5989a trunk: add /var/lib search for system bus template. 2007-10-22 15:53:31 +00:00
Chris PeBenito 12e9ea1ae3 trunk: module version bumps for previous commit. 2007-10-02 17:15:07 +00:00
Chris PeBenito 350b6ab767 trunk: merge strict and targeted policies. merge shlib_t into lib_t. 2007-10-02 16:04:50 +00:00
Chris PeBenito 3480f3f239 trunk: bump version numbers for release. 2007-09-28 13:58:24 +00:00
Chris PeBenito 8a9d6f6449 trunk: 6 patches from dan. 2007-09-07 13:41:20 +00:00
Chris PeBenito 116c1da330 trunk: update module version numbers for release. 2007-06-29 14:48:13 +00:00
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinguish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00
Chris PeBenito d5b81a81ff trunk: Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern(). 2007-06-12 18:46:14 +00:00
Chris PeBenito 0251df3e39 bump module versions for release 2007-04-17 13:28:09 +00:00
Chris PeBenito 8021cb4f63 Merge sbin_t and ls_exec_t into bin_t. 2007-03-23 23:24:59 +00:00
Chris PeBenito 6b19be3360 patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00