Chris PeBenito
60d8b699fb
Change policy_config_t to a security file type.
...
This fixes an assertion error with systemd_tmpfiles_t. It should
have been a security file for a while.
2015-10-23 10:17:46 -04:00
Chris PeBenito
4388def2d9
Add refpolicy core socket-activated services.
2015-10-23 10:17:46 -04:00
Chris PeBenito
bdfc7e3eb0
Add sysfs_types attribute.
...
Collect all types used to label sysfs entries.
2015-10-23 10:17:46 -04:00
Chris PeBenito
f7286189b3
Add systemd units for core refpolicy services.
...
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
2015-10-23 10:17:46 -04:00
Chris PeBenito
fc2de5c21c
Add rules for sysadm_r to manage the services.
2015-10-23 10:17:46 -04:00
Chris PeBenito
579849912d
Add supporting rules for domains tightly-coupled with systemd.
2015-10-23 10:17:46 -04:00
Chris PeBenito
3639880cf6
Implement core systemd policy.
...
Significant contributions from the Tresys CLIP team.
Other changes from Laurent Bigonville.
2015-10-23 10:16:59 -04:00
Chris PeBenito
d326c3878c
Add systemd access vectors.
2015-10-20 15:01:27 -04:00
Chris PeBenito
4d28cb714f
Module version bump for patches from Jason Zaman/Matthias Dahl.
2015-10-12 09:31:18 -04:00
Chris PeBenito
2c0e3d9a24
Rearrange lines in ipsec.te.
2015-10-12 09:30:05 -04:00
Jason Zaman
775b07e60a
system/ipsec: Add policy for StrongSwan
...
Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.
2015-10-12 09:16:28 -04:00
Jason Zaman
b3a95b4aeb
Add overlayfs as an XATTR capable fs
...
The module is called "overlay" in the kernel
2015-10-12 09:13:53 -04:00
Chris PeBenito
778dfaf776
Update contrib.
2015-09-15 08:39:38 -04:00
Chris PeBenito
cfaeb62603
Module version bump for vfio device from Alexander Wetzel.
2015-09-15 08:39:21 -04:00
Alexander Wetzel
9ae4033beb
adds vfio device support to base policy
...
Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
2015-09-15 08:17:31 -04:00
Chris PeBenito
1d51a2f4c4
Module version bump for APR build script labeling from Luis Ressel.
2015-08-11 08:46:41 -04:00
Luis Ressel
fd5e40b047
Mark APR build scripts as bin_t
...
I don't know why those are in /usr/share/build-1/ instead of
/usr/share/apr-0/build/ here, but it doesn't appear to be
Gentoo-specific.
2015-08-11 08:42:25 -04:00
Chris PeBenito
c8c2b8b0c8
Module version bump for ssh-agent -k fix from Luis Ressel.
2015-07-20 10:01:52 -04:00
Luis Ressel
d8071a8e1b
Allow ssh-agent to send signals to itself
...
This is necessary for "ssh-agent -k".
2015-07-20 09:57:35 -04:00
Chris PeBenito
95248e4919
Module version bump for cron_admin for sysadm from Jason Zaman.
2015-07-17 08:56:43 -04:00
Jason Zaman
13cfdd788f
add new cron_admin interface to sysadm
2015-07-17 08:13:43 -04:00
Chris PeBenito
d74c9bd6b8
Module version bumps for admin interfaces from Jason Zaman.
2015-07-14 11:18:35 -04:00
Jason Zaman
0023b30946
Introduce setrans_admin interface
2015-07-14 11:04:44 -04:00
Jason Zaman
e1f2a8b9d6
Introduce ipsec_admin interface
2015-07-14 11:04:44 -04:00
Jason Zaman
8bee8e80af
Introduce lvm_admin interface
2015-07-14 11:04:44 -04:00
Chris PeBenito
11697e1a69
Update contrib.
2015-06-09 08:39:51 -04:00
Chris PeBenito
acabb517e6
Module version bump for admin interface changes from Jason Zaman.
2015-06-09 08:39:18 -04:00
Jason Zaman
9c49f9d7fa
Add all the missing _admin interfaces to sysadm
...
Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing.
The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.
2015-06-09 08:29:51 -04:00
Jason Zaman
43da2d2ad0
Introduce iptables_admin
2015-06-09 08:29:51 -04:00
Chris PeBenito
0a088aa8ac
Module version bumps for further init_startstop_service() changes from Jason Zaman.
2015-05-27 14:50:45 -04:00
Jason Zaman
dd21231043
Add openrc support to init_startstop_service
...
Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
2015-05-27 14:37:41 -04:00
Jason Zaman
45b281db62
postgresql: use init_startstop_service in _admin interface
...
The postgresql_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
2015-05-27 14:37:40 -04:00
Jason Zaman
a324fab096
logging: use init_startstop_service in _admin interface
...
The logging_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
2015-05-27 14:37:40 -04:00
Chris PeBenito
74bc8b3a55
Update contrib.
2015-05-22 14:27:21 -04:00
Chris PeBenito
a87e54ef07
Module version bump for init_startstop_service from Jason Zaman.
2015-05-22 14:25:04 -04:00
Jason Zaman
3d174b0481
Introduce init_startstop_service interface
...
This is to be used where a role needs to start and stop a labeled
service. It centralizes all the rules for redhat < 6 sysvinit that
were used in the _admin interfaces. The rules for other inits will
be added later.
2015-05-22 14:01:22 -04:00
Chris PeBenito
ae1adbe868
Update contrib.
2015-05-22 09:26:46 -04:00
Chris PeBenito
a38c3be208
Module version bump for updated netlink sockets from Stephen Smalley
2015-05-22 08:38:53 -04:00
Stephen Smalley
58b3029576
Update netlink socket classes.
...
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.
Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.
Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed. Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes. For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Laurent Bigonville
946d0237d2
Add "binder" security class and access vectors
2015-05-08 08:17:48 -04:00
Chris PeBenito
459a19f18d
Module version bump for debugfs mount point fc entry from Laurent Bigonville.
2015-05-06 09:50:14 -04:00
Laurent Bigonville
c738343b7f
Add fc for /sys/kernel/debug as debugfs_t
2015-05-06 09:49:40 -04:00
Chris PeBenito
bc4ea17c62
Update contrib.
2015-04-15 12:17:37 -04:00
Chris PeBenito
dcda0459b5
Module version bump for fstools blkid fix from Jason Zaman
2015-04-15 12:17:30 -04:00
Jason Zaman
9cf1886c68
fstools: add in filetrans for /run dir
...
The blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type and allows the transition in /run.
type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
In permissive:
type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149): cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc: denied { getattr } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.
2015-04-15 12:16:32 -04:00
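The AVC records quoted in this commit are the raw material for the fix it describes: the denials are grouped into the access mkfs.ext4 actually needs, and the objects it creates under /run are the candidates for a name-based file transition to a new type rather than a blanket write grant on var_run_t. The following is an added example, not refpolicy code or the tooling the author used; it embeds the records from the commit message (the SYSCALL line shortened) and renders them as audit2allow-style allow rules plus a filetrans_pattern() call for the created directory. The new type name fstools_run_t is taken from the commit; the helper names are the example's own.

```python
"""Summarise SELinux AVC denials into allow rules and name-based file
transitions.  Added example; not part of refpolicy or its tooling."""
import re
from collections import defaultdict

# Records quoted in the commit message: the enforcing-mode denial (permissive=0)
# and the permissive-mode chain for the same mkfs.ext4 run.  The SYSCALL record
# is shortened; non-AVC records are skipped by the parser anyway.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=AVC msg=audit(1428948565.919:160150): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc: denied { getattr } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
"""

DENIED_RE = re.compile(r'avc: +denied +\{ ([^}]+) \} for (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted


def parse_avc(line):
    """Parse one AVC denial into a dict of its fields plus a 'perms' set.
    Returns None for any record that is not an AVC denial."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = set(m.group(1).split())
    return rec


def type_of(context):
    """Type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def captured_in_permissive(audit_text):
    """True if any record came from permissive mode.  In enforcing mode only the
    first denial of a chain is logged (the permissive=0 record above), so the
    full set of needed permissions is only visible from a permissive run."""
    return any((parse_avc(l) or {}).get("permissive") == "1"
               for l in audit_text.splitlines())


def summarize(audit_text):
    """Union of denied permissions keyed by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            grouped[key] |= rec["perms"]
    return {k: sorted(v) for k, v in grouped.items()}


def allow_rules(summary):
    """Render a summary as audit2allow-style allow rules (the blunt fix)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


def created_objects(audit_text):
    """(source, target dir type, class, name) for every object the domain created
    inside the target type; these are candidates for a name-based transition."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and "create" in rec["perms"] and "name" in rec:
            out.append((type_of(rec["scontext"]), type_of(rec["tcontext"]),
                        rec["tclass"], rec["name"]))
    return out


def filetrans_rules(audit_text, new_type, classes=("dir",)):
    """Suggest refpolicy filetrans_pattern() calls that label the created objects
    with their own type (the targeted fix).  Defaults to directories only,
    matching the commit's v2 note of transitioning on dir, not file."""
    return [f'filetrans_pattern({s}, {t}, {new_type}, {c}, "{n}")'
            for s, t, c, n in created_objects(audit_text) if c in classes]


if __name__ == "__main__":
    print("permissive chain captured:", captured_in_permissive(SAMPLE_AUDIT))
    for rule in allow_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
    for rule in filetrans_rules(SAMPLE_AUDIT, "fstools_run_t"):
        print(rule)
```

The two outputs illustrate the choice the commit made: the allow rules would let fsadm_t write anywhere labeled var_run_t, while the filetrans_pattern() call, together with a file context entry for /run/blkid and rules on the new fstools_run_t type, confines the domain to the directory it actually creates. The enforcing-mode record alone (permissive=0) would have produced only a single-permission rule, which is why the commit reran the operation in permissive mode to capture the whole chain.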
Chris PeBenito
600f71a2d9
Update contrib.
2015-03-25 08:28:22 -04:00
Chris PeBenito
9a215ef9d9
Update contrib.
2015-02-17 08:35:52 -05:00
Chris PeBenito
f963d6dafa
Fix domain_mmap_low() to be a proper tunable.
2015-02-09 16:02:36 -05:00
Chris PeBenito
5f0e495887
Update contrib.
2015-01-30 09:13:49 -05:00
Chris PeBenito
68f2c6f44c
Add always_check_network policy capability.
...
Disabled by default, as most systems don't want/need this.
2015-01-27 17:25:36 -05:00