Commit Graph

4393 Commits

Author SHA1 Message Date
Kenton Groombridge 998ef975f3 systemd, udev: allow udev to read systemd-networkd runtime
udev searches for .link files and applies custom udev rules to devices
as they come up.

Thanks-To: Zhao Yi
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:44 -04:00
Kenton Groombridge 73adba0a39 systemd: add file contexts for systemd-network-generator
Thanks-To: Zhao Yi
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:43 -04:00
Kenton Groombridge f2fe1ae154 systemd: add missing file context for /run/systemd/network
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:42 -04:00
Kenton Groombridge 663b62f27c systemd: add file transition for systemd-networkd runtime
systemd-networkd creates the /run/systemd/network directory which should
be labeled appropriately.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:41 -04:00
Kenton Groombridge 06319896b3 certbot: various fixes
Allow acme-sh to send syslog msgs and dontaudit reading /proc.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 308ab9f69a term, init: allow systemd to watch and watch reads on unallocated ttys
As of systemd 250, systemd needs to be able to add a watch on and watch
reads on unallocated ttys in order to start getty.

systemd[55548]: getty@tty1.service: Failed to set up standard input: Permission denied
systemd[55548]: getty@tty1.service: Failed at step STDIN spawning /sbin/agetty: Permission denied

time->Fri May  6 21:17:58 2022
type=PROCTITLE msg=audit(1651886278.452:1770): proctitle="(agetty)"
type=PATH msg=audit(1651886278.452:1770): item=0 name="/dev/tty1" inode=18 dev=00:05 mode=020620 ouid=0 ogid=5 rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1651886278.452:1770): cwd="/"
type=SYSCALL msg=audit(1651886278.452:1770): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=60ba5c21e020 a2=18 a3=23 items=1 ppid=1 pid=55551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(agetty)" exe="/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1651886278.452:1770): avc:  denied  { watch watch_reads } for  pid=55551 comm="(agetty)" path="/dev/tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 5b59c7611b spamassassin: add file context for rspamd log directory
rspamd's default log location is /var/log/rspamd.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge dcc90a0c3c container, podman: allow podman to restart container units
podman auto-update will automatically start the container unit when it
is updated.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 43a9841746 container: add separate type for container engine units
and add a filecon for container units themselves.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge eff1b1ecad init, systemd: allow unpriv users to read the catalog
Label /var/lib/systemd/catalog the journal type, and allow unpriv users
to search /var/lib/systemd. This is to fix this warning when an
unprivileged user uses journalctl:

Failed to find catalog entry: Permission denied

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 001d51d267 systemd: minor fixes to systemd user domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge c2b0d7e7fb ssh: add tunable to allow sshd to use remote port forwarding
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 7624e8dd7d container: allow container engines to manage tmp symlinks
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 3560273d54 container: allow containers to manipulate own fds
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 1a0acc9c0d sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 3cac9e0e5d sudo: allow sudo domains to create netlink selinux sockets
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 6fa7d7349d bind: fixes for named working on dnssec files
Unbound manages DNSSEC root keys in /etc/unbound. Rewrite these rules so
that the necessary rules are added in order to allow this access.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge ed28c58eba postfix: allow postfix master fsetid capability
The postfix master will try to correct permissions on its queue
directories with chown. This can be reproduced with 'postfix
set-permissions'.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 932bef5721 postfix: allow postfix master to get the state of init
postfix master wants to read /proc/1/environ.

type=PROCTITLE msg=audit(1636823237.886:5323): proctitle=2F7573722F7362696E2F706F7374666978007374617274
type=PATH msg=audit(1636823237.886:5323): item=0 name="/proc/1/environ" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1636823237.886:5323): cwd="/"
type=SYSCALL msg=audit(1636823237.886:5323): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7bee3e1fb760 a2=80000 a3=0 items=1 ppid=1 pid=765167 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix" subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1636823237.886:5323): avc:  denied  { search } for  pid=765167 comm="postfix" name="1" dev="proc" ino=1551198 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 2b63f7bcd1 postfix: allow postfix-map to read certbot certs
Postfix supports TLS SNI. Postfix expects the certificate chain to be a
concatenated single file and must be mapped with postfix-map. Allow
postfix-map to read certbot certs in order to support this
configuration.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 4ff0a19212 modutils: allow kmod to write to kmsg
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge e0d44df4ac fail2ban: allow fail2ban to getsched on its processes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 3e22b4bb2a matrixd: various fixes
Allow matrix to getsched of its own processes and also allow it to
connect to all TCP ports if federation is enabled. There are seemingly
some servers out there on weird federation ports, so allow this access.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge df59df505d bootloader, files: allow bootloader to getattr on boot_t filesystems
If the system is using a boot partition that is formatted vfat (such as
the case of using the ESP as the boot partition itself), the filesystem
may also be explicitly labeled boot_t instead of dosfs_t. Allow the
bootloader to get the attributes of such a filesystem.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge 37bbbbec79 raid: allow mdadm to use user ptys
This is normally dontaudited, but without this access we cannot use
the mdadm utility interactively (to check the status of arrays, etc).

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge 9584ccf76d systemd: dontaudit systemd-generator getattr on all dirs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge 3a22db2410 systemd: systemd-resolved is linked to libselinux
systemd-resolved as of systemd 250 fails to start with this error:

Failed to initialize SELinux labeling handle: No such file or directory

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-17 13:56:08 -04:00
Kenton Groombridge ba4971ba89 git: add missing file contexts
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-27 18:13:43 -04:00
Kenton Groombridge fb531e2688 sysadm: allow sysadm to watch journal directories
Required when using 'podman logs -f'

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:47:39 -04:00
Kenton Groombridge cf21387e29 podman: allow podman to watch journal dirs
Watch access is required for 'podman logs -f' to function.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 13:46:14 -04:00
Kenton Groombridge c1d007563e container: also allow containers to watch public content
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 10:39:30 -04:00
Kenton Groombridge f0c980b36c container: add missing capabilities
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:19 -04:00
Kenton Groombridge 53e708e724 container: add tunables to allow containers to access public content
Note that container engines only need read access to these files even if
manage access is enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:18 -04:00
Kenton Groombridge 5dbc5aa25d container: allow generic containers to read the vm_overcommit sysctl
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:17 -04:00
Kenton Groombridge 0e3ce95c94 container, init: allow init to remount container filesystems
Allow init to remount container filesystems. This is in support of other
services starting with NoNewPrivileges while already running containers
have mounted filesystems.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:15 -04:00
Kenton Groombridge 4fd2a2ecbc podman: add rules for systemd container units
Allow conmon to use init file descriptors and read-write init unix
stream sockets. This is in support of containers started as systemd
units.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:14 -04:00
Kenton Groombridge fcb295578e container, podman: allow containers to interact with conmon
Allow containers to use inherited conmon file descriptors and read and
write unnamed conmon pipes.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:11 -04:00
Kenton Groombridge 8fee419513 podman: fix role associations
Add conmon to the system role and make podman/conmon user domains user
applications.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:09 -04:00
Kenton Groombridge 91da5e861b podman: allow system podman to interact with container transient units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:06 -04:00
Kenton Groombridge db2ec49444 container, podman: allow podman to create and write config files
Podman 4.0 now creates the CNI network config files if they do not
exist.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-01 09:15:04 -04:00
Russell Coker 6e5a6bffdb new sddm V2
This patch addresses all previous issues and I think it's ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-28 10:09:24 -04:00
Chris PeBenito 42e57f4d1e Merge pull request #487 from jpds/userdb-lnk-read
systemd.if: Allowed reading symlinks in systemd_stream_connect_userdb()
2022-03-25 12:39:34 -04:00
Chris PeBenito eaccf044f3 apache: Remove unnecessary require in apache_exec().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-25 11:32:26 -04:00
Chris PeBenito 2aff07c23a postfix: Move lines.
No rule change.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-03-25 11:32:26 -04:00
Russell Coker 68353358d4 init dbus patch for GetDynamicUsers with systemd_use_nss() V2
Same as before but moved to the top of my patch list so it will apply to the
git policy.

Should be ready to merge now.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-25 11:32:26 -04:00
Russell Coker 7849012937 certbot V3
Same as the last one but with the directory names for the auto trans rules
removed. I think it's ready for merging.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-03-25 11:32:26 -04:00
Jonathan Davies 5f49d2b692 systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in systemd_stream_connect_userdb().

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-03-25 00:39:05 +00:00
Chris PeBenito f72bc70ff8 Merge pull request #481 from 0xC0ncord/various-20211109
Various fixes, mostly systemd-related
2022-03-24 10:41:15 -04:00
Kenton Groombridge 8ba17d1397 networkmanager: allow getting systemd system status
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00
Kenton Groombridge a70907c1d2 udev: allow udev to start the systemd system object
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-23 10:57:57 -04:00