RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,603 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

4603 Commits

Author SHA1 Message Date
Jason Zaman 9adc6c5ddb gssproxy: Allow others to stream connect 
kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
 2017-11-04 14:00:56 -04:00
Jason Zaman 6efe498a9b Add key interfaces and perms 
Mostly taken from the fedora rawhide policy
 2017-11-04 14:00:56 -04:00
Jason Zaman 09ae441706 mls mcs: Add constraints for key class 
Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
 2017-11-04 14:00:56 -04:00
Chris PeBenito 5a73eaf64e files, userdomain: Module version bump. 2017-11-01 19:03:30 -04:00
Jason Zaman 7d8ee436d7 files: fcontext for /etc/zfs/zpool.cache 2017-11-01 18:59:17 -04:00
Jason Zaman d5f6a58a77 userdomain: allow admin to rw tape storage 2017-11-01 18:59:17 -04:00
Chris PeBenito 289be9e0b4 Update contrib. 2017-10-30 21:39:46 -04:00
Chris PeBenito 52b53077cd miscfiles: Module version bump. 2017-10-30 21:39:39 -04:00
Russell Coker d97a1cd3c8 refpolicy and certs 
The following patch allows mon_t to set limits for it's children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (EG https clients) don't need cert_t access.
 2017-10-30 21:38:27 -04:00
Chris PeBenito d2e201495a files, netutils: Module version bump. 2017-10-25 17:21:31 -04:00
Luis Ressel via refpolicy 68690d8e62 netutils: Grant netutils_t map perms for the packet_socket class 
This is required for the PACKET_RX_RING feature used by tcpdump.
 2017-10-25 17:16:06 -04:00
Luis Ressel via refpolicy 75a5ebca75 kernel/files.if: files_list_kernel_modules should grant read perms for symlinks 
files_search_kernel_modules also grant this; there's a couple of
symlinks in /lib/modules/.
 2017-10-25 17:16:06 -04:00
Chris PeBenito 0bdd993c1c Update contrib. 2017-10-22 14:26:43 -04:00
Chris PeBenito 9f790ef731 Merge pull request #128 from williamcroberts/fc-sort-fixups 
fc_sort: use calloc instead of malloc
 2017-10-19 06:28:03 -04:00
William Roberts 65620e0f94 fc_sort: use calloc instead of malloc 
Rather than using malloc to allocated nodes and setting all the fields,
just use calloc.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
 2017-10-18 19:26:36 -07:00
Chris PeBenito 1b405f4a90 files, init, sysnetwork, systemd: Module version bumps. 2017-10-12 18:48:29 -04:00
Chris PeBenito 6128c262bb Merge branch 'systemd-networkd' 
# Conflicts:
#	policy/modules/system/init.te
 2017-10-12 18:40:15 -04:00
David Sugar 4a54f9c1f0 policy for systemd-networkd 
Policy needed for systemd-networkd to function.  This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch).  He was too busy to update and I needed to get it working.

I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-10-12 18:38:54 -04:00
Chris PeBenito 2ec1c9b85c files: Whitespace fix. 2017-10-12 18:00:12 -04:00
David Sugar e7b4159ec5 Denial relabeling /run/systemd/private 
I am seeing the following denial (in dmesg) during system startup:
[    4.623332] type=1400 audit(1507767947.042:3): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file

It appears that systemd is attempting to relablel the socket file /run/systemd/private to init_var_run_t but doesn't have permission.

Updated to create new interface for relabeling of sock_files rather than adding to existing interface

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-10-12 18:00:12 -04:00
Chris PeBenito 2fca8c8d95 init: Clean up line placement in init_systemd blocks. 
No rule changes.
 2017-10-12 17:42:23 -04:00
Chris PeBenito a89570282e Merge branch 'master' of git://github.com/aduskett/refpolicy 2017-10-11 18:50:58 -04:00
Chris PeBenito 3001c50364 ipsec: Module version bump. 2017-10-11 18:45:29 -04:00
Chris PeBenito 9456ab758a Merge branch 'master' of git://github.com/davidgraz/refpolicy 2017-10-11 18:44:39 -04:00
David Graziano 99aebc2af5 system/ipsec: Add signull access for strongSwan 
Allows ipsec_supervisor_t domain to signull other
strongSwan domains.

Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
 2017-10-11 08:17:51 -05:00
Chris PeBenito 2ae2b38e6d Module version bumps. 2017-10-10 20:32:43 -04:00
David Sugar 967ef00181 Fix problem labeling /run/log/journal/* 
Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/*

[    4.758398] type=1400 audit(1507601754.187:3): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
[    4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied
[    4.758736] type=1400 audit(1507601754.187:4): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[    4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied
[    4.758928] type=1400 audit(1507601754.187:5): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[    4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied
[    4.759144] type=1400 audit(1507601754.187:6): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
[    4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-10-10 20:24:18 -04:00
Adam Duskett 6c9cc47e6c fix regex escape sequence error. 
python3.6 will error out with the message "invalid escape sequence"
in genhomedircon.py.  This patch fixes these errors by turning the string
in the into a raw string.
 2017-10-10 18:00:30 -04:00
Chris PeBenito 570bfa8cbd devices: Module version bump. 2017-10-09 14:51:56 -04:00
Konrad Rzeszutek Wilk b5c8b1d77d kernel/xen: Add map permission to the dev_rw_xen 
type=AVC msg=audit(1504637347.487:280): avc:  denied  { map } for  pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0

Without this we can't use xenconsole (client) to
talk to xenconsoled (server).

Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
 2017-10-09 13:57:47 -04:00
Konrad Rzeszutek Wilk c7d48c3bc2 kernel/xen: Update for Xen 4.6 
libxenstored since git commit 9c89dc95201ffed5fead17b35754bf9440fdbdc0
prefers to use "/dev/xen/xenbus" over the "/proc/xen/xenbus".

Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
 2017-10-09 13:57:47 -04:00
Guido Trentalancia 5490639ac9 fc_sort: memory leakages 
Avoid memory leakages in the fc_sort executable (now passes
all valgrind AND Clang static analyzer tests fine).

Some NULL pointer checks with or without associated error
reporting.

Some white space and comment formatting fixes.

Optimization: avoid unnecessary operations (unnecessary
memory allocation/deallocation and list copying).

Reverts 7821eb6f37 as such
trick is no longer needed, given that all memory leakages
have now been fixed.

This is the sixth version of this patch. Please do not use
the first version as it introduces a serious bug.

For reference, the original issue reported by the Cland
static analyzer is as follows:

support/fc_sort.c:494:6: warning: Potential leak of memory
pointed to by 'head'
            malloc(sizeof(file_context_bucket_t));

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
 2017-10-04 19:29:47 -04:00
Chris PeBenito 7821eb6f37 Merge pull request #125 from lalozano/master 
Avoid memory leak warning.
 2017-09-28 18:32:58 -04:00
Chris PeBenito f47c35d20c init: Module version bump. 2017-09-27 19:45:01 -04:00
David Sugar c1eac683fa remove interface init_inherit_rlimit 
Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise).  I hope ordering of the new rules is correct.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-09-27 19:37:19 -04:00
Chris PeBenito de13b68208 corecommands: Module version bump. 2017-09-23 14:36:56 -04:00
David Sugar via refpolicy f3e0a751db label /etc/mcelog/mcelog.setup correctly (for RHEL) 
I am seeing the following denials when mcelog.service is attempting to execute /etc/mcelog/mcelog.setup (on RHEL 7).  It should be labeled bin_t.

Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { execute } for  pid=626 comm="(og.setup)" name="mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { read open } for  pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { execute_no_trans } for  pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.859:28): arch=c000003e syscall=59 success=yes exit=0 a0=55a0ddd00260 a1=55a0ddcd1be0 a2=55a0ddd02e90 a3=3 items=3 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=EXECVE msg=audit(1505961383.859:28): argc=2 a0="/bin/sh" a1="/etc/mcelog/mcelog.setup"
Sep 21 02:45:50 localhost audit: type=PATH msg=audit(1505961383.859:28): item=0 name="/etc/mcelog/mcelog.setup" inode=718731 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mcelog_etc_t:s0 objtype=NORMAL
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.862:29): avc:  denied  { ioctl } for  pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.862:29): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7ffec57f28f0 a3=7ffec57f2690 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.867:30): avc:  denied  { getattr } for  pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.867:30): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7ffec57f2890 a2=7ffec57f2890 a3=7ffec57f25a0 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-09-23 14:30:35 -04:00
Chris PeBenito 5cb00e5167 Update contrib. 2017-09-19 18:43:55 -04:00
Chris PeBenito c7c53a91af Update contrib. 2017-09-17 21:14:24 -04:00
Chris PeBenito 6abb3eb5fc corecommands, xserver, systemd, userdomain: Version bumps. 2017-09-17 11:11:18 -04:00
Russell Coker 25a9bcb405 minor nspawn, dnsmasq, and mon patches 
Label some shell scripts from bridge-utils correctly.  Maybe have ifdef
distro_debian around this, not sure what upstream is doing.

systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.

Another dontaudit for mon_local_test_t to stop it spamming the logs.

Support a .d directory for dnsmasq config files.
 2017-09-17 11:08:06 -04:00
Guido Trentalancia 4afbc35e79 xserver: do not audit ioctl operations on log files 
Do not audit ioctl operation attempts whenever write
operations on the xserver log should not be audited.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
 2017-09-17 10:44:57 -04:00
Chris PeBenito eea649c0f4 init: Remove sm-notify.pid fc entry which collides with the rpc module. 2017-09-16 13:31:12 -04:00
Chris PeBenito d2c047bfd4 authlogin, logging, udev: Module version bump. 2017-09-16 13:30:33 -04:00
Jason Zaman via refpolicy e2db03bb8f sudo: add fcontext for /run/sudo/ts/USERNAME 
This lets restorecon -F set the context properly
 2017-09-16 13:05:53 -04:00
Jason Zaman via refpolicy 18778fcb49 syslog: allow map persist file 2017-09-16 13:05:53 -04:00
Jason Zaman via refpolicy ae482db492 udev: map module objects to load kernel modules 
denied  { map } for  pid=7850 comm="systemd-udevd" path="/lib64/modules/4.13.0-gentoo/kernel/drivers/hid/hid-logitech-hidpp.ko" dev="zfs" ino=709934 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
 2017-09-16 13:05:53 -04:00
Chris PeBenito f74a91a1a6 sysadm,fstools: Module version bump. 2017-09-14 17:21:56 -04:00
Christian Göttsche e1d795de3b dphysswapfile: add interfaces and sysadm access 
v2:

add swapfile file context
 2017-09-14 17:19:55 -04:00
Chris PeBenito 09006ca15e spamassassin: Add missing requirement in spamassassin_admin(). 2017-09-13 20:00:45 -04:00