Jason Zaman
9adc6c5ddb
gssproxy: Allow others to stream connect
...
kernel AVC:
* Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
* start-stop-daemon: failed to start `gssproxy'
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
2017-11-04 14:00:56 -04:00
Jason Zaman
6efe498a9b
Add key interfaces and perms
...
Mostly taken from the fedora rawhide policy
2017-11-04 14:00:56 -04:00
Jason Zaman
09ae441706
mls mcs: Add constraints for key class
...
Taken from Fedora's policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
2017-11-04 14:00:56 -04:00
Chris PeBenito
5a73eaf64e
files, userdomain: Module version bump.
2017-11-01 19:03:30 -04:00
Jason Zaman
7d8ee436d7
files: fcontext for /etc/zfs/zpool.cache
2017-11-01 18:59:17 -04:00
Jason Zaman
d5f6a58a77
userdomain: allow admin to rw tape storage
2017-11-01 18:59:17 -04:00
Chris PeBenito
289be9e0b4
Update contrib.
2017-10-30 21:39:46 -04:00
Chris PeBenito
52b53077cd
miscfiles: Module version bump.
2017-10-30 21:39:39 -04:00
Russell Coker
d97a1cd3c8
refpolicy and certs
...
The following patch allows mon_t to set limits for its children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (e.g. https clients) don't need cert_t access.
2017-10-30 21:38:27 -04:00
Chris PeBenito
d2e201495a
files, netutils: Module version bump.
2017-10-25 17:21:31 -04:00
Luis Ressel via refpolicy
68690d8e62
netutils: Grant netutils_t map perms for the packet_socket class
...
This is required for the PACKET_RX_RING feature used by tcpdump.
2017-10-25 17:16:06 -04:00
Luis Ressel via refpolicy
75a5ebca75
kernel/files.if: files_list_kernel_modules should grant read perms for symlinks
...
files_search_kernel_modules also grants this; there are a couple of
symlinks in /lib/modules/.
2017-10-25 17:16:06 -04:00
Chris PeBenito
0bdd993c1c
Update contrib.
2017-10-22 14:26:43 -04:00
Chris PeBenito
9f790ef731
Merge pull request #128 from williamcroberts/fc-sort-fixups
...
fc_sort: use calloc instead of malloc
2017-10-19 06:28:03 -04:00
William Roberts
65620e0f94
fc_sort: use calloc instead of malloc
...
Rather than using malloc to allocate nodes and setting all the fields,
just use calloc.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-10-18 19:26:36 -07:00
Chris PeBenito
1b405f4a90
files, init, sysnetwork, systemd: Module version bumps.
2017-10-12 18:48:29 -04:00
Chris PeBenito
6128c262bb
Merge branch 'systemd-networkd'
...
# Conflicts:
# policy/modules/system/init.te
2017-10-12 18:40:15 -04:00
David Sugar
4a54f9c1f0
policy for systemd-networkd
...
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-12 18:38:54 -04:00
Chris PeBenito
2ec1c9b85c
files: Whitespace fix.
2017-10-12 18:00:12 -04:00
David Sugar
e7b4159ec5
Denial relabeling /run/systemd/private
...
I am seeing the following denial (in dmesg) during system startup:
[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
It appears that systemd is attempting to relabel the socket file /run/systemd/private to init_var_run_t but doesn't have permission.
Updated to create new interface for relabeling of sock_files rather than adding to existing interface
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-12 18:00:12 -04:00
Chris PeBenito
2fca8c8d95
init: Clean up line placement in init_systemd blocks.
...
No rule changes.
2017-10-12 17:42:23 -04:00
Chris PeBenito
a89570282e
Merge branch 'master' of git://github.com/aduskett/refpolicy
2017-10-11 18:50:58 -04:00
Chris PeBenito
3001c50364
ipsec: Module version bump.
2017-10-11 18:45:29 -04:00
Chris PeBenito
9456ab758a
Merge branch 'master' of git://github.com/davidgraz/refpolicy
2017-10-11 18:44:39 -04:00
David Graziano
99aebc2af5
system/ipsec: Add signull access for strongSwan
...
Allows ipsec_supervisor_t domain to signull other
strongSwan domains.
Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
2017-10-11 08:17:51 -05:00
Chris PeBenito
2ae2b38e6d
Module version bumps.
2017-10-10 20:32:43 -04:00
David Sugar
967ef00181
Fix problem labeling /run/log/journal/*
...
Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/*
[ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
[ 4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied
[ 4.758736] type=1400 audit(1507601754.187:4): avc: denied { relabelto } for pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[ 4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied
[ 4.758928] type=1400 audit(1507601754.187:5): avc: denied { relabelto } for pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[ 4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied
[ 4.759144] type=1400 audit(1507601754.187:6): avc: denied { relabelto } for pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
[ 4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-10 20:24:18 -04:00
Adam Duskett
6c9cc47e6c
fix regex escape sequence error.
...
python3.6 will error out with the message "invalid escape sequence"
in genhomedircon.py. This patch fixes these errors by turning the string
into a raw string.
2017-10-10 18:00:30 -04:00
Chris PeBenito
570bfa8cbd
devices: Module version bump.
2017-10-09 14:51:56 -04:00
Konrad Rzeszutek Wilk
b5c8b1d77d
kernel/xen: Add map permission to the dev_rw_xen
...
type=AVC msg=audit(1504637347.487:280): avc: denied { map } for pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0
Without this we can't use xenconsole (client) to
talk to xenconsoled (server).
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
2017-10-09 13:57:47 -04:00
Konrad Rzeszutek Wilk
c7d48c3bc2
kernel/xen: Update for Xen 4.6
...
libxenstored since git commit 9c89dc95201ffed5fead17b35754bf9440fdbdc0
prefers to use "/dev/xen/xenbus" over the "/proc/xen/xenbus".
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
2017-10-09 13:57:47 -04:00
Guido Trentalancia
5490639ac9
fc_sort: memory leakages
...
Avoid memory leakages in the fc_sort executable (now passes
all valgrind AND Clang static analyzer tests fine).
Some NULL pointer checks with or without associated error
reporting.
Some white space and comment formatting fixes.
Optimization: avoid unnecessary operations (unnecessary
memory allocation/deallocation and list copying).
Reverts 7821eb6f37 as such a trick is no longer needed, given that all
memory leakages have now been fixed.
This is the sixth version of this patch. Please do not use
the first version as it introduces a serious bug.
For reference, the original issue reported by the Clang
static analyzer is as follows:
support/fc_sort.c:494:6: warning: Potential leak of memory
pointed to by 'head'
malloc(sizeof(file_context_bucket_t));
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
2017-10-04 19:29:47 -04:00
Chris PeBenito
7821eb6f37
Merge pull request #125 from lalozano/master
...
Avoid memory leak warning.
2017-09-28 18:32:58 -04:00
Chris PeBenito
f47c35d20c
init: Module version bump.
2017-09-27 19:45:01 -04:00
David Sugar
c1eac683fa
remove interface init_inherit_rlimit
...
Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise). I hope ordering of the new rules is correct.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-27 19:37:19 -04:00
Chris PeBenito
de13b68208
corecommands: Module version bump.
2017-09-23 14:36:56 -04:00
David Sugar via refpolicy
f3e0a751db
label /etc/mcelog/mcelog.setup correctly (for RHEL)
...
I am seeing the following denials when mcelog.service is attempting to execute /etc/mcelog/mcelog.setup (on RHEL 7). It should be labeled bin_t.
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { execute } for pid=626 comm="(og.setup)" name="mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { read open } for pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { execute_no_trans } for pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.859:28): arch=c000003e syscall=59 success=yes exit=0 a0=55a0ddd00260 a1=55a0ddcd1be0 a2=55a0ddd02e90 a3=3 items=3 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=EXECVE msg=audit(1505961383.859:28): argc=2 a0="/bin/sh" a1="/etc/mcelog/mcelog.setup"
Sep 21 02:45:50 localhost audit: type=PATH msg=audit(1505961383.859:28): item=0 name="/etc/mcelog/mcelog.setup" inode=718731 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mcelog_etc_t:s0 objtype=NORMAL
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.862:29): avc: denied { ioctl } for pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.862:29): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7ffec57f28f0 a3=7ffec57f2690 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.867:30): avc: denied { getattr } for pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.867:30): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7ffec57f2890 a2=7ffec57f2890 a3=7ffec57f25a0 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-23 14:30:35 -04:00
Chris PeBenito
5cb00e5167
Update contrib.
2017-09-19 18:43:55 -04:00
Chris PeBenito
c7c53a91af
Update contrib.
2017-09-17 21:14:24 -04:00
Chris PeBenito
6abb3eb5fc
corecommands, xserver, systemd, userdomain: Version bumps.
2017-09-17 11:11:18 -04:00
Russell Coker
25a9bcb405
minor nspawn, dnsmasq, and mon patches
...
Label some shell scripts from bridge-utils correctly. Maybe have ifdef
distro_debian around this, not sure what upstream is doing.
systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.
Another dontaudit for mon_local_test_t to stop it spamming the logs.
Support a .d directory for dnsmasq config files.
2017-09-17 11:08:06 -04:00
Guido Trentalancia
4afbc35e79
xserver: do not audit ioctl operations on log files
...
Do not audit ioctl operation attempts whenever write
operations on the xserver log should not be audited.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2017-09-17 10:44:57 -04:00
Chris PeBenito
eea649c0f4
init: Remove sm-notify.pid fc entry which collides with the rpc module.
2017-09-16 13:31:12 -04:00
Chris PeBenito
d2c047bfd4
authlogin, logging, udev: Module version bump.
2017-09-16 13:30:33 -04:00
Jason Zaman via refpolicy
e2db03bb8f
sudo: add fcontext for /run/sudo/ts/USERNAME
...
This lets restorecon -F set the context properly
2017-09-16 13:05:53 -04:00
Jason Zaman via refpolicy
18778fcb49
syslog: allow map persist file
2017-09-16 13:05:53 -04:00
Jason Zaman via refpolicy
ae482db492
udev: map module objects to load kernel modules
...
denied { map } for pid=7850 comm="systemd-udevd" path="/lib64/modules/4.13.0-gentoo/kernel/drivers/hid/hid-logitech-hidpp.ko" dev="zfs" ino=709934 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
2017-09-16 13:05:53 -04:00
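The AVC denials quoted in the gssproxy, systemd relabelto, journal, xen, mcelog and udev commit messages above all share one shape, even though they were pasted from three different sources (raw audit records, dmesg, and syslog-prefixed audit lines). The following is an added example, not code from refpolicy or from any of these commits: it parses such lines and aggregates them into allow rules the way audit2allow does, so the minimum rule implied by a denial can be compared with what the commit actually changed. The sample lines are copied from the commit messages on this page; the function names are the example's own.

```python
"""Parse SELinux AVC denials (audit, dmesg or syslog format) and aggregate
them into allow rules, in the spirit of audit2allow.

Added example; not code from refpolicy or from any commit on this page.
The sample lines below are copied from the commit messages on the page.
"""
import re
from collections import defaultdict

# Core of every AVC denial regardless of prefix: raw "type=AVC msg=audit(...)",
# dmesg "[ 4.62] type=1400 audit(...)" or syslog "Sep 21 ... audit: type=AVC".
# The "avc:" prefix is optional because the udev commit pasted the line
# starting at "denied { map }".
AVC_RE = re.compile(
    r"(?:avc:\s+)?\bdenied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="(og.setup)") or bare (tclass=dir).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the useful fields of one denial, or None if the line is not an
    AVC denial or lacks scontext/tcontext/tclass (e.g. a line truncated when
    it was pasted into a commit message). Refusing is safer than guessing."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        # user:role:type[:range]; the type is always the third field, so this
        # also works for MCS contexts such as s0-s0:c0.c1023.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        # permissive=1 means the access went through but was logged; it still
        # needs a rule before the domain can be made enforcing.
        "permissive": fields.get("permissive") == "1",
    }


def collect_rules(lines):
    """Group denials by (source type, target type, class) and union the
    permissions, which is exactly what one allow rule needs."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return dict(rules)


def render_rules(rules):
    """Emit one allow rule per (source, target, class) in policy syntax,
    braces only when more than one permission is involved."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


# Copied from the commit messages above (gssproxy, systemd relabelto, journal,
# mcelog, udev), plus one non-AVC systemd message and the xen line, which was
# pasted without its tcontext/tclass and therefore must yield no rule.
SAMPLE_LINES = [
    'type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0',
    '[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file',
    '[ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    '[ 4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied',
    '[ 4.759144] type=1400 audit(1507601754.187:6): avc: denied { relabelto } for pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file',
    'Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { execute } for pid=626 comm="(og.setup)" name="mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file',
    'Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { read open } for pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file',
    'Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.862:29): avc: denied { ioctl } for pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file',
    'denied { map } for pid=7850 comm="systemd-udevd" path="/lib64/modules/4.13.0-gentoo/kernel/drivers/hid/hid-logitech-hidpp.ko" dev="zfs" ino=709934 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1504637347.487:280): avc: denied { map } for pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0',
]

if __name__ == "__main__":
    for rule in render_rules(collect_rules(SAMPLE_LINES)):
        print(rule)
```

The generated rules are the smallest change that silences each denial, not necessarily the right one: the mcelog commit above fixed its denials by labelling /etc/mcelog/mcelog.setup as bin_t instead of letting init_t execute mcelog_etc_t, and the gssproxy denial has kernel_t as the source, so it is the kernel itself (the use-gss-proxy upcall) connecting to a userspace socket rather than an ordinary daemon. Compare the emitted rule with the interface the commit actually used before copying anything into policy. The xen line, pasted without its tcontext, produces no rule at all; the parser refuses rather than invent a target type.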
Chris PeBenito
f74a91a1a6
sysadm,fstools: Module version bump.
2017-09-14 17:21:56 -04:00
Christian Göttsche
e1d795de3b
dphysswapfile: add interfaces and sysadm access
...
v2:
add swapfile file context
2017-09-14 17:19:55 -04:00
Chris PeBenito
09006ca15e
spamassassin: Add missing requirement in spamassassin_admin().
2017-09-13 20:00:45 -04:00