Lots of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing.
The tests pass for all combinations of distros, monolithic,
direct_initrc, standard/mcs/mls.
The postgresql_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
The logging_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
This is to be used where a role needs to start and stop a labeled
service. It centralizes all the rules for redhat < 6 sysvinit that
were used in the _admin interfaces. The rules for other inits will
be added later.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.
Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.
Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed. Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes. For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatability.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up things without allowing anything new.
iw manpage says "iw - show / manipulate wireless devices and their
configuration". Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.
Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
Jason Zaman
Chris PeBenito
Stephen Smalley
Laurent Bigonville
Steve Lawrence
Sven Vermeulen
Nicolas Iooss
Chris PeBenito