Commit Graph

124 Commits

Author SHA1 Message Date
Chris PeBenito 1bdbba4fb2 corenetwork, sysadm, sysnetwork: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-08 15:52:56 -04:00
Chris PeBenito aafca49ae8 Merge pull request #137 from bigon/aptcacher 2020-03-08 15:44:52 -04:00
Chris PeBenito b2f72e833b Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
Chris PeBenito 215a8be698 auditadm, secadm, staff, sysadm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-16 11:32:16 -05:00
bauen1 b6352a3de7
sysadm: add sysadm_allow_rw_inherited_fifo tunable to allow writing to
fifo_files inherited from domains allowed to change role to sysadm_r.

This enables to do e.g. 'echo "..." | sudo -r sysadm_r command' from a
staff_u:staff_r:staff_t context
2020-02-16 17:05:40 +01:00
Laurent Bigonville 1911cd11f4 Add policy for acngtool
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2020-02-09 15:57:50 +01:00
Chris PeBenito 335d9425c0 various: Module version bump. 2019-12-26 11:48:27 -05:00
Chris PeBenito 9a5d515584 Merge pull request #143 from fishilico/sysadm-chat-hostnamed 2019-12-26 11:41:37 -05:00
Nicolas Iooss 358bcef0a4
Add policy for CryFS, encfs and gocryptfs
CryFS (https://www.cryfs.org/) is a software that can be run by non-root
users that have access to /dev/fuse. Its command is directly used to
mount a directory ("/usr/bin/cryfs basedir mountpoint"), like command
"mount". Unmounting a mountpoint is done with "fusermount -u
mountpoint", /usr/bin/fusermount being a setuid-root program labeled
mount_exec_t.

EncFS (https://www.arg0.net/encfs) is a similar software that has been
considered insecure since a security audit in 2014 found vulnerabilities
that are not yet fixed (like https://github.com/vgough/encfs/issues/9).

gocryptfs (https://nuetzlich.net/gocryptfs/) is a similar software that
has been inspired by EncFS.

Allow users with role sysadm to use all these projects.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:03:53 +01:00
Nicolas Iooss b1566c1966
sysadm: allow using hostnamectl
Command "hostnamectl" communicates with systemd_hostnamed_t through
DBUS:

    type=USER_AVC msg=audit(1576535282.679:345): pid=285 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.DBus.Properties member=GetAll
    dest=org.freedesktop.hostname1 spid=1449 tpid=1450
    scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=system_u:system_r:systemd_hostnamed_t tclass=dbus
    permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
    terminal=?'

    type=USER_AVC msg=audit(1576535282.683:347): pid=285 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return
    dest=:1.269 spid=1450 tpid=1449
    scontext=system_u:system_r:systemd_hostnamed_t
    tcontext=sysadm_u:sysadm_r:sysadm_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 17:26:34 +01:00
Chris PeBenito 208296a0c2 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-07 16:58:51 -04:00
Nicolas Iooss a7c9634eca
Add a policy module for WireGuard VPN
WireGuard is a fast, modern, secure VPN tunnel, according to
https://www.wireguard.com/. In order to install it, the mostly
documented way consists in building and installing an out-of-tree kernel
module and using userland tools to configure this module (wg and
wg-quick).

* WireGuard is like "ip": the userland tool communicates with the kernel
  module through a netlink socket.

* WireGuard is like "iptables": there is no daemon, but some
  distributions ship systemd units that restores a WireGuard
  configuration when started.

* WireGuard is like other services: its configuration files are in /etc,
  and it can use /run and /tmp.

Create a new policy module which handles all of this.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 22:20:40 +02:00
Chris PeBenito 921eb37a97 rpm, selinux, sysadm, init: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:07:11 -04:00
Alexander Miroshnichenko 491ae9991a Add knot module
Add a SELinux Reference Policy module for the
Knot authoritative-only DNS server.

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2019-07-13 14:00:31 -04:00
Chris PeBenito 8c3893e427 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito c46eba9c02 sysadm, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:27:34 -04:00
Sugar, David ba31e59cd1 Separate out udevadm into a new domain
This is the update I have made based on suggestions for the previous
patches to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permisssions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permisions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo and /usr/bin/udevsend
   But as I don't have those binaries to test, I have not updated the
   type of that binary.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm
into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-17 16:15:21 -04:00
Chris PeBenito e3f90ef0b5 sysadm: Module version bump. 2019-02-13 18:53:56 -05:00
Nicolas Iooss 4aa9acca0a
sysadm: allow resolving dynamic users
On a virtual machine using haveged daemon, running "ps" from a sysadm_t
user leads to the following output:

    $ ps -eH -o label,user,pid,cmd
    ...
    system_u:system_r:init_t        root         1 /sbin/init
    system_u:system_r:syslogd_t     root       223   /usr/lib/systemd/systemd-journald
    system_u:system_r:lvm_t         root       234   /usr/bin/lvmetad -f
    system_u:system_r:udev_t        root       236   /usr/lib/systemd/systemd-udevd
    system_u:system_r:entropyd_t    65306      266   /usr/bin/haveged --Foreground --verbose=1

User 65306 is a dynamic user attributed by systemd:

    $ cat /var/run/systemd/dynamic-uid/65306
    haveged

Running ps leads to the following log:

    type=USER_AVC msg=audit(1549830356.959:1056): pid=278 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1
    spid=12038 tpid=1 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Allow sysadm_t to resolve dynamic users when systemd is used.

After this, "ps" works fine:

    system_u:system_r:entropyd_t    haveged    266   /usr/bin/haveged --Foreground --verbose=1
2019-02-12 21:43:08 +01:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Russell Coker 1574ac4a5d chromium
There are several nacl binaries that need labels.

Put an ifdef debian for some chromium paths.

Git policy misses chromium_role() lines, were they in another patch that was
submitted at the same time?

I don't know what this is for but doesn't seem harmful to allow it:
type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome
type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null)
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { associate } for  pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { create } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { add_name } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir

Allow domain_use_interactive_fds() for running via ssh -X.

Allow managing xdg data, cache, and config.

Allow reading public data from apt and dpkg, probably from lsb_release or some
other shell script.

How does the whold naclhelper thing work anyway?  I'm nervous about process
share access involving chromium_sandbox_t, is that really what we want?

Added lots of other stuff like searching cgroup dirs etc.
2019-01-29 18:59:33 -05:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Alexander Miroshnichenko faa2b15910 Add nsd_admin interface to sysadm.te.
Allow users with sysadm_r role to start/stop NSD daemon.
2018-12-30 18:30:23 +03:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito 2037c8f294 kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: Module version bumps. 2017-11-04 14:16:20 -04:00
Jason Zaman 9adc6c5ddb gssproxy: Allow others to stream connect
kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
2017-11-04 14:00:56 -04:00
Chris PeBenito f74a91a1a6 sysadm,fstools: Module version bump. 2017-09-14 17:21:56 -04:00
Christian Göttsche e1d795de3b dphysswapfile: add interfaces and sysadm access
v2:

add swapfile file context
2017-09-14 17:19:55 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 6293813020 Module version bump for patches from cgzones. 2017-06-12 18:48:58 -04:00
cgzones c6f76058dc chkrootkit: add interfaces and sysadm permit
v2:
 - add bin_t fc to corecommands
2017-06-12 18:41:56 -04:00
Chris PeBenito 5ab11a8454 Module version bump for patches from cgzones. 2017-06-08 18:53:51 -04:00
cgzones 9ab63a1bdf rkhunter: add interfaces for rkhunter module and sysadm permit 2017-06-08 18:22:53 -04:00
Chris PeBenito 2749bddae8 Module version bumps for patches from Jason Zaman. 2017-05-31 21:09:50 -04:00
Jason Zaman d49027dc40 dirmngr: add to roles 2017-05-31 20:40:47 -04:00
Chris PeBenito 6c2272c613 Module version bump for infiniband policy from Daniel Jurgens. 2017-05-24 19:36:49 -04:00
Chris PeBenito 412fc7e7fd corenet/sysadm: Move lines. 2017-05-24 19:36:04 -04:00
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Chris PeBenito 36c79fd3ee Module version bump for libmtp from Guido Trentalancia. 2017-05-22 20:20:47 -04:00
Guido Trentalancia 4f8b753f24 base: role changes for the new libmtp module
This is the base part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
2017-05-22 20:05:52 -04:00
Chris PeBenito bb8f9f49c3 little misc strict from Russell Coker. 2017-04-29 11:25:13 -04:00
Chris PeBenito 878735f69f Module version bump for patches from Russell Coker and Guido Trentalancia. 2017-04-26 06:39:39 -04:00
Chris PeBenito 8f6f0cf0e2 Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed.  It also adds
typealias rules and doesn't change the FC entries.

The /dev/apm_bios device doesn't exist on modern systems.  I have left that
policy in for the moment on the principle of making one change per patch.  But
I might send another patch to remove that as it won't exist with modern
kernels.
2017-04-26 06:36:20 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 603f0e1e6e Module version bump for monit patch from cgzones 2017-03-25 13:24:56 -04:00
cgzones f438513a8a sysadm: add monit admin permissions 2017-03-09 13:24:51 +01:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones 4b79a54b41 modutils: adopt callers to new interfaces 2017-03-03 12:28:17 +01:00
Chris PeBenito 3726cd58f6 Module version bump for changes from cgzones. 2017-02-18 12:28:38 -05:00