0179413fa3
certbot: Fix lint issues.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 10:01:27 -05:00
0f6c861dfb
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:51:56 -05:00
81b20d6b08
userdomain: Move lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:24:14 -05:00
c42c407bdc
yet more strict patches fixed
...
More little strict patches, much of which are needed for KDE.
With the lines that Chris didn't like removed.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-19 09:14:16 -05:00
a686e854af
miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:02:13 -05:00
0f02829c61
certbot: Reorder fc lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:01:57 -05:00
fb95355f98
certbot: Drop aliases since they have never had the old names in refpolicy.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:01:40 -05:00
3927e3ca50
certbot: Whitespace changes.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 09:01:09 -05:00
08d32dbc2d
latest iteration of certbot policy as patch
...
Same .te as sent a few days ago, but as a patch and with the other
files needed. I think this is ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-19 08:49:30 -05:00
437e0c4b97
chromium: Move naclhelper lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 08:39:53 -05:00
34a8c10cb9
chromium: Whitespace changes.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-19 08:39:45 -05:00
31a2b463f7
base chrome/chromium patch fixed
...
This patch is the one I described as "another chromium patch" on the 10th of
April last year, but with the issues addressed, and the
chromium_t:file manage_file_perms removed as requested.
I believe it's ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-19 08:39:40 -05:00
fb377e0953
virt: add boolean to allow evdev passthrough
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-14 18:22:14 -05:00
7b15003eae
Remove modules for programs that are deprecated or no longer supported.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-14 17:14:30 -05:00
bf0f6121f5
Merge pull request #334 from dburgener/comment-typo
...
Fix typo in comment
2021-01-14 16:12:20 -05:00
93f5fe30f3
Fix typo in comment
...
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
2021-01-14 15:07:34 -05:00
bb471c3f1c
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-13 15:20:47 -05:00
d0c10f902b
Merge pull request #331 from pebenito/udev-updates
2021-01-13 15:19:55 -05:00
df5227d6d7
devicekit: Udisks uses udevadm, it does not exec udev.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-13 15:12:18 -05:00
ac51d56ddc
udev: Systemd 246 merged udev and udevadm executables.
...
Drop init_system_domain() for udevadm to break type transition conflicts.
Also fix interface naming issues for udevadm interfaces.
Fixes #292
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-13 15:12:18 -05:00
6c69f6e3de
udev: Drop udev_tbl_t.
...
This usage under /dev/.udev has been unused for a very long time and
replaced by functionality in /run/udev. Since these have separate types,
take this opportunity to revoke these likely unnecessary rules.
Fixes #221
Derived from Laurent Bigonville's work in #230
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-13 15:12:11 -05:00
8c756108db
corosync, pacemaker: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-13 14:46:10 -05:00
d669ed18df
Merge pull request #332 from dschadlich/master
2021-01-13 14:44:53 -05:00
03713214e2
devices: add interface for IOCTL on input devices
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-01-13 10:04:53 -05:00
037ac427f8
Ensure correct monolithic binary policy is loaded
...
When building a monolithic policy with 'make load', the
selinux_config(5) file 'SELINUXTYPE' entry determines what policy
is loaded as load_policy(8) does not take a path value (it always loads
the active system policy as defined by /etc/selinux/config).
Currently it is possible to load the wrong binary policy, for example if
the Reference Policy source is located at:
/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when
'make load' is executed.
Resolve this by using selinux_binary_policy_path(3) to determine the
current configured policy name and its location.
Another example is that if the Reference Policy source is located at:
/tmp/custom-rootfs/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy.<ver> that the
developer thought would be loaded).
Resolve this by checking if DESTDIR has been set.
Remove the '@touch $(tmpdir)/load' line as the file is never referenced.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2021-01-13 09:54:48 -05:00
9fd6bcbcf5
add policy for pcs_snmp_agent
...
create corosync_read_state interface, used by pcs_snmp_agent policy
update file context list for corosync to include corosync-cmapctl, this allows pcs_snmp_agent to domtrans when calling it
denial for execmem
type=AVC msg=audit(1610036202.427:3772): avc: denied { execmem } for pid=10875 comm="ruby" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pcs_snmp_agent_t:s0 tclass=process permissive=1
create contexts for pcs_snmp_agent_t and allow it some self permissions
allow pcs_snmp_agent_t to create allows and transision context of those logs
allow pcs_snmp_agent_t to read kernel sysctls
allow pcs_snmp_agent_t to exec bin_t
allow pcs_snmp_agent_t to access pacemaker's cluster information base (cib)
type=AVC msg=audit(1610037438.918:4524): avc: denied { read write } for pid=14866 comm="cibadmin" name="qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037438.918:4524): avc: denied { open } for pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1610037438.918:4524): arch=c000003e syscall=2 success=yes exit=5 a0=7ffe28cb09e0 a1=2 a2=180 a3=7ffe28cb02a0 items=1 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
type=AVC msg=audit(1610037438.919:4525): avc: denied { map } for pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1610037438.919:4525): arch=c000003e syscall=9 success=yes exit=140505675866112 a0=0 a1=203c a2=3 a3=1 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
type=AVC msg=audit(1610037438.906:4523): avc: denied { connectto } for pid=14866 comm="cibadmin" path=006369625F72770000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1610037438.906:4523): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe28cb2a40 a2=6e a3=7ffe28cb2460 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
allow pcs_snmp_agent_t to read files with usr_t context
type=AVC msg=audit(1610037437.737:4513): avc: denied { getattr } for pid=14857 comm="ruby" path="/usr/share/ruby/json.rb" dev="dm-0" ino=78097 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1610037439.029:4532): avc: denied { read } for pid=14869 comm="crm_mon" name="pacemaker" dev="dm-0" ino=78392 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610037561.019:4615): avc: denied { read } for pid=15257 comm="ruby" name="rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.019:4615): avc: denied { open } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.019:4616): avc: denied { getattr } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.020:4617): avc: denied { ioctl } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 ioctlcmd=5401 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
allow pcs_snmp_agent_t to to get cgroup information
type=AVC msg=audit(1610036387.957:3864): avc: denied { getattr } for pid=11499 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/pacemaker.service/cgroup.procs" dev="cgroup" ino=31992 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610036480.913:3921): avc: denied { read } for pid=11807 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036665.036:4019): avc: denied { read } for pid=12401 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036788.922:4099): avc: denied { read } for pid=12798 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036944.042:4202): avc: denied { read } for pid=13302 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036977.714:4223): avc: denied { read } for pid=13416 comm="systemctl" name="cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610036977.714:4223): avc: denied { open } for pid=13416 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/corosync.service/cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
allow pcs_snmp_agent_t to read nsswitch
type=AVC msg=audit(1610037562.211:4626): avc: denied { open } for pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037562.212:4627): avc: denied { getattr } for pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
allow pcs_snmp_agent_t to read zoneinfo
type=AVC msg=audit(1610035641.390:3398): avc: denied { search } for pid=3838 comm="pcs_snmp_agent" name="zoneinfo" dev="dm-0" ino=69241 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610035767.532:3480): avc: denied { getattr } for pid=3838 comm="pcs_snmp_agent" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610035767.664:3481): avc: denied { read } for pid=9488 comm="ruby" name="GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610035767.664:3481): avc: denied { open } for pid=9488 comm="ruby" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
allow pcs_snmp_agent_t to read certificates
type=AVC msg=audit(1610037375.994:4485): avc: denied { getattr } for pid=14660 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037499.874:4565): avc: denied { read } for pid=15055 comm="ruby" name="cert.pem" dev="dm-0" ino=38537 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1610037529.975:4584): avc: denied { read } for pid=15144 comm="ruby" name="tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037529.975:4584): avc: denied { open } for pid=15144 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
allow pcs_snmp_agent_t get service status
type=USER_AVC msg=audit(1610034251.683:2349): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/pacemaker.service" cmdline="systemctl status pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0
tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1610034251.773:2363): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="systemctl is-enabled pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=s
ystem exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1610034252.626:2367): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="systemctl status pacemaker_remote.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclas
s=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1610034251.757:2361): avc: denied { getattr } for pid=4342 comm="systemctl" path="/etc/systemd/system" dev="dm-0" ino=38595 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
allow pcs_snmp_agent_t to search init_t dirs
type=AVC msg=audit(1610037317.490:4460): avc: denied { search } for pid=14489 comm="systemctl" name="1" dev="proc" ino=9242 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
allow pcs_snmp_agent_t to connecto to systemd unix socket
type=AVC msg=audit(1610037533.196:4600): avc: denied { connectto } for pid=15174 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
allow pcs_snmp_agent_t to run corosync in corosync_t domain
type=AVC msg=audit(1610037437.793:4515): avc: denied { execute } for pid=14859 comm="ruby" name="corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc: denied { read open } for pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc: denied { execute_no_trans } for pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc: denied { map } for pid=14859 comm="corosync" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610034246.149:2265): avc: denied { execute } for pid=4258 comm="ruby" name="corosync-cmapctl" dev="dm-0" ino=57635 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
allow pcs_snmp_agent_t to read corosync state
type=AVC msg=audit(1610037503.610:4570): avc: denied { open } for pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037503.611:4571): avc: denied { getattr } for pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1
allow pcs_snmp_agent_t to exec hostname
type=AVC msg=audit(1610037469.569:4545): avc: denied { execute } for pid=14951 comm="ruby" name="hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc: denied { read open } for pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc: denied { execute_no_trans } for pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc: denied { map } for pid=14951 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
allow pcs_snmp_agent_t to connecto to snmp socket
type=AVC msg=audit(1610034242.897:2197): avc: denied { write } for pid=3838 comm="pcs_snmp_agent" name="master" dev="tmpfs" ino=30868 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1610034242.897:2197): avc: denied { connectto } for pid=3838 comm="pcs_snmp_agent" path="/var/agentx/master" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket permissive=1
allow pcs_snmp_agent_t to read systemd journal files
type=AVC msg=audit(1610037472.176:4552): avc: denied { map } for pid=14980 comm="systemctl" path="/var/log/journal/c7aa97546e1f4d3783a3aeffeeb749e3/system.journal" dev="tmpfs" ino=146184 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037533.220:4602): avc: denied { read } for pid=15174 comm="systemctl" name="/" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610037533.220:4602): avc: denied { open } for pid=15174 comm="systemctl" path="/var/log/journal" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
Signed-off-by: David Schadlich <dschadlich@owlcyberdefense.com>
2021-01-12 10:30:32 -05:00
26ed37c991
Makefile: Add -E to setfiles labeling targets.
...
This will cause setfiles to error if there are conflicting labeling
specifications for files due to hardlinks.
closes #218
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-06 13:53:46 -05:00
010692dda2
Merge pull request #326 from dburgener/no-self
...
Use self keyword when an AV rule source type matches destination
2021-01-04 09:14:46 -05:00
8a1bc98a31
authlogin, init, systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-17 09:23:18 -05:00
a63c24c6b7
Merge pull request #269 from bauen1/systemd-userdb
2020-12-17 09:22:55 -05:00
2a660fb6f6
Merge pull request #325 from pdmorrow/selinux_getbools
...
selinux: add selinux_get_all_booleans() interface
2020-12-15 11:10:12 -05:00
37cc0aae1d
Use self keyword when an AV rule source type matches destination
...
This is reported in a new SELint check in soon to be released selint version 1.2.0
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
2020-12-15 10:29:52 -05:00
b3bfd10ccd
selinux: add selinux_get_all_booleans() interface
...
Allow the caller to read the state of selinuxfs booleans.
Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2020-12-15 15:19:30 +00:00
cef667fa31
systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-15 09:40:48 -05:00
2c2d27ce70
Merge pull request #324 from dburgener/dburgener/systemd-watch
2020-12-15 09:33:50 -05:00
b3204ea4c1
Allow systemd-ask-password to watch files
...
On systems that use plymouth, systemd-ask-password may set watches on
the contents on /run/systemd/ask-password, whereas other scenarions only
set watch on the parent directory.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-12-11 19:47:13 +00:00
c8c418267d
systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-12-11 19:45:54 +00:00
87c4adc790
kernel, modutils, userdomain, xserver: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-08 15:13:57 -05:00
97eda18388
Merge pull request #323 from dsugar100/master
2020-12-08 15:09:54 -05:00
7fd6d78c2c
userdomain: Fix error in calling userdom_xdg_user_template().
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-08 15:09:27 -05:00
cdfcec0e9a
Merge pull request #320 from 0xC0ncord/master
2020-12-08 15:01:27 -05:00
d7c3c78c2d
Drop criteria on github actions.
...
Either they do not have the desired effects or they are broken.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-08 12:31:00 -05:00
1d15c9e009
userdomain, xserver: move xdg rules to userdom_xdg_user_template
...
xdg rules are normally set in xserver. But, if a modular policy is being
used and the xserver module is not present, the required rules for users
to be able to access xdg content are never created and thus these files
and directories cannot be interacted with by users. This change adds a
new template that can be called to grant these privileges to userdomain
types as necessary.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2020-12-08 10:59:17 -05:00
ca5f1a5662
Allow systemd-modules-load to search kernel keys
...
I was seeing the following errors from systemd-modules-load without this search permission.
Dec 7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available
Dec 7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13
Dec 7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE
Dec 7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load"
Dec 7 14:36:19 systemd: Failed to start Load Kernel Modules.
This is the denial:
Dec 7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc: denied { search } for pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-12-08 10:51:44 -05:00
699268ff41
init, systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-04 13:32:57 -05:00
b31d8308da
systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to systemd_stream_connect_socket_proxyd().
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-04 13:31:22 -05:00
42b184c2a8
systemd: Whitespace changes.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-04 13:31:17 -05:00
b4dd2ae0cc
Merge pull request #315 from galaxy4public/systemd-socket-proxyd
2020-12-04 13:29:55 -05:00
8d7ea992e2
Merge pull request #322 from pebenito/github-actions
...
Switch to GitHub actions for CI actions.
2020-12-03 10:10:01 -05:00
e7b9598865
Switch to GitHub actions for CI actions.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-03 10:07:05 -05:00
Chris PeBenito
Russell Coker
Kenton Groombridge
Daniel Burgener
Richard Haines
David Schadlich
Peter Morrow
Daniel Burgener
Chris PeBenito
Dave Sugar