- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
xdm (currently used by the userdomain module in
the common user template);
- added permission to chat over dbus with colord.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
On Arch Linux, OpenSSH unit files are:
/usr/lib/systemd/system/sshdgenkeys.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket
On Debian jessie, the unit files are:
/lib/systemd/system/ssh.service
/lib/systemd/system/ssh@.service
/lib/systemd/system/ssh.socket
On Fedora 22, the unit files are:
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket
Use a pattern which matches every sshd unit and introduce an other type
for ssh-keygen units.
On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:
* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)
Label all these files but sftp-server as bin_t.
On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.
Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details). Therefore label it as xserver_exec_t.
This makes the following AVC appear:
denied { execute_no_trans } for pid=927 comm="X"
path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
scontext=system_u:system_r:xserver_t
tcontext=system_u:object_r:xserver_exec_t tclass=file
Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
The postgresql_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)
Several DMs offer the possibility to shutdown the system. I personally
don't think a bool is neccessary for this permission, but I wouldn't
oppose one either.
The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.
With this setup, X is run as follows:
/usr/bin/X :0 -auth /var/run/lightdm/root/:0
Changes since v1:
- Use read_files_pattern instead of separate allow rules
Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.
Thanks to Russell Coker for this patch
On Gentoo, slim files are not in /var/run/slim, but directly in
/var/run. All names start with slim though, so changing the expression
to match those as well.
There is already a file transition in place (xdm_t writing files in
var_run_t -> xdm_var_run_t) so that needs no further changes.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This keytab functionality should be re-evaluated because it does not
make sense in its current implementation
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server
In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc: denied { connectto } for pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket
Hence, allow postgresql to connect to its own stream socket.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In Debian, this initscript is creating both /tmp/.X11-unix and
/tmp/.ICE-unix. This allows the directory to transition to the context
defined in the filecontext.
Domains that are granted postgresql_stream_connect() need to be able to search
through the postgresql_var_run_t directory (in which the socket is located).
Update the interface to use the stream_connect_pattern definition to simplify
the interface and make it more readable.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the postgresql service.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib)
and /etc/init.d (towards /etc/rc.d/init.d).
Update the file contexts of the translated locations.
Rebased (collided with Guido's patch for commenting within the
file_contexts.subs_dist file) since v3.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
Now that we have file_contexts.subs_dist, translations that were put in the file context definition files can now be
cleaned up.
Differences from v1:
- removes a few duplicate entries in the libraries.fc file, and
- removes the contrib references
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Guido Trentalancia
cgzones
Chris PeBenito
Chris PeBenito
Laurent Bigonville
Nicolas Iooss
Luis Ressel
Jason Zaman
Sven Vermeulen
Chris PeBenito
Dominick Grift
Dominick Grift