RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,358 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

5358 Commits

Author SHA1 Message Date
Chris PeBenito aafca49ae8 Merge pull request #137 from bigon/aptcacher 2020-03-08 15:44:52 -04:00
Chris PeBenito 4677078b7b terminal, portage: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-03-01 14:54:45 -05:00
Chris PeBenito 128d6f4000 Merge pull request #187 from Jarel1337/patch-2 2020-03-01 14:47:42 -05:00
Chris PeBenito 493492873d Merge pull request #186 from Jarel1337/patch-1 2020-03-01 14:47:37 -05:00
Chris PeBenito 3039bde79c Update Changelog and VERSION for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-29 16:54:39 -05:00
Chris PeBenito b2f72e833b Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-29 16:54:39 -05:00
Vilgot Fredenberg 8bc4c28409
Remove old exception 
This exception goes back 14 years to commit 85c20af3c1 and 11a0508ede.
The tts exception is covered by a distro agnostic rule further up, and the udev rule doesn't even work (it's supposed to be /lib/udev/ not /usr/lib/udev on gentoo) so I seriously doubt anyone is going to miss them.

Signed-off-by: Vilgot <Vilgot@fredenberg.xyz>
 2020-02-23 17:52:54 +01:00
Vilgot 112929f004
Portage update 
Update portage to follow the new default paths and other (small) fixes.

Signed-off-by: Vilgot <Vilgot@fredenberg.xyz>
 2020-02-23 17:51:30 +01:00
Chris PeBenito e3864c38f7 logging: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-23 09:25:35 -05:00
Chris PeBenito c42f0a6cc8 logging: Whitespace fix. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-23 09:24:43 -05:00
Chris PeBenito 6e6736386f Merge pull request #188 from bluca/syslog_start_stop 2020-02-23 09:19:07 -05:00
Luca Boccassi 6e9c1cd187 logging: add interface to start/stop syslog units 
Required for example to start/stop systemd-journal-flush.service
which moves the journal storage back and forth between tmpfs and
permanent storage.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
 2020-02-19 20:43:22 +00:00
Luca Boccassi 6afabe971f journald: allow to remove /run/log/journal 
it happens when switching from tmpfs to persistent storage

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
 2020-02-19 11:07:32 +00:00
Chris PeBenito 2400f6a74c various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-17 13:34:06 -05:00
Jason Zaman 8742aa4e3e gpg: add watch perms for agent 
avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/run/user/1000/gnupg" dev="tmpfs" ino=21988 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/home/jason/.gnupg" dev="zfs" ino=34432 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 509a639deb chromium: watch etc dirs 
avc:  denied  { watch } for  pid=44464 comm="ThreadPoolForeg" path="/etc" dev="zfs" ino=1436 scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman adaea617cd dbus: add watch perms 
avc:  denied  { watch } for  pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman dd84b117e2 policykit devicekit: Add watch perms 
avc:  denied  { watch } for  pid=12488 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/run/ConsoleKit" dev="tmpfs" ino=17611 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/usr/share/polkit-1/actions" dev="zfs" ino=235638 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/etc/polkit-1/rules.d" dev="zfs" ino=268215 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 9f8194fdf4 colord: add watch perms 
avc:  denied  { watch } for  pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 575f9494e7 cron: watch cron spool 
avc:  denied  { watch } for  pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman deafc9df7a accountsd: Add watch perms 
avc:  denied  { watch } for  pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 1387160e0c udev: Add watch perms 
Udev watches all the fixed_disks and udevadm watches the runtime dir.

udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied

avc:  denied  { watch } for  pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 124d3723d8 fstools: add zfs-auto-snapshot 
Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.

type=AVC msg=audit(1563084061.269:2472): avc:  denied  { execute } for  pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
 2020-02-17 13:25:59 -05:00
Chris PeBenito 215a8be698 auditadm, secadm, staff, sysadm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-16 11:32:16 -05:00
Chris PeBenito e583966f92 Merge pull request #172 from bauen1/allow-sysadm-staff-pipes 2020-02-16 11:31:38 -05:00
Chris PeBenito 2de17a8c0e systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-16 11:29:21 -05:00
Chris PeBenito 80a3827c04 Merge pull request #183 from bauen1/systemd-user-runtime-dir 2020-02-16 11:28:26 -05:00
Chris PeBenito e272f7cba9 entropyd, networkmanager, ntp: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-16 11:26:49 -05:00
Chris PeBenito 9227d97eac Merge pull request #185 from cgzones/genfs_seclabel_symlinks 2020-02-16 11:20:35 -05:00
Chris PeBenito 87987636c1 Merge pull request #184 from bauen1/fix-systemd-ntp 2020-02-16 11:12:19 -05:00
Chris PeBenito 3bef33fe20 Merge pull request #182 from topimiettinen/add-iwd-as-networkmanager 2020-02-16 11:11:59 -05:00
Chris PeBenito 26be8f09a6 Merge pull request #181 from topimiettinen/add-jitterentropy-as-entropyd 2020-02-16 11:06:05 -05:00
bauen1 b6352a3de7
sysadm: add sysadm_allow_rw_inherited_fifo tunable to allow writing to 
fifo_files inherited from domains allowed to change role to sysadm_r.

This enables to do e.g. 'echo "..." | sudo -r sysadm_r command' from a
staff_u:staff_r:staff_t context
 2020-02-16 17:05:40 +01:00
Topi Miettinen cdd292a26d
Consider iwd equivalent to NetworkManager etc. 
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-02-15 16:39:38 +02:00
Christian Göttsche 46de44f7d1 Add genfs_seclabel_symlinks policy capability 2020-02-14 20:03:50 +01:00
bauen1 16f030a488
systemd-user-runtime-dir: add policy 2020-02-12 22:00:23 +01:00
bauen1 b4ef3f335f
ntp: watch systemd networkd runtime dirs 
This is required for correct function after linux 5.4
 2020-02-12 16:24:25 +01:00
Topi Miettinen 1d6982b0ea
Consider jitterentropy to belong to entropyd family 
Also allow jitterentropy (or rather some libs) to read
/proc/crypto/fips_enabled.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-02-12 00:00:21 +02:00
Chris PeBenito 0d4e919176 loadkeys, init, systemd, udev: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-11 13:13:20 -05:00
Chris PeBenito 14656579a9 Merge pull request #152 from bauen1/systemd-fstab-generator 2020-02-11 13:03:32 -05:00
Chris PeBenito 353a19d088 Merge pull request #134 from bauen1/console-setup 2020-02-11 13:03:27 -05:00
Laurent Bigonville 1911cd11f4 Add policy for acngtool 
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2020-02-09 15:57:50 +01:00
Laurent Bigonville 0136b586ef Add policy for apt-cacher-ng 
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2020-02-09 15:57:50 +01:00
Laurent Bigonville c89e121db4 Add an interface to allow the specified domain to mmap the general network configuration files 
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2020-02-09 15:38:31 +01:00
bauen1 79ab984197
init: split init_create_pid_files interface 2020-02-08 16:16:14 +01:00
bauen1 c8d921833c
loadkeys: remove redundant ifdef 2020-02-08 16:07:32 +01:00
Chris PeBenito 61923c23d7 init, logging, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-08 09:40:51 -05:00
Chris PeBenito 1fe2453905 systemd: Whitespace fix. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-08 09:40:09 -05:00
Sugar, David 9a0c9fdd0c audit daemon can halt system, allow this to happen. 
auditd can halt the system for several reasons based on configuration.
These mostly revovle around audit partition full issues.  I am seeing
the following denials when attempting to halt the system.

Jan 12 03:38:48 localhost audispd: node=localhost type=USER_AVC msg=audit(1578800328.122:1943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Jan 12 03:38:48 localhost audispd: node=localhost type=USER_AVC msg=audit(1578800328.147:1944): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Jan 12 04:44:54 localhost audispd: node=localhost type=AVC msg=audit(1578804294.103:1923): avc:  denied  { getattr } for  pid=6936 comm="systemctl" path="/run/systemd/system" dev="tmpfs" ino=45 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

 v2 - use optional rather than ifdef
 v3 - fix order

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-02-08 09:38:25 -05:00
Sugar, David e1ccf0ce02 Allow systemd to getattr all files 
Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which
are used to check various path/file/directory to control starting a
service.  But this requires getattr permissions on the types.
Example denials that fit the problem.

The first example is from lvm where accessing config file.

type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0

This second example is from chronyd, but it is happening becuase I added
the conditional in a drop-in file.

type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1

v3 - rework to not use interface and allow getattr for all files

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-02-08 09:38:25 -05:00