The cgroup directory under /sys/fs/cgroup contains a number of
pseudo-filesystems for each cgroup as well as two symbolic links for the
cpu and cpuacct groups, which were legacy symbolic links to the
cpu,cpuacct group.
These rules allow systemd to relabel these symbolic links from tmpfs_t
to their proper context, or otherwise denials will be printed for nearly
all systemd operation involving cgroups.
This change only grants systemd the possibility to relabel the
files. The actual relabelling needs to be done by systemd. The
accompanying change (commit 8739f23) will be released with systemd v236.
The ttm module, a dependency of radeon/amdgpu, does some
capable(CAP_SYS_ADMIN) checks. Changes in 4.13 have caused some of these
checks to be executed during module initialization, in the context of
modprobe, which fills the audit logs with a lot of denials.
Since failing these capable() checks is not an issue (they merely
control the access to emergency memory reserves, which shouldn't be an
issue during boot), I'm dontauditing them.
One potential issue with this is that if a module that actually needs
CAP_SYS_ADMIN during initialization comes along later, the dontaudit is
going to make the debugging a bit more annoying. Is anyone concerned
about this?
It already has dac_override, and depending on the pam modules being
used, this may actually be neccessary. Due to the 4.13 changes, I'm now
getting dac_read_search denials.
This is required for gtk-based login managers to access gtk's icon
cache. IIRC, past discussion on the ML came to the conclusion that
adding a new domain for this would be overkill.
Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g.
files in /etc/pki/*/private/).
Create and use appropriate interfaces for such new scenario (so
that SSL/TLS private keys are protected).
This part (1/2) refers to the base policy changes.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
The following patch allows mon_t to set limits for it's children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (EG https clients) don't need cert_t access.
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
I am seeing the following denial (in dmesg) during system startup:
[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
It appears that systemd is attempting to relablel the socket file /run/systemd/private to init_var_run_t but doesn't have permission.
Updated to create new interface for relabeling of sock_files rather than adding to existing interface
Signed-off-by: Dave Sugar <dsugar@tresys.com>
python3.6 will error out with the message "invalid escape sequence"
in genhomedircon.py. This patch fixes these errors by turning the string
in the into a raw string.
type=AVC msg=audit(1504637347.487:280): avc: denied { map } for pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0
Without this we can't use xenconsole (client) to
talk to xenconsoled (server).
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
libxenstored since git commit 9c89dc95201ffed5fead17b35754bf9440fdbdc0
prefers to use "/dev/xen/xenbus" over the "/proc/xen/xenbus".
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
Avoid memory leakages in the fc_sort executable (now passes
all valgrind AND Clang static analyzer tests fine).
Some NULL pointer checks with or without associated error
reporting.
Some white space and comment formatting fixes.
Optimization: avoid unnecessary operations (unnecessary
memory allocation/deallocation and list copying).
Reverts 7821eb6f37 as such
trick is no longer needed, given that all memory leakages
have now been fixed.
This is the sixth version of this patch. Please do not use
the first version as it introduces a serious bug.
For reference, the original issue reported by the Cland
static analyzer is as follows:
support/fc_sort.c:494:6: warning: Potential leak of memory
pointed to by 'head'
malloc(sizeof(file_context_bucket_t));
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise). I hope ordering of the new rules is correct.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Chris PeBenito
Krzysztof Nowicki
Luis Ressel
Guido Trentalancia
Jason Zaman
Russell Coker
Luis Ressel via refpolicy
William Roberts
David Sugar
David Graziano
Adam Duskett
Konrad Rzeszutek Wilk