Commit Graph

4617 Commits

Author SHA1 Message Date
Chris PeBenito ff041dd6fc filesystem: Fix error in fs_cgroup_filetrans(). 2017-06-04 20:45:13 -04:00
Jason Zaman b93c403dd7 filesystem: introduce fs_cgroup_filetrans interface 2017-06-04 20:24:51 -04:00
Chris PeBenito 2749bddae8 Module version bumps for patches from Jason Zaman. 2017-05-31 21:09:50 -04:00
Jason Zaman d49027dc40 dirmngr: add to roles 2017-05-31 20:40:47 -04:00
Chris PeBenito 1a7a723891 Update contrib. 2017-05-25 21:05:38 -04:00
Chris PeBenito 602b77236d Module version bump for mmap fixes from Stephen Smalley. 2017-05-24 19:58:32 -04:00
Stephen Smalley 7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Chris PeBenito 6c2272c613 Module version bump for infiniband policy from Daniel Jurgens. 2017-05-24 19:36:49 -04:00
Chris PeBenito 412fc7e7fd corenet/sysadm: Move lines. 2017-05-24 19:36:04 -04:00
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Chris PeBenito 36c79fd3ee Module version bump for libmtp from Guido Trentalancia. 2017-05-22 20:20:47 -04:00
Guido Trentalancia 4f8b753f24 base: role changes for the new libmtp module
This is the base part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
2017-05-22 20:05:52 -04:00
Stephen Smalley cfe0a94feb refpolicy: Define smc_socket security class
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, note that it
is enabled as part of the extended_socket_class policy capability, and add
it to the socket_class_set macro.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:00:57 -04:00
Stephen Smalley c5cdfec50b refpolicy: Define getrlimit permission for class process
This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process.  It is only checked when acting on another
process, so getrlimit permission is not required for use of getrlimit(2).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:00:50 -04:00
Chris PeBenito 57c84075e3 Update contrib 2017-05-15 18:48:58 -04:00
Chris PeBenito 8902f93b9a Module version bump for systemd fix from Krzysztof Nowicki. 2017-05-15 18:48:51 -04:00
Chris PeBenito 895eefc207 init: add comment for ProtectSystem. 2017-05-15 18:42:18 -04:00
Krzysztof Nowicki 3b5e622339 Enable /etc directory protection using ProtectSystem
Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.

This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.
2017-05-15 18:41:00 -04:00
Chris PeBenito 3cdaad6e29 Module version bump for changes from Jason Zaman and Luis Ressel. 2017-05-11 19:54:25 -04:00
Luis Ressel a114d07fd3 system/selinuxutil: Allow semanage to execute its tmp files
Since app-admin/setools-4.1.0, some python internals try to create and
execute a file in /tmp during semanage initalization, causing semanage
to crash. Here's the backtrace (with the path
"/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):

Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.4/semanage", line 28, in <module>
    import seobject
  File "py/seobject.py", line 34, in <module>
    import sepolicy
  File "py/sepolicy/__init__.py", line 8, in <module>
    import setools
  File "py/setools/__init__.py", line 77, in <module>
    from .infoflow import InfoFlowAnalysis
  File "py/setools/infoflow.py", line 22, in <module>
    import networkx as nx
  File "py/networkx/__init__.py", line 93, in <module>
    import networkx.linalg
  File "py/networkx/linalg/__init__.py", line 9, in <module>
    from networkx.linalg.algebraicconnectivity import *
  File "py/networkx/linalg/algebraicconnectivity.py", line 18, in <module>
    from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
  File "py/numpy/__init__.py", line 180, in <module>
    from . import add_newdocs
  File "py/numpy/add_newdocs.py", line 13, in <module>
    from numpy.lib import add_newdoc
  File "py/numpy/lib/__init__.py", line 8, in <module>
    from .type_check import *
  File "py/numpy/lib/type_check.py", line 11, in <module>
    import numpy.core.numeric as _nx
  File "py/numpy/core/__init__.py", line 22, in <module>
    from . import _internal  # for freeze programs
  File "py/numpy/core/_internal.py", line 14, in <module>
    import ctypes
  File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in <module>
    _reset_cache()
  File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
    CFUNCTYPE(c_int)(lambda: None)
MemoryError
2017-05-11 19:43:38 -04:00
Jason Zaman aa1afa41aa corecommands: add consolekit fcontexts 2017-05-11 19:35:53 -04:00
Jason Zaman 299e1ce6be appconfig: Add openrc_contexts file 2017-05-11 19:35:53 -04:00
Jason Zaman a5697b56a2 libraries: update wildcard /usr/lib fcontext
subs_dist takes care of it, the wildcard is no longer needed
2017-05-11 19:35:53 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito 8ab6ff00f6 Merge branch 'usr_bin_fc' of git://github.com/fishilico/selinux-refpolicy-patched 2017-05-04 08:20:42 -04:00
Chris PeBenito 8f5927ec7c Module version bump for minor fixes from Guido Trentalancia. 2017-05-01 18:45:01 -04:00
Guido Trentalancia 12743e949b init: smoother system boot
Improve the initrc domain within the init module with some permissions
needed for a smoother boot.

Let the iptables init scripts read the iptables configuration.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-05-01 18:41:50 -04:00
Guido Trentalancia efc6502e8f kernel: low-priority update
Update the kernel module with some low priority fixes.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-05-01 18:41:42 -04:00
Chris PeBenito f81025dc03 Module version bump for locallogin patch from Guido Trentalancia. 2017-04-29 11:27:26 -04:00
Chris PeBenito 1e36afff93 locallogin: Move one line. 2017-04-29 11:27:05 -04:00
Guido Trentalancia f4706daf3b locallogin: fine tune DAC override permissions
Improve the locallogin module by curbing on dac_override permissions
in the sulogin domain (read/search permissions only).

Thanks to Dominick Grift for suggesting this.

Other modules are likely affected by the same issue.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-04-29 11:25:59 -04:00
Chris PeBenito bb8f9f49c3 little misc strict from Russell Coker. 2017-04-29 11:25:13 -04:00
Chris PeBenito 5e49dcea60 apt/dpkg strict patches from Russell Coker.
The following are needed for correct operation of apt and dpkg on a "strict"
configuration.
2017-04-29 11:14:15 -04:00
Chris PeBenito caca2e7e6e some little misc things from Russell Coker.
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
2017-04-26 18:03:02 -04:00
Chris PeBenito 878735f69f Module version bump for patches from Russell Coker and Guido Trentalancia. 2017-04-26 06:39:39 -04:00
Chris PeBenito 8f6f0cf0e2 Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed.  It also adds
typealias rules and doesn't change the FC entries.

The /dev/apm_bios device doesn't exist on modern systems.  I have left that
policy in for the moment on the principle of making one change per patch.  But
I might send another patch to remove that as it won't exist with modern
kernels.
2017-04-26 06:36:20 -04:00
Chris PeBenito 61e9ec3240 Login take 4 from Russell Coker.
I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.

Please merge this.
2017-04-26 06:26:50 -04:00
Chris PeBenito 6a87c0f587 locallogin: Move two sulogin lines. 2017-04-26 06:16:22 -04:00
Guido Trentalancia 02b4ee1f81 locallogin: fix the sulogin submodule (emergency shell!)
This patch fixes the policy for sulogin. It is very important
because without this patch, sulogin cannot work properly and
it should be considered that it is used as an emergency shell
when there are serious consistency errors in the system, so it
constitutes the only way to recover the system in such
circumstances.

Nowadays, sulogin never uses PAM (at least not the official one
from util-linux), so obsolete, confusing and buggy policy has
been removed.

Extensive testing carried out while creating this patch indicates
that there aren't other permissions needed to successfully run
sulogin.

This second version should apply cleanly to the latest git tree.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-04-26 06:15:02 -04:00
Chris PeBenito f93522e171 Update contrib. 2017-04-20 20:20:14 -04:00
Chris PeBenito 8527b86621 Further strict systemd fixes from Russell Coker. 2017-04-20 20:00:34 -04:00
Chris PeBenito 95b584b5e9 xdm sigchld interface from Russell Coker. 2017-04-20 19:32:19 -04:00
Chris PeBenito 291f1512e3 Module version bump from fixes from Guido Trentalancia. 2017-04-20 19:19:25 -04:00
Guido Trentalancia via refpolicy 51fa34de36 xserver: fix iceauth_home_t file context creation
This patch fixes the xserver module so that the hidden .ICEauthority
file is created with the proper context (file transition).

It also optimizes a similar interface used for xauth home files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-04-20 18:58:27 -04:00
Chris PeBenito e04f2d3f16 Module version bump for patch from Guido Trentalancia 2017-04-18 21:52:26 -04:00
Chris PeBenito bff3838916 corecommands: Add fc escaping for previous patch. 2017-04-18 21:51:52 -04:00
Guido Trentalancia c3dab0699b corecommands: new file contexts for Gnome applications
This patch adds three new file contexts for script executables
belonging to new Gnome applications (weather application and
sound recorder).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-04-18 21:46:24 -04:00
Chris PeBenito e03f6d4c61 some userdomain patches from Russell Coker
Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.

Allow sysadm_t to read kmsg.

Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui.  Also allow them to chat with devicekit disk and power daemons.

Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
2017-04-18 21:41:45 -04:00
Chris PeBenito 57bb7dd471 another bootloader patch from Russell Coker 2017-04-18 21:30:02 -04:00
Chris PeBenito a8a360c178 devicekit, mount, xserver, and selinuxutil from Russell Coker
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.

Allow mount_t to do more with it's runtime files and stat more filesystem
types.

Allow xauth to send sigchld to xdm.

Allow semanage to search policy_src_t dirs and read /dev/urandom.
2017-04-18 21:28:16 -04:00