RepoMirrors/selinux-refpolicy
1
0
Fork 0
mirror of https://github.com/SELinuxProject/refpolicy synced 2025-03-30 07:16:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
5,070 Commits 3 Branches 50 Tags 22 MiB
b43aebcc2f
Commit Graph

1327 Commits

Author SHA1 Message Date
Sugar, David
d8492558b3 Add interface to get status of rsyslog service 
Updated based on feedback.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-20 19:28:45 -08:00
Chris PeBenito
98a7f0446d init, systemd, cdrecord: Module version bump. 2019-02-19 19:31:04 -08:00
Chris PeBenito
b3e8e5a4ba systemd: Remove unnecessary brackets. 2019-02-19 19:20:57 -08:00
Sugar, David
b3cbf00cba Allow systemd-hostnamed to set the hostname 
When calling hostnamectl to set the hostname it needs sys_admin
capability to actually set the hostname.

Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted
type=AVC msg=audit(1550058524.656:1988): avc:  denied  { sys_admin } for  pid=7873 comm="systemd-hostnam" capability=21  scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-19 19:06:40 -08:00
Sugar, David
61d12f722d Allow init_t to read net_conf_t 
init (systemd) needs to read /etc/hostname during boot
to retreive the hostname to apply to the system.

Feb 06 18:37:06 localhost.localdomain kernel: type=1400 audit(1549478223.842:3): avc:  denied  { read } for  pid=1 comm="systemd" name="hostname" dev="dm-1" ino=1262975 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-19 19:06:40 -08:00
Chris PeBenito
e727079acc systemd: Module version bump. 2019-02-09 09:06:37 -05:00
Sugar, David
24da4bf370 Separate domain for systemd-modules-load 
systemd-modules-load is used to pre-load kernal modules as the system comes up.
It was running initc_t which didn't have permissions to actually load kernel
modules.  This change sets up a new domain for this service and grants permission
necessary to load kernel modules.

Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:10): avc:  denied  { read } for  pid=4257 comm="systemd-modules" name="fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:11): avc:  denied  { open } for  pid=4257 comm="systemd-modules" path="/usr/lib/modules/3.10.0-957.1.3.el7.x86_64/kernel/fs/fuse/fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-09 09:01:05 -05:00
Sugar, David
21351f6bd9 Allow systemd-networkd to get IP address from dhcp server 
I'm seeing the following denials when attempting to get a DHCP address.

type=AVC msg=audit(1549471325.440:199): avc:  denied  { name_bind } for pid=6964 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc:  denied  { node_bind } for pid=6964 comm="systemd-network" saddr=10.1.12.61 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc:  denied  { net_bind_service } for  pid=6964 comm="systemd-network" capability=10 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1549471325.440:199): arch=c000003e syscall=49 success=yes exit=0 a0=b a1=7fff09388780 a2=10 a3=7fff09388778 items=0 ppid=1 pid=6964 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-09 09:01:05 -05:00
Chris PeBenito
445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito
83ebbd23d3 corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump. 2019-02-01 14:21:55 -05:00
Russell Coker
044da0b8b9 more misc stuff 
Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.
 2019-02-01 14:16:57 -05:00
Chris PeBenito
b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Russell Coker
3d65c79750 yet another little patch 
This should all be obvious.
 2019-01-29 18:45:30 -05:00
Chris PeBenito
30a46e5676 various: Module version bump. 2019-01-23 19:02:01 -05:00
Jason Zaman
fa23645ca1 userdomain: introduce userdom_user_home_dir_filetrans_user_cert 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2019-01-23 18:40:57 -05:00
Chris PeBenito
7a1e0d0ca9 init: Drop unnecessary userspace class dependence in init_read_generic_units_symlinks(). 2019-01-23 18:35:00 -05:00
Chris PeBenito
09a81f7220 init: Rename init_read_generic_units_links() to init_read_generic_units_symlinks(). 2019-01-23 18:34:10 -05:00
Russell Coker
eba35802cc yet more tiny stuff 
I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.

Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
 2019-01-23 18:32:41 -05:00
Chris PeBenito
ed79766651 dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). 2019-01-23 18:28:51 -05:00
Russell Coker
05cd55fb51 tiny stuff for today 
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
 2019-01-23 18:26:45 -05:00
Chris PeBenito
a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Chris PeBenito
ecb4968238 systemd: Move interface implementation. 2019-01-20 16:36:36 -05:00
Sugar, David
6e86de0736 Add interface to read journal files 
When using 'systemctl status <service>' it will show recent
log entries for the selected service.  These recent log
entries are coming from the journal.  These rules allow the
reading of the journal files.

type=AVC msg=audit(1547760159.435:864): avc:  denied  { read } for  pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc:  denied  { getattr } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { read } for  pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc:  denied  { map } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-20 16:34:14 -05:00
Russell Coker
54136fa311 more tiny stuff 
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.

A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).

The rest should be obvious.
 2019-01-20 16:20:33 -05:00
Chris PeBenito
b5cda0e2c5 selinuxutil: Module version bump. 2019-01-16 18:20:51 -05:00
Chris PeBenito
038a5af1ed Merge branch 'restorecond-dontaudit-symlinks' of git://github.com/fishilico/selinux-refpolicy 2019-01-16 18:20:05 -05:00
Chris PeBenito
238bd4f91f logging, sysnetwork, systemd: Module version bump. 2019-01-16 18:19:22 -05:00
Sugar, David
69961e18a8 Modify type for /etc/hostname 
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are requied.

type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { add_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { create } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc:  denied  { setattr } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc:  denied  { remove_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { rename } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { unlink } for  pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:13:41 -05:00
Sugar, David
34e3505004 Interface with systemd_hostnamed over dbus to set hostname 
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:12:50 -05:00
Sugar, David
9255dfbf4e label journald configuraiton files syslog_conf_t 
journald already runs as syslogd_t label the config files similarly to
allow editing by domains that can edit syslog configuration files.
Also added some missing '\' before dot in filenames.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:11:43 -05:00
Nicolas Iooss
6e2896098c
selinuxutil: restorecond is buggy when it dereferencies symlinks 
restorecond uses libselinux's selinux_restorecon() to relabel files,
which dereferences symlinks in a useless call to statfs(). This produces
AVC denials which are noisy.

Fixes: https://github.com/SELinuxProject/refpolicy/pull/22
 2019-01-16 22:10:38 +01:00
Chris PeBenito
4a90eae668 usermanage, cron, selinuxutil: Module version bump. 2019-01-14 17:45:24 -05:00
Chris PeBenito
2c96e2fb56 Merge branch 'add_comment' of git://github.com/DefenSec/refpolicy 2019-01-14 17:41:28 -05:00
Dominick Grift
a4a219a733
unconfined: add a note about DBUS 
Addresses https://github.com/SELinuxProject/refpolicy/issues/18
 2019-01-14 17:02:56 +01:00
Nicolas Iooss
ae35b48f8e
selinuxutil: allow restorecond to read symlinks 
As restorecond dereferences symlinks when it encounters them in user
home directories, allow this access.
 2019-01-13 22:47:11 +01:00
Chris PeBenito
353d92a77a systemd: Module version bump. 2019-01-13 14:59:27 -05:00
Chris PeBenito
966f981fd8 systemd: Whitespace change 2019-01-13 14:47:34 -05:00
Nicolas Iooss
c53019f2c3
systemd: add policy for systemd-rfkill 2019-01-12 23:00:29 +01:00
Chris PeBenito
e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Chris PeBenito
e8b70915b1 Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:55:36 -05:00
Sugar, David
f0860ff0bb Add interface to start/stop iptables service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-12 14:32:00 -05:00
Russell Coker
da1de46f66 some little stuff 
Tiny and I think they are all obvious.
 2019-01-12 14:16:33 -05:00
Nicolas Iooss
c3b588bc65
init: rename *_pid_* interfaces to use "runtime" 
The name of these interfaces is clearer that way.

This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
 2019-01-12 17:11:00 +01:00
Chris PeBenito
143ed2cc1b init, logging: Module version bump. 2019-01-10 20:26:36 -05:00
Nicolas Iooss
6f5e31431e
Allow systemd-journald to read systemd unit symlinks 
type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:user@1000.service"
    dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0
    type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:dbus.service"
    dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

"ls -lZ" on these files gives:

    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:user@1000.service -> a12344e990e641d9a43065b2d1e115a7
    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:dbus.service -> 70bd8da4e0c14bf8b7fcadcd71d22214
 2019-01-10 23:51:08 +01:00
Chris PeBenito
85536c64e1 kernel, jabber, ntp, init, logging, systemd: Module version bump. 2019-01-09 19:36:41 -05:00
Chris PeBenito
d2a1333fdc kernel, systemd: Move lines. 2019-01-09 19:30:15 -05:00
Russell Coker
9cb572bd02 mls stuff 
Here are the patches I used last time I tried to get MLS going on Debian.
 2019-01-09 19:20:35 -05:00
Chris PeBenito
1ff4b35ec2 iptables: Module version bump. 2019-01-07 18:48:44 -05:00
Sugar, David
43a77c30fa Add interface to get status of iptables service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-07 18:40:13 -05:00
Chris PeBenito
e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Chris PeBenito
599112a85c Merge branch 'systemd-logind-getutxent' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:07:54 -05:00
Chris PeBenito
bd50873362 Merge branch 'restorecond_getattr_cgroupfs' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:07:24 -05:00
Sugar, David
82494cedc1 pam_faillock creates files in /run/faillock 
These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t).  sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.

v3 - Updated based on feedback

type=AVC msg=audit(1545153126.899:210): avc:  denied  { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc:  denied  { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1

type=AVC msg=audit(1545167205.531:626): avc:  denied  { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-06 13:57:18 -05:00
Chris PeBenito
6780e6d2e2 init: Remove inadvertent merge. 2019-01-06 13:53:02 -05:00
Chris PeBenito
61b83b30be systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime(). 
Move implementation with other networkd_runtime interfaces.
 2019-01-06 13:49:02 -05:00
Russell Coker
b77b4cd610 missing from previous 
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
 2019-01-06 13:44:18 -05:00
Russell Coker
ef6c7f155e systemd misc 
This patch has policy changes related to systemd and the systemd versions
of system programs.

Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
 2019-01-06 13:11:51 -05:00
Nicolas Iooss
150bd4e179
systemd: allow systemd-logind to use getutxent() 
systemd-logind reads /run/utmp in order to warn users who are currently
logged in about an imminent shutdown. It calls utmp_wall() in
https://github.com/systemd/systemd/blob/v240/src/login/logind-utmp.c#L75-L87
This function calls glibc's getutxent() here:
https://github.com/systemd/systemd/blob/v240/src/shared/utmp-wtmp.c#L401
This function, implemented in
https://sourceware.org/git/?p=glibc.git;a=blob;f=login/utmp_file.c;h=040a5057116bb69d9dfb1ca46f025277a6e20291;hb=3c03baca37fdcb52c3881e653ca392bba7a99c2b
, opens and locks /run/utmp in order to enumerate the users.
 2019-01-06 16:28:32 +01:00
Nicolas Iooss
49af56f3b5
selinuxutil: allow restorecond to try counting the number of files in cgroup fs 
When restorecond calls selinux_restorecon(), libselinux scans
/proc/mounts in a function named exclude_non_seclabel_mounts with the
following comment
(https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230):

    /*
     * This is called once when selinux_restorecon() is first called.
     * Searches /proc/mounts for all file systems that do not support extended
     * attributes and adds them to the exclude directory table.  File systems
     * that support security labels have the seclabel option, return
     * approximate total file count.
     */

The "approximate total file count" is computed using statvfs(), which
results in a system call to statfs().

The cgroup filesystem supports security label (/proc/mounts shows
"seclabel") so restorecond uses statfs to try counting the number of its
inodes. This result in the following denial:

    type=AVC msg=audit(1546727200.623:67): avc:  denied  { getattr } for
    pid=314 comm="restorecond" name="/" dev="cgroup" ino=1
    scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0

    type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137
    success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55
    a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0
    euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
    ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond"
    subj=system_u:system_r:restorecond_t key=(null)

    type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond"

Allow this, like commit 5125b8eb2d ("last misc stuff") did for
setfiles_t.
 2019-01-05 23:51:36 +01:00
Chris PeBenito
d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Russell Coker
e1babbc375 systemd related interfaces 
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
 2019-01-05 14:17:01 -05:00
Chris PeBenito
39881a0e14 dpkg: Rename dpkg_read_script_tmp_links(). 2019-01-05 13:56:43 -05:00
Chris PeBenito
5a9982de70 sysnetwork: Move lines. 2019-01-05 13:56:15 -05:00
Russell Coker
5125b8eb2d last misc stuff 
More tiny patches.  Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
 2019-01-05 13:54:38 -05:00
Chris PeBenito
57df6fa0d5 sysnetwork: Move optional block in sysnet_dns_name_resolve(). 2019-01-05 13:42:11 -05:00
Russell Coker
73f8b85ef3 misc interfaces 
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
 2019-01-05 13:36:20 -05:00
Chris PeBenito
65b7fa3f43 lvm, syncthing: Module version bump. 2019-01-03 17:52:03 -05:00
Alexander Miroshnichenko
29bbe7b958 Add comment for map on lvm_metadata_t. 2019-01-03 10:15:07 +03:00
Alexander Miroshnichenko
eca583b86c Add map permission to lvm_t on lvm_metadata_t. 
On musl libc system lvm requires map permission.
 2018-12-30 18:57:56 +03:00
Chris PeBenito
e5ac999aab dbus, xserver, init, logging, modutils: Module version bump. 2018-12-11 17:59:31 -05:00
David Sugar
6167b9b6e5 Allow auditctl_t to read bin_t symlinks. 
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod.  But policy didn't allow auditctl_t to follow
that link.

type=AVC msg=audit(1543853530.925:141): avc:  denied  { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc:  denied  { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc:  denied  { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc:  denied  { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar
e73e9e7734 Add missing require for 'daemon' attribute. 
Not sure how I didn't notice this missing require before.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar
241b917d37 Allow kmod to read /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1543769402.716:165): avc:  denied  { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc:  denied  { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
Chris PeBenito
249e87ab73 cron, minissdpd, ntp, systemd: Module version bump. 2018-11-17 19:02:54 -05:00
David Sugar
56e8f679b2 interface to enable/disable systemd_networkd service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-17 18:52:31 -05:00
Chris PeBenito
b4d7c65fc4 Various modules: Version bump. 2018-11-11 15:58:59 -05:00
Chris PeBenito
205b5e705a Merge branch 'iscsi' of https://github.com/bigon/refpolicy 2018-11-11 15:53:19 -05:00
Chris PeBenito
0e868859c4 Merge branch 'resolved' of https://github.com/bigon/refpolicy 2018-11-11 15:52:51 -05:00
Laurent Bigonville
7316be9c2a Allow iscsid_t to create a netlink_iscsi_socket 
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc:  denied  { bind } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc:  denied  { create } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
 2018-11-11 20:04:21 +01:00
Laurent Bigonville
d5d6fe0046 Allow systemd_resolved_t to bind to port 53 and use net_raw 
resolved also binds against port 53 on lo interface
 2018-11-11 14:27:01 +01:00
Laurent Bigonville
404dcf2af4 Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names 
Also allow unconfined_t to talk with the resolved daemon
 2018-11-11 13:36:05 +01:00
Laurent Bigonville
06588b55b4 Add systemd_dbus_chat_resolved() interface 2018-11-11 13:33:00 +01:00
Laurent Bigonville
6060f35f03 Allow semanage_t to connect to system D-Bus bus 
This is needed as systemd NSS modules is talking to systemd/PID1 over
D-Bus
 2018-11-10 19:01:33 +01:00
Chris PeBenito
1431ba9d41 amavis, apache, clamav, exim, mta, udev: Module version bump. 2018-11-09 19:32:08 -05:00
David Sugar
f0047d0247 Add interface udev_run_domain 
This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action.  This interface allows a domain transition to occur for the run action.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:04:22 -05:00
Chris PeBenito
35463351a0 clamav, ssh, init: Module version bump. 2018-10-27 15:10:10 -04:00
Luis Ressel
9dd80c6a67 system/init: Give init_spec_daemon_domain()s the "daemon" attribute 
init_daemon_domain() applies this attribute too.
 2018-10-27 14:56:34 -04:00
Chris PeBenito
5a3207fb45 miscfiles: Module version bump. 2018-10-14 13:55:21 -04:00
Luis Ressel
75dcc276c0 miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t 
fontconfig can be configure to use the TeX Live fonts in addition to
/usr/share/fonts/.
 2018-10-14 13:50:27 -04:00
Chris PeBenito
65da822c1b Remove unused translate permission in context userspace class. 
mcstransd never implemented this permission.  To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
 2018-10-13 13:39:18 -04:00
Chris PeBenito
3899825c1c fstools: Module version bump. 2018-08-04 08:51:00 -04:00
Nicolas Iooss
094409b735 fstools: label e2mmpstatus as fsadm_exec_t 
e2fsprogs 1.44.3 installs e2mmpstatus as a hard link to dumpe2fs. This
makes "restorecon -Rv /usr/bin" relabels this file with conflicting
contexts:

Relabeled /usr/bin/e2mmpstatus from system_u:object_r:fsadm_exec_t to system_u:object_r:bin_t
Relabeled /usr/bin/dumpe2fs from system_u:object_r:bin_t to system_u:object_r:fsadm_exec_t

Fix this by labelling e2mmpstatus like dumpe2fs.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2018-08-04 08:50:06 -04:00
Chris PeBenito
e1caae17a2 ipsec: Module version bump. 2018-07-28 09:02:22 -04:00
Yuli Khodorkovskiy
305bd29f65 ipsec: add missing permissions for pluto 
When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.

Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
 2018-07-28 08:58:34 -04:00
Chris PeBenito
d301e83161 mozilla, devices, selinux, xserver, init, iptables: Module version bump. 2018-07-10 20:11:40 -04:00
Jason Zaman
6bf506ec68 iptables: fcontexts for 1.8.0 
The binary changed from /sbin/xtables-multi to xtables-legacy-multi and
xtables-nft-multi
 2018-07-10 17:25:11 -04:00
Jason Zaman
d53047dc58 Allow map xserver_misc_device_t for nvidia driver 2018-07-10 17:25:11 -04:00
Chris PeBenito
65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito
87b0512036 xdg, xserver, mplayer, games: Module version bump. 2018-06-24 20:32:02 -04:00