RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,899 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

3019 Commits

Author SHA1 Message Date
Chris PeBenito 966f981fd8 systemd: Whitespace change 2019-01-13 14:47:34 -05:00
Nicolas Iooss c53019f2c3
systemd: add policy for systemd-rfkill 2019-01-12 23:00:29 +01:00
Chris PeBenito e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Chris PeBenito e8b70915b1 Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:55:36 -05:00
Chris PeBenito d01b3a1169 Merge branch 'services_single_usr_bin' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:53:58 -05:00
Sugar, David f0860ff0bb Add interface to start/stop iptables service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-12 14:32:00 -05:00
Russell Coker da1de46f66 some little stuff 
Tiny and I think they are all obvious.
 2019-01-12 14:16:33 -05:00
Nicolas Iooss c3b588bc65
init: rename *_pid_* interfaces to use "runtime" 
The name of these interfaces is clearer that way.

This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
 2019-01-12 17:11:00 +01:00
Nicolas Iooss 80fb19a9ba
Label service binaries in /usr/bin like /usr/sbin 
For some services, the program responsible for the service has a file
context which is defined only when it is installed in /usr/sbin. This
does not work on Arch Linux, where every program is in /usr/bin
(/usr/sbin is a symlink to /usr/bin).

Add relevant file contexts for /usr/bin/$PROG when /usr/sbin/$PROG
exists.
 2019-01-12 17:08:09 +01:00
Chris PeBenito 143ed2cc1b init, logging: Module version bump. 2019-01-10 20:26:36 -05:00
Nicolas Iooss 6f5e31431e
Allow systemd-journald to read systemd unit symlinks 
type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:user@1000.service"
    dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0
    type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:dbus.service"
    dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

"ls -lZ" on these files gives:

    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:user@1000.service -> a12344e990e641d9a43065b2d1e115a7
    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:dbus.service -> 70bd8da4e0c14bf8b7fcadcd71d22214
 2019-01-10 23:51:08 +01:00
Chris PeBenito 85536c64e1 kernel, jabber, ntp, init, logging, systemd: Module version bump. 2019-01-09 19:36:41 -05:00
Russell Coker 4a95d08da1 logging 
Prosody and ntpd don't just need append access to their log files.
 2019-01-09 19:30:25 -05:00
Chris PeBenito d2a1333fdc kernel, systemd: Move lines. 2019-01-09 19:30:15 -05:00
Russell Coker 9cb572bd02 mls stuff 
Here are the patches I used last time I tried to get MLS going on Debian.
 2019-01-09 19:20:35 -05:00
Chris PeBenito 1ff4b35ec2 iptables: Module version bump. 2019-01-07 18:48:44 -05:00
Sugar, David 43a77c30fa Add interface to get status of iptables service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-07 18:40:13 -05:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Chris PeBenito 599112a85c Merge branch 'systemd-logind-getutxent' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:07:54 -05:00
Chris PeBenito bd50873362 Merge branch 'restorecond_getattr_cgroupfs' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:07:24 -05:00
Chris PeBenito 559d4b830a Merge branch 'ssh_dac_read_search' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:06:47 -05:00
Chris PeBenito 38839b3e6c nsd: Merge two rules into one. 2019-01-06 14:03:29 -05:00
Chris PeBenito ea11d5bbc2 Merge branch 'nsd' of https://github.com/alexminder/refpolicy 2019-01-06 14:02:06 -05:00
Sugar, David 82494cedc1 pam_faillock creates files in /run/faillock 
These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t).  sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.

v3 - Updated based on feedback

type=AVC msg=audit(1545153126.899:210): avc:  denied  { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc:  denied  { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1

type=AVC msg=audit(1545167205.531:626): avc:  denied  { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-06 13:57:18 -05:00
Sugar, David 2791589f9e Allow greeter to start dbus 
The display manager lightdm (and I think gdm) start a dbus binary.

v3 - Updated based on feedback

type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute } for  pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { read open } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute_no_trans } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { map } for  pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.112:208): avc:  denied  { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1

type=AVC msg=audit(1546551459.116:209): avc:  denied  { read } for pid=6275 comm="dbus-daemon" name="995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.116:209): avc:  denied  { open } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.116:210): avc:  denied  { getattr } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-06 13:57:18 -05:00
Chris PeBenito 6780e6d2e2 init: Remove inadvertent merge. 2019-01-06 13:53:02 -05:00
Russell Coker 3133587825 cron trivial 
Here are the most trivial cron patches I have, I would like to get this in
before discussing the more significant cron patches.
 2019-01-06 13:50:31 -05:00
Chris PeBenito 61b83b30be systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime(). 
Move implementation with other networkd_runtime interfaces.
 2019-01-06 13:49:02 -05:00
Russell Coker b77b4cd610 missing from previous 
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
 2019-01-06 13:44:18 -05:00
Russell Coker ef6c7f155e systemd misc 
This patch has policy changes related to systemd and the systemd versions
of system programs.

Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
 2019-01-06 13:11:51 -05:00
Nicolas Iooss 150bd4e179
systemd: allow systemd-logind to use getutxent() 
systemd-logind reads /run/utmp in order to warn users who are currently
logged in about an imminent shutdown. It calls utmp_wall() in
https://github.com/systemd/systemd/blob/v240/src/login/logind-utmp.c#L75-L87
This function calls glibc's getutxent() here:
https://github.com/systemd/systemd/blob/v240/src/shared/utmp-wtmp.c#L401
This function, implemented in
https://sourceware.org/git/?p=glibc.git;a=blob;f=login/utmp_file.c;h=040a5057116bb69d9dfb1ca46f025277a6e20291;hb=3c03baca37fdcb52c3881e653ca392bba7a99c2b
, opens and locks /run/utmp in order to enumerate the users.
 2019-01-06 16:28:32 +01:00
Nicolas Iooss 49af56f3b5
selinuxutil: allow restorecond to try counting the number of files in cgroup fs 
When restorecond calls selinux_restorecon(), libselinux scans
/proc/mounts in a function named exclude_non_seclabel_mounts with the
following comment
(https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230):

    /*
     * This is called once when selinux_restorecon() is first called.
     * Searches /proc/mounts for all file systems that do not support extended
     * attributes and adds them to the exclude directory table.  File systems
     * that support security labels have the seclabel option, return
     * approximate total file count.
     */

The "approximate total file count" is computed using statvfs(), which
results in a system call to statfs().

The cgroup filesystem supports security label (/proc/mounts shows
"seclabel") so restorecond uses statfs to try counting the number of its
inodes. This result in the following denial:

    type=AVC msg=audit(1546727200.623:67): avc:  denied  { getattr } for
    pid=314 comm="restorecond" name="/" dev="cgroup" ino=1
    scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0

    type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137
    success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55
    a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0
    euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
    ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond"
    subj=system_u:system_r:restorecond_t key=(null)

    type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond"

Allow this, like commit 5125b8eb2d ("last misc stuff") did for
setfiles_t.
 2019-01-05 23:51:36 +01:00
Nicolas Iooss 3734d7e76c ssh: use dac_read_search instead of dac_override 
When creating a session for a new user, sshd performs a stat() call
somewhere:

    type=AVC msg=audit(1502951786.649:211): avc:  denied  {
    dac_read_search } for  pid=274 comm="sshd" capability=2
    scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t
    tclass=capability permissive=1

    type=SYSCALL msg=audit(1502951786.649:211): arch=c000003e syscall=4
    success=no exit=-2 a0=480e79b300 a1=7ffe0e09b080 a2=7ffe0e09b080
    a3=7fb2aa321b20 items=0 ppid=269 pid=274 auid=1000 uid=0 gid=0
    euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
    comm="sshd" exe="/usr/bin/sshd" subj=system_u:system_r:sshd_t
    key=(null)

    type=PROCTITLE msg=audit(1502951786.649:211):
    proctitle=737368643A2076616772616E74205B707269765D
 2019-01-05 21:21:18 +01:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Chris PeBenito da9ff19d94 sudo: Whitespace fix. 2019-01-05 14:17:18 -05:00
Russell Coker e1babbc375 systemd related interfaces 
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
 2019-01-05 14:17:01 -05:00
Chris PeBenito 6f12a29ecc apt, rpm: Remove and move lines to fix fc conflicts. 2019-01-05 14:09:57 -05:00
Chris PeBenito 39881a0e14 dpkg: Rename dpkg_read_script_tmp_links(). 2019-01-05 13:56:43 -05:00
Chris PeBenito 5a9982de70 sysnetwork: Move lines. 2019-01-05 13:56:15 -05:00
Russell Coker 5125b8eb2d last misc stuff 
More tiny patches.  Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
 2019-01-05 13:54:38 -05:00
Chris PeBenito 57df6fa0d5 sysnetwork: Move optional block in sysnet_dns_name_resolve(). 2019-01-05 13:42:11 -05:00
Russell Coker 73f8b85ef3 misc interfaces 
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
 2019-01-05 13:36:20 -05:00
Chris PeBenito 713f9000b5 networkmanager: Add ICMPv6 comment 2019-01-05 13:34:18 -05:00
Russell Coker 678c9e0b7a misc services patches 
Lots of little patches to services.
 2019-01-05 13:30:30 -05:00
Alexander Miroshnichenko c947258610 Remove unneeded braces from nsd.te. 2019-01-04 15:59:02 +03:00
Chris PeBenito 56b7919589 sigrok: Remove extra comments. 2019-01-03 20:52:26 -05:00
Guido Trentalancia 9e6febb049 Add sigrok contrib module 
Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
 2019-01-03 20:51:18 -05:00
Chris PeBenito 65b7fa3f43 lvm, syncthing: Module version bump. 2019-01-03 17:52:03 -05:00
Chris PeBenito 82e652df04 Merge branch 'lvm' of https://github.com/alexminder/refpolicy 2019-01-03 17:45:16 -05:00
Chris PeBenito 9e3bb1bfde syncthing: Whitespace change 2019-01-03 17:44:48 -05:00
Alexander Miroshnichenko 972654cf09 Remove syncthing tunable_policy. 
kernel_read_network_state already give syncthing to get route information. Backup plan with ifconfig does not required.
 2019-01-03 13:26:08 +03:00
Alexander Miroshnichenko 29bbe7b958 Add comment for map on lvm_metadata_t. 2019-01-03 10:15:07 +03:00
Alexander Miroshnichenko eca583b86c Add map permission to lvm_t on lvm_metadata_t. 
On musl libc system lvm requires map permission.
 2018-12-30 18:57:56 +03:00
Alexander Miroshnichenko faa2b15910 Add nsd_admin interface to sysadm.te. 
Allow users with sysadm_r role to start/stop NSD daemon.
 2018-12-30 18:30:23 +03:00
Alexander Miroshnichenko e426b5785f Add required permissions for nsd_t to be able running. 
Add required permissions to nsd_t for NSD work properly.
 2018-12-30 18:27:30 +03:00
Alexander Miroshnichenko 8b2add4140 Allow syncthing_t to execute ifconfig/iproute2. 
Add new boolean which can allow syncthing_t to execute ifconfig/iproute2 to determinate gateway for NAT-PMP.
 2018-12-30 17:43:16 +03:00
Alexander Miroshnichenko 2b3473c40c Allow syncthing_t to read network state. 
Allow to read network state (/proc/*/route) and proc_t (/proc/cpuinfo, /proc/meminfo).
 2018-12-30 17:42:26 +03:00
Alexander Miroshnichenko eb588f836e Add corecmd_exec_bin permissions to syncthing_t. 
corecmd_exec_bin required to run application.
 2018-12-30 17:41:31 +03:00
Alexander Miroshnichenko d2569bb877 Add signal_perms setpgid setsched permissions to syncthing_t. 
setpgid required because of "WARNING: Failed to lower process priority: set process group: permission denied"
setsched required because of "WARNING: Failed to lower process priority: set niceness: permission denied"
signal_perms required to launch app.
 2018-12-30 17:39:38 +03:00
Chris PeBenito e5ac999aab dbus, xserver, init, logging, modutils: Module version bump. 2018-12-11 17:59:31 -05:00
David Sugar 6167b9b6e5 Allow auditctl_t to read bin_t symlinks. 
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod.  But policy didn't allow auditctl_t to follow
that link.

type=AVC msg=audit(1543853530.925:141): avc:  denied  { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc:  denied  { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc:  denied  { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc:  denied  { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar e73e9e7734 Add missing require for 'daemon' attribute. 
Not sure how I didn't notice this missing require before.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar 55c3fab804 Allow dbus to access /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1543769401.029:153): avc:  denied  { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc:  denied  { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1543845518.175:364): avc:  denied  { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc:  denied  { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar 241b917d37 Allow kmod to read /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1543769402.716:165): avc:  denied  { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc:  denied  { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar 3425d22c24 Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1543761322.221:211): avc:  denied  { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc:  denied  { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc:  denied  { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc:  denied  { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
Chris PeBenito 249e87ab73 cron, minissdpd, ntp, systemd: Module version bump. 2018-11-17 19:02:54 -05:00
Chris PeBenito 45a8ddd39f Merge branch 'minissdpd' of https://github.com/bigon/refpolicy 2018-11-17 18:58:09 -05:00
David Sugar b73758bb97 Interface to read cron_system_spool_t 
Useful for the case that manage isn't requied.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-17 18:52:31 -05:00
David Sugar 56e8f679b2 interface to enable/disable systemd_networkd service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-17 18:52:31 -05:00
David Sugar 5deea1b940 Add interfaces to control ntpd_unit_t systemd services 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-17 18:52:31 -05:00
Chris PeBenito cd4be3dcd0 dnsmasq: Module version bump. 2018-11-17 18:50:18 -05:00
Petr Vorel da49b37d87 dnsmasq: Require log files to have .log suffix 
+ allow log rotate as well.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
 2018-11-17 18:49:59 -05:00
Laurent Bigonville a71cc466fc Allow minissdpd_t to create a unix_stream_socket 
----
type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc:  denied  { listen } for  pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc:  denied  { accept } for  pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
 2018-11-12 16:24:54 +01:00
Chris PeBenito b4d7c65fc4 Various modules: Version bump. 2018-11-11 15:58:59 -05:00
Chris PeBenito 205b5e705a Merge branch 'iscsi' of https://github.com/bigon/refpolicy 2018-11-11 15:53:19 -05:00
Chris PeBenito 0e868859c4 Merge branch 'resolved' of https://github.com/bigon/refpolicy 2018-11-11 15:52:51 -05:00
Laurent Bigonville 7316be9c2a Allow iscsid_t to create a netlink_iscsi_socket 
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc:  denied  { bind } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc:  denied  { create } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
 2018-11-11 20:04:21 +01:00
Laurent Bigonville d5d6fe0046 Allow systemd_resolved_t to bind to port 53 and use net_raw 
resolved also binds against port 53 on lo interface
 2018-11-11 14:27:01 +01:00
Laurent Bigonville 404dcf2af4 Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names 
Also allow unconfined_t to talk with the resolved daemon
 2018-11-11 13:36:05 +01:00
Laurent Bigonville 06588b55b4 Add systemd_dbus_chat_resolved() interface 2018-11-11 13:33:00 +01:00
Laurent Bigonville df58008c2b Allow ntpd_t to read init state 
With systemd-timesyncd, the following AVC denials are generated:
  type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc:  denied  { open } for  pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
  type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc:  denied  { read } for  pid=397 comm=systemd-timesyn name=sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
  type=AVC msg=audit(01/11/18 15:44:39.564:49) : avc:  denied  { getattr } for  pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
 2018-11-10 19:01:33 +01:00
Laurent Bigonville 6060f35f03 Allow semanage_t to connect to system D-Bus bus 
This is needed as systemd NSS modules is talking to systemd/PID1 over
D-Bus
 2018-11-10 19:01:33 +01:00
Laurent Bigonville 2f054c67a2 irqbalance now creates an abstract socket 2018-11-10 19:01:28 +01:00
Chris PeBenito 4ff893bca0 dnsmasq: Reorder lines in file contexts. 2018-11-09 19:35:14 -05:00
Chris PeBenito f583b6b061 dnsmasq: Whitespace fix in file contexts. 2018-11-09 19:34:49 -05:00
Chris PeBenito 1431ba9d41 amavis, apache, clamav, exim, mta, udev: Module version bump. 2018-11-09 19:32:08 -05:00
David Sugar 75dd54edc7 Allow clamd to use sent file descriptor 
This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning.  This still requires
the file type to be readable by clamd.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:09:49 -05:00
David Sugar 2fa76a4b9e Add interfaces to control clamav_unit_t systemd services 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar 81953475a5 Interface to add domain allowed to be read by ClamAV for scanning. 
Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar 03f248c9e1 Allow clamd_t to read /proc/sys/crypt/fips_enabled 
To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc:  denied  { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc:  denied  { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc:  denied  { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc:  denied  { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar f0047d0247 Add interface udev_run_domain 
This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action.  This interface allows a domain transition to occur for the run action.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:04:22 -05:00
Chris PeBenito 35463351a0 clamav, ssh, init: Module version bump. 2018-10-27 15:10:10 -04:00
Luis Ressel 9dd80c6a67 system/init: Give init_spec_daemon_domain()s the "daemon" attribute 
init_daemon_domain() applies this attribute too.
 2018-10-27 14:56:34 -04:00
Luis Ressel a42ff404bd services/ssh: Don't audit accesses from ssh_t to /dev/random 
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.

The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
 2018-10-27 14:56:34 -04:00
David Sugar 1941eefa13 Interface to allow reading of virus signature files. 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-10-27 14:56:34 -04:00
Chris PeBenito 5a3207fb45 miscfiles: Module version bump. 2018-10-14 13:55:21 -04:00
Luis Ressel 75dcc276c0 miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t 
fontconfig can be configure to use the TeX Live fonts in addition to
/usr/share/fonts/.
 2018-10-14 13:50:27 -04:00
Chris PeBenito e3eba7b7ff logrotate: Module version bump. 2018-10-13 13:39:18 -04:00
Luis Ressel 14b4c0c8c7 Realign logrotate.fc, remove an obvious comment 2018-10-13 13:39:18 -04:00
Luis Ressel a604ae7ca2 Add fc for /var/lib/misc/logrotate.status 
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
 2018-10-13 13:39:18 -04:00