Chris PeBenito
bd50873362
Merge branch 'restorecond_getattr_cgroupfs' of git://github.com/fishilico/selinux-refpolicy
2019-01-06 14:07:24 -05:00
Chris PeBenito
559d4b830a
Merge branch 'ssh_dac_read_search' of git://github.com/fishilico/selinux-refpolicy
2019-01-06 14:06:47 -05:00
Chris PeBenito
38839b3e6c
nsd: Merge two rules into one.
2019-01-06 14:03:29 -05:00
Chris PeBenito
ea11d5bbc2
Merge branch 'nsd' of https://github.com/alexminder/refpolicy
2019-01-06 14:02:06 -05:00
Sugar, David
82494cedc1
pam_faillock creates files in /run/faillock
...
These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t). sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.
v3 - Updated based on feedback
type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-06 13:57:18 -05:00
Sugar, David
2791589f9e
Allow greeter to start dbus
...
The display manager lightdm (and I think gdm) start a dbus binary.
v3 - Updated based on feedback
type=AVC msg=audit(1544626796.378:201): avc: denied { execute } for pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc: denied { read open } for pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc: denied { execute_no_trans } for pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc: denied { map } for pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.112:208): avc: denied { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1546551459.116:209): avc: denied { read } for pid=6275 comm="dbus-daemon" name="995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.116:209): avc: denied { open } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.116:210): avc: denied { getattr } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-06 13:57:18 -05:00
Chris PeBenito
6780e6d2e2
init: Remove inadvertent merge.
2019-01-06 13:53:02 -05:00
Russell Coker
3133587825
cron trivial
...
Here are the most trivial cron patches I have, I would like to get this in
before discussing the more significant cron patches.
2019-01-06 13:50:31 -05:00
Chris PeBenito
61b83b30be
systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime().
...
Move implementation with other networkd_runtime interfaces.
2019-01-06 13:49:02 -05:00
Russell Coker
b77b4cd610
missing from previous
...
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
2019-01-06 13:44:18 -05:00
Russell Coker
ef6c7f155e
systemd misc
...
This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
2019-01-06 13:11:51 -05:00
Nicolas Iooss
49af56f3b5
selinuxutil: allow restorecond to try counting the number of files in cgroup fs
...
When restorecond calls selinux_restorecon(), libselinux scans
/proc/mounts in a function named exclude_non_seclabel_mounts with the
following comment
(https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230 ):
/*
* This is called once when selinux_restorecon() is first called.
* Searches /proc/mounts for all file systems that do not support extended
* attributes and adds them to the exclude directory table. File systems
* that support security labels have the seclabel option, return
* approximate total file count.
*/
The "approximate total file count" is computed using statvfs(), which
results in a system call to statfs().
The cgroup filesystem supports security label (/proc/mounts shows
"seclabel") so restorecond uses statfs to try counting the number of its
inodes. This result in the following denial:
type=AVC msg=audit(1546727200.623:67): avc: denied { getattr } for
pid=314 comm="restorecond" name="/" dev="cgroup" ino=1
scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137
success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55
a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond"
subj=system_u:system_r:restorecond_t key=(null)
type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond"
Allow this, like commit 5125b8eb2d
("last misc stuff") did for
setfiles_t.
2019-01-05 23:51:36 +01:00
Nicolas Iooss
3734d7e76c
ssh: use dac_read_search instead of dac_override
...
When creating a session for a new user, sshd performs a stat() call
somewhere:
type=AVC msg=audit(1502951786.649:211): avc: denied {
dac_read_search } for pid=274 comm="sshd" capability=2
scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t
tclass=capability permissive=1
type=SYSCALL msg=audit(1502951786.649:211): arch=c000003e syscall=4
success=no exit=-2 a0=480e79b300 a1=7ffe0e09b080 a2=7ffe0e09b080
a3=7fb2aa321b20 items=0 ppid=269 pid=274 auid=1000 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="sshd" exe="/usr/bin/sshd" subj=system_u:system_r:sshd_t
key=(null)
type=PROCTITLE msg=audit(1502951786.649:211):
proctitle=737368643A2076616772616E74205B707269765D
2019-01-05 21:21:18 +01:00
Chris PeBenito
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
Chris PeBenito
da9ff19d94
sudo: Whitespace fix.
2019-01-05 14:17:18 -05:00
Russell Coker
e1babbc375
systemd related interfaces
...
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
2019-01-05 14:17:01 -05:00
Chris PeBenito
6f12a29ecc
apt, rpm: Remove and move lines to fix fc conflicts.
2019-01-05 14:09:57 -05:00
Chris PeBenito
39881a0e14
dpkg: Rename dpkg_read_script_tmp_links().
2019-01-05 13:56:43 -05:00
Chris PeBenito
5a9982de70
sysnetwork: Move lines.
2019-01-05 13:56:15 -05:00
Russell Coker
5125b8eb2d
last misc stuff
...
More tiny patches. Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
2019-01-05 13:54:38 -05:00
Chris PeBenito
57df6fa0d5
sysnetwork: Move optional block in sysnet_dns_name_resolve().
2019-01-05 13:42:11 -05:00
Russell Coker
73f8b85ef3
misc interfaces
...
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
2019-01-05 13:36:20 -05:00
Chris PeBenito
713f9000b5
networkmanager: Add ICMPv6 comment
2019-01-05 13:34:18 -05:00
Russell Coker
678c9e0b7a
misc services patches
...
Lots of little patches to services.
2019-01-05 13:30:30 -05:00
Alexander Miroshnichenko
c947258610
Remove unneeded braces from nsd.te.
2019-01-04 15:59:02 +03:00
Chris PeBenito
56b7919589
sigrok: Remove extra comments.
2019-01-03 20:52:26 -05:00
Guido Trentalancia
9e6febb049
Add sigrok contrib module
...
Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2019-01-03 20:51:18 -05:00
Chris PeBenito
65b7fa3f43
lvm, syncthing: Module version bump.
2019-01-03 17:52:03 -05:00
Chris PeBenito
82e652df04
Merge branch 'lvm' of https://github.com/alexminder/refpolicy
2019-01-03 17:45:16 -05:00
Chris PeBenito
9e3bb1bfde
syncthing: Whitespace change
2019-01-03 17:44:48 -05:00
Chris PeBenito
38cd14761a
Merge branch 'syncthing' of https://github.com/alexminder/refpolicy
2019-01-03 17:44:22 -05:00
Alexander Miroshnichenko
972654cf09
Remove syncthing tunable_policy.
...
kernel_read_network_state already give syncthing to get route information. Backup plan with ifconfig does not required.
2019-01-03 13:26:08 +03:00
Alexander Miroshnichenko
29bbe7b958
Add comment for map on lvm_metadata_t.
2019-01-03 10:15:07 +03:00
Alexander Miroshnichenko
eca583b86c
Add map permission to lvm_t on lvm_metadata_t.
...
On musl libc system lvm requires map permission.
2018-12-30 18:57:56 +03:00
Alexander Miroshnichenko
faa2b15910
Add nsd_admin interface to sysadm.te.
...
Allow users with sysadm_r role to start/stop NSD daemon.
2018-12-30 18:30:23 +03:00
Alexander Miroshnichenko
e426b5785f
Add required permissions for nsd_t to be able running.
...
Add required permissions to nsd_t for NSD work properly.
2018-12-30 18:27:30 +03:00
Alexander Miroshnichenko
8b2add4140
Allow syncthing_t to execute ifconfig/iproute2.
...
Add new boolean which can allow syncthing_t to execute ifconfig/iproute2 to determinate gateway for NAT-PMP.
2018-12-30 17:43:16 +03:00
Alexander Miroshnichenko
2b3473c40c
Allow syncthing_t to read network state.
...
Allow to read network state (/proc/*/route) and proc_t (/proc/cpuinfo, /proc/meminfo).
2018-12-30 17:42:26 +03:00
Alexander Miroshnichenko
eb588f836e
Add corecmd_exec_bin permissions to syncthing_t.
...
corecmd_exec_bin required to run application.
2018-12-30 17:41:31 +03:00
Alexander Miroshnichenko
d2569bb877
Add signal_perms setpgid setsched permissions to syncthing_t.
...
setpgid required because of "WARNING: Failed to lower process priority: set process group: permission denied"
setsched required because of "WARNING: Failed to lower process priority: set niceness: permission denied"
signal_perms required to launch app.
2018-12-30 17:39:38 +03:00
Chris PeBenito
e5ac999aab
dbus, xserver, init, logging, modutils: Module version bump.
2018-12-11 17:59:31 -05:00
David Sugar
6167b9b6e5
Allow auditctl_t to read bin_t symlinks.
...
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod. But policy didn't allow auditctl_t to follow
that link.
type=AVC msg=audit(1543853530.925:141): avc: denied { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc: denied { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc: denied { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc: denied { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
e73e9e7734
Add missing require for 'daemon' attribute.
...
Not sure how I didn't notice this missing require before.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
55c3fab804
Allow dbus to access /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
241b917d37
Allow kmod to read /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
3425d22c24
Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito
249e87ab73
cron, minissdpd, ntp, systemd: Module version bump.
2018-11-17 19:02:54 -05:00
Chris PeBenito
45a8ddd39f
Merge branch 'minissdpd' of https://github.com/bigon/refpolicy
2018-11-17 18:58:09 -05:00
David Sugar
b73758bb97
Interface to read cron_system_spool_t
...
Useful for the case that manage isn't requied.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
David Sugar
56e8f679b2
interface to enable/disable systemd_networkd service
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00