RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,824 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

4824 Commits

Author SHA1 Message Date
David Sugar 5deea1b940 Add interfaces to control ntpd_unit_t systemd services 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-17 18:52:31 -05:00
Chris PeBenito cd4be3dcd0 dnsmasq: Module version bump. 2018-11-17 18:50:18 -05:00
Petr Vorel da49b37d87 dnsmasq: Require log files to have .log suffix 
+ allow log rotate as well.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
 2018-11-17 18:49:59 -05:00
Laurent Bigonville a71cc466fc Allow minissdpd_t to create a unix_stream_socket 
----
type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc:  denied  { listen } for  pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc:  denied  { accept } for  pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
 2018-11-12 16:24:54 +01:00
Chris PeBenito b4d7c65fc4 Various modules: Version bump. 2018-11-11 15:58:59 -05:00
Chris PeBenito 205b5e705a Merge branch 'iscsi' of https://github.com/bigon/refpolicy 2018-11-11 15:53:19 -05:00
Chris PeBenito 0e868859c4 Merge branch 'resolved' of https://github.com/bigon/refpolicy 2018-11-11 15:52:51 -05:00
Chris PeBenito 390c4f80fb Merge branch 'master' of https://github.com/bigon/refpolicy 2018-11-11 15:52:14 -05:00
Laurent Bigonville 7316be9c2a Allow iscsid_t to create a netlink_iscsi_socket 
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc:  denied  { bind } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc:  denied  { create } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
 2018-11-11 20:04:21 +01:00
Laurent Bigonville d5d6fe0046 Allow systemd_resolved_t to bind to port 53 and use net_raw 
resolved also binds against port 53 on lo interface
 2018-11-11 14:27:01 +01:00
Laurent Bigonville 404dcf2af4 Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names 
Also allow unconfined_t to talk with the resolved daemon
 2018-11-11 13:36:05 +01:00
Laurent Bigonville 06588b55b4 Add systemd_dbus_chat_resolved() interface 2018-11-11 13:33:00 +01:00
Laurent Bigonville df58008c2b Allow ntpd_t to read init state 
With systemd-timesyncd, the following AVC denials are generated:
  type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc:  denied  { open } for  pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
  type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc:  denied  { read } for  pid=397 comm=systemd-timesyn name=sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
  type=AVC msg=audit(01/11/18 15:44:39.564:49) : avc:  denied  { getattr } for  pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
 2018-11-10 19:01:33 +01:00
Laurent Bigonville 6060f35f03 Allow semanage_t to connect to system D-Bus bus 
This is needed as systemd NSS modules is talking to systemd/PID1 over
D-Bus
 2018-11-10 19:01:33 +01:00
Laurent Bigonville 2f054c67a2 irqbalance now creates an abstract socket 2018-11-10 19:01:28 +01:00
Chris PeBenito 4ff893bca0 dnsmasq: Reorder lines in file contexts. 2018-11-09 19:35:14 -05:00
Chris PeBenito f583b6b061 dnsmasq: Whitespace fix in file contexts. 2018-11-09 19:34:49 -05:00
Chris PeBenito 1431ba9d41 amavis, apache, clamav, exim, mta, udev: Module version bump. 2018-11-09 19:32:08 -05:00
David Sugar 75dd54edc7 Allow clamd to use sent file descriptor 
This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning.  This still requires
the file type to be readable by clamd.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:09:49 -05:00
David Sugar 2fa76a4b9e Add interfaces to control clamav_unit_t systemd services 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar 81953475a5 Interface to add domain allowed to be read by ClamAV for scanning. 
Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar 03f248c9e1 Allow clamd_t to read /proc/sys/crypt/fips_enabled 
To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc:  denied  { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc:  denied  { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc:  denied  { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc:  denied  { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar f0047d0247 Add interface udev_run_domain 
This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action.  This interface allows a domain transition to occur for the run action.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:04:22 -05:00
Chris PeBenito 35463351a0 clamav, ssh, init: Module version bump. 2018-10-27 15:10:10 -04:00
David Sugar 8e18a55457 Update CUSTOM_BUILDOPT 
Have Makefile include CUSTOM_BUILDOPT in generated build.conf
Update Makefile.devel to pass CUSTOM_BUILDOPT while building module

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-10-27 14:56:34 -04:00
Luis Ressel 9dd80c6a67 system/init: Give init_spec_daemon_domain()s the "daemon" attribute 
init_daemon_domain() applies this attribute too.
 2018-10-27 14:56:34 -04:00
Luis Ressel a42ff404bd services/ssh: Don't audit accesses from ssh_t to /dev/random 
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.

The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
 2018-10-27 14:56:34 -04:00
David Sugar 1941eefa13 Interface to allow reading of virus signature files. 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-10-27 14:56:34 -04:00
Chris PeBenito 66a337eec6 obj_perm_sets.spt: Add xdp_socket to socket_class_set. 2018-10-23 17:18:43 -04:00
Chris PeBenito 8d86c5eaf8
Merge pull request #3 from bigon/xdp-socket 
Add xdp_socket security class and access vectors
 2018-10-21 13:28:00 -04:00
Laurent Bigonville 109ab3296b Add xdp_socket security class and access vectors 
Added in 4.18 release
 2018-10-21 13:01:22 +02:00
Chris PeBenito 5a3207fb45 miscfiles: Module version bump. 2018-10-14 13:55:21 -04:00
Luis Ressel 75dcc276c0 miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t 
fontconfig can be configure to use the TeX Live fonts in addition to
/usr/share/fonts/.
 2018-10-14 13:50:27 -04:00
Chris PeBenito e3eba7b7ff logrotate: Module version bump. 2018-10-13 13:39:18 -04:00
Luis Ressel 14b4c0c8c7 Realign logrotate.fc, remove an obvious comment 2018-10-13 13:39:18 -04:00
Luis Ressel a604ae7ca2 Add fc for /var/lib/misc/logrotate.status 
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
 2018-10-13 13:39:18 -04:00
Chris PeBenito 65da822c1b Remove unused translate permission in context userspace class. 
mcstransd never implemented this permission.  To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
 2018-10-13 13:39:18 -04:00
Chris PeBenito e256e5563e
Merge pull request #1 from bigon/fix-sepolgen-ifgen 
policy/support/obj_perm_sets.spt: modify indentation of mmap_file_per…
 2018-10-09 19:27:59 -04:00
Laurent Bigonville 606e486876 policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to make sepolgen-ifgen happy 
Currently, sepolgen-ifgen fails with the following error:
  /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]
  error parsing headers
  error parsing file /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could not parse text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]"
 2018-10-09 12:53:44 +02:00
Chris PeBenito bf16b6d4b9 xserver: Module version bump. 2018-10-03 22:08:23 -04:00
Luis Ressel 9be8cfac19 xserver: Allow user fonts (and caches) to be mmap()ed. 
Applications can optionally map fonts and fontconfig caches into memory.
miscfiles_read_fonts() already grants those perms, but it seems
xserver_use_user_fonts() was forgotten.
 2018-10-03 22:07:59 -04:00
Chris PeBenito b3a1e8a8f8 corecommands: Module version bump. 2018-09-28 15:20:46 -04:00
Luis Ressel e751959925 corecommands: Fix /usr/share/apr* fc 
Both apr and apr-1 are possible
 2018-09-28 15:14:43 -04:00
Chris PeBenito 3899825c1c fstools: Module version bump. 2018-08-04 08:51:00 -04:00
Nicolas Iooss 094409b735 fstools: label e2mmpstatus as fsadm_exec_t 
e2fsprogs 1.44.3 installs e2mmpstatus as a hard link to dumpe2fs. This
makes "restorecon -Rv /usr/bin" relabels this file with conflicting
contexts:

Relabeled /usr/bin/e2mmpstatus from system_u:object_r:fsadm_exec_t to system_u:object_r:bin_t
Relabeled /usr/bin/dumpe2fs from system_u:object_r:bin_t to system_u:object_r:fsadm_exec_t

Fix this by labelling e2mmpstatus like dumpe2fs.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2018-08-04 08:50:06 -04:00
Chris PeBenito e1caae17a2 ipsec: Module version bump. 2018-07-28 09:02:22 -04:00
Yuli Khodorkovskiy 305bd29f65 ipsec: add missing permissions for pluto 
When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.

Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
 2018-07-28 08:58:34 -04:00
Chris PeBenito 9285d9f450 misc_patterns.spt: Remove unnecessary brackets. 2018-07-19 19:49:21 -04:00
Lukas Vrabec a7edcc9f2b Improve domain_transition_pattern to allow mmap entrypoint bin file. 
In domain_transition_pattern there is rule:
allow $1 $2:file { getattr open read execute };

map permission is missing here, which is generating lot of AVC.
Replacing permissions with mmap_exec_file_perms set.
 2018-07-19 19:48:08 -04:00
Chris PeBenito e9eec95de4 devices: Module version bump. 2018-07-15 16:56:51 -04:00