This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process. It is only checked when acting on another
process, so getrlimit permission is not required for use of getrlimit(2).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.
This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.
Since app-admin/setools-4.1.0, some python internals try to create and
execute a file in /tmp during semanage initalization, causing semanage
to crash. Here's the backtrace (with the path
"/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.4/semanage", line 28, in <module>
import seobject
File "py/seobject.py", line 34, in <module>
import sepolicy
File "py/sepolicy/__init__.py", line 8, in <module>
import setools
File "py/setools/__init__.py", line 77, in <module>
from .infoflow import InfoFlowAnalysis
File "py/setools/infoflow.py", line 22, in <module>
import networkx as nx
File "py/networkx/__init__.py", line 93, in <module>
import networkx.linalg
File "py/networkx/linalg/__init__.py", line 9, in <module>
from networkx.linalg.algebraicconnectivity import *
File "py/networkx/linalg/algebraicconnectivity.py", line 18, in <module>
from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
File "py/numpy/__init__.py", line 180, in <module>
from . import add_newdocs
File "py/numpy/add_newdocs.py", line 13, in <module>
from numpy.lib import add_newdoc
File "py/numpy/lib/__init__.py", line 8, in <module>
from .type_check import *
File "py/numpy/lib/type_check.py", line 11, in <module>
import numpy.core.numeric as _nx
File "py/numpy/core/__init__.py", line 22, in <module>
from . import _internal # for freeze programs
File "py/numpy/core/_internal.py", line 14, in <module>
import ctypes
File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in <module>
_reset_cache()
File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
CFUNCTYPE(c_int)(lambda: None)
MemoryError
Improve the initrc domain within the init module with some permissions
needed for a smoother boot.
Let the iptables init scripts read the iptables configuration.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Improve the locallogin module by curbing on dac_override permissions
in the sulogin domain (read/search permissions only).
Thanks to Dominick Grift for suggesting this.
Other modules are likely affected by the same issue.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.
Please merge this.
This patch fixes the policy for sulogin. It is very important
because without this patch, sulogin cannot work properly and
it should be considered that it is used as an emergency shell
when there are serious consistency errors in the system, so it
constitutes the only way to recover the system in such
circumstances.
Nowadays, sulogin never uses PAM (at least not the official one
from util-linux), so obsolete, confusing and buggy policy has
been removed.
Extensive testing carried out while creating this patch indicates
that there aren't other permissions needed to successfully run
sulogin.
This second version should apply cleanly to the latest git tree.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This patch fixes the xserver module so that the hidden .ICEauthority
file is created with the proper context (file transition).
It also optimizes a similar interface used for xauth home files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This patch adds three new file contexts for script executables
belonging to new Gnome applications (weather application and
sound recorder).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Added mono_run for unconfined and also xserver_role and allow it to dbus
chat with xdm.
Allow sysadm_t to read kmsg.
Allow user domains to dbus chat with kerneloops for the kerneloops desktop
gui. Also allow them to chat with devicekit disk and power daemons.
Allow gconfd_t to read /var/lib/gconf/defaults and /proc/filesystems
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
Allow mount_t to do more with it's runtime files and stat more filesystem
types.
Allow xauth to send sigchld to xdm.
Allow semanage to search policy_src_t dirs and read /dev/urandom.
Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.
Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
etc.
Patch for brctl to allow it to create sysfs files.
This patch adds a lot of policy that is needed to setup an initramfs and grub
on Debian nowadays.
Also changed a comment about ia64 to correctly mention EFI.
Put in libx32 subs entries that refer to directories with fc entries.
Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.
Some dontaudit rules for mta processes spawned by mon for notification.
Lots of tiny changes that are obvious.
This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.
It has a number of changes needed by systemd_logind_t to set permissions for
local logins.
It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.
It has some changes for udev_t for systemd-udevd.
This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.
Allow init_t to do several things that it requires when init is systemd.
Allow various operations on var_log_t to access var_log_t symlinks too.
Let auditd setattr it's directory.
On systems such as Arch Linux, all programs which are usually located in
/bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the
other locations are symbolic links to this directory. With such a
configuration, the file contexts which define types for files in
/bin, /sbin and /usr/sbin need to be duplicated to provide definitions
for /usr/bin/...
As the "/bin vs. /usr/bin" part of the needed definitions has already
been done with the "usr merge" patches, the next step consists in
duplicating file contexts for /usr/sbin. This is what this patch does
for all modules which are not in contrib.
This is the second iteration of an idea I have previously posted on
http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html
mount.fc defines file contexts for /usr/bin/mount.*, /usr/bin/umount.*
and /usr/sbin/mount\.zfs. These patterns are not consistent for two
reasons:
- some distributions use /sbin/mount... for other file systems that zfs.
For example Debian uses /sbin/mount.ntfs-3g
(https://packages.debian.org/jessie/amd64/ntfs-3g/filelist)
- mount_exec_t type should only be applied to mount, umount, mount.$FS
and umount.udisks2, not mountpoint.
Replace the file patterns with ones that do not match mountpoint and
match every mount and umount programs in /usr/bin and /usr/sbin.
Python 3.6 complains about the strings which are used as regular
expression in the support scripts:
File "support/segenxml.py", line 37
INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
^
SyntaxError: invalid escape sequence \s
Stephen Smalley
Chris PeBenito
Krzysztof Nowicki
Luis Ressel
Jason Zaman
Guido Trentalancia
Guido Trentalancia via refpolicy
Nicolas Iooss