The kernel_delete_unlabeled_chr_files interface is called by the
(deprecated) files_delete_isid_type_chr_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_blk_files interface is called by the
(deprecated) files_delete_isid_type_blk_files in kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_sockets interface is called by the
(deprecated) files_delete_isid_type_sock_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_pipes interface is called by the
(deprecated) files_delete_isid_type_fifo_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_symlinks interface is called by the
files_delete_isid_type_symlinks interface (in kernel/files.if). This
interface is deprecated (and calls kernel_delete_unlabeled_symlinks).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The dropbox application has a feature called "LAN Sync" which works on
TCP & UDP port 17500. Marking this port as dropbox_port_t (instead of
the currently default unreserved_port_t) allows for more fine-grained
access control to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Currently, the /usr/share/cvs/contrib/rcs2log is only labeled as bin_t
for redhat distributions. Moving this to the general one as it is also
in use on other distributions
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Since commit 2d0c9cec mls_file_read_up and mls_file_write_down
interfaces are deprecated even though they are still present.
Replace mls_file_read_up with mls_file_read_all_levels and
mls_file_write_down with mls_file_write_all_levels.
On ArchLinux, glibc package installs /usr/bin/getconf as a hard link to a file
in /usr/lib/getconf/. For example on a x86_64 machine:
$ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64
Such configuration produces an instability when labeling the files with
"restorecon -Rv /":
restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0
As /usr/lib/getconf directory only contains executable programs, this issue is
fixed by labeling this directory and its content "bin_t".
/sys/fs/cgroup is a tmpfs which contains cgroup mounts and symlinks such as
cpu and cpuacct. Running restorecon makes this warning happen:
restorecon: Warning no default label for /sys/fs/cgroup/cpu
Declare a file context for every symlink in the cgroup tmpfs montpoint to
no longer have such warning.
Even if there is not FHS provision for this, systemd is using
/dev/hugepages to mount the hugetlbfs fs by default.
The needed file contexts are already present
Second part of the support of security_t under /sys/fs/selinux - when
asked not to audit getting attributes on the selinux file system, have
this propagate to the sysfs parts as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Because it is no longer a top-level file system, we need to enhance some
of the interfaces with the appropriate rights towards sysfs_t.
First set to allow getattr rights on the file system, which now also
means getattr on the sysfs_t file system as well as search privileges in
sysfs_t.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Associate the new xattrfs attribute to fs_t and the pseudo filesystems
that we know support xattr
This patch adds the attribute to the following (pseudo) filesystems
- device_t
- devpts_t
- fs_t
- hugetlbfs
- sysfs_t
- tmpfs_t
In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so
we need to grant most domains read access to this file. As we don't want
them to have read access on sysfs_t by default, create a new type
(cpu_online_t) and assign it to the file, and grant domains read access
to the file.
This does require systems to relabel the file upon every boot, something
distributions do in their bootup scripts, as /sys devices don't keep
their context.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Chris PeBenito
Luis Ressel
Sven Vermeulen
Jason Zaman
Elia Pinto
Nicolas Iooss
Laurent Bigonville
Chris PeBenito