The following patch allows mon_t to set limits for it's children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (EG https clients) don't need cert_t access.
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
I am seeing the following denial (in dmesg) during system startup:
[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
It appears that systemd is attempting to relablel the socket file /run/systemd/private to init_var_run_t but doesn't have permission.
Updated to create new interface for relabeling of sock_files rather than adding to existing interface
Signed-off-by: Dave Sugar <dsugar@tresys.com>
python3.6 will error out with the message "invalid escape sequence"
in genhomedircon.py. This patch fixes these errors by turning the string
in the into a raw string.
type=AVC msg=audit(1504637347.487:280): avc: denied { map } for pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0
Without this we can't use xenconsole (client) to
talk to xenconsoled (server).
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
libxenstored since git commit 9c89dc95201ffed5fead17b35754bf9440fdbdc0
prefers to use "/dev/xen/xenbus" over the "/proc/xen/xenbus".
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
Avoid memory leakages in the fc_sort executable (now passes
all valgrind AND Clang static analyzer tests fine).
Some NULL pointer checks with or without associated error
reporting.
Some white space and comment formatting fixes.
Optimization: avoid unnecessary operations (unnecessary
memory allocation/deallocation and list copying).
Reverts 7821eb6f37 as such
trick is no longer needed, given that all memory leakages
have now been fixed.
This is the sixth version of this patch. Please do not use
the first version as it introduces a serious bug.
For reference, the original issue reported by the Cland
static analyzer is as follows:
support/fc_sort.c:494:6: warning: Potential leak of memory
pointed to by 'head'
malloc(sizeof(file_context_bucket_t));
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise). I hope ordering of the new rules is correct.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Label some shell scripts from bridge-utils correctly. Maybe have ifdef
distro_debian around this, not sure what upstream is doing.
systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.
Another dontaudit for mon_local_test_t to stop it spamming the logs.
Support a .d directory for dnsmasq config files.
Do not audit ioctl operation attempts whenever write
operations on the xserver log should not be audited.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Jason Zaman
Chris PeBenito
Russell Coker
Luis Ressel via refpolicy
William Roberts
David Sugar
David Graziano
Adam Duskett
Konrad Rzeszutek Wilk
Guido Trentalancia
Christian Göttsche