Commit Graph

1896 Commits

Author SHA1 Message Date
Dominick Grift d66cfb529b logging: syslog (rs:main Q:Reg) reading sysctl_vm files (overcommit_memory) in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:49:38 -04:00
Chris PeBenito 0b1efe5612 Module version bump for tmpfs associate to device_t from Dominick Grift. 2013-09-26 08:48:48 -04:00
Dominick Grift e3072cb7bf filesystem: associate tmpfs_t (shm) to device_t (devtmpfs) file systems
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:46:36 -04:00
Chris PeBenito 7174140178 Module version bump for xserver and selinuxutil updates from Dominick Grift. 2013-09-26 08:32:33 -04:00
Chris PeBenito b2eaf87020 Add comment for setfiles using /dev/console when it needs to be relabeled. 2013-09-26 08:31:41 -04:00
Dominick Grift dae823c43a Restorecon reads, and writes /dev/console before it is properly labeled
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:30:00 -04:00
Dominick Grift 1a5c0ec970 These regular expressions were not matched
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:23:37 -04:00
Chris PeBenito 2f6ea284d2 Update contrib. 2013-09-23 15:47:09 -04:00
Chris PeBenito 65499f0580 Module version bump for redis port from Dominick Grift. 2013-09-23 15:47:00 -04:00
Dominick Grift b44a96030e Support redis port tcp,6379
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-23 14:44:16 -04:00
Chris PeBenito 951462610d Module version bump for pstore filesystem support from Dominick Grift. 2013-09-23 14:41:03 -04:00
Dominick Grift bf1ab85c1f Initial pstore support
Generic interface to platform dependent persistent storage
https://www.kernel.org/doc/Documentation/ABI/testing/pstore

This basically works pretty much the same as cgroup file systems from a
SELinux perspective

Make sure that the installed /sys/fs/pstore directory is labeled
properly so that the pstore file system can be mounted on that

I also removed the files_type() calls as they are duplicate (it is
already called in files_mountpoint)

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-23 14:31:20 -04:00
Chris PeBenito 36e088fa43 Module version bump for kerberos keytab changes for ssh from Dominick Grift. 2013-09-23 14:28:00 -04:00
Dominick Grift 22f71be4e3 The kerberos_keytab_template() template is deprecated: Breaks monolithic built (out-of-scope)
This keytab functionality should be re-evaluated because it does not
make sense in its current implementation

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-23 14:15:46 -04:00
Sven Vermeulen 94a6b29e00 Support named file transition for fixed_disk_device_t
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-08-26 08:51:20 -04:00
Sven Vermeulen 6fb9a34679 Get grub2-install to work properly
The grub2-install application runs a few grub2-* commands. Two of those,
grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.

Mark those two applications as bootloader_exec_t (as is the case with the "grub"
legacy command in the past) allows the commands to continue.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-08-26 08:32:53 -04:00
Chris PeBenito 1ff40b5ec7 Add label for parted. 2013-08-26 08:30:49 -04:00
Chris PeBenito 7e95a88171 Update contrib. 2013-05-14 11:21:37 -04:00
Chris PeBenito 2b7b44d80e Remove general unlabeled packet usage.
Back when the SECMARK implementation was new, the packet class was always
checked.  Because of that, unlabeled_t packet rules proliferated refpolicy
since the common case was to have no SECMARK rules.  Since then, the kernel
has been modified to only enforce the packet class if there are SECMARK
rules.  Remove the unlabeled_t packet rules, since users of SECMARK will
likely want no unlabeled_t packet rules, and the common case users will
have no impact since the packet class isn't enforced on their systems.

To have partial SECMARK confinement, the following rule applies:

allow { domain -type_i_want_to_constrain_t } unlabeled_t:packet { send recv };

It seems like over-allowing, but if you have no SECMARK rules, it's the equivalent of:

allow * unlabeled_t:packet { send recv };

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2013-05-14 10:15:34 -04:00
Chris PeBenito 7f171849e5 Update contrib to pull in minidlna. 2013-05-09 09:18:59 -04:00
Sven Vermeulen af30431070 Add trivnet1 port (8200)
Create the proper port types for trivnet1 (port 8200)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-05-09 08:54:20 -04:00
Chris PeBenito 04a929f7c0 Update Changelog and VERSION for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito 924e16ff77 Update contrib 2013-04-23 08:04:09 -04:00
Chris PeBenito 77a244c393 Update contrib. 2013-04-05 09:46:23 -04:00
Chris PeBenito f1aa23dc47 Add conntrack fc entry.
This tool is for maintaining the netfilter connection tracking.
2013-04-05 09:45:04 -04:00
Chris PeBenito 27044cf65b Add swapoff fc entry. 2013-04-05 09:43:14 -04:00
Chris PeBenito 7c1cbfd97d Module version bump for chfn fixes from Sven Vermeulen. 2013-04-04 15:22:08 -04:00
Sven Vermeulen 62e395b90b chfn_t reads in file context information and executes nscd
The chsh application (which runs in the chfn_t domain) requires read access on
the file context definitions. If not, the following error occurs:

Changing the login shell for root
Enter the new value, or press ENTER for the default
	Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd

The following AVC denials are shown:

Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
avc:  denied  { search } for  pid=18281 comm="chsh" name="selinux" dev="dm-0"
ino=23724520 scontext=staff_u:sysadm_r:chfn_t
tcontext=system_u:object_r:selinux_config_t tclass=dir

In permissive mode, this goes up to:

Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
avc:  denied  { open } for  pid=18195 comm="chsh"
path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
tclass=file

Hence, adding in seutil_read_file_contexts().

A second error is that chsh, if available, wants to execute nscd:

Changing the login shell for root
Enter the new value, or press ENTER for the default
        Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.

Similar to most other user admin utilities, we grant it the rights to run nscd.

Changes since v1
- Removed seutil_dontaudit_search_config() call

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-04-04 14:25:55 -04:00
Chris PeBenito 019a11b370 Update contrib 2013-02-26 09:14:19 -05:00
Chris PeBenito 8e122068e4 Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai. 2013-02-25 11:26:13 -05:00
Chris PeBenito fd569471c3 Module version bump for Debian updates from Laurent Bigonville. 2013-01-23 07:23:52 -05:00
Laurent Bigonville 6a62fd0acb Label nut drivers that are installed in /lib/nut on Debian as bin_t 2013-01-23 07:12:48 -05:00
Laurent Bigonville 20e47b2f4e Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
On Debian, part of gnome-settings-daemon is installed in that
directory
2013-01-23 07:12:34 -05:00
Laurent Bigonville 8be0fad549 Add initrc_t to use block_suspend capability
This is needed by nm-dispatcher.action witch is labeled as
NetworkManager_initc_exec_t and is transitioned to initrc_t
2013-01-23 07:12:18 -05:00
Laurent Bigonville 693532ae68 Add mount_var_run_t type and allow mount_t domain to manage the files and directories
In Debian, mount store some information (a utab file) under
/var/run/mount directory.

This is inspired by the fedora policy.
2013-01-23 07:11:17 -05:00
Laurent Bigonville ef854630b4 Label var_lock_t as a mountpoint
In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
mount.
2013-01-23 07:10:13 -05:00
Laurent Bigonville 7955d0b246 Add support for rsyslog
Allow sys_nice capability, setsched, allow to search in /var/spool and
syslog_t domain to read network state files in /proc

squash! Add support for rsyslog
2013-01-23 07:10:00 -05:00
Laurent Bigonville bb00509804 Label executables in /usr/lib/NetworkManager/ as bin_t 2013-01-23 07:09:24 -05:00
Laurent Bigonville bc40d90816 udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files
udev_manage_pid_files is supposed to manage files that are located in
/var/run, allow to search files in this directory instead of /var/lib
2013-01-23 07:09:05 -05:00
Laurent Bigonville 0ca8ac16f3 Label /var/run/initctl as initctl_t
In Debian, the initctl pipe has been moved from /dev/initctl to
/run/initctl
2013-01-23 07:08:38 -05:00
Laurent Bigonville 4ae3d78602 Label /var/run/motd.dynamic as initrc_var_run_t 2013-01-23 07:08:06 -05:00
Laurent Bigonville b40dc4f657 Label /var/run/shm as tmpfs_t for Debian
In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
the same way.
2013-01-23 07:07:28 -05:00
Chris PeBenito be2e70be8d Module version bump for fixes from Dominick Grift. 2013-01-03 10:53:34 -05:00
Dominick Grift 79e1e4efb9 NSCD related changes in various policy modules
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use

Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch

Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-01-03 10:43:10 -05:00
Dominick Grift 8b3ffb9663 Changes to the userdomain policy module
Make sure various virt user home content gets created with a type
transition and proper file contexts for common users

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-01-03 10:43:10 -05:00
Dominick Grift 88b2de1c17 Changes to the init policy module
virt_manage_svirt_cache() is deprecated, use virt_manage_virt_cache()
instead

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-01-03 10:43:10 -05:00
Chris PeBenito 569afb9039 Update contrib. 2013-01-03 10:33:27 -05:00
Chris PeBenito e1ab3f885b Module version bump for misc updates from Sven Vermeulen. 2013-01-03 10:32:41 -05:00
Sven Vermeulen 517f37fd26 Introduce exec-check interfaces for passwd binaries and useradd binaries
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-01-03 10:32:41 -05:00