Commit Graph

5979 Commits

Author SHA1 Message Date
Chris PeBenito 5047ce5891 Merge pull request #353 from KrissN/master 2021-02-12 11:18:32 -05:00
Krzysztof Nowicki 6d0ade349e Allow systemd-tmpfilesd to access nsswitch information
Fixes io.systemd.DynamicUser denials.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:21 +01:00
Krzysztof Nowicki f70f84310a Fix setting-up sandbox environment for systemd-networkd
Systemd starts networkd in a sandbox enviroment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:

avc:  denied  { mounton } for  pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1

Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:21 +01:00
Krzysztof Nowicki 014b2c41d2 Allow systemd-tmpfilesd handle faillog directory
Is is being created from a pam-provided tmpfiles.d config.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:20 +01:00
Krzysztof Nowicki cfe0502ed2 Mark lvm_lock_t as systemd_tmpfilesd-managed
lvm2 installs a file into /usr/lib/tmpfliles.d/ to create
/run/lock/lvm so systemd-tmpfilesd needs the rights to create it.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:20 +01:00
Krzysztof Nowicki 017d9750a4 Allow systemd-tmpfilesd to set attributes of /var/lock
Fixes:

avc:  denied  { setattr } for pid= comm="systemd-tmpfile" name="lock"
dev="tmpfs" ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:53:19 +01:00
Krzysztof Nowicki 900a51f134 Allow systemd-tmpfilesd to relabel generic files inside /etc
Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.

Fixes:

avc:  denied  { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:52:01 +01:00
Krzysztof Nowicki 68e5f4d3f3 Enable factory directory support in systemd-tmpfilesd
/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.

This behaiour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered as a security risk.

Relevant denials are silenced in case the policy is disabled.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki b30437e487 When using systemd_tmpfilesd_managed also grant directory permissions
This allows systemd-tmpfilesd to create files inside directories
belonging to the subject domain.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki 0111384000 Allow systemd-tmpfilesd populating of /var/lib/dbus
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:52 +01:00
Krzysztof Nowicki 0aac6a3d3b Fix systemd-journal-flush service
This service executes journalctl, which needs access to the journald
socket.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:51 +01:00
Krzysztof Nowicki 364621e6ec Allow use of systemd UNIX sockets created at initrd execution
Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.

Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel securint context until they are recreated, which for some
sockets (notify socket) never happens.

Until there is a way to change the context of an already open socket
object all processes, that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.

Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.

[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>

tmp
2021-02-09 13:24:51 +01:00
Krzysztof Nowicki 2cd6ffb654 Also grant directory permissions in sysnet_manage_config
On systemd, systemd-networkd keeps its configuration in
/etc/systemd/network, where both files and directories are labelled as
net_conf_t. When granting network configuration management permissions
also include directory management rights when systemd is in use.

This fixes denials from udev trying to parse systemd network
configuration.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:50 +01:00
Krzysztof Nowicki ba9fa00010 Allow execution of shell-scripted systemd generators
While systemd recommends to use native binaries as generators due to
performance reasons, there is nothing that really prevents from them
being shell scripts.

This is Gentoo-specific as the affected generator is provided by
the distribution, not by upstream systemd.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:50 +01:00
Krzysztof Nowicki b9470d408a Allow systemd to relabel startup-important directories
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:49 +01:00
Krzysztof Nowicki 5082648629 Fix interface naming convention (plural predicates)
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
2021-02-09 13:24:43 +01:00
Chris PeBenito bfa73f3c59 dovecot, postfix: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 13:05:46 -05:00
Chris PeBenito a7ac056982 Merge pull request #351 from 0xC0ncord/feature/postfix_dovecot_backend 2021-02-03 13:05:27 -05:00
Kenton Groombridge 5b0eee1093
dovecot, postfix: add missing accesses
postfix_pipe_t requires reading dovecot configuration and connecting to
dovecot stream sockets if configured to use dovecot for local mail
delivery.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-03 11:36:42 -05:00
Chris PeBenito 11612378e7 Update Changelog and VERSION for release 2.20210203.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 08:38:27 -05:00
Chris PeBenito ff983a6239 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-03 08:38:26 -05:00
Chris PeBenito 255c5a4ccd various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:30:10 -05:00
Chris PeBenito 5ab1b2ee67 Merge pull request #350 from 0xC0ncord/bugfix/various_dontaudit_20200202 2021-02-02 14:28:42 -05:00
Chris PeBenito 6aaa8ee1c7 Merge pull request #349 from 0xC0ncord/bugfix/lvm_tmpfs_perms 2021-02-02 14:28:40 -05:00
Chris PeBenito 8c042fb9be systemd: Rename systemd_use_machined_devpts().
Renamed to systemd_use_inherited_machined_ptys().

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:11:47 -05:00
Chris PeBenito 072f850e23
Merge pull request #348 from cgzones/monolithic
Improve monolithic policy build support
2021-02-02 14:10:44 -05:00
Chris PeBenito e6fbff4948 systemd: Fix lint errors.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 14:02:49 -05:00
Chris PeBenito 4436cd0d6d various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:58:24 -05:00
Chris PeBenito a673712d8a systemd: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:50:45 -05:00
Russell Coker ab0367b4b6 machined
This patch is for systemd-machined.  Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?

Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:46:42 -05:00
Chris PeBenito eae12d8418 apt, bootloader: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 13:32:42 -05:00
Russell Coker 8b4f1e3384 misc apps and admin patches
Send again without the section Dominick didn't like.  I think it's ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:29:48 -05:00
Kenton Groombridge edd4ba6f32
Various fixes
Allow dovecot to watch the mail spool, and add various dontaudit rules
for several other domains.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-02 10:52:59 -05:00
Chris PeBenito cfb48c28d0 screen: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:47:55 -05:00
Chris PeBenito 460cd1a4b1 Merge pull request #346 from jpds/tmux-xdg-config 2021-02-02 08:47:31 -05:00
Chris PeBenito aa35a710a5 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:47:00 -05:00
Chris PeBenito 9e195ea6ae dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.
Rename interfaces from a7f3fdabad.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-02 08:46:41 -05:00
Russell Coker a7f3fdabad new version of filetrans patch
Name changes suggested by Dominick and some more additions.

Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 08:31:14 -05:00
Jonathan Davies 9ec80c1b2f apps/screen.te: Allow screen to search xdg directories.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-02-01 21:42:12 +00:00
Chris PeBenito e7065e2442 certbot: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-02-01 15:56:31 -05:00
Chris PeBenito 16ede470f6 Merge pull request #347 from 0xC0ncord/feature/acme-sh_certbot 2021-02-01 15:56:03 -05:00
Kenton Groombridge ed5d860a8c
lvm: add lvm_tmpfs_t type and rules
cryptsetup uses tmpfs when performing some operations on encrypted
volumes such as changing keys.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-01 15:46:24 -05:00
Kenton Groombridge 3ce27e68d9
certbot: add support for acme.sh
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-02-01 15:29:24 -05:00
Christian Göttsche ad74df28e7 Rules.monolithic: add missing phony declarations
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:09:27 +01:00
Christian Göttsche 511f3b57f3 Rules.monolithic: drop dead variable
USEPWD is nowhere declared or documented.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:08:54 +01:00
Christian Göttsche de6cdd96c6 Rules.monolithic: tweak checkpolicy arguments
- enable optimizations (3.0 071247e8f4)
- fail on warnings (3.1 62a91d7d71)
- sort ocontexts (2.9 9077c5c056)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:07:40 +01:00
Christian Göttsche 991d597199 Rules.monolithic: do not suppress load_policy warning messages
Also do not supply the policy path, it is ignored since at least 2008
(13cd4c8960).

/usr/sbin/load_policy:  Warning!  Policy file argument (/etc/selinux/debian/policy/policy.32) is no longer supported, installed policy is always loaded.  Continuing...

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 20:05:19 +01:00
Christian Göttsche 2d9e297f22 Preset OUTPUT_POLICY to 32
32 is the policy version of the latest SELinux userland release, 3.1 .

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00
Christian Göttsche be0f5f0d68 gitignore: ignore monolithic generated files
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00
Christian Göttsche 02f1c1c06b Rules.monolithic: ignore version mismatch
Ignore version mismatch when OUTPUT_POLICY is defined and the kernel
supports a higher policy version.
Currently Debian ships SELinux userland tools 3.1, which supports
version 32, and Linux 5.10, which supports version 33.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-02-01 15:33:25 +01:00