Commit Graph

2351 Commits

Author SHA1 Message Date
Nicolas Iooss 29d543da4c Fix typos in comments from corenetwork module 2016-01-19 00:17:05 +01:00
Nicolas Iooss 80d74c2408 Fix typo in init_dbus_chat requirements
init_dbus_chat interface required initrc_t type but used init_t type.
2016-01-19 00:17:05 +01:00
Chris PeBenito 4e487ffe3d Module version bump for systemd audit_read capability from Laurent Bigonville 2016-01-15 09:50:01 -05:00
Laurent Bigonville c94097864a Allow systemd the audit_read capability
At early boot, I get the following messages in dmesg:

audit: type=1400 audit(1452851002.184:3): avc:  denied  { audit_read } for  pid=1 comm="systemd" capability=37 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
systemd[1]: Listening on Journal Audit Socket.
2016-01-15 11:43:45 +01:00
Chris PeBenito 24e6175132 Module version bump for systemd PrivateNetwork patch from Nicolas Iooss 2016-01-11 13:26:55 -05:00
Nicolas Iooss 25bc2d5c1d Allow systemd services to use PrivateNetwork feature
systemd creates a new network namespace for services which are using
PrivateNetwork=yes.

In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (c.f.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.

While at it, add filesystem_type attribute to nsfs_t.
2016-01-11 13:17:16 -05:00
Chris PeBenito 619b4adf78 Add a type and genfscon for nsfs. 2016-01-11 09:02:39 -05:00
Chris PeBenito 001cd53e2a Module version bump for Debian Xorg fc fixes from Laurent Bigonville 2016-01-07 13:11:50 -05:00
Laurent Bigonville fb4f17e4b0 Label Xorg server binary correctly on Debian
On Debian, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg/Xorg.
2016-01-07 16:48:08 +01:00
Chris PeBenito cc248fc976 Module version bump for syslog and systemd changes from Laurent Bigonville 2016-01-06 09:22:11 -05:00
Chris PeBenito 5922346539 Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into bigon-systemd-1 2016-01-06 09:13:47 -05:00
Chris PeBenito c08499e9ab Merge branch 'overcommit-1' of git://github.com/bigon/refpolicy into bigon-overcommit-1 2016-01-06 09:12:25 -05:00
Chris PeBenito 2c465410d9 Add neverallow for mac_override capability. It is not used by SELinux. 2016-01-06 09:09:36 -05:00
Chris PeBenito 994f605a2c Module version bump for Xorg and SSH patches from Nicolas Iooss. 2016-01-05 13:38:19 -05:00
Nicolas Iooss ce2982bf50 Label OpenSSH systemd unit files
On Arch Linux, OpenSSH unit files are:
    /usr/lib/systemd/system/sshdgenkeys.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

On Debian jessie, the unit files are:
    /lib/systemd/system/ssh.service
    /lib/systemd/system/ssh@.service
    /lib/systemd/system/ssh.socket

On Fedora 22, the unit files are:
    /usr/lib/systemd/system/sshd-keygen.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

Use a pattern which matches every sshd unit and introduce another type
for ssh-keygen units.
2016-01-05 13:22:52 -05:00
Nicolas Iooss 3505a51d76 Label OpenSSH files correctly on Arch Linux
On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:

* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)

Label all these files but sftp-server as bin_t.
2016-01-05 13:22:52 -05:00
Nicolas Iooss 59e00c5580 Label Xorg server binary correctly on Arch Linux
On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.

Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details).  Therefore label it as xserver_exec_t.

This makes the following AVC appear:

    denied  { execute_no_trans } for  pid=927 comm="X"
    path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
    scontext=system_u:system_r:xserver_t
    tcontext=system_u:object_r:xserver_exec_t tclass=file

Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
2016-01-05 13:22:52 -05:00
Laurent Bigonville b02a5d4b55 Allow syslogd_t to read sysctl_vm_overcommit_t 2015-12-16 19:30:47 +01:00
Laurent Bigonville c0e95ed326 On Debian, systemd binaries are installed in / not /usr
On Debian, systemd binaries are installed in / not /usr; add an
equivalence for this.
2015-12-14 22:52:47 +01:00
Laurent Bigonville 83b15c15b3 Give some systemd domain access to /proc/sys/kernel/random/boot_id 2015-12-14 22:19:24 +01:00
Chris PeBenito 4d0610807f Update contrib. 2015-12-14 10:40:04 -05:00
Chris PeBenito 2b972fefd1 Module version bump for vm overcommit sysctl interfaces from Laurent Bigonville. 2015-12-14 10:04:14 -05:00
Laurent Bigonville 4340b9f8a4 Add interfaces to read/write /proc/sys/vm/overcommit_memory 2015-12-14 10:02:53 -05:00
Chris PeBenito 6b1b2e3965 Module version bumps for 2 patches from Dominick Grift. 2015-12-10 15:46:13 -05:00
Dominick Grift 6d6370c98a kernel: implement sysctl_vm_overcommit_t for /proc/sys/vm/overcommit_memory
Whoever requires this type first gets to create the interfaces to operate on this object

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-10 14:10:16 -05:00
Dominick Grift 81d15a0273 authlogin: remove duplicate files_list_var_lib(nsswitch_domain)
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-10 14:10:16 -05:00
Chris PeBenito 727949924a Module version bump for systemd-user-sessions fc entry from Dominick Grift 2015-12-09 09:40:55 -05:00
Dominick Grift e1eeef00a6 systemd: add missing file context spec for systemd-user-sessions executable file
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-09 09:26:59 -05:00
Chris PeBenito 4fd44dc0f6 Update Changelog and VERSION for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito a2fab1a961 Update contrib. 2015-12-01 10:23:56 -05:00
Chris PeBenito 70ba55c2fc Module version bump for utempter Debian helper from Laurent Bigonville. 2015-12-01 10:23:46 -05:00
Laurent Bigonville c6efc3ada1 Properly label utempter helper on Debian 2015-12-01 09:45:06 -05:00
Chris PeBenito 37d2aeca3d Remove bad interface in systemd.if. 2015-11-05 15:31:53 -05:00
Chris PeBenito b94f45d760 Revise selinux module interfaces for perms protected by neverallows.
Use the allow rules on the relevant attributes in selinux.te, rather than
only using the attribute to pass the neverallows.

Closes #14
2015-11-04 15:10:29 -05:00
Chris PeBenito a3208c3495 Update contrib for dbus systemd fix. 2015-10-29 07:36:33 -04:00
Chris PeBenito 17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito 60d8b699fb Change policy_config_t to a security file type.
This fixes an assertion error with systemd_tmpfiles_t. It should
have been a security file for a while.
2015-10-23 10:17:46 -04:00
Chris PeBenito 4388def2d9 Add refpolicy core socket-activated services. 2015-10-23 10:17:46 -04:00
Chris PeBenito bdfc7e3eb0 Add sysfs_types attribute.
Collect all types used to label sysfs entries.
2015-10-23 10:17:46 -04:00
Chris PeBenito f7286189b3 Add systemd units for core refpolicy services.
Only for services that already have a named init script.

Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
2015-10-23 10:17:46 -04:00
Chris PeBenito fc2de5c21c Add rules for sysadm_r to manage the services. 2015-10-23 10:17:46 -04:00
Chris PeBenito 579849912d Add supporting rules for domains tightly-coupled with systemd. 2015-10-23 10:17:46 -04:00
Chris PeBenito 3639880cf6 Implement core systemd policy.
Significant contributions from the Tresys CLIP team.

Other changes from Laurent Bigonville.
2015-10-23 10:16:59 -04:00
Chris PeBenito d326c3878c Add systemd access vectors. 2015-10-20 15:01:27 -04:00
Chris PeBenito 4d28cb714f Module version bump for patches from Jason Zaman/Matthias Dahl. 2015-10-12 09:31:18 -04:00
Chris PeBenito 2c0e3d9a24 Rearrange lines in ipsec.te. 2015-10-12 09:30:05 -04:00
Jason Zaman 775b07e60a system/ipsec: Add policy for StrongSwan
Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.
2015-10-12 09:16:28 -04:00
Jason Zaman b3a95b4aeb Add overlayfs as an XATTR capable fs
The module is called "overlay" in the kernel
2015-10-12 09:13:53 -04:00
Chris PeBenito 778dfaf776 Update contrib. 2015-09-15 08:39:38 -04:00