Since commit 0fd9dc55, logging.te contains:
term_write_all_user_ttys(syslogd_t)
As "write" is a superset of "append", this rule is no longer needed:
term_append_unallocated_ttys(syslogd_t)
While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
audit.log shows that journald needs to read the kernel read buffer:
avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
These are seldomly-used tools from the util-linux package.
Please check if they are located in /sbin instead of /usr/sbin on other
distributions.
Signed-off-by: Luis Ressel <aranea@aixah.de>
With init_daemon_pid_file supporting class parameters, all calls to
init_daemon_run_dir can now be transformed into init_daemon_pid_file
calls.
Update the init_daemon_run_dir interface so it gives a warning when
used, and use the init_daemon_pid_file interface underlyingly.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):
dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
CAP_SYSLOG (deprecated).
audit.log contains following AVC:
avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
Since commit 2d0c9cec mls_file_read_up and mls_file_write_down
interfaces are deprecated even though they are still present.
Replace mls_file_read_up with mls_file_read_all_levels and
mls_file_write_down with mls_file_write_all_levels.
When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
called to setup a new device. This program works with udev to configure the
new device and uses SysV semaphores to synchronize states. As udev runs
dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
More details are available in the archives on the ML:
http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
VBoxCreateUSBNode.sh creates character special files in /dev/vboxusb each time
a new USB device appears. This script is called by udev.
audit.log on a system in permissive mode before this patch contains:
type=AVC msg=audit(1396889711.890:175): avc: denied { execute } for pid=26284 comm="systemd-udevd" name="VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
type=AVC msg=audit(1396889711.890:175): avc: denied { execute_no_trans } for pid=26284 comm="systemd-udevd" path="/usr/share/virtualbox/VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
On Debian, this directory can contain locally trusted certificates that
will be then be symlinked to /etc/ssl/certs by
update-ca-certificates(8), the files should be labelled as cert_t.
The postgresql manpages are installed under a private directory, some of
them are symlinked to the usual location.
Properly labeling them ensure that mandb can read them.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740591
Unprivileged users don't need to read kallsyms and /boot/System.map.
This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972:
# cjp: why?
bootloader_read_kernel_symbol_table($1_t)
FATsort is an utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.
If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control do create them dynamically when needed.
dpkg is now using rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.
Make it consistent with sysadm_r:sysadm_t.
If you build targeted policy then consider direct_initrc=y
If you build with direct_initrc=n then both unconfined_r:unconfined_t,
as well as sysadm_r:sysadm_t rely on run_init for running services on
behalf of the system.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Callers on init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.
The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Udev is writing persistent rules in /etc/udev/rules.d to ensure the
network interfaces and storage devices have a persistent name.
This patch has been taken from the Fedora policy
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Nicolas Iooss
Chris PeBenito
Luis Ressel
Sven Vermeulen
Elia Pinto
Laurent Bigonville
Chris PeBenito
Matthew Thode
Dominick Grift