With init_daemon_pid_file supporting class parameters, all calls to
init_daemon_run_dir can now be transformed into init_daemon_pid_file
calls.
Update the init_daemon_run_dir interface so it gives a warning when
used, and use the init_daemon_pid_file interface underlyingly.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).
The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.
The interface requires the class(es) on which the file transition should
occur, like so:
init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Pair of objects which supported by Interbase/Firebird/Red Database:
db_exception - exception which can be thrown from PSQL
db_domain - named set of column attributes
When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):
dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
CAP_SYSLOG (deprecated).
audit.log contains following AVC:
avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
The dropbox application has a feature called "LAN Sync" which works on
TCP & UDP port 17500. Marking this port as dropbox_port_t (instead of
the currently default unreserved_port_t) allows for more fine-grained
access control to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Several DMs offer the possibility to shutdown the system. I personally
don't think a bool is neccessary for this permission, but I wouldn't
oppose one either.
Currently, the /usr/share/cvs/contrib/rcs2log is only labeled as bin_t
for redhat distributions. Moving this to the general one as it is also
in use on other distributions
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.
With this setup, X is run as follows:
/usr/bin/X :0 -auth /var/run/lightdm/root/:0
Changes since v1:
- Use read_files_pattern instead of separate allow rules
Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Since commit 2d0c9cec mls_file_read_up and mls_file_write_down
interfaces are deprecated even though they are still present.
Replace mls_file_read_up with mls_file_read_all_levels and
mls_file_write_down with mls_file_write_all_levels.
When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
called to setup a new device. This program works with udev to configure the
new device and uses SysV semaphores to synchronize states. As udev runs
dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
semaphores (not unconfined_t) and hence needs to run in lvm_t domain.
More details are available in the archives on the ML:
http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html
VBoxCreateUSBNode.sh creates character special files in /dev/vboxusb each time
a new USB device appears. This script is called by udev.
audit.log on a system in permissive mode before this patch contains:
type=AVC msg=audit(1396889711.890:175): avc: denied { execute } for pid=26284 comm="systemd-udevd" name="VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
type=AVC msg=audit(1396889711.890:175): avc: denied { execute_no_trans } for pid=26284 comm="systemd-udevd" path="/usr/share/virtualbox/VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
On ArchLinux, glibc package installs /usr/bin/getconf as a hard link to a file
in /usr/lib/getconf/. For example on a x86_64 machine:
$ ls -i -l /usr/bin/getconf /usr/lib/getconf/XBS5_LP64_OFF64
5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/bin/getconf
5900355 -rwxr-xr-x. 4 root root 22880 Feb 28 04:53 /usr/lib/getconf/XBS5_LP64_OFF64
Such configuration produces an instability when labeling the files with
"restorecon -Rv /":
restorecon reset /usr/bin/getconf context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /usr/lib/getconf/XBS5_LP64_OFF64 context unconfined_u:object_r:bin_t:s0->unconfined_u:object_r:lib_t:s0
As /usr/lib/getconf directory only contains executable programs, this issue is
fixed by labeling this directory and its content "bin_t".
/sys/fs/cgroup is a tmpfs which contains cgroup mounts and symlinks such as
cpu and cpuacct. Running restorecon makes this warning happen:
restorecon: Warning no default label for /sys/fs/cgroup/cpu
Declare a file context for every symlink in the cgroup tmpfs montpoint to
no longer have such warning.
Even if there is not FHS provision for this, systemd is using
/dev/hugepages to mount the hugetlbfs fs by default.
The needed file contexts are already present
Chris PeBenito
Jason Zaman
Sven Vermeulen
Chris PeBenito
Artyom Smirnov
Nicolas Iooss
Elia Pinto
Luis Ressel
cgarst
Laurent Bigonville