RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,977 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

1125 Commits

Author SHA1 Message Date
Chris PeBenito e2e4094bd4 various: Module version bump 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-16 22:08:11 -04:00
Sugar, David a49163250f Add kernel_dgram_send() into logging_send_syslog_msg() 
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-04-16 20:51:55 -04:00
Chris PeBenito e41def136a xserver: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-14 14:20:55 -04:00
Guido Trentalancia db33386c01 The Qt library version 5 requires to write xserver_tmp_t 
files upon starting up applications (tested on version
5.12.1).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    3 +++
 1 file changed, 3 insertions(+)
 2019-04-12 17:52:50 +02:00
Chris PeBenito 4f6614ba7f ntp, init, lvm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-27 18:49:54 -04:00
Sugar, David 7525ba9c1e Allow ntpd to read unit files 
Adding missing documenation (sorry about that).

type=AVC msg=audit(1553013917.359:9935): avc:  denied  { read } for  pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9935): avc:  denied  { open } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9936): avc:  denied  { getattr } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1

type=AVC msg=audit(1553013821.622:9902): avc:  denied  { getattr } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc:  denied  { read } for  pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc:  denied  { open } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-27 18:48:01 -04:00
Chris PeBenito 32f3f09dc4 authlogin, dbus, ntp: Module version bump. 2019-03-24 14:43:35 -04:00
Sugar, David 142651a8b4 Resolve denial about logging to journal from dbus 
type=AVC msg=audit(1553013821.597:9897): avc:  denied  { sendto } for  pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:37:22 -04:00
Sugar, David 9f2b1e2b4c Allow ntpd to update timezone symlink 
type=AVC msg=audit(1553013821.624:9907): avc:  denied  { create } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc:  denied  { rename } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc:  denied  { unlink } for  pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:35:44 -04:00
Sugar, David 1b4ffb7806 Allow ntpd to update chronyd service 
type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?
type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:35:44 -04:00
Sugar, David a50afdcc84 Add interface ntp_dbus_chat 
type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:35:44 -04:00
Chris PeBenito bb83a721cf filesystem, cron, authlogin: Module version bump. 2019-03-07 19:02:57 -05:00
Sugar, David 3fd0d7df8b Update cron use to pam interface 
I'm seeing a many denials for cron related to faillog_t, lastlog_t
and wtmp_t.  These are all due to the fact cron is using pam (and my
system is configured with pam_faillog).  I have updated cron to use
auth_use_pam interface to grant needed permissions.

Additional change to allow systemd_logind dbus for cron.

I have included many of the denials I'm seeing, but there are probably
others I didn't capture.

type=AVC msg=audit(1551411001.389:1281): avc:  denied  { read write } for  pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc:  denied  { lock } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { write } for  pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc:  denied  { getattr } for  pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { read write } for  pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { open } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc:  denied  { lock } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-07 19:02:57 -05:00
Chris PeBenito 712e6056d9 aide, clamav: Module version bump. 2019-02-26 19:21:27 -08:00
Sugar, David c418d0e81d Add interfaces to run freshclam 
Currently freshclam can only be started from cron or init.  This adds
the option of starting from a different process and optionally
transitioning or staying in the callers domain.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Sugar, David 899520233d Allow freshclam to read sysctl_crypto_t 
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { search } for  pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { read } for  pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { open } for  pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Sugar, David 2d105029d0 Fix incorrect type in clamav_enableddisable_clamd interface 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Nicolas Iooss 919c889b7d
Add policy for stubby DNS resolver 
Stubby is a DNS resolver that encrypts DNS queries and transmits them to
a resolver in a TLS channel. It therefore requires less permissions than
a traditionnal DNS resolver such as named or unbound (provided by module
"bind").

cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

This program is packaged for Arch Linux, Debian, etc.

DNS-over-TLS uses TCP port 853, which does not seem to conflict with
existing ports. Label it like other DNS ports.

init_dbus_chat(stubby_t) is required on systemd-based distributions
because stubby's service uses DynamicUser=yes [1]. Without this
statement, the following denials are reported by dbus:

    type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.DBus member=Hello
    dest=org.freedesktop.DBus spid=649
    scontext=system_u:system_r:stubby_t
    tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

    type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649
    tpid=1 scontext=system_u:system_r:stubby_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

    type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.39
    spid=1 tpid=649 scontext=system_u:system_r:init_t
    tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

[1] https://github.com/getdnsapi/stubby/blob/v0.2.5/systemd/stubby.service#L8
 2019-02-17 22:16:33 +01:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 83ebbd23d3 corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump. 2019-02-01 14:21:55 -05:00
Russell Coker 044da0b8b9 more misc stuff 
Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.
 2019-02-01 14:16:57 -05:00
Chris PeBenito 4e5b6f39ff redis: Module version bump. 2019-01-30 18:46:28 -05:00
Chris PeBenito 8e45aef50c redis: Move line. 2019-01-30 18:46:07 -05:00
Alexander Miroshnichenko 2adbd7f732 minor updates redis module to be able to start the app 
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
 2019-01-30 18:45:43 -05:00
Chris PeBenito b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Chris PeBenito 137aca70e3 hostapd: Move line. 2019-01-29 18:59:50 -05:00
Chris PeBenito b54fd25c60 hostapd: Whitespace change. 2019-01-29 18:59:50 -05:00
Russell Coker 3d65c79750 yet another little patch 
This should all be obvious.
 2019-01-29 18:45:30 -05:00
Alexander Miroshnichenko 275c304dc1 Add hostapd service module 
Add a SELinux Reference Policy module for the hostapd
IEEE 802.11 wireless LAN Host AP daemon.
 2019-01-29 18:42:14 -05:00
Chris PeBenito 535cea9ad1 filesystem, postgresql: Module version bump. 2019-01-27 12:58:33 -05:00
Chris PeBenito b78be0cc7a Merge branch 'postgres' of git://github.com/alexminder/refpolicy 2019-01-27 12:44:39 -05:00
Alexander Miroshnichenko 548564099e fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface 2019-01-26 21:50:12 +03:00
Chris PeBenito 30a46e5676 various: Module version bump. 2019-01-23 19:02:01 -05:00
Chris PeBenito 14505cb1ef dovecot: Move lines. 2019-01-23 19:01:37 -05:00
Chris PeBenito fce54c10fa Merge branch 'dovecot' of git://github.com/alexminder/refpolicy 2019-01-23 18:52:35 -05:00
Chris PeBenito 09a81f7220 init: Rename init_read_generic_units_links() to init_read_generic_units_symlinks(). 2019-01-23 18:34:10 -05:00
Russell Coker eba35802cc yet more tiny stuff 
I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.

Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
 2019-01-23 18:32:41 -05:00
Russell Coker 05cd55fb51 tiny stuff for today 
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
 2019-01-23 18:26:45 -05:00
Alexander Miroshnichenko de478dca3a Add dovecot_can_connect_db boolean. 
Add dovecot_can_connect_db boolean. Grant connect dovecot_auth_t to DBs by dovecot_can_connect_db boolean.
 2019-01-23 18:22:24 +03:00
Alexander Miroshnichenko 438786dfa7 Add map permission for postgresql_t to postgresql_tmp_t files. 2019-01-23 18:00:25 +03:00
Alexander Miroshnichenko cff5e0026c Add new interface fs_rmw_hugetlbfs_files. 
Add new interface fs_rmw_hugetlbfs_files and grant it to postgresql_t.
 2019-01-23 17:58:54 +03:00
Chris PeBenito a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Sugar, David 53ea0b2288 Add interface clamav_run 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-20 16:33:31 -05:00
Chris PeBenito 7d93336024 xserver: Move line 2019-01-20 16:22:01 -05:00
Russell Coker 54136fa311 more tiny stuff 
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.

A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).

The rest should be obvious.
 2019-01-20 16:20:33 -05:00
Nicolas Iooss 47b09d472e
dbus: allow using dynamic UID 
When using a systemd service with dynamic UID, dbus-daemon reads
symlinks in /run/systemd/dynamic-uid/:

    type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e
    syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800
    a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81
    suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
    comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
    subj=system_u:system_r:system_dbusd_t key=(null)

    type=AVC msg=audit(1547313774.993:373): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1

    type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e
    syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800
    a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295
    uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81
    tty=(none) ses=4294967295 comm="dbus-daemon"
    exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t
    key=(null)

    type=AVC msg=audit(1547313774.993:374): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=1

This directory looks like this, on Arch Linux with systemd 240:

    # ls -alZ /run/systemd/dynamic-uid
    drwxr-xr-x.  2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./
    drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../
    -rw-------.  1 root root system_u:object_r:init_var_run_t   8 2019-01-12 15:53 65306
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   7 2019-01-12 15:53 direct:65306 -> haveged
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   5 2019-01-12 15:53 direct:haveged -> 65306
 2019-01-16 22:13:57 +01:00
Chris PeBenito 4a90eae668 usermanage, cron, selinuxutil: Module version bump. 2019-01-14 17:45:24 -05:00
Russell Coker b1d309b42c trivial system cronjob 2019-01-14 17:42:17 -05:00
Chris PeBenito e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Chris PeBenito d01b3a1169 Merge branch 'services_single_usr_bin' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:53:58 -05:00