83 Commits

Author SHA1 Message Date
Chris PeBenito 2400f6a74c various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-17 13:34:06 -05:00
Jason Zaman 124d3723d8 fstools: add zfs-auto-snapshot
Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.

type=AVC msg=audit(1563084061.269:2472): avc:  denied  { execute } for  pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
2020-02-17 13:25:59 -05:00
Chris PeBenito 7af9eb3e91 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-15 10:42:45 -05:00
Stephen Smalley 161bda392e access_vectors: Remove unused permissions
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 3899825c1c fstools: Module version bump. 2018-08-04 08:51:00 -04:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito f74a91a1a6 sysadm,fstools: Module version bump. 2017-09-14 17:21:56 -04:00
Chris PeBenito 495e2c203b Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito bb8f9f49c3 little misc strict from Russell Coker. 2017-04-29 11:25:13 -04:00
Chris PeBenito caca2e7e6e some little misc things from Russell Coker.
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
2017-04-26 18:03:02 -04:00
Chris PeBenito 8527b86621 Further strict systemd fixes from Russell Coker. 2017-04-20 20:00:34 -04:00
Chris PeBenito 132cc4b2d5 bootloader from Russell Coker.
This patch adds a lot of policy that is needed to set up an initramfs and grub
on Debian nowadays.

Also changed a comment about ia64 to correctly mention EFI.
2017-04-18 20:56:59 -04:00
Chris PeBenito b49d85c83d misc daemons from Russell Coker.
Put in libx32 subs entries that refer to directories with fc entries.

Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.

Some dontaudit rules for mta processes spawned by mon for notification.

Lots of tiny changes that are obvious.
2017-04-18 20:38:13 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 2e7553db63 Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 67c435f1fc Module version bump for fc updates from Nicolas Iooss. 2016-12-28 14:38:05 -05:00
Chris PeBenito f850ec37df Module version bumps for /run fc changes from cgzones. 2016-12-22 15:54:46 -05:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito dcda0459b5 Module version bump for fstools blkid fix from Jason Zaman 2015-04-15 12:17:30 -04:00
Jason Zaman 9cf1886c68 fstools: add in filetrans for /run dir
the blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type and allows the transition in /run.

type=AVC msg=audit(1428929528.885:149519): avc:  denied  { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0

In permissive:
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { write } for  pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { add_name } for  pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { create } for  pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149):  cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { write } for  pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { add_name } for  pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { create } for  pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { write open } for  pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc:  denied  { getattr } for  pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1

Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.
2015-04-15 12:16:32 -04:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 0735f2ca4a Module version bump for misc fixes from Sven Vermeulen. 2014-12-02 10:29:59 -05:00
Chris PeBenito 617466b2bd Module version bump for losetup fixes from Luis Ressel. 2014-08-19 08:45:38 -04:00
Chris PeBenito 503f2749e0 Move losetup addition in fstools. 2014-08-19 08:44:57 -04:00
Luis Ressel 9946965a53 Add necessary permissions for losetup
This allows losetup to bind mount_loopback_t files to loop devices.
2014-08-18 15:24:46 -04:00
Chris PeBenito daa6ad17ad Module version bump for fstools fc entries from Luis Ressel. 2014-08-14 15:47:55 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Luis Ressel a10fefcd39 Label fatsort as fsadm_exec_t.
FATsort is a utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.
2014-02-15 14:39:32 -05:00
Chris PeBenito 3ffc91fff4 Module version bump for ZFS tools fc entries from Matthew Thode. 2014-01-21 08:55:37 -05:00
Chris PeBenito 58db129761 Update modules for file_t merge into unlabeled_t. 2014-01-16 11:24:25 -05:00
Chris PeBenito 3208ff94c4 Module version bump for second lot of patches from Dominick Grift. 2013-12-03 13:03:35 -05:00
Chris PeBenito 613100a7f4 Whitespace fix in fstools. 2013-12-03 10:39:51 -05:00
Dominick Grift 521bbf8586 These { read write } tty_device_t chr files on boot up in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:39:21 -05:00
Chris PeBenito 1a01976fc4 Module version bump for first batch of patches from Dominick Grift. 2013-12-02 14:22:29 -05:00
Dominick Grift 3b6a8b0ee5 fstools: hdparm append (what seems inherited from devicekit) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Chris PeBenito 1ff40b5ec7 Add label for parted. 2013-08-26 08:30:49 -04:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito 27044cf65b Add swapoff fc entry. 2013-04-05 09:43:14 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito 127d617b31 Pull in some changes from Fedora policy system layer. 2011-04-14 11:36:56 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito 939eaf2f13 Fstools patch from Dan Walsh. 2010-03-09 14:32:17 -05:00
Chris PeBenito 77c71b54e5 Fstools and Xen patches from Dan Walsh. 2009-11-25 10:27:31 -05:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00