RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,873 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

4873 Commits

Author SHA1 Message Date
Chris PeBenito ed79766651 dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). 2019-01-23 18:28:51 -05:00
Russell Coker 05cd55fb51 tiny stuff for today 
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
 2019-01-23 18:26:45 -05:00
Chris PeBenito a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Chris PeBenito ecb4968238 systemd: Move interface implementation. 2019-01-20 16:36:36 -05:00
Russell Coker 6cbaf3240e map systemd private dirs 2019-01-20 16:34:59 -05:00
Sugar, David 6e86de0736 Add interface to read journal files 
When using 'systemctl status <service>' it will show recent
log entries for the selected service.  These recent log
entries are coming from the journal.  These rules allow the
reading of the journal files.

type=AVC msg=audit(1547760159.435:864): avc:  denied  { read } for  pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc:  denied  { getattr } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { read } for  pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc:  denied  { map } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-20 16:34:14 -05:00
Sugar, David 53ea0b2288 Add interface clamav_run 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-20 16:33:31 -05:00
Chris PeBenito 7d93336024 xserver: Move line 2019-01-20 16:22:01 -05:00
Russell Coker 54136fa311 more tiny stuff 
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.

A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).

The rest should be obvious.
 2019-01-20 16:20:33 -05:00
Chris PeBenito 310a7b0b85 Merge branch 'dbus-dynamic-uid' of git://github.com/fishilico/selinux-refpolicy 2019-01-19 12:51:26 -05:00
Chris PeBenito b5cda0e2c5 selinuxutil: Module version bump. 2019-01-16 18:20:51 -05:00
Chris PeBenito 038a5af1ed Merge branch 'restorecond-dontaudit-symlinks' of git://github.com/fishilico/selinux-refpolicy 2019-01-16 18:20:05 -05:00
Chris PeBenito 238bd4f91f logging, sysnetwork, systemd: Module version bump. 2019-01-16 18:19:22 -05:00
Sugar, David 69961e18a8 Modify type for /etc/hostname 
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are requied.

type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { add_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { create } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc:  denied  { setattr } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc:  denied  { remove_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { rename } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { unlink } for  pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:13:41 -05:00
Sugar, David 34e3505004 Interface with systemd_hostnamed over dbus to set hostname 
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:12:50 -05:00
Sugar, David 9255dfbf4e label journald configuraiton files syslog_conf_t 
journald already runs as syslogd_t label the config files similarly to
allow editing by domains that can edit syslog configuration files.
Also added some missing '\' before dot in filenames.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:11:43 -05:00
Nicolas Iooss 47b09d472e
dbus: allow using dynamic UID 
When using a systemd service with dynamic UID, dbus-daemon reads
symlinks in /run/systemd/dynamic-uid/:

    type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e
    syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800
    a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81
    suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
    comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
    subj=system_u:system_r:system_dbusd_t key=(null)

    type=AVC msg=audit(1547313774.993:373): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1

    type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e
    syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800
    a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295
    uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81
    tty=(none) ses=4294967295 comm="dbus-daemon"
    exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t
    key=(null)

    type=AVC msg=audit(1547313774.993:374): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=1

This directory looks like this, on Arch Linux with systemd 240:

    # ls -alZ /run/systemd/dynamic-uid
    drwxr-xr-x.  2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./
    drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../
    -rw-------.  1 root root system_u:object_r:init_var_run_t   8 2019-01-12 15:53 65306
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   7 2019-01-12 15:53 direct:65306 -> haveged
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   5 2019-01-12 15:53 direct:haveged -> 65306
 2019-01-16 22:13:57 +01:00
Nicolas Iooss 6e2896098c
selinuxutil: restorecond is buggy when it dereferencies symlinks 
restorecond uses libselinux's selinux_restorecon() to relabel files,
which dereferences symlinks in a useless call to statfs(). This produces
AVC denials which are noisy.

Fixes: https://github.com/SELinuxProject/refpolicy/pull/22
 2019-01-16 22:10:38 +01:00
Chris PeBenito 4a90eae668 usermanage, cron, selinuxutil: Module version bump. 2019-01-14 17:45:24 -05:00
Russell Coker dcb2d1d8b8 another trivial 
This adds a hostnamed rule and also corrects an error in a previous patch I
sent (a copy/paste error).
 2019-01-14 17:43:15 -05:00
Russell Coker b1d309b42c trivial system cronjob 2019-01-14 17:42:17 -05:00
Chris PeBenito 2c96e2fb56 Merge branch 'add_comment' of git://github.com/DefenSec/refpolicy 2019-01-14 17:41:28 -05:00
Chris PeBenito f35b390a5d Merge branch 'restorecond-symlinks' of git://github.com/fishilico/selinux-refpolicy 2019-01-14 17:40:58 -05:00
Dominick Grift a4a219a733
unconfined: add a note about DBUS 
Addresses https://github.com/SELinuxProject/refpolicy/issues/18
 2019-01-14 17:02:56 +01:00
Nicolas Iooss ae35b48f8e
selinuxutil: allow restorecond to read symlinks 
As restorecond dereferences symlinks when it encounters them in user
home directories, allow this access.
 2019-01-13 22:47:11 +01:00
Chris PeBenito 353d92a77a systemd: Module version bump. 2019-01-13 14:59:27 -05:00
Chris PeBenito 966f981fd8 systemd: Whitespace change 2019-01-13 14:47:34 -05:00
Chris PeBenito 65ce8b6df1 Merge branch 'systemd-rfkill' of git://github.com/fishilico/selinux-refpolicy 2019-01-13 14:47:04 -05:00
Nicolas Iooss c53019f2c3
systemd: add policy for systemd-rfkill 2019-01-12 23:00:29 +01:00
Chris PeBenito e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Chris PeBenito e8b70915b1 Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:55:36 -05:00
Chris PeBenito d01b3a1169 Merge branch 'services_single_usr_bin' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:53:58 -05:00
Sugar, David f0860ff0bb Add interface to start/stop iptables service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-12 14:32:00 -05:00
Russell Coker da1de46f66 some little stuff 
Tiny and I think they are all obvious.
 2019-01-12 14:16:33 -05:00
Nicolas Iooss c3b588bc65
init: rename *_pid_* interfaces to use "runtime" 
The name of these interfaces is clearer that way.

This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
 2019-01-12 17:11:00 +01:00
Nicolas Iooss 80fb19a9ba
Label service binaries in /usr/bin like /usr/sbin 
For some services, the program responsible for the service has a file
context which is defined only when it is installed in /usr/sbin. This
does not work on Arch Linux, where every program is in /usr/bin
(/usr/sbin is a symlink to /usr/bin).

Add relevant file contexts for /usr/bin/$PROG when /usr/sbin/$PROG
exists.
 2019-01-12 17:08:09 +01:00
Chris PeBenito 143ed2cc1b init, logging: Module version bump. 2019-01-10 20:26:36 -05:00
Chris PeBenito 4613001a1a Merge branch 'systemd-journald_units_symlinks' of git://github.com/fishilico/selinux-refpolicy 2019-01-10 20:24:59 -05:00
Nicolas Iooss 6f5e31431e
Allow systemd-journald to read systemd unit symlinks 
type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:user@1000.service"
    dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0
    type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:dbus.service"
    dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

"ls -lZ" on these files gives:

    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:user@1000.service -> a12344e990e641d9a43065b2d1e115a7
    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:dbus.service -> 70bd8da4e0c14bf8b7fcadcd71d22214
 2019-01-10 23:51:08 +01:00
Chris PeBenito 85536c64e1 kernel, jabber, ntp, init, logging, systemd: Module version bump. 2019-01-09 19:36:41 -05:00
Russell Coker 4a95d08da1 logging 
Prosody and ntpd don't just need append access to their log files.
 2019-01-09 19:30:25 -05:00
Chris PeBenito d2a1333fdc kernel, systemd: Move lines. 2019-01-09 19:30:15 -05:00
Russell Coker 9cb572bd02 mls stuff 
Here are the patches I used last time I tried to get MLS going on Debian.
 2019-01-09 19:20:35 -05:00
Chris PeBenito e8f5b8844f Add CONTRIBUTING file. 2019-01-07 18:52:17 -05:00
Chris PeBenito 1ff4b35ec2 iptables: Module version bump. 2019-01-07 18:48:44 -05:00
Sugar, David 43a77c30fa Add interface to get status of iptables service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-07 18:40:13 -05:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Chris PeBenito 599112a85c Merge branch 'systemd-logind-getutxent' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:07:54 -05:00
Chris PeBenito bd50873362 Merge branch 'restorecond_getattr_cgroupfs' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:07:24 -05:00
Chris PeBenito 559d4b830a Merge branch 'ssh_dac_read_search' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:06:47 -05:00