Modern systems shouldn't need direct access to raw memory
devices (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port)
anymore, so let's remove the access in most cases and make it tunable
in the rest.
Add dev_read_raw_memory_cond(), dev_write_raw_memory_cond() and
dev_wx_raw_memory_cond(), which are conditional to new boolean
allow_raw_memory_access.
Remove raw memory access for a few domains that should never have
needed it (colord_t, iscsid_t, mdamd_t, txtstat_t), should not need it
anymore (dmidecode_t, Debian devicekit_diskt_t, hald_t, hald_mac_t,
xserver_t) or the domains that should transition to different domain
for this (rpm_t, kudzu_t, dpkg_t).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
CryFS (https://www.cryfs.org/) is a software that can be run by non-root
users that have access to /dev/fuse. Its command is directly used to
mount a directory ("/usr/bin/cryfs basedir mountpoint"), like command
"mount". Unmounting a mountpoint is done with "fusermount -u
mountpoint", /usr/bin/fusermount being a setuid-root program labeled
mount_exec_t.
EncFS (https://www.arg0.net/encfs) is a similar software that has been
considered insecure since a security audit in 2014 found vulnerabilities
that are not yet fixed (like https://github.com/vgough/encfs/issues/9).
gocryptfs (https://nuetzlich.net/gocryptfs/) is a similar software that
has been inspired by EncFS.
Allow users with role sysadm to use all these projects.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Arch Linux installs Chromium in /usr/lib/chromium/ like Debian. Instead
of adding a new ifdef(`distro_arch') block, remove the restriction in
chromium.fc.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
WeeChat is an extensible IRC client: https://weechat.org/
* Label WeeChat program and configuration file like other IRC clients
* Allow WeeChat to create a pipe in ~/.weechat/weechat_fifo
* Allow WeeChat to read /proc/sys/crypto/fips_enabled
* Allow WeeChat to use a Unix datagram socket with its forked children
* Allow other accesses
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/usr/lib/jvm/java(.*/)bin(/.*)? uses misleading parentheses around
".*/". In some cases, a pattern with (.*/) is a mispelling to (.*/)?,
but not here (/usr/lib/jvm/javabin/ never exists).
Moreover, using .* here is right, as the pattern matches the content of
subdirectories of /usr/lib/jvm/ which names are prefixed by java. More
precisely, the pattern matches for example:
- programs in /usr/lib/jvm/java-10-openjdk/bin
- programs in /usr/lib/jvm/java-8-openjdk/jre/bin
In the end, the pattern does not have any error, but the parentheses are
misleading. Remove them.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The pattern "(.*)?" means "match anything including the nothing, or
nothing": the question mark is redundant. This is likely to be a
mispelling for "(/.*)?", which means "match a slash and anthing, or
nothing", or for ".*", or for other patterns.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.
Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The following pattern seems to match much more than intended:
/usr/(.*/)?bin/java[^-]*
According to the commit which introduced it
(0190325c18),
the aim was to match java1.4, java5, java6, and not java-config nor
java-check-environment. The issue is that the pattern also matches
sub-directories such as:
/usr/share/my-application/bin/java/myfile
Prevent this by adding / in the character blacklist of the pattern.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
