Nicolas Iooss
d938683bf4
drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd
...
In order to match /usr/lib/ocf/resource.d/linbit/drbd, the dot needs to
be escaped, not the d.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-21 23:03:01 +02:00
Chris PeBenito
230262368b
ulogd: Rename ulogd_var_run_t to ulogd_runtime_t.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-17 15:17:51 -04:00
Chris PeBenito
ac1659e79f
ulogd: Module version bump.
2019-08-17 15:11:32 -04:00
Nicolas Iooss
9686bf05a7
ulogd: allow starting on a Debian system
...
When ulogd is run by systemd on Debian, it logs messages to the journal,
it uses a PID file in /run/ulog/ulogd.pid, and logs packets to
/var/log/ulog/syslogemu.log. This last one triggers a dac_read_search
capability check because the directory is configured as:
drwxrwx---. ulog adm /var/log/ulog
(root does not have access to the directory without bypassing the DAC.)
Add a comment describing how to avoid allowing dac_read_search to ulogd_t.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 16:03:39 +02:00
Nicolas Iooss
d91d41b53a
ulogd: allow creating a netlink-netfilter socket
...
This is used to get the packets logged by the firewall.
I experienced this on a Debian system which uses nftables rules with the
"log" keyword:
type=AVC msg=audit(1565901600.257:348): avc: denied { create } for
pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=AVC msg=audit(1565901103.154:327): avc: denied { read } for
pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45
success=yes exit=148 a0=8 a1=7f651d19d010 a2=249f0 a3=0 items=0 ppid=1
pid=436 auid=4294967295 uid=111 gid=118 euid=111 suid=111 fsuid=111
egid=118 sgid=118 fsgid=118 tty=(none) ses=4294967295 comm="ulogd"
exe="/usr/sbin/ulogd" subj=system_u:system_r:ulogd_t key=(null)
type=PROCTITLE msg=audit(1565901103.154:327):
proctitle=2F7573722F7362696E2F756C6F6764002D2D6461656D6F6E002D2D75696400756C6F67002D2D70696466696C65002F72756E2F756C6F672F756C6F67642E706964
[ ... ]
type=AVC msg=audit(1565901600.241:338): avc: denied { write } for
pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=AVC msg=audit(1565901600.257:348): avc: denied { create } for
pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=AVC msg=audit(1565901600.257:349): avc: denied { getattr } for
pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=AVC msg=audit(1565901600.257:350): avc: denied { bind } for
pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 15:53:32 +02:00
Nicolas Iooss
f37b4b5ddd
ulogd: add Debian's log directory
...
Debian uses /var/log/ulog/syslogemu.log by default to log network
packets sent through a netlink multicast group by the firewall.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 15:52:58 +02:00
Sugar, David
566fd554a6
Module for tpm2
...
Module for tpm2
v2 - updated to rename module and interface names, different dbus
interface
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-08-11 15:02:20 -04:00
Chris PeBenito
fb04518b9d
devices, storage: Module version bump
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-29 20:50:45 -04:00
Chris PeBenito
4ef04d8adb
Merge pull request #58 from pebenito/more-device-updates
2019-07-29 20:50:23 -04:00
Chris PeBenito
f191b07166
systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-21 14:34:09 -04:00
Laurent Bigonville
6b12bd3aca
Allow systemd_modules_load_t to module_request and map modules_object_t files
...
[ 10.685610] audit: type=1400 audit(1563706740.429:3): avc: denied { map } for pid=394 comm="systemd-modules" path="/usr/lib/modules/4.19.0-5-amd64/kernel/drivers/parport/parport.ko" dev="dm-0" ino=795927 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
[ 10.695021] audit: type=1400 audit(1563706740.437:5): avc: denied { module_request } for pid=394 comm="systemd-modules" kmod="parport_lowlevel" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-07-21 19:46:47 +02:00
Chris PeBenito
a5db4b262d
devices: Add types for trusted execution environment interfaces.
...
These are interfaces for trusted OSes such as ARM TrustZone.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-07-16 16:38:50 -04:00
Chris PeBenito
a159153d82
devices, storage: Add fc entries for mtd char devices and ndctl devices.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-07-16 16:38:43 -04:00
Chris PeBenito
921eb37a97
rpm, selinux, sysadm, init: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:07:11 -04:00
Chris PeBenito
de8cf73de0
knot: Move lines.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:06:44 -04:00
Chris PeBenito
7a1260ffe3
knot: Whitespace changes.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:06:02 -04:00
Alexander Miroshnichenko
491ae9991a
Add knot module
...
Add a SELinux Reference Policy module for the
Knot authoritative-only DNS server.
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2019-07-13 14:00:31 -04:00
Sugar, David
2831598bb5
grant rpm_t permission to map security_t
...
type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
v2 - Create new interface to allow mapping security_t and use this interface by rpm_t
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-13 14:00:23 -04:00
Chris PeBenito
b85c93b582
rpm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-08 20:49:31 -04:00
Sugar, David
72cc3e9136
Allow rpm scripts to alter systemd services
...
In RPM scripts it is common to enable/start services that are being
installed. This allows rpm_script_t to manage systemd units.
type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David
66bbd568e4
Allow rpm to map file contexts
...
type=AVC msg=audit(1560944465.365:270): avc: denied { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David
79fd6ddb3e
grant rpm permissions to map locale_t
...
type=AVC msg=audit(1560913896.408:217): avc: denied { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David
8e09ba5637
grant permission for rpm to write to audit log
...
Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success'
These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:37:19 -04:00
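Several of the commits above (ulogd's netlink_netfilter_socket denials, rpm_script_t's USER_AVC service denials, rpm_t's audit_write capability denial) each start from a handful of AVC records that get folded into one rule or interface call. The following added example, which is not part of refpolicy or of any commit on this page, does that aggregation the way audit2allow does: it parses both kernel AVC and USER_AVC records, skips SYSCALL/PROCTITLE noise, groups permissions by (source type, target type, class) and renders raw allow rules. The sample audit text is constructed from the lines quoted in the commit messages.

```python
import re
from collections import defaultdict

# Constructed sample: denial records copied from the commit messages above
# (an unrelated SYSCALL record is included to show that it is ignored).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1565901600.257:348): avc: denied { create } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1565901103.154:327): avc: denied { read } for pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1
type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45 success=yes exit=148 comm="ulogd" exe="/usr/sbin/ulogd"
type=AVC msg=audit(1565901600.257:350): avc: denied { bind } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1
type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd"'
type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1
"""

# Matches the avc: part of a record whether it is a kernel AVC line or is
# embedded in the msg='...' field of a USER_AVC line sent by systemd.
AVC_RE = re.compile(
    r"avc: +denied +\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scon>\S+) +tcontext=(?P<tcon>\S+) +tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:range] -> type (the MLS range, if any, is dropped)."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)} for the AVC
    records in raw audit text; non-AVC records are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE, SOFTWARE_UPDATE, ...
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render aggregated denials as raw allow rules, using 'self' when the
    source and target types are the same. In refpolicy the equivalent
    access is normally granted through an interface, not a raw allow."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(parse_denials(SAMPLE_AUDIT))))
```

The output is the minimal set of permissions the logged denials would require, which is the starting point for deciding whether a rule is justified or whether, as in the dac_read_search case above, the underlying configuration should change instead.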
Sugar, David
c2f504c25e
grant rpm permission to map rpm_var_lib_t
...
type=AVC msg=audit(1560913896.432:218): avc: denied { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:37:19 -04:00
Chris PeBenito
8c3893e427
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito
10784f3b33
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 13:37:51 -04:00
Chris PeBenito
af2e1f91fd
Merge pull request #57 from pebenito/pmem-dax
2019-06-09 13:26:49 -04:00
Chris PeBenito
c00bf89d73
Merge pull request #56 from pebenito/apache-simplify
2019-06-09 13:26:46 -04:00
Chris PeBenito
91028527fc
Merge pull request #55 from pebenito/modules-load
2019-06-09 13:26:43 -04:00
Chris PeBenito
666b744714
devices: Add type for /dev/daxX.Y.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-06-04 15:10:28 -04:00
Chris PeBenito
f0e8bdbf50
storage: Add fc entry for /dev/pmem*
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-06-04 15:10:06 -04:00
Chris PeBenito
d348413004
apache: Web content rules simplification.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-06-03 15:01:43 -04:00
Chris PeBenito
b07f7b4495
systemd: modules-load updates.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-06-03 08:42:53 -04:00
Chris PeBenito
4aafedd872
init: Add systemd block to init_script_domain().
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-05-31 08:57:17 -04:00
Chris PeBenito
3a6b7c1856
logrotate: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-05-27 19:30:24 -04:00
Chris PeBenito
5a8c36f390
logrotate: Make MTA optional.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-05-16 11:48:05 -04:00
Chris PeBenito
2d9ad29d04
dovecot, logrotate: Module version bump.
2019-05-03 20:39:36 -04:00
Chris PeBenito
43a682068d
Merge pull request #49 from bigon/fail2ban_logrotate
2019-05-03 08:00:43 -04:00
Chris PeBenito
eaed7a9123
Merge pull request #48 from bigon/dovecot_lmtp
2019-05-03 08:00:41 -04:00
Laurent Bigonville
83f8240f04
Allow logrotate to execute fail2ban-client
...
fail2ban logrotate configuration runs "fail2ban-client flushlogs" after
rotating the logs
2019-05-03 13:34:16 +02:00
Laurent Bigonville
8215279af4
Add dovecot to listen to LMTP port
...
Mails can be injected in dovecot directly using LMTP
2019-05-03 12:33:09 +02:00
Dave Sugar
de0e70f07a
create interfaces for NetworkManager units
...
Create interfaces to allow start/stop, enable/disable
and status of NetworkManager systemd unit
2019-05-02 11:16:41 -04:00
Chris PeBenito
5d345b79ee
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-27 10:51:06 -04:00
Chris PeBenito
6857cda019
Merge pull request #46 from pebenito/systemd-user
2019-04-27 10:50:32 -04:00
Chris PeBenito
a77e0f6837
Merge pull request #45 from pebenito/systemd-update-done-tweak
2019-04-27 10:50:30 -04:00
Chris PeBenito
e5d14ad308
Merge pull request #44 from pebenito/http-mta-optional
2019-04-27 10:50:29 -04:00
Chris PeBenito
54dbc8a7a7
Merge pull request #43 from pebenito/various-device-labels
2019-04-27 10:50:27 -04:00
Chris PeBenito
da156aea1e
systemd: Add initial policy for systemd --user.
...
This is just a start; it does not cover all uses.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-25 11:18:58 -04:00
Chris PeBenito
4bca3dade2
devices: Change netcontrol devices to pmqos.
...
Devices with the netcontrol_device_t type are actually PM QoS devices.
Rename the type and add labeling for /dev/memory_bandwidth.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-24 09:17:36 -04:00
Chris PeBenito
3b0d0ea330
devices: Add type for GPIO chips, /dev/gpiochip[0-9]
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-24 08:50:41 -04:00