Commit Graph

3252 Commits

Author SHA1 Message Date
Nicolas Iooss d938683bf4
drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd
In order to match /usr/lib/ocf/resource.d/linbit/drbd, the dot needs to
be escaped, not the d.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-21 23:03:01 +02:00
Chris PeBenito 230262368b ulogd: Rename ulogd_var_run_t to ulogd_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-17 15:17:51 -04:00
Chris PeBenito ac1659e79f ulogd: Module version bump. 2019-08-17 15:11:32 -04:00
Nicolas Iooss 9686bf05a7
ulogd: allow starting on a Debian system
When ulogd is run by systemd on Debian, it logs messages to the journal,
it used a PID file in /run/ulog/ulogd.pid, and logs packets to
/var/log/ulog/syslogemu.log. This last ones triggers a dac_read_search
capability check because the directory is configured as:

    drwxrwx---. ulog adm /var/log/ulog

(root does not have an access to the directory without bypassing the DAC.)

Add a comment describing how to avoid allowing dac_read_search to ulogd_t.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 16:03:39 +02:00
Nicolas Iooss d91d41b53a
ulogd: allow creating a netlink-netfilter socket
This is used to get the packets logged by the firewall.

I experienced this on a Debian system which uses nftables rules with the
"log" keyword:

    type=AVC msg=audit(1565901600.257:348): avc:  denied  { create } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tcla
    ss=netlink_netfilter_socket permissive=1

    type=AVC msg=audit(1565901103.154:327): avc:  denied  { read } for
    pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45
    success=yes exit=148 a0=8 a1=7f651d19d010 a2=249f0 a3=0 items=0 ppid=1
    pid=436 auid=4294967295 uid=111 gid=118 euid=111 suid=111 fsuid=111
    egid=118 sgid=118 fsgid=118 tty=(none) ses=4294967295 comm="ulogd"
    exe="/usr/sbin/ulogd" subj=system_u:system_r:ulogd_t key=(null)

    type=PROCTITLE msg=audit(1565901103.154:327):
    proctitle=2F7573722F7362696E2F756C6F6764002D2D6461656D6F6E002D2D75696400756C6F67002D2D70696466696C65002F72756E2F756C6F672F756C6F67642E706964

    [ ... ]

    type=AVC msg=audit(1565901600.241:338): avc:  denied  { write } for
    pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:348): avc:  denied  { create } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:349): avc:  denied  { getattr } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:350): avc:  denied  { bind } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 15:53:32 +02:00
Nicolas Iooss f37b4b5ddd
ulogd: add Debian's log directory
Debian uses /var/log/ulog/syslogemu.log by default to log network
packets sent through a netlink multicast group by the firewall.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 15:52:58 +02:00
Sugar, David 566fd554a6 Module for tpm2
Module for tpm2

v2 - updated to rename module and interface names, different dbus
interface

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-08-11 15:02:20 -04:00
Chris PeBenito fb04518b9d devices, storage: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-29 20:50:45 -04:00
Chris PeBenito 4ef04d8adb Merge pull request #58 from pebenito/more-device-updates 2019-07-29 20:50:23 -04:00
Chris PeBenito f191b07166 systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-21 14:34:09 -04:00
Laurent Bigonville 6b12bd3aca Allow systemd_modules_load_t to module_request and map modules_object_t files
[   10.685610] audit: type=1400 audit(1563706740.429:3): avc:  denied  { map } for  pid=394 comm="systemd-modules" path="/usr/lib/modules/4.19.0-5-amd64/kernel/drivers/parport/parport.ko" dev="dm-0" ino=795927 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
[   10.695021] audit: type=1400 audit(1563706740.437:5): avc:  denied  { module_request } for  pid=394 comm="systemd-modules" kmod="parport_lowlevel" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-07-21 19:46:47 +02:00
Chris PeBenito a5db4b262d devices: Add types for trusted execution environment interfaces.
These are interfaces for trusted OSes such as ARM TrustZone.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-07-16 16:38:50 -04:00
Chris PeBenito a159153d82 devices, storage: Add fc entries for mtd char devices and ndctl devices.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-07-16 16:38:43 -04:00
Chris PeBenito 921eb37a97 rpm, selinux, sysadm, init: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:07:11 -04:00
Chris PeBenito de8cf73de0 knot: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:06:44 -04:00
Chris PeBenito 7a1260ffe3 knot: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:06:02 -04:00
Alexander Miroshnichenko 491ae9991a Add knot module
Add a SELinux Reference Policy module for the
Knot authoritative-only DNS server.

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2019-07-13 14:00:31 -04:00
Sugar, David 2831598bb5 grant rpm_t permission to map security_t
type=AVC msg=audit(1560944462.698:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

v2 - Create new interface to allow mapping security_t and use this interface by rpm_t

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-13 14:00:23 -04:00
Chris PeBenito b85c93b582 rpm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-08 20:49:31 -04:00
Sugar, David 72cc3e9136 Allow rpm scripts to alter systemd services
In RPM scripts it is common to enable/start services that are being
installed.  This allows rpm_script_t to manage sysemd units

type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David 66bbd568e4 Allow rpm to map file contexts
type=AVC msg=audit(1560944465.365:270): avc:  denied  { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David 79fd6ddb3e grant rpm permissions to map locale_t
type=AVC msg=audit(1560913896.408:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David 8e09ba5637 grant permission for rpm to write to audit log
Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=?  terminal=? res=success'

These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc:  denied  { audit_write } for  pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1561298132.446:240): avc:  denied  { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { nlmsg_relay } for  pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc:  denied  { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1

v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:37:19 -04:00
Sugar, David c2f504c25e grant rpm permission to map rpm_var_lib_t
type=AVC msg=audit(1560913896.432:218): avc:  denied  { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:37:19 -04:00
Chris PeBenito 8c3893e427 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito 10784f3b33 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 13:37:51 -04:00
Chris PeBenito af2e1f91fd Merge pull request #57 from pebenito/pmem-dax 2019-06-09 13:26:49 -04:00
Chris PeBenito c00bf89d73 Merge pull request #56 from pebenito/apache-simplify 2019-06-09 13:26:46 -04:00
Chris PeBenito 91028527fc Merge pull request #55 from pebenito/modules-load 2019-06-09 13:26:43 -04:00
Chris PeBenito 666b744714 devices: Add type for /dev/daxX.Y.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-06-04 15:10:28 -04:00
Chris PeBenito f0e8bdbf50 storage: Add fc entry for /dev/pmem*
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-06-04 15:10:06 -04:00
Chris PeBenito d348413004 apache: Web content rules simplification.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-06-03 15:01:43 -04:00
Chris PeBenito b07f7b4495 systemd: modules-load updates.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-06-03 08:42:53 -04:00
Chris PeBenito 4aafedd872 init: Add systemd block to init_script_domain().
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-05-31 08:57:17 -04:00
Chris PeBenito 3a6b7c1856 logrotate: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-05-27 19:30:24 -04:00
Chris PeBenito 5a8c36f390 logrotate: Make MTA optional.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-05-16 11:48:05 -04:00
Chris PeBenito 2d9ad29d04 dovecot, logrotate: Module version bump. 2019-05-03 20:39:36 -04:00
Chris PeBenito 43a682068d Merge pull request #49 from bigon/fail2ban_logrotate 2019-05-03 08:00:43 -04:00
Chris PeBenito eaed7a9123 Merge pull request #48 from bigon/dovecot_lmtp 2019-05-03 08:00:41 -04:00
Laurent Bigonville 83f8240f04 Allow logrotate to execute fail2ban-client
fail2ban logrotate configuration runs "fail2ban-client flushlogs" after
rotating the logs
2019-05-03 13:34:16 +02:00
Laurent Bigonville 8215279af4 Add dovecot to listen to LMTP port
Mails can be injected in dovecot directly using LMTP
2019-05-03 12:33:09 +02:00
Dave Sugar de0e70f07a create interfaces for NetworkManager units
Create interfaces to allow start/stop, enable/disable
and status of NetworkManager systemd unit
2019-05-02 11:16:41 -04:00
Chris PeBenito 5d345b79ee various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-27 10:51:06 -04:00
Chris PeBenito 6857cda019 Merge pull request #46 from pebenito/systemd-user 2019-04-27 10:50:32 -04:00
Chris PeBenito a77e0f6837 Merge pull request #45 from pebenito/systemd-update-done-tweak 2019-04-27 10:50:30 -04:00
Chris PeBenito e5d14ad308 Merge pull request #44 from pebenito/http-mta-optional 2019-04-27 10:50:29 -04:00
Chris PeBenito 54dbc8a7a7 Merge pull request #43 from pebenito/various-device-labels 2019-04-27 10:50:27 -04:00
Chris PeBenito da156aea1e systemd: Add initial policy for systemd --user.
This is just a start; it does not cover all uses.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-25 11:18:58 -04:00
Chris PeBenito 4bca3dade2 devices: Change netcontrol devices to pmqos.
Devices with the netcontrol_device_t type are actually PM QoS devices.
Rename the type and add labeling for /dev/memory_bandwidth.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-24 09:17:36 -04:00
Chris PeBenito 3b0d0ea330 devices: Add type for GPIO chips, /dev/gpiochip[0-9]
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-24 08:50:41 -04:00