Commit Graph

5046 Commits

Author SHA1 Message Date
Chris PeBenito 5260679657 usermanage: Move kernel_dgram_send(passwd_t) to systemd block. 2019-03-11 20:59:16 -04:00
Sugar, David 1cc0045642 Resolve denial while changing password
I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging.  This resolves those denials.

type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:54:29 -04:00
Sugar, David 9d2b68e0ba Allow additional map permission when reading hwdb
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.

type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Updated from previous to create a new interface.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:53:30 -04:00
Chris PeBenito 5fda529636 Remove incorrect comment about capability2:mac_admin. 2019-03-11 20:49:42 -04:00
Chris PeBenito bb83a721cf filesystem, cron, authlogin: Module version bump. 2019-03-07 19:02:57 -05:00
Sugar, David 3fd0d7df8b Update cron use to pam interface
I'm seeing a many denials for cron related to faillog_t, lastlog_t
and wtmp_t.  These are all due to the fact cron is using pam (and my
system is configured with pam_faillog).  I have updated cron to use
auth_use_pam interface to grant needed permissions.

Additional change to allow systemd_logind dbus for cron.

I have included many of the denials I'm seeing, but there are probably
others I didn't capture.

type=AVC msg=audit(1551411001.389:1281): avc:  denied  { read write } for  pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc:  denied  { lock } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { write } for  pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc:  denied  { getattr } for  pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { read write } for  pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { open } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc:  denied  { lock } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Sugar, David 4f8d21ea71 Add interface to allow relabeling of iso 9660 filesystems.
I have a case where I'm labeling media with my own types to control
access.  But that is requiring that I relabel from iso9660_t to my
own type.  This interface allows that relabel.

type=AVC msg=audit(1551621984.372:919): avc:  denied  { relabelfrom } for  pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Chris PeBenito 712e6056d9 aide, clamav: Module version bump. 2019-02-26 19:21:27 -08:00
Sugar, David 59413b10b8 Allow AIDE to mmap files
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning.  RHEL7 has set this option in the
aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing
aide to map files that it needs.  I have set the default to
false as this seems perfered (in my mind).

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David e5b8318420 Allow AIDE to read kernel sysctl_crypto_t
type=AVC msg=audit(1550799594.212:164): avc:  denied  { search } for  pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { read } for  pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { open } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc:  denied  { getattr } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David 2f063edd88 Allow AIDE to sendto kernel datagram socket
type=AVC msg=audit(1550799594.394:205): avc:  denied  { sendto } for  pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David c418d0e81d Add interfaces to run freshclam
Currently freshclam can only be started from cron or init.  This adds
the option of starting from a different process and optionally
transitioning or staying in the callers domain.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David 899520233d Allow freshclam to read sysctl_crypto_t
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { search } for  pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { read } for  pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { open } for  pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David 2d105029d0 Fix incorrect type in clamav_enableddisable_clamd interface
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Chris PeBenito e6dcad5002 systemd: Module version bump. 2019-02-24 08:19:27 -08:00
Chris PeBenito a6d7668acc Merge branch 'systemd-update-done' of git://github.com/fishilico/selinux-refpolicy 2019-02-24 07:43:03 -08:00
Nicolas Iooss 2fb15c8268
Update systemd-update-done policy
systemd-update-done sends logs to journald like other services, as shown
by the following AVC:

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { sendto } for
    pid=277 comm="systemd-update-" path="/run/systemd/journal/socket"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
    permissive=1

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { write } for
    pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { connect } for
    pid=277 comm="systemd-update-"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:systemd_update_done_t
    tclass=unix_dgram_socket permissive=1

Moreover it creates /etc/.updated and /var/.updated using temporary
files:

    type=AVC msg=audit(1550865504.463:83): avc:  denied  { setfscreate }
    for  pid=277 comm="systemd-update-"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:systemd_update_done_t tclass=process
    permissive=1

    type=AVC msg=audit(1550865504.463:84): avc:  denied  { read write
    open } for  pid=277 comm="systemd-update-"
    path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    type=AVC msg=audit(1550865504.463:84): avc:  denied  { create } for
    pid=277 comm="systemd-update-" name=".#.updatedTz6oE9"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    [...]

    type=AVC msg=audit(1550865504.463:87): avc:  denied  { unlink } for
    pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    type=AVC msg=audit(1550865504.463:87): avc:  denied  { rename } for
    pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1"
    ino=806171 scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 11:08:20 +01:00
Chris PeBenito 2623984b83 logging, selinuxutil: Module version bump. 2019-02-23 19:30:58 -08:00
Chris PeBenito 0805aaca8d Merge branch 'restorecond-no-read-all' of git://github.com/fishilico/selinux-refpolicy 2019-02-23 18:43:02 -08:00
Chris PeBenito 0b3b6dbbf0 Merge branch 'systemd-journald-signull' of git://github.com/fishilico/selinux-refpolicy 2019-02-23 18:42:27 -08:00
Nicolas Iooss 0ab9035efa
Remove a broad read-files rule for restorecond
When the policy for restorecond was introduced, it contained a rule
which allowed restorecond to read every file except shadow_t (cf.
724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)
):

    auth_read_all_files_except_shadow(restorecond_t)

Since 2006, the policy changed quite a bit, but this access remained.
However restorecond does not need to read every available file.

This is related to this comment:
https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379
2019-02-23 21:20:21 +01:00
Nicolas Iooss 7bb9172b67
Allow restorecond to read customizable_types
When trying to remove files_read_non_auth_files(restorecond_t), the
following AVC denial occurs:

    type=AVC msg=audit(1550921968.443:654): avc:  denied  { open } for
    pid=281 comm="restorecond"
    path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1"
    ino=928006 scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:default_context_t tclass=file
    permissive=1

    type=AVC msg=audit(1550921968.443:654): avc:  denied  { read } for
    pid=281 comm="restorecond" name="customizable_types" dev="vda1"
    ino=928006 scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:default_context_t tclass=file
    permissive=1

As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by
restorecond, allow this access.
2019-02-23 21:14:10 +01:00
Nicolas Iooss 5250bd4863
Allow systemd-journald to use kill(pid, 0) on its clients
Since systemd 241, systemd-journald is using kill(pid, 0) in order to
find dead processes and reduce its cache. The relevant commit is
91714a7f42
("journald: periodically drop cache for all dead PIDs"). This commit
added a call to pid_is_unwaited(c->pid), which is a function implemented in
https://github.com/systemd/systemd/blob/v241/src/basic/process-util.c#L936 :

    bool pid_is_unwaited(pid_t pid) {
        /* Checks whether a PID is still valid at all, including a zombie */
        if (pid < 0)
                return false;
        if (pid <= 1) /* If we or PID 1 would be dead and have been waited for, this code would not be running */
                return true;
        if (pid == getpid_cached())
                return true;
        if (kill(pid, 0) >= 0)
                return true;
        return errno != ESRCH;
    }

This new code triggers the following AVC denials:

    type=AVC msg=audit(1550911933.606:332): avc:  denied  { signull }
    for  pid=224 comm="systemd-journal"
    scontext=system_u:system_r:syslogd_t
    tcontext=system_u:system_r:auditd_t tclass=process permissive=1

    type=AVC msg=audit(1550911933.606:333): avc:  denied  { signull }
    for  pid=224 comm="systemd-journal"
    scontext=system_u:system_r:syslogd_t
    tcontext=system_u:system_r:dhcpc_t tclass=process permissive=1

    type=AVC msg=audit(1550911933.606:334): avc:  denied  { signull }
    for  pid=224 comm="systemd-journal"
    scontext=system_u:system_r:syslogd_t
    tcontext=system_u:system_r:sshd_t tclass=process permissive=1
2019-02-23 20:55:17 +01:00
Chris PeBenito 5986fdc4df logging, miscfiles, authlogin: Module version bump. 2019-02-20 19:38:55 -08:00
Sugar, David 81c10b077a New interface to dontaudit access to cert_t
I'm seeing a bunch of denials for various processes (some refpolicy
domains, some my own application domains) attempting to access
/etc/pki.  They seem to be working OK even with the denial.  The
tunable authlogin_nsswitch_use_ldap controls access to cert_t
(for domains that are part of nsswitch_domain attribute).  Use this
new interface when that tunable is off to quiet the denials.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-20 19:28:45 -08:00
Sugar, David d8492558b3 Add interface to get status of rsyslog service
Updated based on feedback.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-20 19:28:45 -08:00
Chris PeBenito 98a7f0446d init, systemd, cdrecord: Module version bump. 2019-02-19 19:31:04 -08:00
Chris PeBenito b3e8e5a4ba systemd: Remove unnecessary brackets. 2019-02-19 19:20:57 -08:00
Sugar, David 31ac26dd58 Add interface to run cdrecord in caller domain
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-19 19:19:28 -08:00
Sugar, David b3cbf00cba Allow systemd-hostnamed to set the hostname
When calling hostnamectl to set the hostname it needs sys_admin
capability to actually set the hostname.

Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted
type=AVC msg=audit(1550058524.656:1988): avc:  denied  { sys_admin } for  pid=7873 comm="systemd-hostnam" capability=21  scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-19 19:06:40 -08:00
Sugar, David 61d12f722d Allow init_t to read net_conf_t
init (systemd) needs to read /etc/hostname during boot
to retreive the hostname to apply to the system.

Feb 06 18:37:06 localhost.localdomain kernel: type=1400 audit(1549478223.842:3): avc:  denied  { read } for  pid=1 comm="systemd" name="hostname" dev="dm-1" ino=1262975 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-19 19:06:40 -08:00
Chris PeBenito 807cf71287 corenetwork: Module version bump. 2019-02-17 21:11:43 -05:00
Chris PeBenito 0608514160 Merge branch 'stubby-daemon' of git://github.com/fishilico/selinux-refpolicy 2019-02-17 21:11:04 -05:00
Nicolas Iooss 919c889b7d
Add policy for stubby DNS resolver
Stubby is a DNS resolver that encrypts DNS queries and transmits them to
a resolver in a TLS channel. It therefore requires less permissions than
a traditionnal DNS resolver such as named or unbound (provided by module
"bind").

cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

This program is packaged for Arch Linux, Debian, etc.

DNS-over-TLS uses TCP port 853, which does not seem to conflict with
existing ports. Label it like other DNS ports.

init_dbus_chat(stubby_t) is required on systemd-based distributions
because stubby's service uses DynamicUser=yes [1]. Without this
statement, the following denials are reported by dbus:

    type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.DBus member=Hello
    dest=org.freedesktop.DBus spid=649
    scontext=system_u:system_r:stubby_t
    tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

    type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649
    tpid=1 scontext=system_u:system_r:stubby_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

    type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.39
    spid=1 tpid=649 scontext=system_u:system_r:init_t
    tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

[1] https://github.com/getdnsapi/stubby/blob/v0.2.5/systemd/stubby.service#L8
2019-02-17 22:16:33 +01:00
Chris PeBenito e3f90ef0b5 sysadm: Module version bump. 2019-02-13 18:53:56 -05:00
Chris PeBenito 9508b3bbe9 Merge branch 'sysadm-dynamic-users' of git://github.com/fishilico/selinux-refpolicy 2019-02-13 18:49:35 -05:00
Nicolas Iooss 4aa9acca0a
sysadm: allow resolving dynamic users
On a virtual machine using haveged daemon, running "ps" from a sysadm_t
user leads to the following output:

    $ ps -eH -o label,user,pid,cmd
    ...
    system_u:system_r:init_t        root         1 /sbin/init
    system_u:system_r:syslogd_t     root       223   /usr/lib/systemd/systemd-journald
    system_u:system_r:lvm_t         root       234   /usr/bin/lvmetad -f
    system_u:system_r:udev_t        root       236   /usr/lib/systemd/systemd-udevd
    system_u:system_r:entropyd_t    65306      266   /usr/bin/haveged --Foreground --verbose=1

User 65306 is a dynamic user attributed by systemd:

    $ cat /var/run/systemd/dynamic-uid/65306
    haveged

Running ps leads to the following log:

    type=USER_AVC msg=audit(1549830356.959:1056): pid=278 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1
    spid=12038 tpid=1 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Allow sysadm_t to resolve dynamic users when systemd is used.

After this, "ps" works fine:

    system_u:system_r:entropyd_t    haveged    266   /usr/bin/haveged --Foreground --verbose=1
2019-02-12 21:43:08 +01:00
Chris PeBenito e727079acc systemd: Module version bump. 2019-02-09 09:06:37 -05:00
Sugar, David 24da4bf370 Separate domain for systemd-modules-load
systemd-modules-load is used to pre-load kernal modules as the system comes up.
It was running initc_t which didn't have permissions to actually load kernel
modules.  This change sets up a new domain for this service and grants permission
necessary to load kernel modules.

Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:10): avc:  denied  { read } for  pid=4257 comm="systemd-modules" name="fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:11): avc:  denied  { open } for  pid=4257 comm="systemd-modules" path="/usr/lib/modules/3.10.0-957.1.3.el7.x86_64/kernel/fs/fuse/fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-09 09:01:05 -05:00
Sugar, David 21351f6bd9 Allow systemd-networkd to get IP address from dhcp server
I'm seeing the following denials when attempting to get a DHCP address.

type=AVC msg=audit(1549471325.440:199): avc:  denied  { name_bind } for pid=6964 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc:  denied  { node_bind } for pid=6964 comm="systemd-network" saddr=10.1.12.61 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc:  denied  { net_bind_service } for  pid=6964 comm="systemd-network" capability=10 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1549471325.440:199): arch=c000003e syscall=49 success=yes exit=0 a0=b a1=7fff09388780 a2=10 a3=7fff09388778 items=0 ppid=1 pid=6964 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-09 09:01:05 -05:00
Chris PeBenito 10e0106e82 Update Changelog and VERSION for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 83ebbd23d3 corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump. 2019-02-01 14:21:55 -05:00
Russell Coker 044da0b8b9 more misc stuff
Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.
2019-02-01 14:16:57 -05:00
Chris PeBenito 4e5b6f39ff redis: Module version bump. 2019-01-30 18:46:28 -05:00
Chris PeBenito 8e45aef50c redis: Move line. 2019-01-30 18:46:07 -05:00
Alexander Miroshnichenko 2adbd7f732 minor updates redis module to be able to start the app
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2019-01-30 18:45:43 -05:00
Chris PeBenito b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Chris PeBenito 137aca70e3 hostapd: Move line. 2019-01-29 18:59:50 -05:00
Chris PeBenito b54fd25c60 hostapd: Whitespace change. 2019-01-29 18:59:50 -05:00