Alexander Miroshnichenko
faa2b15910
Add nsd_admin interface to sysadm.te.
...
Allow users with sysadm_r role to start/stop NSD daemon.
2018-12-30 18:30:23 +03:00
Alexander Miroshnichenko
e426b5785f
Add required permissions for nsd_t to be able running.
...
Add required permissions to nsd_t for NSD work properly.
2018-12-30 18:27:30 +03:00
Chris PeBenito
e5ac999aab
dbus, xserver, init, logging, modutils: Module version bump.
2018-12-11 17:59:31 -05:00
David Sugar
6167b9b6e5
Allow auditctl_t to read bin_t symlinks.
...
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod. But policy didn't allow auditctl_t to follow
that link.
type=AVC msg=audit(1543853530.925:141): avc: denied { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc: denied { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc: denied { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc: denied { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
e73e9e7734
Add missing require for 'daemon' attribute.
...
Not sure how I didn't notice this missing require before.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
55c3fab804
Allow dbus to access /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
241b917d37
Allow kmod to read /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
3425d22c24
Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito
249e87ab73
cron, minissdpd, ntp, systemd: Module version bump.
2018-11-17 19:02:54 -05:00
Chris PeBenito
45a8ddd39f
Merge branch 'minissdpd' of https://github.com/bigon/refpolicy
2018-11-17 18:58:09 -05:00
David Sugar
b73758bb97
Interface to read cron_system_spool_t
...
Useful for the case that manage isn't requied.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
David Sugar
56e8f679b2
interface to enable/disable systemd_networkd service
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
David Sugar
5deea1b940
Add interfaces to control ntpd_unit_t systemd services
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
Chris PeBenito
cd4be3dcd0
dnsmasq: Module version bump.
2018-11-17 18:50:18 -05:00
Petr Vorel
da49b37d87
dnsmasq: Require log files to have .log suffix
...
+ allow log rotate as well.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
2018-11-17 18:49:59 -05:00
Laurent Bigonville
a71cc466fc
Allow minissdpd_t to create a unix_stream_socket
...
----
type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc: denied { listen } for pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc: denied { accept } for pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
2018-11-12 16:24:54 +01:00
Chris PeBenito
b4d7c65fc4
Various modules: Version bump.
2018-11-11 15:58:59 -05:00
Chris PeBenito
205b5e705a
Merge branch 'iscsi' of https://github.com/bigon/refpolicy
2018-11-11 15:53:19 -05:00
Chris PeBenito
0e868859c4
Merge branch 'resolved' of https://github.com/bigon/refpolicy
2018-11-11 15:52:51 -05:00
Chris PeBenito
390c4f80fb
Merge branch 'master' of https://github.com/bigon/refpolicy
2018-11-11 15:52:14 -05:00
Laurent Bigonville
7316be9c2a
Allow iscsid_t to create a netlink_iscsi_socket
...
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc: denied { bind } for pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc: denied { create } for pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
2018-11-11 20:04:21 +01:00
Laurent Bigonville
d5d6fe0046
Allow systemd_resolved_t to bind to port 53 and use net_raw
...
resolved also binds against port 53 on lo interface
2018-11-11 14:27:01 +01:00
Laurent Bigonville
404dcf2af4
Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names
...
Also allow unconfined_t to talk with the resolved daemon
2018-11-11 13:36:05 +01:00
Laurent Bigonville
06588b55b4
Add systemd_dbus_chat_resolved() interface
2018-11-11 13:33:00 +01:00
Laurent Bigonville
df58008c2b
Allow ntpd_t to read init state
...
With systemd-timesyncd, the following AVC denials are generated:
type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc: denied { open } for pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc: denied { read } for pid=397 comm=systemd-timesyn name=sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/11/18 15:44:39.564:49) : avc: denied { getattr } for pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
2018-11-10 19:01:33 +01:00
Laurent Bigonville
6060f35f03
Allow semanage_t to connect to system D-Bus bus
...
This is needed as systemd NSS modules is talking to systemd/PID1 over
D-Bus
2018-11-10 19:01:33 +01:00
Laurent Bigonville
2f054c67a2
irqbalance now creates an abstract socket
2018-11-10 19:01:28 +01:00
Chris PeBenito
4ff893bca0
dnsmasq: Reorder lines in file contexts.
2018-11-09 19:35:14 -05:00
Chris PeBenito
f583b6b061
dnsmasq: Whitespace fix in file contexts.
2018-11-09 19:34:49 -05:00
Chris PeBenito
1431ba9d41
amavis, apache, clamav, exim, mta, udev: Module version bump.
2018-11-09 19:32:08 -05:00
David Sugar
75dd54edc7
Allow clamd to use sent file descriptor
...
This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning. This still requires
the file type to be readable by clamd.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:09:49 -05:00
David Sugar
2fa76a4b9e
Add interfaces to control clamav_unit_t systemd services
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
David Sugar
81953475a5
Interface to add domain allowed to be read by ClamAV for scanning.
...
Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
David Sugar
03f248c9e1
Allow clamd_t to read /proc/sys/crypt/fips_enabled
...
To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc: denied { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc: denied { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc: denied { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc: denied { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
David Sugar
f0047d0247
Add interface udev_run_domain
...
This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action. This interface allows a domain transition to occur for the run action.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:04:22 -05:00
Chris PeBenito
35463351a0
clamav, ssh, init: Module version bump.
2018-10-27 15:10:10 -04:00
David Sugar
8e18a55457
Update CUSTOM_BUILDOPT
...
Have Makefile include CUSTOM_BUILDOPT in generated build.conf
Update Makefile.devel to pass CUSTOM_BUILDOPT while building module
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-10-27 14:56:34 -04:00
Luis Ressel
9dd80c6a67
system/init: Give init_spec_daemon_domain()s the "daemon" attribute
...
init_daemon_domain() applies this attribute too.
2018-10-27 14:56:34 -04:00
Luis Ressel
a42ff404bd
services/ssh: Don't audit accesses from ssh_t to /dev/random
...
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.
The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
2018-10-27 14:56:34 -04:00
David Sugar
1941eefa13
Interface to allow reading of virus signature files.
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-10-27 14:56:34 -04:00
Chris PeBenito
66a337eec6
obj_perm_sets.spt: Add xdp_socket to socket_class_set.
2018-10-23 17:18:43 -04:00
Chris PeBenito
8d86c5eaf8
Merge pull request #3 from bigon/xdp-socket
...
Add xdp_socket security class and access vectors
2018-10-21 13:28:00 -04:00
Laurent Bigonville
109ab3296b
Add xdp_socket security class and access vectors
...
Added in 4.18 release
2018-10-21 13:01:22 +02:00
Chris PeBenito
5a3207fb45
miscfiles: Module version bump.
2018-10-14 13:55:21 -04:00
Luis Ressel
75dcc276c0
miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t
...
fontconfig can be configure to use the TeX Live fonts in addition to
/usr/share/fonts/.
2018-10-14 13:50:27 -04:00
Chris PeBenito
e3eba7b7ff
logrotate: Module version bump.
2018-10-13 13:39:18 -04:00
Luis Ressel
14b4c0c8c7
Realign logrotate.fc, remove an obvious comment
2018-10-13 13:39:18 -04:00
Luis Ressel
a604ae7ca2
Add fc for /var/lib/misc/logrotate.status
...
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
2018-10-13 13:39:18 -04:00
Chris PeBenito
65da822c1b
Remove unused translate permission in context userspace class.
...
mcstransd never implemented this permission. To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
2018-10-13 13:39:18 -04:00
Chris PeBenito
e256e5563e
Merge pull request #1 from bigon/fix-sepolgen-ifgen
...
policy/support/obj_perm_sets.spt: modify indentation of mmap_file_per…
2018-10-09 19:27:59 -04:00