RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,607 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

86 Commits

Author SHA1 Message Date
Chris PeBenito 0992763548 Update callers for "pid" to "runtime" interface rename. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-28 16:03:45 -04:00
Chris PeBenito 309f655fdc various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-06-10 15:02:27 -04:00
Topi Miettinen 1d8333d7a7
Remove unlabeled packet access 
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-06-03 23:16:19 +03:00
Chris PeBenito f028ac96fc dbus, dpm2: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-04-16 16:27:55 -04:00
Dave Sugar 8f5cbc7779 Setup domain for tpm2_* binaries 
The various /bin/tpm2_* binaries use dbus to communicate
with tpm2-abrmd and also can directly access /dev/tpmrm0.  This
seems like a way to help limit access to the TPM by running the
tpm_* binaries in their own domain.

I setup this domain because I have a process that needs to use
tpm2_hmac to encode something, but didn't want that domain to
have direct access to the TPM.  I did some basic testing to verify
that the other tpm2_* binaries have basically the same access needs.
But it wasn't through testing of all the tpm2_* binaries.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-04-16 15:40:09 -04:00
Chris PeBenito a2ec18d2a3 dbus, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-04-06 11:40:56 -04:00
Chris PeBenito ba3818ebcc dbus: Rename tunable to dbus_pass_tuntap_fd. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-04-06 11:40:02 -04:00
David Sommerseth 79c7859a48
dbus: Add tunable - dbus_can_pass_tuntap_fd 
D-Bus services wanting to pass file descriptors for
tun/tap devices need to read/write privileges to /dev/tun.

Without this privilege the following denial will happen:

    type=AVC msg=audit(1582227542.557:3045): avc:  denied  { read write } for  pid=1741 comm="dbus-daemon" path="/dev/net/tun" dev="devtmpfs" ino=486 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0

This is needed by OpenVPN 3 Linux, where an unprivileged
process (openvpn3-service-client) requests a tun device
from a privileged service (openvpn3-service-netcfg) over
the D-Bus system bus.

GitHub-Issue: #190
Signed-off-by: David Sommerseth <davids@openvpn.net>
 2020-04-02 22:40:00 +02:00
Chris PeBenito b2f72e833b Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-29 16:54:39 -05:00
Chris PeBenito 2400f6a74c various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-17 13:34:06 -05:00
Jason Zaman adaea617cd dbus: add watch perms 
avc:  denied  { watch } for  pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Chris PeBenito 3e91c2264f various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-01-17 10:50:13 -05:00
Chris PeBenito e2ac94d08d dbus: Add directory watches. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-01-16 15:53:36 -05:00
Chris PeBenito 7af9eb3e91 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-01-15 10:42:45 -05:00
Stephen Smalley 161bda392e access_vectors: Remove unused permissions 
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2020-01-14 13:41:50 -05:00
Chris PeBenito 45bd96f619 various: Module version bump. 2019-11-23 09:54:36 -05:00
Laurent Bigonville 805f2d9cd4 Allow the systemd dbus-daemon to talk to systemd 
Recent versions of dbus are started as Type=notify

type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc:  denied  { write } for  pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2019-10-31 12:05:05 +01:00
Chris PeBenito 291f68a119 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-09-30 20:39:31 -04:00
Chris PeBenito 61ecff5c31 Remove old aliases. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-09-30 20:02:43 -04:00
Chris PeBenito d6c7154f1c Reorder declarations based on *_runtime_t renaming. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-09-30 20:02:43 -04:00
Chris PeBenito 69a403cd97 Rename *_var_run_t types to *_runtime_t. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-09-30 20:02:43 -04:00
Chris PeBenito 8c3893e427 Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-06-09 14:05:19 -04:00
Chris PeBenito e2e4094bd4 various: Module version bump 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-16 22:08:11 -04:00
Sugar, David a49163250f Add kernel_dgram_send() into logging_send_syslog_msg() 
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-04-16 20:51:55 -04:00
Chris PeBenito 32f3f09dc4 authlogin, dbus, ntp: Module version bump. 2019-03-24 14:43:35 -04:00
Sugar, David 142651a8b4 Resolve denial about logging to journal from dbus 
type=AVC msg=audit(1553013821.597:9897): avc:  denied  { sendto } for  pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:37:22 -04:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Nicolas Iooss 47b09d472e
dbus: allow using dynamic UID 
When using a systemd service with dynamic UID, dbus-daemon reads
symlinks in /run/systemd/dynamic-uid/:

    type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e
    syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800
    a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81
    suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
    comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
    subj=system_u:system_r:system_dbusd_t key=(null)

    type=AVC msg=audit(1547313774.993:373): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1

    type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e
    syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800
    a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295
    uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81
    tty=(none) ses=4294967295 comm="dbus-daemon"
    exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t
    key=(null)

    type=AVC msg=audit(1547313774.993:374): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=1

This directory looks like this, on Arch Linux with systemd 240:

    # ls -alZ /run/systemd/dynamic-uid
    drwxr-xr-x.  2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./
    drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../
    -rw-------.  1 root root system_u:object_r:init_var_run_t   8 2019-01-12 15:53 65306
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   7 2019-01-12 15:53 direct:65306 -> haveged
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   5 2019-01-12 15:53 direct:haveged -> 65306
 2019-01-16 22:13:57 +01:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Chris PeBenito e5ac999aab dbus, xserver, init, logging, modutils: Module version bump. 2018-12-11 17:59:31 -05:00
David Sugar 55c3fab804 Allow dbus to access /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1543769401.029:153): avc:  denied  { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc:  denied  { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1543845518.175:364): avc:  denied  { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc:  denied  { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito 3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito 09248fa0db Move modules to contrib submodule. 2011-09-09 10:10:03 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito bdc7622e86 Remove redundant system dbus permissions with cpufreqselector and incorrect xdm dbus permission. 2011-03-16 08:20:28 -04:00
Chris PeBenito 0419373aa7 Allow system dbus to send messages to it's clients. 2011-03-14 11:52:19 -04:00
Chris PeBenito dc24f36872 Module version bump and changelog for cpufreqselector dbus patch from Guido Trentalancia. 2011-02-22 11:36:15 -05:00
Guido Trentalancia f8b9fb9391 patch to make cpufreqselector usable with dbus 
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
 2011-02-22 11:23:10 -05:00
Chris PeBenito 826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito befc7ec99f Module version bump for Dominick's consoletype cleanup. 2010-10-11 09:27:27 -04:00
Dominick Grift 8340621920 Implement miscfiles_cert_type(). 
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
 2010-09-10 11:05:46 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito 98ac98623c Dbus patch from Dan Walsh. 2010-05-03 09:34:42 -04:00
Chris PeBenito ed3a1f559a bump module versions for release. 2009-11-17 10:05:56 -05:00
Chris PeBenito 62c80e2546 module version bumps and changelog update for the previous 3 commits. 2009-08-18 13:20:01 -04:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00