Chris PeBenito
0992763548
Update callers for "pid" to "runtime" interface rename.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
Chris PeBenito
309f655fdc
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-10 15:02:27 -04:00
Topi Miettinen
1d8333d7a7
Remove unlabeled packet access
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-06-03 23:16:19 +03:00
Chris PeBenito
f028ac96fc
dbus, dpm2: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-16 16:27:55 -04:00
Dave Sugar
8f5cbc7779
Setup domain for tpm2_* binaries
The various /bin/tpm2_* binaries use dbus to communicate
with tpm2-abrmd and also can directly access /dev/tpmrm0. This
seems like a way to help limit access to the TPM by running the
tpm_* binaries in their own domain.
I set up this domain because I have a process that needs to use
tpm2_hmac to encode something, but didn't want that domain to
have direct access to the TPM. I did some basic testing to verify
that the other tpm2_* binaries have basically the same access needs.
But it wasn't thorough testing of all the tpm2_* binaries.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-04-16 15:40:09 -04:00
Chris PeBenito
a2ec18d2a3
dbus, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-06 11:40:56 -04:00
Chris PeBenito
ba3818ebcc
dbus: Rename tunable to dbus_pass_tuntap_fd.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-06 11:40:02 -04:00
David Sommerseth
79c7859a48
dbus: Add tunable - dbus_can_pass_tuntap_fd
D-Bus services wanting to pass file descriptors for
tun/tap devices need to read/write privileges to /dev/tun.
Without this privilege the following denial will happen:
type=AVC msg=audit(1582227542.557:3045): avc: denied { read write } for pid=1741 comm="dbus-daemon" path="/dev/net/tun" dev="devtmpfs" ino=486 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
This is needed by OpenVPN 3 Linux, where an unprivileged
process (openvpn3-service-client) requests a tun device
from a privileged service (openvpn3-service-netcfg) over
the D-Bus system bus.
GitHub-Issue: #190
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-04-02 22:40:00 +02:00
Chris PeBenito
b2f72e833b
Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
Chris PeBenito
2400f6a74c
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-17 13:34:06 -05:00
Jason Zaman
adaea617cd
dbus: add watch perms
avc: denied { watch } for pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-02-17 13:25:59 -05:00
Chris PeBenito
3e91c2264f
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-17 10:50:13 -05:00
Chris PeBenito
e2ac94d08d
dbus: Add directory watches.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-01-16 15:53:36 -05:00
Chris PeBenito
7af9eb3e91
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-15 10:42:45 -05:00
Stephen Smalley
161bda392e
access_vectors: Remove unused permissions
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Chris PeBenito
45bd96f619
various: Module version bump.
2019-11-23 09:54:36 -05:00
Laurent Bigonville
805f2d9cd4
Allow the systemd dbus-daemon to talk to systemd
Recent versions of dbus are started as Type=notify
type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc: denied { write } for pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:05:05 +01:00
Chris PeBenito
291f68a119
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:39:31 -04:00
Chris PeBenito
61ecff5c31
Remove old aliases.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
d6c7154f1c
Reorder declarations based on *_runtime_t renaming.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
69a403cd97
Rename *_var_run_t types to *_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
8c3893e427
Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito
e2e4094bd4
various: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f
Add kernel_dgram_send() into logging_send_syslog_msg()
This patch is based on comments from a previous patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito
32f3f09dc4
authlogin, dbus, ntp: Module version bump.
2019-03-24 14:43:35 -04:00
Sugar, David
142651a8b4
Resolve denial about logging to journal from dbus
type=AVC msg=audit(1553013821.597:9897): avc: denied { sendto } for pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Chris PeBenito
445cbed7c7
Bump module versions for release.
2019-02-01 15:03:42 -05:00
Chris PeBenito
a7f2394902
various: Module version bump.
2019-01-20 16:45:55 -05:00
Nicolas Iooss
47b09d472e
dbus: allow using dynamic UID
When using a systemd service with dynamic UID, dbus-daemon reads
symlinks in /run/systemd/dynamic-uid/:
type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e
syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800
a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81
suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
subj=system_u:system_r:system_dbusd_t key=(null)
type=AVC msg=audit(1547313774.993:373): avc: denied { read } for
pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e
syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800
a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295
uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81
tty=(none) ses=4294967295 comm="dbus-daemon"
exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t
key=(null)
type=AVC msg=audit(1547313774.993:374): avc: denied { read } for
pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
permissive=1
This directory looks like this, on Arch Linux with systemd 240:
# ls -alZ /run/systemd/dynamic-uid
drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./
drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../
-rw-------. 1 root root system_u:object_r:init_var_run_t 8 2019-01-12 15:53 65306
lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 7 2019-01-12 15:53 direct:65306 -> haveged
lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 5 2019-01-12 15:53 direct:haveged -> 65306
2019-01-16 22:13:57 +01:00
Chris PeBenito
e8ba31557d
various: Module version bump.
2019-01-06 14:11:08 -05:00
Chris PeBenito
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
Chris PeBenito
e5ac999aab
dbus, xserver, init, logging, modutils: Module version bump.
2018-12-11 17:59:31 -05:00
David Sugar
55c3fab804
Allow dbus to access /proc/sys/crypto/fips_enabled
type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
Chris PeBenito
3ab07a0e1e
Move all files out of the old contrib directory.
2018-06-23 10:38:58 -04:00
Chris PeBenito
09248fa0db
Move modules to contrib submodule.
2011-09-09 10:10:03 -04:00
Chris PeBenito
aa4dad379b
Module version bump for release.
2011-07-26 08:11:01 -04:00
Chris PeBenito
bdc7622e86
Remove redundant system dbus permissions with cpufreqselector and incorrect xdm dbus permission.
2011-03-16 08:20:28 -04:00
Chris PeBenito
0419373aa7
Allow system dbus to send messages to its clients.
2011-03-14 11:52:19 -04:00
Chris PeBenito
dc24f36872
Module version bump and changelog for cpufreqselector dbus patch from Guido Trentalancia.
2011-02-22 11:36:15 -05:00
Guido Trentalancia
f8b9fb9391
patch to make cpufreqselector usable with dbus
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
2011-02-22 11:23:10 -05:00
Chris PeBenito
826d014241
Bump module versions for release.
2010-12-13 09:12:22 -05:00
Chris PeBenito
befc7ec99f
Module version bump for Dominick's consoletype cleanup.
2010-10-11 09:27:27 -04:00
Dominick Grift
8340621920
Implement miscfiles_cert_type().
This is based on Fedora's miscfiles_cert_type implementation.
The idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.
Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well, but because I do not know exactly which domains, I will not change any other domains' calls to generic cert type interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
98ac98623c
Dbus patch from Dan Walsh.
2010-05-03 09:34:42 -04:00
Chris PeBenito
ed3a1f559a
bump module versions for release.
2009-11-17 10:05:56 -05:00
Chris PeBenito
62c80e2546
module version bumps and changelog update for the previous 3 commits.
2009-08-18 13:20:01 -04:00
Chris PeBenito
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00