When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
In many cases, this won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users)
Some aspect to note:
1. The ssh_sysadm_login boolean now applies to unconfined_t as well
2. remotelogin only allows unpriv logins
The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.
Signed-off-by: Dominick Grift <dac.override@gmail.com>
Debian's PAM configuration uses a patched pam_motd module that runs
files in /etc/update-motd.d/ in order to generate a dynamic Message Of
The Day (MOTD). By default, there is only one script:
$ cat /etc/update-motd.d/10-uname
#!/bin/sh
uname -snrvm
According to https://wiki.debian.org/motd, the script is executed
through run-parts:
if (!system("/usr/bin/env -i
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
run-parts --lsbsysinit /etc/update-motd.d >
/run/motd.dynamic.new"))
rename("/run/motd.dynamic.new", "/run/motd.dynamic");
This requires allowing pam_motd users to execute bin_t commands
(/usr/bin/env) and shells (/bin/sh), and to manage /run/motd.dynamic*
files.
Allow relevant accesses for Debian-based systems.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.
The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
The following patch adds dontaudit rules for where the net_admin capability
is requested due to SO_SNDBUFFORCE. This forces the caller to use SO_SNDBUF
which gives the same result but possibly a smaller buffer.
From Russell Coker
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
On Arch Linux, OpenSSH unit files are:
/usr/lib/systemd/system/sshdgenkeys.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket
On Debian jessie, the unit files are:
/lib/systemd/system/ssh.service
/lib/systemd/system/ssh@.service
/lib/systemd/system/ssh.socket
On Fedora 22, the unit files are:
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket
Use a pattern which matches every sshd unit and introduce an other type
for ssh-keygen units.
Chris PeBenito
Topi Miettinen
Daniel Burgener
Stephen Smalley
Dominick Grift
Nicolas Iooss
Russell Coker
Luis Ressel
Jason Zaman
cgzones
Chris PeBenito