The condition `use_alsa` is nowhere defined, and the contained interface
`alsa_domain` does not exist.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Commit 69a403cd97 renamed smbd_var_run_t to smbd_runtime_t,
but smbd_runtime_t does not exist.
Commit 61ecff5c31 removed the alias smbd_var_run_t to samba_runtime_t.
Use samba_runtime_t instead.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
This is better than the current status quo of running nginx under
initrc_t, a lot of other webservers are already under the apache policy
(e.g. lighttpd) and this requires no additional permissions.
See also the discussion from March 2013 on the selinux-refpolicy mailing
list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/
Signed-off-by: bauen1 <j2468h@gmail.com>
a require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.
Signed-off-by: Daniel Burgener <Daniel.Burgener@Microsoft.com>
I have been working to support IMA/EVM on a system. It
requires having keys added to the kernel keyring. Keys
added with keyctl and evmctl. I am creating keys in the
ima_key_t type. Once the keys are created, many domains
then need search permission on the type of the key. The
following changes are needed to get things to work.
Need to add keys to the kernel keyring (keyctl).
type=AVC msg=audit(1585420717.704:1868): avc: denied { write } for pid=8622 comm="keyctl" scontext=system_u:system_r:cleanup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
Allow all domains to search key
type=AVC msg=audit(1587936822.802:556): avc: denied { search } for pid=5963 comm="kworker/u16:6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.804:559): avc: denied { search } for pid=5963 comm="systemd-cgroups" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.809:560): avc: denied { search } for pid=5964 comm="(sysctl)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.813:562): avc: denied { search } for pid=5964 comm="sysctl" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936823.149:604): avc: denied { search } for pid=5987 comm="setsebool" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage
bootloader files in UEFI (DOS) partition need also to manage UEFI boot
variables in efivarfs. Bootctl (systemd-boot tool) verifies the type
of EFI file system and needs to mmap() the files.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Build SECMARK rules for iptables and NFT, install them as
/usr/share/doc/$PKGNAME/netfilter_contexts{,.nft}.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Add KWin to list of window managers and allow it to mmap wm_tmpfs_t
files to avoid a crash. Related audit event:
type=AVC msg=audit(04/24/2020 15:39:25.287:679) : avc: denied { map } for pid=1309 comm=kwin_x11 path=/memfd:JSVMStack:/lib/x86_64-linux-gnu/libQt5Qml.so.5 (deleted) dev="tmpfs" ino=45261 scontext=user_u:user_r:user_wm_t:s0 tcontext=user_u:object_r:wm_tmpfs_t:s0 tclass=file permissive=0
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Allow systemd-networkd to send and receive ICMPv6 Router Solicitation
and Router Advertisement packets (in reality all ICMP/ICMPv6 packets)
and DHCP client packets.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Christian Göttsche
Chris PeBenito
bauen1
Topi Miettinen
Daniel Burgener
Dave Sugar