Commit Graph

141 Commits

Author SHA1 Message Date
Chris PeBenito 9f7cbe1427 Module version bump for patches from Nicolas Iooss. 2017-08-13 19:52:41 -04:00
Chris PeBenito 81aa9242aa logging: Move line. 2017-08-13 19:52:16 -04:00
Nicolas Iooss 52109514d5 audit: allow reading /etc/localtime
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:

    avc:  denied  { read } for  pid=191 comm="auditctl" name="UTC"
    dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1
    avc:  denied  { open } for  pid=191 comm="auditctl"
    path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
    scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1

This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":

    [pid   635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
    "/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
    ...
    [pid   635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
    such file or directory)
    [pid   635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
    [pid   635] lseek(4, -71, SEEK_CUR)     = 56
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
    [pid   635] close(4)                    = 0
    [pid   635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
    [pid   635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
    [pid   635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
    /etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
    NULL, 0) = 81
    [pid   635] exit_group(0)               = ?

More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time in the local timezone.

[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
2017-08-13 19:51:18 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 602b77236d Module version bump for mmap fixes from Stephen Smalley. 2017-05-24 19:58:32 -04:00
Stephen Smalley 7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito 477d984415 systemd init from Russell Coker
This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systemd.  Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.

Allow init_t to do several things that it requires when init is systemd.

Allow various operations on var_log_t to access var_log_t symlinks too.

Let auditd setattr its directory.
2017-04-16 19:08:40 -04:00
Chris PeBenito 160d08f3ae systemd-resolved, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.

Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
2017-03-28 18:51:35 -04:00
Chris PeBenito 4dcbc032cf Module version bump from /var/run fixes from cgzones. 2017-03-25 13:05:13 -04:00
Chris PeBenito 5e20a0ee5b /var/run -> /run again
Here's the latest version of my patch to remove all /var/run when it's not
needed.  I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it.  So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.

From Russell Coker
2017-03-25 12:56:03 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
Chris PeBenito c3c767bae2 Module version bump for CI fixes. 2017-02-23 20:32:10 -05:00
Chris PeBenito 65e60689d4 Fix CI errors. 2017-02-23 20:16:40 -05:00
Chris PeBenito 2087bde934 Systemd fixes from Russell Coker. 2017-02-23 20:03:23 -05:00
Chris PeBenito cb35cd587f Little misc patches from Russell Coker. 2017-02-18 09:39:01 -05:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 2e7553db63 Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 0fe21742cd Module version bumps for patches from cgzones. 2017-01-09 20:34:15 -05:00
cgzones e83058d205 auditd / auditctl: fix audits 2017-01-05 11:53:06 +01:00
Chris PeBenito 67c435f1fc Module version bump for fc updates from Nicolas Iooss. 2016-12-28 14:38:05 -05:00
Chris PeBenito f850ec37df Module version bumps for /run fc changes from cgzones. 2016-12-22 15:54:46 -05:00
Chris PeBenito d73cd61952 Module version bump for journald fixes from cgzones. 2016-12-06 19:52:42 -05:00
cgzones c1fa5e55ab fix syslogd audits 2016-12-04 23:09:49 +01:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito 71a425fdcd Systemd units from Russell Coker. 2016-08-06 19:14:18 -04:00
Chris PeBenito 672ea96b45 Module version bump for mlstrustedsocket from qqo. 2016-05-31 09:15:40 -04:00
qqo aedd5c314d Adds attribute mlstrustedsocket, along with the interface.
Sample AVC:
 type=AVC msg=audit(1459979143.990:219): avc:  denied  { sendto } for  pid=1935
 comm="charon" path="/dev/log" scontext=system_u:system_r:initrc_t:s0-s3:c0.c31
 tcontext=system_u:system_r:syslogd_t:s3:c0.c31 tclass=unix_dgram_socket permissive=0

This was discussed in 2010: http://oss.tresys.com/pipermail/refpolicy/2010-November/003444.html
2016-04-12 19:28:13 +03:00
Chris PeBenito cc248fc976 Module version bump for syslog and systemd changes from Laurent Bigonville 2016-01-06 09:22:11 -05:00
Laurent Bigonville b02a5d4b55 Allow syslogd_t to read sysctl_vm_overcommit_t 2015-12-16 19:30:47 +01:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito 17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito 4388def2d9 Add refpolicy core socket-activated services. 2015-10-23 10:17:46 -04:00
Chris PeBenito f7286189b3 Add systemd units for core refpolicy services.
Only for services that already have a named init script.

Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
2015-10-23 10:17:46 -04:00
Chris PeBenito 579849912d Add supporting rules for domains tightly-coupled with systemd. 2015-10-23 10:17:46 -04:00
Chris PeBenito 0a088aa8ac Module version bumps for further init_startstop_service() changes from Jason Zaman. 2015-05-27 14:50:45 -04:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 47fa454784 /dev/log symlinks are not labeled devlog_t.
Drop rule; if /dev/log is a symlink, it should be device_t.
2014-09-12 14:25:01 -04:00
Chris PeBenito e4cbb09a3d Module version bumps for systemd/journald patches from Nicolas Iooss. 2014-09-12 11:30:05 -04:00
Nicolas Iooss 0cd1ea9596 Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
Since commit 0fd9dc55, logging.te contains:

  term_write_all_user_ttys(syslogd_t)

As "write" is a superset of "append", this rule is no longer needed:

    term_append_unallocated_ttys(syslogd_t)

While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
2014-09-12 09:55:58 -04:00
Nicolas Iooss 6a201e405b Allow journald to access the state of all processes
When a process sends a syslog message to journald, journald records
information such as command, executable, cgroup, etc.:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589

This needs domain_read_all_domains_state.
2014-09-12 09:55:13 -04:00
Chris PeBenito 6ced8116bd Add comment for journald ring buffer reading. 2014-09-12 09:54:11 -04:00
Nicolas Iooss 3a7e30c22d Allow journald to read the kernel ring buffer and to use /dev/kmsg
audit.log shows that journald needs to read the kernel ring buffer:

    avc:  denied  { syslog_read } for  pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1

Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
2014-09-12 09:52:18 -04:00
Chris PeBenito 16bc3a454f Module version bumps for fc fixes from Nicolas Iooss. 2014-04-21 10:37:44 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito d5a562246e Module version bump for logging fc patch from Laurent Bigonville. 2014-01-31 22:24:08 -05:00
Chris PeBenito 58db129761 Update modules for file_t merge into unlabeled_t. 2014-01-16 11:24:25 -05:00
Chris PeBenito 9d6546a472 Module version bumps for syslog-ng and semodule updates. 2013-11-13 09:27:21 -05:00
Chris PeBenito 9fcc6fe625 Add comments about new capabilities for syslogd_t. 2013-11-13 09:26:38 -05:00