Chris PeBenito
fe29a74cad
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-11-22 14:03:11 -05:00
Jason Zaman
d03b8ffdf5
systemd: make remaining dbus_* optional
...
Almost all calls to dbus_ interfaces were already optional, this makes
the remaining one optional_policy so that the modules can be installed /
upgraded easier.
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jason Zaman
6dd6823280
init: upstream fcontexts from gentoo policy
...
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jason Zaman
c9880f52d5
Add transition on gentoo init_t to openrc
...
Commit "init: replace call to init_domtrans_script"
(be231899f5
in upstream repo)
removed the call to init_domtrans_script which removed the openrc
domtrans. This adds it back directly in the distro_gentoo block.
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jonathan Davies
b1927e9f39
init: Added fcontext for openrc-shutdown.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jonathan Davies
b7acd3c4f9
init: Added fcontext for openrc-init.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jason Zaman
0ad23a33ef
getty: allow watching file /run/agetty.reload
...
avc: denied { watch } for pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jason Zaman
a98f25ce73
userdomain: Add watch on home dirs
...
avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Chris PeBenito
f1b83f8ef4
lvm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-11-09 11:45:32 -05:00
Guido Trentalancia
7122154c19
Add LVM module permissions needed to open cryptsetup devices.
...
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/lvm.te | 2 ++
1 file changed, 2 insertions(+)
2020-11-09 15:43:01 +01:00
Chris PeBenito
aa8d432584
filesystem, xen: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-11-05 06:55:25 -05:00
Anthony PERARD
4f23a54b52
xen: Allow xenstored to map /proc/xen/xsd_kva
...
xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux
boolean "domain_can_mmap_files" in CentOS is set to false the mmap()
call fails.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
2020-11-05 06:55:17 -05:00
Chris PeBenito
14a45a594b
devices, filesystem, systemd, ntp: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-09 09:45:11 -04:00
Chris PeBenito
785677771d
Merge pull request #313 from bootlin/buildroot-systemd-fixes
2020-10-09 09:42:40 -04:00
Chris PeBenito
b5525a3fca
systemd: Move systemd-pstore block up in alphabetical order.
...
No rule change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-09 09:42:31 -04:00
Antoine Tenart
e9228b49bb
systemd: allow systemd-network to list the runtime directory
...
Fixes:
avc: denied { read } for pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
avc: denied { read } for pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-10-09 08:58:31 +02:00
Antoine Tenart
49a0771dd3
systemd: allow systemd-getty-generator to read and write unallocated ttys
...
Fixes:
avc: denied { read write } for pid=40 comm="systemd-getty-g"
name="ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
avc: denied { open } for pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
avc: denied { ioctl } for pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-10-09 08:58:31 +02:00
Deepak Rawat
f5c8a117d9
Add selinux-policy for systemd-pstore service
...
systemd-pstore is a service to archive contents of pstore.
Signed-off-by: Deepak Rawat <drawat.floss@gmail.com>
2020-10-09 03:20:09 +00:00
Chris PeBenito
39e2af539d
corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-22 08:27:05 -04:00
Chris PeBenito
941620c89c
Merge pull request #309 from yizhao1/dhcpcd
2020-09-22 08:23:49 -04:00
Antoine Tenart
fdda7befa5
systemd: allow systemd-resolve to read in tmpfs
...
Fixes:
avc: denied { read } for pid=76 comm="systemd-resolve" name="/"
dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
Antoine Tenart
34547434b8
systemd: allow systemd-network to get attributes of fs
...
Fixes:
avc: denied { getattr } for pid=57 comm="systemd-network" name="/"
dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
Antoine Tenart
1ee738f708
systemd: allow systemd-hwdb to search init runtime directories
...
Fixes:
avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1
avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Antoine Tenart
f71d288e54
systemd: add extra systemd_generator_t rules
...
Fixes:
avc: denied { setfscreate } for pid=41 comm="systemd-getty-g"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=process
permissive=1
avc: denied { dac_override } for pid=40 comm="systemd-fstab-g"
capability=1 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=capability
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Yi Zhao
25251b1f3b
sysnet: allow dhcpcd to create socket file
...
The dhcpcd needs to create socket file under /run/dhcpcd directory.
Fixes:
AVC avc: denied { create } for pid=331 comm="dhcpcd" name="eth0.sock"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0
AVC avc: denied { setattr } for pid=331 comm="dhcpcd"
name="eth0.sock" dev="tmpfs" ino=19153
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0
AVC avc: denied { sendto } for pid=331 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=unix_dgram_socket permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-09-21 14:23:09 +08:00
Antoine Tenart
23f1e4316b
sysnetwork: allow to read network configuration files
...
Fixes:
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { read } for pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { read } for pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { open } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { open } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { getattr } for pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { read } for pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { open } for pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { search } for pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
5c604e806b
logging: allow systemd-journal to write messages to the audit socket
...
Fixes:
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
8cb806fbdf
locallogin: allow login to get attributes of procfs
...
Fixes:
avc: denied { getattr } for pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
7014af08ff
udev: allow udevadm to retrieve xattrs
...
Fixes:
avc: denied { getattr } for pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
avc: denied { getattr } for pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Chris PeBenito
c33866e1f6
selinux, init, systemd, rpm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-09 16:55:06 -04:00
Christian Göttsche
24827d8073
selinux: add selinux_use_status_page and deprecate selinux_map_security_files
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-09 21:00:47 +02:00
Christian Göttsche
1103350ee3
init/systemd: allow systemd to map the SELinux status page
...
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.
see https://github.com/systemd/systemd/pull/16821
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-08 13:18:18 +02:00
Chris PeBenito
dcf7ae9f48
userdomain: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-31 15:36:14 -04:00
Jonathan Davies
9d3321e4fe
userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded.
...
Thanks to Dominick Grift for helping me pin-point this.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-29 20:43:38 +00:00
Chris PeBenito
72e221fd4d
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-28 15:30:52 -04:00
Chris PeBenito
cc15ff2086
Merge pull request #302 from dsugar100/master
2020-08-28 15:26:50 -04:00
Chris PeBenito
74b37e16db
Merge pull request #301 from bauen1/fix-selint-s-010
2020-08-28 15:26:47 -04:00
bauen1
fa59d0e9bc
selint: fix S-010
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-08-28 17:39:09 +02:00
Dave Sugar
1627ab361e
Looks like this got dropped in pull request #294
...
Seeing the following denial - adding back in:
localhost kernel: type=1400 audit(1598497795.109:57): avc: denied { map } for pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2020-08-27 08:10:58 -04:00
Chris PeBenito
d387e79989
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:09:10 -04:00
Chris PeBenito
ab47695bdb
files, init, modutils, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-14 09:38:09 -04:00
Chris PeBenito
e10d956f38
Merge pull request #294 from cgzones/selint
2020-08-14 09:36:44 -04:00
Yi Zhao
8322f0e0d9
Remove duplicated rules
...
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-08-14 10:55:31 +08:00
Christian Göttsche
09ed84b632
files/modutils: unify modules_object_t usage into files module
...
modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Christian Göttsche
e9b2e1ea4f
work on SELint issues
...
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Chris PeBenito
fbc60f2319
Merge pull request #296 from cgzones/diff-check
...
whitespace cleanup
2020-08-13 09:19:48 -04:00
Christian Göttsche
72b2c66256
whitespace cleanup
...
Remove trailing white spaces and mixed up indents
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:34:57 +02:00
Christian Göttsche
3bb507efa6
Fix several misspellings
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:08:58 +02:00
Chris PeBenito
71e653980b
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-11 08:35:00 -04:00
Chris PeBenito
cd141fa2ea
Merge pull request #290 from pebenito/fs-image
2020-08-11 08:33:26 -04:00