selinux-refpolicy/policy/modules/kernel
Dave Sugar a0403b52d8 Interfaces needed to support IMA/EVM keys
I have been working to support IMA/EVM on a system.  It
requires having keys added to the kernel keyring.  Keys are
added with keyctl and evmctl.  I am creating keys in the
ima_key_t type.  Once the keys are created, many domains
then need search permission on the type of the key.  The
following changes are needed to get things to work.

Need to add keys to the kernel keyring (keyctl).

type=AVC msg=audit(1585420717.704:1868): avc:  denied  { write } for pid=8622 comm="keyctl" scontext=system_u:system_r:cleanup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

Allow all domains to search key

type=AVC msg=audit(1587936822.802:556): avc:  denied  { search } for  pid=5963 comm="kworker/u16:6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.804:559): avc:  denied  { search } for  pid=5963 comm="systemd-cgroups" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.809:560): avc:  denied  { search } for  pid=5964 comm="(sysctl)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.813:562): avc:  denied  { search } for  pid=5964 comm="sysctl" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936823.149:604): avc:  denied  { search } for  pid=5987 comm="setsebool" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-04-29 11:50:16 -04:00
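The AVC records quoted in the commit message are the raw input a policy author works from. The script below is an added example, not part of the commit or of refpolicy: it parses those six records (embedded here as constructed sample input, copied from the message), collapses them into candidate `allow` rules the way `audit2allow` would, and then groups them by target access so it is visible that `search` on `ima_key_t:key` is wanted by five unrelated domains, which is the case for a domain-wide interface (the commit touches domain.if and kernel.if in the listing below) rather than five per-domain rules. It also checks the `permissive=1` field: every record here was logged with the access allowed, so the list shows what would fail under enforcing, not what did fail. In refpolicy the generated `allow` lines would be wrapped in interfaces, never pasted into a module as-is.

```python
"""Turn AVC denial records into candidate SELinux allow rules and show which
source domains need the same access on the same target.  Added example;
not refpolicy code.  The audit lines are a constructed sample copied from
the commit message above.
"""
import re
from collections import defaultdict

# Constructed sample input: the six AVC records quoted in the commit message.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1585420717.704:1868): avc:  denied  { write } for pid=8622 comm="keyctl" scontext=system_u:system_r:cleanup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.802:556): avc:  denied  { search } for  pid=5963 comm="kworker/u16:6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.804:559): avc:  denied  { search } for  pid=5963 comm="systemd-cgroups" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.809:560): avc:  denied  { search } for  pid=5964 comm="(sysctl)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.813:562): avc:  denied  { search } for  pid=5964 comm="sysctl" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936823.149:604): avc:  denied  { search } for  pid=5987 comm="setsebool" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
"""

# "avc:  denied  { perm perm } for  pid=..." ; the kernel sometimes prints
# two spaces after "for", so whitespace is matched loosely.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs after "for"; comm= is double-quoted and may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm', ''),
        'permissive': fields.get('permissive') == '1',
    }


def denials_to_rules(audit_text):
    """Collapse denials into allow rules keyed by (source, target, class)."""
    perms = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in perms.items()
    )


def sources_by_access(audit_text):
    """Map (target type, class, permission) -> sorted source domains that need it.

    A long list of unrelated domains for one access is the signal that the
    access belongs in a domain-wide interface rather than per-domain rules.
    """
    sources = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                sources[(rec['ttype'], rec['tclass'], perm)].add(rec['stype'])
    return {k: sorted(v) for k, v in sources.items()}


def all_permissive(audit_text):
    """True when every record carries permissive=1: the accesses were
    allowed and only logged, so nothing on the system was blocked yet."""
    recs = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    return bool(recs) and all(r['permissive'] for r in recs)


if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_AUDIT):
        print(rule)
    for (ttype, tclass, perm), srcs in sources_by_access(SAMPLE_AUDIT).items():
        print(f"{perm} on {ttype}:{tclass} needed by {len(srcs)} domains: "
              + ', '.join(srcs))
    print("all records permissive:", all_permissive(SAMPLE_AUDIT))
```

Run it on a real `ausearch -m AVC` dump in place of `SAMPLE_AUDIT`; the grouping step is the part `audit2allow` does not do for you.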
corecommands.fc Setup generic generator attribute and change generator types. 2020-03-31 22:54:41 -04:00
corecommands.if Fix situations where require blocks in interfaces listed types not actually referenced by that interface 2020-01-24 08:18:55 -05:00
corecommands.te corecommands, init, lvm, systemd: Module version bump. 2020-04-01 13:15:28 -04:00
corenetwork.fc Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
corenetwork.if.in access_vectors: Remove unused permissions 2020-01-14 13:41:50 -05:00
corenetwork.if.m4 Allow systemd-networkd to handle ICMP and DHCP packets 2020-04-22 15:46:56 +03:00
corenetwork.te.in corenetwork, systemd: Module version bump. 2020-04-22 10:21:45 -04:00
corenetwork.te.m4 Allow systemd-networkd to handle ICMP and DHCP packets 2020-04-22 15:46:56 +03:00
devices.fc devices: label /dev/sysdig0 2020-04-19 11:40:59 +02:00
devices.if Merge pull request #220 from dburgener/fix-macro-usage 2020-04-21 11:01:59 -04:00
devices.te various: Module version bump. 2020-04-21 11:03:01 -04:00
domain.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
domain.if Interfaces needed to support IMA/EVM keys 2020-04-29 11:50:16 -04:00
domain.te various: Module version bump. 2020-04-21 11:03:01 -04:00
files.fc Merge pull request #75 from fishilico/fc-escape-single-dot 2019-08-31 06:24:06 -04:00
files.if Fix situations where require blocks in interfaces listed types not actually referenced by that interface 2020-01-24 08:18:55 -05:00
files.te Bump module versions for release. 2020-02-29 16:54:39 -05:00
filesystem.fc added bpf_t filesystem label 2019-12-16 20:16:14 +01:00
filesystem.if bootloader: add rEFInd and systemd-boot 2020-04-25 13:15:46 +03:00
filesystem.te bootloader, filesystem: Module version bump. 2020-04-29 10:51:26 -04:00
kernel.fc Add fc for /sys/kernel/debug as debugfs_t 2015-05-06 09:49:40 -04:00
kernel.if Interfaces needed to support IMA/EVM keys 2020-04-29 11:50:16 -04:00
kernel.te Bump module versions for release. 2020-02-29 16:54:39 -05:00
mcs.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
mcs.if remove trailing whitespaces 2016-12-06 13:45:13 +01:00
mcs.te Bump module versions for release. 2013-04-24 16:14:52 -04:00
metadata.xml remove extra level of directory 2006-07-12 20:32:27 +00:00
mls.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
mls.if Remove unused translate permission in context userspace class. 2018-10-13 13:39:18 -04:00
mls.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
selinux.fc remove extra level of directory 2006-07-12 20:32:27 +00:00
selinux.if grant rpm_t permission to map security_t 2019-07-13 14:00:23 -04:00
selinux.te Bump module versions for release. 2020-02-29 16:54:39 -05:00
storage.fc devices, storage: Add fc entries for mtd char devices and ndctl devices. 2019-07-16 16:38:43 -04:00
storage.if Fix mismatches between object class and permission macro. 2020-04-20 15:46:33 -04:00
storage.te various: Module version bump. 2020-04-21 11:03:01 -04:00
terminal.fc Remove old exception 2020-02-23 17:52:54 +01:00
terminal.if Fix mismatches between object class and permission macro. 2020-04-20 15:46:33 -04:00
terminal.te various: Module version bump. 2020-04-21 11:03:01 -04:00
ubac.fc trunk: add missing ubac module. 2008-11-05 16:11:27 +00:00
ubac.if Improve the documentation of ubac_constrained(). 2010-03-02 11:28:44 -05:00
ubac.te Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00