selinux-refpolicy/policy/modules/system
Sugar, David e1ccf0ce02 Allow systemd to getattr all files
Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which
are used to check various path/file/directory to control starting a
service.  But this requires getattr permissions on the types.
Example denials that fit the problem.

The first example is from lvm where accessing config file.

type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0

This second example is from chronyd, but it is happening because I added
the conditional in a drop-in file.

type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1

v3 - rework to not use interface and allow getattr for all files

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-02-08 09:38:25 -05:00
application.fc
application.if
application.te
authlogin.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
authlogin.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
authlogin.te various: Module version bump. 2019-09-30 20:39:31 -04:00
clock.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
clock.if Rearrange interfaces in files, clock, and udev. 2012-10-30 14:16:30 -04:00
clock.te Bump module versions for release. 2017-08-05 12:59:42 -04:00
daemontools.fc Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
daemontools.if Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
daemontools.te Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
fstools.fc fstools: label e2mmpstatus as fsadm_exec_t 2018-08-04 08:50:06 -04:00
fstools.if dphysswapfile: add interfaces and sysadm access 2017-09-14 17:19:55 -04:00
fstools.te various: Module version bump. 2020-01-15 10:42:45 -05:00
getty.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
getty.if getty: overlook module 2017-02-27 19:21:39 +01:00
getty.te Bump module versions for release. 2017-08-05 12:59:42 -04:00
hostname.fc Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
hostname.if
hostname.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
hotplug.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
hotplug.if Add requires to interfaces that reference types or attributes without requiring them 2020-01-16 09:59:56 -05:00
hotplug.te various: Module version bump. 2020-01-15 10:42:45 -05:00
init.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
init.if Fix situations where require blocks in interfaces listed types not actually referenced by that interface 2020-01-24 08:18:55 -05:00
init.te Allow systemd to getattr all files 2020-02-08 09:38:25 -05:00
ipsec.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
ipsec.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
ipsec.te various: Module version bump. 2020-01-15 10:42:45 -05:00
iptables.fc iptables: fcontexts for 1.8.0 2018-07-10 17:25:11 -04:00
iptables.if Fix situations where require blocks in interfaces listed types not actually referenced by that interface 2020-01-24 08:18:55 -05:00
iptables.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
iscsi.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
iscsi.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
iscsi.te various: Module version bump. 2020-01-15 10:42:45 -05:00
libraries.fc libraries: fix some misspellings in patterns 2019-09-01 15:47:57 +02:00
libraries.if Add new mmap permission set and pattern support macros. 2017-12-13 18:58:34 -05:00
libraries.te various: Module version bump. 2019-09-03 19:47:12 -04:00
locallogin.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
locallogin.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
locallogin.te various: Module version bump. 2019-09-07 16:58:51 -04:00
logging.fc Remove obsolete gentoo specific rule 2020-01-25 12:40:08 +01:00
logging.if Fix situations where require blocks in interfaces listed types not actually referenced by that interface 2020-01-24 08:18:55 -05:00
logging.te various: Module version bump. 2020-01-25 13:48:52 -05:00
lvm.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
lvm.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
lvm.te various: Module version bump. 2020-01-15 10:42:45 -05:00
metadata.xml
miscfiles.fc Remove unescaped single dot from the policy 2019-08-27 23:38:09 +02:00
miscfiles.if Fix situations where require blocks in interfaces listed types not actually referenced by that interface 2020-01-24 08:18:55 -05:00
miscfiles.te various: Module version bump. 2020-01-17 10:50:13 -05:00
modutils.fc Remove unescaped single dot from the policy 2019-08-27 23:38:09 +02:00
modutils.if Add requires to interfaces that reference types or attributes without requiring them 2020-01-16 09:59:56 -05:00
modutils.te various: Module version bump. 2019-09-30 20:39:31 -04:00
mount.fc mount: label fusermount3 like fusermount 2020-01-26 18:47:33 +01:00
mount.if systemd: Add filesystem watches. 2020-01-16 15:53:36 -05:00
mount.te various: Module version bump. 2020-01-17 10:50:13 -05:00
netlabel.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
netlabel.if
netlabel.te Bump module versions for release. 2017-08-05 12:59:42 -04:00
pcmcia.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
pcmcia.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
pcmcia.te various: Module version bump. 2019-09-30 20:39:31 -04:00
raid.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
raid.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
raid.te various: Module version bump. 2019-09-30 20:39:31 -04:00
selinuxutil.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
selinuxutil.if Fix situations where require blocks in interfaces listed types not actually referenced by that interface 2020-01-24 08:18:55 -05:00
selinuxutil.te various: Module version bump. 2019-12-26 11:48:27 -05:00
setrans.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
setrans.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
setrans.te various: Module version bump. 2019-09-30 20:39:31 -04:00
sysnetwork.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
sysnetwork.if Fix situations where require blocks in interfaces listed types not actually referenced by that interface 2020-01-24 08:18:55 -05:00
sysnetwork.te various: Module version bump. 2020-01-15 10:42:45 -05:00
systemd.fc systemd: add an interface to use nss-systemd 2020-01-25 16:43:17 +01:00
systemd.if systemd: add an interface to use nss-systemd 2020-01-25 16:43:17 +01:00
systemd.te systemd, devices: Module version bump. 2020-02-08 09:35:13 -05:00
udev.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
udev.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
udev.te various: Module version bump. 2019-12-26 12:21:07 -05:00
unconfined.fc Apache OpenOffice module (base policy part) 2016-12-06 20:08:06 -05:00
unconfined.if unconfined: Add namespaced capabilities. 2019-11-15 11:13:58 -05:00
unconfined.te various: Module version bump. 2020-01-25 13:48:52 -05:00
userdomain.fc Move use of user_devpts_t from terminal.fc to userdomain.fc 2018-04-12 18:44:50 -04:00
userdomain.if Merge pull request #167 from gtrentalancia/master 2020-01-25 14:32:20 -05:00
userdomain.te userdomain: Module version bump. 2020-01-25 14:32:50 -05:00
xdg.fc freedesktop location support 2018-06-10 13:23:01 -04:00
xdg.if xdg: Introduce xdg_search_cache_dirs 2018-06-24 19:11:14 -04:00
xdg.te Bump module versions for release. 2018-07-01 11:02:33 -04:00
xen.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
xen.if Add requires to interfaces that reference types or attributes without requiring them 2020-01-16 09:59:56 -05:00
xen.te various: Module version bump. 2020-01-15 10:42:45 -05:00