This exception goes back 14 years to commit 85c20af3c1 and 11a0508ede.
The tts exception is covered by a distro agnostic rule further up, and the udev rule doesn't even work (it's supposed to be /lib/udev/ not /usr/lib/udev on gentoo) so I seriously doubt anyone is going to miss them.
Signed-off-by: Vilgot <Vilgot@fredenberg.xyz>
Required for example to start/stop systemd-journal-flush.service
which moves the journal storage back and forth between tmpfs and
permanent storage.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
fifo_files inherited from domains allowed to change role to sysadm_r.
This enables to do e.g. 'echo "..." | sudo -r sysadm_r command' from a
staff_u:staff_r:staff_t context
the permissions to write the wireless device in order to
prevent a possible Denial of Service (DoS) attack from an
unprivileged process bringing down the wireless interfaces.
Only administrative users can now enable/disable the wireless
interfaces, while normal users can only read their status.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.if | 3 ++-
2 files changed, 20 insertions(+), 1 deletion(-)
auditd can halt the system for several reasons based on configuration.
These mostly revovle around audit partition full issues. I am seeing
the following denials when attempting to halt the system.
Jan 12 03:38:48 localhost audispd: node=localhost type=USER_AVC msg=audit(1578800328.122:1943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Jan 12 03:38:48 localhost audispd: node=localhost type=USER_AVC msg=audit(1578800328.147:1944): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Jan 12 04:44:54 localhost audispd: node=localhost type=AVC msg=audit(1578804294.103:1923): avc: denied { getattr } for pid=6936 comm="systemctl" path="/run/systemd/system" dev="tmpfs" ino=45 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
v2 - use optional rather than ifdef
v3 - fix order
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which
are used to check various path/file/directory to control starting a
service. But this requires getattr permissions on the types.
Example denials that fit the problem.
The first example is from lvm where accessing config file.
type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for
pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
This second example is from chronyd, but it is happening becuase I added
the conditional in a drop-in file.
type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for
pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
v3 - rework to not use interface and allow getattr for all files
Signed-off-by: Dave Sugar <dsugar@tresys.com>
libfuse 3.0 renamed fusermount to fusermount3 in order to allow both
libfuse 2 and libfuse 3 to be installed together:
695e45a4de
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On a Debian 10 test virtual machine, when installing packages adds a
group, the following AVC occurs:
type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.systemd1.Manager
member=LookupDynamicUserByName dest=org.freedesktop.systemd1
spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t
tcontext=system_u:system_r:init_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?'
Allow groupadd to use nss-systemd, which calls DBUS method
LookupDynamicUserByName().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
systemd's Name Service Switch (NSS) module provides UNIX user and group
name resolution for dynamic users and groups allocated through options
such as DynamicUser= in systemd unit files, according to its man page,
https://github.com/systemd/systemd/blob/v244/man/nss-systemd.xml.
If systemd compiled without NOLEGACY, commit
24eccc3414
("nss-systemd,user-util: add a way how synthesizing "nobody" can be
turned off") implemented a way to tweak nss-systemd's behavior by
checking whether /etc/systemd/dont-synthesize-nobody exists. Allow this
access.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When an unconfined user runs wine, there is an issue because
wine_domtrans() causes a transition to unconfined_u:unconfined_r:wine_t
without unconfined_r being associated with wine_t:
type=SELINUX_ERR msg=audit(1579963774.148:1047):
op=security_compute_sid
invalid_context="unconfined_u:unconfined_r:wine_t"
scontext=unconfined_u:unconfined_r:wine_t
tcontext=system_u:object_r:wine_exec_t tclass=process
This is fixed with "roleattribute unconfined_r wine_roles;", which is
provided by interface wine_run().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Looking at all audit versions in gentoo (2.8.5 to 2.6.4) every single one of them has `var/log/audit` as a directory and not as a file.
Tested on gentoo.
example for querying their state, enabling and/or disabling
them using userspace tools such as "rfkill" from util-linux).
See also:
https://wireless.wiki.kernel.org/en/users/documentation/rfkill
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/userdomain.if | 1 +
1 file changed, 1 insertion(+)
Add interface similar to files_mountpoint() and add a conditional which
allows mount on non_security_file_type.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5. Consequently, kernels >= 3.5 should never
perform permission checks on these classes although they remained
defined in the SELinux kernel classmap until the netlink classes
were updated by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652
circa Linux v4.2.
Removing these class definitions would break legacy userspace that relies
upon stable values for the userspace security class definitions since it
will perturb those values by removing classes that preceded them. dbus-daemon
in particular is known to break if its dbus class changes at runtime,
which could occur upon a policy reload that removes these classes.
Fixing this requires ensuring that dbus-daemon looks up the appropriate
class value on each use or upon policy reload, via userspace interfaces
such as selinux_check_access(), string_to_security_class(), and/or
selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function
that remaps the class value if needed. Other userspace policy enforcers
are believed to have been updated in recent versions but older versions
may break upon such a change.
Hence, this change renames these classes with obsolete_ prefixes and
removes all rules referencing them from refpolicy, thereby preserving
the class numbering for subsequent classes while making it clear that
these classses are no longer meaningful for modern kernels.
This change does however create a potential compatibility break for
kernels < 3.5, since the policy will cease to define the kernel class
names and therefore the kernel will handle permission checks on the
class based on the handle_unknown setting in policy. For most
Linux distributions, this will default to allow and therefore avoid
breaking userspace but will fail open. For kernels < 2.6.33 (i.e.
the dynamic class/perm discovery support), the presence of a class
in policy with the same number but a different name than the kernel
class will cause the policy load to fail entirely.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
entrypoint and execute_no_trans permissions are only ever checked by the
kernel to regular files. They were added to the chr_file class when
execmod was added (which can be checked on chr_file) to ensure that it
was assigned the same value as for the file class, since the kernel code
always checked FILE__EXECMOD. However, the policy definitions are not
necessary since the kernel and policy values have been decoupled ever
since dynamic class/perm support was introduced and further with the
move of execmod to the common definitions, they were not even needed
in the kernel.
These were removed from the kernel's classmap by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b424485abe2b16580a178b469917a7b6ee0c152a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
