- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Rename interfaces to bring consistency with previous pid->runtime type
renaming. See PR #106 or 69a403cd original type renaming.
Interfaces that are still in use were renamed with a compatibility
interface. Unused interfaces were fully deprecated for removal.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage
bootloader files in UEFI (DOS) partition need also to manage UEFI boot
variables in efivarfs. Bootctl (systemd-boot tool) verifies the type
of EFI file system and needs to mmap() the files.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
In many cases, this won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
Usbguard enforces the USB device authorization policy for all USB
devices. Users can be authorized to manage rules and make device
authorization decisions using a command line tool.
Add rules for usbguard. Optionally, allow authorized users to control
the daemon, which requires usbguard-daemon to be able modify its rules
in /etc/usbguard.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Modern systems shouldn't need direct access to raw memory
devices (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port)
anymore, so let's remove the access in most cases and make it tunable
in the rest.
Add dev_read_raw_memory_cond(), dev_write_raw_memory_cond() and
dev_wx_raw_memory_cond(), which are conditional to new boolean
allow_raw_memory_access.
Remove raw memory access for a few domains that should never have
needed it (colord_t, iscsid_t, mdamd_t, txtstat_t), should not need it
anymore (dmidecode_t, Debian devicekit_diskt_t, hald_t, hald_mac_t,
xserver_t) or the domains that should transition to different domain
for this (rpm_t, kudzu_t, dpkg_t).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
On a Debian 10 test virtual machine, when installing packages adds a
group, the following AVC occurs:
type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.systemd1.Manager
member=LookupDynamicUserByName dest=org.freedesktop.systemd1
spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t
tcontext=system_u:system_r:init_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?'
Allow groupadd to use nss-systemd, which calls DBUS method
LookupDynamicUserByName().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When alsactl is running as a daemon with systemd, it sets its process
priority to be nice to other processes. When stopping the service, it's
signaling to itself that it needs to exit.
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
