nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,117 Commits 1 Branch 0 Tags 16 MiB
10cd3fb258
Commit Graph

3317 Commits

Author SHA1 Message Date
Chris PeBenito
373a1c090a Merge pull request #73 from fishilico/rpcbind-redundant-pid-fc 2019-08-27 00:36:18 -04:00
Chris PeBenito
68b74385a4 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-08-27 00:28:34 -04:00
Chris PeBenito
95c4192509 Merge pull request #64 from fishilico/haveged-unit 2019-08-27 00:20:24 -04:00
Chris PeBenito
7e5503155c Merge pull request #65 from fishilico/haveged-cmd-socket 2019-08-27 00:19:57 -04:00
Chris PeBenito
20f1151192 Merge pull request #66 from fishilico/ulogd-fix-context 2019-08-27 00:19:10 -04:00
Chris PeBenito
1106d0b692 Merge pull request #67 from fishilico/typo-monit-s9 2019-08-27 00:18:47 -04:00
Chris PeBenito
5c9d60245b Merge pull request #68 from fishilico/typo-java-fc 2019-08-27 00:18:24 -04:00
Chris PeBenito
de3e9befcc Merge pull request #69 from fishilico/typo-lib-adobe-fc 2019-08-27 00:17:46 -04:00
Nicolas Iooss
6875a1b0a5
rpcbind: remove redundant file context for /run/rpc.statd.pid 
There are two patterns that define file contexts for /run/rpc.statd.pid:

* in policy/modules/services/rpcbind.fc:

    /run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)

* in policy/modules/services/rpc.dc:

    /run/rpc\.statd\.pid	--	gen_context(system_u:object_r:rpcd_var_run_t,s0)

They coexist even though their labels differ because the first one uses
a unescaped dot. As it does not seem to exist other files matching the
first pattern, remove it in order to only keep the second one.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-22 21:49:28 +02:00
Nicolas Iooss
d938683bf4
drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd 
In order to match /usr/lib/ocf/resource.d/linbit/drbd, the dot needs to
be escaped, not the d.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-21 23:03:01 +02:00
Nicolas Iooss
1b44cb6c2e
libraries: match a digit in Adobe Reader directories 
Patterns using this have a small issue:

    /opt/Adobe/Reader.?/Reader/intellinux

The issue is that the dot can also match a slash. A bettern pattern
would be:

    /opt/Adobe/Reader[^/]?/Reader/intellinux

In this specific case, the intent is to match digits (like
/opt/Adobe/Reader9). Use [0-9] for this.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-21 21:43:56 +02:00
Nicolas Iooss
3d97e06a8d
java: reduce the scope of the pattern in for java entry points 
The following pattern seems to match much more than intended:

    /usr/(.*/)?bin/java[^-]*

According to the commit which introduced it
(0190325c18),
the aim was to match java1.4, java5, java6, and not java-config nor
java-check-environment. The issue is that the pattern also matches
sub-directories such as:

    /usr/share/my-application/bin/java/myfile

Prevent this by adding / in the character blacklist of the pattern.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-21 21:41:11 +02:00
Nicolas Iooss
271352c1c2
monit: use s0 instead of s9 
This seems to be a misspelling, and there is no reason which would
explain why monit's init script would be labeled with a different
sensitivity while the main binary uses s0.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-21 21:39:26 +02:00
Nicolas Iooss
2bfb67d339
ulogd: fix pattern for /run/ulog directory 
The pattern only matched /run/ulog, not its content.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-18 21:38:00 +02:00
Nicolas Iooss
d7f66dce04
entropyd: allow haveged to create a Unix socket to received commands 
haveged listens to commands using a Unix socket
(at path "\0/sys/entropy/haveged" according to
https://github.com/jirka-h/haveged/blob/1.9.4/src/havegecmd.h#L34).
The implementation of this server is available on
https://github.com/jirka-h/haveged/blob/1.9.4/src/havegecmd.c .

This fixes the following denial:

    type=AVC msg=audit(1551002989.396:27): avc:  denied  { listen } for
    pid=262 comm="haveged"
    path=002F7379732F656E74726F70792F68617665676564
    scontext=system_u:system_r:entropyd_t
    tcontext=system_u:system_r:entropyd_t tclass=unix_stream_socket
    permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-18 21:34:52 +02:00
Nicolas Iooss
1ab82b1150
entropyd: label the unit file of haveged 
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-18 21:20:27 +02:00
Chris PeBenito
230262368b ulogd: Rename ulogd_var_run_t to ulogd_runtime_t. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-08-17 15:17:51 -04:00
Chris PeBenito
ac1659e79f ulogd: Module version bump. 2019-08-17 15:11:32 -04:00
Nicolas Iooss
9686bf05a7
ulogd: allow starting on a Debian system 
When ulogd is run by systemd on Debian, it logs messages to the journal,
it used a PID file in /run/ulog/ulogd.pid, and logs packets to
/var/log/ulog/syslogemu.log. This last ones triggers a dac_read_search
capability check because the directory is configured as:

    drwxrwx---. ulog adm /var/log/ulog

(root does not have an access to the directory without bypassing the DAC.)

Add a comment describing how to avoid allowing dac_read_search to ulogd_t.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-17 16:03:39 +02:00
Nicolas Iooss
d91d41b53a
ulogd: allow creating a netlink-netfilter socket 
This is used to get the packets logged by the firewall.

I experienced this on a Debian system which uses nftables rules with the
"log" keyword:

    type=AVC msg=audit(1565901600.257:348): avc:  denied  { create } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tcla
    ss=netlink_netfilter_socket permissive=1

    type=AVC msg=audit(1565901103.154:327): avc:  denied  { read } for
    pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45
    success=yes exit=148 a0=8 a1=7f651d19d010 a2=249f0 a3=0 items=0 ppid=1
    pid=436 auid=4294967295 uid=111 gid=118 euid=111 suid=111 fsuid=111
    egid=118 sgid=118 fsgid=118 tty=(none) ses=4294967295 comm="ulogd"
    exe="/usr/sbin/ulogd" subj=system_u:system_r:ulogd_t key=(null)

    type=PROCTITLE msg=audit(1565901103.154:327):
    proctitle=2F7573722F7362696E2F756C6F6764002D2D6461656D6F6E002D2D75696400756C6F67002D2D70696466696C65002F72756E2F756C6F672F756C6F67642E706964

    [ ... ]

    type=AVC msg=audit(1565901600.241:338): avc:  denied  { write } for
    pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:348): avc:  denied  { create } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:349): avc:  denied  { getattr } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:350): avc:  denied  { bind } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-17 15:53:32 +02:00
Nicolas Iooss
f37b4b5ddd
ulogd: add Debian's log directory 
Debian uses /var/log/ulog/syslogemu.log by default to log network
packets sent through a netlink multicast group by the firewall.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-17 15:52:58 +02:00
Sugar, David
566fd554a6 Module for tpm2 
Module for tpm2

v2 - updated to rename module and interface names, different dbus
interface

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-08-11 15:02:20 -04:00
Chris PeBenito
fb04518b9d devices, storage: Module version bump 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-29 20:50:45 -04:00
Chris PeBenito
4ef04d8adb Merge pull request #58 from pebenito/more-device-updates 2019-07-29 20:50:23 -04:00
Chris PeBenito
f191b07166 systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-21 14:34:09 -04:00
Laurent Bigonville
6b12bd3aca Allow systemd_modules_load_t to module_request and map modules_object_t files 
[   10.685610] audit: type=1400 audit(1563706740.429:3): avc:  denied  { map } for  pid=394 comm="systemd-modules" path="/usr/lib/modules/4.19.0-5-amd64/kernel/drivers/parport/parport.ko" dev="dm-0" ino=795927 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
[   10.695021] audit: type=1400 audit(1563706740.437:5): avc:  denied  { module_request } for  pid=394 comm="systemd-modules" kmod="parport_lowlevel" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2019-07-21 19:46:47 +02:00
Chris PeBenito
a5db4b262d devices: Add types for trusted execution environment interfaces. 
These are interfaces for trusted OSes such as ARM TrustZone.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2019-07-16 16:38:50 -04:00
Chris PeBenito
a159153d82 devices, storage: Add fc entries for mtd char devices and ndctl devices. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2019-07-16 16:38:43 -04:00
Chris PeBenito
921eb37a97 rpm, selinux, sysadm, init: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-13 14:07:11 -04:00
Chris PeBenito
de8cf73de0 knot: Move lines. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-13 14:06:44 -04:00
Chris PeBenito
7a1260ffe3 knot: Whitespace changes. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-13 14:06:02 -04:00
Alexander Miroshnichenko
491ae9991a Add knot module 
Add a SELinux Reference Policy module for the
Knot authoritative-only DNS server.

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
 2019-07-13 14:00:31 -04:00
Sugar, David
2831598bb5 grant rpm_t permission to map security_t 
type=AVC msg=audit(1560944462.698:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

v2 - Create new interface to allow mapping security_t and use this interface by rpm_t

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-13 14:00:23 -04:00
Chris PeBenito
b85c93b582 rpm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-08 20:49:31 -04:00
Sugar, David
72cc3e9136 Allow rpm scripts to alter systemd services 
In RPM scripts it is common to enable/start services that are being
installed.  This allows rpm_script_t to manage sysemd units

type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David
66bbd568e4 Allow rpm to map file contexts 
type=AVC msg=audit(1560944465.365:270): avc:  denied  { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David
79fd6ddb3e grant rpm permissions to map locale_t 
type=AVC msg=audit(1560913896.408:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David
8e09ba5637 grant permission for rpm to write to audit log 
Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=?  terminal=? res=success'

These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc:  denied  { audit_write } for  pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1561298132.446:240): avc:  denied  { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { nlmsg_relay } for  pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc:  denied  { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1

v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:37:19 -04:00
Sugar, David
c2f504c25e grant rpm permission to map rpm_var_lib_t 
type=AVC msg=audit(1560913896.432:218): avc:  denied  { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:37:19 -04:00
Chris PeBenito
8c3893e427 Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-06-09 14:05:19 -04:00
Chris PeBenito
10784f3b33 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-06-09 13:37:51 -04:00
Chris PeBenito
af2e1f91fd Merge pull request #57 from pebenito/pmem-dax 2019-06-09 13:26:49 -04:00
Chris PeBenito
c00bf89d73 Merge pull request #56 from pebenito/apache-simplify 2019-06-09 13:26:46 -04:00
Chris PeBenito
91028527fc Merge pull request #55 from pebenito/modules-load 2019-06-09 13:26:43 -04:00
Chris PeBenito
666b744714 devices: Add type for /dev/daxX.Y. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2019-06-04 15:10:28 -04:00
Chris PeBenito
f0e8bdbf50 storage: Add fc entry for /dev/pmem* 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2019-06-04 15:10:06 -04:00
Chris PeBenito
d348413004 apache: Web content rules simplification. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-06-03 15:01:43 -04:00
Chris PeBenito
b07f7b4495 systemd: modules-load updates. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-06-03 08:42:53 -04:00
Chris PeBenito
4aafedd872 init: Add systemd block to init_script_domain(). 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-05-31 08:57:17 -04:00
Chris PeBenito
3a6b7c1856 logrotate: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-05-27 19:30:24 -04:00
Chris PeBenito
5a8c36f390 logrotate: Make MTA optional. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-05-16 11:48:05 -04:00
Chris PeBenito
2d9ad29d04 dovecot, logrotate: Module version bump. 2019-05-03 20:39:36 -04:00
Chris PeBenito
43a682068d Merge pull request #49 from bigon/fail2ban_logrotate 2019-05-03 08:00:43 -04:00
Chris PeBenito
eaed7a9123 Merge pull request #48 from bigon/dovecot_lmtp 2019-05-03 08:00:41 -04:00
Laurent Bigonville
83f8240f04 Allow logrotate to execute fail2ban-client 
fail2ban logrotate configuration runs "fail2ban-client flushlogs" after
rotating the logs
 2019-05-03 13:34:16 +02:00
Laurent Bigonville
8215279af4 Add dovecot to listen to LMTP port 
Mails can be injected in dovecot directly using LMTP
 2019-05-03 12:33:09 +02:00
Dave Sugar
de0e70f07a create interfaces for NetworkManager units 
Create interfaces to allow start/stop, enable/disable
and status of NetworkManager systemd unit
 2019-05-02 11:16:41 -04:00
Chris PeBenito
5d345b79ee various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-27 10:51:06 -04:00
Chris PeBenito
6857cda019 Merge pull request #46 from pebenito/systemd-user 2019-04-27 10:50:32 -04:00
Chris PeBenito
a77e0f6837 Merge pull request #45 from pebenito/systemd-update-done-tweak 2019-04-27 10:50:30 -04:00
Chris PeBenito
e5d14ad308 Merge pull request #44 from pebenito/http-mta-optional 2019-04-27 10:50:29 -04:00
Chris PeBenito
54dbc8a7a7 Merge pull request #43 from pebenito/various-device-labels 2019-04-27 10:50:27 -04:00
Chris PeBenito
da156aea1e systemd: Add initial policy for systemd --user. 
This is just a start; it does not cover all uses.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-04-25 11:18:58 -04:00
Chris PeBenito
4bca3dade2 devices: Change netcontrol devices to pmqos. 
Devices with the netcontrol_device_t type are actually PM QoS devices.
Rename the type and add labeling for /dev/memory_bandwidth.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-04-24 09:17:36 -04:00
Chris PeBenito
3b0d0ea330 devices: Add type for GPIO chips, /dev/gpiochip[0-9] 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-04-24 08:50:41 -04:00
Chris PeBenito
b1a312152c devices: Label /dev/tpmrm[0-9]. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-04-24 08:50:41 -04:00
Chris PeBenito
77161ca8b7 storage: Label /dev/mmcblk* character nodes. 
An example is mmcblk0rpmb, which is for the replay protected memory block
subsystem.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-04-24 08:50:41 -04:00
Chris PeBenito
ae2d2ec470 kernel, devices, plymouthd, xserver: Module version bump. 2019-04-23 18:37:22 -04:00
Chris PeBenito
ff9bd742b7 systemd: Remove unnecessary names in systemd-update-done filetrans. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-04-23 15:22:17 -04:00
Chris PeBenito
2f0ead8ecf apache: Make MTA optional. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-04-23 15:17:33 -04:00
Dave Sugar
51aadce3c2 Changes to support plymouth working in enforcing 
plymouth is started very early in the boot process.  Looks
like before the SELinux policy is loaded so plymouthd is
running as kernel_t rather than plymouthd_t.  Due to this
I needed to allow a few permissions on kernel_t to get
the system to boot.

type=AVC msg=audit(1554917011.127:225): avc:  denied  { write } for  pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:226): avc:  denied  { remove_name } for  pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:227): avc:  denied  { unlink } for  pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1

type=AVC msg=audit(1554917011.116:224): avc:  denied  { write } for  pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1

type=AVC msg=audit(1555069712.938:237): avc:  denied  { ioctl } for  pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
 2019-04-23 07:48:15 -04:00
Dave Sugar
2b42f0c13d Allow xdm (lightdm) start plymouth 
type=AVC msg=audit(1554917007.995:194): avc:  denied  { execute } for  pid=7647 comm="lightdm" name="plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc:  denied  { read open } for  pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc:  denied  { execute_no_trans } for  pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc:  denied  { map } for  pid=7647 comm="plymouth" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
 2019-04-16 22:20:29 -04:00
Chris PeBenito
e2e4094bd4 various: Module version bump 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f Add kernel_dgram_send() into logging_send_syslog_msg() 
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-04-16 20:51:55 -04:00
Chris PeBenito
e41def136a xserver: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-14 14:20:55 -04:00
Chris PeBenito
2356eda7fc Merge pull request #40 from gtrentalancia/master 2019-04-14 14:15:16 -04:00
Guido Trentalancia
db33386c01 The Qt library version 5 requires to write xserver_tmp_t 
files upon starting up applications (tested on version
5.12.1).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    3 +++
 1 file changed, 3 insertions(+)
 2019-04-12 17:52:50 +02:00
Chris PeBenito
32ce73f9b8 kernel: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-12 07:57:00 -04:00
Lukas Vrabec
ce570ab34d Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t 
CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.

Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
 2019-04-12 07:52:27 -04:00
Chris PeBenito
beb4a290b0 init: Module version bump. 2019-04-07 20:56:22 -04:00
Chris PeBenito
4c2f16bb26 Merge pull request #39 from pebenito/revise-init-stopstart 2019-04-07 20:54:40 -04:00
Chris PeBenito
b06126dca3 init: Revise conditions in init_startstop_service(). 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-04-05 15:18:29 -04:00
Chris PeBenito
df696a3254 kernel, init, systemd, udev: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-27 18:58:15 -04:00
Chris PeBenito
98c16077ba Merge pull request #37 from pebenito/master 
Misc system fixes.

Remove use of kernel_unconfined() by systemd_nspawn and udev write to its own executable.
 2019-03-27 18:57:39 -04:00
Chris PeBenito
4f6614ba7f ntp, init, lvm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-27 18:49:54 -04:00
Sugar, David
d3c4e19f72 Denial of cryptsetup reading cracklib database 
When setting up a LUKS encrypted partition, cryptsetup is reading
the cracklib databases to ensure password strength.  This is
allowing the needed access.

type=AVC msg=audit(1553216939.261:2652): avc:  denied  { search } for  pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc:  denied  { read } for  pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc:  denied  { open } for  pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc:  denied  { getattr } for  pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-27 18:48:01 -04:00
Sugar, David
7525ba9c1e Allow ntpd to read unit files 
Adding missing documenation (sorry about that).

type=AVC msg=audit(1553013917.359:9935): avc:  denied  { read } for  pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9935): avc:  denied  { open } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9936): avc:  denied  { getattr } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1

type=AVC msg=audit(1553013821.622:9902): avc:  denied  { getattr } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc:  denied  { read } for  pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc:  denied  { open } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-27 18:48:01 -04:00
Chris PeBenito
32f3f09dc4 authlogin, dbus, ntp: Module version bump. 2019-03-24 14:43:35 -04:00
Sugar, David
142651a8b4 Resolve denial about logging to journal from dbus 
type=AVC msg=audit(1553013821.597:9897): avc:  denied  { sendto } for  pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:37:22 -04:00
Sugar, David
5f14e530ad Resolve denial about logging to journal from chkpwd 
type=AVC msg=audit(1553029357.588:513): avc:  denied  { sendto } for  pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:37:22 -04:00
Sugar, David
9f2b1e2b4c Allow ntpd to update timezone symlink 
type=AVC msg=audit(1553013821.624:9907): avc:  denied  { create } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc:  denied  { rename } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc:  denied  { unlink } for  pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:35:44 -04:00
Sugar, David
1b4ffb7806 Allow ntpd to update chronyd service 
type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?
type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:35:44 -04:00
Sugar, David
a50afdcc84 Add interface ntp_dbus_chat 
type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:35:44 -04:00
Chris PeBenito
e19f3d658c init: Remove duplicate setenforce rule for init scripts. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-03-20 10:10:23 -04:00
Chris PeBenito
99f967d3b5 udev: Drop write by udev to its executable. 
This removes one vector for arbitrary code execution if udev is
compromised.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-03-20 10:10:10 -04:00
Chris PeBenito
40bf663090 systemd: Drop unconfined kernel access for systemd_nspawn. 
Revise kernel assertion to /proc/kmsg to be more precise.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-03-20 10:09:37 -04:00
Chris PeBenito
c46eba9c02 sysadm, udev: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-17 16:27:34 -04:00
Chris PeBenito
ceadf42b75 udev: Move one line and remove a redundant line. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-17 16:25:28 -04:00
Chris PeBenito
2297487654 udev: Whitespace fix. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-17 16:25:03 -04:00
Sugar, David
ba31e59cd1 Separate out udevadm into a new domain 
This is the update I have made based on suggestions for the previous
patches to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permisssions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permisions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo and /usr/bin/udevsend
   But as I don't have those binaries to test, I have not updated the
   type of that binary.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm
into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-17 16:15:21 -04:00