nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,117 Commits 1 Branch 0 Tags 16 MiB
10cd3fb258
Commit Graph

3317 Commits

Author SHA1 Message Date
Chris PeBenito
b78be0cc7a Merge branch 'postgres' of git://github.com/alexminder/refpolicy 2019-01-27 12:44:39 -05:00
Alexander Miroshnichenko
548564099e fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface 2019-01-26 21:50:12 +03:00
Chris PeBenito
30a46e5676 various: Module version bump. 2019-01-23 19:02:01 -05:00
Chris PeBenito
14505cb1ef dovecot: Move lines. 2019-01-23 19:01:37 -05:00
Chris PeBenito
fce54c10fa Merge branch 'dovecot' of git://github.com/alexminder/refpolicy 2019-01-23 18:52:35 -05:00
Chris PeBenito
08cb521ab0 chromium: Move line. 2019-01-23 18:44:45 -05:00
Chris PeBenito
71830b02c5 chromium: Whitespace fixes. 2019-01-23 18:43:16 -05:00
Jason Zaman
6d164216d9 Add chromium policy upstreamed from Gentoo 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2019-01-23 18:40:57 -05:00
Jason Zaman
fa23645ca1 userdomain: introduce userdom_user_home_dir_filetrans_user_cert 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2019-01-23 18:40:57 -05:00
Jason Zaman
4ed30f7492 kernel: introduce kernel_dontaudit_read_kernel_sysctl 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2019-01-23 18:40:57 -05:00
Jason Zaman
d83a104eda files: introduce files_dontaudit_read_etc_files 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2019-01-23 18:40:57 -05:00
Jason Zaman
1bc0503d53 devices: introduce dev_dontaudit_read_sysfs 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2019-01-23 18:40:57 -05:00
Chris PeBenito
7a1e0d0ca9 init: Drop unnecessary userspace class dependence in init_read_generic_units_symlinks(). 2019-01-23 18:35:00 -05:00
Chris PeBenito
09a81f7220 init: Rename init_read_generic_units_links() to init_read_generic_units_symlinks(). 2019-01-23 18:34:10 -05:00
Russell Coker
eba35802cc yet more tiny stuff 
I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.

Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
 2019-01-23 18:32:41 -05:00
Chris PeBenito
bf21c5c0d2 dpkg: Move interface implementations. 2019-01-23 18:30:15 -05:00
Chris PeBenito
ed79766651 dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). 2019-01-23 18:28:51 -05:00
Russell Coker
05cd55fb51 tiny stuff for today 
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
 2019-01-23 18:26:45 -05:00
Alexander Miroshnichenko
de478dca3a Add dovecot_can_connect_db boolean. 
Add dovecot_can_connect_db boolean. Grant connect dovecot_auth_t to DBs by dovecot_can_connect_db boolean.
 2019-01-23 18:22:24 +03:00
Alexander Miroshnichenko
438786dfa7 Add map permission for postgresql_t to postgresql_tmp_t files. 2019-01-23 18:00:25 +03:00
Alexander Miroshnichenko
cff5e0026c Add new interface fs_rmw_hugetlbfs_files. 
Add new interface fs_rmw_hugetlbfs_files and grant it to postgresql_t.
 2019-01-23 17:58:54 +03:00
Chris PeBenito
a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Chris PeBenito
ecb4968238 systemd: Move interface implementation. 2019-01-20 16:36:36 -05:00
Sugar, David
6e86de0736 Add interface to read journal files 
When using 'systemctl status <service>' it will show recent
log entries for the selected service.  These recent log
entries are coming from the journal.  These rules allow the
reading of the journal files.

type=AVC msg=audit(1547760159.435:864): avc:  denied  { read } for  pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc:  denied  { getattr } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { read } for  pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc:  denied  { map } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-20 16:34:14 -05:00
Sugar, David
53ea0b2288 Add interface clamav_run 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-20 16:33:31 -05:00
Chris PeBenito
7d93336024 xserver: Move line 2019-01-20 16:22:01 -05:00
Russell Coker
54136fa311 more tiny stuff 
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.

A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).

The rest should be obvious.
 2019-01-20 16:20:33 -05:00
Chris PeBenito
310a7b0b85 Merge branch 'dbus-dynamic-uid' of git://github.com/fishilico/selinux-refpolicy 2019-01-19 12:51:26 -05:00
Chris PeBenito
b5cda0e2c5 selinuxutil: Module version bump. 2019-01-16 18:20:51 -05:00
Chris PeBenito
038a5af1ed Merge branch 'restorecond-dontaudit-symlinks' of git://github.com/fishilico/selinux-refpolicy 2019-01-16 18:20:05 -05:00
Chris PeBenito
238bd4f91f logging, sysnetwork, systemd: Module version bump. 2019-01-16 18:19:22 -05:00
Sugar, David
69961e18a8 Modify type for /etc/hostname 
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are requied.

type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { add_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { create } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc:  denied  { setattr } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc:  denied  { remove_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { rename } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { unlink } for  pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:13:41 -05:00
Sugar, David
34e3505004 Interface with systemd_hostnamed over dbus to set hostname 
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:12:50 -05:00
Sugar, David
9255dfbf4e label journald configuraiton files syslog_conf_t 
journald already runs as syslogd_t label the config files similarly to
allow editing by domains that can edit syslog configuration files.
Also added some missing '\' before dot in filenames.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:11:43 -05:00
Nicolas Iooss
47b09d472e
dbus: allow using dynamic UID 
When using a systemd service with dynamic UID, dbus-daemon reads
symlinks in /run/systemd/dynamic-uid/:

    type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e
    syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800
    a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81
    suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
    comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
    subj=system_u:system_r:system_dbusd_t key=(null)

    type=AVC msg=audit(1547313774.993:373): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1

    type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e
    syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800
    a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295
    uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81
    tty=(none) ses=4294967295 comm="dbus-daemon"
    exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t
    key=(null)

    type=AVC msg=audit(1547313774.993:374): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=1

This directory looks like this, on Arch Linux with systemd 240:

    # ls -alZ /run/systemd/dynamic-uid
    drwxr-xr-x.  2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./
    drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../
    -rw-------.  1 root root system_u:object_r:init_var_run_t   8 2019-01-12 15:53 65306
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   7 2019-01-12 15:53 direct:65306 -> haveged
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   5 2019-01-12 15:53 direct:haveged -> 65306
 2019-01-16 22:13:57 +01:00
Nicolas Iooss
6e2896098c
selinuxutil: restorecond is buggy when it dereferencies symlinks 
restorecond uses libselinux's selinux_restorecon() to relabel files,
which dereferences symlinks in a useless call to statfs(). This produces
AVC denials which are noisy.

Fixes: https://github.com/SELinuxProject/refpolicy/pull/22
 2019-01-16 22:10:38 +01:00
Chris PeBenito
4a90eae668 usermanage, cron, selinuxutil: Module version bump. 2019-01-14 17:45:24 -05:00
Russell Coker
dcb2d1d8b8 another trivial 
This adds a hostnamed rule and also corrects an error in a previous patch I
sent (a copy/paste error).
 2019-01-14 17:43:15 -05:00
Russell Coker
b1d309b42c trivial system cronjob 2019-01-14 17:42:17 -05:00
Chris PeBenito
2c96e2fb56 Merge branch 'add_comment' of git://github.com/DefenSec/refpolicy 2019-01-14 17:41:28 -05:00
Dominick Grift
a4a219a733
unconfined: add a note about DBUS 
Addresses https://github.com/SELinuxProject/refpolicy/issues/18
 2019-01-14 17:02:56 +01:00
Nicolas Iooss
ae35b48f8e
selinuxutil: allow restorecond to read symlinks 
As restorecond dereferences symlinks when it encounters them in user
home directories, allow this access.
 2019-01-13 22:47:11 +01:00
Chris PeBenito
353d92a77a systemd: Module version bump. 2019-01-13 14:59:27 -05:00
Chris PeBenito
966f981fd8 systemd: Whitespace change 2019-01-13 14:47:34 -05:00
Nicolas Iooss
c53019f2c3
systemd: add policy for systemd-rfkill 2019-01-12 23:00:29 +01:00
Chris PeBenito
e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Chris PeBenito
e8b70915b1 Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:55:36 -05:00
Chris PeBenito
d01b3a1169 Merge branch 'services_single_usr_bin' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:53:58 -05:00
Sugar, David
f0860ff0bb Add interface to start/stop iptables service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-12 14:32:00 -05:00
Russell Coker
da1de46f66 some little stuff 
Tiny and I think they are all obvious.
 2019-01-12 14:16:33 -05:00
Nicolas Iooss
c3b588bc65
init: rename *_pid_* interfaces to use "runtime" 
The name of these interfaces is clearer that way.

This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
 2019-01-12 17:11:00 +01:00
Nicolas Iooss
80fb19a9ba
Label service binaries in /usr/bin like /usr/sbin 
For some services, the program responsible for the service has a file
context which is defined only when it is installed in /usr/sbin. This
does not work on Arch Linux, where every program is in /usr/bin
(/usr/sbin is a symlink to /usr/bin).

Add relevant file contexts for /usr/bin/$PROG when /usr/sbin/$PROG
exists.
 2019-01-12 17:08:09 +01:00
Chris PeBenito
143ed2cc1b init, logging: Module version bump. 2019-01-10 20:26:36 -05:00
Nicolas Iooss
6f5e31431e
Allow systemd-journald to read systemd unit symlinks 
type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:user@1000.service"
    dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0
    type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:dbus.service"
    dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

"ls -lZ" on these files gives:

    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:user@1000.service -> a12344e990e641d9a43065b2d1e115a7
    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:dbus.service -> 70bd8da4e0c14bf8b7fcadcd71d22214
 2019-01-10 23:51:08 +01:00
Chris PeBenito
85536c64e1 kernel, jabber, ntp, init, logging, systemd: Module version bump. 2019-01-09 19:36:41 -05:00
Russell Coker
4a95d08da1 logging 
Prosody and ntpd don't just need append access to their log files.
 2019-01-09 19:30:25 -05:00
Chris PeBenito
d2a1333fdc kernel, systemd: Move lines. 2019-01-09 19:30:15 -05:00
Russell Coker
9cb572bd02 mls stuff 
Here are the patches I used last time I tried to get MLS going on Debian.
 2019-01-09 19:20:35 -05:00
Chris PeBenito
1ff4b35ec2 iptables: Module version bump. 2019-01-07 18:48:44 -05:00
Sugar, David
43a77c30fa Add interface to get status of iptables service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-07 18:40:13 -05:00
Chris PeBenito
e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Chris PeBenito
599112a85c Merge branch 'systemd-logind-getutxent' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:07:54 -05:00
Chris PeBenito
bd50873362 Merge branch 'restorecond_getattr_cgroupfs' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:07:24 -05:00
Chris PeBenito
559d4b830a Merge branch 'ssh_dac_read_search' of git://github.com/fishilico/selinux-refpolicy 2019-01-06 14:06:47 -05:00
Chris PeBenito
38839b3e6c nsd: Merge two rules into one. 2019-01-06 14:03:29 -05:00
Chris PeBenito
ea11d5bbc2 Merge branch 'nsd' of https://github.com/alexminder/refpolicy 2019-01-06 14:02:06 -05:00
Sugar, David
82494cedc1 pam_faillock creates files in /run/faillock 
These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t).  sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.

v3 - Updated based on feedback

type=AVC msg=audit(1545153126.899:210): avc:  denied  { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc:  denied  { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1

type=AVC msg=audit(1545167205.531:626): avc:  denied  { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-06 13:57:18 -05:00
Sugar, David
2791589f9e Allow greeter to start dbus 
The display manager lightdm (and I think gdm) start a dbus binary.

v3 - Updated based on feedback

type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute } for  pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { read open } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { execute_no_trans } for  pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc:  denied  { map } for  pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.112:208): avc:  denied  { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1

type=AVC msg=audit(1546551459.116:209): avc:  denied  { read } for pid=6275 comm="dbus-daemon" name="995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.116:209): avc:  denied  { open } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.116:210): avc:  denied  { getattr } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-06 13:57:18 -05:00
Chris PeBenito
6780e6d2e2 init: Remove inadvertent merge. 2019-01-06 13:53:02 -05:00
Russell Coker
3133587825 cron trivial 
Here are the most trivial cron patches I have, I would like to get this in
before discussing the more significant cron patches.
 2019-01-06 13:50:31 -05:00
Chris PeBenito
61b83b30be systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime(). 
Move implementation with other networkd_runtime interfaces.
 2019-01-06 13:49:02 -05:00
Russell Coker
b77b4cd610 missing from previous 
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
 2019-01-06 13:44:18 -05:00
Russell Coker
ef6c7f155e systemd misc 
This patch has policy changes related to systemd and the systemd versions
of system programs.

Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
 2019-01-06 13:11:51 -05:00
Nicolas Iooss
150bd4e179
systemd: allow systemd-logind to use getutxent() 
systemd-logind reads /run/utmp in order to warn users who are currently
logged in about an imminent shutdown. It calls utmp_wall() in
https://github.com/systemd/systemd/blob/v240/src/login/logind-utmp.c#L75-L87
This function calls glibc's getutxent() here:
https://github.com/systemd/systemd/blob/v240/src/shared/utmp-wtmp.c#L401
This function, implemented in
https://sourceware.org/git/?p=glibc.git;a=blob;f=login/utmp_file.c;h=040a5057116bb69d9dfb1ca46f025277a6e20291;hb=3c03baca37fdcb52c3881e653ca392bba7a99c2b
, opens and locks /run/utmp in order to enumerate the users.
 2019-01-06 16:28:32 +01:00
Nicolas Iooss
49af56f3b5
selinuxutil: allow restorecond to try counting the number of files in cgroup fs 
When restorecond calls selinux_restorecon(), libselinux scans
/proc/mounts in a function named exclude_non_seclabel_mounts with the
following comment
(https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230):

    /*
     * This is called once when selinux_restorecon() is first called.
     * Searches /proc/mounts for all file systems that do not support extended
     * attributes and adds them to the exclude directory table.  File systems
     * that support security labels have the seclabel option, return
     * approximate total file count.
     */

The "approximate total file count" is computed using statvfs(), which
results in a system call to statfs().

The cgroup filesystem supports security label (/proc/mounts shows
"seclabel") so restorecond uses statfs to try counting the number of its
inodes. This result in the following denial:

    type=AVC msg=audit(1546727200.623:67): avc:  denied  { getattr } for
    pid=314 comm="restorecond" name="/" dev="cgroup" ino=1
    scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0

    type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137
    success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55
    a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0
    euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
    ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond"
    subj=system_u:system_r:restorecond_t key=(null)

    type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond"

Allow this, like commit 5125b8eb2d ("last misc stuff") did for
setfiles_t.
 2019-01-05 23:51:36 +01:00
Nicolas Iooss
3734d7e76c ssh: use dac_read_search instead of dac_override 
When creating a session for a new user, sshd performs a stat() call
somewhere:

    type=AVC msg=audit(1502951786.649:211): avc:  denied  {
    dac_read_search } for  pid=274 comm="sshd" capability=2
    scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t
    tclass=capability permissive=1

    type=SYSCALL msg=audit(1502951786.649:211): arch=c000003e syscall=4
    success=no exit=-2 a0=480e79b300 a1=7ffe0e09b080 a2=7ffe0e09b080
    a3=7fb2aa321b20 items=0 ppid=269 pid=274 auid=1000 uid=0 gid=0
    euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
    comm="sshd" exe="/usr/bin/sshd" subj=system_u:system_r:sshd_t
    key=(null)

    type=PROCTITLE msg=audit(1502951786.649:211):
    proctitle=737368643A2076616772616E74205B707269765D
 2019-01-05 21:21:18 +01:00
Chris PeBenito
d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Chris PeBenito
da9ff19d94 sudo: Whitespace fix. 2019-01-05 14:17:18 -05:00
Russell Coker
e1babbc375 systemd related interfaces 
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
 2019-01-05 14:17:01 -05:00
Chris PeBenito
6f12a29ecc apt, rpm: Remove and move lines to fix fc conflicts. 2019-01-05 14:09:57 -05:00
Chris PeBenito
39881a0e14 dpkg: Rename dpkg_read_script_tmp_links(). 2019-01-05 13:56:43 -05:00
Chris PeBenito
5a9982de70 sysnetwork: Move lines. 2019-01-05 13:56:15 -05:00
Russell Coker
5125b8eb2d last misc stuff 
More tiny patches.  Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
 2019-01-05 13:54:38 -05:00
Chris PeBenito
57df6fa0d5 sysnetwork: Move optional block in sysnet_dns_name_resolve(). 2019-01-05 13:42:11 -05:00
Russell Coker
73f8b85ef3 misc interfaces 
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
 2019-01-05 13:36:20 -05:00
Chris PeBenito
713f9000b5 networkmanager: Add ICMPv6 comment 2019-01-05 13:34:18 -05:00
Russell Coker
678c9e0b7a misc services patches 
Lots of little patches to services.
 2019-01-05 13:30:30 -05:00
Alexander Miroshnichenko
c947258610 Remove unneeded braces from nsd.te. 2019-01-04 15:59:02 +03:00
Chris PeBenito
56b7919589 sigrok: Remove extra comments. 2019-01-03 20:52:26 -05:00
Guido Trentalancia
9e6febb049 Add sigrok contrib module 
Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
 2019-01-03 20:51:18 -05:00
Chris PeBenito
65b7fa3f43 lvm, syncthing: Module version bump. 2019-01-03 17:52:03 -05:00
Chris PeBenito
82e652df04 Merge branch 'lvm' of https://github.com/alexminder/refpolicy 2019-01-03 17:45:16 -05:00
Chris PeBenito
9e3bb1bfde syncthing: Whitespace change 2019-01-03 17:44:48 -05:00
Alexander Miroshnichenko
972654cf09 Remove syncthing tunable_policy. 
kernel_read_network_state already give syncthing to get route information. Backup plan with ifconfig does not required.
 2019-01-03 13:26:08 +03:00
Alexander Miroshnichenko
29bbe7b958 Add comment for map on lvm_metadata_t. 2019-01-03 10:15:07 +03:00
Alexander Miroshnichenko
eca583b86c Add map permission to lvm_t on lvm_metadata_t. 
On musl libc system lvm requires map permission.
 2018-12-30 18:57:56 +03:00
Alexander Miroshnichenko
faa2b15910 Add nsd_admin interface to sysadm.te. 
Allow users with sysadm_r role to start/stop NSD daemon.
 2018-12-30 18:30:23 +03:00
Alexander Miroshnichenko
e426b5785f Add required permissions for nsd_t to be able running. 
Add required permissions to nsd_t for NSD work properly.
 2018-12-30 18:27:30 +03:00
Alexander Miroshnichenko
8b2add4140 Allow syncthing_t to execute ifconfig/iproute2. 
Add new boolean which can allow syncthing_t to execute ifconfig/iproute2 to determinate gateway for NAT-PMP.
 2018-12-30 17:43:16 +03:00
Alexander Miroshnichenko
2b3473c40c Allow syncthing_t to read network state. 
Allow to read network state (/proc/*/route) and proc_t (/proc/cpuinfo, /proc/meminfo).
 2018-12-30 17:42:26 +03:00
Alexander Miroshnichenko
eb588f836e Add corecmd_exec_bin permissions to syncthing_t. 
corecmd_exec_bin required to run application.
 2018-12-30 17:41:31 +03:00
Alexander Miroshnichenko
d2569bb877 Add signal_perms setpgid setsched permissions to syncthing_t. 
setpgid required because of "WARNING: Failed to lower process priority: set process group: permission denied"
setsched required because of "WARNING: Failed to lower process priority: set niceness: permission denied"
signal_perms required to launch app.
 2018-12-30 17:39:38 +03:00
Chris PeBenito
e5ac999aab dbus, xserver, init, logging, modutils: Module version bump. 2018-12-11 17:59:31 -05:00
David Sugar
6167b9b6e5 Allow auditctl_t to read bin_t symlinks. 
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod.  But policy didn't allow auditctl_t to follow
that link.

type=AVC msg=audit(1543853530.925:141): avc:  denied  { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc:  denied  { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc:  denied  { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc:  denied  { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar
e73e9e7734 Add missing require for 'daemon' attribute. 
Not sure how I didn't notice this missing require before.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar
55c3fab804 Allow dbus to access /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1543769401.029:153): avc:  denied  { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc:  denied  { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1543845518.175:364): avc:  denied  { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc:  denied  { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar
241b917d37 Allow kmod to read /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1543769402.716:165): avc:  denied  { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc:  denied  { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
David Sugar
3425d22c24 Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1543761322.221:211): avc:  denied  { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc:  denied  { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc:  denied  { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc:  denied  { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-12-11 17:54:44 -05:00
Chris PeBenito
249e87ab73 cron, minissdpd, ntp, systemd: Module version bump. 2018-11-17 19:02:54 -05:00
Chris PeBenito
45a8ddd39f Merge branch 'minissdpd' of https://github.com/bigon/refpolicy 2018-11-17 18:58:09 -05:00
David Sugar
b73758bb97 Interface to read cron_system_spool_t 
Useful for the case that manage isn't requied.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-17 18:52:31 -05:00
David Sugar
56e8f679b2 interface to enable/disable systemd_networkd service 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-17 18:52:31 -05:00
David Sugar
5deea1b940 Add interfaces to control ntpd_unit_t systemd services 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-17 18:52:31 -05:00
Chris PeBenito
cd4be3dcd0 dnsmasq: Module version bump. 2018-11-17 18:50:18 -05:00
Petr Vorel
da49b37d87 dnsmasq: Require log files to have .log suffix 
+ allow log rotate as well.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
 2018-11-17 18:49:59 -05:00
Laurent Bigonville
a71cc466fc Allow minissdpd_t to create a unix_stream_socket 
----
type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc:  denied  { listen } for  pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc:  denied  { accept } for  pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
 2018-11-12 16:24:54 +01:00
Chris PeBenito
b4d7c65fc4 Various modules: Version bump. 2018-11-11 15:58:59 -05:00
Chris PeBenito
205b5e705a Merge branch 'iscsi' of https://github.com/bigon/refpolicy 2018-11-11 15:53:19 -05:00
Chris PeBenito
0e868859c4 Merge branch 'resolved' of https://github.com/bigon/refpolicy 2018-11-11 15:52:51 -05:00
Laurent Bigonville
7316be9c2a Allow iscsid_t to create a netlink_iscsi_socket 
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc:  denied  { bind } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc:  denied  { create } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
 2018-11-11 20:04:21 +01:00
Laurent Bigonville
d5d6fe0046 Allow systemd_resolved_t to bind to port 53 and use net_raw 
resolved also binds against port 53 on lo interface
 2018-11-11 14:27:01 +01:00
Laurent Bigonville
404dcf2af4 Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names 
Also allow unconfined_t to talk with the resolved daemon
 2018-11-11 13:36:05 +01:00
Laurent Bigonville
06588b55b4 Add systemd_dbus_chat_resolved() interface 2018-11-11 13:33:00 +01:00
Laurent Bigonville
df58008c2b Allow ntpd_t to read init state 
With systemd-timesyncd, the following AVC denials are generated:
  type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc:  denied  { open } for  pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
  type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc:  denied  { read } for  pid=397 comm=systemd-timesyn name=sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
  type=AVC msg=audit(01/11/18 15:44:39.564:49) : avc:  denied  { getattr } for  pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
 2018-11-10 19:01:33 +01:00
Laurent Bigonville
6060f35f03 Allow semanage_t to connect to system D-Bus bus 
This is needed as systemd NSS modules is talking to systemd/PID1 over
D-Bus
 2018-11-10 19:01:33 +01:00
Laurent Bigonville
2f054c67a2 irqbalance now creates an abstract socket 2018-11-10 19:01:28 +01:00
Chris PeBenito
4ff893bca0 dnsmasq: Reorder lines in file contexts. 2018-11-09 19:35:14 -05:00
Chris PeBenito
f583b6b061 dnsmasq: Whitespace fix in file contexts. 2018-11-09 19:34:49 -05:00
Chris PeBenito
1431ba9d41 amavis, apache, clamav, exim, mta, udev: Module version bump. 2018-11-09 19:32:08 -05:00
David Sugar
75dd54edc7 Allow clamd to use sent file descriptor 
This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning.  This still requires
the file type to be readable by clamd.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:09:49 -05:00
David Sugar
2fa76a4b9e Add interfaces to control clamav_unit_t systemd services 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar
81953475a5 Interface to add domain allowed to be read by ClamAV for scanning. 
Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar
03f248c9e1 Allow clamd_t to read /proc/sys/crypt/fips_enabled 
To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc:  denied  { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc:  denied  { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc:  denied  { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc:  denied  { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:06:01 -05:00
David Sugar
f0047d0247 Add interface udev_run_domain 
This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action.  This interface allows a domain transition to occur for the run action.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-11-09 19:04:22 -05:00
Chris PeBenito
35463351a0 clamav, ssh, init: Module version bump. 2018-10-27 15:10:10 -04:00
Luis Ressel
9dd80c6a67 system/init: Give init_spec_daemon_domain()s the "daemon" attribute 
init_daemon_domain() applies this attribute too.
 2018-10-27 14:56:34 -04:00
Luis Ressel
a42ff404bd services/ssh: Don't audit accesses from ssh_t to /dev/random 
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.

The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
 2018-10-27 14:56:34 -04:00
David Sugar
1941eefa13 Interface to allow reading of virus signature files. 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-10-27 14:56:34 -04:00
Chris PeBenito
66a337eec6 obj_perm_sets.spt: Add xdp_socket to socket_class_set. 2018-10-23 17:18:43 -04:00
Laurent Bigonville
109ab3296b Add xdp_socket security class and access vectors 
Added in 4.18 release
 2018-10-21 13:01:22 +02:00
Chris PeBenito
5a3207fb45 miscfiles: Module version bump. 2018-10-14 13:55:21 -04:00
Luis Ressel
75dcc276c0 miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t 
fontconfig can be configure to use the TeX Live fonts in addition to
/usr/share/fonts/.
 2018-10-14 13:50:27 -04:00
Chris PeBenito
e3eba7b7ff logrotate: Module version bump. 2018-10-13 13:39:18 -04:00
Luis Ressel
14b4c0c8c7 Realign logrotate.fc, remove an obvious comment 2018-10-13 13:39:18 -04:00
Luis Ressel
a604ae7ca2 Add fc for /var/lib/misc/logrotate.status 
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
 2018-10-13 13:39:18 -04:00
Chris PeBenito
65da822c1b Remove unused translate permission in context userspace class. 
mcstransd never implemented this permission.  To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
 2018-10-13 13:39:18 -04:00
Laurent Bigonville
606e486876 policy/support/obj_perm_sets.spt: modify indentation of mmap_file_perms to make sepolgen-ifgen happy 
Currently, sepolgen-ifgen fails with the following error:
  /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]
  error parsing headers
  error parsing file /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could not parse text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]"
 2018-10-09 12:53:44 +02:00
Chris PeBenito
bf16b6d4b9 xserver: Module version bump. 2018-10-03 22:08:23 -04:00
Luis Ressel
9be8cfac19 xserver: Allow user fonts (and caches) to be mmap()ed. 
Applications can optionally map fonts and fontconfig caches into memory.
miscfiles_read_fonts() already grants those perms, but it seems
xserver_use_user_fonts() was forgotten.
 2018-10-03 22:07:59 -04:00
Chris PeBenito
b3a1e8a8f8 corecommands: Module version bump. 2018-09-28 15:20:46 -04:00
Luis Ressel
e751959925 corecommands: Fix /usr/share/apr* fc 
Both apr and apr-1 are possible
 2018-09-28 15:14:43 -04:00
Chris PeBenito
3899825c1c fstools: Module version bump. 2018-08-04 08:51:00 -04:00
Nicolas Iooss
094409b735 fstools: label e2mmpstatus as fsadm_exec_t 
e2fsprogs 1.44.3 installs e2mmpstatus as a hard link to dumpe2fs. This
makes "restorecon -Rv /usr/bin" relabels this file with conflicting
contexts:

Relabeled /usr/bin/e2mmpstatus from system_u:object_r:fsadm_exec_t to system_u:object_r:bin_t
Relabeled /usr/bin/dumpe2fs from system_u:object_r:bin_t to system_u:object_r:fsadm_exec_t

Fix this by labelling e2mmpstatus like dumpe2fs.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2018-08-04 08:50:06 -04:00
Chris PeBenito
e1caae17a2 ipsec: Module version bump. 2018-07-28 09:02:22 -04:00
Yuli Khodorkovskiy
305bd29f65 ipsec: add missing permissions for pluto 
When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.

Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
 2018-07-28 08:58:34 -04:00
Chris PeBenito
9285d9f450 misc_patterns.spt: Remove unnecessary brackets. 2018-07-19 19:49:21 -04:00
Lukas Vrabec
a7edcc9f2b Improve domain_transition_pattern to allow mmap entrypoint bin file. 
In domain_transition_pattern there is rule:
allow $1 $2:file { getattr open read execute };

map permission is missing here, which is generating lot of AVC.
Replacing permissions with mmap_exec_file_perms set.
 2018-07-19 19:48:08 -04:00
Chris PeBenito
e9eec95de4 devices: Module version bump. 2018-07-15 16:56:51 -04:00
Jagannathan Raman
ce4fe74fe3 vhost: Add /dev/vhost-scsi device of type vhost_device_t. 
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
 2018-07-15 16:43:45 -04:00
Chris PeBenito
d301e83161 mozilla, devices, selinux, xserver, init, iptables: Module version bump. 2018-07-10 20:11:40 -04:00
Jason Zaman
6bf506ec68 iptables: fcontexts for 1.8.0 
The binary changed from /sbin/xtables-multi to xtables-legacy-multi and
xtables-nft-multi
 2018-07-10 17:25:11 -04:00
Jason Zaman
d53047dc58 Allow map xserver_misc_device_t for nvidia driver 2018-07-10 17:25:11 -04:00
Jason Zaman
871d47888b xserver: label .cache/fontconfig as user_fonts_cache_t 2018-07-10 17:25:11 -04:00
Jason Zaman
3c4f0dfaae mozilla: xdg updates 2018-07-10 17:25:11 -04:00
Jason Zaman
181298ab8b selinux: compute_access_vector requires creating netlink_selinux_sockets 2018-07-10 17:25:11 -04:00
Chris PeBenito
65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito
87b0512036 xdg, xserver, mplayer, games: Module version bump. 2018-06-24 20:32:02 -04:00
Jason Zaman
452c100212 apps: rw mesa_shader_cache 2018-06-24 19:11:14 -04:00
Jason Zaman
6f32775885 xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/ 2018-06-24 19:11:14 -04:00
Jason Zaman
5b85f31124 xdg: Introduce xdg_search_cache_dirs 2018-06-24 19:11:14 -04:00
Jason Zaman
49a5d06120 xdg: filetrans should not add filetrans from user_home_dir 
SELinux 2.8 is stricter with duplicate filetrans and these rules cause
problems if a domain needs more than one xdg dir.

Domains should call xdg_generic_user_home_dir_filetrans_data directly if
needed.
 2018-06-24 19:11:14 -04:00
Jason Zaman
b9bbe78f9e xdg: Add map perms, also make lnk_file, dirs consistent 2018-06-24 19:11:14 -04:00
Chris PeBenito
a6313231d6 sysnetwork: Module version bump. 2018-06-23 10:50:14 -04:00
Laurent Bigonville
66a0e1b8eb Label /etc/hosts.allow as net_conf_t 
/etc/hosts.deny is labeled as net_conf_t so it makes sense to label
hosts.allow the same way

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2018-06-23 10:50:01 -04:00
Chris PeBenito
3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito
0f3132c795 Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 09:00:56 -04:00
Chris PeBenito
afb14bd300 Remove refpolicy-contrib submodule. 2018-06-23 08:55:49 -04:00
Chris PeBenito
54f0118bc7 XDG: Module version bump. 2018-06-10 13:40:20 -04:00
Jason Zaman
8bb4fdfc29 userdom: remove filetrans from userdom_user_content_access_template 2018-06-10 13:23:58 -04:00
Sven Vermeulen
b64a53494f tunable-managed user content access template 
To simplify policy management on the various application domains with
respect to user content access, a template is introduced which generates
four tunable_policy() blocks.

- The *_read_generic_user_content boolean will enable the application
  domain to read generic user resources (labeled with user_home_t).
- The *_read_all_user_content boolean does the same, but for all user
  resources (those associated with the user_home_content_type attribute).
- The *_manage_generic_user_content boolean enables the application to
  manage generic user resources (labeled with user_home_t)
- The *_manage_all_user_content boolean does the same, but for all user
  reosurces (those associated with the user_home_content_type attribute).

Although it would be even better to generate the booleans themselves as
well (which is what Gentoo does with this template), it would result in
booleans without proper documentation. Calls such as "semanage boolean
-l" would fail to properly show a description on the boolean - something
Gentoo resolves by keeping this documentation separate in a
doc/gentoo_tunables.xml file.

In this patch, we assume that the calling modules will define the
booleans themselves (with appropriate documentation). The template
checks for the existence of the booleans. This approach is more in
line with how domain-specific booleans are managed up to now.

Changes since v2:
 - Fix typo in gen_require (had a closing : instead of ;)

Changes since v1:
 - Use in-line XML comment and tunable definition

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2018-06-10 13:23:01 -04:00
Sven Vermeulen
d4dad1950d helper interfaces to read/manage all user content 
To facilitate handling user home content (through the
user_home_content_type attribute) the following interfaces are provided:

- userdom_read_all_user_home_content
- userdom_manage_all_user_home_content

Domains that are granted these privileges are able to read (or manage)
all user home content, so not only the generic one (user_home_t) but all
types that have been assigned the user_home_content_type attribute. This
is more than just user_home_t and the XDG types, so the use should not
be granted automatically.

As part of the larger XDG patch set, these interfaces are called through
the *_read_all_user_content and *_manage_all_user_content booleans which
are by default not enabled.

Changes since v2:
- Fix typo in pattern call

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2018-06-10 13:23:01 -04:00
Sven Vermeulen
442849be7f Allow X server users to manage all xdg resources 
With the introduction of the freedesktop XDG location support in the
policy, end users need to be allowed to manage these locations from their
main user domain.

The necessary privileges are added to the xserver_role() interface, which is
in use by the unconfined user domain as well as the main other user domains
(like user, sysadm and staff).

The necessary file transitions for the directories are added as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2018-06-10 13:23:01 -04:00
Sven Vermeulen
0a4d55da7a freedesktop location support 
Introduce various freedesktop locations, based on the base directory
specification [1]. The new locations are introduced as a separate module
to keep the rules related to these specifications isolated from the main
user domain (which is already one of the biggest modules code-wise).

Right now, two distinct location groups are provided, one being the set
of locations that will have domain-specific types, and one that remains
generic for end users.

The first set of types are:
- XDG Cache location, meant for non-essential cached data. The base type
  here is xdg_cache_t, which is generally at $HOME/.cache
- XDG Data location, for user-specific data. The base type here is
  xdg_data_t, which is generally at $HOME/.local
- XDG Config location, for user-specific configuration files. The base
  type here is xdg_config_t, which is generally at $HOME/.config

The idea here is to provide support for domain-specific files as well.
For instance, Chromium has its user-specific configuration files in
~/.config/chromium, which is then marked as chromium_xdg_config_t.

This allows for isolation of potentially sensitive information from
regular user application domains. Firefox for instance should not be
able to read user configuration data from unrelated applications.

The second set of types are:
- User documents, with xdg_documents_t as the type. This is
  generally for the ~/Documents location.
- User downloads, with xdg_downloads_t as the type. This is
  generally for the ~/Downloads location.
- User music, with xdg_music_t as the type. This is generally for
  the ~/Music location.
- User pictures, with xdg_pictures_t as the type. This is generally
  for the ~/Pictures location.
- User videos, with xdg_videos_t as the type. This is generally for
  the ~/Videos location.

Alongside the type definitions, a number of access interfaces are
defined to support the use of these types, and for the first set to
enable the necessary file transitions.

[1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
 2018-06-10 13:23:01 -04:00
Chris PeBenito
e2bae7b65d corecommands: Module version bump. 2018-06-10 13:19:13 -04:00
Jason Zaman
ece7bdc282 corecommands: adjust gcc fcontext to also work on musl 2018-06-10 13:05:57 -04:00
Chris PeBenito
0252046c95 systemd: Move lines. 2018-06-07 20:17:15 -04:00
Dave Sugar
f4713393ae policy for systemd-hwdb 
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete.  It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:48 -04:00
Dave Sugar
2408d45a3d policy for systemd-update-done 
systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun  6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun  6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun  6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun  6 13:11:58 localhost systemd: systemd-update-done.service failed.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:48 -04:00
Dave Sugar
664d932c0f systemd-resolved uses notify to indicate status 
type=AVC msg=audit(1528207926.219:1609): avc:  denied  { write } for  pid=2689 comm="systemd-resolve" name="notify" dev="tmpfs" ino=6277 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1528208016.448:1702): avc:  denied  { sendto } for  pid=2689 comm="systemd-resolve" path="/run/systemd/notify" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:48 -04:00
Dave Sugar
fd466a380e Allow systemd-resolved to connect to system dbusd 
type=USER_AVC msg=audit(1527726267.150:134): pid=1170 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for service=org.freedesktop.resolve1 spid=1208 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:48 -04:00
Dave Sugar
0ddccc81ad Allow systemd_resolved to read systemd_networkd runtime files 
type=AVC msg=audit(1527698299.999:144): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527698299.999:145): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698299.999:145): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698300.000:146): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527702014.276:183): avc:  denied  { search } for  pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527704163.181:152): avc:  denied  { open } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.181:153): avc:  denied  { getattr } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.604:173): avc:  denied  { read } for  pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:47 -04:00
Dave Sugar
1dd2e5aca4 Allow systemd-resolved to read sysctl 
type=AVC msg=audit(1527698300.007:150): avc:  denied  { search } for  pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1527698300.007:150): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:150): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:151): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

type=AVC msg=audit(1527698300.006:148): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.006:148): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:149): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:47 -04:00
Chris PeBenito
4b91cc3a18 Remove deprecated flask.py script. 2018-05-31 17:40:10 -04:00
Chris PeBenito
6b0abaf880 init: Module version bump. 2018-05-02 17:22:52 -04:00
Jason Zaman
9219bde71e init: Add filetrans for /run/initctl 
sysvinit 2.89 moved /dev/initctl to /run/initctl.

Reported-by: revel
 2018-05-02 17:12:01 -04:00
Chris PeBenito
c95e835170 sysnetwork: Module version bump. 2018-04-25 17:34:13 -04:00
Chris PeBenito
71b2ed038c sysnetwork: Move lines in sysnet_read_config(). 2018-04-25 17:33:51 -04:00
Jason Zaman
0ae2abab2e sysnetwork: put systemd_read_resolved_runtime in an ifdef 
commit f865919872
(Interface to read /run/systemd/resolve/resolv.conf)
Added an interface to sysnet_read_config which requires the systemd
module loaded. Putting the interface in an optional_policy() is not
possible since sysnet_read_config is called from several tunables so
we use an ifdef.
 2018-04-25 17:28:59 -04:00
Chris PeBenito
ac9363d662 init, logging, sysnetwork, systemd, udev: Module version bump. 2018-04-17 20:20:27 -04:00
Dave Sugar
f865919872 Interface to read /run/systemd/resolve/resolv.conf 
With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file.
Please note, this can't be in optional due to tunable_policy in nis_authenticate interface.

type=AVC msg=audit(1523455881.596:214): avc:  denied  { search } for  pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc:  denied  { read } for  pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc:  denied  { open } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc:  denied  { getattr } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-04-17 20:14:50 -04:00
Dave Sugar
ceec13419f Fix problems booting with fips=1 
Seeing the following problem when booting in enforcing with FIPS mode enabled.
Request for unknown module key 'CentOS Linux kernel signing key: c757a9fbbd0d82c9e54052029a0908d17cf1adc7' err -13
Then seeing the system halt

Fixing the following denials:
[    4.492635] type=1400 audit(1523666552.903:4): avc:  denied  { search } for  pid=894 comm="systemd-journal" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.496621] type=1400 audit(1523666552.907:5): avc:  denied  { read } for  pid=894 comm="systemd-journal" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.499741] type=1400 audit(1523666552.910:6): avc:  denied  { open } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.502969] type=1400 audit(1523666552.914:7): avc:  denied  { getattr } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

[    4.950021] type=1400 audit(1523666553.360:8): avc:  denied  { search } for  pid=952 comm="systemctl" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.986551] type=1400 audit(1523666553.397:9): avc:  denied  { read } for  pid=952 comm="systemctl" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    5.028737] type=1400 audit(1523666553.439:10): avc:  denied  { open } for  pid=952 comm="systemctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

type=1400 audit(1512501270.176:3): avc:  denied  { search } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-04-17 20:14:50 -04:00
Chris PeBenito
2c54bc4eaf Update contrib. 2018-04-12 19:11:36 -04:00
Chris PeBenito
e75bcdead0 Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
James Carter
93238de580 Remove undeclared identifiers from xserver interface 
The interface xserver_manage_xdm_spool_files() uses the undeclared type
xdm_spool_t. Removed statements referring to this type and marked the
interface as deprecated because it is now empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
James Carter
b8d528ea62 Remove undeclared identifiers from interfaces 
These interfaces are not being called in the policy.

corenetwork.if.in:corenet_sctp_bind_generic_port(),
  corenet_dontaudit_sctp_bind_generic_port(), and
  corenet_sctp_connect_generic_port()
  Removed references to undeclared type ephemeral_port_t.

corenetwork.if.in:corenet_sctp_recvfrom_unlabeled()
  Removed references to undeclared type attribute corenet_unlabled_type.

devices.if:dev_read_printk()
  Removed references to undeclared type printk_device_t and marked
  interface as deprecated because it is now empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
James Carter
90b214c004 Move use of user_devpts_t from terminal.fc to userdomain.fc 
The type user_devpts_t is actually declared in userdomain.te and moving it
removes a dependency of the base module (which terminal is a part) on a
module.

Moved the file contexts to label slave pseudo terminals with the
user_devpts_t type from terminal.fc to userdomain.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
James Carter
6226181924 Move use of systemd_unit_t from systemd.fc to init.fc 
The type systemd_unit_t is actually declared in init.te.

Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
James Carter
d172b3b45d Move the use of initrc_var_run_t from files.fc to init.fc 
The type initrc_var_run_t is actually declared in init.te and moving it
removes a dependency of the base module (which files is a part) on a
module.

Moved the file contexts to label motd for debian systems with the
initrc_var_run_t type from files.fc to init.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
James Carter
f43db58687 Move the use of var_log_t from authlogin.fc to logging.fc 
The type var_log_t is actually declared in logging.te.

Moved the file contexts to label dmesg and syslog files with the
var_log_t type from authlogin.fc to logging.fc.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
James Carter
da0cf8e721 Mark unused parameters as unused 
Marked unused parameters as unused in the interfaces listed below.

userdomain.if:userdom_ro_home_role()
userdomain.if:userdom_manage_home_role()
userdomain.if:userdom_manage_tmp_role()
userdomain.if:userdom_manage_tmpfs_role()

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
James Carter
2268d42fee Removed unnecessary semicolons 
Removed unecessary semicolons in ipsec.te, logging.te, and systemd.te

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
Chris PeBenito
ed60abef70 corenetwork, init: Module version bump. 2018-03-21 14:17:22 -04:00
Christian Göttsche
7b6042b29c add definition of bpf class and systemd perms 2018-03-21 14:16:52 -04:00
Richard Haines
437e48ac53 refpolicy: Update for kernel sctp support 
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
 2018-03-21 14:14:37 -04:00
Chris PeBenito
d0bac9a48e Update contrib. 2018-03-09 17:10:00 -05:00
Chris PeBenito
94e3f48a8e iptables: Module version bump. 2018-03-09 17:09:50 -05:00
Miroslav Grepl
b0b4bc947c xtables-multi wants to getattr of the proc fs 2018-03-01 12:32:22 +01:00
Chris PeBenito
9c0d0e66ff another trivial dbus patch from Russell Coker. 2018-02-18 11:25:29 -05:00
Chris PeBenito
03e2f1a809 Simple map patch from Russell Coker. 2018-02-15 17:10:34 -05:00
Chris PeBenito
b492924414 Misc dbus fixes from Russell Coker. 2018-02-15 17:07:08 -05:00
Chris PeBenito
88e821f369 Enable cgroup_seclabel and nnp_nosuid_transition. 2018-01-16 18:52:39 -05:00
Chris PeBenito
c20931323a Update Changelog and VERSION for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito
4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito
f9f721028c init: Module version bump. 2018-01-05 16:20:50 -05:00
Christian Göttsche
288bc8471c init: add init_rw_inherited_stream_socket 2018-01-05 15:35:06 -05:00
Chris PeBenito
519cada9f1 Update contrib. 2018-01-03 16:56:53 -05:00
Christian Göttsche
c51e9e1bb4 filesystem: add fs_rw_inherited_hugetlbfs_files for apache module 2018-01-03 16:56:03 -05:00
Chris PeBenito
6c41a0a3af hostname: Module version bump. 2017-12-31 07:06:52 -05:00
Christian Göttsche
5b2db4fcb1 hostname: cmdline usage + signal perms sort 2017-12-31 06:51:13 -05:00
Chris PeBenito
e1fb2401fe Update contrib. 2017-12-26 05:38:55 -05:00
Nicolas Iooss
dbd8fbb01c corecommands: label systemd script directories bin_t 
systemd defines in /usr/lib/systemd several directories which can
contain scripts or executable files:
- system-environment-generators/ and user-environment-generators/
  documented in
  https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
- system-shutdown/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
- system-sleep/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html

Currently the content of these directories is labelled lib_t, which
causes the following AVC on Arch Linux:

    avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
    path="/usr/lib/systemd/system-environment-generators/10-arch"
    dev="vda1" ino=543182 scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:lib_t tclass=file permissive=1

For information /usr/lib/systemd/system-environment-generators/10-arch
only defines $PATH and its content is available on
https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
 2017-12-17 15:28:37 -05:00
Chris PeBenito
d91260b7b5 Revise mmap_file_perms deprecation warning message. 2017-12-17 15:24:48 -05:00
Chris PeBenito
94f1a1b3f3 Add missing mmap_*_files_pattern macros. 2017-12-13 19:01:45 -05:00
Chris PeBenito
78a49b640d Add new mmap permission set and pattern support macros. 
Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access.  Replace with a full set of permission
set macros for mmap.

Requested for selinux-testsuite usage.
 2017-12-13 18:58:34 -05:00
Chris PeBenito
84ce1a11a4 storage, userdomain: Module version bump. 2017-12-13 18:29:26 -05:00
Jason Zaman
7757827de9 storage: Add fcontexts for NVMe disks 
NVMe has several dev nodes for each device:
/dev/nvme0 is a char device for communicating with the controller
/dev/nvme0n1 is the block device that stores the data.
/dev/nvme0n1p1 is the first partition
 2017-12-13 18:19:29 -05:00
Jason Zaman
d29486d4cf userdomain: Allow public content access 
All are allowed read access to readonly files.
unpriv and admin users are allowed rw access to public rw files.
 2017-12-13 18:19:29 -05:00
Chris PeBenito
8e19b3103e mls, xserver, systemd, userdomain: Module version bump. 2017-12-12 20:25:32 -05:00
David Sugar
dd4facd8af Allow systemd_logind to delete user_runtime_content_type files 
Now that objects in /run/user/%{USERID}/* use the attribute user_runtime_content_type use interfaces userdom_delete_all_user_runtime_* to allow deletion of these objects.

type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-12-12 20:19:10 -05:00
David Sugar
248b914d4d Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content_type) 
Setup type  xdm_runtime_t for files and directories created in /run/user/%{USERID}/ and use filetrans to transition from user_runtime_t to our private type.

type=AVC msg=audit(1511962167.495:64): avc:  denied  { write } for  pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc:  denied  { add_name } for  pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc:  denied  { create } for  pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:65): avc:  denied  { create } for  pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962167.495:65): avc:  denied  { read write open } for  pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc:  denied  { read write } for  pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc:  denied  { open } for  pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc:  denied  { read write } for  pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc:  denied  { open } for  pid=1784 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc:  denied  { read write } for  pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc:  denied  { open } for  pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-12-12 20:19:10 -05:00
David Sugar
9af24aeb9c Make an attribute for objects in /run/user/%{USERID}/* 
Setup attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-12-12 20:19:10 -05:00
Chad Hanson
5a4f511ff4 Fix implementation of MLS file relabel attributes 
This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabetoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below.

Signed-off-by: Chad Hanson <dahchanson@gmail.com>
 2017-12-12 20:07:57 -05:00
Chris PeBenito
1461e89016 Update contrib. 2017-12-11 19:16:07 -05:00
Chris PeBenito
ceb6c4811f init: Module version bump. 2017-12-10 14:45:35 -05:00
David Sugar
8a7a8bd8c8 label systemd-shutdown so shutdown works 
I am seeing (on RHEL 7.4 w/systemd) that halting the system doesn't work.  It took me a long time (and a lot of help from Steve L.) to figure out what was going on.  It turns out in refpolicy the default label for /usr/lib/systemd/systemd-shutdown is bin_t.  But when systemd tried to execve systemd-shutdown it fails because init_t isn't allowed file entrypoint for bin_t.  When I labeled systemd-shutdown as init_exec_t shutting down the system works.

I was seeing the following log (from systemd) when I enabled systemd debug logging (which was very useful).

[   59.745037] systemd[1]: Starting Final Step.
[   59.746112] systemd[1]: Starting Power-Off...
[   59.776320] systemd[1]: Shutting down.
[   59.783559] systemd[1]: Failed to execute shutdown binary, freezing: Operation not permitted

At this point everything locks up instead of actually halting the system.

This is a patch to change the label for systemd-shutdown which solves the problem.  I'm happy to go through and make a distinct type of systemd-shutdown if someone doesn't think it is a good idea to share the type with systemd.  But based on what is going on, this might be reasonable.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-12-10 14:45:35 -05:00
Chris PeBenito
7d910a92d4 xserver: Module version bump. 2017-12-08 21:04:20 -05:00
David Sugar
87d4a65059 Create interfaces to write to inherited xserver log files. 
Updated based on feedback

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-12-08 21:03:53 -05:00
Chris PeBenito
61a31f6cea xserver, sysnetwork, systemd: Module version bump. 2017-12-07 19:02:02 -05:00
David Sugar via refpolicy
c0ad70ef64 Allow xdm_t to read /proc/sys/crypto/fips_enabled 
type=AVC msg=audit(1512047222.742:53): avc:  denied  { search } for pid=1174 comm="lightdm-gtk-gre" name="crypto" dev="proc" ino=6218 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1512047222.742:53): avc:  denied  { read } for pid=1174 comm="lightdm-gtk-gre" name="fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1512047222.742:53): avc:  denied  { open } for pid=1174 comm="lightdm-gtk-gre" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1512047222.743:54): avc:  denied  { getattr } for pid=1174 comm="lightdm-gtk-gre" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-12-07 18:55:26 -05:00
Laurent Bigonville
88b7c61bd7 Add private type for systemd logind inhibit files and pipes 2017-12-07 18:50:30 -05:00