selinux-refpolicy

Author	SHA1	Message	Date
Chris PeBenito	de8cf73de0	knot: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-13 14:06:44 -04:00
Chris PeBenito	7a1260ffe3	knot: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-13 14:06:02 -04:00
Alexander Miroshnichenko	491ae9991a	Add knot module Add a SELinux Reference Policy module for the Knot authoritative-only DNS server. Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>	2019-07-13 14:00:31 -04:00
Sugar, David	2831598bb5	grant rpm_t permission to map security_t type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 v2 - Create new interface to allow mapping security_t and use this interface by rpm_t Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-13 14:00:23 -04:00
Chris PeBenito	b85c93b582	rpm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-08 20:49:31 -04:00
Sugar, David	72cc3e9136	Allow rpm scripts to alter systemd services In RPM scripts it is common to enable/start services that are being installed. This allows rpm_script_t to manage sysemd units type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:38:46 -04:00
Sugar, David	66bbd568e4	Allow rpm to map file contexts type=AVC msg=audit(1560944465.365:270): avc: denied { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:38:46 -04:00
Sugar, David	79fd6ddb3e	grant rpm permissions to map locale_t type=AVC msg=audit(1560913896.408:217): avc: denied { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:38:46 -04:00
Sugar, David	8e09ba5637	grant permission for rpm to write to audit log Messages like this are added to the audit log when an rpm is installed: type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success' These are the denials that I'm seeing: type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1 type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 v2 - Use interface rather than adding permissions here - this change may confuse subsequent patches in this set, if so let me know and I will submit a pull request on github. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:37:19 -04:00
Sugar, David	c2f504c25e	grant rpm permission to map rpm_var_lib_t type=AVC msg=audit(1560913896.432:218): avc: denied { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:37:19 -04:00
Chris PeBenito	8c3893e427	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-06-09 14:05:19 -04:00
Chris PeBenito	10784f3b33	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-06-09 13:37:51 -04:00
Chris PeBenito	af2e1f91fd	Merge pull request #57 from pebenito/pmem-dax	2019-06-09 13:26:49 -04:00
Chris PeBenito	c00bf89d73	Merge pull request #56 from pebenito/apache-simplify	2019-06-09 13:26:46 -04:00
Chris PeBenito	91028527fc	Merge pull request #55 from pebenito/modules-load	2019-06-09 13:26:43 -04:00
Chris PeBenito	666b744714	devices: Add type for /dev/daxX.Y. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2019-06-04 15:10:28 -04:00
Chris PeBenito	f0e8bdbf50	storage: Add fc entry for /dev/pmem* Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2019-06-04 15:10:06 -04:00
Chris PeBenito	d348413004	apache: Web content rules simplification. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-06-03 15:01:43 -04:00
Chris PeBenito	b07f7b4495	systemd: modules-load updates. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-06-03 08:42:53 -04:00
Chris PeBenito	4aafedd872	init: Add systemd block to init_script_domain(). Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-05-31 08:57:17 -04:00
Chris PeBenito	3a6b7c1856	logrotate: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-05-27 19:30:24 -04:00
Chris PeBenito	5a8c36f390	logrotate: Make MTA optional. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-05-16 11:48:05 -04:00
Chris PeBenito	2d9ad29d04	dovecot, logrotate: Module version bump.	2019-05-03 20:39:36 -04:00
Chris PeBenito	43a682068d	Merge pull request #49 from bigon/fail2ban_logrotate	2019-05-03 08:00:43 -04:00
Chris PeBenito	eaed7a9123	Merge pull request #48 from bigon/dovecot_lmtp	2019-05-03 08:00:41 -04:00
Laurent Bigonville	83f8240f04	Allow logrotate to execute fail2ban-client fail2ban logrotate configuration runs "fail2ban-client flushlogs" after rotating the logs	2019-05-03 13:34:16 +02:00
Laurent Bigonville	8215279af4	Add dovecot to listen to LMTP port Mails can be injected in dovecot directly using LMTP	2019-05-03 12:33:09 +02:00
Dave Sugar	de0e70f07a	create interfaces for NetworkManager units Create interfaces to allow start/stop, enable/disable and status of NetworkManager systemd unit	2019-05-02 11:16:41 -04:00
Chris PeBenito	5d345b79ee	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-04-27 10:51:06 -04:00
Chris PeBenito	6857cda019	Merge pull request #46 from pebenito/systemd-user	2019-04-27 10:50:32 -04:00
Chris PeBenito	a77e0f6837	Merge pull request #45 from pebenito/systemd-update-done-tweak	2019-04-27 10:50:30 -04:00
Chris PeBenito	e5d14ad308	Merge pull request #44 from pebenito/http-mta-optional	2019-04-27 10:50:29 -04:00
Chris PeBenito	54dbc8a7a7	Merge pull request #43 from pebenito/various-device-labels	2019-04-27 10:50:27 -04:00
Chris PeBenito	da156aea1e	systemd: Add initial policy for systemd --user. This is just a start; it does not cover all uses. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-25 11:18:58 -04:00
Chris PeBenito	4bca3dade2	devices: Change netcontrol devices to pmqos. Devices with the netcontrol_device_t type are actually PM QoS devices. Rename the type and add labeling for /dev/memory_bandwidth. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-24 09:17:36 -04:00
Chris PeBenito	3b0d0ea330	devices: Add type for GPIO chips, /dev/gpiochip[0-9] Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-24 08:50:41 -04:00
Chris PeBenito	b1a312152c	devices: Label /dev/tpmrm[0-9]. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-24 08:50:41 -04:00
Chris PeBenito	77161ca8b7	storage: Label /dev/mmcblk* character nodes. An example is mmcblk0rpmb, which is for the replay protected memory block subsystem. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-24 08:50:41 -04:00
Chris PeBenito	ae2d2ec470	kernel, devices, plymouthd, xserver: Module version bump.	2019-04-23 18:37:22 -04:00
Chris PeBenito	ff9bd742b7	systemd: Remove unnecessary names in systemd-update-done filetrans. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-23 15:22:17 -04:00
Chris PeBenito	2f0ead8ecf	apache: Make MTA optional. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-23 15:17:33 -04:00
Dave Sugar	51aadce3c2	Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0	2019-04-23 07:48:15 -04:00
Dave Sugar	2b42f0c13d	Allow xdm (lightdm) start plymouth type=AVC msg=audit(1554917007.995:194): avc: denied { execute } for pid=7647 comm="lightdm" name="plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917007.995:194): avc: denied { read open } for pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917007.995:194): avc: denied { execute_no_trans } for pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917007.995:194): avc: denied { map } for pid=7647 comm="plymouth" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1	2019-04-16 22:20:29 -04:00
Chris PeBenito	e2e4094bd4	various: Module version bump Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-04-16 22:08:11 -04:00
Sugar, David	a49163250f	Add kernel_dgram_send() into logging_send_syslog_msg() This patch is based on comments from previous a patch to remove the many uses of kernel_dgram_send() and incorporate it into logging_send_syslog_msg(). v2 - enclose in ifdef for redhat v3 - rebase this patch on `e41def136a` Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-04-16 20:51:55 -04:00
Chris PeBenito	e41def136a	xserver: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-04-14 14:20:55 -04:00
Chris PeBenito	2356eda7fc	Merge pull request #40 from gtrentalancia/master	2019-04-14 14:15:16 -04:00
Guido Trentalancia	db33386c01	The Qt library version 5 requires to write xserver_tmp_t files upon starting up applications (tested on version 5.12.1). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/services/xserver.if \| 3 +++ 1 file changed, 3 insertions(+)	2019-04-12 17:52:50 +02:00
Chris PeBenito	32ce73f9b8	kernel: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-04-12 07:57:00 -04:00
Lukas Vrabec	ce570ab34d	Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t CRIU can influence the PID of the threads it wants to create. CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which PID it wants for the next clone(). So it has to write to that file. This feels like a problematic as it opens up the container writing to all sysctl_kernel_t. Using new label container_t will just write to sysctl_kernel_ns_last_pid_t instad writing to more generic sysctl_kernel_t files.	2019-04-12 07:52:27 -04:00
Chris PeBenito	beb4a290b0	init: Module version bump.	2019-04-07 20:56:22 -04:00
Chris PeBenito	4c2f16bb26	Merge pull request #39 from pebenito/revise-init-stopstart	2019-04-07 20:54:40 -04:00
Chris PeBenito	b06126dca3	init: Revise conditions in init_startstop_service(). Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-05 15:18:29 -04:00
Chris PeBenito	df696a3254	kernel, init, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-27 18:58:15 -04:00
Chris PeBenito	98c16077ba	Merge pull request #37 from pebenito/master Misc system fixes. Remove use of kernel_unconfined() by systemd_nspawn and udev write to its own executable.	2019-03-27 18:57:39 -04:00
Chris PeBenito	4f6614ba7f	ntp, init, lvm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-27 18:49:54 -04:00
Sugar, David	d3c4e19f72	Denial of cryptsetup reading cracklib database When setting up a LUKS encrypted partition, cryptsetup is reading the cracklib databases to ensure password strength. This is allowing the needed access. type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-27 18:48:01 -04:00
Sugar, David	7525ba9c1e	Allow ntpd to read unit files Adding missing documenation (sorry about that). type=AVC msg=audit(1553013917.359:9935): avc: denied { read } for pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013917.359:9935): avc: denied { open } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013917.359:9936): avc: denied { getattr } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013821.622:9902): avc: denied { getattr } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1553013821.622:9903): avc: denied { read } for pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1553013821.622:9903): avc: denied { open } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-27 18:48:01 -04:00
Chris PeBenito	32f3f09dc4	authlogin, dbus, ntp: Module version bump.	2019-03-24 14:43:35 -04:00
Sugar, David	142651a8b4	Resolve denial about logging to journal from dbus type=AVC msg=audit(1553013821.597:9897): avc: denied { sendto } for pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:37:22 -04:00
Sugar, David	5f14e530ad	Resolve denial about logging to journal from chkpwd type=AVC msg=audit(1553029357.588:513): avc: denied { sendto } for pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:37:22 -04:00
Sugar, David	9f2b1e2b4c	Allow ntpd to update timezone symlink type=AVC msg=audit(1553013821.624:9907): avc: denied { create } for pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1553013821.624:9908): avc: denied { rename } for pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1553013821.624:9908): avc: denied { unlink } for pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:35:44 -04:00
Sugar, David	1b4ffb7806	Allow ntpd to update chronyd service type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=? type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:35:44 -04:00
Sugar, David	a50afdcc84	Add interface ntp_dbus_chat type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:35:44 -04:00
Chris PeBenito	e19f3d658c	init: Remove duplicate setenforce rule for init scripts. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-03-20 10:10:23 -04:00
Chris PeBenito	99f967d3b5	udev: Drop write by udev to its executable. This removes one vector for arbitrary code execution if udev is compromised. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-03-20 10:10:10 -04:00
Chris PeBenito	40bf663090	systemd: Drop unconfined kernel access for systemd_nspawn. Revise kernel assertion to /proc/kmsg to be more precise. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-03-20 10:09:37 -04:00
Chris PeBenito	c46eba9c02	sysadm, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-17 16:27:34 -04:00
Chris PeBenito	ceadf42b75	udev: Move one line and remove a redundant line. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-17 16:25:28 -04:00
Chris PeBenito	2297487654	udev: Whitespace fix. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-17 16:25:03 -04:00
Sugar, David	ba31e59cd1	Separate out udevadm into a new domain This is the update I have made based on suggestions for the previous patches to add a udev_run interface. This adds the new domain udevadm_t which is entered from /usr/bin/udevadm. It seems to meet the needs that I have, but there are some things to note that are probably important. 1) There are a few systemd services that use udevadm during startup. I have granted the permisssions that I need based on denials I was seeing during startup (the machine would fail to start without the permisions). 2) In the udev.fc file there are other binaries that I don't have on a RHEL7 box that maybe should also be labeled udevadm_exec_t. e.g. /usr/bin/udevinfo and /usr/bin/udevsend But as I don't have those binaries to test, I have not updated the type of that binary. 3) There are some places that call udev_domtrans that maybe should now be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again, these are not things that I am using in my current situation and am unable to test the interactions to know if the change is correct. Other than that, I think this was a good suggestion to split udevadm into a different domain. Only change for v4 is to use stream_connect_pattern as suggested. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-17 16:15:21 -04:00
Chris PeBenito	60b8e08f4f	systemd, udev, usermanage: Module version bump.	2019-03-11 20:59:21 -04:00
Chris PeBenito	5260679657	usermanage: Move kernel_dgram_send(passwd_t) to systemd block.	2019-03-11 20:59:16 -04:00
Sugar, David	1cc0045642	Resolve denial while changing password I'm seeing the following denials reading /proc/sys/crypto/fips_enabled and sending message for logging. This resolves those denials. type=AVC msg=audit(1552222811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1552222811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1552222811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1552222811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1552222811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-11 20:54:29 -04:00
Sugar, David	9d2b68e0ba	Allow additional map permission when reading hwdb I'm seeing a denial for udev to map /etc/udev/hwdb.bin. This creates and uses a new interface to allow the needed permission for udev. type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1 Updated from previous to create a new interface. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-11 20:53:30 -04:00
Chris PeBenito	5fda529636	Remove incorrect comment about capability2:mac_admin.	2019-03-11 20:49:42 -04:00
Chris PeBenito	bb83a721cf	filesystem, cron, authlogin: Module version bump.	2019-03-07 19:02:57 -05:00
Sugar, David	3fd0d7df8b	Update cron use to pam interface I'm seeing a many denials for cron related to faillog_t, lastlog_t and wtmp_t. These are all due to the fact cron is using pam (and my system is configured with pam_faillog). I have updated cron to use auth_use_pam interface to grant needed permissions. Additional change to allow systemd_logind dbus for cron. I have included many of the denials I'm seeing, but there are probably others I didn't capture. type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins" type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-07 19:02:57 -05:00
Sugar, David	4f8d21ea71	Add interface to allow relabeling of iso 9660 filesystems. I have a case where I'm labeling media with my own types to control access. But that is requiring that I relabel from iso9660_t to my own type. This interface allows that relabel. type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-07 19:02:57 -05:00
Chris PeBenito	712e6056d9	aide, clamav: Module version bump.	2019-02-26 19:21:27 -08:00
Sugar, David	59413b10b8	Allow AIDE to mmap files AIDE has a compile time option WITH_MMAP which allows AIDE to map files during scanning. RHEL7 has set this option in the aide rpm they distribute. Changes made to add a tunable to enable permissions allowing aide to map files that it needs. I have set the default to false as this seems perfered (in my mind). Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	e5b8318420	Allow AIDE to read kernel sysctl_crypto_t type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	2f063edd88	Allow AIDE to sendto kernel datagram socket type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	c418d0e81d	Add interfaces to run freshclam Currently freshclam can only be started from cron or init. This adds the option of starting from a different process and optionally transitioning or staying in the callers domain. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	899520233d	Allow freshclam to read sysctl_crypto_t type=AVC msg=audit(1550894180.137:3099): avc: denied { search } for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1550894180.137:3099): avc: denied { read } for pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550894180.137:3099): avc: denied { open } for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	2d105029d0	Fix incorrect type in clamav_enableddisable_clamd interface Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Chris PeBenito	e6dcad5002	systemd: Module version bump.	2019-02-24 08:19:27 -08:00
Nicolas Iooss	2fb15c8268	Update systemd-update-done policy systemd-update-done sends logs to journald like other services, as shown by the following AVC: type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for pid=277 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { write } for pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=unix_dgram_socket permissive=1 Moreover it creates /etc/.updated and /var/.updated using temporary files: type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=process permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { read write open } for pid=277 comm="systemd-update-" path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { create } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 [...] type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1	2019-02-24 11:08:20 +01:00
Chris PeBenito	2623984b83	logging, selinuxutil: Module version bump.	2019-02-23 19:30:58 -08:00
Chris PeBenito	0805aaca8d	Merge branch 'restorecond-no-read-all' of git://github.com/fishilico/selinux-refpolicy	2019-02-23 18:43:02 -08:00
Nicolas Iooss	0ab9035efa	Remove a broad read-files rule for restorecond When the policy for restorecond was introduced, it contained a rule which allowed restorecond to read every file except shadow_t (cf. `724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)` ): auth_read_all_files_except_shadow(restorecond_t) Since 2006, the policy changed quite a bit, but this access remained. However restorecond does not need to read every available file. This is related to this comment: https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379	2019-02-23 21:20:21 +01:00
Nicolas Iooss	7bb9172b67	Allow restorecond to read customizable_types When trying to remove files_read_non_auth_files(restorecond_t), the following AVC denial occurs: type=AVC msg=audit(1550921968.443:654): avc: denied { open } for pid=281 comm="restorecond" path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1" ino=928006 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:default_context_t tclass=file permissive=1 type=AVC msg=audit(1550921968.443:654): avc: denied { read } for pid=281 comm="restorecond" name="customizable_types" dev="vda1" ino=928006 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:default_context_t tclass=file permissive=1 As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by restorecond, allow this access.	2019-02-23 21:14:10 +01:00
Nicolas Iooss	5250bd4863	Allow systemd-journald to use kill(pid, 0) on its clients Since systemd 241, systemd-journald is using kill(pid, 0) in order to find dead processes and reduce its cache. The relevant commit is `91714a7f42` ("journald: periodically drop cache for all dead PIDs"). This commit added a call to pid_is_unwaited(c->pid), which is a function implemented in https://github.com/systemd/systemd/blob/v241/src/basic/process-util.c#L936 : bool pid_is_unwaited(pid_t pid) { /* Checks whether a PID is still valid at all, including a zombie / if (pid < 0) return false; if (pid <= 1) / If we or PID 1 would be dead and have been waited for, this code would not be running */ return true; if (pid == getpid_cached()) return true; if (kill(pid, 0) >= 0) return true; return errno != ESRCH; } This new code triggers the following AVC denials: type=AVC msg=audit(1550911933.606:332): avc: denied { signull } for pid=224 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:auditd_t tclass=process permissive=1 type=AVC msg=audit(1550911933.606:333): avc: denied { signull } for pid=224 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:dhcpc_t tclass=process permissive=1 type=AVC msg=audit(1550911933.606:334): avc: denied { signull } for pid=224 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:sshd_t tclass=process permissive=1	2019-02-23 20:55:17 +01:00
Chris PeBenito	5986fdc4df	logging, miscfiles, authlogin: Module version bump.	2019-02-20 19:38:55 -08:00
Sugar, David	81c10b077a	New interface to dontaudit access to cert_t I'm seeing a bunch of denials for various processes (some refpolicy domains, some my own application domains) attempting to access /etc/pki. They seem to be working OK even with the denial. The tunable authlogin_nsswitch_use_ldap controls access to cert_t (for domains that are part of nsswitch_domain attribute). Use this new interface when that tunable is off to quiet the denials. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-20 19:28:45 -08:00
Sugar, David	d8492558b3	Add interface to get status of rsyslog service Updated based on feedback. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-20 19:28:45 -08:00
Chris PeBenito	98a7f0446d	init, systemd, cdrecord: Module version bump.	2019-02-19 19:31:04 -08:00
Chris PeBenito	b3e8e5a4ba	systemd: Remove unnecessary brackets.	2019-02-19 19:20:57 -08:00
Sugar, David	31ac26dd58	Add interface to run cdrecord in caller domain Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-19 19:19:28 -08:00
Sugar, David	b3cbf00cba	Allow systemd-hostnamed to set the hostname When calling hostnamectl to set the hostname it needs sys_admin capability to actually set the hostname. Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted type=AVC msg=audit(1550058524.656:1988): avc: denied { sys_admin } for pid=7873 comm="systemd-hostnam" capability=21 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-19 19:06:40 -08:00

1 2 3 4 5 ...

3288 Commits