Chris PeBenito
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
Russell Coker
e1babbc375
systemd related interfaces
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
2019-01-05 14:17:01 -05:00
Russell Coker
73f8b85ef3
misc interfaces
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
2019-01-05 13:36:20 -05:00
Chris PeBenito
713f9000b5
networkmanager: Add ICMPv6 comment
2019-01-05 13:34:18 -05:00
Russell Coker
678c9e0b7a
misc services patches
Lots of little patches to services.
2019-01-05 13:30:30 -05:00
Chris PeBenito
e5ac999aab
dbus, xserver, init, logging, modutils: Module version bump.
2018-12-11 17:59:31 -05:00
David Sugar
55c3fab804
Allow dbus to access /proc/sys/crypto/fips_enabled
type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
3425d22c24
Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito
249e87ab73
cron, minissdpd, ntp, systemd: Module version bump.
2018-11-17 19:02:54 -05:00
Chris PeBenito
45a8ddd39f
Merge branch 'minissdpd' of https://github.com/bigon/refpolicy
2018-11-17 18:58:09 -05:00
David Sugar
b73758bb97
Interface to read cron_system_spool_t
Useful for the case that manage isn't required.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
David Sugar
5deea1b940
Add interfaces to control ntpd_unit_t systemd services
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
Chris PeBenito
cd4be3dcd0
dnsmasq: Module version bump.
2018-11-17 18:50:18 -05:00
Petr Vorel
da49b37d87
dnsmasq: Require log files to have .log suffix
+ allow log rotate as well.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
2018-11-17 18:49:59 -05:00
Laurent Bigonville
a71cc466fc
Allow minissdpd_t to create a unix_stream_socket
----
type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc: denied { listen } for pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc: denied { accept } for pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
2018-11-12 16:24:54 +01:00
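The denials quoted in the dbus-daemon and minissdpd commit messages above are the raw material for this kind of policy change: each AVC record names a source domain, a target type, an object class and the permission that was refused, and the policy work is to collect those into the smallest set of rules that covers them. The following parser is an added example, not code from the refpolicy project or from any of the commits listed here. It handles both record formats that appear on this page, the raw audit.log form (epoch timestamp, double-quoted values) and the ausearch -i interpreted form used in the minissdpd and ntpd commits (human-readable date, bare values), groups the denied permissions by (source domain, target type, class) and renders each group as a raw TE allow rule, which is the same reduction audit2allow performs. The sample lines are the page's own denials re-joined onto single lines plus one constructed non-AVC record to show that other audit types are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: denials from the dbus-daemon and minissdpd commit
# messages on this page, re-joined onto one line each, plus one SYSCALL record
# that is not a denial and must be ignored by the parser.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1543769401.029:153): avc: denied { search } for pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1543769401.029:153): avc: denied { read } for pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1543769401.029:153): avc: denied { open } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1543845518.175:364): avc: denied { search } for pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc: denied { listen } for pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1',
    'type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc: denied { accept } for pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1',
    'type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8',
]

# "avc: denied { perm perm ... } for key=value ...": the braces may list several
# permissions for one record (e.g. "{ read write open }").
_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are double-quoted in raw records and bare in
# ausearch -i interpreted records, so both forms are accepted.
_KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = _DENIED_RE.search(line)
    if m is None:
        return None
    fields = {}
    for kv in _KV_RE.finditer(m.group('rest')):
        quoted = kv.group('quoted')
        fields[kv.group('key')] = quoted if quoted is not None else kv.group('bare')
    try:
        # A context is user:role:type[:range]; the type is the third field.
        sdomain = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': sdomain,
        'target': ttype,
        'tclass': tclass,
        # permissive=1 means the access went through and was only logged.
        'permissive': fields.get('permissive') == '1',
        'comm': fields.get('comm'),
    }


def summarize(lines):
    """Union the denied permissions per (source domain, target type, class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            summary[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    return dict(summary)


def render_allow_rules(summary):
    """Render each group as a raw TE allow rule, sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        perm_list = sorted(perms)
        perm_txt = perm_list[0] if len(perm_list) == 1 else '{ ' + ' '.join(perm_list) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_txt};')
    return rules


if __name__ == '__main__':
    for rule in render_allow_rules(summarize(SAMPLE_AVC_LINES)):
        print(rule)
```

Run on the sample, the dbus records collapse to one dir rule and one file rule for system_dbusd_t plus a separate dir rule for sysadm_dbusd_t, and the two minissdpd records collapse to a single unix_stream_socket rule. Raw allow rules of this shape are the starting point, not the finished patch: in refpolicy the same access is granted through the owning module's interfaces so that the rule follows the type if it is ever renamed, which is why the commits above add or call interfaces rather than pasting allow lines. Every record in these captures carries permissive=1, so the accesses succeeded at the time and the log is the only evidence that the policy needed the change.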
Chris PeBenito
b4d7c65fc4
Various modules: Version bump.
2018-11-11 15:58:59 -05:00
Laurent Bigonville
df58008c2b
Allow ntpd_t to read init state
With systemd-timesyncd, the following AVC denials are generated:
type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc: denied { open } for pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc: denied { read } for pid=397 comm=systemd-timesyn name=sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/11/18 15:44:39.564:49) : avc: denied { getattr } for pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
2018-11-10 19:01:33 +01:00
Laurent Bigonville
2f054c67a2
irqbalance now creates an abstract socket
2018-11-10 19:01:28 +01:00
Chris PeBenito
4ff893bca0
dnsmasq: Reorder lines in file contexts.
2018-11-09 19:35:14 -05:00
Chris PeBenito
f583b6b061
dnsmasq: Whitespace fix in file contexts.
2018-11-09 19:34:49 -05:00
Chris PeBenito
1431ba9d41
amavis, apache, clamav, exim, mta, udev: Module version bump.
2018-11-09 19:32:08 -05:00
David Sugar
75dd54edc7
Allow clamd to use sent file descriptor
This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning. This still requires
the file type to be readable by clamd.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:09:49 -05:00
David Sugar
2fa76a4b9e
Add interfaces to control clamav_unit_t systemd services
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
David Sugar
81953475a5
Interface to add domain allowed to be read by ClamAV for scanning.
Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
David Sugar
03f248c9e1
Allow clamd_t to read /proc/sys/crypt/fips_enabled
To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc: denied { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc: denied { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc: denied { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc: denied { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
Chris PeBenito
35463351a0
clamav, ssh, init: Module version bump.
2018-10-27 15:10:10 -04:00
Luis Ressel
a42ff404bd
services/ssh: Don't audit accesses from ssh_t to /dev/random
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.
The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
2018-10-27 14:56:34 -04:00
David Sugar
1941eefa13
Interface to allow reading of virus signature files.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-10-27 14:56:34 -04:00
Chris PeBenito
bf16b6d4b9
xserver: Module version bump.
2018-10-03 22:08:23 -04:00
Luis Ressel
9be8cfac19
xserver: Allow user fonts (and caches) to be mmap()ed.
Applications can optionally map fonts and fontconfig caches into memory.
miscfiles_read_fonts() already grants those perms, but it seems
xserver_use_user_fonts() was forgotten.
2018-10-03 22:07:59 -04:00
Chris PeBenito
d301e83161
mozilla, devices, selinux, xserver, init, iptables: Module version bump.
2018-07-10 20:11:40 -04:00
Jason Zaman
d53047dc58
Allow map xserver_misc_device_t for nvidia driver
2018-07-10 17:25:11 -04:00
Jason Zaman
871d47888b
xserver: label .cache/fontconfig as user_fonts_cache_t
2018-07-10 17:25:11 -04:00
Chris PeBenito
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
Chris PeBenito
87b0512036
xdg, xserver, mplayer, games: Module version bump.
2018-06-24 20:32:02 -04:00
Jason Zaman
6f32775885
xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/
2018-06-24 19:11:14 -04:00
Chris PeBenito
3ab07a0e1e
Move all files out of the old contrib directory.
2018-06-23 10:38:58 -04:00
Chris PeBenito
54f0118bc7
XDG: Module version bump.
2018-06-10 13:40:20 -04:00
Sven Vermeulen
442849be7f
Allow X server users to manage all xdg resources
With the introduction of the freedesktop XDG location support in the
policy, end users need to be allowed to manage these locations from their
main user domain.
The necessary privileges are added to the xserver_role() interface, which is
in use by the unconfined user domain as well as the main other user domains
(like user, sysadm and staff).
The necessary file transitions for the directories are added as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
Chris PeBenito
e75bcdead0
Module version bumps for patches from James Carter.
2018-04-12 18:49:46 -04:00
James Carter
93238de580
Remove undeclared identifiers from xserver interface
The interface xserver_manage_xdm_spool_files() uses the undeclared type
xdm_spool_t. Removed statements referring to this type and marked the
interface as deprecated because it is now empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
Chris PeBenito
4d5b06428b
Bump module versions for release.
2018-01-14 14:08:09 -05:00
Chris PeBenito
8e19b3103e
mls, xserver, systemd, userdomain: Module version bump.
2017-12-12 20:25:32 -05:00
David Sugar
248b914d4d
Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content_type)
Set up type xdm_runtime_t for files and directories created in /run/user/%{USERID}/ and use filetrans to transition from user_runtime_t to our private type.
type=AVC msg=audit(1511962167.495:64): avc: denied { write } for pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { add_name } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:65): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962167.495:65): avc: denied { read write open } for pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc: denied { read write } for pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc: denied { open } for pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc: denied { read write } for pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc: denied { open } for pid=1784 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc: denied { read write } for pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc: denied { open } for pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-12 20:19:10 -05:00
Chris PeBenito
7d910a92d4
xserver: Module version bump.
2017-12-08 21:04:20 -05:00
David Sugar
87d4a65059
Create interfaces to write to inherited xserver log files.
Updated based on feedback
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-08 21:03:53 -05:00
Chris PeBenito
61a31f6cea
xserver, sysnetwork, systemd: Module version bump.
2017-12-07 19:02:02 -05:00
David Sugar via refpolicy
c0ad70ef64
Allow xdm_t to read /proc/sys/crypto/fips_enabled
type=AVC msg=audit(1512047222.742:53): avc: denied { search } for pid=1174 comm="lightdm-gtk-gre" name="crypto" dev="proc" ino=6218 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1512047222.742:53): avc: denied { read } for pid=1174 comm="lightdm-gtk-gre" name="fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1512047222.742:53): avc: denied { open } for pid=1174 comm="lightdm-gtk-gre" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1512047222.743:54): avc: denied { getattr } for pid=1174 comm="lightdm-gtk-gre" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-07 18:55:26 -05:00
Chris PeBenito
6ca6a2e1db
corcmd, fs, xserver, init, systemd, userdomain: Module version bump.
2017-12-03 16:48:54 -05:00
David Sugar
e6f28c51a2
Change label for ~/.xsession-errors
Currently .xsession-errors is labeled user_home_t when created by xdm_t. Switch to using the existing interface xserver_user_home_dir_filetrans_user_xsession_log to create the file with label xsession_log_t. This includes using the interface to manage the type xsession_log_t.
type=AVC msg=audit(1511962175.985:77): avc: denied { create } for pid=1163 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962175.985:77): avc: denied { write open } for pid=1163 comm="lightdm" path="/home/user/.xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962941.991:268): avc: denied { rename } for pid=1721 comm="lightdm" name=".xsession-errors" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
type=AVC msg=audit(1511962977.779:419): avc: denied { unlink } for pid=1814 comm="lightdm" name=".xsession-errors.old" dev="dm-0" ino=17153285 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-03 16:38:39 -05:00