Commit Graph

6832 Commits

Author SHA1 Message Date
Dave Sugar
56db40c099 Updates for utempter
Fix label (for RedHat) which places utempter in /usr/libexec/utempter/utempter
Allow utempter to write to xsession log

Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.483:3994): avc:  denied  { write } for  pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.485:3997): avc:  denied  { getattr } for  pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:52:05 -04:00
Chris PeBenito
9d03d2ef9e
Merge pull request #656 from gtrentalancia/kernel_fixes_pr
Update the kernel module to remove misplaced or obsolete permissions
2023-09-06 13:29:48 -04:00
Chris PeBenito
663284394c
Merge pull request #654 from gtrentalancia/smartmon_fixes_pr
Smartmon policy update
2023-09-06 13:28:08 -04:00
Chris PeBenito
246c1aab40
Merge pull request #653 from etbe/master
Add iio-sensor-proxy.
2023-09-06 13:27:41 -04:00
Guido Trentalancia
7e5292de29 Update the kernel module to remove misplaced or at least really
obsolete permissions during kernel module loading.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/kernel.te |   12 ------------
 1 file changed, 12 deletions(-)
2023-09-06 17:50:52 +02:00
Guido Trentalancia
86f9bfe0ee Revert the following commit (ability to read /usr files),
as it is no longer needed, after the database file got its
own label:

 Date:   Wed Feb 16 07:24:34 2011 +0100
 patch to allow smartmon to read usr files
 37ba0d0437

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/smartmon.te |    1 -
 1 file changed, 1 deletion(-)
2023-09-06 17:12:48 +02:00
Russell Coker
4bd63b2b11 Comment sysfs better
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-07 00:52:24 +10:00
Chris PeBenito
02da19b0e9
Merge pull request #641 from gtrentalancia/mix_fixes_pr
Minor miscellaneous fixes for various policy modules
2023-09-06 08:46:40 -04:00
Chris PeBenito
c57e1f1a6d
Merge pull request #650 from gtrentalancia/xscreensaver_fixes_pr
Update the xscreensaver module in order to work with the latest version
2023-09-06 08:31:40 -04:00
Chris PeBenito
92840e9284
Merge pull request #646 from dsugar100/iceauth_xsession_log
Allow iceauth write to xsession log
2023-09-06 08:29:33 -04:00
Russell Coker
bc25ff1354 Fixed dependency on unconfined_t
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-06 21:12:23 +10:00
Russell Coker
2cf4a28321 iio-sensor-proxy (Debian package iio-sensor-proxy)
IIO sensors to D-Bus proxy
 Industrial I/O subsystem is intended to provide support for devices
 that in some sense are analog to digital or digital to analog convertors.

 Devices that fall into this category are:
  * ADCs
  * Accelerometers
  * Gyros
  * IMUs
  * Capacitance to Digital Converters (CDCs)
  * Pressure Sensors
  * Color, Light and Proximity Sensors
  * Temperature Sensors
  * Magnetometers
  * DACs
  * DDS (Direct Digital Synthesis)
  * PLLs (Phase Locked Loops)
  * Variable/Programmable Gain Amplifiers (VGA, PGA)

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-06 20:31:37 +10:00
Dave Sugar
be5a1e168e Allow iceauth write to xsession log
node=localhost type=AVC msg=audit(1689822970.302:4180): avc:  denied  { write } for  pid=2610 comm="iceauth" path="/home/toor/.xsession-errors" dev="dm-9" ino=129541 scontext=toor_u:staff_r:iceauth_t:s0 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-05 16:58:19 -04:00
Guido Trentalancia
8ca93044b1 Update the xscreensaver module in order to work with
the latest version (tested with version 6.06).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/wm.if           |    4 +++
 policy/modules/apps/xscreensaver.fc |    1
 policy/modules/apps/xscreensaver.if |   46 ++++++++++++++++++++++++++++++++++++
 policy/modules/apps/xscreensaver.te |   16 ++++++++++--
 4 files changed, 65 insertions(+), 2 deletions(-)
2023-09-05 21:56:04 +02:00
Guido Trentalancia
6e965d40c2 Add permissions to watch libraries directories to the
userdomain login user template interface.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/userdomain.if |    1 +
 1 file changed, 1 insertion(+)
2023-09-05 21:27:05 +02:00
Guido Trentalancia
db408f7f17 Add the permissions to manage the fonts cache (fontconfig)
to the window manager role template.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/wm.if |    2 ++
 1 file changed, 2 insertions(+)
2023-09-05 21:27:05 +02:00
Guido Trentalancia
dbbfa9877e Add missing permissions to execute binary files for
the evolution_alarm_t domain.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/evolution.te |    2 ++
 1 file changed, 2 insertions(+)
2023-09-05 21:27:05 +02:00
Chris PeBenito
49420a8638
Merge pull request #643 from etbe/master
policy for eg25-manager to manage Quectel EG25 modem
2023-09-05 11:39:25 -04:00
Chris PeBenito
d2ee8ac352
Merge pull request #635 from gtrentalancia/main
The kernel domain should be able to mounton default and runtime directories
2023-09-05 11:06:35 -04:00
Chris PeBenito
20c53171b7
Merge pull request #645 from dsugar100/write_net_sysctl
To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
2023-09-05 11:00:02 -04:00
Chris PeBenito
66a480087a
Update eg25manager.te
Minor style fix.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-05 10:56:17 -04:00
Chris PeBenito
9fae196c53
Merge pull request #637 from gtrentalancia/pulseaudio_fixes_pr
Pulseaudio fixes
2023-09-05 10:48:48 -04:00
Chris PeBenito
ec6a4ddd47
Merge pull request #640 from gtrentalancia/dbus_fixes_pr
Dbus module: fix automatic named socket file transitions and write permissions for bus clients
2023-09-05 10:46:05 -04:00
Dave Sugar
970ef05e19 To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
node=localhost type=AVC msg=audit(1691097149.019:422): avc:  denied  { search } for  pid=2332 comm="sysctl" name="net" dev="proc" ino=11426 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1691097149.019:422): avc:  denied  { getattr } for  pid=2332 comm="sysctl" path="/proc/sys/net/netfilter/nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1691097149.020:423): avc:  denied  { write } for  pid=2332 comm="sysctl" name="nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1691097149.020:423): avc:  denied  { open } for  pid=2332 comm="sysctl" path="/proc/sys/net/netfilter/nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-01 20:22:55 -04:00
Russell Coker
810f333ac5 eg25-manager (Debian package eg25-manager) is a daemon aimed at configuring
and monitoring the Quectel EG25 modem on a running system. It is used on the
PinePhone (Pro) and performs the following functions:
  * power on/off
  * startup configuration using AT commands
  * AGPS data upload
  * status monitoring (and restart if it becomes unavailable)
Homepage: https://gitlab.com/mobian1/eg25-manager

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-01 20:15:13 +10:00
Guido Trentalancia
519fe6f81a Let pulseaudio search debugfs directories, as currently
done with other modules.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/pulseaudio.te |    1 +
 1 file changed, 1 insertion(+)
2023-08-31 16:35:01 +02:00
Guido Trentalancia
5b89b4120e Update the dbus role template so that permissions to get
the attributes of the proc filesystem are included.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/dbus.if |    2 ++
 1 file changed, 2 insertions(+)
2023-08-30 16:30:54 +02:00
Guido Trentalancia
5ff0aa1b61 Fix the dbus module so that temporary session named sockets
can be read and written in the role template and by system
and session bus clients.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.if |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
2023-08-30 16:19:27 +02:00
Guido Trentalancia
de026627fe Fix the dbus module so that automatic file type transitions
are used not only for files and directories, but also for
named sockets.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/dbus.te |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
2023-08-30 16:07:13 +02:00
Guido Trentalancia
1f5bd26210 Fix the pulseaudio module file transition for named
sockets in tmp directories.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/pulseaudio.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-08-30 15:40:20 +02:00
Guido Trentalancia
911c02feef The pulseaudio module should be able to read alsa
library directories.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/pulseaudio.te |    1 +
 1 file changed, 1 insertion(+)
2023-08-30 15:39:44 +02:00
Guido Trentalancia
191f6d28e1 The kernel domain should be able to mounton default directories
during switch_root.

Corresponding suspicious permissions are removed from the init
domain, however this might need further testing on a wider number
of systems.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/kernel.te |    1 +
 policy/modules/system/init.te   |    4 ----
 2 files changed, 1 insertion(+), 4 deletions(-)
2023-08-24 21:34:52 +02:00
Guido Trentalancia
718139ca87 The kernel domain should be able to mounton runtime directories
during switch_root, otherwise parts of the boot process might
fail on some systems (for example, the udev daemon).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/kernel.te |    1 +
 1 file changed, 1 insertion(+)
2023-08-23 17:49:05 +02:00
Chris PeBenito
f3f761c4a8
Merge pull request #631 from dsugar100/label_pwhistory_helper
Label pwhistory_helper
2023-08-18 11:53:50 -04:00
Chris PeBenito
626848ad94
Merge pull request #632 from dsugar100/dbsud_var_lib_symlinks
If domain can read system_dbusd_var_lib_t files, also allow symlinks
2023-08-18 11:48:06 -04:00
Chris PeBenito
46812c0d52
Merge pull request #634 from dsugar100/read_rfkill
systemd-rfkill.socket reads and writes /dev/rfkill (with the ListenSocket= option).
2023-08-18 11:46:51 -04:00
Dave Sugar
e0970d55e6 systemd-rfkill.socket reads /dev/rfkill (with the ListenSocket= option).
Need to allow this to open the file so the service starts properly.

node=localhost type=AVC msg=audit(1689883855.890:419): avc:  denied  { open } for  pid=1 comm="systemd" path="/dev/rfkill" dev="devtmpfs" ino=152 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1689883962.317:408): avc:  denied  { read write } for  pid=1 comm="systemd" name="rfkill" dev="devtmpfs" ino=152 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:52:15 -04:00
Dave Sugar
b128e7ea2d If domain can read system_dbusd_var_lib_t files, also allow symlinks
node=localhost type=AVC msg=audit(1689811752.145:511): avc:  denied  { read } for  pid=2622 comm="lightdm-gtk-gre" name="machine-id" dev="dm-10" ino=262170 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0
node=localhost type=AVC msg=audit(1689811752.404:514): avc:  denied  { read } for  pid=2629 comm="at-spi-bus-laun" name="machine-id" dev="dm-10" ino=262170 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:47:08 -04:00
Dave Sugar
9812e9c0ef Label pwhistory_helper
pwhistory_helper is executed by pam_pwhistory (as configured in
/etc/pam.d/system-auth).  It updates /etc/security/opasswd which contains
old passwords.  Label /etc/security/opasswd as shadow_t to control access.

node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { execute } for  pid=2667 comm="passwd" name="pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { read open } for  pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { execute_no_trans } for  pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { map } for  pid=2667 comm="pwhistory_helpe" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:45:13 -04:00
Chris PeBenito
97e35d8845
Merge pull request #626 from dsugar100/main
Allow local login to read /run/motd
2023-08-02 09:36:54 -04:00
Chris PeBenito
90d3f5c339
Merge pull request #619 from 0xC0ncord/container-caps-rework
container: rework capabilities
2023-07-18 14:43:08 -04:00
Dave Sugar
a120ea8c25 Allow local login to read /run/motd
node=localhost type=AVC msg=audit(1689384764.155:53945): avc:  denied  { getattr } for  pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689384764.155:53946): avc:  denied  { read } for  pid=5125 comm="login" name="motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689384764.155:53946): avc:  denied  { open } for  pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-07-18 08:13:43 -04:00
Kenton Groombridge
f1e7404baa container: rework capabilities
Rework (primarily) non-namespaced capabilities. These accesses are
leftovers from earlier policy versions before the container module was
introduced that are most likely too coarse for most container
applications.

Put all non-namespaced capability accesses for containers behind
tunables, borrowing ideas from container-selinux. For the more
privileged capabilities (sysadmin, mknod), add a tunable to control both
namespaced and non-namespaced access to these operations.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-07-17 09:40:09 -04:00
Chris PeBenito
bee1bcb496
Merge pull request #622 from chrisschnei/zram-permission
systemd-generator: systemd_generator_t load kernel modules used for e…
2023-07-11 10:06:15 -04:00
Christian Schneider
26eb377014 systemd-generator: systemd_generator_t load kernel modules used for e.g. zram-generator
Fixes:
avc:  denied  { getsched } for  pid=171 comm="zram-generator" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1
avc:  denied  { execute } for  pid=173 comm="zram-generator" name="kmod" dev="sda2" ino=17417 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:kmod_exec_t tclass=file permissive=1

Signed-off-by: Christian Schneider <christian.schneider3@gmx.net>
2023-07-11 09:37:28 +02:00
Chris PeBenito
c6424be02d
Merge pull request #623 from fajs/psi_t
Add label and interfaces for kernel PSI files
2023-07-06 10:29:08 -04:00
Florian Schmidt
cf09279eab Add label and interfaces for kernel PSI files
The pressure stall information (PSI) special files in /proc/pressure
currently don't have a separate file context, and so default to proc_t.
Since users need read/write permissions to those files to use PSI, and
handing out blanket permissions to proc_t is strongly discouraged,
introduce a new proc_psi_t label, as well as interfaces for it.

Signed-off-by: Florian Schmidt <flosch@nutanix.com>
2023-07-05 15:21:46 +00:00
Chris PeBenito
4370d6bcdf
Merge pull request #625 from rmsc/main
kubernetes: allow kubelet to read /proc/sys/vm files.
2023-07-05 11:07:24 -04:00
Renato Caldas
34cba22df8 kubernetes: allow kubelet to read /proc/sys/vm files.
Kubelet checks the value of '/proc/sys/vm/panic_on_oom' before starting.

Signed-off-by: Renato Caldas <renato@calgera.com>
2023-07-03 20:05:35 +01:00
Chris PeBenito
d4e64bb956
Merge pull request #621 from tormath1/tormath1/cilium
container: fix cilium denial
2023-06-21 15:32:33 -04:00