Sugar, David
59413b10b8
Allow AIDE to mmap files
...
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning. RHEL7 has set this option in the
aide rpm they distribute.
Changes made to add a tunable to enable permissions allowing
aide to map files that it needs. I have set the default to
false as this seems preferred (in my mind).
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
e5b8318420
Allow AIDE to read kernel sysctl_crypto_t
...
type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
2f063edd88
Allow AIDE to sendto kernel datagram socket
...
type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Chris PeBenito
445cbed7c7
Bump module versions for release.
2019-02-01 15:03:42 -05:00
Chris PeBenito
30a46e5676
various: Module version bump.
2019-01-23 19:02:01 -05:00
Russell Coker
eba35802cc
yet more tiny stuff
...
I think this should be self-explanatory. I've added an audit trace for the
sys_ptrace access that was previously rejected.
Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc: denied { sys_ptrace } for pid=12750 comm=systemctl capability=sys_ptrace scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
2019-01-23 18:32:41 -05:00
Chris PeBenito
bf21c5c0d2
dpkg: Move interface implementations.
2019-01-23 18:30:15 -05:00
Chris PeBenito
ed79766651
dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans().
2019-01-23 18:28:51 -05:00
Russell Coker
05cd55fb51
tiny stuff for today
...
Allow transition to dpkg_t with nnp; Dominick seems to imply this shouldn't
be necessary.
Lots of little stuff for system_cronjob_t.
Other minor trivial changes that should be obvious.
2019-01-23 18:26:45 -05:00
Chris PeBenito
a7f2394902
various: Module version bump.
2019-01-20 16:45:55 -05:00
Russell Coker
54136fa311
more tiny stuff
...
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.
A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).
The rest should be obvious.
2019-01-20 16:20:33 -05:00
Chris PeBenito
4a90eae668
usermanage, cron, selinuxutil: Module version bump.
2019-01-14 17:45:24 -05:00
Russell Coker
dcb2d1d8b8
another trivial
...
This adds a hostnamed rule and also corrects an error in a previous patch I
sent (a copy/paste error).
2019-01-14 17:43:15 -05:00
Chris PeBenito
e6a67f295c
various: Module name bump.
2019-01-12 15:03:59 -05:00
Chris PeBenito
e8b70915b1
Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy
2019-01-12 14:55:36 -05:00
Russell Coker
da1de46f66
some little stuff
...
Tiny and I think they are all obvious.
2019-01-12 14:16:33 -05:00
Nicolas Iooss
c3b588bc65
init: rename *_pid_* interfaces to use "runtime"
...
The name of these interfaces is clearer that way.
This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
2019-01-12 17:11:00 +01:00
Chris PeBenito
e8ba31557d
various: Module version bump.
2019-01-06 14:11:08 -05:00
Sugar, David
82494cedc1
pam_faillock creates files in /run/faillock
...
These are changes needed when pam_faillock creates files in /run/faillock
(which is labeled faillog_t). sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.
v3 - Updated based on feedback
type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-06 13:57:18 -05:00
Russell Coker
b77b4cd610
missing from previous
...
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
2019-01-06 13:44:18 -05:00
Russell Coker
ef6c7f155e
systemd misc
...
This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
2019-01-06 13:11:51 -05:00
Chris PeBenito
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
Chris PeBenito
da9ff19d94
sudo: Whitespace fix.
2019-01-05 14:17:18 -05:00
Russell Coker
e1babbc375
systemd related interfaces
...
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
2019-01-05 14:17:01 -05:00
Chris PeBenito
6f12a29ecc
apt, rpm: Remove and move lines to fix fc conflicts.
2019-01-05 14:09:57 -05:00
Chris PeBenito
39881a0e14
dpkg: Rename dpkg_read_script_tmp_links().
2019-01-05 13:56:43 -05:00
Russell Coker
5125b8eb2d
last misc stuff
...
More tiny patches. Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
2019-01-05 13:54:38 -05:00
Russell Coker
73f8b85ef3
misc interfaces
...
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
2019-01-05 13:36:20 -05:00
Chris PeBenito
e3eba7b7ff
logrotate: Module version bump.
2018-10-13 13:39:18 -04:00
Luis Ressel
14b4c0c8c7
Realign logrotate.fc, remove an obvious comment
2018-10-13 13:39:18 -04:00
Luis Ressel
a604ae7ca2
Add fc for /var/lib/misc/logrotate.status
...
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
2018-10-13 13:39:18 -04:00
Chris PeBenito
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
Chris PeBenito
3ab07a0e1e
Move all files out of the old contrib directory.
2018-06-23 10:38:58 -04:00
Chris PeBenito
4d5b06428b
Bump module versions for release.
2018-01-14 14:08:09 -05:00
Chris PeBenito
f522bc0b75
dmesg, locallogin, modutils: Module version bump.
2017-11-18 07:32:37 -05:00
Luis Ressel
96c917b41a
dmesg: Grant read access to /usr/share/terminfo
...
To determine whether the $TERM supports colored output, dmesg checks the
terminfo database, which can be either in /etc or /usr/share.
2017-11-18 05:53:50 -05:00
Chris PeBenito
d2e201495a
files, netutils: Module version bump.
2017-10-25 17:21:31 -04:00
Luis Ressel via refpolicy
68690d8e62
netutils: Grant netutils_t map perms for the packet_socket class
...
This is required for the PACKET_RX_RING feature used by tcpdump.
2017-10-25 17:16:06 -04:00
Chris PeBenito
495e2c203b
Remove complement and wildcard in allow rules.
...
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito
aa0eecf3e3
Bump module versions for release.
2017-08-05 12:59:42 -04:00
Chris PeBenito
4680d9c659
netutils: Module version bump for patch from Luis Ressel.
2017-06-18 19:26:29 -04:00
Luis Ressel
b6fe74c67c
netutils: Allow tcpdump to reduce its capability bounding set
2017-06-18 19:23:21 -04:00
Luis Ressel
261e2772d1
netutils: Add some permissions required by nmap to traceroute_t
...
nmap currently also needs "self:socket create", but I've submitted a
kernel patch to ameliorate this.
2017-06-18 19:23:13 -04:00
Luis Ressel
afe26f2e2f
netutils: Mix nmap perms in with the other traceroute_t perms
2017-06-18 19:23:02 -04:00
Chris PeBenito
6293813020
Module version bump for patches from cgzones.
2017-06-12 18:48:58 -04:00
cgzones
ea74a35ba7
netutils: update
...
v2:
- keep files_read_etc_files interfaces
2017-06-12 18:41:56 -04:00
Chris PeBenito
a599f28196
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
2017-05-04 08:27:46 -04:00
Chris PeBenito
8ab6ff00f6
Merge branch 'usr_bin_fc' of git://github.com/fishilico/selinux-refpolicy-patched
2017-05-04 08:20:42 -04:00
Chris PeBenito
bb8f9f49c3
little misc strict from Russell Coker.
2017-04-29 11:25:13 -04:00
Chris PeBenito
878735f69f
Module version bump for patches from Russell Coker and Guido Trentalancia.
2017-04-26 06:39:39 -04:00