Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Make sure various virt user home content gets created with a type
transition and proper file contexts for common users
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The stunnel init script reads the stunnel configuration to find out where to
store and check for the PID file
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created and grant the
necessary rights to create the directory.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server
In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc: denied { connectto } for pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket
Hence, allow postgresql to connect to its own stream socket.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Just adding zfs to the list of defined filesystems in filesystem.te
Signed-off-by: Matthew Thode <mthode@mthode.org>
In Debian, this initscript is creating both /tmp/.X11-unix and
/tmp/.ICE-unix. This allows the directory to transition to the context
defined in the filecontext.
When the active session is changed, the udev-acl executable is called
by ConsoleKit. It will then read the ConsoleKit database to figure out
which is the active one.
This process is not allowed to interact with subjects or operate on
objects that it would otherwise be able to interact with or operate on
respectively.
This is, i think, to make sure that specified processes cannot interact
with subject or operate on objects regardless of its mcs range.
It is used by svirt and probably also by sandbox
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The /var/log/cron[^/]* line in the context definition takes higher precedence
than the /var/log/cron.* line in the cron.fc file. As a result, when
/var/log/cron.log is created it gets relabeled to var_log_t instead of staying
with the cron_log_t type it should be.
Removing the line so that the definitions in cron.log are used.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When invoking tcpdump, the application creates a netlink_socket and then chroots
into /var/lib/tcpdump.
Without the right to create a netlink_socket:
tcpdump: Can't open netlink socket 13:Permission denied
Without the right on dac_read_search and sys_chroot:
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied
See also https://bugs.gentoo.org/show_bug.cgi?id=443624
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The ipset command is used to manage ip sets, used by iptables for a more
flexible management of firewall rules. It has very similar requirements as
iptables for accessing and working with the Linux kernel, so marking ipset as
iptables_exec_t to have it run in the iptables domain.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Create various interfaces using the user_home_content_type attribute for
tmpreaper
user_home_t, user_tmp_t and user_tmpfs_t are user_home_content_type
(why?) We should probably also create user_tmp_content_type and
user_tmpfs_content_type attributes and assign to userdom_tmp_file and
userdom_tmpfs_file respectively
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Since /var/cache/man was previously labeled man_t, make sure that the old
interfaces with regard to man_t also support man_cache_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Currently, the files_manage_generic_locks only handles the lock files. If a
domain needs to manage both lock files and the lock directories (like specific
subdirectories in /var/lock that are not owned by a single other domain, such as
Gentoo's /var/lock/subsys location) it also needs the manage permissions on the
directory.
This is to support OpenRC's migration of /var/lock to /run/lock which otherwise
fails:
* Migrating /var/lock to /run/lock
cp: cannot create directory '/run/lock/subsys': Permission denied
rm: cannot remove '/var/lock/subsys': Permission denied
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Gentoo's OpenRC init framework handles the migration of data from /var/run to
/run, and /var/lock to /run/lock. To deal with this, openrc uses "cp -a -r
/var/run /run" and "cp -a -r /var/lock/* /run/lock".
When done, it will create symlinks in /var towards the new locations.
As a result, initrc_t needs to be able to manage symlinks in /var, as well as
manage all pidfile content (needed for the migration of /var/run/* towards
/run).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This interface will be used by domains that need to manage the various pidfile
content (*_var_run_t).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In Gentoo, the openrc init framework creates the /dev/shm location (within
devtmpfs) using a "mkdir -m 1777 /dev/shm" command. This results in initrc_t
wanting to set the attributes of the /dev/shm directory (at that point still
labeled device_t as tmpfs isn't mounted on it yet).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Content that (at least) common users need to be able to relabel and
create with a type transition
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
gnome_role is deprecated, use gnome_role_template instead
depends on dbus because of gkeyringd
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
To flush the routing cache, ifconfig_t (through the "ip" command) requires
sys_admin capability. If not:
~# ip route flush cache
Cannot flush routing cache
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Support the logging_search_all_log_dirs interface for applications such as
fail2ban-client, who scan through log directories.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Support the logging_getattr_all_logs interface, which will be used by
applications responsible for reviewing the state of log files (without needing
to read them), such as the fail2ban-client application.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
modutils_read_module_config() provides access to list modules_conf_t
directories so that we do not need a seperate
modutils_list_modules_config()
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Remove evolution and evolution alarm dbus chat from common user template
since callers of the evolution role are now allowed to dbus chat to
evolution and evolution alarm.
Common users need to be able to dbus chat with policykit and consolekit
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Domains that are granted postgresql_stream_connect() need to be able to search
through the postgresql_var_run_t directory (in which the socket is located).
Update the interface to use the stream_connect_pattern definition to simplify
the interface and make it more readable.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Used by kernel to communicate with user space (cachefilesd)
Label the character file accordingly
Create a dev_rw_cachefiles_dev() for cachefilesd
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The /var/cfengine/output location will be labeled in the forthcoming
cfengine policy module that will be ported from Fedora
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The courier-imap and courier-pop3 daemons are started by sourcing their
configuration files, and then invoking the daemons using the proper options. If
this is done through a specialized script, then init only needs to call this
script (where a proper transition occurs) but if the init script itself does
this, it needs to be able to read the configuration files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The Gentoo-specific runscripts in /sbin should not be marked as initrc_exec_t
anymore (just bin_t).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.
Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.
Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Puppet calls mount to obtain the list of mounted file systems, redirecting its
output to a temporary file (labeled puppet_tmp_t). This allows the mount domain
to write to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the postgresql service.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Use the init_daemon_run_dir interface in order to allow initrc_t to create the
run dirs of the udev daemon with the proper file transition.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted. Because it often needs to change the attributes or
ownership of the directories as well, we also grant the setattr rights on the
directory.
Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t creates
this directory:
init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Intel® AMT Linux support includes two components that allow interaction
between the Intel® AMT FW and the Linux OS: Intel® MEI (Intel® Management Engine Interface)
driver and LMS (Local Management Service) driver. Intel® MEI driver
allows application to communicate with the FW using host interface,
and LMS driver allows applications to access the Intel® AMT FW via the
local Intel® Management Engine Interface (Intel® MEI).
In addition, Intel has validated a kernel patch to enable
IDE-redirection. This is a community maintained patch, but Intel is
distributing the version used in the validation of the other Intel® AMT
components released here:
http://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers/
Declare a mei_device_t device node tyoe and label /dev/mei accordingly.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
This directory contains the working files for updating network-related files
(like resolv.conf for name servers) before they are copied to the fixed
location. Although already in use previously, this location (/var/run/dhcpc or
/var/run/dhcpcd) was statically defined on the system.
With the introduction of /run and systems having /var/run -> /run, this is now a
dynamically created directory by dhcpc_t. Hence, the policy is enhanced allowing
dhcpc_t to create dhcpc_var_run_t directories, and include a file transition for
directories created in the var_run_t location(s).
Changes since v1
----------------
- Use create_dirs_pattern instead of manage_dirs_pattern
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Introduce the substitutions for the /usr/local/lib* locations (towards /usr/lib)
and /etc/init.d (towards /etc/rc.d/init.d).
Update the file contexts of the translated locations.
Rebased (collided with Guido's patch for commenting within the
file_contexts.subs_dist file) since v3.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent udev installs its main binary in /usr/lib/systemd (called systemd-udevd).
Update file contexts to support this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
With udev now using /run for its data, the init script responsible for preparing
the environment to start up udev needs to be able to setup this location as
well.
We here allow init scripts to create the /run/udev location (transitioning to
udev_var_run_t) and manage this content (creating the /run/udev subdirectories).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent udev implementations now use /run (actually, /run/udev) for storing
database files, rules and more. Hence, we need to extend existing interfaces to
support searching through the udev_var_run_t location (as most of that was
previously only in device_t and/or etc_t or udev_etc_t)
Next to enhancing the interfaces, we provide additional ones that will be used
by the init script (for udev) which needs to create and support the new
/run/udev locations.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
At boot up, the /run location is empty, and init scripts are responsible for
creating the necessary structure within to support their services. This means,
adding entries like for the lock folder (/run/lock).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Since most distributions now support /run (which, thanks the the
file context substitutions, is marked as var_run_t), we need to update the
SELinux policies to support "dynamically" building up /run. Unlike /var/run,
which is most likely statically defined during distribution installation, /run
is a tmpfs which is built up from scratch on each and every boot.
But not only that, many services also use this location for other purposes than
just PID files (which is to be expected as these "other reasons" is why /run
came to be in the first place), so we need to support other types within this
location easily.
For this reason, we introduce support to
- creating the /run/lock location
- supporting named file transitions when init scripts create stuff in /run
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent init script packages allow for logging init script progress (service
start/stop state information, sometimes even duration, etc.) so we introduce an
initrc_var_log_t logtype and allow initrc_t to manage this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).
Do the same with the standard mount temporary file /etc/mtab.tmp.
The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.
This patch includes the necessary refactoring to support python 3.
Changes since v2
- Do not include contrib submodule (no relevant changes there)
- Update in pyplate to fix a failure with str/unicode in doc generation
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
Now that we have file_contexts.subs_dist, translations that were put in the file context definition files can now be
cleaned up.
Differences from v1:
- removes a few duplicate entries in the libraries.fc file, and
- removes the contrib references
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent syslog-ng implementation uses a threading library that requires the getsched permission.
See also https://bugs.gentoo.org/show_bug.cgi?id=405425
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Changed all interfaces that used auth_file_type to call the new
corresponding interface in files.if.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Reduce the binary policy size by eliminating some set expressions
related to file accesses and make Repolicy easier to convert into CIL.
- Moved the auth_file_type attribute.
- Created a new type attribute called non_auth_file_type.
- Created new interfaces to allow file accesses on non_auth_file_type
files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
