Kenton Groombridge
7d53784332
users: remove MCS categories from default users
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-06 20:58:22 -05:00
Chris PeBenito
78276fc43b
Drop module versioning.
Semodule stopped using this many years ago. The policy_module() macro will
continue to support an optional second parameter as version.
If it is not specified, a default value of 1 is set.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:19:13 -05:00
Chris PeBenito
60a3d5af67
modutils: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:11:09 -05:00
Yi Zhao
b7258b3d6d
modutils: allow kmod_t to write keys
Fixes:
$ modprobe cfg80211
kernel: cfg80211: Loading compiled-in X.509 certificates for regulatory database
kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13)
kernel: cfg80211: loaded regulatory.db is malformed or signature is missing/invalid
avc: denied { write } for pid=219 comm="modprobe"
scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t
tclass=key permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-01-06 10:10:50 +08:00
Chris PeBenito
23a8d103f3
su, corenetwork, bluetooth, chronyd, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-04 11:03:07 -05:00
Chris PeBenito
742b10b70d
Merge pull request #452 from jpds/chronyd-nts
2022-01-04 11:00:05 -05:00
Jonathan Davies
f4f6465466
chronyd: Allow access to read certs.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-12-26 22:04:21 +00:00
Jonathan Davies
472325cbfd
chronyd.te: Added support for bind/connect/recv/send NTS packets.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-12-26 17:26:30 +00:00
Jonathan Davies
53a6c9360a
corenetwork.te.in: Added ntske port.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-12-26 17:26:30 +00:00
Yi Zhao
91d32c2162
su: allow su to map SELinux status page
We encountered a su runtime error with selinux 3.3:
$ su - user1
su: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault
Fixes:
avc: denied { map } for pid=558 comm="su"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19
scontext=root:sysadm_r:sysadm_su_t tcontext=system_u:object_r:security_t
tclass=file permissive=0
avc: denied { getattr } for pid=570 comm="su" name="/" dev="proc"
ino=1 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:proc_t
tclass=filesystem permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-21 10:46:27 +08:00
Yi Zhao
4c515c9f8b
systemd: allow systemd-hostnamed to read udev runtime files
Fixes:
avc: denied { open } for pid=392 comm="systemd-hostnam"
path="/run/udev/data/+dmi:id" dev="tmpfs" ino=609
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=392 comm="systemd-hostnam"
path="/run/udev/data/+dmi:id" dev="tmpfs" ino=609
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-21 10:38:26 +08:00
Yi Zhao
5eb43f0bca
bluetooth: allow bluetoothd to create alg_socket
Fixes:
avc: denied { create } for pid=268 comm="bluetoothd"
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=alg_socket
permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-21 10:33:04 +08:00
Chris PeBenito
51dca5c89a
acpi, ssh: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-12-20 09:52:39 -05:00
Chris PeBenito
f8ea1c2c2e
Merge pull request #449 from yizhao1/acpid
2021-12-20 09:52:10 -05:00
Yi Zhao
0a1386e8ec
acpid: allow acpid to watch the directories in /dev
Fixes:
acpid: inotify_add_watch() failed: Permission denied (13)
avc: denied { watch } for pid=269 comm="acpid" path="/dev/input"
dev="devtmpfs" ino=35 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-13 11:51:57 +08:00
Yi Zhao
8537bdaf23
ssh: do not audit attempts by ssh-keygen to read proc
Fixes:
avc: denied { read } for pid=353 comm="ssh-keygen" name="filesystems"
dev="proc" ino=4026532078 scontext=system_u:system_r:ssh_keygen_t
tcontext=system_u:object_r:proc_t tclass=file permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-10 12:53:51 +08:00
Chris PeBenito
42c9eb9bcd
systemd, tor: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-12-05 13:42:28 -05:00
Chris PeBenito
f9fe061cc6
Merge pull request #444 from jpds/obfs4proxy-policy
2021-12-05 13:41:14 -05:00
Jonathan Davies
dbd08aa705
tor: Added interfaces and types for obfs4proxy support.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-12-03 00:00:11 +00:00
Jonathan Davies
a329633889
obfs4proxy: Added policy.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-12-02 23:59:58 +00:00
Dave Sugar
b3bb98348a
systemd: resolve error with systemd-sysctl
Seeing the following errors (based on what is in /etc/sysctl.d/*):
Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/kptr_restrict': Operation not permitted
Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/dmesg_restrict': Operation not permitted
Nov 30 13:38:07 localhost systemd-sysctl: Failed to write '1' to '/proc/sys/kernel/yama/ptrace_scope': Operation not permitted
Nov 30 13:38:07 localhost systemd: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
I saw the following denials:
type=AVC msg=audit(1638199548.807:52): avc: denied { sys_admin } for pid=1038 comm="systemd-sysctl" capability=21 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1638305206.666:347): avc: denied { sys_ptrace } for pid=1359 comm="systemd-sysctl" capability=19 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:system_r:systemd_sysctl_t:s0 tclass=capability permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2021-12-01 14:16:45 -05:00
Chris PeBenito
9788933467
ntp, samba: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-30 11:24:41 -05:00
Yi Zhao
f24f38f0f2
ntp: allow ntpd to set rlimit_memlock
Fixes:
ntpd[249]: Cannot set RLIMIT_MEMLOCK: Operation not permitted
avc: denied { sys_resource } for pid=247 comm="ntpd" capability=24
scontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:ntpd_t:s0-s15:c0.c1023 tclass=capability
permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-11-30 21:53:02 +08:00
Yi Zhao
5e7b58612e
samba: fixes for smbd/nmbd
* Do not audit capability net_admin for smbd_t/nmbd_t
* Allow nmbd_t to manage samba_var_t dirs
Fixes:
avc: denied { net_admin } for pid=334 comm="smbd" capability=12
scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:smbd_t
tclass=capability permissive=1
avc: denied { net_admin } for pid=273 comm="nmbd" capability=12
scontext=system_u:system_r:nmbd_t tcontext=system_u:system_r:nmbd_t
tclass=capability permissive=1
avc: denied { create } for pid=273 comm="nmbd" name="msg.lock"
scontext=system_u:system_r:nmbd_t tcontext=system_u:object_r:samba_var_t
tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-11-30 21:52:43 +08:00
Chris PeBenito
0c6e887481
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-29 11:40:49 -05:00
Chris PeBenito
92da1b321b
Merge pull request #441 from yizhao1/strongswan
2021-11-29 11:36:25 -05:00
Chris PeBenito
86931401b6
Merge pull request #438 from pebenito/auditd-stat-dispatched
2021-11-29 11:36:16 -05:00
Chris PeBenito
fd367d24eb
Merge pull request #437 from pebenito/ntp-drift-symlink
2021-11-29 11:36:12 -05:00
Chris PeBenito
f3c10c83bd
Merge pull request #436 from pebenito/udev-efi
2021-11-29 11:36:09 -05:00
Yi Zhao
9e71ad3551
ipsec: fixes for strongswan
* Add fcontext for charon-systemd
* Allow ipsec_mgmt_t to list ipsec_conf_file_t dir
* Allow ipsec_mgmt_t to read cert files
Fixes:
avc: denied { search } for pid=372 comm="swanctl" name="strongswan.d"
dev="vda" ino=1461
scontext=system_u:system_r:ipsec_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=0
avc: denied { read } for pid=372 comm="swanctl" name="strongswan.d"
dev="vda" ino=1461
scontext=system_u:system_r:ipsec_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir permissive=0
avc: denied { getattr } for pid=323 comm="swanctl"
path="/etc/ssl/openssl.cnf" dev="vda" ino=1463
scontext=system_u:system_r:ipsec_mgmt_t
tcontext=system_u:object_r:cert_t tclass=file permissive=0
avc: denied { open } for pid=323 comm="swanctl"
path="/etc/ssl/openssl.cnf" dev="vda" ino=1463
scontext=system_u:system_r:ipsec_mgmt_t
tcontext=system_u:object_r:cert_t tclass=file permissive=0
avc: denied { read } for pid=323 comm="swanctl" name="openssl.cnf"
dev="vda" ino=1463 scontext=system_u:system_r:ipsec_mgmt_t
tcontext=system_u:object_r:cert_t tclass=file permissive=0
avc: denied { search } for pid=323 comm="swanctl" name="ssl"
dev="vda" ino=1202 scontext=system_u:system_r:ipsec_mgmt_t
tcontext=system_u:object_r:cert_t tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-11-29 16:38:12 +08:00
Chris PeBenito
7e3b26e76c
logging: Allow auditd to stat() dispatcher executables.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2021-11-18 16:37:01 -05:00
Chris PeBenito
89c83b8299
ntp: Handle symlink to drift directory.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2021-11-18 16:35:56 -05:00
Chris PeBenito
bc51e2afe0
udev: Manage EFI variables.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2021-11-18 16:34:54 -05:00
Chris PeBenito
51d0d6d15e
logging: Add audit_control for journald.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:38 -05:00
Chris PeBenito
580c3da195
systemd: User runtime reads user cgroup files.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:35 -05:00
Chris PeBenito
c66fefcbf1
systemd: Revise tmpfiles factory to allow writing all configs.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:33 -05:00
Chris PeBenito
6ce1e64c49
systemd: Unit generator fixes.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:30 -05:00
Chris PeBenito
96ea14ed59
systemd, ssh, ntp: Read fips_enabled crypto sysctl.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2021-11-18 16:25:25 -05:00
Kenton Groombridge
64380b4d33
wine: fix roleattribute statement
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-16 12:11:59 -05:00
Chris PeBenito
096eb775fa
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-15 15:34:27 -05:00
Chris PeBenito
55d91c13f3
Merge pull request #415 from 0xC0ncord/constraints-update
2021-11-15 15:34:06 -05:00
Chris PeBenito
af39a6ed86
Merge pull request #432 from vmojzis/warning
Report warning on duplicate definition of interface
2021-11-15 08:56:21 -05:00
Vit Mojzis
051d166cd0
Improve error message on duplicate definition of interface
Specify which file contains the original definition.
Old:
ipa.if:284: Error: duplicate definition of
ipa_cert_filetrans_named_content(). Original definition on 284.
New:
ipa.if:284: Error: duplicate definition of
ipa_cert_filetrans_named_content(). Original definition on
/usr/share/selinux/devel/include/contrib/ipa.if:284.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-11-15 10:23:48 +01:00
Chris PeBenito
47a229198d
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-11-14 18:57:40 -05:00
Chris PeBenito
e0d1b94c8e
Merge pull request #412 from 0xC0ncord/bugfix/systemd-user-exec-apps-hookup
2021-11-14 18:57:19 -05:00
Kenton Groombridge
a29cb4a2b3
guest, xguest: remove apache role access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-12 14:57:36 -05:00
Kenton Groombridge
5ea601c011
mcs: only constrain mcs_constrained_type for db accesses
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:59:08 -05:00
Kenton Groombridge
b006b259f4
mcs: constrain context contain access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:56:27 -05:00
Kenton Groombridge
e701e18e7f
corenet: make netlabel_peer_t mcs constrained
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:30 -05:00
Kenton Groombridge
e7fb65980f
various: deprecate mcs override interfaces
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-11-09 13:55:26 -05:00