With udev now using /run for its data, the init script responsible for preparing
the environment to start up udev needs to be able to setup this location as
well.
We here allow init scripts to create the /run/udev location (transitioning to
udev_var_run_t) and manage this content (creating the /run/udev subdirectories).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent udev implementations now use /run (actually, /run/udev) for storing
database files, rules and more. Hence, we need to extend existing interfaces to
support searching through the udev_var_run_t location (as most of that was
previously only in device_t and/or etc_t or udev_etc_t)
Next to enhancing the interfaces, we provide additional ones that will be used
by the init script (for udev) which needs to create and support the new
/run/udev locations.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
At boot up, the /run location is empty, and init scripts are responsible for
creating the necessary structure within to support their services. This means,
adding entries like for the lock folder (/run/lock).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Since most distributions now support /run (which, thanks the the
file context substitutions, is marked as var_run_t), we need to update the
SELinux policies to support "dynamically" building up /run. Unlike /var/run,
which is most likely statically defined during distribution installation, /run
is a tmpfs which is built up from scratch on each and every boot.
But not only that, many services also use this location for other purposes than
just PID files (which is to be expected as these "other reasons" is why /run
came to be in the first place), so we need to support other types within this
location easily.
For this reason, we introduce support to
- creating the /run/lock location
- supporting named file transitions when init scripts create stuff in /run
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent init script packages allow for logging init script progress (service
start/stop state information, sometimes even duration, etc.) so we introduce an
initrc_var_log_t logtype and allow initrc_t to manage this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).
Do the same with the standard mount temporary file /etc/mtab.tmp.
The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.
This patch includes the necessary refactoring to support python 3.
Changes since v2
- Do not include contrib submodule (no relevant changes there)
- Update in pyplate to fix a failure with str/unicode in doc generation
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
Now that we have file_contexts.subs_dist, translations that were put in the file context definition files can now be
cleaned up.
Differences from v1:
- removes a few duplicate entries in the libraries.fc file, and
- removes the contrib references
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Recent syslog-ng implementation uses a threading library that requires the getsched permission.
See also https://bugs.gentoo.org/show_bug.cgi?id=405425
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Changed all interfaces that used auth_file_type to call the new
corresponding interface in files.if.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Reduce the binary policy size by eliminating some set expressions
related to file accesses and make Repolicy easier to convert into CIL.
- Moved the auth_file_type attribute.
- Created a new type attribute called non_auth_file_type.
- Created new interfaces to allow file accesses on non_auth_file_type
files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
By default, any role attribute should be able to type their "own" types
that share the same prefix and used in the run interface. For example,
role newrole_roles types newrole_t;
so that the calling domain of the seutil_run_newrole() interface could
properly tansition into newrole_t. Without above role rule, the caller's
role won't be associated with newrole_t.
Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
and run_init_roles should be fixed in the same way.
When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
get by default marked as device_t. However, in case of software raid devices,
the mdadm application (running in mdadm_t) does not hold the proper privileges
to access this for its auto-assembly of the raids.
Other block device applications, like blkid (running in fsadm_t) use these
temporary block devices as well, but already hold the necessary privileges on
device_t to continue their work.
By marking the temporary block device as a fixed_disk_device_t, all these block
device handling applications (such as blkid, but also mdadm) now hold the proper
privileges. Since udev is selinux-aware, the created files are immediately
restorecon'ed before the rules are applied.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When administering asterisk, one often ran command is "asterisk -r"
which yields the asterisk CLI (when the asterisk server is running). To
be able to run this, you need asterisk_stream_connect privileges.
Assign these privileges to the sysadm_r
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This changes the port declarations for cases where a type is used for
ports above and below 1024. The old code would give both the reserved
and unreserved port attribute. This new code only gives the reserved
port attribute.
Add a milter_port_t for use with inet sockets for communication
between milters and MTAs.
There are no defined ports with this type: admins are expected
to use semanage to specify the ports being used for milters.
The unconfined user is currently not allowed to call portage-related
functions. However, in a targeted system (with unconfined domains
enabled), users (including administrators) should be allowed to
transition to the portage domain.
We position the portage-related calls outside the "ifdef(distro_gentoo)"
as other distributions support Portage as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The system administrator (in sysadm_t) is the only "user" domain that is
allowed to call portage-related services. So it also gains the privilege
to execute portage tree management functions (and as such transition to
portage_fetch_t).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The semanage application supports a "semanage permissive" feature,
allowing certain domains to be marked for running permissive (rather
than the entire system).
To support this feature, we introduce a semanage_var_lib_t type for the
location where semanage will keep its permissive_<domain>.* files, and
allow semanage_t to work with fifo_files (needed for the command to
work).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Many users use portage from within cron (for instance to update the
portage tree or even automatically update their system). As such, we
allow to run portage from the (system) cronjob domains.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
We allow portage to call gpg. However, this requires that the location
where the trustdb is stored is marked as a read/write type. The default
location used within Gentoo is /etc/portage/gpg, which would lead to
portage_conf_t. However, this type should remain a read-only type.
As such, we introduce a type called portage_gpg_t for this location and
grant portage_fetch_t the necessary rights on this type.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Some applications might want to execute gpg without requiring a
transition. A possible use case is to allow applications to validate
signatures (made by GnuPG). As long as the application doesn't need to
generate signatures itself and its trustdb is not marked as
gpg_secret_t, it suffices to grant it gpg_exec().
Note that it does require the application to have read/write rights in
the directory where the trustdb is stored (as gpg tries to generate lock
files where the trustdb file is located).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Enhance portage_fetch_t from an application type to a domain. Introduce
the proper portage_fetch_exec_t and add the necessary privileges to the
domain definition to allow portage_fetch_t to be used by Portage
management utilities like layman and emerge-webrsync.
We enhance portage_domtrans() to include portage_fetch_t support.
Providing a different interface (portage_fetch_domtrans) is possible
too, but since every application and role that needs to deal with
portage needs to deal with the fetching as well, and vice versa, we keep
this in portage_domtrans.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The /sbin/rc binary is used by the system administrator to manage
runlevels (add/delete), check runlevel state, etc. all which do not
require a transition to occur. Hence the /sbin/rc (now labeled
rc_exec_t) is allowed to be executed without transitioning.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When an init script is launched, Gentoo's integrated run_init support
will re-execute /sbin/rc (an all-in-one binary) for various functions.
The run_init_t domain here should not be allowed to transition yet, so
we allow it to execute /sbin/rc without transitioning.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The gcc-config application uses some functions (from
/etc/init.d/functions.sh) which are simple wrappers on top of
/sbin/rc. Since this script is sourced and the functions executed
from within gcc_config_t, we allow gcc-config to execute /sbin/rc
without transitioning.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc)
for all its functions, be it executing init scripts, managing runlevels,
checking state, etc. This binary is not allowed to be labeled
initrc_exec_t as that would trigger domain transitions where this isn't
necessary (or even allowed).
A suggested solution is to use a separate type declaration for /sbin/rc
(rc_exec_t) which transitions where necessary.
This patch includes support for the /sbin/rc rc_exec_t type and declares
the init_rc_exec() interface which allows domains to execute the binary
without transitioning.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Puppet is a management utility to manage several dozens or even hundreds of
systems through a single application. Part of its job is to ensure that the
configuration and state of a system is as expected. Part of this is to ensure
that the proper mounts are available and, if not, mount them (or umount them).
This patch allows puppet_t to call mount.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During build and eventual activation of the base policy, the load_policy_t
domain attempts to use a portage file descriptor. However, this serves no
purpose (the loading is done correctly and everything is logged
appropriately).
Hence, we dontaudit this use.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Systems that use LDAPS (LDAP over SSL/TLS) for their sysnet_* activities
currently fail since these domains do not allow proper access to the random
devices (needed for SSL/TLS). This patch adds this privilege to
sysnet_use_ldap.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
