Chris PeBenito
8374a05cb5
Merge pull request #416 from yizhao1/fixes
2021-10-27 09:14:45 -04:00
Yi Zhao
1afa56d20b
selinuxutil: allow setfiles_t to read kernel sysctl
...
Fixes:
avc: denied { read } for pid=171 comm="restorecon" name="cap_last_cap"
dev="proc" ino=1241
scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
avc: denied { open } for pid=171 comm="restorecon"
path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=1241
scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
avc: denied { getattr } for pid=171 comm="restorecon" name="/"
dev="proc" ino=1 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-27 11:20:11 +08:00
Yi Zhao
7a509f0dbf
usermanage: do not audit attempts to getattr of proc for passwd_t and useradd_t
...
Fixes:
avc: denied { getattr } for pid=325 comm="passwd" name="/" dev="proc"
ino=1 scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:proc_t
tclass=filesystem permissive=0
avc: denied { getattr } for pid=491 comm="useradd" name="/" dev="proc"
ino=1 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:proc_t
tclass=filesystem permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-27 11:20:11 +08:00
Yi Zhao
db42fb615e
rpc: allow rpc.mountd to list/watch NFS server directory
...
Fixes:
avc: denied { read } for pid=484 comm="rpc.mountd" name="clients"
dev="nfsd" ino=22 scontext=system_u:system_r:nfsd_t
tcontext=system_u:object_r:nfsd_fs_t tclass=dir permissive=0
avc: denied { watch } for pid=487 comm="rpc.mountd"
path="/proc/fs/nfsd/clients" dev="nfsd" ino=22
scontext=system_u:system_r:nfsd_t tcontext=system_u:object_r:nfsd_fs_t
tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-27 11:20:11 +08:00
Yi Zhao
7ae40510fd
udev: allow udev_t to watch udev_rules_t dir
...
Fixes:
avc: denied { watch } for pid=187 comm="udevd" path="/lib/udev/rules.d"
dev="vda" ino=1060 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:lib_t tclass=dir permissive=0
avc: denied { watch } for pid=187 comm="udevd" path="/etc/udev/rules.d"
dev="vda" ino=886 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_rules_t tclass=dir permissive=0
avc: denied { watch } for pid=187 comm="udevd" path="/run/udev/rules.d"
dev="tmpfs" ino=4 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
avc: denied { watch } for pid=196 comm="udevadm" path="/run/udev"
dev="tmpfs" ino=2 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-27 11:20:11 +08:00
Yi Zhao
44cd27ad32
avahi: allow avahi_t to watch /etc/avahi directory
...
Fixes:
avc: denied { watch } for pid=420 comm="avahi-daemon" path="/services"
dev="vda" ino=173 scontext=system_u:system_r:avahi_t
tcontext=system_u:object_r:etc_t tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-27 11:20:11 +08:00
Yi Zhao
017a321811
bluetooth: fixes for bluetoothd
...
* Allow bluetooth_t to create and use bluetooth_socket.
* Allow bluetooth_t to send messages to init scripts over dbus.
* Allow bluetooth_t to send messages from systemd hostnamed over dbus.
Fixes:
avc: denied { create } for pid=377 comm="bluetoothd"
scontext=system_u:system_r:bluetooth_t
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
permissive=1
avc: denied { bind } for pid=377 comm="bluetoothd"
scontext=system_u:system_r:bluetooth_t
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
permissive=1
avc: denied { write } for pid=377 comm="bluetoothd"
scontext=system_u:system_r:bluetooth_t
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
permissive=1
avc: denied { getattr } for pid=377 comm="bluetoothd"
path="socket:[12424]" dev="sockfs" ino=12424
scontext=system_u:system_r:bluetooth_t
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
permissive=1
avc: denied { listen } for pid=377 comm="bluetoothd"
scontext=system_u:system_r:bluetooth_t
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
permissive=1
avc: denied { read } for pid=377 comm="bluetoothd" path="socket:[12424]"
dev="sockfs" ino=12424 scontext=system_u:system_r:bluetooth_t
tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
permissive=1
avc: denied { send_msg } for msgtype=method_return dest=:1.2 spid=377
tpid=431 scontext=system_u:system_r:bluetooth_t
tcontext=system_u:system_r:initrc_t tclass=dbus permissive=1
avc: denied { send_msg } for msgtype=signal
interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded
dest=org.freedesktop.DBus spid=319 tpid=241
scontext=system_u:system_r:bluetooth_t
tcontext=system_u:system_r:initrc_t tclass=dbus permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-27 11:20:11 +08:00
Chris PeBenito
86812d22b3
Merge pull request #422 from dsugar100/sshd_fips_check
2021-10-26 15:44:09 -04:00
Chris PeBenito
43c4c154c6
Merge pull request #421 from cgzones/fc_check
2021-10-26 15:44:05 -04:00
Chris PeBenito
81738db161
Merge pull request #420 from yizhao1/samba-fixes
2021-10-26 15:44:00 -04:00
Chris PeBenito
9a7fb240fb
Merge pull request #418 from dsugar100/master
2021-10-26 15:43:57 -04:00
Dave Sugar
ecc0cff7c0
sshd: allow running /usr/bin/fipscheck (to check FIPS state)
...
type=AVC msg=audit(1634644085.903:245): avc: denied { search } for pid=1825 comm="sshd" name="crypto" dev="proc" ino=1386 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1634644085.903:245): avc: denied { read } for pid=1825 comm="sshd" name="fips_enabled" dev="proc" ino=1387 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1634644085.903:245): avc: denied { open } for pid=1825 comm="sshd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=1387 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1634644085.903:245): arch=c000003e syscall=2 success=yes exit=3 a0=7f905129f682 a1=0 a2=1 a3=7ffdda768660 items=0 ppid=1 pid=1825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1634644085.905:247): avc: denied { getattr } for pid=1825 comm="sshd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=1387 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1634644085.905:247): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffdda768fc0 a2=7ffdda768fc0 a3=0 items=0 ppid=1 pid=1825 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1634644085.944:258): avc: denied { execute } for pid=1913 comm="sshd" name="fipscheck" dev="dm-2" ino=283611 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1634644085.944:258): avc: denied { read open } for pid=1913 comm="sshd" path="/usr/bin/fipscheck" dev="dm-2" ino=283611 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1634644085.944:258): avc: denied { execute_no_trans } for pid=1913 comm="sshd" path="/usr/bin/fipscheck" dev="dm-2" ino=283611 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1634644085.944:258): avc: denied { map } for pid=1913 comm="fipscheck" path="/usr/bin/fipscheck" dev="dm-2" ino=283611 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1634644085.944:258): arch=c000003e syscall=59 success=yes exit=0 a0=7f9051ff76ba a1=55ce27ee83c0 a2=7f90521f8118 a3=7ffdda766ca0 items=0 ppid=1825 pid=1913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fipscheck" exe="/usr/bin/fipscheck" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2021-10-19 17:06:48 -04:00
Christian Goettsche
303857caca
check_fc_files: allow optional @ character
...
Do not warn on /usr/lib/systemd/system/ssh@?\.service
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-19 20:59:22 +02:00
Yi Zhao
a7700d9bb7
rpc: add dac_read_search capability for rpcd_t
...
Fixes:
avc: denied { dac_read_search } for pid=473 comm="sm-notify"
capability=2 scontext=system_u:system_r:rpcd_t
tcontext=system_u:system_r:rpcd_t tclass=capability permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-19 11:04:45 +08:00
Yi Zhao
6a3bba766f
samba: allow smbd_t to send and receive messages from avahi over dbus
...
Fixes:
avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.Avahi.Server member=GetAPIVersion
dest=org.freedesktop.Avahi spid=481 tpid=508
scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:avahi_t
tclass=dbus permissive=1
avc: denied { send_msg } for msgtype=signal
interface=org.freedesktop.Avahi.Server member=StateChanged
dest=org.freedesktop.DBus spid=508 tpid=481
scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:smbd_t
tclass=dbus permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-19 11:04:38 +08:00
Dave Sugar
b9231040bb
Allow iscsid to check fips_enabled
...
type=AVC msg=audit(1634568931.358:227): avc: denied { search } for pid=1832 comm="iscsid" name="crypto" dev="proc" ino=9307 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1634568931.358:227): avc: denied { read } for pid=1832 comm="iscsid" name="fips_enabled" dev="proc" ino=9308 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1634568931.358:227): avc: denied { open } for pid=1832 comm="iscsid" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9308 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1634568931.358:228): avc: denied { getattr } for pid=1832 comm="iscsid" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9308 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2021-10-18 15:58:26 -04:00
Dave Sugar
abf8202e47
Allow iscsid to request kernel module load
...
type=AVC msg=audit(1634568931.426:263): avc: denied { module_request } for pid=1832 comm="iscsid" kmod="net-pf-16-proto-8" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2021-10-18 15:58:18 -04:00
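The AVC records quoted in the commit messages above (setfiles_t, passwd_t, nfsd_t, udev_t, bluetooth_t, sshd_t, rpcd_t, smbd_t, iscsid_t and the others) are the raw material from which those commits derive their new allow rules. As an added example that is not part of this log or of refpolicy itself, the Python script below parses AVC records of the shapes seen here (file, filesystem, dir, dbus, capability and system classes), merges the denied permissions per (source type, target type, class) and renders candidate raw allow rules, marking which ones were hit with permissive=0. The sample records are constructed by re-joining a few of the wrapped lines above onto single lines; everything else in the script is the example's own. In a real refpolicy patch the raw rules are only a starting point and are replaced by the matching interface calls (for instance kernel_read_kernel_sysctls for the setfiles_t case) so that the module does not reference types it does not own.

```python
"""Summarise SELinux AVC denials into candidate allow rules (audit2allow-style)."""
import re
from collections import defaultdict

# Constructed sample input: records in the shape of the AVC lines quoted in the
# commit messages above, re-joined onto single lines (the wrapping there comes
# from the commit text, not from the kernel). Values are taken from those messages.
SAMPLE_AVCS = """\
avc: denied { read } for pid=171 comm="restorecon" name="cap_last_cap" dev="proc" ino=1241 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
avc: denied { open } for pid=171 comm="restorecon" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=1241 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
avc: denied { getattr } for pid=171 comm="restorecon" name="/" dev="proc" ino=1 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion dest=org.freedesktop.Avahi spid=481 tpid=508 scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:avahi_t tclass=dbus permissive=1
avc: denied { dac_read_search } for pid=473 comm="sm-notify" capability=2 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t tclass=capability permissive=1
type=AVC msg=audit(1634568931.426:263): avc: denied { module_request } for pid=1832 comm="iscsid" kmod="net-pf-16-proto-8" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm"),
    }


def summarize(text):
    """Merge denied permissions per (source type, target type, class).

    'enforced' is True if at least one record carried permissive=0, i.e. the
    denial actually broke the program rather than only being logged. Note that
    an enforcing-mode record only shows the first permission the operation
    needed; later ones surface only after that one is granted, whereas a
    permissive-mode run logs every permission the operation would have used.
    """
    rules = defaultdict(lambda: {"perms": set(), "enforced": False, "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = rules[(rec["stype"], rec["ttype"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        entry["enforced"] = entry["enforced"] or not rec["permissive"]
        if rec["comm"]:
            entry["comms"].add(rec["comm"])
    return dict(rules)


def to_allow_rules(rules):
    """Render raw allow rules; a self-target (e.g. capabilities) is written as 'self'."""
    out = []
    for (stype, ttype, tclass), entry in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        perms = sorted(entry["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


if __name__ == "__main__":
    rules = summarize(SAMPLE_AVCS)
    for rule, (_, entry) in zip(to_allow_rules(rules), sorted(rules.items())):
        flag = "ENFORCED" if entry["enforced"] else "permissive"
        print(f"{flag:10s} {rule}  # {', '.join(sorted(entry['comms'])) or '-'}")
```

Running it prints one candidate rule per (source, target, class) triple, so the three setfiles_t records collapse to `allow setfiles_t sysctl_kernel_t:file { open read };` plus a separate filesystem getattr rule, and the capability and dbus records come out as `self:capability` and `smbd_t avahi_t:dbus send_msg` respectively. The ENFORCED/permissive flag is the caveat a reviewer wants before merging: rules derived from permissive=1 logs are usually complete, rules derived from permissive=0 logs often are not.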
Chris PeBenito
e9ee912643
userdomain: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-13 09:59:04 -04:00
Chris PeBenito
d2c91d1c70
Merge pull request #414 from yizhao1/fix2
2021-10-13 09:58:35 -04:00
Yi Zhao
0081916abb
secadm: allow secadm to read selinux policy
...
Fixes:
$ newrole -r secadm_r -- -c "sesearch -A -s mount_t -t shell_exec_t -c file"
[Errno 13] Permission denied: '/sys/fs/selinux/policy'
avc: denied { read_policy } for pid=575 comm="python3"
scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:security_t:s15:c0.c1023 tclass=security
permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-12 22:35:24 +08:00
Chris PeBenito
e49243a08f
authlogin: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-08 10:41:12 -04:00
Chris PeBenito
b51a297af5
Merge pull request #411 from besser82/topic/besser82/tcb
2021-10-08 10:40:53 -04:00
Björn Esser
bc88a1ca4b
authlogin: add fcontext for tcb
...
tcb is an alternative password shadowing scheme used by some Linux
distributions, like ALT Linux, Mandriva, OWL, and some others.
The /etc/tcb directory tree is used to store a single shadow file
inside of a subdirectory created for every local user.
The tcb_chkpwd binary is meant to provide the same functionality
as the unix_chkpwd binary.
The tcb_convert and tcb_unconvert binaries are used for conversions
from a UNIX shadow file to the tcb password shadowing scheme and
vice-versa.
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-10-08 00:58:37 +02:00
Chris PeBenito
2ef2028c57
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-05 14:59:44 -04:00
Chris PeBenito
6e8ba12dcb
Merge pull request #410 from pedrxd/nginxcache
2021-10-05 14:59:06 -04:00
Chris PeBenito
6c1f5fb926
Merge pull request #406 from 0xC0ncord/git-type
2021-10-05 14:58:17 -04:00
Chris PeBenito
0f2ed8ae16
filesystem: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-10-05 14:49:56 -04:00
Gao Xiang
a885f70d50
Add erofs as a SELinux capable file system
...
EROFS has supported the security xattr handler since Linux v4.19.
Add erofs to the filesystem policy now.
Reported-by: David Michael <fedora.dm0@gmail.com>
Signed-off-by: Gao Xiang <xiang@kernel.org>
2021-10-05 14:49:16 -04:00
Pedro
26db30a650
File context for nginx cache files
...
Signed-off-by: Pedro <peruvapedro99@gmail.com>
2021-10-04 14:48:10 +02:00
Kenton Groombridge
64e637d895
git, roles: add policy for git client
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-01 13:19:52 -04:00
Chris PeBenito
338d05482a
wireguard: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-28 13:14:34 -04:00
Chris PeBenito
247b1300ad
Merge pull request #408 from ffontaine/master
2021-09-28 13:13:52 -04:00
Chris PeBenito
f60be8247a
Merge pull request #409 from yizhao1/fix
...
rpc: remove obsolete comment line
2021-09-28 11:55:31 -04:00
Yi Zhao
5968e9eae0
rpc: remove obsolete comment line
...
There is no fs_manage_nfsd_fs interface.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-09-27 11:25:45 +08:00
Fabrice Fontaine
67394d078c
policy/modules/services/wireguard.te: make iptables optional
...
Make iptables optional to avoid the following build failure raised since
version 2.20210908 and 7f1a7b1cac:
Compiling targeted policy.33
env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
policy/modules/services/wireguard.te:66:ERROR 'type iptables_exec_t is not within scope' at token ';' on line 591892:
#line 66
allow wireguard_t iptables_exec_t:file { getattr open map read execute ioctl };
checkpolicy: error(s) encountered while parsing configuration
make[1]: *** [Rules.monolithic:79: policy.33] Error 1
Fixes:
- http://autobuild.buildroot.org/results/a4223accc6adb70b06fd4e74ca4f28484446b6fa
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-22 23:55:59 +02:00
Kenton Groombridge
4264f9050a
userdomain: add interface to allow mapping all user home content
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-20 22:01:01 -04:00
Kenton Groombridge
261768bf10
ssh: add interface to execute and transition to ssh client
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-20 22:00:56 -04:00
Chris PeBenito
b19be25429
systemd, userdomain, wm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-14 13:55:26 -07:00
Chris PeBenito
938453ddb1
Merge pull request #381 from 0xC0ncord/bugfix/systemd-user-exec-apps
2021-09-14 13:23:23 -07:00
Kenton Groombridge
b91c6062ac
wm: add user exec domain attribute to wm domains
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 14:53:48 -04:00
Kenton Groombridge
1a0d3bcfbd
systemd: add interface to support monitoring and output capturing of child processes
The 'systemd_user_app_status' interface is intended to be used by any
interfaces or templates that grant run access to a user domain. These
rules are to support a situation in which an app run by a systemd user
instance runs another, and to allow that app to have its status and output
captured by the systemd user instance (i.e. to journald) without
explicitly granting permissions for the systemd user instance to run
that application.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 14:53:41 -04:00
Kenton Groombridge
f151d36e5b
systemd: assign user exec attribute to systemd --user instances
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 12:12:43 -04:00
Kenton Groombridge
84e26170a1
userdomain: add user exec domain attribute and interface
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-09-14 12:12:39 -04:00
Chris PeBenito
24701593d2
chronyd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-14 06:37:22 -07:00
Chris PeBenito
3c0eccb2df
Merge pull request #404 from jpds/chronyd/netadmin
2021-09-14 06:33:41 -07:00
Jonathan Davies
f3ff01e332
chronyd.te: Added chronyd_hwtimestamp boolean for chronyd_t to access net_admin capability; this is required for its `hwtimestamp` option, which otherwise returns:
ioctl(SIOCSHWTSTAMP) failed : Operation not permitted
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-09-13 23:35:09 +01:00
Chris PeBenito
c804cef2c8
samba: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-13 13:21:56 -07:00
Chris PeBenito
3988924056
Merge pull request #407 from ffontaine/master
2021-09-13 13:20:12 -07:00
Fabrice Fontaine
ce436299be
policy/modules/services/samba.te: make crack optional
...
Make crack optional to avoid the following build failure:
Compiling targeted policy.31
env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232:
allow smbd_t crack_db_t:dir { getattr search open };
#line 399
checkpolicy: error(s) encountered while parsing configuration
Fixes:
- http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2021-09-09 07:48:33 +02:00
Chris PeBenito
c2254a64b9
Update Changelog and VERSION for release 2.20210908.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-09-08 10:53:44 -04:00