The ubifs in linux kernel supported the security xattr handler as early
as version 3.19.0 -rc6. Now add ubifs to the filesystem policy.
Signed-off-by: Xiongwei Song <xiongwei.song@windriver.com>
After commit cc8374fd24 (various: systemd
user fixes and additional support), the dbus_role_template is required
for all roles. Move it to userdom_common_user_template.
Before the patch if set DISTRO=redhat:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_t 240 ? Ss 0:00 /lib/systemd/systemd --user
After the patch:
root@qemux86-64:~# ps xZ | grep "systemd --user"
root:sysadm_r:sysadm_systemd_t 218 ? Ss 0:00 /lib/systemd/systemd --user
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Following the guideline of interfaces not allowed to declare anything
and not use prefix parameters, declare interfaces doing so as templates.
Also declare templates not using those features and not calling
templates themselves as interfaces.
These changes originate from the discussion in
https://github.com/TresysTechnology/selint/issues/205 and are found by
new proposed SELint checks at
https://github.com/TresysTechnology/selint/pull/206.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
systemd-tmpfiles can manage various file classes but the permissions
vary depending on the class.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
/usr/bin/checkpolicy -c 31 -U deny policy.conf -o policy.31
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/roles/secadm.te:10:ERROR 'duplicate filename transition for: filename_trans generator.early auditadm_systemd_t systemd_user_runtime_t:dir' at token ';' on line 2191007:
type_transition systemd_user_session_type systemd_user_runtime_t:dir systemd_user_runtime_unit_t "generator.early";
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.31] Error 1
This was introduced in cc8374fd24 but becuase
they are in a template used multiple times they are getting defined
multiple times and maybe checkpolicy on RHEL7 isn't happy with that.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
This normally uses memfd which uses posix shm under the hood.
Additionally, a direct shm use is a fallback if memfd is not available.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Newer versions of grub modify EFI variables on efivarfs. This commit
adds a dontaudit on the legacy /sys/fs/efi/vars files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
This is in response to systemd needing to write to .pwd.lock in support
of dynamic users, which is currently labeled shadow_t despite systemd
seemingly not making any actual modifications to /etc/passwd or
/etc/shadow. Instead of granting potentially overly permissive access,
this commit assigns a new type to these lock files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
Wireguard can be configured to run iptables and other such networking
tools when bringing up/down interfaces. Also add a dontaudit for
searching kernel sysctls.
Signed-off-by: Kenton Groombridge <me@concord.sh>
This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This finishes up a lot of the work originally started on systemd --user
support including interacting with user units, communicating with the
user's systemd instance, and reading the system journal.
Signed-off-by: Kenton Groombridge <me@concord.sh>
Enabling this will disable all permissions for setting SELinux Booleans,
even for unconfined domains.
This does not affect setenforce. Enable secure_mode_policyload along with
secure_mode_setbool to fully lock the SELinux security interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Systemd starts networkd in a sandbox enviroment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:
avc: denied { mounton } for pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1
Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
lvm2 installs a file into /usr/lib/tmpfliles.d/ to create
/run/lock/lvm so systemd-tmpfilesd needs the rights to create it.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.
Fixes:
avc: denied { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.
This behaiour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered as a security risk.
Relevant denials are silenced in case the policy is disabled.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.
Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel securint context until they are recreated, which for some
sockets (notify socket) never happens.
Until there is a way to change the context of an already open socket
object all processes, that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.
Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.
[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
tmp
On systemd, systemd-networkd keeps its configuration in
/etc/systemd/network, where both files and directories are labelled as
net_conf_t. When granting network configuration management permissions
also include directory management rights when systemd is in use.
This fixes denials from udev trying to parse systemd network
configuration.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
While systemd recommends to use native binaries as generators due to
performance reasons, there is nothing that really prevents from them
being shell scripts.
This is Gentoo-specific as the affected generator is provided by
the distribution, not by upstream systemd.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
postfix_pipe_t requires reading dovecot configuration and connecting to
dovecot stream sockets if configured to use dovecot for local mail
delivery.
Signed-off-by: Kenton Groombridge <me@concord.sh>
This patch is for systemd-machined. Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?
Signed-off-by: Russell Coker <russell@coker.com.au>
These two cases I see when building on a system without graphical interface.
Move userdom_xdg_user_template into optional block
gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block
Signed-off-by: Dave Sugar <dsugar@tresys.com>
The aptcacher_etc_t type does not exist in the policy. The block in cron
will never be enabled because of this, so drop that too.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
