selinux-refpolicy

Author	SHA1	Message	Date
Kenton Groombridge	a1a9c33e88	iptables: allow reading initrc pipes The systemd service calls a script which reads the saved rules from a file piped to stdin. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-04-08 09:56:04 -04:00
Kenton Groombridge	7ca9dcea1f	init: modify interface to allow reading all pipes Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-04-08 09:56:04 -04:00
Kenton Groombridge	c46bbef5f7	udev: various fixes Mostly mdraid stuff and a few dontaudits. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-04-08 09:56:04 -04:00
Kenton Groombridge	a6df5e653c	devicekit: allow devicekit_disk_t to setsched Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-04-08 09:56:04 -04:00
Kenton Groombridge	342eefd3b0	ssh: allow ssh_keygen_t to read localization Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-04-08 09:56:04 -04:00
Kenton Groombridge	497cb3ca2b	files, init, systemd: various fixes Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-04-08 09:56:01 -04:00
Kenton Groombridge	dac8c8af27	devices, userdomain: dontaudit userdomain setattr on null device nodes Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-04-08 09:43:54 -04:00
Kenton Groombridge	02b9bf0a1c	redis: allow reading net and vm overcommit sysctls Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:56 -04:00
Kenton Groombridge	9051a09617	spamassassin: allow rspamd to read network sysctls Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:55 -04:00
Kenton Groombridge	d91bef2d24	devices, userdomain: dontaudit userdomain setattr on null device nodes Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:53 -04:00
Kenton Groombridge	f137b5cdcc	modutils: allow kmod to read src_t symlinks Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:51 -04:00
Kenton Groombridge	6371411e50	getty: various fixes Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:49 -04:00
Kenton Groombridge	173d2a2bd0	rngd: allow reading sysfs rngd tries to read the rng state at boot. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:47 -04:00
Kenton Groombridge	00e210d703	redis: allow reading certs Required if redis is to be used with SSL/TLS Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:44 -04:00
Kenton Groombridge	fa5f878f13	usbguard: various fixes Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:42 -04:00
Kenton Groombridge	45dd9358e5	fail2ban: allow reading vm overcommit sysctl Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:37 -04:00
Kenton Groombridge	372f9cc658	systemd, fail2ban: allow fail2ban to watch journal Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-27 19:53:27 -04:00
Chris PeBenito	4aa1562208	files, kernel, selinux: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-27 14:21:06 -04:00
Chris PeBenito	838c145fb9	kernel: Add dontaudits when secure_mode_insmod is enabled. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-19 15:50:59 -04:00
Chris PeBenito	3d0a6f966f	selinux: Add dontaudits when secure mode Booleans are enabled. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-19 15:50:59 -04:00
Chris PeBenito	b36334e937	selinux: Set regular file for labeled Booleans genfscons. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-19 15:50:59 -04:00
Chris PeBenito	9d57bf3a2e	selinux: Change generic Boolean type to boolean_t. This will prevent other security_t writers from setting Boolean pending values, which could be activated unwittingly by setbool processes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-19 15:50:25 -04:00
Chris PeBenito	3a22e9279c	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-19 15:17:54 -04:00
Chris PeBenito	93fda6e15d	Merge pull request #357 from 0xC0ncord/feature/systemd_user_service	2021-03-19 15:14:24 -04:00
Kenton Groombridge	cc8374fd24	various: systemd user fixes and additional support This finishes up a lot of the work originally started on systemd --user support including interacting with user units, communicating with the user's systemd instance, and reading the system journal. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-03-18 15:58:17 -04:00
Chris PeBenito	ab702bb825	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-17 11:16:40 -04:00
Chris PeBenito	4dba24e2ad	Merge pull request #356 from pebenito/drop-dead-modules2	2021-03-17 11:15:11 -04:00
Chris PeBenito	d84e0ee70f	selinux: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-12 09:57:36 -05:00
Chris PeBenito	8934069f82	Remove additional unused modules Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-07 09:29:34 -05:00
Chris PeBenito	3ab2274e3d	selinux: Add a secure_mode_setbool Boolean. Enabling this will disable all permissions for setting SELinux Booleans, even for unconfined domains. This does not affect setenforce. Enable secure_mode_policyload along with secure_mode_setbool to fully lock the SELinux security interface. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-03-05 16:13:11 -05:00
Chris PeBenito	1167739da1	rpc: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-16 09:30:31 -05:00
Chris PeBenito	05c08f7b1f	rpc: Move lines. No rule changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-16 09:30:13 -05:00
Russell Coker	0a2e267937	blkmapd Patch for the blkmapd daemon that's part of the NFS server. I think this is ready for mergikng. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-02-16 09:24:55 -05:00
Chris PeBenito	3fa4315772	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-12 11:18:53 -05:00
Krzysztof Nowicki	6d0ade349e	Allow systemd-tmpfilesd to access nsswitch information Fixes io.systemd.DynamicUser denials. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:53:21 +01:00
Krzysztof Nowicki	f70f84310a	Fix setting-up sandbox environment for systemd-networkd Systemd starts networkd in a sandbox enviroment for enhanced security. As part of that, several mounts need to be prepared, of which one fails: avc: denied { mounton } for pid=711 comm="(networkd)" path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir permissive=1 Fix this by declaring directories of systemd_networkd_runtime_t type as an init daemon mount point. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:53:21 +01:00
Krzysztof Nowicki	014b2c41d2	Allow systemd-tmpfilesd handle faillog directory Is is being created from a pam-provided tmpfiles.d config. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:53:20 +01:00
Krzysztof Nowicki	cfe0502ed2	Mark lvm_lock_t as systemd_tmpfilesd-managed lvm2 installs a file into /usr/lib/tmpfliles.d/ to create /run/lock/lvm so systemd-tmpfilesd needs the rights to create it. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:53:20 +01:00
Krzysztof Nowicki	017d9750a4	Allow systemd-tmpfilesd to set attributes of /var/lock Fixes: avc: denied { setattr } for pid= comm="systemd-tmpfile" name="lock" dev="tmpfs" ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:53:19 +01:00
Krzysztof Nowicki	900a51f134	Allow systemd-tmpfilesd to relabel generic files inside /etc Enable this only with the systemd_tmpfilesd_factory tunable, otherwise silence the messages with a dontaudit rule. Fixes: avc: denied { relabelfrom } for comm="systemd-tmpfile" name="pam.d" dev= ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:52:01 +01:00
Krzysztof Nowicki	68e5f4d3f3	Enable factory directory support in systemd-tmpfilesd /usr/share/factory serves as a template directory for systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this directory as a default source for files, which should be placed in the filesystem. This behaiour is controlled via a tunable as it gives systemd-tmpfilesd manage permissions over etc, which could be considered as a security risk. Relevant denials are silenced in case the policy is disabled. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:24:52 +01:00
Krzysztof Nowicki	b30437e487	When using systemd_tmpfilesd_managed also grant directory permissions This allows systemd-tmpfilesd to create files inside directories belonging to the subject domain. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:24:52 +01:00
Krzysztof Nowicki	0111384000	Allow systemd-tmpfilesd populating of /var/lib/dbus Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:24:52 +01:00
Krzysztof Nowicki	0aac6a3d3b	Fix systemd-journal-flush service This service executes journalctl, which needs access to the journald socket. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:24:51 +01:00
Krzysztof Nowicki	364621e6ec	Allow use of systemd UNIX sockets created at initrd execution Systemd uses a number of UNIX sockets for communication (notify socket [1], journald socket). These sockets are normally created at start-up after the SELinux policy is loaded, which means that the kernel socket objects have proper security contexts of the creating processes. Unfortunately things look different when the system is started with an initrd that is also running systemd (e.g. dracut). In such case the sockets are created in the initrd systemd environment before the SELinux policy is loaded and therefore the socket object is assigned the default kernel context (system_u:system_r:kernel_t). When the initrd systemd transfers control to the main systemd the notify socket descriptors are passed to the main systemd process [2]. This means that when the main system is running the sockets will use the default kernel securint context until they are recreated, which for some sockets (notify socket) never happens. Until there is a way to change the context of an already open socket object all processes, that wish to use systemd sockets need to be able to send datagrams to system_u:system_r:kernel_t sockets. Parts of this workaround were earlier hidden behind RedHat-specific rules, since this distribution is the prime user of systemd+dracut combo. Since other distros may want to use similar configuration it makes sense to enable this globally. [1] sd_notify(3) [2] https://github.com/systemd/systemd/issues/16714 Signed-off-by: Krzysztof Nowicki <krissn@op.pl> tmp	2021-02-09 13:24:51 +01:00
Krzysztof Nowicki	2cd6ffb654	Also grant directory permissions in sysnet_manage_config On systemd, systemd-networkd keeps its configuration in /etc/systemd/network, where both files and directories are labelled as net_conf_t. When granting network configuration management permissions also include directory management rights when systemd is in use. This fixes denials from udev trying to parse systemd network configuration. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:24:50 +01:00
Krzysztof Nowicki	ba9fa00010	Allow execution of shell-scripted systemd generators While systemd recommends to use native binaries as generators due to performance reasons, there is nothing that really prevents from them being shell scripts. This is Gentoo-specific as the affected generator is provided by the distribution, not by upstream systemd. Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:24:50 +01:00
Krzysztof Nowicki	b9470d408a	Allow systemd to relabel startup-important directories Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:24:49 +01:00
Krzysztof Nowicki	5082648629	Fix interface naming convention (plural predicates) Signed-off-by: Krzysztof Nowicki <krissn@op.pl>	2021-02-09 13:24:43 +01:00
Chris PeBenito	bfa73f3c59	dovecot, postfix: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-03 13:05:46 -05:00
Chris PeBenito	a7ac056982	Merge pull request #351 from 0xC0ncord/feature/postfix_dovecot_backend	2021-02-03 13:05:27 -05:00
Kenton Groombridge	5b0eee1093	dovecot, postfix: add missing accesses postfix_pipe_t requires reading dovecot configuration and connecting to dovecot stream sockets if configured to use dovecot for local mail delivery. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-02-03 11:36:42 -05:00
Chris PeBenito	ff983a6239	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-03 08:38:26 -05:00
Chris PeBenito	255c5a4ccd	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 14:30:10 -05:00
Chris PeBenito	5ab1b2ee67	Merge pull request #350 from 0xC0ncord/bugfix/various_dontaudit_20200202	2021-02-02 14:28:42 -05:00
Chris PeBenito	6aaa8ee1c7	Merge pull request #349 from 0xC0ncord/bugfix/lvm_tmpfs_perms	2021-02-02 14:28:40 -05:00
Chris PeBenito	8c042fb9be	systemd: Rename systemd_use_machined_devpts(). Renamed to systemd_use_inherited_machined_ptys(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 14:11:47 -05:00
Chris PeBenito	e6fbff4948	systemd: Fix lint errors. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 14:02:49 -05:00
Chris PeBenito	4436cd0d6d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 13:58:24 -05:00
Chris PeBenito	a673712d8a	systemd: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 13:50:45 -05:00
Russell Coker	ab0367b4b6	machined This patch is for systemd-machined. Some of it will probably need discussion but some is obviously good, so Chris maybe you could take the bits you like for this release? Signed-off-by: Russell Coker <russell@coker.com.au>	2021-02-02 13:46:42 -05:00
Chris PeBenito	eae12d8418	apt, bootloader: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 13:32:42 -05:00
Russell Coker	8b4f1e3384	misc apps and admin patches Send again without the section Dominick didn't like. I think it's ready for inclusion. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-02-02 13:29:48 -05:00
Kenton Groombridge	edd4ba6f32	Various fixes Allow dovecot to watch the mail spool, and add various dontaudit rules for several other domains. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-02-02 10:52:59 -05:00
Chris PeBenito	cfb48c28d0	screen: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 08:47:55 -05:00
Chris PeBenito	460cd1a4b1	Merge pull request #346 from jpds/tmux-xdg-config	2021-02-02 08:47:31 -05:00
Chris PeBenito	aa35a710a5	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 08:47:00 -05:00
Chris PeBenito	9e195ea6ae	dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces. Rename interfaces from `a7f3fdabad`. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 08:46:41 -05:00
Russell Coker	a7f3fdabad	new version of filetrans patch Name changes suggested by Dominick and some more additions. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-02-02 08:31:14 -05:00
Jonathan Davies	9ec80c1b2f	apps/screen.te: Allow screen to search xdg directories. Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2021-02-01 21:42:12 +00:00
Chris PeBenito	e7065e2442	certbot: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-01 15:56:31 -05:00
Kenton Groombridge	ed5d860a8c	lvm: add lvm_tmpfs_t type and rules cryptsetup uses tmpfs when performing some operations on encrypted volumes such as changing keys. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-02-01 15:46:24 -05:00
Kenton Groombridge	3ce27e68d9	certbot: add support for acme.sh Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-02-01 15:29:24 -05:00
Jonathan Davies	2bdfc5c742	apps/screen.fc: Added fcontext for tmux xdg directory. Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2021-01-29 14:56:29 +00:00
Chris PeBenito	072c0a9458	userdomain, gpg: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-29 08:35:12 -05:00
Dave Sugar	09bd4af708	Work with xdg module disabled These two cases I see when building on a system without graphical interface. Move userdom_xdg_user_template into optional block gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block Signed-off-by: Dave Sugar <dsugar@tresys.com>	2021-01-28 18:13:33 -05:00
Chris PeBenito	3d8e755d85	pacemaker: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 15:28:06 -05:00
Chris PeBenito	9a40ead091	Merge pull request #341 from dsugar100/master	2021-01-28 15:27:53 -05:00
Chris PeBenito	bc746ff391	sudo, spamassassin: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 15:27:03 -05:00
Chris PeBenito	2e6d7b8cb9	Merge pull request #339 from 0xC0ncord/feature/sudodomain_http_connect_boolean	2021-01-28 15:24:38 -05:00
Chris PeBenito	733e8519cc	Merge pull request #336 from 0xC0ncord/feature/rspamd_extra_rules	2021-01-28 15:24:34 -05:00
Dave Sugar	f6987e9d82	pcs_snmpd_agent_t fix denials to allow it to read needed queues Jan 27 18:16:51 audispd: node=virtual type=AVC msg=audit(1611771411.553:9337): avc: denied { search } for pid=13880 comm="cibadmin" name="qb-6671-13880-13-bRhDEX" dev="tmpfs" ino=88809 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=dir permissive=0 Jan 27 19:53:46 audispd: node=virtual type=AVC msg=audit(1611777226.144:25975): avc: denied { getattr } for pid=29489 comm="systemctl" name="/" dev="tmpfs" ino=14072 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2021-01-28 15:20:20 -05:00
Kenton Groombridge	95dd9ebf61	sudo: add tunable for HTTP connections Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-28 15:11:19 -05:00
Chris PeBenito	98681ea89e	samba: Fix lint error. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:57:19 -05:00
Chris PeBenito	a404dc677e	aptcacher: Drop broken config interfaces. The aptcacher_etc_t type does not exist in the policy. The block in cron will never be enabled because of this, so drop that too. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:57:08 -05:00
Chris PeBenito	920ecf48ce	apache: Really fix lint error. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:34:02 -05:00
Chris PeBenito	cf91901018	apache: Fix lint error. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:29:26 -05:00
Chris PeBenito	744290159e	apache, fail2ban, stunnel: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:26:31 -05:00
Chris PeBenito	981e741a51	Merge pull request #337 from 0xC0ncord/bugfix/fail2ban_journald_map	2021-01-28 13:54:16 -05:00
Chris PeBenito	7bf7abd525	Merge pull request #340 from 0xC0ncord/feature/apache_list_dirs_interface	2021-01-28 13:51:17 -05:00
Chris PeBenito	63b25831a4	Merge pull request #338 from 0xC0ncord/feature/stunnel_logging_type	2021-01-28 13:50:46 -05:00
Chris PeBenito	a3e13450e2	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:39:49 -05:00
Chris PeBenito	09fd2a29cf	samba: Add missing userspace class requirements in unit interfaces. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:39:34 -05:00
Chris PeBenito	94e424aa9b	sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba block. This moves the existing samba_manage_config(dhcpc_t) that is not tunable into the tunable block. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:30:40 -05:00
Chris PeBenito	5d29c35b89	samba: Move service interface definitions. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:27:54 -05:00
Russell Coker	ac5b8737fd	misc network patches with Dominick's changes*2 I think this one is good for merging now. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-28 11:22:07 -05:00
Chris PeBenito	621baf7752	samba: Fix samba_runtime_t alias use. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:55:54 -05:00
Chris PeBenito	882633aa13	cron: Make backup call for system_cronjob_t optional. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:55:35 -05:00
Chris PeBenito	9f8164d35d	devicekit, jabber, samba: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:55:09 -05:00
Chris PeBenito	982cb068c2	apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:53:04 -05:00
Russell Coker	55c3c1dcaa	misc services patches with changes Dominick and Chris wanted I think this one is ready to merge. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-28 10:06:16 -05:00
Kenton Groombridge	4e15f5dfe4	apache: add interface for list dir perms on httpd content This is needed by some webservers such as nginx when autoindexing is enabled. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-27 15:41:16 -05:00
Kenton Groombridge	c8f723b96e	spamassassin: add rspamd support and tunable Additional rules are required to enable rspamd support. This commit adds file contexts for rspamd's files and adds a tunable that enables the additional rules needed for rspamd to function. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-26 20:10:54 -05:00
Kenton Groombridge	8fc4aa59a9	fail2ban: allow reading systemd journal Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-26 18:19:20 -05:00
Kenton Groombridge	e34e339b96	stunnel: add log type and rules Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-26 18:05:56 -05:00
Chris PeBenito	c521270688	memlockd: Fix lint issue. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 10:29:42 -05:00
Chris PeBenito	87ffc9472a	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 09:48:59 -05:00
Chris PeBenito	9f98b92ee5	memlockd: Whitespace fixes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 09:46:20 -05:00
Chris PeBenito	157b7edcbb	memlockd: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 09:46:04 -05:00
Russell Coker	88c8189207	latest memlockd patch Includes the ifndef(`distro_debian' section that was requested. Should be ready for merging now. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 09:39:26 -05:00
Russell Coker	da9b6306ea	more Chrome stuff Patches for some more Chrome stuff Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 09:36:56 -05:00
Russell Coker	eef53e3ddc	remove deprecated from 20190201 This patch removes every macro and interface that was deprecated in 20190201. Some of them date back to 2016 or 2017. I chose 20190201 as that is the one that is in the previous release of Debian. For any distribution I don't think it makes sense to carry interfaces that were deprecated in version N to version N+1. One thing that particularly annoys me is when audit2allow -R gives deprecated interfaces in it's output. Removing some of these should reduce the incidence of that. I believe this is worthy of merging. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 08:59:34 -05:00
Chris PeBenito	221813c947	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 08:27:35 -05:00
Chris PeBenito	cb93093f4e	Merge pull request #335 from pebenito/drop-dead-modules	2021-01-25 08:22:09 -05:00
Chris PeBenito	ea6002ddf9	devices, virt: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 10:08:02 -05:00
Chris PeBenito	6c2432c8bc	Merge pull request #333 from 0xC0ncord/feature/virt_evdev_tunable	2021-01-19 10:07:29 -05:00
Chris PeBenito	0179413fa3	certbot: Fix lint issues. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 10:01:27 -05:00
Chris PeBenito	0f6c861dfb	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:51:56 -05:00
Chris PeBenito	81b20d6b08	userdomain: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:24:14 -05:00
Russell Coker	c42c407bdc	yet more strict patches fixed More little strict patches, much of which are needed for KDE. With the lines that Chris didn't like removed. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 09:14:16 -05:00
Chris PeBenito	a686e854af	miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:02:13 -05:00
Chris PeBenito	0f02829c61	certbot: Reorder fc lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:57 -05:00
Chris PeBenito	fb95355f98	certbot: Drop aliases since they have never had the old names in refpolicy. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:40 -05:00
Chris PeBenito	3927e3ca50	certbot: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:09 -05:00
Russell Coker	08d32dbc2d	latest iteration of certbot policy as patch Same .te as sent a few days ago, but as a patch and with the other files needed. I think this is ready for inclusion. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 08:49:30 -05:00
Chris PeBenito	437e0c4b97	chromium: Move naclhelper lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 08:39:53 -05:00
Chris PeBenito	34a8c10cb9	chromium: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 08:39:45 -05:00
Russell Coker	31a2b463f7	base chrome/chromium patch fixed This patch is the one I described as "another chromium patch" on the 10th of April last year, but with the issues addressed, and the chromium_t:file manage_file_perms removed as requested. I believe it's ready for inclusion. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 08:39:40 -05:00
Kenton Groombridge	fb377e0953	virt: add boolean to allow evdev passthrough Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-14 18:22:14 -05:00
Chris PeBenito	7b15003eae	Remove modules for programs that are deprecated or no longer supported. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-14 17:14:30 -05:00
Daniel Burgener	93f5fe30f3	Fix typo in comment Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>	2021-01-14 15:07:34 -05:00
Chris PeBenito	bb471c3f1c	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:20:47 -05:00
Chris PeBenito	df5227d6d7	devicekit: Udisks uses udevadm, it does not exec udev. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:18 -05:00
Chris PeBenito	ac51d56ddc	udev: Systemd 246 merged udev and udevadm executables. Drop init_system_domain() for udevadm to break type transition conflicts. Also fix interface naming issues for udevadm interfaces. Fixes #292 Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:18 -05:00
Chris PeBenito	6c69f6e3de	udev: Drop udev_tbl_t. This usage under /dev/.udev has been unused for a very long time and replaced by functionality in /run/udev. Since these have separate types, take this opportunity to revoke these likely unnecessary rules. Fixes #221 Derived from Laurent Bigonville's work in #230 Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:11 -05:00
Chris PeBenito	8c756108db	corosync, pacemaker: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 14:46:10 -05:00
Kenton Groombridge	03713214e2	devices: add interface for IOCTL on input devices Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-13 10:04:53 -05:00
David Schadlich	9fd6bcbcf5	add policy for pcs_snmp_agent create corosync_read_state interface, used by pcs_snmp_agent policy update file context list for corosync to include corosync-cmapctl, this allows pcs_snmp_agent to domtrans when calling it denial for execmem type=AVC msg=audit(1610036202.427:3772): avc: denied { execmem } for pid=10875 comm="ruby" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pcs_snmp_agent_t:s0 tclass=process permissive=1 create contexts for pcs_snmp_agent_t and allow it some self permissions allow pcs_snmp_agent_t to create allows and transision context of those logs allow pcs_snmp_agent_t to read kernel sysctls allow pcs_snmp_agent_t to exec bin_t allow pcs_snmp_agent_t to access pacemaker's cluster information base (cib) type=AVC msg=audit(1610037438.918:4524): avc: denied { read write } for pid=14866 comm="cibadmin" name="qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037438.918:4524): avc: denied { open } for pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1610037438.918:4524): arch=c000003e syscall=2 success=yes exit=5 a0=7ffe28cb09e0 a1=2 a2=180 a3=7ffe28cb02a0 items=1 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) type=AVC msg=audit(1610037438.919:4525): avc: denied { map } for pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1610037438.919:4525): arch=c000003e syscall=9 success=yes exit=140505675866112 a0=0 a1=203c a2=3 a3=1 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) type=AVC msg=audit(1610037438.906:4523): avc: denied { connectto } for pid=14866 comm="cibadmin" path=006369625F72770000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=unix_stream_socket permissive=1 type=SYSCALL msg=audit(1610037438.906:4523): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe28cb2a40 a2=6e a3=7ffe28cb2460 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) allow pcs_snmp_agent_t to read files with usr_t context type=AVC msg=audit(1610037437.737:4513): avc: denied { getattr } for pid=14857 comm="ruby" path="/usr/share/ruby/json.rb" dev="dm-0" ino=78097 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1610037439.029:4532): avc: denied { read } for pid=14869 comm="crm_mon" name="pacemaker" dev="dm-0" ino=78392 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610037561.019:4615): avc: denied { read } for pid=15257 comm="ruby" name="rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.019:4615): avc: denied { open } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.019:4616): avc: denied { getattr } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.020:4617): avc: denied { ioctl } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 ioctlcmd=5401 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to to get cgroup information type=AVC msg=audit(1610036387.957:3864): avc: denied { getattr } for pid=11499 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/pacemaker.service/cgroup.procs" dev="cgroup" ino=31992 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610036480.913:3921): avc: denied { read } for pid=11807 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036665.036:4019): avc: denied { read } for pid=12401 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036788.922:4099): avc: denied { read } for pid=12798 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036944.042:4202): avc: denied { read } for pid=13302 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036977.714:4223): avc: denied { read } for pid=13416 comm="systemctl" name="cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610036977.714:4223): avc: denied { open } for pid=13416 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/corosync.service/cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read nsswitch type=AVC msg=audit(1610037562.211:4626): avc: denied { open } for pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037562.212:4627): avc: denied { getattr } for pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read zoneinfo type=AVC msg=audit(1610035641.390:3398): avc: denied { search } for pid=3838 comm="pcs_snmp_agent" name="zoneinfo" dev="dm-0" ino=69241 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610035767.532:3480): avc: denied { getattr } for pid=3838 comm="pcs_snmp_agent" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610035767.664:3481): avc: denied { read } for pid=9488 comm="ruby" name="GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610035767.664:3481): avc: denied { open } for pid=9488 comm="ruby" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read certificates type=AVC msg=audit(1610037375.994:4485): avc: denied { getattr } for pid=14660 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037499.874:4565): avc: denied { read } for pid=15055 comm="ruby" name="cert.pem" dev="dm-0" ino=38537 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1610037529.975:4584): avc: denied { read } for pid=15144 comm="ruby" name="tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037529.975:4584): avc: denied { open } for pid=15144 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t get service status type=USER_AVC msg=audit(1610034251.683:2349): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/pacemaker.service" cmdline="systemctl status pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1610034251.773:2363): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="systemctl is-enabled pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=s ystem exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1610034252.626:2367): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="systemctl status pacemaker_remote.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclas s=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=AVC msg=audit(1610034251.757:2361): avc: denied { getattr } for pid=4342 comm="systemctl" path="/etc/systemd/system" dev="dm-0" ino=38595 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 allow pcs_snmp_agent_t to search init_t dirs type=AVC msg=audit(1610037317.490:4460): avc: denied { search } for pid=14489 comm="systemctl" name="1" dev="proc" ino=9242 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1 allow pcs_snmp_agent_t to connecto to systemd unix socket type=AVC msg=audit(1610037533.196:4600): avc: denied { connectto } for pid=15174 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1 allow pcs_snmp_agent_t to run corosync in corosync_t domain type=AVC msg=audit(1610037437.793:4515): avc: denied { execute } for pid=14859 comm="ruby" name="corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { read open } for pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { execute_no_trans } for pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { map } for pid=14859 comm="corosync" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610034246.149:2265): avc: denied { execute } for pid=4258 comm="ruby" name="corosync-cmapctl" dev="dm-0" ino=57635 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read corosync state type=AVC msg=audit(1610037503.610:4570): avc: denied { open } for pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037503.611:4571): avc: denied { getattr } for pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to exec hostname type=AVC msg=audit(1610037469.569:4545): avc: denied { execute } for pid=14951 comm="ruby" name="hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { read open } for pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { execute_no_trans } for pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { map } for pid=14951 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to connecto to snmp socket type=AVC msg=audit(1610034242.897:2197): avc: denied { write } for pid=3838 comm="pcs_snmp_agent" name="master" dev="tmpfs" ino=30868 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file permissive=1 type=AVC msg=audit(1610034242.897:2197): avc: denied { connectto } for pid=3838 comm="pcs_snmp_agent" path="/var/agentx/master" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket permissive=1 allow pcs_snmp_agent_t to read systemd journal files type=AVC msg=audit(1610037472.176:4552): avc: denied { map } for pid=14980 comm="systemctl" path="/var/log/journal/c7aa97546e1f4d3783a3aeffeeb749e3/system.journal" dev="tmpfs" ino=146184 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037533.220:4602): avc: denied { read } for pid=15174 comm="systemctl" name="/" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610037533.220:4602): avc: denied { open } for pid=15174 comm="systemctl" path="/var/log/journal" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 Signed-off-by: David Schadlich <dschadlich@owlcyberdefense.com>	2021-01-12 10:30:32 -05:00
Chris PeBenito	010692dda2	Merge pull request #326 from dburgener/no-self Use self keyword when an AV rule source type matches destination	2021-01-04 09:14:46 -05:00
Chris PeBenito	8a1bc98a31	authlogin, init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-17 09:23:18 -05:00
Chris PeBenito	a63c24c6b7	Merge pull request #269 from bauen1/systemd-userdb	2020-12-17 09:22:55 -05:00
Daniel Burgener	37cc0aae1d	Use self keyword when an AV rule source type matches destination This is reported in a new SELint check in soon to be released selint version 1.2.0 Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>	2020-12-15 10:29:52 -05:00
Peter Morrow	b3bfd10ccd	selinux: add selinux_get_all_booleans() interface Allow the caller to read the state of selinuxfs booleans. Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>	2020-12-15 15:19:30 +00:00
Chris PeBenito	cef667fa31	systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-15 09:40:48 -05:00
Chris PeBenito	2c2d27ce70	Merge pull request #324 from dburgener/dburgener/systemd-watch	2020-12-15 09:33:50 -05:00
Daniel Burgener	b3204ea4c1	Allow systemd-ask-password to watch files On systems that use plymouth, systemd-ask-password may set watches on the contents on /run/systemd/ask-password, whereas other scenarions only set watch on the parent directory. Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-12-11 19:47:13 +00:00
Chris PeBenito	c8c418267d	systemd: Add systemd-tty-ask watch for /run/systemd/ask-password. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-12-11 19:45:54 +00:00
Chris PeBenito	87c4adc790	kernel, modutils, userdomain, xserver: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-08 15:13:57 -05:00
Chris PeBenito	97eda18388	Merge pull request #323 from dsugar100/master	2020-12-08 15:09:54 -05:00
Chris PeBenito	7fd6d78c2c	userdomain: Fix error in calling userdom_xdg_user_template(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-08 15:09:27 -05:00
Chris PeBenito	cdfcec0e9a	Merge pull request #320 from 0xC0ncord/master	2020-12-08 15:01:27 -05:00
0xC0ncord	1d15c9e009	userdomain, xserver: move xdg rules to userdom_xdg_user_template xdg rules are normally set in xserver. But, if a modular policy is being used and the xserver module is not present, the required rules for users to be able to access xdg content are never created and thus these files and directories cannot be interacted with by users. This change adds a new template that can be called to grant these privileges to userdomain types as necessary. Signed-off-by: Kenton Groombridge <me@concord.sh>	2020-12-08 10:59:17 -05:00
Dave Sugar	ca5f1a5662	Allow systemd-modules-load to search kernel keys I was seeing the following errors from systemd-modules-load without this search permission. Dec 7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available Dec 7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13 Dec 7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE Dec 7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load" Dec 7 14:36:19 systemd: Failed to start Load Kernel Modules. This is the denial: Dec 7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc: denied { search } for pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-12-08 10:51:44 -05:00
Chris PeBenito	699268ff41	init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:32:57 -05:00
Chris PeBenito	b31d8308da	systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to systemd_stream_connect_socket_proxyd(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:31:22 -05:00
Chris PeBenito	42b184c2a8	systemd: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:31:17 -05:00
(GalaxyMaster)	c98d287fa3	added policy for systemd-socket-proxyd Signed-off-by: (GalaxyMaster) <galaxy4public@users.noreply.github.com>	2020-12-02 17:38:00 +11:00
Chris PeBenito	fe29a74cad	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-22 14:03:11 -05:00
Jason Zaman	d03b8ffdf5	systemd: make remaining dbus_* optional Almost all calls to dbus_ interfaces were already optional, this makes the remaining one optional_policy so that the modules can be installed / upgraded easier. Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	6dd6823280	init: upstream fcontexts from gentoo policy Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	c9880f52d5	Add transition on gentoo init_t to openrc Commit "init: replace call to init_domtrans_script" (`be231899f5` in upstream repo) removed the call to init_domtrans_script which removed the openrc domtrans. This adds it back directly in the distro_gentoo block. Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	b1927e9f39	init: Added fcontext for openrc-shutdown. Signed-off-by: Jonathan Davies <jpds@protonmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	b7acd3c4f9	init: Added fcontext for openrc-init. Signed-off-by: Jonathan Davies <jpds@protonmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	1a39e4dfbe	portage: Added /var/cache/distfiles path. Closes: https://github.com/perfinion/hardened-refpolicy/pull/1 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	0ad23a33ef	getty: allow watching file /run/agetty.reload avc: denied { watch } for pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	a98f25ce73	userdomain: Add watch on home dirs avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Chris PeBenito	82c0b4dd3e	dbus: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-20 09:54:32 -05:00
Daniel Burgener	47c495d6f1	Allow init to mount over the system bus In portable profiles, systemd bind mounts the system bus into process namespaces Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-11-13 14:44:22 +00:00
Chris PeBenito	f1b83f8ef4	lvm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-09 11:45:32 -05:00
Guido Trentalancia	7122154c19	Add LVM module permissions needed to open cryptsetup devices. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/system/lvm.te \| 2 ++ 1 file changed, 2 insertions(+)	2020-11-09 15:43:01 +01:00
Chris PeBenito	aa8d432584	filesystem, xen: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-05 06:55:25 -05:00
Anthony PERARD	4f23a54b52	xen: Allow xenstored to map /proc/xen/xsd_kva xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux boolean "domain_can_mmap_files" in CentOS is set to false the mmap() call fails. Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>	2020-11-05 06:55:17 -05:00
Chris PeBenito	493f56b59d	corosync, pacemaker: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-13 15:25:24 -04:00
Dave Sugar	871348f040	Allow pacemaker to map/read/write corosync shared memory files Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { open } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc: denied { map } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:44:18 -04:00
Dave Sugar	f36e39b45e	pacemaker systemd permissions Allow pacemaker to get status of all running services and reload systemd Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Allow pacemaker to start/sotp all units (when enabled) Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Allow for dynamic creation of unit files (with private type) By using a private type pacemaker doesn't need permission to read/write all init_runtime_t files. Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { write } for pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { add_name } for pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { create } for pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { create } for pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { write open } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc: denied { getattr } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:44:18 -04:00
Dave Sugar	428cc2ef9c	To get pacemaker working in enforcing Allow pacemaker to map its shared memory Sep 27 00:30:32 localhost audispd: node=virtual type=AVC msg=audit(1601166632.229:2936): avc: denied { map } for pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 Label pacemaker private log file Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { write } for pid=7168 comm="pacemakerd" name="/" dev="tmpfs" ino=13995 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { add_name } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { create } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { append open } for pid=7168 comm="pacemakerd" path="/var/log/pacemaker.log" dev="tmpfs" ino=32670 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 It writes to log, but also reads Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.381:2892): avc: denied { read } for pid=7177 comm="pengine" name="pacemaker.log" dev="tmpfs" ino=35813 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_log_t:s0 tclass=file permissive=1 Pacemaker can read stuff in /usr/share/pacemaker/ Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { read } for pid=7173 comm="cib" name="pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { open } for pid=7173 comm="cib" path="/usr/share/pacemaker/pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 pacemaker dbus related stuff Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { write } for pid=7175 comm="lrmd" name="system_bus_socket" dev="tmpfs" ino=13960 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { connectto } for pid=7175 comm="lrmd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.763:2954): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=7175 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.767:2959): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.12 spid=1 tpid=7175 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Pacemaker execute network monitoring Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2962): avc: denied { getattr } for pid=7581 comm="which" path="/usr/sbin/arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.778:2963): avc: denied { execute } for pid=7551 comm="ethmonitor" name="arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.766:2956): avc: denied { getattr } for pid=7556 comm="which" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.767:2957): avc: denied { execute } for pid=7541 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2960): avc: denied { read } for pid=7582 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { open } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { execute_no_trans } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { map } for pid=7582 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { nlmsg_write } for pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Update pacemaker process perms Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.729:2950): avc: denied { getsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.730:2951): avc: denied { setsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 27 00:30:59 localhost audispd: node=virtual type=AVC msg=audit(1601166659.606:2967): avc: denied { signull } for pid=7178 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 pacemaker network communication Sep 29 01:46:08 localhost audispd: node=virtual type=AVC msg=audit(1601343968.444:2963): avc: denied { node_bind } for pid=7681 comm="send_arp" saddr=192.168.11.12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1 Sep 29 02:08:25 localhost audispd: node=virtual type=AVC msg=audit(1601345305.150:3137): avc: denied { net_raw } for pid=8317 comm="send_arp" capability=13 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3094): avc: denied { getcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3095): avc: denied { setcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Let pacemaker exec lib_t files Oct 1 14:48:25 localhost audispd: node=virtual type=AVC msg=audit(1601563705.848:2242): avc: denied { execute_no_trans } for pid=6909 comm="crm_resource" path="/usr/lib/ocf/resource.d/heartbeat/IPsrcaddr" dev="dm-0" ino=82111 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Oct 1 15:01:31 localhost audispd: node=virtual type=AVC msg=audit(1601564491.091:2353): avc: denied { execute_no_trans } for pid=8285 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/ethmonitor" dev="dm-0" ino=82129 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Oct 1 14:49:21 localhost audispd: node=virtual type=AVC msg=audit(1601563761.158:2265): avc: denied { execute_no_trans } for pid=7307 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/IPaddr2" dev="dm-0" ino=82110 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:43:41 -04:00
Dave Sugar	ea1e0e7a9b	Updates for corosync to work in enforcing Allow corosync to map its own shared memory Sep 26 18:45:02 localhost audispd: node=virtual type=AVC msg=audit(1601145902.400:2972): avc: denied { map } for pid=6903 comm="corosync" path="/dev/shm/qb-6903-7028-31-FGGoGv/qb-request-cmap-header" dev="tmpfs" ino=40759 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Setup corosync lock file type Sep 27 17:20:07 localhost audispd: node=virtual type=PATH msg=audit(1601227207.522:3421): item=1 name="/var/lock/subsys/corosync" inode=35029 dev=00:14 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc: denied { read } for pid=6748 comm="corosync" name="lock" dev="dm-0" ino=13082 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc: denied { search } for pid=6748 comm="corosync" name="lock" dev="tmpfs" ino=10248 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { add_name } for pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { create } for pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { write open } for pid=7066 comm="touch" path="/run/lock/subsys/corosync" dev="tmpfs" ino=35048 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 On RHEL7 systemd executes '/usr/share/corosync/corosync start' to start, label these files. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 10:28:00 -04:00
Chris PeBenito	14a45a594b	devices, filesystem, systemd, ntp: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-09 09:45:11 -04:00
Chris PeBenito	785677771d	Merge pull request #313 from bootlin/buildroot-systemd-fixes	2020-10-09 09:42:40 -04:00
Chris PeBenito	b5525a3fca	systemd: Move systemd-pstore block up in alphabetical order. No rule change. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-09 09:42:31 -04:00
Antoine Tenart	35a417d0ef	ntp: allow systemd-timesyn to setfscreate Fixes: avc: denied { setfscreate } for pid=68 comm="systemd-timesyn" scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=process permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	32e5008867	ntp: allow systemd-timesyn to watch dbus objects Fixes: avc: denied { watch } for pid=68 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=2707 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { watch } for pid=68 comm="systemd-timesyn" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=2716 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	e9228b49bb	systemd: allow systemd-network to list the runtime directory Fixes: avc: denied { read } for pid=58 comm="systemd-network" name="/" dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 avc: denied { read } for pid=58 comm="systemd-network" name="/" dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	49a0771dd3	systemd: allow systemd-getty-generator to read and write unallocated ttys Fixes: avc: denied { read write } for pid=40 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" ino=612 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 avc: denied { open } for pid=40 comm="systemd-getty-g" path="/dev/ttyS0" dev="devtmpfs" ino=612 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 avc: denied { ioctl } for pid=40 comm="systemd-getty-g" path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Deepak Rawat	f5c8a117d9	Add selinux-policy for systemd-pstore service systemd-pstore is a service to archive contents of pstore. Signed-off-by: Deepak Rawat <drawat.floss@gmail.com>	2020-10-09 03:20:09 +00:00
Chris PeBenito	bc7a84d643	snmp: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-05 09:55:13 -04:00
Dave Sugar	9da3f3a131	Allow snmpd to read hwdata Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2198): avc: denied { getattr } for pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc: denied { read } for pid=4114 comm="snmpd" name="pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc: denied { open } for pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-01 22:11:28 -04:00
Chris PeBenito	39e2af539d	corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-22 08:27:05 -04:00
Chris PeBenito	941620c89c	Merge pull request #309 from yizhao1/dhcpcd	2020-09-22 08:23:49 -04:00
Antoine Tenart	86476f30cf	corecommands: add entry for Busybox shell Fixes: vc: denied { execute } for pid=87 comm="login" name="sh" dev="vda" ino=408 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:bin_t tclass=file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	fdda7befa5	systemd: allow systemd-resolve to read in tmpfs Fixes: avc: denied { read } for pid=76 comm="systemd-resolve" name="/" dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	34547434b8	systemd: allow systemd-network to get attributes of fs Fixes: avc: denied { getattr } for pid=57 comm="systemd-network" name="/" dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	1ee738f708	systemd: allow systemd-hwdb to search init runtime directories Fixes: avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd" dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1 avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd" dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	f71d288e54	systemd: add extra systemd_generator_t rules Fixes: avc: denied { setfscreate } for pid=41 comm="systemd-getty-g" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1 avc: denied { dac_override } for pid=40 comm="systemd-fstab-g" capability=1 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=capability permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	f99b6907f4	dbus: allow clients to list runtime dirs and named sockets Fixes: avc: denied { read } for pid=77 comm="systemd-resolve" name="dbus" dev="tmpfs" ino=2748 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { read } for pid=77 comm="systemd-resolve" name="system_bus_socket" dev="tmpfs" ino=2765 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="dbus" dev="tmpfs" ino=2777 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="system_bus_socket" dev="tmpfs" ino=2791 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	66c2ff9060	dbus: add two interfaces to allow reading from directories and named sockets Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Yi Zhao	25251b1f3b	sysnet: allow dhcpcd to create socket file The dhcpcd needs to create socket file under /run/dhcpcd directory. Fixes: AVC avc: denied { create } for pid=331 comm="dhcpcd" name="eth0.sock" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file permissive=0 AVC avc: denied { setattr } for pid=331 comm="dhcpcd" name="eth0.sock" dev="tmpfs" ino=19153 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file permissive=0 AVC avc: denied { sendto } for pid=331 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=unix_dgram_socket permissive=0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-09-21 14:23:09 +08:00
Antoine Tenart	23f1e4316b	sysnetwork: allow to read network configuration files Fixes: avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=55 comm="systemd-udevd" name="network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=55 comm="systemd-udevd" name="network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=59 comm="systemd-network" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=59 comm="systemd-network" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { search } for pid=59 comm="systemd-network" name="network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Antoine Tenart	5c604e806b	logging: allow systemd-journal to write messages to the audit socket Fixes: avc: denied { nlmsg_write } for pid=46 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket permissive=1 avc: denied { nlmsg_write } for pid=46 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Antoine Tenart	8cb806fbdf	locallogin: allow login to get attributes of procfs Fixes: avc: denied { getattr } for pid=88 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00

... 2 3 4 5 6 ...

3988 Commits