selinux-refpolicy

Author	SHA1	Message	Date
Chris PeBenito	a7ac056982	Merge pull request #351 from 0xC0ncord/feature/postfix_dovecot_backend	2021-02-03 13:05:27 -05:00
Kenton Groombridge	5b0eee1093	dovecot, postfix: add missing accesses postfix_pipe_t requires reading dovecot configuration and connecting to dovecot stream sockets if configured to use dovecot for local mail delivery. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-02-03 11:36:42 -05:00
Chris PeBenito	ff983a6239	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-03 08:38:26 -05:00
Chris PeBenito	255c5a4ccd	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 14:30:10 -05:00
Chris PeBenito	5ab1b2ee67	Merge pull request #350 from 0xC0ncord/bugfix/various_dontaudit_20200202	2021-02-02 14:28:42 -05:00
Chris PeBenito	6aaa8ee1c7	Merge pull request #349 from 0xC0ncord/bugfix/lvm_tmpfs_perms	2021-02-02 14:28:40 -05:00
Chris PeBenito	8c042fb9be	systemd: Rename systemd_use_machined_devpts(). Renamed to systemd_use_inherited_machined_ptys(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 14:11:47 -05:00
Chris PeBenito	e6fbff4948	systemd: Fix lint errors. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 14:02:49 -05:00
Chris PeBenito	4436cd0d6d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 13:58:24 -05:00
Chris PeBenito	a673712d8a	systemd: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 13:50:45 -05:00
Russell Coker	ab0367b4b6	machined This patch is for systemd-machined. Some of it will probably need discussion but some is obviously good, so Chris maybe you could take the bits you like for this release? Signed-off-by: Russell Coker <russell@coker.com.au>	2021-02-02 13:46:42 -05:00
Chris PeBenito	eae12d8418	apt, bootloader: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 13:32:42 -05:00
Russell Coker	8b4f1e3384	misc apps and admin patches Send again without the section Dominick didn't like. I think it's ready for inclusion. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-02-02 13:29:48 -05:00
Kenton Groombridge	edd4ba6f32	Various fixes Allow dovecot to watch the mail spool, and add various dontaudit rules for several other domains. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-02-02 10:52:59 -05:00
Chris PeBenito	cfb48c28d0	screen: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 08:47:55 -05:00
Chris PeBenito	460cd1a4b1	Merge pull request #346 from jpds/tmux-xdg-config	2021-02-02 08:47:31 -05:00
Chris PeBenito	aa35a710a5	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 08:47:00 -05:00
Chris PeBenito	9e195ea6ae	dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces. Rename interfaces from `a7f3fdabad`. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-02 08:46:41 -05:00
Russell Coker	a7f3fdabad	new version of filetrans patch Name changes suggested by Dominick and some more additions. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-02-02 08:31:14 -05:00
Jonathan Davies	9ec80c1b2f	apps/screen.te: Allow screen to search xdg directories. Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2021-02-01 21:42:12 +00:00
Chris PeBenito	e7065e2442	certbot: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-02-01 15:56:31 -05:00
Kenton Groombridge	ed5d860a8c	lvm: add lvm_tmpfs_t type and rules cryptsetup uses tmpfs when performing some operations on encrypted volumes such as changing keys. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-02-01 15:46:24 -05:00
Kenton Groombridge	3ce27e68d9	certbot: add support for acme.sh Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-02-01 15:29:24 -05:00
Jonathan Davies	2bdfc5c742	apps/screen.fc: Added fcontext for tmux xdg directory. Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2021-01-29 14:56:29 +00:00
Chris PeBenito	072c0a9458	userdomain, gpg: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-29 08:35:12 -05:00
Dave Sugar	09bd4af708	Work with xdg module disabled These two cases I see when building on a system without graphical interface. Move userdom_xdg_user_template into optional block gpg module doesn't require a graphical front end, move xdg_read_data_files into optional block Signed-off-by: Dave Sugar <dsugar@tresys.com>	2021-01-28 18:13:33 -05:00
Chris PeBenito	3d8e755d85	pacemaker: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 15:28:06 -05:00
Chris PeBenito	9a40ead091	Merge pull request #341 from dsugar100/master	2021-01-28 15:27:53 -05:00
Chris PeBenito	bc746ff391	sudo, spamassassin: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 15:27:03 -05:00
Chris PeBenito	2e6d7b8cb9	Merge pull request #339 from 0xC0ncord/feature/sudodomain_http_connect_boolean	2021-01-28 15:24:38 -05:00
Chris PeBenito	733e8519cc	Merge pull request #336 from 0xC0ncord/feature/rspamd_extra_rules	2021-01-28 15:24:34 -05:00
Dave Sugar	f6987e9d82	pcs_snmpd_agent_t fix denials to allow it to read needed queues Jan 27 18:16:51 audispd: node=virtual type=AVC msg=audit(1611771411.553:9337): avc: denied { search } for pid=13880 comm="cibadmin" name="qb-6671-13880-13-bRhDEX" dev="tmpfs" ino=88809 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=dir permissive=0 Jan 27 19:53:46 audispd: node=virtual type=AVC msg=audit(1611777226.144:25975): avc: denied { getattr } for pid=29489 comm="systemctl" name="/" dev="tmpfs" ino=14072 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2021-01-28 15:20:20 -05:00
Kenton Groombridge	95dd9ebf61	sudo: add tunable for HTTP connections Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-28 15:11:19 -05:00
Chris PeBenito	98681ea89e	samba: Fix lint error. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:57:19 -05:00
Chris PeBenito	a404dc677e	aptcacher: Drop broken config interfaces. The aptcacher_etc_t type does not exist in the policy. The block in cron will never be enabled because of this, so drop that too. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:57:08 -05:00
Chris PeBenito	920ecf48ce	apache: Really fix lint error. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:34:02 -05:00
Chris PeBenito	cf91901018	apache: Fix lint error. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:29:26 -05:00
Chris PeBenito	744290159e	apache, fail2ban, stunnel: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 14:26:31 -05:00
Chris PeBenito	981e741a51	Merge pull request #337 from 0xC0ncord/bugfix/fail2ban_journald_map	2021-01-28 13:54:16 -05:00
Chris PeBenito	7bf7abd525	Merge pull request #340 from 0xC0ncord/feature/apache_list_dirs_interface	2021-01-28 13:51:17 -05:00
Chris PeBenito	63b25831a4	Merge pull request #338 from 0xC0ncord/feature/stunnel_logging_type	2021-01-28 13:50:46 -05:00
Chris PeBenito	a3e13450e2	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:39:49 -05:00
Chris PeBenito	09fd2a29cf	samba: Add missing userspace class requirements in unit interfaces. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:39:34 -05:00
Chris PeBenito	94e424aa9b	sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba block. This moves the existing samba_manage_config(dhcpc_t) that is not tunable into the tunable block. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:30:40 -05:00
Chris PeBenito	5d29c35b89	samba: Move service interface definitions. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 11:27:54 -05:00
Russell Coker	ac5b8737fd	misc network patches with Dominick's changes*2 I think this one is good for merging now. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-28 11:22:07 -05:00
Chris PeBenito	621baf7752	samba: Fix samba_runtime_t alias use. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:55:54 -05:00
Chris PeBenito	882633aa13	cron: Make backup call for system_cronjob_t optional. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:55:35 -05:00
Chris PeBenito	9f8164d35d	devicekit, jabber, samba: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:55:09 -05:00
Chris PeBenito	982cb068c2	apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-28 10:53:04 -05:00
Russell Coker	55c3c1dcaa	misc services patches with changes Dominick and Chris wanted I think this one is ready to merge. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-28 10:06:16 -05:00
Kenton Groombridge	4e15f5dfe4	apache: add interface for list dir perms on httpd content This is needed by some webservers such as nginx when autoindexing is enabled. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-27 15:41:16 -05:00
Kenton Groombridge	c8f723b96e	spamassassin: add rspamd support and tunable Additional rules are required to enable rspamd support. This commit adds file contexts for rspamd's files and adds a tunable that enables the additional rules needed for rspamd to function. Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-26 20:10:54 -05:00
Kenton Groombridge	8fc4aa59a9	fail2ban: allow reading systemd journal Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-26 18:19:20 -05:00
Kenton Groombridge	e34e339b96	stunnel: add log type and rules Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-26 18:05:56 -05:00
Chris PeBenito	c521270688	memlockd: Fix lint issue. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 10:29:42 -05:00
Chris PeBenito	87ffc9472a	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 09:48:59 -05:00
Chris PeBenito	9f98b92ee5	memlockd: Whitespace fixes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 09:46:20 -05:00
Chris PeBenito	157b7edcbb	memlockd: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 09:46:04 -05:00
Russell Coker	88c8189207	latest memlockd patch Includes the ifndef(`distro_debian' section that was requested. Should be ready for merging now. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 09:39:26 -05:00
Russell Coker	da9b6306ea	more Chrome stuff Patches for some more Chrome stuff Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 09:36:56 -05:00
Russell Coker	eef53e3ddc	remove deprecated from 20190201 This patch removes every macro and interface that was deprecated in 20190201. Some of them date back to 2016 or 2017. I chose 20190201 as that is the one that is in the previous release of Debian. For any distribution I don't think it makes sense to carry interfaces that were deprecated in version N to version N+1. One thing that particularly annoys me is when audit2allow -R gives deprecated interfaces in it's output. Removing some of these should reduce the incidence of that. I believe this is worthy of merging. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 08:59:34 -05:00
Chris PeBenito	221813c947	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 08:27:35 -05:00
Chris PeBenito	cb93093f4e	Merge pull request #335 from pebenito/drop-dead-modules	2021-01-25 08:22:09 -05:00
Chris PeBenito	ea6002ddf9	devices, virt: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 10:08:02 -05:00
Chris PeBenito	6c2432c8bc	Merge pull request #333 from 0xC0ncord/feature/virt_evdev_tunable	2021-01-19 10:07:29 -05:00
Chris PeBenito	0179413fa3	certbot: Fix lint issues. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 10:01:27 -05:00
Chris PeBenito	0f6c861dfb	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:51:56 -05:00
Chris PeBenito	81b20d6b08	userdomain: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:24:14 -05:00
Russell Coker	c42c407bdc	yet more strict patches fixed More little strict patches, much of which are needed for KDE. With the lines that Chris didn't like removed. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 09:14:16 -05:00
Chris PeBenito	a686e854af	miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:02:13 -05:00
Chris PeBenito	0f02829c61	certbot: Reorder fc lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:57 -05:00
Chris PeBenito	fb95355f98	certbot: Drop aliases since they have never had the old names in refpolicy. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:40 -05:00
Chris PeBenito	3927e3ca50	certbot: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:09 -05:00
Russell Coker	08d32dbc2d	latest iteration of certbot policy as patch Same .te as sent a few days ago, but as a patch and with the other files needed. I think this is ready for inclusion. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 08:49:30 -05:00
Chris PeBenito	437e0c4b97	chromium: Move naclhelper lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 08:39:53 -05:00
Chris PeBenito	34a8c10cb9	chromium: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 08:39:45 -05:00
Russell Coker	31a2b463f7	base chrome/chromium patch fixed This patch is the one I described as "another chromium patch" on the 10th of April last year, but with the issues addressed, and the chromium_t:file manage_file_perms removed as requested. I believe it's ready for inclusion. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 08:39:40 -05:00
Kenton Groombridge	fb377e0953	virt: add boolean to allow evdev passthrough Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-14 18:22:14 -05:00
Chris PeBenito	7b15003eae	Remove modules for programs that are deprecated or no longer supported. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-14 17:14:30 -05:00
Daniel Burgener	93f5fe30f3	Fix typo in comment Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>	2021-01-14 15:07:34 -05:00
Chris PeBenito	bb471c3f1c	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:20:47 -05:00
Chris PeBenito	df5227d6d7	devicekit: Udisks uses udevadm, it does not exec udev. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:18 -05:00
Chris PeBenito	ac51d56ddc	udev: Systemd 246 merged udev and udevadm executables. Drop init_system_domain() for udevadm to break type transition conflicts. Also fix interface naming issues for udevadm interfaces. Fixes #292 Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:18 -05:00
Chris PeBenito	6c69f6e3de	udev: Drop udev_tbl_t. This usage under /dev/.udev has been unused for a very long time and replaced by functionality in /run/udev. Since these have separate types, take this opportunity to revoke these likely unnecessary rules. Fixes #221 Derived from Laurent Bigonville's work in #230 Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:11 -05:00
Chris PeBenito	8c756108db	corosync, pacemaker: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 14:46:10 -05:00
Kenton Groombridge	03713214e2	devices: add interface for IOCTL on input devices Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-13 10:04:53 -05:00
David Schadlich	9fd6bcbcf5	add policy for pcs_snmp_agent create corosync_read_state interface, used by pcs_snmp_agent policy update file context list for corosync to include corosync-cmapctl, this allows pcs_snmp_agent to domtrans when calling it denial for execmem type=AVC msg=audit(1610036202.427:3772): avc: denied { execmem } for pid=10875 comm="ruby" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pcs_snmp_agent_t:s0 tclass=process permissive=1 create contexts for pcs_snmp_agent_t and allow it some self permissions allow pcs_snmp_agent_t to create allows and transision context of those logs allow pcs_snmp_agent_t to read kernel sysctls allow pcs_snmp_agent_t to exec bin_t allow pcs_snmp_agent_t to access pacemaker's cluster information base (cib) type=AVC msg=audit(1610037438.918:4524): avc: denied { read write } for pid=14866 comm="cibadmin" name="qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037438.918:4524): avc: denied { open } for pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1610037438.918:4524): arch=c000003e syscall=2 success=yes exit=5 a0=7ffe28cb09e0 a1=2 a2=180 a3=7ffe28cb02a0 items=1 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) type=AVC msg=audit(1610037438.919:4525): avc: denied { map } for pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1610037438.919:4525): arch=c000003e syscall=9 success=yes exit=140505675866112 a0=0 a1=203c a2=3 a3=1 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) type=AVC msg=audit(1610037438.906:4523): avc: denied { connectto } for pid=14866 comm="cibadmin" path=006369625F72770000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=unix_stream_socket permissive=1 type=SYSCALL msg=audit(1610037438.906:4523): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe28cb2a40 a2=6e a3=7ffe28cb2460 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) allow pcs_snmp_agent_t to read files with usr_t context type=AVC msg=audit(1610037437.737:4513): avc: denied { getattr } for pid=14857 comm="ruby" path="/usr/share/ruby/json.rb" dev="dm-0" ino=78097 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1610037439.029:4532): avc: denied { read } for pid=14869 comm="crm_mon" name="pacemaker" dev="dm-0" ino=78392 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610037561.019:4615): avc: denied { read } for pid=15257 comm="ruby" name="rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.019:4615): avc: denied { open } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.019:4616): avc: denied { getattr } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.020:4617): avc: denied { ioctl } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 ioctlcmd=5401 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to to get cgroup information type=AVC msg=audit(1610036387.957:3864): avc: denied { getattr } for pid=11499 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/pacemaker.service/cgroup.procs" dev="cgroup" ino=31992 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610036480.913:3921): avc: denied { read } for pid=11807 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036665.036:4019): avc: denied { read } for pid=12401 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036788.922:4099): avc: denied { read } for pid=12798 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036944.042:4202): avc: denied { read } for pid=13302 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036977.714:4223): avc: denied { read } for pid=13416 comm="systemctl" name="cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610036977.714:4223): avc: denied { open } for pid=13416 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/corosync.service/cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read nsswitch type=AVC msg=audit(1610037562.211:4626): avc: denied { open } for pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037562.212:4627): avc: denied { getattr } for pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read zoneinfo type=AVC msg=audit(1610035641.390:3398): avc: denied { search } for pid=3838 comm="pcs_snmp_agent" name="zoneinfo" dev="dm-0" ino=69241 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610035767.532:3480): avc: denied { getattr } for pid=3838 comm="pcs_snmp_agent" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610035767.664:3481): avc: denied { read } for pid=9488 comm="ruby" name="GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610035767.664:3481): avc: denied { open } for pid=9488 comm="ruby" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read certificates type=AVC msg=audit(1610037375.994:4485): avc: denied { getattr } for pid=14660 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037499.874:4565): avc: denied { read } for pid=15055 comm="ruby" name="cert.pem" dev="dm-0" ino=38537 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1610037529.975:4584): avc: denied { read } for pid=15144 comm="ruby" name="tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037529.975:4584): avc: denied { open } for pid=15144 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t get service status type=USER_AVC msg=audit(1610034251.683:2349): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/pacemaker.service" cmdline="systemctl status pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1610034251.773:2363): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="systemctl is-enabled pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=s ystem exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1610034252.626:2367): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="systemctl status pacemaker_remote.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclas s=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=AVC msg=audit(1610034251.757:2361): avc: denied { getattr } for pid=4342 comm="systemctl" path="/etc/systemd/system" dev="dm-0" ino=38595 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 allow pcs_snmp_agent_t to search init_t dirs type=AVC msg=audit(1610037317.490:4460): avc: denied { search } for pid=14489 comm="systemctl" name="1" dev="proc" ino=9242 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1 allow pcs_snmp_agent_t to connecto to systemd unix socket type=AVC msg=audit(1610037533.196:4600): avc: denied { connectto } for pid=15174 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1 allow pcs_snmp_agent_t to run corosync in corosync_t domain type=AVC msg=audit(1610037437.793:4515): avc: denied { execute } for pid=14859 comm="ruby" name="corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { read open } for pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { execute_no_trans } for pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { map } for pid=14859 comm="corosync" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610034246.149:2265): avc: denied { execute } for pid=4258 comm="ruby" name="corosync-cmapctl" dev="dm-0" ino=57635 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read corosync state type=AVC msg=audit(1610037503.610:4570): avc: denied { open } for pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037503.611:4571): avc: denied { getattr } for pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to exec hostname type=AVC msg=audit(1610037469.569:4545): avc: denied { execute } for pid=14951 comm="ruby" name="hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { read open } for pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { execute_no_trans } for pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { map } for pid=14951 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to connecto to snmp socket type=AVC msg=audit(1610034242.897:2197): avc: denied { write } for pid=3838 comm="pcs_snmp_agent" name="master" dev="tmpfs" ino=30868 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file permissive=1 type=AVC msg=audit(1610034242.897:2197): avc: denied { connectto } for pid=3838 comm="pcs_snmp_agent" path="/var/agentx/master" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket permissive=1 allow pcs_snmp_agent_t to read systemd journal files type=AVC msg=audit(1610037472.176:4552): avc: denied { map } for pid=14980 comm="systemctl" path="/var/log/journal/c7aa97546e1f4d3783a3aeffeeb749e3/system.journal" dev="tmpfs" ino=146184 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037533.220:4602): avc: denied { read } for pid=15174 comm="systemctl" name="/" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610037533.220:4602): avc: denied { open } for pid=15174 comm="systemctl" path="/var/log/journal" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 Signed-off-by: David Schadlich <dschadlich@owlcyberdefense.com>	2021-01-12 10:30:32 -05:00
Chris PeBenito	010692dda2	Merge pull request #326 from dburgener/no-self Use self keyword when an AV rule source type matches destination	2021-01-04 09:14:46 -05:00
Chris PeBenito	8a1bc98a31	authlogin, init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-17 09:23:18 -05:00
Chris PeBenito	a63c24c6b7	Merge pull request #269 from bauen1/systemd-userdb	2020-12-17 09:22:55 -05:00
Daniel Burgener	37cc0aae1d	Use self keyword when an AV rule source type matches destination This is reported in a new SELint check in soon to be released selint version 1.2.0 Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>	2020-12-15 10:29:52 -05:00
Peter Morrow	b3bfd10ccd	selinux: add selinux_get_all_booleans() interface Allow the caller to read the state of selinuxfs booleans. Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>	2020-12-15 15:19:30 +00:00
Chris PeBenito	cef667fa31	systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-15 09:40:48 -05:00
Chris PeBenito	2c2d27ce70	Merge pull request #324 from dburgener/dburgener/systemd-watch	2020-12-15 09:33:50 -05:00
Daniel Burgener	b3204ea4c1	Allow systemd-ask-password to watch files On systems that use plymouth, systemd-ask-password may set watches on the contents on /run/systemd/ask-password, whereas other scenarions only set watch on the parent directory. Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-12-11 19:47:13 +00:00
Chris PeBenito	c8c418267d	systemd: Add systemd-tty-ask watch for /run/systemd/ask-password. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-12-11 19:45:54 +00:00
Chris PeBenito	87c4adc790	kernel, modutils, userdomain, xserver: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-08 15:13:57 -05:00
Chris PeBenito	97eda18388	Merge pull request #323 from dsugar100/master	2020-12-08 15:09:54 -05:00
Chris PeBenito	7fd6d78c2c	userdomain: Fix error in calling userdom_xdg_user_template(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-08 15:09:27 -05:00
Chris PeBenito	cdfcec0e9a	Merge pull request #320 from 0xC0ncord/master	2020-12-08 15:01:27 -05:00
0xC0ncord	1d15c9e009	userdomain, xserver: move xdg rules to userdom_xdg_user_template xdg rules are normally set in xserver. But, if a modular policy is being used and the xserver module is not present, the required rules for users to be able to access xdg content are never created and thus these files and directories cannot be interacted with by users. This change adds a new template that can be called to grant these privileges to userdomain types as necessary. Signed-off-by: Kenton Groombridge <me@concord.sh>	2020-12-08 10:59:17 -05:00
Dave Sugar	ca5f1a5662	Allow systemd-modules-load to search kernel keys I was seeing the following errors from systemd-modules-load without this search permission. Dec 7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available Dec 7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13 Dec 7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE Dec 7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load" Dec 7 14:36:19 systemd: Failed to start Load Kernel Modules. This is the denial: Dec 7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc: denied { search } for pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-12-08 10:51:44 -05:00
Chris PeBenito	699268ff41	init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:32:57 -05:00
Chris PeBenito	b31d8308da	systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to systemd_stream_connect_socket_proxyd(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:31:22 -05:00
Chris PeBenito	42b184c2a8	systemd: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:31:17 -05:00
(GalaxyMaster)	c98d287fa3	added policy for systemd-socket-proxyd Signed-off-by: (GalaxyMaster) <galaxy4public@users.noreply.github.com>	2020-12-02 17:38:00 +11:00
Chris PeBenito	fe29a74cad	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-22 14:03:11 -05:00
Jason Zaman	d03b8ffdf5	systemd: make remaining dbus_* optional Almost all calls to dbus_ interfaces were already optional, this makes the remaining one optional_policy so that the modules can be installed / upgraded easier. Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	6dd6823280	init: upstream fcontexts from gentoo policy Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	c9880f52d5	Add transition on gentoo init_t to openrc Commit "init: replace call to init_domtrans_script" (`be231899f5` in upstream repo) removed the call to init_domtrans_script which removed the openrc domtrans. This adds it back directly in the distro_gentoo block. Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	b1927e9f39	init: Added fcontext for openrc-shutdown. Signed-off-by: Jonathan Davies <jpds@protonmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	b7acd3c4f9	init: Added fcontext for openrc-init. Signed-off-by: Jonathan Davies <jpds@protonmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	1a39e4dfbe	portage: Added /var/cache/distfiles path. Closes: https://github.com/perfinion/hardened-refpolicy/pull/1 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	0ad23a33ef	getty: allow watching file /run/agetty.reload avc: denied { watch } for pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	a98f25ce73	userdomain: Add watch on home dirs avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Chris PeBenito	82c0b4dd3e	dbus: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-20 09:54:32 -05:00
Daniel Burgener	47c495d6f1	Allow init to mount over the system bus In portable profiles, systemd bind mounts the system bus into process namespaces Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-11-13 14:44:22 +00:00
Chris PeBenito	f1b83f8ef4	lvm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-09 11:45:32 -05:00
Guido Trentalancia	7122154c19	Add LVM module permissions needed to open cryptsetup devices. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/system/lvm.te \| 2 ++ 1 file changed, 2 insertions(+)	2020-11-09 15:43:01 +01:00
Chris PeBenito	aa8d432584	filesystem, xen: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-05 06:55:25 -05:00
Anthony PERARD	4f23a54b52	xen: Allow xenstored to map /proc/xen/xsd_kva xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux boolean "domain_can_mmap_files" in CentOS is set to false the mmap() call fails. Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>	2020-11-05 06:55:17 -05:00
Chris PeBenito	493f56b59d	corosync, pacemaker: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-13 15:25:24 -04:00
Dave Sugar	871348f040	Allow pacemaker to map/read/write corosync shared memory files Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { open } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc: denied { map } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:44:18 -04:00
Dave Sugar	f36e39b45e	pacemaker systemd permissions Allow pacemaker to get status of all running services and reload systemd Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Allow pacemaker to start/sotp all units (when enabled) Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Allow for dynamic creation of unit files (with private type) By using a private type pacemaker doesn't need permission to read/write all init_runtime_t files. Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { write } for pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { add_name } for pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { create } for pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { create } for pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { write open } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc: denied { getattr } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:44:18 -04:00
Dave Sugar	428cc2ef9c	To get pacemaker working in enforcing Allow pacemaker to map its shared memory Sep 27 00:30:32 localhost audispd: node=virtual type=AVC msg=audit(1601166632.229:2936): avc: denied { map } for pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 Label pacemaker private log file Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { write } for pid=7168 comm="pacemakerd" name="/" dev="tmpfs" ino=13995 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { add_name } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { create } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { append open } for pid=7168 comm="pacemakerd" path="/var/log/pacemaker.log" dev="tmpfs" ino=32670 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 It writes to log, but also reads Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.381:2892): avc: denied { read } for pid=7177 comm="pengine" name="pacemaker.log" dev="tmpfs" ino=35813 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_log_t:s0 tclass=file permissive=1 Pacemaker can read stuff in /usr/share/pacemaker/ Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { read } for pid=7173 comm="cib" name="pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { open } for pid=7173 comm="cib" path="/usr/share/pacemaker/pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 pacemaker dbus related stuff Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { write } for pid=7175 comm="lrmd" name="system_bus_socket" dev="tmpfs" ino=13960 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { connectto } for pid=7175 comm="lrmd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.763:2954): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=7175 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.767:2959): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.12 spid=1 tpid=7175 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Pacemaker execute network monitoring Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2962): avc: denied { getattr } for pid=7581 comm="which" path="/usr/sbin/arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.778:2963): avc: denied { execute } for pid=7551 comm="ethmonitor" name="arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.766:2956): avc: denied { getattr } for pid=7556 comm="which" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.767:2957): avc: denied { execute } for pid=7541 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2960): avc: denied { read } for pid=7582 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { open } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { execute_no_trans } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { map } for pid=7582 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { nlmsg_write } for pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Update pacemaker process perms Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.729:2950): avc: denied { getsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.730:2951): avc: denied { setsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 27 00:30:59 localhost audispd: node=virtual type=AVC msg=audit(1601166659.606:2967): avc: denied { signull } for pid=7178 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 pacemaker network communication Sep 29 01:46:08 localhost audispd: node=virtual type=AVC msg=audit(1601343968.444:2963): avc: denied { node_bind } for pid=7681 comm="send_arp" saddr=192.168.11.12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1 Sep 29 02:08:25 localhost audispd: node=virtual type=AVC msg=audit(1601345305.150:3137): avc: denied { net_raw } for pid=8317 comm="send_arp" capability=13 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3094): avc: denied { getcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3095): avc: denied { setcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Let pacemaker exec lib_t files Oct 1 14:48:25 localhost audispd: node=virtual type=AVC msg=audit(1601563705.848:2242): avc: denied { execute_no_trans } for pid=6909 comm="crm_resource" path="/usr/lib/ocf/resource.d/heartbeat/IPsrcaddr" dev="dm-0" ino=82111 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Oct 1 15:01:31 localhost audispd: node=virtual type=AVC msg=audit(1601564491.091:2353): avc: denied { execute_no_trans } for pid=8285 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/ethmonitor" dev="dm-0" ino=82129 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Oct 1 14:49:21 localhost audispd: node=virtual type=AVC msg=audit(1601563761.158:2265): avc: denied { execute_no_trans } for pid=7307 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/IPaddr2" dev="dm-0" ino=82110 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:43:41 -04:00
Dave Sugar	ea1e0e7a9b	Updates for corosync to work in enforcing Allow corosync to map its own shared memory Sep 26 18:45:02 localhost audispd: node=virtual type=AVC msg=audit(1601145902.400:2972): avc: denied { map } for pid=6903 comm="corosync" path="/dev/shm/qb-6903-7028-31-FGGoGv/qb-request-cmap-header" dev="tmpfs" ino=40759 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Setup corosync lock file type Sep 27 17:20:07 localhost audispd: node=virtual type=PATH msg=audit(1601227207.522:3421): item=1 name="/var/lock/subsys/corosync" inode=35029 dev=00:14 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc: denied { read } for pid=6748 comm="corosync" name="lock" dev="dm-0" ino=13082 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc: denied { search } for pid=6748 comm="corosync" name="lock" dev="tmpfs" ino=10248 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { add_name } for pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { create } for pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { write open } for pid=7066 comm="touch" path="/run/lock/subsys/corosync" dev="tmpfs" ino=35048 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 On RHEL7 systemd executes '/usr/share/corosync/corosync start' to start, label these files. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 10:28:00 -04:00
Chris PeBenito	14a45a594b	devices, filesystem, systemd, ntp: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-09 09:45:11 -04:00
Chris PeBenito	785677771d	Merge pull request #313 from bootlin/buildroot-systemd-fixes	2020-10-09 09:42:40 -04:00
Chris PeBenito	b5525a3fca	systemd: Move systemd-pstore block up in alphabetical order. No rule change. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-09 09:42:31 -04:00
Antoine Tenart	35a417d0ef	ntp: allow systemd-timesyn to setfscreate Fixes: avc: denied { setfscreate } for pid=68 comm="systemd-timesyn" scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=process permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	32e5008867	ntp: allow systemd-timesyn to watch dbus objects Fixes: avc: denied { watch } for pid=68 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=2707 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { watch } for pid=68 comm="systemd-timesyn" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=2716 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	e9228b49bb	systemd: allow systemd-network to list the runtime directory Fixes: avc: denied { read } for pid=58 comm="systemd-network" name="/" dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 avc: denied { read } for pid=58 comm="systemd-network" name="/" dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	49a0771dd3	systemd: allow systemd-getty-generator to read and write unallocated ttys Fixes: avc: denied { read write } for pid=40 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" ino=612 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 avc: denied { open } for pid=40 comm="systemd-getty-g" path="/dev/ttyS0" dev="devtmpfs" ino=612 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 avc: denied { ioctl } for pid=40 comm="systemd-getty-g" path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Deepak Rawat	f5c8a117d9	Add selinux-policy for systemd-pstore service systemd-pstore is a service to archive contents of pstore. Signed-off-by: Deepak Rawat <drawat.floss@gmail.com>	2020-10-09 03:20:09 +00:00
Chris PeBenito	bc7a84d643	snmp: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-05 09:55:13 -04:00
Dave Sugar	9da3f3a131	Allow snmpd to read hwdata Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2198): avc: denied { getattr } for pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc: denied { read } for pid=4114 comm="snmpd" name="pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc: denied { open } for pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-01 22:11:28 -04:00
Chris PeBenito	39e2af539d	corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-22 08:27:05 -04:00
Chris PeBenito	941620c89c	Merge pull request #309 from yizhao1/dhcpcd	2020-09-22 08:23:49 -04:00
Antoine Tenart	86476f30cf	corecommands: add entry for Busybox shell Fixes: vc: denied { execute } for pid=87 comm="login" name="sh" dev="vda" ino=408 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:bin_t tclass=file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	fdda7befa5	systemd: allow systemd-resolve to read in tmpfs Fixes: avc: denied { read } for pid=76 comm="systemd-resolve" name="/" dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	34547434b8	systemd: allow systemd-network to get attributes of fs Fixes: avc: denied { getattr } for pid=57 comm="systemd-network" name="/" dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	1ee738f708	systemd: allow systemd-hwdb to search init runtime directories Fixes: avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd" dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1 avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd" dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	f71d288e54	systemd: add extra systemd_generator_t rules Fixes: avc: denied { setfscreate } for pid=41 comm="systemd-getty-g" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1 avc: denied { dac_override } for pid=40 comm="systemd-fstab-g" capability=1 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=capability permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	f99b6907f4	dbus: allow clients to list runtime dirs and named sockets Fixes: avc: denied { read } for pid=77 comm="systemd-resolve" name="dbus" dev="tmpfs" ino=2748 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { read } for pid=77 comm="systemd-resolve" name="system_bus_socket" dev="tmpfs" ino=2765 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="dbus" dev="tmpfs" ino=2777 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="system_bus_socket" dev="tmpfs" ino=2791 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	66c2ff9060	dbus: add two interfaces to allow reading from directories and named sockets Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Yi Zhao	25251b1f3b	sysnet: allow dhcpcd to create socket file The dhcpcd needs to create socket file under /run/dhcpcd directory. Fixes: AVC avc: denied { create } for pid=331 comm="dhcpcd" name="eth0.sock" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file permissive=0 AVC avc: denied { setattr } for pid=331 comm="dhcpcd" name="eth0.sock" dev="tmpfs" ino=19153 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file permissive=0 AVC avc: denied { sendto } for pid=331 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=unix_dgram_socket permissive=0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-09-21 14:23:09 +08:00
Antoine Tenart	23f1e4316b	sysnetwork: allow to read network configuration files Fixes: avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=55 comm="systemd-udevd" name="network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=55 comm="systemd-udevd" name="network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=59 comm="systemd-network" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=59 comm="systemd-network" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { search } for pid=59 comm="systemd-network" name="network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Antoine Tenart	5c604e806b	logging: allow systemd-journal to write messages to the audit socket Fixes: avc: denied { nlmsg_write } for pid=46 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket permissive=1 avc: denied { nlmsg_write } for pid=46 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Antoine Tenart	8cb806fbdf	locallogin: allow login to get attributes of procfs Fixes: avc: denied { getattr } for pid=88 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Antoine Tenart	7014af08ff	udev: allow udevadm to retrieve xattrs Fixes: avc: denied { getattr } for pid=50 comm="udevadm" name="/" dev="vda" ino=2 scontext=system_u:system_r:udevadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 avc: denied { getattr } for pid=52 comm="udevadm" name="/" dev="vda" ino=2 scontext=system_u:system_r:udevadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Chris PeBenito	c33866e1f6	selinux, init, systemd, rpm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-09 16:55:06 -04:00
Chris PeBenito	4e2b3545c6	Merge pull request #308 from cgzones/systemd_status	2020-09-09 16:54:23 -04:00
Christian Göttsche	24827d8073	selinux: add selinux_use_status_page and deprecate selinux_map_security_files Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-09-09 21:00:47 +02:00
Chris PeBenito	a0aee3cbcc	bind: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-09 11:25:28 -04:00
Dominick Grift	93113bce78	bind: add a few fc specs for unbound unbound-checkconf is the unbound bind-checkconf equivalent unbound-control is the unbound bind ndc equivalent Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>	2020-09-09 11:24:43 -04:00
Christian Göttsche	1103350ee3	init/systemd: allow systemd to map the SELinux status page systemd v247 will access the SELinux status page. This affects all domains currently opening the label database, having the permission seutil_read_file_contexts. see https://github.com/systemd/systemd/pull/16821 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-09-08 13:18:18 +02:00
Chris PeBenito	dcf7ae9f48	userdomain: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-31 15:36:14 -04:00
Jonathan Davies	9d3321e4fe	userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded. Thanks to Dominick Grift for helping me pin-point this. Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2020-08-29 20:43:38 +00:00
Chris PeBenito	72e221fd4d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-28 15:30:52 -04:00
Chris PeBenito	cc15ff2086	Merge pull request #302 from dsugar100/master	2020-08-28 15:26:50 -04:00
Chris PeBenito	74b37e16db	Merge pull request #301 from bauen1/fix-selint-s-010	2020-08-28 15:26:47 -04:00
bauen1	fa59d0e9bc	selint: fix S-010 Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-28 17:39:09 +02:00
Dave Sugar	1627ab361e	Looks like this got dropped in pull request #294 Seeing the following denial - adding back in: localhost kernel: type=1400 audit(1598497795.109:57): avc: denied { map } for pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0 Signed-off-by: Dave Sugar <dsugar100@gmail.com>	2020-08-27 08:10:58 -04:00
Chris PeBenito	f8b0c1641c	acpi: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-26 12:52:59 -07:00
Chris PeBenito	3991ecf54f	Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into jpds-acpid_shutdown	2020-08-26 12:49:14 -07:00
Jonathan Davies	99ad371868	acpi.te: Removed unnecessary init_write_initctl(). Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2020-08-25 22:53:40 +00:00
Christian Göttsche	850fefc626	postfixpolicyd: split multi-class rule The rule uses the permission manage_file_perms on the classes file and sock_file. This won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues. Found by SELint Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-25 20:44:16 +02:00
bauen1	b172fd71d2	systemd-logind: utilize nsswitch Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-24 16:37:10 +02:00
bauen1	69b709930a	authlogin: connect to userdb Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-24 16:37:10 +02:00
bauen1	ada848b352	systemd: private type for /run/systemd/userdb Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-24 16:37:07 +02:00
Jonathan Davies	ec0ebc8b11	acpi.te: Allow acpid_t to shutdown the system - this is required to handle shutdown calls from libvirt. Fixes #298 . Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2020-08-23 20:00:29 +00:00
Chris PeBenito	d387e79989	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-18 09:09:10 -04:00
Chris PeBenito	ab47695bdb	files, init, modutils, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-14 09:38:09 -04:00
Chris PeBenito	e10d956f38	Merge pull request #294 from cgzones/selint	2020-08-14 09:36:44 -04:00
Chris PeBenito	60516aaeaa	xserver: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-14 08:53:38 -04:00
Yi Zhao	afb2021524	xserver: allow xserver_t to connect to resmgrd This was probably a typo: resmgr_stream_connect(xdm_t) -> resmgr_stream_connect(xserver_t) Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-08-14 11:13:34 +08:00
Yi Zhao	8322f0e0d9	Remove duplicated rules Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-08-14 10:55:31 +08:00
Christian Göttsche	09ed84b632	files/modutils: unify modules_object_t usage into files module modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011) modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011) modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 21:23:43 +02:00
Christian Göttsche	e9b2e1ea4f	work on SELint issues - selinuxutil.te: ignore gen_require usage for bool secure_mode - corenetwork.te: ignore gen_require usage for type unlabeled_t - files.if: drop unneeded required types in interface - rpm.if: drop unneeded required type in interface - xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template - domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 21:23:43 +02:00
Chris PeBenito	fbc60f2319	Merge pull request #296 from cgzones/diff-check whitespace cleanup	2020-08-13 09:19:48 -04:00
Christian Göttsche	72b2c66256	whitespace cleanup Remove trailing white spaces and mixed up indents Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 14:34:57 +02:00
Christian Göttsche	3bb507efa6	Fix several misspellings Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 14:08:58 +02:00
Chris PeBenito	71e653980b	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-11 08:35:00 -04:00
Chris PeBenito	cd141fa2ea	Merge pull request #290 from pebenito/fs-image	2020-08-11 08:33:26 -04:00
Chris PeBenito	32b2332d36	Merge pull request #289 from pebenito/remove-unlabeled-file	2020-08-11 08:33:22 -04:00
Chris PeBenito	777fe47c19	kernel, fstools, lvm, mount: Update to use filesystem image interfaces. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-29 14:33:39 -04:00
Chris PeBenito	04fb9404c8	filesystem: Create a filesystem image concept. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-29 14:29:26 -04:00
Chris PeBenito	27deadbecd	files: Restore mounton access to files_mounton_all_mountpoints(). Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-28 10:33:09 -04:00
Chris PeBenito	fe737c405d	selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-28 10:33:07 -04:00
Chris PeBenito	662d55ed5e	kernel: Drop unlabeled_t as a files_mountpoint(). This made unlabeled_t a file and provided much more access than an unlabeled file should have. Access to unlabeled objects should be explicit. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-28 10:09:24 -04:00
Chris PeBenito	4c7926a3c0	init: Revise init_startstop_service() build option blocks. Revise to use ifelse to have a clear set of criteria for enabling the various options. Additionally, if no options are enabled, run_init permissions are provided as a default. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-27 11:40:36 -04:00
Chris PeBenito	aa6c3f4da3	apt, rpm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-27 09:05:53 -04:00
Laurent Bigonville	e4f0709788	Label /usr/libexec/packagekitd as apt_exec_t on debian The daemon has now moved from /usr/lib/packagekit/packagekitd to /usr/libexec/packagekitd Signed-off-by: Laurent Bigonville <bigon@bigon.be>	2020-07-27 13:26:06 +02:00
Chris PeBenito	c5ac0d52c4	openvpn: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-16 09:31:56 -04:00
Chris PeBenito	7f601b8bcf	Merge pull request #284 from alexminder/openvpn	2020-07-16 09:31:06 -04:00
Alexander Miroshnichenko	67c4238e8e	openvpn: update file context regex for ipp.txt Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>	2020-07-14 13:34:58 +03:00
Chris PeBenito	ac02273502	tmp2: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-10 08:51:57 -04:00
Alexander Miroshnichenko	aff9c6e91c	openvpn: more versatile file context regex for ipp.txt Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>	2020-07-07 15:22:29 +03:00
Dave Sugar	7a03f4a00f	Interfaces for tpm2 Add interfaces tpm2_use_fds, tpm2_dontaudit_use_fds, and tpm2_read_pipes Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-07-06 22:34:39 -04:00
Chris PeBenito	613708cad6	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-04 09:30:45 -04:00
Chris PeBenito	0992763548	Update callers for "pid" to "runtime" interface rename. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-28 16:03:45 -04:00
Chris PeBenito	be04bb3e7e	Rename "pid" interfaces to "runtime" interfaces. Rename interfaces to bring consistency with previous pid->runtime type renaming. See PR #106 or `69a403cd` original type renaming. Interfaces that are still in use were renamed with a compatibility interface. Unused interfaces were fully deprecated for removal. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-28 14:33:17 -04:00
Chris PeBenito	07c08fa41e	kernel: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-18 08:30:42 -04:00
Dave Sugar	50c24ca481	Resolve neverallow failure introduced in #273 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-06-17 19:05:08 -04:00
Chris PeBenito	c63e5410a9	systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-17 08:48:41 -04:00
Chris PeBenito	c2a142d762	systemd: Merge generator domains. If these processes are compromised they can write units to do malicious actions, so trying to tightly protect the resources for each generator is not effective. Made the fstools_exec() optional, although it is unlikely that a system would not have the module. Only aliases for removed types in previous releases are added. The systemd_unit_generator() interface and systemd_generator_type attribute were not released and are dropped without deprecation. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 09:47:20 -04:00
Chris PeBenito	71002cdfe0	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 08:57:44 -04:00
Chris PeBenito	91087f8ff1	Merge pull request #274 from bauen1/remove-dead-weight	2020-06-15 08:56:42 -04:00
Chris PeBenito	9169113d42	Merge pull request #271 from bauen1/misc-fixes-2	2020-06-15 08:56:40 -04:00
Chris PeBenito	edbe7e9af7	Merge pull request #267 from bauen1/target-systemd-sysusers	2020-06-15 08:56:24 -04:00
bauen1	fc904634ac	dpkg: domaintrans to sysusers if necessary Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:52:53 +02:00
bauen1	77f891c7bf	Remove the ada module, it is unecessary and not touched since ~2008 It is only used to allow the compiler execmem / execstack but we have unconfined_execmem_t for that. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:47:14 +02:00
bauen1	cbdf1fad22	systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	e12d84181b	corecommands: correct label for debian ssh-agent helper script Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	cb2d84b0d1	gpg: don't allow gpg-agent to read /proc/kcore This was probably a typo and shouldn't have been merged. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	083e5d1d58	dpkg: dpkg scripts are part of dpkg and therefor also an application domain Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	583f435c7b	systemd: systemd --user add essential permissions Allow selinux awareness (libselinux) and access to setsockcreatecon to correctly set the label of sockets. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	e7fc029a95	dpkg: allow dpkg frontends to acquire lock by labeling it correctly Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
Chris PeBenito	2f097a0c6d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 08:43:30 -04:00
bauen1	66b4101b36	systemd: maintain /memfd:systemd-state Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:18 +02:00
bauen1	a42a15dd4d	authlogin: unix_chkpwd is linked to libselinux Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:18 +02:00
bauen1	6f7bc3da46	init: systemd will run chkpwd to start user@1000 This was likely also hidden by the unconfined module. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:17 +02:00
bauen1	a5c3c70385	thunderbird: label files under /tmp Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:17 +02:00
bauen1	6ce9865e6c	systemd: fixed systemd_rfkill_t denial spam Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:41:30 +02:00
bauen1	a9ff07d886	postfix: add filetrans for sendmail and postfix for aliases db operations Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:41:30 +02:00
bauen1	0f4eb2a324	init: fix systemd boot Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	93beef3ce5	systemd-logind.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	e20db26b7b	systemd-timesyncd.service sandbox requried permissions For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.: Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc: granted { create } for pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	83a39ad4fd	udev.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	0a596401f1	logrotate.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:34 +02:00
bauen1	d9a58c8434	terminal: cleanup term_create interfaces Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:34 +02:00
bauen1	aa6c7f28f2	allow most common permissions for systemd sandboxing options Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:28 +02:00
Chris PeBenito	309f655fdc	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-10 15:02:27 -04:00
bauen1	8f782ae820	systemd-sysusers: add policy On systems without the unconfined module this service needs additional privileges. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-04 19:53:47 +02:00
Topi Miettinen	1d8333d7a7	Remove unlabeled packet access When SECMARK or Netlabel packet labeling is used, it's useful to forbid receiving and sending unlabeled packets. If packet labeling is not active, there's no effect. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>	2020-06-03 23:16:19 +03:00
Christian Göttsche	b4180614b6	apache: quote gen_tunable name argument Match the style of tunable_policy and gen_tunable statements in userdomain Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-06-02 20:35:30 +02:00
Christian Göttsche	dcb01ec4cc	devices/storage: quote arguments to tunable_policy Match the overall style and please sepolgen-ifgen Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-06-02 20:35:30 +02:00
Chris PeBenito	c950ada4ea	openvpn: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-02 13:35:57 -04:00
McSim85	95c43ef3a4	add rule for the management socket file fixed comments from @bauen1 Signed-off-by: McSim85 <maxim@kramarenko.pro>	2020-06-02 13:58:46 +03:00
Chris PeBenito	b38804e328	init, logging: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 11:36:44 -04:00
Chris PeBenito	fe0a8d2542	Merge pull request #261 from bauen1/confined-debian-fixes	2020-05-27 11:35:49 -04:00
bauen1	be231899f5	init: replace call to init_domtrans_script Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 17:09:06 +02:00
Chris PeBenito	c75b2f3642	corecommands, files, filesystem, init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 10:52:49 -04:00
Chris PeBenito	d8da662d5e	Merge pull request #262 from bauen1/misc-fixes-1	2020-05-27 10:52:07 -04:00
Chris PeBenito	382c5f7c09	domain, setrans: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 10:46:47 -04:00
Chris PeBenito	5374e1ac16	Merge pull request #264 from bauen1/reenable-setrans	2020-05-27 10:46:08 -04:00
bauen1	b184f71bed	init: fix init_manage_pid_symlinks to grant more than just create permissions This was introduced in `4e842fe209` by me. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:23:18 +02:00
bauen1	ab2c353048	systemd: allow systemd-user-runtime-dir to do its job It requires access to /run/user/UID while running as root Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:03:05 +02:00
bauen1	7eae84a8b4	lvm-activation-generator also needs to execute lvm lvm will also try to read localization. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:03:05 +02:00

... 3 4 5 6 7 ...

3988 Commits