selinux-refpolicy

Author	SHA1	Message	Date
Nicolas Iooss	9686bf05a7	ulogd: allow starting on a Debian system When ulogd is run by systemd on Debian, it logs messages to the journal, it used a PID file in /run/ulog/ulogd.pid, and logs packets to /var/log/ulog/syslogemu.log. This last ones triggers a dac_read_search capability check because the directory is configured as: drwxrwx---. ulog adm /var/log/ulog (root does not have an access to the directory without bypassing the DAC.) Add a comment describing how to avoid allowing dac_read_search to ulogd_t. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>	2019-08-17 16:03:39 +02:00
Nicolas Iooss	d91d41b53a	ulogd: allow creating a netlink-netfilter socket This is used to get the packets logged by the firewall. I experienced this on a Debian system which uses nftables rules with the "log" keyword: type=AVC msg=audit(1565901600.257:348): avc: denied { create } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tcla ss=netlink_netfilter_socket permissive=1 type=AVC msg=audit(1565901103.154:327): avc: denied { read } for pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45 success=yes exit=148 a0=8 a1=7f651d19d010 a2=249f0 a3=0 items=0 ppid=1 pid=436 auid=4294967295 uid=111 gid=118 euid=111 suid=111 fsuid=111 egid=118 sgid=118 fsgid=118 tty=(none) ses=4294967295 comm="ulogd" exe="/usr/sbin/ulogd" subj=system_u:system_r:ulogd_t key=(null) type=PROCTITLE msg=audit(1565901103.154:327): proctitle=2F7573722F7362696E2F756C6F6764002D2D6461656D6F6E002D2D75696400756C6F67002D2D70696466696C65002F72756E2F756C6F672F756C6F67642E706964 [ ... ] type=AVC msg=audit(1565901600.241:338): avc: denied { write } for pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 type=AVC msg=audit(1565901600.257:348): avc: denied { create } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 type=AVC msg=audit(1565901600.257:349): avc: denied { getattr } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 type=AVC msg=audit(1565901600.257:350): avc: denied { bind } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>	2019-08-17 15:53:32 +02:00
Nicolas Iooss	f37b4b5ddd	ulogd: add Debian's log directory Debian uses /var/log/ulog/syslogemu.log by default to log network packets sent through a netlink multicast group by the firewall. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>	2019-08-17 15:52:58 +02:00
Sugar, David	566fd554a6	Module for tpm2 Module for tpm2 v2 - updated to rename module and interface names, different dbus interface Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-08-11 15:02:20 -04:00
Chris PeBenito	fb04518b9d	devices, storage: Module version bump Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-29 20:50:45 -04:00
Chris PeBenito	4ef04d8adb	Merge pull request #58 from pebenito/more-device-updates	2019-07-29 20:50:23 -04:00
Chris PeBenito	f191b07166	systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-21 14:34:09 -04:00
Laurent Bigonville	6b12bd3aca	Allow systemd_modules_load_t to module_request and map modules_object_t files [ 10.685610] audit: type=1400 audit(1563706740.429:3): avc: denied { map } for pid=394 comm="systemd-modules" path="/usr/lib/modules/4.19.0-5-amd64/kernel/drivers/parport/parport.ko" dev="dm-0" ino=795927 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1 [ 10.695021] audit: type=1400 audit(1563706740.437:5): avc: denied { module_request } for pid=394 comm="systemd-modules" kmod="parport_lowlevel" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1 Signed-off-by: Laurent Bigonville <bigon@bigon.be>	2019-07-21 19:46:47 +02:00
Chris PeBenito	a5db4b262d	devices: Add types for trusted execution environment interfaces. These are interfaces for trusted OSes such as ARM TrustZone. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2019-07-16 16:38:50 -04:00
Chris PeBenito	a159153d82	devices, storage: Add fc entries for mtd char devices and ndctl devices. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2019-07-16 16:38:43 -04:00
Chris PeBenito	921eb37a97	rpm, selinux, sysadm, init: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-13 14:07:11 -04:00
Chris PeBenito	de8cf73de0	knot: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-13 14:06:44 -04:00
Chris PeBenito	7a1260ffe3	knot: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-13 14:06:02 -04:00
Alexander Miroshnichenko	491ae9991a	Add knot module Add a SELinux Reference Policy module for the Knot authoritative-only DNS server. Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>	2019-07-13 14:00:31 -04:00
Sugar, David	2831598bb5	grant rpm_t permission to map security_t type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 v2 - Create new interface to allow mapping security_t and use this interface by rpm_t Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-13 14:00:23 -04:00
Chris PeBenito	b85c93b582	rpm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-07-08 20:49:31 -04:00
Sugar, David	72cc3e9136	Allow rpm scripts to alter systemd services In RPM scripts it is common to enable/start services that are being installed. This allows rpm_script_t to manage sysemd units type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:38:46 -04:00
Sugar, David	66bbd568e4	Allow rpm to map file contexts type=AVC msg=audit(1560944465.365:270): avc: denied { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:38:46 -04:00
Sugar, David	79fd6ddb3e	grant rpm permissions to map locale_t type=AVC msg=audit(1560913896.408:217): avc: denied { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:38:46 -04:00
Sugar, David	8e09ba5637	grant permission for rpm to write to audit log Messages like this are added to the audit log when an rpm is installed: type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success' These are the denials that I'm seeing: type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1 type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 v2 - Use interface rather than adding permissions here - this change may confuse subsequent patches in this set, if so let me know and I will submit a pull request on github. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:37:19 -04:00
Sugar, David	c2f504c25e	grant rpm permission to map rpm_var_lib_t type=AVC msg=audit(1560913896.432:218): avc: denied { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-07-08 20:37:19 -04:00
Chris PeBenito	8c3893e427	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-06-09 14:05:19 -04:00
Chris PeBenito	10784f3b33	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-06-09 13:37:51 -04:00
Chris PeBenito	af2e1f91fd	Merge pull request #57 from pebenito/pmem-dax	2019-06-09 13:26:49 -04:00
Chris PeBenito	c00bf89d73	Merge pull request #56 from pebenito/apache-simplify	2019-06-09 13:26:46 -04:00
Chris PeBenito	91028527fc	Merge pull request #55 from pebenito/modules-load	2019-06-09 13:26:43 -04:00
Chris PeBenito	666b744714	devices: Add type for /dev/daxX.Y. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2019-06-04 15:10:28 -04:00
Chris PeBenito	f0e8bdbf50	storage: Add fc entry for /dev/pmem* Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2019-06-04 15:10:06 -04:00
Chris PeBenito	d348413004	apache: Web content rules simplification. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-06-03 15:01:43 -04:00
Chris PeBenito	b07f7b4495	systemd: modules-load updates. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-06-03 08:42:53 -04:00
Chris PeBenito	4aafedd872	init: Add systemd block to init_script_domain(). Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-05-31 08:57:17 -04:00
Chris PeBenito	3a6b7c1856	logrotate: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-05-27 19:30:24 -04:00
Chris PeBenito	5a8c36f390	logrotate: Make MTA optional. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-05-16 11:48:05 -04:00
Chris PeBenito	2d9ad29d04	dovecot, logrotate: Module version bump.	2019-05-03 20:39:36 -04:00
Chris PeBenito	43a682068d	Merge pull request #49 from bigon/fail2ban_logrotate	2019-05-03 08:00:43 -04:00
Chris PeBenito	eaed7a9123	Merge pull request #48 from bigon/dovecot_lmtp	2019-05-03 08:00:41 -04:00
Laurent Bigonville	83f8240f04	Allow logrotate to execute fail2ban-client fail2ban logrotate configuration runs "fail2ban-client flushlogs" after rotating the logs	2019-05-03 13:34:16 +02:00
Laurent Bigonville	8215279af4	Add dovecot to listen to LMTP port Mails can be injected in dovecot directly using LMTP	2019-05-03 12:33:09 +02:00
Dave Sugar	de0e70f07a	create interfaces for NetworkManager units Create interfaces to allow start/stop, enable/disable and status of NetworkManager systemd unit	2019-05-02 11:16:41 -04:00
Chris PeBenito	5d345b79ee	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-04-27 10:51:06 -04:00
Chris PeBenito	6857cda019	Merge pull request #46 from pebenito/systemd-user	2019-04-27 10:50:32 -04:00
Chris PeBenito	a77e0f6837	Merge pull request #45 from pebenito/systemd-update-done-tweak	2019-04-27 10:50:30 -04:00
Chris PeBenito	e5d14ad308	Merge pull request #44 from pebenito/http-mta-optional	2019-04-27 10:50:29 -04:00
Chris PeBenito	54dbc8a7a7	Merge pull request #43 from pebenito/various-device-labels	2019-04-27 10:50:27 -04:00
Chris PeBenito	da156aea1e	systemd: Add initial policy for systemd --user. This is just a start; it does not cover all uses. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-25 11:18:58 -04:00
Chris PeBenito	4bca3dade2	devices: Change netcontrol devices to pmqos. Devices with the netcontrol_device_t type are actually PM QoS devices. Rename the type and add labeling for /dev/memory_bandwidth. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-24 09:17:36 -04:00
Chris PeBenito	3b0d0ea330	devices: Add type for GPIO chips, /dev/gpiochip[0-9] Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-24 08:50:41 -04:00
Chris PeBenito	b1a312152c	devices: Label /dev/tpmrm[0-9]. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-24 08:50:41 -04:00
Chris PeBenito	77161ca8b7	storage: Label /dev/mmcblk* character nodes. An example is mmcblk0rpmb, which is for the replay protected memory block subsystem. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-24 08:50:41 -04:00
Chris PeBenito	ae2d2ec470	kernel, devices, plymouthd, xserver: Module version bump.	2019-04-23 18:37:22 -04:00
Chris PeBenito	ff9bd742b7	systemd: Remove unnecessary names in systemd-update-done filetrans. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-23 15:22:17 -04:00
Chris PeBenito	2f0ead8ecf	apache: Make MTA optional. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-23 15:17:33 -04:00
Dave Sugar	51aadce3c2	Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0	2019-04-23 07:48:15 -04:00
Dave Sugar	2b42f0c13d	Allow xdm (lightdm) start plymouth type=AVC msg=audit(1554917007.995:194): avc: denied { execute } for pid=7647 comm="lightdm" name="plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917007.995:194): avc: denied { read open } for pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917007.995:194): avc: denied { execute_no_trans } for pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917007.995:194): avc: denied { map } for pid=7647 comm="plymouth" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1	2019-04-16 22:20:29 -04:00
Chris PeBenito	e2e4094bd4	various: Module version bump Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-04-16 22:08:11 -04:00
Sugar, David	a49163250f	Add kernel_dgram_send() into logging_send_syslog_msg() This patch is based on comments from previous a patch to remove the many uses of kernel_dgram_send() and incorporate it into logging_send_syslog_msg(). v2 - enclose in ifdef for redhat v3 - rebase this patch on `e41def136a` Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-04-16 20:51:55 -04:00
Chris PeBenito	e41def136a	xserver: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-04-14 14:20:55 -04:00
Chris PeBenito	2356eda7fc	Merge pull request #40 from gtrentalancia/master	2019-04-14 14:15:16 -04:00
Guido Trentalancia	db33386c01	The Qt library version 5 requires to write xserver_tmp_t files upon starting up applications (tested on version 5.12.1). Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/services/xserver.if \| 3 +++ 1 file changed, 3 insertions(+)	2019-04-12 17:52:50 +02:00
Chris PeBenito	32ce73f9b8	kernel: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-04-12 07:57:00 -04:00
Lukas Vrabec	ce570ab34d	Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t CRIU can influence the PID of the threads it wants to create. CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which PID it wants for the next clone(). So it has to write to that file. This feels like a problematic as it opens up the container writing to all sysctl_kernel_t. Using new label container_t will just write to sysctl_kernel_ns_last_pid_t instad writing to more generic sysctl_kernel_t files.	2019-04-12 07:52:27 -04:00
Chris PeBenito	beb4a290b0	init: Module version bump.	2019-04-07 20:56:22 -04:00
Chris PeBenito	4c2f16bb26	Merge pull request #39 from pebenito/revise-init-stopstart	2019-04-07 20:54:40 -04:00
Chris PeBenito	b06126dca3	init: Revise conditions in init_startstop_service(). Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-04-05 15:18:29 -04:00
Chris PeBenito	df696a3254	kernel, init, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-27 18:58:15 -04:00
Chris PeBenito	98c16077ba	Merge pull request #37 from pebenito/master Misc system fixes. Remove use of kernel_unconfined() by systemd_nspawn and udev write to its own executable.	2019-03-27 18:57:39 -04:00
Chris PeBenito	4f6614ba7f	ntp, init, lvm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-27 18:49:54 -04:00
Sugar, David	d3c4e19f72	Denial of cryptsetup reading cracklib database When setting up a LUKS encrypted partition, cryptsetup is reading the cracklib databases to ensure password strength. This is allowing the needed access. type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-27 18:48:01 -04:00
Sugar, David	7525ba9c1e	Allow ntpd to read unit files Adding missing documenation (sorry about that). type=AVC msg=audit(1553013917.359:9935): avc: denied { read } for pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013917.359:9935): avc: denied { open } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013917.359:9936): avc: denied { getattr } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1 type=AVC msg=audit(1553013821.622:9902): avc: denied { getattr } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1553013821.622:9903): avc: denied { read } for pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1553013821.622:9903): avc: denied { open } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-27 18:48:01 -04:00
Chris PeBenito	32f3f09dc4	authlogin, dbus, ntp: Module version bump.	2019-03-24 14:43:35 -04:00
Sugar, David	142651a8b4	Resolve denial about logging to journal from dbus type=AVC msg=audit(1553013821.597:9897): avc: denied { sendto } for pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:37:22 -04:00
Sugar, David	5f14e530ad	Resolve denial about logging to journal from chkpwd type=AVC msg=audit(1553029357.588:513): avc: denied { sendto } for pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:37:22 -04:00
Sugar, David	9f2b1e2b4c	Allow ntpd to update timezone symlink type=AVC msg=audit(1553013821.624:9907): avc: denied { create } for pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1553013821.624:9908): avc: denied { rename } for pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1553013821.624:9908): avc: denied { unlink } for pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:35:44 -04:00
Sugar, David	1b4ffb7806	Allow ntpd to update chronyd service type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=? type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:35:44 -04:00
Sugar, David	a50afdcc84	Add interface ntp_dbus_chat type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-24 14:35:44 -04:00
Chris PeBenito	e19f3d658c	init: Remove duplicate setenforce rule for init scripts. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-03-20 10:10:23 -04:00
Chris PeBenito	99f967d3b5	udev: Drop write by udev to its executable. This removes one vector for arbitrary code execution if udev is compromised. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-03-20 10:10:10 -04:00
Chris PeBenito	40bf663090	systemd: Drop unconfined kernel access for systemd_nspawn. Revise kernel assertion to /proc/kmsg to be more precise. Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>	2019-03-20 10:09:37 -04:00
Chris PeBenito	c46eba9c02	sysadm, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-17 16:27:34 -04:00
Chris PeBenito	ceadf42b75	udev: Move one line and remove a redundant line. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-17 16:25:28 -04:00
Chris PeBenito	2297487654	udev: Whitespace fix. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2019-03-17 16:25:03 -04:00
Sugar, David	ba31e59cd1	Separate out udevadm into a new domain This is the update I have made based on suggestions for the previous patches to add a udev_run interface. This adds the new domain udevadm_t which is entered from /usr/bin/udevadm. It seems to meet the needs that I have, but there are some things to note that are probably important. 1) There are a few systemd services that use udevadm during startup. I have granted the permisssions that I need based on denials I was seeing during startup (the machine would fail to start without the permisions). 2) In the udev.fc file there are other binaries that I don't have on a RHEL7 box that maybe should also be labeled udevadm_exec_t. e.g. /usr/bin/udevinfo and /usr/bin/udevsend But as I don't have those binaries to test, I have not updated the type of that binary. 3) There are some places that call udev_domtrans that maybe should now be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again, these are not things that I am using in my current situation and am unable to test the interactions to know if the change is correct. Other than that, I think this was a good suggestion to split udevadm into a different domain. Only change for v4 is to use stream_connect_pattern as suggested. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-17 16:15:21 -04:00
Chris PeBenito	60b8e08f4f	systemd, udev, usermanage: Module version bump.	2019-03-11 20:59:21 -04:00
Chris PeBenito	5260679657	usermanage: Move kernel_dgram_send(passwd_t) to systemd block.	2019-03-11 20:59:16 -04:00
Sugar, David	1cc0045642	Resolve denial while changing password I'm seeing the following denials reading /proc/sys/crypto/fips_enabled and sending message for logging. This resolves those denials. type=AVC msg=audit(1552222811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1552222811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1552222811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1552222811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1552222811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-11 20:54:29 -04:00
Sugar, David	9d2b68e0ba	Allow additional map permission when reading hwdb I'm seeing a denial for udev to map /etc/udev/hwdb.bin. This creates and uses a new interface to allow the needed permission for udev. type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1 Updated from previous to create a new interface. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-11 20:53:30 -04:00
Chris PeBenito	bb83a721cf	filesystem, cron, authlogin: Module version bump.	2019-03-07 19:02:57 -05:00
Sugar, David	3fd0d7df8b	Update cron use to pam interface I'm seeing a many denials for cron related to faillog_t, lastlog_t and wtmp_t. These are all due to the fact cron is using pam (and my system is configured with pam_faillog). I have updated cron to use auth_use_pam interface to grant needed permissions. Additional change to allow systemd_logind dbus for cron. I have included many of the denials I'm seeing, but there are probably others I didn't capture. type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins" type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-07 19:02:57 -05:00
Sugar, David	4f8d21ea71	Add interface to allow relabeling of iso 9660 filesystems. I have a case where I'm labeling media with my own types to control access. But that is requiring that I relabel from iso9660_t to my own type. This interface allows that relabel. type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-03-07 19:02:57 -05:00
Chris PeBenito	712e6056d9	aide, clamav: Module version bump.	2019-02-26 19:21:27 -08:00
Sugar, David	59413b10b8	Allow AIDE to mmap files AIDE has a compile time option WITH_MMAP which allows AIDE to map files during scanning. RHEL7 has set this option in the aide rpm they distribute. Changes made to add a tunable to enable permissions allowing aide to map files that it needs. I have set the default to false as this seems perfered (in my mind). Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	e5b8318420	Allow AIDE to read kernel sysctl_crypto_t type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	2f063edd88	Allow AIDE to sendto kernel datagram socket type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	c418d0e81d	Add interfaces to run freshclam Currently freshclam can only be started from cron or init. This adds the option of starting from a different process and optionally transitioning or staying in the callers domain. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	899520233d	Allow freshclam to read sysctl_crypto_t type=AVC msg=audit(1550894180.137:3099): avc: denied { search } for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1550894180.137:3099): avc: denied { read } for pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550894180.137:3099): avc: denied { open } for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Sugar, David	2d105029d0	Fix incorrect type in clamav_enableddisable_clamd interface Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-26 19:11:33 -08:00
Chris PeBenito	e6dcad5002	systemd: Module version bump.	2019-02-24 08:19:27 -08:00
Nicolas Iooss	2fb15c8268	Update systemd-update-done policy systemd-update-done sends logs to journald like other services, as shown by the following AVC: type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for pid=277 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { write } for pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=unix_dgram_socket permissive=1 Moreover it creates /etc/.updated and /var/.updated using temporary files: type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=process permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { read write open } for pid=277 comm="systemd-update-" path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { create } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 [...] type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1	2019-02-24 11:08:20 +01:00
Chris PeBenito	2623984b83	logging, selinuxutil: Module version bump.	2019-02-23 19:30:58 -08:00
Chris PeBenito	0805aaca8d	Merge branch 'restorecond-no-read-all' of git://github.com/fishilico/selinux-refpolicy	2019-02-23 18:43:02 -08:00
Nicolas Iooss	0ab9035efa	Remove a broad read-files rule for restorecond When the policy for restorecond was introduced, it contained a rule which allowed restorecond to read every file except shadow_t (cf. `724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)` ): auth_read_all_files_except_shadow(restorecond_t) Since 2006, the policy changed quite a bit, but this access remained. However restorecond does not need to read every available file. This is related to this comment: https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379	2019-02-23 21:20:21 +01:00
Nicolas Iooss	7bb9172b67	Allow restorecond to read customizable_types When trying to remove files_read_non_auth_files(restorecond_t), the following AVC denial occurs: type=AVC msg=audit(1550921968.443:654): avc: denied { open } for pid=281 comm="restorecond" path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1" ino=928006 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:default_context_t tclass=file permissive=1 type=AVC msg=audit(1550921968.443:654): avc: denied { read } for pid=281 comm="restorecond" name="customizable_types" dev="vda1" ino=928006 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:default_context_t tclass=file permissive=1 As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by restorecond, allow this access.	2019-02-23 21:14:10 +01:00
Nicolas Iooss	5250bd4863	Allow systemd-journald to use kill(pid, 0) on its clients Since systemd 241, systemd-journald is using kill(pid, 0) in order to find dead processes and reduce its cache. The relevant commit is `91714a7f42` ("journald: periodically drop cache for all dead PIDs"). This commit added a call to pid_is_unwaited(c->pid), which is a function implemented in https://github.com/systemd/systemd/blob/v241/src/basic/process-util.c#L936 : bool pid_is_unwaited(pid_t pid) { /* Checks whether a PID is still valid at all, including a zombie / if (pid < 0) return false; if (pid <= 1) / If we or PID 1 would be dead and have been waited for, this code would not be running */ return true; if (pid == getpid_cached()) return true; if (kill(pid, 0) >= 0) return true; return errno != ESRCH; } This new code triggers the following AVC denials: type=AVC msg=audit(1550911933.606:332): avc: denied { signull } for pid=224 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:auditd_t tclass=process permissive=1 type=AVC msg=audit(1550911933.606:333): avc: denied { signull } for pid=224 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:dhcpc_t tclass=process permissive=1 type=AVC msg=audit(1550911933.606:334): avc: denied { signull } for pid=224 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:sshd_t tclass=process permissive=1	2019-02-23 20:55:17 +01:00
Chris PeBenito	5986fdc4df	logging, miscfiles, authlogin: Module version bump.	2019-02-20 19:38:55 -08:00
Sugar, David	81c10b077a	New interface to dontaudit access to cert_t I'm seeing a bunch of denials for various processes (some refpolicy domains, some my own application domains) attempting to access /etc/pki. They seem to be working OK even with the denial. The tunable authlogin_nsswitch_use_ldap controls access to cert_t (for domains that are part of nsswitch_domain attribute). Use this new interface when that tunable is off to quiet the denials. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-20 19:28:45 -08:00
Sugar, David	d8492558b3	Add interface to get status of rsyslog service Updated based on feedback. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-20 19:28:45 -08:00
Chris PeBenito	98a7f0446d	init, systemd, cdrecord: Module version bump.	2019-02-19 19:31:04 -08:00
Chris PeBenito	b3e8e5a4ba	systemd: Remove unnecessary brackets.	2019-02-19 19:20:57 -08:00
Sugar, David	31ac26dd58	Add interface to run cdrecord in caller domain Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-19 19:19:28 -08:00
Sugar, David	b3cbf00cba	Allow systemd-hostnamed to set the hostname When calling hostnamectl to set the hostname it needs sys_admin capability to actually set the hostname. Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted type=AVC msg=audit(1550058524.656:1988): avc: denied { sys_admin } for pid=7873 comm="systemd-hostnam" capability=21 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-19 19:06:40 -08:00
Sugar, David	61d12f722d	Allow init_t to read net_conf_t init (systemd) needs to read /etc/hostname during boot to retreive the hostname to apply to the system. Feb 06 18:37:06 localhost.localdomain kernel: type=1400 audit(1549478223.842:3): avc: denied { read } for pid=1 comm="systemd" name="hostname" dev="dm-1" ino=1262975 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-19 19:06:40 -08:00
Chris PeBenito	807cf71287	corenetwork: Module version bump.	2019-02-17 21:11:43 -05:00
Nicolas Iooss	919c889b7d	Add policy for stubby DNS resolver Stubby is a DNS resolver that encrypts DNS queries and transmits them to a resolver in a TLS channel. It therefore requires less permissions than a traditionnal DNS resolver such as named or unbound (provided by module "bind"). cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby This program is packaged for Arch Linux, Debian, etc. DNS-over-TLS uses TCP port 853, which does not seem to conflict with existing ports. Label it like other DNS ports. init_dbus_chat(stubby_t) is required on systemd-based distributions because stubby's service uses DynamicUser=yes [1]. Without this statement, the following denials are reported by dbus: type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=649 scontext=system_u:system_r:stubby_t tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649 tpid=1 scontext=system_u:system_r:stubby_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return dest=:1.39 spid=1 tpid=649 scontext=system_u:system_r:init_t tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' [1] https://github.com/getdnsapi/stubby/blob/v0.2.5/systemd/stubby.service#L8	2019-02-17 22:16:33 +01:00
Chris PeBenito	e3f90ef0b5	sysadm: Module version bump.	2019-02-13 18:53:56 -05:00
Nicolas Iooss	4aa9acca0a	sysadm: allow resolving dynamic users On a virtual machine using haveged daemon, running "ps" from a sysadm_t user leads to the following output: $ ps -eH -o label,user,pid,cmd ... system_u:system_r:init_t root 1 /sbin/init system_u:system_r:syslogd_t root 223 /usr/lib/systemd/systemd-journald system_u:system_r:lvm_t root 234 /usr/bin/lvmetad -f system_u:system_r:udev_t root 236 /usr/lib/systemd/systemd-udevd system_u:system_r:entropyd_t 65306 266 /usr/bin/haveged --Foreground --verbose=1 User 65306 is a dynamic user attributed by systemd: $ cat /var/run/systemd/dynamic-uid/65306 haveged Running ps leads to the following log: type=USER_AVC msg=audit(1549830356.959:1056): pid=278 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=12038 tpid=1 scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:system_r:init_t tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Allow sysadm_t to resolve dynamic users when systemd is used. After this, "ps" works fine: system_u:system_r:entropyd_t haveged 266 /usr/bin/haveged --Foreground --verbose=1	2019-02-12 21:43:08 +01:00
Chris PeBenito	e727079acc	systemd: Module version bump.	2019-02-09 09:06:37 -05:00
Sugar, David	24da4bf370	Separate domain for systemd-modules-load systemd-modules-load is used to pre-load kernal modules as the system comes up. It was running initc_t which didn't have permissions to actually load kernel modules. This change sets up a new domain for this service and grants permission necessary to load kernel modules. Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:10): avc: denied { read } for pid=4257 comm="systemd-modules" name="fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1 Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:11): avc: denied { open } for pid=4257 comm="systemd-modules" path="/usr/lib/modules/3.10.0-957.1.3.el7.x86_64/kernel/fs/fuse/fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-09 09:01:05 -05:00
Sugar, David	21351f6bd9	Allow systemd-networkd to get IP address from dhcp server I'm seeing the following denials when attempting to get a DHCP address. type=AVC msg=audit(1549471325.440:199): avc: denied { name_bind } for pid=6964 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1 type=AVC msg=audit(1549471325.440:199): avc: denied { node_bind } for pid=6964 comm="systemd-network" saddr=10.1.12.61 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1 type=AVC msg=audit(1549471325.440:199): avc: denied { net_bind_service } for pid=6964 comm="systemd-network" capability=10 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1 type=SYSCALL msg=audit(1549471325.440:199): arch=c000003e syscall=49 success=yes exit=0 a0=b a1=7fff09388780 a2=10 a3=7fff09388778 items=0 ppid=1 pid=6964 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null) Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-02-09 09:01:05 -05:00
Chris PeBenito	445cbed7c7	Bump module versions for release.	2019-02-01 15:03:42 -05:00
Chris PeBenito	83ebbd23d3	corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump.	2019-02-01 14:21:55 -05:00
Russell Coker	044da0b8b9	more misc stuff Here's the latest stuff, most of which is to make staff_t usable as a login domain. Please merge whatever you think is good and skip the rest.	2019-02-01 14:16:57 -05:00
Chris PeBenito	4e5b6f39ff	redis: Module version bump.	2019-01-30 18:46:28 -05:00
Chris PeBenito	8e45aef50c	redis: Move line.	2019-01-30 18:46:07 -05:00
Alexander Miroshnichenko	2adbd7f732	minor updates redis module to be able to start the app Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>	2019-01-30 18:45:43 -05:00
Chris PeBenito	b6396ffe19	various: Module version bump.	2019-01-29 18:59:50 -05:00
Chris PeBenito	137aca70e3	hostapd: Move line.	2019-01-29 18:59:50 -05:00
Chris PeBenito	b54fd25c60	hostapd: Whitespace change.	2019-01-29 18:59:50 -05:00
Russell Coker	1574ac4a5d	chromium There are several nacl binaries that need labels. Put an ifdef debian for some chromium paths. Git policy misses chromium_role() lines, were they in another patch that was submitted at the same time? I don't know what this is for but doesn't seem harmful to allow it: type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY\|O_CREAT\|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null) type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { associate } for pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { create } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc: granted { add_name } for pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir Allow domain_use_interactive_fds() for running via ssh -X. Allow managing xdg data, cache, and config. Allow reading public data from apt and dpkg, probably from lsb_release or some other shell script. How does the whold naclhelper thing work anyway? I'm nervous about process share access involving chromium_sandbox_t, is that really what we want? Added lots of other stuff like searching cgroup dirs etc.	2019-01-29 18:59:33 -05:00
Russell Coker	3d65c79750	yet another little patch This should all be obvious.	2019-01-29 18:45:30 -05:00
Alexander Miroshnichenko	275c304dc1	Add hostapd service module Add a SELinux Reference Policy module for the hostapd IEEE 802.11 wireless LAN Host AP daemon.	2019-01-29 18:42:14 -05:00
Chris PeBenito	535cea9ad1	filesystem, postgresql: Module version bump.	2019-01-27 12:58:33 -05:00
Chris PeBenito	b78be0cc7a	Merge branch 'postgres' of git://github.com/alexminder/refpolicy	2019-01-27 12:44:39 -05:00
Alexander Miroshnichenko	548564099e	fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface	2019-01-26 21:50:12 +03:00
Chris PeBenito	30a46e5676	various: Module version bump.	2019-01-23 19:02:01 -05:00
Chris PeBenito	14505cb1ef	dovecot: Move lines.	2019-01-23 19:01:37 -05:00
Chris PeBenito	fce54c10fa	Merge branch 'dovecot' of git://github.com/alexminder/refpolicy	2019-01-23 18:52:35 -05:00
Chris PeBenito	08cb521ab0	chromium: Move line.	2019-01-23 18:44:45 -05:00
Chris PeBenito	71830b02c5	chromium: Whitespace fixes.	2019-01-23 18:43:16 -05:00
Jason Zaman	6d164216d9	Add chromium policy upstreamed from Gentoo Signed-off-by: Jason Zaman <jason@perfinion.com>	2019-01-23 18:40:57 -05:00
Jason Zaman	fa23645ca1	userdomain: introduce userdom_user_home_dir_filetrans_user_cert Signed-off-by: Jason Zaman <jason@perfinion.com>	2019-01-23 18:40:57 -05:00
Jason Zaman	4ed30f7492	kernel: introduce kernel_dontaudit_read_kernel_sysctl Signed-off-by: Jason Zaman <jason@perfinion.com>	2019-01-23 18:40:57 -05:00
Jason Zaman	d83a104eda	files: introduce files_dontaudit_read_etc_files Signed-off-by: Jason Zaman <jason@perfinion.com>	2019-01-23 18:40:57 -05:00
Jason Zaman	1bc0503d53	devices: introduce dev_dontaudit_read_sysfs Signed-off-by: Jason Zaman <jason@perfinion.com>	2019-01-23 18:40:57 -05:00
Chris PeBenito	7a1e0d0ca9	init: Drop unnecessary userspace class dependence in init_read_generic_units_symlinks().	2019-01-23 18:35:00 -05:00
Chris PeBenito	09a81f7220	init: Rename init_read_generic_units_links() to init_read_generic_units_symlinks().	2019-01-23 18:34:10 -05:00
Russell Coker	eba35802cc	yet more tiny stuff I think this should be self-explanatory. I've added an audit trace for the sys_ptrace access that was previously rejected. Here is the audit log for sys_ptrace: type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/ type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null) type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc: denied { sys_ptrace } for pid=12750 comm=systemctl capability=sys_ptrace scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0	2019-01-23 18:32:41 -05:00
Chris PeBenito	bf21c5c0d2	dpkg: Move interface implementations.	2019-01-23 18:30:15 -05:00
Chris PeBenito	ed79766651	dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans().	2019-01-23 18:28:51 -05:00
Russell Coker	05cd55fb51	tiny stuff for today Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't be necessary. Lots of little stuff for system_cronjob_t. Other minor trivial changes that should be obvious.	2019-01-23 18:26:45 -05:00
Alexander Miroshnichenko	de478dca3a	Add dovecot_can_connect_db boolean. Add dovecot_can_connect_db boolean. Grant connect dovecot_auth_t to DBs by dovecot_can_connect_db boolean.	2019-01-23 18:22:24 +03:00
Alexander Miroshnichenko	438786dfa7	Add map permission for postgresql_t to postgresql_tmp_t files.	2019-01-23 18:00:25 +03:00
Alexander Miroshnichenko	cff5e0026c	Add new interface fs_rmw_hugetlbfs_files. Add new interface fs_rmw_hugetlbfs_files and grant it to postgresql_t.	2019-01-23 17:58:54 +03:00
Chris PeBenito	a7f2394902	various: Module version bump.	2019-01-20 16:45:55 -05:00
Chris PeBenito	ecb4968238	systemd: Move interface implementation.	2019-01-20 16:36:36 -05:00
Sugar, David	6e86de0736	Add interface to read journal files When using 'systemctl status <service>' it will show recent log entries for the selected service. These recent log entries are coming from the journal. These rules allow the reading of the journal files. type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-20 16:34:14 -05:00
Sugar, David	53ea0b2288	Add interface clamav_run Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-20 16:33:31 -05:00
Chris PeBenito	7d93336024	xserver: Move line	2019-01-20 16:22:01 -05:00
Russell Coker	54136fa311	more tiny stuff I think the old timesync labelling wasn't working anyway due to -- for a directory name. A couple of patches for devicekit calling dmidecode (this is part of replacing some kmem access that was discussed on this list and rejected as a misfeature in Debian DMI related code ages ago). The rest should be obvious.	2019-01-20 16:20:33 -05:00
Chris PeBenito	310a7b0b85	Merge branch 'dbus-dynamic-uid' of git://github.com/fishilico/selinux-refpolicy	2019-01-19 12:51:26 -05:00
Chris PeBenito	b5cda0e2c5	selinuxutil: Module version bump.	2019-01-16 18:20:51 -05:00
Chris PeBenito	038a5af1ed	Merge branch 'restorecond-dontaudit-symlinks' of git://github.com/fishilico/selinux-refpolicy	2019-01-16 18:20:05 -05:00
Chris PeBenito	238bd4f91f	logging, sysnetwork, systemd: Module version bump.	2019-01-16 18:19:22 -05:00
Sugar, David	69961e18a8	Modify type for /etc/hostname hostnamectl updates /etc/hostname This change is setting the type for the file /etc/hostname to net_conf_t and granting hostnamectl permission to edit this file. Note that hostnamectl is initially creating a new file .#hostname* which is why the create permissions are requied. type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-16 18:13:41 -05:00
Sugar, David	34e3505004	Interface with systemd_hostnamed over dbus to set hostname type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-16 18:12:50 -05:00
Sugar, David	9255dfbf4e	label journald configuraiton files syslog_conf_t journald already runs as syslogd_t label the config files similarly to allow editing by domains that can edit syslog configuration files. Also added some missing '\' before dot in filenames. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-16 18:11:43 -05:00
Nicolas Iooss	47b09d472e	dbus: allow using dynamic UID When using a systemd service with dynamic UID, dbus-daemon reads symlinks in /run/systemd/dynamic-uid/: type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800 a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) type=AVC msg=audit(1547313774.993:373): avc: denied { read } for pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1 type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800 a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t key=(null) type=AVC msg=audit(1547313774.993:374): avc: denied { read } for pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=1 This directory looks like this, on Arch Linux with systemd 240: # ls -alZ /run/systemd/dynamic-uid drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./ drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../ -rw-------. 1 root root system_u:object_r:init_var_run_t 8 2019-01-12 15:53 65306 lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 7 2019-01-12 15:53 direct:65306 -> haveged lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 5 2019-01-12 15:53 direct:haveged -> 65306	2019-01-16 22:13:57 +01:00
Nicolas Iooss	6e2896098c	selinuxutil: restorecond is buggy when it dereferencies symlinks restorecond uses libselinux's selinux_restorecon() to relabel files, which dereferences symlinks in a useless call to statfs(). This produces AVC denials which are noisy. Fixes: https://github.com/SELinuxProject/refpolicy/pull/22	2019-01-16 22:10:38 +01:00
Chris PeBenito	4a90eae668	usermanage, cron, selinuxutil: Module version bump.	2019-01-14 17:45:24 -05:00
Russell Coker	dcb2d1d8b8	another trivial This adds a hostnamed rule and also corrects an error in a previous patch I sent (a copy/paste error).	2019-01-14 17:43:15 -05:00
Russell Coker	b1d309b42c	trivial system cronjob	2019-01-14 17:42:17 -05:00
Chris PeBenito	2c96e2fb56	Merge branch 'add_comment' of git://github.com/DefenSec/refpolicy	2019-01-14 17:41:28 -05:00
Dominick Grift	a4a219a733	unconfined: add a note about DBUS Addresses https://github.com/SELinuxProject/refpolicy/issues/18	2019-01-14 17:02:56 +01:00
Nicolas Iooss	ae35b48f8e	selinuxutil: allow restorecond to read symlinks As restorecond dereferences symlinks when it encounters them in user home directories, allow this access.	2019-01-13 22:47:11 +01:00
Chris PeBenito	353d92a77a	systemd: Module version bump.	2019-01-13 14:59:27 -05:00
Chris PeBenito	966f981fd8	systemd: Whitespace change	2019-01-13 14:47:34 -05:00
Nicolas Iooss	c53019f2c3	systemd: add policy for systemd-rfkill	2019-01-12 23:00:29 +01:00
Chris PeBenito	e6a67f295c	various: Module name bump.	2019-01-12 15:03:59 -05:00
Chris PeBenito	e8b70915b1	Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy	2019-01-12 14:55:36 -05:00
Chris PeBenito	d01b3a1169	Merge branch 'services_single_usr_bin' of git://github.com/fishilico/selinux-refpolicy	2019-01-12 14:53:58 -05:00
Sugar, David	f0860ff0bb	Add interface to start/stop iptables service Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-12 14:32:00 -05:00
Russell Coker	da1de46f66	some little stuff Tiny and I think they are all obvious.	2019-01-12 14:16:33 -05:00
Nicolas Iooss	c3b588bc65	init: rename _pid_ interfaces to use "runtime" The name of these interfaces is clearer that way. This comes from a suggestion from https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/	2019-01-12 17:11:00 +01:00
Nicolas Iooss	80fb19a9ba	Label service binaries in /usr/bin like /usr/sbin For some services, the program responsible for the service has a file context which is defined only when it is installed in /usr/sbin. This does not work on Arch Linux, where every program is in /usr/bin (/usr/sbin is a symlink to /usr/bin). Add relevant file contexts for /usr/bin/$PROG when /usr/sbin/$PROG exists.	2019-01-12 17:08:09 +01:00
Chris PeBenito	143ed2cc1b	init, logging: Module version bump.	2019-01-10 20:26:36 -05:00
Nicolas Iooss	6f5e31431e	Allow systemd-journald to read systemd unit symlinks type=AVC msg=audit(1546723651.696:2091): avc: denied { read } for pid=240 comm="systemd-journal" name="invocation:user@1000.service" dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0 type=AVC msg=audit(1546723651.799:2092): avc: denied { read } for pid=240 comm="systemd-journal" name="invocation:dbus.service" dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0 "ls -lZ" on these files gives: lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32 /run/systemd/units/invocation:user@1000.service -> a12344e990e641d9a43065b2d1e115a7 lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32 /run/systemd/units/invocation:dbus.service -> 70bd8da4e0c14bf8b7fcadcd71d22214	2019-01-10 23:51:08 +01:00
Chris PeBenito	85536c64e1	kernel, jabber, ntp, init, logging, systemd: Module version bump.	2019-01-09 19:36:41 -05:00
Russell Coker	4a95d08da1	logging Prosody and ntpd don't just need append access to their log files.	2019-01-09 19:30:25 -05:00
Chris PeBenito	d2a1333fdc	kernel, systemd: Move lines.	2019-01-09 19:30:15 -05:00
Russell Coker	9cb572bd02	mls stuff Here are the patches I used last time I tried to get MLS going on Debian.	2019-01-09 19:20:35 -05:00
Chris PeBenito	1ff4b35ec2	iptables: Module version bump.	2019-01-07 18:48:44 -05:00
Sugar, David	43a77c30fa	Add interface to get status of iptables service Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-07 18:40:13 -05:00
Chris PeBenito	e8ba31557d	various: Module version bump.	2019-01-06 14:11:08 -05:00
Chris PeBenito	599112a85c	Merge branch 'systemd-logind-getutxent' of git://github.com/fishilico/selinux-refpolicy	2019-01-06 14:07:54 -05:00
Chris PeBenito	bd50873362	Merge branch 'restorecond_getattr_cgroupfs' of git://github.com/fishilico/selinux-refpolicy	2019-01-06 14:07:24 -05:00
Chris PeBenito	559d4b830a	Merge branch 'ssh_dac_read_search' of git://github.com/fishilico/selinux-refpolicy	2019-01-06 14:06:47 -05:00
Chris PeBenito	38839b3e6c	nsd: Merge two rules into one.	2019-01-06 14:03:29 -05:00
Chris PeBenito	ea11d5bbc2	Merge branch 'nsd' of https://github.com/alexminder/refpolicy	2019-01-06 14:02:06 -05:00
Sugar, David	82494cedc1	pam_faillock creates files in /run/faillock These are changes needed when pam_fallock creates files in /run/faillock (which is labeled faillog_t). sudo and xdm (and probably other domains) will create files in this directory for successful and failed login attempts. v3 - Updated based on feedback type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-06 13:57:18 -05:00
Sugar, David	2791589f9e	Allow greeter to start dbus The display manager lightdm (and I think gdm) start a dbus binary. v3 - Updated based on feedback type=AVC msg=audit(1544626796.378:201): avc: denied { execute } for pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1544626796.378:201): avc: denied { read open } for pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1544626796.378:201): avc: denied { execute_no_trans } for pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1544626796.378:201): avc: denied { map } for pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1546551459.112:208): avc: denied { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1 type=AVC msg=audit(1546551459.116:209): avc: denied { read } for pid=6275 comm="dbus-daemon" name="995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1546551459.116:209): avc: denied { open } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1546551459.116:210): avc: denied { getattr } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2019-01-06 13:57:18 -05:00
Chris PeBenito	6780e6d2e2	init: Remove inadvertent merge.	2019-01-06 13:53:02 -05:00
Russell Coker	3133587825	cron trivial Here are the most trivial cron patches I have, I would like to get this in before discussing the more significant cron patches.	2019-01-06 13:50:31 -05:00
Chris PeBenito	61b83b30be	systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime(). Move implementation with other networkd_runtime interfaces.	2019-01-06 13:49:02 -05:00
Russell Coker	b77b4cd610	missing from previous Here are the things that weren't applied from my previous patches, I think they are all worthy of inclusion.	2019-01-06 13:44:18 -05:00
Russell Coker	ef6c7f155e	systemd misc This patch has policy changes related to systemd and the systemd versions of system programs. Also has some dbus policy which probably isn't strictly a systemd thing, but it all came at the same time.	2019-01-06 13:11:51 -05:00
Nicolas Iooss	150bd4e179	systemd: allow systemd-logind to use getutxent() systemd-logind reads /run/utmp in order to warn users who are currently logged in about an imminent shutdown. It calls utmp_wall() in https://github.com/systemd/systemd/blob/v240/src/login/logind-utmp.c#L75-L87 This function calls glibc's getutxent() here: https://github.com/systemd/systemd/blob/v240/src/shared/utmp-wtmp.c#L401 This function, implemented in https://sourceware.org/git/?p=glibc.git;a=blob;f=login/utmp_file.c;h=040a5057116bb69d9dfb1ca46f025277a6e20291;hb=3c03baca37fdcb52c3881e653ca392bba7a99c2b , opens and locks /run/utmp in order to enumerate the users.	2019-01-06 16:28:32 +01:00
Nicolas Iooss	49af56f3b5	selinuxutil: allow restorecond to try counting the number of files in cgroup fs When restorecond calls selinux_restorecon(), libselinux scans /proc/mounts in a function named exclude_non_seclabel_mounts with the following comment (https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230): /* * This is called once when selinux_restorecon() is first called. * Searches /proc/mounts for all file systems that do not support extended * attributes and adds them to the exclude directory table. File systems * that support security labels have the seclabel option, return * approximate total file count. */ The "approximate total file count" is computed using statvfs(), which results in a system call to statfs(). The cgroup filesystem supports security label (/proc/mounts shows "seclabel") so restorecond uses statfs to try counting the number of its inodes. This result in the following denial: type=AVC msg=audit(1546727200.623:67): avc: denied { getattr } for pid=314 comm="restorecond" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:restorecond_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0 type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137 success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55 a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond" subj=system_u:system_r:restorecond_t key=(null) type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond" Allow this, like commit `5125b8eb2d` ("last misc stuff") did for setfiles_t.	2019-01-05 23:51:36 +01:00
Nicolas Iooss	3734d7e76c	ssh: use dac_read_search instead of dac_override When creating a session for a new user, sshd performs a stat() call somewhere: type=AVC msg=audit(1502951786.649:211): avc: denied { dac_read_search } for pid=274 comm="sshd" capability=2 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=capability permissive=1 type=SYSCALL msg=audit(1502951786.649:211): arch=c000003e syscall=4 success=no exit=-2 a0=480e79b300 a1=7ffe0e09b080 a2=7ffe0e09b080 a3=7fb2aa321b20 items=0 ppid=269 pid=274 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sshd" exe="/usr/bin/sshd" subj=system_u:system_r:sshd_t key=(null) type=PROCTITLE msg=audit(1502951786.649:211): proctitle=737368643A2076616772616E74205B707269765D	2019-01-05 21:21:18 +01:00
Chris PeBenito	d6b46686cd	many: Module version bumps for changes from Russell Coker.	2019-01-05 14:33:50 -05:00
Chris PeBenito	da9ff19d94	sudo: Whitespace fix.	2019-01-05 14:17:18 -05:00
Russell Coker	e1babbc375	systemd related interfaces This patch has interface changes related to systemd support as well as policy that uses the new interfaces.	2019-01-05 14:17:01 -05:00
Chris PeBenito	6f12a29ecc	apt, rpm: Remove and move lines to fix fc conflicts.	2019-01-05 14:09:57 -05:00
Chris PeBenito	39881a0e14	dpkg: Rename dpkg_read_script_tmp_links().	2019-01-05 13:56:43 -05:00
Chris PeBenito	5a9982de70	sysnetwork: Move lines.	2019-01-05 13:56:15 -05:00
Russell Coker	5125b8eb2d	last misc stuff More tiny patches. Note that this and the other 2 patches I just sent are not dependent on each other, please apply any that you like.	2019-01-05 13:54:38 -05:00
Chris PeBenito	57df6fa0d5	sysnetwork: Move optional block in sysnet_dns_name_resolve().	2019-01-05 13:42:11 -05:00
Russell Coker	73f8b85ef3	misc interfaces This patch has some small interface changes as well as the policy patches to use the new interfaces.	2019-01-05 13:36:20 -05:00
Chris PeBenito	713f9000b5	networkmanager: Add ICMPv6 comment	2019-01-05 13:34:18 -05:00
Russell Coker	678c9e0b7a	misc services patches Lots of little patches to services.	2019-01-05 13:30:30 -05:00
Alexander Miroshnichenko	c947258610	Remove unneeded braces from nsd.te.	2019-01-04 15:59:02 +03:00
Chris PeBenito	56b7919589	sigrok: Remove extra comments.	2019-01-03 20:52:26 -05:00
Guido Trentalancia	9e6febb049	Add sigrok contrib module Add a SELinux Reference Policy module for the sigrok signal analysis software suite (command-line interface). Signed-off-by: Guido Trentalancia <guido@trentalancia.com>	2019-01-03 20:51:18 -05:00
Chris PeBenito	65b7fa3f43	lvm, syncthing: Module version bump.	2019-01-03 17:52:03 -05:00
Chris PeBenito	82e652df04	Merge branch 'lvm' of https://github.com/alexminder/refpolicy	2019-01-03 17:45:16 -05:00
Chris PeBenito	9e3bb1bfde	syncthing: Whitespace change	2019-01-03 17:44:48 -05:00
Alexander Miroshnichenko	972654cf09	Remove syncthing tunable_policy. kernel_read_network_state already give syncthing to get route information. Backup plan with ifconfig does not required.	2019-01-03 13:26:08 +03:00
Alexander Miroshnichenko	29bbe7b958	Add comment for map on lvm_metadata_t.	2019-01-03 10:15:07 +03:00
Alexander Miroshnichenko	eca583b86c	Add map permission to lvm_t on lvm_metadata_t. On musl libc system lvm requires map permission.	2018-12-30 18:57:56 +03:00
Alexander Miroshnichenko	faa2b15910	Add nsd_admin interface to sysadm.te. Allow users with sysadm_r role to start/stop NSD daemon.	2018-12-30 18:30:23 +03:00
Alexander Miroshnichenko	e426b5785f	Add required permissions for nsd_t to be able running. Add required permissions to nsd_t for NSD work properly.	2018-12-30 18:27:30 +03:00
Alexander Miroshnichenko	8b2add4140	Allow syncthing_t to execute ifconfig/iproute2. Add new boolean which can allow syncthing_t to execute ifconfig/iproute2 to determinate gateway for NAT-PMP.	2018-12-30 17:43:16 +03:00
Alexander Miroshnichenko	2b3473c40c	Allow syncthing_t to read network state. Allow to read network state (/proc/*/route) and proc_t (/proc/cpuinfo, /proc/meminfo).	2018-12-30 17:42:26 +03:00
Alexander Miroshnichenko	eb588f836e	Add corecmd_exec_bin permissions to syncthing_t. corecmd_exec_bin required to run application.	2018-12-30 17:41:31 +03:00
Alexander Miroshnichenko	d2569bb877	Add signal_perms setpgid setsched permissions to syncthing_t. setpgid required because of "WARNING: Failed to lower process priority: set process group: permission denied" setsched required because of "WARNING: Failed to lower process priority: set niceness: permission denied" signal_perms required to launch app.	2018-12-30 17:39:38 +03:00
Chris PeBenito	e5ac999aab	dbus, xserver, init, logging, modutils: Module version bump.	2018-12-11 17:59:31 -05:00
David Sugar	6167b9b6e5	Allow auditctl_t to read bin_t symlinks. on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks to ../bin/kmod. But policy didn't allow auditctl_t to follow that link. type=AVC msg=audit(1543853530.925:141): avc: denied { read } for pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0 type=AVC msg=audit(1543853530.925:143): avc: denied { read } for pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0 type=AVC msg=audit(1543853530.926:145): avc: denied { read } for pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0 type=AVC msg=audit(1543853797.766:60): avc: denied { read } for pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2018-12-11 17:54:44 -05:00
David Sugar	e73e9e7734	Add missing require for 'daemon' attribute. Not sure how I didn't notice this missing require before. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2018-12-11 17:54:44 -05:00
David Sugar	55c3fab804	Allow dbus to access /proc/sys/crypto/fips_enabled type=AVC msg=audit(1543769401.029:153): avc: denied { search } for pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { read } for pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { open } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { search } for pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { read } for pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { open } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2018-12-11 17:54:44 -05:00
David Sugar	241b917d37	Allow kmod to read /proc/sys/crypto/fips_enabled type=AVC msg=audit(1543769402.716:165): avc: denied { search } for pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543769402.716:165): avc: denied { read } for pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769402.716:165): avc: denied { open } for pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2018-12-11 17:54:44 -05:00
David Sugar	3425d22c24	Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled type=AVC msg=audit(1543761322.221:211): avc: denied { search } for pid=16826 comm="X" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543761322.221:211): avc: denied { read } for pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543761322.221:211): avc: denied { open } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2018-12-11 17:54:44 -05:00
Chris PeBenito	249e87ab73	cron, minissdpd, ntp, systemd: Module version bump.	2018-11-17 19:02:54 -05:00
Chris PeBenito	45a8ddd39f	Merge branch 'minissdpd' of https://github.com/bigon/refpolicy	2018-11-17 18:58:09 -05:00
David Sugar	b73758bb97	Interface to read cron_system_spool_t Useful for the case that manage isn't requied. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2018-11-17 18:52:31 -05:00
David Sugar	56e8f679b2	interface to enable/disable systemd_networkd service Signed-off-by: Dave Sugar <dsugar@tresys.com>	2018-11-17 18:52:31 -05:00
David Sugar	5deea1b940	Add interfaces to control ntpd_unit_t systemd services Signed-off-by: Dave Sugar <dsugar@tresys.com>	2018-11-17 18:52:31 -05:00
Chris PeBenito	cd4be3dcd0	dnsmasq: Module version bump.	2018-11-17 18:50:18 -05:00
Petr Vorel	da49b37d87	dnsmasq: Require log files to have .log suffix + allow log rotate as well. Signed-off-by: Petr Vorel <pvorel@suse.cz>	2018-11-17 18:49:59 -05:00
Laurent Bigonville	a71cc466fc	Allow minissdpd_t to create a unix_stream_socket ---- type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6 type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null) type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc: denied { listen } for pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1 ---- type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6 type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null) type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc: denied { accept } for pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1	2018-11-12 16:24:54 +01:00
Chris PeBenito	b4d7c65fc4	Various modules: Version bump.	2018-11-11 15:58:59 -05:00
Chris PeBenito	205b5e705a	Merge branch 'iscsi' of https://github.com/bigon/refpolicy	2018-11-11 15:53:19 -05:00
Chris PeBenito	0e868859c4	Merge branch 'resolved' of https://github.com/bigon/refpolicy	2018-11-11 15:52:51 -05:00

... 3 4 5 6 7 ...

3343 Commits