Commit Graph

6627 Commits

Author SHA1 Message Date
Kenton Groombridge
cd929e846b various: fixes for kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:15 -05:00
Kenton Groombridge
1512723b36 kubernetes: add policy for kubectl
Add a private type for kubectl because kubectl edit will invoke a text
editor for editing. This execution should transition back to the user
domain.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 14:25:52 -04:00
Kenton Groombridge
141971a291 various: fixes for kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 14:25:52 -04:00
Kenton Groombridge
466ea4b323 container: add type for container plugins
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:15 -04:00
Kenton Groombridge
16a928df4e crio, kubernetes: allow k8s admins to run CRI-O
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:15 -04:00
Kenton Groombridge
12590a88d6 crio: new policy module
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:15 -04:00
Kenton Groombridge
f1718529d2 sysadm: allow running kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:15 -04:00
Kenton Groombridge
d387288693 kubernetes: initial policy module
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:14 -04:00
Kenton Groombridge
79aeab71c8 corenet: add portcon for kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-03 17:33:14 -04:00
Chris PeBenito
03d486e306 Update Changelog and VERSION for release 2.20221101.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-11-01 09:54:51 -04:00
Chris PeBenito
89488a5b26
Merge pull request from yizhao1/fixes
Systemd fixes
2022-11-01 09:16:37 -04:00
Yi Zhao
c57259582d systemd: add capability sys_admin to systemd_generator_t
Fixes:
systemd-gpt-auto-generator[116]: Failed to dissect: Permission denied
systemd[112]: /lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

avc:  denied  { sys_admin } for  pid=116 comm="systemd-gpt-aut"
capability=21  scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
tcontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 tclass=capability permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-11-01 14:01:50 +08:00
Yi Zhao
72399fc077 systemd: allow systemd-hostnamed to read selinux configuration files
Fixes:
systemd[1]: Starting Hostname Service...
systemd-hostnamed[395]: Failed to initialize SELinux labeling handle: No such file or directory
systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-hostnamed.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Hostname Service.

avc:  denied  { read } for  pid=341 comm="systemd-hostnam" name="config"
dev="vda" ino=345 scontext=system_u:system_r:systemd_hostnamed_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-11-01 14:01:50 +08:00
Yi Zhao
d4b19952c2 systemd: allow systemd-rfkill to get attributes of all fs
Fixes:
avc:  denied  { getattr } for  pid=238 comm="systemd-rfkill" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-11-01 14:01:50 +08:00
Yi Zhao
c98bb9c716 systemd: allow systemd-backlight to read kernel sysctl settings
Fixes:
avc:  denied  { read } for  pid=359 comm="systemd-backlig" name="osrelease"
dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

avc:  denied  { open } for  pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease"
dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

avc:  denied  { getattr } for  pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease"
dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

avc:  denied  { ioctl } for  pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease"
dev="proc" ino=1457 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

avc:  denied  { getattr } for  pid=359 comm="systemd-backlig" name="/" dev="tmpfs" ino=1
scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1

avc:  denied  { search } for  pid=359 comm="systemd-backlig" name="/" dev="tmpfs" ino=1
scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=359 comm="systemd-backlig" name="/" dev="cgroup2" ino=1
scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-31 15:54:10 +08:00
Yi Zhao
31a32f53ee rpm: add label for dnf-automatic and dnf-3
Now dnf is a symlink to dnf-3, and dnf-automatic is a symlink to
dnf-automatic-3. Add rpm_exec_t label for them.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-31 15:38:14 +08:00
Chris PeBenito
eff8a2bc05
Merge pull request from yizhao1/dhcpcd-fixes
Dhcpcd fixes
2022-10-27 09:07:51 -04:00
Yi Zhao
6ed9c66d62 sysnetwork: allow dhcpcd to send and receive messages from systemd resolved
dhcpcd can send DNS information to systemd-resolved to update
resolv.conf.

Fixes:
avc:  denied  { send_msg } for msgtype=method_call
interface=org.freedesktop.resolve1.Manager member=RevertLink
dest=org.freedesktop.resolve1 spid=340 tpid=345
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
tclass=dbus permissive=0

avc:  denied  { send_msg } for msgtype=method_return dest=:1.6 spid=345
tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-27 18:54:51 +08:00
Yi Zhao
77fd73e6b8 sysnetwork: fix privilege separation functionality of dhcpcd
Fixes:
dhcpcd[410]: ps_dropprivs: chroot: /var/lib/dhcpcd: Operation not permitted
dhcpcd[410]: failed to drop privileges: Operation not permitted
dhcpcd[264]: setrlimit RLIMIT_NOFILE: Permission denied
dhcpcd[264]: setrlimit RLIMIT_NPROC: Permission denied

avc:  denied  { sys_chroot } for  pid=332 comm="dhcpcd" capability=18
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setgid } for  pid=332 comm="dhcpcd" capability=6
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setuid } for  pid=332 comm="dhcpcd" capability=7
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setrlimit } for  pid=332 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
permissive=0

avc:  denied  { getattr } for  pid=330 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-27 18:54:51 +08:00
Yi Zhao
b1f16bf755 systemd: allow systemd-resolved to manage link files
systemd-resolved may create a symlink, stub-resolv.conf, pointing to
resolv.conf under the /run/system/resolve directory.

Fixes:
avc:  denied  { create } for  pid=329 comm="systemd-resolve"
name=".#stub-resolv.conf53cb7f9d1e3aa72b"
scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-27 18:54:51 +08:00
Chris PeBenito
e639a14d4c
Merge pull request from yizhao1/watchdog
watchdog: allow watchdog to create /var/log/watchdog directory
2022-10-19 10:39:03 -04:00
Yi Zhao
44873ba42a watchdog: allow watchdog to create /var/log/watchdog directory
Allow watchdog to create the log directory with the correct label.

Fixes:
avc: denied { create } for pid=315 comm="watchdog" name="watchdog"
scontext=system_u:system_r:watchdog_t tcontext=system_u:object_r:var_log_t
tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-19 15:42:43 +08:00
Chris PeBenito
8b3fee99c0
Merge pull request from pebenito/container-engine-udp-bind
container: Add missing UDP node bind access on container engines.
2022-10-17 11:04:13 -04:00
Chris PeBenito
c15094f804
Merge pull request from yizhao1/udev
udev: allow udev_read_runtime_files to read link files
2022-10-17 11:03:49 -04:00
Yi Zhao
93575af48c udev: allow udev_read_runtime_files to read link files
There are some link files under the /run/udev directory:
$ ls -lZ /run/udev/static_node-tags/uaccess/
total 0
lrwxrwxrwx. 1 root root system_u:object_r:udev_runtime_t:SystemLow 12 Oct 16 08:32 'snd\x2fseq' -> /dev/snd/seq
lrwxrwxrwx. 1 root root system_u:object_r:udev_runtime_t:SystemLow 14 Oct 16 08:32 'snd\x2ftimer' -> /dev/snd/timer

Fixes:
avc:  denied  { read } for  pid=297 comm="systemd-logind"
name="snd\x2fseq" dev="tmpfs" ino=125
scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=lnk_file
permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-16 16:54:33 +08:00
Chris PeBenito
5399afbc7d container: Add missing UDP node bind access on container engines.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-12 09:40:50 -04:00
Chris PeBenito
cc2d06a20f
Merge pull request from pebenito/sympa
Add sympa mail list manager
2022-10-12 08:36:53 -04:00
Chris PeBenito
630c41bd86
Merge pull request from 0xC0ncord/various-20220923
A few minor fixes
2022-10-11 13:32:40 -04:00
Kenton Groombridge
4f157b5f63 rpc: allow rpc admins to rw nfsd fs
Seen when using exportfs.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-10 13:50:07 -04:00
Chris PeBenito
accdce94a2 sympa, logging: Fix lint errors.
Logging is from new append_inherited_file_perms set.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-10 10:39:05 -04:00
Chris PeBenito
3fd5341bff sympa, mta, exim: Revise interfaces.
Revise interfaces added as part of sympa work.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-10 10:25:17 -04:00
Chris PeBenito
be2ba4e473 sympa: Drop module version.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-10 10:15:16 -04:00
Chris PeBenito
6a0a90065e sympa: Move lines.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-10 10:15:16 -04:00
Russell Coker
ef70117066 Sympa list server
Policy for the Sympa mailing list server.

I think this is ready to merge; it works well.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-10-10 09:29:42 -04:00
Kenton Groombridge
d4f3b21e18 systemd: allow systemd-generator to use dns resolution
systemd-generator will create mount units for NFS shares in /etc/fstab,
but will need to use DNS resolution if those fstab entries use
hostnames.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 21:09:56 -04:00
Kenton Groombridge
d0f30da8cf zfs: allow reading exports
Needed for NFS on ZFS.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 21:09:56 -04:00
Kenton Groombridge
e1cdd5a944 dbus, init, mount, rpc: minor fixes for mount.nfs
mount.nfs will attempt to start the rpc-statd.service unit but will fall
back to executing start-statd directly. Dontaudit attempts to start the
unit and perform a domain transition to start-statd from mount.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 21:09:56 -04:00
Kenton Groombridge
389ae8d0f2 git: add file contexts for other git utilities
The git binary and its subcommands are hardlinks that live in /usr/bin
and /usr/libexec/git-core. Add a file context to encompass all these
binaries. This also fixes conflicting type specifications.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 21:09:56 -04:00
Kenton Groombridge
9ee16f9c41 init: add file context for systemd units in dracut modules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 21:09:45 -04:00
Kenton Groombridge
56fed5bdb9 usbguard: add file context for usbguard in /usr/bin
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 15:31:48 -04:00
Kenton Groombridge
1206a74fa1 node_exporter: add file context for node_exporter in /usr/bin
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 15:31:47 -04:00
Kenton Groombridge
4257f875d8 usermanage: add file context for chpasswd in /usr/bin
chpasswd is installed to /usr/bin in Gentoo.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 15:31:46 -04:00
Chris PeBenito
f8dabbe48c
Merge pull request from dsugar100/fapolicyd_fixes
Fapolicyd fixes
2022-10-08 12:31:58 -04:00
Dave Sugar
847cffd32e Add 'DIRECT_INITRC' config to automated tests
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-10-07 20:55:29 -04:00
Dave Sugar
2b349d795a fapolicyd: fagenrules chgrp's the compiled.rules
node=localhost type=AVC msg=audit(1664829990.107:8051): avc:  denied  { chown } for  pid=3709 comm="chgrp" capability=0 scontext=toor_u:sysadm_r:fagenrules_t:s0 tcontext=sysadm_u:sysadm_r:fagenrules_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-10-07 20:55:29 -04:00
Dave Sugar
cdfa072c0b fix: issue - compile failed when DIRECT_INITRC=y
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-10-07 20:55:29 -04:00
Chris PeBenito
e94bd845d9
Merge pull request from yizhao1/systemd-journal
logging: allow systemd-journal to write syslogd_runtime_t sock_file
2022-10-04 09:55:42 -04:00
Chris PeBenito
d7a7ea3e91
Merge pull request from yizhao1/radius
radius: fixes for freeradius
2022-10-04 09:55:02 -04:00
Yi Zhao
ac25e5ac3b radius: fixes for freeradius
* Add dac_read_search capability to radiusd_t
* Add getcap to radiusd_t process

Fixes:
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1

avc: denied { getcap } for pid=473 comm="radiusd"
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=process permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-09-29 15:25:33 +08:00
Yi Zhao
06f06bb236 logging: allow systemd-journal to manage syslogd_runtime_t sock_file
Fixes:
avc:  denied  { write } for  pid=165 comm="systemd-journal"
name="syslog" dev="tmpfs" ino=545 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-09-29 10:34:02 +08:00