Kenton Groombridge
d098ffc59d
container: allow containers the chroot capability
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
cec7f0d3e2
various: various userns capability permissions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
8d5d89c1e6
container, mount: allow mount to getattr on container fs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
6a1052077f
container: allow containers to use container ptys
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
262cee592b
container, gpg, userdom: allow container engines to execute gpg
Container engines need to be able to execute gpg in order to verify
container image signatures if they are signed.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
ed054cc543
container: initial support for container engines
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:01 -05:00
Kenton Groombridge
ab36308baa
container: add base attributes for containers and container engines
And split container network access to container_net_domain
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:36 -05:00
Kenton Groombridge
8d904bb54f
various: make various types a mountpoint for containers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:35 -05:00
Kenton Groombridge
5f86d07ddc
container: add interface to identify container mountpoints
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:34 -05:00
Kenton Groombridge
a3cd63ca9a
container: fixup rules
Move a common container rule to the proper location, remove a redundant
access, and make container files an entrypoint for containers.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:33 -05:00
Kenton Groombridge
172446cf66
container: svirt_lxc_net_t is now container_t
svirt_lxc_domain is now container_domain and svirt_lxc_net_t is now
container_t.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:32 -05:00
Kenton Groombridge
729bb32388
container, virt: move svirt lxc domains to new container module
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:28 -05:00
Kenton Groombridge
c7ce013889
sysnetwork: add interfaces for /run/netns
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:27 -05:00
Kenton Groombridge
2de1dc6c39
init: allow systemd to renice all other domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:26 -05:00
Kenton Groombridge
43c778e646
init: add interface to setsched on init
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:25 -05:00
Kenton Groombridge
00d16e45f8
userdom: add interfaces to relabel generic user home content
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:24 -05:00
Kenton Groombridge
b2ed289221
systemd: add interface to dbus chat with systemd-machined
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:23 -05:00
Kenton Groombridge
582f390f85
init: add interface to run init bpf programs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:22 -05:00
Kenton Groombridge
c9eb093f2b
devices: add interfaces to remount sysfs and device filesystems
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:21 -05:00
Kenton Groombridge
dea8a63ed3
devices, kernel: deprecate dev_mounton_sysfs
dev_mounton_sysfs is a duplicate of dev_mounton_sysfs_dirs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:20 -05:00
Kenton Groombridge
bd5fb161df
kernel, rpc, systemd: deprecate kernel_mounton_proc
Deprecate kernel_mounton_proc in favor of kernel_mounton_proc_dirs. The
former seems to be a duplicate interface. Also fixup the summary of
kernel_mounton_proc_dirs.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:19 -05:00
Kenton Groombridge
842b390ff1
kernel: add various supporting interfaces for containers
kernel: add interface to getattr on nsfs filesystems
kernel: add interface to dontaudit searching fs sysctls
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:17 -05:00
Chris PeBenito
d55544121b
Merge pull request #454 from jpds/rwnetlinksocketperms-typo
obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
2022-01-11 15:04:31 -05:00
Jonathan Davies
6178cd096b
policy/*: Replaced rw_netlink_socket_perms with create_netlink_socket_perms.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-01-11 19:44:11 +00:00
Chris PeBenito
a440f1d90f
Merge pull request #461 from pebenito/journal-mls
systemd: Change journal file context to MLS system high.
2022-01-11 08:20:52 -05:00
Chris PeBenito
e09733d6b4
systemd: Change journal file context to MLS system high.
Fixes issues like this: audit(1640354247.630:3): op=security_validate_transition seresult=denied oldcontext=system_u:object_r:systemd_journal_t:s15:c0.c1023 newcontext=system_u:object_r:systemd_journal_t:s0 taskcontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 tclass=file
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-01-10 08:41:59 -05:00
Chris PeBenito
9fc775c3cb
Merge pull request #459 from 0xC0ncord/user-mcs-removal
Remove MCS categories from default users
2022-01-09 07:45:09 -05:00
Kenton Groombridge
499b35eac9
various: remove various mcs ranged transitions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-06 20:58:28 -05:00
Kenton Groombridge
7d53784332
users: remove MCS categories from default users
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-06 20:58:22 -05:00
Chris PeBenito
bfc448e688
Merge pull request #456 from pebenito/drop-module-versioning
Drop module versioning.
2022-01-06 11:09:21 -05:00
Chris PeBenito
5781a2393c
tests.yml: Disable policy_module() selint checks.
It does not support single-parameter policy_module().
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:20:18 -05:00
Chris PeBenito
78276fc43b
Drop module versioning.
Semodule stopped using this many years ago. The policy_module() macro will
continue to support an optional second parameter as version.
If it is not specified, a default value of 1 is set.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:19:13 -05:00
Chris PeBenito
60a3d5af67
modutils: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:11:09 -05:00
Chris PeBenito
7e871f6573
Merge pull request #451 from yizhao1/kmod-fixes
2022-01-06 08:37:45 -05:00
Yi Zhao
b7258b3d6d
modutils: allow kmod_t to write keys
Fixes:
$ modprobe cfg80211
kernel: cfg80211: Loading compiled-in X.509 certificates for regulatory database
kernel: cfg80211: Problem loading in-kernel X.509 certificate (-13)
kernel: cfg80211: loaded regulatory.db is malformed or signature is missing/invalid
avc: denied { write } for pid=219 comm="modprobe"
scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t
tclass=key permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-01-06 10:10:50 +08:00
Jonathan Davies
5abf92037f
obj_perm_sets.spt: Fixed typo in rw_netlink_socket_perms.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2022-01-04 16:27:16 +00:00
Chris PeBenito
23a8d103f3
su, corenetwork, bluetooth, chronyd, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-04 11:03:07 -05:00
Chris PeBenito
742b10b70d
Merge pull request #452 from jpds/chronyd-nts
2022-01-04 11:00:05 -05:00
Chris PeBenito
57eafae3f7
Merge pull request #450 from yizhao1/fixes
2022-01-04 11:00:03 -05:00
Jonathan Davies
f4f6465466
chronyd: Allow access to read certs.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-12-26 22:04:21 +00:00
Jonathan Davies
472325cbfd
chronyd.te: Added support for bind/connect/recv/send NTS packets.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-12-26 17:26:30 +00:00
Jonathan Davies
53a6c9360a
corenetwork.te.in: Added ntske port.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2021-12-26 17:26:30 +00:00
Yi Zhao
91d32c2162
su: allow su to map SELinux status page
We encountered a su runtime error with selinux 3.3:
$ su - user1
su: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault
Fixes:
avc: denied { map } for pid=558 comm="su"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19
scontext=root:sysadm_r:sysadm_su_t tcontext=system_u:object_r:security_t
tclass=file permissive=0
avc: denied { getattr } for pid=570 comm="su" name="/" dev="proc"
ino=1 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:proc_t
tclass=filesystem permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-21 10:46:27 +08:00
Yi Zhao
4c515c9f8b
systemd: allow systemd-hostnamed to read udev runtime files
Fixes:
avc: denied { open } for pid=392 comm="systemd-hostnam"
path="/run/udev/data/+dmi:id" dev="tmpfs" ino=609
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=392 comm="systemd-hostnam"
path="/run/udev/data/+dmi:id" dev="tmpfs" ino=609
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-21 10:38:26 +08:00
Yi Zhao
5eb43f0bca
bluetooth: allow bluetoothd to create alg_socket
Fixes:
avc: denied { create } for pid=268 comm="bluetoothd"
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=alg_socket
permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-21 10:33:04 +08:00
Chris PeBenito
51dca5c89a
acpi, ssh: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-12-20 09:52:39 -05:00
Chris PeBenito
f8ea1c2c2e
Merge pull request #449 from yizhao1/acpid
2021-12-20 09:52:10 -05:00
Chris PeBenito
37398a50ba
Merge pull request #448 from yizhao1/ssh-keygen
2021-12-20 09:52:06 -05:00
Yi Zhao
0a1386e8ec
acpid: allow acpid to watch the directories in /dev
Fixes:
acpid: inotify_add_watch() failed: Permission denied (13)
avc: denied { watch } for pid=269 comm="acpid" path="/dev/input"
dev="devtmpfs" ino=35 scontext=system_u:system_r:acpid_t:s0-s15:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-13 11:51:57 +08:00
Yi Zhao
8537bdaf23
ssh: do not audit attempts by ssh-keygen to read proc
Fixes:
avc: denied { read } for pid=353 comm="ssh-keygen" name="filesystems"
dev="proc" ino=4026532078 scontext=system_u:system_r:ssh_keygen_t
tcontext=system_u:object_r:proc_t tclass=file permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-12-10 12:53:51 +08:00