Commit Graph

698 Commits

Chris PeBenito
0c41682fc4 cloudinit: Add permissions derived from sysadm.
Allow a similar amount of admin capability to cloud-init as sysadm.  Also add
a tunable to allow non-security file management for fallback.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-22 09:13:38 -05:00
Chris PeBenito
34afd8343c cloud-init: Change udev rules
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
758f819529 cloud-init: Add systemd permissions.
Additional access for controlling systemd units and logind dbus chat.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
7213dcf3a7 cloud-init: Allow use of sudo in runcmd.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
92587eddb3 usermanage: Handle symlinks in /usr/share/cracklib.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
0b77fe85c6 kdump: Fixes from testing kdumpctl.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
14b555b02b cloudinit: Add support for installing RPMs and setting passwords.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
5df7c1e4b6 usermanage: Add sysctl access for groupadd to get number of groups.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
45f5a5a8e0 rpm: Minor fixes
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Kenton Groombridge
f0fc6cd236 bootloader, init, udev: misc minor fixes
Resolve these AVCs seen during early boot with systemd 255:

Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0

Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc:  denied  { setrlimit } for  pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0

Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.963:11): avc:  denied  { write } for  pid=2632 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0

Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc:  denied  { net_admin } for  pid=3033 comm="bootctl" capability=12  scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:08 -05:00
Dave Sugar
7abf35393b This seems important for administrative access
node=localhost type=AVC msg=audit(1701976221.478:269623): avc:  denied { read write } for  pid=11016 comm="sudo" path="socket:[138427]" dev="sockfs" ino=138427 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=unix_stream_socket permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
fddef574ba Allow sudo dbus chat w/systemd-logind
node=localhost type=USER_AVC msg=audit(1701890241.838:133264): pid=1613 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"

node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { search } for  pid=1627 comm="systemd-logind" name="8995" dev="proc" ino=72855 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { read } for  pid=1627 comm="systemd-logind" name="cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { open } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133266): avc:  denied { getattr } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133267): avc:  denied { ioctl } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Kenton Groombridge
2b672277aa su: various fixes
Fixes for su to allow writing to faillog, lastlog, and wtmp.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Yi Zhao
100a853c0c rpm: fixes for dnf
* Set labels for /var/lib/dnf/.
* Allow useradd/groupadd to read/append rpm temporary files.
* Allow rpm_t to send/receive messages from systemd-logind over dbus.
* Allow rpm_t to use inherited systemd-logind file descriptors.

Fixes:
avc:  denied  { send_msg } for msgtype=method_call
interface=org.freedesktop.login1.Manager member=Inhibit
dest=org.freedesktop.login1 spid=565 tpid=331
scontext=root:sysadm_r:rpm_t tcontext=system_u:system_r:systemd_logind_t
tclass=dbus permissive=1

avc:  denied  { send_msg } for msgtype=method_return dest=:1.11 spid=331
tpid=565 scontext=system_u:system_r:systemd_logind_t
tcontext=root:sysadm_r:rpm_t tclass=dbus permissive=1

avc:  denied  { use } for  pid=565 comm="python3"
path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=703
scontext=root:sysadm_r:rpm_t tcontext=system_u:system_r:systemd_logind_t
tclass=fd permissive=1

avc:  denied  { read append } for  pid=590 comm="groupadd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20
scontext=root:sysadm_r:groupadd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1

avc:  denied  { getattr } for  pid=590 comm="groupadd" name="/"
dev="proc" ino=1 scontext=root:sysadm_r:groupadd_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1

avc:  denied  { ioctl } for  pid=590 comm="groupadd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20 ioctlcmd=0x5401
scontext=root:sysadm_r:groupadd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1

avc:  denied  { read append } for  pid=626 comm="useradd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20
scontext=root:sysadm_r:useradd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1

avc:  denied  { ioctl } for  pid=626 comm="useradd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20 ioctlcmd=0x5401
scontext=root:sysadm_r:useradd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-11-16 21:58:18 +08:00
Russell Coker
478df0e446 small network patches (#707)
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn, ppp and rpc

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed typo in interface name

Signed-off-by: Russell Coker <russell@coker.com.au>

* Add interface libs_watch_shared_libs_dir

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added sysnet_watch_config_dir interface

Signed-off-by: Russell Coker <russell@coker.com.au>

* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* rename sysnet_watch_config_dir to sysnet_watch_config_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Reverted a change as I can't remember why I did it.

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:44:52 -04:00
Russell Coker
0d77235ecc small ntp and dns changes (#703)
* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:01:12 -04:00
Chris PeBenito
16c46db2b8 Merge pull request #665 from gtrentalancia/init_fixes_pr
init and shutdown fixes
2023-09-18 09:08:32 -04:00
Guido Trentalancia
a6a7641605 Fix the shutdown policy in order to make use of
the newly created file label and interface needed
to manage the random seed file.

Add the sys_boot capability permission that was
missing in the shutdown domain in order to be
able to reboot/shutdown correctly.

Let the shutdown domain signal init and all other
domains.

Fix the shutdown executable file labels, as the
executable normally lives in /sbin.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/admin/shutdown.fc |    4 +++-
 policy/modules/admin/shutdown.te |    4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
2023-09-12 19:27:51 +02:00
Guido Trentalancia
5037801893 Remove a vulnerability introduced by a logging interface
which allows to execute log files.

This can be potentially used to execute malicious code or
scripts previously written in log files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/admin/logrotate.te |    1 -
 policy/modules/system/logging.if  |   22 ----------------------
 2 files changed, 23 deletions(-)
2023-09-11 15:25:25 +02:00
Dave Sugar
9812e9c0ef Label pwhistory_helper
pwhistory_helper is executed by pam_pwhistory (as configured in
/etc/pam.d/system-auth).  It updates /etc/security/opasswd, which contains
old passwords.  Label /etc/security/opasswd as shadow_t to control access.

node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { execute } for  pid=2667 comm="passwd" name="pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { read open } for  pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { execute_no_trans } for  pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { map } for  pid=2667 comm="pwhistory_helpe" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:45:13 -04:00
Chris PeBenito
7416ac14f9 Merge pull request #603 from 0xC0ncord/various-20230224
More various fixes
2023-03-13 09:18:13 -04:00
Chris PeBenito
f625d5b788 Merge pull request #579 from montjoie/portage-misc
portage: add misc missing rules
2023-03-10 14:58:38 -05:00
Kenton Groombridge
1d8b309808 netutils: fixes for iftop
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Corentin LABBE
3bf53039eb portage: add misc missing rules
Add missing rules for portage that I encountered while emerging or just calling gcc-config.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-31 08:22:39 +01:00
Chris PeBenito
8aa2f1d582 Merge pull request #589 from montjoie/portage-gh-svn-new
portage: add missing go/hg context in new distfiles location
2023-01-17 09:30:48 -05:00
Chris PeBenito
ffc581d9b9 Merge pull request #585 from montjoie/selinuxutil-loadpolicy-portage
selinuxutil: permit load_policy to use portage ptys
2023-01-17 09:26:54 -05:00
Corentin LABBE
b06c8a0a4c selinuxutil: do not audit load_policy trying to use portage ptys
Each time portage builds and installs a new SELinux policy, I got the following AVC:
allow load_policy_t portage_devpts_t:chr_file { read write };

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-17 07:40:44 +01:00
Corentin LABBE
868cc9f440 portage: add missing go/hg context in new distfiles location
go/hg source file contexts are added in the old portage distfiles location,
but are missing in the new one.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-17 07:25:35 +01:00
Chris PeBenito
8bf564f1bb Merge pull request #582 from montjoie/groupadd
usermanage: permit groupadd to read kernel sysctl
2023-01-11 16:48:09 -05:00
Corentin LABBE
d7f25ea35b portage: add new location for portage commands
Many portage command locations are missing; add them following the Gentoo SELinux repo.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-10 10:17:15 +01:00
Corentin LABBE
51f52b56d7 portage: add go/hg source control files
Add locations under /usr/portage/ labeled portage_srcrepo_t for the mercurial and go sources.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-10 10:17:15 +01:00
Corentin LABBE
17f81aa065 portage: Remove old binary location
/usr/lib/portage/bin is not used anymore

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-10 10:17:15 +01:00
Kenton Groombridge
a07dbbccf3 portage: label eix cache as portage_cache_t
Closes: https://github.com/perfinion/hardened-refpolicy/pull/10
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
2023-01-10 10:17:15 +01:00
Corentin LABBE
4e81910cce usermanage: permit groupadd to read kernel sysctl
When using groupadd, I got some AVCs due to groupadd reading /proc/sys/kernel/cap_last_cap.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-09 09:33:10 +01:00
Kenton Groombridge
d38a21388f various: use mmap_manage_file_perms
Replace instances of manage_file_perms and map with
mmap_manage_file_perms

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:36:11 -05:00
Kenton Groombridge
b85d3f673d netutils: minor fixes for nmap and traceroute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Russell Coker
d55395c1a3 This patch removes deprecated interfaces that were deprecated in the 20210203
release.  I think that 2 years of support for a deprecated interface is
enough and by the time we have the next release out it will probably be more
than 2 years since 20210203.

I think this is ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-12-12 10:32:09 -05:00
Yi Zhao
31a32f53ee rpm: add label for dnf-automatic and dnf-3
Now dnf is a symlink to dnf-3, and dnf-automatic is a symlink to
dnf-automatic-3. Add rpm_exec_t label for them.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-31 15:38:14 +08:00
Kenton Groombridge
56fed5bdb9 usbguard: add file context for usbguard in /usr/bin
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 15:31:48 -04:00
Kenton Groombridge
4257f875d8 usermanage: add file context for chpasswd in /usr/bin
chpasswd is installed to /usr/bin in Gentoo.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 15:31:46 -04:00
Dave Sugar
2b349d795a fapolicyd: fagenrules chgrp's the compiled.rules
node=localhost type=AVC msg=audit(1664829990.107:8051): avc:  denied  { chown } for  pid=3709 comm="chgrp" capability=0 scontext=toor_u:sysadm_r:fagenrules_t:s0 tcontext=sysadm_u:sysadm_r:fagenrules_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-10-07 20:55:29 -04:00
Dave Sugar
cdfa072c0b fix: issue #550 - compile failed when DIRECT_INITRC=y
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-10-07 20:55:29 -04:00
Chris PeBenito
3c9564a802 fapolicyd: Fix selint issue.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-09-20 09:52:11 -04:00
Chris PeBenito
abb3474508 Merge pull request #526 from dsugar100/fapolicyd
fapolicyd: Initial SELinux policy
2022-09-19 09:24:16 -04:00
Yi Zhao
6bb56e6158 logwatch: fixes for logwatch
* Allow logwatch_t to getsched
* Allow logwatch_t to create logwatch_lock_t dirs
* Allow logwatch_mail_t to read/write pipe of crond

Fixes:
avc:  denied  { getsched } for  pid=1012 comm="sort"
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023 tclass=process
permissive=0

avc:  denied  { write } for  pid=269 comm="lockfile-create"
name="logcheck" dev="tmpfs" ino=12709
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023
tcontext=system_u:object_r:logwatch_lock_t:s0 tclass=dir permissive=0

avc:  denied  { write } for  pid=1470 comm="sendmail"
path="pipe:[15133]" dev="pipefs" ino=15133
scontext=system_u:system_r:logwatch_mail_t:s0-s15:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tclass=fifo_file
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-09-18 00:38:25 +08:00
Dave Sugar
0cace1e7a3 fapolicyd: Initial SELinux policy
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-09-15 20:42:56 -04:00
Dave Sugar
6ff1259688 domain: move kernel_read_crypto_sysctls to a common location
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-09-14 17:03:04 -04:00
Chris PeBenito
d2fc884d26 Merge pull request #518 from 0xC0ncord/various-20220524
More various fixes, mostly ZFS and systemd-related
2022-09-14 14:26:51 -04:00
Kenton Groombridge
3ff2ae3cad bootloader, userdom: minor fixes for systemd-boot
Dontaudits on user home files for bootctl opening in less and wanting to
write to the less history file.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-09-13 14:34:44 -04:00
Kenton Groombridge
966468c626 bootloader, init: various fixes for systemd-boot
These rules were found to be needed for systemd-boot-update.service to
run properly on a systemd system with a dracut initrd and with
systemd-boot as the bootloader.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-09-13 14:24:20 -04:00