Kenton Groombridge
8b26a7ccf3
init, systemd: allow systemd-pcrphase to write TPM measurements
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:29:43 -05:00
Chris PeBenito
63698fee31
Merge pull request #756 from 0xC0ncord/rook-ceph
Add support for rook-ceph in kubernetes
2024-02-21 14:29:00 -05:00
Chris PeBenito
d11ca7a2b5
Merge pull request #752 from dsugar100/systemd_noatsecure
Needed to allow environment variables to be passed to the started process (for cockpit)
2024-02-21 14:12:29 -05:00
Kenton Groombridge
1305fd7be1
container: add filecons for rook-ceph
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-10 21:10:38 -05:00
Kenton Groombridge
08adc2fadb
kernel: dontaudit read fixed disk devices
This is triggered when rook-ceph creates its OSDs.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-09 15:12:00 -05:00
Kenton Groombridge
5ab2cf6a6a
container, kubernetes: add support for rook-ceph
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-09 15:11:58 -05:00
Kenton Groombridge
dad409e58b
fstools: allow reading container device blk files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 19:20:30 -05:00
Kenton Groombridge
5703d3fdb9
fstools: allow fsadm to ioctl cgroup dirs
When kubelet calls losetup, it will transition to the fsadm_t domain and
need to access block devices in containers.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 18:20:35 -05:00
Kenton Groombridge
0bec2f68f7
mount: make mount_runtime_t a kubernetes mountpoint
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 18:18:24 -05:00
Yi Zhao
3d565b0a3a
udev: fix for systemd-udevd
Fixes:
avc: denied { setrlimit } for pid=194 comm="systemd-udevd"
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=process permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 12:52:54 +08:00
Yi Zhao
9d3513c7fa
systemd: allow systemd-rfkill to getopt from uevent sockets
Fixes:
avc: denied { getopt } for pid=313 comm="systemd-rfkill"
scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
tcontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 11:18:38 +08:00
Yi Zhao
ecc6e3ccde
systemd: allow systemd-hostnamed to read machine-id and localization files
Fixes:
avc: denied { read } for pid=533 comm="systemd-hostnam"
name="machine-id" dev="sdb2" ino=196
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
avc: denied { open } for pid=533 comm="systemd-hostnam"
path="/etc/machine-id" dev="sdb2" ino=196
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
avc: denied { search } for pid=533 comm="systemd-hostnam"
name="zoneinfo" dev="sdb2" ino=22345
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
avc: denied { read } for pid=533 comm="systemd-hostnam"
name="Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
avc: denied { open } for pid=533 comm="systemd-hostnam"
path="/usr/share/zoneinfo/Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=533 comm="systemd-hostnam"
path="/usr/share/zoneinfo/Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 11:07:53 +08:00
Dave Sugar
882830d642
Resolve error when cockpit initiates shutdown
node=localhost type=AVC msg=audit(1705937785.855:1258): avc: denied { create } for pid=1741 comm="systemd-logind" name=".#scheduleddAhZqh" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1705937817.548:1268): avc: denied { create } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1268): avc: denied { read write open } for pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1269): avc: denied { setattr } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1270): avc: denied { getattr } for pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1271): avc: denied { rename } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc: denied { write } for pid=1741 comm="systemd-logind" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc: denied { add_name } for pid=1741 comm="systemd-logind" name=".#nologin0EGTLr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1273): avc: denied { remove_name } for pid=1741 comm="systemd-logind" name=".#nologin3EGTLr" dev="tmpfs" ino=1804 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:13 -05:00
Dave Sugar
08ea30252e
Fix password changing from cockpit login screen
node=localhost type=AVC msg=audit(1705071167.616:1344): avc: denied { write } for pid=6560 comm="cockpit-session" name="etc" dev="dm-1" ino=393220 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1705071268.820:1383): avc: denied { write } for pid=6588 comm="cockpit-session" name="etc" dev="dm-1" ino=393220 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705071268.820:1383): avc: denied { add_name } for pid=6588 comm="cockpit-session" name="nshadow" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705071268.826:1384): avc: denied { remove_name } for pid=6588 comm="cockpit-session" name="nshadow" dev="dm-1" ino=393552 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:13 -05:00
Dave Sugar
d80c8f421f
Denial during cockpit use
node=localhost type=USER_AVC msg=audit(1702256090.674:226515): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" function="mac_selinux_filter" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:08 -05:00
Dave Sugar
a95feb6cdd
Additional access for systemctl
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc: denied { search } for pid=2071 comm="systemctl" name="kernel" dev="proc" ino=5 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=1
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc: denied { read } for pid=2071 comm="systemctl" name="cap_last_cap" dev="proc" ino=65 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc: denied { open } for pid=2071 comm="systemctl" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=65 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
c6d904fcb4
Add watches
node=localhost type=AVC msg=audit(1701960388.658:45746): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/" dev="dm-1" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.457:46142): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/etc/motd" dev="dm-1" ino=524363 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1701960389.538:46261): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/var" dev="dm-9" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.539:46264): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/var/lib" dev="dm-9" ino=262145 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.472:46167): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/run/systemd" dev="tmpfs" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.473:46170): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/run/systemd/shutdown" dev="tmpfs" ino=99 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701966176.317:51985): avc: denied { watch } for pid=7186 comm="cockpit-bridge" path="/run/utmp" dev="tmpfs" ino=94 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
b4d2d588f8
Add dontaudit to quiet down a bit
node=localhost type=AVC msg=audit(1702086779.746:35710): avc: denied { execute } for pid=2790 comm="cockpit-bridge" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=18 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:user_tmpfs_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1702086784.802:36735): avc: denied { execute } for pid=2849 comm="cockpit-bridge" path=2F726F6F742F23363535333931202864656C6574656429 dev="dm-1" ino=655391 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:default_t:s0 tclass=file permissive=0
/var/log/audit/audit.log:node=localhost type=AVC msg=audit(1702086784.803:36742): avc: denied { execute } for pid=2849 comm="cockpit-bridge" path=2F233330363834202864656C6574656429 dev="dm-1" ino=30684 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1702069242.629:385266): avc: denied { execute } for pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
fcfffd4a2c
Allow key manipulation
node=localhost type=AVC msg=audit(1701897597.942:245462): avc: denied { create } for pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc: denied { write } for pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc: denied { search } for pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc: denied { link } for pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
b34ce38bfd
admin can read/write web socket
node=localhost type=AVC msg=audit(1701889206.489:120065): avc: denied { use } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1
node=localhost type=AVC msg=audit(1701889206.489:120065): avc: denied { read write } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889206.500:120084): avc: denied { ioctl } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 ioctlcmd=0x5401 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.271:120489): avc: denied { write } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.279:120491): avc: denied { read } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889217.374:123275): avc: denied { use } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
cb810219ba
This works instead of allow exec on user_tmpfs_t!
node=localhost type=AVC msg=audit(1702069242.629:385266): avc: denied { execute } for pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
7abf35393b
This seems important for administrative access
node=localhost type=AVC msg=audit(1701976221.478:269623): avc: denied { read write } for pid=11016 comm="sudo" path="socket:[138427]" dev="sockfs" ino=138427 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=unix_stream_socket permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
675144499f
Signal during logout
node=localhost type=AVC msg=audit(1701975071.847:229359): avc: denied { signal } for pid=10270 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0 tclass=process permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
a242691898
The L+ tmpfiles option needs to read the symlink
node=localhost type=AVC msg=audit(1701956913.910:21672): avc: denied { read } for pid=3783 comm="systemd-tmpfile" name="motd" dev="tmpfs" ino=1812 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:cockpit_runtime_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
fddef574ba
Allow sudo dbus chat w/systemd-logind
node=localhost type=USER_AVC msg=audit(1701890241.838:133264): pid=1613 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"
node=localhost type=AVC msg=audit(1701890241.838:133265): avc: denied { search } for pid=1627 comm="systemd-logind" name="8995" dev="proc" ino=72855 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133265): avc: denied { read } for pid=1627 comm="systemd-logind" name="cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133265): avc: denied { open } for pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133266): avc: denied { getattr } for pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133267): avc: denied { ioctl } for pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
c199c29b11
cockpit ssh as user
node=localhost type=AVC msg=audit(1701889205.276:117169): avc: denied { use } for pid=8720 comm="ssh-agent" path="pipe:[68232]" dev="pipefs" ino=68232 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=1
node=localhost type=AVC msg=audit(1701889205.276:117169): avc: denied { read } for pid=8720 comm="ssh-agent" path="pipe:[68232]" dev="pipefs" ino=68232 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889205.276:117169): avc: denied { write } for pid=8720 comm="ssh-agent" path="pipe:[68233]" dev="pipefs" ino=68233 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889205.314:117185): avc: denied { getattr } for pid=8720 comm="ssh-agent" path="pipe:[68233]" dev="pipefs" ino=68233 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889286.260:125552): avc: denied { use } for pid=8908 comm="ssh-agent" path="pipe:[70169]" dev="pipefs" ino=70169 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0
node=localhost type=AVC msg=audit(1701889286.260:125552): avc: denied { use } for pid=8908 comm="ssh-agent" path="pipe:[70170]" dev="pipefs" ino=70170 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0
node=localhost type=AVC msg=audit(1701889286.260:125552): avc: denied { use } for pid=8908 comm="ssh-agent" path="pipe:[70171]" dev="pipefs" ino=70171 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
4f90070e21
allow systemd --user to execute systemd-tmpfiles in <user>_systemd_tmpfiles_t domain
node=localhost type=AVC msg=audit(1701889206.398:119881): avc: denied { execute } for pid=8733 comm="(tmpfiles)" name="systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc: denied { read open } for pid=8733 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc: denied { execute_no_trans } for pid=8733 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc: denied { map } for pid=8733 comm="systemd-tmpfile" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.473:3560): avc: denied { read write } for pid=4853 comm="systemd-tmpfile" path="socket:[47094]" dev="sockfs" ino=47094 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="kernel" dev="proc" ino=13283 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc: denied { read } for pid=4853 comm="systemd-tmpfile" name="cap_last_cap" dev="proc" ino=13343 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc: denied { open } for pid=4853 comm="systemd-tmpfile" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=13343 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3563): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" name="/" dev="proc" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3564): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3568): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" name="/" dev="cgroup2" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3569): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="/" dev="cgroup2" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3570): avc: denied { read } for pid=4853 comm="systemd-tmpfile" name="cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3570): avc: denied { open } for pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3571): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3572): avc: denied { ioctl } for pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 ioctlcmd=0x5401 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3573): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" path="socket:[47094]" dev="sockfs" ino=47094 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3574): avc: denied { create } for pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3575): avc: denied { getopt } for pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3576): avc: denied { setopt } for pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc: denied { connect } for pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="journal" dev="tmpfs" ino=55 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc: denied { write } for pid=4853 comm="systemd-tmpfile" name="socket" dev="tmpfs" ino=57 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc: denied { sendto } for pid=4853 comm="systemd-tmpfile" path="/run/systemd/journal/socket" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3578): avc: denied { map } for pid=4853 comm="systemd-tmpfile" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="contexts" dev="dm-1" ino=138857 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="files" dev="dm-1" ino=138863 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc: denied { read } for pid=4853 comm="systemd-tmpfile" name="file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc: denied { open } for pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3580): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3581): avc: denied { map } for pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-1" ino=131164 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3582): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" path="/home" dev="dm-8" ino=2 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3583): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="/" dev="dm-8" ino=2 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3584): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" path="/home/sysadm" dev="dm-8" ino=26 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3585): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="sysadm" dev="dm-8" ino=26 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3586): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" path="/run" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3587): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" path="/run/user" dev="tmpfs" ino=92 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3588): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="user" dev="tmpfs" ino=92 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3589): avc: denied { getattr } for pid=4853 comm="systemd-tmpfile" path="/run/user/1002" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3590): avc: denied { search } for pid=4853 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc: denied { search } for pid=4845 comm="systemd" name="4853" dev="proc" ino=29607 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc: denied { read } for pid=4845 comm="systemd" name="comm" dev="proc" ino=47101 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc: denied { open } for pid=4845 comm="systemd" path="/proc/4853/comm" dev="proc" ino=47101 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
4bd6277912
Fix denial while cleaning up pidfile symlink
...
Nov 29 02:15:13 localhost.localdomain audisp-syslog[1698]: node=localhost type=AVC msg=audit(1701224113.540:7569): avc: denied { unlink } for pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1749 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_runtime_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
cc46c3296a
SELinux policy for cockpit
...
Set up domain for cockpit-certificate-ensure
Set up service rules
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:27 -05:00
Chris PeBenito
a81eefc3c1
Merge pull request #751 from cgzones/selint
...
SELint updates
2024-01-16 12:10:29 -05:00
Chris PeBenito
9c3fca3bed
Merge pull request #741 from 0xC0ncord/various-20231217
...
Various fixes
2024-01-10 14:17:48 -05:00
Kenton Groombridge
0f6361dbc4
kernel: allow delete and setattr on generic SCSI and USB devices
...
Seen with systemd 255.
type=AVC msg=audit(1702835409.236:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bsg/17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:65): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:66): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:69): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bus/usb/001/002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:70): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:71): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
2b672277aa
su: various fixes
...
Fixes for su to allow writing to faillog, lastlog, and wtmp.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
07d5862d2d
zfs: dontaudit net_admin capability by zed
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
838ff87b62
zed: allow managing /etc/exports.d/zfs.exports
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
b74dbb649e
rpc: add filecon for /etc/exports.d
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
6dfe08a416
systemd: allow networkd to use netlink netfilter sockets
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
a3348800a7
systemd: fixes for systemd-pcrphase
...
Add new required accesses for systemd-pcrphase and label the new
systemd-pcrextend under the same domain.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
e5a8798485
init: allow all daemons to write to init runtime sockets
...
Seems to be needed as of systemd 255 for writing to
/run/systemd/private.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
b61f6c2395
udev: allow reading kernel fs sysctls
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
9874203ca9
init, systemd: label systemd-executor as init_exec_t
...
As of systemd 255, services are no longer forked from PID 1 but instead
are spawned by a new systemd-executor helper binary. Label this binary
accordingly and add a rule for systemd user session domains to use it.
Closes: https://github.com/SELinuxProject/refpolicy/issues/732
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:23 -05:00
Dave Sugar
e668e176fb
Needed to allow environment variables to be passed to the started process (for cockpit)
...
Dec 05 22:41:49 localhost.localdomain cockpit-tls[7887]: cockpit-tls: $RUNTIME_DIRECTORY environment variable must be set to a private directory
Dec 05 22:41:49 localhost.localdomain systemd[1]: cockpit.service: Main process exited, code=exited, status=1/FAILURE
Dec 05 22:41:49 localhost.localdomain systemd[1]: cockpit.service: Failed with result 'exit-code'.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-10 11:34:03 -05:00
Christian Göttsche
ee176fe272
devicedisk: reorder optional block
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-10 17:02:41 +01:00
Christian Göttsche
babd479760
systemd: reorder optional block
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-10 17:02:41 +01:00
Christian Göttsche
4b05e1e9c3
SELint userspace class tweaks
...
SELint version 1.5 emits issues for missing or unused declarations of
userspace classes:
init.te: 270: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
init.te: 312: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1116: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
init.te: 1124: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1132: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1136: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1137: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
unconfined.te: 64: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
systemd.te: 1250: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
systemd.te: 1377: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 56: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 157: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 297: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
kernel.te: 566: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
chromium.if: 139: (W): Class dbus is listed in require block but not used in interface (W-003)
init.if: 1192: (W): Class system is used in interface but not required (W-002)
init.if: 1210: (W): Class system is used in interface but not required (W-002)
init.if: 1228: (W): Class system is used in interface but not required (W-002)
init.if: 1246: (W): Class system is used in interface but not required (W-002)
init.if: 1264: (W): Class system is used in interface but not required (W-002)
init.if: 1282: (W): Class system is used in interface but not required (W-002)
init.if: 1300: (W): Class system is used in interface but not required (W-002)
init.if: 1318: (W): Class system is used in interface but not required (W-002)
init.if: 1393: (W): Class bpf is listed in require block but is not a userspace class (W-003)
unconfined.if: 34: (W): Class service is listed in require block but not used in interface (W-003)
systemd.if: 144: (W): Class system is used in interface but not required (W-002)
systemd.if: 159: (W): Class service is used in interface but not required (W-002)
systemd.if: 160: (W): Class service is used in interface but not required (W-002)
systemd.if: 413: (W): Class system is used in interface but not required (W-002)
systemd.if: 437: (W): Class system is used in interface but not required (W-002)
systemd.if: 461: (W): Class system is used in interface but not required (W-002)
postgresql.if: 31: (W): Class db_database is listed in require block but not used in interface (W-003)
postgresql.if: 37: (W): Class db_language is listed in require block but not used in interface (W-003)
postgresql.if: 465: (W): Class db_database is listed in require block but not used in interface (W-003)
postgresql.if: 471: (W): Class db_language is listed in require block but not used in interface (W-003)
xserver.if: 370: (W): Class x_property is listed in require block but not used in interface (W-003)
Found the following issue counts:
W-001: 14
W-002: 14
W-003: 8
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-10 17:02:41 +01:00
Chris PeBenito
45f43ca378
Merge pull request #747 from cgzones/getattr
...
init: only grant getattr in init_getattr_generic_units_files()
2024-01-09 12:39:11 -05:00
Chris PeBenito
ee0a03efd5
Merge pull request #749 from dsugar100/xguest_systemd
...
xguest needs 'systemd --user'
2024-01-09 11:48:12 -05:00
Chris PeBenito
66cff3bca2
Merge pull request #748 from dsugar100/firewall_etc_relabel
...
Firewalld needs to relabel direct.xml.old file
2024-01-09 11:47:37 -05:00
Chris PeBenito
2bd4015c67
Merge pull request #742 from 0xC0ncord/container-fixes
...
Kubernetes and container fixes, add support for Cilium
2024-01-09 11:46:08 -05:00
Dave Sugar
dc3ccdfafa
xguest uses systemd --user
...
node=localhost type=AVC msg=audit(1703021456.203:565): avc: denied { search } for pid=1247 comm="(systemd)" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1703021456.203:565): avc: denied { link } for pid=1247 comm="(systemd)" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1703021456.282:694): avc: denied { create } for pid=1247 comm="systemd" name="systemd" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021456.283:696): avc: denied { create } for pid=1247 comm="systemd" name="fifo" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1703021456.283:697): avc: denied { create } for pid=1247 comm="systemd" name="sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021456.283:698): avc: denied { create } for pid=1247 comm="systemd" name="chr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1703021456.353:812): avc: denied { create } for pid=1247 comm="systemd" name="generator" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:systemd_user_runtime_unit_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021456.419:901): avc: denied { remove_name } for pid=1247 comm="systemd" name="generator" dev="tmpfs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021456.614:2701): avc: denied { write } for pid=1247 comm="systemd" name="private" dev="tmpfs" ino=14 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021456.643:3029): avc: denied { create } for pid=1247 comm="systemd" name="bus" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:session_dbusd_runtime_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021456.644:3032): avc: denied { write } for pid=1247 comm="systemd" name="bus" dev="tmpfs" ino=15 scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:session_dbusd_runtime_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021456.645:3047): avc: denied { create } for pid=1247 comm="systemd" name=".#invocation:dbus.socket4c7cde17cb0e7a48" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021456.645:3048): avc: denied { remove_name } for pid=1247 comm="systemd" name=".#invocation:dbus.socket4c7cde17cb0e7a48" dev="tmpfs" ino=16 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021456.645:3048): avc: denied { rename } for pid=1247 comm="systemd" name=".#invocation:dbus.socket4c7cde17cb0e7a48" dev="tmpfs" ino=16 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021456.771:3266): avc: denied { write } for pid=1247 comm="systemd" name="notify" dev="tmpfs" ino=38 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_runtime_notify_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021613.118:6433): avc: denied { create } for pid=1247 comm="systemd" name=".#invocation:grub-boot-success.service0d86da059b1d9d72" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021613.118:6434): avc: denied { remove_name } for pid=1247 comm="systemd" name=".#invocation:grub-boot-success.service0d86da059b1d9d72" dev="tmpfs" ino=20 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021613.118:6434): avc: denied { rename } for pid=1247 comm="systemd" name=".#invocation:grub-boot-success.service0d86da059b1d9d72" dev="tmpfs" ino=20 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021613.141:6469): avc: denied { unlink } for pid=1247 comm="systemd" name="invocation:grub-boot-success.service" dev="tmpfs" ino=20 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021793.226:6636): avc: denied { unlink } for pid=1247 comm="systemd" name="invocation:systemd-tmpfiles-clean.service" dev="tmpfs" ino=21 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-07 17:37:02 -05:00
Dave Sugar
3d55e918f6
Firewalld needs to relabel direct.xml file
...
firewalld[1084]: Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/firewall/core/io/direct.py", line 372, in write
shutil.copy2(self.filename, "%s.old" % self.filename)
File "/usr/lib64/python3.9/shutil.py", line 445, in copy2
copystat(src, dst, follow_symlinks=follow_symlinks)
File "/usr/lib64/python3.9/shutil.py", line 388, in copystat
_copyxattr(src, dst, follow_symlinks=follow)
File "/usr/lib64/python3.9/shutil.py", line 338, in _copyxattr
os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
PermissionError: [Errno 13] Permission denied: '/etc/firewalld/direct.xml.old'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/firewall/server/decorators.py", line 67, in _impl
return func(*args, **kwargs)
File "/usr/lib/python3.9/site-packages/firewall/server/config.py", line 1429, in update
self.config.get_direct().write()
File "/usr/lib/python3.9/site-packages/firewall/core/io/direct.py", line 374, in write
raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))
OSError: Backup of '/etc/firewalld/direct.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/direct.xml.old'
firewalld[1084]: ERROR: Backup of file '/etc/firewalld/zones/data.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/data.xml.old'
node=localhost type=AVC msg=audit(1704599676.613:35145): avc: denied { relabelfrom } for pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=loalhost type=AVC msg=audit(1704599677.914:35287): avc: denied { relabelfrom } for pid=1084 comm="firewalld" name="direct.xml.old" dev="dm-0" ino=1180671 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1704599788.714:41689): avc: denied { relabelfrom } for pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1704599788.714:41689): avc: denied { relabelto } for pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-07 17:15:36 -05:00
Christian Göttsche
82f7160a20
init: only grant getattr in init_getattr_generic_units_files()
...
As the name suggests, only grant the permission getattr in
init_getattr_generic_units_files().
Adjust the only caller to use init_read_generic_units_files() instead.
Reported-by: Laurent Bigonville
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-04 20:43:20 +01:00
Kenton Groombridge
a0018e4e85
kubernetes: allow container engines to mount on DRI devices if enabled
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Kenton Groombridge
16323cfce2
container, kubernetes: add support for cilium
...
Cilium is a kubernetes CNI powered by BPF. Its daemon pods run as super
privileged containers which require various accesses in order to load
BPF programs and modify the host network.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Kenton Groombridge
d2f413c1b6
container: various fixes
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Chris PeBenito
d4555fd002
Merge pull request #744 from quic-kmeng/main
...
filesystem:Add type contexts and interface for functionfs
2024-01-04 09:39:39 -05:00
Kai Meng
76951aa43c
devices:Add genfscon context for functionfs to mount
...
When starting up adbd via the adb initscript, there is a command like:
mount -o uid=2000,gid=2000 -t functionfs adb /dev/usb-ffs/adb
which will cause the denial below because of the lack of functionfs-related contexts.
avc: denied { mount } for pid=346 comm="mount" name="/"
dev="functionfs" ino=17700 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Signed-off-by: Kai Meng <quic_kmeng@quicinc.com>
2024-01-04 14:29:02 +08:00
Chris PeBenito
e7cdbe3f5b
Merge pull request #743 from dsugar100/dbus_fixes
...
Dbus fixes
2024-01-03 10:56:24 -05:00
Chris PeBenito
14a6144733
Merge pull request #746 from yizhao1/cryptsetup
...
fix some contexts
2024-01-03 10:55:40 -05:00
Yi Zhao
249263f7c4
container: set context for /run/crun
...
/run/crun is the runtime directory for crun.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-01-03 19:18:41 +08:00
Yi Zhao
96cb5e6304
lvm: set context for /run/cryptsetup
...
* Set context for /run/cryptsetup created by systemd-cryptsetup.
* Remove duplicate line 'fs_getattr_cgroup(lvm_t)'.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-01-03 19:17:24 +08:00
Dave Sugar
58e4c9a36f
dbus changes
...
dbus needs to map security_t files
private type ($1_dbus_tmpfs_t) for files created on tmpfs
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: avc: could not open selinux status page: 13 (Permission denied)
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: ERROR bus_selinux_init_global @ ../src/util/selinux.c +336: Permission denied
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +285
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +295
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: ERROR service_add @ ../src/launch/service.c +921: Transport endpoint is not connected
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_add_services @ ../src/launch/launcher.c +804
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_run @ ../src/launch/launcher.c +1409
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: run @ ../src/launch/main.c +152
Dec 20 18:18:15 localhost.localdomain audisp-syslog[1585]: node=localhost type=AVC msg=audit(1703096295.282:5058): avc: denied { map } for pid=1927 comm="dbus-broker" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: main @ ../src/launch/main.c +178
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: Exiting due to fatal error: -107
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Failed with result 'exit-code'.
node=localhost type=AVC msg=audit(1703095496.614:486): avc: denied { write } for pid=1838 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc: denied { map } for pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc: denied { read } for pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7369): avc: denied { write } for pid=1839 comm="dbus-broker" name="memfd:dbus-broker-log" dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc: denied { map } for pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc: denied { read } for pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7632): avc: denied { write } for pid=2394 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc: denied { map } for pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc: denied { read } for pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-02 15:18:55 -05:00
Christian Göttsche
86d9a00e7f
git: add fcontext for default binary
...
Avoid relabel loops if the helper binaries are hardlinked:
$ restorecon -vRF -T0 /usr/libexec/
Relabeled /usr/libexec/git-core/git from system_u:object_r:git_exec_t to system_u:object_r:bin_t
Relabeled /usr/libexec/git-core/git-rev-parse from system_u:object_r:bin_t to system_u:object_r:git_exec_t
Relabeled /usr/libexec/git-core/git-fsmonitor--daemon from system_u:object_r:bin_t to system_u:object_r:git_exec_t
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-12-28 17:52:08 +01:00
Dave Sugar
2680abe1f8
Allow dbus-broker-launch to execute in same domain
...
node=localhost type=AVC msg=audit(1703080976.876:873613): avc: denied { execute_no_trans } for pid=6840 comm="dbus-broker-lau" path="/usr/bin/dbus-broker" dev="dm-1" ino=16361 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-20 14:49:39 -05:00
Dave Sugar
dd21a7724a
Changes needed for dbus-broker-launch
...
node=localhost type=AVC msg=audit(1701877079.240:52506): avc: denied { read } for pid=7055 comm="dbus-broker-lau" name="machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.240:52506): avc: denied { open } for pid=7055 comm="dbus-broker-lau" path="/etc/machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.244:52520): avc: denied { connectto } for pid=7054 comm="dbus-broker-lau" path="/run/user/1001/bus" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { sendto } for pid=7054 comm="dbus-broker-lau" path="/run/user/1001/systemd/notify" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { search } for pid=7054 comm="dbus-broker-lau" name="systemd" dev="tmpfs" ino=2 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { write } for pid=7054 comm="dbus-broker-lau" name="notify" dev="tmpfs" ino=13 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_notify_t:s0 tclass=sock_file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-20 14:48:54 -05:00
Kenton Groombridge
b1a8799185
sysadm: allow using networkctl
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:42:07 -05:00
Kenton Groombridge
43d529e90e
glusterfs: add tunable to allow managing unlabeled files
...
If gluster ever experiences data corruption on its underlying bricks, a
situation may arise where the corrupted files have bad or missing
xattrs and are therefore presented as unlabeled to SELinux. Gluster will
then be unable to repair these files until the access is allowed or the
user manually relabels these files.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:42:04 -05:00
Kenton Groombridge
c3dbaf035c
container: allow watching FUSEFS dirs and files
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:10:02 -05:00
Guido Trentalancia
82b4448e1d
Additional file context fix for:
...
https://github.com/SELinuxProject/refpolicy/issues/735
This patch extends the fix for a serious Information
Disclosure vulnerability caused by the erroneous labeling
of TLS Private Keys and CSR.
See: commit 5c9038ec98
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/miscfiles.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-12-05 21:04:29 +01:00
Chris PeBenito
044e318dd7
Merge pull request #738 from ffontaine/main
...
policy/modules/services/smartmon.te: make fstools optional
2023-11-29 09:43:44 -05:00
Chris PeBenito
4b1ba3cc47
Merge pull request #736 from gtrentalancia/init_fixes_pr
...
Restrict LDAP server init script permissions on generic certificate files
2023-11-29 09:39:43 -05:00
Fabrice Fontaine
65eed16b58
policy/modules/services/smartmon.te: make fstools optional
...
Make fstools optional to avoid the following build failure raised since
version 2.20231002 and cb068f09d2:
Compiling targeted policy.33
env LD_LIBRARY_PATH="/home/thomas/autobuild/instance-2/output-1/host/lib:/home/thomas/autobuild/instance-2/output-1/host/usr/lib" /home/thomas/autobuild/instance-2/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
policy/modules/services/smartmon.te:146:ERROR 'type fsadm_exec_t is not within scope' at token ';' on line 237472:
allow smartmon_update_drivedb_t fsadm_exec_t:file { { getattr open map read execute ioctl } ioctl lock execute_no_trans };
#line 146
checkpolicy: error(s) encountered while parsing configuration
make[1]: *** [Rules.monolithic:80: policy.33] Error 1
Fixes:
- http://autobuild.buildroot.org/results/a01123de9a8c1927060e7e4748666bebfc82ea44
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2023-11-29 08:37:25 +01:00
Guido Trentalancia
2e27be3c56
Let the certmonger module manage SSL Private Keys
...
and CSR used for example by the HTTP and/or Mail
Transport daemons.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/certmonger.te | 3 +++
1 file changed, 3 insertions(+)
2023-11-20 17:09:31 +01:00
Guido Trentalancia
912d3a687b
Let the webadm role manage Private Keys and CSR for
...
SSL Certificates used by the HTTP daemon.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/roles/webadm.te | 4 ++++
1 file changed, 4 insertions(+)
2023-11-20 17:09:12 +01:00
Guido Trentalancia
5c9038ec98
Create new TLS Private Keys file contexts for the
...
Apache HTTP server according to the default locations:
http://www.apache.com/how-to-setup-an-ssl-certificate-on-apache
Add the correct TLS Private Keys file label for Debian
systems.
This patch fixes a serious Information Disclosure
vulnerability caused by the erroneous labeling of
TLS Private Keys and CSR, as explained above.
See: https://github.com/SELinuxProject/refpolicy/issues/735
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/miscfiles.fc | 3 +++
1 file changed, 3 insertions(+)
2023-11-19 22:44:27 +01:00
Guido Trentalancia
b38583a79d
The LDAP server only needs to read generic certificate
...
files, not manage them.
Modify the init policy to match the comment and the
LDAP server's actual behavior.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-11-19 22:23:37 +01:00
Yi Zhao
100a853c0c
rpm: fixes for dnf
...
* Set labels for /var/lib/dnf/.
* Allow useradd/groupadd to read/append rpm temporary files.
* Allow rpm_t to send/receive messages from systemd-logind over dbus.
* Allow rpm_t to use inherited systemd-logind file descriptors.
Fixes:
avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.login1.Manager member=Inhibit
dest=org.freedesktop.login1 spid=565 tpid=331
scontext=root:sysadm_r:rpm_t tcontext=system_u:system_r:systemd_logind_t
tclass=dbus permissive=1
avc: denied { send_msg } for msgtype=method_return dest=:1.11 spid=331
tpid=565 scontext=system_u:system_r:systemd_logind_t
tcontext=root:sysadm_r:rpm_t tclass=dbus permissive=1
avc: denied { use } for pid=565 comm="python3"
path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=703
scontext=root:sysadm_r:rpm_t tcontext=system_u:system_r:systemd_logind_t
tclass=fd permissive=1
avc: denied { read append } for pid=590 comm="groupadd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20
scontext=root:sysadm_r:groupadd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1
avc: denied { getattr } for pid=590 comm="groupadd" name="/"
dev="proc" ino=1 scontext=root:sysadm_r:groupadd_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
avc: denied { ioctl } for pid=590 comm="groupadd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20 ioctlcmd=0x5401
scontext=root:sysadm_r:groupadd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1
avc: denied { read append } for pid=626 comm="useradd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20
scontext=root:sysadm_r:useradd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1
avc: denied { ioctl } for pid=626 comm="useradd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20 ioctlcmd=0x5401
scontext=root:sysadm_r:useradd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-11-16 21:58:18 +08:00
Chris PeBenito
0b148c02b6
Merge pull request #730 from gtrentalancia/gpg_fixes2_pr
...
Modify the gpg module so that gpg and the gpg_agent
2023-11-14 11:04:40 -05:00
Guido Trentalancia
8839a7137d
Modify the gpg module so that gpg and the gpg_agent
...
can manage gpg_runtime_t socket files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/gpg.te | 2 ++
1 file changed, 2 insertions(+)
2023-11-11 15:44:24 +01:00
Russell Coker
780adb80af
Simple patch for Brother printer drivers as described in:
...
https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-23 00:09:26 +11:00
Chris PeBenito
f3865abfc2
Merge pull request #717 from dsugar100/use_chat_machined_interface
...
Use interface that already exists.
2023-10-09 09:35:59 -04:00
Chris PeBenito
f5eba7176e
Merge pull request #723 from etbe/modemmanager
...
modemmanager and eg25manager changes needed for pinephonepro
2023-10-09 09:34:07 -04:00
Russell Coker
3e39efffdf
patches for nspawn policy (#721)
...
* patches to nspawn policy.
Allow it netlink operations and creating udp sockets
Allow remounting and reading sysfs
Allow stat cgroup filesystem
Make it create fifos and sock_files in the right context
Allow mounting the selinux fs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use the new mounton_dir_perms and mounton_file_perms macros
Signed-off-by: Russell Coker <russell@coker.com.au>
* Corrected macro name
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed description of files_mounton_kernel_symbol_table
Signed-off-by: Russell Coker <russell@coker.com.au>
* systemd: Move lines in nspawn.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-10-09 09:32:38 -04:00
Yi Zhao
6eecf51716
systemd: use init_daemon_domain instead of init_system_domain for systemd-networkd and systemd-resolved
...
Systemd-networkd and systemd-resolved are daemons.
Fixes:
avc: denied { write } for pid=277 comm="systemd-resolve"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1
avc: denied { write } for pid=324 comm="systemd-network"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-07 14:41:16 +08:00
Russell Coker
9f7d6ff7a0
Changes to eg25manager and modemmanager needed for firmware upload on pinephonepro
...
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-07 13:56:52 +11:00
Chris PeBenito
d542d53698
Merge pull request #720 from etbe/raid
...
small mdadm changes for cron job
2023-10-06 09:26:55 -04:00
Dave Sugar
0a9650901c
Separate label for /run/systemd/notify (#710)
...
* Separate label for /run/systemd/notify
label systemd_runtime_notify_t
Allow daemon domains to write by default
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
* systemd: Add -s to /run/systemd/notify socket.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-10-06 09:06:39 -04:00
Russell Coker
c2a9111a5c
Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited
...
from cron, and dontaudit ps type operations from it
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-06 21:48:52 +11:00
Dave Sugar
12ad93d167
Use interface that already exists.
...
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-10-05 17:31:33 -04:00
Russell Coker
be2e8970e0
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
...
While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users.
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-05 22:13:54 +11:00
Chris PeBenito
44fd3ebd12
Merge pull request #715 from yizhao1/bind
...
bind: fix for named service
2023-10-02 08:58:52 -04:00
Chris PeBenito
275e3f0ef9
Merge pull request #714 from yizhao1/systemd-journal-catalog-update
...
systemd: allow journalctl to create /var/lib/systemd/catalog
2023-10-02 08:57:55 -04:00
Chris PeBenito
6909b4b2f9
Merge pull request #713 from gtrentalancia/openoffice_fixes_pr2
...
Let openoffice perform temporary file transitions on link files and manage them
2023-10-02 08:57:04 -04:00
Yi Zhao
0a776a270a
bind: fix for named service
...
Fixes:
avc: denied { sqpoll } for pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0
avc: denied { create } for pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-02 16:38:12 +08:00
Yi Zhao
4ce68f22d8
systemd: allow journalctl to create /var/lib/systemd/catalog
...
If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:
$ systemctl status systemd-journal-catalog-update.service
systemd-journal-catalog-update.service - Rebuild Journal Catalog
Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago
Docs: man:systemd-journald.service(8)
man:journald.conf(5)
Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
Main PID: 247 (code=exited, status=1/FAILURE)
Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.
Fixes:
AVC avc: denied { getattr } for pid=247 comm="journalctl" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
AVC avc: denied { write } for pid=247 comm="journalctl"
name="systemd" dev="vda" ino=13634
scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-30 18:34:40 +08:00
Guido Trentalancia
701410e7a6
Let openoffice perform temporary file transitions
...
and manage link files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/openoffice.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
2023-09-29 22:30:14 +02:00
Russell Coker
1c0b2027f9
misc small email changes (#704)
...
* Small changes to courier, dovecot, exim, postfix, and sendmail policy.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Removed an obsolete patch
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use create_stream_socket_perms for unix connection to itself
Signed-off-by: Russell Coker <russell@coker.com.au>
* Removed unconfined_run_to
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove change for it to run from a user session
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:57:18 -04:00
Russell Coker
bb90d67768
mon.te patches as well as some fstools patches related to it (#697)
...
* Patches for mon, mostly mon local monitoring.
Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed the issues from the review
Signed-off-by: Russell Coker <russell@coker.com.au>
* Specify name to avoid conflicting file trans
Signed-off-by: Russell Coker <russell@coker.com.au>
* fixed dontaudi_ typo
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove fsdaemon_read_lib as it was already merged
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:55:56 -04:00
Russell Coker
c51554cbab
misc small patches for cron policy (#701)
...
* Some misc small patches for cron policy
Signed-off-by: Russell Coker <russell@coker.com.au>
* added systemd_dontaudit_connect_machined interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove the line about connecting to tor
Signed-off-by: Russell Coker <russell@coker.com.au>
* remove the dontaudit for connecting to machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* changed to distro_debian
Signed-off-by: Russell Coker <russell@coker.com.au>
* mta: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
* cron: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-09-28 09:46:14 -04:00
Russell Coker
1577b2105a
small systemd patches (#708)
...
* Some small systemd patches
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed error where systemd.if had a reference to user_devpts_t
Signed-off-by: Russell Coker <russell@coker.com.au>
* removed the init_var_run_t:service stuff as there are already interfaces and a type for it
Signed-off-by: Russell Coker <russell@coker.com.au>
* corecmd_shell_entry_type doesn't seem to be needed
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-27 09:20:52 -04:00