Commit Graph

4845 Commits

Author SHA1 Message Date
Dave Sugar
3d55e918f6 Firewalld need to relabel direct.xml file
firewalld[1084]: Traceback (most recent call last):
                 File "/usr/lib/python3.9/site-packages/firewall/core/io/direct.py", line 372, in write
                   shutil.copy2(self.filename, "%s.old" % self.filename)
                 File "/usr/lib64/python3.9/shutil.py", line 445, in copy2
                   copystat(src, dst, follow_symlinks=follow_symlinks)
                 File "/usr/lib64/python3.9/shutil.py", line 388, in copystat
                   _copyxattr(src, dst, follow_symlinks=follow)
                 File "/usr/lib64/python3.9/shutil.py", line 338, in _copyxattr
                   os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
                 PermissionError: [Errno 13] Permission denied: '/etc/firewalld/direct.xml.old'

                 During handling of the above exception, another exception occurred:

                 Traceback (most recent call last):
                   File "/usr/lib/python3.9/site-packages/firewall/server/decorators.py", line 67, in _impl
                       return func(*args, **kwargs)
                   File "/usr/lib/python3.9/site-packages/firewall/server/config.py", line 1429, in update
                       self.config.get_direct().write()
                   File "/usr/lib/python3.9/site-packages/firewall/core/io/direct.py", line 374, in write
                        raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))
                   OSError: Backup of '/etc/firewalld/direct.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/direct.xml.old'
firewalld[1084]: ERROR: Backup of file '/etc/firewalld/zones/data.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/data.xml.old'

node=localhost type=AVC msg=audit(1704599676.613:35145): avc:  denied  { relabelfrom } for  pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=loalhost type=AVC msg=audit(1704599677.914:35287): avc:  denied  { relabelfrom } for  pid=1084 comm="firewalld" name="direct.xml.old" dev="dm-0" ino=1180671 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1704599788.714:41689): avc:  denied  { relabelfrom } for  pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1704599788.714:41689): avc:  denied  { relabelto } for  pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-07 17:15:36 -05:00
Christian Göttsche
82f7160a20 init: only grant getattr in init_getattr_generic_units_files()
Like the name suggests, only grant the permission getattr in
init_getattr_generic_units_files().
Adjust the only caller to use init_read_generic_units_files() instead.

Reported-by: Laurent Bigonville
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-04 20:43:20 +01:00
Kenton Groombridge
a0018e4e85 kubernetes: allow container engines to mount on DRI devices if enabled
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Kenton Groombridge
16323cfce2 container, kubernetes: add support for cilium
Cilium is a kubernetes CNI powered by BPF. Its daemon pods run as super
privileged containers which require various accesses in order to load
BPF programs and modify the host network.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Kenton Groombridge
d2f413c1b6 container: various fixes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Chris PeBenito
d4555fd002
Merge pull request #744 from quic-kmeng/main
filesystem:Add type contexts and interface for functionfs
2024-01-04 09:39:39 -05:00
Kai Meng
76951aa43c devices:Add genfscon context for functionfs to mount
When adbd is started by the adb initscript, there is a command like:
mount -o uid=2000,gid=2000 -t functionfs adb /dev/usb-ffs/adb

which will cause the denial below because of the lack of functionfs-related contexts.

avc:  denied  { mount } for  pid=346 comm="mount" name="/"
dev="functionfs" ino=17700 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1

Signed-off-by: Kai Meng <quic_kmeng@quicinc.com>
2024-01-04 14:29:02 +08:00
Chris PeBenito
e7cdbe3f5b
Merge pull request #743 from dsugar100/dbus_fixes
Dbus fixes
2024-01-03 10:56:24 -05:00
Chris PeBenito
14a6144733
Merge pull request #746 from yizhao1/cryptsetup
fix some contexts
2024-01-03 10:55:40 -05:00
Yi Zhao
249263f7c4 container: set context for /run/crun
/run/crun is the runtime directory for crun.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-01-03 19:18:41 +08:00
Yi Zhao
96cb5e6304 lvm: set context for /run/cryptsetup
* Set context for /run/cryptsetup created by systemd-cryptsetup.
* Remove duplicate line 'fs_getattr_cgroup(lvm_t)'.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-01-03 19:17:24 +08:00
Dave Sugar
58e4c9a36f dbus changes
dbus needs to map security_t files
private type ($1_dbus_tmpfs_t) for files created on tmpfs

Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: avc: could not open selinux status page: 13 (Permission denied)
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: ERROR bus_selinux_init_global @ ../src/util/selinux.c +336: Permission denied
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +285
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +295
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: ERROR service_add @ ../src/launch/service.c +921: Transport endpoint is not connected
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_add_services @ ../src/launch/launcher.c +804
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_run @ ../src/launch/launcher.c +1409
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: run @ ../src/launch/main.c +152
Dec 20 18:18:15 localhost.localdomain audisp-syslog[1585]: node=localhost type=AVC msg=audit(1703096295.282:5058): avc:  denied  { map } for  pid=1927 comm="dbus-broker" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0

Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: main @ ../src/launch/main.c +178
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: Exiting due to fatal error: -107
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Failed with result 'exit-code'.

node=localhost type=AVC msg=audit(1703095496.614:486): avc:  denied  { write } for  pid=1838 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc:  denied  { map } for  pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc:  denied  { read } for  pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7369): avc:  denied  { write } for  pid=1839 comm="dbus-broker" name="memfd:dbus-broker-log" dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc:  denied  { map } for  pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc:  denied  { read } for  pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7632): avc:  denied  { write } for  pid=2394 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc:  denied  { map } for  pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc:  denied  { read } for  pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-02 15:18:55 -05:00
Christian Göttsche
86d9a00e7f git: add fcontext for default binary
Avoid relabel loops if the helper binaries are hardlinked:

    $ restorecon -vRF -T0 /usr/libexec/
    Relabeled /usr/libexec/git-core/git from system_u:object_r:git_exec_t to system_u:object_r:bin_t
    Relabeled /usr/libexec/git-core/git-rev-parse from system_u:object_r:bin_t to system_u:object_r:git_exec_t
    Relabeled /usr/libexec/git-core/git-fsmonitor--daemon from system_u:object_r:bin_t to system_u:object_r:git_exec_t

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-12-28 17:52:08 +01:00
Dave Sugar
2680abe1f8 Allow dbus-broker-launch to execute in same domain
node=localhost type=AVC msg=audit(1703080976.876:873613): avc:  denied { execute_no_trans } for  pid=6840 comm="dbus-broker-lau" path="/usr/bin/dbus-broker" dev="dm-1" ino=16361 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-20 14:49:39 -05:00
Dave Sugar
dd21a7724a Changes needed for dbus-broker-launch
node=localhost type=AVC msg=audit(1701877079.240:52506): avc:  denied  { read } for  pid=7055 comm="dbus-broker-lau" name="machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.240:52506): avc:  denied  { open } for  pid=7055 comm="dbus-broker-lau" path="/etc/machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.244:52520): avc:  denied  { connectto } for  pid=7054 comm="dbus-broker-lau" path="/run/user/1001/bus" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc:  denied  { sendto } for  pid=7054 comm="dbus-broker-lau" path="/run/user/1001/systemd/notify" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc:  denied  { search } for  pid=7054 comm="dbus-broker-lau" name="systemd" dev="tmpfs" ino=2 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc:  denied  { write } for  pid=7054 comm="dbus-broker-lau" name="notify" dev="tmpfs" ino=13 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_notify_t:s0 tclass=sock_file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-20 14:48:54 -05:00
Kenton Groombridge
b1a8799185 sysadm: allow using networkctl
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:42:07 -05:00
Kenton Groombridge
43d529e90e glusterfs: add tunable to allow managing unlabeled files
If gluster ever experiences data corruption on its underlying bricks, a
situation may arise where the corrupted files have bad or missing
xattrs and are therefore presented as unlabeled to SELinux. Gluster will
then be unable to repair these files until the access is allowed or the
user manually relabels these files.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:42:04 -05:00
Kenton Groombridge
c3dbaf035c container: allow watching FUSEFS dirs and files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:10:02 -05:00
Guido Trentalancia
82b4448e1d Additional file context fix for:
https://github.com/SELinuxProject/refpolicy/issues/735

This patch extends the fix for a serious Information
Disclosure vulnerability caused by the erroneous labeling
of TLS Private Keys and CSR.

See: commit 5c9038ec98

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-12-05 21:04:29 +01:00
Chris PeBenito
044e318dd7
Merge pull request #738 from ffontaine/main
policy/modules/services/smartmon.te: make fstools optional
2023-11-29 09:43:44 -05:00
Chris PeBenito
4b1ba3cc47
Merge pull request #736 from gtrentalancia/init_fixes_pr
Restrict LDAP server init script permissions on generic certificate files
2023-11-29 09:39:43 -05:00
Fabrice Fontaine
65eed16b58 policy/modules/services/smartmon.te: make fstools optional
Make fstools optional to avoid the following build failure raised since
version 2.20231002 and
cb068f09d2:

 Compiling targeted policy.33
 env LD_LIBRARY_PATH="/home/thomas/autobuild/instance-2/output-1/host/lib:/home/thomas/autobuild/instance-2/output-1/host/usr/lib" /home/thomas/autobuild/instance-2/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
 policy/modules/services/smartmon.te:146:ERROR 'type fsadm_exec_t is not within scope' at token ';' on line 237472:
 	allow smartmon_update_drivedb_t fsadm_exec_t:file { { getattr open map read execute ioctl } ioctl lock execute_no_trans };
 #line 146
 checkpolicy:  error(s) encountered while parsing configuration
 make[1]: *** [Rules.monolithic:80: policy.33] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/a01123de9a8c1927060e7e4748666bebfc82ea44

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2023-11-29 08:37:25 +01:00
Guido Trentalancia
2e27be3c56 Let the certmonger module manage SSL Private Keys
and CSR used for example by the HTTP and/or Mail
Transport daemons.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/certmonger.te |    3 +++
 1 file changed, 3 insertions(+)
2023-11-20 17:09:31 +01:00
Guido Trentalancia
912d3a687b Let the webadm role manage Private Keys and CSR for
SSL Certificates used by the HTTP daemon.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/roles/webadm.te |    4 ++++
 1 file changed, 4 insertions(+)
2023-11-20 17:09:12 +01:00
Guido Trentalancia
5c9038ec98 Create new TLS Private Keys file contexts for the
Apache HTTP server according to the default locations:

 http://www.apache.com/how-to-setup-an-ssl-certificate-on-apache

Add the correct TLS Private Keys file label for Debian
systems.

This patch fixes a serious Information Disclosure
vulnerability caused by the erroneous labeling of
TLS Private Keys and CSR, as explained above.

See: https://github.com/SELinuxProject/refpolicy/issues/735

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    3 +++
 1 file changed, 3 insertions(+)
2023-11-19 22:44:27 +01:00
Guido Trentalancia
b38583a79d The LDAP server only needs to read generic certificate
files, not manage them.

Modify the init policy to match the comment and the
LDAP server actual behavior.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/init.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-11-19 22:23:37 +01:00
Yi Zhao
100a853c0c rpm: fixes for dnf
* Set labels for /var/lib/dnf/.
* Allow useradd/groupadd to read/append rpm temporary files.
* Allow rpm_t to send/receive messages from systemd-logind over dbus.
* Allow rpm_t to use inherited systemd-logind file descriptors.

Fixes:
avc:  denied  { send_msg } for msgtype=method_call
interface=org.freedesktop.login1.Manager member=Inhibit
dest=org.freedesktop.login1 spid=565 tpid=331
scontext=root:sysadm_r:rpm_t tcontext=system_u:system_r:systemd_logind_t
tclass=dbus permissive=1

avc:  denied  { send_msg } for msgtype=method_return dest=:1.11 spid=331
tpid=565 scontext=system_u:system_r:systemd_logind_t
tcontext=root:sysadm_r:rpm_t tclass=dbus permissive=1

avc:  denied  { use } for  pid=565 comm="python3"
path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=703
scontext=root:sysadm_r:rpm_t tcontext=system_u:system_r:systemd_logind_t
tclass=fd permissive=1

avc:  denied  { read append } for  pid=590 comm="groupadd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20
scontext=root:sysadm_r:groupadd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1

avc:  denied  { getattr } for  pid=590 comm="groupadd" name="/"
dev="proc" ino=1 scontext=root:sysadm_r:groupadd_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1

avc:  denied  { ioctl } for  pid=590 comm="groupadd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20 ioctlcmd=0x5401
scontext=root:sysadm_r:groupadd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1

avc:  denied  { read append } for  pid=626 comm="useradd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20
scontext=root:sysadm_r:useradd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1

avc:  denied  { ioctl } for  pid=626 comm="useradd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20 ioctlcmd=0x5401
scontext=root:sysadm_r:useradd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-11-16 21:58:18 +08:00
Chris PeBenito
0b148c02b6
Merge pull request #730 from gtrentalancia/gpg_fixes2_pr
Modify the gpg module so that gpg and the gpg_agent
2023-11-14 11:04:40 -05:00
Guido Trentalancia
8839a7137d Modify the gpg module so that gpg and the gpg_agent
can manage gpg_runtime_t socket files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/gpg.te |    2 ++
 1 file changed, 2 insertions(+)
2023-11-11 15:44:24 +01:00
Russell Coker
780adb80af Simple patch for Brother printer drivers as described in:
https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-23 00:09:26 +11:00
Chris PeBenito
f3865abfc2
Merge pull request #717 from dsugar100/use_chat_machined_interface
Use interface that already exists.
2023-10-09 09:35:59 -04:00
Chris PeBenito
f5eba7176e
Merge pull request #723 from etbe/modemmanager
modemmanager and eg25manager changes needed for pinephonepro
2023-10-09 09:34:07 -04:00
Russell Coker
3e39efffdf
patches for nspawn policy (#721)
* patches to nspawn policy.

Allow it netlink operations and creating udp sockets

Allow remounting and reading sysfs

Allow stat cgroup filesystem

Make it create fifos and sock_files in the right context

Allow mounting the selinux fs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use the new mounton_dir_perms and mounton_file_perms macros

Signed-off-by: Russell Coker <russell@coker.com.au>

* Corrected macro name

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed description of files_mounton_kernel_symbol_table

Signed-off-by: Russell Coker <russell@coker.com.au>

* systemd: Move lines in nspawn.

No rule changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-10-09 09:32:38 -04:00
Yi Zhao
6eecf51716 systemd: use init_daemon_domain instead of init_system_domain for systemd-networkd and systemd-resolved
Systemd-networkd and systemd-resolved are daemons.

Fixes:
avc:  denied  { write } for  pid=277 comm="systemd-resolve"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

avc:  denied  { write } for  pid=324 comm="systemd-network"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-07 14:41:16 +08:00
Russell Coker
9f7d6ff7a0 Changes to eg25manager and modemmanager needed for firmware upload on pinephonepro
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-07 13:56:52 +11:00
Chris PeBenito
d542d53698
Merge pull request #720 from etbe/raid
small mdadm changes for cron job
2023-10-06 09:26:55 -04:00
Dave Sugar
0a9650901c
Separate label for /run/systemd/notify (#710)
* Separate label for /run/systemd/notify

label systemd_runtime_notify_t
Allow daemon domains to write by default

Signed-off-by: Dave Sugar <dsugar100@gmail.com>

* systemd: Add -s to /run/systemd/notify socket.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-10-06 09:06:39 -04:00
Russell Coker
c2a9111a5c Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited
from cron, and dontaudit ps type operations from it

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-06 21:48:52 +11:00
Dave Sugar
12ad93d167 Use interface that already exists.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-10-05 17:31:33 -04:00
Russell Coker
be2e8970e0 https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users.

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-05 22:13:54 +11:00
Chris PeBenito
44fd3ebd12
Merge pull request #715 from yizhao1/bind
bind: fix for named service
2023-10-02 08:58:52 -04:00
Chris PeBenito
275e3f0ef9
Merge pull request #714 from yizhao1/systemd-journal-catalog-update
systemd: allow journalctl to create /var/lib/systemd/catalog
2023-10-02 08:57:55 -04:00
Chris PeBenito
6909b4b2f9
Merge pull request #713 from gtrentalancia/openoffice_fixes_pr2
Let openoffice perform temporary file transitions on link files and manage them
2023-10-02 08:57:04 -04:00
Yi Zhao
0a776a270a bind: fix for named service
Fixes:
avc:  denied  { sqpoll } for  pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0

avc:  denied  { create } for  pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-02 16:38:12 +08:00
Yi Zhao
4ce68f22d8 systemd: allow journalctl to create /var/lib/systemd/catalog
If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:

$ systemctl status systemd-journal-catalog-update.service
  systemd-journal-catalog-update.service - Rebuild Journal Catalog
     Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
     Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
    Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
   Main PID: 247 (code=exited, status=1/FAILURE)

Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.

Fixes:
AVC avc:  denied  { getattr } for  pid=247 comm="journalctl" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

AVC avc:  denied  { write } for  pid=247 comm="journalctl"
name="systemd" dev="vda" ino=13634
scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-30 18:34:40 +08:00
Guido Trentalancia
701410e7a6 Let openoffice perform temporary file transitions
and manage link files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/openoffice.te |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
2023-09-29 22:30:14 +02:00
Russell Coker
1c0b2027f9
misc small email changes (#704)
* Small changes to courier, dovecot, exim, postfix, and sendmail policy.

Signed-off-by: Russell Coker <russell@coker.com.au>

* Removed an obsolete patch

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use create_stream_socket_perms for unix connection to itself

Signed-off-by: Russell Coker <russell@coker.com.au>

* Removed unconfined_run_to

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove change for it to run from a user session

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:57:18 -04:00
Russell Coker
bb90d67768
mon.te patches as well as some fstools patches related to it (#697)
* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker <russell@coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker <russell@coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:55:56 -04:00
Russell Coker
c51554cbab
misc small patches for cron policy (#701)
* Some misc small patches for cron policy

Signed-off-by: Russell Coker <russell@coker.com.au>

* added systemd_dontaudit_connect_machined interface

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove the line about connecting to tor

Signed-off-by: Russell Coker <russell@coker.com.au>

* remove the dontaudit for connecting to machined

Signed-off-by: Russell Coker <russell@coker.com.au>

* changed to distro_debian

Signed-off-by: Russell Coker <russell@coker.com.au>

* mta: Whitespace changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

* cron: Move lines.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-09-28 09:46:14 -04:00
Russell Coker
1577b2105a
small systemd patches (#708)
* Some small systemd patches

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed error where systemd.if had a reference to user_devpts_t

Signed-off-by: Russell Coker <russell@coker.com.au>

* removed the init_var_run_t:service stuff as there are already interfaces and a type for it

Signed-off-by: Russell Coker <russell@coker.com.au>

* corecmd_shell_entry_type doesn't seem to be needed

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-27 09:20:52 -04:00
Dave Sugar
f141dccc2a separate domain for journalctl during init
During system boot, when systemd-journal-catalog-update.service is
started, it fails because initrc_t doesn't have access to write
systemd_journal_t files/dirs.  This change is to run journalctl in a
different domain during system startup (systemd_journal_init_t) to allow
the access necessary to run.

 × systemd-journal-catalog-update.service - Rebuild Journal Catalog
         Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
         Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago
           Docs: man:systemd-journald.service(8)
                 man:journald.conf(5)
        Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
       Main PID: 1626 (code=exited, status=1/FAILURE)
            CPU: 102ms

    Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied
    Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
    Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
    Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog.

    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { add_name } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { create } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:137): avc:  denied  { setattr } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { rename } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { unlink } for  pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-26 12:47:37 -04:00
Chris PeBenito
3bf196f6a3
Merge pull request #702 from etbe/db
small postgresql and mysql stuff
2023-09-26 09:59:31 -04:00
Russell Coker
bcc92a3038
allow jabbers to create sock file and allow matrixd to read sysfs (#705)
* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed to manage_sock_file_perms to allow unlink

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-26 09:48:31 -04:00
Chris PeBenito
61fbf428fb
postgresql: Move lines
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-26 09:43:40 -04:00
Chris PeBenito
1a9143efa3
Merge pull request #696 from yizhao1/fixes
Fixes for mount and loadkeys
2023-09-26 09:40:19 -04:00
Russell Coker
f849e27df3
small storage changes (#706)
* Changes to storage.fc, smartmon, samba and lvm

Signed-off-by: Russell Coker <russell@coker.com.au>

* Add the interfaces this patch needs

Signed-off-by: Russell Coker <russell@coker.com.au>

* use manage_sock_file_perms for sock_file

Signed-off-by: Russell Coker <russell@coker.com.au>

* Renamed files_watch_all_file_type_dir to files_watch_all_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use read_files_pattern

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:46:04 -04:00
Russell Coker
478df0e446
small network patches (#707)
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed typo in interface name

Signed-off-by: Russell Coker <russell@coker.com.au>

* Add interface libs_watch_shared_libs_dir

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added sysnet_watch_config_dir interface

Signed-off-by: Russell Coker <russell@coker.com.au>

* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* rename sysnet_watch_config_dir to sysnet_watch_config_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Reverted a change as I can't remember why I did it.

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:44:52 -04:00
Russell Coker
0d77235ecc
small ntp and dns changes (#703)
* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:01:12 -04:00
Chris PeBenito
748980def5
Merge pull request #694 from etbe/fifth
some misc userdomain fixes
2023-09-25 10:57:27 -04:00
Russell Coker
cf1ba82cb9 Added tmpfs file type for postgresql
Small mysql stuff including anon_inode

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-22 19:09:12 +10:00
Russell Coker
0528990a24
policy patches for anti-spam daemons (#698)
* Patches for anti-spam related policy

* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 12:01:24 -04:00
Chris PeBenito
487feedf8e
Merge pull request #699 from yizhao1/systemd-networkd
systemd: allow systemd-networkd to create file in /run/systemd directory
2023-09-21 10:45:47 -04:00
Russell Coker
125e52ef58
policy for the Reliability Availability servicability daemon (#690)
* policy for the Reliability Availability servicability daemon

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:22:36 -04:00
Russell Coker
e349de1507
debian motd.d directory (#689)
* policy for Debian motd.d dir

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:21:25 -04:00
Yi Zhao
8758b782e5 systemd: allow systemd-networkd to create file in /run/systemd directory
systemd-networkd creates files in /run/systemd directory which should be
labeled appropriately.

Fixes:
avc:  denied  { create } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { write } for  pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { setattr } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { rename } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-21 11:40:24 +08:00
Yi Zhao
ee3ea8ebca loadkeys: do not audit attempts to get attributes for all directories
Fixes:
avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 14:44:45 +08:00
Yi Zhao
0a7f48cb31 mount: allow mount_t to get attributes for all directories
Fixes:
avc:  denied  { getattr } for  pid=130 comm="mount" path="/" dev="tracefs"
ino=1 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=166 comm="mount" path="/" dev="configfs"
ino=14220 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 13:31:50 +08:00
Russell Coker
cb6bf2fe9a some misc userdomain fixes
Allow userdomains to read crypto sysctls (usually /proc/sys/crypto/fips_enabled)
Allow them to read vm overcommit status and fs_sysctls (things like pipe-max-size)

Allow pipewire to write to user runtime named sockets

Allow the user domain for X access to use user fonts, accept stream connections
from xdm_t, and map xkb_var_lib_t files

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-20 12:40:59 +10:00
Chris PeBenito
227786eed7
Merge pull request #693 from dsugar100/colord
Resolve some denials with colord
2023-09-19 16:09:52 -04:00
Chris PeBenito
fc3589a04f
Merge pull request #676 from dsugar100/all_users_syslog
Allow all users to send syslog messages
2023-09-19 16:07:10 -04:00
Dave Sugar
17c9b3ac7e Resolve some denials with colord
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { read } for  pid=2039 comm="colord" name="hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { open } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:657): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:658): avc:  denied  { map } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.106:18931): avc:  denied  { read } for  pid=2039 comm="gdbus" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19182): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19183): avc:  denied  { map } for  pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { search } for  pid=2039 comm="colord" name="1880" dev="proc" ino=26735 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { read } for  pid=2039 comm="colord" name="cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { open } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:679): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:680): avc:  denied  { ioctl } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 ioctlcmd=0x5401 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { search } for  pid=2039 comm="colord" name="sessions" dev="tmpfs" ino=96 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { read } for  pid=2039 comm="colord" name="c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { open } for  pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:682): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 13:52:50 -04:00
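The denials quoted in the journal-catalog commit above and in this colord commit are the raw material for a policy change, and the first analysis step is the same every time: group the denied permissions by source type, target type and object class, and separate the records that were actually blocked (permissive=0) from those merely logged in permissive mode. The Python below is an added example, not code from refpolicy or from the commit authors; it runs over lines copied from those two commits plus the sddm line from the /var/lib/sddm commit further down, and the function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Sample input copied from the AVC lines quoted in the commits on this page
# (journal catalog, colord, sddm). In practice you would feed it the output
# of `ausearch -m AVC -ts recent` or the audisp-syslog lines from syslog.
SAMPLE_AUDIT_LINES = """\
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { add_name } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { create } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { read } for  pid=2039 comm="colord" name="hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:658): avc:  denied  { map } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 14:57:10 localhost.localdomain audisp-syslog[1570]: node=localhost type=AVC msg=audit(1694617030.144:419): avc:  denied  { search } for  pid=1702 comm="sddm" name="sddm" dev="dm-10" ino=393297 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
"""

# Matches the permission set and the key=value tail of an AVC record, whether
# the line is bare audit output or wrapped in an audisp-syslog prefix.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key="quoted value" or key=bareword; findall yields (key, quoted, bare) tuples.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

RuleKey = Tuple[str, str, str]  # (source type, target type, object class)


def parse_avc(line: str) -> dict:
    """Return the fields of one AVC denial line, or {} if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = set(m.group("perms").split())
    return fields


def context_type(ctx: str) -> str:
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def rule_key(rec: dict) -> RuleKey:
    return (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])


def summarize_avc(lines: Iterable[str]) -> Dict[RuleKey, Set[str]]:
    """Group every denied permission by (source type, target type, class)."""
    summary: Dict[RuleKey, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[rule_key(rec)] |= rec["perms"]
    return dict(summary)


def enforcing_denials(lines: Iterable[str]) -> List[RuleKey]:
    """Keys of records with permissive=0: accesses that were really blocked,
    as opposed to permissive-mode records where the access went through."""
    return [rule_key(rec) for rec in map(parse_avc, lines)
            if rec and rec.get("permissive") == "0"]


def candidate_allow_rules(summary: Dict[RuleKey, Set[str]]) -> List[str]:
    """Render each group as a raw allow rule in policy language, the way
    audit2allow would; this is a starting point for analysis, not the fix."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LINES.splitlines()
    for rule in candidate_allow_rules(summarize_avc(lines)):
        print(rule)
    for key in enforcing_denials(lines):
        print("blocked in enforcing mode:", key)
```

The grouped rules are only the starting point. The commits on this page show the two usual alternatives to pasting them in: the sddm denial against xkb_var_lib_t is fixed by relabelling /var/lib/sddm to xdm_var_lib_t, and the journalctl denials from initrc_t are fixed by running the command in its own systemd_journal_init_t domain rather than widening initrc_t. The permissive flag matters for reading the cascade: with permissive=1 each denied step still succeeds, so one operation produces a chain of records (write, add_name, create, rename, unlink) that an enforcing system would have cut off at the first one.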
Chris PeBenito
41ac8090f7
Merge pull request #691 from etbe/fifth
power profiles daemon
2023-09-19 11:40:39 -04:00
Dave Sugar
cf58a70881 Allow all users to (optionally) send syslog messages
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc:  denied  { write } for  pid=1757 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc:  denied  { sendto } for  pid=1757 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc:  denied  { write } for  pid=1756 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc:  denied  { sendto } for  pid=1756 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 09:14:08 -04:00
Russell Coker
e5ea2c99df policy for power profiles daemon, used to change power settings
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-19 22:51:22 +10:00
Chris PeBenito
5e2bf62c6f
Merge pull request #672 from gtrentalancia/x_fixes_pr2
Remote X11 TCP/IP functionality is generally insecure: switch it off by default. Strengthen XDM authentication file access.
2023-09-19 08:36:26 -04:00
Guido Trentalancia
44bfd66186
Merge branch 'main' into x_fixes_pr2
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2023-09-19 01:31:50 +02:00
Guido Trentalancia
8c562af119 The X display manager uses an authentication
mechanism based on an authorization file which
is critical for X security.

For example, a common attack is to remove the
file in order to disable authorization.

At the moment permissions on such file and its
parent directory are shared with several other
modules that have nothing to do with XDMCP
authorization, therefore this patch strengthens
the file access policy by making it exclusive
to XDM and the X server (read-only).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.fc |    1 +
 policy/modules/services/xserver.if |   33 +++++++++++++++++++++++++++++++++
 policy/modules/services/xserver.te |   11 +++++++++++
 3 files changed, 45 insertions(+)
2023-09-19 01:28:10 +02:00
Guido Trentalancia
793d6a29d8 Introduce two new booleans for the X server and
X display manager domains which control whether
or not the respective domains allow the TCP/IP
server networking functionality.

The above mentioned booleans both default to false
as remote X11 has no integrity and confidentiality
protection and is generally insecure.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.te |   82 +++++++++++++++++++++++--------------
 1 file changed, 52 insertions(+), 30 deletions(-)
2023-09-19 01:23:22 +02:00
Chris PeBenito
d806720c76 unconfined: Keys are linkable by systemd.
Since the systemd --user for unconfined_t runs in unconfined_t too, instead
of a derived domain such as with regular users, e.g., user_systemd_t, this
is required.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-09-18 17:05:23 -04:00
Chris PeBenito
6e39f49247
Merge pull request #671 from gtrentalancia/dbus_fixes_pr3
Dbus also creates Unix domain sockets in session mode but has insecure networking code
2023-09-18 11:40:16 -04:00
Chris PeBenito
1ff9b559b7
Merge pull request #636 from gtrentalancia/spamassassin_update_pr
Let spamassassin update its rules from the network
2023-09-18 11:38:57 -04:00
Guido Trentalancia
8331d214ec Introduce a new "dbus_can_network" boolean which
controls whether or not the dbus daemon can act
as a server over TCP/IP networks and defaults to
false, as this is generally insecure, except when
using the local loopback interface.

For reference, see the security warning in the
D-Bus specification:

https://dbus.freedesktop.org/doc/dbus-specification.html#transports-tcp-sockets

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.te |   31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)
2023-09-18 16:15:50 +02:00
Chris PeBenito
69544a3256
Merge pull request #684 from etbe/fourth
switcheroo daemon for switching apps between Intel and NVidia GPUs
2023-09-18 09:51:25 -04:00
Guido Trentalancia
11d17b2e57 Under request from Christopher PeBenito, merge the
two spamassassin rules updating SELinux domains
introduced in the previous change in order to reduce
the non-swappable kernel memory used by the policy.

This reduces complexity, but unfortunately it
probably also reduces an existing safety margin by
breaking the isolation between network-facing
binaries and binaries such as GPG that potentially
deal with secret information (at the moment there
is no "neverallow" rule protecting the gpg_secret_t
file access).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/spamassassin.if |    3 -
 policy/modules/services/spamassassin.te |   56 ++++++--------------------------
 2 files changed, 12 insertions(+), 47 deletions(-)
2023-09-18 15:40:11 +02:00
Guido Trentalancia
e5b1b197c7 Update the spamassassin module in order to better support
the rules updating script; this is achieved by employing
two distinct domains for increased security and network
isolation: a first domain is used for fetching the updated
rules from the network and a second domain is used for
verifying the GPG signatures of the received rules.

The rules update feature is now controlled by a boolean
for increased flexibility (it overrides the generic
networking boolean).

The specific file type for the spamassassin update feature
temporary files has been removed: just use spamd_tmp_t instead
of spamd_update_tmp_t and add a corresponding alias.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/spamassassin.if |   11 ++-
 policy/modules/services/spamassassin.te |  100 +++++++++++++++++++++++++-------
 2 files changed, 86 insertions(+), 25 deletions(-)
2023-09-18 15:39:12 +02:00
Guido Trentalancia
ed0613f0cc Extend the scope of the "spamassassin_can_network"
tunable policy boolean to all network access (except
the relative dontaudit rules).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/spamassassin.te |   81 +++++++++++++++++---------------
 1 file changed, 45 insertions(+), 36 deletions(-)
2023-09-18 15:38:08 +02:00
Chris PeBenito
f4688a3d54
switcheroo: Whitespace fix.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-18 09:21:26 -04:00
Chris PeBenito
dfd0149c71
Merge pull request #674 from dsugar100/opasswd_label
separate label for /etc/security/opasswd
2023-09-18 09:12:24 -04:00
Chris PeBenito
16c46db2b8
Merge pull request #665 from gtrentalancia/init_fixes_pr
init and shutdown fixes
2023-09-18 09:08:32 -04:00
Chris PeBenito
d5a8f78328
Merge pull request #659 from dsugar100/luks_shutdown
resolve lvm_t issues at shutdown with LUKS encrypted devices
2023-09-18 09:05:58 -04:00
Chris PeBenito
d6e6ce4f6a
Merge pull request #649 from gtrentalancia/gpg_fixes_pr
Update the gpg module so that the application is able to fetch keys from the network
2023-09-18 09:05:14 -04:00
Dave Sugar
73a62c4404 resolve lvm_t issues at shutdown with LUKS encrypted devices
Errors:
Sep 06 15:27:15 localhost systemd-cryptsetup[1611]: Device luks-7e802906-791a-432d-8069-dd290fba6dcf is still in use.
Sep 06 15:27:15 localhost systemd-cryptsetup[1611]: Failed to deactivate: Device or resource busy
Sep 06 15:27:15 localhost systemd[1]: systemd-cryptsetup@luks\x2d7e802906\x2d791a\x2d432d\x2d8069\x2ddd290fba6dcf.service: Control process exited, code=exited, status=1/FAILURE
Sep 06 15:27:15 localhost systemd[1]: systemd-cryptsetup@luks\x2d7e802906\x2d791a\x2d432d\x2d8069\x2ddd290fba6dcf.service: Failed with result 'exit-code'.

Denials:
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.081:10597): avc:  denied  { getattr } for  pid=1996 comm="systemd-cryptse" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=SYSCALL msg=audit(1694013919.081:10597): arch=c000003e syscall=137 success=yes exit=0 a0=7efdc7a96e0e a1=7ffdbbacde50 a2=7efdc69b75e0 a3=1000 items=1 ppid=1 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null) ARCH=x86_64 SYSCALL=statfs AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.082:10598): avc:  denied  { search } for  pid=1996 comm="systemd-cryptse" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1

Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc:  denied  { search } for  pid=1996 comm="systemd-cryptse" name="pki" dev="dm-1" ino=393276 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc:  denied  { read } for  pid=1996 comm="systemd-cryptse" name="openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc:  denied  { open } for  pid=1996 comm="systemd-cryptse" path="/etc/pki/tls/openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=SYSCALL msg=audit(1694013919.085:10599): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=55943c6cdb90 a2=0 a3=0 items=1 ppid=1 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.086:10600): avc:  denied  { getattr } for  pid=1996 comm="systemd-cryptse" path="/etc/pki/tls/openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.087:10601): avc:  denied  { read } for  pid=1996 comm="systemd-cryptse" name="fips_local.cnf" dev="dm-1" ino=393381 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1

Sep 06 15:27:15 localhost audisp-syslog[1497]: node=localhost type=AVC msg=audit(1694014035.204:367): avc:  denied  { search } for  pid=1611 comm="systemd-cryptse" name="/" dev="pstore" ino=2357 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-15 15:34:54 -04:00
Guido Trentalancia
f3b359ec3f Add new gpg interfaces for gpg_agent execution and to avoid
auditing search operations on files and directories that
are not strictly needed and might pose a security risk.

The new interfaces will be used in a forthcoming update to
allow fetching updates from the network for the spamassassin
rules and the fsdaemon drive database.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/gpg.if |   80 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
2023-09-14 18:38:17 +02:00
Chris PeBenito
ba922253f4
Merge pull request #679 from gtrentalancia/audit_fixes_pr
Improve a previous syslog tunable policy change
2023-09-14 10:49:38 -04:00
Chris PeBenito
32be26840d
Merge pull request #673 from dsugar100/x_login
Solve issue with no keyboard/mouse on X login screen
2023-09-14 10:38:25 -04:00
Russell Coker
c29ca4f257 switcheroo is a daemon to manage discrete vs integrated GPU use for apps
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 23:41:57 +10:00
Chris PeBenito
966cfad4fe
Merge pull request #678 from dsugar100/systemd_hostname
For systemd-hostnamed service to run
2023-09-14 09:30:19 -04:00
Chris PeBenito
84e6a92d3b
Merge pull request #644 from dsugar100/rsyslog_caps
Allow rsyslog to drop capabilities
2023-09-14 09:28:43 -04:00
Chris PeBenito
472603982f
Merge pull request #681 from dsugar100/fix_sddm_label
/var/lib/sddm should be xdm_var_lib_t
2023-09-14 09:23:07 -04:00
Chris PeBenito
224476715e
Merge pull request #675 from dsugar100/ssh_session_error
Fix some ssh agent denials
2023-09-14 09:16:32 -04:00
Russell Coker
7cb75c56c7
Daemon to monitor memory pressure and notify applications and change … (#670)
* Daemon to monitor memory pressure and notify applications and change kernel
OOM settings.

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed the self dgram access to create_socket_perms

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 09:15:09 -04:00
Chris PeBenito
7037ef3248
Merge pull request #638 from gtrentalancia/gnome_fixes_pr
The gconf daemon (gnome module) must be able to create Unix domain sockets and use them as a server
2023-09-14 09:12:08 -04:00
Dave Sugar
cdd7c8cd5a /var/lib/sddm should be xdm_var_lib_t
based on denials, the fact that sddm runs as xdm_t and how other
directories are labeled, xdm_var_lib_t seems more correct here.

Sep 13 14:57:10 localhost.localdomain audisp-syslog[1570]: node=localhost type=AVC msg=audit(1694617030.144:419): avc:  denied  { search } for  pid=1702 comm="sddm" name="sddm" dev="dm-10" ino=393297 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc:  denied  { add_name } for  pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc:  denied  { create } for  pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.470:478): avc:  denied  { getattr } for  pid=1768 comm="QQmlThread" path="/var/lib/sddm/.cache/sddm-greeter/qmlcache" dev="dm-10" ino=393280 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 13:31:41 -04:00
Dave Sugar
131d4fcaca Allow rsyslog to drop capabilities
Aug 28 19:01:43 localhost.localdomain audisp-syslog[1565]: node=localhost type=AVC msg=audit(1693249303.693:415): avc:  denied  { setpcap } for  pid=1722 comm="rsyslogd" capability=8 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0
Aug 28 19:01:43 localhost.localdomain rsyslogd[1722]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 11:53:25 -04:00
Guido Trentalancia
4d2ae53c17 Introduce a new interface in the mta module to manage the mail
transport agent configuration directories and files.

This interface will be used by a forthcoming update of the
rule updating feature of the spamassassin module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/mta.if |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
2023-09-13 15:59:50 +02:00
Guido Trentalancia
37f81bbc80 Fix the recently introduced "logging_syslog_can_network"
tunable policy, by including TCP/IP socket creation
permissions.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/logging.te |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
2023-09-13 15:34:09 +02:00
Dave Sugar
08866e6253 For systemd-hostnamed service to run
systemd_hostnamed allowed to read/update/delete /run/systemd/default-hostname

○ systemd-hostnamed.service - Hostname Service
     Loaded: loaded (/usr/lib/systemd/system/systemd-hostnamed.service; static)
    Drop-In: /usr/lib/systemd/system/systemd-hostnamed.service.d
             └─disable-privatedevices.conf
     Active: inactive (dead)
       Docs: man:systemd-hostnamed.service(8)
             man:hostname(5)
             man:machine-info(5)
             man:org.freedesktop.resolve1(5)

Sep 13 12:51:32 localhost systemd[1]: Starting Hostname Service...
Sep 13 12:51:32 localhost systemd[1]: Started Hostname Service.
Sep 13 12:51:32 localhost systemd-hostnamed[1777]: Failed to read /run/systemd/default-hostname, ignoring: Permission denied
Sep 13 12:51:32 localhost.localdomain systemd-hostnamed[1777]: Hostname set to <localhost.localdomain> (transient)
Sep 13 12:51:32 localhost.localdomain systemd-hostnamed[1777]: Failed to remove "/run/systemd/default-hostname": Permission denied
Sep 13 12:52:02 localhost.localdomain systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Sep 13 12:54:09 localhost.localdomain systemd[1]: Starting Hostname Service...
Sep 13 12:54:09 localhost.localdomain systemd[1]: Started Hostname Service.
Sep 13 12:54:09 localhost.localdomain systemd-hostnamed[1931]: Failed to read /run/systemd/default-hostname, ignoring: Permission denied
Sep 13 12:54:39 localhost.localdomain systemd[1]: systemd-hostnamed.service: Deactivated successfully.

node=localhost type=AVC msg=audit(1689891544.345:413): avc:  denied  { read } for  pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:413): avc:  denied  { open } for  pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:414): avc:  denied  { getattr } for  pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:415): avc:  denied  { ioctl } for  pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc:  denied  { write } for  pid=22094 comm="systemd-hostnam" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc:  denied  { remove_name } for pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc:  denied  { unlink } for  pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 09:28:01 -04:00
Guido Trentalancia
2b0f35134a Update the gnome module so that the gconf daemon is
able to create Unix domain sockets and accept or listen for
connections on them.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/gnome.te |    2 ++
 1 file changed, 2 insertions(+)
2023-09-12 22:50:32 +02:00
Dave Sugar
7a635014e9 Fix some ssh agent denials
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.894:3623): avc:  denied  { write } for  pid=1840 comm="ssh-agent" path="/home/sugar/.xsession-errors" dev="dm-9" ino=65541 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file permissive=1

Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3634): avc:  denied  { getattr } for  pid=1840 comm="ssh-agent" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3635): avc:  denied  { read } for  pid=1840 comm="ssh-agent" name="opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3635): avc:  denied  { open } for  pid=1840 comm="ssh-agent" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 16:43:52 -04:00
Dave Sugar
ccc02fcf36 separate label for /etc/security/opasswd
Setting /etc/security/opasswd to shadow_t has some negative side
effects like the fact that pam_unix needs to read that.  Once
pam_unix can read shadow_t that changes the behaviour of how
pam_unix uses unix_update to update the password.  So, this
change defines the new type, shadow_history_t, for
/etc/security/opasswd.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 15:52:20 -04:00
Dave Sugar
3cd6a8116c Solve issue with no keyboard/mouse on X login screen
Sep 08 03:15:59 localhost audisp-syslog[1620]: node=localhost type=AVC msg=audit(1694142959.038:650): avc:  denied  { getattr } for  pid=1695 comm="Xorg" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 15:44:01 -04:00
Chris PeBenito
d1759b92cb
Merge pull request #647 from gtrentalancia/x_fixes_pr
Stricter yet more customizable xserver policy and three security bug fixes
2023-09-12 15:01:23 -04:00
Guido Trentalancia
54b4e52a12 Dbus creates Unix domain sockets not only for the
system bus, but also for the session bus (in addition
to connecting to them), so its policy module is
modified accordingly.

See also: https://github.com/SELinuxProject/refpolicy/pull/667

which was merged in the following commit:

  b4cb09a38c
  Date:   Mon Sep 11 20:42:50 2023 +0200

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.if |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-12 20:05:14 +02:00
Guido Trentalancia
3483d76720 Update the gpg module so that the application is able
to fetch new keys from the network.

Without this patch the following error is produced:

 $ gpg --recv-keys EA3A87F0A4EBA030E45DF2409E8C1AFBBEFFDB32

 gpg: error running '/usr/bin/dirmngr': exit status 1
 gpg: failed to start dirmngr '/usr/bin/dirmngr': Generic error
 gpg: can't connect to the dirmngr: Generic error
 gpg: keyserver receive failed: dirmngr is not installed

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/gpg.te |    2 ++
 1 file changed, 2 insertions(+)
2023-09-12 19:36:27 +02:00
Guido Trentalancia
a6a7641605 Fix the shutdown policy in order to make use of
the newly created file label and interface needed
to manage the random seed file.

Add the sys_boot capability permission that was
missing in the shutdown domain in order to be
able to reboot/shutdown correctly.

Let the shutdown domain signal init and all other
domains.

Fix the shutdown executable file labels, as the
executable normally lives in /sbin.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/admin/shutdown.fc |    4 +++-
 policy/modules/admin/shutdown.te |    4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
2023-09-12 19:27:51 +02:00
Guido Trentalancia
984897ba81 Create a new specific file label for the random seed
file saved before shutting down or rebooting the system
and rework the interface needed to manage such file.

Use the newly created interface to fix the init policy
and deprecate the old one in the kernel files module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/files.if |   29 +++++++++++++++++++++++------
 policy/modules/system/init.fc  |    3 ++-
 policy/modules/system/init.if  |   24 ++++++++++++++++++++++++
 policy/modules/system/init.te  |    7 +++++--
 4 files changed, 54 insertions(+), 9 deletions(-)
2023-09-12 19:26:43 +02:00
Chris PeBenito
49fcadb8bd
Merge pull request #668 from gtrentalancia/userdomain_fixes_pr
Remove an unneeded logging interface from the userdomain module
2023-09-12 11:49:18 -04:00
Chris PeBenito
f3ab8cef4d
Merge pull request #667 from gtrentalancia/dbus_fixes_pr2
dbus creates Unix domain sockets
2023-09-12 11:34:12 -04:00
Guido Trentalancia
3ed8a9e4d0 Remove a logging interface from the userdomain module
since it has now been moved to the xscreensaver domain.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/userdomain.if |    2 --
 1 file changed, 2 deletions(-)
2023-09-11 21:34:42 +02:00
Guido Trentalancia
b4cb09a38c Dbus creates Unix domain sockets (in addition to
listening on and connecting to them), so its policy
module is modified accordingly.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-11 20:43:58 +02:00
Guido Trentalancia
be2070b445 Remove duplicate permissions in the xserver module
xserver_restricted_role() interface.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    2 --
 1 file changed, 2 deletions(-)
2023-09-11 19:32:59 +02:00
Guido Trentalancia
b83fe41629 Fix another security bug similar to the ones that
have been recently fixed in the following two
commits:

  3eef4bc6fd
  Date:   Sun Sep 3 17:40:30 2023 +0200

and:

  7de535d65a6f0592cb47598a4fd456e399a86663
  Date:   Thu Sep 7 18:46:20 2023 +0200

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
2023-09-11 19:31:39 +02:00
Guido Trentalancia
f39caed39b Fix another security bug, a companion of the one
fixed in the following previous commit:

  3eef4bc6fd
  Date:   Sun Sep 3 17:40:30 2023 +0200

This time the bug is already effective in the
following modules: virt, firstboot, wine and
mono.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
2023-09-11 19:30:57 +02:00
Guido Trentalancia
1c053e5223 Improved wording for the new xserver tunable policy
booleans introduced with the previous three commits.

Thanks to Christopher PeBenito for suggesting this.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    6 +++---
 policy/modules/services/xserver.te |   16 ++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)
2023-09-11 19:30:12 +02:00
Chris PeBenito
d1b1076666
Merge pull request #652 from gtrentalancia/syslog_fixes_pr
Increase general syslog daemon policy security by making network permissions tunable
2023-09-11 09:56:36 -04:00
Chris PeBenito
9967edaebe
Merge pull request #666 from gtrentalancia/mix_fixes_pr2
Miscellaneous fixes
2023-09-11 09:38:05 -04:00
Guido Trentalancia
5037801893 Remove a vulnerability introduced by a logging interface
which allows executing log files.

This can be potentially used to execute malicious code or
scripts previously written in log files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/admin/logrotate.te |    1 -
 policy/modules/system/logging.if  |   22 ----------------------
 2 files changed, 23 deletions(-)
2023-09-11 15:25:25 +02:00
Chris PeBenito
a5619fe755
Merge pull request #662 from dsugar100/search_xdm_run_dir
Allow search xdm_var_run_t directories along with reading files.
2023-09-11 09:09:29 -04:00
Chris PeBenito
ce2493a5cc
Merge pull request #661 from gtrentalancia/mplayer_fixes_pr
mplayer module fixes for vlc
2023-09-11 09:08:18 -04:00
Chris PeBenito
e0e63aa281
Merge pull request #660 from dsugar100/dm_read_hwdata
Allow display manager to read hwdata
2023-09-11 09:07:47 -04:00
Chris PeBenito
8ffc5e7246
Merge pull request #658 from dsugar100/utempter_fix
Updates for utempter
2023-09-11 09:05:54 -04:00
Chris PeBenito
272a6c902e
Merge pull request #657 from etbe/master
Daemon to control authentication for Thunderbolt.
2023-09-11 09:04:47 -04:00
Chris PeBenito
77692ca0f6
Merge pull request #655 from dsugar100/dbus_start_stop_services
Allow system_dbusd_t to start/stop all units
2023-09-11 09:03:28 -04:00
Chris PeBenito
83238ce3ae
Merge pull request #639 from gtrentalancia/openoffice_fixes_pr
Minor fixes for the openoffice and xserver modules
2023-09-11 09:00:46 -04:00
Guido Trentalancia
9c4b0300ea Remove misplaced permission from mount interface
mount_exec.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/mount.if |    3 ---
 1 file changed, 3 deletions(-)
2023-09-11 09:34:58 +02:00
Dave Sugar
a603b3913d Allow search xdm_var_run_t directories along with reading files.
Sep 07 23:30:46 localhost audisp-syslog[1669]: node=localhost type=AVC msg=audit(1694129445.663:3622): avc:  denied  { search } for pid=1844 comm="xhost" name="lightdm" dev="tmpfs" ino=1504 scontext=toor_u:staff_r:staff_t:s0 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-07 22:21:14 -04:00
Guido Trentalancia
03bc14351f Add permissions to read device sysctls to mplayer.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/mplayer.te |    1 +
 1 file changed, 1 insertion(+)
2023-09-07 22:34:19 +02:00
Guido Trentalancia
15db7d14aa Let mplayer act as a dbus session bus client (needed
by the vlc media player).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/mplayer.te |    5 +++++
 1 file changed, 5 insertions(+)
2023-09-07 21:44:19 +02:00
Dave Sugar
8dd1903281 Allow display manager to read hwdata
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:431): avc:  denied  { search } for  pid=1744 comm="sddm-greeter" name="hwdata" dev="dm-1" ino=1726 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:432): avc:  denied  { read } for  pid=1744 comm="sddm-greeter" name="pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:432): avc:  denied  { open } for  pid=1744 comm="sddm-greeter" path="/usr/share/hwdata/pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.974:433): avc:  denied  { getattr } for  pid=1744 comm="sddm-greeter" path="/usr/share/hwdata/pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:58:46 -04:00
Dave Sugar
56db40c099 Updates for utempter
Fix label (for RedHat) which places utempter in /usr/libexec/utempter/utempter
Allow utempter to write to xsession log

Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.483:3994): avc:  denied  { write } for  pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.485:3997): avc:  denied  { getattr } for  pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:52:05 -04:00
Russell Coker
3e2dd81a36 Daemon to control authentication for Thunderbolt.
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-07 07:17:00 +10:00
Guido Trentalancia
0a41b1c748 Update the openoffice module so that it can create
Unix stream sockets with its own label and use them
both as a client and a server.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/openoffice.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-06 22:35:59 +02:00
Guido Trentalancia
77de8cdd59 Let the openoffice domain manage fonts cache (fontconfig).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/openoffice.te |    1 +
 1 file changed, 1 insertion(+)
2023-09-06 22:28:40 +02:00
Dave Sugar
f7d61f6146 Allow system_dbusd_t to start/stop all units
Examples of denials I'm seeing requiring this type of access:
node=localhost type=USER_AVC msg=audit(1689811749.504:399): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-hostnamed.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
node=localhost type=USER_AVC msg=audit(1692287535.229:262): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
node=localhost type=USER_AVC msg=audit(1692305808.055:375): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/accounts-daemon.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 16:22:46 -04:00
Guido Trentalancia
c032204af3 Introduce a new "logging_syslog_can_network" boolean
and make the net_admin capability as well as all
corenetwork permissions previously granted
to the syslog daemon conditional upon such boolean
being true.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/logging.te |   61 +++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 25 deletions(-)
2023-09-06 20:53:42 +02:00
Chris PeBenito
9d03d2ef9e
Merge pull request #656 from gtrentalancia/kernel_fixes_pr
Update the kernel module to remove misplaced or obsolete permissions
2023-09-06 13:29:48 -04:00
Chris PeBenito
663284394c
Merge pull request #654 from gtrentalancia/smartmon_fixes_pr
Smartmon policy update
2023-09-06 13:28:08 -04:00
Chris PeBenito
246c1aab40
Merge pull request #653 from etbe/master
Add iio-sensor-proxy.
2023-09-06 13:27:41 -04:00
Guido Trentalancia
7e5292de29 Update the kernel module to remove misplaced or at least really
obsolete permissions during kernel module loading.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/kernel.te |   12 ------------
 1 file changed, 12 deletions(-)
2023-09-06 17:50:52 +02:00
Guido Trentalancia
86f9bfe0ee Revert the following commit (ability to read /usr files),
as it is no longer needed, after the database file got its
own label:

 Date:   Wed Feb 16 07:24:34 2011 +0100
 patch to allow smartmon to read usr files
 37ba0d0437

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/smartmon.te |    1 -
 1 file changed, 1 deletion(-)
2023-09-06 17:12:48 +02:00