Dave Sugar
3d55e918f6
Firewalld need to relabel direct.xml file
...
firewalld[1084]: Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/firewall/core/io/direct.py", line 372, in write
shutil.copy2(self.filename, "%s.old" % self.filename)
File "/usr/lib64/python3.9/shutil.py", line 445, in copy2
copystat(src, dst, follow_symlinks=follow_symlinks)
File "/usr/lib64/python3.9/shutil.py", line 388, in copystat
_copyxattr(src, dst, follow_symlinks=follow)
File "/usr/lib64/python3.9/shutil.py", line 338, in _copyxattr
os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
PermissionError: [Errno 13] Permission denied: '/etc/firewalld/direct.xml.old'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/firewall/server/decorators.py", line 67, in _impl
return func(*args, **kwargs)
File "/usr/lib/python3.9/site-packages/firewall/server/config.py", line 1429, in update
self.config.get_direct().write()
File "/usr/lib/python3.9/site-packages/firewall/core/io/direct.py", line 374, in write
raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))
OSError: Backup of '/etc/firewalld/direct.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/direct.xml.old'
firewalld[1084]: ERROR: Backup of file '/etc/firewalld/zones/data.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/data.xml.old'
node=localhost type=AVC msg=audit(1704599676.613:35145): avc: denied { relabelfrom } for pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=loalhost type=AVC msg=audit(1704599677.914:35287): avc: denied { relabelfrom } for pid=1084 comm="firewalld" name="direct.xml.old" dev="dm-0" ino=1180671 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1704599788.714:41689): avc: denied { relabelfrom } for pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1704599788.714:41689): avc: denied { relabelto } for pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-07 17:15:36 -05:00
Christian Göttsche
82f7160a20
init: only grant getattr in init_getattr_generic_units_files()
...
Like the name suggests only grant the permission getattr in
init_getattr_generic_units_files().
Adjust the only caller to use init_read_generic_units_files() instead.
Reported-by: Laurent Bigonville
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-04 20:43:20 +01:00
Kenton Groombridge
a0018e4e85
kubernetes: allow container engines to mount on DRI devices if enabled
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Kenton Groombridge
16323cfce2
container, kubernetes: add support for cilium
...
Cilium is a kubernetes CNI powered by BPF. Its daemon pods run as super
privileged containers which require various accesses in order to load
BPF programs and modify the host network.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Kenton Groombridge
d2f413c1b6
container: various fixes
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Chris PeBenito
d4555fd002
Merge pull request #744 from quic-kmeng/main
...
filesystem:Add type contexts and interface for functionfs
2024-01-04 09:39:39 -05:00
Kai Meng
76951aa43c
devices:Add genfscon context for functionfs to mount
...
When start up adbd by adb initscript, there's a command like:
mount -o uid=2000,gid=2000 -t functionfs adb /dev/usb-ffs/adb
will cause below deny because lack of functionfs related contexts.
avc: denied { mount } for pid=346 comm="mount" name="/"
dev="functionfs" ino=17700 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Signed-off-by: Kai Meng <quic_kmeng@quicinc.com>
2024-01-04 14:29:02 +08:00
Chris PeBenito
e7cdbe3f5b
Merge pull request #743 from dsugar100/dbus_fixes
...
Dbus fixes
2024-01-03 10:56:24 -05:00
Chris PeBenito
14a6144733
Merge pull request #746 from yizhao1/cryptsetup
...
fix some contexts
2024-01-03 10:55:40 -05:00
Yi Zhao
249263f7c4
container: set context for /run/crun
...
/run/crun is the runtime directory for crun.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-01-03 19:18:41 +08:00
Yi Zhao
96cb5e6304
lvm: set context for /run/cryptsetup
...
* Set context for /runcryptesetup created by systemd-cryptsetup.
* Remove duplicate line 'fs_getattr_cgroup(lvm_t)'.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-01-03 19:17:24 +08:00
Dave Sugar
58e4c9a36f
dbus changes
...
dbus needs to map security_t files
private type ($1_dbus_tmpfs_t) for file created on tmpfs
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: avc: could not open selinux status page: 13 (Permission denied)
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: ERROR bus_selinux_init_global @ ../src/util/selinux.c +336: Permission denied
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +285
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +295
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: ERROR service_add @ ../src/launch/service.c +921: Transport endpoint is not connected
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_add_services @ ../src/launch/launcher.c +804
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_run @ ../src/launch/launcher.c +1409
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: run @ ../src/launch/main.c +152
Dec 20 18:18:15 localhost.localdomain audisp-syslog[1585]: node=localhost type=AVC msg=audit(1703096295.282:5058): avc: denied { map } for pid=1927 comm="dbus-broker" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: main @ ../src/launch/main.c +178
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: Exiting due to fatal error: -107
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Failed with result 'exit-code'.
node=localhost type=AVC msg=audit(1703095496.614:486): avc: denied { write } for pid=1838 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc: denied { map } for pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc: denied { read } for pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7369): avc: denied { write } for pid=1839 comm="dbus-broker" name="memfd:dbus-broker-log" dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc: denied { map } for pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc: denied { read } for pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7632): avc: denied { write } for pid=2394 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc: denied { map } for pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc: denied { read } for pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-02 15:18:55 -05:00
Christian Göttsche
86d9a00e7f
git: add fcontext for default binary
...
Avoid relabel loops if the helper binaries are hardlinked:
$ restorecon -vRF -T0 /usr/libexec/
Relabeled /usr/libexec/git-core/git from system_u:object_r:git_exec_t to system_u:object_r:bin_t
Relabeled /usr/libexec/git-core/git-rev-parse from system_u:object_r:bin_t to system_u:object_r:git_exec_t
Relabeled /usr/libexec/git-core/git-fsmonitor--daemon from system_u:object_r:bin_t to system_u:object_r:git_exec_t
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-12-28 17:52:08 +01:00
Dave Sugar
2680abe1f8
Allow dbus-broker-launch to execute in same domain
...
node=localhost type=AVC msg=audit(1703080976.876:873613): avc: denied { execute_no_trans } for pid=6840 comm="dbus-broker-lau" path="/usr/bin/dbus-broker" dev="dm-1" ino=16361 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-20 14:49:39 -05:00
Dave Sugar
dd21a7724a
Changes needed for dbus-broker-launch
...
node=localhost type=AVC msg=audit(1701877079.240:52506): avc: denied { read } for pid=7055 comm="dbus-broker-lau" name="machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.240:52506): avc: denied { open } for pid=7055 comm="dbus-broker-lau" path="/etc/machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.244:52520): avc: denied { connectto } for pid=7054 comm="dbus-broker-lau" path="/run/user/1001/bus" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { sendto } for pid=7054 comm="dbus-broker-lau" path="/run/user/1001/systemd/notify" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { search } for pid=7054 comm="dbus-broker-lau" name="systemd" dev="tmpfs" ino=2 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc: denied { write } for pid=7054 comm="dbus-broker-lau" name="notify" dev="tmpfs" ino=13 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_notify_t:s0 tclass=sock_file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-20 14:48:54 -05:00
Kenton Groombridge
b1a8799185
sysadm: allow using networkctl
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:42:07 -05:00
Kenton Groombridge
43d529e90e
glusterfs: add tunable to allow managing unlabeled files
...
If gluster ever experiences data corruption on its underlying bricks, a
situation may arise where the corrupted files have bad or missing
xattrs and are therefore presented as unlabeled to SELinux. Gluster will
then be unable to repair these files until the access is allowed or the
user manually relabels these files.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:42:04 -05:00
Kenton Groombridge
c3dbaf035c
container: allow watching FUSEFS dirs and files
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-12-17 23:10:02 -05:00
Guido Trentalancia
82b4448e1d
Additional file context fix for:
...
https://github.com/SELinuxProject/refpolicy/issues/735
This patch extends the fix for a serious Information
Disclosure vulnerability caused by the erroneous labeling
of TLS Private Keys and CSR.
See: commit 5c9038ec98
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/miscfiles.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-12-05 21:04:29 +01:00
Chris PeBenito
044e318dd7
Merge pull request #738 from ffontaine/main
...
policy/modules/services/smartmon.te: make fstools optional
2023-11-29 09:43:44 -05:00
Chris PeBenito
4b1ba3cc47
Merge pull request #736 from gtrentalancia/init_fixes_pr
...
Restrict LDAP server init script permissions on generic certificate files
2023-11-29 09:39:43 -05:00
Fabrice Fontaine
65eed16b58
policy/modules/services/smartmon.te: make fstools optional
...
Make fstools optional to avoid the following build failure raised since
version 2.20231002 and
cb068f09d2
:
Compiling targeted policy.33
env LD_LIBRARY_PATH="/home/thomas/autobuild/instance-2/output-1/host/lib:/home/thomas/autobuild/instance-2/output-1/host/usr/lib" /home/thomas/autobuild/instance-2/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
policy/modules/services/smartmon.te:146:ERROR 'type fsadm_exec_t is not within scope' at token ';' on line 237472:
allow smartmon_update_drivedb_t fsadm_exec_t:file { { getattr open map read execute ioctl } ioctl lock execute_no_trans };
#line 146
checkpolicy: error(s) encountered while parsing configuration
make[1]: *** [Rules.monolithic:80: policy.33] Error 1
Fixes:
- http://autobuild.buildroot.org/results/a01123de9a8c1927060e7e4748666bebfc82ea44
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2023-11-29 08:37:25 +01:00
Guido Trentalancia
2e27be3c56
Let the certmonger module manage SSL Private Keys
...
and CSR used for example by the HTTP and/or Mail
Transport daemons.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/certmonger.te | 3 +++
1 file changed, 3 insertions(+)
2023-11-20 17:09:31 +01:00
Guido Trentalancia
912d3a687b
Let the webadm role manage Private Keys and CSR for
...
SSL Certificates used by the HTTP daemon.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/roles/webadm.te | 4 ++++
1 file changed, 4 insertions(+)
2023-11-20 17:09:12 +01:00
Guido Trentalancia
5c9038ec98
Create new TLS Private Keys file contexts for the
...
Apache HTTP server according to the default locations:
http://www.apache.com/how-to-setup-an-ssl-certificate-on-apache
Add the correct TLS Private Keys file label for Debian
systems.
This patch fixes a serious Information Disclosure
vulnerability caused by the erroneous labeling of
TLS Private Keys and CSR, as explained above.
See: https://github.com/SELinuxProject/refpolicy/issues/735
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/miscfiles.fc | 3 +++
1 file changed, 3 insertions(+)
2023-11-19 22:44:27 +01:00
Guido Trentalancia
b38583a79d
The LDAP server only needs to read generic certificate
...
files, not manage them.
Modify the init policy to match the comment and the
LDAP server actual behavior.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-11-19 22:23:37 +01:00
Yi Zhao
100a853c0c
rpm: fixes for dnf
...
* Set labels for /var/lib/dnf/.
* Allow useradd/groupadd to read/append rpm temporary files.
* Allow rpm_t to send/receive messages from systemd-logind over dbus.
* Allow rpm_t to use inherited systemd-logind file descriptors.
Fixes:
avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.login1.Manager member=Inhibit
dest=org.freedesktop.login1 spid=565 tpid=331
scontext=root:sysadm_r:rpm_t tcontext=system_u:system_r:systemd_logind_t
tclass=dbus permissive=1
avc: denied { send_msg } for msgtype=method_return dest=:1.11 spid=331
tpid=565 scontext=system_u:system_r:systemd_logind_t
tcontext=root:sysadm_r:rpm_t tclass=dbus permissive=1
avc: denied { use } for pid=565 comm="python3"
path="/run/systemd/inhibit/1.ref" dev="tmpfs" ino=703
scontext=root:sysadm_r:rpm_t tcontext=system_u:system_r:systemd_logind_t
tclass=fd permissive=1
avc: denied { read append } for pid=590 comm="groupadd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20
scontext=root:sysadm_r:groupadd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1
avc: denied { getattr } for pid=590 comm="groupadd" name="/"
dev="proc" ino=1 scontext=root:sysadm_r:groupadd_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
avc: denied { ioctl } for pid=590 comm="groupadd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20 ioctlcmd=0x5401
scontext=root:sysadm_r:groupadd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1
avc: denied { read append } for pid=626 comm="useradd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20
scontext=root:sysadm_r:useradd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1
avc: denied { ioctl } for pid=626 comm="useradd"
path="/tmp/tmpy6epkors" dev="tmpfs" ino=20 ioctlcmd=0x5401
scontext=root:sysadm_r:useradd_t tcontext=root:object_r:rpm_tmp_t
tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-11-16 21:58:18 +08:00
Chris PeBenito
0b148c02b6
Merge pull request #730 from gtrentalancia/gpg_fixes2_pr
...
Modify the gpg module so that gpg and the gpg_agent
2023-11-14 11:04:40 -05:00
Guido Trentalancia
8839a7137d
Modify the gpg module so that gpg and the gpg_agent
...
can manage gpg_runtime_t socket files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/gpg.te | 2 ++
1 file changed, 2 insertions(+)
2023-11-11 15:44:24 +01:00
Russell Coker
780adb80af
Simple patch for Brother printer drivers as described in:
...
https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-23 00:09:26 +11:00
Chris PeBenito
f3865abfc2
Merge pull request #717 from dsugar100/use_chat_machined_interface
...
Use interface that already exists.
2023-10-09 09:35:59 -04:00
Chris PeBenito
f5eba7176e
Merge pull request #723 from etbe/modemmanager
...
modemmanager and eg25manager changes needed for pinephonepro
2023-10-09 09:34:07 -04:00
Russell Coker
3e39efffdf
patches for nspawn policy ( #721 )
...
* patches to nspawn policy.
Allow it netlink operations and creating udp sockets
Allow remounting and reading sysfs
Allow stat cgroup filesystem
Make it create fifos and sock_files in the right context
Allow mounting the selinux fs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use the new mounton_dir_perms and mounton_file_perms macros
Signed-off-by: Russell Coker <russell@coker.com.au>
* Corrected macro name
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed description of files_mounton_kernel_symbol_table
Signed-off-by: Russell Coker <russell@coker.com.au>
* systemd: Move lines in nspawn.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-10-09 09:32:38 -04:00
Yi Zhao
6eecf51716
systemd: use init_daemon_domain instead of init_system_domain for systemd-networkd and systemd-resolved
...
Systemd-networkd and systemd-resolved are daemons.
Fixes:
avc: denied { write } for pid=277 comm="systemd-resolve"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1
avc: denied { write } for pid=324 comm="systemd-network"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-07 14:41:16 +08:00
Russell Coker
9f7d6ff7a0
Changes to eg25manager and modemmanager needed for firmware upload on pinephonepro
...
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-07 13:56:52 +11:00
Chris PeBenito
d542d53698
Merge pull request #720 from etbe/raid
...
small mdadm changes for cron job
2023-10-06 09:26:55 -04:00
Dave Sugar
0a9650901c
Separate label for /run/systemd/notify ( #710 )
...
* Separate label for /run/systemd/notify
label systemd_runtime_notify_t
Allow daemon domains to write by default
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
* systemd: Add -s to /run/systemd/notify socket.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-10-06 09:06:39 -04:00
Russell Coker
c2a9111a5c
Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited
...
from cron, and dontaudit ps type operations from it
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-06 21:48:52 +11:00
Dave Sugar
12ad93d167
Use interface that already exists.
...
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-10-05 17:31:33 -04:00
Russell Coker
be2e8970e0
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
...
While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-05 22:13:54 +11:00
Chris PeBenito
44fd3ebd12
Merge pull request #715 from yizhao1/bind
...
bind: fix for named service
2023-10-02 08:58:52 -04:00
Chris PeBenito
275e3f0ef9
Merge pull request #714 from yizhao1/systemd-journal-catalog-update
...
systemd: allow journalctl to create /var/lib/systemd/catalog
2023-10-02 08:57:55 -04:00
Chris PeBenito
6909b4b2f9
Merge pull request #713 from gtrentalancia/openoffice_fixes_pr2
...
Let openoffice perform temporary file transitions on link files and manage them
2023-10-02 08:57:04 -04:00
Yi Zhao
0a776a270a
bind: fix for named service
...
Fixes:
avc: denied { sqpoll } for pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0
avc: denied { create } for pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-02 16:38:12 +08:00
Yi Zhao
4ce68f22d8
systemd: allow journalctl to create /var/lib/systemd/catalog
...
If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:
$ systemctl status systemd-journal-catalog-update.service
systemd-journal-catalog-update.service - Rebuild Journal Catalog
Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago
Docs: man:systemd-journald.service(8)
man:journald.conf(5)
Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
Main PID: 247 (code=exited, status=1/FAILURE)
Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.
Fixes:
AVC avc: denied { getattr } for pid=247 comm="journalctl" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
AVC avc: denied { write } for pid=247 comm="journalctl"
name="systemd" dev="vda" ino=13634
scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-30 18:34:40 +08:00
Guido Trentalancia
701410e7a6
Let openoffice perform temporary file transitions
...
and manage link files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/openoffice.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
2023-09-29 22:30:14 +02:00
Russell Coker
1c0b2027f9
misc small email changes ( #704 )
...
* Small changes to courier, dovecot, exim, postfix, amd sendmail policy.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Removed an obsolete patch
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use create_stream_socket_perms for unix connection to itself
Signed-off-by: Russell Coker <russell@coker.com.au>
* Removed unconfined_run_to
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove change for it to run from a user session
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:57:18 -04:00
Russell Coker
bb90d67768
mon.te patches as well as some fstools patches related to it ( #697 )
...
* Patches for mon, mostly mon local monitoring.
Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed the issues from the review
Signed-off-by: Russell Coker <russell@coker.com.au>
* Specify name to avoid conflicting file trans
Signed-off-by: Russell Coker <russell@coker.com.au>
* fixed dontaudi_ typo
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove fsdaemon_read_lib as it was already merged
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:55:56 -04:00
Russell Coker
c51554cbab
misc small patches for cron policy ( #701 )
...
* Some misc small patches for cron policy
Signed-off-by: Russell Coker <russell@coker.com.au>
* added systemd_dontaudit_connect_machined interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove the line about connecting to tor
Signed-off-by: Russell Coker <russell@coker.com.au>
* remove the dontaudit for connecting to machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* changed to distro_debian
Signed-off-by: Russell Coker <russell@coker.com.au>
* mta: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
* cron: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-09-28 09:46:14 -04:00
Russell Coker
1577b2105a
small systemd patches ( #708 )
...
* Some small systemd patches
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed error where systemd.if had a reference to user_devpts_t
Signed-off-by: Russell Coker <russell@coker.com.au>
* removed the init_var_run_t:service stuff as there's already interfaces and a type for it
Signed-off-by: Russell Coker <russell@coker.com.au>
* corecmd_shell_entry_type doesn't seem to be needed
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-27 09:20:52 -04:00
Dave Sugar
f141dccc2a
separate domain for journalctl during init
...
During system boot, when systemd-journal-catalog-update.service is
started, it fails becuase initrc_t doesn't have access to write
systemd_journal_t files/dirs. This change is to run journalctl in a
different domain during system startup (systemd_journal_init_t) to allow
the access necessary to run.
× systemd-journal-catalog-update.service - Rebuild Journal Catalog
Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago
Docs: man:systemd-journald.service(8)
man:journald.conf(5)
Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
Main PID: 1626 (code=exited, status=1/FAILURE)
CPU: 102ms
Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied
Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog.
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { add_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { create } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:137): avc: denied { setattr } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { rename } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { unlink } for pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-26 12:47:37 -04:00
Chris PeBenito
3bf196f6a3
Merge pull request #702 from etbe/db
...
small postgresql and mysql stuff
2023-09-26 09:59:31 -04:00
Russell Coker
bcc92a3038
allow jabbers to create sock file and allow matrixd to read sysfs ( #705 )
...
* Allow jabberd_domain to create sockets in it's var/lib dir
Allow matrixd_t to read sysfs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed to manage_sock_file_perms to allow unlink
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-26 09:48:31 -04:00
Chris PeBenito
61fbf428fb
postgresql: Move lines
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-26 09:43:40 -04:00
Chris PeBenito
1a9143efa3
Merge pull request #696 from yizhao1/fixes
...
Fixes for mount and loadkeys
2023-09-26 09:40:19 -04:00
Russell Coker
f849e27df3
small storage changes ( #706 )
...
* Changes to storage.fc, smartmon, samba and lvm
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add the interfaces this patch needs
Signed-off-by: Russell Coker <russell@coker.com.au>
* use manage_sock_file_perms for sock_file
Signed-off-by: Russell Coker <russell@coker.com.au>
* Renamed files_watch_all_file_type_dir to files_watch_all_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use read_files_pattern
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:46:04 -04:00
Russell Coker
478df0e446
small network patches ( #707 )
...
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed typo in interface name
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add interface libs_watch_shared_libs_dir
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added sysnet_watch_config_dir interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* rename sysnet_watch_config_dir to sysnet_watch_config_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Reverted a change as I can't remember why I did it.
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:44:52 -04:00
Russell Coker
0d77235ecc
small ntp and dns changes ( #703 )
...
* Small changes for ntp, bind, avahi, and dnsmasq
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:01:12 -04:00
Chris PeBenito
748980def5
Merge pull request #694 from etbe/fifth
...
some misc userdomain fixes
2023-09-25 10:57:27 -04:00
Russell Coker
cf1ba82cb9
Added tmpfs file type for postgresql
...
Small mysql stuff including anon_inode
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-22 19:09:12 +10:00
Russell Coker
0528990a24
policy patches for anti-spam daemons ( #698 )
...
* Patches for anti-spam related policy
* Added a seperate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 12:01:24 -04:00
Chris PeBenito
487feedf8e
Merge pull request #699 from yizhao1/systemd-networkd
...
systemd: allow systemd-networkd to create file in /run/systemd directory
2023-09-21 10:45:47 -04:00
Russell Coker
125e52ef58
policy for the Reliability Availability servicability daemon ( #690 )
...
* policy for the Reliability Availability servicability daemon
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:22:36 -04:00
Russell Coker
e349de1507
debian motd.d directory ( #689 )
...
* policy for Debian motd.d dir
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:21:25 -04:00
Yi Zhao
8758b782e5
systemd: allow systemd-networkd to create file in /run/systemd directory
...
systemd-networkd creates files in /run/systemd directory which should be
labeled appropriately.
Fixes:
avc: denied { create } for pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc: denied { write } for pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc: denied { setattr } for pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc: denied { rename } for pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-21 11:40:24 +08:00
Yi Zhao
ee3ea8ebca
loadkeys: do not audit attempts to get attributes for all directories
...
Fixes:
avc: denied { getattr } for pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
avc: denied { getattr } for pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1
avc: denied { getattr } for pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1
avc: denied { getattr } for pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 14:44:45 +08:00
Yi Zhao
0a7f48cb31
mount: allow mount_t to get attributes for all directories
...
Fixes:
avc: denied { getattr } for pid=130 comm="mount" path="/" dev="tracefs"
ino=1 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1
avc: denied { getattr } for pid=166 comm="mount" path="/" dev="configfs"
ino=14220 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 13:31:50 +08:00
Russell Coker
cb6bf2fe9a
some misc userdomain fixes
...
Allow userdomains to read crypto sysctls (usually /proc/sys/crypto/fips_enabled)
Alow them to read vm overcommit status and fs_systls (things like pipe-max-size)
Allow pipewire to write to user runtime named sockets
Allow the user domain for X access to use user fonts, accept stream connections
from xdm_t, and map xkb_var_lib_t files
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-20 12:40:59 +10:00
Chris PeBenito
227786eed7
Merge pull request #693 from dsugar100/colord
...
Resolve some denials with colord
2023-09-19 16:09:52 -04:00
Chris PeBenito
fc3589a04f
Merge pull request #676 from dsugar100/all_users_syslog
...
Allow all users to send syslog messages
2023-09-19 16:07:10 -04:00
Dave Sugar
17c9b3ac7e
Resolve some denials with colord
...
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc: denied { read } for pid=2039 comm="colord" name="hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc: denied { open } for pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:657): avc: denied { getattr } for pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:658): avc: denied { map } for pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.106:18931): avc: denied { read } for pid=2039 comm="gdbus" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19182): avc: denied { getattr } for pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19183): avc: denied { map } for pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc: denied { search } for pid=2039 comm="colord" name="1880" dev="proc" ino=26735 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc: denied { read } for pid=2039 comm="colord" name="cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc: denied { open } for pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:679): avc: denied { getattr } for pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:680): avc: denied { ioctl } for pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 ioctlcmd=0x5401 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc: denied { search } for pid=2039 comm="colord" name="sessions" dev="tmpfs" ino=96 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc: denied { read } for pid=2039 comm="colord" name="c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc: denied { open } for pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:682): avc: denied { getattr } for pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 13:52:50 -04:00
Chris PeBenito
41ac8090f7
Merge pull request #691 from etbe/fifth
...
power profiles daemon
2023-09-19 11:40:39 -04:00
Dave Sugar
cf58a70881
Allow all users to (optionally) send syslog messages
...
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc: denied { write } for pid=1757 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc: denied { sendto } for pid=1757 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc: denied { write } for pid=1756 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc: denied { sendto } for pid=1756 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 09:14:08 -04:00
Russell Coker
e5ea2c99df
policy for power profiles daemon, used to change power settings
...
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-19 22:51:22 +10:00
Chris PeBenito
5e2bf62c6f
Merge pull request #672 from gtrentalancia/x_fixes_pr2
...
Remote X11 TCP/IP functionality is generally insecure: switch it off by default. Strengthen XDM authentication file access.
2023-09-19 08:36:26 -04:00
Guido Trentalancia
44bfd66186
Merge branch 'main' into x_fixes_pr2
...
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2023-09-19 01:31:50 +02:00
Guido Trentalancia
8c562af119
The X display manager uses an authentication
...
mechanism based on an authorization file which
is critical for X security.
For example, a common attack is to remove the
file in order to disable authorization.
At the moment permissions on such file and its
parent directory are shared with several other
modules that have nothing to do with XDMCP
authorization, therefore this patch strenghtens
the file access policy by making it exclusive
to XDM and the X server (read-only).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.fc | 1 +
policy/modules/services/xserver.if | 33 +++++++++++++++++++++++++++++++++
policy/modules/services/xserver.te | 11 +++++++++++
3 files changed, 45 insertions(+)
2023-09-19 01:28:10 +02:00
Guido Trentalancia
793d6a29d8
Introduce two new booleans for the X server and
...
X display manager domains which control whether
or not the respective domains allow the TCP/IP
server networking functionality.
The above mentioned booleans both default to false
as remote X11 has no integrity and confidentiality
protection and is generally insecure.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.te | 82 +++++++++++++++++++++++--------------
1 file changed, 52 insertions(+), 30 deletions(-)
2023-09-19 01:23:22 +02:00
Chris PeBenito
d806720c76
unconfined: Keys are linkable by systemd.
...
Since the systemd --user for unconfined_t runs in unconfined_t too, instead
of a derived domain such as with regular users, e.g., user_systemd_t, this
is required.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-09-18 17:05:23 -04:00
Chris PeBenito
6e39f49247
Merge pull request #671 from gtrentalancia/dbus_fixes_pr3
...
Dbus also creates Unix domain sockets in session mode but has insecure networking code
2023-09-18 11:40:16 -04:00
Chris PeBenito
1ff9b559b7
Merge pull request #636 from gtrentalancia/spamassassin_update_pr
...
Let spamassassin update its rules from the network
2023-09-18 11:38:57 -04:00
Guido Trentalancia
8331d214ec
Introduce a new "dbus_can_network" boolean which
...
controls whether or not the dbus daemon can act
as a server over TCP/IP networks and defaults to
false, as this is generally insecure, except when
using the local loopback interface.
For reference, see the security warning in the
D-Bus specification:
https://dbus.freedesktop.org/doc/dbus-specification.html#transports-tcp-sockets
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.te | 31 ++++++++++++++++++++++---------
1 file changed, 22 insertions(+), 9 deletions(-)
2023-09-18 16:15:50 +02:00
Chris PeBenito
69544a3256
Merge pull request #684 from etbe/fourth
...
switcheroo daemon for switching apps between Intel and NVidia GPUs
2023-09-18 09:51:25 -04:00
Guido Trentalancia
11d17b2e57
Under request from Christopher PeBenito, merge the
...
two spamassassin rules updating SELinux domains
introduced in the previous change in order to reduce
the non-swappable kernel memory used by the policy.
This reduces complexity, but unfortunately it
probably also reduces an existing safety margin by
breaking the isolation between network-facing
binaries and binaries such as GPG that potentially
deal with secret information (at the moment there
is no "neverallow" rule protecting the gpg_secret_t
file access).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.if | 3 -
policy/modules/services/spamassassin.te | 56 ++++++--------------------------
2 files changed, 12 insertions(+), 47 deletions(-)
2023-09-18 15:40:11 +02:00
Guido Trentalancia
e5b1b197c7
Update the spamassassin module in order to better support
...
the rules updating script; this achieved by employing
two distinct domains for increased security and network
isolation: a first domain is used for fetching the updated
rules from the network and second domain is used for
verifying the GPG signatures of the received rules.
The rules update feature is now controlled by a boolean
for increased flexibility (it overrides the generic
networking boolean).
The specific file type for the spamassassin update feature
temporary files has been removed: just use spamd_tmp_t instead
of spamd_update_tmp_t and add a corresponding alias.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.if | 11 ++-
policy/modules/services/spamassassin.te | 100 +++++++++++++++++++++++++-------
2 files changed, 86 insertions(+), 25 deletions(-)
2023-09-18 15:39:12 +02:00
Guido Trentalancia
ed0613f0cc
Extend the scope of the "spamassassin_can_network"
...
tunable policy boolean to all network access (except
the relative dontaudit rules).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.te | 81 +++++++++++++++++---------------
1 file changed, 45 insertions(+), 36 deletions(-)
2023-09-18 15:38:08 +02:00
Chris PeBenito
f4688a3d54
switcheroo: Whitespace fix.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-18 09:21:26 -04:00
Chris PeBenito
dfd0149c71
Merge pull request #674 from dsugar100/opasswd_label
...
separate label for /etc/security/opasswd
2023-09-18 09:12:24 -04:00
Chris PeBenito
16c46db2b8
Merge pull request #665 from gtrentalancia/init_fixes_pr
...
init and shutdown fixes
2023-09-18 09:08:32 -04:00
Chris PeBenito
d5a8f78328
Merge pull request #659 from dsugar100/luks_shutdown
...
resolve lvm_t issues at shutdown with LUKS encrypted devices
2023-09-18 09:05:58 -04:00
Chris PeBenito
d6e6ce4f6a
Merge pull request #649 from gtrentalancia/gpg_fixes_pr
...
Update the gpg module so that the application is able to fetch keys from the network
2023-09-18 09:05:14 -04:00
Dave Sugar
73a62c4404
resolve lvm_t issues at shutdown with LUKS encrypted devices
...
Errors:
Sep 06 15:27:15 localhost systemd-cryptsetup[1611]: Device luks-7e802906-791a-432d-8069-dd290fba6dcf is still in use.
Sep 06 15:27:15 localhost systemd-cryptsetup[1611]: Failed to deactivate: Device or resource busy
Sep 06 15:27:15 localhost systemd[1]: systemd-cryptsetup@luks\x2d7e802906\x2d791a\x2d432d\x2d8069\x2ddd290fba6dcf.service: Control process exited, code=exited, status=1/FAILURE
Sep 06 15:27:15 localhost systemd[1]: systemd-cryptsetup@luks\x2d7e802906\x2d791a\x2d432d\x2d8069\x2ddd290fba6dcf.service: Failed with result 'exit-code'.
Denials:
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.081:10597): avc: denied { getattr } for pid=1996 comm="systemd-cryptse" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=SYSCALL msg=audit(1694013919.081:10597): arch=c000003e syscall=137 success=yes exit=0 a0=7efdc7a96e0e a1=7ffdbbacde50 a2=7efdc69b75e0 a3=1000 items=1 ppid=1 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null) ARCH=x86_64 SYSCALL=statfs AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.082:10598): avc: denied { search } for pid=1996 comm="systemd-cryptse" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc: denied { search } for pid=1996 comm="systemd-cryptse" name="pki" dev="dm-1" ino=393276 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc: denied { read } for pid=1996 comm="systemd-cryptse" name="openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc: denied { open } for pid=1996 comm="systemd-cryptse" path="/etc/pki/tls/openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=SYSCALL msg=audit(1694013919.085:10599): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=55943c6cdb90 a2=0 a3=0 items=1 ppid=1 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.086:10600): avc: denied { getattr } for pid=1996 comm="systemd-cryptse" path="/etc/pki/tls/openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.087:10601): avc: denied { read } for pid=1996 comm="systemd-cryptse" name="fips_local.cnf" dev="dm-1" ino=393381 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
Sep 06 15:27:15 localhost audisp-syslog[1497]: node=localhost type=AVC msg=audit(1694014035.204:367): avc: denied { search } for pid=1611 comm="systemd-cryptse" name="/" dev="pstore" ino=2357 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-15 15:34:54 -04:00
Guido Trentalancia
f3b359ec3f
Add new gpg interfaces for gpg_agent execution and to avoid
...
auditing search operations on files and directories that
are not strictly needed and might pose a security risk.
The new interfaces will be used in a forthcoming update to
allow fetching updates from the network for the spamassassin
rules and the fsdaemon drive database.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/gpg.if | 80 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
2023-09-14 18:38:17 +02:00
Chris PeBenito
ba922253f4
Merge pull request #679 from gtrentalancia/audit_fixes_pr
...
Improve a previous syslog tunable policy change
2023-09-14 10:49:38 -04:00
Chris PeBenito
32be26840d
Merge pull request #673 from dsugar100/x_login
...
Solve issue with no keyboard/mouse on X login screen
2023-09-14 10:38:25 -04:00
Russell Coker
c29ca4f257
switcheroo is a daemon to manage discrete vs integrated GPU use for apps
...
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 23:41:57 +10:00
Chris PeBenito
966cfad4fe
Merge pull request #678 from dsugar100/systemd_hostname
...
For systemd-hostnamed service to run
2023-09-14 09:30:19 -04:00
Chris PeBenito
84e6a92d3b
Merge pull request #644 from dsugar100/rsyslog_caps
...
Allow rsyslog to drop capabilities
2023-09-14 09:28:43 -04:00
Chris PeBenito
472603982f
Merge pull request #681 from dsugar100/fix_sddm_label
...
/var/lib/sddm should be xdm_var_lib_t
2023-09-14 09:23:07 -04:00
Chris PeBenito
224476715e
Merge pull request #675 from dsugar100/ssh_session_error
...
Fix some ssh agent denials
2023-09-14 09:16:32 -04:00
Russell Coker
7cb75c56c7
Daemon to monitor memory pressure and notify applications and change … ( #670 )
...
* Daemon to monitor memory pressure and notify applications and change kernel
OOM settings.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed the self dgram access to create_socket_perms
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 09:15:09 -04:00
Chris PeBenito
7037ef3248
Merge pull request #638 from gtrentalancia/gnome_fixes_pr
...
The gconf daemon (gnome module) must be able to create Unix domain sockets and use them as a server
2023-09-14 09:12:08 -04:00
Dave Sugar
cdd7c8cd5a
/var/lib/sddm should be xdm_var_lib_t
...
based on denials, the fact that sddm runs as xdm_t and how other
directories are labeled, xdm_var_lib_t seems more correct here.
Sep 13 14:57:10 localhost.localdomain audisp-syslog[1570]: node=localhost type=AVC msg=audit(1694617030.144:419): avc: denied { search } for pid=1702 comm="sddm" name="sddm" dev="dm-10" ino=393297 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc: denied { add_name } for pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc: denied { create } for pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.470:478): avc: denied { getattr } for pid=1768 comm="QQmlThread" path="/var/lib/sddm/.cache/sddm-greeter/qmlcache" dev="dm-10" ino=393280 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 13:31:41 -04:00
Dave Sugar
131d4fcaca
Allow rsyslog to drop capabilities
...
Aug 28 19:01:43 localhost.localdomain audisp-syslog[1565]: node=localhost type=AVC msg=audit(1693249303.693:415): avc: denied { setpcap } for pid=1722 comm="rsyslogd" capability=8 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0
Aug 28 19:01:43 localhost.localdomain rsyslogd[1722]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 11:53:25 -04:00
Guido Trentalancia
4d2ae53c17
Introduce a new interface in the mta module to manage the mail
...
transport agent configuration directories and files.
This interface will be used by a forthcoming update of the
rule updating feature of the spamassassin module.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/mta.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
2023-09-13 15:59:50 +02:00
Guido Trentalancia
37f81bbc80
Fix the recently introduced "logging_syslog_can_network"
...
tunable policy, by including TCP/IP socket creation
permissions.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/logging.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
2023-09-13 15:34:09 +02:00
Dave Sugar
08866e6253
For systemd-hostnamed service to run
...
systemd_hostnamed allowed to read/update/delete /run/systemd/default-hostname
○ systemd-hostnamed.service - Hostname Service
Loaded: loaded (/usr/lib/systemd/system/systemd-hostnamed.service; static)
Drop-In: /usr/lib/systemd/system/systemd-hostnamed.service.d
└─disable-privatedevices.conf
Active: inactive (dead)
Docs: man:systemd-hostnamed.service(8)
man:hostname(5)
man:machine-info(5)
man:org.freedesktop.resolve1(5)
Sep 13 12:51:32 localhost systemd[1]: Starting Hostname Service...
Sep 13 12:51:32 localhost systemd[1]: Started Hostname Service.
Sep 13 12:51:32 localhost systemd-hostnamed[1777]: Failed to read /run/systemd/default-hostname, ignoring: Permission denied
Sep 13 12:51:32 localhost.localdomain systemd-hostnamed[1777]: Hostname set to <localhost.localdomain> (transient)
Sep 13 12:51:32 localhost.localdomain systemd-hostnamed[1777]: Failed to remove "/run/systemd/default-hostname": Permission denied
Sep 13 12:52:02 localhost.localdomain systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Sep 13 12:54:09 localhost.localdomain systemd[1]: Starting Hostname Service...
Sep 13 12:54:09 localhost.localdomain systemd[1]: Started Hostname Service.
Sep 13 12:54:09 localhost.localdomain systemd-hostnamed[1931]: Failed to read /run/systemd/default-hostname, ignoring: Permission denied
Sep 13 12:54:39 localhost.localdomain systemd[1]: systemd-hostnamed.service: Deactivated successfully.
node=localhost type=AVC msg=audit(1689891544.345:413): avc: denied { read } for pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:413): avc: denied { open } for pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:414): avc: denied { getattr } for pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:415): avc: denied { ioctl } for pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc: denied { write } for pid=22094 comm="systemd-hostnam" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc: denied { remove_name } for pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc: denied { unlink } for pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 09:28:01 -04:00
Guido Trentalancia
2b0f35134a
Update the gnome module so that the gconf daemon is
...
able to create Unix domain sockets and accept or listen
connections on them.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/gnome.te | 2 ++
1 file changed, 2 insertions(+)
2023-09-12 22:50:32 +02:00
Dave Sugar
7a635014e9
Fix some ssh agent denials
...
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.894:3623): avc: denied { write } for pid=1840 comm="ssh-agent" path="/home/sugar/.xsession-errors" dev="dm-9" ino=65541 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3634): avc: denied { getattr } for pid=1840 comm="ssh-agent" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3635): avc: denied { read } for pid=1840 comm="ssh-agent" name="opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3635): avc: denied { open } for pid=1840 comm="ssh-agent" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 16:43:52 -04:00
Dave Sugar
ccc02fcf36
separate label for /etc/security/opasswd
...
Seting /etc/security/opasswd to shadow_t has some negative side
effects like the fact that pam_unix needs to read that. Once
pam_unix can read shadow_t that changes the behavour of how
pam_unix uses unix_update to update the password. So, this
change defines the new type, shadow_history_t, for
/etc/secuirty/opasswd.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 15:52:20 -04:00
Dave Sugar
3cd6a8116c
Solve issue with no keyboard/mouse on X login screen
...
Sep 08 03:15:59 localhost audisp-syslog[1620]: node=localhost type=AVC msg=audit(1694142959.038:650): avc: denied { getattr } for pid=1695 comm="Xorg" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 15:44:01 -04:00
Chris PeBenito
d1759b92cb
Merge pull request #647 from gtrentalancia/x_fixes_pr
...
Stricter yet more customizable xserver policy and three security bug fixes
2023-09-12 15:01:23 -04:00
Guido Trentalancia
54b4e52a12
Dbus creates Unix domain sockets not only for the
...
system bus, but also for the session bus (in addition
to connecting to them), so its policy module is
modified accordingly.
See also: https://github.com/SELinuxProject/refpolicy/pull/667
which was merged in the following commit:
b4cb09a38c
Date: Mon Sep 11 20:42:50 2023 +0200
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-12 20:05:14 +02:00
Guido Trentalancia
3483d76720
Update the gpg module so that the application is able
...
to fetch new keys from the network.
Without this patch the following error is produced:
$ gpg --recv-keys EA3A87F0A4EBA030E45DF2409E8C1AFBBEFFDB32
gpg: error running '/usr/bin/dirmngr': exit status 1
gpg: failed to start dirmngr '/usr/bin/dirmngr': Generic error
gpg: can't connect to the dirmngr: Generic error
gpg: keyserver receive failed: dirmngr is not installed
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/gpg.te | 2 ++
1 file changed, 2 insertions(+)
2023-09-12 19:36:27 +02:00
Guido Trentalancia
a6a7641605
Fix the shutdown policy in order to make use of
...
the newly created file label and interface needed
to manage the random seed file.
Add the sys_boot capability permission that was
missing in the shutdown domain in order to be
able to reboot/shutdown correctly.
Let the shutdown domain signal init and all other
domains.
Fix the shutdown executable file labels, as the
executable normally lives in /sbin.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/admin/shutdown.fc | 4 +++-
policy/modules/admin/shutdown.te | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
2023-09-12 19:27:51 +02:00
Guido Trentalancia
984897ba81
Create a new specific file label for the random seed
...
file saved before shutting down or rebooting the system
and rework the interface needed to manage such file.
Use the newly created interface to fix the init policy
and deprecate the old one in the kernel files module.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/files.if | 29 +++++++++++++++++++++++------
policy/modules/system/init.fc | 3 ++-
policy/modules/system/init.if | 24 ++++++++++++++++++++++++
policy/modules/system/init.te | 7 +++++--
4 files changed, 54 insertions(+), 9 deletions(-)
2023-09-12 19:26:43 +02:00
Chris PeBenito
49fcadb8bd
Merge pull request #668 from gtrentalancia/userdomain_fixes_pr
...
Remove an unneeded logging interface from the userdomain module
2023-09-12 11:49:18 -04:00
Chris PeBenito
f3ab8cef4d
Merge pull request #667 from gtrentalancia/dbus_fixes_pr2
...
dbus creates Unix domain sockets
2023-09-12 11:34:12 -04:00
Guido Trentalancia
3ed8a9e4d0
Remove a logging interface from the userdomain module
...
since it has now been moved to the xscreensaver domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/userdomain.if | 2 --
1 file changed, 2 deletions(-)
2023-09-11 21:34:42 +02:00
Guido Trentalancia
b4cb09a38c
Dbus creates Unix domain sockets (in addition to
...
listening on and connecting to them), so its policy
module is modified accordingly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-11 20:43:58 +02:00
Guido Trentalancia
be2070b445
Remove duplicate permissions in the xserver module
...
xserver_restricted_role() interface.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 2 --
1 file changed, 2 deletions(-)
2023-09-11 19:32:59 +02:00
Guido Trentalancia
b83fe41629
Fix another security bug similar to the ones that
...
have been recently fixed in the following two
commits:
3eef4bc6fd
Date: Sun Sep 3 17:40:30 2023 +0200
and:
7de535d65a6f0592cb47598a4fd456e399a86663
Date: Thu Sep 7 18:46:20 2023 +0200
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
2023-09-11 19:31:39 +02:00
Guido Trentalancia
f39caed39b
Fix another security bug companion of the one
...
fixed in the following previous commit:
3eef4bc6fd
Date: Sun Sep 3 17:40:30 2023 +0200
This time the bug is already effective in the
following modules: virt, firstboot, wine and
mono.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
2023-09-11 19:30:57 +02:00
Guido Trentalancia
1c053e5223
Improved wording for the new xserver tunable policy
...
booleans introduced with the previous three commits.
Thanks to Christopher PeBenito for suggesting this.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 6 +++---
policy/modules/services/xserver.te | 16 ++++++++--------
2 files changed, 11 insertions(+), 11 deletions(-)
2023-09-11 19:30:12 +02:00
Chris PeBenito
d1b1076666
Merge pull request #652 from gtrentalancia/syslog_fixes_pr
...
Increase general syslog daemon policy security by making network permissions tunable
2023-09-11 09:56:36 -04:00
Chris PeBenito
9967edaebe
Merge pull request #666 from gtrentalancia/mix_fixes_pr2
...
Miscellaneous fixes
2023-09-11 09:38:05 -04:00
Guido Trentalancia
5037801893
Remove a vulnerability introduced by a logging interface
...
which allows to execute log files.
This can be potentially used to execute malicious code or
scripts previously written in log files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/admin/logrotate.te | 1 -
policy/modules/system/logging.if | 22 ----------------------
2 files changed, 23 deletions(-)
2023-09-11 15:25:25 +02:00
Chris PeBenito
a5619fe755
Merge pull request #662 from dsugar100/search_xdm_run_dir
...
Allow search xdm_var_run_t directories along with reading files.
2023-09-11 09:09:29 -04:00
Chris PeBenito
ce2493a5cc
Merge pull request #661 from gtrentalancia/mplayer_fixes_pr
...
mplayer module fixes for vlc
2023-09-11 09:08:18 -04:00
Chris PeBenito
e0e63aa281
Merge pull request #660 from dsugar100/dm_read_hwdata
...
Allow display manager to read hwdata
2023-09-11 09:07:47 -04:00
Chris PeBenito
8ffc5e7246
Merge pull request #658 from dsugar100/utempter_fix
...
Updates for utempter
2023-09-11 09:05:54 -04:00
Chris PeBenito
272a6c902e
Merge pull request #657 from etbe/master
...
Daemon to control authentication for Thunderbolt.
2023-09-11 09:04:47 -04:00
Chris PeBenito
77692ca0f6
Merge pull request #655 from dsugar100/dbus_start_stop_services
...
Allow system_dbusd_t to start/stop all units
2023-09-11 09:03:28 -04:00
Chris PeBenito
83238ce3ae
Merge pull request #639 from gtrentalancia/openoffice_fixes_pr
...
Minor fixes for the openoffice and xserver modules
2023-09-11 09:00:46 -04:00
Guido Trentalancia
9c4b0300ea
Remove misplaced permission from mount interface
...
mount_exec.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/mount.if | 3 ---
1 file changed, 3 deletions(-)
2023-09-11 09:34:58 +02:00
Dave Sugar
a603b3913d
Allow search xdm_var_run_t directories along with reading files.
...
Sep 07 23:30:46 localhost audisp-syslog[1669]: node=localhost type=AVC msg=audit(1694129445.663:3622): avc: denied { search } for pid=1844 comm="xhost" name="lightdm" dev="tmpfs" ino=1504 scontext=toor_u:staff_r:staff_t:s0 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-07 22:21:14 -04:00
Guido Trentalancia
03bc14351f
Add permissions to read device sysctls to mplayer.
...
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/mplayer.te | 1 +
1 file changed, 1 insertion(+)
2023-09-07 22:34:19 +02:00
Guido Trentalancia
15db7d14aa
Let mplayer to act as a dbus session bus client (needed
...
by the vlc media player).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/mplayer.te | 5 +++++
1 file changed, 5 insertions(+)
2023-09-07 21:44:19 +02:00
Dave Sugar
8dd1903281
Allow display manager to read hwdata
...
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:431): avc: denied { search } for pid=1744 comm="sddm-greeter" name="hwdata" dev="dm-1" ino=1726 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:432): avc: denied { read } for pid=1744 comm="sddm-greeter" name="pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:432): avc: denied { open } for pid=1744 comm="sddm-greeter" path="/usr/share/hwdata/pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.974:433): avc: denied { getattr } for pid=1744 comm="sddm-greeter" path="/usr/share/hwdata/pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:58:46 -04:00
Dave Sugar
56db40c099
Updates for utempter
...
Fix label (for RedHat) which places utempter in /usr/libexec/utempter/utempter
Allow utempter to write to xsession log
Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.483:3994): avc: denied { write } for pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.485:3997): avc: denied { getattr } for pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:52:05 -04:00
Russell Coker
3e2dd81a36
Daemon to control authentication for Thunderbolt.
...
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-07 07:17:00 +10:00
Guido Trentalancia
0a41b1c748
Update the openoffice module so that it can create
...
Unix stream sockets with its own label and use them
both as a client and a server.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/openoffice.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-06 22:35:59 +02:00
Guido Trentalancia
77de8cdd59
Let the openoffice domain manage fonts cache (fontconfig).
...
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/openoffice.te | 1 +
1 file changed, 1 insertion(+)
2023-09-06 22:28:40 +02:00
Dave Sugar
f7d61f6146
Allow system_dbusd_t to start/stop all units
...
Examples of denials I'm seeing requiring this type of access:
node=localhost type=USER_AVC msg=audit(1689811749.504:399): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-hostnamed.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'␝UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
node=localhost type=USER_AVC msg=audit(1692287535.229:262): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'␝UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
node=localhost type=USER_AVC msg=audit(1692305808.055:375): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/accounts-daemon.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 16:22:46 -04:00
Guido Trentalancia
c032204af3
Introduce a new "logging_syslog_can_network" boolean
...
and make the net_admin capability as well as all
corenetwork permissions previously granted
to the syslog daemon conditional upon such boolean
being true.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/logging.te | 61 +++++++++++++++++++++++----------------
1 file changed, 36 insertions(+), 25 deletions(-)
2023-09-06 20:53:42 +02:00
Chris PeBenito
9d03d2ef9e
Merge pull request #656 from gtrentalancia/kernel_fixes_pr
...
Update the kernel module to remove misplaced or obsolete permissions
2023-09-06 13:29:48 -04:00
Chris PeBenito
663284394c
Merge pull request #654 from gtrentalancia/smartmon_fixes_pr
...
Smartmon policy update
2023-09-06 13:28:08 -04:00
Chris PeBenito
246c1aab40
Merge pull request #653 from etbe/master
...
Add iio-sensor-proxy.
2023-09-06 13:27:41 -04:00
Guido Trentalancia
7e5292de29
Update the kernel module to remove misplaced or at least really
...
obsolete permissions during kernel module loading.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/kernel.te | 12 ------------
1 file changed, 12 deletions(-)
2023-09-06 17:50:52 +02:00
Guido Trentalancia
86f9bfe0ee
Revert the following commit (ability to read /usr files),
...
as it is no longer needed, after the database file got its
own label:
Date: Wed Feb 16 07:24:34 2011 +0100
patch to allow smartmon to read usr files
37ba0d0437
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/smartmon.te | 1 -
1 file changed, 1 deletion(-)
2023-09-06 17:12:48 +02:00