Dave Sugar
f141dccc2a
separate domain for journalctl during init
...
During system boot, when systemd-journal-catalog-update.service is
started, it fails because initrc_t doesn't have access to write
systemd_journal_t files/dirs. This change is to run journalctl in a
different domain during system startup (systemd_journal_init_t) to allow
the access necessary to run.
× systemd-journal-catalog-update.service - Rebuild Journal Catalog
Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago
Docs: man:systemd-journald.service(8)
man:journald.conf(5)
Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
Main PID: 1626 (code=exited, status=1/FAILURE)
CPU: 102ms
Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied
Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog.
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { add_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { create } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:137): avc: denied { setattr } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { rename } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { unlink } for pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-26 12:47:37 -04:00
Chris PeBenito
3bf196f6a3
Merge pull request #702 from etbe/db
...
small postgresql and mysql stuff
2023-09-26 09:59:31 -04:00
Russell Coker
bcc92a3038
allow jabbers to create sock file and allow matrixd to read sysfs ( #705 )
...
* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed to manage_sock_file_perms to allow unlink
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-26 09:48:31 -04:00
Chris PeBenito
61fbf428fb
postgresql: Move lines
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-26 09:43:40 -04:00
Chris PeBenito
1a9143efa3
Merge pull request #696 from yizhao1/fixes
...
Fixes for mount and loadkeys
2023-09-26 09:40:19 -04:00
Russell Coker
f849e27df3
small storage changes ( #706 )
...
* Changes to storage.fc, smartmon, samba and lvm
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add the interfaces this patch needs
Signed-off-by: Russell Coker <russell@coker.com.au>
* use manage_sock_file_perms for sock_file
Signed-off-by: Russell Coker <russell@coker.com.au>
* Renamed files_watch_all_file_type_dir to files_watch_all_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use read_files_pattern
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:46:04 -04:00
Russell Coker
478df0e446
small network patches ( #707 )
...
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed typo in interface name
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add interface libs_watch_shared_libs_dir
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added sysnet_watch_config_dir interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* rename sysnet_watch_config_dir to sysnet_watch_config_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Reverted a change as I can't remember why I did it.
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:44:52 -04:00
Russell Coker
0d77235ecc
small ntp and dns changes ( #703 )
...
* Small changes for ntp, bind, avahi, and dnsmasq
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:01:12 -04:00
Chris PeBenito
748980def5
Merge pull request #694 from etbe/fifth
...
some misc userdomain fixes
2023-09-25 10:57:27 -04:00
Russell Coker
cf1ba82cb9
Added tmpfs file type for postgresql
...
Small mysql stuff including anon_inode
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-22 19:09:12 +10:00
Russell Coker
0528990a24
policy patches for anti-spam daemons ( #698 )
...
* Patches for anti-spam related policy
* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 12:01:24 -04:00
Chris PeBenito
487feedf8e
Merge pull request #699 from yizhao1/systemd-networkd
...
systemd: allow systemd-networkd to create file in /run/systemd directory
2023-09-21 10:45:47 -04:00
Russell Coker
125e52ef58
policy for the Reliability Availability serviceability daemon ( #690 )
...
* policy for the Reliability Availability serviceability daemon
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:22:36 -04:00
Russell Coker
e349de1507
debian motd.d directory ( #689 )
...
* policy for Debian motd.d dir
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:21:25 -04:00
Yi Zhao
8758b782e5
systemd: allow systemd-networkd to create file in /run/systemd directory
...
systemd-networkd creates files in /run/systemd directory which should be
labeled appropriately.
Fixes:
avc: denied { create } for pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc: denied { write } for pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc: denied { setattr } for pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
avc: denied { rename } for pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-21 11:40:24 +08:00
Yi Zhao
ee3ea8ebca
loadkeys: do not audit attempts to get attributes for all directories
...
Fixes:
avc: denied { getattr } for pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
avc: denied { getattr } for pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1
avc: denied { getattr } for pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1
avc: denied { getattr } for pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 14:44:45 +08:00
Yi Zhao
0a7f48cb31
mount: allow mount_t to get attributes for all directories
...
Fixes:
avc: denied { getattr } for pid=130 comm="mount" path="/" dev="tracefs"
ino=1 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1
avc: denied { getattr } for pid=166 comm="mount" path="/" dev="configfs"
ino=14220 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 13:31:50 +08:00
Russell Coker
cb6bf2fe9a
some misc userdomain fixes
...
Allow userdomains to read crypto sysctls (usually /proc/sys/crypto/fips_enabled)
Allow them to read vm overcommit status and fs_sysctls (things like pipe-max-size)
Allow pipewire to write to user runtime named sockets
Allow the user domain for X access to use user fonts, accept stream connections
from xdm_t, and map xkb_var_lib_t files
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-20 12:40:59 +10:00
Chris PeBenito
227786eed7
Merge pull request #693 from dsugar100/colord
...
Resolve some denials with colord
2023-09-19 16:09:52 -04:00
Chris PeBenito
fc3589a04f
Merge pull request #676 from dsugar100/all_users_syslog
...
Allow all users to send syslog messages
2023-09-19 16:07:10 -04:00
Dave Sugar
17c9b3ac7e
Resolve some denials with colord
...
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc: denied { read } for pid=2039 comm="colord" name="hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc: denied { open } for pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:657): avc: denied { getattr } for pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:658): avc: denied { map } for pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.106:18931): avc: denied { read } for pid=2039 comm="gdbus" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19182): avc: denied { getattr } for pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19183): avc: denied { map } for pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc: denied { search } for pid=2039 comm="colord" name="1880" dev="proc" ino=26735 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc: denied { read } for pid=2039 comm="colord" name="cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc: denied { open } for pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:679): avc: denied { getattr } for pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:680): avc: denied { ioctl } for pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 ioctlcmd=0x5401 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc: denied { search } for pid=2039 comm="colord" name="sessions" dev="tmpfs" ino=96 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc: denied { read } for pid=2039 comm="colord" name="c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc: denied { open } for pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:682): avc: denied { getattr } for pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 13:52:50 -04:00
Chris PeBenito
41ac8090f7
Merge pull request #691 from etbe/fifth
...
power profiles daemon
2023-09-19 11:40:39 -04:00
Dave Sugar
cf58a70881
Allow all users to (optionally) send syslog messages
...
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc: denied { write } for pid=1757 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc: denied { sendto } for pid=1757 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc: denied { write } for pid=1756 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc: denied { sendto } for pid=1756 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 09:14:08 -04:00
Russell Coker
e5ea2c99df
policy for power profiles daemon, used to change power settings
...
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-19 22:51:22 +10:00
Chris PeBenito
5e2bf62c6f
Merge pull request #672 from gtrentalancia/x_fixes_pr2
...
Remote X11 TCP/IP functionality is generally insecure: switch it off by default. Strengthen XDM authentication file access.
2023-09-19 08:36:26 -04:00
Guido Trentalancia
44bfd66186
Merge branch 'main' into x_fixes_pr2
...
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2023-09-19 01:31:50 +02:00
Guido Trentalancia
8c562af119
The X display manager uses an authentication
...
mechanism based on an authorization file which
is critical for X security.
For example, a common attack is to remove the
file in order to disable authorization.
At the moment permissions on such file and its
parent directory are shared with several other
modules that have nothing to do with XDMCP
authorization, therefore this patch strengthens
the file access policy by making it exclusive
to XDM and the X server (read-only).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.fc | 1 +
policy/modules/services/xserver.if | 33 +++++++++++++++++++++++++++++++++
policy/modules/services/xserver.te | 11 +++++++++++
3 files changed, 45 insertions(+)
2023-09-19 01:28:10 +02:00
Guido Trentalancia
793d6a29d8
Introduce two new booleans for the X server and
...
X display manager domains which control whether
or not the respective domains allow the TCP/IP
server networking functionality.
The above mentioned booleans both default to false
as remote X11 has no integrity and confidentiality
protection and is generally insecure.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.te | 82 +++++++++++++++++++++++--------------
1 file changed, 52 insertions(+), 30 deletions(-)
2023-09-19 01:23:22 +02:00
Chris PeBenito
d806720c76
unconfined: Keys are linkable by systemd.
...
Since the systemd --user for unconfined_t runs in unconfined_t too, instead
of a derived domain such as with regular users, e.g., user_systemd_t, this
is required.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-09-18 17:05:23 -04:00
Chris PeBenito
6e39f49247
Merge pull request #671 from gtrentalancia/dbus_fixes_pr3
...
Dbus also creates Unix domain sockets in session mode but has insecure networking code
2023-09-18 11:40:16 -04:00
Chris PeBenito
1ff9b559b7
Merge pull request #636 from gtrentalancia/spamassassin_update_pr
...
Let spamassassin update its rules from the network
2023-09-18 11:38:57 -04:00
Guido Trentalancia
8331d214ec
Introduce a new "dbus_can_network" boolean which
...
controls whether or not the dbus daemon can act
as a server over TCP/IP networks and defaults to
false, as this is generally insecure, except when
using the local loopback interface.
For reference, see the security warning in the
D-Bus specification:
https://dbus.freedesktop.org/doc/dbus-specification.html#transports-tcp-sockets
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.te | 31 ++++++++++++++++++++++---------
1 file changed, 22 insertions(+), 9 deletions(-)
2023-09-18 16:15:50 +02:00
Chris PeBenito
69544a3256
Merge pull request #684 from etbe/fourth
...
switcheroo daemon for switching apps between Intel and NVidia GPUs
2023-09-18 09:51:25 -04:00
Guido Trentalancia
11d17b2e57
Under request from Christopher PeBenito, merge the
...
two spamassassin rules updating SELinux domains
introduced in the previous change in order to reduce
the non-swappable kernel memory used by the policy.
This reduces complexity, but unfortunately it
probably also reduces an existing safety margin by
breaking the isolation between network-facing
binaries and binaries such as GPG that potentially
deal with secret information (at the moment there
is no "neverallow" rule protecting the gpg_secret_t
file access).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.if | 3 -
policy/modules/services/spamassassin.te | 56 ++++++--------------------------
2 files changed, 12 insertions(+), 47 deletions(-)
2023-09-18 15:40:11 +02:00
Guido Trentalancia
e5b1b197c7
Update the spamassassin module in order to better support
...
the rules updating script; this is achieved by employing
two distinct domains for increased security and network
isolation: a first domain is used for fetching the updated
rules from the network and a second domain is used for
verifying the GPG signatures of the received rules.
The rules update feature is now controlled by a boolean
for increased flexibility (it overrides the generic
networking boolean).
The specific file type for the spamassassin update feature
temporary files has been removed: just use spamd_tmp_t instead
of spamd_update_tmp_t and add a corresponding alias.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.if | 11 ++-
policy/modules/services/spamassassin.te | 100 +++++++++++++++++++++++++-------
2 files changed, 86 insertions(+), 25 deletions(-)
2023-09-18 15:39:12 +02:00
Guido Trentalancia
ed0613f0cc
Extend the scope of the "spamassassin_can_network"
...
tunable policy boolean to all network access (except
the relative dontaudit rules).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.te | 81 +++++++++++++++++---------------
1 file changed, 45 insertions(+), 36 deletions(-)
2023-09-18 15:38:08 +02:00
Chris PeBenito
f4688a3d54
switcheroo: Whitespace fix.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-18 09:21:26 -04:00
Chris PeBenito
dfd0149c71
Merge pull request #674 from dsugar100/opasswd_label
...
separate label for /etc/security/opasswd
2023-09-18 09:12:24 -04:00
Chris PeBenito
16c46db2b8
Merge pull request #665 from gtrentalancia/init_fixes_pr
...
init and shutdown fixes
2023-09-18 09:08:32 -04:00
Chris PeBenito
d5a8f78328
Merge pull request #659 from dsugar100/luks_shutdown
...
resolve lvm_t issues at shutdown with LUKS encrypted devices
2023-09-18 09:05:58 -04:00
Chris PeBenito
d6e6ce4f6a
Merge pull request #649 from gtrentalancia/gpg_fixes_pr
...
Update the gpg module so that the application is able to fetch keys from the network
2023-09-18 09:05:14 -04:00
Dave Sugar
73a62c4404
resolve lvm_t issues at shutdown with LUKS encrypted devices
...
Errors:
Sep 06 15:27:15 localhost systemd-cryptsetup[1611]: Device luks-7e802906-791a-432d-8069-dd290fba6dcf is still in use.
Sep 06 15:27:15 localhost systemd-cryptsetup[1611]: Failed to deactivate: Device or resource busy
Sep 06 15:27:15 localhost systemd[1]: systemd-cryptsetup@luks\x2d7e802906\x2d791a\x2d432d\x2d8069\x2ddd290fba6dcf.service: Control process exited, code=exited, status=1/FAILURE
Sep 06 15:27:15 localhost systemd[1]: systemd-cryptsetup@luks\x2d7e802906\x2d791a\x2d432d\x2d8069\x2ddd290fba6dcf.service: Failed with result 'exit-code'.
Denials:
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.081:10597): avc: denied { getattr } for pid=1996 comm="systemd-cryptse" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=SYSCALL msg=audit(1694013919.081:10597): arch=c000003e syscall=137 success=yes exit=0 a0=7efdc7a96e0e a1=7ffdbbacde50 a2=7efdc69b75e0 a3=1000 items=1 ppid=1 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null) ARCH=x86_64 SYSCALL=statfs AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.082:10598): avc: denied { search } for pid=1996 comm="systemd-cryptse" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc: denied { search } for pid=1996 comm="systemd-cryptse" name="pki" dev="dm-1" ino=393276 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc: denied { read } for pid=1996 comm="systemd-cryptse" name="openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc: denied { open } for pid=1996 comm="systemd-cryptse" path="/etc/pki/tls/openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=SYSCALL msg=audit(1694013919.085:10599): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=55943c6cdb90 a2=0 a3=0 items=1 ppid=1 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.086:10600): avc: denied { getattr } for pid=1996 comm="systemd-cryptse" path="/etc/pki/tls/openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.087:10601): avc: denied { read } for pid=1996 comm="systemd-cryptse" name="fips_local.cnf" dev="dm-1" ino=393381 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
Sep 06 15:27:15 localhost audisp-syslog[1497]: node=localhost type=AVC msg=audit(1694014035.204:367): avc: denied { search } for pid=1611 comm="systemd-cryptse" name="/" dev="pstore" ino=2357 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-15 15:34:54 -04:00
Guido Trentalancia
f3b359ec3f
Add new gpg interfaces for gpg_agent execution and to avoid
...
auditing search operations on files and directories that
are not strictly needed and might pose a security risk.
The new interfaces will be used in a forthcoming update to
allow fetching updates from the network for the spamassassin
rules and the fsdaemon drive database.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/gpg.if | 80 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
2023-09-14 18:38:17 +02:00
Chris PeBenito
ba922253f4
Merge pull request #679 from gtrentalancia/audit_fixes_pr
...
Improve a previous syslog tunable policy change
2023-09-14 10:49:38 -04:00
Chris PeBenito
32be26840d
Merge pull request #673 from dsugar100/x_login
...
Solve issue with no keyboard/mouse on X login screen
2023-09-14 10:38:25 -04:00
Russell Coker
c29ca4f257
switcheroo is a daemon to manage discrete vs integrated GPU use for apps
...
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 23:41:57 +10:00
Chris PeBenito
966cfad4fe
Merge pull request #678 from dsugar100/systemd_hostname
...
For systemd-hostnamed service to run
2023-09-14 09:30:19 -04:00
Chris PeBenito
84e6a92d3b
Merge pull request #644 from dsugar100/rsyslog_caps
...
Allow rsyslog to drop capabilities
2023-09-14 09:28:43 -04:00
Chris PeBenito
472603982f
Merge pull request #681 from dsugar100/fix_sddm_label
...
/var/lib/sddm should be xdm_var_lib_t
2023-09-14 09:23:07 -04:00
Chris PeBenito
224476715e
Merge pull request #675 from dsugar100/ssh_session_error
...
Fix some ssh agent denials
2023-09-14 09:16:32 -04:00
Russell Coker
7cb75c56c7
Daemon to monitor memory pressure and notify applications and change … ( #670 )
...
* Daemon to monitor memory pressure and notify applications and change kernel
OOM settings.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed the self dgram access to create_socket_perms
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 09:15:09 -04:00
Chris PeBenito
7037ef3248
Merge pull request #638 from gtrentalancia/gnome_fixes_pr
...
The gconf daemon (gnome module) must be able to create Unix domain sockets and use them as a server
2023-09-14 09:12:08 -04:00
Dave Sugar
cdd7c8cd5a
/var/lib/sddm should be xdm_var_lib_t
...
based on denials, the fact that sddm runs as xdm_t and how other
directories are labeled, xdm_var_lib_t seems more correct here.
Sep 13 14:57:10 localhost.localdomain audisp-syslog[1570]: node=localhost type=AVC msg=audit(1694617030.144:419): avc: denied { search } for pid=1702 comm="sddm" name="sddm" dev="dm-10" ino=393297 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc: denied { add_name } for pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc: denied { create } for pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.470:478): avc: denied { getattr } for pid=1768 comm="QQmlThread" path="/var/lib/sddm/.cache/sddm-greeter/qmlcache" dev="dm-10" ino=393280 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 13:31:41 -04:00
Dave Sugar
131d4fcaca
Allow rsyslog to drop capabilities
Aug 28 19:01:43 localhost.localdomain audisp-syslog[1565]: node=localhost type=AVC msg=audit(1693249303.693:415): avc: denied { setpcap } for pid=1722 comm="rsyslogd" capability=8 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0
Aug 28 19:01:43 localhost.localdomain rsyslogd[1722]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 11:53:25 -04:00
Guido Trentalancia
4d2ae53c17
Introduce a new interface in the mta module to manage the mail
transport agent configuration directories and files.
This interface will be used by a forthcoming update of the
rule updating feature of the spamassassin module.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/mta.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
2023-09-13 15:59:50 +02:00
Guido Trentalancia
37f81bbc80
Fix the recently introduced "logging_syslog_can_network"
tunable policy, by including TCP/IP socket creation
permissions.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/logging.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
2023-09-13 15:34:09 +02:00
Dave Sugar
08866e6253
For systemd-hostnamed service to run
systemd_hostnamed is allowed to read/update/delete /run/systemd/default-hostname
○ systemd-hostnamed.service - Hostname Service
Loaded: loaded (/usr/lib/systemd/system/systemd-hostnamed.service; static)
Drop-In: /usr/lib/systemd/system/systemd-hostnamed.service.d
└─disable-privatedevices.conf
Active: inactive (dead)
Docs: man:systemd-hostnamed.service(8)
man:hostname(5)
man:machine-info(5)
man:org.freedesktop.resolve1(5)
Sep 13 12:51:32 localhost systemd[1]: Starting Hostname Service...
Sep 13 12:51:32 localhost systemd[1]: Started Hostname Service.
Sep 13 12:51:32 localhost systemd-hostnamed[1777]: Failed to read /run/systemd/default-hostname, ignoring: Permission denied
Sep 13 12:51:32 localhost.localdomain systemd-hostnamed[1777]: Hostname set to <localhost.localdomain> (transient)
Sep 13 12:51:32 localhost.localdomain systemd-hostnamed[1777]: Failed to remove "/run/systemd/default-hostname": Permission denied
Sep 13 12:52:02 localhost.localdomain systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Sep 13 12:54:09 localhost.localdomain systemd[1]: Starting Hostname Service...
Sep 13 12:54:09 localhost.localdomain systemd[1]: Started Hostname Service.
Sep 13 12:54:09 localhost.localdomain systemd-hostnamed[1931]: Failed to read /run/systemd/default-hostname, ignoring: Permission denied
Sep 13 12:54:39 localhost.localdomain systemd[1]: systemd-hostnamed.service: Deactivated successfully.
node=localhost type=AVC msg=audit(1689891544.345:413): avc: denied { read } for pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:413): avc: denied { open } for pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:414): avc: denied { getattr } for pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:415): avc: denied { ioctl } for pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc: denied { write } for pid=22094 comm="systemd-hostnam" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc: denied { remove_name } for pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc: denied { unlink } for pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 09:28:01 -04:00
Guido Trentalancia
2b0f35134a
Update the gnome module so that the gconf daemon is
able to create Unix domain sockets and accept or listen
connections on them.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/gnome.te | 2 ++
1 file changed, 2 insertions(+)
2023-09-12 22:50:32 +02:00
Dave Sugar
7a635014e9
Fix some ssh agent denials
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.894:3623): avc: denied { write } for pid=1840 comm="ssh-agent" path="/home/sugar/.xsession-errors" dev="dm-9" ino=65541 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3634): avc: denied { getattr } for pid=1840 comm="ssh-agent" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3635): avc: denied { read } for pid=1840 comm="ssh-agent" name="opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3635): avc: denied { open } for pid=1840 comm="ssh-agent" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 16:43:52 -04:00
Dave Sugar
ccc02fcf36
separate label for /etc/security/opasswd
Setting /etc/security/opasswd to shadow_t has some negative side
effects like the fact that pam_unix needs to read that. Once
pam_unix can read shadow_t that changes the behaviour of how
pam_unix uses unix_update to update the password. So, this
change defines the new type, shadow_history_t, for
/etc/security/opasswd.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 15:52:20 -04:00
Dave Sugar
3cd6a8116c
Solve issue with no keyboard/mouse on X login screen
Sep 08 03:15:59 localhost audisp-syslog[1620]: node=localhost type=AVC msg=audit(1694142959.038:650): avc: denied { getattr } for pid=1695 comm="Xorg" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 15:44:01 -04:00
Chris PeBenito
d1759b92cb
Merge pull request #647 from gtrentalancia/x_fixes_pr
Stricter yet more customizable xserver policy and three security bug fixes
2023-09-12 15:01:23 -04:00
Guido Trentalancia
54b4e52a12
Dbus creates Unix domain sockets not only for the
system bus, but also for the session bus (in addition
to connecting to them), so its policy module is
modified accordingly.
See also: https://github.com/SELinuxProject/refpolicy/pull/667
which was merged in the following commit:
b4cb09a38c
Date: Mon Sep 11 20:42:50 2023 +0200
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-12 20:05:14 +02:00
Guido Trentalancia
3483d76720
Update the gpg module so that the application is able
to fetch new keys from the network.
Without this patch the following error is produced:
$ gpg --recv-keys EA3A87F0A4EBA030E45DF2409E8C1AFBBEFFDB32
gpg: error running '/usr/bin/dirmngr': exit status 1
gpg: failed to start dirmngr '/usr/bin/dirmngr': Generic error
gpg: can't connect to the dirmngr: Generic error
gpg: keyserver receive failed: dirmngr is not installed
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/gpg.te | 2 ++
1 file changed, 2 insertions(+)
2023-09-12 19:36:27 +02:00
Guido Trentalancia
a6a7641605
Fix the shutdown policy in order to make use of
the newly created file label and interface needed
to manage the random seed file.
Add the sys_boot capability permission that was
missing in the shutdown domain in order to be
able to reboot/shutdown correctly.
Let the shutdown domain signal init and all other
domains.
Fix the shutdown executable file labels, as the
executable normally lives in /sbin.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/admin/shutdown.fc | 4 +++-
policy/modules/admin/shutdown.te | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
2023-09-12 19:27:51 +02:00
Guido Trentalancia
984897ba81
Create a new specific file label for the random seed
file saved before shutting down or rebooting the system
and rework the interface needed to manage such file.
Use the newly created interface to fix the init policy
and deprecate the old one in the kernel files module.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/files.if | 29 +++++++++++++++++++++++------
policy/modules/system/init.fc | 3 ++-
policy/modules/system/init.if | 24 ++++++++++++++++++++++++
policy/modules/system/init.te | 7 +++++--
4 files changed, 54 insertions(+), 9 deletions(-)
2023-09-12 19:26:43 +02:00
Chris PeBenito
49fcadb8bd
Merge pull request #668 from gtrentalancia/userdomain_fixes_pr
Remove an unneeded logging interface from the userdomain module
2023-09-12 11:49:18 -04:00
Chris PeBenito
f3ab8cef4d
Merge pull request #667 from gtrentalancia/dbus_fixes_pr2
dbus creates Unix domain sockets
2023-09-12 11:34:12 -04:00
Guido Trentalancia
3ed8a9e4d0
Remove a logging interface from the userdomain module
since it has now been moved to the xscreensaver domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/userdomain.if | 2 --
1 file changed, 2 deletions(-)
2023-09-11 21:34:42 +02:00
Guido Trentalancia
b4cb09a38c
Dbus creates Unix domain sockets (in addition to
listening on and connecting to them), so its policy
module is modified accordingly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-11 20:43:58 +02:00
Guido Trentalancia
be2070b445
Remove duplicate permissions in the xserver module
xserver_restricted_role() interface.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 2 --
1 file changed, 2 deletions(-)
2023-09-11 19:32:59 +02:00
Guido Trentalancia
b83fe41629
Fix another security bug similar to the ones that
have been recently fixed in the following two
commits:
3eef4bc6fd
Date: Sun Sep 3 17:40:30 2023 +0200
and:
7de535d65a6f0592cb47598a4fd456e399a86663
Date: Thu Sep 7 18:46:20 2023 +0200
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
2023-09-11 19:31:39 +02:00
Guido Trentalancia
f39caed39b
Fix another security bug companion of the one
fixed in the following previous commit:
3eef4bc6fd
Date: Sun Sep 3 17:40:30 2023 +0200
This time the bug is already effective in the
following modules: virt, firstboot, wine and
mono.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
2023-09-11 19:30:57 +02:00
Guido Trentalancia
1c053e5223
Improved wording for the new xserver tunable policy
booleans introduced with the previous three commits.
Thanks to Christopher PeBenito for suggesting this.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 6 +++---
policy/modules/services/xserver.te | 16 ++++++++--------
2 files changed, 11 insertions(+), 11 deletions(-)
2023-09-11 19:30:12 +02:00
Chris PeBenito
d1b1076666
Merge pull request #652 from gtrentalancia/syslog_fixes_pr
Increase general syslog daemon policy security by making network permissions tunable
2023-09-11 09:56:36 -04:00
Chris PeBenito
9967edaebe
Merge pull request #666 from gtrentalancia/mix_fixes_pr2
Miscellaneous fixes
2023-09-11 09:38:05 -04:00
Guido Trentalancia
5037801893
Remove a vulnerability introduced by a logging interface
which allows log files to be executed.
This can be potentially used to execute malicious code or
scripts previously written in log files.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/admin/logrotate.te | 1 -
policy/modules/system/logging.if | 22 ----------------------
2 files changed, 23 deletions(-)
2023-09-11 15:25:25 +02:00
Chris PeBenito
a5619fe755
Merge pull request #662 from dsugar100/search_xdm_run_dir
Allow search xdm_var_run_t directories along with reading files.
2023-09-11 09:09:29 -04:00
Chris PeBenito
ce2493a5cc
Merge pull request #661 from gtrentalancia/mplayer_fixes_pr
mplayer module fixes for vlc
2023-09-11 09:08:18 -04:00
Chris PeBenito
e0e63aa281
Merge pull request #660 from dsugar100/dm_read_hwdata
Allow display manager to read hwdata
2023-09-11 09:07:47 -04:00
Chris PeBenito
8ffc5e7246
Merge pull request #658 from dsugar100/utempter_fix
Updates for utempter
2023-09-11 09:05:54 -04:00
Chris PeBenito
272a6c902e
Merge pull request #657 from etbe/master
Daemon to control authentication for Thunderbolt.
2023-09-11 09:04:47 -04:00
Chris PeBenito
77692ca0f6
Merge pull request #655 from dsugar100/dbus_start_stop_services
Allow system_dbusd_t to start/stop all units
2023-09-11 09:03:28 -04:00
Chris PeBenito
83238ce3ae
Merge pull request #639 from gtrentalancia/openoffice_fixes_pr
Minor fixes for the openoffice and xserver modules
2023-09-11 09:00:46 -04:00
Guido Trentalancia
9c4b0300ea
Remove misplaced permission from mount interface
mount_exec.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/mount.if | 3 ---
1 file changed, 3 deletions(-)
2023-09-11 09:34:58 +02:00
Dave Sugar
a603b3913d
Allow search xdm_var_run_t directories along with reading files.
Sep 07 23:30:46 localhost audisp-syslog[1669]: node=localhost type=AVC msg=audit(1694129445.663:3622): avc: denied { search } for pid=1844 comm="xhost" name="lightdm" dev="tmpfs" ino=1504 scontext=toor_u:staff_r:staff_t:s0 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-07 22:21:14 -04:00
Guido Trentalancia
03bc14351f
Add permissions to read device sysctls to mplayer.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/mplayer.te | 1 +
1 file changed, 1 insertion(+)
2023-09-07 22:34:19 +02:00
Guido Trentalancia
15db7d14aa
Let mplayer act as a dbus session bus client (needed
by the vlc media player).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/mplayer.te | 5 +++++
1 file changed, 5 insertions(+)
2023-09-07 21:44:19 +02:00
Dave Sugar
8dd1903281
Allow display manager to read hwdata
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:431): avc: denied { search } for pid=1744 comm="sddm-greeter" name="hwdata" dev="dm-1" ino=1726 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:432): avc: denied { read } for pid=1744 comm="sddm-greeter" name="pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:432): avc: denied { open } for pid=1744 comm="sddm-greeter" path="/usr/share/hwdata/pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.974:433): avc: denied { getattr } for pid=1744 comm="sddm-greeter" path="/usr/share/hwdata/pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:58:46 -04:00
Dave Sugar
56db40c099
Updates for utempter
Fix label (for RedHat) which places utempter in /usr/libexec/utempter/utempter
Allow utempter to write to xsession log
Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.483:3994): avc: denied { write } for pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.485:3997): avc: denied { getattr } for pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:52:05 -04:00
Russell Coker
3e2dd81a36
Daemon to control authentication for Thunderbolt.
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-07 07:17:00 +10:00
Guido Trentalancia
0a41b1c748
Update the openoffice module so that it can create
Unix stream sockets with its own label and use them
both as a client and a server.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/openoffice.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-06 22:35:59 +02:00
Guido Trentalancia
77de8cdd59
Let the openoffice domain manage fonts cache (fontconfig).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/openoffice.te | 1 +
1 file changed, 1 insertion(+)
2023-09-06 22:28:40 +02:00
Dave Sugar
f7d61f6146
Allow system_dbusd_t to start/stop all units
Examples of denials I'm seeing requiring this type of access:
node=localhost type=USER_AVC msg=audit(1689811749.504:399): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-hostnamed.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'␝UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
node=localhost type=USER_AVC msg=audit(1692287535.229:262): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'␝UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
node=localhost type=USER_AVC msg=audit(1692305808.055:375): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/accounts-daemon.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 16:22:46 -04:00
Guido Trentalancia
c032204af3
Introduce a new "logging_syslog_can_network" boolean
and make the net_admin capability as well as all
corenetwork permissions previously granted
to the syslog daemon conditional upon such boolean
being true.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/logging.te | 61 +++++++++++++++++++++++----------------
1 file changed, 36 insertions(+), 25 deletions(-)
2023-09-06 20:53:42 +02:00
Chris PeBenito
9d03d2ef9e
Merge pull request #656 from gtrentalancia/kernel_fixes_pr
Update the kernel module to remove misplaced or obsolete permissions
2023-09-06 13:29:48 -04:00
Chris PeBenito
663284394c
Merge pull request #654 from gtrentalancia/smartmon_fixes_pr
Smartmon policy update
2023-09-06 13:28:08 -04:00
Chris PeBenito
246c1aab40
Merge pull request #653 from etbe/master
Add iio-sensor-proxy.
2023-09-06 13:27:41 -04:00
Guido Trentalancia
7e5292de29
Update the kernel module to remove misplaced or at least really
obsolete permissions during kernel module loading.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/kernel.te | 12 ------------
1 file changed, 12 deletions(-)
2023-09-06 17:50:52 +02:00
Guido Trentalancia
86f9bfe0ee
Revert the following commit (ability to read /usr files),
as it is no longer needed, after the database file got its
own label:
Date: Wed Feb 16 07:24:34 2011 +0100
patch to allow smartmon to read usr files
37ba0d0437
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/smartmon.te | 1 -
1 file changed, 1 deletion(-)
2023-09-06 17:12:48 +02:00
Russell Coker
4bd63b2b11
Comment sysfs better
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-07 00:52:24 +10:00
Guido Trentalancia
38fe903684
Include the X server tmpfs rw permissions in the X shared memory
write access tunable policy under request from Christopher
PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
2023-09-06 15:58:29 +02:00
Chris PeBenito
02da19b0e9
Merge pull request #641 from gtrentalancia/mix_fixes_pr
Minor miscellaneous fixes for various policy modules
2023-09-06 08:46:40 -04:00
Chris PeBenito
c57e1f1a6d
Merge pull request #650 from gtrentalancia/xscreensaver_fixes_pr
Update the xscreensaver module in order to work with the latest version
2023-09-06 08:31:40 -04:00
Russell Coker
bc25ff1354
Fixed dependency on unconfined_t
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-06 21:12:23 +10:00
Russell Coker
2cf4a28321
iio-sensor-proxy (Debian package iio-sensor-proxy)
IIO sensors to D-Bus proxy
Industrial I/O subsystem is intended to provide support for devices
that in some sense are analog to digital or digital to analog convertors.
Devices that fall into this category are:
* ADCs
* Accelerometers
* Gyros
* IMUs
* Capacitance to Digital Converters (CDCs)
* Pressure Sensors
* Color, Light and Proximity Sensors
* Temperature Sensors
* Magnetometers
* DACs
* DDS (Direct Digital Synthesis)
* PLLs (Phase Locked Loops)
* Variable/Programmable Gain Amplifiers (VGA, PGA)
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-06 20:31:37 +10:00
Dave Sugar
be5a1e168e
Allow iceauth write to xsession log
node=localhost type=AVC msg=audit(1689822970.302:4180): avc: denied { write } for pid=2610 comm="iceauth" path="/home/toor/.xsession-errors" dev="dm-9" ino=129541 scontext=toor_u:staff_r:iceauth_t:s0 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-05 16:58:19 -04:00
Guido Trentalancia
8ca93044b1
Update the xscreensaver module in order to work with
the latest version (tested with version 6.06).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/wm.if | 4 +++
policy/modules/apps/xscreensaver.fc | 1
policy/modules/apps/xscreensaver.if | 46 ++++++++++++++++++++++++++++++++++++
policy/modules/apps/xscreensaver.te | 16 ++++++++++--
4 files changed, 65 insertions(+), 2 deletions(-)
2023-09-05 21:56:04 +02:00
Guido Trentalancia
6e965d40c2
Add permissions to watch libraries directories to the
userdomain login user template interface.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/userdomain.if | 1 +
1 file changed, 1 insertion(+)
2023-09-05 21:27:05 +02:00
Guido Trentalancia
db408f7f17
Add the permissions to manage the fonts cache (fontconfig)
to the window manager role template.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/wm.if | 2 ++
1 file changed, 2 insertions(+)
2023-09-05 21:27:05 +02:00
Guido Trentalancia
dbbfa9877e
Add missing permissions to execute binary files for
the evolution_alarm_t domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/evolution.te | 2 ++
1 file changed, 2 insertions(+)
2023-09-05 21:27:05 +02:00
Chris PeBenito
49420a8638
Merge pull request #643 from etbe/master
policy for eg25-manager to manage Quectel EG25 modem
2023-09-05 11:39:25 -04:00
Chris PeBenito
d2ee8ac352
Merge pull request #635 from gtrentalancia/main
The kernel domain should be able to mounton default and runtime directories
2023-09-05 11:06:35 -04:00
Chris PeBenito
20c53171b7
Merge pull request #645 from dsugar100/write_net_sysctl
To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
2023-09-05 11:00:02 -04:00
Chris PeBenito
66a480087a
Update eg25manager.te
Minor style fix.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-05 10:56:17 -04:00
Chris PeBenito
9fae196c53
Merge pull request #637 from gtrentalancia/pulseaudio_fixes_pr
Pulseaudio fixes
2023-09-05 10:48:48 -04:00
Guido Trentalancia
3eef4bc6fd
Fix a security bug in the xserver module (interfaces)
which was wrongly allowing an interface to bypass existing
tunable policy logic related to X shared memory and
xserver tmpfs files write permissions.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
2023-09-03 17:40:30 +02:00
Guido Trentalancia
ad1f2d2ae3
Separate the tunable permissions to write xserver
tmpfs files from the tunable permissions to write
X server shared memory.
Indeed some applications such as vlc (media player)
only require the former, so this change opts for a
stricter, yet more customizable policy.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 7 +++++++
policy/modules/services/xserver.te | 8 ++++++++
2 files changed, 15 insertions(+)
2023-09-03 17:33:15 +02:00
Dave Sugar
970ef05e19
To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
node=localhost type=AVC msg=audit(1691097149.019:422): avc: denied { search } for pid=2332 comm="sysctl" name="net" dev="proc" ino=11426 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1691097149.019:422): avc: denied { getattr } for pid=2332 comm="sysctl" path="/proc/sys/net/netfilter/nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1691097149.020:423): avc: denied { write } for pid=2332 comm="sysctl" name="nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1691097149.020:423): avc: denied { open } for pid=2332 comm="sysctl" path="/proc/sys/net/netfilter/nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-01 20:22:55 -04:00
Russell Coker
810f333ac5
eg25-manager (Debian package eg25-manager) is a daemon aimed at configuring
and monitoring the Quectel EG25 modem on a running system. It is used on the
PinePhone (Pro) and performs the following functions:
* power on/off
* startup configuration using AT commands
* AGPS data upload
* status monitoring (and restart if it becomes unavailable)
Homepage: https://gitlab.com/mobian1/eg25-manager
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-01 20:15:13 +10:00
Guido Trentalancia
519fe6f81a
Let pulseaudio search debugfs directories, as currently
done with other modules.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/pulseaudio.te | 1 +
1 file changed, 1 insertion(+)
2023-08-31 16:35:01 +02:00
Guido Trentalancia
5b89b4120e
Update the dbus role template so that permissions to get
the attributes of the proc filesystem are included.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/dbus.if | 2 ++
1 file changed, 2 insertions(+)
2023-08-30 16:30:54 +02:00
Guido Trentalancia
5ff0aa1b61
Fix the dbus module so that temporary session named sockets
can be read and written in the role template and by system
and session bus clients.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.if | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
2023-08-30 16:19:27 +02:00
Guido Trentalancia
de026627fe
Fix the dbus module so that automatic file type transitions
are used not only for files and directories, but also for
named sockets.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/dbus.te | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
2023-08-30 16:07:13 +02:00
Guido Trentalancia
1f5bd26210
Fix the pulseaudio module file transition for named
sockets in tmp directories.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2023-08-30 15:40:20 +02:00
Guido Trentalancia
911c02feef
The pulseaudio module should be able to read alsa
library directories.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/pulseaudio.te | 1 +
1 file changed, 1 insertion(+)
2023-08-30 15:39:44 +02:00
Guido Trentalancia
191f6d28e1
The kernel domain should be able to mounton default directories
during switch_root.
Corresponding suspicious permissions are removed from the init
domain, however this might need further testing on a wider number
of systems.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/kernel.te | 1 +
policy/modules/system/init.te | 4 ----
2 files changed, 1 insertion(+), 4 deletions(-)
2023-08-24 21:34:52 +02:00
Guido Trentalancia
718139ca87
The kernel domain should be able to mounton runtime directories
...
during switch_root, otherwise parts of the boot process might
fail on some systems (for example, the udev daemon).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/kernel.te | 1 +
1 file changed, 1 insertion(+)
2023-08-23 17:49:05 +02:00
Chris PeBenito
f3f761c4a8
Merge pull request #631 from dsugar100/label_pwhistory_helper
...
Label pwhistory_helper
2023-08-18 11:53:50 -04:00
Chris PeBenito
626848ad94
Merge pull request #632 from dsugar100/dbsud_var_lib_symlinks
...
If domain can read system_dbusd_var_lib_t files, also allow symlinks
2023-08-18 11:48:06 -04:00
Dave Sugar
e0970d55e6
systemd-rfkill.socket reads /dev/rfkill (with the ListenSocket= option).
...
Need to allow this to open the file so the service starts properly.
node=localhost type=AVC msg=audit(1689883855.890:419): avc: denied { open } for pid=1 comm="systemd" path="/dev/rfkill" dev="devtmpfs" ino=152 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1689883962.317:408): avc: denied { read write } for pid=1 comm="systemd" name="rfkill" dev="devtmpfs" ino=152 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:52:15 -04:00
Dave Sugar
b128e7ea2d
If domain can read system_dbusd_var_lib_t files, also allow symlinks
...
node=localhost type=AVC msg=audit(1689811752.145:511): avc: denied { read } for pid=2622 comm="lightdm-gtk-gre" name="machine-id" dev="dm-10" ino=262170 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0
node=localhost type=AVC msg=audit(1689811752.404:514): avc: denied { read } for pid=2629 comm="at-spi-bus-laun" name="machine-id" dev="dm-10" ino=262170 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:47:08 -04:00
Dave Sugar
9812e9c0ef
Label pwhistory_helper
...
pwhistory_helper is executed by pam_pwhistory (as configured in
/etc/pam.d/system-auth). It updates /etc/security/opasswd, which contains
old passwords. Label /etc/security/opasswd as shadow_t to control access.
node=localhost type=AVC msg=audit(1689391847.287:8989): avc: denied { execute } for pid=2667 comm="passwd" name="pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc: denied { read open } for pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc: denied { execute_no_trans } for pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc: denied { map } for pid=2667 comm="pwhistory_helpe" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:45:13 -04:00
Chris PeBenito
97e35d8845
Merge pull request #626 from dsugar100/main
...
Allow local login to read /run/motd
2023-08-02 09:36:54 -04:00
Dave Sugar
a120ea8c25
Allow local login to read /run/motd
...
node=localhost type=AVC msg=audit(1689384764.155:53945): avc: denied { getattr } for pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689384764.155:53946): avc: denied { read } for pid=5125 comm="login" name="motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689384764.155:53946): avc: denied { open } for pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-07-18 08:13:43 -04:00
Kenton Groombridge
f1e7404baa
container: rework capabilities
...
Rework (primarily) non-namespaced capabilities. These accesses are
leftovers from earlier policy versions before the container module was
introduced that are most likely too coarse for most container
applications.
Put all non-namespaced capability accesses for containers behind
tunables, borrowing ideas from container-selinux. For the more
privileged capabilities (sysadmin, mknod), add a tunable to control both
namespaced and non-namespaced access to these operations.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-07-17 09:40:09 -04:00
Christian Schneider
26eb377014
systemd-generator: systemd_generator_t load kernel modules used for e.g. zram-generator
...
Fixes:
avc: denied { getsched } for pid=171 comm="zram-generator" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1
avc: denied { execute } for pid=173 comm="zram-generator" name="kmod" dev="sda2" ino=17417 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:kmod_exec_t tclass=file permissive=1
Signed-off-by: Christian Schneider <christian.schneider3@gmx.net>
2023-07-11 09:37:28 +02:00
Chris PeBenito
c6424be02d
Merge pull request #623 from fajs/psi_t
...
Add label and interfaces for kernel PSI files
2023-07-06 10:29:08 -04:00
Florian Schmidt
cf09279eab
Add label and interfaces for kernel PSI files
...
The pressure stall information (PSI) special files in /proc/pressure
currently don't have a separate file context, and so default to proc_t.
Since users need read/write permissions to those files to use PSI, and
handing out blanket permissions to proc_t is strongly discouraged,
introduce a new proc_psi_t label, as well as interfaces for it.
Signed-off-by: Florian Schmidt <flosch@nutanix.com>
2023-07-05 15:21:46 +00:00
Renato Caldas
34cba22df8
kubernetes: allow kubelet to read /proc/sys/vm files.
...
Kubelet checks the value of '/proc/sys/vm/panic_on_oom' before starting.
Signed-off-by: Renato Caldas <renato@calgera.com>
2023-07-03 20:05:35 +01:00
Mathieu Tortuyaux
feaf607f3e
container: fix cilium denial
...
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2023-06-21 09:24:25 +02:00
Kenton Groombridge
6ac468d24e
chromium: allow chromium-naclhelper to create user namespaces
...
Closes: https://github.com/SELinuxProject/refpolicy/issues/605
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-05-25 16:58:06 -04:00
Chris PeBenito
429b26878b
Merge pull request #607 from bluca/mempressure
...
Add support for memory pressure notifications protocol
2023-05-18 09:13:34 -04:00
Grzegorz Filo
80d52aa4f6
Keep context of blkid file/dir when created by zpool.
...
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-15 19:33:41 +02:00
Chris PeBenito
8f563f58ea
Merge pull request #615 from plsph/zfs-dir-transition
...
Dir transition goes with dir create perms.
2023-05-03 09:31:45 -04:00
Chris PeBenito
9ef053d6c5
Merge pull request #614 from plsph/initrc-zfs-config
...
Allow initrc_t read zfs config files.
2023-05-03 09:27:25 -04:00
Grzegorz Filo
d769f31966
Dir transition goes with dir create perms.
...
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-03 10:54:59 +02:00
Grzegorz Filo
232b4ab271
Shell functions used during boot by initrc_t shall be bin_t and defined in corecommands.fc
...
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-03 09:42:34 +02:00
Pat Riehecky
f52070b3cf
container: set default context for local-path-provisioner
...
The Kubernetes local-path-provisioner uses either
/opt/local-path-provisioner or
/var/local-path-provisioner for its physical volumes.
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2023-04-28 15:16:46 -05:00
Chris PeBenito
ad527f9f62
Merge pull request #592 from montjoie/update-smart-drivedb
...
fsadm: add domain for update-smart-drivedb
2023-04-17 10:23:49 -04:00
Chris PeBenito
218c42f592
Merge pull request #608 from montjoie/dovecot
...
dovecot: add missing permissions
2023-04-17 10:17:53 -04:00
Corentin LABBE
ac6b47c71d
dovecot: add missing permissions
...
I use dovecot for IMAP hosting and several rules are missing.
Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-04-11 10:51:03 +02:00
Corentin LABBE
cb068f09d2
smartmon: add domain for update-smart-drivedb
...
update-smart-drivedb is fsadm_t-like but with access to the network.
Since it does network access and doesn't access any hardware, let's add its own domain.
Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-04-11 10:31:52 +02:00
Chris PeBenito
7831981d0d
Merge pull request #609 from freedom1b2830/master
...
path marking for vlc(mplayer_t)
2023-04-06 09:41:39 -04:00
freedom1b2830
a098f2bd52
mplayer:vlc paths
...
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
2023-04-05 17:07:43 +00:00
Guido Trentalancia
8f7064490d
The pulseaudio daemon and client do not normally need to use
...
the network for most computer systems that need to play and
record audio.
So, network access by pulseaudio should normally be restricted.
This patch restricts all network access by using tunable policy
and a new boolean to control it.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/pulseaudio.te | 47 ++++++++++++++++++++++++--------------
1 file changed, 30 insertions(+), 17 deletions(-)
2023-04-05 16:06:19 +02:00
Luca Boccassi
d0d4e8fd73
systemd: allow daemons to access memory.pressure
...
These services are hooked up to the memory.pressure interface, so
allow them to access the file.
Jan 26 08:12:21 localhost audit[202]: AVC avc: denied { getattr } for pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[379]: AVC avc: denied { getattr } for pid=379 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:01 localhost audit[475]: AVC avc: denied { getattr } for pid=475 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:02 localhost audit[491]: AVC avc: denied { getattr } for pid=491 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:02 localhost audit[490]: AVC avc: denied { write } for pid=490 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[202]: AVC avc: denied { getattr } for pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[382]: AVC avc: denied { getattr } for pid=382 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[479]: AVC avc: denied { getattr } for pid=479 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[493]: AVC avc: denied { getattr } for pid=493 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[492]: AVC avc: denied { write } for pid=492 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[204]: AVC avc: denied { getattr } for pid=204 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[316]: AVC avc: denied { getattr } for pid=316 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[359]: AVC avc: denied { getattr } for pid=359 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[350]: AVC avc: denied { write } for pid=350 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[203]: AVC avc: denied { getattr } for pid=203 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[312]: AVC avc: denied { getattr } for pid=312 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[351]: AVC avc: denied { getattr } for pid=351 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[342]: AVC avc: denied { write } for pid=342 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[201]: AVC avc: denied { open } for pid=201 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 13 17:00:57 localhost audit[490]: AVC avc: denied { open } for pid=490 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:02:11 +00:00
Luca Boccassi
6ecba6ff80
systemd: also allow to mounton memory.pressure
...
Mar 15 22:15:35 localhost audit[1607]: AVC avc: denied { mounton } for pid=1607 comm="(esetinfo)" path="/run/systemd/unit-root/sys/fs/cgroup/system.slice/socresetinfo.service/memory.pressure" dev="cgroup2" ino=2522 scontext=system_u:system_r:init_t tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=1
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:00:48 +00:00
Luca Boccassi
6dd2c3bcd1
Add separate label for cgroup's memory.pressure files
...
Required to enable notifications on memory pressure events; writing to
the file is needed to start receiving them. This will be used by all
systemd daemons, and eventually by external daemons that subscribe to the
same interface too.
See: https://github.com/systemd/systemd/blob/main/docs/MEMORY_PRESSURE.md
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:00:48 +00:00
Yi Zhao
c75a32f2be
systemd: allow systemd-resolved to search directories on tmpfs and ramfs
...
Fixes:
avc: denied { search } for pid=233 comm="systemd-resolve" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
avc: denied { search } for pid=233 comm="systemd-resolve" name="/"
dev="ramfs" ino=813 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:ramfs_t tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-03-15 10:57:55 +08:00
Chris PeBenito
7416ac14f9
Merge pull request #603 from 0xC0ncord/various-20230224
...
More various fixes
2023-03-13 09:18:13 -04:00
Kenton Groombridge
9b4e8bd875
kubernetes: allow kubelet to read etc runtime files
...
To read /etc/machine-id.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
bf546e4c4f
glusterfs: allow glusterd to bind to all TCP unreserved ports
...
Port 32767 seems to be needed by glfs_timer.
type=SYSCALL msg=audit(1678151692.991:193): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1678151692.991:193): avc: denied { name_bind } for pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
228e8e3f15
fstools: allow fsadm to read utab
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
6ad1768065
raid: allow mdadm to create generic links in /dev/md
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
69e6c33c46
raid: allow mdadm to read udev runtime files
...
This fixes this AVC:
avc: denied { getattr } for pid=2238 comm="mdadm" path="/run/udev" dev="tmpfs" ino=52 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
edef7a8469
init: allow initrc_t to create netlink_kobject_uevent_sockets
...
Needed by rdma-rdd, which is automatically started by udev when an RDMA
device with a node description is present.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
5b0aa89da7
systemd: allow systemd-resolved to bind to UDP port 5353
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
9307110277
init: allow systemd-init to set the attributes of unallocated terminals
...
type=AVC msg=audit(1678150061.367:292): avc: denied { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
104e2014ea
fs, init: allow systemd-init to set the attributes of efivarfs files
...
avc: denied { setattr } for pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
48af8ca656
systemd: allow systemd-pcrphase to read generic certs
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
20fbb550b7
systemd: add rules for systemd-zram-generator
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
716f47dbd5
files, systemd: allow systemd-tmpfiles to relabel config file symlinks
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
eed80c888c
logging, systemd: allow relabelfrom,relabelto on systemd journal
...
files by systemd-journald
journald's journal-offline will relabel log files. It should be noted,
however, that this happens even if the files already have the correct
label.
avc: granted { relabelfrom } for pid=11440 comm="journal-offline" name=".#system@97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
avc: granted { relabelto } for pid=11440 comm="journal-offline" name=".#system@97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:58 -05:00
Chris PeBenito
f625d5b788
Merge pull request #579 from montjoie/portage-misc
...
portage: add misc missing rules
2023-03-10 14:58:38 -05:00
Kenton Groombridge
02e558be0f
fs, udev: allow systemd-udevd various cgroup perms
...
Needed for systemd-udevd to create files under
/sys/fs/cgroup/system.slice/systemd-udevd.service/udev
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:32:41 -05:00
Kenton Groombridge
dea2090ac3
logging: allow systemd-journald to list cgroups
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge
d1593345df
systemd: allow systemd-userdbd to getcap
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge
5ad60847c6
init: allow initrc_t to getcap
...
Many AVCs are observed on a systemd system and various services.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge
9af88f2bf7
init, systemd: allow init to create userdb runtime symlinks
...
At boot, systemd-init will create symlinks in /run/systemd/userdb. This
fixes these AVCs:
avc: denied { create } for pid=1 comm="systemd" name="io.systemd.NameServiceSwitch" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
avc: denied { create } for pid=1 comm="systemd" name="io.systemd.DropIn" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:46 -05:00
Kenton Groombridge
079de3d496
various: make /etc/machine-id etc_runtime_t
...
This file is updated at boot by systemd.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
064a66c509
init: make init_runtime_t usable for systemd units
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
011aadef16
zfs: add runtime filetrans for dirs
...
Needed by zfs recv.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
18c1eeb654
zfs: allow sending signals to itself
...
Required for zfs snapshot.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
214149b637
kernel, zfs: add filetrans for kernel creating zpool cache file
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
1d8b309808
netutils: fixes for iftop
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
181077dd47
podman, selinux: move lines, add missing rules for --network=host
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
1aab07e154
redis: add missing rules for runtime filetrans
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
eaf9f15d35
node_exporter: various fixes
...
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
6894aaa796
container: fixes for podman run --log-driver=passthrough
...
The --log-driver=passthrough argument is used by default for units
generated by quadlet. Without this access, containers started through
systemd in this way will not be able to send logs to the journal.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
d2ec3ce6e4
container: fixes for podman 4.4.0
...
podman now creates a lock file in /run/containers and will fail to run
if this is not allowed.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
f27b6fcc5e
container, init, systemd: add policy for quadlet
...
quadlet is a systemd generator provided by podman which generates
runtime units from "template" container units.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Chris PeBenito
86a7f884a5
Merge pull request #601 from yizhao1/fixes
...
Systemd fixes
2023-03-10 09:05:00 -05:00
Corentin LABBE
a25a1a3056
smartmon: allow smartd to read fsadm_db_t files
...
On Gentoo, smartd needs to access fsadm_db_t files.
Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-03-08 21:17:52 +01:00
Chris PeBenito
313d8f46d6
container: Allow user namespace creation for all container engines.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-07 09:54:48 -05:00
Chris PeBenito
e1a6199384
systemd: Allow user namespace creation.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-07 09:54:48 -05:00
Chris PeBenito
de41a207b9
mozilla: Allow user namespace creation.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-02 15:59:49 -05:00
Chris PeBenito
ffd80c42c9
chromium: Allow user namespace creation.
...
closes #600
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-02 09:02:03 -05:00
Yi Zhao
5e6fad9e4c
systemd: allow systemd-sysctl to search directories on ramfs
...
Fixes:
avc: denied { search } for pid=170 comm="systemd-sysctl" name="/"
dev="ramfs" ino=14098 scontext=system_u:system_r:systemd_sysctl_t
tcontext=system_u:object_r:ramfs_t tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-03-02 19:06:39 +08:00
Yi Zhao
3b1d4e715e
systemd: add capability sys_resource to systemd_userdbd_t
...
Fixes:
avc: denied { sys_resource } for pid=316 comm="(sd-worker)"
capability=24 scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:systemd_userdbd_t tclass=capability
permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-03-02 18:59:16 +08:00