Commit Graph

4845 Commits

Author SHA1 Message Date
Russell Coker
7cb75c56c7
Daemon to monitor memory pressure and notify applications and change … (#670)
* Daemon to monitor memory pressure and notify applications and change kernel
OOM settings.

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed the self dgram access to create_socket_perms

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 09:15:09 -04:00
Chris PeBenito
7037ef3248
Merge pull request #638 from gtrentalancia/gnome_fixes_pr
The gconf daemon (gnome module) must be able to create Unix domain sockets and use them as a server
2023-09-14 09:12:08 -04:00
Dave Sugar
cdd7c8cd5a /var/lib/sddm should be xdm_var_lib_t
based on denials, the fact that sddm runs as xdm_t and how other
directories are labeled, xdm_var_lib_t seems more correct here.

Sep 13 14:57:10 localhost.localdomain audisp-syslog[1570]: node=localhost type=AVC msg=audit(1694617030.144:419): avc:  denied  { search } for  pid=1702 comm="sddm" name="sddm" dev="dm-10" ino=393297 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc:  denied  { add_name } for  pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc:  denied  { create } for  pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.470:478): avc:  denied  { getattr } for  pid=1768 comm="QQmlThread" path="/var/lib/sddm/.cache/sddm-greeter/qmlcache" dev="dm-10" ino=393280 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 13:31:41 -04:00
Dave Sugar
131d4fcaca Allow rsyslog to drop capabilities
Aug 28 19:01:43 localhost.localdomain audisp-syslog[1565]: node=localhost type=AVC msg=audit(1693249303.693:415): avc:  denied  { setpcap } for  pid=1722 comm="rsyslogd" capability=8 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0
Aug 28 19:01:43 localhost.localdomain rsyslogd[1722]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 11:53:25 -04:00
Guido Trentalancia
4d2ae53c17 Introduce a new interface in the mta module to manage the mail
transport agent configuration directories and files.

This interface will be used by a forthcoming update of the
rule updating feature of the spamassassin module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/mta.if |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
2023-09-13 15:59:50 +02:00
Guido Trentalancia
37f81bbc80 Fix the recently introduced "logging_syslog_can_network"
tunable policy, by including TCP/IP socket creation
permissions.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/logging.te |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
2023-09-13 15:34:09 +02:00
Dave Sugar
08866e6253 For systemd-hostnamed service to run
systemd_hostnamed allowed to read/update/delete /run/systemd/default-hostname

○ systemd-hostnamed.service - Hostname Service
     Loaded: loaded (/usr/lib/systemd/system/systemd-hostnamed.service; static)
    Drop-In: /usr/lib/systemd/system/systemd-hostnamed.service.d
             └─disable-privatedevices.conf
     Active: inactive (dead)
       Docs: man:systemd-hostnamed.service(8)
             man:hostname(5)
             man:machine-info(5)
             man:org.freedesktop.resolve1(5)

Sep 13 12:51:32 localhost systemd[1]: Starting Hostname Service...
Sep 13 12:51:32 localhost systemd[1]: Started Hostname Service.
Sep 13 12:51:32 localhost systemd-hostnamed[1777]: Failed to read /run/systemd/default-hostname, ignoring: Permission denied
Sep 13 12:51:32 localhost.localdomain systemd-hostnamed[1777]: Hostname set to <localhost.localdomain> (transient)
Sep 13 12:51:32 localhost.localdomain systemd-hostnamed[1777]: Failed to remove "/run/systemd/default-hostname": Permission denied
Sep 13 12:52:02 localhost.localdomain systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Sep 13 12:54:09 localhost.localdomain systemd[1]: Starting Hostname Service...
Sep 13 12:54:09 localhost.localdomain systemd[1]: Started Hostname Service.
Sep 13 12:54:09 localhost.localdomain systemd-hostnamed[1931]: Failed to read /run/systemd/default-hostname, ignoring: Permission denied
Sep 13 12:54:39 localhost.localdomain systemd[1]: systemd-hostnamed.service: Deactivated successfully.

node=localhost type=AVC msg=audit(1689891544.345:413): avc:  denied  { read } for  pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:413): avc:  denied  { open } for  pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:414): avc:  denied  { getattr } for  pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.345:415): avc:  denied  { ioctl } for  pid=22094 comm="systemd-hostnam" path="/run/systemd/default-hostname" dev="tmpfs" ino=12 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc:  denied  { write } for  pid=22094 comm="systemd-hostnam" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc:  denied  { remove_name } for pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689891544.351:417): avc:  denied  { unlink } for  pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 09:28:01 -04:00
Guido Trentalancia
2b0f35134a Update the gnome module so that the gconf daemon is
able to create Unix domain sockets and accept or listen
for connections on them.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/gnome.te |    2 ++
 1 file changed, 2 insertions(+)
2023-09-12 22:50:32 +02:00
Dave Sugar
7a635014e9 Fix some ssh agent denials
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.894:3623): avc:  denied  { write } for  pid=1840 comm="ssh-agent" path="/home/sugar/.xsession-errors" dev="dm-9" ino=65541 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file permissive=1

Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3634): avc:  denied  { getattr } for  pid=1840 comm="ssh-agent" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3635): avc:  denied  { read } for  pid=1840 comm="ssh-agent" name="opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Aug 29 21:38:07 localhost.localdomain audisp-syslog[1582]: node=localhost type=AVC msg=audit(1693345086.937:3635): avc:  denied  { open } for  pid=1840 comm="ssh-agent" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-1" ino=262231 scontext=staff_u:staff_r:staff_ssh_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 16:43:52 -04:00
Dave Sugar
ccc02fcf36 separate label for /etc/security/opasswd
Setting /etc/security/opasswd to shadow_t has some negative side
effects like the fact that pam_unix needs to read that.  Once
pam_unix can read shadow_t that changes the behaviour of how
pam_unix uses unix_update to update the password.  So, this
change defines the new type, shadow_history_t, for
/etc/security/opasswd.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 15:52:20 -04:00
Dave Sugar
3cd6a8116c Solve issue with no keyboard/mouse on X login screen
Sep 08 03:15:59 localhost audisp-syslog[1620]: node=localhost type=AVC msg=audit(1694142959.038:650): avc:  denied  { getattr } for  pid=1695 comm="Xorg" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-12 15:44:01 -04:00
Chris PeBenito
d1759b92cb
Merge pull request #647 from gtrentalancia/x_fixes_pr
Stricter yet more customizable xserver policy and three security bug fixes
2023-09-12 15:01:23 -04:00
Guido Trentalancia
54b4e52a12 Dbus creates Unix domain sockets not only for the
system bus, but also for the session bus (in addition
to connecting to them), so its policy module is
modified accordingly.

See also: https://github.com/SELinuxProject/refpolicy/pull/667

which was merged in the following commit:

  b4cb09a38c
  Date:   Mon Sep 11 20:42:50 2023 +0200

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.if |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-12 20:05:14 +02:00
Guido Trentalancia
3483d76720 Update the gpg module so that the application is able
to fetch new keys from the network.

Without this patch the following error is produced:

 $ gpg --recv-keys EA3A87F0A4EBA030E45DF2409E8C1AFBBEFFDB32

 gpg: error running '/usr/bin/dirmngr': exit status 1
 gpg: failed to start dirmngr '/usr/bin/dirmngr': Generic error
 gpg: can't connect to the dirmngr: Generic error
 gpg: keyserver receive failed: dirmngr is not installed

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/gpg.te |    2 ++
 1 file changed, 2 insertions(+)
2023-09-12 19:36:27 +02:00
Guido Trentalancia
a6a7641605 Fix the shutdown policy in order to make use of
the newly created file label and interface needed
to manage the random seed file.

Add the sys_boot capability permission that was
missing in the shutdown domain in order to be
able to reboot/shutdown correctly.

Let the shutdown domain signal init and all other
domains.

Fix the shutdown executable file labels, as the
executable normally lives in /sbin.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/admin/shutdown.fc |    4 +++-
 policy/modules/admin/shutdown.te |    4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
2023-09-12 19:27:51 +02:00
Guido Trentalancia
984897ba81 Create a new specific file label for the random seed
file saved before shutting down or rebooting the system
and rework the interface needed to manage such file.

Use the newly created interface to fix the init policy
and deprecate the old one in the kernel files module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/files.if |   29 +++++++++++++++++++++++------
 policy/modules/system/init.fc  |    3 ++-
 policy/modules/system/init.if  |   24 ++++++++++++++++++++++++
 policy/modules/system/init.te  |    7 +++++--
 4 files changed, 54 insertions(+), 9 deletions(-)
2023-09-12 19:26:43 +02:00
Chris PeBenito
49fcadb8bd
Merge pull request #668 from gtrentalancia/userdomain_fixes_pr
Remove an unneeded logging interface from the userdomain module
2023-09-12 11:49:18 -04:00
Chris PeBenito
f3ab8cef4d
Merge pull request #667 from gtrentalancia/dbus_fixes_pr2
dbus creates Unix domain sockets
2023-09-12 11:34:12 -04:00
Guido Trentalancia
3ed8a9e4d0 Remove a logging interface from the userdomain module
since it has now been moved to the xscreensaver domain.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/userdomain.if |    2 --
 1 file changed, 2 deletions(-)
2023-09-11 21:34:42 +02:00
Guido Trentalancia
b4cb09a38c Dbus creates Unix domain sockets (in addition to
listening on and connecting to them), so its policy
module is modified accordingly.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-11 20:43:58 +02:00
Guido Trentalancia
be2070b445 Remove duplicate permissions in the xserver module
xserver_restricted_role() interface.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    2 --
 1 file changed, 2 deletions(-)
2023-09-11 19:32:59 +02:00
Guido Trentalancia
b83fe41629 Fix another security bug similar to the ones that
have been recently fixed in the following two
commits:

  3eef4bc6fd
  Date:   Sun Sep 3 17:40:30 2023 +0200

and:

  7de535d65a6f0592cb47598a4fd456e399a86663
  Date:   Thu Sep 7 18:46:20 2023 +0200

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
2023-09-11 19:31:39 +02:00
Guido Trentalancia
f39caed39b Fix another security bug companion of the one
fixed in the following previous commit:

  3eef4bc6fd
  Date:   Sun Sep 3 17:40:30 2023 +0200

This time the bug is already effective in the
following modules: virt, firstboot, wine and
mono.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
2023-09-11 19:30:57 +02:00
Guido Trentalancia
1c053e5223 Improved wording for the new xserver tunable policy
booleans introduced with the previous three commits.

Thanks to Christopher PeBenito for suggesting this.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    6 +++---
 policy/modules/services/xserver.te |   16 ++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)
2023-09-11 19:30:12 +02:00
Chris PeBenito
d1b1076666
Merge pull request #652 from gtrentalancia/syslog_fixes_pr
Increase general syslog daemon policy security by making network permissions tunable
2023-09-11 09:56:36 -04:00
Chris PeBenito
9967edaebe
Merge pull request #666 from gtrentalancia/mix_fixes_pr2
Miscellaneous fixes
2023-09-11 09:38:05 -04:00
Guido Trentalancia
5037801893 Remove a vulnerability introduced by a logging interface
which allows log files to be executed.

This can be potentially used to execute malicious code or
scripts previously written in log files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/admin/logrotate.te |    1 -
 policy/modules/system/logging.if  |   22 ----------------------
 2 files changed, 23 deletions(-)
2023-09-11 15:25:25 +02:00
Chris PeBenito
a5619fe755
Merge pull request #662 from dsugar100/search_xdm_run_dir
Allow search xdm_var_run_t directories along with reading files.
2023-09-11 09:09:29 -04:00
Chris PeBenito
ce2493a5cc
Merge pull request #661 from gtrentalancia/mplayer_fixes_pr
mplayer module fixes for vlc
2023-09-11 09:08:18 -04:00
Chris PeBenito
e0e63aa281
Merge pull request #660 from dsugar100/dm_read_hwdata
Allow display manager to read hwdata
2023-09-11 09:07:47 -04:00
Chris PeBenito
8ffc5e7246
Merge pull request #658 from dsugar100/utempter_fix
Updates for utempter
2023-09-11 09:05:54 -04:00
Chris PeBenito
272a6c902e
Merge pull request #657 from etbe/master
Daemon to control authentication for Thunderbolt.
2023-09-11 09:04:47 -04:00
Chris PeBenito
77692ca0f6
Merge pull request #655 from dsugar100/dbus_start_stop_services
Allow system_dbusd_t to start/stop all units
2023-09-11 09:03:28 -04:00
Chris PeBenito
83238ce3ae
Merge pull request #639 from gtrentalancia/openoffice_fixes_pr
Minor fixes for the openoffice and xserver modules
2023-09-11 09:00:46 -04:00
Guido Trentalancia
9c4b0300ea Remove misplaced permission from mount interface
mount_exec.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/mount.if |    3 ---
 1 file changed, 3 deletions(-)
2023-09-11 09:34:58 +02:00
Dave Sugar
a603b3913d Allow search xdm_var_run_t directories along with reading files.
Sep 07 23:30:46 localhost audisp-syslog[1669]: node=localhost type=AVC msg=audit(1694129445.663:3622): avc:  denied  { search } for pid=1844 comm="xhost" name="lightdm" dev="tmpfs" ino=1504 scontext=toor_u:staff_r:staff_t:s0 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-07 22:21:14 -04:00
Guido Trentalancia
03bc14351f Add permissions to read device sysctls to mplayer.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/mplayer.te |    1 +
 1 file changed, 1 insertion(+)
2023-09-07 22:34:19 +02:00
Guido Trentalancia
15db7d14aa Let mplayer act as a dbus session bus client (needed
by the vlc media player).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/mplayer.te |    5 +++++
 1 file changed, 5 insertions(+)
2023-09-07 21:44:19 +02:00
Dave Sugar
8dd1903281 Allow display manager to read hwdata
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:431): avc:  denied  { search } for  pid=1744 comm="sddm-greeter" name="hwdata" dev="dm-1" ino=1726 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:432): avc:  denied  { read } for  pid=1744 comm="sddm-greeter" name="pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.968:432): avc:  denied  { open } for  pid=1744 comm="sddm-greeter" path="/usr/share/hwdata/pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Sep 01 01:53:02 localhost.localdomain audisp-syslog[1524]: node=localhost type=AVC msg=audit(1693533182.974:433): avc:  denied  { getattr } for  pid=1744 comm="sddm-greeter" path="/usr/share/hwdata/pnp.ids" dev="dm-1" ino=1730 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:58:46 -04:00
Dave Sugar
56db40c099 Updates for utempter
Fix label (for RedHat) which places utempter in /usr/libexec/utempter/utempter
Allow utempter to write to xsession log

Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.483:3994): avc:  denied  { write } for  pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.485:3997): avc:  denied  { getattr } for  pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 21:52:05 -04:00
Russell Coker
3e2dd81a36 Daemon to control authentication for Thunderbolt.
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-07 07:17:00 +10:00
Guido Trentalancia
0a41b1c748 Update the openoffice module so that it can create
Unix stream sockets with its own label and use them
both as a client and a server.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/openoffice.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-09-06 22:35:59 +02:00
Guido Trentalancia
77de8cdd59 Let the openoffice domain manage fonts cache (fontconfig).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/openoffice.te |    1 +
 1 file changed, 1 insertion(+)
2023-09-06 22:28:40 +02:00
Dave Sugar
f7d61f6146 Allow system_dbusd_t to start/stop all units
Examples of denials I'm seeing requiring this type of access:
node=localhost type=USER_AVC msg=audit(1689811749.504:399): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-hostnamed.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
node=localhost type=USER_AVC msg=audit(1692287535.229:262): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"
node=localhost type=USER_AVC msg=audit(1692305808.055:375): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/accounts-daemon.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="bus_unit_method_start_generic" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="dbus" SAUID="root"

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-06 16:22:46 -04:00
Guido Trentalancia
c032204af3 Introduce a new "logging_syslog_can_network" boolean
and make the net_admin capability as well as all
corenetwork permissions previously granted
to the syslog daemon conditional upon such boolean
being true.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/logging.te |   61 +++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 25 deletions(-)
2023-09-06 20:53:42 +02:00
Chris PeBenito
9d03d2ef9e
Merge pull request #656 from gtrentalancia/kernel_fixes_pr
Update the kernel module to remove misplaced or obsolete permissions
2023-09-06 13:29:48 -04:00
Chris PeBenito
663284394c
Merge pull request #654 from gtrentalancia/smartmon_fixes_pr
Smartmon policy update
2023-09-06 13:28:08 -04:00
Chris PeBenito
246c1aab40
Merge pull request #653 from etbe/master
Add iio-sensor-proxy.
2023-09-06 13:27:41 -04:00
Guido Trentalancia
7e5292de29 Update the kernel module to remove misplaced or at least really
obsolete permissions during kernel module loading.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/kernel.te |   12 ------------
 1 file changed, 12 deletions(-)
2023-09-06 17:50:52 +02:00
Guido Trentalancia
86f9bfe0ee Revert the following commit (ability to read /usr files),
as it is no longer needed, after the database file got its
own label:

 Date:   Wed Feb 16 07:24:34 2011 +0100
 patch to allow smartmon to read usr files
 37ba0d0437

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/smartmon.te |    1 -
 1 file changed, 1 deletion(-)
2023-09-06 17:12:48 +02:00
Russell Coker
4bd63b2b11 Comment sysfs better
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-07 00:52:24 +10:00
Guido Trentalancia
38fe903684 Include the X server tmpfs rw permissions in the X shared memory
write access tunable policy at the request of Christopher
PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
2023-09-06 15:58:29 +02:00
Chris PeBenito
02da19b0e9
Merge pull request #641 from gtrentalancia/mix_fixes_pr
Minor miscellaneous fixes for various policy modules
2023-09-06 08:46:40 -04:00
Chris PeBenito
c57e1f1a6d
Merge pull request #650 from gtrentalancia/xscreensaver_fixes_pr
Update the xscreensaver module in order to work with the latest version
2023-09-06 08:31:40 -04:00
Russell Coker
bc25ff1354 Fixed dependency on unconfined_t
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-06 21:12:23 +10:00
Russell Coker
2cf4a28321 iio-sensor-proxy (Debian package iio-sensor-proxy)
IIO sensors to D-Bus proxy
 Industrial I/O subsystem is intended to provide support for devices
 that in some sense are analog to digital or digital to analog convertors
 .
 Devices that fall into this category are:
  * ADCs
  * Accelerometers
  * Gyros
  * IMUs
  * Capacitance to Digital Converters (CDCs)
  * Pressure Sensors
  * Color, Light and Proximity Sensors
  * Temperature Sensors
  * Magnetometers
  * DACs
  * DDS (Direct Digital Synthesis)
  * PLLs (Phase Locked Loops)
  * Variable/Programmable Gain Amplifiers (VGA, PGA)

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-06 20:31:37 +10:00
Dave Sugar
be5a1e168e Allow iceauth write to xsession log
node=localhost type=AVC msg=audit(1689822970.302:4180): avc:  denied  { write } for  pid=2610 comm="iceauth" path="/home/toor/.xsession-errors" dev="dm-9" ino=129541 scontext=toor_u:staff_r:iceauth_t:s0 tcontext=system_u:object_r:xsession_log_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-05 16:58:19 -04:00
Guido Trentalancia
8ca93044b1 Update the xscreensaver module in order to work with
the latest version (tested with version 6.06).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/wm.if           |    4 +++
 policy/modules/apps/xscreensaver.fc |    1
 policy/modules/apps/xscreensaver.if |   46 ++++++++++++++++++++++++++++++++++++
 policy/modules/apps/xscreensaver.te |   16 ++++++++++--
 4 files changed, 65 insertions(+), 2 deletions(-)
2023-09-05 21:56:04 +02:00
Guido Trentalancia
6e965d40c2 Add permissions to watch libraries directories to the
userdomain login user template interface.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/userdomain.if |    1 +
 1 file changed, 1 insertion(+)
2023-09-05 21:27:05 +02:00
Guido Trentalancia
db408f7f17 Add the permissions to manage the fonts cache (fontconfig)
to the window manager role template.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/wm.if |    2 ++
 1 file changed, 2 insertions(+)
2023-09-05 21:27:05 +02:00
Guido Trentalancia
dbbfa9877e Add missing permissions to execute binary files for
the evolution_alarm_t domain.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/evolution.te |    2 ++
 1 file changed, 2 insertions(+)
2023-09-05 21:27:05 +02:00
Chris PeBenito
49420a8638
Merge pull request #643 from etbe/master
policy for eg25-manager to manage Quectel EG25 modem
2023-09-05 11:39:25 -04:00
Chris PeBenito
d2ee8ac352
Merge pull request #635 from gtrentalancia/main
The kernel domain should be able to mounton default and runtime directories
2023-09-05 11:06:35 -04:00
Chris PeBenito
20c53171b7
Merge pull request #645 from dsugar100/write_net_sysctl
To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
2023-09-05 11:00:02 -04:00
Chris PeBenito
66a480087a
Update eg25manager.te
Minor style fix.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-05 10:56:17 -04:00
Chris PeBenito
9fae196c53
Merge pull request #637 from gtrentalancia/pulseaudio_fixes_pr
Pulseaudio fixes
2023-09-05 10:48:48 -04:00
Guido Trentalancia
3eef4bc6fd Fix a security bug in the xserver module (interfaces)
which was wrongly allowing an interface to bypass existing
tunable policy logic related to X shared memory and
xserver tmpfs files write permissions.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
2023-09-03 17:40:30 +02:00
Guido Trentalancia
ad1f2d2ae3 Separate the tunable permissions to write xserver
tmpfs files from the tunable permissions to write
X server shared memory.

Indeed some applications such as vlc (media player)
only require the former, so this change opts for a
stricter, yet more customizable policy.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    7 +++++++
 policy/modules/services/xserver.te |    8 ++++++++
 2 files changed, 15 insertions(+)
2023-09-03 17:33:15 +02:00
Dave Sugar
970ef05e19 To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
node=localhost type=AVC msg=audit(1691097149.019:422): avc:  denied  { search } for  pid=2332 comm="sysctl" name="net" dev="proc" ino=11426 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1691097149.019:422): avc:  denied  { getattr } for  pid=2332 comm="sysctl" path="/proc/sys/net/netfilter/nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1691097149.020:423): avc:  denied  { write } for  pid=2332 comm="sysctl" name="nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1691097149.020:423): avc:  denied  { open } for  pid=2332 comm="sysctl" path="/proc/sys/net/netfilter/nf_conntrack_max" dev="proc" ino=23194 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-01 20:22:55 -04:00
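Several of the commits above (the sddm xkb_var_lib_t denials, the rsyslog setpcap denial, the systemd-hostnamed init_runtime_t denials, the system_dbusd_t USER_AVC records and the kmod_t sysctl denials) follow the same workflow: collect the audit records, group the denied permissions by source type, target type and object class, and only then decide what the fix is. The script below is an added example of that aggregation step, written for this page and not part of refpolicy or of any of the commits; it is a minimal stand-in for audit2allow that handles both kernel AVC records and the USER_AVC form where the avc text sits inside msg='...'. The sample input is copied from the commit messages on this page (with the separator debris in the USER_AVC line replaced by a space) plus one non-AVC rsyslog line to show it is skipped.

```python
"""Mini audit2allow: turn AVC / USER_AVC denial lines into candidate allow rules.

Added example, not refpolicy code. It groups denied permissions by
(source type, target type, object class), which is the step a policy author
does before deciding whether an allow rule, a relabel, or a new type is the
right fix.
"""
import re
from collections import defaultdict

# Matches the kernel-generated AVC record and the avc body of a USER_AVC record.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
# key=value pairs between "for" and "scontext="; values may be quoted and contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit line; returns None for lines that carry no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=0 means the access was really blocked, not just logged.
        "enforcing": m.group("permissive") == "0",
        "comm": fields.get("comm"),          # note: the kernel truncates comm to 15 chars
        "target": fields.get("path") or fields.get("name"),
    }


def aggregate(lines):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return grouped


def allow_rules(lines):
    """Render the aggregated denials as allow rules, using 'self' where stype == ttype."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(aggregate(lines).items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


# Sample input copied from the commit messages on this page; the last line is a
# non-AVC rsyslog message that the parser must ignore.
SAMPLE_LINES = [
    'Sep 13 14:57:10 localhost.localdomain audisp-syslog[1570]: node=localhost type=AVC msg=audit(1694617030.144:419): avc:  denied  { search } for  pid=1702 comm="sddm" name="sddm" dev="dm-10" ino=393297 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0',
    'Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc:  denied  { add_name } for  pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1',
    'Aug 28 19:01:43 localhost.localdomain audisp-syslog[1565]: node=localhost type=AVC msg=audit(1693249303.693:415): avc:  denied  { setpcap } for  pid=1722 comm="rsyslogd" capability=8 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0',
    'node=localhost type=AVC msg=audit(1689891544.345:413): avc:  denied  { read } for  pid=22094 comm="systemd-hostnam" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1',
    'node=localhost type=AVC msg=audit(1689891544.351:417): avc:  denied  { write } for  pid=22094 comm="systemd-hostnam" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1',
    "node=localhost type=USER_AVC msg=audit(1689811749.504:399): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=81 path=\"/usr/lib/systemd/system/systemd-hostnamed.service\" cmdline=\"/usr/bin/dbus-broker-launch --scope system --audit\" function=\"bus_unit_method_start_generic\" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=0 exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=?  terminal=?' UID=\"root\" AUID=\"unset\" AUID=\"root\" UID=\"root\" GID=\"dbus\" SAUID=\"root\"",
    'node=localhost type=AVC msg=audit(1691097149.019:422): avc:  denied  { search } for  pid=2332 comm="sysctl" name="net" dev="proc" ino=11426 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1',
    'Aug 28 19:01:43 localhost.localdomain rsyslogd[1722]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply',
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LINES):
        print(rule)
```

The generated rules are a starting point, not the answer: for the sddm lines the commit above chose to relabel /var/lib/sddm as xdm_var_lib_t rather than let xdm_t into xkb_var_lib_t, and the opasswd commit introduced a new shadow_history_t type instead of widening access to shadow_t. Checking the "enforcing" flag matters too, since a permissive=1 record only shows what would have been blocked.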
Russell Coker
810f333ac5 eg25-manager (Debian package eg25-manager) is a daemon aimed at configuring
and monitoring the Quectel EG25 modem on a running system. It is used on the
PinePhone (Pro) and performs the following functions:
  * power on/off
  * startup configuration using AT commands
  * AGPS data upload
  * status monitoring (and restart if it becomes unavailable)
Homepage: https://gitlab.com/mobian1/eg25-manager

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-01 20:15:13 +10:00
Guido Trentalancia
519fe6f81a Let pulseaudio search debugfs directories, as currently
done with other modules.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/pulseaudio.te |    1 +
 1 file changed, 1 insertion(+)
2023-08-31 16:35:01 +02:00
Guido Trentalancia
5b89b4120e Update the dbus role template so that permissions to get
the attributes of the proc filesystem are included.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/dbus.if |    2 ++
 1 file changed, 2 insertions(+)
2023-08-30 16:30:54 +02:00
Guido Trentalancia
5ff0aa1b61 Fix the dbus module so that temporary session named sockets
can be read and written in the role template and by system
and session bus clients.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.if |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
2023-08-30 16:19:27 +02:00
Guido Trentalancia
de026627fe Fix the dbus module so that automatic file type transitions
are used not only for files and directories, but also for
named sockets.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/dbus.te |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
2023-08-30 16:07:13 +02:00
Guido Trentalancia
1f5bd26210 Fix the pulseaudio module file transition for named
sockets in tmp directories.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/pulseaudio.te |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
2023-08-30 15:40:20 +02:00
Guido Trentalancia
911c02feef The pulseaudio module should be able to read alsa
library directories.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/pulseaudio.te |    1 +
 1 file changed, 1 insertion(+)
2023-08-30 15:39:44 +02:00
Guido Trentalancia
191f6d28e1 The kernel domain should be able to mounton default directories
during switch_root.

Corresponding suspicious permissions are removed from the init
domain, however this might need further testing on a wider number
of systems.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/kernel.te |    1 +
 policy/modules/system/init.te   |    4 ----
 2 files changed, 1 insertion(+), 4 deletions(-)
2023-08-24 21:34:52 +02:00
Guido Trentalancia
718139ca87 The kernel domain should be able to mounton runtime directories
during switch_root, otherwise parts of the boot process might
fail on some systems (for example, the udev daemon).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/kernel/kernel.te |    1 +
 1 file changed, 1 insertion(+)
2023-08-23 17:49:05 +02:00
Chris PeBenito
f3f761c4a8
Merge pull request #631 from dsugar100/label_pwhistory_helper
Label pwhistory_helper
2023-08-18 11:53:50 -04:00
Chris PeBenito
626848ad94
Merge pull request #632 from dsugar100/dbsud_var_lib_symlinks
If domain can read system_dbusd_var_lib_t files, also allow symlinks
2023-08-18 11:48:06 -04:00
Dave Sugar
e0970d55e6 systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option.
Need to allow this to open the file so the service starts properly.

node=localhost type=AVC msg=audit(1689883855.890:419): avc:  denied  { open } for  pid=1 comm="systemd" path="/dev/rfkill" dev="devtmpfs" ino=152 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1689883962.317:408): avc:  denied  { read write } for  pid=1 comm="systemd" name="rfkill" dev="devtmpfs" ino=152 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:52:15 -04:00
Dave Sugar
b128e7ea2d If domain can read system_dbusd_var_lib_t files, also allow symlinks
node=localhost type=AVC msg=audit(1689811752.145:511): avc:  denied  { read } for  pid=2622 comm="lightdm-gtk-gre" name="machine-id" dev="dm-10" ino=262170 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0
node=localhost type=AVC msg=audit(1689811752.404:514): avc:  denied  { read } for  pid=2629 comm="at-spi-bus-laun" name="machine-id" dev="dm-10" ino=262170 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:47:08 -04:00
Dave Sugar
9812e9c0ef Label pwhistory_helper
pwhistory_helper is executed by pam_pwhistory (as configured in
/etc/pam.d/system-auth).  It updates /etc/security/opasswd which contains
old passwords.  Label /etc/security/opasswd as shadow_t to control access.

node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { execute } for  pid=2667 comm="passwd" name="pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { read open } for  pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { execute_no_trans } for  pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { map } for  pid=2667 comm="pwhistory_helpe" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:45:13 -04:00
Chris PeBenito
97e35d8845
Merge pull request #626 from dsugar100/main
Allow local login to read /run/motd
2023-08-02 09:36:54 -04:00
Dave Sugar
a120ea8c25 Allow local login to read /run/motd
node=localhost type=AVC msg=audit(1689384764.155:53945): avc:  denied  { getattr } for  pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689384764.155:53946): avc:  denied  { read } for  pid=5125 comm="login" name="motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689384764.155:53946): avc:  denied  { open } for  pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-07-18 08:13:43 -04:00
Kenton Groombridge
f1e7404baa container: rework capabilities
Rework (primarily) non-namespaced capabilities. These accesses are
leftovers from earlier policy versions before the container module was
introduced that are most likely too coarse for most container
applications.

Put all non-namespaced capability accesses for containers behind
tunables, borrowing ideas from container-selinux. For the more
privileged capabilities (sysadmin, mknod), add a tunable to control both
namespaced and non-namespaced access to these operations.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-07-17 09:40:09 -04:00
Christian Schneider
26eb377014 systemd-generator: systemd_generator_t load kernel modules used for e.g. zram-generator
Fixes:
avc:  denied  { getsched } for  pid=171 comm="zram-generator" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1
avc:  denied  { execute } for  pid=173 comm="zram-generator" name="kmod" dev="sda2" ino=17417 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:kmod_exec_t tclass=file permissive=1

Signed-off-by: Christian Schneider <christian.schneider3@gmx.net>
2023-07-11 09:37:28 +02:00
Chris PeBenito
c6424be02d
Merge pull request #623 from fajs/psi_t
Add label and interfaces for kernel PSI files
2023-07-06 10:29:08 -04:00
Florian Schmidt
cf09279eab Add label and interfaces for kernel PSI files
The pressure stall information (PSI) special files in /proc/pressure
currently don't have a separate file context, and so default to proc_t.
Since users need read/write permissions to those files to use PSI, and
handing out blanket permissions to proc_t is strongly discouraged,
introduce a new proc_psi_t label, as well as interfaces for it.

Signed-off-by: Florian Schmidt <flosch@nutanix.com>
2023-07-05 15:21:46 +00:00
Renato Caldas
34cba22df8 kubernetes: allow kubelet to read /proc/sys/vm files.
Kubelet checks the value of '/proc/sys/vm/panic_on_oom' before starting.

Signed-off-by: Renato Caldas <renato@calgera.com>
2023-07-03 20:05:35 +01:00
Mathieu Tortuyaux
feaf607f3e
container: fix cilium denial
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2023-06-21 09:24:25 +02:00
Kenton Groombridge
6ac468d24e
chromium: allow chromium-naclhelper to create user namespaces
Closes: https://github.com/SELinuxProject/refpolicy/issues/605
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-05-25 16:58:06 -04:00
Chris PeBenito
429b26878b
Merge pull request #607 from bluca/mempressure
Add support for memory pressure notifications protocol
2023-05-18 09:13:34 -04:00
Grzegorz Filo
80d52aa4f6 Keep context of blkid file/dir when created by zpool.
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-15 19:33:41 +02:00
Chris PeBenito
8f563f58ea
Merge pull request #615 from plsph/zfs-dir-transition
Dir transition goes with dir create perms.
2023-05-03 09:31:45 -04:00
Chris PeBenito
9ef053d6c5
Merge pull request #614 from plsph/initrc-zfs-config
Allow initrc_t read zfs config files.
2023-05-03 09:27:25 -04:00
Grzegorz Filo
d769f31966 Dir transition goes with dir create perms.
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-03 10:54:59 +02:00
Grzegorz Filo
232b4ab271 Shell functions used during boot by initrc_t shall be bin_t and defined in corecommands.fc
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-03 09:42:34 +02:00
Pat Riehecky
f52070b3cf container: set default context for local-path-provisioner
The kubernetes local-path-provisioner uses either
/opt/local-path-provisioner or
/var/local-path-provisioner for its physical volumes

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2023-04-28 15:16:46 -05:00
Chris PeBenito
ad527f9f62
Merge pull request #592 from montjoie/update-smart-drivedb
fsadm: add domain for update-smart-drivedb
2023-04-17 10:23:49 -04:00
Chris PeBenito
218c42f592
Merge pull request #608 from montjoie/dovecot
dovecot: add missing permissions
2023-04-17 10:17:53 -04:00
Corentin LABBE
ac6b47c71d dovecot: add missing permissions
I use dovecot for IMAP hosting and several rules are missing.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-04-11 10:51:03 +02:00
Corentin LABBE
cb068f09d2 smartmon: add domain for update-smart-drivedb
update-smart-drivedb is fsadm_t-like but with access to the network.
Since it does network access and doesn't access any hardware, let's add its own domain.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-04-11 10:31:52 +02:00
Chris PeBenito
7831981d0d
Merge pull request #609 from freedom1b2830/master
path marking for vlc(mplayer_t)
2023-04-06 09:41:39 -04:00
freedom1b2830
a098f2bd52
mplayer:vlc paths
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
2023-04-05 17:07:43 +00:00
Guido Trentalancia
8f7064490d The pulseaudio daemon and client do not normally need to use
the network for most computer systems that need to play and
record audio.

So, network access by pulseaudio should normally be restricted.

This patch restricts all network access by using tunable policy
and a new boolean to control it.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/pulseaudio.te |   47 ++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 17 deletions(-)
2023-04-05 16:06:19 +02:00
Luca Boccassi
d0d4e8fd73 systemd: allow daemons to access memory.pressure
These services are hooked up to the memory.pressure interface, so
allow them to access the file.

Jan 26 08:12:21 localhost audit[202]: AVC avc:  denied  { getattr } for  pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[379]: AVC avc:  denied  { getattr } for  pid=379 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:01 localhost audit[475]: AVC avc:  denied  { getattr } for  pid=475 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:02 localhost audit[491]: AVC avc:  denied  { getattr } for  pid=491 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:02 localhost audit[490]: AVC avc:  denied  { write } for  pid=490 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[202]: AVC avc:  denied  { getattr } for  pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[382]: AVC avc:  denied  { getattr } for  pid=382 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[479]: AVC avc:  denied  { getattr } for  pid=479 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[493]: AVC avc:  denied  { getattr } for  pid=493 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[492]: AVC avc:  denied  { write } for  pid=492 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[204]: AVC avc:  denied  { getattr } for  pid=204 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[316]: AVC avc:  denied  { getattr } for  pid=316 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[359]: AVC avc:  denied  { getattr } for  pid=359 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[350]: AVC avc:  denied  { write } for  pid=350 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[203]: AVC avc:  denied  { getattr } for  pid=203 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[312]: AVC avc:  denied  { getattr } for  pid=312 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[351]: AVC avc:  denied  { getattr } for  pid=351 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[342]: AVC avc:  denied  { write } for  pid=342 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[201]: AVC avc:  denied  { open } for  pid=201 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 13 17:00:57 localhost audit[490]: AVC avc:  denied  { open } for  pid=490 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:02:11 +00:00
Luca Boccassi
6ecba6ff80 systemd: also allow to mounton memory.pressure
Mar 15 22:15:35 localhost audit[1607]: AVC avc:  denied  { mounton } for  pid=1607 comm="(esetinfo)" path="/run/systemd/unit-root/sys/fs/cgroup/system.slice/socresetinfo.service/memory.pressure" dev="cgroup2" ino=2522 scontext=system_u:system_r:init_t tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=1

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:00:48 +00:00
Luca Boccassi
6dd2c3bcd1 Add separate label for cgroup's memory.pressure files
Required to enable notifications on memory pressure events, need to
write to the file to start receiving them. This will be used by all
systemd daemons, and eventually external daemons that subscribe to the
same interface too.

See: https://github.com/systemd/systemd/blob/main/docs/MEMORY_PRESSURE.md

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:00:48 +00:00
Yi Zhao
c75a32f2be systemd: allow systemd-resolved to search directories on tmpfs and ramfs
Fixes:
avc:  denied  { search } for  pid=233 comm="systemd-resolve" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1

avc:  denied  { search } for  pid=233 comm="systemd-resolve" name="/"
dev="ramfs" ino=813 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:ramfs_t tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-03-15 10:57:55 +08:00
Chris PeBenito
7416ac14f9
Merge pull request #603 from 0xC0ncord/various-20230224
More various fixes
2023-03-13 09:18:13 -04:00
Kenton Groombridge
9b4e8bd875 kubernetes: allow kubelet to read etc runtime files
To read /etc/machine-id.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
bf546e4c4f glusterfs: allow glusterd to bind to all TCP unreserved ports
Port 32767 seems to be needed by glfs_timer

type=SYSCALL msg=audit(1678151692.991:193): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1678151692.991:193): avc:  denied  { name_bind } for pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
228e8e3f15 fstools: allow fsadm to read utab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
6ad1768065 raid: allow mdadm to create generic links in /dev/md
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
69e6c33c46 raid: allow mdadm to read udev runtime files
This fixes this AVC:

avc:  denied  { getattr } for  pid=2238 comm="mdadm" path="/run/udev" dev="tmpfs" ino=52 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
edef7a8469 init: allow initrc_t to create netlink_kobject_uevent_sockets
Needed by rdma-rdd, which is automatically started by udev when an RDMA
device with a node description is present.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
5b0aa89da7 systemd: allow systemd-resolved to bind to UDP port 5353
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
9307110277 init: allow systemd-init to set the attributes of unallocated terminals
type=AVC msg=audit(1678150061.367:292): avc:  denied  { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
104e2014ea fs, init: allow systemd-init to set the attributes of efivarfs files
avc:  denied  { setattr } for  pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
48af8ca656 systemd: allow systemd-pcrphase to read generic certs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
20fbb550b7 systemd: add rules for systemd-zram-generator
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
716f47dbd5 files, systemd: allow systemd-tmpfiles to relabel config file symlinks
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge
eed80c888c logging, systemd: allow relabelfrom,relabelto on systemd journal
files by systemd-journald

journald's journal-offline will relabel log files. It should be noted
however that this happens even if the files already have the correct
label.

avc:  granted  { relabelfrom } for  pid=11440 comm="journal-offline" name=".#system@97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
avc:  granted  { relabelto } for  pid=11440 comm="journal-offline" name=".#system@97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:58 -05:00
Chris PeBenito
f625d5b788
Merge pull request #579 from montjoie/portage-misc
portage: add misc missing rules
2023-03-10 14:58:38 -05:00
Kenton Groombridge
02e558be0f fs, udev: allow systemd-udevd various cgroup perms
Needed for systemd-udevd to create files under
/sys/fs/cgroup/system.slice/systemd-udevd.service/udev

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:32:41 -05:00
Kenton Groombridge
dea2090ac3 logging: allow systemd-journald to list cgroups
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge
d1593345df systemd: allow systemd-userdbd to getcap
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge
5ad60847c6 init: allow initrc_t to getcap
Many AVCs are observed on a systemd system and various services.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge
9af88f2bf7 init, systemd: allow init to create userdb runtime symlinks
At boot, systemd-init will create symlinks in /run/systemd/userdb. This
fixes these AVCs:

avc:  denied  { create } for  pid=1 comm="systemd" name="io.systemd.NameServiceSwitch" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
avc:  denied  { create } for  pid=1 comm="systemd" name="io.systemd.DropIn" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:46 -05:00
Kenton Groombridge
079de3d496 various: make /etc/machine-id etc_runtime_t
This file is updated at boot by systemd.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
064a66c509 init: make init_runtime_t usable for systemd units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
011aadef16 zfs: add runtime filetrans for dirs
Needed by zfs recv.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
18c1eeb654 zfs: allow sending signals to itself
Required for zfs snapshot.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
214149b637 kernel, zfs: add filetrans for kernel creating zpool cache file
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
1d8b309808 netutils: fixes for iftop
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
181077dd47 podman, selinux: move lines, add missing rules for --network=host
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
1aab07e154 redis: add missing rules for runtime filetrans
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
eaf9f15d35 node_exporter: various fixes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
6894aaa796 container: fixes for podman run --log-driver=passthrough
The --log-driver=passthrough argument is used by default for units
generated by quadlet. Without this access, containers started through
systemd in this way will not be able to send logs to the journal.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
d2ec3ce6e4 container: fixes for podman 4.4.0
podman now creates a lock file in /run/containers and will fail to run
if this is not allowed.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge
f27b6fcc5e container, init, systemd: add policy for quadlet
quadlet is a systemd generator provided by podman which generates
runtime units from "template" container units.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Chris PeBenito
86a7f884a5
Merge pull request #601 from yizhao1/fixes
Systemd fixes
2023-03-10 09:05:00 -05:00
Corentin LABBE
a25a1a3056 smartmon: allow smartd to read fsadm_db_t files
On gentoo, smartd needs to access fsadm_db_t files.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-03-08 21:17:52 +01:00
Chris PeBenito
313d8f46d6 container: Allow user namespace creation for all container engines.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-07 09:54:48 -05:00
Chris PeBenito
e1a6199384 systemd: Allow user namespace creation.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-07 09:54:48 -05:00
Chris PeBenito
de41a207b9 mozilla: Allow user namespace creation.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-02 15:59:49 -05:00
Chris PeBenito
ffd80c42c9 chromium: Allow user namespace creation.
closes #600

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-02 09:02:03 -05:00
Yi Zhao
5e6fad9e4c systemd: allow systemd-sysctl to search directories on ramfs
Fixes:
avc:  denied  { search } for  pid=170 comm="systemd-sysctl" name="/"
dev="ramfs" ino=14098 scontext=system_u:system_r:systemd_sysctl_t
tcontext=system_u:object_r:ramfs_t tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-03-02 19:06:39 +08:00
Yi Zhao
3b1d4e715e systemd: add capability sys_resource to systemd_userdbd_t
Fixes:
avc:  denied  { sys_resource } for  pid=316 comm="(sd-worker)"
capability=24  scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:systemd_userdbd_t tclass=capability
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-03-02 18:59:16 +08:00
Luca Boccassi
bf11e1b229 Set label systemd-oomd
Feb 24 19:02:53 localhost audit[1664]: AVC avc:  denied  { write } for  pid=1664 comm="systemd-oomd" path=2F6D656D66643A646174612D6664202864656C6574656429 dev="tmpfs" ino=2051 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1

Needs to manage cgroups and kill processes, so make it init_exec_t

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-02-27 16:43:49 +00:00
Chris PeBenito
aedf310cdb
Merge pull request #598 from desultory/master
Added interface: sysnet_dontaudit_rw_dhcpc_dgram_sockets
2023-02-13 10:06:16 -05:00
Chris PeBenito
cbde619aaf
sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-02-13 09:38:00 -05:00
George Zenner
105e623ee8 Signed-off-by: George Zenner <zen@pyl.onl>
modified:   policy/modules/system/sysnetwork.if
2023-02-10 15:45:09 -06:00
Kenton Groombridge
7ec913312b container: add missing filetrans and filecon for containerd/docker
Add a missing file transition for the docker socket in /run as well as a
missing file context for /var/log/containerd.

Thanks-to: zen_desu
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-02-10 13:33:16 -05:00
Chris PeBenito
307c617d45 lvm: Add fc entry for /etc/multipath/*
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-02-08 08:09:30 -05:00
Chris PeBenito
1bca60bcd3 iscsi: Read initiatorname.iscsi.
This is normally created by iscsi-init.service.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-02-07 16:02:01 -05:00
Chris PeBenito
d7b0388d35
Merge pull request #593 from montjoie/run_init_sysctl
selinuxutil: permit run_init to read kernel sysctl
2023-02-02 09:14:14 -05:00
Chris PeBenito
06d97b7e0b
Merge pull request #583 from montjoie/mandb-cron
mandb: permit to read inherited cron files
2023-02-02 09:04:01 -05:00
Corentin LABBE
3bf53039eb portage: add misc missing rules
Add missing rules for portage I encountered while emerging or just calling gcc-config

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-31 08:22:39 +01:00
David Sommerseth
a78f4ac1fb
openvpn: Allow netlink genl
OpenVPN 2.6 can use an OpenVPN specific kernel module to handle the VPN
data channel.  The communication via userspace and kernel space happens
over a generic netlink interface.

Without this access, the following denials can be found in the logs

  [...] denied  { create } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { setopt } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { bind } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { getattr } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket

Signed-off-by: David Sommerseth <davids@openvpn.net>
2023-01-27 09:50:22 +01:00
Corentin LABBE
727fe91a40 selinuxutil: permit run_init to read kernel sysctl
When restarting services with run_init, I got some AVC due to run_init reading /proc/sys/kernel/cap_last_cap

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-25 21:33:13 +01:00
Chris PeBenito
7fd7f67eb8
Merge pull request #590 from pebenito/tmpfiles-bug
systemd: Tmpfilesd can correct seusers on files.
2023-01-18 09:19:42 -05:00
Chris PeBenito
8aa2f1d582
Merge pull request #589 from montjoie/portage-gh-svn-new
portage: add missing go/hg context in new distfiles location
2023-01-17 09:30:48 -05:00
Chris PeBenito
ffc581d9b9
Merge pull request #585 from montjoie/selinuxutil-loadpolicy-portage
selinuxutil: permit load_policy to use portage ptys
2023-01-17 09:26:54 -05:00
Chris PeBenito
c1a352a615 systemd: Tmpfilesd can correct seusers on files.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-01-17 09:22:22 -05:00
Corentin LABBE
b06c8a0a4c selinuxutil: do not audit load_policy trying to use portage ptys
Each time portage builds and installs a new SELinux policy I got the following AVC:
allow load_policy_t portage_devpts_t:chr_file { read write };

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-17 07:40:44 +01:00
Corentin LABBE
6732acf8b7 mandb: permit to read inherited cron files
Each night /etc/cron.daily/man-db generates some AVC:
allow mandb_t system_cronjob_tmp_t:file { read write };

Add the necessary rules for it.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-17 07:28:19 +01:00
Corentin LABBE
868cc9f440 portage: add missing go/hg context in new distfiles location
The go/hg source file contexts are added in the old portage distfiles location,
but are missing in the new one.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-17 07:25:35 +01:00
Chris PeBenito
8bf564f1bb
Merge pull request #582 from montjoie/groupadd
usermanage: permit groupadd to read kernel sysctl
2023-01-11 16:48:09 -05:00
Chris PeBenito
02a38abf1a
Merge pull request #586 from montjoie/gentoo-port-portagefc
Gentoo port portagefc
2023-01-11 08:43:33 -05:00
Corentin LABBE
d7f25ea35b portage: add new location for portage commands
Many portage command locations are missing; add them following the gentoo SELinux repo.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-10 10:17:15 +01:00
Corentin LABBE
51f52b56d7 portage: add go/hg source control files
Add locations under /usr/portage/ as portage_srcrepo_t for the mercurial and go sources.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-10 10:17:15 +01:00
Corentin LABBE
17f81aa065 portage: Remove old binary location
/usr/lib/portage/bin is not used anymore

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-10 10:17:15 +01:00
Kenton Groombridge
a07dbbccf3 portage: label eix cache as portage_cache_t
Closes: https://github.com/perfinion/hardened-refpolicy/pull/10
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
2023-01-10 10:17:15 +01:00
Corentin LABBE
4e81910cce usermanage: permit groupadd to read kernel sysctl
When using groupadd, I got some AVC due to groupadd reading /proc/sys/kernel/cap_last_cap

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-09 09:33:10 +01:00
Chris PeBenito
e235fd2065
Merge pull request #580 from montjoie/munin-node-fc
munin: add fc for munin-node plugin state
2023-01-06 10:10:59 -05:00
Chris PeBenito
19da71e5c6
munin: Whitespace change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-01-06 09:58:09 -05:00
Corentin LABBE
c9cdcc7704 munin: add fc for munin-node plugin state
Gentoo deploys the munin-node plugin state in /var/lib/munin-node

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-05 16:46:28 +01:00
Chris PeBenito
c594d3b803
Merge pull request #573 from montjoie/rsyslog-empty-dev
rsyslog: add label for /var/empty/dev/log
2023-01-05 08:43:12 -05:00
Chris PeBenito
7f12646e5b
Merge pull request #576 from montjoie/munin-disk-smart-run
munin: disk-plugin: transition to fsadm
2023-01-04 16:42:31 -05:00
Chris PeBenito
fa7f795539
munin: Move munin_rw_tcp_sockets() implementation.
No rule changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-01-04 14:32:19 -05:00
Chris PeBenito
ccbfadcd42
Merge pull request #575 from montjoie/munin-plugin-common-pr
munin: add file context for common functions file
2023-01-04 10:04:32 -05:00
Corentin LABBE
e9a4a12023 munin: disk-plugin: transition to fsadm
The smart_ plugin currently executes smartctl in the disk_munin_plugin_t domain,
but a lot of rules are still missing for correct smartctl execution.
Instead of duplicating most of the fsadm rules, it is easier to transition to the correct domain.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-04 15:49:38 +01:00
Corentin LABBE
31f6577765 rsyslog: add label for /var/empty/dev/log
On gentoo, starting rsyslog gives this:
allow syslogd_t var_t:dir { add_name remove_name };
allow syslogd_t var_t:sock_file { create setattr unlink };

This is due to the following piece of code in configuration:
"""
 Create an additional socket for the default chroot location
 (used by net-misc/openssh[hpn], see https://bugs.gentoo.org/490744)
 input(type="imuxsock" Socket="/var/empty/dev/log")
"""

So let's add the correct label for this file.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-04 15:41:46 +01:00
Corentin LABBE
42a038719c munin: add file context for common functions file
Some Munin plugins need to read the plugin.sh file providing common functions.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-04 15:16:07 +01:00
Chris PeBenito
95d5195d8c
Merge pull request #578 from montjoie/mcelog-bin
mcelog: add missing file context for triggers
2023-01-03 13:38:41 -05:00
Corentin LABBE
95db1dda8d mcelog: add missing file context for triggers
I got the following AVC:
allow mcelog_t mcelog_etc_t:file execute;

This is due to some triggers not being set as bin_t:
-rwxr-xr-x. 1 root root system_u:object_r:bin_t         801 nov.   1 19:11 bus-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t        1035 nov.   1 19:11 cache-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t        1213 nov.   1 19:11 dimm-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t         742 nov.   1 19:11 iomca-error-trigger
-rw-r-----. 1 root root system_u:object_r:mcelog_etc_t 7415 nov.   1 19:11 mcelog.conf
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1209 nov.   1 19:11 page-error-counter-replacement-trigger
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1656 nov.   1 19:11 page-error-post-sync-soft-trigger
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1640 nov.   1 19:11 page-error-pre-sync-soft-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t        1308 nov.   1 19:11 page-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t        1057 nov.   1 19:11 socket-memory-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t         947 nov.   1 19:11 unknown-error-trigger

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-03 09:22:11 +01:00
Corentin LABBE
207b09a656 mount: dbus interface must be optional
On gentoo, when emerging selinux-base-policy, the post install (loading policy) fails due to a missing type.
This is due to mount.te using a dbus interface while the dbus module is not present.
Fix this by making the dbus interface optional.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2022-12-28 09:04:59 +01:00
Chris PeBenito
eca2a04638 fstools: Move lines.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-12-13 10:06:06 -05:00
Chris PeBenito
3c93ad9d70
Merge pull request #562 from montjoie/smartmon-drivedbh
fstools: handle gentoo place for drivedb.h
2022-12-13 10:01:17 -05:00
Corentin LABBE
3d4e2deda5 fstools: handle gentoo place for drivedb.h
On a gentoo-hardened+selinux system, I got a denial from fsadm_t reading var_t.
This is due to smartctl trying to read /var/db/smartmontools/drivedb.h

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2022-12-12 21:04:37 +01:00
Chris PeBenito
50f2c7ad05
Merge pull request #566 from 0xC0ncord/various-20221207
Some more various fixes
2022-12-12 10:47:43 -05:00
Kenton Groombridge
a364dd4e2a various: fixes for libvirtd and systemd-machined
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:36:11 -05:00
Kenton Groombridge
2354b4f1be postfix, sasl: allow postfix smtp daemon to read SASL keytab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:36:11 -05:00
Kenton Groombridge
d38a21388f various: use mmap_manage_file_perms
Replace instances of manage_file_perms and map with
mmap_manage_file_perms

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:36:11 -05:00
Kenton Groombridge
52e90d4b49 sasl: add filecon for /etc/sasl2 keytab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
9290f196e7 postfix: allow postfix master to map data files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
22ece2b57e container: allow container admins the sysadm capability in user
namespaces

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
810cc48197 userdom: allow admin users to use tcpdiag netlink sockets
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
7662001300 podman: allow podman to stop systemd transient units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
e59404bd44 init, sysadm: allow sysadm to manage systemd runtime units
On systemd 252, mount units generated from /etc/fstab result in services
labeled init_runtime_t. Allow sysadm to manage these services.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
d96b591a70 logging: allow domains sending syslog messages to connect to kernel unix
stream sockets

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
d34dd9571e filesystem, init: allow systemd to setattr on ramfs dirs
This is needed by systemd-creds on system boot. Without this access,
many services fail to start. Observed on systemd-252 on Gentoo.

type=PROCTITLE msg=audit(1670295099.238:180306): proctitle="(sd-mkdcreds)"
type=PATH msg=audit(1670295099.238:180306): item=0 name=(null) inode=16711 dev=00:2c mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1670295099.238:180306): cwd="/"
type=SYSCALL msg=audit(1670295099.238:180306): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=140 a2=77fb64c2bd90 a3=e9dbd3ce8cce3dba items=1 ppid=23082 pid=23083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-mkdcreds)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1670295099.238:180306): avc:  denied  { setattr } for  pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
a6db7cb87f container: add rules required for metallb BGP speakers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
b85d3f673d netutils: minor fixes for nmap and traceroute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
26f9727760 hddtemp: add missing rules for interactive usage
Add missing rules required for hddtemp admins to interactively run
hddtemp.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Russell Coker
d55395c1a3 This patch removes deprecated interfaces that were deprecated in the 20210203
release.  I think that 2 years of support for a deprecated interface is
enough and by the time we have the next release out it will probably be more
than 2 years since 20210203.

I think this is ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-12-12 10:32:09 -05:00
Kenton Groombridge
d4ee0d3c29 systemd: add policy for systemd-pcrphase
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:05:00 -05:00
Russell Coker
3ca0cd59d7 This patch removes deprecated interfaces that were deprecated in the 20210203
release.  I think that 2 years of support for a deprecated interface is
enough and by the time we have the next release out it will probably be more
than 2 years since 20210203.

I think this is ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-12-08 18:35:27 +11:00
Corentin LABBE
090f4ca18e udev: permit to read hwdb
On a gentoo system with openRC, udev is denied reading hwdb.
In the current policy, reading hwdb is only allowed for systems with systemd.

In fact it is a common action (beyond openrc/systemd), so the rules for reading it must be global.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2022-12-01 20:36:09 +01:00
Dave Sugar
ef6857944d rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
node=localhost type=AVC msg=audit(1669206851.792:438): avc:  denied  { getattr } for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { read } for  pid=1008 comm="rngd" name="opensslcnf.config" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { open } for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

rngd now drops privileges rather than having user/group set in the .service file:
node=localhost type=AVC msg=audit(1669206851.856:440): avc:  denied  { setgid } for  pid=1008 comm="rngd" capability=6 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.881:441): avc:  denied  { setuid } for  pid=1008 comm="rngd" capability=7 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.910:442): avc:  denied  { setcap } for  pid=1008 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-11-23 09:03:31 -05:00
Kenton Groombridge
fb835d04d3 container: correct admin_pattern() usage
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
c7a0cc0cd2 container: add tunable to allow spc to use tun-tap devices
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
d9314aeb24 container, miscfiles: transition to s0 for public content created by containers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
d4c5bd96c8 various: allow using glusterfs as backing storage for k8s
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
3b3d3715c9 container, kubernetes: add rules for device plugins running as spc
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
6c2124d5ae container: add tunable to use dri devices
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
3ae0575114 container, kubernetes: add private type for generic container devices
/dev/termination-log is one such generic file created in containers'
/dev filesystems. Add a private type for objects created in /dev for
containers instead of using the generic device type.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
9216a7a7f1 container: add tunable to allow containers to use huge pages
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
dc66fd7238 container, kernel: add tunable to allow spc to create NFS servers
OpenEBS' dynamic NFS provisioner uses a privileged container to
dynamically provision persistent volumes and create an NFS server for it
so that it can be served across different nodes. Add a tunable to allow
this access.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
cd929e846b various: fixes for kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:15 -05:00
Kenton Groombridge
1512723b36 kubernetes: add policy for kubectl
Add a private type for kubectl because kubectl edit will invoke a text
editor for editing. This execution should transition back to the user
domain.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 14:25:52 -04:00
Kenton Groombridge
141971a291 various: fixes for kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 14:25:52 -04:00
Kenton Groombridge
466ea4b323 container: add type for container plugins
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:15 -04:00
Kenton Groombridge
16a928df4e crio, kubernetes: allow k8s admins to run CRI-O
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:15 -04:00
Kenton Groombridge
12590a88d6 crio: new policy module
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:15 -04:00
Kenton Groombridge
f1718529d2 sysadm: allow running kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:15 -04:00
Kenton Groombridge
d387288693 kubernetes: initial policy module
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-04 13:55:14 -04:00
Kenton Groombridge
79aeab71c8 corenet: add portcon for kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-03 17:33:14 -04:00
Yi Zhao
c57259582d systemd: add capability sys_admin to systemd_generator_t
Fixes:
systemd-gpt-auto-generator[116]: Failed to dissect: Permission denied
systemd[112]: /lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

avc:  denied  { sys_admin } for  pid=116 comm="systemd-gpt-aut"
capability=21  scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
tcontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 tclass=capability permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-11-01 14:01:50 +08:00
Yi Zhao
72399fc077 systemd: allow systemd-hostnamed to read selinux configuration files
Fixes:
systemd[1]: Starting Hostname Service...
systemd-hostnamed[395]: Failed to initialize SELinux labeling handle: No such file or directory
systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-hostnamed.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Hostname Service.

avc:  denied  { read } for  pid=341 comm="systemd-hostnam" name="config"
dev="vda" ino=345 scontext=system_u:system_r:systemd_hostnamed_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-11-01 14:01:50 +08:00
Yi Zhao
d4b19952c2 systemd: allow systemd-rfkill to get attributes of all fs
Fixes:
avc:  denied  { getattr } for  pid=238 comm="systemd-rfkill" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-11-01 14:01:50 +08:00
Yi Zhao
c98bb9c716 systemd: allow systemd-backlight to read kernel sysctl settings
Fixes:
avc:  denied  { read } for  pid=359 comm="systemd-backlig" name="osrelease"
dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

avc:  denied  { open } for  pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease"
dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

avc:  denied  { getattr } for  pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease"
dev="proc" ino=1457 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

avc:  denied  { ioctl } for  pid=359 comm="systemd-backlig" path="/proc/sys/kernel/osrelease"
dev="proc" ino=1457 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

avc:  denied  { getattr } for  pid=359 comm="systemd-backlig" name="/" dev="tmpfs" ino=1
scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1

avc:  denied  { search } for  pid=359 comm="systemd-backlig" name="/" dev="tmpfs" ino=1
scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=359 comm="systemd-backlig" name="/" dev="cgroup2" ino=1
scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-31 15:54:10 +08:00
Yi Zhao
31a32f53ee rpm: add label for dnf-automatic and dnf-3
Now dnf is a symlink to dnf-3, and dnf-automatic is a symlink to
dnf-automatic-3. Add rpm_exec_t label for them.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-31 15:38:14 +08:00
Yi Zhao
6ed9c66d62 sysnetwork: allow dhcpcd to send and receive messages from systemd resolved
dhcpcd can send DNS information to systemd-resolved to update
resolv.conf.

Fixes:
avc:  denied  { send_msg } for msgtype=method_call
interface=org.freedesktop.resolve1.Manager member=RevertLink
dest=org.freedesktop.resolve1 spid=340 tpid=345
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
tclass=dbus permissive=0

avc:  denied  { send_msg } for msgtype=method_return dest=:1.6 spid=345
tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-27 18:54:51 +08:00
Yi Zhao
77fd73e6b8 sysnetwork: fix privilege separation functionality of dhcpcd
Fixes:
dhcpcd[410]: ps_dropprivs: chroot: /var/lib/dhcpcd: Operation not permitted
dhcpcd[410]: failed to drop privileges: Operation not permitted
dhcpcd[264]: setrlimit RLIMIT_NOFILE: Permission denied
dhcpcd[264]: setrlimit RLIMIT_NPROC: Permission denied

avc:  denied  { sys_chroot } for  pid=332 comm="dhcpcd" capability=18
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setgid } for  pid=332 comm="dhcpcd" capability=6
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setuid } for  pid=332 comm="dhcpcd" capability=7
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
permissive=0

avc:  denied  { setrlimit } for  pid=332 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
permissive=0

avc:  denied  { getattr } for  pid=330 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-27 18:54:51 +08:00
Yi Zhao
b1f16bf755 systemd: allow systemd-resolved to manage link files
systemd-resolved may create a symlink stub-resolv.conf pointing to
resolv.conf under the /run/system/resolve directory.

Fixes:
avc:  denied  { create } for  pid=329 comm="systemd-resolve"
name=".#stub-resolv.conf53cb7f9d1e3aa72b"
scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-27 18:54:51 +08:00
Yi Zhao
44873ba42a watchdog: allow watchdog to create /var/log/watchdog directory
Allow watchdog to create log directory with correct label.

Fixes:
avc: denied { create } for pid=315 comm="watchdog" name="watchdog"
scontext=system_u:system_r:watchdog_t tcontext=system_u:object_r:var_log_t
tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-19 15:42:43 +08:00
Chris PeBenito
8b3fee99c0
Merge pull request #555 from pebenito/container-engine-udp-bind
container: Add missing UDP node bind access on container engines.
2022-10-17 11:04:13 -04:00
Yi Zhao
93575af48c udev: allow udev_read_runtime_files to read link files
There are some link files under the /run/udev directory:
$ ls -lZ /run/udev/static_node-tags/uaccess/
total 0
lrwxrwxrwx. 1 root root system_u:object_r:udev_runtime_t:SystemLow 12 Oct 16 08:32 'snd\x2fseq' -> /dev/snd/seq
lrwxrwxrwx. 1 root root system_u:object_r:udev_runtime_t:SystemLow 14 Oct 16 08:32 'snd\x2ftimer' -> /dev/snd/timer

Fixes:
avc:  denied  { read } for  pid=297 comm="systemd-logind"
name="snd\x2fseq" dev="tmpfs" ino=125
scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=lnk_file
permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-10-16 16:54:33 +08:00
Chris PeBenito
5399afbc7d container: Add missing UDP node bind access on container engines.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-12 09:40:50 -04:00
Chris PeBenito
cc2d06a20f
Merge pull request #554 from pebenito/sympa
Add sympa mail list manager
2022-10-12 08:36:53 -04:00
Kenton Groombridge
4f157b5f63 rpc: allow rpc admins to rw nfsd fs
Seen when using exportfs.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-10 13:50:07 -04:00
Chris PeBenito
accdce94a2 sympa, logging; Fix lint errors.
Logging is from new append_inherited_file_perms set.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-10 10:39:05 -04:00
Chris PeBenito
3fd5341bff sympa, mta, exim: Revise interfaces.
Revise interfaces added as part of sympa work.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-10 10:25:17 -04:00
Chris PeBenito
be2ba4e473 sympa: Drop module version.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-10 10:15:16 -04:00
Chris PeBenito
6a0a90065e sympa: Move lines.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-10-10 10:15:16 -04:00
Russell Coker
ef70117066 Sympa list server
Policy for the Sympa mailing list server.

I think this is ready to merge, it works well.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-10-10 09:29:42 -04:00
Kenton Groombridge
d4f3b21e18 systemd: allow systemd-generator to use dns resolution
systemd-generator will create mount units for NFS shares in /etc/fstab,
but will need to use DNS resolution if those fstab entries use
hostnames.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-08 21:09:56 -04:00