Chris PeBenito
d698a5594c
filesystem: Move ecryptfs interface definitions.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-06-03 15:25:59 -04:00
Chris PeBenito
45f1a0d54e
Merge pull request #509 from jcpunk/container-ecryptfs
container: Boolean for ecryptfs
2022-06-03 11:39:26 -04:00
Pat Riehecky
9ad002b0f9
container: Boolean for ecryptfs
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2022-06-03 08:48:56 -05:00
Chris PeBenito
d1c15b2c21
Merge pull request #507 from pebenito/various-updates-20220524
Various updates 20220524
2022-05-26 11:00:22 -04:00
Chris PeBenito
d767ebfef0
systemd: Misc updates.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
16badfa641
application: Allow apps to use init fds.
This is needed for console/serial logins:
avc: denied { use } for pid=767 comm="semodule" path="/dev/ttyS0"
dev="devtmpfs" ino=83
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
136d1b724b
container: Getattr generic device nodes.
There should be no device_t device nodes, but add access in case they
exist. Saw containerd fail to start containers if it couldn't stat() all
devices.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
1caf5c6dc1
container: Allow container engines to connect to http cache ports.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
9185562849
systemd: Fixes for coredumps in containers.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
b2f352e2ee
files: Make etc_runtime_t a config file.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
38d43bd770
files: Add prerequisite access for files_mounton_non_security().
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
75c5a4c050
storage: Add fc for /dev/ng*n* devices.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
a4f4bc6fb8
devices: Add type for infiniband devices.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
f8739276a5
iptables: Ioctl cgroup dirs.
avc: denied { ioctl } for pid=7230 comm="ip6tables" path="/sys/fs/cgroup" dev="cgroup2" ino=1
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
80683a4f0f
devices: Add file context for /dev/vhost-vsock.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
38cc32be73
devices: Add type for SAS management devices.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito
a042bc5aa7
container, docker: Fixes for containerd and kubernetes testing.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:48 -04:00
Chris PeBenito
e0784b866d
isns: Updates from testing.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:17:03 -04:00
Chris PeBenito
39657b7f61
systemd: Misc fixes.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:17:03 -04:00
Chris PeBenito
ca0d6b74b5
locallogin: Use init file descriptors.
Without this, some systems have slow or broken console login.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:16:56 -04:00
Chris PeBenito
3fe6f270e3
lvm: Updates for multipath LVM.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 13:13:04 -04:00
Chris PeBenito
05e386bcb3
unconfined: Add missing capability2 perms.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 11:09:24 -04:00
Chris PeBenito
a4534a76bb
systemd: Remove systemd-run domain.
This command should be run with the privs of the caller.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 11:09:20 -04:00
Chris PeBenito
602e1f71c6
logging: Change to systemd interface for tmpfilesd.
Remove explicit rules for systemd-tmpfiles to manage var_log_t and replace
it with systemd_tmpfilesd_managed().
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:44:57 -04:00
Chris PeBenito
d76969703d
rpm: Add dnf and tdnf labeling.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:44:52 -04:00
Chris PeBenito
d9acee82c5
mount: Get the attributes of all filesystems.
Remove individual fs rules.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:42:42 -04:00
Chris PeBenito
27bb8aead9
fstools: Handle resizes of the root filesystem.
Resize2fs will create a .ismount-test-file temp file in the root of a
filesystem to resize.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:41:59 -04:00
Chris PeBenito
28ca7991df
systemd: Drop systemd_detect_virt_t.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:41:42 -04:00
Chris PeBenito
78dde1e1ae
Merge pull request #506 from 0xC0ncord/conmon-exec-typealias
podman: add alias for conmon executable
2022-05-24 09:11:54 -04:00
Kenton Groombridge
b90cc02311
podman: add alias for conmon executable
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-23 23:00:56 -04:00
Chris PeBenito
802ef7569f
Merge pull request #503 from 0xC0ncord/unconfined-no-container-engine-trans
Do not transition to container engines for unconfined users
2022-05-23 10:41:14 -04:00
Chris PeBenito
fc1fa1ffbf
Merge pull request #504 from 0xC0ncord/podman-conmon-template
Rework conmon rules
2022-05-23 10:40:00 -04:00
Chris PeBenito
f1465b9721
Merge pull request #501 from 0xC0ncord/various-20220429
Another round of various fixes (reopen)
2022-05-23 10:36:18 -04:00
Kenton Groombridge
ec1d3be3f7
systemd: allow systemd-networkd to read init runtime files
If started from an initrd and the kernel is configured for networking at
early boot, systemd-networkd needs access to files for the network
configuration in /run/systemd/network which are still init_runtime_t
during early boot. systemd will later relabel these files after the
policy is loaded.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:45 -04:00
Kenton Groombridge
998ef975f3
systemd, udev: allow udev to read systemd-networkd runtime
udev searches for .link files and applies custom udev rules to devices
as they come up.
Thanks-To: Zhao Yi
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:44 -04:00
Kenton Groombridge
73adba0a39
systemd: add file contexts for systemd-network-generator
Thanks-To: Zhao Yi
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:43 -04:00
Kenton Groombridge
f2fe1ae154
systemd: add missing file context for /run/systemd/network
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:42 -04:00
Kenton Groombridge
663b62f27c
systemd: add file transition for systemd-networkd runtime
systemd-networkd creates the /run/systemd/network directory which should
be labeled appropriately.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:41 -04:00
Kenton Groombridge
06319896b3
certbot: various fixes
Allow acme-sh to send syslog msgs and dontaudit reading /proc.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
308ab9f69a
term, init: allow systemd to watch and watch reads on unallocated ttys
As of systemd 250, systemd needs to be able to add a watch on and watch
reads on unallocated ttys in order to start getty.
systemd[55548]: getty@tty1.service: Failed to set up standard input: Permission denied
systemd[55548]: getty@tty1.service: Failed at step STDIN spawning /sbin/agetty: Permission denied
time->Fri May 6 21:17:58 2022
type=PROCTITLE msg=audit(1651886278.452:1770): proctitle="(agetty)"
type=PATH msg=audit(1651886278.452:1770): item=0 name="/dev/tty1" inode=18 dev=00:05 mode=020620 ouid=0 ogid=5 rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1651886278.452:1770): cwd="/"
type=SYSCALL msg=audit(1651886278.452:1770): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=60ba5c21e020 a2=18 a3=23 items=1 ppid=1 pid=55551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(agetty)" exe="/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1651886278.452:1770): avc: denied { watch watch_reads } for pid=55551 comm="(agetty)" path="/dev/tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
5b59c7611b
spamassassin: add file context for rspamd log directory
rspamd's default log location is /var/log/rspamd.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
dcc90a0c3c
container, podman: allow podman to restart container units
podman auto-update will automatically start the container unit when it
is updated.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
43a9841746
container: add separate type for container engine units
and add a filecon for container units themselves.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
eff1b1ecad
init, systemd: allow unpriv users to read the catalog
Label /var/lib/systemd/catalog the journal type, and allow unpriv users
to search /var/lib/systemd. This is to fix this warning when an
unprivileged user uses journalctl:
Failed to find catalog entry: Permission denied
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
001d51d267
systemd: minor fixes to systemd user domains
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
c2b0d7e7fb
ssh: add tunable to allow sshd to use remote port forwarding
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
7624e8dd7d
container: allow container engines to manage tmp symlinks
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
3560273d54
container: allow containers to manipulate own fds
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
1a0acc9c0d
sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge
3cac9e0e5d
sudo: allow sudo domains to create netlink selinux sockets
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00