Update Changelog and VERSION for release 2.20240226.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Chris PeBenito 2024-02-26 13:38:45 -05:00
parent d48b57a5bd
commit fa84ee8fc0
2 changed files with 488 additions and 1 deletions

Changelog

@ -1,3 +1,490 @@
* Mon Feb 26 2024 Chris PeBenito <pebenito@ieee.org> - 2.20240226
Chris PeBenito (174):
tests.yml: Pin ubuntu 20.04.
tests.yml: Pin ubuntu 20.04.
fstools: Move lines.
munin: Move munin_rw_tcp_sockets() implementation.
munin: Whitespace change.
systemd: Tmpfilesd can correct seusers on files.
iscsi: Read initiatorname.iscsi.
lvm: Add fc entry for /etc/multipath/*
sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
Define user_namespace object class.
chromium: Allow user namespace creation.
mozilla: Allow user namespace creation.
systemd: Allow user namespace creation.
container: Allow user namespace creation for all container engines.
Update eg25manager.te
switcheroo: Whitespace fix.
unconfined: Keys are linkable by systemd.
postgresql: Move lines
Add append to rw and manage lnk_file permission sets for consistency.
domain: Manage own fds.
systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
kernel: hv_utils shutdown on systemd systems.
Container: Minor fixes from interactive container use.
systemd: Minor coredump fixes.
rpm: Minor fixes
init: Allow nnp/nosuid transitions from systemd initrc_t.
selinuxutil: Semanage reads policy for export.
sysnetwork: ifconfig searches debugfs.
usermanage: Add sysctl access for groupadd to get number of groups.
files: Handle symlinks for /media and /srv.
cloudinit: Add support for installing RPMs and setting passwords.
kdump: Fixes from testing kdumpctl.
usermanage: Handle symlinks in /usr/share/cracklib.
unconfined: Add remaining watch_* permissions.
chronyd: Read /dev/urandom.
cloud-init: Allow use of sudo in runcmd.
cloud-init: Add systemd permissions.
cloud-init: Change udev rules
systemd: Updates for systemd-locale.
cloudinit: Add permissions derived from sysadm.
Christian Göttsche (28):
git: add fcontext for default binary
init: only grant getattr in init_getattr_generic_units_files()
ci: bump SELint version to 1.5.0
SELint userspace class tweaks
systemd: reorder optional block
devicedisk: reorder optional block
access_vectors: define io_uring { cmd }
support/genhomedircon: support usr prefixed paths
fix misc typos
Support multi-line interface calls
policy_capabilities: remove estimated from released versions
Rules.monolithic: pre-compile fcontexts on install
Rules.modular: use temporary file to not ignore error
Makefile: use sepolgen-ifgen-attr-helper from test toolchain
Makefile: set PYTHONPATH for test toolchain
virt: label qemu configuration directory
selinuxutil: setfiles updates
selinuxutil: ignore getattr proc in newrole
userdom: permit reading PSI as admin
fs: mark memory pressure type as file
systemd: binfmt updates
vnstatd: update
fs: add support for virtiofs
systemd: generator updates
udev: update
systemd: logind update
consolesetup: update
libraries: drop space in empty line
Christian Schneider (1):
systemd-generator: systemd_generator_t load kernel modules used for e.g.
zram-generator
Corentin LABBE (20):
udev: permit to read hwdb
fstools: handle gentoo place for drivedb.h
mount: dbus interface must be optional
mcelog: add missing file context for triggers
munin: add file context for common functions file
rsyslog: add label for /var/empty/dev/log
munin: disk-plugin: transition to fsadm
munin: add fc for munin-node plugin state
usermanage: permit groupadd to read kernel sysctl
portage: Remove old binary location
portage: add go/hg source control files
portage: add new location for portage commands
portage: add missing go/hg context in new distfiles location
mandb: permit to read inherited cron files
selinuxutil: do not audit load_policy trying to use portage ptys
selinuxutil: permit run_init to read kernel sysctl
portage: add misc mising rules
smartmon: allow smartd to read fsadm_db_t files
smartmon: add domain for update-smart-drivedb
dovecot: add missing permissions
Dave Sugar (46):
rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
Allow local login to read /run/motd
Label pwhistory_helper
If domain can read system_dbusd_var_lib_t files, also allow symlinks
systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option.
To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
Allow iceauth write to xsession log
Allow system_dbusd_t to start/stop all units
Updates for utempter
Allow display manager to read hwdata
Allow search xdm_var_run_t directories along with reading files.
Solve issue with no keyboard/mouse on X login screen
separate label for /etc/security/opasswd
Fix some ssh agent denials
For systemd-hostnamed service to run
Allow rsyslog to drop capabilities
/var/lib/sddm should be xdm_var_lib_t
resolve lvm_t issues at shutdown with LUKS encrypted devices
Allow all users to (optionally) send syslog messages
Resolve some denials with colord
separate domain for journalctl during init
Use interface that already exists.
Separate label for /run/systemd/notify (#710)
Changes needed for dbus-broker-launch
Allow dbus-broker-launch to execute in same domain
dbus changes
Firewalld need to relabel direct.xml file
xguest ues systemd --user
Needed to allow environment variable to process started (for cockpit)
SELinux policy for cockpit
Fix denial while cleaning up pidfile symlink
allow system --user to execute systemd-tmpfiles in
<user>_systemd_tmpfiles_t domain
cockpit ssh as user
Allow sudo dbus chat w/sysemd-logind
The L+ tmpfiles option needs to read the symlink
Signal during logout
This seems important for administrative access
This works instead of allow exec on user_tmpfs_t!
admin can read/write web socket
Allow key manipulation
Add dontaudit to quiet down a bit
Add watches
Additional access for systemctl
Denial during cockpit use
Fix password changing from cockpit login screen
Resolve error when cockpit initiate shutdown
David Sommerseth (1):
openvpn: Allow netlink genl
Fabrice Fontaine (1):
policy/modules/services/smartmon.te: make fstools optional
Florian Schmidt (1):
Add label and interfaces for kernel PSI files
George Zenner (1):
Signed-off-by: George Zenner <zen@pyl.onl>
Grzegorz Filo (3):
Shell functions used during boot by initrc_t shall be bin_t and defined in
corecommands.fc
Dir transition goes with dir create perms.
Keep context of blkid file/dir when created by zpool.
Guido Trentalancia (53):
The pulseaudio daemon and client do not normally need to use the network
for most computer systems that need to play and record audio.
The kernel domain should be able to mounton runtime directories during
switch_root, otherwise parts of the boot process might fail on some
systems (for example, the udev daemon).
The kernel domain should be able to mounton default directories during
switch_root.
The pulseaudio module should be able to read alsa library directories.
Fix the pulseaudio module file transition for named sockets in tmp
directories.
Fix the dbus module so that automatic file type transitions are used not
only for files and directories, but also for named sockets.
Fix the dbus module so that temporary session named sockets can be read
and written in the role template and by system and session bus clients.
Update the dbus role template so that permissions to get the attributes of
the proc filesystem are included.
Let pulseaudio search debugfs directories, as currently done with other
modules.
Separate the tunable permissions to write xserver tmpfs files from the
tunable permissions to write X server shared memory.
Fix a security bug in the xserver module (interfaces) which was wrongly
allowing an interface to bypass existing tunable policy logic related
to X shared memory and xserver tmpfs files write permissions.
Add missing permissions to execute binary files for the evolution_alarm_t
domain.
Add the permissions to manage the fonts cache (fontconfig) to the window
manager role template.
Add permissions to watch libraries directories to the userdomain login
user template interface.
Update the xscreensaver module in order to work with the latest version
(tested with version 6.06).
Include the X server tmpfs rw permissions in the X shared memory write
access tunable policy under request from Christoper PeBenito.
Revert the following commit (ability to read /usr files), as it is no
longer needed, after the database file got its own label:
Update the kernel module to remove misplaced or at least really obsolete
permissions during kernel module loading.
Introduce a new "logging_syslog_can_network" boolean and make the
net_admin capability as well as all corenetwork permissions previously
granted to the syslog daemon conditional upon such boolean being true.
Let the openoffice domain manage fonts cache (fontconfig).
Update the openoffice module so that it can create Unix stream sockets
with its own label and use them both as a client and a server.
Let mplayer to act as a dbus session bus client (needed by the vlc media
player).
Add permissions to read device sysctls to mplayer.
Remove misplaced permission from mount interface mount_exec.
Remove a vulnerability introduced by a logging interface which allows to
execute log files.
Improved wording for the new xserver tunable policy booleans introduced
with the previous three commits.
Fix another security bug companion of the one fixed in the following
previous commit:
Fix another security bug similar to the ones that have been recently fixed
in the following two commits:
Remove duplicate permissions in the xserver module
xserver_restricted_role() interface.
Dbus creates Unix domain sockets (in addition to listening on and
connecting to them), so its policy module is modified accordingly.
Remove a logging interface from the userdomain module since it has now
been moved to the xscreensaver domain.
Create a new specific file label for the random seed file saved before
shutting down or rebooting the system and rework the interface needed
to manage such file.
Fix the shutdown policy in order to make use of the newly created file
label and interface needed to manage the random seed file.
Update the gpg module so that the application is able to fetch new keys
from the network.
Dbus creates Unix domain sockets not only for the system bus, but also for
the session bus (in addition to connecting to them), so its policy
module is modified accordingly.
Update the gnome module so that the gconf daemon is able to create Unix
domain sockets and accept or listen connections on them.
Fix the recently introduced "logging_syslog_can_network" tunable policy,
by including TCP/IP socket creation permissions.
Introduce a new interface in the mta module to manage the mail transport
agent configuration directories and files.
Add new gpg interfaces for gpg_agent execution and to avoid auditing
search operations on files and directories that are not strictly needed
and might pose a security risk.
Extend the scope of the "spamassassin_can_network" tunable policy boolean
to all network access (except the relative dontaudit rules).
Update the spamassassin module in order to better support the rules
updating script; this achieved by employing two distinct domains for
increased security and network isolation: a first domain is used for
fetching the updated rules from the network and second domain is used
for verifying the GPG signatures of the received rules.
Under request from Christopher PeBenito, merge the two spamassassin rules
updating SELinux domains introduced in the previous change in order to
reduce the non-swappable kernel memory used by the policy.
Introduce a new "dbus_can_network" boolean which controls whether or not
the dbus daemon can act as a server over TCP/IP networks and defaults
to false, as this is generally insecure, except when using the local
loopback interface.
Introduce two new booleans for the X server and X display manager domains
which control whether or not the respective domains allow the TCP/IP
server networking functionality.
The X display manager uses an authentication mechanism based on an
authorization file which is critical for X security.
Merge branch 'main' into x_fixes_pr2
Let openoffice perform temporary file transitions and manage link files.
Modify the gpg module so that gpg and the gpg_agent can manage
gpg_runtime_t socket files.
The LDAP server only needs to read generic certificate files, not manage
them.
Create new TLS Private Keys file contexts for the Apache HTTP server
according to the default locations:
Let the webadm role manage Private Keys and CSR for SSL Certificates used
by the HTTP daemon.
Let the certmonger module manage SSL Private Keys and CSR used for example
by the HTTP and/or Mail Transport daemons.
Additional file context fix for:
Kai Meng (1):
devices:Add genfscon context for functionfs to mount
Kenton Groombridge (106):
corenet: add portcon for kubernetes
kubernetes: initial policy module
sysadm: allow running kubernetes
crio: new policy module
crio, kubernetes: allow k8s admins to run CRI-O
container: add type for container plugins
various: fixes for kubernetes
kubernetes: add policy for kubectl
various: fixes for kubernetes
container, kernel: add tunable to allow spc to create NFS servers
container: add tunable to allow containers to use huge pages
container, kubernetes: add private type for generic container devices
container: add tunable to use dri devices
container, kubernetes: add rules for device plugins running as spc
various: allow using glusterfs as backing storage for k8s
container, miscfiles: transition to s0 for public content created by
containers
container: add tunable to allow spc to use tun-tap devices
container: correct admin_pattern() usage
systemd: add policy for systemd-pcrphase
hddtemp: add missing rules for interactive usage
netutils: minor fixes for nmap and traceroute
container: add rules required for metallb BGP speakers
filesystem, init: allow systemd to setattr on ramfs dirs
logging: allow domains sending syslog messages to connect to kernel unix
stream sockets
init, sysadm: allow sysadm to manage systemd runtime units
podman: allow podman to stop systemd transient units
userdom: allow admin users to use tcpdiag netlink sockets
container: allow container admins the sysadm capability in user namespaces
postfix: allow postfix master to map data files
sasl: add filecon for /etc/sasl2 keytab
obj_perm_sets: add mmap_manage_file_perms
various: use mmap_manage_file_perms
postfix, sasl: allow postfix smtp daemon to read SASL keytab
various: fixes for libvirtd and systemd-machined
portage: label eix cache as portage_cache_t
container: add missing filetrans and filecon for containerd/docker
container, init, systemd: add policy for quadlet
container: fixes for podman 4.4.0
container: fixes for podman run --log-driver=passthrough
node_exporter: various fixes
redis: add missing rules for runtime filetrans
podman, selinux: move lines, add missing rules for --network=host
netutils: fixes for iftop
kernel, zfs: add filetrans for kernel creating zpool cache file
zfs: allow sending signals to itself
zfs: add runtime filetrans for dirs
init: make init_runtime_t useable for systemd units
various: make /etc/machine-id etc_runtime_t
init, systemd: allow init to create userdb runtime symlinks
init: allow initrc_t to getcap
systemd: allow systemd-userdbd to getcap
logging: allow systemd-journald to list cgroups
fs, udev: allow systemd-udevd various cgroup perms
logging, systemd: allow relabelfrom,relabelto on systemd journal files by
systemd-journald
files, systemd: allow systemd-tmpfiles to relabel config file symlinks
systemd: add rules for systemd-zram-generator
systemd: allow systemd-pcrphase to read generic certs
fs, init: allow systemd-init to set the attributes of efivarfs files
init: allow systemd-init to set the attributes of unallocated terminals
systemd: allow systemd-resolved to bind to UDP port 5353
init: allow initrc_t to create netlink_kobject_uevent_sockets
raid: allow mdadm to read udev runtime files
raid: allow mdadm to create generic links in /dev/md
fstools: allow fsadm to read utab
glusterfs: allow glusterd to bind to all TCP unreserved ports
kubernetes: allow kubelet to read etc runtime files
chromium: allow chromium-naclhelper to create user namespaces
container: rework capabilities
container: allow watching FUSEFS dirs and files
glusterfs: add tunable to allow managing unlabeled files
sysadm: allow using networkctl
container: various fixes
container, kubernetes: add support for cilium
kubernetes: allow container engines to mount on DRI devices if enabled
init, systemd: label systemd-executor as init_exec_t
udev: allow reading kernel fs sysctls
init: allow all daemons to write to init runtime sockets
systemd: fixes for systemd-pcrphase
systemd: allow networkd to use netlink netfilter sockets
rpc: add filecon for /etc/exports.d
zed: allow managing /etc/exports.d/zfs.exports
zfs: dontaudit net_admin capability by zed
su: various fixes
kernel: allow delete and setattr on generic SCSI and USB devices
mount: make mount_runtime_t a kubernetes mountpoint
fstools: allow fsadm to ioctl cgroup dirs
fstools: allow reading container device blk files
container, kubernetes: add support for rook-ceph
kernel: dontaudit read fixed disk devices
container: add filecons for rook-ceph
init, systemd: allow systemd-pcrphase to write TPM measurements
systemd: add policy for systemd-machine-id-setup
container, kubernetes: allow kubernetes to use fuse-overlayfs
kubernetes: fix kubelet accounting
systemd: label systemd-pcrlock as systemd-pcrphase
zfs: allow zfs to write to exports
kernel: allow managing mouse devices
init: allow using system bus anon pidfs
systemd: label systemd-tpm2-setup as systemd-pcrphase
bootloader, init, udev: misc minor fixes
rpc: fix not labeling exports.d directory
dbus: allow the system bus to get the status of generic units
systemd: allow systemd generator to list exports
crio: allow reading container home content
container: allow spc to map kubernetes runtime files
kubernetes: allow kubelet to apply fsGroup to persistent volumes
Luca Boccassi (4):
Set label systemd-oomd
Add separate label for cgroup's memory.pressure files
systemd: also allow to mounton memory.pressure
systemd: allow daemons to access memory.pressure
Mathieu Tortuyaux (1):
container: fix cilium denial
Oleksii Miroshko (1):
Fix templates parsing in gentemplates.sh
Pat Riehecky (1):
container: set default context for local-path-provisioner
Renato Caldas (1):
kubernetes: allow kubelet to read /proc/sys/vm files.
Russell Coker (28):
This patch removes deprecated interfaces that were deprecated in the
20210203 release. I think that 2 years of support for a deprecated
interface is enough and by the time we have the next release out it
will probably be more than 2 years since 20210203.
This patch removes deprecated interfaces that were deprecated in the
20210203 release. I think that 2 years of support for a deprecated
interface is enough and by the time we have the next release out it
will probably be more than 2 years since 20210203.
eg25-manager (Debian package eg25-manager) is a daemon aimed at
configuring and monitoring the Quectel EG25 modem on a running system.
It is used on the PinePhone (Pro) and performs the following functions:
* power on/off * startup configuration using AT commands * AGPS
data upload * status monitoring (and restart if it becomes
unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager
iio-sensor-proxy (Debian package iio-sensor-proxy) IIO sensors to D-Bus
proxy Industrial I/O subsystem is intended to provide support for
devices that in some sense are analog to digital or digital to analog
convertors . Devices that fall into this category are: * ADCs *
Accelerometers * Gyros * IMUs * Capacitance to Digital Converters
(CDCs) * Pressure Sensors * Color, Light and Proximity Sensors *
Temperature Sensors * Magnetometers * DACs * DDS (Direct Digital
Synthesis) * PLLs (Phase Locked Loops) * Variable/Programmable Gain
Amplifiers (VGA, PGA)
Fixed dependency on unconfined_t
Comment sysfs better
Daemon to control authentication for Thunderbolt.
Daemon to monitor memory pressure and notify applications and change …
(#670)
switcheroo is a daemon to manage discrete vs integrated GPU use for apps
policy for power profiles daemon, used to change power settings
some misc userdomain fixes
debian motd.d directory (#689)
policy for the Reliability Availability servicability daemon (#690)
policy patches for anti-spam daemons (#698)
Added tmpfs file type for postgresql Small mysql stuff including
anon_inode
small ntp and dns changes (#703)
small network patches (#707)
small storage changes (#706)
allow jabbers to create sock file and allow matrixd to read sysfs (#705)
small systemd patches (#708)
misc small patches for cron policy (#701)
mon.te patches as well as some fstools patches related to it (#697)
misc small email changes (#704)
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
Label checkarray as mdadm_exec_t, allow it to read/write temp files
inherited from cron, and dontaudit ps type operations from it
Changes to eg25manager and modemmanager needed for firmware upload on
pinephonepro
patches for nspawn policy (#721)
Simple patch for Brother printer drivers as described in:
https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
Yi Zhao (15):
systemd: add capability sys_resource to systemd_userdbd_t
systemd: allow systemd-sysctl to search directories on ramfs
systemd: allow systemd-resolved to search directories on tmpfs and ramfs
mount: allow mount_t to get attributes for all directories
loadkeys: do not audit attempts to get attributes for all directories
systemd: allow systemd-networkd to create file in /run/systemd directory
systemd: allow journalctl to create /var/lib/systemd/catalog
bind: fix for named service
systemd: use init_daemon_domain instead of init_system_domain for
systemd-networkd and systemd-resolved
rpm: fixes for dnf
lvm: set context for /run/cryptsetup
container: set context for /run/crun
systemd: allow systemd-hostnamed to read machine-id and localization files
systemd: allow systemd-rfkill to getopt from uevent sockets
udev: fix for systemd-udevd
freedom1b2830 (1):
mplayer:vlc paths
* Tue Nov 01 2022 Chris PeBenito <pebenito@ieee.org> - 2.20221101
Chris PeBenito (46):
systemd: Drop systemd_detect_virt_t.
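Review bot: several entries in this Changelog hunk look like artifacts of generating the list from commit subjects and should be cleaned up before the release is tagged: `tests.yml: Pin ubuntu 20.04.` appears twice in a row near the top of the Chris PeBenito section, the paragraph beginning "This patch removes deprecated interfaces that were deprecated in the" is repeated verbatim in the Russell Coker section, the only entry under `George Zenner (1)` is the trailer `Signed-off-by: George Zenner <zen@pyl.onl>` rather than a description of the change, and one Russell Coker entry consists solely of the URL https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/. Collapse the repeated lines if they come from a single commit, and replace the trailer and bare-URL entries with a one-line summary of what each commit actually changed so the changelog stands on its own.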

VERSION

@ -1 +1 @@
2.20221101
2.20240226