Commit Graph

3939 Commits

Author SHA1 Message Date
Chris PeBenito
1a1b3bd583 Travis CI already exports variables.
Explicit exports are redundant
2015-02-13 13:42:11 -05:00
Chris PeBenito
97fd81312c Add initial Travis CI configuration.
Derived from Nicolas Iooss configuration for ArchLinux.
2015-02-13 13:29:12 -05:00
Chris PeBenito
f963d6dafa Fix domain_mmap_low() to be a proper tunable. 2015-02-09 16:02:36 -05:00
Chris PeBenito
5f0e495887 Update contrib. 2015-01-30 09:13:49 -05:00
Chris PeBenito
68f2c6f44c Add always_check_network policy capability.
Disabled by default, as most systems don't want/need this.
2015-01-27 17:25:36 -05:00
Chris PeBenito
fd0c07c8b3 Module version bump for optional else block removal from Steve Lawrence. 2015-01-12 08:45:58 -05:00
Steve Lawrence
4bd0277313 Remove optional else block for dhcp ping
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-01-12 08:44:39 -05:00
Chris PeBenito
960e6cd4e8 Update Changelog and VERSION for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito
468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito
b86c6004d4 Module version bump for module store move from Steve Lawrence. 2014-12-03 13:37:02 -05:00
Steve Lawrence
418b3c78bb Update policy for selinux userspace moving the policy store to /var/lib/selinux
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatability.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 13:36:31 -05:00
Chris PeBenito
3e3a966eea Update contrib. 2014-12-03 08:04:56 -05:00
Chris PeBenito
0735f2ca4a Module version bump for misc fixes from Sven Vermeulen. 2014-12-02 10:29:59 -05:00
Nicolas Iooss
ad2d828797 Create tmp directory when compiling a .mod.fc file in a modular way
When compiling modules using support/Makefile.devel (which is installed
in /usr/share/selinux/*/include/Makefile) with "make -j9", the build
fails because tmp/ does not exist.

Add the missing command to create tmp/ when running tmp/%.mod.fc target.

Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=530178
2014-12-02 09:26:54 -05:00
Sven Vermeulen
1edfad8247 Add /var/lib/racoon as runtime directory for ipsec 2014-12-02 09:16:06 -05:00
Sven Vermeulen
25b232f49a Add gfisk and efibootmgr as fsadm_exec_t 2014-12-02 09:16:05 -05:00
Sven Vermeulen
363daeed61 Add in LightDM contexts 2014-12-02 09:16:05 -05:00
Sven Vermeulen
84fa2ab1f2 Mark f2fs as a SELinux capable file system
Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
2014-12-02 09:16:05 -05:00
Sven Vermeulen
29292968fe xfce4-notifyd is an executable 2014-12-02 09:16:05 -05:00
Sven Vermeulen
2b642954a6 New sudo manages timestamp directory in /var/run/sudo
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
2014-12-02 09:16:05 -05:00
Sven Vermeulen
f0ebf14176 Add auth_pid_filetrans_pam_var_run 2014-12-02 09:16:05 -05:00
Sven Vermeulen
fbdf5f0ef8 Run grub(2)-mkconfig in bootloader domain
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
2014-12-02 09:16:05 -05:00
Chris PeBenito
f428babc50 Update contrib. 2014-12-02 09:00:54 -05:00
Nicolas Iooss
0692cd24b5 Update Python requirement in INSTALL
PyXML has not been required to build the policy and its documentation
since at least Python 2.6, which comes with an "xml" module.

Moreover, some support scripts requires Python 2.6 or above (and are
compatible with Python 3.4, maybe also with other versions of Python 3).
Add the minimum supported version of Python in INSTALL.

ML thread: http://oss.tresys.com/pipermail/refpolicy/2014-November/007440.html
2014-11-11 08:42:12 -05:00
Chris PeBenito
ce0d545b2e Merge pull request #5 from bigon/audit_read
Add new audit_read access vector in capability2 class
2014-11-10 07:57:10 -05:00
Laurent Bigonville
cbb1f36ef5 Add new audit_read access vector in capability2 class
This AV has been added in 3.16 in commit
3a101b8de0d39403b2c7e5c23fd0b005668acf48
2014-11-09 11:11:15 +01:00
Chris PeBenito
8a3a8c7e1b Module version bump for /sbin/iw support from Nicolas Iooss. 2014-10-23 08:51:53 -04:00
Chris PeBenito
0820cfe75d Add comment for iw generic netlink socket usage 2014-10-23 08:50:18 -04:00
Nicolas Iooss
5fb1249f37 Use create_netlink_socket_perms when allowing netlink socket creation
create_netlink_socket_perms is defined as:

    { create_socket_perms nlmsg_read nlmsg_write }

This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.

Clean up things without allowing anything new.
2014-10-23 08:07:44 -04:00
Nicolas Iooss
d6af57e5e7 Allow iw to create generic netlink sockets
iw uses generic netlink socket to configure WiFi properties.  For
example, "strace iw dev wlan0 set power_save on" outputs:

    socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
    setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
    setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
    bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0

Some AVC denials are reported in audit.log:

    type=AVC msg=audit(1408829044.820:486): avc:  denied  { create } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:487): avc:  denied  { setopt } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:488): avc:  denied  { bind } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:489): avc:  denied  { getattr }
    for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:490): avc:  denied  { write } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1

Allowing ifconfig_t to create generic netlink sockets fixes this.

(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
2014-10-23 08:07:44 -04:00
Nicolas Iooss
f91e07baa9 Label /sbin/iw as ifconfig_exec_t
iw manpage says "iw - show / manipulate wireless devices and their
configuration".  Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.

Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
2014-10-23 08:07:44 -04:00
Chris PeBenito
6a24d9dba0 Module version bump for Debian arping fc entries from Laurent Bigonville. 2014-10-06 09:50:58 -04:00
Chris PeBenito
da451633ef Merge pull request #4 from fishilico/minor-typo
Fix minor typo in init.if
2014-10-06 09:07:43 -04:00
Chris PeBenito
58b700e214 Merge pull request #3 from bigon/arping
Add arping paths for debian
2014-10-06 09:07:25 -04:00
Nicolas Iooss
836a282439 Fix minor typo in init.if 2014-10-04 10:53:50 +02:00
Laurent Bigonville
740a1746bf Debian also ship a different arping implementation
In addition to the iputils arping implementation, Debian also ships an
other implementation which is installed under /usr/sbin/arping
2014-10-03 14:35:58 +02:00
Laurent Bigonville
a9594fc684 On Debian iputils-arping is installed in /usr/bin/arping 2014-10-03 14:29:05 +02:00
Chris PeBenito
6624f9cf7a Drop RHEL4 and RHEL5 support. 2014-09-24 13:10:37 -04:00
Chris PeBenito
35860e6459 Module version bump for CIL fixes from Yuli Khodorkovskiy. 2014-09-17 14:00:08 -04:00
Yuli Khodorkovskiy
330b0fc333 Remove duplicate role declarations
-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.

-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.
2014-09-17 10:44:04 -04:00
Chris PeBenito
47fa454784 /dev/log symlinks are not labeled devlog_t.
Drop rule; if /dev/log is a symlink, it should be device_t.
2014-09-12 14:25:01 -04:00
Chris PeBenito
607f8fb32a Update contrib. 2014-09-12 11:30:28 -04:00
Chris PeBenito
e4cbb09a3d Module version bumps for systemd/journald patches from Nicolas Iooss. 2014-09-12 11:30:05 -04:00
Nicolas Iooss
0cd1ea9596 Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
Since commit 0fd9dc55, logging.te contains:

  term_write_all_user_ttys(syslogd_t)

As "write" is a superset of "append", this rule is no longer needed:

    term_append_unallocated_ttys(syslogd_t)

While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
2014-09-12 09:55:58 -04:00
Nicolas Iooss
6a201e405b Allow journald to access to the state of all processes
When a process sends a syslog message to journald, journald records
information such as command, executable, cgroup, etc.:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589

This needs domain_read_all_domains_state.
2014-09-12 09:55:13 -04:00
Chris PeBenito
6ced8116bd Add comment for journald ring buffer reading. 2014-09-12 09:54:11 -04:00
Nicolas Iooss
3a7e30c22d Allow journald to read the kernel ring buffer and to use /dev/kmsg
audit.log shows that journald needs to read the kernel read buffer:

    avc:  denied  { syslog_read } for  pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1

Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
2014-09-12 09:52:18 -04:00
Nicolas Iooss
ae4d07c8a8 Support logging with /run/systemd/journal/dev-log
In June 2014 systemd moved the socket used by journald to /run.  This
requires two new directory search access for every domain sending syslog
messages:

* /run/systemd/ (handled by init_search_run)
* /run/systemd/journal/ (labeled syslogd_var_run_t)

systemd commit:
http://cgit.freedesktop.org/systemd/systemd/commit/units/systemd-journald-dev-log.socket?id=03ee5c38cb0da193dd08733fb4c0c2809cee6a99
2014-09-12 09:50:48 -04:00
Chris PeBenito
a30feb2a5b Whitespace change in logging.fc. 2014-09-12 09:49:37 -04:00
Nicolas Iooss
d7b2ccf89a Label systemd-journald files and directories 2014-09-12 09:47:59 -04:00