Commit Graph

7124 Commits

Author SHA1 Message Date
Russell Coker
478df0e446
small network patches (#707)
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed typo in interface name

Signed-off-by: Russell Coker <russell@coker.com.au>

* Add interface libs_watch_shared_libs_dir

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added sysnet_watch_config_dir interface

Signed-off-by: Russell Coker <russell@coker.com.au>

* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* rename sysnet_watch_config_dir to sysnet_watch_config_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Reverted a change as I can't remember why I did it.

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:44:52 -04:00
Russell Coker
0d77235ecc
small ntp and dns changes (#703)
* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:01:12 -04:00
Chris PeBenito
748980def5
Merge pull request #694 from etbe/fifth
some misc userdomain fixes
2023-09-25 10:57:27 -04:00
Russell Coker
cf1ba82cb9 Added tmpfs file type for postgresql
Small mysql stuff including anon_inode

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-22 19:09:12 +10:00
Russell Coker
0528990a24
policy patches for anti-spam daemons (#698)
* Patches for anti-spam related policy

* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 12:01:24 -04:00
Chris PeBenito
487feedf8e
Merge pull request #699 from yizhao1/systemd-networkd
systemd: allow systemd-networkd to create file in /run/systemd directory
2023-09-21 10:45:47 -04:00
Russell Coker
125e52ef58
policy for the Reliability Availability Serviceability daemon (#690)
* policy for the Reliability Availability Serviceability daemon

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:22:36 -04:00
Russell Coker
e349de1507
debian motd.d directory (#689)
* policy for Debian motd.d dir

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:21:25 -04:00
Yi Zhao
8758b782e5 systemd: allow systemd-networkd to create file in /run/systemd directory
systemd-networkd creates files in /run/systemd directory which should be
labeled appropriately.

Fixes:
avc:  denied  { create } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { write } for  pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { setattr } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { rename } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-21 11:40:24 +08:00
Yi Zhao
ee3ea8ebca loadkeys: do not audit attempts to get attributes for all directories
Fixes:
avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 14:44:45 +08:00
Yi Zhao
0a7f48cb31 mount: allow mount_t to get attributes for all directories
Fixes:
avc:  denied  { getattr } for  pid=130 comm="mount" path="/" dev="tracefs"
ino=1 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=166 comm="mount" path="/" dev="configfs"
ino=14220 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 13:31:50 +08:00
Russell Coker
cb6bf2fe9a some misc userdomain fixes
Allow userdomains to read crypto sysctls (usually /proc/sys/crypto/fips_enabled)
Allow them to read vm overcommit status and fs_sysctls (things like pipe-max-size)

Allow pipewire to write to user runtime named sockets

Allow the user domain for X access to use user fonts, accept stream connections
from xdm_t, and map xkb_var_lib_t files

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-20 12:40:59 +10:00
Chris PeBenito
227786eed7
Merge pull request #693 from dsugar100/colord
Resolve some denials with colord
2023-09-19 16:09:52 -04:00
Chris PeBenito
fc3589a04f
Merge pull request #676 from dsugar100/all_users_syslog
Allow all users to send syslog messages
2023-09-19 16:07:10 -04:00
Dave Sugar
17c9b3ac7e Resolve some denials with colord
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { read } for  pid=2039 comm="colord" name="hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { open } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:657): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:658): avc:  denied  { map } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.106:18931): avc:  denied  { read } for  pid=2039 comm="gdbus" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19182): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19183): avc:  denied  { map } for  pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { search } for  pid=2039 comm="colord" name="1880" dev="proc" ino=26735 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { read } for  pid=2039 comm="colord" name="cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { open } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:679): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:680): avc:  denied  { ioctl } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 ioctlcmd=0x5401 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { search } for  pid=2039 comm="colord" name="sessions" dev="tmpfs" ino=96 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { read } for  pid=2039 comm="colord" name="c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { open } for  pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:682): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 13:52:50 -04:00
Chris PeBenito
41ac8090f7
Merge pull request #691 from etbe/fifth
power profiles daemon
2023-09-19 11:40:39 -04:00
Dave Sugar
cf58a70881 Allow all users to (optionally) send syslog messages
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc:  denied  { write } for  pid=1757 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc:  denied  { sendto } for  pid=1757 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc:  denied  { write } for  pid=1756 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc:  denied  { sendto } for  pid=1756 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 09:14:08 -04:00
Russell Coker
e5ea2c99df policy for power profiles daemon, used to change power settings
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-19 22:51:22 +10:00
Chris PeBenito
5e2bf62c6f
Merge pull request #672 from gtrentalancia/x_fixes_pr2
Remote X11 TCP/IP functionality is generally insecure: switch it off by default. Strengthen XDM authentication file access.
2023-09-19 08:36:26 -04:00
Chris PeBenito
5fa75724c8
Merge pull request #688 from pebenito/systemd-user-unconfined
unconfined: Keys are linkable by systemd.
2023-09-19 08:11:40 -04:00
Guido Trentalancia
44bfd66186
Merge branch 'main' into x_fixes_pr2
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2023-09-19 01:31:50 +02:00
Guido Trentalancia
8c562af119 The X display manager uses an authentication
mechanism based on an authorization file which
is critical for X security.

For example, a common attack is to remove the
file in order to disable authorization.

At the moment permissions on such file and its
parent directory are shared with several other
modules that have nothing to do with XDMCP
authorization, therefore this patch strengthens
the file access policy by making it exclusive
to XDM and the X server (read-only).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.fc |    1 +
 policy/modules/services/xserver.if |   33 +++++++++++++++++++++++++++++++++
 policy/modules/services/xserver.te |   11 +++++++++++
 3 files changed, 45 insertions(+)
2023-09-19 01:28:10 +02:00
Guido Trentalancia
793d6a29d8 Introduce two new booleans for the X server and
X display manager domains which control whether
or not the respective domains allow the TCP/IP
server networking functionality.

The above mentioned booleans both default to false
as remote X11 has no integrity and confidentiality
protection and is generally insecure.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.te |   82 +++++++++++++++++++++++--------------
 1 file changed, 52 insertions(+), 30 deletions(-)
2023-09-19 01:23:22 +02:00
Chris PeBenito
d806720c76 unconfined: Keys are linkable by systemd.
Since the systemd --user for unconfined_t runs in unconfined_t too, instead
of a derived domain such as with regular users, e.g., user_systemd_t, this
is required.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-09-18 17:05:23 -04:00
Chris PeBenito
6e39f49247
Merge pull request #671 from gtrentalancia/dbus_fixes_pr3
Dbus also creates Unix domain sockets in session mode but has insecure networking code
2023-09-18 11:40:16 -04:00
Chris PeBenito
1ff9b559b7
Merge pull request #636 from gtrentalancia/spamassassin_update_pr
Let spamassassin update its rules from the network
2023-09-18 11:38:57 -04:00
Guido Trentalancia
8331d214ec Introduce a new "dbus_can_network" boolean which
controls whether or not the dbus daemon can act
as a server over TCP/IP networks and defaults to
false, as this is generally insecure, except when
using the local loopback interface.

For reference, see the security warning in the
D-Bus specification:

https://dbus.freedesktop.org/doc/dbus-specification.html#transports-tcp-sockets

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.te |   31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)
2023-09-18 16:15:50 +02:00
Chris PeBenito
69544a3256
Merge pull request #684 from etbe/fourth
switcheroo daemon for switching apps between Intel and NVidia GPUs
2023-09-18 09:51:25 -04:00
Guido Trentalancia
11d17b2e57 Under request from Christopher PeBenito, merge the
two spamassassin rules updating SELinux domains
introduced in the previous change in order to reduce
the non-swappable kernel memory used by the policy.

This reduces complexity, but unfortunately it
probably also reduces an existing safety margin by
breaking the isolation between network-facing
binaries and binaries such as GPG that potentially
deal with secret information (at the moment there
is no "neverallow" rule protecting the gpg_secret_t
file access).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/spamassassin.if |    3 -
 policy/modules/services/spamassassin.te |   56 ++++++--------------------------
 2 files changed, 12 insertions(+), 47 deletions(-)
2023-09-18 15:40:11 +02:00
Guido Trentalancia
e5b1b197c7 Update the spamassassin module in order to better support
the rules updating script; this is achieved by employing
two distinct domains for increased security and network
isolation: a first domain is used for fetching the updated
rules from the network and a second domain is used for
verifying the GPG signatures of the received rules.

The rules update feature is now controlled by a boolean
for increased flexibility (it overrides the generic
networking boolean).

The specific file type for the spamassassin update feature
temporary files has been removed: just use spamd_tmp_t instead
of spamd_update_tmp_t and add a corresponding alias.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/spamassassin.if |   11 ++-
 policy/modules/services/spamassassin.te |  100 +++++++++++++++++++++++++-------
 2 files changed, 86 insertions(+), 25 deletions(-)
2023-09-18 15:39:12 +02:00
Guido Trentalancia
ed0613f0cc Extend the scope of the "spamassassin_can_network"
tunable policy boolean to all network access (except
the relative dontaudit rules).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/spamassassin.te |   81 +++++++++++++++++---------------
 1 file changed, 45 insertions(+), 36 deletions(-)
2023-09-18 15:38:08 +02:00
Chris PeBenito
f4688a3d54
switcheroo: Whitespace fix.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-18 09:21:26 -04:00
Chris PeBenito
dfd0149c71
Merge pull request #674 from dsugar100/opasswd_label
separate label for /etc/security/opasswd
2023-09-18 09:12:24 -04:00
Chris PeBenito
16c46db2b8
Merge pull request #665 from gtrentalancia/init_fixes_pr
init and shutdown fixes
2023-09-18 09:08:32 -04:00
Chris PeBenito
d5a8f78328
Merge pull request #659 from dsugar100/luks_shutdown
resolve lvm_t issues at shutdown with LUKS encrypted devices
2023-09-18 09:05:58 -04:00
Chris PeBenito
d6e6ce4f6a
Merge pull request #649 from gtrentalancia/gpg_fixes_pr
Update the gpg module so that the application is able to fetch keys from the network
2023-09-18 09:05:14 -04:00
Dave Sugar
73a62c4404 resolve lvm_t issues at shutdown with LUKS encrypted devices
Errors:
Sep 06 15:27:15 localhost systemd-cryptsetup[1611]: Device luks-7e802906-791a-432d-8069-dd290fba6dcf is still in use.
Sep 06 15:27:15 localhost systemd-cryptsetup[1611]: Failed to deactivate: Device or resource busy
Sep 06 15:27:15 localhost systemd[1]: systemd-cryptsetup@luks\x2d7e802906\x2d791a\x2d432d\x2d8069\x2ddd290fba6dcf.service: Control process exited, code=exited, status=1/FAILURE
Sep 06 15:27:15 localhost systemd[1]: systemd-cryptsetup@luks\x2d7e802906\x2d791a\x2d432d\x2d8069\x2ddd290fba6dcf.service: Failed with result 'exit-code'.

Denials:
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.081:10597): avc:  denied  { getattr } for  pid=1996 comm="systemd-cryptse" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=SYSCALL msg=audit(1694013919.081:10597): arch=c000003e syscall=137 success=yes exit=0 a0=7efdc7a96e0e a1=7ffdbbacde50 a2=7efdc69b75e0 a3=1000 items=1 ppid=1 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null) ARCH=x86_64 SYSCALL=statfs AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.082:10598): avc:  denied  { search } for  pid=1996 comm="systemd-cryptse" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1

Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc:  denied  { search } for  pid=1996 comm="systemd-cryptse" name="pki" dev="dm-1" ino=393276 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc:  denied  { read } for  pid=1996 comm="systemd-cryptse" name="openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.085:10599): avc:  denied  { open } for  pid=1996 comm="systemd-cryptse" path="/etc/pki/tls/openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=SYSCALL msg=audit(1694013919.085:10599): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=55943c6cdb90 a2=0 a3=0 items=1 ppid=1 pid=1996 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cryptse" exe="/usr/lib/systemd/systemd-cryptsetup" subj=system_u:system_r:lvm_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.086:10600): avc:  denied  { getattr } for  pid=1996 comm="systemd-cryptse" path="/etc/pki/tls/openssl.cnf" dev="dm-1" ino=393383 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 15:25:19 localhost.localdomain audisp-syslog[1522]: node=localhost type=AVC msg=audit(1694013919.087:10601): avc:  denied  { read } for  pid=1996 comm="systemd-cryptse" name="fips_local.cnf" dev="dm-1" ino=393381 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1

Sep 06 15:27:15 localhost audisp-syslog[1497]: node=localhost type=AVC msg=audit(1694014035.204:367): avc:  denied  { search } for  pid=1611 comm="systemd-cryptse" name="/" dev="pstore" ino=2357 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-15 15:34:54 -04:00
Guido Trentalancia
f3b359ec3f Add new gpg interfaces for gpg_agent execution and to avoid
auditing search operations on files and directories that
are not strictly needed and might pose a security risk.

The new interfaces will be used in a forthcoming update to
allow fetching updates from the network for the spamassassin
rules and the fsdaemon drive database.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/gpg.if |   80 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
2023-09-14 18:38:17 +02:00
Chris PeBenito
ba922253f4
Merge pull request #679 from gtrentalancia/audit_fixes_pr
Improve a previous syslog tunable policy change
2023-09-14 10:49:38 -04:00
Chris PeBenito
32be26840d
Merge pull request #673 from dsugar100/x_login
Solve issue with no keyboard/mouse on X login screen
2023-09-14 10:38:25 -04:00
Russell Coker
c29ca4f257 switcheroo is a daemon to manage discrete vs integrated GPU use for apps
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 23:41:57 +10:00
Chris PeBenito
966cfad4fe
Merge pull request #678 from dsugar100/systemd_hostname
For systemd-hostnamed service to run
2023-09-14 09:30:19 -04:00
Chris PeBenito
84e6a92d3b
Merge pull request #644 from dsugar100/rsyslog_caps
Allow rsyslog to drop capabilities
2023-09-14 09:28:43 -04:00
Chris PeBenito
472603982f
Merge pull request #681 from dsugar100/fix_sddm_label
/var/lib/sddm should be xdm_var_lib_t
2023-09-14 09:23:07 -04:00
Chris PeBenito
224476715e
Merge pull request #675 from dsugar100/ssh_session_error
Fix some ssh agent denials
2023-09-14 09:16:32 -04:00
Russell Coker
7cb75c56c7
Daemon to monitor memory pressure and notify applications and change … (#670)
* Daemon to monitor memory pressure and notify applications and change kernel
OOM settings.

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed the self dgram access to create_socket_perms

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-14 09:15:09 -04:00
Chris PeBenito
7037ef3248
Merge pull request #638 from gtrentalancia/gnome_fixes_pr
The gconf daemon (gnome module) must be able to create Unix domain sockets and use them as a server
2023-09-14 09:12:08 -04:00
Dave Sugar
cdd7c8cd5a /var/lib/sddm should be xdm_var_lib_t
Based on denials, the fact that sddm runs as xdm_t and how other
directories are labeled, xdm_var_lib_t seems more correct here.

Sep 13 14:57:10 localhost.localdomain audisp-syslog[1570]: node=localhost type=AVC msg=audit(1694617030.144:419): avc:  denied  { search } for  pid=1702 comm="sddm" name="sddm" dev="dm-10" ino=393297 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc:  denied  { add_name } for  pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.431:477): avc:  denied  { create } for  pid=1768 comm="QQmlThread" name=".cache" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1
Sep 13 14:59:31 localhost.localdomain audisp-syslog[1571]: node=localhost type=AVC msg=audit(1694617171.470:478): avc:  denied  { getattr } for  pid=1768 comm="QQmlThread" path="/var/lib/sddm/.cache/sddm-greeter/qmlcache" dev="dm-10" ino=393280 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 13:31:41 -04:00
Dave Sugar
131d4fcaca Allow rsyslog to drop capabilities
Aug 28 19:01:43 localhost.localdomain audisp-syslog[1565]: node=localhost type=AVC msg=audit(1693249303.693:415): avc:  denied  { setpcap } for  pid=1722 comm="rsyslogd" capability=8 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0
Aug 28 19:01:43 localhost.localdomain rsyslogd[1722]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-13 11:53:25 -04:00
Guido Trentalancia
4d2ae53c17 Introduce a new interface in the mta module to manage the mail
transport agent configuration directories and files.

This interface will be used by a forthcoming update of the
rule updating feature of the spamassassin module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/mta.if |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
2023-09-13 15:59:50 +02:00