Nicolas Iooss
2de74b9ca1
systemd-logind: allow using BootLoaderEntries DBUS property
systemd-logind exposes several properties related to the bootloader. One
of them is BootLoaderEntries [1], which scans the disks using
util-linux's blkid in order to find the ESP (EFI System Partition) [2][3].
This triggers the following logs in audit.log (where /dev/sda1 is the
ESP, mounted on /boot):
type=AVC msg=audit(1577692922.834:310): avc: denied { getattr }
for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1
type=AVC msg=audit(1577692922.841:311): avc: denied { search } for
pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
type=AVC msg=audit(1577692922.841:312): avc: denied { getattr }
for pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
type=AVC msg=audit(1577692922.841:313): avc: denied { read } for
pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
permissive=1
type=AVC msg=audit(1577692922.841:313): avc: denied { open } for
pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
ino=2496 scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
permissive=1
type=AVC msg=audit(1577692922.844:314): avc: denied { getattr }
for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
ino=2496 scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
permissive=1
type=AVC msg=audit(1577692922.844:315): avc: denied { ioctl } for
pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
permissive=1
type=AVC msg=audit(1577692922.851:316): avc: denied { read } for
pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
type=AVC msg=audit(1577692922.851:316): avc: denied { open } for
pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
type=AVC msg=audit(1577692922.851:317): avc: denied { getattr }
for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
type=AVC msg=audit(1577692922.851:318): avc: denied { ioctl } for
pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
dev="sda1" ino=4 ioctlcmd=0x5401
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
type=AVC msg=audit(1577692922.851:319): avc: denied { read } for
pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
type=AVC msg=audit(1577692922.851:319): avc: denied { open } for
pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1"
ino=5 scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
As allowing read access to fixed disks (such as /dev/sda1 here) can be
considered dangerous, add a conditional to allow the accesses.
[1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315
[2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118
[3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 20:51:45 +01:00
Chris PeBenito
cb5e78abe7
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-12-26 12:21:07 -05:00
Jason Zaman
66d7d802da
virt: allow lvm_control access
type=AVC msg=audit(1563034372.505:40675): avc: denied { read write } for pid=64033 comm="libvirtd" name="control" dev="devtmpfs" ino=1273 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1563034372.505:40675): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff9a09cd180 a2=2 a3=0 items=1 ppid=1 pid=64033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563034372.505:40675): cwd="/"
type=PATH msg=audit(1563034372.505:40675): item=0 name="/dev/mapper/control" inode=1273 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=0a:ec obj=system_u:object_r:lvm_control_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
17f644c625
virt: Add unix socket for virtlogd/virtlockd
avc: denied { listen } for pid=3236 comm="virtlogd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
9fbd5741a4
chromium: allow dbus chat to inhibit power
Chromium will inhibit power saving when playing videos.
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
c0e77208be
dirmngr: accept unix stream socket
dirmngr needs to listen and accept on /run/user/1000/gnupg/S.dirmngr
type=AVC msg=audit(1554175286.968:2720907): avc: denied { accept } for pid=15692 comm="dirmngr" path="/run/user/1000/gnupg/S.dirmngr" scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
deb69b3b65
devicekit: udisks needs access to /run/mount/utab.lock
type=AVC msg=audit(1563073723.106:232): avc: denied { read } for pid=7850 comm="udisksd" name="utab.lock" dev="tmpfs" ino=18445 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563073723.106:232): arch=c000003e syscall=254 success=no exit=-13 a0=b a1=55841d66c920 a2=10 a3=0 items=1 ppid=7849 pid=7850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563073723.106:232): cwd="/"
type=PATH msg=audit(1563073723.106:232): item=0 name="/run/mount/utab.lock" inode=18445 dev=00:16 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_runtime_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
32b6f152a2
xserver: ICEauthority can be in /run/user
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
bcab64fba4
udev: Allow udevadm access to udev_tbl_t
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Sugar, David
97635685d5
Fix indent to match the rest of the file (space -> tab)
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-12-26 12:00:32 -05:00
Sugar, David
99a7c5c197
Add interface to read efivarfs_t directory
I'm seeing the following denial when using 'efivars --list'. This
interface grants access:
2019-12-17T15:22:06-05:00 ip-tsc-black tag_audit_log: type=AVC msg=audit(1576596109.149:95): avc: denied { read } for pid=2329 comm="efivar" name="/" dev="efivarfs" ino=11266 scontext=system_u:system_r:my_app_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-12-26 12:00:32 -05:00
Chris PeBenito
335d9425c0
various: Module version bump.
2019-12-26 11:48:27 -05:00
Chris PeBenito
a29e7442ea
Merge pull request #144 from fishilico/init-mount-kmsg
2019-12-26 11:41:54 -05:00
Chris PeBenito
9a5d515584
Merge pull request #143 from fishilico/sysadm-chat-hostnamed
2019-12-26 11:41:37 -05:00
Chris PeBenito
ce968cefbb
Merge pull request #142 from fishilico/mount-search-bin
2019-12-26 11:41:31 -05:00
Chris PeBenito
3165b50515
Merge pull request #138 from bauen1/filesystem_bpf
2019-12-26 11:41:23 -05:00
Chris PeBenito
a36d1217b8
Merge pull request #136 from bauen1/ifupdown2-fcontext
2019-12-26 11:41:13 -05:00
Chris PeBenito
9c76cca828
Merge pull request #135 from bauen1/sudo-default-types
2019-12-26 11:41:07 -05:00
Chris PeBenito
9fb8494a37
Merge pull request #145 from fishilico/cryfs
Add policy for CryFS, encfs and gocryptfs
2019-12-26 11:37:12 -05:00
Chris PeBenito
c07134adcd
Merge pull request #146 from fishilico/vagrant-fixes
Allow using sysadm_u with Vagrantfile configuration
2019-12-26 11:36:18 -05:00
Chris PeBenito
5d02fc45ff
Merge pull request #141 from fishilico/check_fc_files-allow-arobas
testing/check_fc_files: allow @ character in file context patterns
2019-12-26 11:27:35 -05:00
Nicolas Iooss
7317bd64c0
Vagrantfile: add a specific SELinux policy module
When using Vagrant to run virtual machines with SELinux enabled, several
specific accesses need to be allowed. It does not make much sense to add
the needed rules to the refpolicy, as they are very specific to the use
of Vagrant to provision a virtual machine to test a policy. Therefore,
create a dedicated module to allow the required accesses.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:17:36 +01:00
Nicolas Iooss
d1f92dae04
Vagrantfile: remove sudo
The provisioning scripts are already run as root.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:12:34 +01:00
Nicolas Iooss
d82115ac48
Vagrantfile: fix configuration
"debian" needs to be used instead of "config" in the VM description.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:12:02 +01:00
Nicolas Iooss
358bcef0a4
Add policy for CryFS, encfs and gocryptfs
CryFS (https://www.cryfs.org/ ) is software that can be run by non-root
users that have access to /dev/fuse. Its command is directly used to
mount a directory ("/usr/bin/cryfs basedir mountpoint"), like command
"mount". Unmounting a mountpoint is done with "fusermount -u
mountpoint", /usr/bin/fusermount being a setuid-root program labeled
mount_exec_t.
EncFS (https://www.arg0.net/encfs ) is similar software that has been
considered insecure since a security audit in 2014 found vulnerabilities
that are not yet fixed (like https://github.com/vgough/encfs/issues/9 ).
gocryptfs (https://nuetzlich.net/gocryptfs/ ) is similar software that
has been inspired by EncFS.
Allow users with role sysadm to use all these projects.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:03:53 +01:00
Nicolas Iooss
50b9886061
init: allow systemd to mount over /dev/kmsg and /proc/kmsg
When spawning services such as systemd-timedated with systemd 244,
systemd now mounts an inaccessible directory on /dev/kmsg and
/proc/kmsg:
type=AVC msg=audit(1576535711.579:363): avc: denied { mounton }
for pid=1497 comm="(imedated)"
path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=9055
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
permissive=1
type=AVC msg=audit(1576535711.583:364): avc: denied { getattr }
for pid=1497 comm="(imedated)"
path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1
type=AVC msg=audit(1576535711.589:365): avc: denied { mounton }
for pid=1497 comm="(imedated)"
path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1
Running "findmnt" in the resulting mount namespace shows:
|-/dev dev devtmpfs rw,...
| `-/dev/kmsg run[/systemd/inaccessible/chr] tmpfs ro,...
|-/proc proc proc rw,...
| `-/proc/kmsg run[/systemd/inaccessible/reg] tmpfs ro,...
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 17:29:58 +01:00
Nicolas Iooss
b1566c1966
sysadm: allow using hostnamectl
Command "hostnamectl" communicates with systemd_hostnamed_t through
DBUS:
type=USER_AVC msg=audit(1576535282.679:345): pid=285 uid=81
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.DBus.Properties member=GetAll
dest=org.freedesktop.hostname1 spid=1449 tpid=1450
scontext=sysadm_u:sysadm_r:sysadm_t
tcontext=system_u:system_r:systemd_hostnamed_t tclass=dbus
permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
terminal=?'
type=USER_AVC msg=audit(1576535282.683:347): pid=285 uid=81
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_return
dest=:1.269 spid=1450 tpid=1449
scontext=system_u:system_r:systemd_hostnamed_t
tcontext=sysadm_u:sysadm_r:sysadm_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 17:26:34 +01:00
Nicolas Iooss
789307d57e
mount: allow callers of mount to search /usr/bin
In order to be able to invoke /usr/bin/mount, /usr/bin/fusermount, etc.
callers need to be able to search /usr/bin. Otherwise, such denials are
recorded:
type=AVC msg=audit(1576534518.220:1320): avc: denied { search }
for pid=24067 comm="cryfs" name="bin" dev="vda1" ino=524829
scontext=sysadm_u:sysadm_r:cryfs_t tcontext=system_u:object_r:bin_t
tclass=dir permissive=0
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 16:54:51 +01:00
Nicolas Iooss
8e612038de
testing/check_fc_files: allow @ character in file context patterns
Some systemd units use @ in their names.
Fixes: https://github.com/SELinuxProject/refpolicy/issues/131
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 16:53:05 +01:00
bauen1
09efc0087a
added bpf_t filesystem label
2019-12-16 20:16:14 +01:00
bauen1
a1f20e749e
fix ifupdown2 executable mislabeled as lib_t
2019-12-10 20:18:00 +01:00
bauen1
d4cc5cf3d2
fix: sudo can't determine default type for sysadm_r
2019-12-09 21:13:23 +01:00
Chris PeBenito
17f06cf1fe
unconfined: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-12-02 08:47:19 -05:00
Chris PeBenito
9a04561643
Merge pull request #130 from pebenito/unconfined-systemd-user
2019-12-02 08:45:44 -05:00
Chris PeBenito
832face6f2
logging: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-11-23 10:27:14 -05:00
Chris PeBenito
9c3c525aa8
logging: Reorder lines.
No rule change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-11-23 10:26:50 -05:00
Sugar, David
a9ae616800
resolve syslog imuxsock denial
I'm seeing the following error while starting rsyslog:
Nov 17 02:01:38 localhost rsyslogd: cannot create '/run/systemd/journal/syslog': Permission denied [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: imuxsock does not run because we could not aquire any socket [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: activation of module imuxsock failed [v8.24.0-41.el7_7.2]
With the following denials:
type=AVC msg=audit(1573958708.773:1896): avc: denied { create } for pid=2347 comm="rsyslogd" name="syslog" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1573958708.773:1897): avc: denied { setattr } for pid=2347 comm="rsyslogd" name="syslog" dev="tmpfs" ino=19368 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-11-23 10:24:13 -05:00
Chris PeBenito
0bfd1387ac
Remove incorrect usages of "is" operator from Python scripts.
Closes #128
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-11-23 10:12:53 -05:00
Chris PeBenito
45bd96f619
various: Module version bump.
2019-11-23 09:54:36 -05:00
Chris PeBenito
8fcd20b9f9
Merge pull request #127 from pebenito/unconfined-cap_userns
2019-11-23 09:51:42 -05:00
Chris PeBenito
e05c589ae6
Merge pull request #127 from pebenito/unconfined-cap_userns
2019-11-23 09:51:28 -05:00
Chris PeBenito
42d115aa53
unconfined: Fix systemd --user rule.
Use the full init_pgm_spec_user_daemon_domain() to ensure correct
permissions.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-11-22 16:39:35 -05:00
Chris PeBenito
87745f09d9
unconfined: Add namespaced capabilities.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-11-15 11:13:58 -05:00
Laurent Bigonville
53a76d3fb7
Allow alsa_t to set scheduling priority and send signal to itself
When alsactl is running as a daemon with systemd, it sets its process
priority to be nice to other processes. When stopping the service, it's
signaling to itself that it needs to exit.
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:08:03 +01:00
Laurent Bigonville
56a11f07c3
Allow alsa_t to create alsa_runtime_t file as well
When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), which needs to be allowed.
----
time->Sun Oct 6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc: denied { write open } for pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc: denied { create } for pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc: denied { open } for pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc: denied { read } for pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc: denied { unlink } for pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:08:03 +01:00
Laurent Bigonville
9b18951eb0
Allow realmd_t to read localization files
----
time->Sat Oct 5 13:11:40 2019
type=AVC msg=audit(1570273900.483:148): avc: denied { open } for pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { read } for pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { read } for pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=262415 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { search } for pid=1382 comm="realmd" name="locale" dev="dm-1" ino=262056 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
----
time->Sat Oct 5 13:11:40 2019
type=AVC msg=audit(1570273900.483:149): avc: denied { getattr } for pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
----
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:08:03 +01:00
Laurent Bigonville
69d88981bc
Allow geoclue to log in syslog
----
time->Thu Oct 3 17:16:40 2019
type=AVC msg=audit(1570115800.136:513): avc: denied { create } for pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Thu Oct 3 17:16:40 2019
type=AVC msg=audit(1570115800.136:514): avc: denied { sendto } for pid=1384 comm="geoclue" path="/run/systemd/journal/socket" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { write } for pid=1384 comm="geoclue" name="socket" dev="tmpfs" ino=1781 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { search } for pid=1384 comm="geoclue" name="journal" dev="tmpfs" ino=1777 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { search } for pid=1384 comm="geoclue" name="systemd" dev="tmpfs" ino=11001 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { write } for pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:05:05 +01:00
Laurent Bigonville
805f2d9cd4
Allow the systemd dbus-daemon to talk to systemd
Recent versions of dbus are started as Type=notify:
type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc: denied { write } for pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:05:05 +01:00
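The denial records quoted throughout this log (the systemd-logind lines wrapped across several lines at the top, the ausearch-framed "----"/"time->" blocks from the alsactl and realmd commits, the USER_AVC D-Bus records from the hostnamectl commit, and the dbus-daemon line just above) share one key=value grammar. The script below is an added example, not code from the refpolicy project or from any of the committers: it re-joins wrapped records, parses both the kernel AVC and the USER_AVC shapes, strips the MLS range from the contexts, and collapses the denials into candidate allow rules grouped by source type, target type and object class. The SENSITIVE_TARGETS set is an illustrative choice made for this example (seeded with fixed_disk_device_t, the type the logind commit chose to gate behind a conditional rather than allow outright); the sample records are copied from lines quoted in this log.

```python
"""Collapse SELinux AVC denials into candidate allow rules for review.

Added example for this commit log; not refpolicy code.  Handles kernel
"type=AVC ... avc: denied" records (also when wrapped for a commit
message), ausearch "----"/"time->" framing, and "type=USER_AVC" records
from dbus-daemon, whose avc text is nested inside msg='...'.
"""
import re
from collections import defaultdict

# Sample records copied from denials quoted in this log.  The first two
# are wrapped exactly as in the systemd-logind commit message.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1577692922.841:313): avc: denied { read } for
pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496
scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
permissive=1
type=AVC msg=audit(1577692922.841:313): avc: denied { open } for
pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
ino=2496 scontext=system_u:system_r:systemd_logind_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
permissive=1
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
type=USER_AVC msg=audit(1576535282.679:345): pid=285 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.hostname1 spid=1449 tpid=1450 scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:system_r:systemd_hostnamed_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1563034372.505:40675): avc: denied { read write } for pid=64033 comm="libvirtd" name="control" dev="devtmpfs" ino=1273 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
"""

# Target types that should not be opened up wholesale: an illustrative
# list chosen for this example, not a refpolicy definition.
SENSITIVE_TARGETS = {"fixed_disk_device_t", "shadow_t", "memory_device_t"}

RECORD_START = re.compile(r"(^|\s)type=\w+ msg=audit\(|^avc: ")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def iter_records(text):
    """Yield one logical record per audit event line, re-joining the
    continuation lines of records that were wrapped for a commit message."""
    current = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----") or line.startswith("time->"):
            continue  # ausearch framing carries no fields
        if RECORD_START.search(line) and current:
            yield " ".join(current)
            current = []
        current.append(line)
    if current:
        yield " ".join(current)


def context_type(ctx):
    """user:role:type[:mls] -> type; the MLS range is irrelevant to the rule."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_record(record):
    """Return the denial as a dict, or None for non-denial records
    (SYSCALL, CWD, PATH, ...) so raw audit.log slices can be fed in."""
    m = DENIED_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group(2))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group(1).split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name") or fields.get("dest"),
        "enforced": fields.get("permissive") == "0",
    }


def summarise(text):
    """Map (source type, target type, class) -> union of denied permissions."""
    rules = defaultdict(set)
    for record in iter_records(text):
        denial = parse_record(record)
        if denial:
            rules[(denial["stype"], denial["ttype"], denial["tclass"])] |= denial["perms"]
    return rules


def format_rules(rules, sensitive=SENSITIVE_TARGETS):
    """Render candidate rules in refpolicy style ('self' when a domain acts
    on itself) and mark targets that deserve a tunable rather than a plain allow."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        rule = f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype in sensitive:
            rule += "  # review: sensitive target type, consider a tunable_policy block"
        lines.append(rule)
    return lines


if __name__ == "__main__":
    for line in format_rules(summarise(SAMPLE_AUDIT)):
        print(line)
```

Run on the sample it prints four candidate rules; the fixed_disk_device_t one carries the review marker, which is exactly the case where the logind commit above chose a conditional over an unconditional allow. Like audit2allow, the output is a starting point for a maintainer to read against the interfaces refpolicy already provides, not policy to install as-is.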
Chris PeBenito
04a83b9616
init: Module version bump.
2019-10-31 04:12:24 -04:00
Chris PeBenito
bb48674bd1
init: Whitespace change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-31 03:33:14 -04:00