7176 Commits

Author SHA1 Message Date
Kenton Groombridge
4e97f87cee init: use pidfds from local login
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
7fd9032d88 dbus, init: add interface for pidfd usage
Commit 4e7511f4a previously added access for init to use DBUS system bus
file descriptors while the intended access was for pidfds. Add an
interface for pidfd usage so that when pidfds are eventually handled
separately from regular fds, this interface can be adjusted.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
a6d6921a9c asterisk: allow watching spool dirs
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
72c1d912ff su, sudo: allow sudo to signal all su domains
sudo sends a SIGWINCH to child processes when invoked. If an
administrator uses sudo in the fashion of "sudo su - root", sudo will
send a signal to the corresponding su process.

type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(1715721229.386:293930): avc:  denied  { signal } for  pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
8b31782480 sudo: allow systemd-logind to read cgroup state of sudo
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
871f0b0dd7 postfix: allow smtpd to mmap SASL keytab files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
578375480d sysnetwork: allow ifconfig to read usr files
ip wants to read files in /usr/share/iproute2.

type=AVC msg=audit(1715785441.968:297208): avc:  denied  { read } for  pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
6916e9b20c systemd: allow systemd-logind to use sshd pidfds
This is to avoid a long timeout in pam_systemd when logging on. This is
the second half of the fix described in
ddc6ac493c.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Chris PeBenito
04eca2fa9b Merge pull request #770 from pebenito/systemd-analyze
Misc fixes
2024-06-06 12:07:27 -04:00
Chris PeBenito
c920fc5d9e Merge pull request #781 from yizhao1/selinuxutil
selinuxutil: make policykit optional
2024-06-05 19:48:02 -04:00
Chris PeBenito
c963ddfae0 Merge pull request #782 from pebenito/quic_amisjain-bt-uhid
Sepolicy changes for bluez to access uhid
2024-06-05 19:42:16 -04:00
Chris PeBenito
2102055d4d devices: Change dev_rw_uhid() to use a policy pattern.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-06-05 15:26:56 -04:00
Chris PeBenito
1cbe455a5e device: Move dev_rw_uhid definition.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-06-05 15:25:24 -04:00
Amisha Jain
7a33b4bc87 Sepolicy changes for bluez to access uhid
Resolve SELinux permission for HID.

Below are the AVC denials that are fixed with this patch:

avc:  denied  { read write } for  pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Amisha Jain <quic_amisjain@quicinc.com>
2024-06-05 14:50:39 -04:00
Yi Zhao
c6dd4087de selinuxutil: make policykit optional
Make policykit optional to avoid a potential build error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-05 10:52:34 +08:00
Chris PeBenito
d53aa53110 Merge pull request #779 from yizhao1/fixes
Fixes for dhcpcd and newrole
2024-06-04 10:05:54 -04:00
Chris PeBenito
50a1ee7e9c Merge pull request #780 from pebenito/quic_nakella-gatt
Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
2024-06-04 09:54:45 -04:00
Yi Zhao
10feb47e55 newrole: allow newrole to search faillock runtime directory
Allow newrole to search the /run/faillock directory, otherwise the
faillock mechanism will not work for newrole.

Before the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root

After the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole  -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
The account is locked due to 3 failed logins.
(1 minute left to unlock)
Password:

Fixes:
avc: denied { search } for pid=508 comm="newrole" name="faillock"
dev="tmpfs" ino=582 scontext=root:sysadm_r:newrole_t:s0-s15:c0.c1023
tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-04 21:18:58 +08:00
Yi Zhao
bf34d3e5e8 sysnetwork: fixes for dhcpcd
Allow dhcpcd to create netlink socket and read files under /run/udev/.

Fixes:
avc: denied { search } for pid=393 comm="dhcpcd" name="udev" dev="tmpfs"
ino=49 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=1

avc: denied { create } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { getopt } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { setopt } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { bind } for  pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { getattr } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { read } for  pid=393 comm="dhcpcd" name="n1" dev="tmpfs"
ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1

avc: denied { open } for pid=393 comm="dhcpcd" path="/run/udev/data/n1"
dev="tmpfs" ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1

avc: denied { getattr } for pid=393 comm="dhcpcd"
path="/run/udev/data/n1" dev="tmpfs" ino=222
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-04 21:12:36 +08:00
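Added example, not refpolicy code or any of these authors' own: a small audit2allow-style parser run over the AVC records quoted in the 72c1d912ff (sudo) and bf34d3e5e8 (dhcpcd) messages above. It joins records that the commit messages wrapped at 72 columns, decodes the hex-encoded proctitle=/path= fields that audit emits for values containing spaces or NULs, unions the denied permissions per source type, target type and class into allow rules, and reports whether every denial was logged in permissive mode (under enforcing, the first denial aborts the syscall, so the logged set is probably incomplete). The sample records are copied from the commit messages; the function names and rule formatting are this example's own. The output is a reviewer's starting point, not policy to paste: refpolicy expresses these through interfaces rather than raw allow rules, and a union of denials can still be broader than the program needs.

```python
# Added example (not refpolicy code): turn the AVC denials quoted in the
# bf34d3e5e8 (dhcpcd) and 72c1d912ff (sudo) commit messages into candidate
# allow rules, as audit2allow does, and decode hex-encoded audit fields
# (proctitle=..., path=2F64...) that appear in several messages above.
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit(8) hex-encodes these fields when they contain spaces, quotes or NULs.
HEX_FIELDS = {"proctitle", "path", "name", "comm", "exe", "cwd"}

def decode_audit_field(value):
    """Unquote a quoted value or decode bare hex; NUL argv separators become spaces."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    return value

def parse_record(line):
    """key=value fields of one audit record, with hex-capable fields decoded."""
    return {k: decode_audit_field(v) if k in HEX_FIELDS else v.strip('"')
            for k, v in FIELD_RE.findall(line)}

def parse_avc(record):
    """The parts of an AVC denial that a TE rule is built from; None if not a denial."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    f = parse_record(m.group("rest"))
    # TE rules are keyed on types; user and role (sysadm_r above) play no part.
    return {"perms": set(m.group("perms").split()),
            "stype": f["scontext"].split(":")[2],
            "ttype": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            "permissive": f.get("permissive") == "1"}

def iter_records(text):
    """One logical record per audit event: commit messages wrap records at 72
    columns, so continuation lines are joined back onto the record they belong to."""
    current = []
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(("type=", "avc:", "node="))) and current:
            yield " ".join(current)
            current = []
        if line:
            current.append(line)
    if current:
        yield " ".join(current)

def suggest_rules(text):
    """Union denied permissions per (source type, target type, class).
    Returns (rules, all_permissive): under permissive=0 the first denial aborted the
    syscall, so permissions the program needs next may not have been logged yet."""
    perms, flags = defaultdict(set), []
    for rec in iter_records(text):
        avc = parse_avc(rec)
        if avc is None:
            continue
        perms[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
        flags.append(avc["permissive"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        plist = sorted(ps)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {body};")
    return rules, bool(flags) and all(flags)

# Sample input copied from the commit messages above (sudo SYSCALL record and
# half of the dhcpcd denials omitted for brevity).
SUDO_AUDIT = """\
type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=AVC msg=audit(1715721229.386:293930): avc:  denied  { signal } for  pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0
"""
DHCPCD_AUDIT = """\
avc: denied { search } for pid=393 comm="dhcpcd" name="udev" dev="tmpfs"
ino=49 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=1
avc: denied { create } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
avc: denied { bind } for  pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
avc: denied { read } for  pid=393 comm="dhcpcd" name="n1" dev="tmpfs"
ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
"""

if __name__ == "__main__":
    print(parse_record(SUDO_AUDIT.splitlines()[0])["proctitle"])
    for sample in (SUDO_AUDIT, DHCPCD_AUDIT):
        rules, complete = suggest_rules(sample)
        print("\n".join(rules), "" if complete else "(enforcing mode: set may be incomplete)")
```

Run it as-is and it prints "sudo su - root" for the decoded proctitle, the single `allow staff_sudo_t sysadm_su_t:process signal;` rule flagged as possibly incomplete (permissive=0), and the three dhcpcd rules with the netlink socket permissions collapsed onto `self`. The same decoder turns the `path=2F6465762F...` value in the cockpit commit further down into `/dev/#793 (deleted)`, which is how a memfd-backed tmpfs file shows up in audit once it has been unlinked.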
Naga Bhavani Akella
4663e613f0 Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
Required for using the acquire-notify and acquire-write options (GATT client)
and for sending notifications (GATT server).

Below are the avc denials that are fixed with this patch -

1. audit: type=1400 audit(315966559.395:444):
avc:  denied  { use } for  pid=710 comm="dbus-daemon"
path="socket:[13196]" dev="sockfs" ino=13196
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
2. audit: type=1400 audit(315999854.939:523):
avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
path="socket:[99469]" dev="sockfs" ino=99469
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=bluetooth_socket permissive=1

Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-06-04 09:08:18 -04:00
Chris PeBenito
af26e63697 Merge pull request #778 from 0xC0ncord/various-20240506
Various fixes
2024-05-13 08:38:14 -04:00
Kenton Groombridge
27602a932b various: various fixes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:37 -04:00
Kenton Groombridge
63d50bbaa3 container, crio, kubernetes: minor fixes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:37 -04:00
Kenton Groombridge
11e729e273 container, podman: various fixes
Various fixes for containers and podman, mostly centered around quadlet
and netavark updates.

One particular change which may stand out is allowing podman_conmon_t to
IOCTL container_file_t files. I wish I could know why this was hit, but
I don't. The relevant AVC is:

type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762
type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" 
a69="--exit-command-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7"
type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null)
type=AVC msg=audit(1704734027.100:15951872): avc:  denied  { ioctl } for  pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge
ef5954a0e9 systemd: allow systemd-sysctl to search tmpfs
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge
472e0442e7 container: allow containers to getcap
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge
7876e51510 container: allow system container engines to mmap runtime files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge
d917092a81 matrixd: add tunable for binding to all unreserved ports
This is to support using Synapse workers which require binding to
multiple TCP ports in lieu of manually labeling unreserved ports for
use.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:54 -04:00
Kenton Groombridge
3dba91dd48 bootloader: allow systemd-boot to manage EFI binaries
systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If it is mounted with boot_t, bootctl
needs to be able to manage boot_t files.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:54 -04:00
Kenton Groombridge
ddf395d5d4 asterisk: allow binding to all unreserved UDP ports
This is for RTP streaming.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:51 -04:00
Kenton Groombridge
3bad3696b8 postgres: add a standalone execmem tunable
Add a separate tunable to allow Postgres to use execmem. This is to
support JIT in the Postgres server without enabling it for the entire
system.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:51 -04:00
Kenton Groombridge
ef28f7879a userdom: allow users to read user home dir symlinks
This is to support user home directories primarily living in another
directory with a symlink in /home that points to it.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:23 -04:00
Kenton Groombridge
03711caea1 dovecot: allow dovecot-auth to read SASL keytab
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:23 -04:00
Kenton Groombridge
cd781e783e fail2ban: allow reading net sysctls
type=AVC msg=audit(1696613589.191:194926): avc:  denied  { search } for  pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:23 -04:00
Kenton Groombridge
ddc6ac493c init: allow systemd to use sshd pidfds
Without this, a lengthy 2 minute delay can be observed SSHing into a
system while pam_systemd tries to create a login session.

May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out

type=AVC msg=audit(1715019897.540:13855): avc:  denied  { use } for  pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:18 -04:00
Chris PeBenito
eefc22e395 Merge pull request #768 from plsph/merged-usr-gentoo
files context for merged-usr profile on gentoo
2024-05-09 08:28:30 -04:00
Grzegorz Filo
b9c457d80a files context for merged-usr profile on gentoo
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2024-05-08 13:46:48 +02:00
Chris PeBenito
6daf602382 init: Add homectl dbus access.
homectl is used in the systemd-homed-activate.service ExecStop.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-05-07 10:26:18 -04:00
Chris PeBenito
7d998958dc filesystem/systemd: memory.pressure fixes.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-05-07 10:23:10 -04:00
Chris PeBenito
9b4ac09194 Merge pull request #777 from dsugar100/cockpit_map
Need map perm for cockpit 300.4
2024-05-06 13:43:26 -04:00
Dave Sugar
5040dd3b6e Need map perm for cockpit 300.4
node=localhost type=AVC msg=audit(1714870999.370:3558): avc:  denied  { map } for  pid=7081 comm="cockpit-bridge" path=2F6465762F23373933202864656C6574656429 dev="devtmpfs" ino=793 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:staff_cockpit_tmpfs_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-05-05 22:14:39 -04:00
Chris PeBenito
d049eb2173 cloudinit: Add support for cloud-init-growpart.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-05-02 14:59:32 -04:00
Chris PeBenito
739ae42cac systemd: Add basic systemd-analyze rules.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-05-02 14:57:29 -04:00
Chris PeBenito
0dc400529c Merge pull request #776 from pebenito/sechecker
Add initial sechecker configuration for CI.
2024-04-30 10:17:51 -04:00
Chris PeBenito
029684596a Merge pull request #775 from matt-sheets/masheets/init-siginh
Allow systemd to pass down sig mask
2024-04-30 10:09:02 -04:00
Chris PeBenito
2ef9838dba tests.yml: Add sechecker testing.
Add initial privilege and integrity tests.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-29 14:20:24 -04:00
Chris PeBenito
c62bd5c6c0 cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-29 14:20:24 -04:00
Chris PeBenito
1c694125b7 certbot: Drop execmem.
This is related to FFI use in python3-openssl. Libffi now changes behavior
when it detects SELinux, to avoid this type of denial.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-29 14:20:24 -04:00
Chris PeBenito
349411d555 xen: Drop xend/xm stack.
Xend/xm was replaced with xl in Xen 4.5 (Jan 2015).

https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-29 14:20:19 -04:00
Matt Sheets
2a261f9166 Allow systemd to pass down sig mask
IgnoreSIGPIPE is a feature that requires systemd to pass the signal
mask down to the forked process. To allow this, the siginh permission must
be allowed for all process domains that can be forked by systemd.

Signed-off-by: Matt Sheets <masheets@linux.microsoft.com>
2024-04-26 17:17:24 -07:00