Chris PeBenito
c95e835170
sysnetwork: Module version bump.
2018-04-25 17:34:13 -04:00
Chris PeBenito
71b2ed038c
sysnetwork: Move lines in sysnet_read_config().
2018-04-25 17:33:51 -04:00
Jason Zaman
0ae2abab2e
sysnetwork: put systemd_read_resolved_runtime in an ifdef
commit f865919872
(Interface to read /run/systemd/resolve/resolv.conf)
Added an interface to sysnet_read_config which requires the systemd
module loaded. Putting the interface in an optional_policy() is not
possible since sysnet_read_config is called from several tunables so
we use an ifdef.
2018-04-25 17:28:59 -04:00
Chris PeBenito
ac9363d662
init, logging, sysnetwork, systemd, udev: Module version bump.
2018-04-17 20:20:27 -04:00
Dave Sugar
f865919872
Interface to read /run/systemd/resolve/resolv.conf
With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf; allow domains with access to read network configuration to read this file.
Please note, this can't be in optional_policy() due to tunable_policy in the nis_authenticate interface.
type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
Dave Sugar
ceec13419f
Fix problems booting with fips=1
Seeing the following problem when booting in enforcing mode with FIPS mode enabled:
Request for unknown module key 'CentOS Linux kernel signing key: c757a9fbbd0d82c9e54052029a0908d17cf1adc7' err -13
Then seeing the system halt.
Fixing the following denials:
[ 4.492635] type=1400 audit(1523666552.903:4): avc: denied { search } for pid=894 comm="systemd-journal" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[ 4.496621] type=1400 audit(1523666552.907:5): avc: denied { read } for pid=894 comm="systemd-journal" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[ 4.499741] type=1400 audit(1523666552.910:6): avc: denied { open } for pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[ 4.502969] type=1400 audit(1523666552.914:7): avc: denied { getattr } for pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[ 4.950021] type=1400 audit(1523666553.360:8): avc: denied { search } for pid=952 comm="systemctl" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[ 4.986551] type=1400 audit(1523666553.397:9): avc: denied { read } for pid=952 comm="systemctl" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[ 5.028737] type=1400 audit(1523666553.439:10): avc: denied { open } for pid=952 comm="systemctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=1400 audit(1512501270.176:3): avc: denied { search } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
Chris PeBenito
2c54bc4eaf
Update contrib.
2018-04-12 19:11:36 -04:00
Chris PeBenito
e75bcdead0
Module version bumps for patches from James Carter.
2018-04-12 18:49:46 -04:00
James Carter
93238de580
Remove undeclared identifiers from xserver interface
The interface xserver_manage_xdm_spool_files() uses the undeclared type
xdm_spool_t. Removed statements referring to this type and marked the
interface as deprecated because it is now empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter
b8d528ea62
Remove undeclared identifiers from interfaces
These interfaces are not called anywhere in the policy.
corenetwork.if.in:corenet_sctp_bind_generic_port(),
corenet_dontaudit_sctp_bind_generic_port(), and
corenet_sctp_connect_generic_port()
Removed references to undeclared type ephemeral_port_t.
corenetwork.if.in:corenet_sctp_recvfrom_unlabeled()
Removed references to undeclared type attribute corenet_unlabled_type.
devices.if:dev_read_printk()
Removed references to undeclared type printk_device_t and marked
interface as deprecated because it is now empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter
90b214c004
Move use of user_devpts_t from terminal.fc to userdomain.fc
The type user_devpts_t is actually declared in userdomain.te, and moving it
removes a dependency of the base module (of which terminal is a part) on a
module.
Moved the file contexts to label slave pseudo terminals with the
user_devpts_t type from terminal.fc to userdomain.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter
6226181924
Move use of systemd_unit_t from systemd.fc to init.fc
The type systemd_unit_t is actually declared in init.te.
Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter
d172b3b45d
Move the use of initrc_var_run_t from files.fc to init.fc
The type initrc_var_run_t is actually declared in init.te, and moving it
removes a dependency of the base module (of which files is a part) on a
module.
Moved the file contexts to label motd for Debian systems with the
initrc_var_run_t type from files.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter
f43db58687
Move the use of var_log_t from authlogin.fc to logging.fc
The type var_log_t is actually declared in logging.te.
Moved the file contexts to label dmesg and syslog files with the
var_log_t type from authlogin.fc to logging.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter
da0cf8e721
Mark unused parameters as unused
Marked unused parameters as unused in the interfaces listed below.
userdomain.if:userdom_ro_home_role()
userdomain.if:userdom_manage_home_role()
userdomain.if:userdom_manage_tmp_role()
userdomain.if:userdom_manage_tmpfs_role()
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
James Carter
2268d42fee
Removed unnecessary semicolons
Removed unnecessary semicolons in ipsec.te, logging.te, and systemd.te.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
Chris PeBenito
ed60abef70
corenetwork, init: Module version bump.
2018-03-21 14:17:22 -04:00
Christian Göttsche
7b6042b29c
add definition of bpf class and systemd perms
2018-03-21 14:16:52 -04:00
Chris PeBenito
1a231081f8
.travis.yml: Change to master branch for sctp support.
2018-03-21 14:15:53 -04:00
Richard Haines
437e48ac53
refpolicy: Update for kernel sctp support
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-21 14:14:37 -04:00
Chris PeBenito
d0bac9a48e
Update contrib.
2018-03-09 17:10:00 -05:00
Chris PeBenito
94e3f48a8e
iptables: Module version bump.
2018-03-09 17:09:50 -05:00
Chris PeBenito
76aea031e7
Merge branch 'xtable-proc' of https://github.com/bigon/refpolicy
2018-03-09 17:09:11 -05:00
Miroslav Grepl
b0b4bc947c
xtables-multi wants to getattr of the proc fs
2018-03-01 12:32:22 +01:00
Chris PeBenito
9c0d0e66ff
another trivial dbus patch from Russell Coker.
2018-02-18 11:25:29 -05:00
Chris PeBenito
03e2f1a809
Simple map patch from Russell Coker.
2018-02-15 17:10:34 -05:00
Chris PeBenito
b492924414
Misc dbus fixes from Russell Coker.
2018-02-15 17:07:08 -05:00
Chris PeBenito
88e821f369
Enable cgroup_seclabel and nnp_nosuid_transition.
2018-01-16 18:52:39 -05:00
Chris PeBenito
c20931323a
Update Changelog and VERSION for release.
2018-01-14 14:08:09 -05:00
Chris PeBenito
4d5b06428b
Bump module versions for release.
2018-01-14 14:08:09 -05:00
Chris PeBenito
f9f721028c
init: Module version bump.
2018-01-05 16:20:50 -05:00
Christian Göttsche
288bc8471c
init: add init_rw_inherited_stream_socket
2018-01-05 15:35:06 -05:00
Chris PeBenito
519cada9f1
Update contrib.
2018-01-03 16:56:53 -05:00
Christian Göttsche
c51e9e1bb4
filesystem: add fs_rw_inherited_hugetlbfs_files for apache module
2018-01-03 16:56:03 -05:00
Chris PeBenito
6c41a0a3af
hostname: Module version bump.
2017-12-31 07:06:52 -05:00
Christian Göttsche
5b2db4fcb1
hostname: cmdline usage + signal perms sort
2017-12-31 06:51:13 -05:00
Chris PeBenito
e1fb2401fe
Update contrib.
2017-12-26 05:38:55 -05:00
Nicolas Iooss
dbd8fbb01c
corecommands: label systemd script directories bin_t
systemd defines in /usr/lib/systemd several directories which can
contain scripts or executable files:
- system-environment-generators/ and user-environment-generators/
documented in
https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
- system-shutdown/ documented in
https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
- system-sleep/ documented in
https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
Currently the content of these directories is labelled lib_t, which
causes the following AVC on Arch Linux:
avc: denied { execute_no_trans } for pid=10308 comm="systemd"
path="/usr/lib/systemd/system-environment-generators/10-arch"
dev="vda1" ino=543182 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:lib_t tclass=file permissive=1
For information /usr/lib/systemd/system-environment-generators/10-arch
only defines $PATH and its content is available on
https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
2017-12-17 15:28:37 -05:00
Chris PeBenito
d91260b7b5
Revise mmap_file_perms deprecation warning message.
2017-12-17 15:24:48 -05:00
Chris PeBenito
94f1a1b3f3
Add missing mmap_*_files_pattern macros.
2017-12-13 19:01:45 -05:00
Chris PeBenito
78a49b640d
Add new mmap permission set and pattern support macros.
Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access. Replace with a full set of permission
set macros for mmap.
Requested for selinux-testsuite usage.
2017-12-13 18:58:34 -05:00
Chris PeBenito
84ce1a11a4
storage, userdomain: Module version bump.
2017-12-13 18:29:26 -05:00
Jason Zaman
7757827de9
storage: Add fcontexts for NVMe disks
NVMe has several dev nodes for each device:
/dev/nvme0 is a char device for communicating with the controller.
/dev/nvme0n1 is the block device that stores the data.
/dev/nvme0n1p1 is the first partition.
2017-12-13 18:19:29 -05:00
Jason Zaman
d29486d4cf
userdomain: Allow public content access
All users are allowed read access to read-only public content files.
unpriv and admin users are allowed rw access to public rw files.
2017-12-13 18:19:29 -05:00
Chris PeBenito
8e19b3103e
mls, xserver, systemd, userdomain: Module version bump.
2017-12-12 20:25:32 -05:00
David Sugar
dd4facd8af
Allow systemd_logind to delete user_runtime_content_type files
Now that objects in /run/user/%{USERID}/* use the attribute user_runtime_content_type, use the interfaces userdom_delete_all_user_runtime_* to allow deletion of these objects.
type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-12 20:19:10 -05:00
David Sugar
248b914d4d
Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content_type)
Set up the type xdm_runtime_t for files and directories created in /run/user/%{USERID}/, and use filetrans to transition from user_runtime_t to our private type.
type=AVC msg=audit(1511962167.495:64): avc: denied { write } for pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { add_name } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:65): avc: denied { create } for pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962167.495:65): avc: denied { read write open } for pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc: denied { read write } for pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc: denied { open } for pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc: denied { read write } for pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc: denied { open } for pid=1784 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc: denied { read write } for pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc: denied { open } for pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-12 20:19:10 -05:00
David Sugar
9af24aeb9c
Make an attribute for objects in /run/user/%{USERID}/*
Set up the attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/*, interfaces to associate this attribute with types, and interfaces to delete types with this attribute.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-12 20:19:10 -05:00
Chad Hanson
5a4f511ff4
Fix implementation of MLS file relabel attributes
This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabetoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below.
Signed-off-by: Chad Hanson <dahchanson@gmail.com>
2017-12-12 20:07:57 -05:00
Chris PeBenito
1461e89016
Update contrib.
2017-12-11 19:16:07 -05:00