nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4,962 Commits 1 Branch 0 Tags 16 MiB
4f6614ba7f
Commit Graph

1298 Commits

Author SHA1 Message Date
Chris PeBenito
4f6614ba7f ntp, init, lvm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-27 18:49:54 -04:00
Sugar, David
d3c4e19f72 Denial of cryptsetup reading cracklib database 
When setting up a LUKS encrypted partition, cryptsetup is reading
the cracklib databases to ensure password strength.  This is
allowing the needed access.

type=AVC msg=audit(1553216939.261:2652): avc:  denied  { search } for  pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc:  denied  { read } for  pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc:  denied  { open } for  pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc:  denied  { getattr } for  pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-27 18:48:01 -04:00
Sugar, David
7525ba9c1e Allow ntpd to read unit files 
Adding missing documenation (sorry about that).

type=AVC msg=audit(1553013917.359:9935): avc:  denied  { read } for  pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9935): avc:  denied  { open } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9936): avc:  denied  { getattr } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1

type=AVC msg=audit(1553013821.622:9902): avc:  denied  { getattr } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc:  denied  { read } for  pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc:  denied  { open } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-27 18:48:01 -04:00
Chris PeBenito
32f3f09dc4 authlogin, dbus, ntp: Module version bump. 2019-03-24 14:43:35 -04:00
Sugar, David
5f14e530ad Resolve denial about logging to journal from chkpwd 
type=AVC msg=audit(1553029357.588:513): avc:  denied  { sendto } for  pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-24 14:37:22 -04:00
Chris PeBenito
c46eba9c02 sysadm, udev: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-17 16:27:34 -04:00
Chris PeBenito
ceadf42b75 udev: Move one line and remove a redundant line. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-17 16:25:28 -04:00
Chris PeBenito
2297487654 udev: Whitespace fix. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-03-17 16:25:03 -04:00
Sugar, David
ba31e59cd1 Separate out udevadm into a new domain 
This is the update I have made based on suggestions for the previous
patches to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permisssions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permisions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo and /usr/bin/udevsend
   But as I don't have those binaries to test, I have not updated the
   type of that binary.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm
into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-17 16:15:21 -04:00
Chris PeBenito
60b8e08f4f systemd, udev, usermanage: Module version bump. 2019-03-11 20:59:21 -04:00
Sugar, David
9d2b68e0ba Allow additional map permission when reading hwdb 
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.

type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Updated from previous to create a new interface.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-11 20:53:30 -04:00
Sugar, David
3fd0d7df8b Update cron use to pam interface 
I'm seeing a many denials for cron related to faillog_t, lastlog_t
and wtmp_t.  These are all due to the fact cron is using pam (and my
system is configured with pam_faillog).  I have updated cron to use
auth_use_pam interface to grant needed permissions.

Additional change to allow systemd_logind dbus for cron.

I have included many of the denials I'm seeing, but there are probably
others I didn't capture.

type=AVC msg=audit(1551411001.389:1281): avc:  denied  { read write } for  pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc:  denied  { lock } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { write } for  pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc:  denied  { getattr } for  pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { read write } for  pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { open } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc:  denied  { lock } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-07 19:02:57 -05:00
Chris PeBenito
e6dcad5002 systemd: Module version bump. 2019-02-24 08:19:27 -08:00
Nicolas Iooss
2fb15c8268
Update systemd-update-done policy 
systemd-update-done sends logs to journald like other services, as shown
by the following AVC:

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { sendto } for
    pid=277 comm="systemd-update-" path="/run/systemd/journal/socket"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
    permissive=1

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { write } for
    pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { connect } for
    pid=277 comm="systemd-update-"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:systemd_update_done_t
    tclass=unix_dgram_socket permissive=1

Moreover it creates /etc/.updated and /var/.updated using temporary
files:

    type=AVC msg=audit(1550865504.463:83): avc:  denied  { setfscreate }
    for  pid=277 comm="systemd-update-"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:systemd_update_done_t tclass=process
    permissive=1

    type=AVC msg=audit(1550865504.463:84): avc:  denied  { read write
    open } for  pid=277 comm="systemd-update-"
    path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    type=AVC msg=audit(1550865504.463:84): avc:  denied  { create } for
    pid=277 comm="systemd-update-" name=".#.updatedTz6oE9"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    [...]

    type=AVC msg=audit(1550865504.463:87): avc:  denied  { unlink } for
    pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    type=AVC msg=audit(1550865504.463:87): avc:  denied  { rename } for
    pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1"
    ino=806171 scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1
 2019-02-24 11:08:20 +01:00
Chris PeBenito
2623984b83 logging, selinuxutil: Module version bump. 2019-02-23 19:30:58 -08:00
Chris PeBenito
0805aaca8d Merge branch 'restorecond-no-read-all' of git://github.com/fishilico/selinux-refpolicy 2019-02-23 18:43:02 -08:00
Nicolas Iooss
0ab9035efa
Remove a broad read-files rule for restorecond 
When the policy for restorecond was introduced, it contained a rule
which allowed restorecond to read every file except shadow_t (cf.
724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)
):

    auth_read_all_files_except_shadow(restorecond_t)

Since 2006, the policy changed quite a bit, but this access remained.
However restorecond does not need to read every available file.

This is related to this comment:
https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379
 2019-02-23 21:20:21 +01:00
Nicolas Iooss
7bb9172b67
Allow restorecond to read customizable_types 
When trying to remove files_read_non_auth_files(restorecond_t), the
following AVC denial occurs:

    type=AVC msg=audit(1550921968.443:654): avc:  denied  { open } for
    pid=281 comm="restorecond"
    path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1"
    ino=928006 scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:default_context_t tclass=file
    permissive=1

    type=AVC msg=audit(1550921968.443:654): avc:  denied  { read } for
    pid=281 comm="restorecond" name="customizable_types" dev="vda1"
    ino=928006 scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:default_context_t tclass=file
    permissive=1

As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by
restorecond, allow this access.
 2019-02-23 21:14:10 +01:00
Nicolas Iooss
5250bd4863
Allow systemd-journald to use kill(pid, 0) on its clients 
Since systemd 241, systemd-journald is using kill(pid, 0) in order to
find dead processes and reduce its cache. The relevant commit is
91714a7f42
("journald: periodically drop cache for all dead PIDs"). This commit
added a call to pid_is_unwaited(c->pid), which is a function implemented in
https://github.com/systemd/systemd/blob/v241/src/basic/process-util.c#L936 :

    bool pid_is_unwaited(pid_t pid) {
        /* Checks whether a PID is still valid at all, including a zombie */
        if (pid < 0)
                return false;
        if (pid <= 1) /* If we or PID 1 would be dead and have been waited for, this code would not be running */
                return true;
        if (pid == getpid_cached())
                return true;
        if (kill(pid, 0) >= 0)
                return true;
        return errno != ESRCH;
    }

This new code triggers the following AVC denials:

    type=AVC msg=audit(1550911933.606:332): avc:  denied  { signull }
    for  pid=224 comm="systemd-journal"
    scontext=system_u:system_r:syslogd_t
    tcontext=system_u:system_r:auditd_t tclass=process permissive=1

    type=AVC msg=audit(1550911933.606:333): avc:  denied  { signull }
    for  pid=224 comm="systemd-journal"
    scontext=system_u:system_r:syslogd_t
    tcontext=system_u:system_r:dhcpc_t tclass=process permissive=1

    type=AVC msg=audit(1550911933.606:334): avc:  denied  { signull }
    for  pid=224 comm="systemd-journal"
    scontext=system_u:system_r:syslogd_t
    tcontext=system_u:system_r:sshd_t tclass=process permissive=1
 2019-02-23 20:55:17 +01:00
Chris PeBenito
5986fdc4df logging, miscfiles, authlogin: Module version bump. 2019-02-20 19:38:55 -08:00
Sugar, David
81c10b077a New interface to dontaudit access to cert_t 
I'm seeing a bunch of denials for various processes (some refpolicy
domains, some my own application domains) attempting to access
/etc/pki.  They seem to be working OK even with the denial.  The
tunable authlogin_nsswitch_use_ldap controls access to cert_t
(for domains that are part of nsswitch_domain attribute).  Use this
new interface when that tunable is off to quiet the denials.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-20 19:28:45 -08:00
Sugar, David
d8492558b3 Add interface to get status of rsyslog service 
Updated based on feedback.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-20 19:28:45 -08:00
Chris PeBenito
98a7f0446d init, systemd, cdrecord: Module version bump. 2019-02-19 19:31:04 -08:00
Chris PeBenito
b3e8e5a4ba systemd: Remove unnecessary brackets. 2019-02-19 19:20:57 -08:00
Sugar, David
b3cbf00cba Allow systemd-hostnamed to set the hostname 
When calling hostnamectl to set the hostname it needs sys_admin
capability to actually set the hostname.

Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted
type=AVC msg=audit(1550058524.656:1988): avc:  denied  { sys_admin } for  pid=7873 comm="systemd-hostnam" capability=21  scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-19 19:06:40 -08:00
Sugar, David
61d12f722d Allow init_t to read net_conf_t 
init (systemd) needs to read /etc/hostname during boot
to retreive the hostname to apply to the system.

Feb 06 18:37:06 localhost.localdomain kernel: type=1400 audit(1549478223.842:3): avc:  denied  { read } for  pid=1 comm="systemd" name="hostname" dev="dm-1" ino=1262975 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-19 19:06:40 -08:00
Chris PeBenito
e727079acc systemd: Module version bump. 2019-02-09 09:06:37 -05:00
Sugar, David
24da4bf370 Separate domain for systemd-modules-load 
systemd-modules-load is used to pre-load kernal modules as the system comes up.
It was running initc_t which didn't have permissions to actually load kernel
modules.  This change sets up a new domain for this service and grants permission
necessary to load kernel modules.

Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:10): avc:  denied  { read } for  pid=4257 comm="systemd-modules" name="fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:11): avc:  denied  { open } for  pid=4257 comm="systemd-modules" path="/usr/lib/modules/3.10.0-957.1.3.el7.x86_64/kernel/fs/fuse/fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-09 09:01:05 -05:00
Sugar, David
21351f6bd9 Allow systemd-networkd to get IP address from dhcp server 
I'm seeing the following denials when attempting to get a DHCP address.

type=AVC msg=audit(1549471325.440:199): avc:  denied  { name_bind } for pid=6964 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc:  denied  { node_bind } for pid=6964 comm="systemd-network" saddr=10.1.12.61 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc:  denied  { net_bind_service } for  pid=6964 comm="systemd-network" capability=10 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1549471325.440:199): arch=c000003e syscall=49 success=yes exit=0 a0=b a1=7fff09388780 a2=10 a3=7fff09388778 items=0 ppid=1 pid=6964 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-09 09:01:05 -05:00
Chris PeBenito
445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito
83ebbd23d3 corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump. 2019-02-01 14:21:55 -05:00
Russell Coker
044da0b8b9 more misc stuff 
Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.
 2019-02-01 14:16:57 -05:00
Chris PeBenito
b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Russell Coker
3d65c79750 yet another little patch 
This should all be obvious.
 2019-01-29 18:45:30 -05:00
Chris PeBenito
30a46e5676 various: Module version bump. 2019-01-23 19:02:01 -05:00
Jason Zaman
fa23645ca1 userdomain: introduce userdom_user_home_dir_filetrans_user_cert 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2019-01-23 18:40:57 -05:00
Chris PeBenito
7a1e0d0ca9 init: Drop unnecessary userspace class dependence in init_read_generic_units_symlinks(). 2019-01-23 18:35:00 -05:00
Chris PeBenito
09a81f7220 init: Rename init_read_generic_units_links() to init_read_generic_units_symlinks(). 2019-01-23 18:34:10 -05:00
Russell Coker
eba35802cc yet more tiny stuff 
I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.

Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
 2019-01-23 18:32:41 -05:00
Chris PeBenito
ed79766651 dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). 2019-01-23 18:28:51 -05:00
Russell Coker
05cd55fb51 tiny stuff for today 
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
 2019-01-23 18:26:45 -05:00
Chris PeBenito
a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Chris PeBenito
ecb4968238 systemd: Move interface implementation. 2019-01-20 16:36:36 -05:00
Sugar, David
6e86de0736 Add interface to read journal files 
When using 'systemctl status <service>' it will show recent
log entries for the selected service.  These recent log
entries are coming from the journal.  These rules allow the
reading of the journal files.

type=AVC msg=audit(1547760159.435:864): avc:  denied  { read } for  pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc:  denied  { getattr } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { read } for  pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc:  denied  { map } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-20 16:34:14 -05:00
Russell Coker
54136fa311 more tiny stuff 
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.

A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).

The rest should be obvious.
 2019-01-20 16:20:33 -05:00
Chris PeBenito
b5cda0e2c5 selinuxutil: Module version bump. 2019-01-16 18:20:51 -05:00
Chris PeBenito
038a5af1ed Merge branch 'restorecond-dontaudit-symlinks' of git://github.com/fishilico/selinux-refpolicy 2019-01-16 18:20:05 -05:00
Chris PeBenito
238bd4f91f logging, sysnetwork, systemd: Module version bump. 2019-01-16 18:19:22 -05:00
Sugar, David
69961e18a8 Modify type for /etc/hostname 
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are requied.

type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { add_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { create } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc:  denied  { setattr } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc:  denied  { remove_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { rename } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { unlink } for  pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:13:41 -05:00
Sugar, David
34e3505004 Interface with systemd_hostnamed over dbus to set hostname 
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-16 18:12:50 -05:00