Chris PeBenito
56b7919589
sigrok: Remove extra comments.
2019-01-03 20:52:26 -05:00
Guido Trentalancia
9e6febb049
Add sigrok contrib module
...
Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2019-01-03 20:51:18 -05:00
Chris PeBenito
65b7fa3f43
lvm, syncthing: Module version bump.
2019-01-03 17:52:03 -05:00
Chris PeBenito
82e652df04
Merge branch 'lvm' of https://github.com/alexminder/refpolicy
2019-01-03 17:45:16 -05:00
Chris PeBenito
9e3bb1bfde
syncthing: Whitespace change
2019-01-03 17:44:48 -05:00
Chris PeBenito
38cd14761a
Merge branch 'syncthing' of https://github.com/alexminder/refpolicy
2019-01-03 17:44:22 -05:00
Alexander Miroshnichenko
972654cf09
Remove syncthing tunable_policy.
...
kernel_read_network_state already give syncthing to get route information. Backup plan with ifconfig does not required.
2019-01-03 13:26:08 +03:00
Alexander Miroshnichenko
29bbe7b958
Add comment for map on lvm_metadata_t.
2019-01-03 10:15:07 +03:00
Alexander Miroshnichenko
eca583b86c
Add map permission to lvm_t on lvm_metadata_t.
...
On musl libc system lvm requires map permission.
2018-12-30 18:57:56 +03:00
Alexander Miroshnichenko
8b2add4140
Allow syncthing_t to execute ifconfig/iproute2.
...
Add new boolean which can allow syncthing_t to execute ifconfig/iproute2 to determinate gateway for NAT-PMP.
2018-12-30 17:43:16 +03:00
Alexander Miroshnichenko
2b3473c40c
Allow syncthing_t to read network state.
...
Allow to read network state (/proc/*/route) and proc_t (/proc/cpuinfo, /proc/meminfo).
2018-12-30 17:42:26 +03:00
Alexander Miroshnichenko
eb588f836e
Add corecmd_exec_bin permissions to syncthing_t.
...
corecmd_exec_bin required to run application.
2018-12-30 17:41:31 +03:00
Alexander Miroshnichenko
d2569bb877
Add signal_perms setpgid setsched permissions to syncthing_t.
...
setpgid required because of "WARNING: Failed to lower process priority: set process group: permission denied"
setsched required because of "WARNING: Failed to lower process priority: set niceness: permission denied"
signal_perms required to launch app.
2018-12-30 17:39:38 +03:00
Chris PeBenito
e5ac999aab
dbus, xserver, init, logging, modutils: Module version bump.
2018-12-11 17:59:31 -05:00
David Sugar
6167b9b6e5
Allow auditctl_t to read bin_t symlinks.
...
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod. But policy didn't allow auditctl_t to follow
that link.
type=AVC msg=audit(1543853530.925:141): avc: denied { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc: denied { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc: denied { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc: denied { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
e73e9e7734
Add missing require for 'daemon' attribute.
...
Not sure how I didn't notice this missing require before.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
55c3fab804
Allow dbus to access /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
241b917d37
Allow kmod to read /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
David Sugar
3425d22c24
Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito
249e87ab73
cron, minissdpd, ntp, systemd: Module version bump.
2018-11-17 19:02:54 -05:00
Chris PeBenito
45a8ddd39f
Merge branch 'minissdpd' of https://github.com/bigon/refpolicy
2018-11-17 18:58:09 -05:00
David Sugar
b73758bb97
Interface to read cron_system_spool_t
...
Useful for the case that manage isn't requied.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
David Sugar
56e8f679b2
interface to enable/disable systemd_networkd service
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
David Sugar
5deea1b940
Add interfaces to control ntpd_unit_t systemd services
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
Chris PeBenito
cd4be3dcd0
dnsmasq: Module version bump.
2018-11-17 18:50:18 -05:00
Petr Vorel
da49b37d87
dnsmasq: Require log files to have .log suffix
...
+ allow log rotate as well.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
2018-11-17 18:49:59 -05:00
Laurent Bigonville
a71cc466fc
Allow minissdpd_t to create a unix_stream_socket
...
----
type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc: denied { listen } for pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc: denied { accept } for pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
2018-11-12 16:24:54 +01:00
Chris PeBenito
b4d7c65fc4
Various modules: Version bump.
2018-11-11 15:58:59 -05:00
Chris PeBenito
205b5e705a
Merge branch 'iscsi' of https://github.com/bigon/refpolicy
2018-11-11 15:53:19 -05:00
Chris PeBenito
0e868859c4
Merge branch 'resolved' of https://github.com/bigon/refpolicy
2018-11-11 15:52:51 -05:00
Chris PeBenito
390c4f80fb
Merge branch 'master' of https://github.com/bigon/refpolicy
2018-11-11 15:52:14 -05:00
Laurent Bigonville
7316be9c2a
Allow iscsid_t to create a netlink_iscsi_socket
...
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc: denied { bind } for pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc: denied { create } for pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
2018-11-11 20:04:21 +01:00
Laurent Bigonville
d5d6fe0046
Allow systemd_resolved_t to bind to port 53 and use net_raw
...
resolved also binds against port 53 on lo interface
2018-11-11 14:27:01 +01:00
Laurent Bigonville
404dcf2af4
Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names
...
Also allow unconfined_t to talk with the resolved daemon
2018-11-11 13:36:05 +01:00
Laurent Bigonville
06588b55b4
Add systemd_dbus_chat_resolved() interface
2018-11-11 13:33:00 +01:00
Laurent Bigonville
df58008c2b
Allow ntpd_t to read init state
...
With systemd-timesyncd, the following AVC denials are generated:
type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc: denied { open } for pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc: denied { read } for pid=397 comm=systemd-timesyn name=sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/11/18 15:44:39.564:49) : avc: denied { getattr } for pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
2018-11-10 19:01:33 +01:00
Laurent Bigonville
6060f35f03
Allow semanage_t to connect to system D-Bus bus
...
This is needed as systemd NSS modules is talking to systemd/PID1 over
D-Bus
2018-11-10 19:01:33 +01:00
Laurent Bigonville
2f054c67a2
irqbalance now creates an abstract socket
2018-11-10 19:01:28 +01:00
Chris PeBenito
4ff893bca0
dnsmasq: Reorder lines in file contexts.
2018-11-09 19:35:14 -05:00
Chris PeBenito
f583b6b061
dnsmasq: Whitespace fix in file contexts.
2018-11-09 19:34:49 -05:00
Chris PeBenito
1431ba9d41
amavis, apache, clamav, exim, mta, udev: Module version bump.
2018-11-09 19:32:08 -05:00
David Sugar
75dd54edc7
Allow clamd to use sent file descriptor
...
This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning. This still requires
the file type to be readable by clamd.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:09:49 -05:00
David Sugar
2fa76a4b9e
Add interfaces to control clamav_unit_t systemd services
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
David Sugar
81953475a5
Interface to add domain allowed to be read by ClamAV for scanning.
...
Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
David Sugar
03f248c9e1
Allow clamd_t to read /proc/sys/crypt/fips_enabled
...
To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc: denied { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc: denied { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc: denied { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc: denied { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
David Sugar
f0047d0247
Add interface udev_run_domain
...
This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action. This interface allows a domain transition to occur for the run action.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:04:22 -05:00
Chris PeBenito
35463351a0
clamav, ssh, init: Module version bump.
2018-10-27 15:10:10 -04:00
David Sugar
8e18a55457
Update CUSTOM_BUILDOPT
...
Have Makefile include CUSTOM_BUILDOPT in generated build.conf
Update Makefile.devel to pass CUSTOM_BUILDOPT while building module
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-10-27 14:56:34 -04:00
Luis Ressel
9dd80c6a67
system/init: Give init_spec_daemon_domain()s the "daemon" attribute
...
init_daemon_domain() applies this attribute too.
2018-10-27 14:56:34 -04:00
Luis Ressel
a42ff404bd
services/ssh: Don't audit accesses from ssh_t to /dev/random
...
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.
The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
2018-10-27 14:56:34 -04:00