https://github.com/SELinuxProject/refpolicy/issues/735
This patch extends the fix for a serious Information
Disclosure vulnerability caused by the erroneous labeling
of TLS Private Keys and CSR.
See: commit 5c9038ec98
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/miscfiles.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
and CSR used for example by the HTTP and/or Mail
Transport daemons.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/certmonger.te | 3 +++
1 file changed, 3 insertions(+)
Apache HTTP server according to the default locations:
http://www.apache.com/how-to-setup-an-ssl-certificate-on-apache
Add the correct TLS Private Keys file label for Debian
systems.
This patch fixes a serious Information Disclosure
vulnerability caused by the erroneous labeling of
TLS Private Keys and CSR, as explained above.
See: https://github.com/SELinuxProject/refpolicy/issues/735
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/miscfiles.fc | 3 +++
1 file changed, 3 insertions(+)
files, not manage them.
Modify the init policy to match the comment and the
LDAP server's actual behavior.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
* patches to nspawn policy.
Allow it netlink operations and creating udp sockets
Allow remounting and reading sysfs
Allow stat cgroup filesystem
Make it create fifos and sock_files in the right context
Allow mounting the selinux fs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use the new mounton_dir_perms and mounton_file_perms macros
Signed-off-by: Russell Coker <russell@coker.com.au>
* Corrected macro name
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed description of files_mounton_kernel_symbol_table
Signed-off-by: Russell Coker <russell@coker.com.au>
* systemd: Move lines in nspawn.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
* Separate label for /run/systemd/notify
label systemd_runtime_notify_t
Allow daemon domains to write by default
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
* systemd: Add -s to /run/systemd/notify socket.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Small changes to courier, dovecot, exim, postfix, and sendmail policy.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Removed an obsolete patch
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use create_stream_socket_perms for unix connection to itself
Signed-off-by: Russell Coker <russell@coker.com.au>
* Removed unconfined_run_to
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove change for it to run from a user session
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Patches for mon, mostly mon local monitoring.
Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed the issues from the review
Signed-off-by: Russell Coker <russell@coker.com.au>
* Specify name to avoid conflicting file trans
Signed-off-by: Russell Coker <russell@coker.com.au>
* fixed dontaudi_ typo
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove fsdaemon_read_lib as it was already merged
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Some misc small patches for cron policy
Signed-off-by: Russell Coker <russell@coker.com.au>
* added systemd_dontaudit_connect_machined interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove the line about connecting to tor
Signed-off-by: Russell Coker <russell@coker.com.au>
* remove the dontaudit for connecting to machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* changed to distro_debian
Signed-off-by: Russell Coker <russell@coker.com.au>
* mta: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
* cron: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
* Some small systemd patches
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed error where systemd.if had a reference to user_devpts_t
Signed-off-by: Russell Coker <russell@coker.com.au>
* removed the init_var_run_t:service stuff as there's already interfaces and a type for it
Signed-off-by: Russell Coker <russell@coker.com.au>
* corecmd_shell_entry_type doesn't seem to be needed
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed to manage_sock_file_perms to allow unlink
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changes to storage.fc, smartmon, samba and lvm
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add the interfaces this patch needs
Signed-off-by: Russell Coker <russell@coker.com.au>
* use manage_sock_file_perms for sock_file
Signed-off-by: Russell Coker <russell@coker.com.au>
* Renamed files_watch_all_file_type_dir to files_watch_all_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use read_files_pattern
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed typo in interface name
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add interface libs_watch_shared_libs_dir
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added sysnet_watch_config_dir interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* rename sysnet_watch_config_dir to sysnet_watch_config_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Reverted a change as I can't remember why I did it.
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>