Commit Graph

4103 Commits

Author SHA1 Message Date
Chris PeBenito 672ea96b45 Module version bump for mlstrustedsocket from qqo. 2016-05-31 09:15:40 -04:00
Chris PeBenito e07f51a923 Merge branch 'qqo-master' 2016-05-31 09:15:01 -04:00
Chris PeBenito 203d4a70db Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master 2016-05-31 09:04:38 -04:00
Chris PeBenito ffc9a79525 Module version bump for systemd-resolved patch from Laurent BIgonville. 2016-05-26 08:53:00 -04:00
Laurent Bigonville 4f9bfeb7b0 Add policy for systemd-resolved
Initial policy for systemd-resolved, tested with systemd 230 on debian
2016-05-26 08:52:23 -04:00
Chris PeBenito cce300b960 Module version bump for LMNR port from Laurent Bigonville. 2016-05-26 07:47:18 -04:00
Laurent Bigonville 8f6cd59aea Add llmnr/5355 (Link-local Multicast Name Resolution) 2016-05-26 07:46:03 -04:00
Chris PeBenito 7857d2724f Update contrib. 2016-05-16 09:20:39 -04:00
Chris PeBenito 7fd44b8fb8 Module version bump for nftables fc entry from Jason Zaman. 2016-05-16 09:20:30 -04:00
Jason Zaman d85ff7f0b9 iptables: add fcontext for nftables 2016-05-16 09:13:30 -04:00
Laurent Bigonville fd9bfbbfba Add the validate_trans access vector to the security class
This access vector has been added in version 4.5, commitid:
f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39
2016-05-02 08:41:07 -04:00
Chris PeBenito 78111e98d6 Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz Andrejczuk. 2016-05-02 08:32:42 -04:00
Dominick Grift 6232348be8 Update refpolicy to handle hwloc
The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2016-05-02 08:22:58 -04:00
Nicolas Iooss 4e8768d8a0 Fix typo in module compilation message 2016-04-27 08:31:49 -04:00
qqo aedd5c314d Adds attribute mlstrustedsocket, along with the interface.
Sample AVC:
 type=AVC msg=audit(1459979143.990:219): avc:  denied  { sendto } for  pid=1935
 comm="charon" path="/dev/log" scontext=system_u:system_r:initrc_t:s0-s3:c0.c31
 tcontext=system_u:system_r:syslogd_t:s3:c0.c31 tclass=unix_dgram_socket permissive=0

This was discussed in 2010: http://oss.tresys.com/pipermail/refpolicy/2010-November/003444.html
2016-04-12 19:28:13 +03:00
Chris PeBenito 0be4f9ba0f Add user namespace capability object classes.
Define cap and cap2 commons to manage the permissions.
2016-04-06 14:52:26 -04:00
Chris PeBenito 599e5cf7f5 Module version bump for patches from Dominick Grift and Lukas Vrabec. 2016-03-31 08:32:18 -04:00
Lukas Vrabec 78d42e648b SELinux support for cgroup2 filesystem.
With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.

Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903

AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc:  denied  { write } for  pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

In this case new filesystem "cgroup2" need to be labeled as cgroup_t.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
2016-03-31 08:22:56 -04:00
Dominick Grift 3c9fa86f15 systemd: Add support for --log-target
https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=

see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22

v2: Add comment about dontaudit rule

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2016-03-31 08:22:50 -04:00
Chris PeBenito f72f1a48d9 Module version bump for Debian fc entries from Laurent Bigonville. 2016-03-28 09:59:02 -04:00
Chris PeBenito f839472baa Merge branch 'selinux-1' of https://github.com/bigon/refpolicy 2016-03-28 09:58:09 -04:00
Laurent Bigonville af61f22e24 Add some labels for SELinux tools path in Debian 2016-03-25 22:35:17 +01:00
Chris PeBenito 1cfba86fc0 Update su for libselinux-2.5 changes.
su is linked against libselinux via pam_unix.so.  Use the selinuxutil
interface so future libselinux changes are pulled in.
2016-03-25 10:24:59 -04:00
Chris PeBenito 4cf91df460 Update Travis-CI build to newest SELinux userspace release. 2016-03-25 10:07:37 -04:00
Chris PeBenito 464c5df247 Reduce broad entrypoints for unconfined domains.
Entrypoints into unconfined domains, like with confined domains, should be
tightly controlled to make arbitrary code execution more difficult.
2016-03-22 15:43:30 -04:00
Chris PeBenito ef25ff32b6 Update contrib. 2016-03-22 15:35:03 -04:00
Chris PeBenito 5db5b62c42 Module version bump for several Arch fixes from Nicolas Iooss. 2016-03-22 15:34:53 -04:00
Chris PeBenito 84a8181a8d Merge branch 'kdevtmpfs-unlink' of https://github.com/fishilico/selinux-refpolicy-patched 2016-03-22 15:27:21 -04:00
Chris PeBenito df8488bf69 Merge branch 'dev_setattr_dlm_control-typo' of https://github.com/fishilico/selinux-refpolicy-patched 2016-03-22 15:26:42 -04:00
Chris PeBenito 78e5788155 Merge branch 'corecommands-archlinux' of https://github.com/fishilico/selinux-refpolicy-patched 2016-03-22 15:25:57 -04:00
Nicolas Iooss 4bf3dfaeb2 Allow kdevtmpfs to unlink fixed disk devices
When a device gets removed, for example with "cryptsetup close",
kdevtmpfs (a kernel thread) removes its entry from devtmpfs filesystem:

    avc:  denied  { unlink } for  pid=48 comm="kdevtmpfs"
    name="dm-4" dev="devtmpfs" ino=144111
    scontext=system_u:system_r:kernel_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

Allow this access on systems using systemd.
2016-03-19 11:12:28 +01:00
Nicolas Iooss 242fa9347a Fix typo in dev_setattr_dlm_control interface requirements 2016-03-19 10:54:40 +01:00
Nicolas Iooss e43b1e2ffc Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t
On Arch Linux, /usr/lib/gvfs directory contains both executable files
(gvfsd, gvfs-udisks2-volume-monitor...) and libraries (libgvfscommon.so
and libgvfsdaemon.so).  As all executable files are prefixed with
"gfvs", so use this to distinguish them with the libraries.

This fixes the following AVC denials, reported from geoclue service
using a library wrongly labelled bin_t:

    avc:  denied  { read } for  pid=14872 comm="geoclue"
    name="libgvfscommon.so" dev="dm-0" ino=3152594
    scontext=system_u:system_r:geoclue_t
    tcontext=system_u:object_r:bin_t tclass=file permissive=1

    avc:  denied  { open } for  pid=14872 comm="geoclue"
    path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594
    scontext=system_u:system_r:geoclue_t
    tcontext=system_u:object_r:bin_t tclass=file permissive=1

     avc:  denied  { execute } for  pid=14872 comm="geoclue"
     path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594
     scontext=system_u:system_r:geoclue_t
     tcontext=system_u:object_r:bin_t tclass=file permissive=1
2016-03-19 10:39:17 +01:00
Nicolas Iooss 4b1cd5b369 Label some user session DBus services as bin_t 2016-03-19 10:39:17 +01:00
Nicolas Iooss 2cedfc0ada Label gedit plugins properly on Arch Linux 2016-03-19 10:39:17 +01:00
Nicolas Iooss 55f64a8112 Label system-config-printer applet properly on Arch Linux
It is used by system-config-printer, as shown by these AVC denials:

    avc:  denied  { execute } for  pid=1061 comm="system-config-p"
    name="applet.py" dev="dm-0" ino=9568316
    scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t
    tclass=file permissive=1

    avc:  denied  { execute_no_trans } for  pid=1061
    comm="system-config-p"
    path="/usr/share/system-config-printer/applet.py" dev="dm-0"
    ino=9568316 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=system_u:object_r:usr_t tclass=file permissive=1
2016-03-19 10:39:17 +01:00
Nicolas Iooss 90599ef760 Label TexLive scripts bin_t
These scripts can be run by users.
2016-03-19 10:39:17 +01:00
Chris PeBenito 0e133c7d74 Module version bump for tboot utils from Luis Ressel and systemd fix from Jason Zaman.
Update contrib.
2016-03-08 08:52:25 -05:00
Jason Zaman 7a1ffd80e6 system/init: move systemd_ interfaces into optional_policy
When ifdef systemd is enabled, some interfaces from systemd are called
unconditionally. This makes migrating from non-systemd to systemd
complicated since init is part of base and systemd is not so loading
fails. Moving them into optional_policy fixes this.
2016-03-08 08:36:16 -05:00
Luis Ressel 3b586829cc Allow sysadm to run txt-stat. 2016-03-08 08:36:04 -05:00
Chris PeBenito 397c248c31 Module version bump for getty patch from Luis Ressel. 2016-03-07 10:15:37 -05:00
Luis Ressel 7216d000d9 Allow getty the sys_admin capability
It's required for agetty on kernels with a recent grsecurity patchset.
(The denial itself has been showing up for quite some time, but it
hasn't had any obvious ill effects until recently.)
2016-03-07 10:15:37 -05:00
Chris PeBenito a2de14b61f Merge pull request #29 from bigon/appconfig-lxc
Add lxc_contexts config file
2016-02-19 15:43:58 -05:00
Laurent Bigonville ca6fefc3c8 Add lxc_contexts config file
selinux_lxc_contexts_path() function in upstream libselinux points to
this config file. It is ATM used by libvirt.

The file from Fedora also contains sandbox_lxc_process and
sandbox_kvm_process parameters, but I cannot find where they are used,
keep them out of the file for the time being.
2016-02-19 16:50:42 +01:00
Chris PeBenito b5e8ec6346 Module version bump for iptables/firewalld patch from Laurent Bigonville. 2016-02-16 09:48:37 -05:00
Laurent Bigonville a54d52058d Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld
Since version 0.4.0, firewalld uses *tables-restore to speedup the
load of the rules
2016-02-13 10:06:58 +01:00
Chris PeBenito 6b9f92999b Update contrib. 2016-02-10 12:58:54 -05:00
Chris PeBenito 137cca377d Module version bump for iptables fc entries from Laurent Bigonville and Lukas Vrabec. 2016-02-10 10:36:09 -05:00
Chris PeBenito 35baa47094 Whitespace fix in iptables.fc. 2016-02-10 10:34:51 -05:00
Laurent Bigonville 8f19ffbde8 Label /var/run/ebtables.lock as iptables_var_run_t.
This lock file is used on debian since version 2.0.10.4-3.2. This is
also used on Fedora.
2016-02-08 22:51:30 +01:00