Commit Graph

6676 Commits

Author SHA1 Message Date
Corentin LABBE
6732acf8b7 mandb: permit to read inherited cron files
Each night /etc/cron.daily/man-db generates an AVC:
allow mandb_t system_cronjob_tmp_t:file { read write };

Add the necessary rules for it.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-17 07:28:19 +01:00
Chris PeBenito
95d5195d8c
Merge pull request #578 from montjoie/mcelog-bin
mcelog: add missing file context for triggers
2023-01-03 13:38:41 -05:00
Chris PeBenito
ce225e1d96
Merge pull request #574 from montjoie/mount-dbus-optional
mount: dbus interface must be optional
2023-01-03 13:37:53 -05:00
Corentin LABBE
95db1dda8d mcelog: add missing file context for triggers
I got the following AVC:
allow mcelog_t mcelog_etc_t:file execute;

This is due to some triggers not being set as bin_t:
-rwxr-xr-x. 1 root root system_u:object_r:bin_t         801 nov.   1 19:11 bus-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t        1035 nov.   1 19:11 cache-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t        1213 nov.   1 19:11 dimm-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t         742 nov.   1 19:11 iomca-error-trigger
-rw-r-----. 1 root root system_u:object_r:mcelog_etc_t 7415 nov.   1 19:11 mcelog.conf
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1209 nov.   1 19:11 page-error-counter-replacement-trigger
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1656 nov.   1 19:11 page-error-post-sync-soft-trigger
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1640 nov.   1 19:11 page-error-pre-sync-soft-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t        1308 nov.   1 19:11 page-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t        1057 nov.   1 19:11 socket-memory-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t         947 nov.   1 19:11 unknown-error-trigger

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-01-03 09:22:11 +01:00
Corentin LABBE
207b09a656 mount: dbus interface must be optional
On Gentoo, when emerging selinux-base-policy, the post install (loading policy) fails due to a missing type.
This is due to mount.te using a dbus interface while the dbus module is not present.
Fix this by setting the dbus interface as optional.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2022-12-28 09:04:59 +01:00
Chris PeBenito
4d0febdeda
Merge pull request #572 from miroshko/master
Fix templates parsing in gentemplates.sh
2022-12-15 11:45:48 -05:00
Oleksii Miroshko
43f3608f0e Fix templates parsing in gentemplates.sh
Template definitions might have whitespace after
the comma, e.g. su_restricted_domain_template
in /policy/modules/admin/su.if

template(`su_restricted_domain_template', `
  ...
')

gentemplates.sh silently fails to parse it. This works
unless 'set -e' is set, in which case the script fails
non-silently.

This commit adds support for whitespace after the comma, which
is valid syntax.

Signed-off-by: Oleksii Miroshko <oleksii.miroshko@bmw.de>
2022-12-15 14:47:46 +01:00
Chris PeBenito
ec4af4446f
Merge pull request #571 from pebenito/master
fstools: Move lines.
2022-12-13 10:39:13 -05:00
Chris PeBenito
eca2a04638 fstools: Move lines.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-12-13 10:06:06 -05:00
Chris PeBenito
3c93ad9d70
Merge pull request #562 from montjoie/smartmon-drivedbh
fstools: handle gentoo place for drivedb.h
2022-12-13 10:01:17 -05:00
Corentin LABBE
3d4e2deda5 fstools: handle gentoo place for drivedb.h
On a gentoo-hardened+selinux system, I got a denial from fsadm_t reading var_t.
This is due to smartctl trying to read /var/db/smartmontools/drivedb.h

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2022-12-12 21:04:37 +01:00
Chris PeBenito
50f2c7ad05
Merge pull request #566 from 0xC0ncord/various-20221207
Some more various fixes
2022-12-12 10:47:43 -05:00
Kenton Groombridge
a364dd4e2a various: fixes for libvirtd and systemd-machined
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:36:11 -05:00
Kenton Groombridge
2354b4f1be postfix, sasl: allow postfix smtp daemon to read SASL keytab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:36:11 -05:00
Kenton Groombridge
d38a21388f various: use mmap_manage_file_perms
Replace instances of manage_file_perms and map with
mmap_manage_file_perms

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:36:11 -05:00
Kenton Groombridge
db8bf1ae3b obj_perm_sets: add mmap_manage_file_perms
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
52e90d4b49 sasl: add filecon for /etc/sasl2 keytab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
9290f196e7 postfix: allow postfix master to map data files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
22ece2b57e container: allow container admins the sysadm capability in user namespaces

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
810cc48197 userdom: allow admin users to use tcpdiag netlink sockets
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
7662001300 podman: allow podman to stop systemd transient units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
e59404bd44 init, sysadm: allow sysadm to manage systemd runtime units
On systemd 252, mount units generated from /etc/fstab result in services
labeled init_runtime_t. Allow sysadm to manage these services.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
d96b591a70 logging: allow domains sending syslog messages to connect to kernel unix stream sockets

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
d34dd9571e filesystem, init: allow systemd to setattr on ramfs dirs
This is needed by systemd-creds on system boot. Without this access,
many services fail to start. Observed on systemd-252 on Gentoo.

type=PROCTITLE msg=audit(1670295099.238:180306): proctitle="(sd-mkdcreds)"
type=PATH msg=audit(1670295099.238:180306): item=0 name=(null) inode=16711 dev=00:2c mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1670295099.238:180306): cwd="/"
type=SYSCALL msg=audit(1670295099.238:180306): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=140 a2=77fb64c2bd90 a3=e9dbd3ce8cce3dba items=1 ppid=23082 pid=23083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-mkdcreds)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1670295099.238:180306): avc:  denied  { setattr } for  pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
a6db7cb87f container: add rules required for metallb BGP speakers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
b85d3f673d netutils: minor fixes for nmap and traceroute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Kenton Groombridge
26f9727760 hddtemp: add missing rules for interactive usage
Add missing rules required for hddtemp admins to interactively run
hddtemp.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:32:10 -05:00
Chris PeBenito
065c6a0f3c tests.yml: Pin ubuntu 20.04.
Fix this issue:

Version 3.5 was not found in the local cache
Error: The version '3.5' with architecture 'x64' was not found for Ubuntu 22.04.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-12-12 10:32:09 -05:00
Russell Coker
d55395c1a3 This patch removes deprecated interfaces that were deprecated in the 20210203
release.  I think that 2 years of support for a deprecated interface is
enough and by the time we have the next release out it will probably be more
than 2 years since 20210203.

I think this is ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-12-12 10:32:09 -05:00
Chris PeBenito
84a78f686e
Merge pull request #569 from 0xC0ncord/systemd-pcrphase
systemd: add policy for systemd-pcrphase
2022-12-12 10:17:44 -05:00
Kenton Groombridge
d4ee0d3c29 systemd: add policy for systemd-pcrphase
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-12 10:05:00 -05:00
Chris PeBenito
31bee5dc41
Merge pull request #570 from pebenito/fix-ci
tests.yml: Pin ubuntu 20.04.
2022-12-12 09:39:53 -05:00
Chris PeBenito
ee3610e3df tests.yml: Pin ubuntu 20.04.
Fix this issue:

Version 3.5 was not found in the local cache
Error: The version '3.5' with architecture 'x64' was not found for Ubuntu 22.04.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-12-12 09:29:25 -05:00
Chris PeBenito
410e4b14af
Merge pull request #568 from etbe/master
remove things deprecated since before 20210203
2022-12-08 08:19:52 -05:00
Russell Coker
3ca0cd59d7 This patch removes deprecated interfaces that were deprecated in the 20210203
release.  I think that 2 years of support for a deprecated interface is
enough and by the time we have the next release out it will probably be more
than 2 years since 20210203.

I think this is ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>
2022-12-08 18:35:27 +11:00
Chris PeBenito
ced72298dd
Merge pull request #563 from montjoie/gentoo-udev
udev: permit to read hwdb
2022-12-05 11:23:03 -05:00
Corentin LABBE
090f4ca18e udev: permit to read hwdb
On Gentoo with OpenRC, udev is denied reading hwdb.
In the current policy, reading hwdb is only allowed on systems with systemd.

In fact it is a common action (beyond OpenRC/systemd), so the rules for reading it must be global.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2022-12-01 20:36:09 +01:00
Chris PeBenito
48e4788886
Merge pull request #560 from dsugar100/master
rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
2022-11-23 09:28:04 -05:00
Dave Sugar
ef6857944d rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
node=localhost type=AVC msg=audit(1669206851.792:438): avc:  denied  { getattr } for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { read } for  pid=1008 comm="rngd" name="opensslcnf.config" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { open } for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

rngd now drops privileges rather than having user/group set in the .service file:
node=localhost type=AVC msg=audit(1669206851.856:440): avc:  denied  { setgid } for  pid=1008 comm="rngd" capability=6 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.881:441): avc:  denied  { setuid } for  pid=1008 comm="rngd" capability=7 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.910:442): avc:  denied  { setcap } for  pid=1008 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2022-11-23 09:03:31 -05:00
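The AVC records quoted in the systemd-creds and rngd commit messages above, and the `allow mcelog_t mcelog_etc_t:file execute;` rule in the mcelog message, are the raw material every one of these policy fixes starts from. The script below is an added example, not part of refpolicy and not a substitute for audit2allow (whose output it only approximates): it parses `type=AVC` records, merges the denied permissions per (source type, target type, class) into allow rules, and flags the two situations the commits above illustrate where an allow rule is the wrong fix, namely execute on a type that is not an executable type (mcelog: the triggers needed the bin_t file context) and access to a generic type such as usr_t or var_t (rngd, smartctl: a private type or file context is the better answer). The sample input reuses the AVC lines quoted in the commit messages plus one constructed mcelog record; the generic-type list, the review heuristics and the function names are assumptions of this example, not refpolicy conventions.

```python
import re
from collections import defaultdict

# Sample input: AVC lines copied from the rngd and systemd-creds commit messages
# above, one non-AVC record (type=CWD) to show that other record types are skipped,
# and one CONSTRUCTED mcelog record derived from the rule quoted in the mcelog commit.
SAMPLE_AUDIT = """\
type=CWD msg=audit(1670295099.238:180306): cwd="/"
type=AVC msg=audit(1670295099.238:180306): avc:  denied  { setattr } for  pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1669206851.792:438): avc:  denied  { getattr } for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { read } for  pid=1008 comm="rngd" name="opensslcnf.config" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { open } for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.856:440): avc:  denied  { setgid } for  pid=1008 comm="rngd" capability=6 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.881:441): avc:  denied  { setuid } for  pid=1008 comm="rngd" capability=7 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.910:442): avc:  denied  { setcap } for  pid=1008 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1672734131.000:1): avc:  denied  { execute } for  pid=4242 comm="mcelog" name="page-error-trigger" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file permissive=0
"""

# Matches the verdict, the permission set, both contexts and the object class of
# an AVC record; the optional node= prefix and the syscall details are ignored.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Assumed list of broad refpolicy types; a denial against one of these usually
# means the object needs its own type, not that the domain needs wider access.
GENERIC_TYPES = {"usr_t", "var_t", "etc_t", "tmp_t", "device_t", "var_lib_t"}


def type_of(context):
    """Third field of user:role:type[:range] is always the type, even with an MLS range."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield one dict per AVC record in the audit text; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "verdict": m["verdict"],
            "perms": set(m["perms"].split()),
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "permissive": "permissive=1" in line,
        }


def merged_denials(text):
    """Group denied permissions by (source type, target type, class), using 'self'
    when source and target types are equal, as policy rules are written."""
    merged = defaultdict(set)
    for rec in parse_avc(text):
        if rec["verdict"] != "denied":
            continue
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
        merged[(rec["stype"], target, rec["tclass"])] |= rec["perms"]
    return dict(merged)


def allow_rules(text):
    """Render the merged denials as policy allow rules, sorted for stable output."""
    rules = []
    for (stype, target, tclass), perms in sorted(merged_denials(text).items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ %s }" % body
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, body))
    return rules


def review_notes(text):
    """Flag merged denials where a plain allow rule is probably the wrong fix."""
    notes = []
    for (stype, target, tclass), perms in sorted(merged_denials(text).items()):
        if tclass == "file" and "execute" in perms and target != "bin_t" and not target.endswith("exec_t"):
            notes.append("%s executes %s: likely a mislabelled executable, fix the file context instead" % (stype, target))
        if target in GENERIC_TYPES:
            notes.append("%s accesses generic type %s: consider a private type or file context" % (stype, target))
    return notes


def permissive_domains(text):
    """Source types whose denials were logged with permissive=1: for those the audit log
    holds the whole chain of accesses; with permissive=0 only the first denial is seen
    and the next one appears only after the policy is fixed and the action is retried."""
    return {rec["stype"] for rec in parse_avc(text) if rec["permissive"]}


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for note in review_notes(SAMPLE_AUDIT):
        print("# review:", note)
    print("# permissive domains:", sorted(permissive_domains(SAMPLE_AUDIT)))
```

On the sample input the script produces the four rules one would expect from the rngd and systemd-creds messages (`allow rngd_t self:capability { setgid setuid };`, `allow rngd_t usr_t:file { getattr open read };`, and so on) plus the mcelog execute rule, and it flags the mcelog and usr_t entries for review rather than letting them through as allow rules; note that rngd_t is the only domain whose denials were captured in permissive mode, which is why all three of its file permissions show up in one run.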
Chris PeBenito
4d219e137d
Merge pull request #511 from 0xC0ncord/k8s
Initial policy for kubernetes and CRI-O
2022-11-08 16:17:59 -05:00
Kenton Groombridge
fb835d04d3 container: correct admin_pattern() usage
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
c7a0cc0cd2 container: add tunable to allow spc to use tun-tap devices
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
d9314aeb24 container, miscfiles: transition to s0 for public content created by containers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
d4c5bd96c8 various: allow using glusterfs as backing storage for k8s
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
3b3d3715c9 container, kubernetes: add rules for device plugins running as spc
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
6c2124d5ae container: add tunable to use dri devices
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
3ae0575114 container, kubernetes: add private type for generic container devices
/dev/termination-log is one such generic file created in containers'
/dev filesystems. Add a private type for objects created in /dev for
containers instead of using the generic device type.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
9216a7a7f1 container: add tunable to allow containers to use huge pages
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
dc66fd7238 container, kernel: add tunable to allow spc to create NFS servers
OpenEBS' dynamic NFS provisioner uses a privileged container to
dynamically provision persistent volumes and create an NFS server for it
so that it can be served across different nodes. Add a tunable to allow
this access.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:16 -05:00
Kenton Groombridge
cd929e846b various: fixes for kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:15 -05:00