It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:
* Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]
Granting only setcap (initial AVC seen) does not fully help either:
* Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
With setcap and getcap enabled, syslog-ng starts and functions fine.
See also https://bugs.gentoo.org/show_bug.cgi?id=488718
Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
With new userspace, trying to build a SELinux policy (and load it)
fails:
~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.
In debian mount was trying to list / on a tmpfs (/run/lock). Since
var_lock_t is a mountpoint type, and so is mnt_t, i decided to implement
a files_list_all_mountpoints() and call that for mount because it makes
sense
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t
directories
udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t
udev: remove compromise_kernel capability2 av perm as its currently not
supported in reference policy
udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6)
udev: udevd manages control udev_tbl_t type socket
udev: udevd manages udev_tbl_t directories
named files pid filetrans for /run/udev directory
udev: lets just label /run/udev type udev_var_run_t and get it over with
udev: make the files_pid_filetrans more specific because it appears that
udev also creates directories in /run that we dont want to have created
with type udev_var_run_t (/run/avahi-daemon in Debian)
udev: udev-acl.ck uses dbus system bus fds
udev: sends dbus message to consolekit manager:
OpenSessionWithParameters
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
On Gentoo, slim files are not in /var/run/slim, but directly in
/var/run. All names start with slim though, so changing the expression
to match those as well.
There is already a file transition in place (xdm_t writing files in
var_run_t -> xdm_var_run_t) so that needs no further changes.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Also known as 'vmchannel', a transport mechanism is needed for
communication between the host userspace and guest userspace for
achieving things like making clipboard copy/paste work seamlessly across
the host and guest, locking the guest screen in case the vnc session to
the guest is closed and so on. This can be used in offline cases as
well, for example with libguestfs to probe which file systems the guest
uses, the apps installed, etc.
Virtio-serial is just the transport protocol that will enable such
applications to be written. It has two parts: (a) device emulation in
qemu that presents a virtio-pci device to the guest and (b) a guest
driver that presents a char device interface to userspace applications.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The script basically does what the name suggests, and additionally it
need to be able to stop and start avahi-daemon via its init script
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Generic interface to platform dependent persistent storage
https://www.kernel.org/doc/Documentation/ABI/testing/pstore
This basically works pretty much the same as cgroup file systems from a
SELinux perspective
Make sure that the installed /sys/fs/pstore directory is labeled
properly so that the pstore file system can be mounted on that
I also removed the files_type() calls as they are duplicate (it is
already called in files_mountpoint)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
This keytab functionality should be re-evaluated because it does not
make sense in its current implementation
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The grub2-install application runs a few grub2-* commands. Two of those,
grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.
Mark those two applications as bootloader_exec_t (as is the case with the "grub"
legacy command in the past) allows the commands to continue.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Back when the SECMARK implementation was new, the packet class was always
checked. Because of that, unlabeled_t packet rules proliferated refpolicy
since the common case was to have no SECMARK rules. Since then, the kernel
has been modified to only enforce the packet class if there are SECMARK
rules. Remove the unlabeled_t packet rules, since users of SECMARK will
likely want no unlabeled_t packet rules, and the common case users will
have no impact since the packet class isn't enforced on their systems.
To have partial SECMARK confinement, the following rule applies:
allow { domain -type_i_want_to_constrain_t } unlabeled_t:packet { send recv };
It seems like over-allowing, but if you have no SECMARK rules, it's the equivalent of:
allow * unlabeled_t:packet { send recv };
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
The chsh application (which runs in the chfn_t domain) requires read access on
the file context definitions. If not, the following error occurs:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd
The following AVC denials are shown:
Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0"
ino=23724520 scontext=staff_u:sysadm_r:chfn_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
In permissive mode, this goes up to:
Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
avc: denied { open } for pid=18195 comm="chsh"
path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
tclass=file
Hence, adding in seutil_read_file_contexts().
A second error is that chsh, if available, wants to execute nscd:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
Similar to most other user admin utilities, we grant it the rights to run nscd.
Changes since v1
- Removed seutil_dontaudit_search_config() call
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Allow sys_nice capability, setsched, allow to search in /var/spool and
syslog_t domain to read network state files in /proc
squash! Add support for rsyslog
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Make sure various virt user home content gets created with a type
transition and proper file contexts for common users
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The stunnel init script reads the stunnel configuration to find out where to
store and check for the PID file
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created and grant the
necessary rights to create the directory.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server
In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc: denied { connectto } for pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket
Hence, allow postgresql to connect to its own stream socket.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Just adding zfs to the list of defined filesystems in filesystem.te
Signed-off-by: Matthew Thode <mthode@mthode.org>
