Commit Graph

3699 Commits

Author SHA1 Message Date
Chris PeBenito
872ece4bcf Whitespace fix in usermanage. 2013-12-06 08:16:10 -05:00
Dominick Grift
6042255ede usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-06 08:14:29 -05:00
Chris PeBenito
3208ff94c4 Module version bump for second lot of patches from Dominick Grift. 2013-12-03 13:03:35 -05:00
Dominick Grift
1b757c65cc udev: in debian udevadm is located in /bin/udevadm
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 11:34:15 -05:00
Chris PeBenito
3ee649f132 Add comment in policy for lvm sysfs write. 2013-12-03 10:54:22 -05:00
Dominick Grift
6905ddaa98 lvm: lvm writes read_ahead_kb
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:53:23 -05:00
Dominick Grift
198a6b2830 udev: udevd executable location changed
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:52:44 -05:00
Chris PeBenito
613100a7f4 Whitespace fix in fstools. 2013-12-03 10:39:51 -05:00
Dominick Grift
521bbf8586 These { read write } tty_device_t chr files on boot up in Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 10:39:21 -05:00
Chris PeBenito
ac22f3a48e setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian
Access noted by Dominick Grift.
2013-12-03 09:52:21 -05:00
Chris PeBenito
3b52b87615 Rearrage userdom_delete_user_tmpfs_files() interface. 2013-12-03 09:45:16 -05:00
Dominick Grift
b0068ace7d userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-03 09:43:51 -05:00
Chris PeBenito
f06282d1e0 Update contrib. 2013-12-03 09:34:05 -05:00
Chris PeBenito
1a01976fc4 Module version bump for first batch of patches from Dominick Grift. 2013-12-02 14:22:29 -05:00
Dominick Grift
66c6b8a9f7 unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
04ac9311b9 xserver: already allowed by auth_login_pgm_domain(xdm_t)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
5c49af2076 kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
4113f7b0d4 sshd/setrans: make respective init scripts create pid dirs with proper contexts
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Dominick Grift
012f1b2311 sysbnetwork: dhclient searches /var/lib/ntp
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
6c19504654 sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:32 -05:00
Dominick Grift
3b6a8b0ee5 fstools: hdparm append (what seems inherited from devicekit ) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
000397b217 udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
e7b86e07f2 setrans: mcstransd reads filesystems file in /proc
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
a0e88de5e5 authlogin: unix_chkpwd traverses / on sysfs device on Debian
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:54 -05:00
Dominick Grift
ec54e42ed9 udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Dominick Grift
617e504c20 udev: this fc spec does not make sense, as there is no corresponding file type transition for it
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Dominick Grift
76e595794b mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints()
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:27:53 -05:00
Chris PeBenito
f028029464 Update contrib. 2013-11-13 12:20:51 -05:00
Chris PeBenito
9d6546a472 Module version bumps for syslog-ng and semodule updates. 2013-11-13 09:27:21 -05:00
Chris PeBenito
9fcc6fe625 Add comments about new capabilities for syslogd_t. 2013-11-13 09:26:38 -05:00
Sven Vermeulen
b00d94fb72 Allow capabilities for syslog-ng
The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:

 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]

Granting only setcap (initial AVC seen) does not fully help either:

 * Starting syslog-ng ...
 Error managing capability set, cap_set_proc returned an error;

With setcap and getcap enabled, syslog-ng starts and functions fine.

See also https://bugs.gentoo.org/show_bug.cgi?id=488718

Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-11-13 09:14:34 -05:00
Sven Vermeulen
2142e6e0cc Allow semodule to create symlink in semanage_store_t
With new userspace, trying to build a SELinux policy (and load it)
fails:

~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).

AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.
2013-11-13 09:13:32 -05:00
Chris PeBenito
eb4512f6eb Module version bump for dhcpc fixes from Dominick Grift. 2013-09-27 17:15:22 -04:00
Chris PeBenito
f0e0066a7b Reorder dhcpc additions. 2013-09-27 17:15:02 -04:00
Dominick Grift
b1599e01fe sysnetwork: dhcpc binds socket to random high udp ports sysnetwork: do not audit attempts by ifconfig to read, and write dhcpc udp sockets (looks like a leaked fd)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 17:13:12 -04:00
Chris PeBenito
20471346ed Silence symlink reading by setfiles since it doesn't follow symlinks anyway. 2013-09-27 17:09:43 -04:00
Chris PeBenito
57f00181ee Module version bump for mount updates from Dominick Grift. 2013-09-27 16:54:54 -04:00
Dominick Grift
85016ae811 mount: sets kernel thread priority mount: mount reads /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount points
In debian mount was trying to list / on a tmpfs (/run/lock). Since
var_lock_t is a mountpoint type, and so is mnt_t, i decided to implement
a files_list_all_mountpoints() and call that for mount because it makes
sense

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:50:38 -04:00
Chris PeBenito
b7b3b55280 Module version bumps for Debian udev updates from Dominick Grift. 2013-09-27 16:44:54 -04:00
Chris PeBenito
756a5e5101 Update contrib 2013-09-27 16:44:28 -04:00
Dominick Grift
0947e315ea udev: runs: /usr/lib/avahi/avahi-daemon-check-dns.sh which creates /run/avahi-daemon directory
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:40:09 -04:00
Chris PeBenito
24f4016ec5 Move stray Debian rule in udev. 2013-09-27 16:36:52 -04:00
Dominick Grift
5905067f2a udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and compromises kernel
udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t
directories

udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t

udev: remove compromise_kernel capability2 av perm as its currently not
supported in reference policy

udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6)

udev: udevd manages control udev_tbl_t type socket

udev: udevd manages udev_tbl_t directories
named files pid filetrans for /run/udev directory

udev: lets just label /run/udev type udev_var_run_t and get it over with

udev: make the files_pid_filetrans more specific because it appears that
udev also creates directories in /run that we dont want to have created
with type udev_var_run_t (/run/avahi-daemon in Debian)

udev: udev-acl.ck uses dbus system bus fds

udev: sends dbus message to consolekit manager:
OpenSessionWithParameters

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:35:28 -04:00
Chris PeBenito
be570944e5 Module version bump for ssh server caps for Debian from Dominick Grift. 2013-09-27 16:25:56 -04:00
Dominick Grift
fc8bbe630a ssh: Debian sshd is configured to use capabilities
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 16:25:15 -04:00
Chris PeBenito
cf905e8ef1 Module version bumps for dhcpc leaked fds to hostname. 2013-09-27 15:55:52 -04:00
Dominick Grift
0857061b58 hostname: do not audit attempts by hostname to read and write dhcpc udp sockets (looks like a leaked fd)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 15:13:19 -04:00
Chris PeBenito
48554d9376 Module version bump for gdomap port from Dominick Grift. 2013-09-27 15:12:51 -04:00
Dominick Grift
9e62ecd264 corenetwork: Declare gdomap port, tcp/udp:538
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-27 15:08:58 -04:00
Chris PeBenito
15f32f59fe Module version bump for xserver console and fc fixes from Dominick Grift. 2013-09-27 15:08:12 -04:00