systemd-tmpfiles can manage various file classes but the permissions
vary depending on the class.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Newer versions of grub modify EFI variables on efivarfs. This commit
adds a dontaudit on the legacy /sys/fs/efi/vars files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Enabling this will disable all permissions for setting SELinux Booleans,
even for unconfined domains.
This does not affect setenforce. Enable secure_mode_policyload along with
secure_mode_setbool to fully lock the SELinux security interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.
Fixes:
avc: denied { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.
This behaviour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered a security risk.
Relevant denials are silenced in case the policy is disabled.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.
Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such a case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel security context until they are recreated, which for some
sockets (notify socket) never happens.
Until there is a way to change the context of an already open socket
object, all processes that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.
Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.
[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
tmp
This patch removes every macro and interface that was deprecated in 20190201.
Some of them date back to 2016 or 2017. I chose 20190201 as that is the one
that is in the previous release of Debian. For any distribution I don't
think it makes sense to carry interfaces that were deprecated in version N
to version N+1.
One thing that particularly annoys me is when audit2allow -R gives deprecated
interfaces in its output. Removing some of these should reduce the
incidence of that.
I believe this is worthy of merging.
Signed-off-by: Russell Coker <russell@coker.com.au>
I was seeing the following errors from systemd-modules-load without this search permission.
Dec 7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available
Dec 7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13
Dec 7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE
Dec 7 14:36:19 audispd: node=localhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load"
Dec 7 14:36:19 systemd: Failed to start Load Kernel Modules.
This is the denial:
Dec 7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc: denied { search } for pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
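The denials quoted in the systemd-tmpfiles factory commit above (relabelfrom on etc_t) and in this one (search on a kernel_t key) are the raw input a policy author triages before choosing between an allow rule, a tunable_policy block, or a dontaudit. The following is an added example, not refpolicy code or a tool from any of the commits: a small audit2allow-style first pass that parses AVC records, collapses them per (source type, target type, object class), and emits the candidate rule, with a per-triple override so that a denial meant to be silenced (the tmpfiles case, which is only allowed under the systemd_tmpfilesd_factory tunable) comes out as dontaudit. The sample log is constructed from the two records on this page plus a third line modelled on the initrd notify-socket case (a socket object labelled kernel_t); the pid, comm and permissive values on that third line are assumptions, not from the page.

```python
"""AVC denial triage helper (added example, not refpolicy code).

Parses AVC records as printed by the kernel / audispd, groups them by
(source type, target type, object class) and prints the candidate rule
the way audit2allow would, so a reviewer can decide per rule whether it
belongs in an allow, a tunable_policy block, or a dontaudit.
"""
import re
from collections import defaultdict

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; the value is either double-quoted or a run of non-blanks
# (possibly empty, e.g. the "dev= ino=" seen in the tmpfiles denial).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def context_type(ctx):
    """Type field of user:role:type[:range]; an MLS range may add more colons."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a record dict for one AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    permissive = fields.get("permissive")
    return {
        "perms": m.group("perms").split(),
        "fields": fields,
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        # None when the record carries no permissive= field at all
        "permissive": None if permissive is None else permissive == "1",
    }


def parse_log(text):
    """Parse every line of a log excerpt, dropping non-AVC lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def suggest_rules(records, dontaudit=frozenset()):
    """One rule per (stype, ttype, tclass), permissions merged and sorted.

    `dontaudit` is a set of (stype, ttype, tclass) triples the reviewer has
    decided to silence instead of allow.
    """
    perms_by_key = defaultdict(set)
    for r in records:
        perms_by_key[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for key in sorted(perms_by_key):
        verb = "dontaudit" if key in dontaudit else "allow"
        stype, ttype, tclass = key
        perms = " ".join(sorted(perms_by_key[key]))
        rules.append(f"{verb} {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


# Constructed sample: the two denials quoted in the commit messages, plus a
# third line (assumed values) modelled on the initrd-inherited notify socket.
SAMPLE_LOG = """\
avc: denied { relabelfrom } for comm="systemd-tmpfile" name="pam.d" dev= ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
Dec 7 14:36:19 systemd: Failed to start Load Kernel Modules.
Dec 7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc: denied { search } for pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
avc: denied { sendto } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Only allowed under the systemd_tmpfilesd_factory tunable; silence otherwise.
    silence = {("systemd_tmpfiles_t", "etc_t", "dir")}
    for rule in suggest_rules(recs, dontaudit=silence):
        print(rule)
```

The permissive flag is kept on each record because a denial logged with permissive=1 is usually the first of several: in enforcing mode the process would have stopped at that access, so the rule list derived from a permissive run is the complete set, whereas one derived from an enforcing run is only the next step.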
xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux
boolean "domain_can_mmap_files" in CentOS is set to false the mmap()
call fails.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>