Commit Graph

4920 Commits

Author SHA1 Message Date
Chris PeBenito
98a7f0446d init, systemd, cdrecord: Module version bump. 2019-02-19 19:31:04 -08:00
Chris PeBenito
b3e8e5a4ba systemd: Remove unnecessary brackets. 2019-02-19 19:20:57 -08:00
Sugar, David
31ac26dd58 Add interface to run cdrecord in caller domain
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-19 19:19:28 -08:00
Sugar, David
b3cbf00cba Allow systemd-hostnamed to set the hostname
When calling hostnamectl to set the hostname it needs sys_admin
capability to actually set the hostname.

Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted
type=AVC msg=audit(1550058524.656:1988): avc:  denied  { sys_admin } for  pid=7873 comm="systemd-hostnam" capability=21  scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-19 19:06:40 -08:00
Sugar, David
61d12f722d Allow init_t to read net_conf_t
init (systemd) needs to read /etc/hostname during boot
to retreive the hostname to apply to the system.

Feb 06 18:37:06 localhost.localdomain kernel: type=1400 audit(1549478223.842:3): avc:  denied  { read } for  pid=1 comm="systemd" name="hostname" dev="dm-1" ino=1262975 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-19 19:06:40 -08:00
Chris PeBenito
807cf71287 corenetwork: Module version bump. 2019-02-17 21:11:43 -05:00
Chris PeBenito
0608514160 Merge branch 'stubby-daemon' of git://github.com/fishilico/selinux-refpolicy 2019-02-17 21:11:04 -05:00
Nicolas Iooss
919c889b7d
Add policy for stubby DNS resolver
Stubby is a DNS resolver that encrypts DNS queries and transmits them to
a resolver in a TLS channel. It therefore requires less permissions than
a traditionnal DNS resolver such as named or unbound (provided by module
"bind").

cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

This program is packaged for Arch Linux, Debian, etc.

DNS-over-TLS uses TCP port 853, which does not seem to conflict with
existing ports. Label it like other DNS ports.

init_dbus_chat(stubby_t) is required on systemd-based distributions
because stubby's service uses DynamicUser=yes [1]. Without this
statement, the following denials are reported by dbus:

    type=USER_AVC msg=audit(1550007165.936:257): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.DBus member=Hello
    dest=org.freedesktop.DBus spid=649
    scontext=system_u:system_r:stubby_t
    tcontext=system_u:system_r:system_dbusd_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

    type=USER_AVC msg=audit(1550007165.939:258): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 spid=649
    tpid=1 scontext=system_u:system_r:stubby_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

    type=USER_AVC msg=audit(1550007165.939:259): pid=274 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.39
    spid=1 tpid=649 scontext=system_u:system_r:init_t
    tcontext=system_u:system_r:stubby_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

[1] https://github.com/getdnsapi/stubby/blob/v0.2.5/systemd/stubby.service#L8
2019-02-17 22:16:33 +01:00
Chris PeBenito
e3f90ef0b5 sysadm: Module version bump. 2019-02-13 18:53:56 -05:00
Chris PeBenito
9508b3bbe9 Merge branch 'sysadm-dynamic-users' of git://github.com/fishilico/selinux-refpolicy 2019-02-13 18:49:35 -05:00
Nicolas Iooss
4aa9acca0a
sysadm: allow resolving dynamic users
On a virtual machine using haveged daemon, running "ps" from a sysadm_t
user leads to the following output:

    $ ps -eH -o label,user,pid,cmd
    ...
    system_u:system_r:init_t        root         1 /sbin/init
    system_u:system_r:syslogd_t     root       223   /usr/lib/systemd/systemd-journald
    system_u:system_r:lvm_t         root       234   /usr/bin/lvmetad -f
    system_u:system_r:udev_t        root       236   /usr/lib/systemd/systemd-udevd
    system_u:system_r:entropyd_t    65306      266   /usr/bin/haveged --Foreground --verbose=1

User 65306 is a dynamic user attributed by systemd:

    $ cat /var/run/systemd/dynamic-uid/65306
    haveged

Running ps leads to the following log:

    type=USER_AVC msg=audit(1549830356.959:1056): pid=278 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1
    spid=12038 tpid=1 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Allow sysadm_t to resolve dynamic users when systemd is used.

After this, "ps" works fine:

    system_u:system_r:entropyd_t    haveged    266   /usr/bin/haveged --Foreground --verbose=1
2019-02-12 21:43:08 +01:00
Chris PeBenito
e727079acc systemd: Module version bump. 2019-02-09 09:06:37 -05:00
Sugar, David
24da4bf370 Separate domain for systemd-modules-load
systemd-modules-load is used to pre-load kernal modules as the system comes up.
It was running initc_t which didn't have permissions to actually load kernel
modules.  This change sets up a new domain for this service and grants permission
necessary to load kernel modules.

Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:10): avc:  denied  { read } for  pid=4257 comm="systemd-modules" name="fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:11): avc:  denied  { open } for  pid=4257 comm="systemd-modules" path="/usr/lib/modules/3.10.0-957.1.3.el7.x86_64/kernel/fs/fuse/fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-09 09:01:05 -05:00
Sugar, David
21351f6bd9 Allow systemd-networkd to get IP address from dhcp server
I'm seeing the following denials when attempting to get a DHCP address.

type=AVC msg=audit(1549471325.440:199): avc:  denied  { name_bind } for pid=6964 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc:  denied  { node_bind } for pid=6964 comm="systemd-network" saddr=10.1.12.61 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc:  denied  { net_bind_service } for  pid=6964 comm="systemd-network" capability=10 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1549471325.440:199): arch=c000003e syscall=49 success=yes exit=0 a0=b a1=7fff09388780 a2=10 a3=7fff09388778 items=0 ppid=1 pid=6964 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-09 09:01:05 -05:00
Chris PeBenito
10e0106e82 Update Changelog and VERSION for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito
445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito
83ebbd23d3 corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump. 2019-02-01 14:21:55 -05:00
Russell Coker
044da0b8b9 more misc stuff
Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.
2019-02-01 14:16:57 -05:00
Chris PeBenito
4e5b6f39ff redis: Module version bump. 2019-01-30 18:46:28 -05:00
Chris PeBenito
8e45aef50c redis: Move line. 2019-01-30 18:46:07 -05:00
Alexander Miroshnichenko
2adbd7f732 minor updates redis module to be able to start the app
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2019-01-30 18:45:43 -05:00
Chris PeBenito
b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Chris PeBenito
137aca70e3 hostapd: Move line. 2019-01-29 18:59:50 -05:00
Chris PeBenito
b54fd25c60 hostapd: Whitespace change. 2019-01-29 18:59:50 -05:00
Russell Coker
1574ac4a5d chromium
There are several nacl binaries that need labels.

Put an ifdef debian for some chromium paths.

Git policy misses chromium_role() lines, were they in another patch that was
submitted at the same time?

I don't know what this is for but doesn't seem harmful to allow it:
type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome
type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null)
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { associate } for  pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { create } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { add_name } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir

Allow domain_use_interactive_fds() for running via ssh -X.

Allow managing xdg data, cache, and config.

Allow reading public data from apt and dpkg, probably from lsb_release or some
other shell script.

How does the whold naclhelper thing work anyway?  I'm nervous about process
share access involving chromium_sandbox_t, is that really what we want?

Added lots of other stuff like searching cgroup dirs etc.
2019-01-29 18:59:33 -05:00
Russell Coker
3d65c79750 yet another little patch
This should all be obvious.
2019-01-29 18:45:30 -05:00
Alexander Miroshnichenko
275c304dc1 Add hostapd service module
Add a SELinux Reference Policy module for the hostapd
IEEE 802.11 wireless LAN Host AP daemon.
2019-01-29 18:42:14 -05:00
Chris PeBenito
535cea9ad1 filesystem, postgresql: Module version bump. 2019-01-27 12:58:33 -05:00
Chris PeBenito
b78be0cc7a Merge branch 'postgres' of git://github.com/alexminder/refpolicy 2019-01-27 12:44:39 -05:00
Alexander Miroshnichenko
548564099e fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface 2019-01-26 21:50:12 +03:00
Chris PeBenito
30a46e5676 various: Module version bump. 2019-01-23 19:02:01 -05:00
Chris PeBenito
14505cb1ef dovecot: Move lines. 2019-01-23 19:01:37 -05:00
Chris PeBenito
fce54c10fa Merge branch 'dovecot' of git://github.com/alexminder/refpolicy 2019-01-23 18:52:35 -05:00
Chris PeBenito
08cb521ab0 chromium: Move line. 2019-01-23 18:44:45 -05:00
Chris PeBenito
71830b02c5 chromium: Whitespace fixes. 2019-01-23 18:43:16 -05:00
Jason Zaman
6d164216d9 Add chromium policy upstreamed from Gentoo
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-01-23 18:40:57 -05:00
Jason Zaman
fa23645ca1 userdomain: introduce userdom_user_home_dir_filetrans_user_cert
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-01-23 18:40:57 -05:00
Jason Zaman
4ed30f7492 kernel: introduce kernel_dontaudit_read_kernel_sysctl
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-01-23 18:40:57 -05:00
Jason Zaman
d83a104eda files: introduce files_dontaudit_read_etc_files
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-01-23 18:40:57 -05:00
Jason Zaman
1bc0503d53 devices: introduce dev_dontaudit_read_sysfs
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-01-23 18:40:57 -05:00
Chris PeBenito
7a1e0d0ca9 init: Drop unnecessary userspace class dependence in init_read_generic_units_symlinks(). 2019-01-23 18:35:00 -05:00
Chris PeBenito
09a81f7220 init: Rename init_read_generic_units_links() to init_read_generic_units_symlinks(). 2019-01-23 18:34:10 -05:00
Russell Coker
eba35802cc yet more tiny stuff
I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.

Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
2019-01-23 18:32:41 -05:00
Chris PeBenito
bf21c5c0d2 dpkg: Move interface implementations. 2019-01-23 18:30:15 -05:00
Chris PeBenito
ed79766651 dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). 2019-01-23 18:28:51 -05:00
Russell Coker
05cd55fb51 tiny stuff for today
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
2019-01-23 18:26:45 -05:00
Alexander Miroshnichenko
de478dca3a Add dovecot_can_connect_db boolean.
Add dovecot_can_connect_db boolean. Grant connect dovecot_auth_t to DBs by dovecot_can_connect_db boolean.
2019-01-23 18:22:24 +03:00
Alexander Miroshnichenko
438786dfa7 Add map permission for postgresql_t to postgresql_tmp_t files. 2019-01-23 18:00:25 +03:00
Alexander Miroshnichenko
cff5e0026c Add new interface fs_rmw_hugetlbfs_files.
Add new interface fs_rmw_hugetlbfs_files and grant it to postgresql_t.
2019-01-23 17:58:54 +03:00
Chris PeBenito
a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00