Jason Zaman
9cf1886c68
fstools: add in filetrans for /run dir
The blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type and allows the transition in /run.
type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
In permissive:
type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149): cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc: denied { getattr } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.
2015-04-15 12:16:32 -04:00
Chris PeBenito
600f71a2d9
Update contrib.
2015-03-25 08:28:22 -04:00
Chris PeBenito
9a215ef9d9
Update contrib.
2015-02-17 08:35:52 -05:00
Chris PeBenito
f963d6dafa
Fix domain_mmap_low() to be a proper tunable.
2015-02-09 16:02:36 -05:00
Chris PeBenito
5f0e495887
Update contrib.
2015-01-30 09:13:49 -05:00
Chris PeBenito
68f2c6f44c
Add always_check_network policy capability.
Disabled by default, as most systems don't want/need this.
2015-01-27 17:25:36 -05:00
Chris PeBenito
fd0c07c8b3
Module version bump for optional else block removal from Steve Lawrence.
2015-01-12 08:45:58 -05:00
Steve Lawrence
4bd0277313
Remove optional else block for dhcp ping
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-01-12 08:44:39 -05:00
Chris PeBenito
960e6cd4e8
Update Changelog and VERSION for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
468185f5f7
Bump module versions for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
b86c6004d4
Module version bump for module store move from Steve Lawrence.
2014-12-03 13:37:02 -05:00
Steve Lawrence
418b3c78bb
Update policy for selinux userspace moving the policy store to /var/lib/selinux
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatibility.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 13:36:31 -05:00
Chris PeBenito
3e3a966eea
Update contrib.
2014-12-03 08:04:56 -05:00
Chris PeBenito
0735f2ca4a
Module version bump for misc fixes from Sven Vermeulen.
2014-12-02 10:29:59 -05:00
Sven Vermeulen
1edfad8247
Add /var/lib/racoon as runtime directory for ipsec
2014-12-02 09:16:06 -05:00
Sven Vermeulen
25b232f49a
Add gdisk and efibootmgr as fsadm_exec_t
2014-12-02 09:16:05 -05:00
Sven Vermeulen
363daeed61
Add in LightDM contexts
2014-12-02 09:16:05 -05:00
Sven Vermeulen
84fa2ab1f2
Mark f2fs as a SELinux capable file system
Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
2014-12-02 09:16:05 -05:00
Sven Vermeulen
29292968fe
xfce4-notifyd is an executable
2014-12-02 09:16:05 -05:00
Sven Vermeulen
2b642954a6
New sudo manages timestamp directory in /var/run/sudo
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
2014-12-02 09:16:05 -05:00
Sven Vermeulen
f0ebf14176
Add auth_pid_filetrans_pam_var_run
2014-12-02 09:16:05 -05:00
Sven Vermeulen
fbdf5f0ef8
Run grub(2)-mkconfig in bootloader domain
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
2014-12-02 09:16:05 -05:00
Chris PeBenito
f428babc50
Update contrib.
2014-12-02 09:00:54 -05:00
Laurent Bigonville
cbb1f36ef5
Add new audit_read access vector in capability2 class
This AV has been added in 3.16 in commit
3a101b8de0d39403b2c7e5c23fd0b005668acf48
2014-11-09 11:11:15 +01:00
Chris PeBenito
8a3a8c7e1b
Module version bump for /sbin/iw support from Nicolas Iooss.
2014-10-23 08:51:53 -04:00
Chris PeBenito
0820cfe75d
Add comment for iw generic netlink socket usage
2014-10-23 08:50:18 -04:00
Nicolas Iooss
5fb1249f37
Use create_netlink_socket_perms when allowing netlink socket creation
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up things without allowing anything new.
2014-10-23 08:07:44 -04:00
Nicolas Iooss
d6af57e5e7
Allow iw to create generic netlink sockets
iw uses generic netlink socket to configure WiFi properties. For
example, "strace iw dev wlan0 set power_save on" outputs:
socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
Some AVC denials are reported in audit.log:
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
Allowing ifconfig_t to create generic netlink sockets fixes this.
(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
2014-10-23 08:07:44 -04:00
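The denials quoted in the fstools commit and in the iw commit above are the raw material a policy writer turns into rules. As an added example (not refpolicy code and not from any of the commit authors), the Python below parses AVC records, aggregates them per (source type, target type, object class) into allow rules the way one would sanity-check audit2allow output, and separately flags "create" denials on named filesystem objects: those are the cases where, as the fstools commit does with fstools_run_t, a named file transition to a dedicated type is the right fix rather than a blanket allow on the generic parent type (var_run_t here). The sample lines are copied from the commit messages on this page (the iw lines re-joined onto single lines); the function names, the permissive-parsing regexes and the `<new_type>` placeholder are this example's own assumptions.

```python
"""Aggregate SELinux AVC denials into candidate policy rules.

Added example, not part of refpolicy. Reads audit records, groups the
denied permissions by (source type, target type, class) and renders
allow rules; also lists "create" denials on named fs objects, which are
candidates for filetrans_pattern() rather than for an allow rule.
"""
import re
import sys
from collections import defaultdict

# Sample input copied from the commit messages above (iw denials
# re-joined onto single lines). One non-AVC record is included to show
# that it is skipped.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1',
    'type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1',
    'type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1',
    'type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1',
    'type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1',
    'type=CWD msg=audit(1428948565.919:160149): cwd="/root/selinux"',
    'type=AVC msg=audit(1408829044.820:486): avc: denied { create } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1',
    'type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes for which a "create" denial names a filesystem object.
FS_CLASSES = {"dir", "file", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}


def parse_avc(line):
    """Return {"perms": [...], "scontext": ..., "tcontext": ..., "tclass": ..., ...}
    for an AVC denial record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {"perms": m.group("perms").split(), **fields}


def ctx_type(context):
    """user:role:type[:mls] -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def aggregate(lines):
    """Collect denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        rules[(ctx_type(d["scontext"]), ctx_type(d["tcontext"]), d["tclass"])].update(d["perms"])
    return rules


def render(rules):
    """Render aggregated denials as allow rules, deterministically ordered."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def filetrans_candidates(lines):
    """"create" denials on a named fs object. On such a denial the tcontext is
    the label the new object would get: with no transition rule, the type is
    inherited from the parent, so tcontext's type is the parent type."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d and "create" in d["perms"] and d["tclass"] in FS_CLASSES and "name" in d:
            out.append((ctx_type(d["scontext"]), ctx_type(d["tcontext"]), d["tclass"], d["name"]))
    return out


def render_filetrans(candidates, new_type="<new_type>"):
    """Named file transition for each candidate; new_type is the dedicated
    private type to declare (a placeholder unless the caller supplies one)."""
    return [f'filetrans_pattern({src}, {parent}, {new_type}, {cls}, "{name}")'
            for src, parent, cls, name in candidates]


if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_AUDIT_LINES
    print("\n".join(render(aggregate(lines))))
    print("# filetrans candidates:")
    print("\n".join(render_filetrans(filetrans_candidates(lines))))
```

Run it on the embedded sample or pipe `ausearch -m avc` output into it. Note that it lists both /run/blkid and /run/blkid/blkid.tab as transition candidates; once the directory gets its own type, the file inside inherits that type from its new parent, which is why the fstools commit's v2 transitions only on the dir. The aggregated allow rules are the fallback, not the goal: writing `allow fsadm_t var_run_t:dir { add_name create write }` would let the domain create anything directly under /run, which is exactly the over-broad grant the named transition avoids.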
Nicolas Iooss
f91e07baa9
Label /sbin/iw as ifconfig_exec_t
iw manpage says "iw - show / manipulate wireless devices and their
configuration". Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.
Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
2014-10-23 08:07:44 -04:00
Chris PeBenito
6a24d9dba0
Module version bump for Debian arping fc entries from Laurent Bigonville.
2014-10-06 09:50:58 -04:00
Chris PeBenito
da451633ef
Merge pull request #4 from fishilico/minor-typo
Fix minor typo in init.if
2014-10-06 09:07:43 -04:00
Nicolas Iooss
836a282439
Fix minor typo in init.if
2014-10-04 10:53:50 +02:00
Laurent Bigonville
740a1746bf
Debian also ships a different arping implementation
In addition to the iputils arping implementation, Debian also ships
another implementation which is installed under /usr/sbin/arping
2014-10-03 14:35:58 +02:00
Laurent Bigonville
a9594fc684
On Debian iputils-arping is installed in /usr/bin/arping
2014-10-03 14:29:05 +02:00
Chris PeBenito
6624f9cf7a
Drop RHEL4 and RHEL5 support.
2014-09-24 13:10:37 -04:00
Chris PeBenito
35860e6459
Module version bump for CIL fixes from Yuli Khodorkovskiy.
2014-09-17 14:00:08 -04:00
Yuli Khodorkovskiy
330b0fc333
Remove duplicate role declarations
- This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.
- Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.
2014-09-17 10:44:04 -04:00
Chris PeBenito
47fa454784
/dev/log symlinks are not labeled devlog_t.
Drop rule; if /dev/log is a symlink, it should be device_t.
2014-09-12 14:25:01 -04:00
Chris PeBenito
607f8fb32a
Update contrib.
2014-09-12 11:30:28 -04:00
Chris PeBenito
e4cbb09a3d
Module version bumps for systemd/journald patches from Nicolas Iooss.
2014-09-12 11:30:05 -04:00
Nicolas Iooss
0cd1ea9596
Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
Since commit 0fd9dc55, logging.te contains:
term_write_all_user_ttys(syslogd_t)
As "write" is a superset of "append", this rule is no longer needed:
term_append_unallocated_ttys(syslogd_t)
While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
2014-09-12 09:55:58 -04:00
Nicolas Iooss
6a201e405b
Allow journald to access to the state of all processes
When a process sends a syslog message to journald, journald records
information such as command, executable, cgroup, etc.:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589
This needs domain_read_all_domains_state.
2014-09-12 09:55:13 -04:00
Chris PeBenito
6ced8116bd
Add comment for journald ring buffer reading.
2014-09-12 09:54:11 -04:00
Nicolas Iooss
3a7e30c22d
Allow journald to read the kernel ring buffer and to use /dev/kmsg
audit.log shows that journald needs to read the kernel ring buffer:
avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
2014-09-12 09:52:18 -04:00
Nicolas Iooss
ae4d07c8a8
Support logging with /run/systemd/journal/dev-log
In June 2014 systemd moved the socket used by journald to /run. This
requires search access to two new directories for every domain sending
syslog messages:
* /run/systemd/ (handled by init_search_run)
* /run/systemd/journal/ (labeled syslogd_var_run_t)
systemd commit:
http://cgit.freedesktop.org/systemd/systemd/commit/units/systemd-journald-dev-log.socket?id=03ee5c38cb0da193dd08733fb4c0c2809cee6a99
2014-09-12 09:50:48 -04:00
Chris PeBenito
a30feb2a5b
Whitespace change in logging.fc.
2014-09-12 09:49:37 -04:00
Nicolas Iooss
d7b2ccf89a
Label systemd-journald files and directories
2014-09-12 09:47:59 -04:00
Nicolas Iooss
687b5d3391
Introduce init_search_run interface
2014-09-12 09:46:01 -04:00
Chris PeBenito
8cfe827a3d
Move systemd fc entry.
2014-09-12 09:42:59 -04:00
Nicolas Iooss
dcca3e977b
Label systemd files in init module
2014-09-12 09:41:25 -04:00