Dave Sugar
9da3f3a131
Allow snmpd to read hwdata
...
Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2198): avc: denied { getattr } for pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc: denied { read } for pid=4114 comm="snmpd" name="pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc: denied { open } for pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-10-01 22:11:28 -04:00
Chris PeBenito
39e2af539d
corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-22 08:27:05 -04:00
Chris PeBenito
941620c89c
Merge pull request #309 from yizhao1/dhcpcd
2020-09-22 08:23:49 -04:00
Chris PeBenito
4ac187dba2
Merge pull request #307 from atenart/buildroot-fixes
2020-09-22 08:23:45 -04:00
Antoine Tenart
86476f30cf
corecommands: add entry for Busybox shell
...
Fixes:
vc: denied { execute } for pid=87 comm="login" name="sh" dev="vda"
ino=408 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
Antoine Tenart
fdda7befa5
systemd: allow systemd-resolve to read in tmpfs
...
Fixes:
avc: denied { read } for pid=76 comm="systemd-resolve" name="/"
dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
Antoine Tenart
34547434b8
systemd: allow systemd-network to get attributes of fs
...
Fixes:
avc: denied { getattr } for pid=57 comm="systemd-network" name="/"
dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
Antoine Tenart
1ee738f708
systemd: allow systemd-hwdb to search init runtime directories
...
Fixes:
avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1
avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Antoine Tenart
f71d288e54
systemd: add extra systemd_generator_t rules
...
Fixes:
avc: denied { setfscreate } for pid=41 comm="systemd-getty-g"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=process
permissive=1
avc: denied { dac_override } for pid=40 comm="systemd-fstab-g"
capability=1 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=capability
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Antoine Tenart
f99b6907f4
dbus: allow clients to list runtime dirs and named sockets
...
Fixes:
avc: denied { read } for pid=77 comm="systemd-resolve" name="dbus"
dev="tmpfs" ino=2748 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir
permissive=1
avc: denied { read } for pid=77 comm="systemd-resolve"
name="system_bus_socket" dev="tmpfs" ino=2765
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file
permissive=1
avc: denied { read } for pid=59 comm="systemd-network" name="dbus"
dev="tmpfs" ino=2777 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir
permissive=1
avc: denied { read } for pid=59 comm="systemd-network"
name="system_bus_socket" dev="tmpfs" ino=2791
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Antoine Tenart
66c2ff9060
dbus: add two interfaces to allow reading from directories and named sockets
...
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Yi Zhao
25251b1f3b
sysnet: allow dhcpcd to create socket file
...
dhcpcd needs to create a socket file under the /run/dhcpcd directory.
Fixes:
AVC avc: denied { create } for pid=331 comm="dhcpcd" name="eth0.sock"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0
AVC avc: denied { setattr } for pid=331 comm="dhcpcd"
name="eth0.sock" dev="tmpfs" ino=19153
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0
AVC avc: denied { sendto } for pid=331 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=unix_dgram_socket permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-09-21 14:23:09 +08:00
Antoine Tenart
23f1e4316b
sysnetwork: allow to read network configuration files
...
Fixes:
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { read } for pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { read } for pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { open } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { open } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { getattr } for pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { read } for pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { open } for pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { search } for pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
5c604e806b
logging: allow systemd-journal to write messages to the audit socket
...
Fixes:
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
8cb806fbdf
locallogin: allow login to get attributes of procfs
...
Fixes:
avc: denied { getattr } for pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
7014af08ff
udev: allow udevadm to retrieve xattrs
...
Fixes:
avc: denied { getattr } for pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
avc: denied { getattr } for pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Chris PeBenito
2e5eefbfce
.travis.yml: Point selint at only the policy dir.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-17 09:58:02 -04:00
Chris PeBenito
c33866e1f6
selinux, init, systemd, rpm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-09 16:55:06 -04:00
Chris PeBenito
4e2b3545c6
Merge pull request #308 from cgzones/systemd_status
2020-09-09 16:54:23 -04:00
Christian Göttsche
24827d8073
selinux: add selinux_use_status_page and deprecate selinux_map_security_files
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-09 21:00:47 +02:00
Chris PeBenito
a0aee3cbcc
bind: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-09 11:25:28 -04:00
Dominick Grift
93113bce78
bind: add a few fc specs for unbound
...
unbound-checkconf is the unbound bind-checkconf equivalent
unbound-control is the unbound bind ndc equivalent
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2020-09-09 11:24:43 -04:00
Christian Göttsche
1103350ee3
init/systemd: allow systemd to map the SELinux status page
...
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.
See https://github.com/systemd/systemd/pull/16821
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-08 13:18:18 +02:00
Chris PeBenito
dcf7ae9f48
userdomain: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-31 15:36:14 -04:00
Chris PeBenito
58ea9ac7c3
Merge pull request #303 from jpds/optional-userdomain-usbguard
2020-08-31 15:32:18 -04:00
Jonathan Davies
9d3321e4fe
userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded.
...
Thanks to Dominick Grift for helping me pinpoint this.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-29 20:43:38 +00:00
Chris PeBenito
72e221fd4d
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-28 15:30:52 -04:00
Chris PeBenito
cc15ff2086
Merge pull request #302 from dsugar100/master
2020-08-28 15:26:50 -04:00
Chris PeBenito
74b37e16db
Merge pull request #301 from bauen1/fix-selint-s-010
2020-08-28 15:26:47 -04:00
bauen1
fa59d0e9bc
selint: fix S-010
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-08-28 17:39:09 +02:00
Dave Sugar
1627ab361e
Looks like this got dropped in pull request #294
...
Seeing the following denial - adding back in:
localhost kernel: type=1400 audit(1598497795.109:57): avc: denied { map } for pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2020-08-27 08:10:58 -04:00
Chris PeBenito
f8b0c1641c
acpi: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-26 12:52:59 -07:00
Chris PeBenito
565f41e474
Merge pull request #299 from jpds/acpid_shutdown
2020-08-26 12:49:20 -07:00
Chris PeBenito
3991ecf54f
Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into jpds-acpid_shutdown
2020-08-26 12:49:14 -07:00
Chris PeBenito
d655ae7afa
Merge pull request #300 from cgzones/macro
...
postfixpolicyd: split multi-class rule
2020-08-26 15:29:52 -04:00
Jonathan Davies
99ad371868
acpi.te: Removed unnecessary init_write_initctl().
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-25 22:53:40 +00:00
Christian Göttsche
850fefc626
postfixpolicyd: split multi-class rule
...
The rule uses the permission manage_file_perms on the classes file and
sock_file. This won't result in a change in the actual policy
generated, but if the definitions of macros are changed going forward,
the mismatches could cause issues.
Found by SELint
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-25 20:44:16 +02:00
Jonathan Davies
ec0ebc8b11
acpi.te: Allow acpid_t to shut down the system - this is required to handle shutdown calls from libvirt. Fixes #298.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-23 20:00:29 +00:00
Chris PeBenito
bdb9ffd00e
Update Changelog and VERSION for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:23:17 -04:00
Chris PeBenito
d387e79989
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:09:10 -04:00
Chris PeBenito
80abd29f0d
Merge pull request #297 from cgzones/travis
...
travis: resolve Linter tags
2020-08-18 08:34:07 -04:00
Christian Göttsche
f8f87a8085
travis: resolve Linter tags
...
root: duplicate key: matrix
root: deprecated key sudo (The key `sudo` has no effect anymore.)
root: missing os, using the default linux
root: key matrix is an alias for jobs, using jobs
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-15 19:40:14 +02:00
Chris PeBenito
ab47695bdb
files, init, modutils, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-14 09:38:09 -04:00
Chris PeBenito
e10d956f38
Merge pull request #294 from cgzones/selint
2020-08-14 09:36:44 -04:00
Chris PeBenito
60516aaeaa
xserver: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-14 08:53:38 -04:00
Chris PeBenito
b93ff5fe03
Merge pull request #291 from yizhao1/fix
2020-08-14 08:53:13 -04:00
Yi Zhao
afb2021524
xserver: allow xserver_t to connect to resmgrd
...
This was probably a typo:
resmgr_stream_connect(xdm_t) -> resmgr_stream_connect(xserver_t)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-08-14 11:13:34 +08:00
Yi Zhao
8322f0e0d9
Remove duplicated rules
...
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-08-14 10:55:31 +08:00
Christian Göttsche
09ed84b632
files/modutils: unify modules_object_t usage into files module
...
modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Christian Göttsche
e9b2e1ea4f
work on SELint issues
...
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00