The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup
filesystems.
Allows systemd_backlight_t to search /var/lib.
Commit 2e7553db63 ("Create / to /usr equivalence for bin, sbin, and
lib, from Russell Coker.") removed from corecommands.fc:
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
Consequently files like /usr/x86_64-w64-mingw32/bin/objdump get labeled
as usr_t:
$ matchpathcon /usr/x86_64-w64-mingw32/bin/objdump
/usr/x86_64-w64-mingw32/bin/objdump system_u:object_r:usr_t
Make such files labeled as bin_t again.
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:
avc: denied { read } for pid=191 comm="auditctl" name="UTC"
dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
avc: denied { open } for pid=191 comm="auditctl"
path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":
[pid 635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
"/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
...
[pid 635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid 635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
[pid 635] lseek(4, -71, SEEK_CUR) = 56
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
[pid 635] close(4) = 0
[pid 635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid 635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
[pid 635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
/etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
NULL, 0) = 81
[pid 635] exit_group(0) = ?
More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time is in local timezone.
[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
1d3087978a),
the following AVC denial gets reported:
avc: denied { module_load } for pid=1 comm="systemd"
scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
tclass=system permissive=1
[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
/* init_module */
if (file == NULL)
return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
SYSTEM__MODULE_LOAD, NULL);
In this code, both source and target SIDs are current_sid().
Since Xen 4.7, /dev/xen/privcmd is used instead of /proc/xen/privcmd.
Add the device into the policy so `xenstored` can work.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Not auditing this turns out to be the wrong choice for
several reasons.
For normal application functioning the user domain
should be able to create netlink_kobject_uvent_socket
sockets.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
This won't match subdirectories of /usr/lib, but that shouldn't be a
problem, since we have "allow domain lib_t ..." anyway.
We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
false positives; in particular, the files
/usr/share/xmlto/format/docbook/man
/usr/share/bash-completion/completions/man
