Commit Graph

5128 Commits

Author SHA1 Message Date
Chris PeBenito
a5dab43a85 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-11 06:52:32 -04:00
Chris PeBenito
c6396d5a79 Merge pull request #88 from fishilico/usr-bin-fc 2019-09-11 06:26:24 -04:00
Chris PeBenito
cfdf3b7981 Merge pull request #98 from fishilico/ulogd-dynamic-user 2019-09-11 06:22:44 -04:00
Chris PeBenito
f500ff48d2 Merge pull request #99 from fishilico/bitlbee-dynamic-user 2019-09-11 06:22:09 -04:00
Chris PeBenito
7ae433aedc Merge pull request #100 from fishilico/chromium-ifdef 2019-09-11 06:21:23 -04:00
Chris PeBenito
f7197a1b42 Merge pull request #101 from bigon/udevadm 2019-09-11 06:20:44 -04:00
Laurent Bigonville
44957d318c Allow udevadm_t to use dac_read_search capability
udevadm trigger tries to read files under /sys/module/ that might not be
readable by root, for example:

--w------- 1 root root 4096 sep  5 17:06 /sys/module/snd_hda_codec_generic/uevent

We choose to allow it here because, according to Grift,
"the cap_dac_read_search could maybe be dontaudited, but then
cap_dac_override would have to be dontaudited as well.
cap_dac_read_search would also be triggered when you run `sudo udevadm
...` where pwd or/and oldpwd is ~"

type=PROCTITLE msg=audit(29/08/19 15:37:14.505:417) : proctitle=/bin/udevadm trigger --type=subsystems --action=add
type=PATH msg=audit(29/08/19 15:37:14.505:417) : item=0 name=/sys/module/snd_hda_codec_generic/uevent inode=17769 dev=00:13 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(29/08/19 15:37:14.505:417) : cwd=/
type=SYSCALL msg=audit(29/08/19 15:37:14.505:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission non accordée) a0=0xffffff9c a1=0x7fff23710260 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_override } for  pid=481 comm=udevadm capability=dac_override  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_read_search } for  pid=481 comm=udevadm capability=dac_read_search  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-09-09 08:27:50 +02:00
Laurent Bigonville
8f4f9a924a Allow udevadm to read files in /run/udev/data
With this commit, my basic debian buster installation is booting

type=PROCTITLE msg=audit(09/09/19 08:23:24.011:69) : proctitle=/bin/udevadm trigger --type=devices --action=add
type=PATH msg=audit(09/09/19 08:23:24.011:69) : item=0 name=/run/udev/data/+platform:QEMU0002:00 inode=12584 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:udev_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(09/09/19 08:23:24.011:69) : cwd=/
type=SYSCALL msg=audit(09/09/19 08:23:24.011:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7fff993f0cb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=486 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { open } for  pid=486 comm=udevadm path=/run/udev/data/+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { read } for  pid=486 comm=udevadm name=+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-09-09 08:25:16 +02:00
Nicolas Iooss
0e045ef5fe
chromium: remove distro-specific ifdef
Arch Linux installs Chromium in /usr/lib/chromium/ like Debian. Instead
of adding a new ifdef(`distro_arch') block, remove the restriction in
chromium.fc.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:12:04 +02:00
Nicolas Iooss
10cd3fb258
bitlbee: allow using GetDynamicUser on Debian
On Debian 10, starting bitlbee daemon leads to:

    type=AVC msg=audit(1567941717.044:14204): avc:  denied  { search }
    for  pid=5704 comm="bitlbee" name="dbus" dev="tmpfs" ino=13798
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
    permissive=0

    type=AVC msg=audit(1567941717.044:14205): avc:  denied  { read } for
    pid=5704 comm="bitlbee" name="direct:64707" dev="tmpfs" ino=16529
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

    type=AVC msg=audit(1567941756.020:14208): avc:  denied  { search }
    for  pid=6363 comm="bitlbee" name="dbus" dev="tmpfs" ino=13798
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
    permissive=0

    type=AVC msg=audit(1567941756.020:14209): avc:  denied  { read } for
    pid=6363 comm="bitlbee" name="direct:64707" dev="tmpfs" ino=16529
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

    type=USER_AVC msg=audit(1567941770.492:14215): pid=432 uid=106
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
    dest=org.freedesktop.systemd1 spid=6694 tpid=1
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'

All these denials are related to getting dynamic users through a D-Bus
call to GetDynamicUsers() of interface org.freedesktop.systemd1.Manager.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:07:15 +02:00
Nicolas Iooss
f5a4ce1d35
ulogd: adjust policy for Debian
On a Debian 10 system, I saw denials for ulogd service:

* It uses a pipe with itself:

    type=AVC msg=audit(1567874422.328:13744): avc:  denied  { write }
    for pid=11416 comm="ulogd" path="pipe:[29006]" dev="pipefs"
    ino=29006 scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=fifo_file permissive=0

* It enumerates users in /run/systemd/dynamic-uid/ when changing to the
  ulog user (which is not dynamic):

    type=AVC msg=audit(1567874512.576:13748): avc:  denied  { read } for
    pid=18290 comm="ulogd" name="dynamic-uid" dev="tmpfs" ino=16527
    scontext=system_u:system_r:ulogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=0

* It connects to the system D-Bus socket in order to call GetDynamicUser:

    type=AVC msg=audit(1567875114.147:13761): avc:  denied  { write }
    for  pid=28135 comm="ulogd" name="system_bus_socket" dev="tmpfs"
    ino=13799 scontext=system_u:system_r:ulogd_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=sock_file
    permissive=1

    type=AVC msg=audit(1567875114.147:13761): avc:  denied  { connectto
    } for  pid=28135 comm="ulogd" path="/run/dbus/system_bus_socket"
    scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket
    permissive=1

    type=USER_AVC msg=audit(1567875276.683:13776): pid=432 uid=106
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_db
    usd_t msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
    dest=org.freedesktop.systemd1 spid=30953 tpid=1
    scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:init_t
    tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=106
    hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:06:34 +02:00
Chris PeBenito
031f53120c sudo: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-07 17:21:46 -04:00
Chris PeBenito
a8d879847e Merge pull request #97 from fishilico/sudo-use_pty 2019-09-07 17:15:58 -04:00
Chris PeBenito
208296a0c2 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-07 16:58:51 -04:00
Chris PeBenito
bbd7f748a6 Merge pull request #82 from fishilico/typo-cups-fc 2019-09-07 16:47:34 -04:00
Chris PeBenito
682b015be9 Merge pull request #89 from fishilico/apt-dpkg-nnp 2019-09-07 16:43:05 -04:00
Chris PeBenito
1167995694 Merge pull request #90 from fishilico/apt-dbus-systemd-logind 2019-09-07 16:42:21 -04:00
Chris PeBenito
1975b0de50 Merge pull request #91 from fishilico/utempter-debian 2019-09-07 16:41:49 -04:00
Chris PeBenito
83a8032d8e Merge pull request #92 from fishilico/irc-weechat 2019-09-07 16:40:52 -04:00
Chris PeBenito
b340b15b8b Merge pull request #93 from fishilico/systemd-read-netlink_kobject_uevent_socket 2019-09-07 16:40:27 -04:00
Chris PeBenito
1dea588464 Merge pull request #94 from fishilico/wireguard 2019-09-07 16:39:48 -04:00
Chris PeBenito
433519a8ca Merge pull request #95 from fishilico/modutils-debian 2019-09-07 16:37:45 -04:00
Chris PeBenito
fad0c3f126 Merge pull request #96 from fishilico/systemd-modules-load-sysfs 2019-09-07 16:34:34 -04:00
Dominick Grift
210b64f10a Remove shell automatic domain transitions to unconfined_t from various pam login programs
I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users)

Some aspect to note:

1. The ssh_sysadm_login boolean now applies to unconfined_t as well
2. remotelogin only allows unpriv logins

The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2019-09-07 16:26:49 -04:00
Nicolas Iooss
c06b3d6dd0
sudo: allow using use_pty flag
When /etc/sudoers contains "Defaults use_pty", sudo creates a new
pseudo-pty when running a command. This is currently denied from
a sysadm_u session:

    type=AVC msg=audit(1567807315.843:13300): avc:  denied  { read write
    } for  pid=5053 comm="sudo" name="ptmx" dev="devtmpfs" ino=1108
    scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=system_u:object_r:ptmx_t tclass=chr_file permissive=0

As it seems logical for the newly-created pty to be labeled
user_devpts_t, use userdom_create_user_pty() to allow this.

Then, a new denial appears:

    type=AVC msg=audit(1567808670.441:13341): avc:  denied  { setattr }
    for  pid=30256 comm="sudo" name="9" dev="devpts" ino=12
    scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=sysadm_u:object_r:user_devpts_t tclass=chr_file
    permissive=0

    type=SYSCALL msg=audit(1567808670.441:13341): arch=c000003e
    syscall=92 success=no exit=-13 a0=563c5aac5f80 a1=0 a2=5
    a3=fffffffffffff874 items=0 ppid=20934 pid=30256 auid=1000 uid=0
    gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000
    tty=pts4 ses=687 comm="sudo" exe="/usr/bin/sudo"
    subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)

On x86-64, syscall 92 is chown(). Allow this access with
userdom_setattr_user_ptys().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-07 00:37:52 +02:00
Nicolas Iooss
233e13cb44
systemd: allow systemd-modules-load.service to read sysfs
systemd-modules-load.service needs to read file
/sys/module/${MODULE}/initstate for each ${MODULE} defined in
/etc/modules-load.d/. These files are labeled sysfs_t.

This fixes:

    type=AVC msg=audit(1567804818.331:138713): avc:  denied  { read }
    for  pid=31153 comm="systemd-modules" name="initstate" dev="sysfs"
    ino=14778 scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysfs_t tclass=file permissive=0

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 23:28:40 +02:00
Nicolas Iooss
b4377dfd67
modutils: allow depmod and modprobe to use the I/O provided by apt
On Debian, when installing a package which provides a kernel module with
DKMS, depmod and modprobe are invoked using a dedicated pseudo-tty:

    type=AVC msg=audit(1567803320.004:138586): avc:  denied  { read
    write } for  pid=19269 comm="depmod" path="/dev/pts/2" dev="devpts"
    ino=5 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=sysadm_u:object_r:apt_devpts_t tclass=chr_file
    permissive=1

    type=AVC msg=audit(1567803320.664:138589): avc:  denied  { use } for
    pid=19276 comm="modprobe" path="/dev/pts/2" dev="devpts" ino=5
    scontext=sysadm_u:sysadm_r:kmod_t tcontext=sysadm_u:sysadm_r:apt_t
    tclass=fd permissive=1

    type=AVC msg=audit(1567803320.664:138589): avc:  denied  { append }
    for  pid=19276 comm="modprobe" path="/dev/pts/2" dev="devpts" ino=5
    scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=sysadm_u:object_r:apt_devpts_t tclass=chr_file
    permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 23:08:24 +02:00
Nicolas Iooss
b3119f1d17
modutils: allow depmod to read /boot/System.map
On a Debian system, when installing a package which provides a kernel
module with DKMS, the module is compiled and depmod is executed with a
command line that looks like:

    depmod -a 4.19.0-5-amd64 -F /boot/System.map-4.19.0-5-amd64

This obviously requires depmod to read System.map. Otherwise, the
following events are logged to audit.log:

    type=AVC msg=audit(1567802614.408:138551): avc:  denied  { search }
    for  pid=12090 comm="depmod" name="boot" dev="vda1" ino=262145
    scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:boot_t
    tclass=dir permissive=0

    type=AVC msg=audit(1567802670.132:138555): avc:  denied  { read }
    for  pid=14210 comm="depmod" name="System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

    type=AVC msg=audit(1567802670.132:138555): avc:  denied  { open }
    for  pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

    type=AVC msg=audit(1567802670.136:138556): avc:  denied  { getattr }
    for  pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

and depmod fails, which makes apt fails with:

    wireguard.ko:
    Running module version sanity check.
     - Original module
       - No original module exists within this kernel
     - Installation
       - Installing to /lib/modules/4.19.0-5-amd64/updates/dkms/

    depmod...(bad exit status: 1)

    [...]

    Error! Problems with depmod detected.  Automatically uninstalling
    this module.
    DKMS: Install Failed (depmod problems).  Module rolled back to built
    state.
    dpkg: error processing package wireguard-dkms (--configure):
     installed wireguard-dkms package post-installation script
    subprocess returned error exit status 6

    [...]

    Errors were encountered while processing:
     wireguard-dkms
    E: Sub-process /usr/bin/dpkg returned an error code (1)

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 23:03:19 +02:00
Nicolas Iooss
a7c9634eca
Add a policy module for WireGuard VPN
WireGuard is a fast, modern, secure VPN tunnel, according to
https://www.wireguard.com/. In order to install it, the mostly
documented way consists in building and installing an out-of-tree kernel
module and using userland tools to configure this module (wg and
wg-quick).

* WireGuard is like "ip": the userland tool communicates with the kernel
  module through a netlink socket.

* WireGuard is like "iptables": there is no daemon, but some
  distributions ship systemd units that restores a WireGuard
  configuration when started.

* WireGuard is like other services: its configuration files are in /etc,
  and it can use /run and /tmp.

Create a new policy module which handles all of this.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 22:20:40 +02:00
Nicolas Iooss
bfcf3918d8
systemd: allow systemd --user to receive messages from netlink_kobject_uevent_socket
When bringing up a Wireguard interface with "wg-quick up wg0" from a
sysadm_u:sysadm_r:sysadm_t session, "systemd --user" spams the logs
with this event repeated between 100 and 200 times per second:

    type=AVC msg=audit(1567798007.591:138076): avc:  denied  { read }
    for  pid=711 comm="systemd"
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tclass=netlink_kobject_uevent_socket permissive=0

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 21:49:22 +02:00
Nicolas Iooss
665782f797
irc: add WeeChat policy
WeeChat is an extensible IRC client: https://weechat.org/

* Label WeeChat program and configuration file like other IRC clients
* Allow WeeChat to create a pipe in ~/.weechat/weechat_fifo
* Allow WeeChat to read /proc/sys/crypto/fips_enabled
* Allow WeeChat to use a Unix datagram socket with its forked children
* Allow other accesses

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 19:16:24 +02:00
Nicolas Iooss
4b02c2230d
authlogin: label utempter correctly on Debian
When starting tmux on Debian, the following audit log appears:

    type=AVC msg=audit(1567781766.314:820): avc:  denied  {
    execute_no_trans } for  pid=6686 comm=746D75783A20736572766572
    path="/usr/lib/x86_64-linux-gnu/utempter/utempter" dev="vda1"
    ino=545302 scontext=sysadm_u:sysadm_r:sysadm_screen_t
    tcontext=system_u:object_r:lib_t tclass=file permissive=0

/usr/lib/x86_64-linux-gnu/utempter/utempter is indeed labeled as
system_u:object_r:lib_t, which is wrong.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:43:23 +02:00
Nicolas Iooss
de99bc36dd
apt: allow preventing shutdown by calling a systemd-logind D-Bus method
Since apt 1.8.1 (more precisely since commit
60cc44d160),
apt calls D-Bus method "Inhibit" of interface
"org.freedesktop.login1.Manager" in order to prevent a shutdown from
happening while installing software.

The call from apt to systemd-logind was already allowed through
unconfined_dbus_send(apt_t), but not the reply, which triggered the
following audit log:

    type=USER_AVC msg=audit(1567780304.196:651): pid=287 uid=105
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return
    dest=:1.137 spid=290 tpid=29557
    scontext=system_u:system_r:systemd_logind_t
    tcontext=sysadm_u:sysadm_r:apt_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:38:59 +02:00
Nicolas Iooss
4f5f923171
apt: allow transition from apt_t to dpkg_t with NNP
On a Debian 10 virtual machine, when running "apt-get update", the
following messages are logged to audit.log, several times:

    type=AVC msg=audit(1567717969.162:1639): avc:  denied  {
    nnp_transition } for  pid=5538 comm="apt-config"
    scontext=sysadm_u:sysadm_r:apt_t tcontext=sysadm_u:sysadm_r:dpkg_t
    tclass=process2 permissive=0

    type=SELINUX_ERR msg=audit(1567717969.162:1639):
    op=security_bounded_transition seresult=denied
    oldcontext=sysadm_u:sysadm_r:apt_t
    newcontext=sysadm_u:sysadm_r:dpkg_t

    type=SYSCALL msg=audit(1567717969.162:1639): arch=c000003e
    syscall=59 success=yes exit=0 a0=55ebb33d7780 a1=55ebb33ed610
    a2=7ffedd210980 a3=0 items=0 ppid=5537 pid=5538 auid=1000 uid=100
    gid=65534 euid=100 suid=100 fsuid=100 egid=65534 sgid=65534
    fsgid=65534 tty=(none) ses=45 comm="dpkg" exe="/usr/bin/dpkg"
    subj=sysadm_u:sysadm_r:apt_t key=(null)

    type=PROCTITLE msg=audit(1567717969.162:1639):
    proctitle=2F7573722F62696E2F64706B67002D2D7072696E742D666F726569676E2D61726368697465637475726573

According to strace, this occurs when sub-commands like "apt-config
shell MASTER_KEYRING APT::Key::MasterKeyring" execute
"/usr/bin/dpkg --print-foreign-architectures".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:36:25 +02:00
Nicolas Iooss
e399c7f642
Label programs in /usr/bin like /usr/sbin
Some recent modifications added patterns in .fc files for programs in
/usr/sbin without adding the patterns for /usr/bin. On Arch Linux, where
/usr/sbin is a symlink to /usr/bin, such patterns are never matched.

Add the missing patterns.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-04 22:28:09 +02:00
Nicolas Iooss
b8f2c55109
cups: use ([^/]+/)? to match a subdirectory of CUPS configuration
It seems that /opt/brother/Printers/ only has one level of directories
before a directory named "inf", according to several websites. For
example:

* https://www.linuxquestions.org/questions/slackware-14/trying-to-add-driver-for-brother-hl-l2300d-4175535636/
* https://forums.opensuse.org/showthread.php/531271-Brother-printer-driver-installs-but-can-t-print/page2

Modify the pattern for /opt/brother/Printers/${MODEL_NAME}/inf in order
to only allow at most one level, with "([^/]+/)?".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-04 20:57:07 +02:00
Chris PeBenito
51c4812c23 INSTALL: Fix build requirements.
Closes #85.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-03 19:47:48 -04:00
Chris PeBenito
5d636c2d16 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-03 19:47:12 -04:00
Chris PeBenito
9d80ada777 Merge pull request #78 from fishilico/debian-dynamic-motd 2019-09-03 19:44:13 -04:00
Chris PeBenito
2fa4070b60 Merge pull request #63 from fishilico/systemd-privatedev 2019-09-03 19:39:18 -04:00
Chris PeBenito
f907287428 Merge pull request #79 from fishilico/corecommands-no-backslash-d 2019-09-03 19:34:47 -04:00
Chris PeBenito
05e9bc96f3 Merge pull request #80 from fishilico/typo-libraries-fc 2019-09-03 19:34:16 -04:00
Chris PeBenito
57562d974a Merge pull request #81 from fishilico/unnecessary-paren-java-fc 2019-09-03 19:33:43 -04:00
Chris PeBenito
39fd1ed486 Merge pull request #83 from fishilico/vagrant-devel 2019-09-03 19:30:48 -04:00
Chris PeBenito
dadf53bd6e Merge pull request #84 from fishilico/systemd-timesyncd-networkd 2019-09-03 19:30:13 -04:00
Dominick Grift
3228c2b997 domain: unconfined access to bpf
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2019-09-03 19:25:41 -04:00
Nicolas Iooss
aa7e8d4091
ntp: allow systemd-timesyncd to read network status
systemd-timesyncd uses network_is_online() [1], which calls
sd_network_get_operational_state() [2], which reads
/run/systemd/netif/state [3]:

    r = parse_env_file(NULL, "/run/systemd/netif/state", "OPER_STATE", &s);

On a Debian virtual machine created with Vagrant,
/run/systemd/netif/state contains:

    # This is private data. Do not parse.
    OPER_STATE=routable
    DNS=192.168.121.1 172.28.128.1

systemd-timesyncd's access produces the following logs:

    type=AVC msg=audit(1567359197.660:323): avc:  denied  { read } for
    pid=230 comm="systemd-timesyn" name="state" dev="tmpfs" ino=24564
    scontext=system_u:system_r:ntpd_t
    tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
    permissive=1

    type=AVC msg=audit(1567359197.660:324): avc:  denied  { open } for
    pid=230 comm="systemd-timesyn" path="/run/systemd/netif/state"
    dev="tmpfs" ino=24564 scontext=system_u:system_r:ntpd_t
    tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
    permissive=1

    type=AVC msg=audit(1567359197.660:325): avc:  denied  { getattr }
    for  pid=230 comm="systemd-timesyn" path="/run/systemd/netif/state"
    dev="tmpfs" ino=24564 scontext=system_u:system_r:ntpd_t
    tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
    permissive=1

Allow these accesses.

[1] https://github.com/systemd/systemd/blob/v242/src/timesync/timesyncd.c#L158
[2] https://github.com/systemd/systemd/blob/v242/src/libsystemd/sd-network/network-util.c#L13
[3] https://github.com/systemd/systemd/blob/v242/src/libsystemd/sd-network/sd-network.c#L27

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 20:44:14 +02:00
Nicolas Iooss
82e7ff119f
Vagrantfile: add a Debian virtual machine
Configure a Debian 10 "buster" VM in order to use SELinux with
refpolicy.

This is useful in order to test refpolicy on a minimal Debian system,
for example to debug issues related to Debian patches such as the one
fixed in https://github.com/SELinuxProject/refpolicy/pull/78.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 18:58:29 +02:00
Nicolas Iooss
ea8a79e36a
Vagrantfile: build and install refpolicy on Fedora VM
Add provisioning commands that set-up refpolicy with the required build
configuration for Fedora.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 18:58:11 +02:00
Nicolas Iooss
e09bcff3d2
cups: add a slash to match /opt/brother/Printers/
The pattern /opt/brother/Printers(.*/)?inf(/.*)? matches the content of
directories such as /opt/brother/Printersinf/, which seems buggy. On
several systems, /opt/brother/Printers/ is a directory that contains
directories named as printer models.

Add a "/" before "(.*/)?" in order to make sure subdirectories of
/opt/brother/Printers named "inf" are matched by the pattern.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 16:07:41 +02:00