nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7,205 Commits 1 Branch 0 Tags 16 MiB
Commit Graph

7205 Commits

Author SHA1 Message Date
Dmitry Sharshakov a6cf207363
filesystem, devices: move gadgetfs to usbfs_t 
It is a USB Gadget config pseudo-FS, not a network nor distributed FS

Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
 2024-07-20 20:37:47 +03:00
Chris PeBenito 1b11d94cd7
Merge pull request #792 from yizhao1/systemd 
systemd: make xdg optional
 2024-07-12 08:28:35 -04:00
Yi Zhao 75492f95f7 systemd: make xdg optional 
Make xdg optional to avoid a potential build error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2024-07-12 19:23:06 +08:00
Chris PeBenito 302e66507a
Merge pull request #794 from 0xC0ncord/main 
systemd: allow logind to use locallogin pidfds
 2024-07-10 10:19:43 -04:00
Chris PeBenito b65469f826
Merge pull request #793 from 0xC0ncord/sshd-session 
sshd: label sshd-session as sshd_exec_t
 2024-07-10 10:19:15 -04:00
Kenton Groombridge 097d688ff8 sshd: label sshd-session as sshd_exec_t 
OpenSSH 9.8 splits out much of the session code from the main sshd
binary into a new sshd-session binary. Allow the sshd server to execute
this binary by labeling it as sshd_exec_t.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-07-05 14:47:47 -04:00
Chris PeBenito 6cacc4871a
Merge pull request #791 from pebenito/quic_nakella-bluetoothctl 
Setting bluetooth helper domain for bluetoothctl
 2024-07-01 15:24:37 -04:00
Chris PeBenito b3c272d6ac
Merge pull request #790 from pebenito/quic_rbujala-pulseaudio 
Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
 2024-07-01 15:17:54 -04:00
Chris PeBenito 73c2c68ee7
Merge pull request #789 from yizhao1/update 
userdomain: allow administrative user to get attributes of shadow his…
 2024-07-01 15:12:24 -04:00
Naga Bhavani Akella b57b6005c5 Setting bluetooth helper domain for bluetoothctl 
Required for fixing the below avc denials -

    1. audit: type=1400 audit(1651238006.276:496):
    avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
    path="socket:[43207]" dev="sockfs" ino=43207
    scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
    tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
    tclass=unix_stream_socket permissive=1
    2. audit: type=1400 audit(1651238006.276:497):
    avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
    path="socket:[43207]" dev="sockfs" ino=43207
    scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
    tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
    tclass=unix_stream_socket permissive=1
    3. audit: type=1400 audit(1651238006.272:495):
    avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
    path="socket:[43207]" dev="sockfs" ino=43207
    scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
    tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
    tclass=unix_stream_socket permissive=1
    4. audit[1894]: AVC avc:  denied  { read write } for  pid=1894
    comm="bluetoothctl" path="/dev/pts/0" dev="devpts" ino=3
    scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
    tcontext=system_u:object_r:initrc_devpts_t:s0
    tclass=chr_file permissive=0
    5. audit[2022]: AVC avc:  denied  { use } for  pid=2022
    comm="bluetoothctl" path="socket:[25769]" dev="sockfs" ino=25769
    scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
    tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
    tclass=fd permissive=0
    6. audit[2006]: AVC avc:  denied  { read write } for  pid=2006
    comm="bluetoothctl" path="socket:[21106]" dev="sockfs" ino=21106
    scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
    tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
    tclass=unix_stream_socket permissive=0

    Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
 2024-07-01 14:48:07 -04:00
Raghavender Reddy Bujala 30f451d6a4 Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets. 
pulseaudio uses bluetooth sockets for HFP-AG and
HSP-HS profile to do SLC and SCO connection with
remote.

avc:  denied  { create } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { bind } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { listen } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { accept } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { getopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { setopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { read } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { write } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { shutdown } for  pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { connect } for  pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>
 2024-07-01 14:46:40 -04:00
Kenton Groombridge 7037c341fb systemd: allow logind to use locallogin pidfds 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-07-01 09:42:33 -04:00
Yi Zhao 5f7f494d19 userdomain: allow administrative user to get attributes of shadow history file 
Before the patch:
root@qemux86-64:~# ls -lZ /etc/security/opasswd
-?????????? ? ?    ?    ?                                    ?  ? /etc/security/opasswd

After the patch:
root@qemux86-64:~# ls -lZ /etc/security/opasswd
-rw-------. 1 root root user_u:object_r:shadow_history_t 237 Jun 30 12:03 /etc/security/opasswd

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2024-06-30 22:27:12 +08:00
Chris PeBenito 7c797909a2
Merge pull request #787 from 0xC0ncord/various/20240515 
Various fixes
 2024-06-28 13:25:54 -04:00
Kenton Groombridge 0126cb1e66 node_exporter: allow reading RPC sysctls 
For NFS mounts.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 12:21:42 -04:00
Kenton Groombridge 9c90f9f7d9 asterisk: allow reading certbot lib 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 12:21:42 -04:00
Kenton Groombridge bfcaec9bab postfix: allow postfix pipe to watch mail spool 
type=AVC msg=audit(1719451104.395:18364): avc:  denied  { watch } for  pid=288883 comm="deliver" path="/var/spool/mail/domains/concord.sh/me@concord.sh/mail/dovecot-uidlist.lock" dev="dm-0" ino=17638966 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 12:21:42 -04:00
Kenton Groombridge 06a80c3d8a netutils: allow ping to read net sysctls 
ping will check whether IPv6 is disabled.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 12:21:42 -04:00
Kenton Groombridge 2e0509c9e7 node_exporter: allow reading localization 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 12:21:42 -04:00
Kenton Groombridge 50a8cddd10 container: allow containers to execute tmpfs files 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 12:21:41 -04:00
Chris PeBenito ae71af8b4f
Merge pull request #786 from 0xC0ncord/haproxy 
Initial policy for haproxy
 2024-06-28 11:34:45 -04:00
Chris PeBenito 790ab4ee96
Merge pull request #788 from freedom1b2830/main 
C-005 Cleanup (Reorder perms and classes)(rebased)
 2024-06-28 10:51:32 -04:00
Kenton Groombridge 09a747a16d sysadm: make haproxy admin 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:52:40 -04:00
Kenton Groombridge c8c3ae2cba haproxy: initial policy 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:52:37 -04:00
Kenton Groombridge 4e97f87cee init: use pidfds from local login 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:36:57 -04:00
Kenton Groombridge 7fd9032d88 dbus, init: add interface for pidfd usage 
Commit 4e7511f4a previously added access for init to use DBUS system bus
file descriptors while the intended access was for pidfds. Add an
interface for pidfd usage so that when pidfds are eventually handled
separately from regular fds, this interface can be adjusted.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:36:57 -04:00
Kenton Groombridge a6d6921a9c asterisk: allow watching spool dirs 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:36:57 -04:00
Kenton Groombridge 72c1d912ff su, sudo: allow sudo to signal all su domains 
sudo sends a SIGWINCH to child processes when invoked. If an
administrator uses sudo in the fashion of "sudo su - root", sudo will
send a signal to the corresponding su process.

type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(1715721229.386:293930): avc:  denied  { signal } for  pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:36:57 -04:00
Kenton Groombridge 8b31782480 sudo: allow systemd-logind to read cgroup state of sudo 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:36:57 -04:00
Kenton Groombridge 871f0b0dd7 postfix: allow smtpd to mmap SASL keytab files 
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:36:57 -04:00
Kenton Groombridge 578375480d sysnetwork: allow ifconfig to read usr files 
ip wants to read files in /usr/share/iproute2.

type=AVC msg=audit(1715785441.968:297208): avc:  denied  { read } for  pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:36:57 -04:00
Kenton Groombridge 6916e9b20c systemd: allow systemd-logind to use sshd pidfds 
This is to avoid a long timeout in pam_systemd when logging on. This is
the second half of the fix described in
ddc6ac493c.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
 2024-06-28 09:36:57 -04:00
freedom1b2830 96ebb7c4e0
Reorder perms and classes 
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
 2024-06-28 05:37:18 +00:00
Chris PeBenito eca307c232
Merge pull request #785 from pebenito/sediff 
tests.yml: Add policy diff on PRs.
 2024-06-27 09:59:38 -04:00
Chris PeBenito cb68df0873 tests.yml: Add policy diff on PRs. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2024-06-27 09:32:25 -04:00
Chris PeBenito 99258825ce tests.yml: Divide into reusable workflows. 
Keep artifacts from each to allow analysis when there are failures.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2024-06-27 09:31:38 -04:00
freedom1b2830 1e4b689301
Reorder perms and classes 
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
 2024-06-16 15:41:05 +00:00
Chris PeBenito 04eca2fa9b
Merge pull request #770 from pebenito/systemd-analyze 
Misc fixes
 2024-06-06 12:07:27 -04:00
Chris PeBenito c920fc5d9e
Merge pull request #781 from yizhao1/selinuxutil 
selinuxutil: make policykit optional
 2024-06-05 19:48:02 -04:00
Chris PeBenito c963ddfae0
Merge pull request #782 from pebenito/quic_amisjain-bt-uhid 
Sepolicy changes for bluez to access uhid
 2024-06-05 19:42:16 -04:00
Chris PeBenito 2102055d4d devices: Change dev_rw_uhid() to use a policy pattern. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2024-06-05 15:26:56 -04:00
Chris PeBenito 1cbe455a5e device: Move dev_rw_uhid definition. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2024-06-05 15:25:24 -04:00
Amisha Jain 7a33b4bc87 Sepolicy changes for bluez to access uhid 
Resolve selinux premission for HID

Below avc denials that are fixed with this patch -

avc:  denied  { read write } for  pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Amisha Jain <quic_amisjain@quicinc.com>
 2024-06-05 14:50:39 -04:00
Yi Zhao c6dd4087de selinuxutil: make policykit optional 
Make policykit optional to avoid a potential build error.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2024-06-05 10:52:34 +08:00
Chris PeBenito d53aa53110
Merge pull request #779 from yizhao1/fixes 
Fixes for dhcpcd and newrole
 2024-06-04 10:05:54 -04:00
Chris PeBenito 50a1ee7e9c
Merge pull request #780 from pebenito/quic_nakella-gatt 
Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
 2024-06-04 09:54:45 -04:00
Yi Zhao 10feb47e55 newrole: allow newrole to search faillock runtime directory 
Allow newrole to search the /run/faillock directory, otherwise the
faillock mechanism will not work for neworle.

Before the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root

After the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole  -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
The account is locked due to 3 failed logins.
(1 minute left to unlock)
Password:

Fixes:
avc: denied { search } for pid=508 comm="newrole" name="faillock"
dev="tmpfs" ino=582 scontext=root:sysadm_r:newrole_t:s0-s15:c0.c1023
tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2024-06-04 21:18:58 +08:00
Yi Zhao bf34d3e5e8 sysnetwork: fixes for dhcpcd 
Allow dhcpcd to create netlink socket and read files under /run/udev/.

Fixes:
avc: denied { search } for pid=393 comm="dhcpcd" name="udev" dev="tmpfs"
ino=49 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=1

avc: denied { create } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { getopt } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { setopt } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { bind } for  pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { getattr } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

avc: denied { read } for  pid=393 comm="dhcpcd" name="n1" dev="tmpfs"
ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1

avc: denied { open } for pid=393 comm="dhcpcd" path="/run/udev/data/n1"
dev="tmpfs" ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1

avc: denied { getattr } for pid=393 comm="dhcpcd"
path="/run/udev/data/n1" dev="tmpfs" ino=222
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2024-06-04 21:12:36 +08:00
Naga Bhavani Akella 4663e613f0 Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets. 
Required for using acquire-notify, acquire-write options (Gatt Client)
and Sending notifications (Gatt Server)

Below are the avc denials that are fixed with this patch -

1. audit: type=1400 audit(315966559.395:444):
avc:  denied  { use } for  pid=710 comm="dbus-daemon"
path="socket:[13196]" dev="sockfs" ino=13196
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
2. audit: type=1400 audit(315999854.939:523):
avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
path="socket:[99469]" dev="sockfs" ino=99469
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=bluetooth_socket permissive=1

Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2024-06-04 09:08:18 -04:00
Chris PeBenito af26e63697
Merge pull request #778 from 0xC0ncord/various-20240506 
Various fixes
 2024-05-13 08:38:14 -04:00