Add new required accesses for systemd-pcrphase and label the new
systemd-pcrextend under the same domain.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
As of systemd 255, services are no longer forked from PID 1 but instead
are spawned by a new systemd-executor helper binary. Label this binary
accordingly and add a rule for systemd user session domains to use it.
Closes: https://github.com/SELinuxProject/refpolicy/issues/732
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Dec 05 22:41:49 localhost.localdomain cockpit-tls[7887]: cockpit-tls: $RUNTIME_DIRECTORY environment variable must be set to a private directory
Dec 05 22:41:49 localhost.localdomain systemd[1]: cockpit.service: Main process exited, code=exited, status=1/FAILURE
Dec 05 22:41:49 localhost.localdomain systemd[1]: cockpit.service: Failed with result 'exit-code'.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
SELint version 1.5 emits issues for missing or unused declarations of
userspace classes:
init.te: 270: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
init.te: 312: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1116: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
init.te: 1124: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1132: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1136: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1137: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
unconfined.te: 64: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
systemd.te: 1250: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
systemd.te: 1377: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 56: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 157: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 297: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
kernel.te: 566: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
chromium.if: 139: (W): Class dbus is listed in require block but not used in interface (W-003)
init.if: 1192: (W): Class system is used in interface but not required (W-002)
init.if: 1210: (W): Class system is used in interface but not required (W-002)
init.if: 1228: (W): Class system is used in interface but not required (W-002)
init.if: 1246: (W): Class system is used in interface but not required (W-002)
init.if: 1264: (W): Class system is used in interface but not required (W-002)
init.if: 1282: (W): Class system is used in interface but not required (W-002)
init.if: 1300: (W): Class system is used in interface but not required (W-002)
init.if: 1318: (W): Class system is used in interface but not required (W-002)
init.if: 1393: (W): Class bpf is listed in require block but is not a userspace class (W-003)
unconfined.if: 34: (W): Class service is listed in require block but not used in interface (W-003)
systemd.if: 144: (W): Class system is used in interface but not required (W-002)
systemd.if: 159: (W): Class service is used in interface but not required (W-002)
systemd.if: 160: (W): Class service is used in interface but not required (W-002)
systemd.if: 413: (W): Class system is used in interface but not required (W-002)
systemd.if: 437: (W): Class system is used in interface but not required (W-002)
systemd.if: 461: (W): Class system is used in interface but not required (W-002)
postgresql.if: 31: (W): Class db_database is listed in require block but not used in interface (W-003)
postgresql.if: 37: (W): Class db_language is listed in require block but not used in interface (W-003)
postgresql.if: 465: (W): Class db_database is listed in require block but not used in interface (W-003)
postgresql.if: 471: (W): Class db_language is listed in require block but not used in interface (W-003)
xserver.if: 370: (W): Class x_property is listed in require block but not used in interface (W-003)
Found the following issue counts:
W-001: 14
W-002: 14
W-003: 8
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
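SELint's warning lines follow a fixed shape, so a report like the one quoted above can be checked by machine. The following Python example is added here by the editor; it is not part of the commit and not SELint's own code. It parses the quoted output, recounts W-001/W-002/W-003 per code, confirms the recount matches the "Found the following issue counts" block, and lists the (file, class) pairs that W-001/W-002 say need a require block or an interface call. The regexes are written against the line format shown in this message and assume that format; nothing else is taken from the project.

```python
import re
from collections import Counter

# The SELint 1.5 report quoted in the commit message above (copied, not constructed).
SELINT_OUTPUT = """\
init.te: 270: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
init.te: 312: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1116: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
init.te: 1124: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1132: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1136: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1137: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
unconfined.te: 64: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
systemd.te: 1250: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
systemd.te: 1377: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 56: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 157: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 297: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
kernel.te: 566: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
chromium.if: 139: (W): Class dbus is listed in require block but not used in interface (W-003)
init.if: 1192: (W): Class system is used in interface but not required (W-002)
init.if: 1210: (W): Class system is used in interface but not required (W-002)
init.if: 1228: (W): Class system is used in interface but not required (W-002)
init.if: 1246: (W): Class system is used in interface but not required (W-002)
init.if: 1264: (W): Class system is used in interface but not required (W-002)
init.if: 1282: (W): Class system is used in interface but not required (W-002)
init.if: 1300: (W): Class system is used in interface but not required (W-002)
init.if: 1318: (W): Class system is used in interface but not required (W-002)
init.if: 1393: (W): Class bpf is listed in require block but is not a userspace class (W-003)
unconfined.if: 34: (W): Class service is listed in require block but not used in interface (W-003)
systemd.if: 144: (W): Class system is used in interface but not required (W-002)
systemd.if: 159: (W): Class service is used in interface but not required (W-002)
systemd.if: 160: (W): Class service is used in interface but not required (W-002)
systemd.if: 413: (W): Class system is used in interface but not required (W-002)
systemd.if: 437: (W): Class system is used in interface but not required (W-002)
systemd.if: 461: (W): Class system is used in interface but not required (W-002)
postgresql.if: 31: (W): Class db_database is listed in require block but not used in interface (W-003)
postgresql.if: 37: (W): Class db_language is listed in require block but not used in interface (W-003)
postgresql.if: 465: (W): Class db_database is listed in require block but not used in interface (W-003)
postgresql.if: 471: (W): Class db_language is listed in require block but not used in interface (W-003)
xserver.if: 370: (W): Class x_property is listed in require block but not used in interface (W-003)
Found the following issue counts:
W-001: 14
W-002: 14
W-003: 8
"""

# One finding: "<file>: <line>: (<severity>): <message> (<code>)"
FINDING_RE = re.compile(
    r"^(?P<file>\S+): (?P<line>\d+): \((?P<severity>[A-Z])\): "
    r"(?P<message>.*?) \((?P<code>[A-Z]-\d{3})\)$"
)
SUMMARY_RE = re.compile(r"^(?P<code>[A-Z]-\d{3}): (?P<count>\d+)$")  # "W-001: 14"
CLASS_RE = re.compile(r"\b[Cc]lass (?P<cls>\w+)")  # "class system." / "Class dbus is ..."


def parse_selint(text):
    """Return (findings, reported): parsed finding dicts and SELint's own per-code counts."""
    findings, reported = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FINDING_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            c = CLASS_RE.search(rec["message"])
            rec["cls"] = c.group("cls") if c else None  # userspace class the finding is about
            findings.append(rec)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            reported[m.group("code")] = int(m.group("count"))
    return findings, reported


def count_by_code(findings):
    """Recount findings per issue code from the parsed records."""
    return Counter(rec["code"] for rec in findings)


def summary_matches(findings, reported):
    """True when the recount agrees with the 'Found the following issue counts' block."""
    return dict(count_by_code(findings)) == reported


def classes_needing_require(findings):
    """(file, class) pairs flagged W-001/W-002: the class is used without a require block."""
    return sorted({(r["file"], r["cls"]) for r in findings if r["code"] in ("W-001", "W-002")})
```

Running parse_selint on a fresh SELint run and feeding the result to classes_needing_require gives the list of policy files and userspace classes still missing a require block, which is the set this commit closes.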
As the name suggests, only grant the getattr permission in
init_getattr_generic_units_files().
Adjust the only caller to use init_read_generic_units_files() instead.
Reported-by: Laurent Bigonville
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Cilium is a Kubernetes CNI powered by BPF. Its daemon pods run as super
privileged containers which require various accesses in order to load
BPF programs and modify the host network.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
When adbd is started by the adb initscript, there is a command like:
mount -o uid=2000,gid=2000 -t functionfs adb /dev/usb-ffs/adb
which causes the denial below because of the lack of functionfs-related contexts.
avc: denied { mount } for pid=346 comm="mount" name="/"
dev="functionfs" ino=17700 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Signed-off-by: Kai Meng <quic_kmeng@quicinc.com>
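The denial above is the typical signature of a filesystem that has no labeling rule: the target context is unlabeled_t, so no allow rule on the source domain can be the right fix. The following Python example is added by the editor (it is not from the commit and not from any SELinux tool); it parses the quoted AVC record into fields and sorts it into a triage category. The second record and the category names are constructed for contrast and are not on the page.

```python
import re

# The denial quoted in the commit message above, joined onto one line (not constructed).
FUNCTIONFS_DENIAL = (
    'avc: denied { mount } for pid=346 comm="mount" name="/" dev="functionfs" ino=17700 '
    'scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 '
    'tclass=filesystem permissive=1'
)
# Constructed contrast case (hypothetical, not from the page): the target is properly
# labeled, so what is missing is an allow rule, not a labeling rule.
LABELED_DENIAL = (
    'avc: denied { read } for pid=4242 comm="example" name="config.conf" dev="dm-0" ino=99 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 '
    'tclass=file permissive=0'
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def parse_avc(line):
    """Parse one AVC record into a dict; return None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    for key in ("pid", "ino"):
        if key in rec:
            rec[key] = int(rec[key])
    # Pull the type (third field) out of user:role:type:level contexts.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    # permissive=1 means the access was logged but not actually blocked.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def classify(rec):
    """Triage category (names are constructed for this example)."""
    if rec is None:
        return "not-avc"
    if rec.get("tcontext_type") == "unlabeled_t":
        # A whole filesystem showing up as unlabeled_t means the policy has no
        # labeling rule (genfscon/fs_use) for that fs type; adding contexts for
        # it is the fix, which is what this commit does for functionfs.
        if rec.get("tclass") == "filesystem" and rec.get("dev"):
            return "unlabeled-filesystem"
        return "unlabeled-object"
    return "missing-allow"


def triage(lines):
    """Map each log line to (category, device, target type) for quick review."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        out.append((classify(rec), rec.get("dev") if rec else None,
                    rec.get("tcontext_type") if rec else None))
    return out
```

Feeding journal or audit.log lines through triage separates the records that need labeling work (unlabeled-filesystem, unlabeled-object) from those that need an allow rule, which keeps a policy author from "fixing" a missing context by allowing access to unlabeled_t.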
* Set context for /run/cryptsetup created by systemd-cryptsetup.
* Remove duplicate line 'fs_getattr_cgroup(lvm_t)'.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Avoid relabel loops if the helper binaries are hardlinked:
$ restorecon -vRF -T0 /usr/libexec/
Relabeled /usr/libexec/git-core/git from system_u:object_r:git_exec_t to system_u:object_r:bin_t
Relabeled /usr/libexec/git-core/git-rev-parse from system_u:object_r:bin_t to system_u:object_r:git_exec_t
Relabeled /usr/libexec/git-core/git-fsmonitor--daemon from system_u:object_r:bin_t to system_u:object_r:git_exec_t
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
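The loop in the restorecon output happens because hardlinked paths share one inode and therefore one label, while file-context rules match per path: each pass relabels the inode to whatever the last path it visited resolves to. The following Python example is added by the editor and is not refpolicy code. It checks a set of fc rules against an inode table and reports inodes whose hardlinks resolve to different types. The fc rules, paths and inode numbers are hypothetical (they only mirror the layout in the log above), the inode table stands in for os.stat(), and the rule-ordering logic is a simplified approximation of how setfiles chooses the most specific entry (longest literal prefix wins).

```python
import re
from collections import defaultdict

# Constructed, hypothetical fc rules (not the refpolicy git module's real entries): a broad
# rule labels everything in git-core bin_t while a narrower one labels git itself git_exec_t.
FC_CONFLICTING = """\
/usr/libexec/git-core/.*   --  gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git  --  gen_context(system_u:object_r:git_exec_t,s0)
"""
# Hypothetical consistent variant: every hardlink of git resolves to the same type.
FC_CONSISTENT = """\
/usr/libexec/git-core/git(-[^/]+)?  --  gen_context(system_u:object_r:git_exec_t,s0)
"""
# Constructed stand-in for os.stat(): the helpers share git's inode (hardlinks),
# while git-daemon is a separate file.
INODES = {
    "/usr/libexec/git-core/git": 1001,
    "/usr/libexec/git-core/git-rev-parse": 1001,
    "/usr/libexec/git-core/git-fsmonitor--daemon": 1001,
    "/usr/libexec/git-core/git-daemon": 1002,
}

FC_LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?(?P<ctx>\S+)$")
REGEX_META = set(".*?+[](){}|^$\\")


def literal_prefix(pattern):
    """Leading part of an fc regex with no metacharacters (the 'stem')."""
    out = []
    for ch in pattern:
        if ch in REGEX_META:
            break
        out.append(ch)
    return "".join(out)


def parse_fc(text):
    """Parse fc lines into rules: compiled regex, file-type flag, type, stem."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = FC_LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable fc line: {raw!r}")
        t = re.search(r"object_r:(\w+)", m.group("ctx"))  # None for <<none>>
        rules.append({
            "regex": re.compile(m.group("path")),
            "ftype": m.group("ftype"),
            "type": t.group(1) if t else None,
            "stem": literal_prefix(m.group("path")),
            "has_meta": literal_prefix(m.group("path")) != m.group("path"),
        })
    return rules


def label_for(rules, path):
    """Type the path would get: most specific matching rule (longest stem, literal over regex).
    Simplified model of setfiles ordering; the ftype flag is ignored here."""
    hits = [r for r in rules if r["regex"].fullmatch(path)]
    if not hits:
        return None
    best = max(hits, key=lambda r: (len(r["stem"]), not r["has_meta"]))
    return best["type"]


def find_hardlink_conflicts(rules, inodes):
    """{inode: {path: type}} for inodes whose hardlinked paths resolve to different types."""
    groups = defaultdict(list)
    for path, ino in inodes.items():
        groups[ino].append(path)
    conflicts = {}
    for ino, paths in groups.items():
        if len(paths) < 2:
            continue  # a single link cannot flip-flop
        labels = {p: label_for(rules, p) for p in paths}
        if len(set(labels.values())) > 1:
            conflicts[ino] = labels
    return conflicts
```

On a real system the inode table would come from os.stat() over the directory tree (st_nlink > 1 marks the candidates) and the rules from the compiled file_contexts; any inode the check reports will be relabeled differently on every restorecon pass until its rules agree.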
If gluster ever experiences data corruption on its underlying bricks, a
situation may arise where the corrupted files have bad or missing
xattrs and are therefore presented as unlabeled to SELinux. Gluster will
then be unable to repair these files until the access is allowed or the
user manually relabels these files.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
https://github.com/SELinuxProject/refpolicy/issues/735
This patch extends the fix for a serious Information
Disclosure vulnerability caused by the erroneous labeling
of TLS Private Keys and CSR.
See: commit 5c9038ec98
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/miscfiles.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
and CSR used for example by the HTTP and/or Mail
Transport daemons.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/certmonger.te | 3 +++
1 file changed, 3 insertions(+)
Apache HTTP server according to the default locations:
http://www.apache.com/how-to-setup-an-ssl-certificate-on-apache
Add the correct TLS Private Keys file label for Debian
systems.
This patch fixes a serious Information Disclosure
vulnerability caused by the erroneous labeling of
TLS Private Keys and CSR, as explained above.
See: https://github.com/SELinuxProject/refpolicy/issues/735
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/miscfiles.fc | 3 +++
1 file changed, 3 insertions(+)
files, not manage them.
Modify the init policy to match the comment and the
LDAP server's actual behavior.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)