mechanism based on an authorization file which
is critical for X security.
For example, a common attack is to remove the
file in order to disable authorization.
At the moment permissions on such file and its
parent directory are shared with several other
modules that have nothing to do with XDMCP
authorization, therefore this patch strengthens
the file access policy by making it exclusive
to XDM and the X server (read-only).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.fc | 1 +
policy/modules/services/xserver.if | 33 +++++++++++++++++++++++++++++++++
policy/modules/services/xserver.te | 11 +++++++++++
3 files changed, 45 insertions(+)
X display manager domains which control whether
or not the respective domains allow the TCP/IP
server networking functionality.
The above mentioned booleans both default to false
as remote X11 has no integrity and confidentiality
protection and is generally insecure.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.te | 82 +++++++++++++++++++++++--------------
1 file changed, 52 insertions(+), 30 deletions(-)
Since the systemd --user for unconfined_t runs in unconfined_t too, instead
of a derived domain such as with regular users, e.g., user_systemd_t, this
is required.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
controls whether or not the dbus daemon can act
as a server over TCP/IP networks and defaults to
false, as this is generally insecure, except when
using the local loopback interface.
For reference, see the security warning in the
D-Bus specification:
https://dbus.freedesktop.org/doc/dbus-specification.html#transports-tcp-sockets
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.te | 31 ++++++++++++++++++++++---------
1 file changed, 22 insertions(+), 9 deletions(-)
two spamassassin rules updating SELinux domains
introduced in the previous change in order to reduce
the non-swappable kernel memory used by the policy.
This reduces complexity, but unfortunately it
probably also reduces an existing safety margin by
breaking the isolation between network-facing
binaries and binaries such as GPG that potentially
deal with secret information (at the moment there
is no "neverallow" rule protecting the gpg_secret_t
file access).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.if | 3 -
policy/modules/services/spamassassin.te | 56 ++++++--------------------------
2 files changed, 12 insertions(+), 47 deletions(-)
the rules updating script; this is achieved by employing
two distinct domains for increased security and network
isolation: a first domain is used for fetching the updated
rules from the network and a second domain is used for
verifying the GPG signatures of the received rules.
The rules update feature is now controlled by a boolean
for increased flexibility (it overrides the generic
networking boolean).
The specific file type for the spamassassin update feature
temporary files has been removed: just use spamd_tmp_t instead
of spamd_update_tmp_t and add a corresponding alias.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.if | 11 ++-
policy/modules/services/spamassassin.te | 100 +++++++++++++++++++++++++-------
2 files changed, 86 insertions(+), 25 deletions(-)
auditing search operations on files and directories that
are not strictly needed and might pose a security risk.
The new interfaces will be used in a forthcoming update to
allow fetching updates from the network for the spamassassin
rules and the fsdaemon drive database.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/gpg.if | 80 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
* Daemon to monitor memory pressure and notify applications and change kernel
OOM settings.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed the self dgram access to create_socket_perms
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Aug 28 19:01:43 localhost.localdomain audisp-syslog[1565]: node=localhost type=AVC msg=audit(1693249303.693:415): avc: denied { setpcap } for pid=1722 comm="rsyslogd" capability=8 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0
Aug 28 19:01:43 localhost.localdomain rsyslogd[1722]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
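The two syslog lines quoted in the commit message above, run through a small AVC-denial parser that derives the allow rule a policy fix would need (an added example in the spirit of audit2allow, not code from the refpolicy project). The log lines are embedded as a constructed sample copied from the message; the capability number 8 is CAP_SETPCAP in the Linux capability numbering.

```python
import re

# Constructed sample: the two syslog lines from the commit message above.
SAMPLE_LOG = """\
Aug 28 19:01:43 localhost.localdomain audisp-syslog[1565]: node=localhost type=AVC msg=audit(1693249303.693:415): avc: denied { setpcap } for pid=1722 comm="rsyslogd" capability=8 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0
Aug 28 19:01:43 localhost.localdomain rsyslogd[1722]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply
"""

# Matches the "avc: denied { perms } for key=value ..." part of an audit record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict of the AVC denial fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    # key=value pairs; quoted values (comm="rsyslogd") keep spaces, others run to whitespace
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def type_of(context):
    """Extract the type (third component) of a user:role:type:level context."""
    return context.split(":")[2]

def suggest_allow(rec):
    """Build the allow rule that would resolve the denial; source == target becomes 'self'."""
    src = type_of(rec["scontext"])
    tgt = type_of(rec["tcontext"])
    target = "self" if src == tgt else tgt
    return "allow %s %s:%s { %s };" % (src, target, rec["tclass"], " ".join(rec["perms"]))

def denials_to_rules(log_text):
    """Walk a syslog excerpt and return one allow rule per AVC denial found."""
    rules = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules.append(suggest_allow(rec))
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

For the rsyslogd denial this yields `allow syslogd_t self:capability { setpcap };`, which is the permission the libcap-ng bounding-set drop needs; the second line is not an AVC record and is skipped.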
transport agent configuration directories and files.
This interface will be used by a forthcoming update of the
rule updating feature of the spamassassin module.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/mta.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
Setting /etc/security/opasswd to shadow_t has some negative side
effects like the fact that pam_unix needs to read that. Once
pam_unix can read shadow_t that changes the behaviour of how
pam_unix uses unix_update to update the password. So, this
change defines the new type, shadow_history_t, for
/etc/security/opasswd.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
system bus, but also for the session bus (in addition
to connecting to them), so its policy module is
modified accordingly.
See also: https://github.com/SELinuxProject/refpolicy/pull/667
which was merged in the following commit:
b4cb09a38c
Date: Mon Sep 11 20:42:50 2023 +0200
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
to fetch new keys from the network.
Without this patch the following error is produced:
$ gpg --recv-keys EA3A87F0A4EBA030E45DF2409E8C1AFBBEFFDB32
gpg: error running '/usr/bin/dirmngr': exit status 1
gpg: failed to start dirmngr '/usr/bin/dirmngr': Generic error
gpg: can't connect to the dirmngr: Generic error
gpg: keyserver receive failed: dirmngr is not installed
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/apps/gpg.te | 2 ++
1 file changed, 2 insertions(+)
the newly created file label and interface needed
to manage the random seed file.
Add the sys_boot capability permission that was
missing in the shutdown domain in order to be
able to reboot/shutdown correctly.
Let the shutdown domain signal init and all other
domains.
Fix the shutdown executable file labels, as the
executable normally lives in /sbin.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/admin/shutdown.fc | 4 +++-
policy/modules/admin/shutdown.te | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
file saved before shutting down or rebooting the system
and rework the interface needed to manage such file.
Use the newly created interface to fix the init policy
and deprecate the old one in the kernel files module.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/files.if | 29 +++++++++++++++++++++++------
policy/modules/system/init.fc | 3 ++-
policy/modules/system/init.if | 24 ++++++++++++++++++++++++
policy/modules/system/init.te | 7 +++++--
4 files changed, 54 insertions(+), 9 deletions(-)
since it has now been moved to the xscreensaver domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/userdomain.if | 2 --
1 file changed, 2 deletions(-)
listening on and connecting to them), so its policy
module is modified accordingly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
fixed in the following previous commit:
3eef4bc6fd
Date: Sun Sep 3 17:40:30 2023 +0200
This time the bug is already effective in the
following modules: virt, firstboot, wine and
mono.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)