Chris PeBenito
ae2d2ec470
kernel, devices, plymouthd, xserver: Module version bump.
2019-04-23 18:37:22 -04:00
Dave Sugar
51aadce3c2
Changes to support plymouth working in enforcing
...
plymouth is started very early in the boot process. Looks
like before the SELinux policy is loaded so plymouthd is
running as kernel_t rather than plymouthd_t. Due to this
I needed to allow a few permissions on kernel_t to get
the system to boot.
type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-23 07:48:15 -04:00
Dave Sugar
2b42f0c13d
Allow xdm (lightdm) start plymouth
...
type=AVC msg=audit(1554917007.995:194): avc: denied { execute } for pid=7647 comm="lightdm" name="plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc: denied { read open } for pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc: denied { execute_no_trans } for pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc: denied { map } for pid=7647 comm="plymouth" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
2019-04-16 22:20:29 -04:00
Chris PeBenito
e2e4094bd4
various: Module version bump
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f
Add kernel_dgram_send() into logging_send_syslog_msg()
...
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito
e41def136a
xserver: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-14 14:20:55 -04:00
Chris PeBenito
2356eda7fc
Merge pull request #40 from gtrentalancia/master
2019-04-14 14:15:16 -04:00
Guido Trentalancia
db33386c01
The Qt library version 5 requires to write xserver_tmp_t
...
files upon starting up applications (tested on version
5.12.1).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.if | 3 +++
1 file changed, 3 insertions(+)
2019-04-12 17:52:50 +02:00
Chris PeBenito
32ce73f9b8
kernel: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-12 07:57:00 -04:00
Lukas Vrabec
ce570ab34d
Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
...
CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.
Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
2019-04-12 07:52:27 -04:00
Chris PeBenito
beb4a290b0
init: Module version bump.
2019-04-07 20:56:22 -04:00
Chris PeBenito
4c2f16bb26
Merge pull request #39 from pebenito/revise-init-stopstart
2019-04-07 20:54:40 -04:00
Chris PeBenito
b06126dca3
init: Revise conditions in init_startstop_service().
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-05 15:18:29 -04:00
Chris PeBenito
df696a3254
kernel, init, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:58:15 -04:00
Chris PeBenito
98c16077ba
Merge pull request #37 from pebenito/master
...
Misc system fixes.
Remove use of kernel_unconfined() by systemd_nspawn and udev write to its own executable.
2019-03-27 18:57:39 -04:00
Chris PeBenito
4f6614ba7f
ntp, init, lvm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:49:54 -04:00
Sugar, David
d3c4e19f72
Denial of cryptsetup reading cracklib database
...
When setting up a LUKS encrypted partition, cryptsetup is reading
the cracklib databases to ensure password strength. This is
allowing the needed access.
type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Sugar, David
7525ba9c1e
Allow ntpd to read unit files
...
Adding missing documenation (sorry about that).
type=AVC msg=audit(1553013917.359:9935): avc: denied { read } for pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9935): avc: denied { open } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9936): avc: denied { getattr } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013821.622:9902): avc: denied { getattr } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc: denied { read } for pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc: denied { open } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Chris PeBenito
32f3f09dc4
authlogin, dbus, ntp: Module version bump.
2019-03-24 14:43:35 -04:00
Sugar, David
142651a8b4
Resolve denial about logging to journal from dbus
...
type=AVC msg=audit(1553013821.597:9897): avc: denied { sendto } for pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Sugar, David
5f14e530ad
Resolve denial about logging to journal from chkpwd
...
type=AVC msg=audit(1553029357.588:513): avc: denied { sendto } for pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Sugar, David
9f2b1e2b4c
Allow ntpd to update timezone symlink
...
type=AVC msg=audit(1553013821.624:9907): avc: denied { create } for pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc: denied { rename } for pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc: denied { unlink } for pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Sugar, David
1b4ffb7806
Allow ntpd to update chronyd service
...
type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?
type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Sugar, David
a50afdcc84
Add interface ntp_dbus_chat
...
type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Chris PeBenito
e19f3d658c
init: Remove duplicate setenforce rule for init scripts.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:10:23 -04:00
Chris PeBenito
99f967d3b5
udev: Drop write by udev to its executable.
...
This removes one vector for arbitrary code execution if udev is
compromised.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:10:10 -04:00
Chris PeBenito
40bf663090
systemd: Drop unconfined kernel access for systemd_nspawn.
...
Revise kernel assertion to /proc/kmsg to be more precise.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:09:37 -04:00
Chris PeBenito
c46eba9c02
sysadm, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:27:34 -04:00
Chris PeBenito
ceadf42b75
udev: Move one line and remove a redundant line.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:25:28 -04:00
Chris PeBenito
2297487654
udev: Whitespace fix.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:25:03 -04:00
Sugar, David
ba31e59cd1
Separate out udevadm into a new domain
...
This is the update I have made based on suggestions for the previous
patches to add a udev_run interface. This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.
It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
I have granted the permisssions that I need based on denials I was
seeing during startup (the machine would fail to start without the
permisions).
2) In the udev.fc file there are other binaries that I don't have on a
RHEL7 box that maybe should also be labeled udevadm_exec_t.
e.g. /usr/bin/udevinfo and /usr/bin/udevsend
But as I don't have those binaries to test, I have not updated the
type of that binary.
3) There are some places that call udev_domtrans that maybe should now
be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
these are not things that I am using in my current situation and am
unable to test the interactions to know if the change is correct.
Other than that, I think this was a good suggestion to split udevadm
into a different domain.
Only change for v4 is to use stream_connect_pattern as suggested.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-17 16:15:21 -04:00
Chris PeBenito
60b8e08f4f
systemd, udev, usermanage: Module version bump.
2019-03-11 20:59:21 -04:00
Chris PeBenito
5260679657
usermanage: Move kernel_dgram_send(passwd_t) to systemd block.
2019-03-11 20:59:16 -04:00
Sugar, David
1cc0045642
Resolve denial while changing password
...
I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging. This resolves those denials.
type=AVC msg=audit(1552222811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:54:29 -04:00
Sugar, David
9d2b68e0ba
Allow additional map permission when reading hwdb
...
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.
type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Updated from previous to create a new interface.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:53:30 -04:00
Chris PeBenito
5fda529636
Remove incorrect comment about capability2:mac_admin.
2019-03-11 20:49:42 -04:00
Chris PeBenito
bb83a721cf
filesystem, cron, authlogin: Module version bump.
2019-03-07 19:02:57 -05:00
Sugar, David
3fd0d7df8b
Update cron use to pam interface
...
I'm seeing a many denials for cron related to faillog_t, lastlog_t
and wtmp_t. These are all due to the fact cron is using pam (and my
system is configured with pam_faillog). I have updated cron to use
auth_use_pam interface to grant needed permissions.
Additional change to allow systemd_logind dbus for cron.
I have included many of the denials I'm seeing, but there are probably
others I didn't capture.
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Sugar, David
4f8d21ea71
Add interface to allow relabeling of iso 9660 filesystems.
...
I have a case where I'm labeling media with my own types to control
access. But that is requiring that I relabel from iso9660_t to my
own type. This interface allows that relabel.
type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Chris PeBenito
712e6056d9
aide, clamav: Module version bump.
2019-02-26 19:21:27 -08:00
Sugar, David
59413b10b8
Allow AIDE to mmap files
...
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning. RHEL7 has set this option in the
aide rpm they distribute.
Changes made to add a tunable to enable permissions allowing
aide to map files that it needs. I have set the default to
false as this seems perfered (in my mind).
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
e5b8318420
Allow AIDE to read kernel sysctl_crypto_t
...
type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
2f063edd88
Allow AIDE to sendto kernel datagram socket
...
type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
c418d0e81d
Add interfaces to run freshclam
...
Currently freshclam can only be started from cron or init. This adds
the option of starting from a different process and optionally
transitioning or staying in the callers domain.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
899520233d
Allow freshclam to read sysctl_crypto_t
...
type=AVC msg=audit(1550894180.137:3099): avc: denied { search } for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { read } for pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { open } for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
2d105029d0
Fix incorrect type in clamav_enableddisable_clamd interface
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Chris PeBenito
e6dcad5002
systemd: Module version bump.
2019-02-24 08:19:27 -08:00
Nicolas Iooss
2fb15c8268
Update systemd-update-done policy
...
systemd-update-done sends logs to journald like other services, as shown
by the following AVC:
type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for
pid=277 comm="systemd-update-" path="/run/systemd/journal/socket"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1550865504.453:76): avc: denied { write } for
pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for
pid=277 comm="systemd-update-"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:systemd_update_done_t
tclass=unix_dgram_socket permissive=1
Moreover it creates /etc/.updated and /var/.updated using temporary
files:
type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate }
for pid=277 comm="systemd-update-"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:systemd_update_done_t tclass=process
permissive=1
type=AVC msg=audit(1550865504.463:84): avc: denied { read write
open } for pid=277 comm="systemd-update-"
path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=AVC msg=audit(1550865504.463:84): avc: denied { create } for
pid=277 comm="systemd-update-" name=".#.updatedTz6oE9"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
[...]
type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for
pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for
pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1"
ino=806171 scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 11:08:20 +01:00
Chris PeBenito
2623984b83
logging, selinuxutil: Module version bump.
2019-02-23 19:30:58 -08:00
Chris PeBenito
0805aaca8d
Merge branch 'restorecond-no-read-all' of git://github.com/fishilico/selinux-refpolicy
2019-02-23 18:43:02 -08:00