Commit Graph

3198 Commits

Author SHA1 Message Date
Chris PeBenito
ae2d2ec470 kernel, devices, plymouthd, xserver: Module version bump. 2019-04-23 18:37:22 -04:00
Dave Sugar
51aadce3c2 Changes to support plymouth working in enforcing
plymouth is started very early in the boot process.  Looks
like before the SELinux policy is loaded so plymouthd is
running as kernel_t rather than plymouthd_t.  Due to this
I needed to allow a few permissions on kernel_t to get
the system to boot.

type=AVC msg=audit(1554917011.127:225): avc:  denied  { write } for  pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:226): avc:  denied  { remove_name } for  pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:227): avc:  denied  { unlink } for  pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1

type=AVC msg=audit(1554917011.116:224): avc:  denied  { write } for  pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1

type=AVC msg=audit(1555069712.938:237): avc:  denied  { ioctl } for  pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-23 07:48:15 -04:00
Dave Sugar
2b42f0c13d Allow xdm (lightdm) start plymouth
type=AVC msg=audit(1554917007.995:194): avc:  denied  { execute } for  pid=7647 comm="lightdm" name="plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc:  denied  { read open } for  pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc:  denied  { execute_no_trans } for  pid=7647 comm="lightdm" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917007.995:194): avc:  denied  { map } for  pid=7647 comm="plymouth" path="/usr/bin/plymouth" dev="dm-1" ino=6508817 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouth_exec_t:s0 tclass=file permissive=1
2019-04-16 22:20:29 -04:00
Chris PeBenito
e2e4094bd4 various: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f Add kernel_dgram_send() into logging_send_syslog_msg()
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito
e41def136a xserver: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-14 14:20:55 -04:00
Chris PeBenito
2356eda7fc Merge pull request #40 from gtrentalancia/master 2019-04-14 14:15:16 -04:00
Guido Trentalancia
db33386c01 The Qt library version 5 requires to write xserver_tmp_t
files upon starting up applications (tested on version
5.12.1).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    3 +++
 1 file changed, 3 insertions(+)
2019-04-12 17:52:50 +02:00
Chris PeBenito
32ce73f9b8 kernel: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-12 07:57:00 -04:00
Lukas Vrabec
ce570ab34d Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.

Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
2019-04-12 07:52:27 -04:00
Chris PeBenito
beb4a290b0 init: Module version bump. 2019-04-07 20:56:22 -04:00
Chris PeBenito
4c2f16bb26 Merge pull request #39 from pebenito/revise-init-stopstart 2019-04-07 20:54:40 -04:00
Chris PeBenito
b06126dca3 init: Revise conditions in init_startstop_service().
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-05 15:18:29 -04:00
Chris PeBenito
df696a3254 kernel, init, systemd, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:58:15 -04:00
Chris PeBenito
98c16077ba Merge pull request #37 from pebenito/master
Misc system fixes.

Remove use of kernel_unconfined() by systemd_nspawn and udev write to its own executable.
2019-03-27 18:57:39 -04:00
Chris PeBenito
4f6614ba7f ntp, init, lvm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:49:54 -04:00
Sugar, David
d3c4e19f72 Denial of cryptsetup reading cracklib database
When setting up a LUKS encrypted partition, cryptsetup is reading
the cracklib databases to ensure password strength.  This is
allowing the needed access.

type=AVC msg=audit(1553216939.261:2652): avc:  denied  { search } for  pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc:  denied  { read } for  pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc:  denied  { open } for  pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc:  denied  { getattr } for  pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Sugar, David
7525ba9c1e Allow ntpd to read unit files
Adding missing documenation (sorry about that).

type=AVC msg=audit(1553013917.359:9935): avc:  denied  { read } for  pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9935): avc:  denied  { open } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9936): avc:  denied  { getattr } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1

type=AVC msg=audit(1553013821.622:9902): avc:  denied  { getattr } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc:  denied  { read } for  pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc:  denied  { open } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Chris PeBenito
32f3f09dc4 authlogin, dbus, ntp: Module version bump. 2019-03-24 14:43:35 -04:00
Sugar, David
142651a8b4 Resolve denial about logging to journal from dbus
type=AVC msg=audit(1553013821.597:9897): avc:  denied  { sendto } for  pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Sugar, David
5f14e530ad Resolve denial about logging to journal from chkpwd
type=AVC msg=audit(1553029357.588:513): avc:  denied  { sendto } for  pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Sugar, David
9f2b1e2b4c Allow ntpd to update timezone symlink
type=AVC msg=audit(1553013821.624:9907): avc:  denied  { create } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc:  denied  { rename } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc:  denied  { unlink } for  pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Sugar, David
1b4ffb7806 Allow ntpd to update chronyd service
type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?
type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Sugar, David
a50afdcc84 Add interface ntp_dbus_chat
type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Chris PeBenito
e19f3d658c init: Remove duplicate setenforce rule for init scripts.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:10:23 -04:00
Chris PeBenito
99f967d3b5 udev: Drop write by udev to its executable.
This removes one vector for arbitrary code execution if udev is
compromised.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:10:10 -04:00
Chris PeBenito
40bf663090 systemd: Drop unconfined kernel access for systemd_nspawn.
Revise kernel assertion to /proc/kmsg to be more precise.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:09:37 -04:00
Chris PeBenito
c46eba9c02 sysadm, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:27:34 -04:00
Chris PeBenito
ceadf42b75 udev: Move one line and remove a redundant line.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:25:28 -04:00
Chris PeBenito
2297487654 udev: Whitespace fix.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:25:03 -04:00
Sugar, David
ba31e59cd1 Separate out udevadm into a new domain
This is the update I have made based on suggestions for the previous
patches to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permisssions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permisions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo and /usr/bin/udevsend
   But as I don't have those binaries to test, I have not updated the
   type of that binary.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm
into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-17 16:15:21 -04:00
Chris PeBenito
60b8e08f4f systemd, udev, usermanage: Module version bump. 2019-03-11 20:59:21 -04:00
Chris PeBenito
5260679657 usermanage: Move kernel_dgram_send(passwd_t) to systemd block. 2019-03-11 20:59:16 -04:00
Sugar, David
1cc0045642 Resolve denial while changing password
I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging.  This resolves those denials.

type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:54:29 -04:00
Sugar, David
9d2b68e0ba Allow additional map permission when reading hwdb
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.

type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Updated from previous to create a new interface.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:53:30 -04:00
Chris PeBenito
5fda529636 Remove incorrect comment about capability2:mac_admin. 2019-03-11 20:49:42 -04:00
Chris PeBenito
bb83a721cf filesystem, cron, authlogin: Module version bump. 2019-03-07 19:02:57 -05:00
Sugar, David
3fd0d7df8b Update cron use to pam interface
I'm seeing a many denials for cron related to faillog_t, lastlog_t
and wtmp_t.  These are all due to the fact cron is using pam (and my
system is configured with pam_faillog).  I have updated cron to use
auth_use_pam interface to grant needed permissions.

Additional change to allow systemd_logind dbus for cron.

I have included many of the denials I'm seeing, but there are probably
others I didn't capture.

type=AVC msg=audit(1551411001.389:1281): avc:  denied  { read write } for  pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc:  denied  { lock } for  pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { write } for  pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc:  denied  { open } for  pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc:  denied  { getattr } for  pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { read write } for  pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc:  denied  { open } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc:  denied  { lock } for  pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Sugar, David
4f8d21ea71 Add interface to allow relabeling of iso 9660 filesystems.
I have a case where I'm labeling media with my own types to control
access.  But that is requiring that I relabel from iso9660_t to my
own type.  This interface allows that relabel.

type=AVC msg=audit(1551621984.372:919): avc:  denied  { relabelfrom } for  pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Chris PeBenito
712e6056d9 aide, clamav: Module version bump. 2019-02-26 19:21:27 -08:00
Sugar, David
59413b10b8 Allow AIDE to mmap files
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning.  RHEL7 has set this option in the
aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing
aide to map files that it needs.  I have set the default to
false as this seems perfered (in my mind).

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
e5b8318420 Allow AIDE to read kernel sysctl_crypto_t
type=AVC msg=audit(1550799594.212:164): avc:  denied  { search } for  pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { read } for  pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { open } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc:  denied  { getattr } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
2f063edd88 Allow AIDE to sendto kernel datagram socket
type=AVC msg=audit(1550799594.394:205): avc:  denied  { sendto } for  pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
c418d0e81d Add interfaces to run freshclam
Currently freshclam can only be started from cron or init.  This adds
the option of starting from a different process and optionally
transitioning or staying in the callers domain.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
899520233d Allow freshclam to read sysctl_crypto_t
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { search } for  pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { read } for  pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { open } for  pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
2d105029d0 Fix incorrect type in clamav_enableddisable_clamd interface
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Chris PeBenito
e6dcad5002 systemd: Module version bump. 2019-02-24 08:19:27 -08:00
Nicolas Iooss
2fb15c8268
Update systemd-update-done policy
systemd-update-done sends logs to journald like other services, as shown
by the following AVC:

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { sendto } for
    pid=277 comm="systemd-update-" path="/run/systemd/journal/socket"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
    permissive=1

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { write } for
    pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1

    type=AVC msg=audit(1550865504.453:76): avc:  denied  { connect } for
    pid=277 comm="systemd-update-"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:systemd_update_done_t
    tclass=unix_dgram_socket permissive=1

Moreover it creates /etc/.updated and /var/.updated using temporary
files:

    type=AVC msg=audit(1550865504.463:83): avc:  denied  { setfscreate }
    for  pid=277 comm="systemd-update-"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:system_r:systemd_update_done_t tclass=process
    permissive=1

    type=AVC msg=audit(1550865504.463:84): avc:  denied  { read write
    open } for  pid=277 comm="systemd-update-"
    path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    type=AVC msg=audit(1550865504.463:84): avc:  denied  { create } for
    pid=277 comm="systemd-update-" name=".#.updatedTz6oE9"
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    [...]

    type=AVC msg=audit(1550865504.463:87): avc:  denied  { unlink } for
    pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017
    scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1

    type=AVC msg=audit(1550865504.463:87): avc:  denied  { rename } for
    pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1"
    ino=806171 scontext=system_u:system_r:systemd_update_done_t
    tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 11:08:20 +01:00
Chris PeBenito
2623984b83 logging, selinuxutil: Module version bump. 2019-02-23 19:30:58 -08:00
Chris PeBenito
0805aaca8d Merge branch 'restorecond-no-read-all' of git://github.com/fishilico/selinux-refpolicy 2019-02-23 18:43:02 -08:00