Commit Graph

4282 Commits

Author SHA1 Message Date
Chris PeBenito 187019a615 Module version bump for various patches from Guido Trentalancia. 2016-08-14 14:58:57 -04:00
Chris PeBenito 19b84c95b1 Remove redundant libs_read_lib_files() for ifconfig_t. 2016-08-14 14:52:32 -04:00
Chris PeBenito 6caa443d18 Ifconfig should be able to read firmware files in /lib (i.e. some network
cards need to load their firmware) and it should not audit attempts
to load kernel modules directly.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:52:07 -04:00
Chris PeBenito 5481c1cc84 Update the sysnetwork module to add some permissions needed by
the dhcp client (another separate patch makes changes to the
ifconfig part).

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:51:42 -04:00
Chris PeBenito 9e0566104a Update alsa module use from Guido Trentalancia. 2016-08-14 14:34:19 -04:00
Chris PeBenito 2bfcba6624 Allow the system user domains to chat over dbus with a few other
domains (e.g. gnome session).

Thanks to Jason Zaman for pointing out the correct interface to
achieve this.

This new version fixes a typographic error in the previous version.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-14 14:12:50 -04:00
Chris PeBenito bfa6cc8bf5 Update contrib. 2016-08-13 10:51:41 -04:00
Guido Trentalancia d932d7349d Add module_load permission to class system
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission can be used to create SELinux policies.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-13 08:26:30 -04:00
Chris PeBenito 1f4b280519 corenetwork: Missed version bump for previous commit. 2016-08-07 16:07:35 -04:00
Chris PeBenito ae0ba583d3 corenetwork: Add port labeling for Global Catalog over LDAPS. 2016-08-07 14:46:42 -04:00
Chris PeBenito 71a425fdcd Systemd units from Russell Coker. 2016-08-06 19:14:18 -04:00
Russell Coker a4b8f773c1 getattr on unlabeled blk devs
The following has been in my tree for a few years.  It allows initrc_t to stat
devices early in the boot process.

>From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
 (device_t) early on boot, soon later the node context is properly reset
 (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2016-08-06 15:57:52 -04:00
Chris PeBenito 493070a95b Update contrib. 2016-08-02 20:32:25 -04:00
Chris PeBenito 87c82aa865 libraries: Module version bump for libsystemd fc entry from Lukas Vrabec. 2016-08-02 20:22:06 -04:00
Chris PeBenito 9cfbb9b30a libraries: Move libsystemd fc entry. 2016-08-02 20:21:24 -04:00
Lukas Vrabec 81a130b071 Systemd by version 231 starts using shared library and systemd daemons execute it. For this reason lib_t type is needed. 2016-08-02 20:18:57 -04:00
Chris PeBenito b417a7130e Module version bump for user_udp_server tunable from Russell Coker. 2016-08-02 19:46:02 -04:00
Russell Coker 6f7d03bd34 user_udp_server tunable
The following patch adds a tunable user_udp_server for the user domains to
run UDP services.
2016-08-02 19:44:16 -04:00
Chris PeBenito 461451d7a7 Get attributes of generic ptys, from Russell Coker. 2016-07-30 16:25:42 -04:00
Chris PeBenito 9f55b76f2a Module version bump for MLS relabeling patch from Lukas Vrabec. 2016-07-27 18:37:56 -04:00
Lukas Vrabec d4964ae808 Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
Example of denial:
type=AVC msg=audit(1461664028.583:784): avc:  denied  { relabelto } for
pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
scontext=root:system_r:rpm_t:s0
tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir
2016-07-27 18:32:24 -04:00
Chris PeBenito 611a617cde Module version bump for corecommands update from Garrett Holmstrom. 2016-06-30 20:36:16 -04:00
Garrett Holmstrom 58ac82612d corecmd: Remove fcontext for /etc/sysconfig/libvirtd
/etc/sysconfig/libvirtd does not have the executable bit set, so it does
not make sense for it to be labelled bin_t.  I can't seem to find the
reason it was set that way originally.

Signed-off-by: Garrett Holmstrom <gholms@devzero.com>
2016-06-30 20:34:49 -04:00
Chris PeBenito c3a587934a Update contrib. 2016-06-21 11:16:13 -04:00
Chris PeBenito b7c7209cff Module version bumps + contrib update for user_runtime from Jason Zaman. 2016-06-01 13:34:14 -04:00
Jason Zaman 89d07b3266 userdomain: introduce interfaces for user runtime 2016-06-01 13:22:39 -04:00
Jason Zaman cff5a53cde userdomain: user_tmp requires searching /run/user 2016-06-01 13:22:39 -04:00
Jason Zaman 0f43a7b826 userdomain: Introduce types for /run/user
These are the types for /run/user, analogous to /home's home_root_t and
home_dir_t.
2016-06-01 13:22:39 -04:00
Jason Zaman 7320c483f4 authlogin: remove fcontext for /var/run/user 2016-06-01 13:22:39 -04:00
Chris PeBenito 672ea96b45 Module version bump for mlstrustedsocket from qqo. 2016-05-31 09:15:40 -04:00
Chris PeBenito e07f51a923 Merge branch 'qqo-master' 2016-05-31 09:15:01 -04:00
Chris PeBenito 203d4a70db Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master 2016-05-31 09:04:38 -04:00
Chris PeBenito ffc9a79525 Module version bump for systemd-resolved patch from Laurent BIgonville. 2016-05-26 08:53:00 -04:00
Laurent Bigonville 4f9bfeb7b0 Add policy for systemd-resolved
Initial policy for systemd-resolved, tested with systemd 230 on debian
2016-05-26 08:52:23 -04:00
Chris PeBenito cce300b960 Module version bump for LMNR port from Laurent Bigonville. 2016-05-26 07:47:18 -04:00
Laurent Bigonville 8f6cd59aea Add llmnr/5355 (Link-local Multicast Name Resolution) 2016-05-26 07:46:03 -04:00
Chris PeBenito 7857d2724f Update contrib. 2016-05-16 09:20:39 -04:00
Chris PeBenito 7fd44b8fb8 Module version bump for nftables fc entry from Jason Zaman. 2016-05-16 09:20:30 -04:00
Jason Zaman d85ff7f0b9 iptables: add fcontext for nftables 2016-05-16 09:13:30 -04:00
Laurent Bigonville fd9bfbbfba Add the validate_trans access vector to the security class
This access vector has been added in version 4.5, commitid:
f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39
2016-05-02 08:41:07 -04:00
Chris PeBenito 78111e98d6 Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz Andrejczuk. 2016-05-02 08:32:42 -04:00
Dominick Grift 6232348be8 Update refpolicy to handle hwloc
The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2016-05-02 08:22:58 -04:00
Nicolas Iooss 4e8768d8a0 Fix typo in module compilation message 2016-04-27 08:31:49 -04:00
qqo aedd5c314d Adds attribute mlstrustedsocket, along with the interface.
Sample AVC:
 type=AVC msg=audit(1459979143.990:219): avc:  denied  { sendto } for  pid=1935
 comm="charon" path="/dev/log" scontext=system_u:system_r:initrc_t:s0-s3:c0.c31
 tcontext=system_u:system_r:syslogd_t:s3:c0.c31 tclass=unix_dgram_socket permissive=0

This was discussed in 2010: http://oss.tresys.com/pipermail/refpolicy/2010-November/003444.html
2016-04-12 19:28:13 +03:00
Chris PeBenito 0be4f9ba0f Add user namespace capability object classes.
Define cap and cap2 commons to manage the permissions.
2016-04-06 14:52:26 -04:00
Chris PeBenito 599e5cf7f5 Module version bump for patches from Dominick Grift and Lukas Vrabec. 2016-03-31 08:32:18 -04:00
Lukas Vrabec 78d42e648b SELinux support for cgroup2 filesystem.
With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.

Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903

AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc:  denied  { write } for  pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

In this case new filesystem "cgroup2" need to be labeled as cgroup_t.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
2016-03-31 08:22:56 -04:00
Dominick Grift 3c9fa86f15 systemd: Add support for --log-target
https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=

see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22

v2: Add comment about dontaudit rule

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2016-03-31 08:22:50 -04:00
Chris PeBenito f72f1a48d9 Module version bump for Debian fc entries from Laurent Bigonville. 2016-03-28 09:59:02 -04:00
Chris PeBenito f839472baa Merge branch 'selinux-1' of https://github.com/bigon/refpolicy 2016-03-28 09:58:09 -04:00