Commit Graph

5560 Commits

Author SHA1 Message Date
Christian Göttsche
e683d67f46 portage: drop bizarre conditional TODO blocks
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
8f308eb846 unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit()
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
f6a7365cc0 consolesetup: drop unused requires
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
20323a2ab5 example: use module name matching file name
Using a different name in a non-base module will be rejected by checkmodule

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
31153edcb4 chromium: drop dead conditional block
The condition `use_alsa` is nowhere defined, and the contained interface
`alsa_domain` does not exist.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Christian Göttsche
c7d77a32b9 samba: fix wrong interface context smbd_runtime_t
Commit 69a403cd97 renamed smbd_var_run_t to smbd_runtime_t,
but smbd_runtime_t does not exist.
Commit 61ecff5c31 removed the alias smbd_var_run_t to samba_runtime_t.

Use samba_runtime_t instead.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-05-11 21:42:50 +02:00
Chris PeBenito
ded295d16f
Merge pull request #252 from bauen1/add-lockdown-class
define lockdown class and access
2020-05-11 08:48:47 -04:00
bauen1
3cdae47364
dirmngr: ~/.gnupg/crls.d might not exist
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:41 +02:00
bauen1
a356bce2d4
dirmngr: also requires access to /dev/urandom
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:41 +02:00
bauen1
5bd2650602
dirmngr: allow to probe for tor
dirmngr will test if tor is running, even if it isn't and this check
fails dirmngr will fail to retrieve any keys, this is the default (see
https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html
for --use-tor)

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-10 14:44:40 +02:00
bauen1
f9758ae558
define lockdown class and access
This was introduced in the merge b1dba2473114588be3df916bf629a61bdcc83737 in the linux kernel.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-08 19:18:52 +02:00
Chris PeBenito
6df603e814 apache, bird, ntp: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-05 13:35:34 -04:00
Chris PeBenito
370160dcb9 Merge pull request #251 from bauen1/fix-systemd-timesyncd 2020-05-05 13:28:54 -04:00
Chris PeBenito
45733fcfb1 Merge pull request #250 from bauen1/nginx 2020-05-05 13:28:31 -04:00
Chris PeBenito
809c39fa50 Merge pull request #239 from bauen1/fix-bird2 2020-05-05 13:27:55 -04:00
bauen1
5a18466573
ntpd: fixes for systemd-timesyncd after linux 5.4
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-05 18:09:56 +02:00
bauen1
6b90780fdd
apache: add nginx to policy
This is better than the current status quo of running nginx under
initrc_t, a lot of other webservers are already under the apache policy
(e.g. lighttpd) and this requires no additional permissions.

See also the discussion from March 2013 on the selinux-refpolicy mailing
list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-05 12:42:07 +02:00
Chris PeBenito
a7a327a921 sysnetwork, filesystem, userdomain: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-04 09:10:54 -04:00
Chris PeBenito
100a3fb02b Merge pull request #233 from fishilico/ip-netns 2020-05-04 09:05:34 -04:00
Chris PeBenito
6819d8883e
Merge pull request #236 from cgzones/all_interfaces
Override old all_interfaces.conf.tmp file
2020-05-04 09:02:48 -04:00
Chris PeBenito
4ae3713c45 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-04 08:55:09 -04:00
Chris PeBenito
a1c97cbab2 Merge pull request #249 from topimiettinen/ping-sendrecv-icmp 2020-05-04 08:47:55 -04:00
Chris PeBenito
271e4bb8c9 Merge pull request #248 from dburgener/remove-outdated-stunnel-port-access 2020-05-04 08:47:07 -04:00
Chris PeBenito
6137441c69 Merge pull request #247 from dburgener/repeated-perms 2020-05-04 08:46:42 -04:00
Chris PeBenito
671d5da3d7 Merge pull request #245 from dburgener/tty-pty-cleanup 2020-05-04 08:46:15 -04:00
Chris PeBenito
82a127f0a9 Merge pull request #244 from dsugar100/master 2020-05-04 08:37:30 -04:00
Topi Miettinen
a614e755ae
netutils: allow ping to send and receive ICMP packets
Let ping send and receive ICMP packets when Netfilter SECMARK packet
labeling is active.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-05-04 12:43:18 +03:00
Daniel Burgener
a01820155f Remove out of date "hack" from stunnel. The underlying problem needing
a require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.

Signed-off-by: Daniel Burgener <Daniel.Burgener@Microsoft.com>
2020-05-02 16:24:53 -04:00
Daniel Burgener
ce8f00538a Remove the second copy of a permission in instances where the exact same permission is repeated twice in a row
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-05-01 12:22:40 -04:00
Daniel Burgener
5ba931d49d Fix a few places where command line applications were only granted one of tty or pty permissions and could be used from either
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-04-30 14:53:31 -04:00
bauen1
56d16a79ae
bird: fixes for bird 2.0
Signed-off-by: bauen1 <j2468h@gmail.com>

bird: allow admin to connect to the bird daemon socket

Signed-off-by: bauen1 <j2468h@gmail.com>

bird: read /proc/sys/crypto/fips_enabled

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-04-29 18:13:21 +02:00
Dave Sugar
a0403b52d8 Interfaces needed to support IMA/EVM keys
I have been working to support IMA/EVM on a system.  It
requires having keys added to the kernel keyring.  Keys
added with keyctl and evmctl.  I am creating keys in the
ima_key_t type.  Once the keys are created, many domains
then need search permission on the type of the key.  The
following changes are needed to get things to work.

Need to add keys to the kernel keyring (keyctl).

type=AVC msg=audit(1585420717.704:1868): avc:  denied  { write } for pid=8622 comm="keyctl" scontext=system_u:system_r:cleanup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

Allow all domains to search key

type=AVC msg=audit(1587936822.802:556): avc:  denied  { search } for  pid=5963 comm="kworker/u16:6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.804:559): avc:  denied  { search } for  pid=5963 comm="systemd-cgroups" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.809:560): avc:  denied  { search } for  pid=5964 comm="(sysctl)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.813:562): avc:  denied  { search } for  pid=5964 comm="sysctl" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936823.149:604): avc:  denied  { search } for  pid=5987 comm="setsebool" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-04-29 11:50:16 -04:00
Christian Göttsche
13337ba8df Override old all_interfaces.conf.tmp file
Do not keep interfaces from previous builds.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-04-29 17:34:45 +02:00
Chris PeBenito
4f846ea99d bootloader, filesystem: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-29 10:51:26 -04:00
Chris PeBenito
b518966455 Merge pull request #243 from topimiettinen/bootloader-add-refind-systemd-boot 2020-04-29 10:51:09 -04:00
Topi Miettinen
eae4ecde22
bootloader: add rEFInd and systemd-boot
Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage
bootloader files in UEFI (DOS) partition need also to manage UEFI boot
variables in efivarfs. Bootctl (systemd-boot tool) verifies the type
of EFI file system and needs to mmap() the files.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-25 13:15:46 +03:00
Chris PeBenito
841cce42e8
Merge pull request #238 from topimiettinen/build-install-netfilter-contexts
Build and install Netfilter rules
2020-04-24 11:20:01 -04:00
Chris PeBenito
d401ff2a21 systemd, ssh, wm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-24 10:22:30 -04:00
Chris PeBenito
9e9490cddf Merge pull request #242 from topimiettinen/wm-add-kwin 2020-04-24 10:10:30 -04:00
Chris PeBenito
292366f88d Merge pull request #241 from bauen1/fix-ssh-agent-debian 2020-04-24 10:03:18 -04:00
Topi Miettinen
79731d6fd2
Build and install Netfilter rules
Build SECMARK rules for iptables and NFT, install them as
/usr/share/doc/$PKGNAME/netfilter_contexts{,.nft}.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-24 16:36:56 +03:00
bauen1
5124a48bf5
ssh: fix for debian wrapper script
debian ships a wrapper script that moves the ssh-agent socket to
/run/user/$UID/openssh_agent

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-04-24 15:29:17 +02:00
Topi Miettinen
352249fc05
wm: add KWin
Add KWin to list of window managers and allow it to mmap wm_tmpfs_t
files to avoid a crash. Related audit event:
type=AVC msg=audit(04/24/2020 15:39:25.287:679) : avc:  denied  { map } for  pid=1309 comm=kwin_x11 path=/memfd:JSVMStack:/lib/x86_64-linux-gnu/libQt5Qml.so.5 (deleted) dev="tmpfs" ino=45261 scontext=user_u:user_r:user_wm_t:s0 tcontext=user_u:object_r:wm_tmpfs_t:s0 tclass=file permissive=0

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-24 16:19:51 +03:00
Chris PeBenito
4a3cf58a8c Merge pull request #240 from bauen1/allow-users-to-use-systemd-run 2020-04-24 08:09:10 -04:00
bauen1
09c311f57f
allow normal users to use 'systemd-run'
It can also be used to create temporary units under `systemd --user`.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-04-23 21:48:35 +02:00
Chris PeBenito
466b59f447
Merge pull request #237 from topimiettinen/gennetfilter-add-icmp-rules
gennetfilter: add rules for ICMP/ICMPv6 packets
2020-04-22 10:23:08 -04:00
Chris PeBenito
01990a484e corenetwork, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-22 10:21:45 -04:00
Chris PeBenito
4ebd33c46d Merge pull request #234 from topimiettinen/systemd-networkd-allow-icmp-dhcpc 2020-04-22 10:21:16 -04:00
Topi Miettinen
4e1979a66b
gennetfilter: add rules for ICMP/ICMPv6 packets
Generate rules for SECMARKing ICMP and ICMPv6 packets as
icmp_packet_t.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-22 17:03:28 +03:00
Topi Miettinen
a3b688d1cf
Allow systemd-networkd to handle ICMP and DHCP packets
Allow systemd-networkd to send and receive ICMPv6 Router Solicitation
and Router Advertisement packets (in reality all ICMP/ICMPv6 packets)
and DHCP client packets.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-22 15:46:56 +03:00