Nicolas Iooss
b1566c1966
sysadm: allow using hostnamectl
Command "hostnamectl" communicates with systemd_hostnamed_t through
DBUS:
type=USER_AVC msg=audit(1576535282.679:345): pid=285 uid=81
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.DBus.Properties member=GetAll
dest=org.freedesktop.hostname1 spid=1449 tpid=1450
scontext=sysadm_u:sysadm_r:sysadm_t
tcontext=system_u:system_r:systemd_hostnamed_t tclass=dbus
permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=?
terminal=?'
type=USER_AVC msg=audit(1576535282.683:347): pid=285 uid=81
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_return
dest=:1.269 spid=1450 tpid=1449
scontext=system_u:system_r:systemd_hostnamed_t
tcontext=sysadm_u:sysadm_r:sysadm_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 17:26:34 +01:00
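The denials quoted in these commit messages come in two shapes: plain `type=AVC` records from the kernel, and `type=USER_AVC` records that dbus-daemon emits with the `avc:` text wrapped in `msg='...'`. The following parser handles both and merges the denials into the raw allow rules a policy author starts from before expressing them through refpolicy interfaces. It is an added example, not code from the refpolicy project; the sample lines are the page's own denials re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the commit messages above (hostnamectl
# over D-Bus; cryfs searching /usr/bin), each re-joined onto one line as in audit.log.
SAMPLE_AUDIT = "\n".join([
    "type=USER_AVC msg=audit(1576535282.679:345): pid=285 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.hostname1 spid=1449 "
    "tpid=1450 scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:system_r:systemd_hostnamed_t "
    "tclass=dbus permissive=1 exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1576535282.683:347): pid=285 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_return "
    "dest=:1.269 spid=1450 tpid=1449 scontext=system_u:system_r:systemd_hostnamed_t "
    "tcontext=sysadm_u:sysadm_r:sysadm_t tclass=dbus permissive=1 exe=\"/usr/bin/dbus-daemon\" "
    "sauid=81 hostname=? addr=? terminal=?'",
    "type=AVC msg=audit(1576534518.220:1320): avc: denied { search } for pid=24067 comm=\"cryfs\" "
    "name=\"bin\" dev=\"vda1\" ino=524829 scontext=sysadm_u:sysadm_r:cryfs_t "
    "tcontext=system_u:object_r:bin_t tclass=dir permissive=0",
])

# "avc: denied { perms } for key=value ..." occurs in plain AVC records and, wrapped in
# msg='...', in the USER_AVC records that dbus-daemon emits for denied bus messages.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Parse audit lines into dicts; lines without an AVC denial are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # Strip value quotes and the closing ' that ends a USER_AVC msg='...' field.
        fields = {k: v.strip('"').rstrip("'") for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "perms": m.group("perms").split(),
            "source": fields["scontext"].split(":")[2],  # type part of user:role:type[:range]
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "enforced": fields.get("permissive") == "0",  # 0: actually blocked, not just logged
        })
    return denials

def suggest_rules(denials):
    """One allow rule per (source, target, class) triple: the raw starting point that a
    refpolicy author then rewrites with the proper interface calls before committing."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    def fmt(perms):
        return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return sorted(f"allow {s} {t}:{c} {fmt(sorted(p))};" for (s, t, c), p in merged.items())
```

The `enforced` flag separates denials that really blocked the program (the cryfs one, `permissive=0`) from those only logged in permissive mode, which is worth checking before deciding how urgent a policy fix is.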
Nicolas Iooss
789307d57e
mount: allow callers of mount to search /usr/bin
In order to be able to invoke /usr/bin/mount, /usr/bin/fusermount, etc.
callers need to be able to search /usr/bin. Otherwise, such denials are
recorded:
type=AVC msg=audit(1576534518.220:1320): avc: denied { search }
for pid=24067 comm="cryfs" name="bin" dev="vda1" ino=524829
scontext=sysadm_u:sysadm_r:cryfs_t tcontext=system_u:object_r:bin_t
tclass=dir permissive=0
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 16:54:51 +01:00
Nicolas Iooss
8e612038de
testing/check_fc_files: allow @ character in file context patterns
Some systemd units use @ in their names.
Fixes: https://github.com/SELinuxProject/refpolicy/issues/131
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 16:53:05 +01:00
bauen1
09efc0087a
added bpf_t filesystem label
2019-12-16 20:16:14 +01:00
bauen1
a1f20e749e
fix ifupdown2 executable mislabeled as lib_t
2019-12-10 20:18:00 +01:00
bauen1
d4cc5cf3d2
fix: sudo can't determine default type for sysadm_r
2019-12-09 21:13:23 +01:00
Chris PeBenito
17f06cf1fe
unconfined: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-12-02 08:47:19 -05:00
Chris PeBenito
9a04561643
Merge pull request #130 from pebenito/unconfined-systemd-user
2019-12-02 08:45:44 -05:00
Chris PeBenito
832face6f2
logging: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-11-23 10:27:14 -05:00
Chris PeBenito
9c3c525aa8
logging: Reorder lines.
No rule change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-11-23 10:26:50 -05:00
Sugar, David
a9ae616800
resolve syslog imuxsock denial
I'm seeing the following error while starting rsyslog:
Nov 17 02:01:38 localhost rsyslogd: cannot create '/run/systemd/journal/syslog': Permission denied [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: imuxsock does not run because we could not aquire any socket [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: activation of module imuxsock failed [v8.24.0-41.el7_7.2]
With the following denials:
type=AVC msg=audit(1573958708.773:1896): avc: denied { create } for pid=2347 comm="rsyslogd" name="syslog" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1573958708.773:1897): avc: denied { setattr } for pid=2347 comm="rsyslogd" name="syslog" dev="tmpfs" ino=19368 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-11-23 10:24:13 -05:00
Chris PeBenito
0bfd1387ac
Remove incorrect usages of "is" operator from Python scripts.
Closes #128
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-11-23 10:12:53 -05:00
Chris PeBenito
45bd96f619
various: Module version bump.
2019-11-23 09:54:36 -05:00
Chris PeBenito
8fcd20b9f9
Merge pull request #127 from pebenito/unconfined-cap_userns
2019-11-23 09:51:42 -05:00
Chris PeBenito
e05c589ae6
Merge pull request #127 from pebenito/unconfined-cap_userns
2019-11-23 09:51:28 -05:00
Chris PeBenito
42d115aa53
unconfined: Fix systemd --user rule.
Use the full init_pgm_spec_user_daemon_domain() to ensure correct
permissions.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-11-22 16:39:35 -05:00
Chris PeBenito
87745f09d9
unconfined: Add namespaced capabilities.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-11-15 11:13:58 -05:00
Laurent Bigonville
53a76d3fb7
Allow alsa_t to set scheduling priority and send signal to itself
When alsactl is running as a daemon with systemd, it sets its process
priority to be nice to other processes. When stopping the service, it's
signaling to itself that it needs to exit.
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:08:03 +01:00
Laurent Bigonville
56a11f07c3
Allow alsa_t to create alsa_runtime_t file as well
When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), which needs to be allowed.
----
time->Sun Oct 6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc: denied { write open } for pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc: denied { create } for pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc: denied { open } for pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc: denied { read } for pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc: denied { unlink } for pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:08:03 +01:00
Laurent Bigonville
9b18951eb0
Allow realmd_t to read localization files
----
time->Sat Oct 5 13:11:40 2019
type=AVC msg=audit(1570273900.483:148): avc: denied { open } for pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { read } for pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { read } for pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=262415 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { search } for pid=1382 comm="realmd" name="locale" dev="dm-1" ino=262056 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
----
time->Sat Oct 5 13:11:40 2019
type=AVC msg=audit(1570273900.483:149): avc: denied { getattr } for pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
----
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:08:03 +01:00
Laurent Bigonville
69d88981bc
Allow geoclue to log in syslog
----
time->Thu Oct 3 17:16:40 2019
type=AVC msg=audit(1570115800.136:513): avc: denied { create } for pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Thu Oct 3 17:16:40 2019
type=AVC msg=audit(1570115800.136:514): avc: denied { sendto } for pid=1384 comm="geoclue" path="/run/systemd/journal/socket" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { write } for pid=1384 comm="geoclue" name="socket" dev="tmpfs" ino=1781 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { search } for pid=1384 comm="geoclue" name="journal" dev="tmpfs" ino=1777 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { search } for pid=1384 comm="geoclue" name="systemd" dev="tmpfs" ino=11001 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { write } for pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:05:05 +01:00
Laurent Bigonville
805f2d9cd4
Allow the systemd dbus-daemon to talk to systemd
Recent versions of dbus are started as Type=notify
type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc: denied { write } for pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:05:05 +01:00
Chris PeBenito
04a83b9616
init: Module version bump.
2019-10-31 04:12:24 -04:00
Chris PeBenito
bb48674bd1
init: Whitespace change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-31 03:33:14 -04:00
Sugar, David
36ebc670cb
Add missing gen_require for init_t in init_script_domain
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-10-31 03:31:52 -04:00
Chris PeBenito
3952ecb4dd
Fix file common ordering and kernel version from previous commit.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-31 03:09:14 -04:00
Chris PeBenito
b7e5454fac
Merge pull request #124 from pebenito/watch
Add watch access vectors.
2019-10-29 07:11:51 -04:00
Chris PeBenito
c656b97a28
Add file and filesystem watch access vectors.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-10-25 15:46:00 -04:00
Chris PeBenito
e5dbe75276
Move open, audit_access, and execmod to file common.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-10-25 15:45:31 -04:00
Chris PeBenito
69cd9b4614
xserver: Move XDM dbus chats under main dbus optional.
2019-10-12 11:38:52 -04:00
Chris PeBenito
9731e44e43
xserver: Remove duplicate colord rule.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-12 11:37:00 -04:00
Chris PeBenito
dffe3df251
fc_sort.py: Use "==" for comparing integers.
"is" is for testing two references are the same object. The fact that this
worked is specific to the Python implementation.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-08 15:45:27 -04:00
Chris PeBenito
3562ba3ca4
Merge pull request #118 from cgzones/fc_sort
2019-10-08 14:47:20 -04:00
Christian Göttsche
16af31d5a1
re-implement fc_sort in python
fc_sort is the only/last build tool that requires a C compiler.
Re-implement it in Python, so that gcc dependencies can be dropped.
The output of the C and the Python versions differs slightly in the order of equally specific file contexts:
old:
/.* system_u:object_r:default_t
/sys(/.*)? system_u:object_r:sysfs_t
/mnt(/[^/]*) -l system_u:object_r:mnt_t
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/opt/.* system_u:object_r:usr_t
/var/.* system_u:object_r:var_t
/usr/.* system_u:object_r:usr_t
/srv/.* system_u:object_r:var_t
/tmp/.* <<none>>
/run/.* <<none>>
/dev/.* system_u:object_r:device_t
/etc/.* system_u:object_r:etc_t
new:
/.* system_u:object_r:default_t
/sys(/.*)? system_u:object_r:sysfs_t
/mnt(/[^/]*) -l system_u:object_r:mnt_t
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/dev/.* system_u:object_r:device_t
/etc/.* system_u:object_r:etc_t
/opt/.* system_u:object_r:usr_t
/run/.* <<none>>
/srv/.* system_u:object_r:var_t
/tmp/.* <<none>>
/usr/.* system_u:object_r:usr_t
/var/.* system_u:object_r:var_t
2019-10-06 00:11:30 +02:00
Chris PeBenito
1f947b191d
Merge pull request #120 from cgzones/travis_lint_py
travis: run check_fc_files linter with python 3.7
2019-10-03 21:02:55 -04:00
Christian Göttsche
64ae3bb727
travis: run check_fc_files linter with python 3.7
2019-10-04 01:43:37 +02:00
Chris PeBenito
6f19979a2f
gpg, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-03 19:05:05 -04:00
Chris PeBenito
17512a799d
Merge pull request #117 from fishilico/gpg-crypto-fips
2019-10-03 18:59:04 -04:00
Chris PeBenito
c26c3786c9
Merge pull request #116 from fishilico/systemd-kernel-coredump-transition
2019-10-03 18:59:02 -04:00
Chris PeBenito
a00fbd47d5
Merge pull request #115 from cgzones/fixpy
segenxml.py: fix format usage in warning message
2019-10-03 18:58:37 -04:00
Chris PeBenito
4d614d4a5d
Merge pull request #114 from cgzones/samename
fix Makefile for policy-module directories with same ending
2019-10-03 18:57:54 -04:00
Chris PeBenito
c83202c20b
Merge pull request #113 from fishilico/travis-fc-typo-checker
.travis.yml: check the .fc files in CI
2019-10-03 18:56:26 -04:00
Chris PeBenito
2da74e1169
Merge pull request #119 from cgzones/py3
travis: force the use of python3.5
2019-10-03 18:53:26 -04:00
Christian Göttsche
1fa8caec19
travis: force the use of python3.5
python3.5 is the oldest available one on bionic (though refpolicy requires only 3.4)
Also print the python3 (not 2) version during build
2019-10-04 00:18:34 +02:00
Nicolas Iooss
15151782bd
gpg: allow gpg-agent to read crypto.fips_enabled sysctl
On Debian 10, when gpg-agent starts, it reads crypto.fips_enabled:
type=AVC msg=audit(1569958604.280:42): avc: denied { open } for
pid=329 comm="gpg-agent" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=14687 scontext=sysadm_u:sysadm_r:gpg_agent_t
tcontext=system_u:object_r:sysctl_crypto_t tclass=file permissive=1
type=AVC msg=audit(1569958604.280:42): avc: denied { read } for
pid=329 comm="gpg-agent" name="fips_enabled" dev="proc" ino=14687
scontext=sysadm_u:sysadm_r:gpg_agent_t
tcontext=system_u:object_r:sysctl_crypto_t tclass=file permissive=1
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-10-01 21:58:24 +02:00
Nicolas Iooss
90a2688712
systemd: make the kernel spawn systemd-coredump with a context transition
On Arch Linux, /proc/sys/kernel/core_pattern contains:
|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
When a crash happens in a userspace application, this setting makes the
kernel spawn /usr/lib/systemd/systemd-coredump from kernel_t:
type=AVC msg=audit(1569910108.877:336): avc: denied { execute }
for pid=1087 comm="kworker/u2:3" name="systemd-coredump" dev="vda1"
ino=406365 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:systemd_coredump_exec_t tclass=file
permissive=1
Introduce a transition to systemd_coredump_t to handle this.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-10-01 21:30:29 +02:00
Christian Göttsche
67a27c2738
segenxml.py: fix format usage in warning message
2019-10-01 20:38:58 +02:00
Christian Göttsche
25bb0cab98
fix Makefile for policy-module directories with same ending
Currently policy module directories must have a same ending.
Reproduce with:
mv policy/modules/admin/ policy/modules/adminapps
make conf
Results in:
...
cat policy/modules/adminapps/metadata.xml policy/modules/apps/metadata.xml > tmp/apps.xml
...
doc/policy.xml:4332: element layer: validity error : Element layer content does not follow the DTD, expecting (summary , module+), got (summary summary module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module )
Document doc/policy.xml does not validate against doc/policy.dtd
make: *** [Makefile:452: doc/policy.xml] Error 3
Add a leading slash to the filter pattern, to not match partial names
2019-10-01 20:24:29 +02:00
Nicolas Iooss
3b698bd9e4
.travis.yml: check the .fc files in CI
Now that all issues reported by testing/check_fc_files.py have been
fixed, call this script in Travis-CI in order to prevent common errors
from being introduced in .fc files.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-10-01 19:54:17 +02:00
Chris PeBenito
324ecfe95c
Merge pull request #74 from fishilico/fc-typo-checker
Check the .fc files for common typos
2019-09-30 21:14:42 -04:00