Lukas Vrabec
ce570ab34d
Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t
...
CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.
Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
2019-04-12 07:52:27 -04:00
Chris PeBenito
beb4a290b0
init: Module version bump.
2019-04-07 20:56:22 -04:00
Chris PeBenito
4c2f16bb26
Merge pull request #39 from pebenito/revise-init-stopstart
2019-04-07 20:54:40 -04:00
Chris PeBenito
b06126dca3
init: Revise conditions in init_startstop_service().
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-05 15:18:29 -04:00
Chris PeBenito
df696a3254
kernel, init, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:58:15 -04:00
Chris PeBenito
98c16077ba
Merge pull request #37 from pebenito/master
...
Misc system fixes.
Remove use of kernel_unconfined() by systemd_nspawn and udev write to its own executable.
2019-03-27 18:57:39 -04:00
Chris PeBenito
4f6614ba7f
ntp, init, lvm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:49:54 -04:00
Sugar, David
d3c4e19f72
Denial of cryptsetup reading cracklib database
...
When setting up a LUKS encrypted partition, cryptsetup is reading
the cracklib databases to ensure password strength. This is
allowing the needed access.
type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Sugar, David
7525ba9c1e
Allow ntpd to read unit files
...
Adding missing documenation (sorry about that).
type=AVC msg=audit(1553013917.359:9935): avc: denied { read } for pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9935): avc: denied { open } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9936): avc: denied { getattr } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013821.622:9902): avc: denied { getattr } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc: denied { read } for pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc: denied { open } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Chris PeBenito
32f3f09dc4
authlogin, dbus, ntp: Module version bump.
2019-03-24 14:43:35 -04:00
Sugar, David
142651a8b4
Resolve denial about logging to journal from dbus
...
type=AVC msg=audit(1553013821.597:9897): avc: denied { sendto } for pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Sugar, David
5f14e530ad
Resolve denial about logging to journal from chkpwd
...
type=AVC msg=audit(1553029357.588:513): avc: denied { sendto } for pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Sugar, David
9f2b1e2b4c
Allow ntpd to update timezone symlink
...
type=AVC msg=audit(1553013821.624:9907): avc: denied { create } for pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc: denied { rename } for pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc: denied { unlink } for pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Sugar, David
1b4ffb7806
Allow ntpd to update chronyd service
...
type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?
type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Sugar, David
a50afdcc84
Add interface ntp_dbus_chat
...
type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:35:44 -04:00
Chris PeBenito
e19f3d658c
init: Remove duplicate setenforce rule for init scripts.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:10:23 -04:00
Chris PeBenito
99f967d3b5
udev: Drop write by udev to its executable.
...
This removes one vector for arbitrary code execution if udev is
compromised.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:10:10 -04:00
Chris PeBenito
40bf663090
systemd: Drop unconfined kernel access for systemd_nspawn.
...
Revise kernel assertion to /proc/kmsg to be more precise.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:09:37 -04:00
Chris PeBenito
c46eba9c02
sysadm, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:27:34 -04:00
Chris PeBenito
ceadf42b75
udev: Move one line and remove a redundant line.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:25:28 -04:00
Chris PeBenito
2297487654
udev: Whitespace fix.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:25:03 -04:00
Sugar, David
ba31e59cd1
Separate out udevadm into a new domain
...
This is the update I have made based on suggestions for the previous
patches to add a udev_run interface. This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.
It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
I have granted the permisssions that I need based on denials I was
seeing during startup (the machine would fail to start without the
permisions).
2) In the udev.fc file there are other binaries that I don't have on a
RHEL7 box that maybe should also be labeled udevadm_exec_t.
e.g. /usr/bin/udevinfo and /usr/bin/udevsend
But as I don't have those binaries to test, I have not updated the
type of that binary.
3) There are some places that call udev_domtrans that maybe should now
be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
these are not things that I am using in my current situation and am
unable to test the interactions to know if the change is correct.
Other than that, I think this was a good suggestion to split udevadm
into a different domain.
Only change for v4 is to use stream_connect_pattern as suggested.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-17 16:15:21 -04:00
Chris PeBenito
60b8e08f4f
systemd, udev, usermanage: Module version bump.
2019-03-11 20:59:21 -04:00
Chris PeBenito
5260679657
usermanage: Move kernel_dgram_send(passwd_t) to systemd block.
2019-03-11 20:59:16 -04:00
Sugar, David
1cc0045642
Resolve denial while changing password
...
I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging. This resolves those denials.
type=AVC msg=audit(1552222811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:54:29 -04:00
Sugar, David
9d2b68e0ba
Allow additional map permission when reading hwdb
...
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.
type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Updated from previous to create a new interface.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:53:30 -04:00
Chris PeBenito
5fda529636
Remove incorrect comment about capability2:mac_admin.
2019-03-11 20:49:42 -04:00
Chris PeBenito
bb83a721cf
filesystem, cron, authlogin: Module version bump.
2019-03-07 19:02:57 -05:00
Sugar, David
3fd0d7df8b
Update cron use to pam interface
...
I'm seeing a many denials for cron related to faillog_t, lastlog_t
and wtmp_t. These are all due to the fact cron is using pam (and my
system is configured with pam_faillog). I have updated cron to use
auth_use_pam interface to grant needed permissions.
Additional change to allow systemd_logind dbus for cron.
I have included many of the denials I'm seeing, but there are probably
others I didn't capture.
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Sugar, David
4f8d21ea71
Add interface to allow relabeling of iso 9660 filesystems.
...
I have a case where I'm labeling media with my own types to control
access. But that is requiring that I relabel from iso9660_t to my
own type. This interface allows that relabel.
type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Chris PeBenito
712e6056d9
aide, clamav: Module version bump.
2019-02-26 19:21:27 -08:00
Sugar, David
59413b10b8
Allow AIDE to mmap files
...
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning. RHEL7 has set this option in the
aide rpm they distribute.
Changes made to add a tunable to enable permissions allowing
aide to map files that it needs. I have set the default to
false as this seems perfered (in my mind).
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
e5b8318420
Allow AIDE to read kernel sysctl_crypto_t
...
type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
2f063edd88
Allow AIDE to sendto kernel datagram socket
...
type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
c418d0e81d
Add interfaces to run freshclam
...
Currently freshclam can only be started from cron or init. This adds
the option of starting from a different process and optionally
transitioning or staying in the callers domain.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
899520233d
Allow freshclam to read sysctl_crypto_t
...
type=AVC msg=audit(1550894180.137:3099): avc: denied { search } for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { read } for pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { open } for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
2d105029d0
Fix incorrect type in clamav_enableddisable_clamd interface
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Chris PeBenito
e6dcad5002
systemd: Module version bump.
2019-02-24 08:19:27 -08:00
Nicolas Iooss
2fb15c8268
Update systemd-update-done policy
...
systemd-update-done sends logs to journald like other services, as shown
by the following AVC:
type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for
pid=277 comm="systemd-update-" path="/run/systemd/journal/socket"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1550865504.453:76): avc: denied { write } for
pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for
pid=277 comm="systemd-update-"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:systemd_update_done_t
tclass=unix_dgram_socket permissive=1
Moreover it creates /etc/.updated and /var/.updated using temporary
files:
type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate }
for pid=277 comm="systemd-update-"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:systemd_update_done_t tclass=process
permissive=1
type=AVC msg=audit(1550865504.463:84): avc: denied { read write
open } for pid=277 comm="systemd-update-"
path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=AVC msg=audit(1550865504.463:84): avc: denied { create } for
pid=277 comm="systemd-update-" name=".#.updatedTz6oE9"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
[...]
type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for
pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for
pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1"
ino=806171 scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 11:08:20 +01:00
Chris PeBenito
2623984b83
logging, selinuxutil: Module version bump.
2019-02-23 19:30:58 -08:00
Chris PeBenito
0805aaca8d
Merge branch 'restorecond-no-read-all' of git://github.com/fishilico/selinux-refpolicy
2019-02-23 18:43:02 -08:00
Nicolas Iooss
0ab9035efa
Remove a broad read-files rule for restorecond
...
When the policy for restorecond was introduced, it contained a rule
which allowed restorecond to read every file except shadow_t (cf.
724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)
):
auth_read_all_files_except_shadow(restorecond_t)
Since 2006, the policy changed quite a bit, but this access remained.
However restorecond does not need to read every available file.
This is related to this comment:
https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379
2019-02-23 21:20:21 +01:00
Nicolas Iooss
7bb9172b67
Allow restorecond to read customizable_types
...
When trying to remove files_read_non_auth_files(restorecond_t), the
following AVC denial occurs:
type=AVC msg=audit(1550921968.443:654): avc: denied { open } for
pid=281 comm="restorecond"
path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1"
ino=928006 scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:default_context_t tclass=file
permissive=1
type=AVC msg=audit(1550921968.443:654): avc: denied { read } for
pid=281 comm="restorecond" name="customizable_types" dev="vda1"
ino=928006 scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:default_context_t tclass=file
permissive=1
As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by
restorecond, allow this access.
2019-02-23 21:14:10 +01:00
Nicolas Iooss
5250bd4863
Allow systemd-journald to use kill(pid, 0) on its clients
...
Since systemd 241, systemd-journald is using kill(pid, 0) in order to
find dead processes and reduce its cache. The relevant commit is
91714a7f42
("journald: periodically drop cache for all dead PIDs"). This commit
added a call to pid_is_unwaited(c->pid), which is a function implemented in
https://github.com/systemd/systemd/blob/v241/src/basic/process-util.c#L936 :
bool pid_is_unwaited(pid_t pid) {
/* Checks whether a PID is still valid at all, including a zombie */
if (pid < 0)
return false;
if (pid <= 1) /* If we or PID 1 would be dead and have been waited for, this code would not be running */
return true;
if (pid == getpid_cached())
return true;
if (kill(pid, 0) >= 0)
return true;
return errno != ESRCH;
}
This new code triggers the following AVC denials:
type=AVC msg=audit(1550911933.606:332): avc: denied { signull }
for pid=224 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:auditd_t tclass=process permissive=1
type=AVC msg=audit(1550911933.606:333): avc: denied { signull }
for pid=224 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:dhcpc_t tclass=process permissive=1
type=AVC msg=audit(1550911933.606:334): avc: denied { signull }
for pid=224 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:sshd_t tclass=process permissive=1
2019-02-23 20:55:17 +01:00
Chris PeBenito
5986fdc4df
logging, miscfiles, authlogin: Module version bump.
2019-02-20 19:38:55 -08:00
Sugar, David
81c10b077a
New interface to dontaudit access to cert_t
...
I'm seeing a bunch of denials for various processes (some refpolicy
domains, some my own application domains) attempting to access
/etc/pki. They seem to be working OK even with the denial. The
tunable authlogin_nsswitch_use_ldap controls access to cert_t
(for domains that are part of nsswitch_domain attribute). Use this
new interface when that tunable is off to quiet the denials.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-20 19:28:45 -08:00
Sugar, David
d8492558b3
Add interface to get status of rsyslog service
...
Updated based on feedback.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-20 19:28:45 -08:00
Chris PeBenito
98a7f0446d
init, systemd, cdrecord: Module version bump.
2019-02-19 19:31:04 -08:00
Chris PeBenito
b3e8e5a4ba
systemd: Remove unnecessary brackets.
2019-02-19 19:20:57 -08:00
Sugar, David
31ac26dd58
Add interface to run cdrecord in caller domain
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-19 19:19:28 -08:00