When reading or managing noxattr fs files or symbolic links, also
let the user list noxattr fs directories.
This patch should be applied after the following one:
http://oss.tresys.com/pipermail/refpolicy/2016-October/008539.html
"Let users read/manage symlinks on fs that do not support xattr"
posted on Sat, 29 Oct 2016 15:39:46 UTC.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
> On 07/31/16 08:34, Russell Coker wrote:
> > The following patch deals with a single binary for modutils, so depmod_t,
> > and insmod_t are merged.
>
> Since the main SELinux distros (including RHEL/CentOS 7) all have merged
> modutils these days, I'm open to taking a patch that fully merges these
> domains (in which case renaming to kmod_t, with proper aliasing seems
> the best idea).
>
> However, it's been some time since I used a busybox-based system; does
> busybox still have separated tools? Yes, this is a bit of an obvious
> question since busybox is also single-binary, but IIRC, the embedded
> guys made some tiny helper scripts or executables so proper
> transitioning could occur. Separate domains may still make sense.
As we have had no response from Busybox users in the last 3 months and also no
response to the thread Luis started in 2013 I think it's safe to assume that
they don't need this.
I've attached a new patch which renames to kmod_t as you suggested. Please
consider it for inclusion.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Description: Change modutils policy to match the use of a single binary
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-06-25
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).
The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.
To preserve the module encapsulation, a new interface is defined
in the kernel files module and that interface is then used in the
kernel module.
A short note is added about unneeded permissions that set the
kernel scheduling parameters (might lead to service disruption).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
/etc/sysconfig/libvirtd does not have the executable bit set, so it does
not make sense for it to be labelled bin_t. I can't seem to find the
reason it was set that way originally.
Signed-off-by: Garrett Holmstrom <gholms@devzero.com>
With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.
Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903
AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc: denied { write } for pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
In this case new filesystem "cgroup2" need to be labeled as cgroup_t.
Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
When a device gets removed, for example with "cryptsetup close",
kdevtmpfs (a kernel thread) removes its entry from devtmpfs filesystem:
avc: denied { unlink } for pid=48 comm="kdevtmpfs"
name="dm-4" dev="devtmpfs" ino=144111
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Allow this access on systems using systemd.
On Arch Linux, /usr/lib/gvfs directory contains both executable files
(gvfsd, gvfs-udisks2-volume-monitor...) and libraries (libgvfscommon.so
and libgvfsdaemon.so). As all executable files are prefixed with
"gfvs", so use this to distinguish them with the libraries.
This fixes the following AVC denials, reported from geoclue service
using a library wrongly labelled bin_t:
avc: denied { read } for pid=14872 comm="geoclue"
name="libgvfscommon.so" dev="dm-0" ino=3152594
scontext=system_u:system_r:geoclue_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1
avc: denied { open } for pid=14872 comm="geoclue"
path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594
scontext=system_u:system_r:geoclue_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1
avc: denied { execute } for pid=14872 comm="geoclue"
path="/usr/lib/gvfs/libgvfscommon.so" dev="dm-0" ino=3152594
scontext=system_u:system_r:geoclue_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1
It is used by system-config-printer, as shown by these AVC denials:
avc: denied { execute } for pid=1061 comm="system-config-p"
name="applet.py" dev="dm-0" ino=9568316
scontext=sysadm_u:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t
tclass=file permissive=1
avc: denied { execute_no_trans } for pid=1061
comm="system-config-p"
path="/usr/share/system-config-printer/applet.py" dev="dm-0"
ino=9568316 scontext=sysadm_u:sysadm_r:sysadm_t
tcontext=system_u:object_r:usr_t tclass=file permissive=1
systemd creates a new network namespace for services which are using
PrivateNetwork=yes.
In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (c.f.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.
While at it, add filesystem_type attribute to nsfs_t.
