nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,092 Commits 1 Branch 0 Tags 16 MiB
e399c7f642
Commit Graph

502 Commits

Author SHA1 Message Date
Chris PeBenito
6b11dcef89 Various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-08-31 06:55:57 -04:00
Nicolas Iooss
f0cade07b2
Remove unescaped single dot from the policy 
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.

Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-27 23:38:09 +02:00
Chris PeBenito
921eb37a97 rpm, selinux, sysadm, init: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-13 14:07:11 -04:00
Sugar, David
2831598bb5 grant rpm_t permission to map security_t 
type=AVC msg=audit(1560944462.698:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

v2 - Create new interface to allow mapping security_t and use this interface by rpm_t

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-13 14:00:23 -04:00
Chris PeBenito
b85c93b582 rpm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-08 20:49:31 -04:00
Sugar, David
72cc3e9136 Allow rpm scripts to alter systemd services 
In RPM scripts it is common to enable/start services that are being
installed.  This allows rpm_script_t to manage sysemd units

type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David
66bbd568e4 Allow rpm to map file contexts 
type=AVC msg=audit(1560944465.365:270): avc:  denied  { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David
79fd6ddb3e grant rpm permissions to map locale_t 
type=AVC msg=audit(1560913896.408:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David
8e09ba5637 grant permission for rpm to write to audit log 
Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=?  terminal=? res=success'

These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc:  denied  { audit_write } for  pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1561298132.446:240): avc:  denied  { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { nlmsg_relay } for  pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc:  denied  { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1

v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:37:19 -04:00
Sugar, David
c2f504c25e grant rpm permission to map rpm_var_lib_t 
type=AVC msg=audit(1560913896.432:218): avc:  denied  { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:37:19 -04:00
Chris PeBenito
8c3893e427 Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-06-09 14:05:19 -04:00
Chris PeBenito
3a6b7c1856 logrotate: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-05-27 19:30:24 -04:00
Chris PeBenito
5a8c36f390 logrotate: Make MTA optional. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-05-16 11:48:05 -04:00
Chris PeBenito
2d9ad29d04 dovecot, logrotate: Module version bump. 2019-05-03 20:39:36 -04:00
Laurent Bigonville
83f8240f04 Allow logrotate to execute fail2ban-client 
fail2ban logrotate configuration runs "fail2ban-client flushlogs" after
rotating the logs
 2019-05-03 13:34:16 +02:00
Chris PeBenito
e2e4094bd4 various: Module version bump 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f Add kernel_dgram_send() into logging_send_syslog_msg() 
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-04-16 20:51:55 -04:00
Chris PeBenito
60b8e08f4f systemd, udev, usermanage: Module version bump. 2019-03-11 20:59:21 -04:00
Chris PeBenito
5260679657 usermanage: Move kernel_dgram_send(passwd_t) to systemd block. 2019-03-11 20:59:16 -04:00
Sugar, David
1cc0045642 Resolve denial while changing password 
I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging.  This resolves those denials.

type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-11 20:54:29 -04:00
Chris PeBenito
712e6056d9 aide, clamav: Module version bump. 2019-02-26 19:21:27 -08:00
Sugar, David
59413b10b8 Allow AIDE to mmap files 
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning.  RHEL7 has set this option in the
aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing
aide to map files that it needs.  I have set the default to
false as this seems perfered (in my mind).

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Sugar, David
e5b8318420 Allow AIDE to read kernel sysctl_crypto_t 
type=AVC msg=audit(1550799594.212:164): avc:  denied  { search } for  pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { read } for  pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { open } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc:  denied  { getattr } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Sugar, David
2f063edd88 Allow AIDE to sendto kernel datagram socket 
type=AVC msg=audit(1550799594.394:205): avc:  denied  { sendto } for  pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Chris PeBenito
445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito
30a46e5676 various: Module version bump. 2019-01-23 19:02:01 -05:00
Russell Coker
eba35802cc yet more tiny stuff 
I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.

Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
 2019-01-23 18:32:41 -05:00
Chris PeBenito
bf21c5c0d2 dpkg: Move interface implementations. 2019-01-23 18:30:15 -05:00
Chris PeBenito
ed79766651 dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). 2019-01-23 18:28:51 -05:00
Russell Coker
05cd55fb51 tiny stuff for today 
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
 2019-01-23 18:26:45 -05:00
Chris PeBenito
a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Russell Coker
54136fa311 more tiny stuff 
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.

A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).

The rest should be obvious.
 2019-01-20 16:20:33 -05:00
Chris PeBenito
4a90eae668 usermanage, cron, selinuxutil: Module version bump. 2019-01-14 17:45:24 -05:00
Russell Coker
dcb2d1d8b8 another trivial 
This adds a hostnamed rule and also corrects an error in a previous patch I
sent (a copy/paste error).
 2019-01-14 17:43:15 -05:00
Chris PeBenito
e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Chris PeBenito
e8b70915b1 Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:55:36 -05:00
Russell Coker
da1de46f66 some little stuff 
Tiny and I think they are all obvious.
 2019-01-12 14:16:33 -05:00
Nicolas Iooss
c3b588bc65
init: rename *_pid_* interfaces to use "runtime" 
The name of these interfaces is clearer that way.

This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
 2019-01-12 17:11:00 +01:00
Chris PeBenito
e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Sugar, David
82494cedc1 pam_faillock creates files in /run/faillock 
These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t).  sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.

v3 - Updated based on feedback

type=AVC msg=audit(1545153126.899:210): avc:  denied  { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc:  denied  { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1

type=AVC msg=audit(1545167205.531:626): avc:  denied  { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-06 13:57:18 -05:00
Russell Coker
b77b4cd610 missing from previous 
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
 2019-01-06 13:44:18 -05:00
Russell Coker
ef6c7f155e systemd misc 
This patch has policy changes related to systemd and the systemd versions
of system programs.

Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
 2019-01-06 13:11:51 -05:00
Chris PeBenito
d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Chris PeBenito
da9ff19d94 sudo: Whitespace fix. 2019-01-05 14:17:18 -05:00
Russell Coker
e1babbc375 systemd related interfaces 
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
 2019-01-05 14:17:01 -05:00
Chris PeBenito
6f12a29ecc apt, rpm: Remove and move lines to fix fc conflicts. 2019-01-05 14:09:57 -05:00
Chris PeBenito
39881a0e14 dpkg: Rename dpkg_read_script_tmp_links(). 2019-01-05 13:56:43 -05:00
Russell Coker
5125b8eb2d last misc stuff 
More tiny patches.  Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
 2019-01-05 13:54:38 -05:00
Russell Coker
73f8b85ef3 misc interfaces 
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
 2019-01-05 13:36:20 -05:00
Chris PeBenito
e3eba7b7ff logrotate: Module version bump. 2018-10-13 13:39:18 -04:00