Commit Graph

5417 Commits

Author SHA1 Message Date
Chris PeBenito
eb5fa6e1eb Merge pull request #212 from topimiettinen/deny-generic-files-in-dev 2020-04-09 10:12:01 -04:00
Chris PeBenito
5a9e52f328 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-09 09:41:05 -04:00
Chris PeBenito
5dbdce80f5 pulseaudio: Drop call to nonexistent interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-09 09:40:22 -04:00
Chris PeBenito
d823a4c661 spamassassin: Remove unnecessary brackets in type alias.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-09 09:34:57 -04:00
Chris PeBenito
5b78c1c86b spamassassin: Add missing class requires in systemd interfaces.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-09 09:34:02 -04:00
Chris PeBenito
4cff02edd2 spamassassin: Rename systemd interfaces.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-09 09:33:07 -04:00
Chris PeBenito
b2b385891d spamassassin: Move systemd interfaces.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-09 09:32:25 -04:00
Russell Coker
47b44a0fc7 latest ver of trivial mail server patch
Yes mmap is the standard way of accessing the mail spool.

Removed spamd_gpg_t because there's no point to it, the separation doesn't
provide an actual benefit.

Made the other requested changes.

Signed-off-by: Russell Coker <russell@coker.com.au>
2020-04-09 09:29:10 -04:00
Russell Coker
886aa39bfb pulseaudio patch
Patch for pulseaudio against latest GIT

Signed-off-by: Russell Coker <russell@coker.com.au>
2020-04-09 09:26:31 -04:00
Topi Miettinen
8982ce5945 Don't allow creating regular files in /dev
Init, init scripts and udisks don't need to be able to create regular
files in /dev.

Thanks to Jarkko Sakkinen for the idea.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-07 23:03:16 +03:00
Chris PeBenito
a2ec18d2a3 dbus, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-06 11:40:56 -04:00
Chris PeBenito
ba3818ebcc dbus: Rename tunable to dbus_pass_tuntap_fd.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-06 11:40:02 -04:00
Chris PeBenito
85f3e8efe6 Merge pull request #210 from bauen1/fixup-systemd-user-runtime-dir 2020-04-06 10:50:57 -04:00
Chris PeBenito
f5646b7e75 Merge pull request #209 from dsommers/dbus-can-tuntap-2 2020-04-06 10:50:26 -04:00
bauen1
ca0bcb0b51 systemd-user-runtime-dir: add required permissions
systemd-user-runtime-dir reads /proc/sys/kernel/osrelease and the
selinux config
2020-04-04 16:56:19 +02:00
David Sommerseth
79c7859a48 dbus: Add tunable - dbus_can_pass_tuntap_fd
D-Bus services wanting to pass file descriptors for
tun/tap devices need read/write privileges to /dev/tun.

Without this privilege the following denial will happen:

    type=AVC msg=audit(1582227542.557:3045): avc:  denied  { read write } for  pid=1741 comm="dbus-daemon" path="/dev/net/tun" dev="devtmpfs" ino=486 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0

This is needed by OpenVPN 3 Linux, where an unprivileged
process (openvpn3-service-client) requests a tun device
from a privileged service (openvpn3-service-netcfg) over
the D-Bus system bus.

GitHub-Issue: #190
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-04-02 22:40:00 +02:00
Chris PeBenito
d38afda010 Makefile: Remove shell brace expansion in ctags target.
This doesn't work on dash, the default shell on Debian.

Closes #110

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-01 15:01:50 -04:00
Chris PeBenito
eff4494519 corecommands, init, lvm, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-01 13:15:28 -04:00
Chris PeBenito
a78ba97105 Merge pull request #197 from dsugar100/generator 2020-04-01 13:14:03 -04:00
Dave Sugar
ea2dc052c7 Setup generic generator attribute and change generator types.
I'm seeing problems on RHEL7 with lvm2-activation-generator that are
coming from recent changes to put systemd-fstab-generator into its
own domain.  I resolved the issues by creating this generator attribute
to grant common generator permissions and move all generators into
a single systemd_generator_t domain.

Then setup specific types for the following generators:
lvm2-activation-generator - needs to read lvm2 config
systemd-sysv-generator - needs to read stuff in init_t that other generators don't.
systemd-efi-boot-generator -  needs to read stuff on the EFI boot partition labeled boot_t

For fstab generator allow it to write /sys

[   19.482951] type=1400 audit(1584548691.268:7): avc:  denied  { write } for  pid=1638 comm="systemd-fstab-g" name="/" dev="sysfs" ino=1 Allow scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1

audit(1585500099.139:6): avc:  denied  { read } for  pid=1635 comm="systemd-cryptse" path="/run/systemd/generator/dev-mapper-luks\x2d6a613af0\x2d0a61\x2d462f\x2d8679\x2d1b0d964fbc88.device.d/.#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
audit(1585500099.139:7): avc:  denied  { setattr } for  pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
audit(1585500099.139:8): avc:  denied  { rename } for  pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-03-31 22:54:41 -04:00
Chris PeBenito
07c77bf481 Merge pull request #202 from cgzones/build_misc 2020-03-31 14:08:48 -04:00
Chris PeBenito
2effe84e27 systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-31 14:06:26 -04:00
Chris PeBenito
581062e28d Merge pull request #206 from cgzones/genfs_seclabel_symlinks 2020-03-31 14:05:59 -04:00
Chris PeBenito
991b366047 Merge pull request #205 from dburgener/template-to-interface 2020-03-31 14:05:47 -04:00
Chris PeBenito
4a5d656ee6 Merge pull request #204 from dburgener/systemd-coredump-mountpoint 2020-03-31 14:05:32 -04:00
Christian Göttsche
c43fb57221 Correct estimate kernel version for polcap genfs_seclabel_symlinks
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-03-31 17:11:41 +02:00
Daniel Burgener
6409045cdc Change incorrect template definitions into interface definitions
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-03-28 14:08:57 -04:00
Daniel Burgener
956a8ceb47 Allow systemd-coredump to stat mountpoints.
When getting dumps from a crash in a mount namespace, systemd wants to run stat on the root in that namespace

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-03-27 10:20:26 -04:00
Christian Göttsche
0ee922264a Rules: allow the usage of class sets in context_defaults
Allow class sets, e.g. defined in policy/support/obj_perm_sets.spt, to
be used in default_* statements in the file policy/context_defaults

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-03-23 17:17:15 +01:00
Chris PeBenito
dc1a274f06 corenetwork, devices, bluetooth: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-22 17:20:42 -04:00
Chris PeBenito
efa13957eb Merge pull request #200 from fajs/flosch/winshadow-port 2020-03-22 17:00:13 -04:00
Chris PeBenito
7dc5df7ea4 Merge pull request #199 from bigon/bluetoothd 2020-03-22 17:00:06 -04:00
Chris PeBenito
3fb1dd3622 Merge pull request #198 from dsugar100/label_devices 2020-03-22 16:59:27 -04:00
Florian Schmidt
c0d7ddaa5e corenetwork: fix winshadow port number
According to IANA, winshadow is port 3261 for both TCP and UDP.
3161 for TCP looks like a typo that slipped through.

Signed-off-by: Florian Schmidt <flosch@nutanix.com>
2020-03-20 14:58:56 +00:00
Laurent Bigonville
6c810a07c9 Label bluetooth daemon as bluetooth_exec_t
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2020-03-20 13:00:48 +01:00
Dave Sugar
c6c2983c29 Update labeling in /dev/
There is a STIG requirement (CCE-27326-8) that all files in /dev be labeled (something other than 'device_t'). On the systems I am working on there are a few files labeled device_t.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2020-03-19 14:48:34 -04:00
Chris PeBenito
2b94966763 devices, userdomain: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-19 14:31:59 -04:00
Chris PeBenito
d046419bf4 Merge pull request #178 from gtrentalancia/master 2020-03-19 14:16:28 -04:00
Chris PeBenito
b2cc317a64 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-19 14:07:12 -04:00
Chris PeBenito
1f6ef018db networkmanager: Fix interface commenting.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-19 14:04:13 -04:00
Chris PeBenito
9ee2a6d42e Makefile: Warn if policy.xml xmllint check does not run.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-03-19 13:59:06 -04:00
Chris PeBenito
ecfaae80de Merge pull request #192 from topimiettinen/raw_memory_access_boolean 2020-03-19 13:07:57 -04:00
Chris PeBenito
7f3f512ef2 Merge pull request #191 from topimiettinen/add-usbguard 2020-03-19 13:07:05 -04:00
Chris PeBenito
b3959fb415 Merge pull request #196 from gtrentalancia/watch-perms 2020-03-19 13:05:42 -04:00
Guido Trentalancia
bf806fd589 userdomain: add watch perms
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/system/miscfiles.if  |   19 +++++++++++++++++++
 policy/modules/system/userdomain.if |    6 ++++++
 2 files changed, 25 insertions(+)
2020-03-19 05:50:42 +01:00
Guido Trentalancia
8c72952ea4 getty: add watch perms
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/system/getty.te |    1 +
 1 file changed, 1 insertion(+)
2020-03-19 05:50:11 +01:00
Guido Trentalancia
77174969ba wm: add watch perms
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/apps/wm.if                 |    4 ++++
 policy/modules/services/networkmanager.if |   18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
2020-03-19 05:41:43 +01:00
Guido Trentalancia
0cd4068aea mozilla: add watch perms
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/apps/mozilla.te |    2 ++
 1 file changed, 2 insertions(+)
2020-03-19 05:41:43 +01:00
Topi Miettinen
1d2fb171b5 Add usbguard
Usbguard enforces the USB device authorization policy for all USB
devices. Users can be authorized to manage rules and make device
authorization decisions using a command line tool.

Add rules for usbguard. Optionally, allow authorized users to control
the daemon, which requires usbguard-daemon to be able to modify its rules
in /etc/usbguard.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-03-18 20:23:38 +02:00
Chris PeBenito
0e9b6995cd Merge pull request #194 from dburgener/support-dnl
Add dnl builtins to places in support macros where blocks ending in n…
2020-03-18 12:41:57 -04:00