nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,823 Commits 1 Branch 0 Tags 16 MiB
ed5d860a8c
Commit Graph

3888 Commits

Author SHA1 Message Date
Chris PeBenito
fb95355f98 certbot: Drop aliases since they have never had the old names in refpolicy. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 09:01:40 -05:00
Chris PeBenito
3927e3ca50 certbot: Whitespace changes. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 09:01:09 -05:00
Russell Coker
08d32dbc2d latest iteration of certbot policy as patch 
Same .te as sent a few days ago, but as a patch and with the other
files needed.  I think this is ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-01-19 08:49:30 -05:00
Chris PeBenito
437e0c4b97 chromium: Move naclhelper lines. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 08:39:53 -05:00
Chris PeBenito
34a8c10cb9 chromium: Whitespace changes. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 08:39:45 -05:00
Russell Coker
31a2b463f7 base chrome/chromium patch fixed 
This patch is the one I described as "another chromium patch" on the 10th of
April last year, but with the issues addressed, and the
chromium_t:file manage_file_perms removed as requested.

I believe it's ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-01-19 08:39:40 -05:00
Kenton Groombridge
fb377e0953
virt: add boolean to allow evdev passthrough 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-01-14 18:22:14 -05:00
Chris PeBenito
7b15003eae Remove modules for programs that are deprecated or no longer supported. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-14 17:14:30 -05:00
Daniel Burgener
93f5fe30f3 Fix typo in comment 
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
 2021-01-14 15:07:34 -05:00
Chris PeBenito
bb471c3f1c various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:20:47 -05:00
Chris PeBenito
df5227d6d7 devicekit: Udisks uses udevadm, it does not exec udev. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:12:18 -05:00
Chris PeBenito
ac51d56ddc udev: Systemd 246 merged udev and udevadm executables. 
Drop init_system_domain() for udevadm to break type transition conflicts.
Also fix interface naming issues for udevadm interfaces.

Fixes #292

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:12:18 -05:00
Chris PeBenito
6c69f6e3de udev: Drop udev_tbl_t. 
This usage under /dev/.udev has been unused for a very long time and
replaced by functionality in /run/udev.  Since these have separate types,
take this opportunity to revoke these likely unnecessary rules.

Fixes #221

Derived from Laurent Bigonville's work in #230

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:12:11 -05:00
Chris PeBenito
8c756108db corosync, pacemaker: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 14:46:10 -05:00
Kenton Groombridge
03713214e2
devices: add interface for IOCTL on input devices 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-01-13 10:04:53 -05:00
David Schadlich
9fd6bcbcf5 add policy for pcs_snmp_agent 
create corosync_read_state interface, used by pcs_snmp_agent policy

update file context list for corosync to include corosync-cmapctl, this allows pcs_snmp_agent to domtrans when calling it

denial for execmem
type=AVC msg=audit(1610036202.427:3772): avc:  denied  { execmem } for  pid=10875 comm="ruby" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pcs_snmp_agent_t:s0 tclass=process permissive=1

create contexts for pcs_snmp_agent_t and allow it some self permissions

allow pcs_snmp_agent_t to create allows and transision context of those logs

allow pcs_snmp_agent_t to read kernel sysctls

allow pcs_snmp_agent_t to exec bin_t

allow pcs_snmp_agent_t to access pacemaker's cluster information base (cib)
type=AVC msg=audit(1610037438.918:4524): avc:  denied  { read write } for  pid=14866 comm="cibadmin" name="qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037438.918:4524): avc:  denied  { open } for  pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1610037438.918:4524): arch=c000003e syscall=2 success=yes exit=5 a0=7ffe28cb09e0 a1=2 a2=180 a3=7ffe28cb02a0 items=1 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
type=AVC msg=audit(1610037438.919:4525): avc:  denied  { map } for  pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1610037438.919:4525): arch=c000003e syscall=9 success=yes exit=140505675866112 a0=0 a1=203c a2=3 a3=1 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
type=AVC msg=audit(1610037438.906:4523): avc:  denied  { connectto } for  pid=14866 comm="cibadmin" path=006369625F72770000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1610037438.906:4523): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe28cb2a40 a2=6e a3=7ffe28cb2460 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)

allow pcs_snmp_agent_t to read files with usr_t context
type=AVC msg=audit(1610037437.737:4513): avc:  denied  { getattr } for  pid=14857 comm="ruby" path="/usr/share/ruby/json.rb" dev="dm-0" ino=78097 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1610037439.029:4532): avc:  denied  { read } for  pid=14869 comm="crm_mon" name="pacemaker" dev="dm-0" ino=78392 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610037561.019:4615): avc:  denied  { read } for  pid=15257 comm="ruby" name="rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.019:4615): avc:  denied  { open } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.019:4616): avc:  denied  { getattr } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.020:4617): avc:  denied  { ioctl } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 ioctlcmd=5401 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to to get cgroup information
type=AVC msg=audit(1610036387.957:3864): avc:  denied  { getattr } for  pid=11499 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/pacemaker.service/cgroup.procs" dev="cgroup" ino=31992 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610036480.913:3921): avc:  denied  { read } for  pid=11807 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036665.036:4019): avc:  denied  { read } for  pid=12401 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036788.922:4099): avc:  denied  { read } for  pid=12798 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036944.042:4202): avc:  denied  { read } for  pid=13302 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036977.714:4223): avc:  denied  { read } for  pid=13416 comm="systemctl" name="cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610036977.714:4223): avc:  denied  { open } for  pid=13416 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/corosync.service/cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read nsswitch
type=AVC msg=audit(1610037562.211:4626): avc:  denied  { open } for  pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037562.212:4627): avc:  denied  { getattr } for  pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read zoneinfo
type=AVC msg=audit(1610035641.390:3398): avc:  denied  { search } for  pid=3838 comm="pcs_snmp_agent" name="zoneinfo" dev="dm-0" ino=69241 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610035767.532:3480): avc:  denied  { getattr } for  pid=3838 comm="pcs_snmp_agent" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610035767.664:3481): avc:  denied  { read } for  pid=9488 comm="ruby" name="GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610035767.664:3481): avc:  denied  { open } for  pid=9488 comm="ruby" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read certificates
type=AVC msg=audit(1610037375.994:4485): avc:  denied  { getattr } for  pid=14660 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037499.874:4565): avc:  denied  { read } for  pid=15055 comm="ruby" name="cert.pem" dev="dm-0" ino=38537 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1610037529.975:4584): avc:  denied  { read } for  pid=15144 comm="ruby" name="tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037529.975:4584): avc:  denied  { open } for  pid=15144 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t get service status

type=USER_AVC msg=audit(1610034251.683:2349): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/pacemaker.service" cmdline="systemctl status pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0
tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1610034251.773:2363): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="systemctl is-enabled pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=s
ystem  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1610034252.626:2367): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="systemctl status pacemaker_remote.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclas
s=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=AVC msg=audit(1610034251.757:2361): avc:  denied  { getattr } for  pid=4342 comm="systemctl" path="/etc/systemd/system" dev="dm-0" ino=38595 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

allow pcs_snmp_agent_t to search init_t dirs
type=AVC msg=audit(1610037317.490:4460): avc:  denied  { search } for  pid=14489 comm="systemctl" name="1" dev="proc" ino=9242 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1

allow pcs_snmp_agent_t to connecto to systemd unix socket
type=AVC msg=audit(1610037533.196:4600): avc:  denied  { connectto } for  pid=15174 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1

allow pcs_snmp_agent_t to run corosync in corosync_t domain
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { execute } for  pid=14859 comm="ruby" name="corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { read open } for  pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { execute_no_trans } for  pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { map } for  pid=14859 comm="corosync" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610034246.149:2265): avc:  denied  { execute } for  pid=4258 comm="ruby" name="corosync-cmapctl" dev="dm-0" ino=57635 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read corosync state
type=AVC msg=audit(1610037503.610:4570): avc:  denied  { open } for  pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037503.611:4571): avc:  denied  { getattr } for  pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to exec hostname
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { execute } for  pid=14951 comm="ruby" name="hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { read open } for  pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { execute_no_trans } for  pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { map } for  pid=14951 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to connecto to snmp socket
type=AVC msg=audit(1610034242.897:2197): avc:  denied  { write } for  pid=3838 comm="pcs_snmp_agent" name="master" dev="tmpfs" ino=30868 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1610034242.897:2197): avc:  denied  { connectto } for  pid=3838 comm="pcs_snmp_agent" path="/var/agentx/master" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket permissive=1

allow pcs_snmp_agent_t to read systemd journal files
type=AVC msg=audit(1610037472.176:4552): avc:  denied  { map } for  pid=14980 comm="systemctl" path="/var/log/journal/c7aa97546e1f4d3783a3aeffeeb749e3/system.journal" dev="tmpfs" ino=146184 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037533.220:4602): avc:  denied  { read } for  pid=15174 comm="systemctl" name="/" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610037533.220:4602): avc:  denied  { open } for  pid=15174 comm="systemctl" path="/var/log/journal" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1

Signed-off-by: David Schadlich <dschadlich@owlcyberdefense.com>
 2021-01-12 10:30:32 -05:00
Chris PeBenito
010692dda2
Merge pull request #326 from dburgener/no-self 
Use self keyword when an AV rule source type matches destination
 2021-01-04 09:14:46 -05:00
Chris PeBenito
8a1bc98a31 authlogin, init, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-17 09:23:18 -05:00
Chris PeBenito
a63c24c6b7 Merge pull request #269 from bauen1/systemd-userdb 2020-12-17 09:22:55 -05:00
Daniel Burgener
37cc0aae1d Use self keyword when an AV rule source type matches destination 
This is reported in a new SELint check in soon to be released selint version 1.2.0

Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
 2020-12-15 10:29:52 -05:00
Peter Morrow
b3bfd10ccd selinux: add selinux_get_all_booleans() interface 
Allow the caller to read the state of selinuxfs booleans.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
 2020-12-15 15:19:30 +00:00
Chris PeBenito
cef667fa31 systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-15 09:40:48 -05:00
Chris PeBenito
2c2d27ce70 Merge pull request #324 from dburgener/dburgener/systemd-watch 2020-12-15 09:33:50 -05:00
Daniel Burgener
b3204ea4c1 Allow systemd-ask-password to watch files 
On systems that use plymouth, systemd-ask-password may set watches on
the contents on /run/systemd/ask-password, whereas other scenarions only
set watch on the parent directory.

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
 2020-12-11 19:47:13 +00:00
Chris PeBenito
c8c418267d systemd: Add systemd-tty-ask watch for /run/systemd/ask-password. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-12-11 19:45:54 +00:00
Chris PeBenito
87c4adc790 kernel, modutils, userdomain, xserver: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-08 15:13:57 -05:00
Chris PeBenito
97eda18388 Merge pull request #323 from dsugar100/master 2020-12-08 15:09:54 -05:00
Chris PeBenito
7fd6d78c2c userdomain: Fix error in calling userdom_xdg_user_template(). 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-08 15:09:27 -05:00
Chris PeBenito
cdfcec0e9a Merge pull request #320 from 0xC0ncord/master 2020-12-08 15:01:27 -05:00
0xC0ncord
1d15c9e009
userdomain, xserver: move xdg rules to userdom_xdg_user_template 
xdg rules are normally set in xserver. But, if a modular policy is being
used and the xserver module is not present, the required rules for users
to be able to access xdg content are never created and thus these files
and directories cannot be interacted with by users. This change adds a
new template that can be called to grant these privileges to userdomain
types as necessary.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2020-12-08 10:59:17 -05:00
Dave Sugar
ca5f1a5662 Allow systemd-modules-load to search kernel keys 
I was seeing the following errors from systemd-modules-load without this search permission.

Dec  7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available
Dec  7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13
Dec  7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE
Dec  7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load"
Dec  7 14:36:19 systemd: Failed to start Load Kernel Modules.

This is the denial:

Dec  7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc:  denied { search } for  pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-12-08 10:51:44 -05:00
Chris PeBenito
699268ff41 init, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-04 13:32:57 -05:00
Chris PeBenito
b31d8308da systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to systemd_stream_connect_socket_proxyd(). 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-04 13:31:22 -05:00
Chris PeBenito
42b184c2a8 systemd: Whitespace changes. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-04 13:31:17 -05:00
(GalaxyMaster)
c98d287fa3 added policy for systemd-socket-proxyd 
Signed-off-by: (GalaxyMaster) <galaxy4public@users.noreply.github.com>
 2020-12-02 17:38:00 +11:00
Chris PeBenito
fe29a74cad various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-11-22 14:03:11 -05:00
Jason Zaman
d03b8ffdf5 systemd: make remaining dbus_* optional 
Almost all calls to dbus_ interfaces were already optional, this makes
the remaining one optional_policy so that the modules can be installed /
upgraded easier.

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jason Zaman
6dd6823280 init: upstream fcontexts from gentoo policy 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jason Zaman
c9880f52d5 Add transition on gentoo init_t to openrc 
Commit "init: replace call to init_domtrans_script"
(be231899f5c7f0882843942624dd268f99bab141 in upstream repo)
removed the call to init_domtrans_script which removed the openrc
domtrans. This adds it back directly in the distro_gentoo block.

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jonathan Davies
b1927e9f39 init: Added fcontext for openrc-shutdown. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jonathan Davies
b7acd3c4f9 init: Added fcontext for openrc-init. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jonathan Davies
1a39e4dfbe portage: Added /var/cache/distfiles path. 
Closes: https://github.com/perfinion/hardened-refpolicy/pull/1
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jason Zaman
0ad23a33ef getty: allow watching file /run/agetty.reload 
avc:  denied  { watch } for  pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jason Zaman
a98f25ce73 userdomain: Add watch on home dirs 
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Chris PeBenito
82c0b4dd3e dbus: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-11-20 09:54:32 -05:00
Daniel Burgener
47c495d6f1 Allow init to mount over the system bus 
In portable profiles, systemd bind mounts the system bus into process
namespaces

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
 2020-11-13 14:44:22 +00:00
Chris PeBenito
f1b83f8ef4 lvm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-11-09 11:45:32 -05:00
Guido Trentalancia
7122154c19 Add LVM module permissions needed to open cryptsetup devices. 
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/lvm.te |    2 ++
 1 file changed, 2 insertions(+)
 2020-11-09 15:43:01 +01:00
Chris PeBenito
aa8d432584 filesystem, xen: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-11-05 06:55:25 -05:00
Anthony PERARD
4f23a54b52 xen: Allow xenstored to map /proc/xen/xsd_kva 
xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux
boolean "domain_can_mmap_files" in CentOS is set to false the mmap()
call fails.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
 2020-11-05 06:55:17 -05:00
Dannick Pomerleau
b5bc33bc9c access_vectors: Add new capabilities to cap2 
Updated location of capability definitions to point to current location within kernel source code.

CAP_BPF and CAP_PERFMON mainlined in: cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2, original commit: a17b53c4a4b55ec322c132b6670743612229ee9c
CAP_CHECKPOINT_RESTORE mainlined in: 74858abbb1032222f922487fd1a24513bbed80f9, original commit: 124ea650d3072b005457faed69909221c2905a1f

The missing capabilities were noticed on archlinux with kernel 5.8.14-arch1-1.

Signed-off-by: Dannick Pomerleau <dannickp@hotmail.com>
 2020-10-15 20:55:35 -04:00
Chris PeBenito
493f56b59d corosync, pacemaker: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-10-13 15:25:24 -04:00
Dave Sugar
871348f040 Allow pacemaker to map/read/write corosync shared memory files 
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc:  denied  { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc:  denied  { open } for  pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc:  denied  { map } for  pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-10-13 13:44:18 -04:00
Dave Sugar
f36e39b45e pacemaker systemd permissions 
Allow pacemaker to get status of all running services and reload systemd

Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Allow pacemaker to start/sotp all units (when enabled)

Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Allow for dynamic creation of unit files (with private type)

By using a private type pacemaker doesn't need permission to
read/write all init_runtime_t files.

Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { write } for  pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { add_name } for  pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { create } for  pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc:  denied  { create } for  pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc:  denied  { write open } for  pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc:  denied  { getattr } for  pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-10-13 13:44:18 -04:00
Dave Sugar
428cc2ef9c To get pacemaker working in enforcing 
Allow pacemaker to map its shared memory

Sep 27 00:30:32 localhost audispd: node=virtual type=AVC msg=audit(1601166632.229:2936): avc:  denied  { map } for  pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1

Label pacemaker private log file

Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc:  denied  { write } for  pid=7168 comm="pacemakerd" name="/" dev="tmpfs" ino=13995 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc:  denied  { add_name } for  pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc:  denied  { create } for  pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc:  denied  { append open } for pid=7168 comm="pacemakerd" path="/var/log/pacemaker.log" dev="tmpfs" ino=32670 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1

It writes to log, but also reads

Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.381:2892): avc:  denied  { read } for  pid=7177 comm="pengine" name="pacemaker.log" dev="tmpfs" ino=35813 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_log_t:s0 tclass=file permissive=1

Pacemaker can read stuff in /usr/share/pacemaker/

Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc:  denied  { read } for  pid=7173 comm="cib" name="pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc:  denied  { open } for  pid=7173 comm="cib" path="/usr/share/pacemaker/pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

pacemaker dbus related stuff

Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc:  denied  { write } for  pid=7175 comm="lrmd" name="system_bus_socket" dev="tmpfs" ino=13960 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc:  denied  { connectto } for pid=7175 comm="lrmd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.763:2954): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=7175 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.767:2959): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.12 spid=1 tpid=7175 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Pacemaker execute network monitoring

Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2962): avc:  denied  { getattr } for  pid=7581 comm="which" path="/usr/sbin/arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.778:2963): avc:  denied  { execute } for  pid=7551 comm="ethmonitor" name="arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.766:2956): avc:  denied  { getattr } for  pid=7556 comm="which" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.767:2957): avc:  denied  { execute } for  pid=7541 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2960): avc:  denied  { read } for  pid=7582 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc:  denied  { open } for  pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc:  denied  { execute_no_trans } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc:  denied  { map } for  pid=7582 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc:  denied  { nlmsg_write } for  pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc:  denied  { net_admin } for  pid=7617 comm="ip" capability=12  scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc:  denied  { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1

Update pacemaker process perms

Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.729:2950): avc:  denied  { getsched } for  pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.730:2951): avc:  denied  { setsched } for  pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 27 00:30:59 localhost audispd: node=virtual type=AVC msg=audit(1601166659.606:2967): avc:  denied  { signull } for  pid=7178 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1

pacemaker network communication

Sep 29 01:46:08 localhost audispd: node=virtual type=AVC msg=audit(1601343968.444:2963): avc:  denied  { node_bind } for pid=7681 comm="send_arp" saddr=192.168.11.12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
Sep 29 02:08:25 localhost audispd: node=virtual type=AVC msg=audit(1601345305.150:3137): avc:  denied  { net_raw } for  pid=8317 comm="send_arp" capability=13  scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3094): avc:  denied  { getcap } for  pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3095): avc:  denied  { setcap } for  pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1

Let pacemaker exec lib_t files

Oct  1 14:48:25 localhost audispd: node=virtual type=AVC msg=audit(1601563705.848:2242): avc:  denied  { execute_no_trans } for pid=6909 comm="crm_resource" path="/usr/lib/ocf/resource.d/heartbeat/IPsrcaddr" dev="dm-0" ino=82111 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Oct  1 15:01:31 localhost audispd: node=virtual type=AVC msg=audit(1601564491.091:2353): avc:  denied  { execute_no_trans } for pid=8285 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/ethmonitor" dev="dm-0" ino=82129 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Oct  1 14:49:21 localhost audispd: node=virtual type=AVC msg=audit(1601563761.158:2265): avc:  denied  { execute_no_trans } for pid=7307 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/IPaddr2" dev="dm-0" ino=82110 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-10-13 13:43:41 -04:00
Dave Sugar
ea1e0e7a9b Updates for corosync to work in enforcing 
Allow corosync to map its own shared memory

Sep 26 18:45:02 localhost audispd: node=virtual type=AVC msg=audit(1601145902.400:2972): avc:  denied  { map } for  pid=6903 comm="corosync" path="/dev/shm/qb-6903-7028-31-FGGoGv/qb-request-cmap-header" dev="tmpfs" ino=40759 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1

Setup corosync lock file type

Sep 27 17:20:07 localhost audispd: node=virtual type=PATH msg=audit(1601227207.522:3421): item=1 name="/var/lock/subsys/corosync" inode=35029 dev=00:14 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc:  denied  { read } for  pid=6748 comm="corosync" name="lock" dev="dm-0" ino=13082 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc:  denied  { search } for  pid=6748 comm="corosync" name="lock" dev="tmpfs" ino=10248 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { add_name } for  pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { create } for  pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { write open } for pid=7066 comm="touch" path="/run/lock/subsys/corosync" dev="tmpfs" ino=35048 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

On RHEL7 systemd executes '/usr/share/corosync/corosync start' to start, label these files.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-10-13 10:28:00 -04:00
Chris PeBenito
14a45a594b devices, filesystem, systemd, ntp: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-10-09 09:45:11 -04:00
Chris PeBenito
785677771d Merge pull request #313 from bootlin/buildroot-systemd-fixes 2020-10-09 09:42:40 -04:00
Chris PeBenito
b5525a3fca systemd: Move systemd-pstore block up in alphabetical order. 
No rule change.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-10-09 09:42:31 -04:00
Antoine Tenart
35a417d0ef ntp: allow systemd-timesyn to setfscreate 
Fixes:

avc:  denied  { setfscreate } for  pid=68 comm="systemd-timesyn"
scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t
tclass=process permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-10-09 08:58:31 +02:00
Antoine Tenart
32e5008867 ntp: allow systemd-timesyn to watch dbus objects 
Fixes:

avc:  denied  { watch } for  pid=68 comm="systemd-timesyn"
path="/run/dbus" dev="tmpfs" ino=2707 scontext=system_u:system_r:ntpd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir
permissive=1

avc:  denied  { watch } for  pid=68 comm="systemd-timesyn"
path="/run/dbus/system_bus_socket" dev="tmpfs" ino=2716
scontext=system_u:system_r:ntpd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-10-09 08:58:31 +02:00
Antoine Tenart
e9228b49bb systemd: allow systemd-network to list the runtime directory 
Fixes:

avc:  denied  { read } for  pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1

avc:  denied  { read } for  pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-10-09 08:58:31 +02:00
Antoine Tenart
49a0771dd3 systemd: allow systemd-getty-generator to read and write unallocated ttys 
Fixes:

avc:  denied  { read write } for  pid=40 comm="systemd-getty-g"
name="ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1

avc:  denied  { open } for  pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1

avc:  denied  { ioctl } for  pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-10-09 08:58:31 +02:00
Deepak Rawat
f5c8a117d9 Add selinux-policy for systemd-pstore service 
systemd-pstore is a service to archive contents of pstore.

Signed-off-by: Deepak Rawat <drawat.floss@gmail.com>
 2020-10-09 03:20:09 +00:00
Chris PeBenito
bc7a84d643 snmp: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-10-05 09:55:13 -04:00
Dave Sugar
9da3f3a131 Allow snmpd to read hwdata 
Oct  1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2198): avc:  denied  { getattr } for  pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Oct  1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc:  denied  { read } for  pid=4114 comm="snmpd" name="pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Oct  1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc:  denied  { open } for  pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-10-01 22:11:28 -04:00
Chris PeBenito
39e2af539d corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-09-22 08:27:05 -04:00
Chris PeBenito
941620c89c Merge pull request #309 from yizhao1/dhcpcd 2020-09-22 08:23:49 -04:00
Antoine Tenart
86476f30cf corecommands: add entry for Busybox shell 
Fixes:

vc:  denied  { execute } for  pid=87 comm="login" name="sh" dev="vda"
ino=408 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-21 16:25:09 +02:00
Antoine Tenart
fdda7befa5 systemd: allow systemd-resolve to read in tmpfs 
Fixes:
avc:  denied  { read } for  pid=76 comm="systemd-resolve" name="/"
dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-21 16:25:09 +02:00
Antoine Tenart
34547434b8 systemd: allow systemd-network to get attributes of fs 
Fixes:

avc:  denied  { getattr } for  pid=57 comm="systemd-network" name="/"
dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-21 16:25:09 +02:00
Antoine Tenart
1ee738f708 systemd: allow systemd-hwdb to search init runtime directories 
Fixes:

avc:  denied  { search } for  pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1

avc:  denied  { search } for  pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-21 16:15:37 +02:00
Antoine Tenart
f71d288e54 systemd: add extra systemd_generator_t rules 
Fixes:

avc:  denied  { setfscreate } for  pid=41 comm="systemd-getty-g"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=process
permissive=1

avc:  denied  { dac_override } for  pid=40 comm="systemd-fstab-g"
capability=1  scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=capability
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-21 16:15:37 +02:00
Antoine Tenart
f99b6907f4 dbus: allow clients to list runtime dirs and named sockets 
Fixes:

avc:  denied  { read } for  pid=77 comm="systemd-resolve" name="dbus"
dev="tmpfs" ino=2748 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir
permissive=1

avc:  denied  { read } for  pid=77 comm="systemd-resolve"
name="system_bus_socket" dev="tmpfs" ino=2765
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file
permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network" name="dbus"
dev="tmpfs" ino=2777 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir
permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network"
name="system_bus_socket" dev="tmpfs" ino=2791
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-21 16:15:37 +02:00
Antoine Tenart
66c2ff9060 dbus: add two interfaces to allow reading from directories and named sockets 
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-21 16:15:37 +02:00
Yi Zhao
25251b1f3b sysnet: allow dhcpcd to create socket file 
The dhcpcd needs to create socket file under /run/dhcpcd directory.

Fixes:
AVC avc:  denied  { create } for  pid=331 comm="dhcpcd" name="eth0.sock"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0

AVC avc:  denied  { setattr } for  pid=331 comm="dhcpcd"
name="eth0.sock" dev="tmpfs" ino=19153
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0

AVC avc:  denied  { sendto } for  pid=331 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=unix_dgram_socket permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2020-09-21 14:23:09 +08:00
Antoine Tenart
23f1e4316b sysnetwork: allow to read network configuration files 
Fixes:

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { search } for  pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart
5c604e806b logging: allow systemd-journal to write messages to the audit socket 
Fixes:

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart
8cb806fbdf locallogin: allow login to get attributes of procfs 
Fixes:
avc:  denied  { getattr } for  pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart
7014af08ff udev: allow udevadm to retrieve xattrs 
Fixes:

avc:  denied  { getattr } for  pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

avc:  denied  { getattr } for  pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Chris PeBenito
c33866e1f6 selinux, init, systemd, rpm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-09-09 16:55:06 -04:00
Chris PeBenito
4e2b3545c6 Merge pull request #308 from cgzones/systemd_status 2020-09-09 16:54:23 -04:00
Christian Göttsche
24827d8073 selinux: add selinux_use_status_page and deprecate selinux_map_security_files 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-09-09 21:00:47 +02:00
Chris PeBenito
a0aee3cbcc bind: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-09-09 11:25:28 -04:00
Dominick Grift
93113bce78 bind: add a few fc specs for unbound 
unbound-checkconf is the unbound bind-checkconf equivalent
unbound-control is the unbound bind ndc equivalent

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
 2020-09-09 11:24:43 -04:00
Christian Göttsche
1103350ee3 init/systemd: allow systemd to map the SELinux status page 
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.

see https://github.com/systemd/systemd/pull/16821

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-09-08 13:18:18 +02:00
Chris PeBenito
dcf7ae9f48 userdomain: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-31 15:36:14 -04:00
Jonathan Davies
9d3321e4fe userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded. 
Thanks to Dominick Grift for helping me pin-point this.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2020-08-29 20:43:38 +00:00
Chris PeBenito
72e221fd4d various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-28 15:30:52 -04:00
Chris PeBenito
cc15ff2086 Merge pull request #302 from dsugar100/master 2020-08-28 15:26:50 -04:00
Chris PeBenito
74b37e16db Merge pull request #301 from bauen1/fix-selint-s-010 2020-08-28 15:26:47 -04:00
bauen1
fa59d0e9bc
selint: fix S-010 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-08-28 17:39:09 +02:00
Dave Sugar
1627ab361e Looks like this got dropped in pull request #294 
Seeing the following denial - adding back in:
localhost kernel: type=1400 audit(1598497795.109:57): avc:  denied  { map } for  pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
 2020-08-27 08:10:58 -04:00
Chris PeBenito
f8b0c1641c acpi: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-26 12:52:59 -07:00
Chris PeBenito
3991ecf54f Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into jpds-acpid_shutdown 2020-08-26 12:49:14 -07:00
Jonathan Davies
99ad371868 acpi.te: Removed unnecessary init_write_initctl(). 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2020-08-25 22:53:40 +00:00
Christian Göttsche
850fefc626 postfixpolicyd: split multi-class rule 
The rule uses the permission manage_file_perms on the classes file and
sock_file.  This won't result in a change in the actual policy
generated, but if the definitions of macros are changed going forward,
the mismatches could cause issues.

Found by SELint

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-25 20:44:16 +02:00
bauen1
b172fd71d2
systemd-logind: utilize nsswitch 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-08-24 16:37:10 +02:00
bauen1
69b709930a
authlogin: connect to userdb 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-08-24 16:37:10 +02:00
bauen1
ada848b352
systemd: private type for /run/systemd/userdb 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-08-24 16:37:07 +02:00