Branch: master
Commits on Apr 17, 2019
  1. various: Module version bump

    pebenito committed Apr 17, 2019
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  2. Add kernel_dgram_send() into logging_send_syslog_msg()

    Sugar, David authored and pebenito committed Apr 15, 2019
    This patch is based on comments from a previous patch to
    remove the many uses of kernel_dgram_send() and incorporate
    it into logging_send_syslog_msg().
    
    v2 - enclose in ifdef for redhat
    v3 - rebase this patch on e41def1
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
Commits on Apr 14, 2019
  1. xserver: Module version bump.

    pebenito committed Apr 14, 2019
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Commits on Apr 12, 2019
  1. The Qt library version 5 requires to write xserver_tmp_t

    gtrentalancia committed Apr 12, 2019
    files upon starting up applications (tested on version
    5.12.1).
    
    Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
    ---
     policy/modules/services/xserver.if |    3 +++
     1 file changed, 3 insertions(+)
  2. kernel: Module version bump.

    pebenito committed Apr 12, 2019
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  3. Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t

    wrabcak authored and pebenito committed Apr 10, 2019
    CRIU can influence the PID of the threads it wants to create.
    CRIU uses /proc/sys/kernel/ns_last_pid to tell the kernel which
    PID it wants for the next clone().
    So it has to write to that file. This feels problematic as
    it opens up the container writing to all sysctl_kernel_t.
    
    Using the new label, container_t will just write to
    sysctl_kernel_ns_last_pid_t instead of writing to the more generic
    sysctl_kernel_t files.
Commits on Apr 8, 2019
  1. init: Module version bump.

    pebenito committed Apr 8, 2019
Commits on Apr 5, 2019
  1. init: Revise conditions in init_startstop_service().

    pebenito committed Mar 22, 2019
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Commits on Mar 27, 2019
  1. kernel, init, systemd, udev: Module version bump.

    pebenito committed Mar 27, 2019
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  2. Merge pull request #37 from pebenito/master

    pebenito committed Mar 27, 2019
    Misc system fixes.
    
    Remove use of kernel_unconfined() by systemd_nspawn and udev write to its own executable.
  3. ntp, init, lvm: Module version bump.

    pebenito committed Mar 27, 2019
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  4. Denial of cryptsetup reading cracklib database

    Sugar, David authored and pebenito committed Mar 27, 2019
    When setting up a LUKS encrypted partition, cryptsetup is reading
    the cracklib databases to ensure password strength.  This is
    allowing the needed access.
    
    type=AVC msg=audit(1553216939.261:2652): avc:  denied  { search } for  pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
    type=AVC msg=audit(1553216980.909:2686): avc:  denied  { read } for  pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1553216980.909:2686): avc:  denied  { open } for  pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1553216980.909:2687): avc:  denied  { getattr } for  pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
  5. Allow ntpd to read unit files

    Sugar, David authored and pebenito committed Mar 26, 2019
    Adding missing documentation (sorry about that).
    
    type=AVC msg=audit(1553013917.359:9935): avc:  denied  { read } for  pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1553013917.359:9935): avc:  denied  { open } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1553013917.359:9936): avc:  denied  { getattr } for  pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
    
    type=AVC msg=audit(1553013821.622:9902): avc:  denied  { getattr } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1553013821.622:9903): avc:  denied  { read } for  pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1553013821.622:9903): avc:  denied  { open } for  pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
Commits on Mar 24, 2019
  1. authlogin, dbus, ntp: Module version bump.

    pebenito committed Mar 24, 2019
  2. Resolve denial about logging to journal from dbus

    Sugar, David authored and pebenito committed Mar 21, 2019
    type=AVC msg=audit(1553013821.597:9897): avc:  denied  { sendto } for  pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
  3. Resolve denial about logging to journal from chkpwd

    Sugar, David authored and pebenito committed Mar 21, 2019
    type=AVC msg=audit(1553029357.588:513): avc:  denied  { sendto } for  pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
  4. Allow ntpd to update timezone symlink

    Sugar, David authored and pebenito committed Mar 20, 2019
    type=AVC msg=audit(1553013821.624:9907): avc:  denied  { create } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
    type=AVC msg=audit(1553013821.624:9908): avc:  denied  { rename } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
    type=AVC msg=audit(1553013821.624:9908): avc:  denied  { unlink } for  pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
  5. Allow ntpd to update chronyd service

    Sugar, David authored and pebenito committed Mar 20, 2019
    type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?
    type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
    type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
    type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
  6. Add interface ntp_dbus_chat

    Sugar, David authored and pebenito committed Mar 20, 2019
    type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
Commits on Mar 20, 2019
  1. init: Remove duplicate setenforce rule for init scripts.

    pebenito committed Mar 18, 2019
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  2. udev: Drop write by udev to its executable.

    pebenito committed Mar 15, 2019
    This removes one vector for arbitrary code execution if udev is
    compromised.
    
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  3. systemd: Drop unconfined kernel access for systemd_nspawn.

    pebenito committed Mar 15, 2019
    Revise kernel assertion to /proc/kmsg to be more precise.
    
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Commits on Mar 17, 2019
  1. Merge pull request #35 from pebenito/master

    pebenito committed Mar 17, 2019
    genhomedircon.py: Fix top-level exception handling.
  2. sysadm, udev: Module version bump.

    pebenito committed Mar 17, 2019
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  3. udev: Move one line and remove a redundant line.

    pebenito committed Mar 17, 2019
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  4. udev: Whitespace fix.

    pebenito committed Mar 17, 2019
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  5. Separate out udevadm into a new domain

    Sugar, David authored and pebenito committed Mar 15, 2019
    This is the update I have made based on suggestions for the previous
    patches to add a udev_run interface.  This adds the new domain udevadm_t
    which is entered from /usr/bin/udevadm.
    
    It seems to meet the needs that I have, but there are some things to
    note that are probably important.
    1) There are a few systemd services that use udevadm during startup.
       I have granted the permissions that I need based on denials I was
       seeing during startup (the machine would fail to start without the
       permissions).
    2) In the udev.fc file there are other binaries that I don't have on a
       RHEL7 box that maybe should also be labeled udevadm_exec_t.
       e.g. /usr/bin/udevinfo and /usr/bin/udevsend
       But as I don't have those binaries to test, I have not updated the
       type of that binary.
    3) There are some places that call udev_domtrans that maybe should now
       be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
       these are not things that I am using in my current situation and am
       unable to test the interactions to know if the change is correct.
    
    Other than that, I think this was a good suggestion to split udevadm
    into a different domain.
    
    Only change for v4 is to use stream_connect_pattern as suggested.
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
Commits on Mar 15, 2019
  1. genhomedircon.py: Fix top-level exception handling.

    pebenito committed Mar 15, 2019
    Fixes errors like this:
    
    Traceback (most recent call last):
      File "support/genhomedircon.py", line 490, in <module>
        errorExit("Options Error " + error)
    TypeError: Can't convert 'GetoptError' object to str implicitly
    
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Commits on Mar 12, 2019
  1. systemd, udev, usermanage: Module version bump.

    pebenito committed Mar 12, 2019
  2. Resolve denial while changing password

    Sugar, David authored and pebenito committed Mar 11, 2019
    I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
    and sending message for logging.  This resolves those denials.
    
    type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    
    type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
  3. Allow additional map permission when reading hwdb

    Sugar, David authored and pebenito committed Mar 9, 2019
    I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
    This creates and uses a new interface to allow the needed
    permission for udev.
    
    type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
    
    Updated from previous to create a new interface.
    
    Signed-off-by: Dave Sugar <dsugar@tresys.com>
  4. Remove incorrect comment about capability2:mac_admin.

    pebenito committed Mar 12, 2019