aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* netutils: /usr/bin/ss merged-usrHEADmasterNicolas PARLANT2024-10-211-0/+1
| | | | | | Signed-off-by: Nicolas PARLANT <nicolas.parlant@parhuet.fr> Closes: https://github.com/gentoo/hardened-refpolicy/pull/3 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Update mysql.fcnisbet-hubbard2024-09-211-0/+1
| | | | | Signed-off-by: nisbet-hubbard <87453615+nisbet-hubbard@users.noreply.github.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Additional permissions when fapolicyd.conf more strictDave Sugar2024-09-213-1/+64
| | | | | | | | | | | | | | | | | | | When fapolicyd is configured with allow_filesystem_mark = 1 it watches filesysems and mount points When fapolicyd is configured with integrituy = sha256 it mmaps files to perform hash node=localhost type=AVC msg=audit(1726153668.013:418): avc: denied { watch } for pid=1561 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1726154081.718:402): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1726154081.721:404): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/boot" dev="sda2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1726154081.722:406): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/var" dev="dm-9" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1726154706.227:415): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/kmod" dev="dm-1" ino=14600 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1726154743.367:999): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/lib/systemd/systemd" dev="dm-1" ino=17564 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1726154743.403:1030): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/bash" dev="dm-1" ino=3571 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1726154807.975:476): avc: denied { map } for pid=1599 comm="fapolicyd" path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator" dev="dm-1" ino=17589 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:systemd_generator_exec_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar100@gmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: allow systemd-hostnamed to read vsock deviceYi Zhao2024-09-211-0/+1
| | | | | | | | | | Fixes: avc: denied { read } for pid=463 comm="systemd-hostnam" name="vsock" dev="devtmpfs" ino=170 scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: fix policy for systemd-ssh-generatorYi Zhao2024-09-211-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes: avc: denied { getattr } for pid=121 comm="systemd-ssh-gen" path="/usr/sbin/sshd" dev="vda" ino=7787 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1 avc: denied { execute } for pid=121 comm="systemd-ssh-gen" name="sshd" dev="vda" ino=7787 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1 avc: denied { create } for pid=121 comm="systemd-ssh-gen" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=vsock_socket permissive=1 avc: denied { read } for pid=121 comm="systemd-ssh-gen" name="vsock" dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 avc: denied { open } for pid=121 comm="systemd-ssh-gen" path="/dev/vsock" dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 avc: denied { ioctl } for pid=121 comm="systemd-ssh-gen" path="/dev/vsock" dev="devtmpfs" ino=152 ioctlcmd=0x7b9 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* devices: add label vsock_device_t for /dev/vsockYi Zhao2024-09-213-0/+61
| | | | | | | | Vsock is a Linux socket family designed to allow communication between a VM and its hypervisor. Add a new label vsock_device_t for vsock device. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: add policy for systemd-nsresourcedYi Zhao2024-09-217-0/+79
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The systemd-nsresourced service was added in systemd v256[1]. Add policy for this service and allow all domains to connect to it over unix socket. Fixes: avc: denied { connectto } for pid=325 comm="avahi-daemon" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1 avc: denied { write } for pid=327 comm="dbus-daemon" name="io.systemd.NamespaceResource" dev="tmpfs" ino=54 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1 avc: denied { connectto } for pid=327 comm="dbus-daemon" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1 avc: denied { connectto } for pid=200 comm="systemd-userwor" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:systemd_userdbd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1 avc: denied { connectto } for pid=198 comm="systemd-userwor" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:systemd_userdbd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1 [1] https://github.com/systemd/systemd/commit/8aee931e7ae1adb01eeac0e1e4c0aef6ed3969ec Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: allow system --user to create netlink_route_socketYi Zhao2024-09-211-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes: avc: denied { create } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1 avc: denied { getopt } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1 avc: denied { setopt } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1 avc: denied { bind } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1 avc: denied { getattr } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1 avc: denied { write } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1 avc: denied { nlmsg_read } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1 avc: denied { read } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1 avc: denied { sendto } for pid=378 comm="(ystemctl)" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=unix_dgram_socket permissive=1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: allow systemd-networkd to manage sock files under /run/systemd/netifYi Zhao2024-09-211-0/+1
| | | | | | | | | | | Fixes: avc: denied { create } for pid=344 comm="systemd-network" name="io.systemd.Network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:systemd_networkd_runtime_t tclass=sock_file permissive=1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: set context to systemd_networkd_var_lib_t for /var/lib/systemd/networkYi Zhao2024-09-212-0/+8
| | | | | | | | | | | | | | | | | | | | | Fixes: avc: denied { read } for pid=344 comm="systemd-network" path="/var/lib/systemd/network" dev="vda" ino=30708 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1 avc: denied { write } for pid=344 comm="systemd-network" name="network" dev="vda" ino=30708 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1 avc: denied { getattr } for pid=344 comm="systemd-network" path="/var/lib/systemd/network" dev="vda" ino=30708 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Allow interactive user terminal output for the NetLabel management tool.Guido Trentalancia2024-09-211-0/+2
| | | | | Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* bluetooth: Move line.Chris PeBenito2024-09-211-3/+2
| | | | | Signed-off-by: Chris PeBenito <pebenito@ieee.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Adding SE Policy rules to allow usage of unix stream sockets by dbus and ↵Naga Bhavani Akella2024-09-213-0/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | bluetooth contexts when Gatt notifications are turned on by remote. Below are the avc denials that are resolved - 1. AVC avc: denied { use } for pid=916 comm="dbus-daemon" path="socket:[71126]" dev="sockfs" ino=71126 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tclass=fd permissive=0 2. AVC avc: denied { read write } for pid=913 comm="dbus-daemon" path="socket:[25037]" dev="sockfs" ino=25037 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=0 3. AVC avc: denied { use } for pid=910 comm="bluetoothd" path="socket:[23966]" dev="sockfs" ino=23966 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tclass=fd permissive=0 4. AVC avc: denied { read write } for pid=2229 comm="bluetoothd" path="socket:[27264]" dev="sockfs" ino=27264 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=0 Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* kubernetes: allow kubelet to connect all TCP portsKenton Groombridge2024-09-211-3/+1
| | | | | | | For pod health checks. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container: allow reading generic certsKenton Groombridge2024-09-211-0/+1
| | | | | | | | There are cases where one may want to mount certs on the host into a container. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* various: rules required for DV manipulation in kubevirtKenton Groombridge2024-09-217-0/+48
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container: add container_kvm_t and supporting kubevirt rulesKenton Groombridge2024-09-211-1/+33
| | | | | | | | container_kvm_t is the type for containers with access to KVM for running virtual machines. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* iptables: allow reading container engine tmp filesKenton Groombridge2024-09-212-2/+23
| | | | | | | | When multus creates a new network, iptables rules get written to /tmp and iptables will be called to load them. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container: allow spc various rules for kubevirtKenton Groombridge2024-09-212-2/+29
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container, kubernetes: add supporting rules for kubevirt and multusKenton Groombridge2024-09-213-0/+50
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* dbus: dontaudit session bus domains the netadmin capabilityKenton Groombridge2024-09-211-1/+1
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container: allow super privileged containers to manage BPF dirsKenton Groombridge2024-09-212-1/+19
| | | | | | | Seen on a recent update to Cilium. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* kubernetes: allow kubelet to create unlabeled dirsKenton Groombridge2024-09-212-0/+21
| | | | | | | | | | When kubelet sets up a container that 1) has mountpoints using subPath directories and 2) has a volume that is newly provisioned and not yet relabeled, kubelet will create the mountpoint directories on this volume before relabeling it. Allow kubelet to create these directories. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* haproxy: allow interactive usageKenton Groombridge2024-09-211-0/+4
| | | | | | | | Allow haproxy to be run interactively, e.g. to test its config file and report errors. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* podman: allow managing init runtime unitsKenton Groombridge2024-09-211-0/+6
| | | | | | | | Containers created via quadlet become runtime units. Podman auto-update can still restart these, but it needs the appropriate access. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* iptables: allow reading usr filesKenton Groombridge2024-09-211-0/+1
| | | | | | | The nftables program reads files in /usr/share/iproute2. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* filesystem, devices: move gadgetfs to usbfs_tDmitry Sharshakov2024-09-212-1/+1
| | | | | | | It is a USB Gadget config pseudo-FS, not a network nor distributed FS Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: make xdg optionalYi Zhao2024-09-211-2/+8
| | | | | | | Make xdg optional to avoid a potential build error. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* sshd: label sshd-session as sshd_exec_tKenton Groombridge2024-09-211-0/+1
| | | | | | | | | OpenSSH 9.8 splits out much of the session code from the main sshd binary into a new sshd-session binary. Allow the sshd server to execute this binary by labeling it as sshd_exec_t. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Setting bluetooth helper domain for bluetoothctlNaga Bhavani Akella2024-09-212-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Required for fixing the below avc denials - 1. audit: type=1400 audit(1651238006.276:496): avc: denied { read write } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 2. audit: type=1400 audit(1651238006.276:497): avc: denied { getattr } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 3. audit: type=1400 audit(1651238006.272:495): avc: denied { read write } for pid=689 comm="dbus-daemon" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 4. audit[1894]: AVC avc: denied { read write } for pid=1894 comm="bluetoothctl" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file permissive=0 5. audit[2022]: AVC avc: denied { use } for pid=2022 comm="bluetoothctl" path="socket:[25769]" dev="sockfs" ino=25769 scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0 6. audit[2006]: AVC avc: denied { read write } for pid=2006 comm="bluetoothctl" path="socket:[21106]" dev="sockfs" ino=21106 scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=0 Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.Raghavender Reddy Bujala2024-09-211-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | pulseaudio uses bluetooth sockets for HFP-AG and HSP-HS profile to do SLC and SCO connection with remote. avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { listen } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { accept } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { getopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { setopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { read } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { write } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { shutdown } for pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 avc: denied { connect } for pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: allow logind to use locallogin pidfdsKenton Groombridge2024-09-211-0/+4
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* userdomain: allow administrative user to get attributes of shadow history fileYi Zhao2024-09-212-0/+20
| | | | | | | | | | | | | Before the patch: root@qemux86-64:~# ls -lZ /etc/security/opasswd -?????????? ? ? ? ? ? ? /etc/security/opasswd After the patch: root@qemux86-64:~# ls -lZ /etc/security/opasswd -rw-------. 1 root root user_u:object_r:shadow_history_t 237 Jun 30 12:03 /etc/security/opasswd Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* node_exporter: allow reading RPC sysctlsKenton Groombridge2024-09-211-0/+1
| | | | | | | For NFS mounts. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* asterisk: allow reading certbot libKenton Groombridge2024-09-211-0/+4
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* postfix: allow postfix pipe to watch mail spoolKenton Groombridge2024-09-211-0/+1
| | | | | | | type=AVC msg=audit(1719451104.395:18364): avc: denied { watch } for pid=288883 comm="deliver" path="/var/spool/mail/domains/concord.sh/me@concord.sh/mail/dovecot-uidlist.lock" dev="dm-0" ino=17638966 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* netutils: allow ping to read net sysctlsKenton Groombridge2024-09-211-0/+1
| | | | | | | ping will check whether IPv6 is disabled. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* node_exporter: allow reading localizationKenton Groombridge2024-09-211-0/+2
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container: allow containers to execute tmpfs filesKenton Groombridge2024-09-211-0/+1
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* sysadm: make haproxy adminKenton Groombridge2024-09-211-0/+4
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* haproxy: initial policyKenton Groombridge2024-09-213-0/+222
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* init: use pidfds from local loginKenton Groombridge2024-09-212-0/+22
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* dbus, init: add interface for pidfd usageKenton Groombridge2024-09-212-1/+20
| | | | | | | | | | Commit 4e7511f4a previously added access for init to use DBUS system bus file descriptors while the intended access was for pidfds. Add an interface for pidfd usage so that when pidfds are eventually handled separately from regular fds, this interface can be adjusted. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* asterisk: allow watching spool dirsKenton Groombridge2024-09-211-0/+1
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* su, sudo: allow sudo to signal all su domainsKenton Groombridge2024-09-213-2/+27
| | | | | | | | | | | | | sudo sends a SIGWINCH to child processes when invoked. If an administrator uses sudo in the fashion of "sudo su - root", sudo will send a signal to the corresponding su process. type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74 type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null) type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* sudo: allow systemd-logind to read cgroup state of sudoKenton Groombridge2024-09-211-0/+2
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* postfix: allow smtpd to mmap SASL keytab filesKenton Groombridge2024-09-212-1/+20
| | | | | Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* sysnetwork: allow ifconfig to read usr filesKenton Groombridge2024-09-211-0/+1
| | | | | | | | | ip wants to read files in /usr/share/iproute2. type=AVC msg=audit(1715785441.968:297208): avc: denied { read } for pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: allow systemd-logind to use sshd pidfdsKenton Groombridge2024-09-211-0/+6
| | | | | | | | | This is to avoid a long timeout in pam_systemd when logging on. This is the second half of the fix described in ddc6ac493cef7bb64c3d1904b2c660f61b931f59. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Reorder perms and classesfreedom1b28302024-09-21219-758/+758
| | | | | Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>