PyXML has not been required to build the policy and its documentation
since at least Python 2.6, which comes with an "xml" module.
Moreover, some support scripts require Python 2.6 or above (and are
compatible with Python 3.4, maybe also with other versions of Python 3).
Add the minimum supported version of Python in INSTALL.
ML thread: http://oss.tresys.com/pipermail/refpolicy/2014-November/007440.html
This AV has been added in 3.16 in commit
3a101b8de0d39403b2c7e5c23fd0b005668acf48
Glisse
support in openrc
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up things without allowing anything new.
iw uses a generic netlink socket to configure WiFi properties. For
example, "strace iw dev wlan0 set power_save on" outputs:
socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
Some AVC denials are reported in audit.log:
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
Allowing ifconfig_t to create generic netlink sockets fixes this.
(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
iw manpage says "iw - show / manipulate wireless devices and their
configuration". Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.
Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
This interface will enable another domain to use Java without
having to domtrans to java_t
When creating the ts/ directory (in which sudo keeps timestamps), allow
the sudo application to set ownership.
No errors involved (only denial) but the end result is different (group
ownership is different, even though there is no group privilege).
When sudo is invoked and the /var/run/sudo directory (in which a ts/
subdirectory would be created and managed by sudo) is not available yet,
sudo will try to create it.
Grant it this privilege and have this directory be labeled as
pam_var_run_t.
Without this, we get:
sudo: unable to mkdir /var/run/sudo: Permission denied
This interface allows a domain to create resources inside the generic
pid location (/var/run) and have them created with the pam_var_run_t
type.
In addition to the iputils arping implementation, Debian also ships
another implementation which is installed under /usr/sbin/arping
It's going to do the discovery for DUN service for modems with Bluez 5.
-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.
-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.
Drop rule; if /dev/log is a symlink, it should be device_t.
git+ssh://git.overlays.gentoo.org/proj/hardened-refpolicy
Since commit 0fd9dc55, logging.te contains:
term_write_all_user_ttys(syslogd_t)
As "write" is a superset of "append", this rule is no longer needed:
term_append_unallocated_ttys(syslogd_t)
While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
When a process sends a syslog message to journald, journald records
information such as command, executable, cgroup, etc.:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589
This needs domain_read_all_domains_state.