From 41f15beb6646fdf7ceee9dc6c78b980f55754bbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:02:23 +0100 Subject: [PATCH 01/13] unconfined: permit io_uring access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- policy/modules/system/unconfined.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index c870bcc009..fff809d3d5 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -50,6 +50,9 @@ interface(`unconfined_domain_noaudit',` # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; + # io_uring + allow $1 self:anon_inode { create map read write }; + # Userland object managers allow $1 self:nscd { admin getgrp gethost getpwd getserv getstat shmemgrp shmemhost shmempwd shmemserv }; allow $1 self:dbus { acquire_svc send_msg }; From 068a673f53c7e22ed4f6499f6f8e82f6f3d65735 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:02:51 +0100 Subject: [PATCH 02/13] userdomain: include map in userdom_manage_user_home_content_files() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- policy/modules/system/userdomain.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 73bb7c4106..b65153eeea 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -2531,7 +2531,7 @@ interface(`userdom_manage_user_home_content_files',` type user_home_dir_t, user_home_t; ') - manage_files_pattern($1, user_home_t, user_home_t) + mmap_manage_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') 
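Review bot: The comment `# io_uring` above the new `allow $1 self:anon_inode { create map read write };` line is narrower than the rule, because the anon_inode class is used for other anonymous inodes the kernel labels (userfaultfd, for one), not only io_uring rings. For a domain that is unconfined anyway this does not change confinement, but the comment is what gets copied when someone lifts the pair into a confined domain, so it should say what the class actually covers, e.g. `# anonymous inodes (io_uring rings and similar)`. unconfined_domain_noaudit() starts before this hunk and continues after it.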
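Review bot: Swapping `manage_files_pattern` for `mmap_manage_files_pattern` grants `map` on user_home_t files to every existing caller of userdom_manage_user_home_content_files(), and nothing in the hunk or the commit message records which caller needed it. The interface's summary block starts before this hunk and presumably still describes create/read/write/delete only; it should mention mapping now that the grant includes it. If a single domain needed `map`, a dedicated map-granting interface would keep the narrower permission set for the other callers — hedged, since I cannot see whether one already exists in userdomain.if.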
From cf6a078ab53dc0f60753e17b84a5b4081ff963b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:04:21 +0100 Subject: [PATCH 03/13] systemd: permit ssh generator to request vsock module MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit type=PROCTITLE msg=audit(28/10/24 14:04:16.969:146) : proctitle=/usr/lib/systemd/system-generators/systemd-ssh-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/genera type=SYSCALL msg=audit(28/10/24 14:04:16.969:146) : arch=x86_64 syscall=socket success=yes exit=4 a0=vsock a1=SOCK_STREAM a2=ip a3=0x7 items=0 ppid=13019 pid=13030 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-ssh-gen exe=/usr/lib/systemd/system-generators/systemd-ssh-generator subj=system_u:system_r:systemd_generator_t:s0 key=(null) type=AVC msg=audit(28/10/24 14:04:16.969:146) : avc: denied { module_request } for pid=13030 comm=systemd-ssh-gen kmod="net-pf-40" scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1 Signed-off-by: Christian Göttsche --- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index d58aba30b2..df3112a5a1 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -587,6 +587,8 @@ kernel_read_kernel_sysctls(systemd_generator_t) kernel_dontaudit_getattr_proc(systemd_generator_t) # Where an unlabeled mountpoint is encounted: kernel_dontaudit_search_unlabeled(systemd_generator_t) +# vmware_vsock +kernel_request_load_module(systemd_generator_t) modutils_domtrans(systemd_generator_t) From 98f65c6fbe51c32f5d117f8488e6ae19977e73e3 Mon Sep 17 00:00:00 2001 
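Review bot: The comment `# vmware_vsock` above `kernel_request_load_module(systemd_generator_t)` names one module, but the `module_request` permission the AVC shows is not module-specific, and the audit record in the commit message identifies the actual request as the alias `net-pf-40`, i.e. the AF_VSOCK socket created by systemd-ssh-generator. A comment tied to the trigger reads better and explains the broader grant, e.g. `# systemd-ssh-generator creates an AF_VSOCK socket (module alias net-pf-40)`. The systemd_generator_t ruleset continues outside the hunk.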
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:05:09 +0100 Subject: [PATCH 04/13] locallogin: permit login process to signal itself MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit type=PROCTITLE msg=audit(28/10/24 14:21:43.722:110) : proctitle=/sbin/agetty -o -p -- \u --noclear - linux type=OBJ_PID msg=audit(28/10/24 14:21:43.722:110) : opid=970 oauid=root ouid=root oses=1 obj=system_u:system_r:local_login_t:s0 ocomm=login type=OBJ_PID msg=audit(28/10/24 14:21:43.722:110) : opid=970 oauid=root ouid=root oses=1 obj=system_u:system_r:local_login_t:s0 ocomm=login type=SYSCALL msg=audit(28/10/24 14:21:43.722:110) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x0 a1=TIOCNOTTY a2=0x0 a3=0x8 items=0 ppid=1 pid=970 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0 key=(null) type=AVC msg=audit(28/10/24 14:21:43.722:110) : avc: denied { signal } for pid=970 comm=login scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:system_r:local_login_t:s0 tclass=process permissive=0 Signed-off-by: Christian Göttsche --- policy/modules/system/locallogin.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 4ba131d292..4b7d926b71 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te 
@@ -34,7 +34,7 @@ role system_r types sulogin_t; allow local_login_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; dontaudit local_login_t self:capability net_admin; -allow local_login_t self:process { getcap setcap setexec setrlimit setsched }; +allow local_login_t self:process { getcap setcap setexec setrlimit setsched signal }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; From d5b3f5bd33e1b1a0a01986b4eefc2188f0b9863d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:06:42 +0100 Subject: [PATCH 05/13] ssh: label sshd-session helper on Debian MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- policy/modules/services/ssh.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index a30d01afc0..93bfa8d26f 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -10,6 +10,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/lib/misc/sshd-session -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/openssh/sshd-session -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/lib/systemd/system/ssh.* -- gen_context(system_u:object_r:sshd_unit_t,s0) From d8d7e8ceed93fb6e24c3fb9bfee6b569048cd9c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:07:56 +0100 Subject: [PATCH 06/13] kernel: create /dev/vsock with correct context MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
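Review bot: `signal` is added to `allow local_login_t self:process { ... }` without a comment, so the next reader has only git history to learn why a login process signals itself; the audit record in the commit message pairs the denial with an ioctl(TIOCNOTTY) by login, so a one-line why-comment above the rule is warranted, e.g. `# login presumably signals itself when giving up its controlling tty (TIOCNOTTY)`. The bootloader hunk in patch 08 (`getsched` added for `sort -V -r` running in bootloader_t, per its audit record) has the same gap and would take `# sort(1) calls sched_getaffinity(2)`. Both rule blocks continue outside their hunks.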
Signed-off-by: Christian Göttsche --- policy/modules/kernel/devices.if | 19 +++++++++++++++++++ policy/modules/kernel/kernel.te | 1 + 2 files changed, 20 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 24c480290a..199d6479a6 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -5628,6 +5628,25 @@ interface(`dev_rw_vsock',` rw_chr_files_pattern($1, device_t, vsock_device_t) ') +######################################## +## +## Automatic type transition to the type +## for the vsock device nodes when created in /dev. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_filetrans_vsock_dev',` + gen_require(` + type device_t, vsock_device_t; + ') + + filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock") +') + ######################################## ## ## Read from watchdog devices. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 8cad5ed326..65c814a97e 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -388,6 +388,7 @@ ifdef(`init_systemd',` optional_policy(` dev_manage_input_dev(kernel_t) dev_filetrans_input_dev(kernel_t) + dev_filetrans_vsock_dev(kernel_t) ') optional_policy(` From 9d62f678a7a4366a21931390a92c724a23027da4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:09:10 +0100 Subject: [PATCH 07/13] Reorder permissions to please SELint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SELint reports: haproxy.te: 65: (C): Permissions in av rule not ordered (setuid before setgid) (C-005) container.te: 1012: (C): Permissions in av rule not ordered (setuid before setpcap) (C-005) Signed-off-by: Christian Göttsche --- policy/modules/services/container.te | 2 +- policy/modules/services/haproxy.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
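Review bot: `dev_filetrans_vsock_dev(kernel_t)` in kernel.te only names the type of a node kernel_t creates under /dev; it does not allow the create, and unlike the neighbouring `dev_manage_input_dev(kernel_t)` / `dev_filetrans_input_dev(kernel_t)` pair no matching manage or create interface for vsock_device_t is added. The only vsock interface visible in the devices.if context, `dev_rw_vsock`, grants `rw_chr_files_pattern`, not create. Unless kernel_t already holds create on vsock_device_t:chr_file in device_t through a broader rule outside this hunk, the transition never fires because the create itself is denied; confirm that before merging, or add the manage counterpart next to the filetrans call. The optional_policy block is cut at both ends of the hunk.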
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 1c88308369..c71ae54f47 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -1009,7 +1009,7 @@ allow spc_t self:process { getcap setexec setrlimit }; # Normally triggered when rook-ceph executes lvm tools which creates noise. # This can be allowed if actually needed. dontaudit spc_t self:process setfscreate; -allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource }; +allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource }; allow spc_t self:capability2 { bpf perfmon }; allow spc_t self:bpf { map_create map_read map_write prog_load prog_run }; allow spc_t self:key manage_key_perms; diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te index e4046dd2dd..d302820ed9 100644 --- a/policy/modules/services/haproxy.te +++ b/policy/modules/services/haproxy.te @@ -62,7 +62,7 @@ files_tmpfs_file(haproxy_tmpfs_t) # allow haproxy_t self:process { getsched setrlimit signal }; -allow haproxy_t self:capability { kill setuid setgid }; +allow haproxy_t self:capability { kill setgid setuid }; dontaudit haproxy_t self:capability net_admin; allow haproxy_t self:fifo_file rw_fifo_file_perms; allow haproxy_t self:tcp_socket create_stream_socket_perms; From b001b9923127ed42b571cf2728ca79dc1fb4f632 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:09:49 +0100 Subject: [PATCH 08/13] bootloader: get scheduling information MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit type=PROCTITLE msg=audit(28/03/24 20:06:02.246:111) : proctitle=sort -V -r type=SYSCALL msg=audit(28/03/24 20:06:02.246:111) : arch=x86_64 syscall=sched_getaffinity success=no exit=EACCES(Permission denied) a0=0x0 a1=0x80 a2=0x7fffcffce4f0 a3=0x7f2e4b437a98 items=0 ppid=5539 pid=5542 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=sort exe=/usr/bin/sort subj=unconfined_u:unconfined_r:bootloader_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(28/03/24 20:06:02.246:111) : avc: denied { getsched } for pid=5542 comm=sort scontext=unconfined_u:unconfined_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:bootloader_t:s0-s0:c0.c1023 tclass=process permissive=0 Signed-off-by: Christian Göttsche --- policy/modules/admin/bootloader.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 875c5df819..56d35ded47 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -43,7 +43,7 @@ dev_node(bootloader_tmp_t) allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio }; dontaudit bootloader_t self:capability { net_admin sys_resource }; -allow bootloader_t self:process { execmem signal_perms }; +allow bootloader_t self:process { execmem getsched signal_perms }; allow bootloader_t self:fifo_file rw_fifo_file_perms; allow bootloader_t bootloader_etc_t:file read_file_perms; From 42a3add9d477659c104ebfbb46b67686bb999151 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:15:20 +0100 Subject: [PATCH 09/13] Fix typos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found by codespell(1). Signed-off-by: Christian Göttsche --- policy/mls | 2 +- policy/modules/apps/uml.te | 2 +- policy/modules/kernel/corenetwork.if.in | 10 +++++----- policy/modules/kernel/corenetwork.te.m4 | 2 +- policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/domain.if | 2 +- policy/modules/kernel/files.if | 21 +++++++++++++++++++-- policy/modules/kernel/selinux.te | 2 +- policy/modules/services/cockpit.if | 2 +- policy/modules/services/corosync.te | 2 +- policy/modules/services/gssproxy.if | 2 +- policy/modules/services/iiosensorproxy.if | 2 +- policy/modules/services/iiosensorproxy.te | 2 +- policy/modules/services/lircd.if | 2 +- policy/modules/services/ppp.if | 4 ++-- policy/modules/services/tgtd.if | 2 +- policy/modules/services/virt.if | 4 ++-- policy/modules/system/iscsi.if | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/userdomain.if | 10 +++++----- support/gennetfilter.py | 12 ++++++------ support/validate-appconfig.py | 6 +++--- 22 files changed, 57 insertions(+), 40 deletions(-) diff --git a/policy/mls b/policy/mls index 3cf4110d67..6a4e78cc29 100644 --- a/policy/mls +++ b/policy/mls @@ -2,7 +2,7 @@ ifdef(`enable_mls',` # # Define sensitivities # -# Domination of sensitivities is in increasin +# Domination of sensitivities is in increasing # numerical order, with s0 being the lowest gen_sens(mls_num_sens) diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index d48d60279e..52c043df5e 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te 
@@ -32,7 +32,7 @@ type uml_switch_t; type uml_switch_exec_t; init_daemon_domain(uml_switch_t, uml_switch_exec_t) -type uml_switch_runtime_t alias uml_swich_var_run_t; +type uml_switch_runtime_t alias uml_switch_var_run_t; files_runtime_file(uml_switch_runtime_t) ######################################## diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index d2f346efa0..857844ba0a 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -1612,7 +1612,7 @@ interface(`corenet_tcp_bind_all_ports',` ######################################## ## -## Do not audit attepts to bind TCP sockets to any ports. +## Do not audit attempts to bind TCP sockets to any ports. ## ## ## @@ -1667,7 +1667,7 @@ interface(`corenet_sctp_connect_generic_port',` ######################################## ## -## Do not audit attepts to bind UDP sockets to any ports. +## Do not audit attempts to bind UDP sockets to any ports. ## ## ## @@ -1881,7 +1881,7 @@ interface(`corenet_tcp_connect_reserved_port',` ######################################## ## -## Do not audit attepts to bind SCTP sockets to any ports. +## Do not audit attempts to bind SCTP sockets to any ports. ## ## ## @@ -2474,7 +2474,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## -## Receive TCP packets from an unlabled connection. +## Receive TCP packets from an unlabeled connection. ## ## ## @@ -3325,7 +3325,7 @@ interface(`corenet_relabelto_all_server_packets',` ######################################## ## -## Receive SCTP packets from an unlabled connection. +## Receive SCTP packets from an unlabeled connection. ## ## ## diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index e512750a28..5c1d69f7b8 100644 --- a/policy/modules/kernel/corenetwork.te.m4 +++ b/policy/modules/kernel/corenetwork.te.m4 
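Review bot: Correcting the alias in `type uml_switch_runtime_t alias uml_switch_var_run_t;` drops the old name uml_swich_var_run_t from the policy, so any out-of-tree module that still references the misspelled alias would fail to build. The same patch renames files_dontaudit_execuite_etc_runtime_files() but keeps a deprecated wrapper for the old name; the type alias deserves the same treatment, i.e. `type uml_switch_runtime_t alias { uml_swich_var_run_t uml_switch_var_run_t };`, with the misspelled alias removable in a later release. If no external consumer of the old alias is known, a sentence saying so in the commit message would settle it.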
@@ -125,7 +125,7 @@ ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl ') # -# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]]) +# ib_pkey(name, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]]) # define(`ib_pkey',` type $1_ibpkey_t, ibpkey_type; diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index a3eeba4afc..84c0069abb 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -86,7 +86,7 @@ genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_onli type crash_device_t; dev_node(crash_device_t) -# for the IBM zSeries z90crypt hardware ssl accelorator +# for the IBM zSeries z90crypt hardware ssl accelerator type crypt_device_t; dev_node(crypt_device_t) diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 944d6d3b30..fca31ffb0a 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -417,7 +417,7 @@ interface(`domain_dontaudit_use_interactive_fds',` ######################################## ## ## Send a SIGCHLD signal to domains whose file -## discriptors are widely inheritable. +## descriptors are widely inheritable. ## ## ## diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 811efef945..e1fafd4abd 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -3838,7 +3838,7 @@ interface(`files_dontaudit_read_etc_runtime_files',` ######################################## ## -## Do not audit attempts to execuite files +## Do not audit attempts to execute files ## in /etc that are dynamically ## created on boot, such as mtab. ## @@ -3848,7 +3848,7 @@ interface(`files_dontaudit_read_etc_runtime_files',` ## ## # -interface(`files_dontaudit_execuite_etc_runtime_files',` +interface(`files_dontaudit_exec_etc_runtime_files',` gen_require(` type etc_runtime_t; ') 
@@ -3856,6 +3856,23 @@ interface(`files_dontaudit_execuite_etc_runtime_files',` dontaudit $1 etc_runtime_t:file execute; ') +######################################## +## +## Do not audit attempts to execute files +## in /etc that are dynamically +## created on boot, such as mtab. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_execuite_etc_runtime_files',` + refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_exec_etc_runtime_files() instead.') + files_dontaudit_exec_etc_runtime_files($1) +') + ######################################## ## ## Do not audit attempts to read files diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 97b236aa9a..d2ccfd0ed0 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -15,7 +15,7 @@ gen_bool(secure_mode_policyload,false) ## ##

-## Boolean to determine whether the system permits setting Booelan values. +## Boolean to determine whether the system permits setting Boolean values. ##

##
gen_bool(secure_mode_setbool,false) diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if index b79854374c..325672d2f5 100644 --- a/policy/modules/services/cockpit.if +++ b/policy/modules/services/cockpit.if @@ -54,7 +54,7 @@ template(`cockpit_role_template',` dev_dontaudit_execute_dev_nodes($2) files_dontaudit_execute_default_files($2) - files_dontaudit_execuite_etc_runtime_files($2) + files_dontaudit_exec_etc_runtime_files($2) files_dontaudit_exec_runtime($2) files_watch_etc_files($2) files_watch_root_dirs($2) diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te index 3ed8ef4390..3e0a8014f3 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -37,7 +37,7 @@ logging_log_file(corosync_var_log_t) # allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource }; -# for hearbeat +# for heartbeat allow corosync_t self:capability { chown net_raw }; allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/services/gssproxy.if b/policy/modules/services/gssproxy.if index 693d5228e3..34c9631bec 100644 --- a/policy/modules/services/gssproxy.if +++ b/policy/modules/services/gssproxy.if @@ -2,7 +2,7 @@ ######################################## ## -## Execute gssproxy in the gssproxy domin. +## Execute gssproxy in the gssproxy domain. ## ## ## diff --git a/policy/modules/services/iiosensorproxy.if b/policy/modules/services/iiosensorproxy.if index 0dc70034c8..f991edf018 100644 --- a/policy/modules/services/iiosensorproxy.if +++ b/policy/modules/services/iiosensorproxy.if 
@@ -2,7 +2,7 @@ ## ## ## Industrial I/O subsystem is intended to provide support for devices -## that in some sense are analog to digital or digital to analog convertors +## that in some sense are analog to digital or digital to analog converters ## . ## Devices that fall into this category are: ## * ADCs diff --git a/policy/modules/services/iiosensorproxy.te b/policy/modules/services/iiosensorproxy.te index a820877fad..348c2839ba 100644 --- a/policy/modules/services/iiosensorproxy.te +++ b/policy/modules/services/iiosensorproxy.te @@ -5,7 +5,7 @@ policy_module(iiosensorproxy) # iio-sensor-proxy (Debian package iio-sensor-proxy) # IIO sensors to D-Bus proxy # Industrial I/O subsystem is intended to provide support for devices -# that in some sense are analog to digital or digital to analog convertors +# that in some sense are analog to digital or digital to analog converters # . # Devices that fall into this category are: # * ADCs diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if index d7cbf4ddbf..4394dd3f2b 100644 --- a/policy/modules/services/lircd.if +++ b/policy/modules/services/lircd.if @@ -1,4 +1,4 @@ -## Linux infared remote control daemon. +## Linux infrared remote control daemon. ######################################## ## diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index cf7f567db8..610e4bff33 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -90,7 +90,7 @@ interface(`ppp_home_filetrans_ppp_home',` ######################################## ## -## Inherit and use ppp file discriptors. +## Inherit and use ppp file descriptors. ## ## ## @@ -109,7 +109,7 @@ interface(`ppp_use_fds',` ######################################## ## ## Do not audit attempts to inherit -## and use ppp file discriptors. +## and use ppp file descriptors. ## ## ## diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if index 3fb94581db..998e5ee073 100644 
--- a/policy/modules/services/tgtd.if +++ b/policy/modules/services/tgtd.if @@ -21,7 +21,7 @@ interface(`tgtd_rw_semaphores',` ###################################### ## ## Create, read, write, and delete -## tgtd sempaphores. +## tgtd semaphores. ## ## ## diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 01e8a125d8..9b28d670e0 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -1083,7 +1083,7 @@ interface(`virt_lxc_sigchld',` ######################################## ## -## Read and write virtd lxc unamed pipes. +## Read and write virtd lxc unnamed pipes. ## ## ## @@ -1195,7 +1195,7 @@ interface(`virt_virsh_sigchld',` ######################################## ## -## Read and write virsh unamed pipes. +## Read and write virsh unnamed pipes. ## ## ## diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if index 8268483eb2..971a36edb0 100644 --- a/policy/modules/system/iscsi.if +++ b/policy/modules/system/iscsi.if @@ -22,7 +22,7 @@ interface(`iscsid_domtrans',` ######################################## ## ## Create, read, write, and delete -## iscsid sempaphores. +## iscsid semaphores. ## ## ## diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index df3112a5a1..5fe522163d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -585,7 +585,7 @@ kernel_use_fds(systemd_generator_t) kernel_read_system_state(systemd_generator_t) kernel_read_kernel_sysctls(systemd_generator_t) kernel_dontaudit_getattr_proc(systemd_generator_t) -# Where an unlabeled mountpoint is encounted: +# Where an unlabeled mountpoint is encountered: kernel_dontaudit_search_unlabeled(systemd_generator_t) # vmware_vsock kernel_request_load_module(systemd_generator_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index b65153eeea..aa389da0f6 100644 --- a/policy/modules/system/userdomain.if 
+++ b/policy/modules/system/userdomain.if @@ -109,7 +109,7 @@ template(`userdom_base_user_template',` files_read_world_readable_symlinks($1_t) files_read_world_readable_pipes($1_t) files_read_world_readable_sockets($1_t) - # old broswer_domain(): + # old browser_domain(): files_dontaudit_list_non_security($1_t) files_dontaudit_getattr_non_security_files($1_t) files_dontaudit_getattr_non_security_symlinks($1_t) @@ -4453,7 +4453,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` ####################################### ## -## Read and write unpriviledged user SysV sempaphores. +## Read and write unprivileged user SysV semaphores. ## ## ## @@ -4471,7 +4471,7 @@ interface(`userdom_rw_unpriv_user_semaphores',` ######################################## ## -## Manage unpriviledged user SysV sempaphores. +## Manage unprivileged user SysV semaphores. ## ## ## @@ -4489,7 +4489,7 @@ interface(`userdom_manage_unpriv_user_semaphores',` ####################################### ## -## Read and write unpriviledged user SysV shared +## Read and write unprivileged user SysV shared ## memory segments. ## ## @@ -4508,7 +4508,7 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ######################################## ## -## Manage unpriviledged user SysV shared +## Manage unprivileged user SysV shared ## memory segments. ## ## diff --git a/support/gennetfilter.py b/support/gennetfilter.py index 83b27f352e..7376f45062 100644 --- a/support/gennetfilter.py +++ b/support/gennetfilter.py 
@@ -171,15 +171,15 @@ def parse_corenet(file_name): # parse out the parameters openparen = corenet_line.find('(')+1 closeparen = corenet_line.find(')',openparen) - parms = re.split(r'[^-a-zA-Z0-9_]+',corenet_line[openparen:closeparen]) - name = parms[0] - del parms[0] + params = re.split(r'[^-a-zA-Z0-9_]+',corenet_line[openparen:closeparen]) + name = params[0] + del params[0] ports = [] - while len(parms) > 0: + while len(params) > 0: # add a port combination. - ports.append(Port(parms[0],parms[1],parms[2])) - del parms[:3] + ports.append(Port(params[0],params[1],params[2])) + del params[:3] packets.append(Packet(name,ports)) diff --git a/support/validate-appconfig.py b/support/validate-appconfig.py index 1f4ed727aa..a5d1581fcd 100755 --- a/support/validate-appconfig.py +++ b/support/validate-appconfig.py @@ -1,6 +1,6 @@ #!/usr/bin/python3 # SPDX-License-Identifier: GPL-2.0-only -"""Validate refpolicy userpace configuration files (appconfig) have valid contexts.""" +"""Validate refpolicy userspace configuration files (appconfig) have valid contexts.""" import argparse from contextlib import suppress @@ -183,7 +183,7 @@ def validate_domain_transition(self, source_domain: str, target_domain: str, /) valid = False # - # Vaidate domain (TE) transition + # Validate domain (TE) transition # if source_type == target_type: # unlikely @@ -395,7 +395,7 @@ def validate_single_line_context_files(validator: ContextValidator, filenames: list[Path], /) -> bool: """ Validate the contexts in the files with single context per line. This - is primarily for files tha have a single context, such as initrc_context, + is primarily for files that have a single context, such as initrc_context, but can also be used for virtual_image_context, which can have multiple lines of a single context. """ From 566ac0b9f886b7e0372cd50ee5928f0fdde3709e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:26:30 +0100 Subject: [PATCH 10/13] policy_capabilities: add stub for userspace_initial_context MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- policy/policy_capabilities | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/policy/policy_capabilities b/policy/policy_capabilities index 2faabdfa9f..73b52998d1 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities @@ -115,6 +115,14 @@ policycap nnp_nosuid_transition; # #policycap ioctl_skip_cloexec; +# Enable separate user space context for processes started before first +# policy load. +# Requires libsepol 3.7 and kernel 6.8. +# +# Added checks: +# (none) +#policycap userspace_initial_context; + # Enable netlink xperms support. Requires libsepol 3.8+ # and kernel 6.13. # From c08366ca611789acf85642755947fa0947e46e2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:27:52 +0100 Subject: [PATCH 11/13] validate-appconfig: replace tab indentation by spaces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- support/validate-appconfig.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/support/validate-appconfig.py b/support/validate-appconfig.py index a5d1581fcd..9a92c13557 100755 --- a/support/validate-appconfig.py +++ b/support/validate-appconfig.py @@ -688,7 +688,7 @@ def format(self, record: logging.LogRecord) -> str: try: # Validate the elements under sys.exit(0 if validate_appconfig_files(args.APPCONFIG_DIR, - policy_path=args.POLICY_PATH, + policy_path=args.POLICY_PATH, chkcon_path=args.chkcon, lxc=args.lxc, sepgsql=args.sepgsql, From b30075243c2adc63d92741bf765e33d9f834fff8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 30 Oct 2024 15:28:44 +0100 Subject: [PATCH 12/13] check_fc_files: support trailing optional version number MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- testing/check_fc_files.py | 1 + 1 file changed, 1 insertion(+) diff --git a/testing/check_fc_files.py b/testing/check_fc_files.py index 1d41a3b7a1..9849b2b5df 100755 --- a/testing/check_fc_files.py +++ b/testing/check_fc_files.py @@ -55,6 +55,7 @@ ('[0-9]+', '0'), # Match at least one digit ('(\\.bin)?', ''), # Match an optional extension ('(-.*)?', ''), # Match an optional suffix with a minus sign + ('(-[0-9\\.]+)?', ''), # Match an optional version suffix ) # File types in a .fc file From 248f2116d504c0aa1761dbf7fc382816214e51f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Tue, 5 Nov 2024 20:17:17 +0100 Subject: [PATCH 13/13] github: add codespell check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- .github/workflows/lint-policy.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/lint-policy.yml b/.github/workflows/lint-policy.yml index f7004ce631..69aceadea0 100644 --- a/.github/workflows/lint-policy.yml +++ b/.github/workflows/lint-policy.yml @@ -71,3 +71,17 @@ jobs: - name: Run file context checker run: python${{ inputs.python-version }} -t -t -E -W error testing/check_fc_files.py + + codespell: + runs-on: ubuntu-22.04 + + steps: + - uses: actions/checkout@v4 + + - name: Install dependencies + run: | + sudo apt-get update -q + sudo apt-get install -qy codespell + + - name: Run codespell + run: codespell --skip Changelog,Changelog.contrib,Changelog.old --ignore-words-list busses,chage,doesnt,lik,msdos,nd,racoon,shouldnt,startd,te,thats,xwindows --context 1 .
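Review bot: The new codespell job uses `actions/checkout@v4`, a mutable tag; the jobs above it are outside this hunk so I cannot tell whether the file already pins actions, but for a job that runs on every pull request, pinning to a full commit SHA (with the tag in a trailing comment) removes the dependence on that tag never being retargeted. The job also declares no `permissions:`; that only matters if the workflow sets none at the top level, which is not visible here. `apt-get install -qy codespell` picks up whatever version Ubuntu 22.04 ships, whose dictionary may diverge from the codespell used locally for patch 09, so expect the `--ignore-words-list` to need maintenance. Moving `--skip` and `--ignore-words-list` into a checked-in codespell config file would also keep the run line readable.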