From 662d55ed5efbb7aebb1435e4878f62303020ff36 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 28 Jul 2020 10:09:24 -0400
Subject: [PATCH 1/3] kernel: Drop unlabeled_t as a files_mountpoint().

This made unlabeled_t a file and provided much more access than an unlabeled file should have. Access to unlabeled objects should be explicit.

Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/kernel.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index c8218bf8c..ed536321a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -190,7 +190,6 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 #
 type unlabeled_t;
 kernel_rootfs_mountpoint(unlabeled_t)
-files_mountpoint(unlabeled_t)
 fs_associate(unlabeled_t)
 sid file gen_context(system_u:object_r:unlabeled_t,s0)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)

From fe737c405d8b995e898e7b9ab20c7421ab408c41 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 28 Jul 2020 10:10:59 -0400
Subject: [PATCH 2/3] selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files.

Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/kernel.if | 37 ++++++++++++++++++++++++++++
 policy/modules/system/selinuxutil.te | 10 ++++++++
 policy/modules/system/userdomain.if | 8 ++++++
 3 files changed, 55 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 7914e1fd4..2e915da3e 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
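Review bot: Removing `files_mountpoint(unlabeled_t)` takes unlabeled_t out of the mountpoint attribute and, per the commit message, out of files_type, so every consumer of the `files_*_all_files` and `files_*_all_mountpoints` interfaces silently loses its unlabeled_t access, yet nothing at the declaration records that this is deliberate. I would add a why-comment to the `#` block that opens this hunk, directly above `type unlabeled_t;`, e.g. `# Deliberately not a files_type or mountpoint: access to unlabeled objects must be granted explicitly through the kernel_*_unlabeled_* interfaces.` The other two patches in the series restore access only for restorecond_t, setfiles_t, the security admin template and files_mounton_all_mountpoints; any other domain that relied on the attribute membership presumably starts failing at runtime, which is worth stating in the commit message so the AVC denials can be traced back to this change. The subject of patch 2/3 on this line also misspells the module as `selinuxuntil`.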
@@ -3210,6 +3210,43 @@ interface(`kernel_delete_unlabeled_sockets',`
 delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
 ')
 
+
+########################################
+##
+## Allow caller to relabel from unlabeled block devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_relabelfrom_unlabeled_blk_devs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:blk_file { getattr relabelfrom };
+')
+
+########################################
+##
+## Allow caller to relabel from unlabeled character devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_relabelfrom_unlabeled_chr_devs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:chr_file { getattr relabelfrom };
+')
+
 ########################################
 ##
 ## Send and receive messages from an
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index fad28f179..8d062dd88 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -354,6 +354,14 @@ kernel_getattr_debugfs(restorecond_t)
 kernel_read_system_state(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_use_fds(restorecond_t)
+kernel_list_unlabeled(restorecond_t)
+kernel_relabelfrom_unlabeled_dirs(restorecond_t)
+kernel_relabelfrom_unlabeled_files(restorecond_t)
+kernel_relabelfrom_unlabeled_symlinks(restorecond_t)
+kernel_relabelfrom_unlabeled_pipes(restorecond_t)
+kernel_relabelfrom_unlabeled_sockets(restorecond_t)
+kernel_relabelfrom_unlabeled_blk_devs(restorecond_t)
+kernel_relabelfrom_unlabeled_chr_devs(restorecond_t)
 
 fs_dontaudit_list_nfs(restorecond_t)
 fs_getattr_all_xattr_fs(restorecond_t)
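Review bot: The two new interfaces grant only `{ getattr relabelfrom }` on the blk_file or chr_file node itself and no `search` on an unlabeled_t directory containing it, so a caller that must descend into an unlabeled directory to reach the node also needs `kernel_list_unlabeled`; restorecond_t receives that in the selinuxutil.te hunk on this same line, but setfiles_t and userdom_security_admin_template in the following hunks are not shown receiving it (they may already have it outside the hunks). The sibling interface visible in the hunk context, `kernel_delete_unlabeled_sockets`, is written with a `*_pattern` macro (`delete_sock_files_pattern`), and those macros, as far as I recall, also grant the directory permissions; if this tree provides `relabelfrom_blk_files_pattern` and `relabelfrom_chr_files_pattern`, using them here would keep the new interfaces consistent with their siblings, and if the bare `allow` is preferred the narrower scope should be documented. Either way I would extend the summaries to say so, e.g. `## Allow caller to relabel from unlabeled block devices. Search on the containing unlabeled directory is not included.` The blk_file and chr_file permissions are appropriately minimal: no relabelto, no read or write on the device.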
@@ -586,6 +594,8 @@ kernel_relabelfrom_unlabeled_files(setfiles_t)
 kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
 kernel_relabelfrom_unlabeled_pipes(setfiles_t)
 kernel_relabelfrom_unlabeled_sockets(setfiles_t)
+kernel_relabelfrom_unlabeled_blk_devs(setfiles_t)
+kernel_relabelfrom_unlabeled_chr_devs(setfiles_t)
 kernel_use_fds(setfiles_t)
 kernel_rw_pipes(setfiles_t)
 kernel_rw_unix_dgram_sockets(setfiles_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5aab9ada7..e9556084f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1425,6 +1425,14 @@ template(`userdom_security_admin_template',`
 # Necessary for managing /boot/efi
 fs_manage_dos_files($1)
 
+ kernel_relabelfrom_unlabeled_dirs($1)
+ kernel_relabelfrom_unlabeled_files($1)
+ kernel_relabelfrom_unlabeled_symlinks($1)
+ kernel_relabelfrom_unlabeled_pipes($1)
+ kernel_relabelfrom_unlabeled_sockets($1)
+ kernel_relabelfrom_unlabeled_blk_devs($1)
+ kernel_relabelfrom_unlabeled_chr_devs($1)
+
 mls_process_read_all_levels($1)
 mls_file_read_all_levels($1)
 mls_file_upgrade($1)

From 27deadbecd5607198c63a1b1f539c0d18ad3603a Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 28 Jul 2020 10:11:24 -0400
Subject: [PATCH 3/3] files: Restore mounton access to files_mounton_all_mountpoints().

Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/files.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6a53f886b..3a93e1419 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1684,6 +1684,8 @@ interface(`files_mounton_all_mountpoints',`
 
 allow $1 mountpoint:dir { search_dir_perms mounton };
 allow $1 mountpoint:file { getattr mounton };
+
+ kernel_mounton_unlabeled_dirs($1)
 ')
 
 ########################################
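Review bot: The seven `kernel_relabelfrom_unlabeled_*` calls added to userdom_security_admin_template carry no why-comment, unlike the `# Necessary for managing /boot/efi` group directly above them, and their rationale lives only in the commit message of patch 1/3. I would head the new group with `# unlabeled_t is no longer a files_type, so relabeling unlabeled objects must be granted explicitly`. No `kernel_list_unlabeled($1)` accompanies the group, so the admin domain can relabel an unlabeled node it can already reach but may be unable to search into an unlabeled directory to get there unless that is granted elsewhere in the template, which is outside this hunk and not something I can confirm from here. The template body starts and ends outside the hunk.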
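Review bot: `files_mounton_all_mountpoints` grants `mounton` on both `mountpoint:dir` and `mountpoint:file`, but the restoration for unlabeled_t adds only `kernel_mounton_unlabeled_dirs($1)`, so mounting on an unlabeled file is no longer covered by this interface even though its name promises all mountpoints; if that narrowing is intended it should be stated next to the call, e.g. `# unlabeled_t is no longer a mountpoint; only unlabeled dirs are restored here`, and if not, a matching file-level kernel interface is needed. `kernel_mounton_unlabeled_dirs` is not defined anywhere in this series, so I assume kernel.if already provides it. The interface's gen_require block and the `<summary>` that should mention this exception start outside the hunk.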