From a9ff07d886dcd7682d6593c77fbe01d1559ba374 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Mon, 13 Apr 2020 13:58:11 +0200
Subject: [PATCH 01/12] postfix: add filetrans for sendmail and postfix for aliases db operations
Signed-off-by: bauen1
---
 policy/modules/services/postfix.te | 1 +
 policy/modules/services/sendmail.te | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 81fbbd223..202b39a10 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -310,6 +310,7 @@ seutil_dontaudit_search_config(postfix_master_t)
 mta_manage_aliases(postfix_master_t)
 mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
 mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
+mta_etc_filetrans_aliases(postfix_master_t, file, "__db.aliases.db")
 mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
 mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
 mta_read_sendmail_bin(postfix_master_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index d1c0e83b3..e921bca4e 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -118,6 +118,7 @@ userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
 mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
+mta_etc_filetrans_aliases(sendmail_t, file, "__db.aliases.db")
 mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp")
 mta_manage_aliases(sendmail_t)
 mta_manage_queue(sendmail_t)
@@ -208,6 +209,7 @@ optional_policy(`
 optional_policy(`
 mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
 mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
+ mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "__db.aliases.db")
 mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
 unconfined_domain(unconfined_sendmail_t)
 ')
From 6ce9865e6c85dc6b014b74c43db93963a1820b83 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Sat, 12 Oct 2019 15:51:53 +0200
Subject: [PATCH 02/12] systemd: fixed systemd_rfkill_t denial spam
Signed-off-by: bauen1
---
 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index bff2471cf..830a2399b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1072,6 +1072,8 @@ optional_policy(`
 # Rfkill local policy
 #
+allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
+
 manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
From a5c3c7038554b5511a0572fcf8bb9f18462687a5 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Fri, 24 Apr 2020 14:28:28 +0200
Subject: [PATCH 03/12] thunderbird: label files under /tmp
Signed-off-by: bauen1
---
 policy/modules/apps/thunderbird.te | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 7de51489b..af3c02ebd 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -15,6 +15,9 @@ role thunderbird_roles types thunderbird_t;
 type thunderbird_home_t;
 userdom_user_home_content(thunderbird_home_t)
+type thunderbird_tmp_t;
+userdom_user_tmp_file(thunderbird_tmp_t)
+
 type thunderbird_tmpfs_t;
 userdom_user_tmpfs_file(thunderbird_tmpfs_t)
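Review bot: The new `allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };` carries no comment saying what systemd-rfkill does with a uevent socket, and the commit message only says it silences denials; an `allow` that exists to remove log noise is a wider grant than a `dontaudit` would be. If the socket is genuinely used (presumably to receive device events, which this patch does not show), a comment above the rule such as `# receive rfkill device uevents` would record that; if the access is not needed for the service to work, a `dontaudit` on the same rule is the narrower fix. The enclosing systemd_rfkill_t section continues outside the hunk.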
@@ -42,6 +45,11 @@ manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
 manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
 userdom_user_home_dir_filetrans(thunderbird_t, thunderbird_home_t, dir, ".thunderbird")
+manage_dirs_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+manage_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_tmp_t, thunderbird_tmp_t)
+files_tmp_filetrans(thunderbird_t, thunderbird_tmp_t, { dir file lnk_file })
+
 manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
 manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
 manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
From 6f7bc3da4665c1dba41bf7250cb44b81ade7e99d Mon Sep 17 00:00:00 2001
From: bauen1
Date: Wed, 20 May 2020 18:35:17 +0200
Subject: [PATCH 04/12] init: systemd will run chkpwd to start user@1000
This was likely also hidden by the unconfined module.
Signed-off-by: bauen1
---
 policy/modules/system/init.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4970e0b61..c5595a611 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -317,7 +317,6 @@ ifdef(`init_systemd',`
 dev_manage_input_dev(init_t)
 dev_relabel_all_sysfs(init_t)
 dev_relabel_generic_symlinks(init_t)
- dev_read_urand(init_t)
 dev_write_kmsg(init_t)
 dev_write_urand(init_t)
 dev_rw_lvm_control(init_t)
@@ -435,9 +434,9 @@ ifdef(`init_systemd',`
 auth_manage_var_auth(init_t)
 auth_relabel_login_records(init_t)
 auth_relabel_pam_console_data_dirs(init_t)
+ auth_domtrans_chk_passwd(init_t)
 logging_manage_pid_sockets(init_t)
- logging_send_audit_msgs(init_t)
 logging_relabelto_devlog_sock_files(init_t)
 logging_relabel_generic_log_dirs(init_t)
 logging_audit_socket_activation(init_t)
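Review bot: This init.te hunk and the `@@ -435,9 +434,9 @@` hunk after it drop `dev_read_urand(init_t)` and `logging_send_audit_msgs(init_t)`, but the commit message explains only the added `auth_domtrans_chk_passwd(init_t)`. If the removals rely on `auth_domtrans_chk_passwd` already granting that access (that looks like the intent, but the interface body is not visible here), the commit message should say so; if it does not, init_t silently loses urandom read and audit-message access on systemd systems. A reader auditing init_t's privileges should not have to re-derive which interface now supplies them. Both hunks sit inside the init_systemd ifdef block, which begins and ends outside the hunks.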
From a42a15dd4d0d20aa7896ce489f137c2a42187c02 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Fri, 5 Jun 2020 12:38:44 +0200
Subject: [PATCH 05/12] authlogin: unix_chkpwd is linked to libselinux
Signed-off-by: bauen1
---
 policy/modules/system/authlogin.te | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 3f49e9c21..915f68c21 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -104,8 +104,6 @@ allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)
 kernel_read_crypto_sysctls(chkpwd_t)
-# is_selinux_enabled
-kernel_read_system_state(chkpwd_t)
 domain_dontaudit_use_interactive_fds(chkpwd_t)
@@ -120,7 +118,6 @@ files_dontaudit_search_var(chkpwd_t)
 fs_dontaudit_getattr_xattr_fs(chkpwd_t)
 selinux_get_enforce_mode(chkpwd_t)
-selinux_getattr_fs(chkpwd_t)
 term_dontaudit_use_console(chkpwd_t)
 term_dontaudit_use_unallocated_ttys(chkpwd_t)
@@ -134,7 +131,7 @@ logging_send_syslog_msg(chkpwd_t)
 miscfiles_read_localization(chkpwd_t)
-seutil_read_config(chkpwd_t)
+seutil_libselinux_linked(chkpwd_t)
 seutil_dontaudit_use_newrole_fds(chkpwd_t)
 userdom_use_user_terminals(chkpwd_t)
From 66b4101b36528eb2c3894748c6c5135c4cf2fe87 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Wed, 27 May 2020 13:48:18 +0200
Subject: [PATCH 06/12] systemd: maintain /memfd:systemd-state
Signed-off-by: bauen1
---
 policy/modules/system/init.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c5595a611..97d3fd17f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
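Review bot: The `@@ -104,8 +104,6 @@` hunk removes `kernel_read_system_state(chkpwd_t)` together with its `# is_selinux_enabled` comment and the `@@ -120,7 +118,6 @@` hunk removes `selinux_getattr_fs(chkpwd_t)`, while the only addition is `seutil_libselinux_linked(chkpwd_t)` in the `@@ -134,7 +131,7 @@` hunk. Presumably that interface supplies what the removed lines granted (its body is not part of this patch); a sentence in the commit message, or a comment such as `# libselinux: is_selinux_enabled() and selinuxfs getattr` above the new call, would save the next reader from re-deriving why the explicit rules went away. `selinux_get_enforce_mode(chkpwd_t)` is kept directly above the removed `selinux_getattr_fs` line; if `seutil_libselinux_linked` already provides that access, the kept line is now redundant and worth checking too.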
@@ -284,6 +284,8 @@ ifdef(`init_systemd',`
 manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
 manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t)
 manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t)
+ # /memfd:systemd-state
+ fs_tmpfs_filetrans(init_t, init_runtime_t, file)
 manage_files_pattern(init_t, systemd_unit_t, systemdunit)
From e7fc029a958380288b1e6ef0189cfa7056c9ceb6 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Fri, 29 May 2020 20:31:00 +0200
Subject: [PATCH 07/12] dpkg: allow dpkg frontends to acquire lock by labeling it correctly
Signed-off-by: bauen1
---
 policy/modules/admin/dpkg.fc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/dpkg.fc b/policy/modules/admin/dpkg.fc
index 9ba6e3123..514237b4c 100644
--- a/policy/modules/admin/dpkg.fc
+++ b/policy/modules/admin/dpkg.fc
@@ -9,6 +9,7 @@
 /var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
 /var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
 /var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+/var/lib/dpkg/lock-frontend -- gen_context(system_u:object_r:dpkg_lock_t,s0)
 /usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
 /usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
From 583f435c7b7f52407a793ee29de84b456b68143f Mon Sep 17 00:00:00 2001
From: bauen1
Date: Wed, 27 May 2020 11:37:39 +0200
Subject: [PATCH 08/12] systemd: systemd --user add essential permissions
Allow selinux awareness (libselinux) and access to setsockcreatecon to correctly set the label of sockets.
Signed-off-by: bauen1
---
 policy/modules/system/systemd.if | 5 +++++
 policy/modules/system/systemd.te | 29 ++++++++++++++++++++++-------
 2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index bfdb4560a..3e9ad764e 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
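Review bot: `fs_tmpfs_filetrans(init_t, init_runtime_t, file)` is an unnamed transition, so every regular file init_t creates on any tmpfs — not only the memfd that the `# /memfd:systemd-state` comment describes — will be labeled init_runtime_t. Whether a name-based transition can match a memfd inode depends on the kernel and is not something this patch shows; if it can, the named form `fs_tmpfs_filetrans(init_t, init_runtime_t, file, "memfd:systemd-state")` would be the narrower rule, and if it cannot, the comment should say the broad rule is intentional so nobody later tries to tighten it. The enclosing init_systemd ifdef block begins and ends outside the hunk.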
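Review bot: The new `/var/lib/dpkg/lock-frontend` entry in dpkg.fc repeats the context of the `/var/lib/dpkg/(meth)?lock` line directly above it; folding both into one pattern, `/var/lib/dpkg/(meth)?lock(-frontend)? -- gen_context(system_u:object_r:dpkg_lock_t,s0)`, keeps all dpkg lock files in one place as more lock names appear. This is a style point only — the label and the match are correct as written.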
@@ -60,7 +60,12 @@ template(`systemd_role_template',`
 # Allow using file descriptors for user environment generators
 allow $3 $1_systemd_t:fd use;
+ # systemctl --user
+ stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
+ can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
+
+ dbus_system_bus_client($1_systemd_t)
 ')
 ######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 830a2399b..12b5ba68f 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1314,14 +1314,17 @@ systemd_log_parse_environment(systemd_update_done_t)
 # User session (systemd --user) local policy
 #
+allow systemd_user_session_type self:bpf { prog_load prog_run };
 allow systemd_user_session_type self:capability { dac_read_search sys_resource };
 dontaudit systemd_user_session_type self:capability dac_override;
-allow systemd_user_session_type self:process { setfscreate setsockcreate };
+allow systemd_user_session_type self:fifo_file rw_fifo_file_perms;
+allow systemd_user_session_type self:process { setfscreate setsockcreate setcap getcap };
 allow systemd_user_session_type self:udp_socket create_socket_perms;
 allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
 allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };
 allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_session_type systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
 allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
 userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)
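Review bot: `dbus_system_bus_client($1_systemd_t)` is a new unconditional dependency on the dbus module inside `systemd_role_template`, and it is placed under the `# systemctl --user` comment although it changes what the user's systemd instance itself may do, not what `$3` may run. In refpolicy, calls into another module from a template are normally wrapped in an optional_policy block so the template still builds when that module is absent; this one is not. A comment of its own, e.g. `# systemd --user connects to the system bus`, would separate it from the two systemctl lines, and the commit message could state which systemd feature needs the bus (the patch does not say). The template starts and ends outside the hunk.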
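Review bot: `allow systemd_user_session_type self:bpf { prog_load prog_run };` lets every per-user systemd instance load and run BPF programs, a considerably wider grant than anything else in this block, and neither the line nor the commit message (which only mentions libselinux awareness and setsockcreatecon) says which feature needs it. The same applies to the added `setcap getcap` process permissions and the new `fifo_file` self rule. A why-comment above the bpf rule, e.g. `# bpf: needed by <systemd --user feature - fill in>`, plus a sentence in the commit message, would let a reviewer judge whether the grant is required in the default configuration or belongs behind a boolean.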
@@ -1337,32 +1340,44 @@ can_exec(systemd_user_session_type, systemd_generator_exec_t)
 dev_write_sysfs_dirs(systemd_user_session_type)
 dev_read_sysfs(systemd_user_session_type)
+domain_getattr_all_entry_files(systemd_user_session_type)
+
 files_read_etc_files(systemd_user_session_type)
 files_list_usr(systemd_user_session_type)
+# /etc/localtime
+files_watch_etc_symlinks(systemd_user_session_type)
 fs_getattr_cgroup(systemd_user_session_type)
 fs_getattr_tmpfs(systemd_user_session_type)
 fs_rw_cgroup_files(systemd_user_session_type)
 fs_manage_cgroup_dirs(systemd_user_session_type)
-# for /run/systemd/notify
-init_dgram_send(systemd_user_session_type)
-init_signal(systemd_user_session_type)
-
 # for /proc/sys/fs/nr_open
 kernel_read_fs_sysctls(systemd_user_session_type)
 kernel_read_kernel_sysctls(systemd_user_session_type)
-mount_list_runtime(systemd_user_session_type)
-
+selinux_compute_access_vector(systemd_user_session_type)
 selinux_compute_create_context(systemd_user_session_type)
 storage_getattr_fixed_disk_dev(systemd_user_session_type)
+# for /run/systemd/notify
+init_dgram_send(systemd_user_session_type)
+init_signal(systemd_user_session_type)
+
+logging_send_audit_msgs(systemd_user_session_type)
+
+miscfiles_read_localization(systemd_user_session_type)
+
+mount_list_runtime(systemd_user_session_type)
+mount_watch_runtime_dirs(systemd_user_session_type)
+
 # for systemd to read udev status
 udev_read_pid_files(systemd_user_session_type)
 udev_list_pids(systemd_user_session_type)
+seutil_libselinux_linked(systemd_user_session_type)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy
From 083e5d1d58ed7742c8f9a824f2f36b5476871507 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Fri, 29 May 2020 21:18:30 +0200
Subject: [PATCH 09/12] dpkg: dpkg scripts are part of dpkg and therefor also an application domain
Signed-off-by: bauen1
---
 policy/modules/admin/dpkg.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
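Review bot: `logging_send_audit_msgs(systemd_user_session_type)` gives an unprivileged user's session manager the ability to emit audit records (in refpolicy that interface includes the audit_write capability and netlink_audit_socket access, as far as I recall — confirm against logging.if), and `selinux_compute_access_vector` lets it query policy decisions; neither appears in the commit message, which only covers libselinux linkage and setsockcreatecon. The other additions — `domain_getattr_all_entry_files`, `files_watch_etc_symlinks`, `miscfiles_read_localization`, `mount_watch_runtime_dirs`, `seutil_libselinux_linked` — are plausible but, apart from `# /etc/localtime`, carry no comment saying what triggers them. The hunk also moves the `init_dgram_send`/`init_signal` pair and `mount_list_runtime` to new positions; mixing moves with new grants makes the real additions hard to audit, so the reordering would be better as its own commit, or at least the new interfaces should be listed in the message. The systemd_user_session_type section continues outside the hunk.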
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 28b38fd0f..a389bc629 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -30,7 +30,7 @@ type dpkg_var_lib_t;
 files_type(dpkg_var_lib_t)
 type dpkg_script_t;
-domain_type(dpkg_script_t)
+application_type(dpkg_script_t)
 domain_entry_file(dpkg_t, dpkg_var_lib_t)
 domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
 corecmd_shell_entry_type(dpkg_script_t)
From cb2d84b0d1f644c733c3c877ef6e2b6026842d88 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Sun, 7 Jun 2020 21:35:07 +0200
Subject: [PATCH 10/12] gpg: don't allow gpg-agent to read /proc/kcore
This was probably a typo and shouldn't have been merged.
Signed-off-by: bauen1
---
 policy/modules/apps/gpg.te | 1 -
 1 file changed, 1 deletion(-)
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 4a8a31ef9..acca807f8 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -244,7 +244,6 @@ filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
 domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
 kernel_dontaudit_search_sysctl(gpg_agent_t)
-kernel_read_core_if(gpg_agent_t)
 kernel_read_crypto_sysctls(gpg_agent_t)
 kernel_read_system_state(gpg_agent_t)
From e12d84181bf052030857fec8896f81db70b2f3ee Mon Sep 17 00:00:00 2001
From: bauen1
Date: Sun, 7 Jun 2020 21:45:58 +0200
Subject: [PATCH 11/12] corecommands: correct label for debian ssh-agent helper script
Signed-off-by: bauen1
---
 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 92788219b..b473850d4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -367,6 +367,7 @@ ifdef(`distro_debian',`
 ifdef(`distro_debian',`
 /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/openssh/agent-launch -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
From cbdf1fad22bbd36544f14d8bbae9ff6d73924431 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Mon, 8 Jun 2020 21:28:45 +0200
Subject: [PATCH 12/12] systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp
Signed-off-by: bauen1
---
 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 12b5ba68f..bdd5d3b97 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1218,6 +1218,7 @@ files_manage_etc_symlinks(systemd_tmpfiles_t)
 fs_getattr_tmpfs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
+fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
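Review bot: `fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)` in the systemd.te hunk supplies only the relabelfrom half of a relabel; systemd-tmpfiles will still be denied unless it also holds relabelto on the directory type it is restoring (the type expected for /tmp in the commit's example), and no such rule is in this hunk. If that permission is already granted elsewhere in the systemd_tmpfiles_t block, which continues outside the hunk, a comment beside the new line such as `# relabel a tmpfs mounted over /tmp back to its expected type` would tie the two halves together; if it is not, the matching relabelto is still missing and the commit does not achieve what its title says.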