From aa6c7f28f269eb8194dcac6f1e572f1c2197577b Mon Sep 17 00:00:00 2001 From: bauen1 Date: Thu, 4 Jun 2020 22:03:34 +0200 Subject: [PATCH 1/7] allow most common permissions for systemd sandboxing options Signed-off-by: bauen1 --- policy/modules/kernel/devices.if | 36 +++++++++++++++++++++++++++ policy/modules/kernel/terminal.if | 41 +++++++++++++++++++++++++++++++ policy/modules/system/init.te | 7 ++++++ 3 files changed, 84 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 9f6c79293..406b29796 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3791,6 +3791,24 @@ interface(`dev_write_rand',` write_chr_files_pattern($1, device_t, random_device_t) ') +######################################## +## +## Create the random device (/dev/random). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_create_rand_dev',` + gen_require(` + type device_t, random_device_t; + ') + + create_chr_files_pattern($1, device_t, random_device_t) +') + ######################################## ## ## Read the realtime clock (/dev/rtc). @@ -4675,6 +4693,24 @@ interface(`dev_write_urand',` write_chr_files_pattern($1, device_t, urandom_device_t) ') +######################################## +## +## Create the urandom device (/dev/urandom). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_create_urand_dev',` + gen_require(` + type device_t, urandom_device_t; + ') + + create_chr_files_pattern($1, device_t, urandom_device_t) +') + ######################################## ## ## Getattr generic the USB devices. diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 2b56068be..aece29822 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if 
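Review bot: `dev_create_rand_dev` and `dev_create_urand_dev` grant only the chr_file create pattern, while the `term_create_*` interfaces added by the same patch in terminal.if also grant `allow $1 self:capability mknod;`, so a caller of the devices.if interfaces silently depends on holding mknod from somewhere else. If that mirrors the existing `dev_create_null_dev` convention it is acceptable, but the summaries should say so, e.g. `## Create the random device (/dev/random). The caller must separately be allowed the mknod capability.`. Neither interface appears to add a type_transition, so a node created under device_t only ends up as random_device_t or urandom_device_t if the caller sets the file-creation context itself; that deserves a sentence in the summary as well. The same applies to the `dev_create_urand_dev` hunk below.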
@@ -729,6 +729,27 @@ interface(`term_dontaudit_use_generic_ptys',` dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') +####################################### +## +## Create the tty device. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_create_controlling_term',` + gen_require(` + type devtty_t; + ') + + dev_list_all_dev_nodes($1) + dev_add_entry_generic_dirs($1) + allow $1 devtty_t:chr_file create_chr_file_perms; + allow $1 self:capability mknod; +') + ####################################### ## ## Set the attributes of the tty device @@ -768,6 +789,26 @@ interface(`term_use_controlling_term',` allow $1 devtty_t:chr_file { rw_term_perms lock append }; ') +####################################### +## +## Create the pty multiplexor (/dev/ptmx). +## +## +## +## Domain to not audit. +## +## +# +interface(`term_create_ptmx',` + gen_require(` + type ptmx_t; + ') + + dev_add_entry_generic_dirs($1) + allow $1 ptmx_t:chr_file create_chr_file_perms; + allow $1 self:capability mknod; +') + ####################################### ## ## Get the attributes of the pty multiplexor (/dev/ptmx). diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 4970e0b61..5d52490bb 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -332,6 +332,11 @@ ifdef(`init_systemd',` dev_manage_sysfs_dirs(init_t) dev_relabel_sysfs_dirs(init_t) dev_read_usbfs(initrc_t) + # sandbox + dev_create_null_dev(init_t) + dev_create_zero_dev(init_t) + dev_create_rand_dev(init_t) + dev_create_urand_dev(init_t) # systemd writes to /dev/watchdog on shutdown dev_write_watchdog(init_t) @@ -458,6 +463,8 @@ ifdef(`init_systemd',` systemd_rw_networkd_netlink_route_sockets(init_t) term_create_devpts_dirs(init_t) + term_create_ptmx(init_t) + term_create_controlling_term(init_t) # udevd is a "systemd kobject uevent socket activated daemon" udev_create_kobject_uevent_sockets(init_t) 
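Review bot: `term_create_controlling_term` calls `dev_list_all_dev_nodes($1)`, which neither the sibling `term_create_ptmx` added by this patch nor the existing `term_create_console_dev` needs; creating a single node under /dev should only require `dev_add_entry_generic_dirs($1)`. Unless listing every device directory is genuinely required on this path, drop that line, or add a comment explaining why the wider permission is needed. The summary could also name the node for consistency with the other interfaces: `## Create the tty device (/dev/tty).`.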
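Review bot: The parameter summary of `term_create_ptmx` reads `## Domain to not audit.`, but the interface grants permissions rather than adding dontaudit rules, so the text is a copy-paste error. It should read `## Domain allowed access.` like the other create interfaces in this file.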
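Review bot: The `# sandbox` comment above the four `dev_create_*_dev(init_t)` calls does not say which systemd feature needs PID 1 to create device nodes, so a later reviewer cannot tell when the rules become obsolete. Presumably this is the private /dev that systemd populates for units with `PrivateDevices=`; if so, spell it out: `# systemd creates the device nodes of a sandboxed service's private /dev (PrivateDevices=)`. The second init.te hunk adding `term_create_ptmx(init_t)` and `term_create_controlling_term(init_t)` should carry the same comment, since it serves the same purpose.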
From d9a58c8434d23a085ad1049004fb0378a06baa93 Mon Sep 17 00:00:00 2001 From: bauen1 Date: Thu, 11 Jun 2020 18:37:17 +0200 Subject: [PATCH 2/7] terminal: cleanup term_create interfaces Signed-off-by: bauen1 --- policy/modules/kernel/terminal.if | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index aece29822..4bd4884f8 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -163,6 +163,7 @@ interface(`term_create_devpts_dirs',` type devpts_t; ') + dev_add_entry_generic_dirs($1) allow $1 devpts_t:dir create_dir_perms; ') @@ -395,7 +396,7 @@ interface(`term_create_console_dev',` ') dev_add_entry_generic_dirs($1) - allow $1 console_device_t:chr_file create; + allow $1 console_device_t:chr_file create_chr_file_perms; allow $1 self:capability mknod; ') From 0a596401f11a483f54aaf3a2b601af5fd3fee5ce Mon Sep 17 00:00:00 2001 From: bauen1 Date: Fri, 17 Apr 2020 20:42:18 +0200 Subject: [PATCH 3/7] logrotate.service sandbox required permissions Signed-off-by: bauen1 --- policy/modules/kernel/files.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index a681ec51a..24eae3b4d 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -101,6 +101,10 @@ files_mountpoint(mnt_t) type modules_object_t; files_type(modules_object_t) +optional_policy(` + init_mountpoint(modules_object_t) +') + type no_access_t; files_type(no_access_t) From 83a39ad4fdce90e2a9c4bc765a338ef7f06ae2e5 Mon Sep 17 00:00:00 2001 From: bauen1 Date: Sat, 16 May 2020 22:45:36 +0200 Subject: [PATCH 4/7] udev.service sandbox required permissions Signed-off-by: bauen1 --- policy/modules/kernel/kernel.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 9600ec1fd..562671bcd 100644 --- a/policy/modules/kernel/kernel.te 
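Review bot: The subject says "cleanup", but both hunks grant access that was not granted before: `term_create_devpts_dirs` gains `dev_add_entry_generic_dirs($1)` and `term_create_console_dev` widens `create` to `create_chr_file_perms`. Neither is unreasonable for a create interface, and the second aligns console with the new `term_create_ptmx`/`term_create_controlling_term`, but the commit message should state the permission change and what failed without it, so the widening is not mistaken for a no-op by anyone auditing the policy history.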
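Review bot: `init_mountpoint(modules_object_t)` carries no comment on why init_t mounts over kernel module files, and the same bare pattern repeats in kernel.te (`sysctl_kernel_t`, `proc_kcore_t`, `sysctl_irq_t`), devices.te (`mtrr_device_t`), files.te (`system_map_t`), filesystem.te (`tracefs_t`), ntp.te and systemd.te in the following patches. These look like the paths systemd masks or bind-mounts for `ProtectKernelModules=`, `ProtectKernelTunables=` and the `ReadWritePaths=`-style options, but the diff does not say so, and a mounton grant for init_t on a kernel type is not self-explanatory. A one-line comment at each block, e.g. `# systemd mounts over /lib/modules in sandboxed services (ProtectKernelModules=)`, would let the rules be dropped when the unit options change; the ntp.te and systemd.te hunks should likewise name the unit option that needs init to mount on their runtime and lib directories.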
+++ b/policy/modules/kernel/kernel.te @@ -136,6 +136,10 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) type sysctl_kernel_t, sysctl_type; genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) +optional_policy(` + init_mountpoint(sysctl_kernel_t) +') + # /sys/kernel/ns_last_pid file type sysctl_kernel_ns_last_pid_t, sysctl_type; genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0) From e20db26b7b7be4cf98989662a8bdc62d8d1b7b51 Mon Sep 17 00:00:00 2001 From: bauen1 Date: Sun, 17 May 2020 13:36:56 +0200 Subject: [PATCH 5/7] systemd-timesyncd.service sandbox requried permissions For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.: Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc: granted { create } for pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file Signed-off-by: bauen1 --- policy/modules/kernel/devices.te | 6 +++++- policy/modules/kernel/files.te | 4 ++++ policy/modules/kernel/filesystem.te | 4 ++++ policy/modules/kernel/kernel.te | 8 ++++++++ policy/modules/services/ntp.te | 2 ++ policy/modules/system/init.te | 1 + 6 files changed, 24 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 2795ad803..33f743b83 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -197,6 +197,10 @@ type mtrr_device_t; dev_node(mtrr_device_t) genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) +optional_policy(` + init_mountpoint(mtrr_device_t) +') + # # null_device_t is the type of /dev/null. # @@ -285,7 +289,7 @@ type tpm_device_t; dev_node(tpm_device_t) # -# uhid_device_t is the thpe of /dev/uhid - +# uhid_device_t is the type of /dev/uhid - # User-space I/O driver support for HID subsystem # type uhid_device_t; 
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 24eae3b4d..9cd71d5ab 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -136,6 +136,10 @@ type system_map_t; files_type(system_map_t) genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) +optional_policy(` + init_mountpoint(system_map_t) +') + # # tmp_t is the type of the temporary directories # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index a6a56bf1e..a345398fa 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -181,6 +181,10 @@ type tracefs_t; fs_type(tracefs_t) genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0) +optional_policy(` + init_mountpoint(tracefs_t) +') + type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 562671bcd..750dccac7 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -95,6 +95,10 @@ type proc_kcore_t, proc_type; neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr; genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) +optional_policy(` + init_mountpoint(proc_kcore_t) +') + type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) @@ -119,6 +123,10 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) type sysctl_irq_t, sysctl_type; genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) +optional_policy(` + init_mountpoint(sysctl_irq_t) +') + # /proc/net/rpc directory and files type sysctl_rpc_t, sysctl_type; genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index a8ab90d47..b5dc138d2 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te 
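Review bot: `init_mountpoint(proc_kcore_t)` sits directly below `neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;`, and if init_mountpoint grants `mounton` on the file class (refpolicy's version uses `dir_file_class_set`, as far as I recall), init_t will trip that assertion at policy build unless it carries `can_dump_kernel`. The assertion should be extended in the same commit, e.g. `neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~{ getattr mounton };`, with a comment that mounting over /proc/kcore hides the file rather than reading it. Please confirm the tree builds with this hunk applied.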
@@ -12,6 +12,7 @@ files_config_file(ntp_conf_t) type ntp_drift_t; files_type(ntp_drift_t) +init_mountpoint(ntp_drift_t) type ntpd_t; type ntpd_exec_t; @@ -33,6 +34,7 @@ logging_log_file(ntpd_log_t) type ntpd_pid_t; files_pid_file(ntpd_pid_t) +init_mountpoint(ntpd_pid_t) type ntpd_tmp_t; files_tmp_file(ntpd_tmp_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 5d52490bb..cc9438ce5 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -408,6 +408,7 @@ ifdef(`init_systemd',` fs_relabel_tmpfs_dirs(init_t) fs_relabel_tmpfs_files(init_t) fs_relabelfrom_tmpfs_sockets(init_t) + fs_manage_tmpfs_symlinks(init_t) # mount-setup fs_unmount_autofs(init_t) fs_getattr_pstore_dirs(init_t) From 93beef3ce52df1a7fdc2b7938a92e54b7e41d2b3 Mon Sep 17 00:00:00 2001 From: bauen1 Date: Sun, 17 May 2020 13:37:04 +0200 Subject: [PATCH 6/7] systemd-logind.service sandbox required permissions Signed-off-by: bauen1 --- policy/modules/system/systemd.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index bff2471cf..de9d6fb74 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -137,13 +137,16 @@ init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t) type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t; files_pid_file(systemd_logind_inhibit_runtime_t) +init_mountpoint(systemd_logind_inhibit_runtime_t) type systemd_logind_runtime_t alias systemd_logind_var_run_t; files_pid_file(systemd_logind_runtime_t) init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind") +init_mountpoint(systemd_logind_runtime_t) type systemd_logind_var_lib_t; files_type(systemd_logind_var_lib_t) +init_mountpoint(systemd_logind_var_lib_t) type systemd_machined_t; type systemd_machined_exec_t; 
@@ -222,6 +225,7 @@ init_system_domain(systemd_sessions_t, systemd_sessions_exec_t) type systemd_sessions_runtime_t alias systemd_sessions_var_run_t; files_pid_file(systemd_sessions_runtime_t) init_daemon_pid_file(systemd_sessions_runtime_t, dir, "systemd_sessions") +init_mountpoint(systemd_sessions_runtime_t) type systemd_tmpfiles_t; type systemd_tmpfiles_exec_t; From 0f4eb2a324f7c5e1d618b7035377525bddcd75f2 Mon Sep 17 00:00:00 2001 From: bauen1 Date: Sat, 16 May 2020 22:25:40 +0200 Subject: [PATCH 7/7] init: fix systemd boot Signed-off-by: bauen1 --- policy/modules/system/init.te | 1 + policy/modules/system/logging.if | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index cc9438ce5..29dd74633 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -447,6 +447,7 @@ ifdef(`init_systemd',` logging_relabelto_devlog_sock_files(init_t) logging_relabel_generic_log_dirs(init_t) logging_audit_socket_activation(init_t) + logging_use_syslogd_fd(init_t) # lvm2-activation-generator checks file labels seutil_read_file_contexts(init_t) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 4223e6b76..583b873a4 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -687,6 +687,25 @@ interface(`logging_send_syslog_msg',` ') ') +######################################## +## +## Allow domain to use a file descriptor +## from syslogd. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_use_syslogd_fd', ` + gen_require(` + type syslogd_t; + ') + + allow $1 syslogd_t:fd use; +') + ######################################## ## ## Allow domain to relabelto devlog sock_files
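Review bot: `logging_use_syslogd_fd(init_t)` is added without a comment, and the subject "init: fix systemd boot" does not say which interaction needs PID 1 to use descriptors inherited from syslogd_t. Presumably this is journald handing its stream descriptors to systemd's fd store via sd_pid_notify_with_fds; if that is confirmed, note it in place: `# journald stores its stream fds in PID 1's fd store`. Without the why, the rule cannot be checked against the denial it fixes, so the AVC message belongs in the commit message too.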
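Review bot: `interface(`logging_use_syslogd_fd', `` has a space before the body quote, unlike `interface(`logging_send_syslog_msg',`` and the rest of this file; write it as `interface(`logging_use_syslogd_fd',`` for consistency. The summary could also state the direction of the grant, since `fd use` only lets the domain use descriptors that syslogd created: `## Allow the domain to use file descriptors created by syslogd.`.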