From 2de74b9ca1f151d7a919e007a80a5f00f94d1074 Mon Sep 17 00:00:00 2001 
From: Nicolas Iooss Date: Sun, 12 Jan 2020 20:51:45 +0100 Subject: [PATCH 1/2] systemd-logind: allow using BootLoaderEntries DBUS property systemd-logind exposes several properties related to the bootloader. One of them is BootLoaderEntries [1], which scans the disks using util-linux's blkid in order to find the ESP (EFI System Partition) [2][3]. This triggers the following logs in audit.log (where /dev/sda1 is the ESP, mounted on /boot): type=AVC msg=audit(1577692922.834:310): avc: denied { getattr } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1 type=AVC msg=audit(1577692922.841:311): avc: denied { search } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.841:312): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.841:313): avc: denied { read } for pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.841:313): avc: denied { open } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.844:314): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.844:315): avc: denied { ioctl } for pid=690 comm="systemd-logind" 
path="/dev/sda1" dev="devtmpfs" ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.851:316): avc: denied { read } for pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:316): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:317): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:318): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:319): avc: denied { read } for pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.851:319): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 Since allowing raw read access to fixed disks (such as /dev/sda1 here) is dangerous (it lets the domain read any data on the disk regardless of file labels), gate these accesses behind a tunable that is off by default.
[1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315 [2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118 [3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835 Signed-off-by: Nicolas Iooss
---
policy/modules/system/systemd.te | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1422d8e20..c4a8c3816 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -20,6 +20,15 @@ gen_tunable(systemd_tmpfiles_manage_all, false)
 ##
 gen_tunable(systemd_nspawn_labeled_namespace, false)
+##
+##

+## Allow systemd-logind to interact with the bootloader (read which one is
+## installed on fixed disks, enumerate entries for dbus property
+## BootLoaderEntries, etc.)
+##

+##
+gen_tunable(systemd_logind_get_bootloader, false)
+
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
@@ -546,6 +555,16 @@ ifdef(`distro_redhat',`
 userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
 ')
+tunable_policy(`systemd_logind_get_bootloader',`
+ fs_getattr_dos_fs(systemd_logind_t)
+ fs_list_dos(systemd_logind_t)
+ fs_read_dos_files(systemd_logind_t)
+
+ # systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
+ # This reads the first sectors of fixed disk devices.
+ storage_raw_read_fixed_disk(systemd_logind_t)
+')
+
 optional_policy(`
 dbus_connect_system_bus(systemd_logind_t)
 dbus_system_bus_client(systemd_logind_t)
From 98a298f8a1e54c647b1c0dd76507f032c6d754f8 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss Date: Sun, 12 Jan 2020 21:57:17 +0100 Subject: [PATCH 2/2] storage: introduce storage_raw_read_fixed_disk_cond As adding attribute fixed_disk_raw_read to a type cannot occur in a conditional statement, create a new interface that takes a tunable as parameter to allow a dangerous access conditionally. Signed-off-by: Nicolas Iooss
---
policy/modules/kernel/storage.if | 33 ++++++++++++++++++++++++++++++++
policy/modules/system/systemd.te | 7 +++----
2 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 0292eee48..ab1f339ce 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
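Review bot: The tunable description on the `+## Allow systemd-logind to interact with the bootloader` lines never states what enabling the boolean actually grants: per the second hunk of this file, systemd_logind_t gets raw read access to every fixed disk device (storage_raw_read_fixed_disk), which is exactly the access the commit message calls dangerous. An administrator toggling this boolean sees only this description, so put the consequence here rather than in a code comment: `## Allow systemd-logind to read the EFI System Partition and raw fixed disk devices (via blkid) in order to enumerate bootloader entries for the BootLoaderEntries DBus property. Enabling this grants read access to the raw contents of all fixed disks.` Drop "etc." and list the exact accesses instead, since the description is the only place the tunable is documented.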
@@ -104,6 +104,39 @@ interface(`storage_raw_read_fixed_disk',`
 typeattribute $1 fixed_disk_raw_read;
 ')
+########################################
+##
+## Allow the caller to directly read from a fixed disk
+## if a tunable is set.
+## This is extremely dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Tunable to depend on
+##
+##
+#
+interface(`storage_raw_read_fixed_disk_cond',`
+ gen_require(`
+ attribute fixed_disk_raw_read;
+ type fixed_disk_device_t;
+ ')
+
+ typeattribute $1 fixed_disk_raw_read;
+ tunable_policy($2, `
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+ ')
+')
+
 ########################################
 ##
 ## Do not audit attempts made by the caller to read
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c4a8c3816..e7950279e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -559,11 +559,10 @@ tunable_policy(`systemd_logind_get_bootloader',`
 fs_getattr_dos_fs(systemd_logind_t)
 fs_list_dos(systemd_logind_t)
 fs_read_dos_files(systemd_logind_t)
-
- # systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
- # This reads the first sectors of fixed disk devices.
- storage_raw_read_fixed_disk(systemd_logind_t)
 ')
+# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
+# This reads the first sectors of fixed disk devices.
+storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
 optional_policy(`
 dbus_connect_system_bus(systemd_logind_t)
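Review bot: In storage_raw_read_fixed_disk_cond the `typeattribute $1 fixed_disk_raw_read;` statement is applied unconditionally while only the allow rules sit inside `tunable_policy($2, ...)`, so the caller carries the attribute even when the tunable is off; the commit message explains why (typeattribute cannot be conditional) but the interface documentation does not, and any rule elsewhere that is keyed on fixed_disk_raw_read — storage.te is not visible here — will apply to the caller regardless of the tunable's value. State that in the summary so callers know the trade-off: `## The fixed_disk_raw_read attribute is assigned unconditionally (typeattribute cannot appear inside tunable_policy); only the allow rules depend on the tunable.` The tunable_policy body also duplicates the permission set of storage_raw_read_fixed_disk, whose body begins outside this hunk; either keep the two in lock-step with a comment naming the sibling or have both call a shared helper, so a later change to one does not silently widen or narrow the other.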
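Review bot: The moved comment `# This reads the first sectors of fixed disk devices.` describes what blkid does, not what the policy permits: read_blk_file_perms on fixed_disk_device_t cannot be limited by offset, so with systemd_logind_get_bootloader on, systemd_logind_t may read the full contents of every fixed disk, including partitions whose files it could otherwise never open. Reword it so a reader of systemd.te sees the real grant: `# blkid only needs the first sectors of each disk, but SELinux cannot limit reads by offset: with the tunable on, logind may read the whole of every fixed disk device (see storage_raw_read_fixed_disk_cond).` The enclosing tunable_policy block for the dosfs accesses starts outside this hunk.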