From 140ee8109432cd7dfb160fdcc8d11a51b47a1f21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Tue, 11 Aug 2020 15:27:07 +0200 Subject: [PATCH 1/3] travis-ci: add SELint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Göttsche --- .travis.yml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 9fb002473..660cd7299 100755 --- a/.travis.yml +++ b/.travis.yml @@ -102,12 +102,35 @@ install: # Drop build.conf settings to listen to env vars - sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf + - | + if [ -n "$LINT" ] ; then + # Install SELint from Debian testing + wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add - + sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y + sudo apt-get update -q + sudo apt-get install -y selint + + selint -V + fi + script: - echo $TYPE $DISTRO $MONOLITHIC $SYSTEMD $WERROR - set -e - - if [ -n "$LINT" ] ; then python3 -t -t -E -W error testing/check_fc_files.py ; fi - make bare - make conf + - | + if [ -n "$LINT" ] ; then + # Run filecontext checker + python3 -t -t -E -W error testing/check_fc_files.py + + # Run SELint + # disable C-005 (Permissions in av rule or class declaration not ordered) for now: has 712 findings + # disable S-010 (Permission macro usage suggested) for now: has 96 findings + # disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule + selint --source --recursive --summary --fail --disable C-005 --disable S-010 --disable W-005 . + + exit 0 + fi - make - make validate - make xml From e9b2e1ea4fbc7307d57138b4af22182d115ffa38 Mon Sep 17 00:00:00 2001 
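Review bot: The SELint install block imports the repository key with `wget -O - … 2>/dev/null | sudo apt-key add -` without checking its fingerprint, and since the block sets no `set -e`, a wrong or empty download (stderr is discarded) only surfaces when a later command such as `selint -V` fails, while a key that does import is trusted for every apt source on the image, not just the Debian one. Save the key to a file, compare its fingerprint with the one Debian publishes (`gpg --with-fingerprint <key-file>`) before importing, and bind it to the new source with `[signed-by=<key-file>]` on the `deb` line, where `<key-file>` is a path of your choosing. Adding Debian testing to an Ubuntu image without a pin also lets `sudo apt-get install -y selint` pull its dependencies from testing; an `/etc/apt/preferences.d` entry giving testing a low priority and only `selint` a high one keeps the rest of the CI image on the base distribution. In the script block, `exit 0` after `selint` ends the phase before `make validate`, which looks intended for the lint job but deserves a comment such as `# lint-only job: skip the policy build`.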
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Tue, 11 Aug 2020 15:48:27 +0200 Subject: [PATCH 2/3] work on SELint issues MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - selinuxutil.te: ignore gen_require usage for bool secure_mode - corenetwork.te: ignore gen_require usage for type unlabeled_t - files.if: drop unneeded required types in interface - rpm.if: drop unneeded required type in interface - xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template - domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel Signed-off-by: Christian Göttsche --- policy/modules/admin/rpm.if | 4 ---- policy/modules/kernel/corenetwork.te.m4 | 4 ++-- policy/modules/kernel/domain.te | 4 ++++ policy/modules/kernel/files.if | 1 - policy/modules/services/xserver.if | 2 +- policy/modules/system/selinuxutil.te | 2 +- 6 files changed, 8 insertions(+), 9 deletions(-) diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if index 6dbec6be3..2b5e0768e 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if @@ -577,10 +577,6 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans_rpm_pid',` - gen_require(` - type rpm_runtime_t; - ') - refpolicywarn(`$0($*) has been deprecated') ') diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index a58e08f1c..e512750a2 100644 --- a/policy/modules/kernel/corenetwork.te.m4 +++ b/policy/modules/kernel/corenetwork.te.m4 @@ -44,7 +44,7 @@ ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl # network_interface(if_name,linux_interface,mls_sensitivity) # define(`network_interface',` -gen_require(``type unlabeled_t;'') +gen_require(``type unlabeled_t;'') #selint-disable:S-001 type $1_netif_t, netif_type; declare_netifs($1_netif_t,shift($*)) ') 
@@ -59,7 +59,7 @@ ifdef(`__network_enabled_declared__',`',` gen_bool(network_enabled, true) define(`__network_enabled_declared__') ') -gen_require(``type unlabeled_t;'') +gen_require(``type unlabeled_t;'') #selint-disable:S-001 type $1_netif_t, netif_type; declare_netifs($1_netif_t,shift($*)) ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 4e43a208d..4350d71f6 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -77,6 +77,10 @@ attribute cron_job_domain; # SELinux identity and role change constraints attribute process_uncond_exempt; # add userhelperdomain to this one +gen_require(` #selint-disable:S-001 + type unlabeled_t; +') + neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *; neverallow ~{ domain unlabeled_t } *:process *; diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index e4afacf5e..6ea38aa0f 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -7000,7 +7000,6 @@ interface(`files_write_runtime_pipes',` interface(`files_delete_all_runtime_dirs',` gen_require(` attribute pidfile; - type var_t, var_run_t; ') delete_dirs_pattern($1, pidfile, pidfile) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index c245ca190..b6f98d15f 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -96,7 +96,7 @@ interface(`xserver_restricted_role',` miscfiles_read_fonts($2) - xserver_common_x_domain_template(user, $2) + xserver_common_x_domain_template(user, $2) #selint-disable:S-004 xserver_domtrans($2) xserver_unconfined($2) xserver_xsession_entry_type($2) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index ab4d6b08f..1598b4317 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
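Review bot: The new `gen_require` block in domain.te carries only the `#selint-disable:S-001` marker and not the reason it exists, so the next reader has to work out why a type owned by the kernel module is required here; a line above it such as `# unlabeled_t is declared in kernel; needed by the process neverallow constraints below` would record it. The marker sits inside the quoted argument here and in selinuxutil.te but after the closing quote in corenetwork.te.m4; inside the quote it presumably ends up in the generated require block as a policy comment, which is harmless, but it is worth confirming that SELint honours both placements.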
@@ -1,6 +1,6 @@ policy_module(selinuxutil, 1.27.4) -gen_require(` +gen_require(` #selint-disable:S-001 bool secure_mode; ') From 09ed84b632d03e3906c5f1e539cc4bc15749dcc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Wed, 12 Aug 2020 18:17:19 +0200 Subject: [PATCH 3/3] files/modutils: unify modules_object_t usage into files module MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011) modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011) modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002) Signed-off-by: Christian Göttsche --- policy/modules/kernel/files.fc | 2 ++ policy/modules/kernel/files.if | 22 ++++++++++++++++++++++ policy/modules/system/init.te | 2 +- policy/modules/system/modutils.fc | 1 - policy/modules/system/modutils.if | 15 ++++++--------- policy/modules/system/modutils.te | 8 ++------ policy/modules/system/systemd.te | 2 +- policy/modules/system/udev.te | 3 +-- 8 files changed, 35 insertions(+), 20 deletions(-) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index a3993f5cc..ceded24c8 100644 
--- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -200,6 +200,8 @@ HOME_ROOT/lost\+found/.* <> # Avoid calling m4's include by using en empty string /usr/include`'(/.*)? gen_context(system_u:object_r:usr_t,s0) +/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) + /usr/local/\.journal <> /usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 6ea38aa0f..2b453301e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4157,6 +4157,27 @@ interface(`files_read_kernel_modules',` read_lnk_files_pattern($1, modules_object_t, modules_object_t) ') +######################################## +## +## Read and mmap kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mmap_read_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir list_dir_perms; + read_files_pattern($1, modules_object_t, modules_object_t) + allow $1 modules_object_t:file map; + read_lnk_files_pattern($1, modules_object_t, modules_object_t) +') + ######################################## ## ## Write kernel module files. @@ -4213,6 +4234,7 @@ interface(`files_manage_kernel_modules',` allow $1 modules_object_t:dir rw_dir_perms; manage_files_pattern($1, modules_object_t, modules_object_t) + allow $1 modules_object_t:file map; ') ######################################## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 52c4cb05a..9bafeae29 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -185,6 +185,7 @@ domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) files_read_etc_files(init_t) +files_mmap_read_kernel_modules(init_t) files_rw_runtime_files(init_t) files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) 
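Review bot: Adding `allow $1 modules_object_t:file map;` to `files_manage_kernel_modules` widens every existing caller of that interface, not only kmod_t, to shared writable mappings of kernel module objects (`manage_files_pattern` already grants write, so `map` is the missing piece), and neither the commit message nor the hunk says why. If only kmod_t needs it, keeping the permission local to that domain or in a dedicated interface is tighter; if the widening is intended, a comment above the line such as `# map: callers rewrite module objects in place — TODO confirm which callers need this` would record the decision. The body of `files_manage_kernel_modules` begins outside the hunk.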
@@ -547,7 +548,6 @@ ifdef(`distro_redhat',` optional_policy(` modutils_read_module_config(init_t) modutils_read_module_deps(init_t) - modutils_read_module_objects(init_t) ') optional_policy(` diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index c77dea007..c4eda80c4 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -21,7 +21,6 @@ ifdef(`init_systemd',` /usr/bin/rmmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0) /usr/bin/update-modules -- gen_context(system_u:object_r:kmod_exec_t,s0) -/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) /usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) /usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index beec3112e..809506917 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,10 +12,11 @@ # interface(`modutils_getattr_module_deps',` gen_require(` - type modules_dep_t, modules_object_t; + type modules_dep_t; ') - getattr_files_pattern($1, modules_object_t, modules_dep_t) + files_search_kernel_modules($1) + allow $1 modules_dep_t:file getattr; ') ######################################## @@ -39,7 +40,7 @@ interface(`modutils_read_module_deps',` ######################################## ## -## Read the kernel modules. +## Read the kernel modules. (Deprecated) ## ## ## @@ -48,12 +49,8 @@ interface(`modutils_read_module_deps',` ## # interface(`modutils_read_module_objects',` - gen_require(` - type modules_object_t; - ') - - files_list_kernel_modules($1) - allow $1 modules_object_t:file { read_file_perms map }; + refpolicywarn(`$0($*) has been deprecated, please use files_mmap_read_kernel_modules() instead.') + files_mmap_read_kernel_modules($1) ') ######################################## 
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 8fb78caf6..4cd82c422 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -46,11 +46,7 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t) read_files_pattern(kmod_t, modules_conf_t, modules_conf_t) list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t) manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t) -allow kmod_t modules_dep_t:file map; -filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file) -create_files_pattern(kmod_t, modules_object_t, modules_dep_t) -delete_files_pattern(kmod_t, modules_object_t, modules_dep_t) -allow kmod_t modules_object_t:file map; +files_kernel_modules_filetrans(kmod_t, modules_dep_t, file) can_exec(kmod_t, kmod_exec_t) @@ -87,7 +83,7 @@ dev_rw_acpi_bios(kmod_t) domain_signal_all_domains(kmod_t) domain_use_interactive_fds(kmod_t) -files_read_kernel_modules(kmod_t) +files_manage_kernel_modules(kmod_t) files_read_kernel_symbol_table(kmod_t) files_read_etc_runtime_files(kmod_t) files_read_etc_files(kmod_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 2d02477cc..a9e5ab842 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -727,11 +727,11 @@ kernel_request_load_module(systemd_modules_load_t) dev_read_sysfs(systemd_modules_load_t) +files_mmap_read_kernel_modules(systemd_modules_load_t) files_read_etc_files(systemd_modules_load_t) modutils_read_module_config(systemd_modules_load_t) modutils_read_module_deps(systemd_modules_load_t) -modutils_read_module_objects(systemd_modules_load_t) systemd_log_parse_environment(systemd_modules_load_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 7e57d0de6..ac62aa591 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te 
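Review bot: The first modutils.te hunk removes `allow kmod_t modules_dep_t:file map;` and nothing in the patch re-grants it: `files_kernel_modules_filetrans(kmod_t, modules_dep_t, file)` covers the dropped filetrans/create/delete rules and the kept `manage_files_pattern` line covers file access, but unless `manage_files_pattern` includes `map` in this tree (refpolicy's `manage_file_perms` does not, as far as I know) kmod's mmap of the modules.dep index will now be denied, so `allow kmod_t modules_dep_t:file map;` should stay. The second hunk replaces `files_read_kernel_modules(kmod_t)` with `files_manage_kernel_modules(kmod_t)`, which grants create, write, rename and unlink on every modules_object_t file, whereas the removed rules only let kmod_t read and map module objects and create/delete modules_dep_t files in their directories; `files_mmap_read_kernel_modules(kmod_t)`, added by this same patch, reproduces the old access without letting the module loader rewrite module objects on disk. If write access to module objects is intended, a comment naming the program that needs it would help.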
@@ -128,7 +128,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) files_read_etc_files(udev_t) -files_read_kernel_modules(udev_t) +files_mmap_read_kernel_modules(udev_t) files_exec_etc_files(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) @@ -182,7 +182,6 @@ modutils_domtrans(udev_t) modutils_read_module_config(udev_t) # read modules.inputmap: modutils_read_module_deps(udev_t) -modutils_read_module_objects(udev_t) seutil_read_config(udev_t) seutil_read_default_contexts(udev_t)