Note that not only kmod needs this permission, other libkmod consumers
like udev require it, too. Hence I'm adding the permission to the
relevant interfaces.
systemd relabels everything in /dev and /run after loading the policy.
In these directories there is a socket file for udev, /run/udev/control,
which is not allowed to be relabelled from tmpfs_t:

    avc:  denied  { relabelfrom } for  pid=1 comm="systemd"
    name="control" dev="tmpfs" ino=7027
    scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t
    tclass=sock_file permissive=1

    avc:  denied  { relabelto } for  pid=1 comm="systemd" name="control"
    dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
    permissive=1

/run/tmpfiles.d directory (used by systemd-tmpfiles service) is also
relabelled.
This is currently denied:

    avc:  denied  { create } for  pid=1 comm="systemd" name="pts"
    scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:devpts_t tclass=dir permissive=1

This is a minor update of the last attempt at this patch.
Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf). Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable). Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t.
The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files.
Dave Sugar
dsugar@tresys.com
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Label RHEL specific systemd binaries /usr/lib/systemd/rhel* as initrc_exec_t.
Now in the proper location.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd tries to create /dev/pts directly with its context type
"devpts_t", but this is not allowed:

    avc:  denied  { associate } for  pid=1 comm="systemd" name="pts"
    scontext=system_u:object_r:devpts_t
    tcontext=system_u:object_r:device_t
    tclass=filesystem permissive=1

The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup
filesystems.
Allows systemd_backlight_t to search /var/lib.
- drop libustr-dev from package list, as the SELinux userland tools dropped this build dependency
- switch to container based build environments
- drop unnecessary make flags
Strip trailing space(s) from 'NAME' being read from /etc/selinux/config, as a trailing space in that name will cause a weird error during the make process for modules built out of tree. This is seen on current Red Hat machines which have a space in the 'SELINUXTYPE' variable.
Commit 2e7553db63 ("Create / to /usr equivalence for bin, sbin, and
lib, from Russell Coker.") removed from corecommands.fc:

    /usr/(.*/)?bin(/.*)?    gen_context(system_u:object_r:bin_t,s0)

Consequently files like /usr/x86_64-w64-mingw32/bin/objdump get labeled
as usr_t:

    $ matchpathcon /usr/x86_64-w64-mingw32/bin/objdump
    /usr/x86_64-w64-mingw32/bin/objdump system_u:object_r:usr_t

Make such files labeled as bin_t again.
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:

    avc:  denied  { read } for  pid=191 comm="auditctl" name="UTC"
    dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1

    avc:  denied  { open } for  pid=191 comm="auditctl"
    path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
    scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1

This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":

    [pid   635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R", "/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
    ...
    [pid   635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No such file or directory)
    [pid   635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
    [pid   635] lseek(4, -71, SEEK_CUR) = 56
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
    [pid   635] close(4) = 0
    [pid   635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
    [pid   635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
    [pid   635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file /etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL, NULL, 0) = 81
    [pid   635] exit_group(0) = ?

More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time in the local timezone.
[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
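
The effect this commit guards against, as an added example that is not part of the commit or of refpolicy: a complement or wildcard rule picks up a newly declared permission without being edited, while its explicit rewrite does not. The types `example_t` and `example_file_t` are hypothetical, and the before/after permission lists are constructed for illustration.

```python
import re

# Constructed permission lists for the "file" class before and after one new
# permission is declared; the before/after split is assumed for illustration.
FILE_PERMS_OLD = ["read", "write", "open", "getattr", "execute"]
FILE_PERMS_NEW = FILE_PERMS_OLD + ["map"]

# allow SOURCE TARGET:CLASS PERMS;  PERMS is *, name, { a b }, ~name or ~{ a b }
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\*|~?\{[^}]*\}|~?\w+)\s*;")


def expand(rule, declared):
    """Resolve a rule's permission set against the class's declared list."""
    m = RULE_RE.fullmatch(rule.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: %r" % rule)
    src, tgt, cls, spec = m.groups()
    if spec == "*":
        perms = set(declared)
    else:
        named = set(spec.lstrip("~").strip("{} ").split())
        unknown = named - set(declared)
        if unknown:
            raise ValueError("undeclared permissions: %s" % sorted(unknown))
        # "~" means every declared permission except the ones named.
        perms = set(declared) - named if spec.startswith("~") else named
    return src, tgt, cls, sorted(perms)


def rewrite(rule, declared):
    """Emit the same rule with every permission spelled out."""
    src, tgt, cls, perms = expand(rule, declared)
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))


def drift(rule, old, new):
    """Permissions the unedited rule gains when the class grows from old to new."""
    return sorted(set(expand(rule, new)[3]) - set(expand(rule, old)[3]))


if __name__ == "__main__":
    rule = "allow example_t example_file_t:file ~{ write execute };"
    explicit = rewrite(rule, FILE_PERMS_OLD)
    print(explicit)
    print("complement gains:", drift(rule, FILE_PERMS_OLD, FILE_PERMS_NEW))
    print("explicit gains:  ", drift(explicit, FILE_PERMS_OLD, FILE_PERMS_NEW))
```
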
When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since 1d3087978a),
the following AVC denial gets reported:

    avc:  denied  { module_load } for  pid=1 comm="systemd"
    scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
    tclass=system permissive=1

[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836

    /* init_module */
    if (file == NULL)
        return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
                            SYSTEM__MODULE_LOAD, NULL);

In this code, both source and target SIDs are current_sid().
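
How the fields of such a denial map onto a rule, as an added example that is not part of the commit or of refpolicy: the parser below re-joins AVC records wrapped across lines, extracts source type, target type, class and permissions, and writes the target as `self` when both types are equal, which is the case the kernel code above produces. The two sample records are copied from the commit messages on this page; the raw `allow` output is only a reading aid, since the commits themselves change policy through interfaces.

```python
import re

# Two denials copied from the commit messages on this page, still wrapped
# across lines the way they appear there.
SAMPLE = """\
avc: denied { relabelto } for pid=1 comm="systemd" name="control"
dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
permissive=1
avc: denied { module_load } for pid=1 comm="systemd"
scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
tclass=system permissive=1
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_records(text):
    """Undo line wrapping: each record runs from one 'avc:' to the next."""
    flat = " ".join(text.split())
    return re.findall(r"avc:\s.*?(?=\savc:\s|$)", flat)


def parse(record):
    """Extract the decision, permissions and type/class fields of one record."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", record)
    if m is None:
        raise ValueError("not an AVC record: %r" % record)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError("record lacks %s" % ", ".join(missing))
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        # A context is user:role:type[:mls]; the type is the third field.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def to_allow(d):
    """Render the rule the denial corresponds to, using 'self' for same-type access."""
    target = "self" if d["target_type"] == d["source_type"] else d["target_type"]
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["source_type"], target, d["tclass"], perms)
```
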
Since Xen 4.7, /dev/xen/privcmd is used instead of /proc/xen/privcmd.
Add the device into the policy so `xenstored` can work.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Not auditing this turns out to be the wrong choice for
several reasons.
For normal application functioning the user domain
should be able to create netlink_kobject_uevent_socket
sockets.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>