The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup
filesystems.
Allows systemd_backlight_t to search /var/lib.
Commit 2e7553db63 ("Create / to /usr equivalence for bin, sbin, and
lib, from Russell Coker.") removed from corecommands.fc:
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
Consequently files like /usr/x86_64-w64-mingw32/bin/objdump get labeled
as usr_t:
$ matchpathcon /usr/x86_64-w64-mingw32/bin/objdump
/usr/x86_64-w64-mingw32/bin/objdump system_u:object_r:usr_t
Make such files labeled as bin_t again.
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:
avc: denied { read } for pid=191 comm="auditctl" name="UTC"
dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
avc: denied { open } for pid=191 comm="auditctl"
path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":
[pid 635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
"/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
...
[pid 635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid 635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
[pid 635] lseek(4, -71, SEEK_CUR) = 56
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
[pid 635] close(4) = 0
[pid 635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid 635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
[pid 635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
/etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
NULL, 0) = 81
[pid 635] exit_group(0) = ?
More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time is in local timezone.
[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
1d3087978a),
the following AVC denial gets reported:
avc: denied { module_load } for pid=1 comm="systemd"
scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
tclass=system permissive=1
[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
/* init_module */
if (file == NULL)
return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
SYSTEM__MODULE_LOAD, NULL);
In this code, both source and target SIDs are current_sid().
Since Xen 4.7, /dev/xen/privcmd is used instead of /proc/xen/privcmd.
Add the device into the policy so `xenstored` can work.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Not auditing this turns out to be the wrong choice for
several reasons.
For normal application functioning the user domain
should be able to create netlink_kobject_uvent_socket
sockets.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
This won't match subdirectories of /usr/lib, but that shouldn't be a
problem, since we have "allow domain lib_t ..." anyway.
We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
false positives; in particular, the files
/usr/share/xmlto/format/docbook/man
/usr/share/bash-completion/completions/man
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying). The kernel commit is anticipated to
be included in Linux 4.13.
This refpolicy change defines map permission for refpolicy. It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets. This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.
This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.
It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.
Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Chris PeBenito
David Sugar
Russell Coker
Krzysztof Nowicki
Nicolas Iooss
Anthony PERARD
Guido Trentalancia
Luis Ressel
cgzones
Jason Zaman
Stephen Smalley