Commit Graph

63 Commits

Author SHA1 Message Date
Chris PeBenito 4b91cc3a18 Remove deprecated flask.py script. 2018-05-31 17:40:10 -04:00
Christian Göttsche 7b6042b29c add definition of bpf class and systemd perms 2018-03-21 14:16:52 -04:00
Richard Haines 437e48ac53 refpolicy: Update for kernel sctp support
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-21 14:14:37 -04:00
Chris PeBenito 1637a8b407 Add nnp_nosuid_transition policycap and related class/perm definitions. 2017-08-05 12:13:21 -04:00
Stephen Smalley 7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Stephen Smalley cfe0a94feb refpolicy: Define smc_socket security class
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, note that it
is enabled as part of the extended_socket_class policy capability, and add
it to the socket_class_set macro.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:00:57 -04:00
Stephen Smalley c5cdfec50b refpolicy: Define getrlimit permission for class process
This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process.  It is only checked when acting on another
process, so getrlimit permission is not required for use of getrlimit(2).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:00:50 -04:00
Stephen Smalley 4637cd6f89 refpolicy: drop unused socket security classes
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family.  Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-15 13:03:57 -05:00
Stephen Smalley 09ebf2b59a refpolicy: Define extended_socket_class policy capability and socket classes
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains.  Allowing access
by other domains to the new socket security classes is left to future
commits.

The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 18:07:42 -05:00
cgzones d8cb498284 remove trailing whitespaces 2016-12-06 13:45:13 +01:00
Guido Trentalancia d932d7349d Add module_load permission to class system
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission can be used to create SELinux policies.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-13 08:26:30 -04:00
Laurent Bigonville fd9bfbbfba Add the validate_trans access vector to the security class
This access vector has been added in version 4.5, commitid:
f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39
2016-05-02 08:41:07 -04:00
Chris PeBenito 0be4f9ba0f Add user namespace capability object classes.
Define cap and cap2 commons to manage the permissions.
2016-04-06 14:52:26 -04:00
Chris PeBenito d326c3878c Add systemd access vectors. 2015-10-20 15:01:27 -04:00
Stephen Smalley 58b3029576 Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Laurent Bigonville 946d0237d2 Add "binder" security class and access vectors 2015-05-08 08:17:48 -04:00
Laurent Bigonville cbb1f36ef5 Add new audit_read access vector in capability2 class
This AV has been added in 3.16 in commit
3a101b8de0d39403b2c7e5c23fd0b005668acf48
2014-11-09 11:11:15 +01:00
Artyom Smirnov e1804807ba Renamed db_type to db_datatype, to avoid confusion with SELinux "type" 2014-06-25 16:24:33 +04:00
Artyom Smirnov fb0bedcbf8 Fixes for db_domain and db_exception
Rename db_domain to db_type
Add "use" permission to db_domain and db_type
2014-06-25 12:47:15 +04:00
Artyom Smirnov 019b439a48 New database object classes
Pair of objects which supported by Interbase/Firebird/Red Database:

db_exception - exception which can be thrown from PSQL
db_domain - named set of column attributes
2014-06-24 15:25:22 +04:00
Paul Moore 965e098af8 flask: add the attach_queue permission to the tun_socket object class
New permission added to Linux 3.8 via the new multiqueue TUN device.

Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-01-22 12:46:06 -05:00
Chris PeBenito e3c57d3156 Rename epollwakeup capability2 permission to block_suspend to match the
corresponding kernel capability rename.
2012-07-25 09:01:55 -04:00
Sven Vermeulen afeb8c4cb9 Refactoring code to support python3
This patch includes the necessary refactoring to support python 3.

Changes since v2
- Do not include contrib submodule (no relevant changes there)
- Update in pyplate to fix a failure with str/unicode in doc generation

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-06-26 09:08:48 -04:00
Chris PeBenito 425adc3b2d Update capability2 object class for new wake_alarm and epollwakeup capabilities. 2012-06-06 13:34:45 -04:00
Chris PeBenito c5114fef5e SEPostgresql changes from Kohei KaiGai.
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
2012-05-18 09:28:18 -04:00
Chris PeBenito 6f76afe44e Update access vectors. 2011-03-28 11:45:46 -04:00
Chris PeBenito 640df09275 Add syslog capability. 2011-01-19 14:11:00 -05:00
KaiGai Kohei 82c32d5cf4 New database object classes
The attached patch adds a few database object classes, as follows:

* db_schema
------------
A schema object performs as a namespace in database; similar to
directories in filesystem.
It seems some of (but not all) database objects are stored within
a certain schema logically. We can qualify these objects using
schema name. For example, a table: "my_tbl" within a schema: "my_scm"
is identified by "my_scm.my_tbl". This table is completely different
from "your_scm.my_tbl" that it a table within a schema: "your_scm".
Its characteristics is similar to a directory in filesystem, so
it has similar permissions.
The 'search' controls to resolve object name within a schema.
The 'add_name' and 'remove_name' controls to add/remove an object
to/from a schema.
See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html

In the past discussion, a rubix folks concerned about no object
class definition for schema and catalog which is an upper level
namespace. Since I'm not certain whether we have a disadvantage
when 'db_schema' class is applied on catalog class, I don't add
this definition yet.

Default security context of 'db_table' and 'db_procedure' classes
get being computed using type_transition with 'db_schema' class,
instead of 'db_database' class. It reflects logical hierarchy of
database object more correctly.

* db_view
----------
A view object performs as a virtual table. We can run SELECT
statement on views, although it has no physical entities.
The definition of views are expanded in run-time, so it allows
us to describe complex queries with keeping readability.
This object class uniquely provides 'expand' permission that
controls whether user can expand this view, or not.
The default security context shall be computed by type transition
rule with a schema object that owning the view.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createview.html

* db_sequence
--------------
A sequence object is a sequential number generator.
This object class uniquely provides 'get_value', 'next_value' and
'set_value' permissions. The 'get_value' controls to reference the
sequence object. The 'next_value' controls to fetch and increment
the value of sequence object. The 'set_value' controls to set
an arbitrary value.
The default security context shall be computed by type transition
rule with a schema object that owning the sequence.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html

* db_language
--------------
A language object is an installed engine to execute procedures.
PostgreSQL supports to define SQL procedures using regular script
languages; such as Perl, Tcl, not only SQL or binary modules.
In addition, v9.0 or later supports DO statement. It allows us to
execute a script statement on server side without defining a SQL
procedure. It requires to control whether user can execute DO
statement on this language, or not.
This object class uniquely provides 'implement' and 'execute'
permissions. The 'implement' controls whether a procedure can
be implemented with this language, or not. So, it takes security
context of the procedure as subject. The 'execute' controls to
execute code block using DO statement.
The default security context shall be computed by type transition
rule with a database object, because it is not owned by a certain
schema.

In the default policy, we provide two types: 'sepgsql_lang_t' and
'sepgsql_safe_lang_t' that allows unpriv users to execute DO
statement. The default is 'sepgsql_leng_t'.
We assume newly installed language may be harm, so DBA has to relabel
it explicitly, if he want user defined procedures using the language.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html
  http://developer.postgresql.org/pgdocs/postgres/sql-do.html

P.S)
I found a bug in MCS. It didn't constraint 'relabelfrom' permission
of 'db_procedure' class. IIRC, I fixed it before, but it might be
only MLS side. Sorry.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

 policy/flask/access_vectors           |   29 ++++++++
 policy/flask/security_classes         |    6 ++
 policy/mcs                            |   16 ++++-
 policy/mls                            |   58 ++++++++++++++-
 policy/modules/kernel/kernel.if       |    8 ++
 policy/modules/services/postgresql.if |  125 +++++++++++++++++++++++++++++++--
 policy/modules/services/postgresql.te |  116 +++++++++++++++++++++++++++++-
 7 files changed, 342 insertions(+), 16 deletions(-)
2011-01-14 10:02:50 -05:00
Chris PeBenito deb527262a Add module_request permission, from Dan Walsh. 2009-11-19 08:52:06 -05:00
Eamon Walsh e4928c5f79 Add separate x_pointer and x_keyboard classes inheriting from x_device.
This is needed to allow more fine-grained control over X devices without
using different types.  Using different types is problematic because
devices act as subjects in the X Flask implementation, and subjects
cannot be labeled through a type transition (since the output role is
hardcoded to object_r).

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-14 08:44:44 -04:00
Chris PeBenito bd75703c7d reorganize tun patch changes. 2009-08-31 08:49:57 -04:00
Paul Moore 333494fd59 refpol: Add the "tun_socket" object class flask definitions
Add the new "tun_socket" class to the flask definitions.  The "tun_socket"
object class is used by the new TUN driver hooks which allow policy to control
access to TUN/TAP devices.

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:00 -04:00
Chris PeBenito 4254cec711 Add missing x_device rules for XI2 functions, from Eamon Walsh.
> Whats the difference between add/remove and create/destroy?
>
> The devices are in a kind of hierarchy.  You can now create one or more
> "master devices" (mouse cursor and keyboard focus).  The physical input
> devices are "slave devices" that attach to master devices.
>
> Add/remove controls the ability to add/remove slave devices from a
> master device.  Create/destroy controls the ability to create new master
> devices.
2009-08-14 13:18:16 -04:00
Chris PeBenito 95ea7d6986 trunk: Add x_device permissions for XI2 functions, from Eamon Walsh. 2009-06-18 13:07:23 +00:00
Chris PeBenito 350ed89156 se-postgresql update from kaigai
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
    db_database:{getattr}
    db_table:{getattr lock}
    db_column:{getattr}
    db_procedure:{drop getattr setattr}
    db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
  impossible to refer read-only table with foreign-key constraint.
  (FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
  on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
  It should allow them on sepgsql_trusted_proc_exec_t.
  I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
  such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
  sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
  procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
  but it is required whrn the largeobject is refered.
- bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
Chris PeBenito d3cdc3d07c trunk: add open perm to sock_file. 2009-03-11 14:58:03 +00:00
Chris PeBenito b4ad699e57 trunk: add nlmsg_tty_audit permission. 2009-03-05 14:11:24 +00:00
Chris PeBenito 466e22a8ba trunk: Add db_procedure install permission from KaiGai Kohei. 2009-01-23 19:49:36 +00:00
Chris PeBenito 347a701119 trunk: Add kernel_service access vectors, from Stephen Smalley. 2009-01-05 21:44:33 +00:00
Chris PeBenito d923d54c08 trunk: X application data class from Eamon Walsh and Ted Toth. 2008-05-06 14:37:05 +00:00
Chris PeBenito 2c12b471ad trunk: add core xselinux support. 2008-04-01 20:23:23 +00:00
Chris PeBenito 210607be61 trunk: Definitions for open permisson on file and similar objects from Eric Paris. 2008-03-04 20:19:29 +00:00
Chris PeBenito f03433313a trunk: labeled networking permission update from paul moore. 2008-02-12 14:46:29 +00:00
Chris PeBenito 8b9ffed517 trunk: add capability2 class, from Stephen Smalley. 2008-02-07 17:51:59 +00:00
Chris PeBenito d4623f3d24 trunk: add setfcap capabiltiy, from Serge Hallyn. 2008-01-11 14:08:02 +00:00
Chris PeBenito f3da31d339 trunk: Labeled networking peer object class updates. 2008-01-03 16:20:01 +00:00
Chris PeBenito e83edee5d2 trunk: fix do not userspace commons in kernel version of av_permissions.h. 2007-10-16 19:05:27 +00:00
Chris PeBenito 32c05ccbcd trunk: fix flask.py Flask class userspace dictionary usage. 2007-10-16 18:56:32 +00:00
Chris PeBenito 651df3ceb6 trunk: do not emit lines in the kernel version of av_inherit.h for commons that are only inherited by userspace object classes. 2007-10-16 18:30:23 +00:00