Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.
Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.
Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed. Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes. For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
If the (sadly nearly undocumented) Linux kernel feature which allows
specific user groups to send ICMP echos without CAP_NET_RAW
(configurable with the sysctl net.ipv4.ping_group_range, available since
3.0) is used, ping needs the getattr permission of the rawip_socket
class in order to work.
When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.
Hence the dontaudit call.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The grub2-install application runs a few grub2-* commands. Two of those,
grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.
Mark those two applications as bootloader_exec_t (as is the case with the "grub"
legacy command in the past) allows the commands to continue.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The chsh application (which runs in the chfn_t domain) requires read access on
the file context definitions. If not, the following error occurs:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd
The following AVC denials are shown:
Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0"
ino=23724520 scontext=staff_u:sysadm_r:chfn_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
In permissive mode, this goes up to:
Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
avc: denied { open } for pid=18195 comm="chsh"
path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
tclass=file
Hence, adding in seutil_read_file_contexts().
A second error is that chsh, if available, wants to execute nscd:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
Similar to most other user admin utilities, we grant it the rights to run nscd.
Changes since v1
- Removed seutil_dontaudit_search_config() call
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
When invoking tcpdump, the application creates a netlink_socket and then chroots
into /var/lib/tcpdump.
Without the right to create a netlink_socket:
tcpdump: Can't open netlink socket 13:Permission denied
Without the right on dac_read_search and sys_chroot:
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied
See also https://bugs.gentoo.org/show_bug.cgi?id=443624
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Now that we have file_contexts.subs_dist, translations that were put in the file context definition files can now be
cleaned up.
Differences from v1:
- removes a few duplicate entries in the libraries.fc file, and
- removes the contrib references
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
By default, any role attribute should be able to type their "own" types
that share the same prefix and used in the run interface. For example,
role newrole_roles types newrole_t;
so that the calling domain of the seutil_run_newrole() interface could
properly tansition into newrole_t. Without above role rule, the caller's
role won't be associated with newrole_t.
Other role attributes such as useradd_roles, groupadd_roles, chfn_roles
and run_init_roles should be fixed in the same way.
Many users use portage from within cron (for instance to update the
portage tree or even automatically update their system). As such, we
allow to run portage from the (system) cronjob domains.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
We allow portage to call gpg. However, this requires that the location
where the trustdb is stored is marked as a read/write type. The default
location used within Gentoo is /etc/portage/gpg, which would lead to
portage_conf_t. However, this type should remain a read-only type.
As such, we introduce a type called portage_gpg_t for this location and
grant portage_fetch_t the necessary rights on this type.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Enhance portage_fetch_t from an application type to a domain. Introduce
the proper portage_fetch_exec_t and add the necessary privileges to the
domain definition to allow portage_fetch_t to be used by Portage
management utilities like layman and emerge-webrsync.
We enhance portage_domtrans() to include portage_fetch_t support.
Providing a different interface (portage_fetch_domtrans) is possible
too, but since every application and role that needs to deal with
portage needs to deal with the fetching as well, and vice versa, we keep
this in portage_domtrans.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The gcc-config application uses some functions (from
/etc/init.d/functions.sh) which are simple wrappers on top of
/sbin/rc. Since this script is sourced and the functions executed
from within gcc_config_t, we allow gcc-config to execute /sbin/rc
without transitioning.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Portage supports the use of proxy systems (which usually run on port 8080)
for the fetching of software archives.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).
To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed for,
and grant the proper permissions on the compile domains (like
portage_sandbox_t) to manage the checkouts.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When users want to use NFS mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).
Introducing a boolean "portage_use_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During the installation of for instance java-config, Portage wants to set
its default file creation context to root:object_r:portage_tmp_t which isn't
allowed:
creating /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild
copying src/revdep-rebuild/60-java -> /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild/
running install_egg_info
Writing /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/usr/lib64/python3.1/site-packages/java_config-2.1.11-py3.1.egg-info
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
...
ERROR: dev-java/java-config-2.1.11-r3 failed:
Merging of intermediate installation image for Python ABI '2.6 into installation image failed
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During installation of system packages like python, ustr, ... the
portage_sandbox_t domain requires ptrace capabilities.
If not allowed, the following error is returned:
/sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64
ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied
/usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812]
/usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3]
/usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595]
/usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87]
/usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de]
/usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c]
make(+0x1159e)[0x337b918159e]
make(+0x11eec)[0x337b9181eec]
make(+0x12b34)[0x337b9182b34]
make(+0x1e759)[0x337b918e759]
/proc/5977/cmdline: make -j4 install
DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE=
libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1
DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1
This seems to be during a standard "make install" of the package but part of
Portage' sandbox usage (above error for ustr, but packages like python exhibit
the same problem.)
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The installation of the wireshark package (and perhaps others) requires
portage setting file capabilities (through the setcap binary).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The alsactl binary is often installed in /usr/sbin instead of /sbin (not a
necessity to start up the system). Used in distributions such as Gentoo,
Slackware and Arch.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Retry: forgot to include attribute mmap_low_domain_type attribute to domain_mmap_low() :
Inspired by similar implementation in Fedora.
Wine and vbetool do not always actually need the ability to mmap a low area of the address space.
In some cases this can be silently denied.
Therefore introduce an interface that facilitates "mmap low" conditionally, and the corresponding boolean.
Also implement booleans for wine and vbetool that enables the ability to not audit attempts by wine and vbetool to mmap a low area of the address space.
Rename domain_mmap_low interface to domain_mmap_low_uncond.
Change call to domain_mmap_low to domain_mmap_low_uncond for xserver_t. Also move this call to distro redhat ifndef block because Redhat does not need this ability.
Signed-off-by: Dominick Grift <domg472@gmail.com>
dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
Edits:
- Removed accountsd_manage_var_lib
- Removed optional block for xserver - these interfaces didn't exist
- It looks like sys_ptrace is needed because it reads /proc/pid/loginuid
- Whitespace and style fixes
Chris PeBenito
Chris PeBenito
Nicolas Iooss
Stephen Smalley
Sven Vermeulen
Laurent Bigonville
Luis Ressel
Chris PeBenito
Dominick Grift
Harry Ciao
Matthew Ife
Dominick Grift
Jeremy Solt