- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
semodule will try to create a directory under /etc/selinux if the policy
it is modifying doesn't exist (e.g. it is being build for the first time).
Signed-off-by: bauen1 <j2468h@gmail.com>
In many cases, this won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
When trying to remove files_read_non_auth_files(restorecond_t), the
following AVC denial occurs:
type=AVC msg=audit(1550921968.443:654): avc: denied { open } for
pid=281 comm="restorecond"
path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1"
ino=928006 scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:default_context_t tclass=file
permissive=1
type=AVC msg=audit(1550921968.443:654): avc: denied { read } for
pid=281 comm="restorecond" name="customizable_types" dev="vda1"
ino=928006 scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:default_context_t tclass=file
permissive=1
As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by
restorecond, allow this access.
restorecond uses libselinux's selinux_restorecon() to relabel files,
which dereferences symlinks in a useless call to statfs(). This produces
AVC denials which are noisy.
Fixes: https://github.com/SELinuxProject/refpolicy/pull/22
When restorecond calls selinux_restorecon(), libselinux scans
/proc/mounts in a function named exclude_non_seclabel_mounts with the
following comment
(https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230):
/*
* This is called once when selinux_restorecon() is first called.
* Searches /proc/mounts for all file systems that do not support extended
* attributes and adds them to the exclude directory table. File systems
* that support security labels have the seclabel option, return
* approximate total file count.
*/
The "approximate total file count" is computed using statvfs(), which
results in a system call to statfs().
The cgroup filesystem supports security label (/proc/mounts shows
"seclabel") so restorecond uses statfs to try counting the number of its
inodes. This result in the following denial:
type=AVC msg=audit(1546727200.623:67): avc: denied { getattr } for
pid=314 comm="restorecond" name="/" dev="cgroup" ino=1
scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137
success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55
a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond"
subj=system_u:system_r:restorecond_t key=(null)
type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond"
Allow this, like commit 5125b8eb2d ("last misc stuff") did for
setfiles_t.
Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access. Replace with a full set of permission
set macros for mmap.
Requested for selinux-testsuite usage.
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying). The kernel commit is anticipated to
be included in Linux 4.13.
This refpolicy change defines map permission for refpolicy. It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets. This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.
This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.
It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.
Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Since app-admin/setools-4.1.0, some python internals try to create and
execute a file in /tmp during semanage initalization, causing semanage
to crash. Here's the backtrace (with the path
"/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.4/semanage", line 28, in <module>
import seobject
File "py/seobject.py", line 34, in <module>
import sepolicy
File "py/sepolicy/__init__.py", line 8, in <module>
import setools
File "py/setools/__init__.py", line 77, in <module>
from .infoflow import InfoFlowAnalysis
File "py/setools/infoflow.py", line 22, in <module>
import networkx as nx
File "py/networkx/__init__.py", line 93, in <module>
import networkx.linalg
File "py/networkx/linalg/__init__.py", line 9, in <module>
from networkx.linalg.algebraicconnectivity import *
File "py/networkx/linalg/algebraicconnectivity.py", line 18, in <module>
from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
File "py/numpy/__init__.py", line 180, in <module>
from . import add_newdocs
File "py/numpy/add_newdocs.py", line 13, in <module>
from numpy.lib import add_newdoc
File "py/numpy/lib/__init__.py", line 8, in <module>
from .type_check import *
File "py/numpy/lib/type_check.py", line 11, in <module>
import numpy.core.numeric as _nx
File "py/numpy/core/__init__.py", line 22, in <module>
from . import _internal # for freeze programs
File "py/numpy/core/_internal.py", line 14, in <module>
import ctypes
File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in <module>
_reset_cache()
File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
CFUNCTYPE(c_int)(lambda: None)
MemoryError
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.
Allow mount_t to do more with it's runtime files and stat more filesystem
types.
Allow xauth to send sigchld to xdm.
Allow semanage to search policy_src_t dirs and read /dev/urandom.
Chris PeBenito
Christian Göttsche
Chris PeBenito
bauen1
Daniel Burgener
Petr Lautrbach
Nicolas Iooss
Russell Coker
Laurent Bigonville
Luis Ressel
Stephen Smalley