Commit Graph

5144 Commits

Author SHA1 Message Date
Chris PeBenito 69a403cd97 Rename *_var_run_t types to *_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito 4f1346357a portage, selinuxutil: Module version bump. 2019-09-18 19:40:17 -04:00
Chris PeBenito 454fb463cf Merge pull request #87 from fishilico/portage-consoletype-optional 2019-09-18 19:39:53 -04:00
Chris PeBenito 41a1a0134c Merge pull request #107 from bachradsusi/newrole-setcap 2019-09-18 19:39:46 -04:00
Petr Lautrbach e0813db519 newrole: allow newrole to use setcap to drop capabilities
Commit 61b72e0796 ("selinuxutil: adjustments") removed negative permission
matching for newrole_t:process. One of the removed permission was setcap which
is needed by newrole as it tries to drop capabilities:

    $ newrole -r sysadm_r
    Sorry, newrole failed to drop capabilities
    : Permission denied

    type=PROCTITLE msg=audit(09/06/2019 15:07:01.908:10821) : proctitle=newrole -r sysadm_r

    type=SYSCALL msg=audit(09/06/2019 15:07:01.908:10821) : arch=x86_64
    syscall=capset success=no exit=EACCES(Permission denied) a0=0x7fbe17d4cb6c
    a1=0x7fbe17d4cb74 a2=0x7fbe17d4d5d0 a3=0x0 items=0 ppid=4981 pid=7255
    auid=admin uid=admin gid=admin euid=admin
    suid=admin fsuid=admin egid=admin sgid=admin fsgid=admin tty=tty1 ses=6
    comm=newrole exe=/usr/bin/newrole subj=staff_u:staff_r:newrole_t:s0
    key=(null)

    type=AVC msg=audit(09/06/2019 15:07:01.908:10821) : avc:  denied  { setcap }
    for  pid=7255 comm=newrole scontext=staff_u:staff_r:newrole_t:s0
    tcontext=staff_u:staff_r:newrole_t:s0 tclass=process permissive=0

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-09-18 15:34:29 +02:00
Chris PeBenito ab4ec89d70 sudo, systemd, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-14 16:28:14 -04:00
Chris PeBenito 4de8b76b2f Merge pull request #102 from fishilico/systemd-networkd-hostnamed 2019-09-14 16:22:43 -04:00
Chris PeBenito 9021670648 Merge pull request #103 from fishilico/systemd-networkd-generic-netlink 2019-09-14 16:22:42 -04:00
Chris PeBenito df6870c51b Merge pull request #104 from fishilico/sudo-sigwinch 2019-09-14 16:22:40 -04:00
Chris PeBenito faaa9b3d0b Merge pull request #105 from fishilico/systemd-wsl 2019-09-14 16:22:38 -04:00
Nicolas Iooss a6d13cd456
systemd: allow detecting Windows Subsystem for Linux
Since systemd 242 (commit
6c8a2c6793),
systemd and its services read /proc/sys/kernel/osrelease in order to
detect whether they are running in Microsoft's WSL (Windows Subsystem
for Linux).

This leads to logs such as:

    type=AVC msg=audit(1568445663.990:10): avc:  denied  { read } for
    pid=401 comm="systemd-modules" name="osrelease" dev="proc" ino=13319
    scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1

    type=AVC msg=audit(1568445663.990:10): avc:  denied  { open } for
    pid=401 comm="systemd-modules" path="/proc/sys/kernel/osrelease"
    dev="proc" ino=13319
    scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1

    type=AVC msg=audit(1568445663.990:11): avc:  denied  { getattr } for
    pid=401 comm="systemd-modules" path="/proc/sys/kernel/osrelease"
    dev="proc" ino=13319
    scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1

Add kernel_read_kernel_sysctls() to services that read
/proc/sys/kernel/osrelease. These services have been identified by
running "grep osrelease < /var/log/audit/audit.log | audit2allow" on an
Arch Linux test system.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 14:36:13 +02:00
Nicolas Iooss 1097ce0e24
sudo: allow using CAP_KILL for SIGWINCH
With the following process tree:

    LABEL                           UID    PID  PPID  TTY   CMD
    sysadm_u:sysadm_r:sysadm_t      root  18146 12404 pts/0 /usr/bin/zsh
    sysadm_u:sysadm_r:sysadm_sudo_t root  18441 18146 pts/0 sudo -su user
    sysadm_u:sysadm_r:sysadm_sudo_t root  18443 18441 pts/1 sudo -su user
    sysadm_u:sysadm_r:sysadm_t      user  18444 18443 pts/1 /usr/bin/zsh

When the terminal window of the first process is resized, SIGWINCH is
forwarded by process 18443, which requests capability CAP_KILL:

    type=AVC msg=audit(1567881640.754:13839): avc:  denied  { kill } for
    pid=18443 comm="sudo" capability=5
    scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=sysadm_u:sysadm_r:sysadm_sudo_t tclass=capability
    permissive=0

    type=SYSCALL msg=audit(1567881640.754:13839): arch=c000003e
    syscall=62 success=no exit=-1 a0=ffffb7f4 a1=1c a2=ffffffff a3=100
    items=0 ppid=18441 pid=18443 auid=1000 uid=0 gid=1000 euid=0 suid=0
    fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=690 comm="sudo"
    exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)

    type=PROCTITLE msg=audit(1567881640.754:13839):
    proctitle=7375646F002D73750075736572

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 14:00:58 +02:00
Nicolas Iooss 42b966d2df
sudo: allow transmitting SIGWINCH to its child
When resizing the X11 window of a terminal running sudo on a remote
Debian 10 system (through ssh), sudo forwards SIGWINCH to its children
(this behavior might be caused by using "Defaults use_pty" in
/etc/sudoers). This leads to the following audit logs:

    type=AVC msg=audit(1567880108.988:13823): avc:  denied  { signal }
    for pid=15670 comm="sudo" scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=sysadm_u:sysadm_r:sysadm_t tclass=process permissive=0

    type=SYSCALL msg=audit(1567880108.988:13823): arch=c000003e
    syscall=62 success=no exit=-13 a0=ffffc2c9 a1=1c a2=ffffffff a3=100
    items=0 ppid=15607 pid=15670 auid=1000 uid=0 gid=0 euid=0 suid=0
    fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=721 comm="sudo"
    exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)

    type=PROCTITLE msg=audit(1567880108.988:13823):
    proctitle=2F7573722F62696E2F7375646F002D73

The process tree (ps -ef, edited) on this remote system was:

    LABEL                           UID    PID  PPID  TTY   CMD
    system_u:system_r:sshd_t        user  15519 15480 ?     sshd: user@pts/5
    sysadm_u:sysadm_r:sysadm_t      user  15524 15519 pts/5 -zsh
    sysadm_u:sysadm_r:sysadm_sudo_t root  15607 15524 pts/5 /usr/bin/sudo -s
    sysadm_u:sysadm_r:sysadm_sudo_t root  15670 15607 pts/6 /usr/bin/sudo -s
    sysadm_u:sysadm_r:sysadm_t      root  15671 15670 pts/6 /usr/bin/zsh

The denied syscall was:

* syscall=62: int kill(pid_t pid, int sig)
* a0=ffffc2c9: pid = -15671 (process group of sudo's child)
* a1=1c: sig = 28 = SIGWINCH

Allow such a signal to be transmitted.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 13:58:39 +02:00
Nicolas Iooss 19542fd26a
systemd-networkd: allow communicating with hostnamed
When systemd-netwokd receives DHCP option 12 (hostname), it changes the
hostname by calling method SetHostname from interface
org.freedesktop.hostname1 provided by systemd-hostnamed:
https://github.com/systemd/systemd/blob/v243/src/network/networkd-manager.c#L1946

This access is currently denied and reported:

    type=USER_AVC msg=audit(1568403789.952:36): pid=288 uid=105
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.hostname1 member=SetHostname
    dest=org.freedesktop.hostname1 spid=233 tpid=317
    scontext=system_u:system_r:systemd_networkd_t
    tcontext=system_u:system_r:systemd_hostnamed_t tclass=dbus
    permissive=1  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=?
    terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 13:55:57 +02:00
Nicolas Iooss ba45fc06c8
systemd-networkd: allow creating a generic netlink socket
Since systemd 237 (commit
05d0c2e3cf),
systemd-networkd requires a generic netlink socket in order to start.
Otherwise, it fails to start and systemd's journal contains:

    audit[19262]: AVC avc:  denied  { create } for  pid=19262
    comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t
    tcontext=system_u:system_r:systemd_networkd_t
    tclass=netlink_generic_socket permissive=0

    audit[19262]: SYSCALL arch=c000003e syscall=41 success=no exit=-13
    a0=10 a1=80803 a2=10 a3=20 items=0 ppid=1 pid=19262 auid=4294967295
    uid=102 gid=103 euid=102 suid=102 fsuid=102 egid=103 sgid=103
    fsgid=103 tty=(none) ses=4294967295 comm="systemd-network"
    exe="/usr/lib/systemd/systemd-networkd"
    subj=system_u:system_r:systemd_networkd_t key=(null)

    audit: PROCTITLE proctitle="/lib/systemd/systemd-networkd"

    systemd-networkd[19262]: Could not create manager: Permission denied

For information, "syscall=41 a0=10 a1=80803 a2=10" means:

    socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_GENERIC);

... which matches the call to sd_genl_socket_open(&m->genl); in
https://github.com/systemd/systemd/blob/v243/src/network/networkd-manager.c#L1143

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 13:53:17 +02:00
Chris PeBenito a5dab43a85 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-11 06:52:32 -04:00
Chris PeBenito c6396d5a79 Merge pull request #88 from fishilico/usr-bin-fc 2019-09-11 06:26:24 -04:00
Chris PeBenito cfdf3b7981 Merge pull request #98 from fishilico/ulogd-dynamic-user 2019-09-11 06:22:44 -04:00
Chris PeBenito f500ff48d2 Merge pull request #99 from fishilico/bitlbee-dynamic-user 2019-09-11 06:22:09 -04:00
Chris PeBenito 7ae433aedc Merge pull request #100 from fishilico/chromium-ifdef 2019-09-11 06:21:23 -04:00
Chris PeBenito f7197a1b42 Merge pull request #101 from bigon/udevadm 2019-09-11 06:20:44 -04:00
Laurent Bigonville 44957d318c Allow udevadm_t to use dac_read_search capability
udevadm trigger tries to read files under /sys/module/ that might not be
readable by root, for example:

--w------- 1 root root 4096 sep  5 17:06 /sys/module/snd_hda_codec_generic/uevent

We choose to allow it here because, according to Grift,
"the cap_dac_read_search could maybe be dontaudited, but then
cap_dac_override would have to be dontaudited as well.
cap_dac_read_search would also be triggered when you run `sudo udevadm
...` where pwd or/and oldpwd is ~"

type=PROCTITLE msg=audit(29/08/19 15:37:14.505:417) : proctitle=/bin/udevadm trigger --type=subsystems --action=add
type=PATH msg=audit(29/08/19 15:37:14.505:417) : item=0 name=/sys/module/snd_hda_codec_generic/uevent inode=17769 dev=00:13 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(29/08/19 15:37:14.505:417) : cwd=/
type=SYSCALL msg=audit(29/08/19 15:37:14.505:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission non accordée) a0=0xffffff9c a1=0x7fff23710260 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_override } for  pid=481 comm=udevadm capability=dac_override  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_read_search } for  pid=481 comm=udevadm capability=dac_read_search  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-09-09 08:27:50 +02:00
Laurent Bigonville 8f4f9a924a Allow udevadm to read files in /run/udev/data
With this commit, my basic debian buster installation is booting

type=PROCTITLE msg=audit(09/09/19 08:23:24.011:69) : proctitle=/bin/udevadm trigger --type=devices --action=add
type=PATH msg=audit(09/09/19 08:23:24.011:69) : item=0 name=/run/udev/data/+platform:QEMU0002:00 inode=12584 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:udev_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(09/09/19 08:23:24.011:69) : cwd=/
type=SYSCALL msg=audit(09/09/19 08:23:24.011:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7fff993f0cb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=486 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { open } for  pid=486 comm=udevadm path=/run/udev/data/+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { read } for  pid=486 comm=udevadm name=+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-09-09 08:25:16 +02:00
Nicolas Iooss 0e045ef5fe
chromium: remove distro-specific ifdef
Arch Linux installs Chromium in /usr/lib/chromium/ like Debian. Instead
of adding a new ifdef(`distro_arch') block, remove the restriction in
chromium.fc.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:12:04 +02:00
Nicolas Iooss 10cd3fb258
bitlbee: allow using GetDynamicUser on Debian
On Debian 10, starting bitlbee daemon leads to:

    type=AVC msg=audit(1567941717.044:14204): avc:  denied  { search }
    for  pid=5704 comm="bitlbee" name="dbus" dev="tmpfs" ino=13798
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
    permissive=0

    type=AVC msg=audit(1567941717.044:14205): avc:  denied  { read } for
    pid=5704 comm="bitlbee" name="direct:64707" dev="tmpfs" ino=16529
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

    type=AVC msg=audit(1567941756.020:14208): avc:  denied  { search }
    for  pid=6363 comm="bitlbee" name="dbus" dev="tmpfs" ino=13798
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
    permissive=0

    type=AVC msg=audit(1567941756.020:14209): avc:  denied  { read } for
    pid=6363 comm="bitlbee" name="direct:64707" dev="tmpfs" ino=16529
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

    type=USER_AVC msg=audit(1567941770.492:14215): pid=432 uid=106
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
    dest=org.freedesktop.systemd1 spid=6694 tpid=1
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'

All these denials are related to getting dynamic users through a D-Bus
call to GetDynamicUsers() of interface org.freedesktop.systemd1.Manager.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:07:15 +02:00
Nicolas Iooss f5a4ce1d35
ulogd: adjust policy for Debian
On a Debian 10 system, I saw denials for ulogd service:

* It uses a pipe with itself:

    type=AVC msg=audit(1567874422.328:13744): avc:  denied  { write }
    for pid=11416 comm="ulogd" path="pipe:[29006]" dev="pipefs"
    ino=29006 scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=fifo_file permissive=0

* It enumerates users in /run/systemd/dynamic-uid/ when changing to the
  ulog user (which is not dynamic):

    type=AVC msg=audit(1567874512.576:13748): avc:  denied  { read } for
    pid=18290 comm="ulogd" name="dynamic-uid" dev="tmpfs" ino=16527
    scontext=system_u:system_r:ulogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=0

* It connects to the system D-Bus socket in order to call GetDynamicUser:

    type=AVC msg=audit(1567875114.147:13761): avc:  denied  { write }
    for  pid=28135 comm="ulogd" name="system_bus_socket" dev="tmpfs"
    ino=13799 scontext=system_u:system_r:ulogd_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=sock_file
    permissive=1

    type=AVC msg=audit(1567875114.147:13761): avc:  denied  { connectto
    } for  pid=28135 comm="ulogd" path="/run/dbus/system_bus_socket"
    scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket
    permissive=1

    type=USER_AVC msg=audit(1567875276.683:13776): pid=432 uid=106
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_db
    usd_t msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
    dest=org.freedesktop.systemd1 spid=30953 tpid=1
    scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:init_t
    tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=106
    hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:06:34 +02:00
Chris PeBenito 031f53120c sudo: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-07 17:21:46 -04:00
Chris PeBenito a8d879847e Merge pull request #97 from fishilico/sudo-use_pty 2019-09-07 17:15:58 -04:00
Chris PeBenito 208296a0c2 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-07 16:58:51 -04:00
Chris PeBenito bbd7f748a6 Merge pull request #82 from fishilico/typo-cups-fc 2019-09-07 16:47:34 -04:00
Chris PeBenito 682b015be9 Merge pull request #89 from fishilico/apt-dpkg-nnp 2019-09-07 16:43:05 -04:00
Chris PeBenito 1167995694 Merge pull request #90 from fishilico/apt-dbus-systemd-logind 2019-09-07 16:42:21 -04:00
Chris PeBenito 1975b0de50 Merge pull request #91 from fishilico/utempter-debian 2019-09-07 16:41:49 -04:00
Chris PeBenito 83a8032d8e Merge pull request #92 from fishilico/irc-weechat 2019-09-07 16:40:52 -04:00
Chris PeBenito b340b15b8b Merge pull request #93 from fishilico/systemd-read-netlink_kobject_uevent_socket 2019-09-07 16:40:27 -04:00
Chris PeBenito 1dea588464 Merge pull request #94 from fishilico/wireguard 2019-09-07 16:39:48 -04:00
Chris PeBenito 433519a8ca Merge pull request #95 from fishilico/modutils-debian 2019-09-07 16:37:45 -04:00
Chris PeBenito fad0c3f126 Merge pull request #96 from fishilico/systemd-modules-load-sysfs 2019-09-07 16:34:34 -04:00
Dominick Grift 210b64f10a Remove shell automatic domain transitions to unconfined_t from various pam login programs
I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users)

Some aspect to note:

1. The ssh_sysadm_login boolean now applies to unconfined_t as well
2. remotelogin only allows unpriv logins

The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2019-09-07 16:26:49 -04:00
Nicolas Iooss c06b3d6dd0
sudo: allow using use_pty flag
When /etc/sudoers contains "Defaults use_pty", sudo creates a new
pseudo-pty when running a command. This is currently denied from
a sysadm_u session:

    type=AVC msg=audit(1567807315.843:13300): avc:  denied  { read write
    } for  pid=5053 comm="sudo" name="ptmx" dev="devtmpfs" ino=1108
    scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=system_u:object_r:ptmx_t tclass=chr_file permissive=0

As it seems logical for the newly-created pty to be labeled
user_devpts_t, use userdom_create_user_pty() to allow this.

Then, a new denial appears:

    type=AVC msg=audit(1567808670.441:13341): avc:  denied  { setattr }
    for  pid=30256 comm="sudo" name="9" dev="devpts" ino=12
    scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=sysadm_u:object_r:user_devpts_t tclass=chr_file
    permissive=0

    type=SYSCALL msg=audit(1567808670.441:13341): arch=c000003e
    syscall=92 success=no exit=-13 a0=563c5aac5f80 a1=0 a2=5
    a3=fffffffffffff874 items=0 ppid=20934 pid=30256 auid=1000 uid=0
    gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000
    tty=pts4 ses=687 comm="sudo" exe="/usr/bin/sudo"
    subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)

On x86-64, syscall 92 is chown(). Allow this access with
userdom_setattr_user_ptys().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-07 00:37:52 +02:00
Nicolas Iooss 233e13cb44
systemd: allow systemd-modules-load.service to read sysfs
systemd-modules-load.service needs to read file
/sys/module/${MODULE}/initstate for each ${MODULE} defined in
/etc/modules-load.d/. These files are labeled sysfs_t.

This fixes:

    type=AVC msg=audit(1567804818.331:138713): avc:  denied  { read }
    for  pid=31153 comm="systemd-modules" name="initstate" dev="sysfs"
    ino=14778 scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysfs_t tclass=file permissive=0

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 23:28:40 +02:00
Nicolas Iooss b4377dfd67
modutils: allow depmod and modprobe to use the I/O provided by apt
On Debian, when installing a package which provides a kernel module with
DKMS, depmod and modprobe are invoked using a dedicated pseudo-tty:

    type=AVC msg=audit(1567803320.004:138586): avc:  denied  { read
    write } for  pid=19269 comm="depmod" path="/dev/pts/2" dev="devpts"
    ino=5 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=sysadm_u:object_r:apt_devpts_t tclass=chr_file
    permissive=1

    type=AVC msg=audit(1567803320.664:138589): avc:  denied  { use } for
    pid=19276 comm="modprobe" path="/dev/pts/2" dev="devpts" ino=5
    scontext=sysadm_u:sysadm_r:kmod_t tcontext=sysadm_u:sysadm_r:apt_t
    tclass=fd permissive=1

    type=AVC msg=audit(1567803320.664:138589): avc:  denied  { append }
    for  pid=19276 comm="modprobe" path="/dev/pts/2" dev="devpts" ino=5
    scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=sysadm_u:object_r:apt_devpts_t tclass=chr_file
    permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 23:08:24 +02:00
Nicolas Iooss b3119f1d17
modutils: allow depmod to read /boot/System.map
On a Debian system, when installing a package which provides a kernel
module with DKMS, the module is compiled and depmod is executed with a
command line that looks like:

    depmod -a 4.19.0-5-amd64 -F /boot/System.map-4.19.0-5-amd64

This obviously requires depmod to read System.map. Otherwise, the
following events are logged to audit.log:

    type=AVC msg=audit(1567802614.408:138551): avc:  denied  { search }
    for  pid=12090 comm="depmod" name="boot" dev="vda1" ino=262145
    scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:boot_t
    tclass=dir permissive=0

    type=AVC msg=audit(1567802670.132:138555): avc:  denied  { read }
    for  pid=14210 comm="depmod" name="System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

    type=AVC msg=audit(1567802670.132:138555): avc:  denied  { open }
    for  pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

    type=AVC msg=audit(1567802670.136:138556): avc:  denied  { getattr }
    for  pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
    dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
    tcontext=system_u:object_r:system_map_t tclass=file permissive=1

and depmod fails, which makes apt fails with:

    wireguard.ko:
    Running module version sanity check.
     - Original module
       - No original module exists within this kernel
     - Installation
       - Installing to /lib/modules/4.19.0-5-amd64/updates/dkms/

    depmod...(bad exit status: 1)

    [...]

    Error! Problems with depmod detected.  Automatically uninstalling
    this module.
    DKMS: Install Failed (depmod problems).  Module rolled back to built
    state.
    dpkg: error processing package wireguard-dkms (--configure):
     installed wireguard-dkms package post-installation script
    subprocess returned error exit status 6

    [...]

    Errors were encountered while processing:
     wireguard-dkms
    E: Sub-process /usr/bin/dpkg returned an error code (1)

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 23:03:19 +02:00
Nicolas Iooss a7c9634eca
Add a policy module for WireGuard VPN
WireGuard is a fast, modern, secure VPN tunnel, according to
https://www.wireguard.com/. In order to install it, the mostly
documented way consists in building and installing an out-of-tree kernel
module and using userland tools to configure this module (wg and
wg-quick).

* WireGuard is like "ip": the userland tool communicates with the kernel
  module through a netlink socket.

* WireGuard is like "iptables": there is no daemon, but some
  distributions ship systemd units that restores a WireGuard
  configuration when started.

* WireGuard is like other services: its configuration files are in /etc,
  and it can use /run and /tmp.

Create a new policy module which handles all of this.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 22:20:40 +02:00
Nicolas Iooss bfcf3918d8
systemd: allow systemd --user to receive messages from netlink_kobject_uevent_socket
When bringing up a Wireguard interface with "wg-quick up wg0" from a
sysadm_u:sysadm_r:sysadm_t session, "systemd --user" spams the logs
with this event repeated between 100 and 200 times per second:

    type=AVC msg=audit(1567798007.591:138076): avc:  denied  { read }
    for  pid=711 comm="systemd"
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tclass=netlink_kobject_uevent_socket permissive=0

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 21:49:22 +02:00
Nicolas Iooss 665782f797
irc: add WeeChat policy
WeeChat is an extensible IRC client: https://weechat.org/

* Label WeeChat program and configuration file like other IRC clients
* Allow WeeChat to create a pipe in ~/.weechat/weechat_fifo
* Allow WeeChat to read /proc/sys/crypto/fips_enabled
* Allow WeeChat to use a Unix datagram socket with its forked children
* Allow other accesses

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 19:16:24 +02:00
Nicolas Iooss 4b02c2230d
authlogin: label utempter correctly on Debian
When starting tmux on Debian, the following audit log appears:

    type=AVC msg=audit(1567781766.314:820): avc:  denied  {
    execute_no_trans } for  pid=6686 comm=746D75783A20736572766572
    path="/usr/lib/x86_64-linux-gnu/utempter/utempter" dev="vda1"
    ino=545302 scontext=sysadm_u:sysadm_r:sysadm_screen_t
    tcontext=system_u:object_r:lib_t tclass=file permissive=0

/usr/lib/x86_64-linux-gnu/utempter/utempter is indeed labeled as
system_u:object_r:lib_t, which is wrong.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:43:23 +02:00
Nicolas Iooss de99bc36dd
apt: allow preventing shutdown by calling a systemd-logind D-Bus method
Since apt 1.8.1 (more precisely since commit
60cc44d160),
apt calls D-Bus method "Inhibit" of interface
"org.freedesktop.login1.Manager" in order to prevent a shutdown from
happening while installing software.

The call from apt to systemd-logind was already allowed through
unconfined_dbus_send(apt_t), but not the reply, which triggered the
following audit log:

    type=USER_AVC msg=audit(1567780304.196:651): pid=287 uid=105
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return
    dest=:1.137 spid=290 tpid=29557
    scontext=system_u:system_r:systemd_logind_t
    tcontext=sysadm_u:sysadm_r:apt_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:38:59 +02:00
Nicolas Iooss 4f5f923171
apt: allow transition from apt_t to dpkg_t with NNP
On a Debian 10 virtual machine, when running "apt-get update", the
following messages are logged to audit.log, several times:

    type=AVC msg=audit(1567717969.162:1639): avc:  denied  {
    nnp_transition } for  pid=5538 comm="apt-config"
    scontext=sysadm_u:sysadm_r:apt_t tcontext=sysadm_u:sysadm_r:dpkg_t
    tclass=process2 permissive=0

    type=SELINUX_ERR msg=audit(1567717969.162:1639):
    op=security_bounded_transition seresult=denied
    oldcontext=sysadm_u:sysadm_r:apt_t
    newcontext=sysadm_u:sysadm_r:dpkg_t

    type=SYSCALL msg=audit(1567717969.162:1639): arch=c000003e
    syscall=59 success=yes exit=0 a0=55ebb33d7780 a1=55ebb33ed610
    a2=7ffedd210980 a3=0 items=0 ppid=5537 pid=5538 auid=1000 uid=100
    gid=65534 euid=100 suid=100 fsuid=100 egid=65534 sgid=65534
    fsgid=65534 tty=(none) ses=45 comm="dpkg" exe="/usr/bin/dpkg"
    subj=sysadm_u:sysadm_r:apt_t key=(null)

    type=PROCTITLE msg=audit(1567717969.162:1639):
    proctitle=2F7573722F62696E2F64706B67002D2D7072696E742D666F726569676E2D61726368697465637475726573

According to strace, this occurs when sub-commands like "apt-config
shell MASTER_KEYRING APT::Key::MasterKeyring" execute
"/usr/bin/dpkg --print-foreign-architectures".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:36:25 +02:00
Nicolas Iooss e399c7f642
Label programs in /usr/bin like /usr/sbin
Some recent modifications added patterns in .fc files for programs in
/usr/sbin without adding the patterns for /usr/bin. On Arch Linux, where
/usr/sbin is a symlink to /usr/bin, such patterns are never matched.

Add the missing patterns.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-04 22:28:09 +02:00