When using setfiles to validate file contexts of Debian modular policy
(with DISTRO=debian and MONOLITHIC=n), it fails with:
tmp/all_mods.fc: line 527 is missing fields
tmp/all_mods.fc: line 527 is missing fields
tmp/all_mods.fc: Invalid argument
Here is the content of tmp/all_mods.fc around line 527:
# this is a static /dev dir "backup mount"
# if you want to disable udev, youll have to boot permissive and relabel!
/dev/\.static -d system_u:object_r:device_t
/dev/\.static/dev -d system_u:object_r:device_t
/dev/\.static/dev/(.*)? <<none>>
'
The quote of "you'll" has been eaten by m4 and there is a spurious quote
on the last line, which is reported by setfiles. Fix this by removing
the quote in the comment.
Here is an example of a failed build on Travis-CI:
https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/205951446
* reorder file contexts
* rename getty_var_run_t into getty_runtime_t and getty_etc_t into getty_conf_t
* remove unneeded and confusing init permissions
* delete access on generic pids
* remove invalid etc filetrans: getty has no create permissions for its config files
* restrict logfile access
These are needed by several patches I'm about to send.
Description: some new interfaces for init/systemd
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-24
This patch defines rw_inherited_file_perms. It's needed by a few patches
I'm going to send soon so I need to get it in before they go in.
Also it's generally a good thing to have. We should reconsider some of the
other policy for whether it should use this.
When with systemd a program does not ship a systemd unit file but only a init script, systemd creates a pseudo service on the fly.
To be able to act on this service, add the target attribute init_script_file_type to the init_ACTION_all_units interfaces.
Useful for monit.
* no negative permission matching for newrole_t:process
* do not label /usr/lib/selinux as policy_src_t, otherwise semodule can not run /usr/lib/selinux/hll/pp
* reorder label for /run/restorecond.pid
* fix systemd related denials
userdomains should not alter labels of kernel pseudo filesystems, but allowing setfiles/restorecon(d) to check the contexts helps spotting incorrect labels
When you merged the mon patch you removed the ability for mon_t to execute
lib_t files.
The following patch re-enables the ability to execute alert scripts.
The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.
I've had this in Debian for a while and some Debian policy relies on it.
I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.
We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited. The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs stdout/stderr to unix domain sockets.
Execute HP Linux Imaging and Printing (HPLIP) applications launched
by udev in their own domain.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family. Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Since 8e01472078763ebc1eaea089a1adab75dd982ccd, it's possible to use
genfscon for sysfs.
This patch should help to deprecate distribution specific call to
restorecon or tmpfiles to restore /sys/devices/system/cpu/online during
boot.
Thanks to Dominick for the tip.
Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.
Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.
This patch also updates the XKB libs file context with their
default location (which at the moment is not compliant with
FHS3 due to the fact that it allows by default to write the
output from xkbcomp), adds the ability to read udev pid files
and finally adds a few permissions so that xconsole can run
smoothly.
The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.
This patch includes various improvements and bug fixes as
kindly suggested in reviews made by Christopher PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interface to manage
them (instead of allowing to manage the whole user home
content files).
It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).
The second version of the patch correctly uses file type
transitions and uses more tight permissions.
The third version simply moves some interface calls.
The fourth version introduces the new template for
username-dependent file contexts.
The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).
This sixth version, adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.
The corresponding base policy patch is at version 4.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.
This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Interface fs_register_binary_executable_type allow registering
interpreters using a filesystem monted on /proc/sys/fs/binfmt_misc. In
order to access this filesystem, the process needs to search every
parent directory of the mountpoint.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The documentation page of this service describes well which access are
needed
(https://www.freedesktop.org/software/systemd/man/systemd-backlight@.service.html).
systemd-backlight:
- is a systemd service
- manages /var/lib/systemd/backlight/
- reads udev device properties to find ID_BACKLIGHT_CLAMP
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This patch enables the xscreensaver role so that the
xscreensaver module is used on those systems where the
corresponding application is installed.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Enable dbus messaging between the X Display Manager (XDM) and
the rtkit daemon.
Also, let the rtkit daemon set the priority of the X Display
Manager (XDM).
This patch (along with parts 3/5 and 4/5) might be needed when
running gdm.
I do apologize for the broken interface in the previous version
of this patch.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The udev daemon should be able to load kernel modules not only on
systems using systemd but also on systems using former versions of
the udev daemon.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Update the udev module so that the udev domain can manage tmpfs files
and directories.
Thanks to Christian Göttsche for pointing out that this only applies
to systems not using systemd (v2).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Remove file context aliases and update file context paths to use the /run filesystem path.
Add backward compatibility file context alias for /var/run using applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Lock files are still seated at /var/lock
Since the window managers are not limited by gnome-shell, the
userdomain module is modified by this patch in order to use
separate optional conditionals for the gnome and wm role templates.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.
This patch requires the following recently posted patch for the
games module:
[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).
Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.
Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.
The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.
This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).
This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.
THIS IS THE BASE POLICY PART.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>From the package description: "IP Tables State displays states being kept
by iptables in a top-like format". The netutils_t permission set fits it
snugly.
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability. Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains. Allowing access
by other domains to the new socket security classes is left to future
commits.
The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The kernel_read_unix_sysctls() and kernel_rw_unix_sysctls() currenly
don't allow listing the /proc/sys/net/unix directory, contrary to the
other sysctl interfaces.
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).
The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.
Since the second version it includes revisions from Dominick Grift.
Since the third version it should correctly manage files in home
directories and allow some other major functionality.
The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).
The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.
The sixth version of this patch removes obsolete executable
permission from the unconfined module.
The seventh, eighth and nineth versions brings no changes in the base
part of the patch.
All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This permission is currently granted in an ifdef(systemd) block, but
it's also required on non-systemd systems if signed kernel modules are
being used.
Remove unneeded permissions to read user content from the
xserver module (xserver and xdm domains).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
When reading or managing noxattr fs files or symbolic links, also
let the user list noxattr fs directories.
This patch should be applied after the following one:
http://oss.tresys.com/pipermail/refpolicy/2016-October/008539.html
"Let users read/manage symlinks on fs that do not support xattr"
posted on Sat, 29 Oct 2016 15:39:46 UTC.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Let unprivileged users list filesystems mounted on mount points such
as /mnt (cdrom, FAT, NTFS and so on).
This makes a great difference to the usability and effectiveness of
graphical filesystem browsers such as Gnome Nautilus and currently
comes at no security penalty because mounted filesystems can be
listed with programs such as the "df" program from GNU coreutils or
by simply reading /proc/mounts.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
> On 07/31/16 08:34, Russell Coker wrote:
> > The following patch deals with a single binary for modutils, so depmod_t,
> > and insmod_t are merged.
>
> Since the main SELinux distros (including RHEL/CentOS 7) all have merged
> modutils these days, I'm open to taking a patch that fully merges these
> domains (in which case renaming to kmod_t, with proper aliasing seems
> the best idea).
>
> However, it's been some time since I used a busybox-based system; does
> busybox still have separated tools? Yes, this is a bit of an obvious
> question since busybox is also single-binary, but IIRC, the embedded
> guys made some tiny helper scripts or executables so proper
> transitioning could occur. Separate domains may still make sense.
As we have had no response from Busybox users in the last 3 months and also no
response to the thread Luis started in 2013 I think it's safe to assume that
they don't need this.
I've attached a new patch which renames to kmod_t as you suggested. Please
consider it for inclusion.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Description: Change modutils policy to match the use of a single binary
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-06-25
commit a7334eb0de98af11ec38b6263536fa01bc2a606c
libsemanage: validate and compile file contexts before installing
validates the fcontexts when they are still in /var/lib/selinux. Without
setfiles_t having access to read the files, validation fails and the
policy cannot be updated.
Introduce a new file context for user certificates (user_cert_t)
located in home directories.
Introduce new auxiliary interfaces to read and manage such files
files and directories.
Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.
Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Improve the existing user domain template policy:
- better support for the "user_rw_noexattrfile" boolean (enable
write operations on filesystems that do not support extended
attributes, such as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to
control the execution of files from filesystems that do not
support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
enables write operations on removable devices (such as
external removable USB memory, USB mobile phones, etc).
Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.
Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.
Disable raw access for MLS policies (thanks to Christoper
PeBenito for suggesting this).
This new version of the patch correctly includes the definitions
of the new booleans (by including the .te file differences).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Update the lvm module to add a permission needed by cryptsetup.
At the moment the SELinux kernel code is not able yet to distinguish
the sockets in the AF_ALG namespace that are used for interfacing to
the kernel Crypto API.
In the future the SELinux kernel code will be updated to distinguish
the new socket class and so this permission will change its class
from the generic "socket" to the new socket (e.g. "alg_socket").
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).
The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.
To preserve the module encapsulation, a new interface is defined
in the kernel files module and that interface is then used in the
kernel module.
A short note is added about unneeded permissions that set the
kernel scheduling parameters (might lead to service disruption).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
xdm (currently used by the userdomain module in
the common user template);
- added permission to chat over dbus with colord.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
cards need to load their firmware) and it should not audit attempts
to load kernel modules directly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
the dhcp client (another separate patch makes changes to the
ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
domains (e.g. gnome session).
Thanks to Jason Zaman for pointing out the correct interface to
achieve this.
This new version fixes a typographic error in the previous version.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).
The following patch updates the Reference Policy so that the new
permission can be used to create SELinux policies.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The following has been in my tree for a few years. It allows initrc_t to stat
devices early in the boot process.
>From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
(device_t) early on boot, soon later the node context is properly reset
(debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
/etc/sysconfig/libvirtd does not have the executable bit set, so it does
not make sense for it to be labelled bin_t. I can't seem to find the
reason it was set that way originally.
Signed-off-by: Garrett Holmstrom <gholms@devzero.com>
The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.
Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata
V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces
Signed-off-by: Dominick Grift <dac.override@gmail.com>
Chris PeBenito
cgzones
Jason Zaman
Nicolas Iooss
Russell Coker
Guido Trentalancia
Stephen Smalley
Laurent Bigonville
Guido Trentalancia via refpolicy
Luis Ressel
Naftuli Tzvi Kay
Lukas Vrabec
Garrett Holmstrom
Chris PeBenito
Dominick Grift