Commit Graph

175 Commits

Author SHA1 Message Date
Sugar, David a9ae616800 resolve syslog imuxsock denial
I'm seeing the following error while starting rsyslog:
Nov 17 02:01:38 localhost rsyslogd: cannot create '/run/systemd/journal/syslog': Permission denied [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: imuxsock does not run because we could not aquire any socket  [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: activation of module imuxsock failed [v8.24.0-41.el7_7.2]

With the following denials:
type=AVC msg=audit(1573958708.773:1896): avc:  denied  { create } for  pid=2347 comm="rsyslogd" name="syslog" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1573958708.773:1897): avc:  denied  { setattr } for  pid=2347 comm="rsyslogd" name="syslog" dev="tmpfs" ino=19368 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-11-23 10:24:13 -05:00
Chris PeBenito 291f68a119 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:39:31 -04:00
Chris PeBenito d6c7154f1c Reorder declarations based on *_runtime_t renaming.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito 69a403cd97 Rename *_var_run_t types to *_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito 6b11dcef89 Various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-31 06:55:57 -04:00
Chris PeBenito 8c3893e427 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito e2e4094bd4 various: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David a49163250f Add kernel_dgram_send() into logging_send_syslog_msg()
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito 2623984b83 logging, selinuxutil: Module version bump. 2019-02-23 19:30:58 -08:00
Chris PeBenito 5986fdc4df logging, miscfiles, authlogin: Module version bump. 2019-02-20 19:38:55 -08:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 238bd4f91f logging, sysnetwork, systemd: Module version bump. 2019-01-16 18:19:22 -05:00
Chris PeBenito e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Nicolas Iooss c3b588bc65
init: rename *_pid_* interfaces to use "runtime"
The name of these interfaces is clearer that way.

This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
2019-01-12 17:11:00 +01:00
Chris PeBenito 143ed2cc1b init, logging: Module version bump. 2019-01-10 20:26:36 -05:00
Nicolas Iooss 6f5e31431e
Allow systemd-journald to read systemd unit symlinks
type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:user@1000.service"
    dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0
    type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for
    pid=240 comm="systemd-journal" name="invocation:dbus.service"
    dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

"ls -lZ" on these files gives:

    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:user@1000.service -> a12344e990e641d9a43065b2d1e115a7
    lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 32
        /run/systemd/units/invocation:dbus.service -> 70bd8da4e0c14bf8b7fcadcd71d22214
2019-01-10 23:51:08 +01:00
Chris PeBenito 85536c64e1 kernel, jabber, ntp, init, logging, systemd: Module version bump. 2019-01-09 19:36:41 -05:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Russell Coker e1babbc375 systemd related interfaces
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
2019-01-05 14:17:01 -05:00
Chris PeBenito e5ac999aab dbus, xserver, init, logging, modutils: Module version bump. 2018-12-11 17:59:31 -05:00
David Sugar 6167b9b6e5 Allow auditctl_t to read bin_t symlinks.
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod.  But policy didn't allow auditctl_t to follow
that link.

type=AVC msg=audit(1543853530.925:141): avc:  denied  { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc:  denied  { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc:  denied  { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc:  denied  { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito ac9363d662 init, logging, sysnetwork, systemd, udev: Module version bump. 2018-04-17 20:20:27 -04:00
Dave Sugar ceec13419f Fix problems booting with fips=1
Seeing the following problem when booting in enforcing with FIPS mode enabled.
Request for unknown module key 'CentOS Linux kernel signing key: c757a9fbbd0d82c9e54052029a0908d17cf1adc7' err -13
Then seeing the system halt

Fixing the following denials:
[    4.492635] type=1400 audit(1523666552.903:4): avc:  denied  { search } for  pid=894 comm="systemd-journal" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.496621] type=1400 audit(1523666552.907:5): avc:  denied  { read } for  pid=894 comm="systemd-journal" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.499741] type=1400 audit(1523666552.910:6): avc:  denied  { open } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.502969] type=1400 audit(1523666552.914:7): avc:  denied  { getattr } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

[    4.950021] type=1400 audit(1523666553.360:8): avc:  denied  { search } for  pid=952 comm="systemctl" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.986551] type=1400 audit(1523666553.397:9): avc:  denied  { read } for  pid=952 comm="systemctl" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    5.028737] type=1400 audit(1523666553.439:10): avc:  denied  { open } for  pid=952 comm="systemctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

type=1400 audit(1512501270.176:3): avc:  denied  { search } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
Chris PeBenito e75bcdead0 Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
James Carter 2268d42fee Removed unnecessary semicolons
Removed unecessary semicolons in ipsec.te, logging.te, and systemd.te

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
Chris PeBenito 03e2f1a809 Simple map patch from Russell Coker. 2018-02-15 17:10:34 -05:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito d2c047bfd4 authlogin, logging, udev: Module version bump. 2017-09-16 13:30:33 -04:00
Jason Zaman via refpolicy 18778fcb49 syslog: allow map persist file 2017-09-16 13:05:53 -04:00
Chris PeBenito 3548e3b3fe Module version bumps. 2017-09-12 20:16:35 -04:00
Luis Ressel 487de20913 logging: Various audit tools (auditctl, ausearch, etc) map their config and logs
Those mmap() calls are non-essential, though. They're issued by
fdopen(), which can also fall back to read().

Since there are few reasons to grant read access to audit logs other
than for using ausearch, I've added the dontaudits directly to the
relevant read interfaces.
2017-09-12 19:29:34 -04:00
Chris PeBenito 095ad7923a Several module version bumps. 2017-09-11 20:34:13 -04:00
David Sugar c974aa56b1 Label /etc/rsyslog.d as syslog_conf_t
This is a minor update of the last attempt at this patch.

Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf).  Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable).  Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t.

The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files.

Dave Sugar
dsugar@tresys.com

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-11 18:57:29 -04:00
Chris PeBenito 9f7cbe1427 Module version bump for patches from Nicolas Iooss. 2017-08-13 19:52:41 -04:00
Chris PeBenito 81aa9242aa logging: Move line. 2017-08-13 19:52:16 -04:00
Nicolas Iooss 52109514d5 audit: allow reading /etc/localtime
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:

    avc:  denied  { read } for  pid=191 comm="auditctl" name="UTC"
    dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1
    avc:  denied  { open } for  pid=191 comm="auditctl"
    path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
    scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1

This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":

    [pid   635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
    "/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
    ...
    [pid   635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
    such file or directory)
    [pid   635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
    [pid   635] lseek(4, -71, SEEK_CUR)     = 56
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
    [pid   635] close(4)                    = 0
    [pid   635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
    [pid   635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
    [pid   635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
    /etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
    NULL, 0) = 81
    [pid   635] exit_group(0)               = ?

More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time is in local timezone.

[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
2017-08-13 19:51:18 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 602b77236d Module version bump for mmap fixes from Stephen Smalley. 2017-05-24 19:58:32 -04:00
Stephen Smalley 7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito 477d984415 systemd init from Russell Coker
This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systems.  Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.

Allow init_t to do several things that it requires when init is systemd.

Allow various operations on var_log_t to access var_log_t symlinks too.

Let auditd setattr it's directory.
2017-04-16 19:08:40 -04:00
Chris PeBenito 160d08f3ae systemd-resolvd, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.

Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
2017-03-28 18:51:35 -04:00
Chris PeBenito 4dcbc032cf Module version bump from /var/run fixes from cgzones. 2017-03-25 13:05:13 -04:00
Chris PeBenito 5e20a0ee5b /var/run -> /run again
Here's the latest version of my patch to remove all /var/run when it's not
needed.  I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it.  So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.

From Russell Coker
2017-03-25 12:56:03 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
Chris PeBenito c3c767bae2 Module version bump for CI fixes. 2017-02-23 20:32:10 -05:00
Chris PeBenito 65e60689d4 Fix CI errors. 2017-02-23 20:16:40 -05:00
Chris PeBenito 2087bde934 Systemd fixes from Russell Coker. 2017-02-23 20:03:23 -05:00
Chris PeBenito cb35cd587f Little misc patches from Russell Coker. 2017-02-18 09:39:01 -05:00