When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
This partially reverts commit 65da822c1b
Connecting to setransd is still very much necessary for any domain that
uses SELinux labels in any way.
Signed-off-by: bauen1 <j2468h@gmail.com>
The content types are named httpd_user_rw_content_t and
httpd_user_ra_content_t not httpd_user_content_rw_t and
httpd_user_content_ra_t in apache_content_template()
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
semodule will try to create a directory under /etc/selinux if the policy
it is modifying doesn't exist (e.g. it is being build for the first time).
Signed-off-by: bauen1 <j2468h@gmail.com>
Same deal as with systemd-run this is potentially useful for non
privileged users and especially useful for admins.
Signed-off-by: bauen1 <j2468h@gmail.com>
* Drop permissions implied by domtrans_pattern
* Use fifo_file permission macro for fifo_file class
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The attribute systemdunit is defined in the file init.te, so interfaces
granting access on it should be defined in init.if
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The condition `use_alsa` is nowhere defined, and the contained interface
`alsa_domain` does not exist.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Commit 69a403cd97 renamed smbd_var_run_t to smbd_runtime_t,
but smbd_runtime_t does not exist.
Commit 61ecff5c31 removed the alias smbd_var_run_t to samba_runtime_t.
Use samba_runtime_t instead.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
This is better than the current status quo of running nginx under
initrc_t, a lot of other webservers are already under the apache policy
(e.g. lighttpd) and this requires no additional permissions.
See also the discussion from March 2013 on the selinux-refpolicy mailing
list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/
Signed-off-by: bauen1 <j2468h@gmail.com>
a require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.
Signed-off-by: Daniel Burgener <Daniel.Burgener@Microsoft.com>
I have been working to support IMA/EVM on a system. It
requires having keys added to the kernel keyring. Keys
added with keyctl and evmctl. I am creating keys in the
ima_key_t type. Once the keys are created, many domains
then need search permission on the type of the key. The
following changes are needed to get things to work.
Need to add keys to the kernel keyring (keyctl).
type=AVC msg=audit(1585420717.704:1868): avc: denied { write } for pid=8622 comm="keyctl" scontext=system_u:system_r:cleanup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
Allow all domains to search key
type=AVC msg=audit(1587936822.802:556): avc: denied { search } for pid=5963 comm="kworker/u16:6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.804:559): avc: denied { search } for pid=5963 comm="systemd-cgroups" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.809:560): avc: denied { search } for pid=5964 comm="(sysctl)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.813:562): avc: denied { search } for pid=5964 comm="sysctl" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936823.149:604): avc: denied { search } for pid=5987 comm="setsebool" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage
bootloader files in UEFI (DOS) partition need also to manage UEFI boot
variables in efivarfs. Bootctl (systemd-boot tool) verifies the type
of EFI file system and needs to mmap() the files.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Add KWin to list of window managers and allow it to mmap wm_tmpfs_t
files to avoid a crash. Related audit event:
type=AVC msg=audit(04/24/2020 15:39:25.287:679) : avc: denied { map } for pid=1309 comm=kwin_x11 path=/memfd:JSVMStack:/lib/x86_64-linux-gnu/libQt5Qml.so.5 (deleted) dev="tmpfs" ino=45261 scontext=user_u:user_r:user_wm_t:s0 tcontext=user_u:object_r:wm_tmpfs_t:s0 tclass=file permissive=0
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Allow systemd-networkd to send and receive ICMPv6 Router Solicitation
and Router Advertisement packets (in reality all ICMP/ICMPv6 packets)
and DHCP client packets.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
In many cases, this won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
When using network namespaces with `ip netns`, command `ip` creates
files in `/run/netns` that are mountpoints for `nsfs`. For example:
$ ip netns add VPN
$ ls -Z /run/netns/VPN
system_u:object_r:nsfs_t /run/netns/VPN
$ findmnt /run/netns/VPN
TARGET SOURCE FSTYPE OPTIONS
/run/netns/VPN nsfs[net:[4026532371]] nsfs rw
/run/netns/VPN nsfs[net:[4026532371]] nsfs rw
From a shell CLI, it is possible to retrieve the name of the current
network namespace:
$ ip netns exec VPN bash
$ ip netns identify $$
VPN
This requires reading `/proc/$PID/ns/net`, which is labelled as a user
domain. Allow this access using `userdom_read_all_users_state()`.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
`sysdig` is a tool that enables introspecting the system, debugging it,
etc. It uses a driver that creates `/dev/sysdig0`. Define a specific
label in order to be able to allow using it.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Debian 10, ``systemd --user`` runs some generators in
/usr/lib/systemd/user-environment-generators when a user session starts.
Here is what is logged in audit.log for a sysadm user.
type=AVC msg=audit(1586962888.516:65): avc: denied { getattr } for
pid=309 comm="(sd-executor)"
path="/usr/lib/systemd/user-environment-generators/90gpg-agent"
dev="vda1" ino=662897 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
permissive=1
type=AVC msg=audit(1586962888.516:66): avc: denied { map } for
pid=310 comm="30-systemd-envi"
path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
dev="vda1" ino=655822 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
permissive=1
type=AVC msg=audit(1586962888.516:66): avc: denied
{ execute_no_trans } for pid=310 comm="(direxec)"
path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
dev="vda1" ino=655822 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
permissive=1
Run these program without domain transition.
This follows a discussion that took place in
https://github.com/SELinuxProject/refpolicy/pull/224
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The various /bin/tpm2_* binaries use dbus to communicate
with tpm2-abrmd and also can directly access /dev/tpmrm0. This
seems like a way to help limit access to the TPM by running the
tpm_* binaries in their own domain.
I setup this domain because I have a process that needs to use
tpm2_hmac to encode something, but didn't want that domain to
have direct access to the TPM. I did some basic testing to verify
that the other tpm2_* binaries have basically the same access needs.
But it wasn't through testing of all the tpm2_* binaries.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Yes mmap is the standard way of accessing the mail spool.
Removed spamd_gpg_t because there's no point to it, the separation doesn't
provide an actual benefit.
Made the other requested changes.
Signed-off-by: Russell Coker <russell@coker.com.au>
Init, init scripts and udisks don't need to be able to create regular
files in /dev.
Thanks to Jarkko Sakkinen for the idea.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
D-Bus services wanting to pass file descriptors for
tun/tap devices need to read/write privileges to /dev/tun.
Without this privilege the following denial will happen:
type=AVC msg=audit(1582227542.557:3045): avc: denied { read write } for pid=1741 comm="dbus-daemon" path="/dev/net/tun" dev="devtmpfs" ino=486 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
This is needed by OpenVPN 3 Linux, where an unprivileged
process (openvpn3-service-client) requests a tun device
from a privileged service (openvpn3-service-netcfg) over
the D-Bus system bus.
GitHub-Issue: #190
Signed-off-by: David Sommerseth <davids@openvpn.net>
I'm seeing problems on RHEL7 with lvm2-activation-generator that are
coming from recent changes to put systemd-fstab-generator into it's
own domain. I resolved the issues by creaing this generator attribute
to grant common generator permissions and move all generators into
a single systemd_generator_t domain.
Then setup specific types for the following generators:
lvm2-activation-generator - needs to read lvm2 config
systemd-sysv-generator - needs to read stuff in init_t that other generators don't.
systemd-efi-boot-generator - needs to read stuff on the EFI boot partition labeled boot_t
For fstab generator allow it to write /sys
[ 19.482951] type=1400 audit(1584548691.268:7): avc: denied { write } for pid=1638 comm="systemd-fstab-g" name="/" dev="sysfs" ino=1 Allow scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
audit(1585500099.139:6): avc: denied { read } for pid=1635 comm="systemd-cryptse" path="/run/systemd/generator/dev-mapper-luks\x2d6a613af0\x2d0a61\x2d462f\x2d8679\x2d1b0d964fbc88.device.d/.#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
audit(1585500099.139:7): avc: denied { setattr } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
audit(1585500099.139:8): avc: denied { rename } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
When getting dumps from a crash in a mount namespace, systemd wants to run stat on the root in that namespace
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
According to IANA, winshadow is port 3261 for both TCP and UDP.
3161 for TCP looks like a typo that slipped through.
Signed-off-by: Florian Schmidt <flosch@nutanix.com>
There is a STIG requirement (CCE-27326-8) that all files in /dev be labeled (something other than 'device_t'). On the systems I am working on there are a few files labeled device_t.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Usbguard enforces the USB device authorization policy for all USB
devices. Users can be authorized to manage rules and make device
authorization decisions using a command line tool.
Add rules for usbguard. Optionally, allow authorized users to control
the daemon, which requires usbguard-daemon to be able modify its rules
in /etc/usbguard.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Modern systems shouldn't need direct access to raw memory
devices (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port)
anymore, so let's remove the access in most cases and make it tunable
in the rest.
Add dev_read_raw_memory_cond(), dev_write_raw_memory_cond() and
dev_wx_raw_memory_cond(), which are conditional to new boolean
allow_raw_memory_access.
Remove raw memory access for a few domains that should never have
needed it (colord_t, iscsid_t, mdamd_t, txtstat_t), should not need it
anymore (dmidecode_t, Debian devicekit_diskt_t, hald_t, hald_mac_t,
xserver_t) or the domains that should transition to different domain
for this (rpm_t, kudzu_t, dpkg_t).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
/dev/ipmi is labeled, but no interfaces exist to grant access to the device.
Adding interface for read/write access, I'm not sure of read-only access is usefull. ipmitool seems to only read and write
type=AVC msg=audit(1581618155.319:786): avc: denied { read write } for pid=4498 comm="ipmitool" name="ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.319:786): avc: denied { open } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.320:787): avc: denied { ioctl } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 ioctlcmd=6910 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
This exception goes back 14 years to commit 85c20af3c1 and 11a0508ede.
The tts exception is covered by a distro agnostic rule further up, and the udev rule doesn't even work (it's supposed to be /lib/udev/ not /usr/lib/udev on gentoo) so I seriously doubt anyone is going to miss them.
Signed-off-by: Vilgot <Vilgot@fredenberg.xyz>
Required for example to start/stop systemd-journal-flush.service
which moves the journal storage back and forth between tmpfs and
permanent storage.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
fifo_files inherited from domains allowed to change role to sysadm_r.
This enables to do e.g. 'echo "..." | sudo -r sysadm_r command' from a
staff_u:staff_r:staff_t context
the permissions to write the wireless device in order to
prevent a possible Denial of Service (DoS) attack from an
unprivileged process bringing down the wireless interfaces.
Only administrative users can now enable/disable the wireless
interfaces, while normal users can only read their status.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.if | 3 ++-
2 files changed, 20 insertions(+), 1 deletion(-)
