I'm seeing problems on RHEL7 with lvm2-activation-generator that are
coming from recent changes to put systemd-fstab-generator into it's
own domain. I resolved the issues by creaing this generator attribute
to grant common generator permissions and move all generators into
a single systemd_generator_t domain.
Then setup specific types for the following generators:
lvm2-activation-generator - needs to read lvm2 config
systemd-sysv-generator - needs to read stuff in init_t that other generators don't.
systemd-efi-boot-generator - needs to read stuff on the EFI boot partition labeled boot_t
For fstab generator allow it to write /sys
[ 19.482951] type=1400 audit(1584548691.268:7): avc: denied { write } for pid=1638 comm="systemd-fstab-g" name="/" dev="sysfs" ino=1 Allow scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
audit(1585500099.139:6): avc: denied { read } for pid=1635 comm="systemd-cryptse" path="/run/systemd/generator/dev-mapper-luks\x2d6a613af0\x2d0a61\x2d462f\x2d8679\x2d1b0d964fbc88.device.d/.#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
audit(1585500099.139:7): avc: denied { setattr } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
audit(1585500099.139:8): avc: denied { rename } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
According to IANA, winshadow is port 3261 for both TCP and UDP.
3161 for TCP looks like a typo that slipped through.
Signed-off-by: Florian Schmidt <flosch@nutanix.com>
There is a STIG requirement (CCE-27326-8) that all files in /dev be labeled (something other than 'device_t'). On the systems I am working on there are a few files labeled device_t.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Modern systems shouldn't need direct access to raw memory
devices (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port)
anymore, so let's remove the access in most cases and make it tunable
in the rest.
Add dev_read_raw_memory_cond(), dev_write_raw_memory_cond() and
dev_wx_raw_memory_cond(), which are conditional to new boolean
allow_raw_memory_access.
Remove raw memory access for a few domains that should never have
needed it (colord_t, iscsid_t, mdamd_t, txtstat_t), should not need it
anymore (dmidecode_t, Debian devicekit_diskt_t, hald_t, hald_mac_t,
xserver_t) or the domains that should transition to different domain
for this (rpm_t, kudzu_t, dpkg_t).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
/dev/ipmi is labeled, but no interfaces exist to grant access to the device.
Adding interface for read/write access, I'm not sure of read-only access is usefull. ipmitool seems to only read and write
type=AVC msg=audit(1581618155.319:786): avc: denied { read write } for pid=4498 comm="ipmitool" name="ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.319:786): avc: denied { open } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.320:787): avc: denied { ioctl } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 ioctlcmd=6910 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
This exception goes back 14 years to commit 85c20af3c1 and 11a0508ede.
The tts exception is covered by a distro agnostic rule further up, and the udev rule doesn't even work (it's supposed to be /lib/udev/ not /usr/lib/udev on gentoo) so I seriously doubt anyone is going to miss them.
Signed-off-by: Vilgot <Vilgot@fredenberg.xyz>
the permissions to write the wireless device in order to
prevent a possible Denial of Service (DoS) attack from an
unprivileged process bringing down the wireless interfaces.
Only administrative users can now enable/disable the wireless
interfaces, while normal users can only read their status.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.if | 3 ++-
2 files changed, 20 insertions(+), 1 deletion(-)
Add interface similar to files_mountpoint() and add a conditional which
allows mount on non_security_file_type.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5. Consequently, kernels >= 3.5 should never
perform permission checks on these classes although they remained
defined in the SELinux kernel classmap until the netlink classes
were updated by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652
circa Linux v4.2.
Removing these class definitions would break legacy userspace that relies
upon stable values for the userspace security class definitions since it
will perturb those values by removing classes that preceded them. dbus-daemon
in particular is known to break if its dbus class changes at runtime,
which could occur upon a policy reload that removes these classes.
Fixing this requires ensuring that dbus-daemon looks up the appropriate
class value on each use or upon policy reload, via userspace interfaces
such as selinux_check_access(), string_to_security_class(), and/or
selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function
that remaps the class value if needed. Other userspace policy enforcers
are believed to have been updated in recent versions but older versions
may break upon such a change.
Hence, this change renames these classes with obsolete_ prefixes and
removes all rules referencing them from refpolicy, thereby preserving
the class numbering for subsequent classes while making it clear that
these classses are no longer meaningful for modern kernels.
This change does however create a potential compatibility break for
kernels < 3.5, since the policy will cease to define the kernel class
names and therefore the kernel will handle permission checks on the
class based on the handle_unknown setting in policy. For most
Linux distributions, this will default to allow and therefore avoid
breaking userspace but will fail open. For kernels < 2.6.33 (i.e.
the dynamic class/perm discovery support), the presence of a class
in policy with the same number but a different name than the kernel
class will cause the policy load to fail entirely.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
entrypoint and execute_no_trans permissions are only ever checked by the
kernel to regular files. They were added to the chr_file class when
execmod was added (which can be checked on chr_file) to ensure that it
was assigned the same value as for the file class, since the kernel code
always checked FILE__EXECMOD. However, the policy definitions are not
necessary since the kernel and policy values have been decoupled ever
since dynamic class/perm support was introduced and further with the
move of execmod to the common definitions, they were not even needed
in the kernel.
These were removed from the kernel's classmap by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b424485abe2b16580a178b469917a7b6ee0c152a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As adding attribute fixed_disk_raw_read to a type cannot occur in a
conditional statement, create a new interface that takes a tunable as
parameter to allow a dangerous access conditionally.
Signed-off-by: Nicolas Iooss <nicolas.iooss_git@polytechnique.org>
