Commit Graph

118 Commits

Author SHA1 Message Date
Chris PeBenito 2037c8f294 kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: Module version bumps. 2017-11-04 14:16:20 -04:00
Jason Zaman 9adc6c5ddb gssproxy: Allow others to stream connect
kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
2017-11-04 14:00:56 -04:00
Chris PeBenito 495e2c203b Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito 0ba1970b7c kernel: Module version bump for patch from Nicolas Iooss. 2017-08-08 20:02:22 -04:00
Nicolas Iooss 5cfe0def8b Add module_load permission to self when loading modules is allowed
When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
1d3087978a),
the following AVC denial gets reported:

    avc:  denied  { module_load } for  pid=1 comm="systemd"
    scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
    tclass=system permissive=1

[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836

    /* init_module */
    if (file == NULL)
        return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
                    SYSTEM__MODULE_LOAD, NULL);

In this code, both source and target SIDs are current_sid().
2017-08-08 19:58:47 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 6c2272c613 Module version bump for infiniband policy from Daniel Jurgens. 2017-05-24 19:36:49 -04:00
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Chris PeBenito 8f5927ec7c Module version bump for minor fixes from Guido Trentalancia. 2017-05-01 18:45:01 -04:00
Guido Trentalancia efc6502e8f kernel: low-priority update
Update the kernel module with some low priority fixes.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-05-01 18:41:42 -04:00
Chris PeBenito 2cd92db5cd systemd-nspawn again
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way.  I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.

Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.

Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.

Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
2017-04-01 12:08:42 -04:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 49545aad8f Module version bump for patches from Guido Trentalancia. 2016-12-30 14:15:06 -05:00
Guido Trentalancia cd85f4705d kernel: add missing plymouth interface
Add a previously missed optional plymouth interface to the kernel
module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-30 12:57:20 -05:00
Chris PeBenito e378390e8d Module version bump for systemd patch from Nicolas Iooss. 2016-12-27 10:56:39 -05:00
Chris PeBenito 19c3addb99 Module version bump for patches from Guido Trentalancia. 2016-12-27 10:51:56 -05:00
Guido Trentalancia d52463b9fe kernel: missing permissions for confined execution
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.

This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-27 10:38:07 -05:00
Chris PeBenito 97470c7670 Module version bump for kernel sysctl patch from Luis Ressel 2016-12-06 20:26:43 -05:00
Chris PeBenito f9c98632f5 Module version bumps for patches from Guido Trentalancia. 2016-10-30 14:31:50 -04:00
Russell Coker 44bedbfad0 single binary modutils
On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
> On 07/31/16 08:34, Russell Coker wrote:
> > The following patch deals with a single binary for modutils, so depmod_t,
> > and insmod_t are merged.
>
> Since the main SELinux distros (including RHEL/CentOS 7) all have merged
> modutils these days, I'm open to taking a patch that fully merges these
> domains (in which case renaming to kmod_t, with proper aliasing seems
> the best idea).
>
> However, it's been some time since I used a busybox-based system; does
> busybox still have separated tools?  Yes, this is a bit of an obvious
> question since busybox is also single-binary, but IIRC, the embedded
> guys made some tiny helper scripts or executables so proper
> transitioning could occur.  Separate domains may still make sense.

As we have had no response from Busybox users in the last 3 months and also no
response to the thread Luis started in 2013 I think it's safe to assume that
they don't need this.

I've attached a new patch which renames to kmod_t as you suggested.  Please
consider it for inclusion.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Description: Change modutils policy to match the use of a single binary
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-06-25
2016-10-23 19:12:07 -04:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00
Chris PeBenito c720d99e30 Module version bump for module_load perm use from Guido Trentalancia. 2016-08-29 20:29:46 -04:00
Guido Trentalancia 5c5d2d8d49 Add module_load permission to can_load_kernmodule
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

To preserve the module encapsulation, a new interface is defined
in the kernel files module and that interface is then used in the
kernel module.

A short note is added about unneeded permissions that set the
kernel scheduling parameters (might lead to service disruption).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-29 20:29:46 -04:00
Chris PeBenito 464c5df247 Reduce broad entrypoints for unconfined domains.
Entrypoints into unconfined domains, like with confined domains, should be
tightly controlled to make arbitrary code execution more difficult.
2016-03-22 15:43:30 -04:00
Chris PeBenito 5db5b62c42 Module version bump for several Arch fixes from Nicolas Iooss. 2016-03-22 15:34:53 -04:00
Nicolas Iooss 4bf3dfaeb2 Allow kdevtmpfs to unlink fixed disk devices
When a device gets removed, for example with "cryptsetup close",
kdevtmpfs (a kernel thread) removes its entry from devtmpfs filesystem:

    avc:  denied  { unlink } for  pid=48 comm="kdevtmpfs"
    name="dm-4" dev="devtmpfs" ino=144111
    scontext=system_u:system_r:kernel_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file

Allow this access on systems using systemd.
2016-03-19 11:12:28 +01:00
Chris PeBenito 2b972fefd1 Module version bump for vm overcommit sysctl interfaces from Laurent Bigonville. 2015-12-14 10:04:14 -05:00
Chris PeBenito 6b1b2e3965 Module version bumps for 2 patches from Dominick Grift. 2015-12-10 15:46:13 -05:00
Dominick Grift 6d6370c98a kernel: implement sysctl_vm_overcommit_t for /proc/sys/vm/overcommit_memory
Whoever requires this type first gets to create the interfaces to operate on this object

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2015-12-10 14:10:16 -05:00
Chris PeBenito c23353bcd8 Bump module versions for release. 2015-12-08 09:53:02 -05:00
Chris PeBenito 17694adc7b Module version bump for systemd additions. 2015-10-23 14:53:14 -04:00
Chris PeBenito 579849912d Add supporting rules for domains tightly-coupled with systemd. 2015-10-23 10:17:46 -04:00
Chris PeBenito 459a19f18d Module version bump for debufs mount point fc entry from Laurent Bigonville. 2015-05-06 09:50:14 -04:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 617466b2bd Module version bump for losetup fixes from Luis Ressel. 2014-08-19 08:45:38 -04:00
Luis Ressel 9946965a53 Add neccessary permissions for losetup
This allows losetup to bind mount_loopback_t files to loop devices.
2014-08-18 15:24:46 -04:00
Chris PeBenito b383c8075e Module version bump for missing unlabeled interfaces from Sven Vermeulen. 2014-08-14 15:49:59 -04:00
Chris PeBenito 342498065e Module version bump for deprecated interface usage removal from Nicolas Iooss. 2014-05-27 09:23:29 -04:00
Nicolas Iooss 40c155f732 No longer use deprecated MLS interfaces
Since commit 2d0c9cec mls_file_read_up and mls_file_write_down
interfaces are deprecated even though they are still present.

Replace mls_file_read_up with mls_file_read_all_levels and
mls_file_write_down with mls_file_write_all_levels.
2014-05-27 09:08:36 -04:00
Chris PeBenito 10ff4d0fa3 Bump module versions for release. 2014-03-11 08:16:57 -04:00
Chris PeBenito 3501307078 Fix read loopback file interface. 2014-02-08 11:35:57 -05:00
Chris PeBenito 92cd2e251c Module version bump for loopback file mounting fixes from Luis Ressel. 2014-02-08 10:50:34 -05:00
Chris PeBenito acf1229dad Rename mount_read_mount_loopback() to mount_read_loopback_file().
Also make kernel block optional since the calls are to a higher layer.
2014-02-08 10:49:47 -05:00
Luis Ressel 7ac64b8a5a Grant kernel_t necessary permissions for loopback mounts
For loopback mounts to work, the kernel requires access permissions to
fd's passed in by mount and to the source files (labeled mount_loopback_t).
2014-02-08 10:32:45 -05:00
Chris PeBenito d66aeb8436 Merge file_t into unlabeled_t, as they are security equivalent. 2014-01-16 11:19:00 -05:00
Chris PeBenito 1a01976fc4 Module version bump for first batch of patches from Dominick Grift. 2013-12-02 14:22:29 -05:00
Dominick Grift 5c49af2076 kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-12-02 08:43:33 -05:00
Chris PeBenito 2b7b44d80e Remove general unlabeled packet usage.
Back when the SECMARK implementation was new, the packet class was always
checked.  Because of that, unlabeled_t packet rules proliferated refpolicy
since the common case was to have no SECMARK rules.  Since then, the kernel
has been modified to only enforce the packet class if there are SECMARK
rules.  Remove the unlabeled_t packet rules, since users of SECMARK will
likely want no unlabeled_t packet rules, and the common case users will
have no impact since the packet class isn't enforced on their systems.

To have partial SECMARK confinement, the following rule applies:

allow { domain -type_i_want_to_constrain_t } unlabeled_t:packet { send recv };

It seems like over-allowing, but if you have no SECMARK rules, it's the equivalent of:

allow * unlabeled_t:packet { send recv };

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2013-05-14 10:15:34 -04:00
Chris PeBenito d174521a64 Bump module versions for release. 2013-04-24 16:14:52 -04:00
Chris PeBenito b7bc3d1506 Module version bump for kernel_stream_connect() from Dominick Grift. 2012-10-19 09:18:53 -04:00