Commit Graph

175 Commits

Author SHA1 Message Date
Chris PeBenito d387e79989 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:09:10 -04:00
Christian Göttsche e9b2e1ea4f work on SELint issues
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Chris PeBenito 71e653980b various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-11 08:35:00 -04:00
Chris PeBenito fe737c405d selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-28 10:33:07 -04:00
Chris PeBenito 613708cad6 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00
Chris PeBenito 0992763548 Update callers for "pid" to "runtime" interface rename.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
Chris PeBenito 5b171c223a various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-14 10:32:30 -04:00
bauen1 096b8f59f2
semanage: create directories for new policies
semodule will try to create a directory under /etc/selinux if the policy
it is modifying doesn't exist (e.g. it is being build for the first time).

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-14 09:31:31 +02:00
Chris PeBenito 24e1e2c8a3 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-21 11:03:01 -04:00
Daniel Burgener 410a682138 Fix mismatches between object class and permission macro.
In many cases, this won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues.

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-04-20 15:46:33 -04:00
Chris PeBenito b2f72e833b Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
Chris PeBenito 335d9425c0 various: Module version bump. 2019-12-26 11:48:27 -05:00
Chris PeBenito 4f1346357a portage, selinuxutil: Module version bump. 2019-09-18 19:40:17 -04:00
Petr Lautrbach e0813db519 newrole: allow newrole to use setcap to drop capabilities
Commit 61b72e0796 ("selinuxutil: adjustments") removed negative permission
matching for newrole_t:process. One of the removed permission was setcap which
is needed by newrole as it tries to drop capabilities:

    $ newrole -r sysadm_r
    Sorry, newrole failed to drop capabilities
    : Permission denied

    type=PROCTITLE msg=audit(09/06/2019 15:07:01.908:10821) : proctitle=newrole -r sysadm_r

    type=SYSCALL msg=audit(09/06/2019 15:07:01.908:10821) : arch=x86_64
    syscall=capset success=no exit=EACCES(Permission denied) a0=0x7fbe17d4cb6c
    a1=0x7fbe17d4cb74 a2=0x7fbe17d4d5d0 a3=0x0 items=0 ppid=4981 pid=7255
    auid=admin uid=admin gid=admin euid=admin
    suid=admin fsuid=admin egid=admin sgid=admin fsgid=admin tty=tty1 ses=6
    comm=newrole exe=/usr/bin/newrole subj=staff_u:staff_r:newrole_t:s0
    key=(null)

    type=AVC msg=audit(09/06/2019 15:07:01.908:10821) : avc:  denied  { setcap }
    for  pid=7255 comm=newrole scontext=staff_u:staff_r:newrole_t:s0
    tcontext=staff_u:staff_r:newrole_t:s0 tclass=process permissive=0

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-09-18 15:34:29 +02:00
Chris PeBenito 8c3893e427 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito 2623984b83 logging, selinuxutil: Module version bump. 2019-02-23 19:30:58 -08:00
Nicolas Iooss 0ab9035efa
Remove a broad read-files rule for restorecond
When the policy for restorecond was introduced, it contained a rule
which allowed restorecond to read every file except shadow_t (cf.
724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)
):

    auth_read_all_files_except_shadow(restorecond_t)

Since 2006, the policy changed quite a bit, but this access remained.
However restorecond does not need to read every available file.

This is related to this comment:
https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379
2019-02-23 21:20:21 +01:00
Nicolas Iooss 7bb9172b67
Allow restorecond to read customizable_types
When trying to remove files_read_non_auth_files(restorecond_t), the
following AVC denial occurs:

    type=AVC msg=audit(1550921968.443:654): avc:  denied  { open } for
    pid=281 comm="restorecond"
    path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1"
    ino=928006 scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:default_context_t tclass=file
    permissive=1

    type=AVC msg=audit(1550921968.443:654): avc:  denied  { read } for
    pid=281 comm="restorecond" name="customizable_types" dev="vda1"
    ino=928006 scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:default_context_t tclass=file
    permissive=1

As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by
restorecond, allow this access.
2019-02-23 21:14:10 +01:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito b5cda0e2c5 selinuxutil: Module version bump. 2019-01-16 18:20:51 -05:00
Nicolas Iooss 6e2896098c
selinuxutil: restorecond is buggy when it dereferencies symlinks
restorecond uses libselinux's selinux_restorecon() to relabel files,
which dereferences symlinks in a useless call to statfs(). This produces
AVC denials which are noisy.

Fixes: https://github.com/SELinuxProject/refpolicy/pull/22
2019-01-16 22:10:38 +01:00
Chris PeBenito 4a90eae668 usermanage, cron, selinuxutil: Module version bump. 2019-01-14 17:45:24 -05:00
Nicolas Iooss ae35b48f8e
selinuxutil: allow restorecond to read symlinks
As restorecond dereferences symlinks when it encounters them in user
home directories, allow this access.
2019-01-13 22:47:11 +01:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Nicolas Iooss 49af56f3b5
selinuxutil: allow restorecond to try counting the number of files in cgroup fs
When restorecond calls selinux_restorecon(), libselinux scans
/proc/mounts in a function named exclude_non_seclabel_mounts with the
following comment
(https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230):

    /*
     * This is called once when selinux_restorecon() is first called.
     * Searches /proc/mounts for all file systems that do not support extended
     * attributes and adds them to the exclude directory table.  File systems
     * that support security labels have the seclabel option, return
     * approximate total file count.
     */

The "approximate total file count" is computed using statvfs(), which
results in a system call to statfs().

The cgroup filesystem supports security label (/proc/mounts shows
"seclabel") so restorecond uses statfs to try counting the number of its
inodes. This result in the following denial:

    type=AVC msg=audit(1546727200.623:67): avc:  denied  { getattr } for
    pid=314 comm="restorecond" name="/" dev="cgroup" ino=1
    scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0

    type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137
    success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55
    a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0
    euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
    ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond"
    subj=system_u:system_r:restorecond_t key=(null)

    type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond"

Allow this, like commit 5125b8eb2d ("last misc stuff") did for
setfiles_t.
2019-01-05 23:51:36 +01:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Russell Coker 5125b8eb2d last misc stuff
More tiny patches.  Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
2019-01-05 13:54:38 -05:00
Chris PeBenito b4d7c65fc4 Various modules: Version bump. 2018-11-11 15:58:59 -05:00
Laurent Bigonville 6060f35f03 Allow semanage_t to connect to system D-Bus bus
This is needed as systemd NSS modules is talking to systemd/PID1 over
D-Bus
2018-11-10 19:01:33 +01:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito 78a49b640d Add new mmap permission set and pattern support macros.
Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access.  Replace with a full set of permission
set macros for mmap.

Requested for selinux-testsuite usage.
2017-12-13 18:58:34 -05:00
Chris PeBenito 095ad7923a Several module version bumps. 2017-09-11 20:34:13 -04:00
Luis Ressel bbab9e970d selinuxutil: Add map permissions neccessary for semanage 2017-09-11 20:31:23 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 602b77236d Module version bump for mmap fixes from Stephen Smalley. 2017-05-24 19:58:32 -04:00
Stephen Smalley 7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Chris PeBenito 3cdaad6e29 Module version bump for changes from Jason Zaman and Luis Ressel. 2017-05-11 19:54:25 -04:00
Luis Ressel a114d07fd3 system/selinuxutil: Allow semanage to execute its tmp files
Since app-admin/setools-4.1.0, some python internals try to create and
execute a file in /tmp during semanage initalization, causing semanage
to crash. Here's the backtrace (with the path
"/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):

Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.4/semanage", line 28, in <module>
    import seobject
  File "py/seobject.py", line 34, in <module>
    import sepolicy
  File "py/sepolicy/__init__.py", line 8, in <module>
    import setools
  File "py/setools/__init__.py", line 77, in <module>
    from .infoflow import InfoFlowAnalysis
  File "py/setools/infoflow.py", line 22, in <module>
    import networkx as nx
  File "py/networkx/__init__.py", line 93, in <module>
    import networkx.linalg
  File "py/networkx/linalg/__init__.py", line 9, in <module>
    from networkx.linalg.algebraicconnectivity import *
  File "py/networkx/linalg/algebraicconnectivity.py", line 18, in <module>
    from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
  File "py/numpy/__init__.py", line 180, in <module>
    from . import add_newdocs
  File "py/numpy/add_newdocs.py", line 13, in <module>
    from numpy.lib import add_newdoc
  File "py/numpy/lib/__init__.py", line 8, in <module>
    from .type_check import *
  File "py/numpy/lib/type_check.py", line 11, in <module>
    import numpy.core.numeric as _nx
  File "py/numpy/core/__init__.py", line 22, in <module>
    from . import _internal  # for freeze programs
  File "py/numpy/core/_internal.py", line 14, in <module>
    import ctypes
  File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in <module>
    _reset_cache()
  File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
    CFUNCTYPE(c_int)(lambda: None)
MemoryError
2017-05-11 19:43:38 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito bb8f9f49c3 little misc strict from Russell Coker. 2017-04-29 11:25:13 -04:00
Chris PeBenito caca2e7e6e some little misc things from Russell Coker.
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
2017-04-26 18:03:02 -04:00
Chris PeBenito a8a360c178 devicekit, mount, xserver, and selinuxutil from Russell Coker
Allow devicekit_power_t to chat to xdm via dbus and log via syslog.

Allow mount_t to do more with it's runtime files and stat more filesystem
types.

Allow xauth to send sigchld to xdm.

Allow semanage to search policy_src_t dirs and read /dev/urandom.
2017-04-18 21:28:16 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones d2702a4224 corecmd_read_bin_symlinks(): remove deprecated and redundant calls 2017-03-03 12:00:07 +01:00
Chris PeBenito ca04cdb14b Module version bump for patches from cgzones. 2017-02-26 12:23:19 -05:00
Chris PeBenito 10388e1319 auth: Move optional out of auth_use_pam_systemd() to callers. 2017-02-26 12:08:02 -05:00
Chris PeBenito 15f0cc4fe1 Merge branch 'newrole_fixes' of git://github.com/cgzones/refpolicy 2017-02-26 11:58:43 -05:00
Chris PeBenito 132db642bd Module version bump for selinuxutil and systmd changes from cgzones. 2017-02-20 10:57:50 -05:00
Chris PeBenito 34cfce5410 Merge branch 'selinuxutil_module' of git://github.com/cgzones/refpolicy 2017-02-20 10:53:56 -05:00
cgzones 9b5d89fcf6 newrole: fix denials
dontaudit net_admin access due to setsockopt
allow communication with systemd-logind
2017-02-20 14:10:17 +01:00