Merge pull request #294 from cgzones/selint
commit
e10d956f38
25
.travis.yml
25
.travis.yml
@ -102,12 +102,35 @@ install:
|
||||
# Drop build.conf settings to listen to env vars
|
||||
- sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
|
||||
|
||||
- |
|
||||
if [ -n "$LINT" ] ; then
|
||||
# Install SELint from Debian testing
|
||||
wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add -
|
||||
sudo add-apt-repository 'deb http://deb.debian.org/debian/ testing main' -y
|
||||
sudo apt-get update -q
|
||||
sudo apt-get install -y selint
|
||||
|
||||
selint -V
|
||||
fi
|
||||
|
||||
script:
|
||||
- echo $TYPE $DISTRO $MONOLITHIC $SYSTEMD $WERROR
|
||||
- set -e
|
||||
- if [ -n "$LINT" ] ; then python3 -t -t -E -W error testing/check_fc_files.py ; fi
|
||||
- make bare
|
||||
- make conf
|
||||
- |
|
||||
if [ -n "$LINT" ] ; then
|
||||
# Run filecontext checker
|
||||
python3 -t -t -E -W error testing/check_fc_files.py
|
||||
|
||||
# Run SELint
|
||||
# disable C-005 (Permissions in av rule or class declaration not ordered) for now: has 712 findings
|
||||
# disable S-010 (Permission macro usage suggested) for now: has 96 findings
|
||||
# disable W-005 (Interface call from module not in optional_policy block): refpolicy does not follow this rule
|
||||
selint --source --recursive --summary --fail --disable C-005 --disable S-010 --disable W-005 .
|
||||
|
||||
exit 0
|
||||
fi
|
||||
- make
|
||||
- make validate
|
||||
- make xml
|
||||
|
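Review bot: The key import `wget -O - https://ftp-master.debian.org/keys/archive-key-10.asc 2>/dev/null | sudo apt-key add -` hides a failed download and, because `apt-key add` has no scope, makes the Debian archive key a trusted signer for every configured source rather than only the testing source added on the next line. Fetching to a file first (`wget -q -O /tmp/debian-archive-key-10.asc https://ftp-master.debian.org/keys/archive-key-10.asc`) and referencing it via a `signed-by=` option in a sources.list.d entry would keep trust limited to that source; with `add-apt-repository` as written the key stays global. Adding `deb http://deb.debian.org/debian/ testing main` without an apt pin also lets `apt-get install -y selint` resolve dependencies from testing instead of the image's own release, so a preferences.d entry pinning only `selint` to testing would make the install reproducible. Since this runs as one multi-line block, only its final exit status is observed, so a failure in the key or repository step is presumably first noticed at `selint -V`.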
@ -577,10 +577,6 @@ interface(`rpm_manage_pid_files',`
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_pid_filetrans_rpm_pid',`
|
||||
gen_require(`
|
||||
type rpm_runtime_t;
|
||||
')
|
||||
|
||||
refpolicywarn(`$0($*) has been deprecated')
|
||||
')
|
||||
|
||||
|
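Review bot: `refpolicywarn(`$0($*) has been deprecated')` gives callers no replacement, unlike the modutils hunk in this PR which names `files_mmap_read_kernel_modules()`; if a successor interface exists for this rpm runtime filetrans, name it, e.g. `refpolicywarn(`$0($*) has been deprecated, please use <REPLACEMENT_INTERFACE>() instead.')`. The `## <summary>` block of this interface is above the hunk and not visible here; if it was not updated, appending `(Deprecated)` to it as the modutils hunk does keeps the generated interface documentation in step with the code.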
@ -44,7 +44,7 @@ ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl
|
||||
# network_interface(if_name,linux_interface,mls_sensitivity)
|
||||
#
|
||||
define(`network_interface',`
|
||||
gen_require(``type unlabeled_t;'')
|
||||
gen_require(``type unlabeled_t;'') #selint-disable:S-001
|
||||
type $1_netif_t, netif_type;
|
||||
declare_netifs($1_netif_t,shift($*))
|
||||
')
|
||||
@ -59,7 +59,7 @@ ifdef(`__network_enabled_declared__',`',`
|
||||
gen_bool(network_enabled, true)
|
||||
define(`__network_enabled_declared__')
|
||||
')
|
||||
gen_require(``type unlabeled_t;'')
|
||||
gen_require(``type unlabeled_t;'') #selint-disable:S-001
|
||||
type $1_netif_t, netif_type;
|
||||
declare_netifs($1_netif_t,shift($*))
|
||||
')
|
||||
|
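Review bot: `#selint-disable:S-001` is added to `gen_require(``type unlabeled_t;'')` in both hunks here, and again in the `attribute cron_job_domain` hunk and the selinuxutil.te hunk, without recording why the rule is suppressed, so a later reader cannot tell whether the suppression is still justified or can be dropped. A short trailing reason on the first occurrence, e.g. `#selint-disable:S-001 (no interface provides this kernel type here)` with the wording adjusted to the actual reason, would document the decision; a one-line note near the other three pointing at that explanation is enough. Both macro definitions continue to be built from `$1`/`$*` as before, so the marker is the only functional difference in these hunks.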
@ -77,6 +77,10 @@ attribute cron_job_domain;
|
||||
# SELinux identity and role change constraints
|
||||
attribute process_uncond_exempt; # add userhelperdomain to this one
|
||||
|
||||
gen_require(` #selint-disable:S-001
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
|
||||
neverallow ~{ domain unlabeled_t } *:process *;
|
||||
|
||||
|
@ -200,6 +200,8 @@ HOME_ROOT/lost\+found/.* <<none>>
|
||||
# Avoid calling m4's include by using en empty string
|
||||
/usr/include`'(/.*)? gen_context(system_u:object_r:usr_t,s0)
|
||||
|
||||
/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
|
||||
|
||||
/usr/local/\.journal <<none>>
|
||||
|
||||
/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
|
||||
|
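Review bot: The new `/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)` entry lives here while the more specific `/usr/lib/modules/[^/]+/modules\..+` and `/usr/lib/modules/modprobe\.conf` entries stay in the modutils fc hunk of this PR, so the labels of those paths now depend on the most-specific-match ordering across two modules' fc files. A comment beside the new entry, `# more specific entries for modules.dep/modprobe.conf remain in modutils.fc`, would make that split explicit for whoever next edits either file.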
@ -4157,6 +4157,27 @@ interface(`files_read_kernel_modules',`
|
||||
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and mmap kernel module files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_mmap_read_kernel_modules',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
allow $1 modules_object_t:dir list_dir_perms;
|
||||
read_files_pattern($1, modules_object_t, modules_object_t)
|
||||
allow $1 modules_object_t:file map;
|
||||
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write kernel module files.
|
||||
@ -4213,6 +4234,7 @@ interface(`files_manage_kernel_modules',`
|
||||
|
||||
allow $1 modules_object_t:dir rw_dir_perms;
|
||||
manage_files_pattern($1, modules_object_t, modules_object_t)
|
||||
allow $1 modules_object_t:file map;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -7000,7 +7022,6 @@ interface(`files_write_runtime_pipes',`
|
||||
interface(`files_delete_all_runtime_dirs',`
|
||||
gen_require(`
|
||||
attribute pidfile;
|
||||
type var_t, var_run_t;
|
||||
')
|
||||
|
||||
delete_dirs_pattern($1, pidfile, pidfile)
|
||||
|
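Review bot: The new `files_mmap_read_kernel_modules` body repeats every line of `files_read_kernel_modules` (the `list_dir_perms` allow, `read_files_pattern`, `read_lnk_files_pattern`) and only adds `allow $1 modules_object_t:file map;`; writing it as `files_read_kernel_modules($1)` followed by that map allow keeps the two interfaces from drifting apart when a permission is later added to one and not the other. The same thought applies to the `files_manage_kernel_modules` hunk, where the map line is appended to the manage pattern. In the `files_delete_all_runtime_dirs` hunk one line is dropped from the require block; if it is `type var_t, var_run_t;`, note that the interface body continues past the hunk, so confirm nothing below it still references those types.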
@ -96,7 +96,7 @@ interface(`xserver_restricted_role',`
|
||||
|
||||
miscfiles_read_fonts($2)
|
||||
|
||||
xserver_common_x_domain_template(user, $2)
|
||||
xserver_common_x_domain_template(user, $2) #selint-disable:S-004
|
||||
xserver_domtrans($2)
|
||||
xserver_unconfined($2)
|
||||
xserver_xsession_entry_type($2)
|
||||
|
@ -185,6 +185,7 @@ domain_sigstop_all_domains(init_t)
|
||||
domain_sigchld_all_domains(init_t)
|
||||
|
||||
files_read_etc_files(init_t)
|
||||
files_mmap_read_kernel_modules(init_t)
|
||||
files_rw_runtime_files(init_t)
|
||||
files_manage_etc_runtime_files(init_t)
|
||||
files_etc_filetrans_etc_runtime(init_t, file)
|
||||
@ -547,7 +548,6 @@ ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
modutils_read_module_config(init_t)
|
||||
modutils_read_module_deps(init_t)
|
||||
modutils_read_module_objects(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -21,7 +21,6 @@ ifdef(`init_systemd',`
|
||||
/usr/bin/rmmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)
|
||||
/usr/bin/update-modules -- gen_context(system_u:object_r:kmod_exec_t,s0)
|
||||
|
||||
/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
|
||||
/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
|
||||
/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
|
||||
|
||||
|
@ -12,10 +12,11 @@
|
||||
#
|
||||
interface(`modutils_getattr_module_deps',`
|
||||
gen_require(`
|
||||
type modules_dep_t, modules_object_t;
|
||||
type modules_dep_t;
|
||||
')
|
||||
|
||||
getattr_files_pattern($1, modules_object_t, modules_dep_t)
|
||||
files_search_kernel_modules($1)
|
||||
allow $1 modules_dep_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -39,7 +40,7 @@ interface(`modutils_read_module_deps',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the kernel modules.
|
||||
## Read the kernel modules. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -48,12 +49,8 @@ interface(`modutils_read_module_deps',`
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_read_module_objects',`
|
||||
gen_require(`
|
||||
type modules_object_t;
|
||||
')
|
||||
|
||||
files_list_kernel_modules($1)
|
||||
allow $1 modules_object_t:file { read_file_perms map };
|
||||
refpolicywarn(`$0($*) has been deprecated, please use files_mmap_read_kernel_modules() instead.')
|
||||
files_mmap_read_kernel_modules($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -46,11 +46,7 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
|
||||
read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
|
||||
list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
|
||||
manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
|
||||
allow kmod_t modules_dep_t:file map;
|
||||
filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
|
||||
create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
|
||||
delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
|
||||
allow kmod_t modules_object_t:file map;
|
||||
files_kernel_modules_filetrans(kmod_t, modules_dep_t, file)
|
||||
|
||||
can_exec(kmod_t, kmod_exec_t)
|
||||
|
||||
@ -87,7 +83,7 @@ dev_rw_acpi_bios(kmod_t)
|
||||
domain_signal_all_domains(kmod_t)
|
||||
domain_use_interactive_fds(kmod_t)
|
||||
|
||||
files_read_kernel_modules(kmod_t)
|
||||
files_manage_kernel_modules(kmod_t)
|
||||
files_read_kernel_symbol_table(kmod_t)
|
||||
files_read_etc_runtime_files(kmod_t)
|
||||
files_read_etc_files(kmod_t)
|
||||
|
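Review bot: `allow kmod_t modules_dep_t:file map;` appears to be among the lines removed from the first hunk (the old/new counts leave five removed lines, and the other four are the filetrans, create, delete and `modules_object_t` map lines replaced by `files_kernel_modules_filetrans(kmod_t, modules_dep_t, file)` and, in the second hunk, `files_manage_kernel_modules(kmod_t)`), yet nothing in the new code re-grants map on `modules_dep_t`. As far as I recall `manage_files_pattern` does not include the map permission, so kmod would lose the ability to mmap the module dependency files it could before; if that reading is right, keep `allow kmod_t modules_dep_t:file map;` next to the remaining `manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)`. The `modules_object_t` side is covered by the `files_manage_kernel_modules` change in files.if, which now grants map.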
@ -1,6 +1,6 @@
|
||||
policy_module(selinuxutil, 1.27.4)
|
||||
|
||||
gen_require(`
|
||||
gen_require(` #selint-disable:S-001
|
||||
bool secure_mode;
|
||||
')
|
||||
|
||||
|
@ -727,11 +727,11 @@ kernel_request_load_module(systemd_modules_load_t)
|
||||
|
||||
dev_read_sysfs(systemd_modules_load_t)
|
||||
|
||||
files_mmap_read_kernel_modules(systemd_modules_load_t)
|
||||
files_read_etc_files(systemd_modules_load_t)
|
||||
|
||||
modutils_read_module_config(systemd_modules_load_t)
|
||||
modutils_read_module_deps(systemd_modules_load_t)
|
||||
modutils_read_module_objects(systemd_modules_load_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_modules_load_t)
|
||||
|
||||
|
@ -128,7 +128,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
||||
files_read_usr_files(udev_t)
|
||||
files_read_etc_runtime_files(udev_t)
|
||||
files_read_etc_files(udev_t)
|
||||
files_read_kernel_modules(udev_t)
|
||||
files_mmap_read_kernel_modules(udev_t)
|
||||
files_exec_etc_files(udev_t)
|
||||
files_getattr_generic_locks(udev_t)
|
||||
files_search_mnt(udev_t)
|
||||
@ -182,7 +182,6 @@ modutils_domtrans(udev_t)
|
||||
modutils_read_module_config(udev_t)
|
||||
# read modules.inputmap:
|
||||
modutils_read_module_deps(udev_t)
|
||||
modutils_read_module_objects(udev_t)
|
||||
|
||||
seutil_read_config(udev_t)
|
||||
seutil_read_default_contexts(udev_t)
|
||||
|