The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5. Consequently, kernels >= 3.5 should never
perform permission checks on these classes although they remained
defined in the SELinux kernel classmap until the netlink classes
were updated by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652
circa Linux v4.2.
Removing these class definitions would break legacy userspace that relies
upon stable values for the userspace security class definitions since it
will perturb those values by removing classes that preceded them. dbus-daemon
in particular is known to break if its dbus class changes at runtime,
which could occur upon a policy reload that removes these classes.
Fixing this requires ensuring that dbus-daemon looks up the appropriate
class value on each use or upon policy reload, via userspace interfaces
such as selinux_check_access(), string_to_security_class(), and/or
selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function
that remaps the class value if needed. Other userspace policy enforcers
are believed to have been updated in recent versions but older versions
may break upon such a change.
Hence, this change renames these classes with obsolete_ prefixes and
removes all rules referencing them from refpolicy, thereby preserving
the class numbering for subsequent classes while making it clear that
these classses are no longer meaningful for modern kernels.
This change does however create a potential compatibility break for
kernels < 3.5, since the policy will cease to define the kernel class
names and therefore the kernel will handle permission checks on the
class based on the handle_unknown setting in policy. For most
Linux distributions, this will default to allow and therefore avoid
breaking userspace but will fail open. For kernels < 2.6.33 (i.e.
the dynamic class/perm discovery support), the presence of a class
in policy with the same number but a different name than the kernel
class will cause the policy load to fail entirely.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When using libvirt to manage virtual machines, libvirt_leaseshelper
wants to:
* read /etc/libnl/classid
* list the content of /sys/devices/system/node/ in order to read files
such as /sys/devices/system/node/node0/meminfo
* use getsched
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
dirmngr needs to listen and accept on /run/user/1000/gnupg/S.dirmngr
type=AVC msg=audit(1554175286.968:2720907): avc: denied { accept } for pid=15692 comm="dirmngr" path="/run/user/1000/gnupg/S.dirmngr" scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users)
Some aspect to note:
1. The ssh_sysadm_login boolean now applies to unconfined_t as well
2. remotelogin only allows unpriv logins
The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.
Signed-off-by: Dominick Grift <dac.override@gmail.com>
WireGuard is a fast, modern, secure VPN tunnel, according to
https://www.wireguard.com/. In order to install it, the mostly
documented way consists in building and installing an out-of-tree kernel
module and using userland tools to configure this module (wg and
wg-quick).
* WireGuard is like "ip": the userland tool communicates with the kernel
module through a netlink socket.
* WireGuard is like "iptables": there is no daemon, but some
distributions ship systemd units that restores a WireGuard
configuration when started.
* WireGuard is like other services: its configuration files are in /etc,
and it can use /run and /tmp.
Create a new policy module which handles all of this.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Some recent modifications added patterns in .fc files for programs in
/usr/sbin without adding the patterns for /usr/bin. On Arch Linux, where
/usr/sbin is a symlink to /usr/bin, such patterns are never matched.
Add the missing patterns.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The pattern /opt/brother/Printers(.*/)?inf(/.*)? matches the content of
directories such as /opt/brother/Printersinf/, which seems buggy. On
several systems, /opt/brother/Printers/ is a directory that contains
directories named as printer models.
Add a "/" before "(.*/)?" in order to make sure subdirectories of
/opt/brother/Printers named "inf" are matched by the pattern.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Debian, haveged fails to start with "haveged: Couldn't open random
device: Permission denied". strace shows:
openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied)
audit.log has:
type=AVC msg=audit(1566048720.132:1338): avc: denied { search }
for pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666
scontext=system_u:system_r:entropyd_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs
the search permission to it in order to open /dev/random. Use the
newly-added interface to allow this access.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Debian's PAM configuration uses a patched pam_motd module that runs
files in /etc/update-motd.d/ in order to generate a dynamic Message Of
The Day (MOTD). By default, there is only one script:
$ cat /etc/update-motd.d/10-uname
#!/bin/sh
uname -snrvm
According to https://wiki.debian.org/motd, the script is executed
through run-parts:
if (!system("/usr/bin/env -i
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
run-parts --lsbsysinit /etc/update-motd.d >
/run/motd.dynamic.new"))
rename("/run/motd.dynamic.new", "/run/motd.dynamic");
This requires allowing pam_motd users to execute bin_t commands
(/usr/bin/env) and shells (/bin/sh), and to manage /run/motd.dynamic*
files.
Allow relevant accesses for Debian-based systems.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
