On a Debian system, when installing a package which provides a kernel
module with DKMS, the module is compiled and depmod is executed with a
command line that looks like:
depmod -a 4.19.0-5-amd64 -F /boot/System.map-4.19.0-5-amd64
This obviously requires depmod to read System.map. Otherwise, the
following events are logged to audit.log:
type=AVC msg=audit(1567802614.408:138551): avc: denied { search }
for pid=12090 comm="depmod" name="boot" dev="vda1" ino=262145
scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:boot_t
tclass=dir permissive=0
type=AVC msg=audit(1567802670.132:138555): avc: denied { read }
for pid=14210 comm="depmod" name="System.map-4.19.0-5-amd64"
dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
tcontext=system_u:object_r:system_map_t tclass=file permissive=1
type=AVC msg=audit(1567802670.132:138555): avc: denied { open }
for pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
tcontext=system_u:object_r:system_map_t tclass=file permissive=1
type=AVC msg=audit(1567802670.136:138556): avc: denied { getattr }
for pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
tcontext=system_u:object_r:system_map_t tclass=file permissive=1
and depmod fails, which makes apt fails with:
wireguard.ko:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/4.19.0-5-amd64/updates/dkms/
depmod...(bad exit status: 1)
[...]
Error! Problems with depmod detected. Automatically uninstalling
this module.
DKMS: Install Failed (depmod problems). Module rolled back to built
state.
dpkg: error processing package wireguard-dkms (--configure):
installed wireguard-dkms package post-installation script
subprocess returned error exit status 6
[...]
Errors were encountered while processing:
wireguard-dkms
E: Sub-process /usr/bin/dpkg returned an error code (1)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/usr/lib/jvm/java(.*/)bin(/.*)? uses misleading parentheses around
".*/". In some cases, a pattern with (.*/) is a mispelling to (.*/)?,
but not here (/usr/lib/jvm/javabin/ never exists).
Moreover, using .* here is right, as the pattern matches the content of
subdirectories of /usr/lib/jvm/ which names are prefixed by java. More
precisely, the pattern matches for example:
- programs in /usr/lib/jvm/java-10-openjdk/bin
- programs in /usr/lib/jvm/java-8-openjdk/jre/bin
In the end, the pattern does not have any error, but the parentheses are
misleading. Remove them.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In libraries.fc:
- "(/.*?)" is very likely a misspelling for (/.*)?
- "sidecars/*" with "--" as file type is very likely a misspelling for
sidecars/.+, in order to match files that are shared libraries.
- "/opt/netbeans(.*/)?jdk" matches "/opt/netbeansjdk", which is buggy.
In Apache NetBeans 11.1 downloaded from
https://netbeans.apache.org/download/nb111/nb111.html, there are files
such as profiler/lib/deployed/jdk16/linux-amd64/libprofilerinterface.so.
Several websites document installing NetBeans in directories such as
/opt/netbeans-11.1/, so the installed .so files are probably installed in
/opt/netbeans-11.1/profiler/lib/deployed/jdk16/linux-amd64/libprofilerinterface.so.
There is thus an issue with the current pattern:
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)*
This pattern requires "/linux/" in the path, not "/linux-amd64/".
As this pattern was introduced in 2007 by commit 02d968c581 ("trunk:
several fc updates from dan."), consider it as outdated and remove it.
If the .so files in /opt/netbeans/ really need a label such as
textrel_shlib_t, a file pattern will need to be written with less issues
than the one which is removed.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In order to detect bugs like the one fixed by commit d938683bf4
("drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd"), forbid
the use of \d in the policy. This was actually only used to match
/usr/share/apr-1/build/...
with
/usr/share/apr(-\d)?/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr(-\d)?/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Debian, haveged fails to start with "haveged: Couldn't open random
device: Permission denied". strace shows:
openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied)
audit.log has:
type=AVC msg=audit(1566048720.132:1338): avc: denied { search }
for pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666
scontext=system_u:system_r:entropyd_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs
the search permission to it in order to open /dev/random. Use the
newly-added interface to allow this access.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Debian's PAM configuration uses a patched pam_motd module that runs
files in /etc/update-motd.d/ in order to generate a dynamic Message Of
The Day (MOTD). By default, there is only one script:
$ cat /etc/update-motd.d/10-uname
#!/bin/sh
uname -snrvm
According to https://wiki.debian.org/motd, the script is executed
through run-parts:
if (!system("/usr/bin/env -i
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
run-parts --lsbsysinit /etc/update-motd.d >
/run/motd.dynamic.new"))
rename("/run/motd.dynamic.new", "/run/motd.dynamic");
This requires allowing pam_motd users to execute bin_t commands
(/usr/bin/env) and shells (/bin/sh), and to manage /run/motd.dynamic*
files.
Allow relevant accesses for Debian-based systems.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When a service is configured with PrivateDevices=yes, its /dev directory
has label tmpfs_t. This requires allowing more accesses in order for the
service to use /dev.
This is related to https://github.com/SELinuxProject/refpolicy/pull/61
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The pattern "(.*)?" means "match anything including the nothing, or
nothing": the question mark is redundant. This is likely to be a
mispelling for "(/.*)?", which means "match a slash and anthing, or
nothing", or for ".*", or for other patterns.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.
Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The pattern that matches /usr/include uses a dot, in order probably to
avoid calling m4's function include(). This also matches other paths
such as /usr/inclu/e. Such a side-effect can be avoided by inserting an
empty string which is removed by m4's preprocessing.
Mailing-list discussion: https://lore.kernel.org/selinux-refpolicy/CAJfZ7=krh_TaCBQzFxLM394Sc5-82ZO0DdcfvWON-RXu-wqBVw@mail.gmail.com/t/#u
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
There are two patterns that define file contexts for /run/rpc.statd.pid:
* in policy/modules/services/rpcbind.fc:
/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
* in policy/modules/services/rpc.dc:
/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
They coexist even though their labels differ because the first one uses
a unescaped dot. As it does not seem to exist other files matching the
first pattern, remove it in order to only keep the second one.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Patterns using this have a small issue:
/opt/Adobe/Reader.?/Reader/intellinux
The issue is that the dot can also match a slash. A bettern pattern
would be:
/opt/Adobe/Reader[^/]?/Reader/intellinux
In this specific case, the intent is to match digits (like
/opt/Adobe/Reader9). Use [0-9] for this.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The following pattern seems to match much more than intended:
/usr/(.*/)?bin/java[^-]*
According to the commit which introduced it
(0190325c18),
the aim was to match java1.4, java5, java6, and not java-config nor
java-check-environment. The issue is that the pattern also matches
sub-directories such as:
/usr/share/my-application/bin/java/myfile
Prevent this by adding / in the character blacklist of the pattern.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This seems to be a misspelling, and there is no reason which would
explain why monit's init script would be labeled with a different
sensitivity while the main binary uses s0.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
haveged listens to commands using a Unix socket
(at path "\0/sys/entropy/haveged" according to
https://github.com/jirka-h/haveged/blob/1.9.4/src/havegecmd.h#L34).
The implementation of this server is available on
https://github.com/jirka-h/haveged/blob/1.9.4/src/havegecmd.c .
This fixes the following denial:
type=AVC msg=audit(1551002989.396:27): avc: denied { listen } for
pid=262 comm="haveged"
path=002F7379732F656E74726F70792F68617665676564
scontext=system_u:system_r:entropyd_t
tcontext=system_u:system_r:entropyd_t tclass=unix_stream_socket
permissive=1
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When ulogd is run by systemd on Debian, it logs messages to the journal,
it used a PID file in /run/ulog/ulogd.pid, and logs packets to
/var/log/ulog/syslogemu.log. This last ones triggers a dac_read_search
capability check because the directory is configured as:
drwxrwx---. ulog adm /var/log/ulog
(root does not have an access to the directory without bypassing the DAC.)
Add a comment describing how to avoid allowing dac_read_search to ulogd_t.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Debian uses /var/log/ulog/syslogemu.log by default to log network
packets sent through a netlink multicast group by the firewall.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
