CryFS (https://www.cryfs.org/) is a software that can be run by non-root
users that have access to /dev/fuse. Its command is directly used to
mount a directory ("/usr/bin/cryfs basedir mountpoint"), like command
"mount". Unmounting a mountpoint is done with "fusermount -u
mountpoint", /usr/bin/fusermount being a setuid-root program labeled
mount_exec_t.
EncFS (https://www.arg0.net/encfs) is a similar software that has been
considered insecure since a security audit in 2014 found vulnerabilities
that are not yet fixed (like https://github.com/vgough/encfs/issues/9).
gocryptfs (https://nuetzlich.net/gocryptfs/) is a similar software that
has been inspired by EncFS.
Allow users with role sysadm to use all these projects.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In order to be able to invoke /usr/bin/mount, /usr/bin/fusermount, etc.
callers need to be able to search /usr/bin. Otherwise, such denials are
recorded:
type=AVC msg=audit(1576534518.220:1320): avc: denied { search }
for pid=24067 comm="cryfs" name="bin" dev="vda1" ino=524829
scontext=sysadm_u:sysadm_r:cryfs_t tcontext=system_u:object_r:bin_t
tclass=dir permissive=0
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
I'm seeing the following error while starting rsyslog:
Nov 17 02:01:38 localhost rsyslogd: cannot create '/run/systemd/journal/syslog': Permission denied [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: imuxsock does not run because we could not aquire any socket [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: activation of module imuxsock failed [v8.24.0-41.el7_7.2]
With the following denials:
type=AVC msg=audit(1573958708.773:1896): avc: denied { create } for pid=2347 comm="rsyslogd" name="syslog" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1573958708.773:1897): avc: denied { setattr } for pid=2347 comm="rsyslogd" name="syslog" dev="tmpfs" ino=19368 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
When alsactl is running as a daemon with systemd, it sets its process
priority to be nice to other processes. When stopping the service, it's
signaling to itself that it needs to exit.
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
On Arch Linux, /proc/sys/kernel/core_pattern contains:
|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
When a crash happens in a userspace application, this setting makes the
kernel spawn /usr/lib/systemd/systemd-coredump from kernel_t:
type=AVC msg=audit(1569910108.877:336): avc: denied { execute }
for pid=1087 comm="kworker/u2:3" name="systemd-coredump" dev="vda1"
ino=406365 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:systemd_coredump_exec_t tclass=file
permissive=1
Introduce a transition to systemd_coredump_t to handle this.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
"systemd --user" spawns programs from
/usr/lib/systemd/user-environment-generators/ in order to gather
environment variables. On a Debian 10 virtual machine which gnupg, this
directory contains:
$ ls -Z /usr/lib/systemd/user-environment-generators
system_u:object_r:bin_t 30-systemd-environment-d-generator
system_u:object_r:bin_t 90gpg-agent
For sysadm, these programs are run as sysadm_t (because there is a
transition in systemd_role_template() in systemd.if:
corecmd_bin_domtrans($1_systemd_t, $3)) but use file descriptors created
by their parent process, which runs as sysadm_systemd_t. This leads to:
type=AVC msg=audit(1569756917.537:244): avc: denied { use } for
pid=9713 comm="30-systemd-envi"
path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429
dev="tmpfs" ino=24859 scontext=sysadm_u:sysadm_r:sysadm_t
tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=fd permissive=0
type=AVC msg=audit(1569756917.537:244): avc: denied { use } for
pid=9713 comm="30-systemd-envi"
path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
dev="vda1" ino=655822 scontext=sysadm_u:sysadm_r:sysadm_t
tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=fd permissive=0
type=SYSCALL msg=audit(1569756917.537:244): arch=c000003e syscall=59
success=no exit=-13 a0=5647d12cf020 a1=7ffc605b1fb0 a2=7ffc605b2420
a3=0 items=0 ppid=9712 pid=9713 auid=1000 uid=1000 gid=1000
euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000
tty=(none) ses=10 comm="30-systemd-envi"
exe="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
subj=sysadm_u:sysadm_r:sysadm_t key=(null)
[...]
type=AVC msg=audit(1569756917.541:246): avc: denied { use } for
pid=9714 comm="90gpg-agent"
path=2F6D656D66643A39306770672D6167656E74202864656C6574656429
dev="tmpfs" ino=24860 scontext=sysadm_u:sysadm_r:sysadm_t
tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=fd permissive=0
type=AVC msg=audit(1569756917.541:246): avc: denied { use } for
pid=9714 comm="90gpg-agent" path="/usr/bin/bash" dev="vda1"
ino=524662 scontext=sysadm_u:sysadm_r:sysadm_t
tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=fd permissive=0
In systemd's source, here are the relevant functions:
* manager_run_environment_generators() calls execute_directories(paths,
DEFAULT_TIMEOUT_USEC, gather_environment, ...) [1], with
gather_environment a global table defined in exec-util.c [2]
* execute_directories() opens a "serialization fd" [3], that creates a
memfd for communication with the child processes [4].
* execute_directories() calls fork() and do_execute() [5] in order to
run each child process, providing them with the memfd descriptor in
order to gather their output.
* When a child process is executed, its context transitions from
sysadm_systemd_t to sysadm_t. The child then writes environment
variables to its output.
* The parent process (systemd --user) collects the environment variables
that have been written, and "consumes" the produced output in order to
override its environment variables.
[1] https://github.com/systemd/systemd/blob/v243/src/core/manager.c#L3836
[2] https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L413
[3] https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L213
[4] https://github.com/systemd/systemd/blob/v243/src/shared/serialize.c#L200
[5] https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L226
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
fs_read_cgroup_files() grants access to reading files and to following
symlinks (with "read_lnk_files_pattern($1, cgroup_t, cgroup_t)").
fs_rw_cgroup_files() does not include such a rule, which is needed in
order to transparently use symlinks such as /sys/fs/cgroup/cpu. This
access is currently denied, for example to "systemd --user" daemon:
type=AVC msg=audit(1569756917.537:242): avc: denied { getattr }
for pid=9710 comm="systemd" path="/sys/fs/cgroup/cpu" dev="tmpfs"
ino=9683 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:cgroup_t tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1569756917.537:242): arch=c000003e
syscall=262 success=no exit=-13 a0=ffffff9c a1=7ffc605b1f70
a2=7ffc605b1ea0 a3=100 items=0 ppid=1 pid=9710 auid=1000 uid=1000
gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000
fsgid=1000 tty=(none) ses=10 comm="systemd"
exe="/usr/lib/systemd/systemd"
subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)
type=PROCTITLE msg=audit(1569756917.537:242):
proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572
On this system (Debian 10), /sys/fs/cgroup/cpu is a symlink to
/sys/fs/cgroup/cpu,cpuacct.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
init_write_runtime_socket(systemd_user_session_type) is redundant with
init_dgram_send(systemd_user_session_type).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Since systemd 242 (commit
6c8a2c6793),
systemd and its services read /proc/sys/kernel/osrelease in order to
detect whether they are running in Microsoft's WSL (Windows Subsystem
for Linux).
This leads to logs such as:
type=AVC msg=audit(1568445663.990:10): avc: denied { read } for
pid=401 comm="systemd-modules" name="osrelease" dev="proc" ino=13319
scontext=system_u:system_r:systemd_modules_load_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1
type=AVC msg=audit(1568445663.990:10): avc: denied { open } for
pid=401 comm="systemd-modules" path="/proc/sys/kernel/osrelease"
dev="proc" ino=13319
scontext=system_u:system_r:systemd_modules_load_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1
type=AVC msg=audit(1568445663.990:11): avc: denied { getattr } for
pid=401 comm="systemd-modules" path="/proc/sys/kernel/osrelease"
dev="proc" ino=13319
scontext=system_u:system_r:systemd_modules_load_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1
Add kernel_read_kernel_sysctls() to services that read
/proc/sys/kernel/osrelease. These services have been identified by
running "grep osrelease < /var/log/audit/audit.log | audit2allow" on an
Arch Linux test system.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When resizing the X11 window of a terminal running sudo on a remote
Debian 10 system (through ssh), sudo forwards SIGWINCH to its children
(this behavior might be caused by using "Defaults use_pty" in
/etc/sudoers). This leads to the following audit logs:
type=AVC msg=audit(1567880108.988:13823): avc: denied { signal }
for pid=15670 comm="sudo" scontext=sysadm_u:sysadm_r:sysadm_sudo_t
tcontext=sysadm_u:sysadm_r:sysadm_t tclass=process permissive=0
type=SYSCALL msg=audit(1567880108.988:13823): arch=c000003e
syscall=62 success=no exit=-13 a0=ffffc2c9 a1=1c a2=ffffffff a3=100
items=0 ppid=15607 pid=15670 auid=1000 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=721 comm="sudo"
exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)
type=PROCTITLE msg=audit(1567880108.988:13823):
proctitle=2F7573722F62696E2F7375646F002D73
The process tree (ps -ef, edited) on this remote system was:
LABEL UID PID PPID TTY CMD
system_u:system_r:sshd_t user 15519 15480 ? sshd: user@pts/5
sysadm_u:sysadm_r:sysadm_t user 15524 15519 pts/5 -zsh
sysadm_u:sysadm_r:sysadm_sudo_t root 15607 15524 pts/5 /usr/bin/sudo -s
sysadm_u:sysadm_r:sysadm_sudo_t root 15670 15607 pts/6 /usr/bin/sudo -s
sysadm_u:sysadm_r:sysadm_t root 15671 15670 pts/6 /usr/bin/zsh
The denied syscall was:
* syscall=62: int kill(pid_t pid, int sig)
* a0=ffffc2c9: pid = -15671 (process group of sudo's child)
* a1=1c: sig = 28 = SIGWINCH
Allow such a signal to be transmitted.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
udevadm trigger tries to read files under /sys/module/ that might not be
readable by root, for example:
--w------- 1 root root 4096 sep 5 17:06 /sys/module/snd_hda_codec_generic/uevent
We choose to allow it here because, according to Grift,
"the cap_dac_read_search could maybe be dontaudited, but then
cap_dac_override would have to be dontaudited as well.
cap_dac_read_search would also be triggered when you run `sudo udevadm
...` where pwd or/and oldpwd is ~"
type=PROCTITLE msg=audit(29/08/19 15:37:14.505:417) : proctitle=/bin/udevadm trigger --type=subsystems --action=add
type=PATH msg=audit(29/08/19 15:37:14.505:417) : item=0 name=/sys/module/snd_hda_codec_generic/uevent inode=17769 dev=00:13 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(29/08/19 15:37:14.505:417) : cwd=/
type=SYSCALL msg=audit(29/08/19 15:37:14.505:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission non accordée) a0=0xffffff9c a1=0x7fff23710260 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc: denied { dac_override } for pid=481 comm=udevadm capability=dac_override scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc: denied { dac_read_search } for pid=481 comm=udevadm capability=dac_read_search scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
Arch Linux installs Chromium in /usr/lib/chromium/ like Debian. Instead
of adding a new ifdef(`distro_arch') block, remove the restriction in
chromium.fc.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users)
Some aspect to note:
1. The ssh_sysadm_login boolean now applies to unconfined_t as well
2. remotelogin only allows unpriv logins
The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.
Signed-off-by: Dominick Grift <dac.override@gmail.com>
When /etc/sudoers contains "Defaults use_pty", sudo creates a new
pseudo-pty when running a command. This is currently denied from
a sysadm_u session:
type=AVC msg=audit(1567807315.843:13300): avc: denied { read write
} for pid=5053 comm="sudo" name="ptmx" dev="devtmpfs" ino=1108
scontext=sysadm_u:sysadm_r:sysadm_sudo_t
tcontext=system_u:object_r:ptmx_t tclass=chr_file permissive=0
As it seems logical for the newly-created pty to be labeled
user_devpts_t, use userdom_create_user_pty() to allow this.
Then, a new denial appears:
type=AVC msg=audit(1567808670.441:13341): avc: denied { setattr }
for pid=30256 comm="sudo" name="9" dev="devpts" ino=12
scontext=sysadm_u:sysadm_r:sysadm_sudo_t
tcontext=sysadm_u:object_r:user_devpts_t tclass=chr_file
permissive=0
type=SYSCALL msg=audit(1567808670.441:13341): arch=c000003e
syscall=92 success=no exit=-13 a0=563c5aac5f80 a1=0 a2=5
a3=fffffffffffff874 items=0 ppid=20934 pid=30256 auid=1000 uid=0
gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000
tty=pts4 ses=687 comm="sudo" exe="/usr/bin/sudo"
subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)
On x86-64, syscall 92 is chown(). Allow this access with
userdom_setattr_user_ptys().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
systemd-modules-load.service needs to read file
/sys/module/${MODULE}/initstate for each ${MODULE} defined in
/etc/modules-load.d/. These files are labeled sysfs_t.
This fixes:
type=AVC msg=audit(1567804818.331:138713): avc: denied { read }
for pid=31153 comm="systemd-modules" name="initstate" dev="sysfs"
ino=14778 scontext=system_u:system_r:systemd_modules_load_t
tcontext=system_u:object_r:sysfs_t tclass=file permissive=0
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On a Debian system, when installing a package which provides a kernel
module with DKMS, the module is compiled and depmod is executed with a
command line that looks like:
depmod -a 4.19.0-5-amd64 -F /boot/System.map-4.19.0-5-amd64
This obviously requires depmod to read System.map. Otherwise, the
following events are logged to audit.log:
type=AVC msg=audit(1567802614.408:138551): avc: denied { search }
for pid=12090 comm="depmod" name="boot" dev="vda1" ino=262145
scontext=sysadm_u:sysadm_r:kmod_t tcontext=system_u:object_r:boot_t
tclass=dir permissive=0
type=AVC msg=audit(1567802670.132:138555): avc: denied { read }
for pid=14210 comm="depmod" name="System.map-4.19.0-5-amd64"
dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
tcontext=system_u:object_r:system_map_t tclass=file permissive=1
type=AVC msg=audit(1567802670.132:138555): avc: denied { open }
for pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
tcontext=system_u:object_r:system_map_t tclass=file permissive=1
type=AVC msg=audit(1567802670.136:138556): avc: denied { getattr }
for pid=14210 comm="depmod" path="/boot/System.map-4.19.0-5-amd64"
dev="vda1" ino=262148 scontext=sysadm_u:sysadm_r:kmod_t
tcontext=system_u:object_r:system_map_t tclass=file permissive=1
and depmod fails, which makes apt fails with:
wireguard.ko:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/4.19.0-5-amd64/updates/dkms/
depmod...(bad exit status: 1)
[...]
Error! Problems with depmod detected. Automatically uninstalling
this module.
DKMS: Install Failed (depmod problems). Module rolled back to built
state.
dpkg: error processing package wireguard-dkms (--configure):
installed wireguard-dkms package post-installation script
subprocess returned error exit status 6
[...]
Errors were encountered while processing:
wireguard-dkms
E: Sub-process /usr/bin/dpkg returned an error code (1)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
WireGuard is a fast, modern, secure VPN tunnel, according to
https://www.wireguard.com/. In order to install it, the mostly
documented way consists in building and installing an out-of-tree kernel
module and using userland tools to configure this module (wg and
wg-quick).
* WireGuard is like "ip": the userland tool communicates with the kernel
module through a netlink socket.
* WireGuard is like "iptables": there is no daemon, but some
distributions ship systemd units that restores a WireGuard
configuration when started.
* WireGuard is like other services: its configuration files are in /etc,
and it can use /run and /tmp.
Create a new policy module which handles all of this.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When bringing up a Wireguard interface with "wg-quick up wg0" from a
sysadm_u:sysadm_r:sysadm_t session, "systemd --user" spams the logs
with this event repeated between 100 and 200 times per second:
type=AVC msg=audit(1567798007.591:138076): avc: denied { read }
for pid=711 comm="systemd"
scontext=sysadm_u:sysadm_r:sysadm_systemd_t
tcontext=sysadm_u:sysadm_r:sysadm_systemd_t
tclass=netlink_kobject_uevent_socket permissive=0
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
WeeChat is an extensible IRC client: https://weechat.org/
* Label WeeChat program and configuration file like other IRC clients
* Allow WeeChat to create a pipe in ~/.weechat/weechat_fifo
* Allow WeeChat to read /proc/sys/crypto/fips_enabled
* Allow WeeChat to use a Unix datagram socket with its forked children
* Allow other accesses
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When starting tmux on Debian, the following audit log appears:
type=AVC msg=audit(1567781766.314:820): avc: denied {
execute_no_trans } for pid=6686 comm=746D75783A20736572766572
path="/usr/lib/x86_64-linux-gnu/utempter/utempter" dev="vda1"
ino=545302 scontext=sysadm_u:sysadm_r:sysadm_screen_t
tcontext=system_u:object_r:lib_t tclass=file permissive=0
/usr/lib/x86_64-linux-gnu/utempter/utempter is indeed labeled as
system_u:object_r:lib_t, which is wrong.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Since apt 1.8.1 (more precisely since commit
60cc44d160),
apt calls D-Bus method "Inhibit" of interface
"org.freedesktop.login1.Manager" in order to prevent a shutdown from
happening while installing software.
The call from apt to systemd-logind was already allowed through
unconfined_dbus_send(apt_t), but not the reply, which triggered the
following audit log:
type=USER_AVC msg=audit(1567780304.196:651): pid=287 uid=105
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_return
dest=:1.137 spid=290 tpid=29557
scontext=system_u:system_r:systemd_logind_t
tcontext=sysadm_u:sysadm_r:apt_t tclass=dbus permissive=0
exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Some recent modifications added patterns in .fc files for programs in
/usr/sbin without adding the patterns for /usr/bin. On Arch Linux, where
/usr/sbin is a symlink to /usr/bin, such patterns are never matched.
Add the missing patterns.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
All callers of consoletype_exec() put it in an optional_policy() block
but portage. This makes consoletype module mandatory when module portage
is loaded, even when consoletype is not installed.
Fix this issue by introducing an optional_policy() block.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The pattern /opt/brother/Printers(.*/)?inf(/.*)? matches the content of
directories such as /opt/brother/Printersinf/, which seems buggy. On
several systems, /opt/brother/Printers/ is a directory that contains
directories named as printer models.
Add a "/" before "(.*/)?" in order to make sure subdirectories of
/opt/brother/Printers named "inf" are matched by the pattern.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
/usr/lib/jvm/java(.*/)bin(/.*)? uses misleading parentheses around
".*/". In some cases, a pattern with (.*/) is a mispelling to (.*/)?,
but not here (/usr/lib/jvm/javabin/ never exists).
Moreover, using .* here is right, as the pattern matches the content of
subdirectories of /usr/lib/jvm/ which names are prefixed by java. More
precisely, the pattern matches for example:
- programs in /usr/lib/jvm/java-10-openjdk/bin
- programs in /usr/lib/jvm/java-8-openjdk/jre/bin
In the end, the pattern does not have any error, but the parentheses are
misleading. Remove them.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In libraries.fc:
- "(/.*?)" is very likely a misspelling for (/.*)?
- "sidecars/*" with "--" as file type is very likely a misspelling for
sidecars/.+, in order to match files that are shared libraries.
- "/opt/netbeans(.*/)?jdk" matches "/opt/netbeansjdk", which is buggy.
In Apache NetBeans 11.1 downloaded from
https://netbeans.apache.org/download/nb111/nb111.html, there are files
such as profiler/lib/deployed/jdk16/linux-amd64/libprofilerinterface.so.
Several websites document installing NetBeans in directories such as
/opt/netbeans-11.1/, so the installed .so files are probably installed in
/opt/netbeans-11.1/profiler/lib/deployed/jdk16/linux-amd64/libprofilerinterface.so.
There is thus an issue with the current pattern:
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)*
This pattern requires "/linux/" in the path, not "/linux-amd64/".
As this pattern was introduced in 2007 by commit 02d968c581 ("trunk:
several fc updates from dan."), consider it as outdated and remove it.
If the .so files in /opt/netbeans/ really need a label such as
textrel_shlib_t, a file pattern will need to be written with less issues
than the one which is removed.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In order to detect bugs like the one fixed by commit d938683bf4
("drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd"), forbid
the use of \d in the policy. This was actually only used to match
/usr/share/apr-1/build/...
with
/usr/share/apr(-\d)?/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr(-\d)?/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Debian, haveged fails to start with "haveged: Couldn't open random
device: Permission denied". strace shows:
openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied)
audit.log has:
type=AVC msg=audit(1566048720.132:1338): avc: denied { search }
for pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666
scontext=system_u:system_r:entropyd_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs
the search permission to it in order to open /dev/random. Use the
newly-added interface to allow this access.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Debian's PAM configuration uses a patched pam_motd module that runs
files in /etc/update-motd.d/ in order to generate a dynamic Message Of
The Day (MOTD). By default, there is only one script:
$ cat /etc/update-motd.d/10-uname
#!/bin/sh
uname -snrvm
According to https://wiki.debian.org/motd, the script is executed
through run-parts:
if (!system("/usr/bin/env -i
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
run-parts --lsbsysinit /etc/update-motd.d >
/run/motd.dynamic.new"))
rename("/run/motd.dynamic.new", "/run/motd.dynamic");
This requires allowing pam_motd users to execute bin_t commands
(/usr/bin/env) and shells (/bin/sh), and to manage /run/motd.dynamic*
files.
Allow relevant accesses for Debian-based systems.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When a service is configured with PrivateDevices=yes, its /dev directory
has label tmpfs_t. This requires allowing more accesses in order for the
service to use /dev.
This is related to https://github.com/SELinuxProject/refpolicy/pull/61
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The pattern "(.*)?" means "match anything including the nothing, or
nothing": the question mark is redundant. This is likely to be a
mispelling for "(/.*)?", which means "match a slash and anthing, or
nothing", or for ".*", or for other patterns.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.
Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The pattern that matches /usr/include uses a dot, in order probably to
avoid calling m4's function include(). This also matches other paths
such as /usr/inclu/e. Such a side-effect can be avoided by inserting an
empty string which is removed by m4's preprocessing.
Mailing-list discussion: https://lore.kernel.org/selinux-refpolicy/CAJfZ7=krh_TaCBQzFxLM394Sc5-82ZO0DdcfvWON-RXu-wqBVw@mail.gmail.com/t/#u
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
There are two patterns that define file contexts for /run/rpc.statd.pid:
* in policy/modules/services/rpcbind.fc:
/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
* in policy/modules/services/rpc.dc:
/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
They coexist even though their labels differ because the first one uses
a unescaped dot. As it does not seem to exist other files matching the
first pattern, remove it in order to only keep the second one.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Patterns using this have a small issue:
/opt/Adobe/Reader.?/Reader/intellinux
The issue is that the dot can also match a slash. A bettern pattern
would be:
/opt/Adobe/Reader[^/]?/Reader/intellinux
In this specific case, the intent is to match digits (like
/opt/Adobe/Reader9). Use [0-9] for this.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The following pattern seems to match much more than intended:
/usr/(.*/)?bin/java[^-]*
According to the commit which introduced it
(0190325c18),
the aim was to match java1.4, java5, java6, and not java-config nor
java-check-environment. The issue is that the pattern also matches
sub-directories such as:
/usr/share/my-application/bin/java/myfile
Prevent this by adding / in the character blacklist of the pattern.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This seems to be a misspelling, and there is no reason which would
explain why monit's init script would be labeled with a different
sensitivity while the main binary uses s0.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
haveged listens to commands using a Unix socket
(at path "\0/sys/entropy/haveged" according to
https://github.com/jirka-h/haveged/blob/1.9.4/src/havegecmd.h#L34).
The implementation of this server is available on
https://github.com/jirka-h/haveged/blob/1.9.4/src/havegecmd.c .
This fixes the following denial:
type=AVC msg=audit(1551002989.396:27): avc: denied { listen } for
pid=262 comm="haveged"
path=002F7379732F656E74726F70792F68617665676564
scontext=system_u:system_r:entropyd_t
tcontext=system_u:system_r:entropyd_t tclass=unix_stream_socket
permissive=1
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When ulogd is run by systemd on Debian, it logs messages to the journal,
it used a PID file in /run/ulog/ulogd.pid, and logs packets to
/var/log/ulog/syslogemu.log. This last ones triggers a dac_read_search
capability check because the directory is configured as:
drwxrwx---. ulog adm /var/log/ulog
(root does not have an access to the directory without bypassing the DAC.)
Add a comment describing how to avoid allowing dac_read_search to ulogd_t.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Debian uses /var/log/ulog/syslogemu.log by default to log network
packets sent through a netlink multicast group by the firewall.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
v2 - Create new interface to allow mapping security_t and use this interface by rpm_t
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success'
These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Devices with the netcontrol_device_t type are actually PM QoS devices.
Rename the type and add labeling for /dev/memory_bandwidth.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
An example is mmcblk0rpmb, which is for the replay protected memory block
subsystem.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
plymouth is started very early in the boot process. Looks
like before the SELinux policy is loaded so plymouthd is
running as kernel_t rather than plymouthd_t. Due to this
I needed to allow a few permissions on kernel_t to get
the system to boot.
type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a
Signed-off-by: Dave Sugar <dsugar@tresys.com>
CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.
Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
