nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-refpolicy/testing/sechecker.ini

402 lines
16 KiB
INI
Raw Normal View History

tests.yml: Add sechecker testing. Add initial privilege and integrity tests. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-02-23 21:12:25 +00:00
#
# SELinux Reference policy validation checks
#
# Note to users: This file is a good starting point for tightening your own
# policy. However, these checks are for the entire Reference Policy, i.e.,
# all modules are included in the policy. If you are using a subset of the
# modules, the best starting place is to review each of the checks and remove
# the types in the exempt lists that are not in your policy. Types that are
# in these lists but not in your policy will *NOT* cause sechecker to fail.
#
# Note to developers: In general, please avoid using attributes in the
# exempt lists. This will make it less likely for unexpected types to pass.
#
[PRIVILEGE-load_policy]
check_type = assert_te
desc = Verify only the load_policy program can load a SELinux policy update.
tclass = security
perms = load_policy
exempt_source = kernel_t # Kernel thread loading policy at boot
load_policy_t # SELinux policy loading tool
[PRIVILEGE-setbool]
check_type = assert_te
desc = Verify SELinux Booleans can be changed only by expected domains.
tclass = security
perms = setbool
exempt_source = cloud_init_t # VM configuration on initial boot
init_t
load_policy_t # Persist Boolean state across policy loads
puppet_t # Puppet can configure Booleans
secadm_t # Security admin role
semanage_t # SELinux management tool, including Booleans
sysadm_t # System admin role
[PRIVILEGE-setenforce]
check_type = assert_te
desc = Verify only expected domains can change SELinux to permissive mode.
tclass = security
perms = setenforce
exempt_source = cloud_init_t # VM configuration on initial boot
secadm_t # Security admin role
sysadm_t # System admin role
[PRIVILEGE-CAP_SYS_MODULE]
check_type = assert_te
desc = Verify only expected domains have CAP_SYS_MODULE (kernel module capability)
tclass = capability
perms = sys_module
exempt_source = init_t
kernel_t
kmod_t
spc_t
systemd_modules_load_t
udev_t
[PRIVILEGE-module_load]
check_type = assert_te
desc = Verify only expected domains can directly load kernel modules
tclass = system
perms = module_load
# This list should match the above PRIVILEGE-CAP_SYS_MODULE exempt_source list.
exempt_source = init_t
kernel_t
kmod_t
spc_t
systemd_modules_load_t
udev_t
[PRIVILEGE-CAP_SYS_ADMIN]
check_type = assert_te
desc = Verify only expected domains have CAP_SYS_ADMIN
tclass = capability
perms = sys_admin
# CAP_SYS_ADMIN is a kitchen sink of privileges, which means many privileged domains need it.
exempt_source = acpi_t
acpid_t
afs_t
auditadm_sudo_t # Conditional access (allow_polyinstantiation)
automount_t
bluetooth_t
bootloader_t # Install bootloader
cachefilesd_t
cgclear_t # Move processes out of cgroups
cgconfig_t # Configure cgroups
cgmanager_t # Container cgroup manager
cgred_t # Move processes to cgroups based on configurable rules
chromium_sandbox_t
cockpit_session_t
container_engine_t
consoletype_t
container_t # Conditional access (container_use_sysadmin or container_use_host_all_caps)
corosync_t
crio_t
crond_t # Conditional access (allow_polyinstantiation)
cryfs_t
cupsd_t
devicekit_disk_t
devicekit_power_t
disk_munin_plugin_t
dmesg_t # Clear kernel printk buffer/set kernel log level
dockerd_t # Container engine (namespacing)
dockerd_user_t # Container engine (namespacing)
dphysswapfile_t # Configure swap files
entropyd_t # Add entropy to the system
fapolicyd_t
fsadm_t
fsdaemon_t
ftpd_t
getty_t # Configure tty devices
glusterd_t
gpm_t
hostname_t # Set hostname
hypervvssd_t
ifconfig_t
init_t
initrc_t
iscsid_t
kdump_t
kernel_t # Kernel threads have all caps
klogd_t
kubeadm_t
lircd_t
local_login_t # Conditional access (allow_polyinstantiation)
lvm_t # Configure logical volumes
mcelog_t # Decode and log CPU machine check exceptions
mdadm_t # Configure software RAID
modemmanager_t
mon_local_test_t
mount_t # (un)mount filesystems
nagios_checkdisk_plugin_t
newrole_t # Conditional access (allow_polyinstantiation)
nfsd_t
ntop_t
plymouthd_t
podman_t
podman_user_t
postgresql_t
pppd_t
quota_t # Configure filesystem quotas
remote_login_t # Conditional access (allow_polyinstantiation)
resmgrd_t
rlogind_t # Conditional access (allow_polyinstantiation)
rngd_t
rootlesskit_t # Container engine (namespacing)
rpcd_t
rpm_script_t # Package manager post-install scripts
rshd_t # Conditional access (allow_polyinstantiation)
secadm_sudo_t # Conditional access (allow_polyinstantiation)
seunshare_t # Create new flesystem namespaces
shorewall_t
smbd_t
smbmount_t # Mount SMB and CIFS filesystems
sosreport_t
spc_t
sshd_t # Conditional access (allow_polyinstantiation)
sssd_t
staff_sudo_t # Conditional access (allow_polyinstantiation)
sulogin_t
sysadm_t # System admin role
sysadm_sudo_t # Conditional access (allow_polyinstantiation)
syslogd_t
sysstat_t
systemd_generator_t
systemd_homework_t # Mount home directory images
systemd_hostnamed_t # Set hostname
systemd_logind_t
systemd_machine_id_setup_t
systemd_nspawn_t
systemd_sysctl_t
systemd_tmpfiles_t
systemd_user_runtime_dir_t
tuned_t
udev_t
user_sudo_t # Conditional access (allow_polyinstantiation)
vbetool_t
virtd_t # libvirt virtualization manager
virtd_lxc_t # libvirt LXC container engine (namespacing)
vmware_t # VMWare virtualization manager
watchdog_t
xserver_t
zed_t # ZFS events daemon (filesystem event monitoring)
zfs_t # ZFS filesystem tools
[PRIVILEGE-CAP_SYS_RAWIO]
check_type = assert_te
desc = Verify only expected domains can use CAP_SYS_RAWIO
tclass = capability
perms = sys_rawio
exempt_source = abrt_t # Conditional access (allow_raw_memory_access)
blkmapd_t
bootloader_t # Install bootloader, raw disk access
cdrecord_t # Burn optical media
container_t # Conditional access (container_use_host_all_caps)
cpucontrol_t
cupsd_t
devicekit_disk_t
disk_munin_plugin_t
dmidecode_t
fsadm_t
fsdaemon_t
hddtemp_t
hwclock_t
init_t
initrc_t
kernel_t # Kernel threads have all caps
kdump_t
klogd_t # Conditional access (allow_raw_memory_access)
lvm_t
mcelog_t # Conditional access (allow_raw_memory_access)
mount_t
munin_t
nagios_checkdisk_plugin_t
rasdaemon_t # Monitors ECC errors
resmgrd_t # Device resource manager
rpm_script_t # Package manager post-install scripts
smbmount_t
sosreport_t # Conditional access (allow_raw_memory_access)
spc_t
sysadm_t # System admin role
udev_t
vbetool_t # Conditional access (allow_raw_memory_access)
vmware_t
xdm_t
xserver_t
zfs_t
[PRIVILEGE-CAP_NET_ADMIN]
check_type = assert_te
desc = Verify only expected domains can use CAP_NET_ADMIN.
tclass = capability
perms = net_admin
exempt_source = arpwatch_t
asterisk_t
avahi_t
bird_t
blueman_t
bluetooth_t
brctl_t
cgred_t
chronyd_t # Conditional access (chronyd_hwtimestamp)
condor_startd_t
container_engine_t
container_t # Conditional access (container_use_host_all_caps)
crio_t
ctdbd_t
devicekit_disk_t
devicekit_power_t
dhcpc_t
dnsmasq_t
dockerd_t
dockerd_user_t
dpkg_script_t
drbd_t
fcoemon_t
firewalld_t
hostapd_t
hypervkvpd_t
hypervvssd_t
ifconfig_t
ifplugd_t
init_t
initrc_t
iodined_t
ipsec_t
ipsec_mgmt_t
ipsec_supervisor_t
iptables_t
iscsid_t
kernel_t
kismet_t
krb5kdc_t
kubeadm_t
kubelet_t
l2tpd_t
lldpad_t
lvm_t
minissdpd_t
modemmanager_t
ncftool_t
ndc_t
netlabel_mgmt_t
netutils_t
NetworkManager_t
nsd_t
ntop_t
openvpn_t
openvswitch_t
pegasus_t
podman_t
podman_user_t
portslave_t
pppd_t
pptp_t
psad_t
racoon_t
radvd_t
rkhunter_t
rootlesskit_t
rpm_script_t
setkey_t
shorewall_t
snmpd_t
snort_t
sosreport_t
spc_t
squid_t # Conditional access (squid_use_tproxy)
sssd_t
sysadm_t
syslogd_t # Conditional network config (logging_syslog_can_network)
system_cronjob_t
system_munin_plugin_t
systemd_cgroups_t
systemd_networkd_t
systemd_nspawn_t
systemd_sysctl_t
systemd_tmpfiles_t
traceroute_t
udev_t
ulogd_t
virt_bridgehelper_t
virtd_t
virtd_lxc_t
vpnc_t
watchdog_t
wireguard_t
wireshark_t
xm_t
zebra_t
[PRIVILEGE-setcurrent]
check_type = assert_te
desc = Verify only the expected domains can change their process label.
tclass = process
perms = setcurrent
exempt_source = chromium_t # Changes MCS level for each tab
kernel_t # When systemd loads the policy it has the kernel_t label and changes context to init_t
sepgsql_ranged_proc_t # Changes MCS level
[NONTRANQUILITY-systemd]
check_type = assert_te
desc = Verify dynamic transition allowed by PRIVILEGE-setcurrent test can only
go from kernel_t to init_t (systemd)
source = kernel_t
tclass = process
perms = dyntransition
# kernel_t -> kernel_t and kernel_t -> init_t
exempt_target = init_t kernel_t
[INTEGRITY-readonly-executables]
check_type = ro_execs
#
# This is an expensive check, but this security goal is important to verify.
# To tighten your policy, first try to remove entries from exempt_file, as it
# is very broad in terms of this check, as the type is simply ignored both for
# write checks and for execute checks.
#
# Next, try to remove entries from exempt_write_domain. These are domains that
# are accepted as able to write executables.
#
# If you don't have unconfined domains, you should remove the
# exempt_exec_domain option. The only purpose for this option is because all
# file types would be considered executable otherwise.
#
# When you have a failure on this test, first verify that the file type is
# supposed to be executable; if not, remove the exec access. If it is supposed
# to be executable, verify domains that have write access are legitimate
# writers. If the access is legitimate, e.g. by a package manager, add the
# domain to exempt_write_domain. If not, remove the write access.
#
desc = Enforce executable files (including libraries) are not writable
except from expected domains, such as package managers.
exempt_file = container_file_t # Container files don't distinguish executables.
container_ro_file_t # Container files don't distinguish executables.
gstreamer_orcexec_t # OIL Runtime Compiler code optimizer is used by pulseaudio
httpd_script_exec_type # Web admin can edit scripts
httpdcontent # Web admin can edit scripts, webalizer output, etc.
noxattrfs # Filesystem does not support xattrs; executable by users, can't distinguish executables
user_home_content_type # User home content, users can install apps in own home, write scripts, etc. JIT compiles, and libFFI use.
exempt_write_domain = cloud_init_t # Can conditionally manage all non-auth files (cloudinit_manage_non_security)
dpkg_t # Package manager
dpkg_script_t # Package manager
gcc_config_t # Gentoo compiler chooser
init_t # Systemd can create file mountpoints
ftpd_t # Can conditionally manage all non-auth files (allow_ftpd_full_access)
kernel_t # Can conditionally manage all non-auth files (nfs_export_all_rw)
nfsd_t # Can conditionally manage all non-auth files (nfs_export_all_rw)
nmbd_t # Can conditionally manage all non-auth files (samba_export_all_rw)
prelink_t # Prelinking executables
portage_t # Package manager
puppet_t # Can conditionally manage all non-auth files (puppet_manage_all_files)
rpm_t # Package manager
rpm_script_t # Package manager
sftpd_t # Can conditionally manage all non-auth files (sftpd_full_access)
smbd_t # Can conditionally manage all non-auth files (samba_export_all_rw)
systemd_tmpfiles_t # Can conditionally manage all non-auth files (systemd_tmpfiles_manage_all)
sysadm_t # Privileged admin domain
files_unconfined_type
# files_unconfined_type: Unconfined; can execute anything; muddies the water on what is
# intended to be executable by constrained domains.
exempt_exec_domain = files_unconfined_type