This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
When restorecond calls selinux_restorecon(), libselinux scans
/proc/mounts in a function named exclude_non_seclabel_mounts with the
following comment
(https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230):
/*
* This is called once when selinux_restorecon() is first called.
* Searches /proc/mounts for all file systems that do not support extended
* attributes and adds them to the exclude directory table. File systems
* that support security labels have the seclabel option, return
* approximate total file count.
*/
The "approximate total file count" is computed using statvfs(), which
results in a system call to statfs().
The cgroup filesystem supports security label (/proc/mounts shows
"seclabel") so restorecond uses statfs to try counting the number of its
inodes. This result in the following denial:
type=AVC msg=audit(1546727200.623:67): avc: denied { getattr } for
pid=314 comm="restorecond" name="/" dev="cgroup" ino=1
scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137
success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55
a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond"
subj=system_u:system_r:restorecond_t key=(null)
type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond"
Allow this, like commit 5125b8eb2d ("last misc stuff") did for
setfiles_t.
Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
setpgid required because of "WARNING: Failed to lower process priority: set process group: permission denied"
setsched required because of "WARNING: Failed to lower process priority: set niceness: permission denied"
signal_perms required to launch app.
This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning. This still requires
the file type to be readable by clamd.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action. This interface allows a domain transition to occur for the run action.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.
The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
mcstransd never implemented this permission. To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
Currently, sepolgen-ifgen fails with the following error:
/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]
error parsing headers
error parsing file /usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: could not parse text: "/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt: Syntax error on line 157 ` [type=TICK]"
Applications can optionally map fonts and fontconfig caches into memory.
miscfiles_read_fonts() already grants those perms, but it seems
xserver_use_user_fonts() was forgotten.
e2fsprogs 1.44.3 installs e2mmpstatus as a hard link to dumpe2fs. This
makes "restorecon -Rv /usr/bin" relabels this file with conflicting
contexts:
Relabeled /usr/bin/e2mmpstatus from system_u:object_r:fsadm_exec_t to system_u:object_r:bin_t
Relabeled /usr/bin/dumpe2fs from system_u:object_r:bin_t to system_u:object_r:fsadm_exec_t
Fix this by labelling e2mmpstatus like dumpe2fs.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.
Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
In domain_transition_pattern there is rule:
allow $1 $2:file { getattr open read execute };
map permission is missing here, which is generating lot of AVC.
Replacing permissions with mmap_exec_file_perms set.
SELinux 2.8 is stricter with duplicate filetrans and these rules cause
problems if a domain needs more than one xdg dir.
Domains should call xdg_generic_user_home_dir_filetrans_data directly if
needed.
To simplify policy management on the various application domains with
respect to user content access, a template is introduced which generates
four tunable_policy() blocks.
- The *_read_generic_user_content boolean will enable the application
domain to read generic user resources (labeled with user_home_t).
- The *_read_all_user_content boolean does the same, but for all user
resources (those associated with the user_home_content_type attribute).
- The *_manage_generic_user_content boolean enables the application to
manage generic user resources (labeled with user_home_t)
- The *_manage_all_user_content boolean does the same, but for all user
reosurces (those associated with the user_home_content_type attribute).
Although it would be even better to generate the booleans themselves as
well (which is what Gentoo does with this template), it would result in
booleans without proper documentation. Calls such as "semanage boolean
-l" would fail to properly show a description on the boolean - something
Gentoo resolves by keeping this documentation separate in a
doc/gentoo_tunables.xml file.
In this patch, we assume that the calling modules will define the
booleans themselves (with appropriate documentation). The template
checks for the existence of the booleans. This approach is more in
line with how domain-specific booleans are managed up to now.
Changes since v2:
- Fix typo in gen_require (had a closing : instead of ;)
Changes since v1:
- Use in-line XML comment and tunable definition
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
To facilitate handling user home content (through the
user_home_content_type attribute) the following interfaces are provided:
- userdom_read_all_user_home_content
- userdom_manage_all_user_home_content
Domains that are granted these privileges are able to read (or manage)
all user home content, so not only the generic one (user_home_t) but all
types that have been assigned the user_home_content_type attribute. This
is more than just user_home_t and the XDG types, so the use should not
be granted automatically.
As part of the larger XDG patch set, these interfaces are called through
the *_read_all_user_content and *_manage_all_user_content booleans which
are by default not enabled.
Changes since v2:
- Fix typo in pattern call
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
With the introduction of the freedesktop XDG location support in the
policy, end users need to be allowed to manage these locations from their
main user domain.
The necessary privileges are added to the xserver_role() interface, which is
in use by the unconfined user domain as well as the main other user domains
(like user, sysadm and staff).
The necessary file transitions for the directories are added as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Introduce various freedesktop locations, based on the base directory
specification [1]. The new locations are introduced as a separate module
to keep the rules related to these specifications isolated from the main
user domain (which is already one of the biggest modules code-wise).
Right now, two distinct location groups are provided, one being the set
of locations that will have domain-specific types, and one that remains
generic for end users.
The first set of types are:
- XDG Cache location, meant for non-essential cached data. The base type
here is xdg_cache_t, which is generally at $HOME/.cache
- XDG Data location, for user-specific data. The base type here is
xdg_data_t, which is generally at $HOME/.local
- XDG Config location, for user-specific configuration files. The base
type here is xdg_config_t, which is generally at $HOME/.config
The idea here is to provide support for domain-specific files as well.
For instance, Chromium has its user-specific configuration files in
~/.config/chromium, which is then marked as chromium_xdg_config_t.
This allows for isolation of potentially sensitive information from
regular user application domains. Firefox for instance should not be
able to read user configuration data from unrelated applications.
The second set of types are:
- User documents, with xdg_documents_t as the type. This is
generally for the ~/Documents location.
- User downloads, with xdg_downloads_t as the type. This is
generally for the ~/Downloads location.
- User music, with xdg_music_t as the type. This is generally for
the ~/Music location.
- User pictures, with xdg_pictures_t as the type. This is generally
for the ~/Pictures location.
- User videos, with xdg_videos_t as the type. This is generally for
the ~/Videos location.
Alongside the type definitions, a number of access interfaces are
defined to support the use of these types, and for the first set to
enable the necessary file transitions.
[1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete. It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd-update-done needs to be able to create /etc/.updated and /var/.updated
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
commit f865919872
(Interface to read /run/systemd/resolve/resolv.conf)
Added an interface to sysnet_read_config which requires the systemd
module loaded. Putting the interface in an optional_policy() is not
possible since sysnet_read_config is called from several tunables so
we use an ifdef.
The interface xserver_manage_xdm_spool_files() uses the undeclared type
xdm_spool_t. Removed statements referring to this type and marked the
interface as deprecated because it is now empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
These interfaces are not being called in the policy.
corenetwork.if.in:corenet_sctp_bind_generic_port(),
corenet_dontaudit_sctp_bind_generic_port(), and
corenet_sctp_connect_generic_port()
Removed references to undeclared type ephemeral_port_t.
corenetwork.if.in:corenet_sctp_recvfrom_unlabeled()
Removed references to undeclared type attribute corenet_unlabled_type.
devices.if:dev_read_printk()
Removed references to undeclared type printk_device_t and marked
interface as deprecated because it is now empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The type user_devpts_t is actually declared in userdomain.te and moving it
removes a dependency of the base module (which terminal is a part) on a
module.
Moved the file contexts to label slave pseudo terminals with the
user_devpts_t type from terminal.fc to userdomain.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The type systemd_unit_t is actually declared in init.te.
Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The type initrc_var_run_t is actually declared in init.te and moving it
removes a dependency of the base module (which files is a part) on a
module.
Moved the file contexts to label motd for debian systems with the
initrc_var_run_t type from files.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The type var_log_t is actually declared in logging.te.
Moved the file contexts to label dmesg and syslog files with the
var_log_t type from authlogin.fc to logging.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Marked unused parameters as unused in the interfaces listed below.
userdomain.if:userdom_ro_home_role()
userdomain.if:userdom_manage_home_role()
userdomain.if:userdom_manage_tmp_role()
userdomain.if:userdom_manage_tmpfs_role()
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
