Commit Graph

3356 Commits

Author SHA1 Message Date
Chris PeBenito
6f19979a2f gpg, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-03 19:05:05 -04:00
Chris PeBenito
17512a799d Merge pull request #117 from fishilico/gpg-crypto-fips 2019-10-03 18:59:04 -04:00
Nicolas Iooss
15151782bd
gpg: allow gpg-agent to read crypto.fips_enabled sysctl
On Debian 10, when gpg-agent starts, it reads crypto.fips_enabled:

    type=AVC msg=audit(1569958604.280:42): avc:  denied  { open } for
    pid=329 comm="gpg-agent" path="/proc/sys/crypto/fips_enabled"
    dev="proc" ino=14687 scontext=sysadm_u:sysadm_r:gpg_agent_t
    tcontext=system_u:object_r:sysctl_crypto_t tclass=file permissive=1

    type=AVC msg=audit(1569958604.280:42): avc:  denied  { read } for
    pid=329 comm="gpg-agent" name="fips_enabled" dev="proc" ino=14687
    scontext=sysadm_u:sysadm_r:gpg_agent_t
    tcontext=system_u:object_r:sysctl_crypto_t tclass=file permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-10-01 21:58:24 +02:00
Nicolas Iooss
90a2688712
systemd: make the kernel spawn systemd-coredump with a context transition
On Arch Linux, /proc/sys/kernel/core_pattern contains:

    |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h

When a crash happens in a userspace application, this setting makes the
kernel spawn /usr/lib/systemd/systemd-coredump from kernel_t:

    type=AVC msg=audit(1569910108.877:336): avc:  denied  { execute }
    for  pid=1087 comm="kworker/u2:3" name="systemd-coredump" dev="vda1"
    ino=406365 scontext=system_u:system_r:kernel_t
    tcontext=system_u:object_r:systemd_coredump_exec_t tclass=file
    permissive=1

Introduce a transition to systemd_coredump_t to handle this.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-10-01 21:30:29 +02:00
Chris PeBenito
52e9d4daf0 filesystem, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:57:29 -04:00
Chris PeBenito
1a124285df Merge pull request #112 from fishilico/systemd-sd-executor-use 2019-09-30 20:43:01 -04:00
Chris PeBenito
1a30ab4fd8 Merge pull request #111 from fishilico/filesystem-fs_rw_cgroup_files-follow-symlink 2019-09-30 20:42:21 -04:00
Chris PeBenito
7d4bdb86ce Merge pull request #108 from fishilico/systemd-user-2019-09 2019-09-30 20:41:35 -04:00
Chris PeBenito
291f68a119 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:39:31 -04:00
Chris PeBenito
61ecff5c31 Remove old aliases.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
d6c7154f1c Reorder declarations based on *_runtime_t renaming.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
69a403cd97 Rename *_var_run_t types to *_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Nicolas Iooss
ea816582f0
systemd: allow user environment helpers to communicate with systemd --user
"systemd --user" spawns programs from
/usr/lib/systemd/user-environment-generators/ in order to gather
environment variables. On a Debian 10 virtual machine which gnupg, this
directory contains:

    $ ls -Z /usr/lib/systemd/user-environment-generators
    system_u:object_r:bin_t 30-systemd-environment-d-generator
    system_u:object_r:bin_t 90gpg-agent

For sysadm, these programs are run as sysadm_t (because there is a
transition in systemd_role_template() in systemd.if:
corecmd_bin_domtrans($1_systemd_t, $3)) but use file descriptors created
by their parent process, which runs as sysadm_systemd_t. This leads to:

    type=AVC msg=audit(1569756917.537:244): avc:  denied  { use } for
    pid=9713 comm="30-systemd-envi"
    path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429
    dev="tmpfs" ino=24859 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=fd permissive=0

    type=AVC msg=audit(1569756917.537:244): avc:  denied  { use } for
    pid=9713 comm="30-systemd-envi"
    path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
    dev="vda1" ino=655822 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=fd permissive=0

    type=SYSCALL msg=audit(1569756917.537:244): arch=c000003e syscall=59
    success=no exit=-13 a0=5647d12cf020 a1=7ffc605b1fb0 a2=7ffc605b2420
    a3=0 items=0 ppid=9712 pid=9713 auid=1000 uid=1000 gid=1000
    euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000
    tty=(none) ses=10 comm="30-systemd-envi"
    exe="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
    subj=sysadm_u:sysadm_r:sysadm_t key=(null)

    [...]

    type=AVC msg=audit(1569756917.541:246): avc:  denied  { use } for
    pid=9714 comm="90gpg-agent"
    path=2F6D656D66643A39306770672D6167656E74202864656C6574656429
    dev="tmpfs" ino=24860 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=fd permissive=0

    type=AVC msg=audit(1569756917.541:246): avc:  denied  { use } for
    pid=9714 comm="90gpg-agent" path="/usr/bin/bash" dev="vda1"
    ino=524662 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=fd permissive=0

In systemd's source, here are the relevant functions:

* manager_run_environment_generators() calls execute_directories(paths,
  DEFAULT_TIMEOUT_USEC, gather_environment, ...) [1], with
  gather_environment a global table defined in exec-util.c [2]

* execute_directories() opens a "serialization fd" [3], that creates a
  memfd for communication with the child processes [4].

* execute_directories() calls fork() and do_execute() [5] in order to
  run each child process, providing them with the memfd descriptor in
  order to gather their output.

* When a child process is executed, its context transitions from
  sysadm_systemd_t to sysadm_t. The child then writes environment
  variables to its output.

* The parent process (systemd --user) collects the environment variables
  that have been written, and "consumes" the produced output in order to
  override its environment variables.

[1] https://github.com/systemd/systemd/blob/v243/src/core/manager.c#L3836
[2] https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L413
[3] https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L213
[4] https://github.com/systemd/systemd/blob/v243/src/shared/serialize.c#L200
[5] https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L226

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-30 22:43:31 +02:00
Nicolas Iooss
d2c553d528
filesystem: allow following symlinks with fs_rw_cgroup_files()
fs_read_cgroup_files() grants access to reading files and to following
symlinks (with "read_lnk_files_pattern($1, cgroup_t, cgroup_t)").
fs_rw_cgroup_files() does not include such a rule, which is needed in
order to transparently use symlinks such as /sys/fs/cgroup/cpu. This
access is currently denied, for example to "systemd --user" daemon:

    type=AVC msg=audit(1569756917.537:242): avc:  denied  { getattr }
    for  pid=9710 comm="systemd" path="/sys/fs/cgroup/cpu" dev="tmpfs"
    ino=9683 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:cgroup_t tclass=lnk_file permissive=0

    type=SYSCALL msg=audit(1569756917.537:242): arch=c000003e
    syscall=262 success=no exit=-13 a0=ffffff9c a1=7ffc605b1f70
    a2=7ffc605b1ea0 a3=100 items=0 ppid=1 pid=9710 auid=1000 uid=1000
    gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000
    fsgid=1000 tty=(none) ses=10 comm="systemd"
    exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)

    type=PROCTITLE msg=audit(1569756917.537:242):
    proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572

On this system (Debian 10), /sys/fs/cgroup/cpu is a symlink to
/sys/fs/cgroup/cpu,cpuacct.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-30 22:42:40 +02:00
Nicolas Iooss
7b61521c4c
systemd: remove unnecessary init_write_runtime_socket()
init_write_runtime_socket(systemd_user_session_type) is redundant with
init_dgram_send(systemd_user_session_type).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-19 23:06:58 +02:00
Nicolas Iooss
e942a3171e
systemd: allow more accesses to systemd --user
systemd --user needs to:

* run statfs() on /sys/fs/cgroup, which is a tmpfs on Debian 10:

    type=AVC msg=audit(1568544950.691:309): avc:  denied  { getattr }
    for  pid=10128 comm="systemd" name="/" dev="tmpfs" ino=9656
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

    type=SYSCALL msg=audit(1568544950.691:309): arch=c000003e
    syscall=137 success=no exit=-13 a0=7f96e8b23ddb a1=7ffefbffb410
    a2=7f96e7b3c2a0 a3=0 items=0 ppid=1 pid=10128 auid=1000 uid=1000
    gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000
    fsgid=1000 tty=(none) ses=14 comm="systemd"
    exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)

    type=PROCTITLE msg=audit(1568544950.691:309):
    proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572

    # ls -Zdi /sys/fs/cgroup  # ino=9656 is /sys/fs/cgroup
    9656 system_u:object_r:cgroup_t /sys/fs/cgroup

    # findmnt /sys/fs/cgroup
    /sys/fs/cgroup tmpfs  tmpfs  ro,nosuid,nodev,noexec,seclabel,mode=755

* read /proc/sys/fs/nr_open:

    type=AVC msg=audit(1568545206.580:392): avc:  denied  { search } for
    pid=19003 comm="systemd" name="fs" dev="proc" ino=9699
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1

    type=AVC msg=audit(1568545206.580:392): avc:  denied  { read } for
    pid=19003 comm="systemd" name="nr_open" dev="proc" ino=14620
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:sysctl_fs_t tclass=file permissive=1

    type=AVC msg=audit(1568545206.580:392): avc:  denied  { open } for
    pid=19003 comm="systemd" path="/proc/sys/fs/nr_open" dev="proc"
    ino=14620 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:sysctl_fs_t tclass=file permissive=1

    type=SYSCALL msg=audit(1568545206.580:392): arch=c000003e
    syscall=257 success=yes exit=4 a0=ffffff9c a1=7fe0d8a8665f a2=80000
    a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000
    suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none)
    ses=16 comm="systemd" exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)

    type=PROCTITLE msg=audit(1568545206.580:392):
    proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572

* notify systemd like services (this was not allowed because *_systemd_t
  is not associated with attribute "daemon"):

    type=AVC msg=audit(1568545206.748:410): avc:  denied  { write } for
    pid=19003 comm="systemd" name="notify" dev="tmpfs" ino=9840
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:init_runtime_t tclass=sock_file
    permissive=1

    type=AVC msg=audit(1568545206.748:410): avc:  denied  { sendto } for
    pid=19003 comm="systemd" path="/run/systemd/notify"
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:system_r:init_t tclass=unix_dgram_socket
    permissive=1

    type=SERVICE_START msg=audit(1568545206.756:411): pid=1 uid=0
    auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t
    msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd"
    hostname=? addr=? terminal=? res=success'

    type=SYSCALL msg=audit(1568545206.748:410): arch=c000003e syscall=46
    success=yes exit=36 a0=1e a1=7ffe70f2abf0 a2=4000 a3=7ffe70f2ab84
    items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000
    suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none)
    ses=16 comm="systemd" exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)

    type=PROCTITLE msg=audit(1568545206.748:410):
    proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572

* use /sys/fs/selinux/create to help define its own sockcreate
  attribute:

    type=AVC msg=audit(1568545206.748:406): avc:  denied  { write } for
    pid=19003 comm="systemd" name="create" dev="selinuxfs" ino=7
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:security_t tclass=file permissive=1
    type=SYSCALL msg=audit(1568545206.748:406): arch=c000003e
    syscall=257 success=yes exit=12 a0=ffffff9c a1=7ffe70f29da0 a2=80002
    a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000
    suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none)
    ses=16 comm="systemd" exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)
    type=PROCTITLE msg=audit(1568545206.748:406):
    proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572

    type=AVC msg=audit(1568545206.748:407): avc:  denied  {
    compute_create } for  pid=19003 comm="systemd"
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:security_t tclass=security permissive=1
    type=SYSCALL msg=audit(1568545206.748:407): arch=c000003e syscall=1
    success=yes exit=71 a0=c a1=5555d61eadb0 a2=47 a3=0 items=0 ppid=1
    pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
    egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd"
    exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)
    type=PROCTITLE msg=audit(1568545206.748:407):
    proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572

    type=AVC msg=audit(1568545206.748:408): avc:  denied  {
    setsockcreate } for  pid=19003 comm="systemd"
    scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=process
    permissive=1
    type=SYSCALL msg=audit(1568545206.748:408): arch=c000003e syscall=1
    success=yes exit=35 a0=c a1=5555d61e1320 a2=23 a3=3 items=0 ppid=1
    pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000
    egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd"
    exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)
    type=PROCTITLE msg=audit(1568545206.748:408):
    proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-19 21:20:57 +02:00
Chris PeBenito
4f1346357a portage, selinuxutil: Module version bump. 2019-09-18 19:40:17 -04:00
Chris PeBenito
454fb463cf Merge pull request #87 from fishilico/portage-consoletype-optional 2019-09-18 19:39:53 -04:00
Petr Lautrbach
e0813db519 newrole: allow newrole to use setcap to drop capabilities
Commit 61b72e0796 ("selinuxutil: adjustments") removed negative permission
matching for newrole_t:process. One of the removed permission was setcap which
is needed by newrole as it tries to drop capabilities:

    $ newrole -r sysadm_r
    Sorry, newrole failed to drop capabilities
    : Permission denied

    type=PROCTITLE msg=audit(09/06/2019 15:07:01.908:10821) : proctitle=newrole -r sysadm_r

    type=SYSCALL msg=audit(09/06/2019 15:07:01.908:10821) : arch=x86_64
    syscall=capset success=no exit=EACCES(Permission denied) a0=0x7fbe17d4cb6c
    a1=0x7fbe17d4cb74 a2=0x7fbe17d4d5d0 a3=0x0 items=0 ppid=4981 pid=7255
    auid=admin uid=admin gid=admin euid=admin
    suid=admin fsuid=admin egid=admin sgid=admin fsgid=admin tty=tty1 ses=6
    comm=newrole exe=/usr/bin/newrole subj=staff_u:staff_r:newrole_t:s0
    key=(null)

    type=AVC msg=audit(09/06/2019 15:07:01.908:10821) : avc:  denied  { setcap }
    for  pid=7255 comm=newrole scontext=staff_u:staff_r:newrole_t:s0
    tcontext=staff_u:staff_r:newrole_t:s0 tclass=process permissive=0

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-09-18 15:34:29 +02:00
Chris PeBenito
ab4ec89d70 sudo, systemd, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-14 16:28:14 -04:00
Chris PeBenito
4de8b76b2f Merge pull request #102 from fishilico/systemd-networkd-hostnamed 2019-09-14 16:22:43 -04:00
Chris PeBenito
9021670648 Merge pull request #103 from fishilico/systemd-networkd-generic-netlink 2019-09-14 16:22:42 -04:00
Chris PeBenito
df6870c51b Merge pull request #104 from fishilico/sudo-sigwinch 2019-09-14 16:22:40 -04:00
Nicolas Iooss
a6d13cd456
systemd: allow detecting Windows Subsystem for Linux
Since systemd 242 (commit
6c8a2c6793),
systemd and its services read /proc/sys/kernel/osrelease in order to
detect whether they are running in Microsoft's WSL (Windows Subsystem
for Linux).

This leads to logs such as:

    type=AVC msg=audit(1568445663.990:10): avc:  denied  { read } for
    pid=401 comm="systemd-modules" name="osrelease" dev="proc" ino=13319
    scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1

    type=AVC msg=audit(1568445663.990:10): avc:  denied  { open } for
    pid=401 comm="systemd-modules" path="/proc/sys/kernel/osrelease"
    dev="proc" ino=13319
    scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1

    type=AVC msg=audit(1568445663.990:11): avc:  denied  { getattr } for
    pid=401 comm="systemd-modules" path="/proc/sys/kernel/osrelease"
    dev="proc" ino=13319
    scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1

Add kernel_read_kernel_sysctls() to services that read
/proc/sys/kernel/osrelease. These services have been identified by
running "grep osrelease < /var/log/audit/audit.log | audit2allow" on an
Arch Linux test system.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 14:36:13 +02:00
Nicolas Iooss
1097ce0e24
sudo: allow using CAP_KILL for SIGWINCH
With the following process tree:

    LABEL                           UID    PID  PPID  TTY   CMD
    sysadm_u:sysadm_r:sysadm_t      root  18146 12404 pts/0 /usr/bin/zsh
    sysadm_u:sysadm_r:sysadm_sudo_t root  18441 18146 pts/0 sudo -su user
    sysadm_u:sysadm_r:sysadm_sudo_t root  18443 18441 pts/1 sudo -su user
    sysadm_u:sysadm_r:sysadm_t      user  18444 18443 pts/1 /usr/bin/zsh

When the terminal window of the first process is resized, SIGWINCH is
forwarded by process 18443, which requests capability CAP_KILL:

    type=AVC msg=audit(1567881640.754:13839): avc:  denied  { kill } for
    pid=18443 comm="sudo" capability=5
    scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=sysadm_u:sysadm_r:sysadm_sudo_t tclass=capability
    permissive=0

    type=SYSCALL msg=audit(1567881640.754:13839): arch=c000003e
    syscall=62 success=no exit=-1 a0=ffffb7f4 a1=1c a2=ffffffff a3=100
    items=0 ppid=18441 pid=18443 auid=1000 uid=0 gid=1000 euid=0 suid=0
    fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=690 comm="sudo"
    exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)

    type=PROCTITLE msg=audit(1567881640.754:13839):
    proctitle=7375646F002D73750075736572

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 14:00:58 +02:00
Nicolas Iooss
42b966d2df
sudo: allow transmitting SIGWINCH to its child
When resizing the X11 window of a terminal running sudo on a remote
Debian 10 system (through ssh), sudo forwards SIGWINCH to its children
(this behavior might be caused by using "Defaults use_pty" in
/etc/sudoers). This leads to the following audit logs:

    type=AVC msg=audit(1567880108.988:13823): avc:  denied  { signal }
    for pid=15670 comm="sudo" scontext=sysadm_u:sysadm_r:sysadm_sudo_t
    tcontext=sysadm_u:sysadm_r:sysadm_t tclass=process permissive=0

    type=SYSCALL msg=audit(1567880108.988:13823): arch=c000003e
    syscall=62 success=no exit=-13 a0=ffffc2c9 a1=1c a2=ffffffff a3=100
    items=0 ppid=15607 pid=15670 auid=1000 uid=0 gid=0 euid=0 suid=0
    fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=721 comm="sudo"
    exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null)

    type=PROCTITLE msg=audit(1567880108.988:13823):
    proctitle=2F7573722F62696E2F7375646F002D73

The process tree (ps -ef, edited) on this remote system was:

    LABEL                           UID    PID  PPID  TTY   CMD
    system_u:system_r:sshd_t        user  15519 15480 ?     sshd: user@pts/5
    sysadm_u:sysadm_r:sysadm_t      user  15524 15519 pts/5 -zsh
    sysadm_u:sysadm_r:sysadm_sudo_t root  15607 15524 pts/5 /usr/bin/sudo -s
    sysadm_u:sysadm_r:sysadm_sudo_t root  15670 15607 pts/6 /usr/bin/sudo -s
    sysadm_u:sysadm_r:sysadm_t      root  15671 15670 pts/6 /usr/bin/zsh

The denied syscall was:

* syscall=62: int kill(pid_t pid, int sig)
* a0=ffffc2c9: pid = -15671 (process group of sudo's child)
* a1=1c: sig = 28 = SIGWINCH

Allow such a signal to be transmitted.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 13:58:39 +02:00
Nicolas Iooss
19542fd26a
systemd-networkd: allow communicating with hostnamed
When systemd-netwokd receives DHCP option 12 (hostname), it changes the
hostname by calling method SetHostname from interface
org.freedesktop.hostname1 provided by systemd-hostnamed:
https://github.com/systemd/systemd/blob/v243/src/network/networkd-manager.c#L1946

This access is currently denied and reported:

    type=USER_AVC msg=audit(1568403789.952:36): pid=288 uid=105
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.hostname1 member=SetHostname
    dest=org.freedesktop.hostname1 spid=233 tpid=317
    scontext=system_u:system_r:systemd_networkd_t
    tcontext=system_u:system_r:systemd_hostnamed_t tclass=dbus
    permissive=1  exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=?
    terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 13:55:57 +02:00
Nicolas Iooss
ba45fc06c8
systemd-networkd: allow creating a generic netlink socket
Since systemd 237 (commit
05d0c2e3cf),
systemd-networkd requires a generic netlink socket in order to start.
Otherwise, it fails to start and systemd's journal contains:

    audit[19262]: AVC avc:  denied  { create } for  pid=19262
    comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t
    tcontext=system_u:system_r:systemd_networkd_t
    tclass=netlink_generic_socket permissive=0

    audit[19262]: SYSCALL arch=c000003e syscall=41 success=no exit=-13
    a0=10 a1=80803 a2=10 a3=20 items=0 ppid=1 pid=19262 auid=4294967295
    uid=102 gid=103 euid=102 suid=102 fsuid=102 egid=103 sgid=103
    fsgid=103 tty=(none) ses=4294967295 comm="systemd-network"
    exe="/usr/lib/systemd/systemd-networkd"
    subj=system_u:system_r:systemd_networkd_t key=(null)

    audit: PROCTITLE proctitle="/lib/systemd/systemd-networkd"

    systemd-networkd[19262]: Could not create manager: Permission denied

For information, "syscall=41 a0=10 a1=80803 a2=10" means:

    socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_GENERIC);

... which matches the call to sd_genl_socket_open(&m->genl); in
https://github.com/systemd/systemd/blob/v243/src/network/networkd-manager.c#L1143

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 13:53:17 +02:00
Chris PeBenito
a5dab43a85 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-11 06:52:32 -04:00
Chris PeBenito
c6396d5a79 Merge pull request #88 from fishilico/usr-bin-fc 2019-09-11 06:26:24 -04:00
Chris PeBenito
cfdf3b7981 Merge pull request #98 from fishilico/ulogd-dynamic-user 2019-09-11 06:22:44 -04:00
Chris PeBenito
f500ff48d2 Merge pull request #99 from fishilico/bitlbee-dynamic-user 2019-09-11 06:22:09 -04:00
Chris PeBenito
7ae433aedc Merge pull request #100 from fishilico/chromium-ifdef 2019-09-11 06:21:23 -04:00
Laurent Bigonville
44957d318c Allow udevadm_t to use dac_read_search capability
udevadm trigger tries to read files under /sys/module/ that might not be
readable by root, for example:

--w------- 1 root root 4096 sep  5 17:06 /sys/module/snd_hda_codec_generic/uevent

We choose to allow it here because, according to Grift,
"the cap_dac_read_search could maybe be dontaudited, but then
cap_dac_override would have to be dontaudited as well.
cap_dac_read_search would also be triggered when you run `sudo udevadm
...` where pwd or/and oldpwd is ~"

type=PROCTITLE msg=audit(29/08/19 15:37:14.505:417) : proctitle=/bin/udevadm trigger --type=subsystems --action=add
type=PATH msg=audit(29/08/19 15:37:14.505:417) : item=0 name=/sys/module/snd_hda_codec_generic/uevent inode=17769 dev=00:13 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(29/08/19 15:37:14.505:417) : cwd=/
type=SYSCALL msg=audit(29/08/19 15:37:14.505:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission non accordée) a0=0xffffff9c a1=0x7fff23710260 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_override } for  pid=481 comm=udevadm capability=dac_override  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_read_search } for  pid=481 comm=udevadm capability=dac_read_search  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-09-09 08:27:50 +02:00
Laurent Bigonville
8f4f9a924a Allow udevadm to read files in /run/udev/data
With this commit, my basic debian buster installation is booting

type=PROCTITLE msg=audit(09/09/19 08:23:24.011:69) : proctitle=/bin/udevadm trigger --type=devices --action=add
type=PATH msg=audit(09/09/19 08:23:24.011:69) : item=0 name=/run/udev/data/+platform:QEMU0002:00 inode=12584 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:udev_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(09/09/19 08:23:24.011:69) : cwd=/
type=SYSCALL msg=audit(09/09/19 08:23:24.011:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7fff993f0cb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=486 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { open } for  pid=486 comm=udevadm path=/run/udev/data/+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { read } for  pid=486 comm=udevadm name=+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-09-09 08:25:16 +02:00
Nicolas Iooss
0e045ef5fe
chromium: remove distro-specific ifdef
Arch Linux installs Chromium in /usr/lib/chromium/ like Debian. Instead
of adding a new ifdef(`distro_arch') block, remove the restriction in
chromium.fc.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:12:04 +02:00
Nicolas Iooss
10cd3fb258
bitlbee: allow using GetDynamicUser on Debian
On Debian 10, starting bitlbee daemon leads to:

    type=AVC msg=audit(1567941717.044:14204): avc:  denied  { search }
    for  pid=5704 comm="bitlbee" name="dbus" dev="tmpfs" ino=13798
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
    permissive=0

    type=AVC msg=audit(1567941717.044:14205): avc:  denied  { read } for
    pid=5704 comm="bitlbee" name="direct:64707" dev="tmpfs" ino=16529
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

    type=AVC msg=audit(1567941756.020:14208): avc:  denied  { search }
    for  pid=6363 comm="bitlbee" name="dbus" dev="tmpfs" ino=13798
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
    permissive=0

    type=AVC msg=audit(1567941756.020:14209): avc:  denied  { read } for
    pid=6363 comm="bitlbee" name="direct:64707" dev="tmpfs" ino=16529
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=0

    type=USER_AVC msg=audit(1567941770.492:14215): pid=432 uid=106
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
    dest=org.freedesktop.systemd1 spid=6694 tpid=1
    scontext=system_u:system_r:bitlbee_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'

All these denials are related to getting dynamic users through a D-Bus
call to GetDynamicUsers() of interface org.freedesktop.systemd1.Manager.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:07:15 +02:00
Nicolas Iooss
f5a4ce1d35
ulogd: adjust policy for Debian
On a Debian 10 system, I saw denials for ulogd service:

* It uses a pipe with itself:

    type=AVC msg=audit(1567874422.328:13744): avc:  denied  { write }
    for pid=11416 comm="ulogd" path="pipe:[29006]" dev="pipefs"
    ino=29006 scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=fifo_file permissive=0

* It enumerates users in /run/systemd/dynamic-uid/ when changing to the
  ulog user (which is not dynamic):

    type=AVC msg=audit(1567874512.576:13748): avc:  denied  { read } for
    pid=18290 comm="ulogd" name="dynamic-uid" dev="tmpfs" ino=16527
    scontext=system_u:system_r:ulogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=0

* It connects to the system D-Bus socket in order to call GetDynamicUser:

    type=AVC msg=audit(1567875114.147:13761): avc:  denied  { write }
    for  pid=28135 comm="ulogd" name="system_bus_socket" dev="tmpfs"
    ino=13799 scontext=system_u:system_r:ulogd_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=sock_file
    permissive=1

    type=AVC msg=audit(1567875114.147:13761): avc:  denied  { connectto
    } for  pid=28135 comm="ulogd" path="/run/dbus/system_bus_socket"
    scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket
    permissive=1

    type=USER_AVC msg=audit(1567875276.683:13776): pid=432 uid=106
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_db
    usd_t msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
    dest=org.freedesktop.systemd1 spid=30953 tpid=1
    scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:init_t
    tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=106
    hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:06:34 +02:00
Chris PeBenito
031f53120c sudo: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-07 17:21:46 -04:00
Chris PeBenito
a8d879847e Merge pull request #97 from fishilico/sudo-use_pty 2019-09-07 17:15:58 -04:00
Chris PeBenito
208296a0c2 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-07 16:58:51 -04:00
Chris PeBenito
bbd7f748a6 Merge pull request #82 from fishilico/typo-cups-fc 2019-09-07 16:47:34 -04:00
Chris PeBenito
682b015be9 Merge pull request #89 from fishilico/apt-dpkg-nnp 2019-09-07 16:43:05 -04:00
Chris PeBenito
1167995694 Merge pull request #90 from fishilico/apt-dbus-systemd-logind 2019-09-07 16:42:21 -04:00
Chris PeBenito
1975b0de50 Merge pull request #91 from fishilico/utempter-debian 2019-09-07 16:41:49 -04:00
Chris PeBenito
83a8032d8e Merge pull request #92 from fishilico/irc-weechat 2019-09-07 16:40:52 -04:00
Chris PeBenito
b340b15b8b Merge pull request #93 from fishilico/systemd-read-netlink_kobject_uevent_socket 2019-09-07 16:40:27 -04:00
Chris PeBenito
1dea588464 Merge pull request #94 from fishilico/wireguard 2019-09-07 16:39:48 -04:00
Chris PeBenito
433519a8ca Merge pull request #95 from fishilico/modutils-debian 2019-09-07 16:37:45 -04:00
Chris PeBenito
fad0c3f126 Merge pull request #96 from fishilico/systemd-modules-load-sysfs 2019-09-07 16:34:34 -04:00