This won't match subdirectories of /usr/lib, but that shouldn't be a
problem, since we have "allow domain lib_t ..." anyway.
We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
false positives; in particular, the files
/usr/share/xmlto/format/docbook/man
/usr/share/bash-completion/completions/man
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying). The kernel commit is anticipated to
be included in Linux 4.13.
This refpolicy change defines map permission for refpolicy. It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets. This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.
This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.
It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.
Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.
Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.
This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
This is the base part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).
Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class. As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11. Define this security class and its access vector, note that it
is enabled as part of the extended_socket_class policy capability, and add
it to the socket_class_set macro.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process. It is only checked when acting on another
process, so getrlimit permission is not required for use of getrlimit(2).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.
This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.
Since app-admin/setools-4.1.0, some python internals try to create and
execute a file in /tmp during semanage initalization, causing semanage
to crash. Here's the backtrace (with the path
"/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.4/semanage", line 28, in <module>
import seobject
File "py/seobject.py", line 34, in <module>
import sepolicy
File "py/sepolicy/__init__.py", line 8, in <module>
import setools
File "py/setools/__init__.py", line 77, in <module>
from .infoflow import InfoFlowAnalysis
File "py/setools/infoflow.py", line 22, in <module>
import networkx as nx
File "py/networkx/__init__.py", line 93, in <module>
import networkx.linalg
File "py/networkx/linalg/__init__.py", line 9, in <module>
from networkx.linalg.algebraicconnectivity import *
File "py/networkx/linalg/algebraicconnectivity.py", line 18, in <module>
from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
File "py/numpy/__init__.py", line 180, in <module>
from . import add_newdocs
File "py/numpy/add_newdocs.py", line 13, in <module>
from numpy.lib import add_newdoc
File "py/numpy/lib/__init__.py", line 8, in <module>
from .type_check import *
File "py/numpy/lib/type_check.py", line 11, in <module>
import numpy.core.numeric as _nx
File "py/numpy/core/__init__.py", line 22, in <module>
from . import _internal # for freeze programs
File "py/numpy/core/_internal.py", line 14, in <module>
import ctypes
File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in <module>
_reset_cache()
File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
CFUNCTYPE(c_int)(lambda: None)
MemoryError
Improve the initrc domain within the init module with some permissions
needed for a smoother boot.
Let the iptables init scripts read the iptables configuration.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Improve the locallogin module by curbing on dac_override permissions
in the sulogin domain (read/search permissions only).
Thanks to Dominick Grift for suggesting this.
Other modules are likely affected by the same issue.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
I have used optional sections for dbus and xserver as requested and also
fixed a minor issue of a rule not being in the correct section.
Please merge this.
This patch fixes the policy for sulogin. It is very important
because without this patch, sulogin cannot work properly and
it should be considered that it is used as an emergency shell
when there are serious consistency errors in the system, so it
constitutes the only way to recover the system in such
circumstances.
Nowadays, sulogin never uses PAM (at least not the official one
from util-linux), so obsolete, confusing and buggy policy has
been removed.
Extensive testing carried out while creating this patch indicates
that there aren't other permissions needed to successfully run
sulogin.
This second version should apply cleanly to the latest git tree.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
