Commit Graph

4508 Commits

Author SHA1 Message Date
Chris PeBenito
690d6ca905 Update contrib. 2017-08-19 12:03:11 -04:00
Chris PeBenito
42d109d30c Module version bump for fixes from Nicolas Iooss. 2017-08-19 12:02:58 -04:00
Nicolas Iooss
98170eaf55 Allow dhcpcd to use generic netlink and raw IP sockets
dhcpcd uses a raw IPv6 socket to receive router advertisement and
neighbor advertisement packets in
https://roy.marples.name/git/dhcpcd.git/tree/ipv6nd.c?h=dhcpcd-6.11.5
and uses NETLINK_GENERIC in
https://roy.marples.name/git/dhcpcd.git/tree/if-linux.c?h=dhcpcd-6.11.5
for some NetLink sockets.
2017-08-19 12:01:56 -04:00
Nicolas Iooss
179e3217b0 Add "/usr/(.*/)?bin(/.*)?" pattern back
Commit 2e7553db63 ("Create / to /usr equivalence for bin, sbin, and
lib, from Russell Coker.") removed from corecommands.fc:

    /usr/(.*/)?bin(/.*)?    gen_context(system_u:object_r:bin_t,s0)

Consequently files like /usr/x86_64-w64-mingw32/bin/objdump get labeled
as usr_t:

    $ matchpathcon /usr/x86_64-w64-mingw32/bin/objdump
    /usr/x86_64-w64-mingw32/bin/objdump system_u:object_r:usr_t

Make such files labeled as bin_t again.
2017-08-19 12:01:56 -04:00
Chris PeBenito
9f7cbe1427 Module version bump for patches from Nicolas Iooss. 2017-08-13 19:52:41 -04:00
Chris PeBenito
81aa9242aa logging: Move line. 2017-08-13 19:52:16 -04:00
Nicolas Iooss
28ad98572b corecommands: label dhcpcd hook scripts bin_t
dhcpcd executes scripts in /usr/lib/dhcpcd/:

    avc:  denied  { execute_no_trans } for  pid=608 comm="dhcpcd"
    path="/usr/lib/dhcpcd/dhcpcd-run-hooks" dev="vda1" ino=406981
    scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:lib_t
    tclass=file permissive=1
2017-08-13 19:51:19 -04:00
Nicolas Iooss
52109514d5 audit: allow reading /etc/localtime
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:

    avc:  denied  { read } for  pid=191 comm="auditctl" name="UTC"
    dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1
    avc:  denied  { open } for  pid=191 comm="auditctl"
    path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
    scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1

This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":

    [pid   635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
    "/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
    ...
    [pid   635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
    such file or directory)
    [pid   635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
    [pid   635] lseek(4, -71, SEEK_CUR)     = 56
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
    [pid   635] close(4)                    = 0
    [pid   635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
    [pid   635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
    [pid   635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
    /etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
    NULL, 0) = 81
    [pid   635] exit_group(0)               = ?

More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time is in local timezone.

[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
2017-08-13 19:51:18 -04:00
Chris PeBenito
495e2c203b Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito
0ba1970b7c kernel: Module version bump for patch from Nicolas Iooss. 2017-08-08 20:02:22 -04:00
Nicolas Iooss
5cfe0def8b Add module_load permission to self when loading modules is allowed
When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
1d3087978a),
the following AVC denial gets reported:

    avc:  denied  { module_load } for  pid=1 comm="systemd"
    scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
    tclass=system permissive=1

[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836

    /* init_module */
    if (file == NULL)
        return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
                    SYSTEM__MODULE_LOAD, NULL);

In this code, both source and target SIDs are current_sid().
2017-08-08 19:58:47 -04:00
Chris PeBenito
8067ed0181 .travis.yml: Use git tag instead of release tarball for selinux userspace. 2017-08-06 19:06:28 -04:00
Chris PeBenito
efa32d9b56 Remove deprecated interfaces older than one year old.
Additionally one deprecated attribute removed.
2017-08-06 17:03:17 -04:00
Chris PeBenito
2b74c54f62 Rules.modular: Fix file context verification.
Disabled modules were included in the file contexts, resulting in false
verification errors.
2017-08-06 16:54:40 -04:00
Chris PeBenito
a1820d2b38 Module version bump for patches from Guido Trentalancia and Anthony PERARD. 2017-08-06 11:26:52 -04:00
Anthony PERARD
86479f7118 Update for Xen 4.7
Since Xen 4.7, /dev/xen/privcmd is used instead of /proc/xen/privcmd.
Add the device into the policy so `xenstored` can work.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
2017-08-06 11:19:29 -04:00
Guido Trentalancia
ff8675f1c8 userdomain: allow netlink_kobject_uvent_socket creation
Not auditing this turns out to be the wrong choice for
several reasons.

For normal application functioning the user domain
should be able to create netlink_kobject_uvent_socket
sockets.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2017-08-06 11:14:37 -04:00
Chris PeBenito
794ed7efd0 Update Changelog and VERSION for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito
aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito
acac1fcf4e init: Add NoNewPerms support for systemd. 2017-08-05 12:22:05 -04:00
Chris PeBenito
c51b772d2f Add cgroup_seclabel policycap. 2017-08-05 12:15:02 -04:00
Chris PeBenito
1637a8b407 Add nnp_nosuid_transition policycap and related class/perm definitions. 2017-08-05 12:13:21 -04:00
Chris PeBenito
933280d8f7 Enable extended_socket_class policy capability; 2017-08-05 12:01:00 -04:00
Chris PeBenito
fc24afc454 travis-ci: Update to 2.7 userspace release. 2017-08-05 11:56:27 -04:00
Chris PeBenito
95ab6e9524 README: Update build requirements.
Closes #124
2017-07-19 21:19:43 -04:00
Chris PeBenito
4680d9c659 netutils: Module version bump for patch from Luis Ressel. 2017-06-18 19:26:29 -04:00
Luis Ressel
b6fe74c67c netutils: Allow tcpdump to reduce its capability bounding set 2017-06-18 19:23:21 -04:00
Luis Ressel
261e2772d1 netutils: Add some permissions required by nmap to traceroute_t
nmap currently also needs "self:socket create", but I've submitted a
kernel patch to ameliorate this.
2017-06-18 19:23:13 -04:00
Luis Ressel
afe26f2e2f netutils: Mix nmap perms in with the other traceroute_t perms 2017-06-18 19:23:02 -04:00
Chris PeBenito
6293813020 Module version bump for patches from cgzones. 2017-06-12 18:48:58 -04:00
cgzones
ce7aa47ff5 iptables: update
v2:
 - do not remove interfaces superseded by auth_use_nsswitch()
2017-06-12 18:42:53 -04:00
cgzones
ea74a35ba7 netutils: update
v2:
 - keep files_read_etc_files interfaces
2017-06-12 18:41:56 -04:00
cgzones
c6f76058dc chkrootkit: add interfaces and sysadm permit
v2:
 - add bin_t fc to corecommands
2017-06-12 18:41:56 -04:00
Chris PeBenito
5ab11a8454 Module version bump for patches from cgzones. 2017-06-08 18:53:51 -04:00
cgzones
4d22001265 iptables: align file contexts 2017-06-08 18:43:48 -04:00
cgzones
9ab63a1bdf rkhunter: add interfaces for rkhunter module and sysadm permit 2017-06-08 18:22:53 -04:00
Chris PeBenito
cf8dbdc5e4 miscfiles: Module version bump for patch from Luis Ressel. 2017-06-07 19:26:06 -04:00
Luis Ressel
2da36b7d71 system/miscfiles: Generalize the man_t fc's
This won't match subdirectories of /usr/lib, but that shouldn't be a
problem, since we have "allow domain lib_t ..." anyway.

We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
false positives; in particular, the files
  /usr/share/xmlto/format/docbook/man
  /usr/share/bash-completion/completions/man
2017-06-07 19:19:22 -04:00
Guido Trentalancia
89b53fafa9 fc_sort: avoid compiler warning/error
Fix a "-Werror=implicit-fallthrough" compiler warning/error on
the switch statement.

This third version (v3) fixes a bug introduced in the first
version and improves the style over the second version.

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
2017-06-07 19:13:28 -04:00
Chris PeBenito
01311965dd gpg: Module version bump for patch from Guido Trentalancia. 2017-06-06 20:10:47 -04:00
Chris PeBenito
89d1b3a71e Module version bumps for patches from Jason Zaman. 2017-06-04 20:45:23 -04:00
Chris PeBenito
ff041dd6fc filesystem: Fix error in fs_cgroup_filetrans(). 2017-06-04 20:45:13 -04:00
Jason Zaman
b93c403dd7 filesystem: introduce fs_cgroup_filetrans interface 2017-06-04 20:24:51 -04:00
Chris PeBenito
2749bddae8 Module version bumps for patches from Jason Zaman. 2017-05-31 21:09:50 -04:00
Jason Zaman
d49027dc40 dirmngr: add to roles 2017-05-31 20:40:47 -04:00
Chris PeBenito
1a7a723891 Update contrib. 2017-05-25 21:05:38 -04:00
Chris PeBenito
602b77236d Module version bump for mmap fixes from Stephen Smalley. 2017-05-24 19:58:32 -04:00
Stephen Smalley
7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Chris PeBenito
6c2272c613 Module version bump for infiniband policy from Daniel Jurgens. 2017-05-24 19:36:49 -04:00
Chris PeBenito
412fc7e7fd corenet/sysadm: Move lines. 2017-05-24 19:36:04 -04:00