Commit Graph

51 Commits

Author SHA1 Message Date
David Sugar
87d4a65059 Create interfaces to write to inherited xserver log files.
Updated based on feedback

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-08 21:03:53 -05:00
Chris PeBenito
1c503e140c loadable_module.spt: Add debugging comments for tunable_policy blocks. 2017-11-28 20:22:59 -05:00
Stephen Smalley
7a4e93a385 refpolicy: Define and allow map permission
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:53:14 -04:00
Stephen Smalley
cfe0a94feb refpolicy: Define smc_socket security class
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, note that it
is enabled as part of the extended_socket_class policy capability, and add
it to the socket_class_set macro.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:00:57 -04:00
cgzones
da89b955a0 domtrans_pattern: use inherited fifo perms 2017-03-08 17:19:26 +01:00
cgzones
d3462090d5 m4 errprint: add __program__ info 2017-03-08 17:16:27 +01:00
Russell Coker
d504e1ef1b rw_inherited_file_perms
This patch defines rw_inherited_file_perms.  It's needed by a few patches
I'm going to send soon so I need to get it in before they go in.

Also it's generally a good thing to have.  We should reconsider some of the
other policy for whether it should use this.
2017-02-23 20:52:04 -05:00
Chris PeBenito
7d9a3be9f0 Merge pull request #98 from cgzones/admin_process_pattern
add admin_process_pattern macro
2017-02-18 12:38:23 -05:00
Chris PeBenito
dd03d589e2 Implement WERROR build option to treat warnings as errors.
Add this to all Travis-CI builds.
2017-02-18 10:20:20 -05:00
cgzones
dd4cfd8a77 add admin_process_pattern macro
useful for MODULE_admin interfaces
2017-02-17 16:26:22 +01:00
Russell Coker
69215f0664 inherited file and fifo perms
The following patch defines new macros rw_inherited_fifo_file_perms and
rw_inherited_term_perms for the obvious reason.

I've had this in Debian for a while and some Debian policy relies on it.

I think it's appropriate to include this before including any policy that
relies on it because it's an obvious foundation for writing good policy.

We could have inherited perms macros for other object types, but terminals
and fifos are the main ones that get inherited.  The next best candidate
for such a macro is a sock_file, and that's largely due to systemd setting
programs stdout/stderr to unix domain sockets.
2017-02-12 13:55:25 -05:00
Stephen Smalley
4637cd6f89 refpolicy: drop unused socket security classes
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family.  Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-15 13:03:57 -05:00
Stephen Smalley
09ebf2b59a refpolicy: Define extended_socket_class policy capability and socket classes
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability.  Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains.  Allowing access
by other domains to the new socket security classes is left to future
commits.

The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 18:07:42 -05:00
cgzones
d8cb498284 remove trailing whitespaces 2016-12-06 13:45:13 +01:00
cgzones
00df10e2cb keep 2 empty lines in front of a new section 2016-12-02 16:20:26 +01:00
cgzones
e59709a8fe review
reintroduce unpriv_socket_class_set
remove introduced systemd permission sets
2016-12-02 16:16:45 +01:00
cgzones
901a905cbb update policy/support macros
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
2016-12-01 19:38:14 +01:00
Stephen Smalley
58b3029576 Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Nicolas Iooss
c4ea6cc594 Add ioctl and lock to manage_lnk_file_perms
manage_lnk_file_perms permission is expected to be larger than
write_lnk_file_perms and therefore include ioctl and lock.
2014-08-26 08:08:41 -04:00
Chris PeBenito
e5b14e7e3a Add optional file name to filetrans_pattern. 2011-11-02 08:48:25 -04:00
Chris PeBenito
6b63ed7481 Remove deprecated permission sets.
These were deprecated on or around October 9, 2007.
2011-10-14 10:24:18 -04:00
Chris PeBenito
dd49083624 Remove deprecated send_audit_msgs_pattern().
This was deprecated June 12, 2007.
2011-10-14 10:23:05 -04:00
Chris PeBenito
b928020970 Remove deprecated optional_policy usage.
This was deprecated July 25, 2006.
2011-10-14 10:22:16 -04:00
Chris PeBenito
9711c7bdb5 Add tun_socket ubac constraint and add tun_socket to socket_class_set. 2010-11-11 09:48:43 -05:00
Dominick Grift
6887b79031 obj_perm_sets: so that use_terminal interfaces also allow append.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-12 14:12:38 -04:00
Chris PeBenito
155635e33d Create_lnk_perms fix from Russell Coker.
Personally I'd rather dump all those old compatibility macros, make them all
just display a message indicating the new correct thing to do and abort the
build.  But if we are going to keep them then we need to update them and make
them work.

The attached patch adds write access to create_lnk_perms.
2010-06-28 09:33:17 -04:00
Chris PeBenito
a53c6c65a4 FTP patch from Dan Walsh. 2010-04-26 15:15:23 -04:00
Chris PeBenito
c9ab7707b3 add write to manage_lnk_file_perms. 2010-03-04 11:29:06 -05:00
Chris PeBenito
c8d563fcbc Permission set updates from Dan Walsh. 2009-11-25 10:52:16 -05:00
Chris PeBenito
7ca3f559d7 add open to search_dir_perms. 2009-10-22 09:13:04 -04:00
Chris PeBenito
d3cdc3d07c trunk: add open perm to sock_file. 2009-03-11 14:58:03 +00:00
Chris PeBenito
82d2775c92 trunk: more open perm fixes. 2008-10-20 16:10:42 +00:00
Chris PeBenito
0b36a2146e trunk: Enable open permission checks policy capability. 2008-10-16 16:09:20 +00:00
Chris PeBenito
e87221cefe trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00
Chris PeBenito
cbe82b179b trunk: start adding open perm to obvious places. 2008-05-23 18:22:57 +00:00
Chris PeBenito
b34db7a8ec trunk: another pile of misc fixes. 2008-05-22 15:24:52 +00:00
Chris PeBenito
75da4b8ad3 trunk: Patch to fix leaky interface/template call depth calculator from Vaclav Ovsik. 2008-04-18 12:57:01 +00:00
Chris PeBenito
ce8a5299a8 trunk: 3 patches from dan. 2008-02-05 17:41:53 +00:00
Chris PeBenito
ef659a476e Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. 2007-10-09 17:29:48 +00:00
Chris PeBenito
016e5c5cdc trunk: 4 patches from dan. 2007-09-05 14:48:21 +00:00
Chris PeBenito
2d0c9cecaf trunk: several MLS enhancements. 2007-08-20 15:15:03 +00:00
Chris PeBenito
c040ea12b2 trunk: several support macro fixes. 2007-07-31 15:11:22 +00:00
Chris PeBenito
63acaf59d7 trunk: fix pipe permission set in domtrans_pattern(). 2007-07-26 19:41:15 +00:00
Chris PeBenito
d5b81a81ff trunk: Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern(). 2007-06-12 18:46:14 +00:00
Chris PeBenito
7f819d806d add missing rename_dir_perms 2007-05-03 13:15:48 +00:00
Chris PeBenito
f6ddd6b9b7 bools in modules fix to require the boolean in optionals that are part of the base module, and move bool declarations in the base module/monolithic 2007-03-30 12:43:15 +00:00
Chris PeBenito
c0868a7a3b merge policy patterns to trunk 2006-12-12 20:08:08 +00:00
Chris PeBenito
e070dd2df0 - Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
2006-10-04 17:25:34 +00:00
Chris PeBenito
a9e03b3752 * add a macro for generating category declarations
* fix userdom_search_all_users_home_content() to use search_dir_perms;
* change ssh daemon macro to use userdom_search_all_users_home_dirs() instead of _home_content()
2006-09-21 15:48:15 +00:00
Chris PeBenito
ea3c1f508a add helpers for printing warning and error messages 2006-07-25 17:27:00 +00:00