Commit Graph

5299 Commits

Author SHA1 Message Date
Nicolas Iooss
4b02c2230d
authlogin: label utempter correctly on Debian
When starting tmux on Debian, the following audit log appears:

    type=AVC msg=audit(1567781766.314:820): avc:  denied  {
    execute_no_trans } for  pid=6686 comm=746D75783A20736572766572
    path="/usr/lib/x86_64-linux-gnu/utempter/utempter" dev="vda1"
    ino=545302 scontext=sysadm_u:sysadm_r:sysadm_screen_t
    tcontext=system_u:object_r:lib_t tclass=file permissive=0

/usr/lib/x86_64-linux-gnu/utempter/utempter is indeed labeled as
system_u:object_r:lib_t, which is wrong.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:43:23 +02:00
Nicolas Iooss
de99bc36dd
apt: allow preventing shutdown by calling a systemd-logind D-Bus method
Since apt 1.8.1 (more precisely since commit
60cc44d160),
apt calls D-Bus method "Inhibit" of interface
"org.freedesktop.login1.Manager" in order to prevent a shutdown from
happening while installing software.

The call from apt to systemd-logind was already allowed through
unconfined_dbus_send(apt_t), but not the reply, which triggered the
following audit log:

    type=USER_AVC msg=audit(1567780304.196:651): pid=287 uid=105
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_return
    dest=:1.137 spid=290 tpid=29557
    scontext=system_u:system_r:systemd_logind_t
    tcontext=sysadm_u:sysadm_r:apt_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:38:59 +02:00
Nicolas Iooss
4f5f923171
apt: allow transition from apt_t to dpkg_t with NNP
On a Debian 10 virtual machine, when running "apt-get update", the
following messages are logged to audit.log, several times:

    type=AVC msg=audit(1567717969.162:1639): avc:  denied  {
    nnp_transition } for  pid=5538 comm="apt-config"
    scontext=sysadm_u:sysadm_r:apt_t tcontext=sysadm_u:sysadm_r:dpkg_t
    tclass=process2 permissive=0

    type=SELINUX_ERR msg=audit(1567717969.162:1639):
    op=security_bounded_transition seresult=denied
    oldcontext=sysadm_u:sysadm_r:apt_t
    newcontext=sysadm_u:sysadm_r:dpkg_t

    type=SYSCALL msg=audit(1567717969.162:1639): arch=c000003e
    syscall=59 success=yes exit=0 a0=55ebb33d7780 a1=55ebb33ed610
    a2=7ffedd210980 a3=0 items=0 ppid=5537 pid=5538 auid=1000 uid=100
    gid=65534 euid=100 suid=100 fsuid=100 egid=65534 sgid=65534
    fsgid=65534 tty=(none) ses=45 comm="dpkg" exe="/usr/bin/dpkg"
    subj=sysadm_u:sysadm_r:apt_t key=(null)

    type=PROCTITLE msg=audit(1567717969.162:1639):
    proctitle=2F7573722F62696E2F64706B67002D2D7072696E742D666F726569676E2D61726368697465637475726573

According to strace, this occurs when sub-commands like "apt-config
shell MASTER_KEYRING APT::Key::MasterKeyring" execute
"/usr/bin/dpkg --print-foreign-architectures".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:36:25 +02:00
Nicolas Iooss
e399c7f642
Label programs in /usr/bin like /usr/sbin
Some recent modifications added patterns in .fc files for programs in
/usr/sbin without adding the patterns for /usr/bin. On Arch Linux, where
/usr/sbin is a symlink to /usr/bin, such patterns are never matched.

Add the missing patterns.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-04 22:28:09 +02:00
Nicolas Iooss
3edba7f505
portage: really make consoletype module optional
All callers of consoletype_exec() put it in an optional_policy() block
but portage. This makes consoletype module mandatory when module portage
is loaded, even when consoletype is not installed.

Fix this issue by introducing an optional_policy() block.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-04 22:13:41 +02:00
Nicolas Iooss
b8f2c55109
cups: use ([^/]+/)? to match a subdirectory of CUPS configuration
It seems that /opt/brother/Printers/ only has one level of directories
before a directory named "inf", according to several websites. For
example:

* https://www.linuxquestions.org/questions/slackware-14/trying-to-add-driver-for-brother-hl-l2300d-4175535636/
* https://forums.opensuse.org/showthread.php/531271-Brother-printer-driver-installs-but-can-t-print/page2

Modify the pattern for /opt/brother/Printers/${MODEL_NAME}/inf in order
to only allow at most one level, with "([^/]+/)?".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-04 20:57:07 +02:00
Chris PeBenito
51c4812c23 INSTALL: Fix build requirements.
Closes #85.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-03 19:47:48 -04:00
Chris PeBenito
5d636c2d16 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-03 19:47:12 -04:00
Chris PeBenito
9d80ada777 Merge pull request #78 from fishilico/debian-dynamic-motd 2019-09-03 19:44:13 -04:00
Chris PeBenito
2fa4070b60 Merge pull request #63 from fishilico/systemd-privatedev 2019-09-03 19:39:18 -04:00
Chris PeBenito
f907287428 Merge pull request #79 from fishilico/corecommands-no-backslash-d 2019-09-03 19:34:47 -04:00
Chris PeBenito
05e9bc96f3 Merge pull request #80 from fishilico/typo-libraries-fc 2019-09-03 19:34:16 -04:00
Chris PeBenito
57562d974a Merge pull request #81 from fishilico/unnecessary-paren-java-fc 2019-09-03 19:33:43 -04:00
Chris PeBenito
39fd1ed486 Merge pull request #83 from fishilico/vagrant-devel 2019-09-03 19:30:48 -04:00
Chris PeBenito
dadf53bd6e Merge pull request #84 from fishilico/systemd-timesyncd-networkd 2019-09-03 19:30:13 -04:00
Dominick Grift
3228c2b997 domain: unconfined access to bpf
Signed-off-by: Dominick Grift <dac.override@gmail.com>
2019-09-03 19:25:41 -04:00
Nicolas Iooss
aa7e8d4091
ntp: allow systemd-timesyncd to read network status
systemd-timesyncd uses network_is_online() [1], which calls
sd_network_get_operational_state() [2], which reads
/run/systemd/netif/state [3]:

    r = parse_env_file(NULL, "/run/systemd/netif/state", "OPER_STATE", &s);

On a Debian virtual machine created with Vagrant,
/run/systemd/netif/state contains:

    # This is private data. Do not parse.
    OPER_STATE=routable
    DNS=192.168.121.1 172.28.128.1

systemd-timesyncd's access produces the following logs:

    type=AVC msg=audit(1567359197.660:323): avc:  denied  { read } for
    pid=230 comm="systemd-timesyn" name="state" dev="tmpfs" ino=24564
    scontext=system_u:system_r:ntpd_t
    tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
    permissive=1

    type=AVC msg=audit(1567359197.660:324): avc:  denied  { open } for
    pid=230 comm="systemd-timesyn" path="/run/systemd/netif/state"
    dev="tmpfs" ino=24564 scontext=system_u:system_r:ntpd_t
    tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
    permissive=1

    type=AVC msg=audit(1567359197.660:325): avc:  denied  { getattr }
    for  pid=230 comm="systemd-timesyn" path="/run/systemd/netif/state"
    dev="tmpfs" ino=24564 scontext=system_u:system_r:ntpd_t
    tcontext=system_u:object_r:systemd_networkd_var_run_t tclass=file
    permissive=1

Allow these accesses.

[1] https://github.com/systemd/systemd/blob/v242/src/timesync/timesyncd.c#L158
[2] https://github.com/systemd/systemd/blob/v242/src/libsystemd/sd-network/network-util.c#L13
[3] https://github.com/systemd/systemd/blob/v242/src/libsystemd/sd-network/sd-network.c#L27

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 20:44:14 +02:00
Nicolas Iooss
82e7ff119f
Vagrantfile: add a Debian virtual machine
Configure a Debian 10 "buster" VM in order to use SELinux with
refpolicy.

This is useful in order to test refpolicy on a minimal Debian system,
for example to debug issues related to Debian patches such as the one
fixed in https://github.com/SELinuxProject/refpolicy/pull/78.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 18:58:29 +02:00
Nicolas Iooss
ea8a79e36a
Vagrantfile: build and install refpolicy on Fedora VM
Add provisioning commands that set-up refpolicy with the required build
configuration for Fedora.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 18:58:11 +02:00
Nicolas Iooss
e09bcff3d2
cups: add a slash to match /opt/brother/Printers/
The pattern /opt/brother/Printers(.*/)?inf(/.*)? matches the content of
directories such as /opt/brother/Printersinf/, which seems buggy. On
several systems, /opt/brother/Printers/ is a directory that contains
directories named as printer models.

Add a "/" before "(.*/)?" in order to make sure subdirectories of
/opt/brother/Printers named "inf" are matched by the pattern.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 16:07:41 +02:00
Nicolas Iooss
0db0cd3057
java: remove unnecessary parentheses in pattern
/usr/lib/jvm/java(.*/)bin(/.*)? uses misleading parentheses around
".*/". In some cases, a pattern with (.*/) is a mispelling to (.*/)?,
but not here (/usr/lib/jvm/javabin/ never exists).

Moreover, using .* here is right, as the pattern matches the content of
subdirectories of /usr/lib/jvm/ which names are prefixed by java. More
precisely, the pattern matches for example:

- programs in /usr/lib/jvm/java-10-openjdk/bin
- programs in /usr/lib/jvm/java-8-openjdk/jre/bin

In the end, the pattern does not have any error, but the parentheses are
misleading. Remove them.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 16:06:32 +02:00
Nicolas Iooss
6901075d7f
libraries: fix some misspellings in patterns
In libraries.fc:

- "(/.*?)" is very likely a misspelling for (/.*)?
- "sidecars/*" with "--" as file type is very likely a misspelling for
  sidecars/.+, in order to match files that are shared libraries.
- "/opt/netbeans(.*/)?jdk" matches "/opt/netbeansjdk", which is buggy.

In Apache NetBeans 11.1 downloaded from
https://netbeans.apache.org/download/nb111/nb111.html, there are files
such as profiler/lib/deployed/jdk16/linux-amd64/libprofilerinterface.so.
Several websites document installing NetBeans in directories such as
/opt/netbeans-11.1/, so the installed .so files are probably installed in
/opt/netbeans-11.1/profiler/lib/deployed/jdk16/linux-amd64/libprofilerinterface.so.
There is thus an issue with the current pattern:

    /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)*

This pattern requires "/linux/" in the path, not "/linux-amd64/".

As this pattern was introduced in 2007 by commit 02d968c581 ("trunk:
several fc updates from dan."), consider it as outdated and remove it.

If the .so files in /opt/netbeans/ really need a label such as
textrel_shlib_t, a file pattern will need to be written with less issues
than the one which is removed.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 15:47:57 +02:00
Nicolas Iooss
2da886dccf
corecommands: no longer use \d
In order to detect bugs like the one fixed by commit d938683bf4
("drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd"), forbid
the use of \d in the policy. This was actually only used to match

    /usr/share/apr-1/build/...

with

    /usr/share/apr(-\d)?/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
    /usr/share/apr(-\d)?/build/libtool --	gen_context(system_u:object_r:bin_t,s0)

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 15:26:55 +02:00
Nicolas Iooss
f9deb94ba4
Check the .fc files for common typos
Writing .fc files without any mistake is quite hard. Sometimes a regular
expression pattern compiles fine but it does not match what is intended.

Add a script that detects some issues in .fc files. When this script is
used directly ("./testing/check_fc_files.py"), it checks the content of
policy/. The path to policy/ can also be provided by option -p.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 15:05:23 +02:00
Nicolas Iooss
58189f4965
entropyd: haveged service uses PrivateDevices=yes
On Debian, haveged fails to start with "haveged: Couldn't open random
device: Permission denied". strace shows:

    openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied)

audit.log has:

    type=AVC msg=audit(1566048720.132:1338): avc:  denied  { search }
    for  pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666
    scontext=system_u:system_r:entropyd_t
    tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0

With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs
the search permission to it in order to open /dev/random. Use the
newly-added interface to allow this access.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 13:47:45 +02:00
Nicolas Iooss
c021287125
Allow Debian to generate a dynamic motd when users log in
Debian's PAM configuration uses a patched pam_motd module that runs
files in /etc/update-motd.d/ in order to generate a dynamic Message Of
The Day (MOTD). By default, there is only one script:

    $ cat /etc/update-motd.d/10-uname
    #!/bin/sh
    uname -snrvm

According to https://wiki.debian.org/motd, the script is executed
through run-parts:

    if (!system("/usr/bin/env -i
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    run-parts --lsbsysinit /etc/update-motd.d >
    /run/motd.dynamic.new"))
        rename("/run/motd.dynamic.new", "/run/motd.dynamic");

This requires allowing pam_motd users to execute bin_t commands
(/usr/bin/env) and shells (/bin/sh), and to manage /run/motd.dynamic*
files.

Allow relevant accesses for Debian-based systems.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 13:44:28 +02:00
Nicolas Iooss
83797144d1
Vagrantfile: upgrade VM to Fedora 30
Use the official Fedora cloud image as a base for the virtual machine.

Allow defining other virual machines by putting the configuration of
Fedora's one into a sub-level.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-31 16:17:08 +02:00
Chris PeBenito
6b11dcef89 Various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-31 06:55:57 -04:00
Chris PeBenito
b43aebcc2f Merge pull request #70 from fishilico/typo-dot-star-question-fc 2019-08-31 06:26:00 -04:00
Chris PeBenito
e88ca002eb Merge pull request #75 from fishilico/fc-escape-single-dot 2019-08-31 06:24:06 -04:00
Nicolas Iooss
a7e3407606
systemd: introduce an interface for services using PrivateDevices=yes
When a service is configured with PrivateDevices=yes, its /dev directory
has label tmpfs_t. This requires allowing more accesses in order for the
service to use /dev.

This is related to https://github.com/SELinuxProject/refpolicy/pull/61

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-29 20:05:29 +02:00
Nicolas Iooss
d00eddb885
libraries: drop a pattern specific to Python 2.4
Apply comment https://github.com/SELinuxProject/refpolicy/pull/75#discussion_r318831927

    We don't support any systems that are so old they have Python 2.4.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-29 20:03:02 +02:00
Nicolas Iooss
d386950b0d
Fix use of buggy pattern (.*)?
The pattern "(.*)?" means "match anything including the nothing, or
nothing": the question mark is redundant. This is likely to be a
mispelling for "(/.*)?", which means "match a slash and anthing, or
nothing", or for ".*", or for other patterns.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-29 19:57:05 +02:00
Chris PeBenito
0b2ab72127 files: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-28 19:22:27 -04:00
Chris PeBenito
72693a37fc Merge pull request #72 from fishilico/files-usr-include-reduce-scope 2019-08-28 19:18:13 -04:00
Nicolas Iooss
f0cade07b2
Remove unescaped single dot from the policy
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.

Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-27 23:38:09 +02:00
Nicolas Iooss
c9602a0cac
files: reduce the scope of the pattern matching /usr/include
The pattern that matches /usr/include uses a dot, in order probably to
avoid calling m4's function include(). This also matches other paths
such as /usr/inclu/e. Such a side-effect can be avoided by inserting an
empty string which is removed by m4's preprocessing.

Mailing-list discussion: https://lore.kernel.org/selinux-refpolicy/CAJfZ7=krh_TaCBQzFxLM394Sc5-82ZO0DdcfvWON-RXu-wqBVw@mail.gmail.com/t/#u

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-27 22:39:37 +02:00
Chris PeBenito
b0fb76565b rpcbind: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-27 00:36:40 -04:00
Chris PeBenito
373a1c090a Merge pull request #73 from fishilico/rpcbind-redundant-pid-fc 2019-08-27 00:36:18 -04:00
Chris PeBenito
68b74385a4 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-27 00:28:34 -04:00
Chris PeBenito
95c4192509 Merge pull request #64 from fishilico/haveged-unit 2019-08-27 00:20:24 -04:00
Chris PeBenito
7e5503155c Merge pull request #65 from fishilico/haveged-cmd-socket 2019-08-27 00:19:57 -04:00
Chris PeBenito
20f1151192 Merge pull request #66 from fishilico/ulogd-fix-context 2019-08-27 00:19:10 -04:00
Chris PeBenito
1106d0b692 Merge pull request #67 from fishilico/typo-monit-s9 2019-08-27 00:18:47 -04:00
Chris PeBenito
5c9d60245b Merge pull request #68 from fishilico/typo-java-fc 2019-08-27 00:18:24 -04:00
Chris PeBenito
de3e9befcc Merge pull request #69 from fishilico/typo-lib-adobe-fc 2019-08-27 00:17:46 -04:00
Chris PeBenito
f3b7aeb872 Merge pull request #71 from fishilico/typo-drbd-fc 2019-08-27 00:09:47 -04:00
Nicolas Iooss
6875a1b0a5
rpcbind: remove redundant file context for /run/rpc.statd.pid
There are two patterns that define file contexts for /run/rpc.statd.pid:

* in policy/modules/services/rpcbind.fc:

    /run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)

* in policy/modules/services/rpc.dc:

    /run/rpc\.statd\.pid	--	gen_context(system_u:object_r:rpcd_var_run_t,s0)

They coexist even though their labels differ because the first one uses
a unescaped dot. As it does not seem to exist other files matching the
first pattern, remove it in order to only keep the second one.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-22 21:49:28 +02:00
Nicolas Iooss
d938683bf4
drbd: fix pattern for /usr/lib/ocf/resource.d/linbit/drbd
In order to match /usr/lib/ocf/resource.d/linbit/drbd, the dot needs to
be escaped, not the d.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-21 23:03:01 +02:00
Nicolas Iooss
1b44cb6c2e
libraries: match a digit in Adobe Reader directories
Patterns using this have a small issue:

    /opt/Adobe/Reader.?/Reader/intellinux

The issue is that the dot can also match a slash. A bettern pattern
would be:

    /opt/Adobe/Reader[^/]?/Reader/intellinux

In this specific case, the intent is to match digits (like
/opt/Adobe/Reader9). Use [0-9] for this.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-21 21:43:56 +02:00