We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each. The context is customized in /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2]
We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t
We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.
[1] The SELinuxContext option for systemd is explained https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained https://www.freedesktop.org/software/systemd/man/systemd.unit.html
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Those mmap() calls are non-essential, though. They're issued by
fdopen(), which can also fall back to read().
Since there are few reasons to grant read access to audit logs other
than for using ausearch, I've added the dontaudits directly to the
relevant read interfaces.
Note that not only kmod needs this permission, other libkmod consumers
like udev require it, too. Hence I'm adding the permission to the
relevant interfaces.
systemd relabels everything in /dev and /run after loading the policy.
In these directories there is a socket file for udev, /run/udev/control,
which is not allowed to be relabelled from tmpfs_t:
avc: denied { relabelfrom } for pid=1 comm="systemd"
name="control" dev="tmpfs" ino=7027
scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t
tclass=sock_file permissive=1
avc: denied { relabelto } for pid=1 comm="systemd" name="control"
dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
permissive=1
/run/tmpfiles.d directory (used by systemd-tmpfiles service) is also
relabelled.
This is currently denied:
avc: denied { create } for pid=1 comm="systemd" name="pts"
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:devpts_t tclass=dir permissive=1
This is a minor update of the last attempt at this patch.
Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf). Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable). Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t.
The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files.
Dave Sugar
dsugar@tresys.com
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Label RHEL specific systemd binaries /usr/lib/systemd/rhel* as initrc_exec_t.
Now in the proper location.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd tries to create /dev/pts directly with its context type
"devpts_t", but this is not allowed:
avc: denied { associate } for pid=1 comm="systemd" name="pts"
scontext=system_u:object_r:devpts_t
tcontext=system_u:object_r:device_t
tclass=filesystem permissive=1
The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup
filesystems.
Allows systemd_backlight_t to search /var/lib.
- drop libustr-dev from package list, as the SELinux userland tools dropped this build dependency
- switch to container based build environments
- drop unnecessary make flags
Strip trailing space(s) from 'NAME' being read from /etc/selinux/config as a trailing space in that name will cause a weird error during the make process for modules built out of tree. This is seen on current RedHat machines which have space in the 'SELINUXTYPE' variable.
Commit 2e7553db63 ("Create / to /usr equivalence for bin, sbin, and
lib, from Russell Coker.") removed from corecommands.fc:
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
Consequently files like /usr/x86_64-w64-mingw32/bin/objdump get labeled
as usr_t:
$ matchpathcon /usr/x86_64-w64-mingw32/bin/objdump
/usr/x86_64-w64-mingw32/bin/objdump system_u:object_r:usr_t
Make such files labeled as bin_t again.
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:
avc: denied { read } for pid=191 comm="auditctl" name="UTC"
dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
avc: denied { open } for pid=191 comm="auditctl"
path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":
[pid 635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
"/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
...
[pid 635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid 635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
[pid 635] lseek(4, -71, SEEK_CUR) = 56
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
[pid 635] close(4) = 0
[pid 635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid 635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
[pid 635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
/etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
NULL, 0) = 81
[pid 635] exit_group(0) = ?
More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time is in local timezone.
[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
1d3087978a),
the following AVC denial gets reported:
avc: denied { module_load } for pid=1 comm="systemd"
scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
tclass=system permissive=1
[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836
/* init_module */
if (file == NULL)
return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
SYSTEM__MODULE_LOAD, NULL);
In this code, both source and target SIDs are current_sid().