Commit Graph

4545 Commits

Author SHA1 Message Date
Jason Zaman
c149cf9fc3 Allow sysadm to map all non auth files
The idea and code are from perfinion. I support it, but we should
probably discuss it.
2017-09-13 18:40:24 -04:00
Luis Ressel
65bfd23fbb Grant all permissions neccessary for Xorg and basic X clients
Note that dev_rw_dri already has the permission, it was just forgotten
to add it to dev_manage_dri, too.
2017-09-13 18:40:24 -04:00
Chris PeBenito
3548e3b3fe Module version bumps. 2017-09-12 20:16:35 -04:00
Chris PeBenito
469766dde6 init: Move init_spec_daemon_domain implementation. 2017-09-12 19:35:31 -04:00
David Sugar
bc94acf133 Add init_spec_daemon_domain interface
We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option  to specify a context for the service being started.  The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each.  The context is customized in /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0)  [2]

We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t

We have created the following interface (in init.if) to meet our needs.  The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.

[1] The SELinuxContext option for systemd is explained https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained https://www.freedesktop.org/software/systemd/man/systemd.unit.html

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-12 19:34:26 -04:00
Luis Ressel
487de20913 logging: Various audit tools (auditctl, ausearch, etc) map their config and logs
Those mmap() calls are non-essential, though. They're issued by
fdopen(), which can also fall back to read().

Since there are few reasons to grant read access to audit logs other
than for using ausearch, I've added the dontaudits directly to the
relevant read interfaces.
2017-09-12 19:29:34 -04:00
Luis Ressel
ec27acdf1f userdomain: man-db needs to map its 'index.db' cache 2017-09-12 19:29:34 -04:00
Luis Ressel
870bb5c789 miscfiles: Allow libfontconfig consumers to map the fonts cache 2017-09-12 19:29:34 -04:00
Luis Ressel
dfcdb40e6e kernel: Add map permission to the dev_{read, write}_sound* interfaces
sds already added it to dev_read_sound_mixer, but it's also needed in
the other interfaces.
2017-09-12 19:29:34 -04:00
Chris PeBenito
095ad7923a Several module version bumps. 2017-09-11 20:34:13 -04:00
Luis Ressel
bbab9e970d selinuxutil: Add map permissions neccessary for semanage 2017-09-11 20:31:23 -04:00
Luis Ressel
c695860748 files: Create files_map_usr_files interface 2017-09-11 20:31:23 -04:00
Luis Ressel
c772611817 userdomain: Add various interfaces granting the map permission 2017-09-11 20:31:23 -04:00
Luis Ressel
fa14c7d141 libraries: ldconfig maps its "aux-cache" during cache updates 2017-09-11 20:31:23 -04:00
Luis Ressel
14107ce1c0 modutils: libkmod mmap()s modules.dep and *.ko's
Note that not only kmod needs this permission, other libkmod consumers
like udev require it, too. Hence I'm adding the permission to the
relevant interfaces.
2017-09-11 20:31:23 -04:00
Chris PeBenito
7025086a9c terminal: Rename term_create_devpts. 2017-09-11 20:03:58 -04:00
Nicolas Iooss
60382e9e53 init: allow systemd to relabel /dev and /run
systemd relabels everything in /dev and /run after loading the policy.
In these directories there is a socket file for udev, /run/udev/control,
which is not allowed to be relabelled from tmpfs_t:

    avc:  denied  { relabelfrom } for  pid=1 comm="systemd"
    name="control" dev="tmpfs" ino=7027
    scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t
    tclass=sock_file permissive=1

    avc:  denied  { relabelto } for  pid=1 comm="systemd" name="control"
    dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
    permissive=1

/run/tmpfiles.d directory (used by systemd-tmpfiles service) is also
relabelled.
2017-09-11 20:03:31 -04:00
Nicolas Iooss
ae40418b24 init: allow systemd to create /dev/pts as devpts_t
This is currently denied:

     avc:  denied  { create } for  pid=1 comm="systemd" name="pts"
     scontext=system_u:system_r:init_t
     tcontext=system_u:object_r:devpts_t tclass=dir permissive=1
2017-09-11 20:03:31 -04:00
Chris PeBenito
cc6cb6c344 files: Move files_check_write_pid_dirs interface. 2017-09-11 19:35:54 -04:00
Christian Göttsche
ff0937af03 rkhunter: add interfaces for var_run and lock dir access check 2017-09-11 19:33:26 -04:00
David Sugar
c974aa56b1 Label /etc/rsyslog.d as syslog_conf_t
This is a minor update of the last attempt at this patch.

Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf).  Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable).  Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t.

The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files.

Dave Sugar
dsugar@tresys.com

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-11 18:57:29 -04:00
Chris PeBenito
fc044b53fd init: Module version bump for patch from Dave Sugar. 2017-09-08 19:33:43 -04:00
Chris PeBenito
46bf71752a init: Move fc lines. 2017-09-08 19:30:34 -04:00
David Sugar
bd515fd951 Label RHEL specific systemd binaries
Label RHEL specific systemd binaries /usr/lib/systemd/rhel* as initrc_exec_t.
Now in the proper location.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-08 19:28:31 -04:00
Chris PeBenito
bf9da2ba78 Module version bump for patches from Nicolas Iooss. 2017-09-08 11:52:12 -04:00
Nicolas Iooss via refpolicy
69d400af3b terminal: /dev/pts exists in /dev filesystem
systemd tries to create /dev/pts directly with its context type
"devpts_t", but this is not allowed:

    avc:  denied  { associate } for  pid=1 comm="systemd" name="pts"
    scontext=system_u:object_r:devpts_t
    tcontext=system_u:object_r:device_t
    tclass=filesystem permissive=1
2017-09-08 11:43:48 -04:00
Nicolas Iooss
f23e6ee79c corecommands: label Arch Linux pacman's scripts as bin_t
On Arch Linux, the package manager uses hooks which execute scripts in
/usr/share/libalpm/scripts.
2017-09-08 11:42:08 -04:00
Chris PeBenito
a46fbbc2fb systemd: Whitespace fix. 2017-09-08 11:41:56 -04:00
Chris PeBenito
1fdac56605 systemd, udev: Module version bump. 2017-09-06 11:04:11 -04:00
David Sugar
8d21fda960 Separate read and write interface for tun_tap_device_t
The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access).  It is possible to open a tap device for only reading or only writing and this allows policy to match that use.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-06 10:59:34 -04:00
Russell Coker
b174a9abf6 udev and dhcpd
Allow udev to talk to init via dbus and get generic unit status.

Add correct labeling for dhcpd6.leases file.
2017-09-06 10:49:49 -04:00
Russell Coker
1ca7df474f systemd nspawn and backlight
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints.  Also allows systemd_nspawn_t to umount cgroup
filesystems.

Allows systemd_backlight_t to search /var/lib.
2017-09-06 10:46:28 -04:00
Krzysztof Nowicki
d9861c32ad Add policy for systemd GPT generator 2017-09-06 10:08:48 -04:00
Christian Göttsche
84ae1213dc update travis
- drop libustr-dev from package list, as the SELinux userland tools dropped this build dependency
 - switch to container based build environments
 - drop unnecessary make flags
2017-09-06 10:02:22 -04:00
Chris PeBenito
779075a859 Update contrib. 2017-08-31 21:36:23 -04:00
David Sugar
f8a4b8e28b Strip spaces from NAME
Strip trailing space(s) from 'NAME' being read from /etc/selinux/config as a trailing space in that name will cause a weird error during the make process for modules built out of tree.  This is seen on current RedHat machines which have space in the 'SELINUXTYPE' variable.
2017-08-31 21:19:32 -04:00
Chris PeBenito
91c8855bce dbus: move comments out of the file context definitions 2017-08-24 17:19:01 -04:00
Chris PeBenito
690d6ca905 Update contrib. 2017-08-19 12:03:11 -04:00
Chris PeBenito
42d109d30c Module version bump for fixes from Nicolas Iooss. 2017-08-19 12:02:58 -04:00
Nicolas Iooss
98170eaf55 Allow dhcpcd to use generic netlink and raw IP sockets
dhcpcd uses a raw IPv6 socket to receive router advertisement and
neighbor advertisement packets in
https://roy.marples.name/git/dhcpcd.git/tree/ipv6nd.c?h=dhcpcd-6.11.5
and uses NETLINK_GENERIC in
https://roy.marples.name/git/dhcpcd.git/tree/if-linux.c?h=dhcpcd-6.11.5
for some NetLink sockets.
2017-08-19 12:01:56 -04:00
Nicolas Iooss
179e3217b0 Add "/usr/(.*/)?bin(/.*)?" pattern back
Commit 2e7553db63 ("Create / to /usr equivalence for bin, sbin, and
lib, from Russell Coker.") removed from corecommands.fc:

    /usr/(.*/)?bin(/.*)?    gen_context(system_u:object_r:bin_t,s0)

Consequently files like /usr/x86_64-w64-mingw32/bin/objdump get labeled
as usr_t:

    $ matchpathcon /usr/x86_64-w64-mingw32/bin/objdump
    /usr/x86_64-w64-mingw32/bin/objdump system_u:object_r:usr_t

Make such files labeled as bin_t again.
2017-08-19 12:01:56 -04:00
Chris PeBenito
9f7cbe1427 Module version bump for patches from Nicolas Iooss. 2017-08-13 19:52:41 -04:00
Chris PeBenito
81aa9242aa logging: Move line. 2017-08-13 19:52:16 -04:00
Nicolas Iooss
28ad98572b corecommands: label dhcpcd hook scripts bin_t
dhcpcd executes scripts in /usr/lib/dhcpcd/:

    avc:  denied  { execute_no_trans } for  pid=608 comm="dhcpcd"
    path="/usr/lib/dhcpcd/dhcpcd-run-hooks" dev="vda1" ino=406981
    scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:lib_t
    tclass=file permissive=1
2017-08-13 19:51:19 -04:00
Nicolas Iooss
52109514d5 audit: allow reading /etc/localtime
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:

    avc:  denied  { read } for  pid=191 comm="auditctl" name="UTC"
    dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1
    avc:  denied  { open } for  pid=191 comm="auditctl"
    path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
    scontext=system_u:system_r:auditctl_t
    tcontext=system_u:object_r:locale_t tclass=file permissive=1

This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":

    [pid   635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
    "/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
    ...
    [pid   635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
    such file or directory)
    [pid   635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
    [pid   635] lseek(4, -71, SEEK_CUR)     = 56
    [pid   635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
    [pid   635] close(4)                    = 0
    [pid   635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
    [pid   635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
    [pid   635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
    /etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
    NULL, 0) = 81
    [pid   635] exit_group(0)               = ?

More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time is in local timezone.

[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
2017-08-13 19:51:18 -04:00
Chris PeBenito
495e2c203b Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito
0ba1970b7c kernel: Module version bump for patch from Nicolas Iooss. 2017-08-08 20:02:22 -04:00
Nicolas Iooss
5cfe0def8b Add module_load permission to self when loading modules is allowed
When a program uses init_module() to load a module, the kernel checks
for system:load_module permission in the process type [1].
For example when systemd loads ip_tables modules (since
1d3087978a),
the following AVC denial gets reported:

    avc:  denied  { module_load } for  pid=1 comm="systemd"
    scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t
    tclass=system permissive=1

[1] The relevant kernel code is selinux_kernel_module_from_file() in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/hooks.c?h=v4.11#n3836

    /* init_module */
    if (file == NULL)
        return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
                    SYSTEM__MODULE_LOAD, NULL);

In this code, both source and target SIDs are current_sid().
2017-08-08 19:58:47 -04:00
Chris PeBenito
8067ed0181 .travis.yml: Use git tag instead of release tarball for selinux userspace. 2017-08-06 19:06:28 -04:00
Chris PeBenito
efa32d9b56 Remove deprecated interfaces older than one year old.
Additionally one deprecated attribute removed.
2017-08-06 17:03:17 -04:00