Commit Graph

5560 Commits

Author SHA1 Message Date
Daniel Burgener
70a1c1ede2 Add requires to interfaces that reference types or attributes without requiring them
Signed-off-by: Daniel Burgener <dburgener@tresys.com>
2020-01-16 09:59:56 -05:00
Chris PeBenito
f4dfd9e245 domain, snort: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-16 09:55:00 -05:00
Chris PeBenito
79066e932f Merge pull request #161 from stephensmalley/netlink 2020-01-16 09:54:06 -05:00
Stephen Smalley
5fd175fa45 Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed from the kernel in commit
d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue
support") circa Linux 3.5.  Consequently, kernels >= 3.5 should never
perform permission checks on these classes although they remained
defined in the SELinux kernel classmap until the netlink classes
were updated by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652
circa Linux v4.2.

Removing these class definitions would break legacy userspace that relies
upon stable values for the userspace security class definitions since it
will perturb those values by removing classes that preceded them.  dbus-daemon
in particular is known to break if its dbus class changes at runtime,
which could occur upon a policy reload that removes these classes.
Fixing this requires ensuring that dbus-daemon looks up the appropriate
class value on each use or upon policy reload, via userspace interfaces
such as selinux_check_access(), string_to_security_class(), and/or
selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function
that remaps the class value if needed.  Other userspace policy enforcers
are believed to have been updated in recent versions but older versions
may break upon such a change.

Hence, this change renames these classes with obsolete_ prefixes and
removes all rules referencing them from refpolicy, thereby preserving
the class numbering for subsequent classes while making it clear that
these classses are no longer meaningful for modern kernels.

This change does however create a potential compatibility break for
kernels < 3.5, since the policy will cease to define the kernel class
names and therefore the kernel will handle permission checks on the
class based on the handle_unknown setting in policy.  For most
Linux distributions, this will default to allow and therefore avoid
breaking userspace but will fail open.  For kernels < 2.6.33 (i.e.
the dynamic class/perm discovery support), the presence of a class
in policy with the same number but a different name than the kernel
class will cause the policy load to fail entirely.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-16 09:17:56 -05:00
Chris PeBenito
7af9eb3e91 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-15 10:42:45 -05:00
Chris PeBenito
ff2e9eb803 Merge pull request #159 from stephensmalley/unused 2020-01-15 10:40:39 -05:00
Chris PeBenito
44aee2e8b2
Merge pull request #158 from fishilico/vagrant-provision-dhclient-ip
Vagrant: allow VirtualBox provisionning to use dhclient and ip
2020-01-14 16:34:04 -05:00
Chris PeBenito
de1c0e8a8f
Merge pull request #157 from fishilico/vagrant-unconfined-ssh-login
Vagrantfile: allow unconfined and sysadm SSH login
2020-01-14 16:33:46 -05:00
Stephen Smalley
f4459adf32 access_vectors: remove flow_in and flow_out permissions from packet class
These permissions were never used upstream; they were only added to the
kernel's classmap when the peer class was added for consistency with
Fedora SELinux policies by:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f67f4f315f31e7907779adb3296fb6682e755342
and were removed from the
kernel's classmap in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47ac19ea429aee561f66e9cd05b908e8ffbc498a

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:42:05 -05:00
Stephen Smalley
8486b8aa83 access_vectors: Remove entrypoint and execute_no_trans from chr_file
entrypoint and execute_no_trans permissions are only ever checked by the
kernel to regular files.  They were added to the chr_file class when
execmod was added (which can be checked on chr_file) to ensure that it
was assigned the same value as for the file class, since the kernel code
always checked FILE__EXECMOD. However, the policy definitions are not
necessary since the kernel and policy values have been decoupled ever
since dynamic class/perm support was introduced and further with the
move of execmod to the common definitions, they were not even needed
in the kernel.

These were removed from the kernel's classmap by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b424485abe2b16580a178b469917a7b6ee0c152a

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:42:05 -05:00
Stephen Smalley
161bda392e access_vectors: Remove unused permissions
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Nicolas Iooss
73f9c0c4ef Vagrant: allow VirtualBox provisionning to use dhclient and ip
When provisioning a Debian test virtual machine with VirtualBox (using
the main Vagrantfile), vagrant runs commands dhclient and ip from a ssh
session because of this directive:

    debian.vm.network "private_network", type: "dhcp"

This triggers:

    type=AVC msg=audit(1578749426.820:68): avc:  denied  { write } for
    pid=541 comm="dhclient" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:dhcpc_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749426.820:68):
    proctitle=2F7362696E2F6468636C69656E74002D34002D76002D69002D72002D
    7066002F72756E2F6468636C69656E742E657468312E706964002D6C66002F7661
    722F6C69622F646863702F6468636C69656E742E657468312E6C6561736573002D
    49002D6466002F7661722F6C69622F646863702F6468636C69656E74362E657468
    31

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { read } for
    pid=544 comm="ip" path="pipe:[14005]" dev="pipefs" ino=14005
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { write } for
    pid=544 comm="ip" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749427.868:69):
    proctitle=6970002D34006164647200666C757368006465760065746831006C61
    62656C0065746831

Handle this by adding attribute vagrant_provisioning_cmd_type to the
relevant domains, in the policy module specific to the Vagrant test
environments.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 22:45:18 +01:00
Nicolas Iooss
653b8a223b Vagrantfile: allow unconfined and sysadm SSH login
Since commit 210b64f10a ("Remove shell automatic domain transitions to
unconfined_t from various pam login programs"), setting ssh_sysadm_login
is mandatory in order to allow vagrant user to use SSH while using
unconfined_u or sysadm_u.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 22:42:20 +01:00
Nicolas Iooss
98a298f8a1 storage: introduce storage_raw_read_fixed_disk_cond
As adding attribute fixed_disk_raw_read to a type cannot occur in a
conditional statement, create a new interface that takes a tunable as
parameter to allow a dangerous access conditionally.

Signed-off-by: Nicolas Iooss <nicolas.iooss_git@polytechnique.org>
2020-01-12 21:57:17 +01:00
Nicolas Iooss
2de74b9ca1 systemd-logind: allow using BootLoaderEntries DBUS property
systemd-logind exposes several properties related to the bootloader. One
of them is BootLoaderEntries [1], which scans the disks using
util-linux's blkid in order to find the ESP (EFI System Partition) [2][3].

This triggers the following logs in audit.log (where /dev/sda1 is the
ESP, mounted on /boot):

    type=AVC msg=audit(1577692922.834:310): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1

    type=AVC msg=audit(1577692922.841:311): avc:  denied  { search } for
    pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.841:312): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.841:313): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.841:313): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.844:314): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.844:315): avc:  denied  { ioctl } for
    pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.851:316): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:316): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:317): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:318): avc:  denied  { ioctl } for
    pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 ioctlcmd=0x5401
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:319): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.851:319): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1"
    ino=5 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

As allowing read access to fixed disks (such as /dev/sda1 here) can be
considered as dangerous, add a conditional to allow the accesses.

[1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315
[2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118
[3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 20:51:45 +01:00
Chris PeBenito
e192a1e73f systemd, userdomain: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-11 10:29:49 -05:00
Chris PeBenito
ced5c5c71e Merge pull request #154 from pebenito/logind-user-tmp-rm 2020-01-11 10:29:27 -05:00
Chris PeBenito
79b987eea8 systemd, virt, netutils: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-08 14:06:37 -05:00
Chris PeBenito
fae8a1f4f2 Merge pull request #153 from fishilico/virt-leaseshelper
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-08 13:59:04 -05:00
Chris PeBenito
25b77fbde6 Merge pull request #148 from fishilico/systemd-efi-options
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-08 13:57:24 -05:00
Chris PeBenito
6b2d9e4e10 Merge pull request #147 from bauen1/netutils-mtr-fix
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-08 13:56:45 -05:00
Chris PeBenito
42145d226a systemd: Logind removes /run/user/* user temp files.
See systemd-user-runtime-dir stop.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-01-07 12:43:44 -05:00
Nicolas Iooss
a887c9628b
virt: allow more accesses to libvirt_leaseshelper
When using libvirt to manage virtual machines, libvirt_leaseshelper
wants to:

* read /etc/libnl/classid
* list the content of /sys/devices/system/node/ in order to read files
  such as /sys/devices/system/node/node0/meminfo
* use getsched

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-04 11:07:12 +01:00
Nicolas Iooss
c8af923318
systemd: allow reading options from EFI variable SystemdOptions
Since systemd 244, systemd can parse EFI variable
SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 like /proc/cmdline
in order to find options. systemd's NEWS file [1] states:

    systemd will also read configuration options from the EFI variable
    SystemdOptions. This may be used to configure systemd behaviour when
    modifying the kernel command line is inconvenient, but configuration
    on disk is read too late, for example for the options related to
    cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
    set the EFI variable.

In practice, all callers of log_parse_environment() read this EFI
variable, because:

* log_parse_environment() is a macro which is expanded to
  log_parse_environment_realm(LOG_REALM) [2].
* log_parse_environment_realm() calls proc_cmdline_parse() when being
  use in system daemons [3].
* proc_cmdline_parse() always calls systemd_efi_options_variable() [4].
* systemd_efi_options_variable() reads SystemdOptions variable [5].

For SELinux, this means that every domain with attribute
systemd_log_parse_env_type wants to read an EFI variable. Allow this
access.

[1] https://github.com/systemd/systemd/blob/v244/NEWS#L18-L23
[2] https://github.com/systemd/systemd/blob/v244/src/basic/log.h#L84
[3] https://github.com/systemd/systemd/blob/v244/src/basic/log.c#L1116
[4] https://github.com/systemd/systemd/blob/v244/src/basic/proc-cmdline.c#L122
[5] https://github.com/systemd/systemd/blob/v244/src/basic/efivars.c#L242

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-30 18:47:22 +01:00
bauen1
d6dabfb56e
netutils: allow mtr to communicate with mtr-packet 2019-12-30 13:53:28 +01:00
Chris PeBenito
cb5e78abe7 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-12-26 12:21:07 -05:00
Jason Zaman
66d7d802da virt: allow lvm_control access
type=AVC msg=audit(1563034372.505:40675): avc:  denied  { read write } for  pid=64033 comm="libvirtd" name="control" dev="devtmpfs" ino=1273 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1563034372.505:40675): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff9a09cd180 a2=2 a3=0 items=1 ppid=1 pid=64033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563034372.505:40675): cwd="/"
type=PATH msg=audit(1563034372.505:40675): item=0 name="/dev/mapper/control" inode=1273 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=0a:ec obj=system_u:object_r:lvm_control_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
17f644c625 virt: Add unix socket for virtlogd/virtlockd
avc:  denied  { listen } for  pid=3236 comm="virtlogd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
9fbd5741a4 chromium: allow dbus chat to inhibit power
Chromium will inhibit power saving when playing videos.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
c0e77208be dirmngr: accept unix stream socket
dirmngr needs to listen and accept on /run/user/1000/gnupg/S.dirmngr

type=AVC msg=audit(1554175286.968:2720907): avc:  denied  { accept } for  pid=15692 comm="dirmngr" path="/run/user/1000/gnupg/S.dirmngr" scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
deb69b3b65 devicekit: udisks needs access to /run/mount/utab.lock
type=AVC msg=audit(1563073723.106:232): avc:  denied  { read } for  pid=7850 comm="udisksd" name="utab.lock" dev="tmpfs" ino=18445 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563073723.106:232): arch=c000003e syscall=254 success=no exit=-13 a0=b a1=55841d66c920 a2=10 a3=0 items=1 ppid=7849 pid=7850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563073723.106:232): cwd="/"
type=PATH msg=audit(1563073723.106:232): item=0 name="/run/mount/utab.lock" inode=18445 dev=00:16 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_runtime_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
32b6f152a2 xserver: ICEauthority can be in /run/user
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Jason Zaman
bcab64fba4 udev: Allow udevadm access to udev_tbl_t
Signed-off-by: Jason Zaman <jason@perfinion.com>
2019-12-26 12:08:25 -05:00
Sugar, David
97635685d5 Fix indent to match the rest of the file (space -> tab)
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-12-26 12:00:32 -05:00
Sugar, David
99a7c5c197 Add interface to read efivarfs_t directory
I'm seeing the following denial when using 'efivars --list'.  This
interface grants access
2019-12-17T15:22:06-05:00 ip-tsc-black tag_audit_log: type=AVC msg=audit(1576596109.149:95): avc:  denied  { read } for  pid=2329 comm="efivar" name="/" dev="efivarfs" ino=11266 scontext=system_u:system_r:my_app_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-12-26 12:00:32 -05:00
Chris PeBenito
335d9425c0 various: Module version bump. 2019-12-26 11:48:27 -05:00
Chris PeBenito
a29e7442ea Merge pull request #144 from fishilico/init-mount-kmsg 2019-12-26 11:41:54 -05:00
Chris PeBenito
9a5d515584 Merge pull request #143 from fishilico/sysadm-chat-hostnamed 2019-12-26 11:41:37 -05:00
Chris PeBenito
ce968cefbb Merge pull request #142 from fishilico/mount-search-bin 2019-12-26 11:41:31 -05:00
Chris PeBenito
3165b50515 Merge pull request #138 from bauen1/filesystem_bpf 2019-12-26 11:41:23 -05:00
Chris PeBenito
a36d1217b8 Merge pull request #136 from bauen1/ifupdown2-fcontext 2019-12-26 11:41:13 -05:00
Chris PeBenito
9c76cca828 Merge pull request #135 from bauen1/sudo-default-types 2019-12-26 11:41:07 -05:00
Chris PeBenito
9fb8494a37
Merge pull request #145 from fishilico/cryfs
Add policy for CryFS, encfs and gocryptfs
2019-12-26 11:37:12 -05:00
Chris PeBenito
c07134adcd
Merge pull request #146 from fishilico/vagrant-fixes
Allow using sysadm_u with Vagrantfile configuration
2019-12-26 11:36:18 -05:00
Chris PeBenito
5d02fc45ff
Merge pull request #141 from fishilico/check_fc_files-allow-arobas
testing/check_fc_files: allow @ character in file context patterns
2019-12-26 11:27:35 -05:00
Nicolas Iooss
7317bd64c0
Vagrantfile: add a specific SELinux policy module
When using Vagrant to run virtual machines with SELinux enabled, several
specific accesses need to be allowed. It does not make much sense to add
the needed rules to the refpolicy, as they are very specific to the use
of Vagrant to provision a virtual machine to test a policy. Therefore,
create a dedicated module to allow the required accesses.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:17:36 +01:00
Nicolas Iooss
d1f92dae04
Vagrantfile: remove sudo
The provisioning scripts are already run as root.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:12:34 +01:00
Nicolas Iooss
d82115ac48
Vagrantfile: fix configuration
"debian" needs to be used instead of "config" in the VM description.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:12:02 +01:00
Nicolas Iooss
358bcef0a4
Add policy for CryFS, encfs and gocryptfs
CryFS (https://www.cryfs.org/) is a software that can be run by non-root
users that have access to /dev/fuse. Its command is directly used to
mount a directory ("/usr/bin/cryfs basedir mountpoint"), like command
"mount". Unmounting a mountpoint is done with "fusermount -u
mountpoint", /usr/bin/fusermount being a setuid-root program labeled
mount_exec_t.

EncFS (https://www.arg0.net/encfs) is a similar software that has been
considered insecure since a security audit in 2014 found vulnerabilities
that are not yet fixed (like https://github.com/vgough/encfs/issues/9).

gocryptfs (https://nuetzlich.net/gocryptfs/) is a similar software that
has been inspired by EncFS.

Allow users with role sysadm to use all these projects.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:03:53 +01:00
Nicolas Iooss
50b9886061
init: allow systemd to mount over /dev/kmsg and /proc/kmsg
When spawning services such as systemd-timedated with systemd 244,
systemd now mounts an inaccessible directory on /dev/kmsg and
/proc/kmsg:

    type=AVC msg=audit(1576535711.579:363): avc:  denied  { mounton }
    for  pid=1497 comm="(imedated)"
    path="/run/systemd/unit-root/dev/kmsg" dev="devtmpfs" ino=9055
    scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:kmsg_device_t tclass=chr_file
    permissive=1

    type=AVC msg=audit(1576535711.583:364): avc:  denied  { getattr }
    for  pid=1497 comm="(imedated)"
    path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027
    scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1

    type=AVC msg=audit(1576535711.589:365): avc:  denied  { mounton }
    for  pid=1497 comm="(imedated)"
    path="/run/systemd/unit-root/proc/kmsg" dev="proc" ino=4026532027
    scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:proc_kmsg_t tclass=file permissive=1

Running "findmnt" in the resulting mount namespace shows:

    |-/dev         dev                             devtmpfs   rw,...
    | `-/dev/kmsg  run[/systemd/inaccessible/chr]  tmpfs      ro,...

    |-/proc        proc                            proc       rw,...
    | `-/proc/kmsg run[/systemd/inaccessible/reg]  tmpfs      ro,...

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 17:29:58 +01:00