Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage
bootloader files in UEFI (DOS) partition need also to manage UEFI boot
variables in efivarfs. Bootctl (systemd-boot tool) verifies the type
of EFI file system and needs to mmap() the files.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Build SECMARK rules for iptables and NFT, install them as
/usr/share/doc/$PKGNAME/netfilter_contexts{,.nft}.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Add KWin to list of window managers and allow it to mmap wm_tmpfs_t
files to avoid a crash. Related audit event:
type=AVC msg=audit(04/24/2020 15:39:25.287:679) : avc: denied { map } for pid=1309 comm=kwin_x11 path=/memfd:JSVMStack:/lib/x86_64-linux-gnu/libQt5Qml.so.5 (deleted) dev="tmpfs" ino=45261 scontext=user_u:user_r:user_wm_t:s0 tcontext=user_u:object_r:wm_tmpfs_t:s0 tclass=file permissive=0
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Allow systemd-networkd to send and receive ICMPv6 Router Solicitation
and Router Advertisement packets (in reality all ICMP/ICMPv6 packets)
and DHCP client packets.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
In many cases, this won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
`sysdig` is a tool that enables introspecting the system, debugging it,
etc. It uses a driver that creates `/dev/sysdig0`. Define a specific
label in order to be able to allow using it.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Debian 10, ``systemd --user`` runs some generators in
/usr/lib/systemd/user-environment-generators when a user session starts.
Here is what is logged in audit.log for a sysadm user.
type=AVC msg=audit(1586962888.516:65): avc: denied { getattr } for
pid=309 comm="(sd-executor)"
path="/usr/lib/systemd/user-environment-generators/90gpg-agent"
dev="vda1" ino=662897 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
permissive=1
type=AVC msg=audit(1586962888.516:66): avc: denied { map } for
pid=310 comm="30-systemd-envi"
path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
dev="vda1" ino=655822 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
permissive=1
type=AVC msg=audit(1586962888.516:66): avc: denied
{ execute_no_trans } for pid=310 comm="(direxec)"
path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
dev="vda1" ino=655822 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
permissive=1
Run these program without domain transition.
This follows a discussion that took place in
https://github.com/SELinuxProject/refpolicy/pull/224
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
During normal m4 parsing, m4 outputs a blank line for each define() call. This results in the first roughly 500 lines of the .tmp files for each module being largely blank lines. Adding divert() calls to the m4 generation for generated_definitions redirects this output, so the beginning of the actual policy appears near the top of the .tmp files.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
Don't ignore port ranges. For example:
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
can be used to generate:
base -A selinux_new_input -p udp --dport 10080:10082 -j SECMARK --selctx system_u:object_r:amanda_server_packet_t:s0
base -A selinux_new_input -p tcp --dport 10080:10083 -j SECMARK --selctx system_u:object_r:amanda_server_packet_t:s0
base -A selinux_new_output -p udp --dport 10080:10082 -j SECMARK --selctx system_u:object_r:amanda_client_packet_t:s0
base -A selinux_new_output -p tcp --dport 10080:10083 -j SECMARK --selctx system_u:object_r:amanda_client_packet_t:s0
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Optionally generate Netfilter NFT tables. Sample output:
```#!/usr/sbin/nft -f
flush ruleset
table inet security {
secmark default_input_packet {
"system_u:object_r:server_packet_t:s0"
}
secmark default_output_packet {
"system_u:object_r:client_packet_t:s0"
}
secmark afs_bos_input {
"system_u:object_r:afs_bos_server_packet_t:s0"
}
secmark afs_bos_output {
"system_u:object_r:afs_bos_client_packet_t:s0"
}
...
chain INPUT {
type filter hook input priority 0; policy accept;
ct state new meta secmark set "default_input_packet"
ct state new udp dport 7007 meta secmark set "afs_bos_input"
...
ct state new ct secmark set meta secmark
ct state established,related meta secmark set ct secmark
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
ct state new meta secmark set "default_output_packet"
ct state new udp dport 7007 meta secmark set "afs_bos_output"
...
ct state new ct secmark set meta secmark
ct state established,related meta secmark set ct secmark
}
}
```
The labels are applied to TCP and/or UDP as needed. MCS and MLS are
not really handled.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
The various /bin/tpm2_* binaries use dbus to communicate
with tpm2-abrmd and also can directly access /dev/tpmrm0. This
seems like a way to help limit access to the TPM by running the
tpm_* binaries in their own domain.
I setup this domain because I have a process that needs to use
tpm2_hmac to encode something, but didn't want that domain to
have direct access to the TPM. I did some basic testing to verify
that the other tpm2_* binaries have basically the same access needs.
But it wasn't through testing of all the tpm2_* binaries.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
When testing issues in older versions of refpolicy (for example when
git-bisecting a regression), the newer policy modules are kept in
/usr/share/selinux/refpolicy/ and trigger errors when they fail to be
loaded by "semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp".
Avoid this situation by removed old modules from
/usr/share/selinux/refpolicy/ before running "make install".
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>