402 lines
16 KiB
INI
402 lines
16 KiB
INI
#
|
|
# SELinux Reference policy validation checks
|
|
#
|
|
# Note to users: This file is a good starting point for tightening your own
|
|
# policy. However, these checks are for the entire Reference Policy, i.e.,
|
|
# all modules are included in the policy. If you are using a subset of the
|
|
# modules, the best starting place is to review each of the checks and remove
|
|
# the types in the exempt lists that are not in your policy. Types that are
|
|
# in these lists but not in your policy will *NOT* cause sechecker to fail.
|
|
#
|
|
# Note to developers: In general, please avoid using attributes in the
|
|
# exempt lists. This will make it less likely for unexpected types to pass.
|
|
#
|
|
|
|
[PRIVILEGE-load_policy]
|
|
check_type = assert_te
|
|
desc = Verify only the load_policy program can load a SELinux policy update.
|
|
tclass = security
|
|
perms = load_policy
|
|
exempt_source = kernel_t # Kernel thread loading policy at boot
|
|
load_policy_t # SELinux policy loading tool
|
|
|
|
[PRIVILEGE-setbool]
|
|
check_type = assert_te
|
|
desc = Verify SELinux Booleans can be changed only by expected domains.
|
|
tclass = security
|
|
perms = setbool
|
|
exempt_source = cloud_init_t # VM configuration on initial boot
|
|
init_t
|
|
load_policy_t # Persist Boolean state across policy loads
|
|
puppet_t # Puppet can configure Booleans
|
|
secadm_t # Security admin role
|
|
semanage_t # SELinux management tool, including Booleans
|
|
sysadm_t # System admin role
|
|
|
|
[PRIVILEGE-setenforce]
|
|
check_type = assert_te
|
|
desc = Verify only expected domains can change SELinux to permissive mode.
|
|
tclass = security
|
|
perms = setenforce
|
|
exempt_source = cloud_init_t # VM configuration on initial boot
|
|
secadm_t # Security admin role
|
|
sysadm_t # System admin role
|
|
|
|
[PRIVILEGE-CAP_SYS_MODULE]
|
|
check_type = assert_te
|
|
desc = Verify only expected domains have CAP_SYS_MODULE (kernel module capability)
|
|
tclass = capability
|
|
perms = sys_module
|
|
exempt_source = init_t
|
|
kernel_t
|
|
kmod_t
|
|
spc_t
|
|
systemd_modules_load_t
|
|
udev_t
|
|
|
|
[PRIVILEGE-module_load]
|
|
check_type = assert_te
|
|
desc = Verify only expected domains can directly load kernel modules
|
|
tclass = system
|
|
perms = module_load
|
|
# This list should match the above PRIVILEGE-CAP_SYS_MODULE exempt_source list.
|
|
exempt_source = init_t
|
|
kernel_t
|
|
kmod_t
|
|
spc_t
|
|
systemd_modules_load_t
|
|
udev_t
|
|
|
|
[PRIVILEGE-CAP_SYS_ADMIN]
|
|
check_type = assert_te
|
|
desc = Verify only expected domains have CAP_SYS_ADMIN
|
|
tclass = capability
|
|
perms = sys_admin
|
|
# CAP_SYS_ADMIN is a kitchen sink of privileges, which means many privileged domains need it.
|
|
exempt_source = acpi_t
|
|
acpid_t
|
|
afs_t
|
|
auditadm_sudo_t # Conditional access (allow_polyinstantiation)
|
|
automount_t
|
|
bluetooth_t
|
|
bootloader_t # Install bootloader
|
|
cachefilesd_t
|
|
cgclear_t # Move processes out of cgroups
|
|
cgconfig_t # Configure cgroups
|
|
cgmanager_t # Container cgroup manager
|
|
cgred_t # Move processes to cgroups based on configurable rules
|
|
chromium_sandbox_t
|
|
cockpit_session_t
|
|
container_engine_t
|
|
consoletype_t
|
|
container_t # Conditional access (container_use_sysadmin or container_use_host_all_caps)
|
|
corosync_t
|
|
crio_t
|
|
crond_t # Conditional access (allow_polyinstantiation)
|
|
cryfs_t
|
|
cupsd_t
|
|
devicekit_disk_t
|
|
devicekit_power_t
|
|
disk_munin_plugin_t
|
|
dmesg_t # Clear kernel printk buffer/set kernel log level
|
|
dockerd_t # Container engine (namespacing)
|
|
dockerd_user_t # Container engine (namespacing)
|
|
dphysswapfile_t # Configure swap files
|
|
entropyd_t # Add entropy to the system
|
|
fapolicyd_t
|
|
fsadm_t
|
|
fsdaemon_t
|
|
ftpd_t
|
|
getty_t # Configure tty devices
|
|
glusterd_t
|
|
gpm_t
|
|
hostname_t # Set hostname
|
|
hypervvssd_t
|
|
ifconfig_t
|
|
init_t
|
|
initrc_t
|
|
iscsid_t
|
|
kdump_t
|
|
kernel_t # Kernel threads have all caps
|
|
klogd_t
|
|
kubeadm_t
|
|
lircd_t
|
|
local_login_t # Conditional access (allow_polyinstantiation)
|
|
lvm_t # Configure logical volumes
|
|
mcelog_t # Decode and log CPU machine check exceptions
|
|
mdadm_t # Configure software RAID
|
|
modemmanager_t
|
|
mon_local_test_t
|
|
mount_t # (un)mount filesystems
|
|
nagios_checkdisk_plugin_t
|
|
newrole_t # Conditional access (allow_polyinstantiation)
|
|
nfsd_t
|
|
ntop_t
|
|
plymouthd_t
|
|
podman_t
|
|
podman_user_t
|
|
postgresql_t
|
|
pppd_t
|
|
quota_t # Configure filesystem quotas
|
|
remote_login_t # Conditional access (allow_polyinstantiation)
|
|
resmgrd_t
|
|
rlogind_t # Conditional access (allow_polyinstantiation)
|
|
rngd_t
|
|
rootlesskit_t # Container engine (namespacing)
|
|
rpcd_t
|
|
rpm_script_t # Package manager post-install scripts
|
|
rshd_t # Conditional access (allow_polyinstantiation)
|
|
secadm_sudo_t # Conditional access (allow_polyinstantiation)
|
|
seunshare_t # Create new flesystem namespaces
|
|
shorewall_t
|
|
smbd_t
|
|
smbmount_t # Mount SMB and CIFS filesystems
|
|
sosreport_t
|
|
spc_t
|
|
sshd_t # Conditional access (allow_polyinstantiation)
|
|
sssd_t
|
|
staff_sudo_t # Conditional access (allow_polyinstantiation)
|
|
sulogin_t
|
|
sysadm_t # System admin role
|
|
sysadm_sudo_t # Conditional access (allow_polyinstantiation)
|
|
syslogd_t
|
|
sysstat_t
|
|
systemd_generator_t
|
|
systemd_homework_t # Mount home directory images
|
|
systemd_hostnamed_t # Set hostname
|
|
systemd_logind_t
|
|
systemd_machine_id_setup_t
|
|
systemd_nspawn_t
|
|
systemd_sysctl_t
|
|
systemd_tmpfiles_t
|
|
systemd_user_runtime_dir_t
|
|
tuned_t
|
|
udev_t
|
|
user_sudo_t # Conditional access (allow_polyinstantiation)
|
|
vbetool_t
|
|
virtd_t # libvirt virtualization manager
|
|
virtd_lxc_t # libvirt LXC container engine (namespacing)
|
|
vmware_t # VMWare virtualization manager
|
|
watchdog_t
|
|
xserver_t
|
|
zed_t # ZFS events daemon (filesystem event monitoring)
|
|
zfs_t # ZFS filesystem tools
|
|
|
|
[PRIVILEGE-CAP_SYS_RAWIO]
|
|
check_type = assert_te
|
|
desc = Verify only expected domains can use CAP_SYS_RAWIO
|
|
tclass = capability
|
|
perms = sys_rawio
|
|
exempt_source = abrt_t # Conditional access (allow_raw_memory_access)
|
|
blkmapd_t
|
|
bootloader_t # Install bootloader, raw disk access
|
|
cdrecord_t # Burn optical media
|
|
container_t # Conditional access (container_use_host_all_caps)
|
|
cpucontrol_t
|
|
cupsd_t
|
|
devicekit_disk_t
|
|
disk_munin_plugin_t
|
|
dmidecode_t
|
|
fsadm_t
|
|
fsdaemon_t
|
|
hddtemp_t
|
|
hwclock_t
|
|
init_t
|
|
initrc_t
|
|
kernel_t # Kernel threads have all caps
|
|
kdump_t
|
|
klogd_t # Conditional access (allow_raw_memory_access)
|
|
lvm_t
|
|
mcelog_t # Conditional access (allow_raw_memory_access)
|
|
mount_t
|
|
munin_t
|
|
nagios_checkdisk_plugin_t
|
|
rasdaemon_t # Monitors ECC errors
|
|
resmgrd_t # Device resource manager
|
|
rpm_script_t # Package manager post-install scripts
|
|
smbmount_t
|
|
sosreport_t # Conditional access (allow_raw_memory_access)
|
|
spc_t
|
|
sysadm_t # System admin role
|
|
udev_t
|
|
vbetool_t # Conditional access (allow_raw_memory_access)
|
|
vmware_t
|
|
xdm_t
|
|
xserver_t
|
|
zfs_t
|
|
|
|
[PRIVILEGE-CAP_NET_ADMIN]
|
|
check_type = assert_te
|
|
desc = Verify only expected domains can use CAP_NET_ADMIN.
|
|
tclass = capability
|
|
perms = net_admin
|
|
exempt_source = arpwatch_t
|
|
asterisk_t
|
|
avahi_t
|
|
bird_t
|
|
blueman_t
|
|
bluetooth_t
|
|
brctl_t
|
|
cgred_t
|
|
chronyd_t # Conditional access (chronyd_hwtimestamp)
|
|
condor_startd_t
|
|
container_engine_t
|
|
container_t # Conditional access (container_use_host_all_caps)
|
|
crio_t
|
|
ctdbd_t
|
|
devicekit_disk_t
|
|
devicekit_power_t
|
|
dhcpc_t
|
|
dnsmasq_t
|
|
dockerd_t
|
|
dockerd_user_t
|
|
dpkg_script_t
|
|
drbd_t
|
|
fcoemon_t
|
|
firewalld_t
|
|
hostapd_t
|
|
hypervkvpd_t
|
|
hypervvssd_t
|
|
ifconfig_t
|
|
ifplugd_t
|
|
init_t
|
|
initrc_t
|
|
iodined_t
|
|
ipsec_t
|
|
ipsec_mgmt_t
|
|
ipsec_supervisor_t
|
|
iptables_t
|
|
iscsid_t
|
|
kernel_t
|
|
kismet_t
|
|
krb5kdc_t
|
|
kubeadm_t
|
|
kubelet_t
|
|
l2tpd_t
|
|
lldpad_t
|
|
lvm_t
|
|
minissdpd_t
|
|
modemmanager_t
|
|
ncftool_t
|
|
ndc_t
|
|
netlabel_mgmt_t
|
|
netutils_t
|
|
NetworkManager_t
|
|
nsd_t
|
|
ntop_t
|
|
openvpn_t
|
|
openvswitch_t
|
|
pegasus_t
|
|
podman_t
|
|
podman_user_t
|
|
portslave_t
|
|
pppd_t
|
|
pptp_t
|
|
psad_t
|
|
racoon_t
|
|
radvd_t
|
|
rkhunter_t
|
|
rootlesskit_t
|
|
rpm_script_t
|
|
setkey_t
|
|
shorewall_t
|
|
snmpd_t
|
|
snort_t
|
|
sosreport_t
|
|
spc_t
|
|
squid_t # Conditional access (squid_use_tproxy)
|
|
sssd_t
|
|
sysadm_t
|
|
syslogd_t # Conditional network config (logging_syslog_can_network)
|
|
system_cronjob_t
|
|
system_munin_plugin_t
|
|
systemd_cgroups_t
|
|
systemd_networkd_t
|
|
systemd_nspawn_t
|
|
systemd_sysctl_t
|
|
systemd_tmpfiles_t
|
|
traceroute_t
|
|
udev_t
|
|
ulogd_t
|
|
virt_bridgehelper_t
|
|
virtd_t
|
|
virtd_lxc_t
|
|
vpnc_t
|
|
watchdog_t
|
|
wireguard_t
|
|
wireshark_t
|
|
xm_t
|
|
zebra_t
|
|
|
|
[PRIVILEGE-setcurrent]
|
|
check_type = assert_te
|
|
desc = Verify only the expected domains can change their process label.
|
|
tclass = process
|
|
perms = setcurrent
|
|
exempt_source = chromium_t # Changes MCS level for each tab
|
|
kernel_t # When systemd loads the policy it has the kernel_t label and changes context to init_t
|
|
sepgsql_ranged_proc_t # Changes MCS level
|
|
|
|
[NONTRANQUILITY-systemd]
|
|
check_type = assert_te
|
|
desc = Verify dynamic transition allowed by PRIVILEGE-setcurrent test can only
|
|
go from kernel_t to init_t (systemd)
|
|
source = kernel_t
|
|
tclass = process
|
|
perms = dyntransition
|
|
# kernel_t -> kernel_t and kernel_t -> init_t
|
|
exempt_target = init_t kernel_t
|
|
|
|
[INTEGRITY-readonly-executables]
|
|
check_type = ro_execs
|
|
#
|
|
# This is an expensive check, but this security goal is important to verify.
|
|
# To tighten your policy, first try to remove entries from exempt_file, as it
|
|
# is very broad in terms of this check, as the type is simply ignored both for
|
|
# write checks and for execute checks.
|
|
#
|
|
# Next, try to remove entries from exempt_write_domain. These are domains that
|
|
# are accepted as able to write executables.
|
|
#
|
|
# If you don't have unconfined domains, you should remove the
|
|
# exempt_exec_domain option. The only purpose for this option is because all
|
|
# file types would be considered executable otherwise.
|
|
#
|
|
# When you have a failure on this test, first verify that the file type is
|
|
# supposed to be executable; if not, remove the exec access. If it is supposed
|
|
# to be executable, verify domains that have write access are legitimate
|
|
# writers. If the access is legitimate, e.g. by a package manager, add the
|
|
# domain to exempt_write_domain. If not, remove the write access.
|
|
#
|
|
desc = Enforce executable files (including libraries) are not writable
|
|
except from expected domains, such as package managers.
|
|
exempt_file = container_file_t # Container files don't distinguish executables.
|
|
container_ro_file_t # Container files don't distinguish executables.
|
|
gstreamer_orcexec_t # OIL Runtime Compiler code optimizer is used by pulseaudio
|
|
httpd_script_exec_type # Web admin can edit scripts
|
|
httpdcontent # Web admin can edit scripts, webalizer output, etc.
|
|
noxattrfs # Filesystem does not support xattrs; executable by users, can't distinguish executables
|
|
user_home_content_type # User home content, users can install apps in own home, write scripts, etc. JIT compiles, and libFFI use.
|
|
exempt_write_domain = cloud_init_t # Can conditionally manage all non-auth files (cloudinit_manage_non_security)
|
|
dpkg_t # Package manager
|
|
dpkg_script_t # Package manager
|
|
gcc_config_t # Gentoo compiler chooser
|
|
init_t # Systemd can create file mountpoints
|
|
ftpd_t # Can conditionally manage all non-auth files (allow_ftpd_full_access)
|
|
kernel_t # Can conditionally manage all non-auth files (nfs_export_all_rw)
|
|
nfsd_t # Can conditionally manage all non-auth files (nfs_export_all_rw)
|
|
nmbd_t # Can conditionally manage all non-auth files (samba_export_all_rw)
|
|
prelink_t # Prelinking executables
|
|
portage_t # Package manager
|
|
puppet_t # Can conditionally manage all non-auth files (puppet_manage_all_files)
|
|
rpm_t # Package manager
|
|
rpm_script_t # Package manager
|
|
sftpd_t # Can conditionally manage all non-auth files (sftpd_full_access)
|
|
smbd_t # Can conditionally manage all non-auth files (samba_export_all_rw)
|
|
systemd_tmpfiles_t # Can conditionally manage all non-auth files (systemd_tmpfiles_manage_all)
|
|
sysadm_t # Privileged admin domain
|
|
files_unconfined_type
|
|
# files_unconfined_type: Unconfined; can execute anything; muddies the water on what is
|
|
# intended to be executable by constrained domains.
|
|
exempt_exec_domain = files_unconfined_type
|