* [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux
@ 2015-12-20 15:28 Nicolas Iooss
  2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Nicolas Iooss @ 2015-12-20 15:28 UTC (permalink / raw)
  To: refpolicy

On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.

Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details).  Therefore label it as xserver_exec_t.

This makes the following AVC appear:

    denied  { execute_no_trans } for  pid=927 comm="X"
    path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
    scontext=system_u:system_r:xserver_t
    tcontext=system_u:object_r:xserver_exec_t tclass=file

Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
---
 policy/modules/services/xserver.fc | 2 ++
 policy/modules/services/xserver.te | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 71b307c2fbea..397993fb4944 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -70,6 +70,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
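Review bot: the changelog only talks about Xorg.wrap, yet this hunk also labels /usr/lib/xorg-server/Xorg as xserver_exec_t; the commit message should say so, because that second entry is what makes the wrapper's own exec of the real server fall under the same can_exec(xserver_t, xserver_exec_t) rule instead of producing a second execute_no_trans denial. The entries themselves look right: the literal dot in `Xorg\.wrap` is escaped and both carry the `--` specifier, so only regular files pick up the type, and they sit in path order between the qt and lightdm entries.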
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2ba7a7415e2a..8dc7c83e491c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -827,6 +827,9 @@ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 allow xserver_t xkb_var_lib_t:lnk_file read;
 can_exec(xserver_t, xkb_var_lib_t)
 
+# Run Xorg.wrap
+can_exec(xserver_t, xserver_exec_t)
+
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xserver_t)
 
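Review bot: the comment above `can_exec(xserver_t, xserver_exec_t)` should explain why a domain needs to execute its own entrypoint type without a transition; to anyone who does not know the Arch layout the line reads as a no-op. Something like `# Arch Linux: Xorg is a script which execs Xorg.wrap, which execs the real server` would tie it to the execute_no_trans AVC quoted in the changelog. Functionally it is the minimal fix: execute_no_trans on the domain's own entrypoint keeps the process in xserver_t, so no new domain becomes reachable and no further rule is needed.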
-- 
2.6.4


* [refpolicy] [PATCH 2/3] Label OpenSSH files correctly on Arch Linux
  2015-12-20 15:28 [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Nicolas Iooss
@ 2015-12-20 15:28 ` Nicolas Iooss
  2016-01-05 18:38   ` Christopher J. PeBenito
  2015-12-20 15:28 ` [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files Nicolas Iooss
  2016-01-05 18:38 ` [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Christopher J. PeBenito
  2 siblings, 1 reply; 6+ messages in thread
From: Nicolas Iooss @ 2015-12-20 15:28 UTC (permalink / raw)
  To: refpolicy

On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:

* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)

Label all these files but sftp-server as bin_t.
---
 policy/modules/kernel/corecommands.fc | 1 +
 policy/modules/services/ssh.fc        | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 77d6a180285a..fed2613768ba 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -234,6 +234,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
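Review bot: `/usr/lib/ssh(/.*)?` has no file-type specifier and no exclusion, so on its own it labels the directory and everything beneath it bin_t, including sftp-server, which the changelog says should keep its current type; that exclusion is not visible in this hunk and relies on a more specific /usr/lib/ssh/sftp-server entry existing elsewhere (the context line here only covers /usr/lib/sftp-server). Either add that entry in this series or say in the changelog where it lives. The ssh-keysign case is covered: the literal `/usr/lib/ssh/ssh-keysign` entry with `--` in ssh.fc is more specific than this regex, so fc_sort orders it later and it wins the lookup.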
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 8168244583d0..fd6c2184a0c1 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -7,7 +7,8 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
-/usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
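Review bot: the `-`/`+` pair for /usr/lib/openssh/ssh-keysign is a whitespace-only change (a stray space before `--`) bundled with the functional addition of /usr/lib/ssh/ssh-keysign; harmless, but the changelog should mention it so the diffstat's one deletion is not read as a dropped entry. The new Arch path is consistent with the corecommands.fc change in the same patch: the keysign helper keeps ssh_keysign_exec_t instead of falling to bin_t with the rest of /usr/lib/ssh.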
-- 
2.6.4


* [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files
  2015-12-20 15:28 [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Nicolas Iooss
  2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
@ 2015-12-20 15:28 ` Nicolas Iooss
  2016-01-05 18:38   ` Christopher J. PeBenito
  2016-01-05 18:38 ` [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Christopher J. PeBenito
  2 siblings, 1 reply; 6+ messages in thread
From: Nicolas Iooss @ 2015-12-20 15:28 UTC (permalink / raw)
  To: refpolicy

On Arch Linux, OpenSSH unit files are:
    /usr/lib/systemd/system/sshdgenkeys.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

On Debian jessie, the unit files are:
    /lib/systemd/system/ssh.service
    /lib/systemd/system/ssh@.service
    /lib/systemd/system/ssh.socket

On Fedora 22, the unit files are:
    /usr/lib/systemd/system/sshd-keygen.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

Use a pattern which matches every sshd unit and introduce another type
for ssh-keygen units.
---
 policy/modules/services/ssh.fc | 4 ++++
 policy/modules/services/ssh.te | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index fd6c2184a0c1..027c8a87a902 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -10,6 +10,10 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 /usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
+/usr/lib/systemd/system/ssh.*		--	gen_context(system_u:object_r:sshd_unit_t,s0)
+/usr/lib/systemd/system/sshdgenkeys.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+/usr/lib/systemd/system/sshd-keygen.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
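Review bot: `/usr/lib/systemd/system/ssh.*` also matches sshdgenkeys.service and sshd-keygen.service, so the three new entries overlap; the outcome is still the intended one, because all three share the stem /usr/lib/systemd/system and fc_sort orders the longer patterns later so the sshd_keygen_unit_t entries win, but a one-line comment saying the generic pattern is meant to lose to the keygen ones would spare the next reader that analysis. Separately, the Debian paths under /lib/systemd/system listed in the changelog are not matched by these entries unless the build aliases /lib to /usr/lib via file_contexts.subs_dist; state which is assumed.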
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 06fe64fde790..1c683b73a3ff 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -47,6 +47,12 @@ type sshd_tmp_t;
 files_tmp_file(sshd_tmp_t)
 files_poly_parent(sshd_tmp_t)
 
+type sshd_keygen_unit_t;
+init_unit_file(sshd_keygen_unit_t)
+
+type sshd_unit_t;
+init_unit_file(sshd_unit_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 ')
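Review bot: the two new unit types are declared without any comment or rationale for keeping sshd_keygen_unit_t separate from sshd_unit_t, and nothing else in the hunk uses the distinction; a short comment beside each declaration saying what is expected to treat the keygen unit differently would document the split. Placement and ordering are fine: the declarations follow the sshd_tmp_t block and are alphabetical, like the surrounding type declarations.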
-- 
2.6.4
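
To make the two precedence questions in patches 2 and 3 concrete (the `/usr/lib/ssh(/.*)?` catch-all against the literal ssh-keysign entry, and the `ssh.*` unit pattern against the two keygen patterns), here is an added example; it is not refpolicy code and not part of this thread. It is a small Python model of a file_contexts lookup: it parses the entries from the three patches plus the context lines around them (embedded as a constructed sample), orders them the way fc_sort orders the compiled file_contexts as I understand it (longer stem, then no metacharacters, then longer pattern, then a file-type specifier count as more specific; that ordering is an assumption and an approximation), and returns the last match, which is how libselinux resolves a path. On a real system the authoritative check is `matchpathcon` or `restorecon -nv`; this model only shows why the entries do not collide, and why /usr/lib/ssh/sftp-server falls to bin_t with nothing more specific.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the file_contexts entries from the three patches in this
# thread plus pre-existing lines visible in the hunk context (tabs -> spaces).
SAMPLE_FC = r"""
# comment lines and blank lines are ignored
/usr/bin/Xorg                          --  gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/xorg-server/Xorg              --  gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/xorg-server/Xorg\.wrap        --  gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/sftp-server                   --  gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ssh(/.*)?                         gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ssh/ssh-keysign               --  gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/lib/systemd/system/ssh.*          --  gen_context(system_u:object_r:sshd_unit_t,s0)
/usr/lib/systemd/system/sshdgenkeys.*  --  gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
/usr/lib/systemd/system/sshd-keygen.*  --  gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
/usr/sbin/sshd                         --  gen_context(system_u:object_r:sshd_exec_t,s0)
"""

META = set(".^$?*+|[](){}")
# file-type specifiers used in file_contexts -> one-letter object kind used here
FTYPES = {"--": "f", "-d": "d", "-l": "l", "-b": "b", "-c": "c", "-p": "p", "-s": "s"}


@dataclass
class Spec:
    pattern: str
    ftype: Optional[str]      # None: applies to any kind of object
    setype: str
    regex: re.Pattern = field(init=False)

    def __post_init__(self):
        # file_contexts regexes are implicitly anchored at both ends
        self.regex = re.compile("^(?:" + self.pattern + ")$")


def _scan(pattern):
    """Yield (index, char, escaped); a backslash makes the next char literal."""
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            yield i + 1, pattern[i + 1], True
            i += 2
        else:
            yield i, pattern[i], False
            i += 1


def has_meta(pattern):
    return any(c in META and not esc for _, c, esc in _scan(pattern))


def stem_len(pattern):
    """Length of the literal directory prefix: up to the last '/' before the
    first unescaped metacharacter (libselinux's notion of a spec's stem)."""
    stem = 0
    for i, c, esc in _scan(pattern):
        if c in META and not esc:
            break
        if c == "/":
            stem = i
    return stem


def parse_fc(text):
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        pattern, rest = fields[0], fields[1:]
        ftype = FTYPES[rest.pop(0)] if rest and rest[0] in FTYPES else None
        m = re.fullmatch(r"gen_context\(\w+:\w+:(\w+),\w+\)", rest[0]) if rest else None
        if not m:
            raise ValueError("unrecognised file_contexts line: " + line)
        specs.append(Spec(pattern, ftype, m.group(1)))
    return specs


def sort_specs(specs):
    """Least specific first. Assumption: approximates fc_sort, where a longer
    stem, no metacharacters, a longer pattern and a file-type specifier each
    make a spec more specific, and the most specific entry comes last."""
    return sorted(specs, key=lambda s: (stem_len(s.pattern), not has_meta(s.pattern),
                                        len(s.pattern), s.ftype is not None))


def matching_specs(specs, path, kind="f"):
    """Every spec that applies to path (kind: f=regular file, d=directory,
    l=symlink, ...), ordered least to most specific."""
    return [s for s in sort_specs(specs)
            if (s.ftype is None or s.ftype == kind) and s.regex.match(path)]


def label_for(specs, path, kind="f"):
    """Type assigned by the last (most specific) matching spec, or None."""
    hits = matching_specs(specs, path, kind)
    return hits[-1].setype if hits else None


if __name__ == "__main__":
    specs = parse_fc(SAMPLE_FC)
    for path, kind in [("/usr/lib/ssh/ssh-keysign", "f"),
                       ("/usr/lib/ssh/ssh-pkcs11-helper", "f"),
                       ("/usr/lib/ssh/sftp-server", "f"),
                       ("/usr/lib/systemd/system/sshd@.service", "f"),
                       ("/usr/lib/systemd/system/sshd-keygen.service", "f"),
                       ("/usr/lib/xorg-server/Xorg.wrap", "f")]:
        chain = " < ".join(s.setype for s in matching_specs(specs, path, kind))
        print(f"{path:48} {kind} -> {label_for(specs, path, kind)}   [{chain}]")
```

Running it prints, for each path, the winning type and the chain of matching entries from least to most specific; the sftp-server line shows bin_t alone, which is the gap the corecommands.fc hunk leaves unless a more specific entry exists elsewhere.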


* [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux
  2015-12-20 15:28 [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux Nicolas Iooss
  2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
  2015-12-20 15:28 ` [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files Nicolas Iooss
@ 2016-01-05 18:38 ` Christopher J. PeBenito
  2 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2016-01-05 18:38 UTC (permalink / raw)
  To: refpolicy

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, /usr/bin/Xorg is only a shell script which executes
> /usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
> /usr/lib/xorg-server/Xorg.
> 
> Even though Xorg.wrap is not a full X server, it reads X11 configuration
> files, uses the DRM interface to detect KMS, etc. (cf.
> http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
> for more details).  Therefore label it as xserver_exec_t.
> 
> This makes the following AVC appear:
> 
>     denied  { execute_no_trans } for  pid=927 comm="X"
>     path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
>     scontext=system_u:system_r:xserver_t
>     tcontext=system_u:object_r:xserver_exec_t tclass=file
> 
> Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
> ---
>  policy/modules/services/xserver.fc | 2 ++
>  policy/modules/services/xserver.te | 3 +++
>  2 files changed, 5 insertions(+)
> 
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 71b307c2fbea..397993fb4944 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -70,6 +70,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  
>  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
> +/usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
> +/usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
>  
>  /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 2ba7a7415e2a..8dc7c83e491c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -827,6 +827,9 @@ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>  allow xserver_t xkb_var_lib_t:lnk_file read;
>  can_exec(xserver_t, xkb_var_lib_t)
>  
> +# Run Xorg.wrap
> +can_exec(xserver_t, xserver_exec_t)
> +
>  # VNC v4 module in X server
>  corenet_tcp_bind_vnc_port(xserver_t)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/3] Label OpenSSH files correctly on Arch Linux
  2015-12-20 15:28 ` [refpolicy] [PATCH 2/3] Label OpenSSH files " Nicolas Iooss
@ 2016-01-05 18:38   ` Christopher J. PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2016-01-05 18:38 UTC (permalink / raw)
  To: refpolicy

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:
> 
> * sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
> * ssh-askpass (symlink to x11-ssh-askpass)
> * ssh-keysign
> * ssh-pkcs11-helper
> * x11-ssh-askpass (from x11-ssh-askpass package)
> 
> Label all these files but sftp-server as bin_t.
> ---
>  policy/modules/kernel/corecommands.fc | 1 +
>  policy/modules/services/ssh.fc        | 3 ++-
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 77d6a180285a..fed2613768ba 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -234,6 +234,7 @@ ifdef(`distro_gentoo',`
>  /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 8168244583d0..fd6c2184a0c1 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -7,7 +7,8 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
>  /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
>  /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
>  
> -/usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> +/usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> +/usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>  
>  /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files
  2015-12-20 15:28 ` [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files Nicolas Iooss
@ 2016-01-05 18:38   ` Christopher J. PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2016-01-05 18:38 UTC (permalink / raw)
  To: refpolicy

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, OpenSSH unit files are:
>     /usr/lib/systemd/system/sshdgenkeys.service
>     /usr/lib/systemd/system/sshd.service
>     /usr/lib/systemd/system/sshd@.service
>     /usr/lib/systemd/system/sshd.socket
> 
> On Debian jessie, the unit files are:
>     /lib/systemd/system/ssh.service
>     /lib/systemd/system/ssh@.service
>     /lib/systemd/system/ssh.socket
> 
> On Fedora 22, the unit files are:
>     /usr/lib/systemd/system/sshd-keygen.service
>     /usr/lib/systemd/system/sshd.service
>     /usr/lib/systemd/system/sshd@.service
>     /usr/lib/systemd/system/sshd.socket
> 
> Use a pattern which matches every sshd unit and introduce another type
> for ssh-keygen units.
> ---
>  policy/modules/services/ssh.fc | 4 ++++
>  policy/modules/services/ssh.te | 6 ++++++
>  2 files changed, 10 insertions(+)
> 
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index fd6c2184a0c1..027c8a87a902 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -10,6 +10,10 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
>  /usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>  /usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>  
> +/usr/lib/systemd/system/ssh.*		--	gen_context(system_u:object_r:sshd_unit_t,s0)
> +/usr/lib/systemd/system/sshdgenkeys.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
> +/usr/lib/systemd/system/sshd-keygen.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
> +
>  /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>  
>  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 06fe64fde790..1c683b73a3ff 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -47,6 +47,12 @@ type sshd_tmp_t;
>  files_tmp_file(sshd_tmp_t)
>  files_poly_parent(sshd_tmp_t)
>  
> +type sshd_keygen_unit_t;
> +init_unit_file(sshd_keygen_unit_t)
> +
> +type sshd_unit_t;
> +init_unit_file(sshd_unit_t)
> +
>  ifdef(`enable_mcs',`
>  	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
>  ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

