* [refpolicy] [PATCH 26/33] selinuxutil: curb on userdom permissions
@ 2017-04-20  1:08 Guido Trentalancia
  2017-04-20 13:54 ` [refpolicy] [PATCH v2 " Guido Trentalancia
  0 siblings, 1 reply; 2+ messages in thread
From: Guido Trentalancia @ 2017-04-20  1:08 UTC (permalink / raw)
  To: refpolicy

This patch restricts the userdomain file read and/or write permissions
granted to the SELinux utilities (selinuxutil) module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/selinuxutil.te |   45 +++++++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 4 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/system/selinuxutil.te	2017-02-04 19:30:19.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/system/selinuxutil.te	2017-04-20 00:27:50.508446073 +0200
@@ -9,6 +9,15 @@ gen_require(`
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Determine whether the SELinux
+##	utilities can read the user
+##	home directories and files.
+##	</p>
+## </desc>
+gen_tunable(selinuxutil_enable_home_dirs, false)
+
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 
@@ -20,6 +29,8 @@ role system_r types run_init_t;
 attribute_role semanage_roles;
 roleattribute system_r semanage_roles;
 
+attribute_role sesearch_roles;
+
 #
 # selinux_config_t is the type applied to
 # /etc/selinux/config
@@ -115,6 +126,12 @@ files_tmp_file(semanage_tmp_t)
 type semanage_trans_lock_t;
 files_type(semanage_trans_lock_t)
 
+type sesearch_t;
+type sesearch_exec_t;
+application_domain(sesearch_t, sesearch_exec_t)
+domain_interactive_fd(sesearch_t)
+role sesearch_roles types sesearch_t;
+
 type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
 type setfiles_exec_t alias restorecon_exec_t;
 init_system_domain(setfiles_t, setfiles_exec_t)
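Review bot: sesearch_t is declared here as an application domain with its own role attribute, but neither this hunk, the `attribute_role sesearch_roles;` hunk above it, nor the "sesearch local policy" block added in the `@@ -516` hunk below contains a domain-transition or role-assignment interface, so as far as this patch shows nothing can enter the domain and `sesearch_roles` stays empty; presumably a matching selinuxutil.if change lives elsewhere in the series, but it is not referenced. These sesearch additions are also unrelated to the home-directory restriction in the subject, which makes the actual permission change harder to audit in one read.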
@@ -501,8 +518,7 @@ seutil_get_semanage_read_lock(semanage_t
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
 
-# Handle pp files created in homedir and /tmp
-userdom_read_user_home_content_files(semanage_t)
+# Handle pp files created in /tmp
 userdom_read_user_tmp_files(semanage_t)
 
 ifdef(`distro_debian',`
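Review bot: The only interface removed here is `userdom_read_user_home_content_files(semanage_t)`, and the setfiles hunk at `@@ -592` likewise drops only the read interface; no write-related userdom call is touched anywhere in this patch. The description's "read and/or write permissions" therefore overstates the change, and a reader auditing what user data the utilities can still modify gets no answer from it; "read permissions" would describe the hunks accurately. The updated comment `# Handle pp files created in /tmp` does match the remaining `userdom_read_user_tmp_files(semanage_t)` line.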
@@ -516,6 +532,22 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+tunable_policy(`selinuxutil_enable_home_dirs',`
+	# Handle pp files created in homedir
+	userdom_read_user_home_content_files(semanage_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(semanage_t)
+')
+
+########################################
+#
+# sesearch local policy
+#
+
+domain_use_interactive_fds(sesearch_t)
+
+selinux_getattr_fs(sesearch_t)
+
 ########################################
 #
 # Setfiles local policy
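Review bot: The false branch of the new tunable_policy block silently dontaudits the home-content read for semanage_t, and since `selinuxutil_enable_home_dirs` defaults to false, an administrator importing a policy module from a .pp file stored under their home directory now gets a failure with no AVC record that points at the boolean. The same pattern is used for setfiles_t in the `@@ -627` hunk. Consider leaving the denial auditable by dropping `userdom_dontaudit_read_user_home_content_files(semanage_t)` from the else branch, or at least extending the tunable's <desc> with a sentence such as `Denials from reading home content are not audited while this is off.` so the behaviour is discoverable.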
@@ -592,8 +624,6 @@ seutil_libselinux_linked(setfiles_t)
 seutil_read_module_store(setfiles_t)
 
 userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
 
 ifdef(`distro_debian',`
 	# udev tmpfs is populated with static device nodes
@@ -627,6 +657,13 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
+tunable_policy(`selinuxutil_enable_home_dirs',`
+	# for config files in a home directory
+	userdom_read_user_home_content_files(setfiles_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(setfiles_t)
+')
+
 optional_policy(`
 	hotplug_use_fds(setfiles_t)
 ')


* [refpolicy] [PATCH v2 26/33] selinuxutil: curb on userdom permissions
  2017-04-20  1:08 [refpolicy] [PATCH 26/33] selinuxutil: curb on userdom permissions Guido Trentalancia
@ 2017-04-20 13:54 ` Guido Trentalancia
  0 siblings, 0 replies; 2+ messages in thread
From: Guido Trentalancia @ 2017-04-20 13:54 UTC (permalink / raw)
  To: refpolicy

This patch restricts the userdomain file read and/or write permissions
granted to the SELinux utilities (selinuxutil) module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

This second version removes misplaced unrelated bits under testing.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/selinuxutil.te |   28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

--- a/policy/modules/system/selinuxutil.te	2017-02-04 19:30:19.000000000 +0100
+++ b/policy/modules/system/selinuxutil.te	2017-04-20 00:27:50.508446073 +0200
@@ -9,6 +9,15 @@ gen_require(`
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Determine whether the SELinux
+##	utilities can read the user
+##	home directories and files.
+##	</p>
+## </desc>
+gen_tunable(selinuxutil_enable_home_dirs, false)
+
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 
@@ -501,8 +518,7 @@ seutil_get_semanage_read_lock(semanage_t
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
 
-# Handle pp files created in homedir and /tmp
-userdom_read_user_home_content_files(semanage_t)
+# Handle pp files created in /tmp
 userdom_read_user_tmp_files(semanage_t)
 
 ifdef(`distro_debian',`
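Review bot: The new-side offsets in the hunk headers from this one onward (`@@ -501,8 +518,7 @@`, `@@ -516,6 +523,13 @@`, `@@ -592,8 +624,6 @@`, `@@ -627,6 +657,13 @@`) do not follow from the hunks in this v2: after the +9-line declarations hunk, old line 501 should land near new line 510, not 518, and with the diffstat's net +20 lines the last hunk cannot start at 657. The numbers look carried over from v1, which contained the sesearch hunks that v2 removed; `patch`/`git am` will only apply this with offset or fuzz, and a reviewer diffing v1 against v2 sees spurious movement. Regenerating the patch with `diff -u` or `git format-patch` against the same base fixes the headers without changing any content.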
@@ -516,6 +523,13 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+tunable_policy(`selinuxutil_enable_home_dirs',`
+	# Handle pp files created in homedir
+	userdom_read_user_home_content_files(semanage_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
@@ -592,8 +624,6 @@ seutil_libselinux_linked(setfiles_t)
 seutil_read_module_store(setfiles_t)
 
 userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
 
 ifdef(`distro_debian',`
 	# udev tmpfs is populated with static device nodes
@@ -627,6 +657,13 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
+tunable_policy(`selinuxutil_enable_home_dirs',`
+	# for config files in a home directory
+	userdom_read_user_home_content_files(setfiles_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(setfiles_t)
+')
+
 optional_policy(`
 	hotplug_use_fds(setfiles_t)
 ')

