SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* lockdown class
@ 2020-12-11  7:01 Russell Coker
  2020-12-14 15:13 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2020-12-11  7:01 UTC (permalink / raw)
  To: selinux-refpolicy

allow systemd_modules_load_t systemd_modules_load_t:lockdown integrity;
allow udev_t udev_t:lockdown confidentiality;

I've seen access that caused the above to be generated from audit2allow.

/var/log/audit/audit.log.1:type=AVC msg=audit(1607515838.132:56): avc:  denied  
{ confidentiality } for  pid=253 comm="systemd-udevd" lockdown_reason="use of 
tracefs" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1

Above is the only log entry I've got for that from my previous testing (I 
haven't been able to reproduce whatever it was that caused the 
systemd_modules_load_t to get that audited).

https://www.paul-moore.com/blog/d/2020/03/linux_v56.html

I've read the above blog post and I'm still not sure exactly how we are to use 
it.  Do I allow this for systemd_modules_load_t because loading modules is an 
integrity issue?  Do I allow it for udev_t because changing device names etc 
allows universal MITM attacks?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: lockdown class
  2020-12-11  7:01 lockdown class Russell Coker
@ 2020-12-14 15:13 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2020-12-14 15:13 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 12/11/20 2:01 AM, Russell Coker wrote:
> allow systemd_modules_load_t systemd_modules_load_t:lockdown integrity;
> allow udev_t udev_t:lockdown confidentiality;
> 
> I've seen access that caused the above to be generated from audit2allow.
> 
> /var/log/audit/audit.log.1:type=AVC msg=audit(1607515838.132:56): avc:  denied
> { confidentiality } for  pid=253 comm="systemd-udevd" lockdown_reason="use of
> tracefs" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
> 
> Above is the only log entry I've got for that from my previous testing (I
> haven't been able to reproduce whatever it was that caused the
> systemd_modules_load_t to get that audited).
> 
> https://www.paul-moore.com/blog/d/2020/03/linux_v56.html
> 
> I've read the above blog post and I'm still not sure exactly how we are to use
> it.  Do I allow this for systemd_modules_load_t because loading modules is an
> integrity issue?  Do I allow it for udev_t because changing device names etc
> allows universal MITM attacks?

The SELinux check mirrors the lockdown LSM checks but the policy's granularity, 
instead of the single granularity (system-wide)that lockdown LSM has.

If you had the lockdown LSM running too and set to the integrity level, the 
systemd_modules_load_t would have been denied by lockdown instead of getting to 
SELinux's check.  The udev access to tracefs in would be allowed by the lockdown 
LSM and go to SELinux's check.

Effectively you could reimplement the lockdown LSM in SELinux like this:

bool lockdown_integrity false;
bool lockdown_confidentiality false;

if (!lockdown_integrity && !lockdown_confidentiality) {
	allow domain self:lockdown integrity;
}

if (!lockdown_confidentiality) {
	allow domain self:lockdown confidentiality;
}


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-11  7:01 lockdown class Russell Coker
2020-12-14 15:13 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git