* [PATCH] yet more tiny stuff
@ 2019-01-21 22:59 Russell Coker
  2019-01-23 23:35 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2019-01-21 22:59 UTC (permalink / raw)
  To: selinux-refpolicy

I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.


Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service 
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/ 
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null) 
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0

Index: refpolicy-2.20180701/policy/modules/apps/gpg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/gpg.te
+++ refpolicy-2.20180701/policy/modules/apps/gpg.te
@@ -184,11 +184,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cron_system_entry(gpg_t, gpg_exec_t)
-	cron_read_system_job_tmp_files(gpg_t)
-')
-
-optional_policy(`
 	xserver_use_xdm_fds(gpg_t)
 	xserver_rw_xdm_pipes(gpg_t)
 ')
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -520,6 +520,7 @@ corenet_udp_sendrecv_all_ports(system_cr
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_getattr_mtrr_dev(system_cronjob_t)
+dev_read_rand(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
 dev_read_sysfs(system_cronjob_t)
 # for checkarray to write to sync_action
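Review bot: The added `dev_read_rand(system_cronjob_t)` carries no comment naming the consumer of /dev/random, while the same file annotates its other unusual device access two lines down (`# for checkarray to write to sync_action`). Reading the blocking random device from the system cron job domain is presumably for gpg, which this patch also lets the domain execute, but that is an inference from the rest of the series rather than anything the hunk states. A one-line comment would pin it for the next reader, e.g. `# for gpg key operations run from cron jobs (confirm)`.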
@@ -551,6 +552,7 @@ files_read_var_lib_symlinks(system_cronj
 mls_file_read_to_clearance(system_cronjob_t)
 
 init_domtrans_script(system_cronjob_t)
+init_read_generic_units_links(system_cronjob_t)
 init_read_utmp(system_cronjob_t)
 init_use_script_fds(system_cronjob_t)
 
@@ -623,6 +625,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gpg_exec(system_cronjob_t)
+')
+
+optional_policy(`
 	inn_manage_log(system_cronjob_t)
 	inn_manage_pid(system_cronjob_t)
 	inn_read_config(system_cronjob_t)
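Review bot: The new `gpg_exec(system_cronjob_t)` block, taken together with the gpg.te hunk of this same patch that deletes `cron_system_entry(gpg_t, gpg_exec_t)`, means gpg started from a system cron job now runs inside system_cronjob_t instead of transitioning into the confined gpg_t domain. That is a noticeably wider domain for a program that may be handling private keys, and neither the hunk nor the cover note explains why the transition was dropped rather than fixed. If staying in the cron domain is intended, it deserves a comment so nobody "restores" the transition later, e.g. `# gpg run by system cron jobs stays in system_cronjob_t; no transition to gpg_t`.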
Index: refpolicy-2.20180701/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/init.if
+++ refpolicy-2.20180701/policy/modules/system/init.if
@@ -2962,6 +2962,25 @@ interface(`init_search_units',`
 
 ########################################
 ## <summary>
+##	Read systemd unit links
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_generic_units_links',`
+	gen_require(`
+		type systemd_unit_t;
+		class service status;
+	')
+
+	allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Get status of generic systemd units.
 ## </summary>
 ## <param name="domain">
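Review bot: The `gen_require` of the new `init_read_generic_units_links` interface declares `class service status;`, but the interface body only references `systemd_unit_t:lnk_file`, so that class requirement is unused and looks copied from the neighbouring `init_get_generic_units_status` interface. It should be trimmed to `gen_require(` / `type systemd_unit_t;` / `')` so the interface requires only what it grants. The summary would also read more consistently with the sibling interfaces as `## Read generic systemd unit symlinks.` rather than `## Read systemd unit links`.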
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
@@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket creat
 allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
-files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
+manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
+files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
 
 kernel_read_network_state(irqbalance_t)
 kernel_read_system_state(irqbalance_t)
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
 # Local policy
 #
 
-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# sys_ptrace is for systemctl
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
 # systemctl asks for net_admin
 dontaudit logrotate_t self:capability net_admin;
 allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
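Review bot: Granting `sys_ptrace` to logrotate_t is a large capability for what the attached audit trace shows: a `newfstatat` of /proc/1/root by systemctl, which is the check systemd uses to detect running in a chroot, not an actual ptrace. Two lines below, the same pattern for systemctl's `net_admin` request is handled with `dontaudit` rather than `allow`; if systemctl tolerates EACCES on this stat (as it appears to, since the patch note only mentions a rejected access), the smaller grant is to do the same here, `# systemctl stats /proc/1/root for chroot detection; deny quietly` and `dontaudit logrotate_t self:capability { net_admin sys_ptrace };`. If the capability really must be allowed, the comment should name the /proc/1/root check rather than just "systemctl", and the set should stay sorted, `sys_nice sys_ptrace sys_resource`, per the file's convention.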


* Re: [PATCH] yet more tiny stuff
  2019-01-21 22:59 [PATCH] yet more tiny stuff Russell Coker
@ 2019-01-23 23:35 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2019-01-23 23:35 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/21/19 5:59 PM, Russell Coker wrote:
> I think this should be self-explanatory.  I've added an audit trace for the
> sys_ptrace access that was previously rejected.
> 
> 
> Here is the audit log for sys_ptrace:
> type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
> type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
> type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
> type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
> 
> Index: refpolicy-2.20180701/policy/modules/apps/gpg.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/apps/gpg.te
> +++ refpolicy-2.20180701/policy/modules/apps/gpg.te
> @@ -184,11 +184,6 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	cron_system_entry(gpg_t, gpg_exec_t)
> -	cron_read_system_job_tmp_files(gpg_t)
> -')
> -
> -optional_policy(`
>   	xserver_use_xdm_fds(gpg_t)
>   	xserver_rw_xdm_pipes(gpg_t)
>   ')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -520,6 +520,7 @@ corenet_udp_sendrecv_all_ports(system_cr
>   dev_getattr_all_blk_files(system_cronjob_t)
>   dev_getattr_all_chr_files(system_cronjob_t)
>   dev_getattr_mtrr_dev(system_cronjob_t)
> +dev_read_rand(system_cronjob_t)
>   dev_read_urand(system_cronjob_t)
>   dev_read_sysfs(system_cronjob_t)
>   # for checkarray to write to sync_action
> @@ -551,6 +552,7 @@ files_read_var_lib_symlinks(system_cronj
>   mls_file_read_to_clearance(system_cronjob_t)
>   
>   init_domtrans_script(system_cronjob_t)
> +init_read_generic_units_links(system_cronjob_t)
>   init_read_utmp(system_cronjob_t)
>   init_use_script_fds(system_cronjob_t)
>   
> @@ -623,6 +625,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	gpg_exec(system_cronjob_t)
> +')
> +
> +optional_policy(`
>   	inn_manage_log(system_cronjob_t)
>   	inn_manage_pid(system_cronjob_t)
>   	inn_read_config(system_cronjob_t)
> Index: refpolicy-2.20180701/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/init.if
> +++ refpolicy-2.20180701/policy/modules/system/init.if
> @@ -2962,6 +2962,25 @@ interface(`init_search_units',`
>   
>   ########################################
>   ## <summary>
> +##	Read systemd unit links
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_generic_units_links',`
> +	gen_require(`
> +		type systemd_unit_t;
> +		class service status;
> +	')
> +
> +	allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Get status of generic systemd units.
>   ## </summary>
>   ## <param name="domain">
> Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
> +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
> @@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket creat
>   allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
>   
>   manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
> -files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
> +manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
> +files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
>   
>   kernel_read_network_state(irqbalance_t)
>   kernel_read_system_state(irqbalance_t)
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
>   # Local policy
>   #
>   
> -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +# sys_ptrace is for systemctl
> +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
>   # systemctl asks for net_admin
>   dontaudit logrotate_t self:capability net_admin;
>   allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };

Merged.

-- 
Chris PeBenito

