From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc kernel and system patches
Date: Wed, 20 Jan 2021 15:36:46 +0100
Message-ID: <ypjlwnw7lloh.fsf@defensec.nl>
In-Reply-To: <YAgAyh7eG5zePmGE@xev> (Russell Coker's message of "Wed, 20 Jan 2021 21:07:06 +1100")
Russell Coker <russell@coker.com.au> writes:
> Lots of little patches that should be good to merge.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.fc
> @@ -305,7 +305,6 @@ ifdef(`distro_debian',`
> /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
> /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
>
> -/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/share/ajaxterm/ajaxterm\.py.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/ajaxterm/qweb\.py.* -- gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
> +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
> @@ -662,6 +662,7 @@ interface(`corecmd_read_all_executables'
>
> corecmd_search_bin($1)
> read_files_pattern($1, exec_type, exec_type)
> + allow $1 exec_type:file map;
Create a corecmd_map_read_all_executables() instead. This macro's name is
"read_all_executables"; if you extend it with this rule then you
effectively do several things:
1. You make the name of the interface inaccurate because the rules no
longer reflect the name.
2. You give all existing callers of this interface access to map
exec_file files.
3. You're essentially shutting the door for just read access to exec_type
files because the interface name has already been taken for "read + map".
> ')
>
> ########################################
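Review bot: the interface's `## <summary>` block is not touched by this hunk even though the rule set changes, so the generated documentation will still describe read-only access while the interface now also grants `map`. If the widening is kept at all (see the objection above), the summary has to say so; otherwise a separately named map interface, as suggested, keeps both the name and the documentation accurate.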
> Index: refpolicy-2.20210120/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20210120/policy/modules/kernel/devices.if
> @@ -4323,6 +4323,42 @@ interface(`dev_mount_sysfs',`
>
> ########################################
> ## <summary>
> +## remount a sysfs filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_remount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem remount;
> +')
> +
> +########################################
> +## <summary>
> +## unmount a sysfs filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_unmount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem unmount;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit getting the attributes of sysfs filesystem
> ## </summary>
> ## <param name="domain">
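Review bot: the two new summaries, "remount a sysfs filesystem" and "unmount a sysfs filesystem", start lower-case, while the neighbouring interface documentation in this file starts with a capital ("Do not audit getting the attributes of sysfs filesystem"); capitalise them so the generated interface docs stay consistent.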
> Index: refpolicy-2.20210120/policy/modules/kernel/domain.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/domain.if
> +++ refpolicy-2.20210120/policy/modules/kernel/domain.if
> @@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state
>
> ########################################
> ## <summary>
> -## Get the attributes of all domains of all domains.
> +## Get the attributes of all domains
> ## </summary>
> ## <param name="domain">
> ## <summary>
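Review bot: the corrected summary drops the trailing period that the original line had; keep it as "Get the attributes of all domains." so it matches the other summaries in this file.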
> Index: refpolicy-2.20210120/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20210120/policy/modules/kernel/files.if
> @@ -5408,6 +5408,25 @@ interface(`files_delete_kernel_symbol_ta
>
> ########################################
> ## <summary>
> +## Delete a system.map in the /boot directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_mounton_kernel_symbol_table',`
> + gen_require(`
> + type boot_t, system_map_t;
> + ')
> +
> + allow $1 boot_t:dir list_dir_perms;
> + allow $1 system_map_t:file mounton;
mount != listing boot_t dirs (I know it's semi-related, but you might want
to mount on the symbol table and not list boot_t, and this will shut the door
on that).
Instead you should probably imply getattr here:
allow $1 system_map_t:file { getattr mounton };
Would be even better to declare "mounton_file_perms" on a lower level
and use that:
define(`mounton_file_perms',`{ getattr mounton }')
> +')
> +
> +########################################
> +## <summary>
> ## Search the contents of /var.
> ## </summary>
> ## <param name="domain">
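Review bot: the summary "Delete a system.map in the /boot directory." does not describe files_mounton_kernel_symbol_table(); it reads as copied from files_delete_kernel_symbol_table(), the interface the hunk header shows immediately above, and should say something like "Mount on the system.map in the /boot directory." Separately from the getattr point raised above, `list_dir_perms` on boot_t is more than reaching a file for mounton needs; `allow $1 boot_t:dir search_dir_perms;` is the usual grant for an interface that only has to traverse /boot.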
> Index: refpolicy-2.20210120/policy/modules/kernel/selinux.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/selinux.if
> +++ refpolicy-2.20210120/policy/modules/kernel/selinux.if
> @@ -159,6 +159,24 @@ interface(`selinux_unmount_fs',`
>
> ########################################
> ## <summary>
> +## Mount on the selinuxfs filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`selinux_mounton_fs',`
> + gen_require(`
> + type security_t;
> + ')
> +
> + allow $1 security_t:dir mounton;
getattr should probably be implied here.
A mounton_dir_perms would be even better:
define(`mounton_dir_perms',`{ getattr mounton }')
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of the selinuxfs filesystem
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20210120/policy/modules/kernel/terminal.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/terminal.te
> +++ refpolicy-2.20210120/policy/modules/kernel/terminal.te
> @@ -31,6 +31,9 @@ fs_associate_tmpfs(devpts_t)
> fs_xattr_type(devpts_t)
> fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
>
> +# for systemd-nspawn
> +allow console_device_t devpts_t:filesystem associate;
I am a fairly big user of systemd_nspawn and I have never ever
encountered this. Only pty devices should ever associate with devpts_t
filesystems AFAIK.
> +
> #
> # devtty_t is the type of /dev/tty.
> #
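Review bot: a system-wide `allow console_device_t devpts_t:filesystem associate;` justified only by "# for systemd-nspawn" does not belong in the kernel-layer terminal.te: it lets console_device_t objects live on any devpts filesystem for the benefit of a single system-layer domain. If nspawn really creates a console node on devpts, put the rule (or an interface wrapping it) beside the systemd_nspawn_t policy in systemd.te and quote the AVC denial in the commit message, since the reviewer above reports never hitting it.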
> Index: refpolicy-2.20210120/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20210120/policy/modules/system/authlogin.te
> @@ -98,12 +98,13 @@ optional_policy(`
>
> allow chkpwd_t self:capability { dac_override setuid };
> dontaudit chkpwd_t self:capability sys_tty_config;
> -allow chkpwd_t self:process { getattr signal };
> +allow chkpwd_t self:process { getcap getattr signal };
>
> allow chkpwd_t shadow_t:file read_file_perms;
> files_list_etc(chkpwd_t)
>
> kernel_read_crypto_sysctls(chkpwd_t)
> +kernel_read_kernel_sysctls(chkpwd_t)
>
> domain_dontaudit_use_interactive_fds(chkpwd_t)
>
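Review bot: nothing in the commit message ("Lots of little patches") says why chkpwd_t now needs process `getcap` or kernel_read_kernel_sysctls(). The domain already has kernel_read_crypto_sysctls() for the crypto sysctls it is known to read; the new call covers /proc/sys/kernel as a whole, which is a noticeably wider grant for a password-checking helper. State which sysctl the helper actually touches, or narrow the grant to it, so the widening can be reviewed.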
> @@ -116,6 +117,7 @@ files_read_etc_files(chkpwd_t)
> files_dontaudit_search_var(chkpwd_t)
>
> fs_dontaudit_getattr_xattr_fs(chkpwd_t)
> +fs_read_tmpfs_symlinks(chkpwd_t)
>
> selinux_get_enforce_mode(chkpwd_t)
>
> Index: refpolicy-2.20210120/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20210120/policy/modules/system/fstools.te
> @@ -160,6 +160,8 @@ mount_exec(fsadm_t)
> # for /run/mount/utab
> mount_getattr_runtime_files(fsadm_t)
>
> +mount_rw_runtime_files(fsadm_t)
> +
> seutil_read_config(fsadm_t)
>
> userdom_use_user_terminals(fsadm_t)
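Review bot: mount_rw_runtime_files(fsadm_t) makes the mount_getattr_runtime_files(fsadm_t) call two lines above it redundant (read/write file permissions include getattr), and it is detached from the "# for /run/mount/utab" comment that explains the access. Replace the getattr call under that comment with the rw call instead of adding a second, uncommented one.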
> Index: refpolicy-2.20210120/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/init.if
> +++ refpolicy-2.20210120/policy/modules/system/init.if
> @@ -191,6 +191,24 @@ interface(`init_domain',`
>
> ########################################
> ## <summary>
> +## Allow a domain to be transitioned to from init_t with nnp_transition
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to transition
> +## </summary>
> +## </param>
> +#
> +interface(`init_nnp_domain',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow init_t $1:process2 nnp_transition;
> +')
This is redundant. In systems with systemd (ifdef init_systemd) this access is already allowed.
> +
> +########################################
> +## <summary>
> ## Create a domain which can be started by init,
> ## with a range transition.
> ## </summary>
> @@ -3029,6 +3047,24 @@ interface(`init_relabel_utmp',`
>
> ########################################
> ## <summary>
> +## Watch utmp.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_watch_utmp',`
> + gen_require(`
> + type initrc_runtime_t;
> + ')
> +
> + allow $1 initrc_runtime_t:file watch;
> +')
> +
> +########################################
> +## <summary>
> ## Create files in /var/run with the
> ## utmp file type.
> ## </summary>
> @@ -3248,6 +3284,24 @@ interface(`init_read_pid_pipes',`
> init_read_runtime_pipes($1)
> ')
>
> +######################################
> +## <summary>
> +## restart systemd units, for /run/systemd/transient/*
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_restart_units',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:service { start status stop };
> +')
I would probably create a private type for "runtime units".
But also, in another patch you create another "restart_units" interface,
and that has different permissions (probably best to associate
consistent permissions with interface names),
not where "restart_units" means something different somewhere else.
> +
> ########################################
> ## <summary>
> ## Read init unnamed pipes.
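Review bot: the interface is named init_restart_units but grants `{ start status stop }`, and it requires init_var_run_t while the rest of this hunk uses the runtime naming (initrc_runtime_t, init_read_runtime_pipes just above). Check that init_var_run_t is still the current type name rather than a compatibility alias, and name the interface for what it grants (or grant exactly what "restart" needs) so that the meaning is stable; the same interface is later called twice for systemd_logind_t in systemd.te, once under a "# for /run/systemd/transient/*" comment.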
> @@ -3575,6 +3629,24 @@ interface(`init_manage_all_unit_files',`
> ')
>
> ########################################
> +## <summary>
> +## stat systemd unit files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_getattr_all_unit_files',`
> + gen_require(`
> + attribute systemdunit;
> + ')
> +
> + allow $1 systemdunit:file getattr;
> +')
> +
> +########################################
> ## <summary>
> ## Allow unconfined access to send instructions to init
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/init.te
> +++ refpolicy-2.20210120/policy/modules/system/init.te
> @@ -239,7 +239,8 @@ ifdef(`init_systemd',`
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> allow init_t self:netlink_selinux_socket create_socket_perms;
> - allow init_t self:system { status reboot halt reload };
> + # why does kernel 4.9 make it need start and stop while 4.19 does not?
> + allow init_t self:system { start stop status reboot halt reload
> };
I would remove the above change. Might have been a bug in 4.9; no need
to support bugs. Besides, kernel 4.9 is old.
> # Until systemd is fixed
> allow init_t self:udp_socket create_socket_perms;
> allow init_t self:netlink_route_socket create_netlink_socket_perms;
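Review bot: the added "# why does kernel 4.9 make it need start and stop while 4.19 does not?" comment is an open question rather than documentation; a policy comment should state what the rule is for. If the access is kept at all, replace the comment with the observed denial and the kernel version it was seen on; otherwise drop the change, as suggested above.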
> @@ -1002,6 +1003,7 @@ ifdef(`enabled_mls',`
>
> ifdef(`init_systemd',`
> allow initrc_t init_t:system { start status reboot halt reload };
> + allow init_t initrc_t:process2 nnp_transition;
This is redundant. Should already be allowed.
>
> manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> files_lock_filetrans(initrc_t, initrc_lock_t, file)
> @@ -1043,6 +1045,7 @@ ifdef(`init_systemd',`
> init_get_all_units_status(initrc_t)
> init_manage_var_lib_files(initrc_t)
> init_rw_stream_sockets(initrc_t)
> + init_stop_system(initrc_t)
>
> # Create /etc/audit.rules.prev after firstboot remediation
> logging_manage_audit_config(initrc_t)
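Review bot: init_stop_system(initrc_t) adds only the `stop` permission that the explicit `allow initrc_t init_t:system { start status reboot halt reload };` in the previous hunk lacks. Adding `stop` to that existing allow line keeps the whole init_t:system grant for initrc_t in one place instead of splitting it between a raw allow and an interface call.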
> Index: refpolicy-2.20210120/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20210120/policy/modules/system/locallogin.te
> @@ -125,7 +125,8 @@ auth_manage_pam_runtime_files(local_logi
> auth_manage_pam_console_data(local_login_t)
> auth_domtrans_pam_console(local_login_t)
>
> -init_dontaudit_use_fds(local_login_t)
> +# if local_login_t can not inherit fd from init it takes ages to login
> +init_use_fds(local_login_t)
Yes, I think you're right, but I think this applies to all processes forked
by systemd. I believe that rules associated with systemd-forked
processes should probably be addressed on a lower level instead,
for example:
init_domain is obviously systemd-forked in a systemd system (init_domain
is allowed to use init fds via domtrans_pattern(init_t, $1, $2) in
init_domain()).
However, local_login is not a direct fork of systemd (it's not an
init_daemon) and instead it's an indirectly forked process of systemd (it
gets executed by an init domain but not by init itself).
I would create a type attribute "systemd_forked_type" and then associate
the fork-related rules with that and then use that.
I think these (or something like it):
allow $1 systemd_forked_type:fd use;
allow $1 systemd_forked_type:unix_stream_socket rw_socket_perms;
Then these can be removed:
https://github.com/SELinuxProject/refpolicy/blob/ea6002ddf9c09a307dccc4bf662ff7efa2395572/policy/modules/system/init.if#L186
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.if#L149
etc.
Otherwise you end up with very decentralized policy which is hard to maintain.
>
> miscfiles_read_localization(local_login_t)
>
> Index: refpolicy-2.20210120/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20210120/policy/modules/system/logging.te
> @@ -515,7 +515,8 @@ ifdef(`init_systemd',`
> # for systemd-journal
> allow syslogd_t self:netlink_audit_socket connected_socket_perms;
> allow syslogd_t self:capability2 audit_read;
> - allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
> + allow syslogd_t self:capability { chown dac_read_search setgid setuid sys_ptrace audit_control };
> + allow syslogd_t self:cap_userns sys_ptrace;
> allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
>
> # remove /run/log/journal when switching to permanent storage
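Review bot: `audit_control` is a heavyweight capability (CAP_AUDIT_CONTROL allows changing the kernel audit configuration, not merely reading events), and it arrives in the same line as `dac_read_search` and next to a new `cap_userns sys_ptrace` grant with no explanation in the commit message. journald already holds `audit_read` and `nlmsg_write` on its audit socket in the surrounding lines, so it is not obvious why control is needed; split these additions out with the AVC denial that motivated each so audit_control can be judged on its own.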
> @@ -533,6 +534,7 @@ ifdef(`init_systemd',`
>
> domain_getattr_all_domains(syslogd_t)
> domain_read_all_domains_state(syslogd_t)
> + domain_signull_all_domains(syslogd_t)
>
> init_create_runtime_dirs(syslogd_t)
> init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
> Index: refpolicy-2.20210120/policy/modules/system/lvm.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/lvm.if
> +++ refpolicy-2.20210120/policy/modules/system/lvm.if
> @@ -247,3 +247,21 @@ interface(`lvm_admin',`
> files_search_tmp($1)
> admin_pattern($1, lvm_tmp_t)
> ')
> +
> +######################################
> +## <summary>
> +## Allow lvm_t to use a semaphore
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain that created the semaphore
> +## </summary>
> +## </param>
> +#
> +interface(`lvm_use_sem',`
> + gen_require(`
> + type lvm_t;
> + ')
> +
> + allow lvm_t $1:sem all_sem_perms;
That's not allowed like this, generally.
> +')
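Review bot: `all_sem_perms` includes create, destroy and setattr, which is more than the summary's "use a semaphore" implies; `rw_sem_perms` matches the stated intent and is what the review further down suggests for the unconfined caller. The summary and param description should also say which direction the access runs, since the rule grants lvm_t access to the caller's semaphores rather than the usual caller-to-module direction.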
> Index: refpolicy-2.20210120/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20210120/policy/modules/system/lvm.te
> @@ -345,6 +345,8 @@ optional_policy(`
> ')
>
> optional_policy(`
> + apt_use_fds(lvm_t)
> +
> dpkg_script_rw_pipes(lvm_t)
> ')
>
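Review bot: apt_use_fds() belongs to the apt module but is placed inside the optional_policy block that holds dpkg_script_rw_pipes(); refpolicy keeps one module per optional_policy block so that a missing apt module disables only the apt rules rather than the whole block. Give the apt call its own optional_policy block.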
> Index: refpolicy-2.20210120/policy/modules/system/miscfiles.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/miscfiles.fc
> +++ refpolicy-2.20210120/policy/modules/system/miscfiles.fc
> @@ -14,6 +14,8 @@ ifdef(`distro_gentoo',`
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)
> /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
> +/etc/ssl/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)
> +/etc/letsencrypt(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)
> /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
>
> ifdef(`distro_debian',`
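Review bot: labelling all of /etc/letsencrypt(/.*)? as tls_privkey_t is wider than the pattern the /etc/ssl lines just above follow, where only the private subdirectory gets the key type. certbot keeps certificates, chains and renewal configuration in the same tree as the keys (privkey*.pem under archive/ and live/), so any domain that only needs to read a certificate will either be denied or have to be granted private-key access. Label the tree cert_t and only the key files tls_privkey_t.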
> Index: refpolicy-2.20210120/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20210120/policy/modules/system/modutils.te
> @@ -33,7 +33,7 @@ ifdef(`init_systemd',`
> # insmod local policy
> #
>
> -allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> +allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
> allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
> # for the radeon/amdgpu modules
> dontaudit kmod_t self:capability sys_admin;
> @@ -99,6 +99,7 @@ fs_getattr_xattr_fs(kmod_t)
> fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> fs_search_tracefs(kmod_t)
>
> +init_nnp_domain(kmod_t)
Shouldn't be needed: kmod is an init_system_domain, which is an
init_domain, and systemd can already nnp transition to all init_domains
if ifdef init_systemd is set.
> init_rw_initctl(kmod_t)
> init_use_fds(kmod_t)
> init_use_script_fds(kmod_t)
> @@ -138,6 +139,8 @@ optional_policy(`
> dpkg_manage_script_tmp_files(kmod_t)
> dpkg_map_script_tmp_files(kmod_t)
> dpkg_read_script_tmp_symlinks(kmod_t)
> + apt_use_fds(kmod_t)
> + apt_use_ptys(kmod_t)
> ')
>
> optional_policy(`
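Review bot: apt_use_fds() and apt_use_ptys() are apt-module interfaces added inside the optional_policy block for dpkg (dpkg_manage_script_tmp_files and friends); as with the lvm.te change, move them into their own optional_policy block so the dpkg rules do not depend on the apt module being present.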
> Index: refpolicy-2.20210120/policy/modules/system/mount.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/mount.te
> +++ refpolicy-2.20210120/policy/modules/system/mount.te
> @@ -219,6 +219,14 @@ optional_policy(`
> samba_run_smbmount(mount_t, mount_roles)
> ')
>
> +optional_policy(`
> + ssh_rw_pipes(mount_t)
> +')
> +
> +optional_policy(`
> + xen_read_image_files(mount_t)
> +')
> +
> ########################################
> #
> # Unconfined mount local policy
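Review bot: xen_read_image_files(mount_t) and ssh_rw_pipes(mount_t) are both unexplained, and the xen one is the more consequential: it grants every mount_t instance read access to guest disk images whenever the xen module is loaded, not just the admin workflow that prompted it. State the use case (loop-mounting an image, presumably) in the commit message, and consider whether it belongs behind a tunable rather than unconditionally.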
> Index: refpolicy-2.20210120/policy/modules/system/raid.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/raid.fc
> +++ refpolicy-2.20210120/policy/modules/system/raid.fc
> @@ -11,6 +11,8 @@
> /usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
> /usr/bin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
>
> +/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0)
> +
> # Systemd unit files
> /usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
> /usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
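Review bot: together with the corecommands.fc hunk that drops the bin_t entry, this relabels /usr/share/mdadm/checkarray to mdadm_exec_t, so running it from cron now enters mdadm_t (via cron_system_entry() in raid.te) instead of the caller's domain. That is a behaviour change worth a sentence in the commit message, and the raid.te additions (cron_rw_tmp_files, domain_dontaudit_search_all_domains_state) may be its consequences, so keep the three hunks together.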
> Index: refpolicy-2.20210120/policy/modules/system/raid.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/raid.te
> +++ refpolicy-2.20210120/policy/modules/system/raid.te
> @@ -54,6 +54,7 @@ dev_dontaudit_getattr_all_blk_files(mdad
> dev_dontaudit_getattr_all_chr_files(mdadm_t)
> dev_read_realtime_clock(mdadm_t)
>
> +domain_dontaudit_search_all_domains_state(mdadm_t)
> domain_use_interactive_fds(mdadm_t)
>
> files_read_etc_files(mdadm_t)
> @@ -90,6 +91,7 @@ userdom_dontaudit_use_user_terminals(mda
>
> optional_policy(`
> cron_system_entry(mdadm_t, mdadm_exec_t)
> + cron_rw_tmp_files(mdadm_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20210120/policy/modules/system/systemd.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/systemd.fc
> +++ refpolicy-2.20210120/policy/modules/system/systemd.fc
> @@ -5,7 +5,6 @@
>
> /run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
>
> -/usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
> /usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
> /usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
> /usr/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
> Index: refpolicy-2.20210120/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210120/policy/modules/system/systemd.te
> @@ -355,10 +355,11 @@ ifdef(`enable_mls',`
> #
>
> allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
> -allow systemd_coredump_t self:capability { setgid setuid setpcap };
> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
> allow systemd_coredump_t self:process { getcap setcap setfscreate };
>
> manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
> +allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
>
> kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
> kernel_read_kernel_sysctls(systemd_coredump_t)
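Review bot: `dac_override` and `dac_read_search` together on systemd_coredump_t is more than reading other users' files requires; `dac_read_search` alone covers reading and searching, and only a write or ownership path would need `dac_override`. Try the smaller capability first and record the denial that forces the larger one. `sys_ptrace` on a coredump handler is plausible (it reads the crashing process's /proc state) but should likewise be stated in the commit message.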
> @@ -376,6 +377,7 @@ files_read_etc_files(systemd_coredump_t)
> files_search_var_lib(systemd_coredump_t)
>
> fs_getattr_xattr_fs(systemd_coredump_t)
> +fs_search_tmpfs(systemd_coredump_t)
>
> selinux_getattr_fs(systemd_coredump_t)
>
> @@ -397,6 +399,8 @@ allow systemd_generator_t self:fifo_file
> allow systemd_generator_t self:capability dac_override;
> allow systemd_generator_t self:process setfscreate;
>
> +allow systemd_generator_t systemd_unit_t:file getattr;
> +
> corecmd_getattr_bin_files(systemd_generator_t)
>
> dev_read_sysfs(systemd_generator_t)
> @@ -407,6 +411,7 @@ files_read_etc_files(systemd_generator_t
> files_search_runtime(systemd_generator_t)
> files_list_boot(systemd_generator_t)
> files_read_boot_files(systemd_generator_t)
> +files_read_config_files(systemd_generator_t)
> files_search_all_mountpoints(systemd_generator_t)
> files_list_usr(systemd_generator_t)
>
> @@ -414,6 +419,8 @@ fs_list_efivars(systemd_generator_t)
> fs_getattr_xattr_fs(systemd_generator_t)
>
> init_create_runtime_files(systemd_generator_t)
> +init_read_all_script_files(systemd_generator_t)
> +init_getattr_all_unit_files(systemd_generator_t)
> init_manage_runtime_dirs(systemd_generator_t)
> init_manage_runtime_symlinks(systemd_generator_t)
> init_read_runtime_files(systemd_generator_t)
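Review bot: init_getattr_all_unit_files(systemd_generator_t) grants getattr on every type carrying the systemdunit attribute, which should already include systemd_unit_t; if so, the direct `allow systemd_generator_t systemd_unit_t:file getattr;` added in the earlier hunk of this file is redundant and should be dropped in favour of the interface call.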
> @@ -618,12 +625,17 @@ init_dbus_send_script(systemd_logind_t)
> init_get_all_units_status(systemd_logind_t)
> init_get_system_status(systemd_logind_t)
> init_read_utmp(systemd_logind_t)
> +init_restart_units(systemd_logind_t)
> init_service_start(systemd_logind_t)
> init_service_status(systemd_logind_t)
> init_start_all_units(systemd_logind_t)
> init_stop_all_units(systemd_logind_t)
> init_start_system(systemd_logind_t)
> init_stop_system(systemd_logind_t)
> +init_watch_utmp(systemd_logind_t)
> +
> +# for /run/systemd/transient/*
> +init_restart_units(systemd_logind_t)
>
> locallogin_read_state(systemd_logind_t)
>
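Review bot: init_restart_units(systemd_logind_t) is added twice in this hunk, once in the alphabetical block of init_ calls and again under the "# for /run/systemd/transient/*" comment; keep a single call, with the comment.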
> @@ -880,6 +892,9 @@ allow systemd_nspawn_t self:capability {
> allow systemd_nspawn_t self:capability2 wake_alarm;
> allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
> allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
> +allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
> +allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
> +allow systemd_nspawn_t self:udp_socket { create ioctl };
Probably just create_socket_perms.
>
> allow systemd_nspawn_t systemd_journal_t:dir search;
>
> @@ -916,6 +931,9 @@ dev_getattr_fs(systemd_nspawn_t)
> dev_manage_sysfs_dirs(systemd_nspawn_t)
> dev_mounton_sysfs_dirs(systemd_nspawn_t)
> dev_mount_sysfs(systemd_nspawn_t)
> +dev_remount_sysfs(systemd_nspawn_t)
> +dev_unmount_sysfs(systemd_nspawn_t)
> +dev_read_sysfs(systemd_nspawn_t)
> dev_read_rand(systemd_nspawn_t)
> dev_read_urand(systemd_nspawn_t)
>
> @@ -928,6 +946,7 @@ files_mounton_tmp(systemd_nspawn_t)
> files_read_kernel_symbol_table(systemd_nspawn_t)
> files_setattr_runtime_dirs(systemd_nspawn_t)
>
> +fs_getattr_cgroup(systemd_nspawn_t)
> fs_getattr_tmpfs(systemd_nspawn_t)
> fs_manage_tmpfs_chr_files(systemd_nspawn_t)
> fs_mount_tmpfs(systemd_nspawn_t)
> @@ -951,6 +970,7 @@ init_write_runtime_socket(systemd_nspawn
> init_spec_domtrans_script(systemd_nspawn_t)
>
> miscfiles_manage_localization(systemd_nspawn_t)
> +udev_read_runtime_files(systemd_nspawn_t)
>
> # for writing inside chroot
> sysnet_manage_config(systemd_nspawn_t)
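Review bot: udev_read_runtime_files(systemd_nspawn_t) is inserted between the miscfiles_ and sysnet_ calls, breaking the alphabetical ordering of interface calls that the surrounding block keeps; move it after the sysnet_ calls.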
> @@ -967,8 +987,14 @@ tunable_policy(`systemd_nspawn_labeled_n
> # manage etc symlinks for /etc/localtime
> files_manage_etc_symlinks(systemd_nspawn_t)
> files_mounton_runtime_dirs(systemd_nspawn_t)
> + files_mounton_kernel_symbol_table(systemd_nspawn_t)
> files_search_home(systemd_nspawn_t)
>
> + files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
> + allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
> + fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
> + allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
> +
> fs_getattr_cgroup(systemd_nspawn_t)
> fs_manage_cgroup_dirs(systemd_nspawn_t)
> fs_manage_tmpfs_dirs(systemd_nspawn_t)
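Review bot: both new filetrans rules put systemd_nspawn_runtime_t, a runtime type, on objects that live in /tmp (fifo_file) and on tmpfs (sock_file), and later in this file systemd_tmpfiles_t then needs a one-off `unlink` on systemd_nspawn_runtime_t:fifo_file to clean them up (flagged as questionable below). A dedicated tmp type for nspawn, created through files_tmp_filetrans() and handled by the normal tmp interfaces, would let systemd-tmpfiles clean it without a cross-module unlink rule.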
> @@ -986,6 +1012,7 @@ tunable_policy(`systemd_nspawn_labeled_n
> selinux_getattr_fs(systemd_nspawn_t)
> selinux_remount_fs(systemd_nspawn_t)
> selinux_search_fs(systemd_nspawn_t)
> + selinux_mounton_fs(systemd_nspawn_t)
>
> init_domtrans(systemd_nspawn_t)
>
> @@ -1013,7 +1040,7 @@ optional_policy(`
> # systemd_passwd_agent_t local policy
> #
>
> -allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
> +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override sys_resource };
> allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
> allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
>
> @@ -1024,14 +1051,19 @@ manage_sock_files_pattern(systemd_passwd
> manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
> init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
>
> +can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
> +
> kernel_read_system_state(systemd_passwd_agent_t)
> kernel_stream_connect(systemd_passwd_agent_t)
>
> dev_create_generic_dirs(systemd_passwd_agent_t)
> dev_read_generic_files(systemd_passwd_agent_t)
> +dev_read_sysfs(systemd_passwd_agent_t)
> +dev_write_sysfs_dirs(systemd_passwd_agent_t)
> dev_write_generic_sock_files(systemd_passwd_agent_t)
> dev_write_kmsg(systemd_passwd_agent_t)
>
> +corecmd_search_bin(systemd_passwd_agent_t)
> files_read_etc_files(systemd_passwd_agent_t)
>
> fs_getattr_xattr_fs(systemd_passwd_agent_t)
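Review bot: dev_write_sysfs_dirs() on a password agent is unusual, and together with can_exec() on its own executable, corecmd_search_bin() here and `sys_resource` in the previous hunk it suggests the agent is spawning something; nothing in the commit message says what. Quote the denials so the sysfs directory write in particular can be checked against what the agent actually does.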
> @@ -1040,6 +1072,7 @@ selinux_get_enforce_mode(systemd_passwd_
> selinux_getattr_fs(systemd_passwd_agent_t)
>
> term_read_console(systemd_passwd_agent_t)
> +term_use_unallocated_ttys(systemd_passwd_agent_t)
>
> auth_use_nsswitch(systemd_passwd_agent_t)
>
> @@ -1100,6 +1133,8 @@ logging_send_syslog_msg(systemd_pstore_t
>
> allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
>
> +allow systemd_rfkill_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
That's not a stream socket; do this instead:
- allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
+ allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
> +
> manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
> manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
> init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
> @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>
> +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink;
Questionable.
> +
> kernel_getattr_proc(systemd_tmpfiles_t)
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> kernel_read_network_state(systemd_tmpfiles_t)
> @@ -1495,6 +1532,8 @@ systemd_dbus_chat_logind(systemd_user_ru
> seutil_read_file_contexts(systemd_user_runtime_dir_t)
> seutil_libselinux_linked(systemd_user_runtime_dir_t)
>
> +userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
> +userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
> userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
> userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
> userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
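Review bot: userdom_delete_user_tmp_dirs() and userdom_delete_user_tmp_named_pipes() let systemd_user_runtime_dir_t remove user tmp content wherever it lives, while the service's job is tearing down /run/user/UID, which the existing lines already cover through the user_runtime interfaces. If objects under /run/user are turning up with the user tmp type, the fix is a filetrans that gives them the runtime type, not a delete grant over all user tmp.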
> Index: refpolicy-2.20210120/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20210120/policy/modules/system/udev.te
> @@ -145,6 +145,7 @@ selinux_compute_access_vector(udev_t)
> selinux_compute_create_context(udev_t)
> selinux_compute_relabel_context(udev_t)
> selinux_compute_user_contexts(udev_t)
> +selinux_use_status_page(udev_t)
>
> storage_watch_fixed_disk(udev_t)
>
> @@ -351,6 +352,7 @@ optional_policy(`
>
> optional_policy(`
> raid_domtrans_mdadm(udev_t)
> + raid_read_mdadm_runtime_files(udev_t)
> ')
>
> optional_policy(`
> @@ -400,6 +402,10 @@ allow udevadm_t udev_runtime_t:dir watch
> dev_rw_sysfs(udevadm_t)
> dev_read_urand(udevadm_t)
>
> +fs_getattr_cgroup(udevadm_t)
> +fs_getattr_tmpfs(udevadm_t)
> +fs_search_cgroup_dirs(udevadm_t)
> +
> files_read_etc_files(udevadm_t)
> files_read_usr_files(udevadm_t)
>
> Index: refpolicy-2.20210120/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20210120/policy/modules/system/unconfined.if
> @@ -38,7 +38,7 @@ interface(`unconfined_domain_noaudit',`
>
> # Use most Linux capabilities
> allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
> - allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm };
> + allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
> allow $1 self:fifo_file manage_fifo_file_perms;
>
> # Transition to myself, to make get_ordered_context_list happy.
> Index: refpolicy-2.20210120/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20210120/policy/modules/system/unconfined.te
> @@ -83,6 +83,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + certbot_run(unconfined_t, unconfined_r)
unconfined should be unconfined.
> +')
> +
> +optional_policy(`
> cron_unconfined_role(unconfined_r, unconfined_t)
> ')
>
> @@ -121,6 +125,7 @@ optional_policy(`
>
> optional_policy(`
> lvm_run(unconfined_t, unconfined_r)
> + lvm_use_sem(unconfined_t)
That lvm_use_sem should probably just be part of lvm_run(),
i.e. "allow $1 lvm_t:sem rw_sem_perms;"
But in my personal view unconfined_t shouldn't run lvm with a domain
transition in the first place (it defeats the purpose of the unconfined domain).
> ')
>
> optional_policy(`
> Index: refpolicy-2.20210120/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20210120/policy/modules/system/userdomain.if
> @@ -2167,6 +2167,8 @@ interface(`userdom_read_user_home_conten
> ')
>
> read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
> + allow $1 user_home_t:file map;
read != map,
and file != lnk_file.
By generalizing interfaces you shut doors for fine-grained access control.
> + allow $1 user_home_t:lnk_file read_lnk_file_perms;
> files_search_home($1)
> ')
>
>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
Thread overview (6+ messages):
2021-01-20 10:07 [PATCH] misc kernel and system patches Russell Coker
2021-01-20 14:36 ` Dominick Grift [this message]
2021-01-27 4:05 ` Russell Coker
2021-01-27 6:03 ` Dominick Grift
2021-01-27 8:53 ` Russell Coker
2021-01-27 11:45 ` Dominick Grift