From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: lockdown class
Date: Fri, 11 Dec 2020 18:01:58 +1100
Message-ID: <2911391.mirxchbQ87@liv>

allow systemd_modules_load_t systemd_modules_load_t:lockdown integrity;
allow udev_t udev_t:lockdown confidentiality;

I've seen access that caused the above to be generated from audit2allow.

/var/log/audit/audit.log.1:type=AVC msg=audit(1607515838.132:56): avc: denied { confidentiality } for pid=253 comm="systemd-udevd" lockdown_reason="use of tracefs" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1

Above is the only log entry I've got for that from my previous testing (I haven't been able to reproduce whatever it was that caused the systemd_modules_load_t to get that audited).

https://www.paul-moore.com/blog/d/2020/03/linux_v56.html

I've read the above blog post and I'm still not sure exactly how we are to use it. Do I allow this for systemd_modules_load_t because loading modules is an integrity issue? Do I allow it for udev_t because changing device names etc. allows universal MITM attacks?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
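An added example, not part of Russell's message or of refpolicy: a small Python script that parses lockdown-class AVC records like the one quoted above and prints the allow rules audit2allow would suggest, but keeps the kernel's lockdown_reason beside each rule so the policy writer can see whether the access is an integrity or a confidentiality concern before granting it. The second and third sample records are constructed for the example (the comm, pid and reason strings are assumed, not taken from the message).

```python
import re
from collections import defaultdict

# Constructed sample audit data. Record 1 is the denial quoted in the message;
# records 2 and 3 are invented here (one lockdown integrity denial, one
# unrelated file denial that the filter below must ignore).
SAMPLE_AUDIT = """\
/var/log/audit/audit.log.1:type=AVC msg=audit(1607515838.132:56): avc: denied { confidentiality } for pid=253 comm="systemd-udevd" lockdown_reason="use of tracefs" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
type=AVC msg=audit(1607515900.001:57): avc: denied { integrity } for pid=310 comm="systemd-modules" lockdown_reason="unsigned module loading" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=lockdown permissive=1
type=AVC msg=audit(1607515901.002:58): avc: denied { read } for pid=311 comm="cat" name="shadow" scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
REASON_RE = re.compile(r'lockdown_reason="([^"]*)"')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:range]; policy rules need only the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    r = REASON_RE.search(line)          # only present on lockdown-class denials
    rec["reason"] = r.group(1) if r else None
    return rec

def lockdown_rules(text):
    """Group lockdown denials by (source type, target type) and return a list of
    (allow rule, sorted lockdown reasons) pairs, in sorted order."""
    grouped = defaultdict(lambda: (set(), set()))
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "lockdown":
            continue
        perms, reasons = grouped[(rec["stype"], rec["ttype"])]
        perms.update(rec["perms"])
        if rec["reason"]:
            reasons.add(rec["reason"])
    out = []
    for (stype, ttype), (perms, reasons) in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ %s }" % p  # audit2allow-style brace set
        out.append(("allow %s %s:lockdown %s;" % (stype, ttype, p), sorted(reasons)))
    return out

if __name__ == "__main__":
    for rule, reasons in lockdown_rules(SAMPLE_AUDIT):
        print(rule, "  # lockdown_reason:", ", ".join(reasons))
```

Run against a real audit.log the output is one rule per domain plus the reasons that triggered it, which is the information the blog post's integrity/confidentiality split needs and which plain audit2allow output drops.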