Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp354494pxu;
        Fri, 11 Dec 2020 04:06:17 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyNx/iJymP5rc1hYXPUTVfn5kAL2G8cVbj6kisj7nMLes7nzwUTbP2z1+xWpbvOIFv6qCYB
X-Received: by 2002:aa7:c151:: with SMTP id r17mr8203251edp.106.1607688377484;
        Fri, 11 Dec 2020 04:06:17 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1607688377; cv=none;
        d=google.com; s=arc-20160816;
        b=j+QWbCTndSEaeQSuNtmnIRHfE9tHJFeKSzCygYfIR9P9mzcX0U+O13aNxDI5sGaZHD
         tIj3hX+3woPnGCenEy59Y9XfIvHws34Jvm6RqAjFFQVLKp15ZtINf9vyENZBNtZcnBd+
         3WBZh8CyV6A8mxA+koGEGeEcfOPNjlLFZxkR8qmE9rGl17IR88vzuunTI+5xSIKZui9k
         TBb8xU1WbIiFWbPCmjOGN6y/SGj1TK1XNHjRT0VfjqprA3bOgtpsz91vnrCBmPGUDinm
         M6nPbYl502zrlqLtNKesNCIG/ZsDGdOBzV1sigeqPr7eGQYE1JIjZfBvLqBLSfQ6BPWe
         shIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:to:from:dkim-signature;
        bh=NF6kWrj/4j5tmk8y9QuEB4OQLYk+OG6az/o5mOMMkmY=;
        b=R0jXn9Nib8BtVQZUWv1Cfr7rzt67lpWsnRBtse6SHmLXetZxtSiOCxJkvBzX2FDzbY
         6DUA2swAUYqhjl1gRO0uMwV3vesld+LbdeW9kHl4KSMsSl/plhgZsjOzObOEUqnQq4iv
         DUdj2A1NKlw5oflHR6gA4Rybk3CE742qXZOqj2Icn0jBtmuvz6yx0fqnr6lzInjEF+cY
         5JKuz2+8iXBpe3gBaG2XHQNfreTTXftVqBKc/EnjheXL76G2X6XHJTvNkO2ff8gfTaN7
         4HSs+nNAevxREL4LXg7kVSn8/I5nI7FErTzn2JcXycRGiXtYfQsK9eWuU7XttPwvn9x9
         Basw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=V4LnmK99;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id e26si506800edy.255.2020.12.11.04.06.11;
        Fri, 11 Dec 2020 04:06:16 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=V4LnmK99;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730331AbgLKHDO (ORCPT <rfc822;preetikerneldev@gmail.com>
        + 16 others); Fri, 11 Dec 2020 02:03:14 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60536 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725945AbgLKHCr (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 11 Dec 2020 02:02:47 -0500
Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:140:71f5::dada:cafe])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD382C0613CF
        for <selinux-refpolicy@vger.kernel.org>; Thu, 10 Dec 2020 23:02:07 -0800 (PST)
Received: from liv.coker.com.au (unknown [103.75.204.226])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: russell@coker.com.au)
        by smtp.sws.net.au (Postfix) with ESMTPSA id F40A1F87C
        for <selinux-refpolicy@vger.kernel.org>; Fri, 11 Dec 2020 18:02:02 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1607670123;
        bh=NF6kWrj/4j5tmk8y9QuEB4OQLYk+OG6az/o5mOMMkmY=; l=1099;
        h=From:To:Subject:Date:From;
        b=V4LnmK99AK+BtHu8dLhNY+FLiPima7SlC27MHzwUvYFAxKtq6bAWr5d7vGYtLB0qd
         XBaVhCeqLPoR35zlOUvoGDDEjQwa7xii/YGnbjRYBmQo8VgZbObSgccB8gXLue28iQ
         2rXLmhBZvHPyjQJK5pzkXyyVa2jA0yfGEd2vGIpE=
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: lockdown class
Date:   Fri, 11 Dec 2020 18:01:58 +1100
Message-ID: <2911391.mirxchbQ87@liv>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

allow systemd_modules_load_t systemd_modules_load_t:lockdown integrity;
allow udev_t udev_t:lockdown confidentiality;

I've seen access that caused the above to be generated from audit2allow.

/var/log/audit/audit.log.1:type=AVC msg=audit(1607515838.132:56): avc:  denied  
{ confidentiality } for  pid=253 comm="systemd-udevd" lockdown_reason="use of 
tracefs" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1

Above is the only log entry I've got for that from my previous testing (I 
haven't been able to reproduce whatever it was that caused the 
systemd_modules_load_t to get that audited).

https://www.paul-moore.com/blog/d/2020/03/linux_v56.html

I've read the above blog post and I'm still not sure exactly how we are to use 
it.  Do I allow this for systemd_modules_load_t because loading modules is an 
integrity issue?  Do I allow it for udev_t because changing device names etc 
allows universal MITM attacks?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/