Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2642077pxu; Mon, 14 Dec 2020 07:31:35 -0800 (PST) X-Google-Smtp-Source: ABdhPJyvNfmZOvnxKvv7/pB1DPwZFSWI+moo3GhrT4nuh2Yu+HBDV/6g2mg3Xrx1J4kUufkMPIvm X-Received: by 2002:a17:906:2b50:: with SMTP id b16mr9453856ejg.255.1607959895414; Mon, 14 Dec 2020 07:31:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607959895; cv=none; d=google.com; s=arc-20160816; b=En11ggxYmmho+WxaQtsxbUXTD3/J+I9Own5qUT0cs9+/mak/lTDlZk+7kXGi8804r2 rt5p0F2jkAAY8wfsCaCX6UtGvGbYysbEkhYOtwhbLzdBFiPIC3IqCiGdCy8Cx05iUQFy CvSw9+jL1evkfBZSx6rMSHcESjIcc6s4UtX8R9K8GfCLf8E7l445KshTw//nYeBaKGYf ZdPfBwYU4SQGYBMbChjHDNVY/5uuCA/h9LBA/IZU3CwE2KrpfEE9y7xqFNC32eICaNgM lfqctc/frDgk7vhwHjxImG+0R8FOZKaQFxIaAP5Q97Hlc1nFLMrMqxJkGALshxZ4AqgH xJHg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :to:subject:dkim-signature; bh=fQ0ygsow+fa4VCL6Aj5VzpOJ/pkb2JK+JGAKVZz2e+E=; b=VYnpQ5b71C+/JkWQd6KYFLmuseVOJo+9JLOTgL3BDIKFK+TZchUe7mu4W4R5pJ27gJ 2JxvXsAlN9G4Lo4BDX1gy2Cvmvw18bI6BnPtsOSzUwpbWxCtmk/ORtzmzuo/HSle5N2r 1KnEwBWjwan1n+MBC7sUaD5VdXRgVQxRCr34ygYp5I3D94F9crVhRCWMC7vH2Z8Z6R3O 3NKZZry9uoIOHXiyXzL+5wE6rSdqfJjk+RBzcm30Gjzm+ebPH/iTuZIsqh3xyJEQSTqu Fr8uiVT5a2t40vtLC+kzKWccwIu4meRwx4mXgHwwVNYz49Fxg5InS8Yca2HXwgiTEM9h 3aaw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=O5DmWmzy; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v17si5157741edr.428.2020.12.14.07.31.30; Mon, 14 Dec 2020 07:31:35 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=O5DmWmzy; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725871AbgLNPOR (ORCPT + 16 others); Mon, 14 Dec 2020 10:14:17 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726618AbgLNPOI (ORCPT ); Mon, 14 Dec 2020 10:14:08 -0500 Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99B7CC0613D3 for ; Mon, 14 Dec 2020 07:13:28 -0800 (PST) Received: by mail-qk1-x734.google.com with SMTP id h4so10949548qkk.4 for ; Mon, 14 Dec 2020 07:13:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=fQ0ygsow+fa4VCL6Aj5VzpOJ/pkb2JK+JGAKVZz2e+E=; b=O5DmWmzyk4+Ej4tG5t/G7e4vioOqciNZiqyTJIXhNeiA4mGMnI2xDNyU7BF/juBWh1 RQGg0Ma02s54CVYbTvIUwzVOBFUfMwvh5mwIT6n4Gll3TMOkxJck9Ueqo+zEcoYwN7EZ 5whCKAw8d26n+xydB8y1LkBS9ihz40Y7OevHA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=fQ0ygsow+fa4VCL6Aj5VzpOJ/pkb2JK+JGAKVZz2e+E=; b=N3qp/0v9mlixEfyp2B3QInimgUyZP7PYuVxxghy86njoUsXRzHialHDqZmfiZc0KHR 2+RC7d3c9gpvRt4xhc6IxawhXT/E+4FB2s7Nzfz6FUiEImMWfC1YfoLfkIgJUYGX+dIc HZe5P1zF73XfxMpK4+3kKuADGqNe84XNW57OJOydAkEX9EeClJT7o7gh7C8JqoZxMrzo aMtyPf1wNLep5jnuqjkzx950r/wdSTH3Gb93mSYL5jHAGNf2UFOMFWfeTRx2w4Lt2eI+ EgAAHJK3KVGmSbg3i5ZK2YrQUyE0M+EvtxPUGsgNbsPyv8NCqBD6e7wTHq0xPNyjrLfP sv1g== X-Gm-Message-State: AOAM5335+Mp1VtVQBZuuJbKE3Dk6JisZw0W95rnXonul23zu8PlGRO0l OV7jifYGBSChWEAomOEDwNDT/G6nUmwHNA== X-Received: by 2002:a37:60f:: with SMTP id 15mr31017068qkg.211.1607958807553; Mon, 14 Dec 2020 07:13:27 -0800 (PST) Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17]) by smtp.gmail.com with ESMTPSA id e10sm13946642qte.48.2020.12.14.07.13.26 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 14 Dec 2020 07:13:27 -0800 (PST) Subject: Re: lockdown class To: Russell Coker , selinux-refpolicy@vger.kernel.org References: <2911391.mirxchbQ87@liv> From: Chris PeBenito Message-ID: <4f69f374-3a67-55a2-3704-5cafd3719bf0@ieee.org> Date: Mon, 14 Dec 2020 10:13:25 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0 MIME-Version: 1.0 In-Reply-To: <2911391.mirxchbQ87@liv> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 12/11/20 2:01 AM, Russell Coker wrote: > allow systemd_modules_load_t systemd_modules_load_t:lockdown integrity; > allow udev_t udev_t:lockdown confidentiality; > > I've seen access that caused the above to be generated from audit2allow. > > /var/log/audit/audit.log.1:type=AVC msg=audit(1607515838.132:56): avc: denied > { confidentiality } for pid=253 comm="systemd-udevd" lockdown_reason="use of > tracefs" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 > tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1 > > Above is the only log entry I've got for that from my previous testing (I > haven't been able to reproduce whatever it was that caused the > systemd_modules_load_t to get that audited). > > https://www.paul-moore.com/blog/d/2020/03/linux_v56.html > > I've read the above blog post and I'm still not sure exactly how we are to use > it. Do I allow this for systemd_modules_load_t because loading modules is an > integrity issue? Do I allow it for udev_t because changing device names etc > allows universal MITM attacks? The SELinux check mirrors the lockdown LSM checks but the policy's granularity, instead of the single granularity (system-wide)that lockdown LSM has. If you had the lockdown LSM running too and set to the integrity level, the systemd_modules_load_t would have been denied by lockdown instead of getting to SELinux's check. The udev access to tracefs in would be allowed by the lockdown LSM and go to SELinux's check. Effectively you could reimplement the lockdown LSM in SELinux like this: bool lockdown_integrity false; bool lockdown_confidentiality false; if (!lockdown_integrity && !lockdown_confidentiality) { allow domain self:lockdown integrity; } if (!lockdown_confidentiality) { allow domain self:lockdown confidentiality; } -- Chris PeBenito