Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2642077pxu;
        Mon, 14 Dec 2020 07:31:35 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyvNfmZOvnxKvv7/pB1DPwZFSWI+moo3GhrT4nuh2Yu+HBDV/6g2mg3Xrx1J4kUufkMPIvm
X-Received: by 2002:a17:906:2b50:: with SMTP id b16mr9453856ejg.255.1607959895414;
        Mon, 14 Dec 2020 07:31:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1607959895; cv=none;
        d=google.com; s=arc-20160816;
        b=En11ggxYmmho+WxaQtsxbUXTD3/J+I9Own5qUT0cs9+/mak/lTDlZk+7kXGi8804r2
         rt5p0F2jkAAY8wfsCaCX6UtGvGbYysbEkhYOtwhbLzdBFiPIC3IqCiGdCy8Cx05iUQFy
         CvSw9+jL1evkfBZSx6rMSHcESjIcc6s4UtX8R9K8GfCLf8E7l445KshTw//nYeBaKGYf
         ZdPfBwYU4SQGYBMbChjHDNVY/5uuCA/h9LBA/IZU3CwE2KrpfEE9y7xqFNC32eICaNgM
         lfqctc/frDgk7vhwHjxImG+0R8FOZKaQFxIaAP5Q97Hlc1nFLMrMqxJkGALshxZ4AqgH
         xJHg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :to:subject:dkim-signature;
        bh=fQ0ygsow+fa4VCL6Aj5VzpOJ/pkb2JK+JGAKVZz2e+E=;
        b=VYnpQ5b71C+/JkWQd6KYFLmuseVOJo+9JLOTgL3BDIKFK+TZchUe7mu4W4R5pJ27gJ
         2JxvXsAlN9G4Lo4BDX1gy2Cvmvw18bI6BnPtsOSzUwpbWxCtmk/ORtzmzuo/HSle5N2r
         1KnEwBWjwan1n+MBC7sUaD5VdXRgVQxRCr34ygYp5I3D94F9crVhRCWMC7vH2Z8Z6R3O
         3NKZZry9uoIOHXiyXzL+5wE6rSdqfJjk+RBzcm30Gjzm+ebPH/iTuZIsqh3xyJEQSTqu
         Fr8uiVT5a2t40vtLC+kzKWccwIu4meRwx4mXgHwwVNYz49Fxg5InS8Yca2HXwgiTEM9h
         3aaw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=O5DmWmzy;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v17si5157741edr.428.2020.12.14.07.31.30;
        Mon, 14 Dec 2020 07:31:35 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=O5DmWmzy;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725871AbgLNPOR (ORCPT <rfc822;preetikerneldev@gmail.com>
        + 16 others); Mon, 14 Dec 2020 10:14:17 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51878 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726618AbgLNPOI (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 14 Dec 2020 10:14:08 -0500
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99B7CC0613D3
        for <selinux-refpolicy@vger.kernel.org>; Mon, 14 Dec 2020 07:13:28 -0800 (PST)
Received: by mail-qk1-x734.google.com with SMTP id h4so10949548qkk.4
        for <selinux-refpolicy@vger.kernel.org>; Mon, 14 Dec 2020 07:13:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=fQ0ygsow+fa4VCL6Aj5VzpOJ/pkb2JK+JGAKVZz2e+E=;
        b=O5DmWmzyk4+Ej4tG5t/G7e4vioOqciNZiqyTJIXhNeiA4mGMnI2xDNyU7BF/juBWh1
         RQGg0Ma02s54CVYbTvIUwzVOBFUfMwvh5mwIT6n4Gll3TMOkxJck9Ueqo+zEcoYwN7EZ
         5whCKAw8d26n+xydB8y1LkBS9ihz40Y7OevHA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=fQ0ygsow+fa4VCL6Aj5VzpOJ/pkb2JK+JGAKVZz2e+E=;
        b=N3qp/0v9mlixEfyp2B3QInimgUyZP7PYuVxxghy86njoUsXRzHialHDqZmfiZc0KHR
         2+RC7d3c9gpvRt4xhc6IxawhXT/E+4FB2s7Nzfz6FUiEImMWfC1YfoLfkIgJUYGX+dIc
         HZe5P1zF73XfxMpK4+3kKuADGqNe84XNW57OJOydAkEX9EeClJT7o7gh7C8JqoZxMrzo
         aMtyPf1wNLep5jnuqjkzx950r/wdSTH3Gb93mSYL5jHAGNf2UFOMFWfeTRx2w4Lt2eI+
         EgAAHJK3KVGmSbg3i5ZK2YrQUyE0M+EvtxPUGsgNbsPyv8NCqBD6e7wTHq0xPNyjrLfP
         sv1g==
X-Gm-Message-State: AOAM5335+Mp1VtVQBZuuJbKE3Dk6JisZw0W95rnXonul23zu8PlGRO0l
        OV7jifYGBSChWEAomOEDwNDT/G6nUmwHNA==
X-Received: by 2002:a37:60f:: with SMTP id 15mr31017068qkg.211.1607958807553;
        Mon, 14 Dec 2020 07:13:27 -0800 (PST)
Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17])
        by smtp.gmail.com with ESMTPSA id e10sm13946642qte.48.2020.12.14.07.13.26
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 14 Dec 2020 07:13:27 -0800 (PST)
Subject: Re: lockdown class
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <2911391.mirxchbQ87@liv>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <4f69f374-3a67-55a2-3704-5cafd3719bf0@ieee.org>
Date:   Mon, 14 Dec 2020 10:13:25 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <2911391.mirxchbQ87@liv>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 12/11/20 2:01 AM, Russell Coker wrote:
> allow systemd_modules_load_t systemd_modules_load_t:lockdown integrity;
> allow udev_t udev_t:lockdown confidentiality;
> 
> I've seen access that caused the above to be generated from audit2allow.
> 
> /var/log/audit/audit.log.1:type=AVC msg=audit(1607515838.132:56): avc:  denied
> { confidentiality } for  pid=253 comm="systemd-udevd" lockdown_reason="use of
> tracefs" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
> 
> Above is the only log entry I've got for that from my previous testing (I
> haven't been able to reproduce whatever it was that caused the
> systemd_modules_load_t to get that audited).
> 
> https://www.paul-moore.com/blog/d/2020/03/linux_v56.html
> 
> I've read the above blog post and I'm still not sure exactly how we are to use
> it.  Do I allow this for systemd_modules_load_t because loading modules is an
> integrity issue?  Do I allow it for udev_t because changing device names etc
> allows universal MITM attacks?

The SELinux check mirrors the lockdown LSM checks but the policy's granularity, 
instead of the single granularity (system-wide)that lockdown LSM has.

If you had the lockdown LSM running too and set to the integrity level, the 
systemd_modules_load_t would have been denied by lockdown instead of getting to 
SELinux's check.  The udev access to tracefs in would be allowed by the lockdown 
LSM and go to SELinux's check.

Effectively you could reimplement the lockdown LSM in SELinux like this:

bool lockdown_integrity false;
bool lockdown_confidentiality false;

if (!lockdown_integrity && !lockdown_confidentiality) {
	allow domain self:lockdown integrity;
}

if (!lockdown_confidentiality) {
	allow domain self:lockdown confidentiality;
}


-- 
Chris PeBenito