2019-01-11 10:30:50

by Russell Coker

Subject: [PATCH] some little stuff

Tiny and I think they are all obvious.

Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -147,7 +147,9 @@ miscfiles_read_localization(bootloader_t

mount_rw_runtime_files(bootloader_t)

+selinux_getattr_fs(bootloader_t)
seutil_read_bin_policy(bootloader_t)
+seutil_read_file_contexts(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)

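Review bot: neither added call is annotated with what in bootloader_t triggers it, while the logrotate hunk in this same patch comments its addition ("# sys_ptrace is for systemctl"); add the same kind of note here, in particular for seutil_read_file_contexts(bootloader_t), which extends the bootloader from reading the binary policy to reading the file contexts configuration and is easier to audit later if the tool that needs it is named.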
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
# Local policy
#

-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# sys_ptrace is for systemctl
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
# systemctl asks for net_admin
dontaudit logrotate_t self:capability net_admin;
allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
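Review bot: the added sys_ptrace capability is broader than its comment justifies: no `process ptrace` permission is added with it, so nothing in this hunk shows logrotate actually tracing a process, and the next line already treats a similar systemctl request (net_admin) with a dontaudit rather than an allow. Unless logrotate demonstrably fails without it, handle it the same way, `dontaudit logrotate_t self:capability sys_ptrace;`, and keep the capability list as it was.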
Index: refpolicy-2.20180701/policy/modules/services/dhcp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dhcp.te
+++ refpolicy-2.20180701/policy/modules/services/dhcp.te
@@ -105,6 +105,7 @@ auth_use_nsswitch(dhcpd_t)

logging_send_syslog_msg(dhcpd_t)

+miscfiles_read_generic_certs(dhcpd_t)
miscfiles_read_localization(dhcpd_t)

sysnet_read_dhcp_config(dhcpd_t)
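Review bot: miscfiles_read_generic_certs(dhcpd_t) arrives without a comment naming what makes dhcpd read the certificate store; since this widens dhcpd_t's read access beyond the DHCP configuration it already has, record the triggering component inline, as the logrotate hunk in this patch does for its addition.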
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -333,6 +333,7 @@ optional_policy(`

optional_policy(`
xserver_domtrans_xauth(sshd_t)
+ xserver_link_xdm_keys(sshd_t)
')

########################################
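Review bot: the new xserver_link_xdm_keys(sshd_t) call carries no explanation of why sshd needs to link keys owned by xdm_t into keyrings; a one-line comment naming the operation that produces the denial would make this rule reviewable on its own, and the sshd_t section is otherwise the only caller of the new interface, so the justification belongs here.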
Index: refpolicy-2.20180701/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20180701/policy/modules/services/xserver.if
@@ -1634,6 +1634,24 @@ interface(`xserver_rw_xdm_keys',`

########################################
## <summary>
+## Manage keys for xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_link_xdm_keys',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:key link;
+')
+
+########################################
+## <summary>
## Read and write the mesa shader cache.
## </summary>
## <param name="domain">
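Review bot: the summary "Manage keys for xdm." does not match the body, which grants only `allow $1 xdm_t:key link;`; the read/write interface is the existing xserver_rw_xdm_keys just above, so describe this one as what it does, for example "Link keys owned by xdm into the caller's keyrings.", so that callers do not mistake it for a manage-level interface.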
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -708,6 +708,9 @@ allow xserver_t mesa_shader_cache_t:file
xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")

+# for writing to ~/.local/share/sddm/xorg-session.log
+xdg_manage_data(xauth_t)
+
domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
allow xserver_t xauth_home_t:file read_file_perms;

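Review bot: xdg_manage_data(xauth_t) grants access to xauth_t but is placed in the xserver_t local policy, between the xserver_t filetrans rules and the domtrans into xauth_t; move it into the xauth_t section. It is also far wider than the comment states: manage rights over every XDG data file in user homes, for one log under ~/.local/share/sddm. If xauth is only appending to that log, an append rule on the log's type (or a dontaudit, if the write is incidental) would fit the stated need better than manage of all xdg data.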
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -337,6 +337,10 @@ optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')

+optional_policy(`
+ unconfined_dbus_send(systemd_hostnamed_t)
+')
+
#########################################
#
# hw local policy
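Review bot: unconfined_dbus_send(systemd_hostnamed_t) is added without a comment saying which unconfined client hostnamed is answering, and a confined service sending D-Bus messages to unconfined domains is exactly the kind of access that needs a recorded reason; name the triggering operation inline and check whether a dbus_chat with the specific client domain would be narrower than the generic send to unconfined domains.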
@@ -431,6 +435,7 @@ dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
@@ -680,10 +685,11 @@ miscfiles_read_localization(systemd_noti
# Nspawn local policy
#

-allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;

allow systemd_nspawn_t systemd_journal_t:dir search;

Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)

optional_policy(`
+ apt_use_fds(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(groupadd_t)
')

@@ -546,6 +550,10 @@ optional_policy(`
')

optional_policy(`
+ apt_use_fds(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(useradd_t)
')

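Review bot: this second apt_use_fds call names the wrong domain: the hunk sits in the useradd_t section (its context line is `dbus_system_bus_client(useradd_t)`) but adds `apt_use_fds(groupadd_t)`, which merely repeats the groupadd_t rule from the previous hunk and leaves useradd_t without the access. It should read `apt_use_fds(useradd_t)`.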

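Added example, not part of Russell's patch or of refpolicy: a small Python checker for the section-versus-domain slip visible in the second usermanage.te hunk above, where `apt_use_fds(groupadd_t)` lands in the useradd_t block. It groups rule subjects by the `# ... local policy` comments that refpolicy .te files use and reports any rule whose subject domain differs from the section's dominant one; the .te text it runs on is a constructed sample modelled on those hunks, and the regexes are my own heuristics, not refpolicy tooling.

```python
import re
from collections import Counter

# refpolicy .te files introduce each domain's rules with a "# Useradd local policy" comment.
SECTION_RE = re.compile(r"^#\s*(.+?)\s+local policy\s*$", re.IGNORECASE)
# Subject of an allow/dontaudit rule, or the first argument of an interface call.
SUBJECT_RE = re.compile(
    r"^\s*(?:allow|dontaudit|auditallow)\s+(\w+_t)\b|^\s*\w+\(\s*(\w+_t)\b")


def section_subjects(te_text):
    """Group (lineno, subject_domain) pairs by the local-policy section they fall in."""
    sections, current = {}, None
    for lineno, line in enumerate(te_text.splitlines(), 1):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = SUBJECT_RE.match(line)
        if m and current is not None:
            sections[current].append((lineno, m.group(1) or m.group(2)))
    return sections


def find_stray_domains(te_text):
    """Return (section, lineno, found, expected) for rules whose subject is not the section's dominant domain."""
    findings = []
    for section, subjects in section_subjects(te_text).items():
        if len(subjects) < 2:
            continue  # nothing to compare against
        expected = Counter(s for _, s in subjects).most_common(1)[0][0]
        for lineno, subject in subjects:
            if subject != expected:
                findings.append((section, lineno, subject, expected))
    return findings


# Constructed sample modelled on the usermanage.te hunks (not the real file): the
# apt_use_fds call in the Useradd section names groupadd_t instead of useradd_t.
SAMPLE_TE = """\
# Groupadd local policy
allow groupadd_t self:capability { chown dac_override };
userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
	apt_use_fds(groupadd_t)
')
# Useradd local policy
allow useradd_t self:capability { chown dac_override };
userdom_use_unpriv_users_fds(useradd_t)
optional_policy(`
	apt_use_fds(groupadd_t)
')
optional_policy(`
	dbus_system_bus_client(useradd_t)
')
"""
```

Running `find_stray_domains(SAMPLE_TE)` reports the line of the stray `apt_use_fds(groupadd_t)` in the Useradd section with useradd_t as the expected domain; the same pass would also flag an xauth_t rule placed inside an xserver_t section.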

2019-01-12 20:04:47

by Chris PeBenito

Subject: Re: [PATCH] some little stuff

On 1/11/19 5:30 AM, Russell Coker wrote:
> Tiny and I think they are all obvious.
>
> Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
> @@ -147,7 +147,9 @@ miscfiles_read_localization(bootloader_t
>
> mount_rw_runtime_files(bootloader_t)
>
> +selinux_getattr_fs(bootloader_t)
> seutil_read_bin_policy(bootloader_t)
> +seutil_read_file_contexts(bootloader_t)
> seutil_read_loadpolicy(bootloader_t)
> seutil_dontaudit_search_config(bootloader_t)
>
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
> # Local policy
> #
>
> -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +# sys_ptrace is for systemctl
> +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };

I didn't merge this because it seems peculiar. There is no process
ptrace permission and also because it doesn't seem like it should be
allowed to ptrace anyway.

> # systemctl asks for net_admin
> dontaudit logrotate_t self:capability net_admin;
> allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> Index: refpolicy-2.20180701/policy/modules/services/dhcp.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/dhcp.te
> +++ refpolicy-2.20180701/policy/modules/services/dhcp.te
> @@ -105,6 +105,7 @@ auth_use_nsswitch(dhcpd_t)
>
> logging_send_syslog_msg(dhcpd_t)
>
> +miscfiles_read_generic_certs(dhcpd_t)
> miscfiles_read_localization(dhcpd_t)
>
> sysnet_read_dhcp_config(dhcpd_t)
> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
> @@ -333,6 +333,7 @@ optional_policy(`
>
> optional_policy(`
> xserver_domtrans_xauth(sshd_t)
> + xserver_link_xdm_keys(sshd_t)
> ')
>
> ########################################
> Index: refpolicy-2.20180701/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20180701/policy/modules/services/xserver.if
> @@ -1634,6 +1634,24 @@ interface(`xserver_rw_xdm_keys',`
>
> ########################################
> ## <summary>
> +## Manage keys for xdm.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_link_xdm_keys',`
> + gen_require(`
> + type xdm_t;
> + ')
> +
> + allow $1 xdm_t:key link;
> +')
> +
> +########################################
> +## <summary>
> ## Read and write the mesa shader cache.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
> @@ -708,6 +708,9 @@ allow xserver_t mesa_shader_cache_t:file
> xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
> xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
>
> +# for writing to ~/.local/share/sddm/xorg-session.log
> +xdg_manage_data(xauth_t)
> domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
> allow xserver_t xauth_home_t:file read_file_perms;
>
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -337,6 +337,10 @@ optional_policy(`
> networkmanager_dbus_chat(systemd_hostnamed_t)
> ')
>
> +optional_policy(`
> + unconfined_dbus_send(systemd_hostnamed_t)
> +')

This comment:

https://github.com/SELinuxProject/refpolicy/issues/18#issuecomment-452316615

makes me rethink all dbus sends to unconfined domains, especially
unconfined_t. This here isn't all confined domains, but I want more
consideration for the perm.


> #########################################
> #
> # hw local policy
> @@ -431,6 +435,7 @@ dev_rw_input_dev(systemd_logind_t)
> dev_rw_sysfs(systemd_logind_t)
> dev_setattr_dri_dev(systemd_logind_t)
> dev_setattr_generic_usb_dev(systemd_logind_t)
> +dev_setattr_input_dev(systemd_logind_t)
> dev_setattr_kvm_dev(systemd_logind_t)
> dev_setattr_sound_dev(systemd_logind_t)
> dev_setattr_video_dev(systemd_logind_t)
> @@ -680,10 +685,11 @@ miscfiles_read_localization(systemd_noti
> # Nspawn local policy
> #
>
> -allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
> +allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
> allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
> allow systemd_nspawn_t self:capability2 wake_alarm;
> allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
> +allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
>
> allow systemd_nspawn_t systemd_journal_t:dir search;
>
> Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
> @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
> userdom_dontaudit_search_user_home_dirs(groupadd_t)
>
> optional_policy(`
> + apt_use_fds(groupadd_t)
> +')
> +
> +optional_policy(`
> dbus_system_bus_client(groupadd_t)
> ')
>
> @@ -546,6 +550,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + apt_use_fds(groupadd_t)
> +')
> +
> +optional_policy(`
> dbus_system_bus_client(useradd_t)
> ')
>
>


--
Chris PeBenito

2019-01-15 07:47:23

by Russell Coker

Subject: Re: [PATCH] some little stuff

On Sunday, 13 January 2019 6:28:35 AM AEDT Chris PeBenito wrote:
> > Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> > +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> > @@ -337,6 +337,10 @@ optional_policy(`
> > networkmanager_dbus_chat(systemd_hostnamed_t)
> > ')
> >
> > +optional_policy(`
> > + unconfined_dbus_send(systemd_hostnamed_t)
> > +')
>
> This comment:
>
> https://github.com/SELinuxProject/refpolicy/issues/18#issuecomment-452316615
>
> makes me rethink all dbus sends to unconfined domains, especially
> unconfined_t. This here isn't all confined domains, but I want more
> consideration for the perm.

That comment is about allowing all domains to send to unconfined_t. Allowing
specific domains like systemd_hostnamed_t to send to unconfined_t doesn't seem
like a problem. It doesn't seem likely that an attack via dbus would start
with a systemd domain, especially not one like systemd_hostnamed_t.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/




2019-01-15 08:36:57

by Dominick Grift

Subject: Re: [PATCH] some little stuff

Russell Coker <[email protected]> writes:

> On Sunday, 13 January 2019 6:28:35 AM AEDT Chris PeBenito wrote:
>> > Index: refpolicy-2.20180701/policy/modules/system/systemd.te
>> > ===================================================================
>> > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
>> > +++ refpolicy-2.20180701/policy/modules/system/systemd.te
>> > @@ -337,6 +337,10 @@ optional_policy(`
>> > networkmanager_dbus_chat(systemd_hostnamed_t)
>> > ')
>> >
>> > +optional_policy(`
>> > + unconfined_dbus_send(systemd_hostnamed_t)
>> > +')
>>
>> This comment:
>>
>> https://github.com/SELinuxProject/refpolicy/issues/18#issuecomment-452316615
>>
>> makes me rethink all dbus sends to unconfined domains, especially
>> unconfined_t. This here isn't all confined domains, but I want more
>> consideration for the perm.
>
> That comment is about allowing all domains to send to unconfined_t. Allowing
> specific domains like systemd_hostnamed_t to send to unconfined_t doesn't seem
> like a problem. It doesn't seem likely that an attack via dbus would start
> with a systemd domain, especially not one like systemd_hostnamed_t.

Not completely accurate. The comment is not about "all" domains, it's
about "all" domains that already have access to dbus. However I kind of
agree here that it's probably not worth it to go down this rabbit hole.

Even the normal dbus_chat interfaces are too broad (and that is
inevitable), and potentially allow for at least some form of priv escalation
more often than not.

It's just a dbus design issue IMHO.

This is also why I added that commit in the first place. I knew that it
was a (big) compromise but I just chose to add it anyway (without any
discussion, which was wrong). I still allow this access in DSSP2, I just
made a note about it in the README. There are just weak spots in the
policy such as DBUS and unconfined. As long as you are aware of them you
can to some extent anticipate that.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2019-01-16 23:19:41

by Chris PeBenito

Subject: Re: [PATCH] some little stuff

On 1/15/19 2:47 AM, Russell Coker wrote:
> On Sunday, 13 January 2019 6:28:35 AM AEDT Chris PeBenito wrote:
>>> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
>>> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
>>> @@ -337,6 +337,10 @@ optional_policy(`
>>> networkmanager_dbus_chat(systemd_hostnamed_t)
>>> ')
>>>
>>> +optional_policy(`
>>> + unconfined_dbus_send(systemd_hostnamed_t)
>>> +')
>>
>> This comment:
>>
>> https://github.com/SELinuxProject/refpolicy/issues/18#issuecomment-452316615
>>
>> makes me rethink all dbus sends to unconfined domains, especially
>> unconfined_t. This here isn't all confined domains, but I want more
>> consideration for the perm.
>
> That comment is about allowing all domains to send to unconfined_t. Allowing
> specific domains like systemd_hostnamed_t to send to unconfined_t doesn't seem
> like a problem. It doesn't seem likely that an attack via dbus would start
> with a systemd domain, especially not one like systemd_hostnamed_t.

It's applicable to confined domains sending messages to unconfined
domains. What compounds my concern is that there is no similar access
for confined users, so where is this coming from? (what's happening?)

--
Chris PeBenito