2012-12-17 19:58:09

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/9] Properly label nm-dispatcher.action on Debian

From: Laurent Bigonville <[email protected]>

---
networkmanager.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/networkmanager.fc b/networkmanager.fc
index 2a3cca4..a1fb3c3 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -13,6 +13,7 @@
/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)

+/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)

/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
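Review bot: the new /usr/lib/NetworkManager entry sorts correctly ahead of /usr/libexec and mirrors the existing nm-dispatcher\.action line, so the label is consistent; because NetworkManager_initrc_exec_t is an init script type, the domain that starts it (the system bus, per the message of 2/9) still needs a domtrans rule, which this fc change alone does not provide. Minor style: the two wicd lines above use `, s0)` with a space while the new line uses `,s0)`, the usual refpolicy spelling, so the wicd lines could be normalised in passing.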
--
1.7.10.4


2012-12-17 19:58:11

by Laurent Bigonville

Subject: [refpolicy] [PATCH 3/9] policykit.fc: Properly label polkit-agent-helper-1 on Debian

From: Laurent Bigonville <[email protected]>

---
policykit.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policykit.fc b/policykit.fc
index 4d43b85..1d76c72 100644
--- a/policykit.fc
+++ b/policykit.fc
@@ -5,6 +5,7 @@
/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)

/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
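Review bot: the commit has no body explaining why polkit-agent-helper-1 gets policykit_auth_exec_t rather than policykit_exec_t like the neighbouring polkitd entry; a one-line note that this helper performs the PAM authentication on behalf of the agent, which is why it belongs with the other policykit_auth_exec_t entries, would make the choice reviewable. Placement is correct: `policykit-1/polkit-agent-helper-1` sorts before `policykit-1/polkitd`.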
--
1.7.10.4

2012-12-17 19:58:10

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/9] Allow system_dbusd_t to transition to networkmanager_initrc_t

From: Laurent Bigonville <[email protected]>

The nm-dispatcher.action executable is labeled as
NetworkManager_initrc_exec_t and will be executed by the system dbus.
---
dbus.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/dbus.te b/dbus.te
index ad29d6f..2ed2d6e 100644
--- a/dbus.te
+++ b/dbus.te
@@ -148,6 +148,10 @@ optional_policy(`
')

optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
policykit_read_lib(system_dbusd_t)
')
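Review bot: the transition is scoped to NetworkManager's own init script type, so any other program started by the bus and labeled with a different *_initrc_exec_t will hit the same denial and need its own optional_policy block in dbus.te; a single generic interface covering every init script file type (the approach taken further down in this thread) keeps dbus.te free of per-module knowledge. Placement between the existing blocks is alphabetical (networkmanager before policykit), as expected.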

--
1.7.10.4

2012-12-17 19:58:12

by Laurent Bigonville

Subject: [refpolicy] [PATCH 4/9] cups.fc: Properly label cups-pk-helper-mechanism on Debian

From: Laurent Bigonville <[email protected]>

---
cups.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/cups.fc b/cups.fc
index 6f7a1cd..14db0e1 100644
--- a/cups.fc
+++ b/cups.fc
@@ -31,6 +31,7 @@
/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

+/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
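Review bot: no commit body; state that cups-pk-helper-mechanism is started through the system bus rather than from an init script and why cupsd_config_exec_t is the right entrypoint, since that determines which domain must be allowed to transition into cupsd_config_t for the mechanism to run confined. Sort order is fine: `cups-pk-helper/` precedes `cups/daemon/`.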
--
1.7.10.4

2012-12-17 19:58:13

by Laurent Bigonville

Subject: [refpolicy] [PATCH 5/9] Allow pcscd the fsetid capability

From: Laurent Bigonville <[email protected]>

---
pcscd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pcscd.te b/pcscd.te
index b7b82ab..5e44a7b 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -21,7 +21,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
# Local policy
#

-allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:capability { dac_override dac_read_search fsetid };
allow pcscd_t self:process signal;
allow pcscd_t self:fifo_file rw_fifo_file_perms;
allow pcscd_t self:unix_stream_socket { accept listen };
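Review bot: the commit gives no AVC, and fsetid is one of the capabilities the kernel checks on routine chmod/chown of files a daemon already owns, where refpolicy usually prefers `dontaudit pcscd_t self:capability fsetid;` over granting it; unless pcscd really needs to preserve set-gid bits on files it modifies, a dontaudit is the safer rule, and either way the denial that motivated this belongs in the commit message.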
--
1.7.10.4

2012-12-17 19:58:14

by Laurent Bigonville

Subject: [refpolicy] [PATCH 6/9] Allow networkmanager_t to read crypto_sysctl_t

From: Laurent Bigonville <[email protected]>

nm-openvpn-service is started in the networkmanager_t context; if it's
compiled with gnutls instead of openssl, the library will read
/proc/sys/crypto/fips_enabled.
---
networkmanager.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/networkmanager.te b/networkmanager.te
index ebaea1d..e96e750 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -83,6 +83,7 @@ files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_

can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })

+kernel_read_crypto_sysctls(NetworkManager_t)
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
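Review bot: the subject names networkmanager_t and crypto_sysctl_t, but the rule is for NetworkManager_t and the type read by kernel_read_crypto_sysctls() is sysctl_crypto_t (7/9 in this series spells it that way); aligning the subject with the real names avoids a misleading history entry. The body's justification (gnutls reading /proc/sys/crypto/fips_enabled) is exactly what a reviewer needs, and placing the call before kernel_read_system_state keeps the kernel_* block sorted.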
--
1.7.10.4

2012-12-17 19:58:15

by Laurent Bigonville

Subject: [refpolicy] [PATCH 7/9] Allow virsh_t context to read sysctl_crypto_t

From: Laurent Bigonville <[email protected]>

---
virt.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/virt.te b/virt.te
index 18b1cc6..333e53b 100644
--- a/virt.te
+++ b/virt.te
@@ -768,6 +768,7 @@ virt_manage_images(virsh_t)
virt_manage_config(virsh_t)
virt_stream_connect(virsh_t)

+kernel_read_crypto_sysctls(virsh_t)
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
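Review bot: no commit body; if this is the same gnutls read of /proc/sys/crypto/fips_enabled as in 6/9, say so, because a bare kernel_read_crypto_sysctls() addition without a reason is hard to audit later. Placement matches the other kernel_read_* calls in the block.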
--
1.7.10.4

2012-12-17 19:58:16

by Laurent Bigonville

Subject: [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t

From: Laurent Bigonville <[email protected]>

---
dbus.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/dbus.te b/dbus.te
index 2ed2d6e..c418ebb 100644
--- a/dbus.te
+++ b/dbus.te
@@ -57,6 +57,7 @@ ifdef(`enable_mls',`
#

allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability2 block_suspend;
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
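Review bot: capability2 block_suspend is an unusual need for a message bus, and the AVC later in this thread shows comm="host" (a DNS lookup tool) running in system_dbusd_t, i.e. a child of dbus-daemon that never left the daemon's domain; that is a labeling or transition gap in whatever program spawned it, not something dbus-daemon itself does, so the rule should not be added on that evidence. Asking for the AVC before merging any new capability, as happens below, is the right call.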
--
1.7.10.4

2012-12-17 19:58:17

by Laurent Bigonville

Subject: [refpolicy] [PATCH 9/9] Allow cupsd_t to read cupsd_log_t

From: Laurent Bigonville <[email protected]>

---
cups.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/cups.te b/cups.te
index 501f6e3..cf3046f 100644
--- a/cups.te
+++ b/cups.te
@@ -135,6 +135,7 @@ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
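Review bot: with append, create, setattr and now read on cupsd_log_t, cupsd_t has close to full file control over its log type; that may well be correct, but the commit has no body, so add the AVC and say which cupsd feature reads the log files back, so that a reviewer can distinguish a genuine read from a missing append-only pattern elsewhere.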

--
1.7.10.4

2012-12-17 20:18:08

by dominick.grift

Subject: [refpolicy] [PATCH 2/9] Allow system_dbusd_t to transition to networkmanager_initrc_t

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> The nm-dispatcher.action executable is labeled as
> NetworkManager_initrc_exec_t and will be executed by the system dbus.
> ---
> dbus.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/dbus.te b/dbus.te
> index ad29d6f..2ed2d6e 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -148,6 +148,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_initrc_domtrans(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_read_lib(system_dbusd_t)
> ')
>

This is a better solution (which I am about to commit instead):

> From 3629eb16814fa4ea3542892508250dd1b5e00c9d Mon, 17 Dec 2012 21:16:33 +0100
> From: Dominick Grift <[email protected]>
> Date: Mon, 17 Dec 2012 21:16:23 +0100
> Subject: [PATCH] Changes to the dbus policy module
>
>
> System bus needs to be able to transition to init script domain on any
> init script file type instead of only the generic init script file type
>
> Signed-off-by: Dominick Grift <[email protected]>
> diff --git a/dbus.te b/dbus.te
> index ad29d6f..4f75f33 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -1,4 +1,4 @@
> -policy_module(dbus, 1.18.6)
> +policy_module(dbus, 1.18.7)
>
> gen_require(`
> class dbus all_dbus_perms;
> @@ -125,7 +125,7 @@
>
> init_use_fds(system_dbusd_t)
> init_use_script_ptys(system_dbusd_t)
> -init_domtrans_script(system_dbusd_t)
> +init_all_labeled_script_domtrans(system_dbusd_t)
>
> init_use_fds(system_dbusd_t)
> init_use_script_ptys(system_dbusd_t)
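Review bot: the context lines show init_use_fds(system_dbusd_t) and init_use_script_ptys(system_dbusd_t) both before and after the changed line, so the pair is duplicated in dbus.te; since this hunk already touches that region, dropping the second copy would be a cheap cleanup. The switch from init_domtrans_script() to init_all_labeled_script_domtrans() widens what the bus may execute from the generic init script type to every labeled init script type, which is what the nm-dispatcher case needs while still landing every such program in the init script domain instead of leaving it in system_dbusd_t.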

2012-12-17 20:38:23

by dominick.grift

Subject: [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> dbus.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/dbus.te b/dbus.te
> index 2ed2d6e..c418ebb 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -57,6 +57,7 @@ ifdef(`enable_mls',`
> #
>
> allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
> +allow system_dbusd_t self:capability2 block_suspend;
> dontaudit system_dbusd_t self:capability sys_tty_config;
> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
> allow system_dbusd_t self:fifo_file rw_fifo_file_perms;

I am not confident about this.
Do you still have the avc denial of this event?

2012-12-17 20:39:16

by dominick.grift

Subject: [refpolicy] [PATCH 1/9] Properly label nm-dispatcher.action on Debian

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks

> ---
> networkmanager.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/networkmanager.fc b/networkmanager.fc
> index 2a3cca4..a1fb3c3 100644
> --- a/networkmanager.fc
> +++ b/networkmanager.fc
> @@ -13,6 +13,7 @@
> /etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
> /etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
>
> +/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
> /usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
>
> /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)

2012-12-17 20:39:59

by dominick.grift

Subject: [refpolicy] [PATCH 3/9] policykit.fc: Properly label polkit-agent-helper-1 on Debian

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks

> ---
> policykit.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policykit.fc b/policykit.fc
> index 4d43b85..1d76c72 100644
> --- a/policykit.fc
> +++ b/policykit.fc
> @@ -5,6 +5,7 @@
> /usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
> /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
> /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
> +/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
> /usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
>
> /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)

2012-12-17 20:40:29

by dominick.grift

Subject: [refpolicy] [PATCH 4/9] cups.fc: Properly label cups-pk-helper-mechanism on Debian

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks
> ---
> cups.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/cups.fc b/cups.fc
> index 6f7a1cd..14db0e1 100644
> --- a/cups.fc
> +++ b/cups.fc
> @@ -31,6 +31,7 @@
> /usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
> /usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
>
> +/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
> /usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
> /usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
> /usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)

2012-12-17 20:40:57

by dominick.grift

Subject: [refpolicy] [PATCH 5/9] Allow pcscd the fsetid capability

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks

> ---
> pcscd.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/pcscd.te b/pcscd.te
> index b7b82ab..5e44a7b 100644
> --- a/pcscd.te
> +++ b/pcscd.te
> @@ -21,7 +21,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
> # Local policy
> #
>
> -allow pcscd_t self:capability { dac_override dac_read_search };
> +allow pcscd_t self:capability { dac_override dac_read_search fsetid };
> allow pcscd_t self:process signal;
> allow pcscd_t self:fifo_file rw_fifo_file_perms;
> allow pcscd_t self:unix_stream_socket { accept listen };

2012-12-17 20:41:55

by dominick.grift

Subject: [refpolicy] [PATCH 6/9] Allow networkmanager_t to read crypto_sysctl_t

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>

This was merged, thanks
> nm-openvpn-service is started in the networkmanager_t context; if it's
> compiled with gnutls instead of openssl, the library will read
> /proc/sys/crypto/fips_enabled.
> ---
> networkmanager.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/networkmanager.te b/networkmanager.te
> index ebaea1d..e96e750 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -83,6 +83,7 @@ files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_
>
> can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
>
> +kernel_read_crypto_sysctls(NetworkManager_t)
> kernel_read_system_state(NetworkManager_t)
> kernel_read_network_state(NetworkManager_t)
> kernel_read_kernel_sysctls(NetworkManager_t)

2012-12-17 20:42:34

by dominick.grift

Subject: [refpolicy] [PATCH 7/9] Allow virsh_t context to read sysctl_crypto_t

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks

> ---
> virt.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/virt.te b/virt.te
> index 18b1cc6..333e53b 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -768,6 +768,7 @@ virt_manage_images(virsh_t)
> virt_manage_config(virsh_t)
> virt_stream_connect(virsh_t)
>
> +kernel_read_crypto_sysctls(virsh_t)
> kernel_read_system_state(virsh_t)
> kernel_read_network_state(virsh_t)
> kernel_read_kernel_sysctls(virsh_t)

2012-12-17 20:43:09

by dominick.grift

Subject: [refpolicy] [PATCH 9/9] Allow cupsd_t to read cupsd_log_t

On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>

This was merged, thanks
> ---
> cups.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/cups.te b/cups.te
> index 501f6e3..cf3046f 100644
> --- a/cups.te
> +++ b/cups.te
> @@ -135,6 +135,7 @@ files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
> manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
> append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
> create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
> +read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
> setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
> logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
>

2012-12-18 08:31:53

by Laurent Bigonville

Subject: [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t

On Mon, 17 Dec 2012 21:38:23 +0100,
grift <[email protected]> wrote:

> On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> > From: Laurent Bigonville <[email protected]>
> >
> > ---
> > dbus.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/dbus.te b/dbus.te
> > index 2ed2d6e..c418ebb 100644
> > --- a/dbus.te
> > +++ b/dbus.te
> > @@ -57,6 +57,7 @@ ifdef(`enable_mls',`
> > #
> >
> > allow system_dbusd_t self:capability { sys_resource dac_override
> > setgid setpcap setuid }; +allow system_dbusd_t self:capability2
> > block_suspend; dontaudit system_dbusd_t self:capability
> > sys_tty_config; allow system_dbusd_t self:process { getattr
> > getsched signal_perms setpgid getcap setcap setrlimit }; allow
> > system_dbusd_t self:fifo_file rw_fifo_file_perms;
>
> I am not confident about this.
> Do you still have the avc denial of this event?

time->Mon Dec 17 10:38:26 2012
type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355737106.427:178): avc: denied { block_suspend } for pid=3990 comm="host" capability=36 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2

This is indeed maybe not correct

Laurent

2012-12-18 08:44:37

by dominick.grift

Subject: [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t

On Tue, 2012-12-18 at 09:31 +0100, Laurent Bigonville wrote:
> On Mon, 17 Dec 2012 21:38:23 +0100,
> grift <[email protected]> wrote:
>
> > On Mon, 2012-12-17 at 20:58 +0100, Laurent Bigonville wrote:
> > > From: Laurent Bigonville <[email protected]>
> > >
> > > ---
> > > dbus.te | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/dbus.te b/dbus.te
> > > index 2ed2d6e..c418ebb 100644
> > > --- a/dbus.te
> > > +++ b/dbus.te
> > > @@ -57,6 +57,7 @@ ifdef(`enable_mls',`
> > > #
> > >
> > > allow system_dbusd_t self:capability { sys_resource dac_override
> > > setgid setpcap setuid }; +allow system_dbusd_t self:capability2
> > > block_suspend; dontaudit system_dbusd_t self:capability
> > > sys_tty_config; allow system_dbusd_t self:process { getattr
> > > getsched signal_perms setpgid getcap setcap setrlimit }; allow
> > > system_dbusd_t self:fifo_file rw_fifo_file_perms;
> >
> > I am not confident about this.
> > Do you still have the avc denial of this event?
>
> time->Mon Dec 17 10:38:26 2012
> type=SYSCALL msg=audit(1355737106.427:178): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=14 a3=7fb7f748ecd0 items=0 ppid=3971 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="host" exe="/usr/bin/host" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1355737106.427:178): avc: denied { block_suspend } for pid=3990 comm="host" capability=36 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2
>
> This is indeed maybe not correct
>
> Laurent

What is "host"?

Can you do a ps auxZ | grep system_dbusd_t?

2012-12-18 09:18:39

by Laurent Bigonville

Subject: [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t

On Tue, 18 Dec 2012 09:44:37 +0100,
grift <[email protected]> wrote:

> What is "host"?

$ whatis host
host (1) - DNS lookup utility

> Can you do a ps auxZ | grep system_dbusd_t?

$ ps auxZ | grep system_dbusd_t
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 message+ 3066 0.0 0.0 41632 2560 ? Ssl 09:06 0:01 /usr/bin/dbus-daemon --system

I'll try to figure out which component is calling this.

Laurent

2012-12-18 16:20:01

by dominick.grift

Subject: [refpolicy] [PATCH 8/9] Allow capability block_suspend to system_dbusd_t

On Tue, 2012-12-18 at 10:18 +0100, Laurent Bigonville wrote:
> On Tue, 18 Dec 2012 09:44:37 +0100,
> grift <[email protected]> wrote:
>
> > What is "host"?
>
> $ whatis host
> host (1) - DNS lookup utility
>
> > Can you do a ps auxZ | grep system_dbusd_t?
>
> $ ps auxZ | grep system_dbusd_t
> system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 message+ 3066 0.0 0.0 41632 2560 ? Ssl 09:06 0:01 /usr/bin/dbus-daemon --system
>
> I'll try to figure out which component is calling this.
>
> Laurent

Ok, turns out that this was actually due to the mislabeled
nm-dispatcher.action program.

Now that it is correctly labeled NetworkManager_initrc_exec_t and now
that system_dbusd_t can domain transition to initrc_t via any "init
script file type" this no longer happens for system_dbusd_t.

Instead we need to allow initrc_t the block_suspend capability2.

We also tried to label the action program NetworkManager_exec_t but that
caused many other denials and since the same program in a different
location was already also NetworkManager_initrc_exec_t we decided to
stick to that for the sake of uniformity and because we trust that the
decision to label it NetworkManager_initrc_exec_t was well thought out.

By the way, this also made me realize that dbus session domains probably
also should not need block suspend capability.

I ported that rule from Fedora earlier but I have commented it out
(push is pending) because I would like to reproduce and see the avc
denial.
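As an added example, not code from this thread or from refpolicy, the small Python checker below applies the diagnosis above to the audit record and `ps auxZ` line quoted earlier (copied here as constructed strings): a capability denial whose comm is not one of the executables actually running in the source domain points at a missing domain transition, not at a missing allow rule.

```python
import re

# Constructed copies of the audit record and the ps line quoted in this thread.
AVC_LINE = ('type=AVC msg=audit(1355737106.427:178): avc: denied { block_suspend } '
            'for pid=3990 comm="host" capability=36 '
            'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=capability2')
PS_LINES = ['system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 message+ 3066 0.0 0.0 41632 '
            '2560 ? Ssl 09:06 0:01 /usr/bin/dbus-daemon --system']

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def domain(context):
    """'system_u:system_r:system_dbusd_t:s0-s0:c0.c1023' -> 'system_dbusd_t'."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC audit record into a dict; None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in KV_RE.findall(m.group(2)):
        rec[key] = val.strip('"')
    return rec


def domain_processes(ps_lines):
    """Map SELinux domain -> set of executable names seen there in `ps auxZ`."""
    seen = {}
    for line in ps_lines:
        fields = line.split(None, 11)   # 11 fixed columns, then the command
        exe = fields[11].split()[0].rsplit("/", 1)[-1]
        seen.setdefault(domain(fields[0]), set()).add(exe)
    return seen


def triage(avc_line, ps_lines):
    """Decide whether a self:capability denial is a real need of the daemon
    ("allow") or comes from a child that never left the daemon's domain ("relabel")."""
    rec = parse_avc(avc_line)
    if rec is None or rec.get("tclass") not in ("capability", "capability2"):
        return "skip", "not a capability denial"
    src = domain(rec["scontext"])
    expected = domain_processes(ps_lines).get(src, set())
    if rec["comm"] not in expected:
        return "relabel", ("%s ran in %s, but only %s is expected there: label the "
                           "program it was started from so it transitions out of %s"
                           % (rec["comm"], src, "/".join(sorted(expected)) or "nothing", src))
    return "allow", "allow %s self:%s %s;" % (src, rec["tclass"], " ".join(rec["perms"]))


if __name__ == "__main__":
    print(triage(AVC_LINE, PS_LINES))
```

Feeding it the thread's AVC yields "relabel", the same conclusion reached above; only a denial whose comm matches a process genuinely running in the domain produces an allow rule.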