Not sure about patch 5/7 if this is wanted/needed. It just seems like a good
idea to combine the rights as the dontaudit interface itself is meant to, well,
ignore certain behavior of applications. With the move to /sys/fs/selinux, these
applications would otherwise also need the dontaudit rules against the sysfs
parts, so I thought that making them part of the same dontaudit interface makes
sense.
Sven Vermeulen (7):
Get grub2-install to work properly
Support /sys/devices/system/cpu/online
Mark f2fs as a xattr-enabled file system
The security_t file system can be at /sys/fs/selinux
Dontaudit access on security_t file system at /sys/fs/selinux
Support named file transition for fixed_disk_device_t
Alsasound init script writes asound.state file
policy/modules/admin/bootloader.fc | 2 ++
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 61 +++++++++++++++++++++++++++++++++++++
policy/modules/kernel/devices.te | 7 +++++
policy/modules/kernel/domain.te | 2 ++
policy/modules/kernel/filesystem.te | 1 +
policy/modules/kernel/selinux.if | 8 +++++
policy/modules/kernel/storage.if | 7 ++++-
policy/modules/system/init.te | 4 +++
9 files changed, 92 insertions(+), 1 deletion(-)
--
1.8.1.5
The grub2-install application runs a few grub2-* commands. Two of those,
grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.
Marking those two applications as bootloader_exec_t (as was the case with the "grub"
legacy command in the past) allows the commands to continue.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/bootloader.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 7a6f06f..2626ebf 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -7,3 +7,5 @@
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
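Review bot: the two new entries are literal paths, so installations that ship the tools without the `2` suffix or outside /usr/sbin get no label; the file already uses a regex for `/sbin/ybin.*`, so a pattern such as `/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)` (and likewise for grub2-probe) would cover both namings in one line. grub2-install itself is not labelled by this hunk, which is fine if it runs from a domain that already has the disk rights, but the commit message should say which domain is expected to run it.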
--
1.8.1.5
In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need
to grant most domains read access to this file. As we don't want them to have
read access on sysfs_t by default, create a new type (cpu_online_t) and assign
it to the file, and grant domains read access to the file.
This does require systems to relabel the file upon every boot, something
distributions do in their bootup scripts, as /sys devices don't keep their
context.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
policy/modules/kernel/devices.te | 7 +++++++
policy/modules/kernel/domain.te | 2 ++
4 files changed, 35 insertions(+)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c054..d6ebfcd 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -199,6 +199,7 @@ ifdef(`distro_debian',`
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
ifdef(`distro_redhat',`
# originally from named.fc
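Review bot: this entry only takes effect after a relabel, as the commit message says, because the `/sys(/.*)?` line above is what the file carries when sysfs is mounted; a `genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)` rule in filesystem.te would label the file at mount time and remove the dependency on every distribution's boot scripts running restorecon. If the file_contexts entry is kept, keep it after the generic `/sys(/.*)?` line so it wins regardless of how the matcher orders entries, and say so in a comment.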
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..49f0acb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',`
########################################
## <summary>
+## Read cpu online hardware state information
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read /sys/devices/system/cpu/online
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+ gen_require(`
+ type cpu_online_t;
+ ')
+
+ allow $1 cpu_online_t:file read_file_perms;
+
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Unconfined access to devices.
## </summary>
## <param name="domain">
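Review bot: the `<desc>` should mention that the file carries `cpu_online_t` only after the boot-time relabel the commit message describes; until then it is `sysfs_t`, so a caller of this interface still gets a denial early in boot. Also, `dev_search_sysfs($1)` inside the interface grants search on every `sysfs_t` directory, not just the path to this one file; that is the larger grant and deserves a comment above the call.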
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0b1a871..0d7790c 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -60,6 +60,13 @@ type cpu_device_t;
dev_node(cpu_device_t)
#
+# /sys/devices/system/cpu/online device
+#
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
+#
# Type for /dev/crash
#
type crash_device_t;
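Review bot: the comment `# /sys/devices/system/cpu/online device` is misleading; this is a sysfs file, not a device node (compare `dev_node(cpu_device_t)` just above), so say "file". `files_type(cpu_online_t)` is what puts the type in `file_type` and lets the relabeling tools move the file away from `sysfs_t`, so keep it, and `dev_associate_sysfs(cpu_online_t)` is needed for the type to live on the sysfs mount; both are correct.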
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..ea5cdee 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain)
# create child processes in the domain
allow domain self:process { fork sigchld };
+# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
+dev_read_cpu_online(domain)
# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
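Review bot: `dev_read_cpu_online(domain)` also pulls `dev_search_sysfs` in for every domain through the interface body, so the effective change is read on one file plus search on all `sysfs_t` directories for all domains; the comment above the call only mentions the one file. State the sysfs search in the comment and in the commit message so the breadth of the grant can be weighed.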
--
1.8.1.5
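The devices.fc hunk in the patch above adds a one-file entry that overlaps the generic `/sys(/.*)?` entry, and the commit message relies on the specific one winning. The following is an added example, not part of the patch or of refpolicy: it parses a constructed file_contexts excerpt with the same two entries and resolves a path using a most-specific-wins rule (longest literal stem first, later entry on a tie). That rule is an assumption of this model; the patch's entry wins under both a last-match-wins and a most-specific rule because it is both later in the file and more specific, which is what the example demonstrates.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed file_contexts excerpt: the generic sysfs_t entry plus the
# one-file cpu_online_t entry the patch adds after it.
FILE_CONTEXTS = """\
/sys(/.*)?  gen_context(system_u:object_r:sysfs_t,s0)
/sys/devices/system/cpu/online  --  gen_context(system_u:object_r:cpu_online_t,s0)
"""

# One file_contexts line: <regex> [<file type>] gen_context(<user:role:type>,<level>)
_LINE_RE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
    r"gen_context\((?P<context>[^,]+),(?P<level>[^)]+)\)\s*$"
)
_META_RE = re.compile(r"[.^$?*+|\[(){\\]")


@dataclass(frozen=True)
class Spec:
    regex: str
    ftype: Optional[str]  # None = any object class; "--" regular file, "-d" directory, ...
    context: str          # user:role:type
    level: str            # MLS/MCS level, e.g. s0
    order: int            # position in the file

    @property
    def stem(self) -> str:
        """Literal prefix before the first regex metacharacter."""
        m = _META_RE.search(self.regex)
        return self.regex if m is None else self.regex[: m.start()]

    @property
    def type(self) -> str:
        return self.context.split(":")[2]

    def matches(self, path: str, ftype: str) -> bool:
        # file_contexts regexes are implicitly anchored at both ends
        if self.ftype is not None and self.ftype != ftype:
            return False
        return re.fullmatch(self.regex, path) is not None


def parse_file_contexts(text: str) -> list[Spec]:
    specs = []
    for n, line in enumerate(text.splitlines()):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        specs.append(Spec(m["regex"], m["ftype"], m["context"], m["level"], n))
    return specs


def lookup(specs: list[Spec], path: str, ftype: str = "--") -> Optional[Spec]:
    """Return the winning spec for path, or None if nothing matches.

    Assumed resolution rule (see lead-in): among matching entries the longest
    literal stem wins, and on a tie the later entry wins.
    """
    hits = [s for s in specs if s.matches(path, ftype)]
    if not hits:
        return None
    return max(hits, key=lambda s: (len(s.stem), s.order))


def label_type(path: str, ftype: str = "--", text: str = FILE_CONTEXTS) -> Optional[str]:
    """Convenience wrapper: the type a path would be relabelled to, or None."""
    spec = lookup(parse_file_contexts(text), path, ftype)
    return None if spec is None else spec.type


if __name__ == "__main__":
    for p, t in [("/sys/devices/system/cpu/online", "--"),
                 ("/sys/devices/system/cpu/online", "-d"),
                 ("/sys/fs/selinux", "-d"),
                 ("/proc/cpuinfo", "--")]:
        print(f"{p} {t} -> {label_type(p, t)}")
```

Note the `--` object-class qualifier: a directory at the same path would still resolve to `sysfs_t`, and anything outside `/sys` resolves to nothing, which is why a relabel tool leaves such paths alone.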
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1c66416..9949d77 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,6 +26,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
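Review bot: the commit message is empty apart from the Signed-off-by; `fs_use_xattr` only works if the kernel's f2fs stores and returns the security.selinux xattr, so the message should name the kernel version or commit where that support landed, otherwise the policy claims labels the filesystem cannot persist. Alphabetical placement between ext4dev and gfs is correct.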
--
1.8.1.5
Because it is no longer a top-level file system, we need to enhance some of the
interfaces with the appropriate rights towards sysfs_t.
This first set allows getattr rights on the file system, which now also means
getattr on the sysfs_t file system as well as search privileges in sysfs_t.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/selinux.if | 4 ++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 49f0acb..a0a2a0d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3855,6 +3855,24 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
+## Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
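Review bot: the summary should read "Get the attributes of the sysfs filesystem" to match the wording of `dev_getattr_sysfs_dirs` above. The body is the single `getattr` on `sysfs_t:filesystem` and deliberately does not add directory search, so every caller must pair it with `dev_search_sysfs`, as the selinux.if hunk in this patch does; worth a sentence in the summary so later callers do not forget.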
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 81440c5..9623a80 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',`
# (/selinux) is already a selinuxfs
allow $1 security_t:filesystem getattr;
+ # Same for /sys/fs/selinux
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
+
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_read_system_state($1)
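Review bot: the comment `# Same for /sys/fs/selinux` undersells what follows: `dev_search_sysfs($1)` grants search on all `sysfs_t` directories to every caller of `selinux_get_fs_mount`, not only on `/sys` and `/sys/fs`. That is probably acceptable since there is no narrower type for those two directories, but say so in the comment.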
--
1.8.1.5
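The patch above (and the dontaudit counterpart that follows it) exists because a domain that stats the selinux filesystem has to traverse `/sys` and `/sys/fs`, which are `sysfs_t` directories, before it reaches `security_t`, whereas the old `/selinux` mount point sat directly under `/`. The following is an added example, not part of the patch or of libselinux: it parses constructed `/proc/self/mounts` excerpts for both layouts (the comments in the hunk describe this mount scan), finds the selinuxfs mount point, and lists the ancestor directories with the filesystem each lives on, which is exactly the set of directories a policy must grant `search` on. The mount lines and the `sysfs_search_needed` helper are constructed for this example.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Constructed /proc/self/mounts excerpts: a kernel that mounts selinuxfs under
# /sys/fs/selinux, and the older layout with /selinux at the top level.
MOUNTS_SYSFS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
"""
MOUNTS_LEGACY = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /selinux selinuxfs rw,relatime 0 0
"""


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str


def parse_mounts(text: str) -> list[Mount]:
    """Parse the first three fields of each /proc/self/mounts line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # the kernel escapes spaces in mount points as \040
        mounts.append(Mount(fields[0], fields[1].replace(r"\040", " "), fields[2]))
    return mounts


def find_selinuxfs(mounts: list[Mount]) -> Optional[str]:
    """Mount point of selinuxfs, found by filesystem type as libselinux does."""
    for m in mounts:
        if m.fstype == "selinuxfs":
            return m.target
    return None


def owning_mount(mounts: list[Mount], path: PurePosixPath) -> Optional[Mount]:
    """The mount with the longest target that contains path (the fs a directory lives on)."""
    best = None
    for m in mounts:
        t = PurePosixPath(m.target)
        if (path == t or t in path.parents) and (best is None or len(m.target) > len(best.target)):
            best = m
    return best


def traversal_requirements(mounts: list[Mount], mountpoint: str) -> list[tuple[str, str]]:
    """(directory, fstype) for every ancestor a caller must 'search' to reach mountpoint."""
    out = []
    for d in reversed(PurePosixPath(mountpoint).parents):  # "/" first, then deeper
        om = owning_mount(mounts, d)
        out.append((str(d), om.fstype if om else "unknown"))
    return out


def sysfs_search_needed(mounts: list[Mount]) -> bool:
    """True when reaching selinuxfs crosses sysfs, i.e. the policy needs search on sysfs_t."""
    mp = find_selinuxfs(mounts)
    if mp is None:
        return False
    return any(fstype == "sysfs" for _, fstype in traversal_requirements(mounts, mp))


if __name__ == "__main__":
    for name, text in (("current", MOUNTS_SYSFS), ("legacy", MOUNTS_LEGACY)):
        m = parse_mounts(text)
        mp = find_selinuxfs(m)
        print(name, mp, traversal_requirements(m, mp), "sysfs search:", sysfs_search_needed(m))
```

With the `/sys/fs/selinux` layout the result lists `/sys` and `/sys/fs` on sysfs, which is the search right the patch adds through `dev_search_sysfs`; with `/selinux` only the root directory is crossed and no sysfs right is needed.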
Second part of the support of security_t under /sys/fs/selinux - when asked not
to audit getting attributes on the selinux file system, have this propagate to
the sysfs parts as well.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/selinux.if | 4 ++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a0a2a0d..2a4a3ca 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3871,6 +3871,24 @@ interface(`dev_getattr_sysfs_fs',`
allow $1 sysfs_t:filesystem getattr;
')
+#######################################
+## <summary>
+## Do not audit getting the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access from
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:filesystem getattr;
+')
+
########################################
## <summary>
## Search the sysfs directories.
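Review bot: the separator line before this interface is 39 `#` characters while the others in the file are 40 (compare the one that follows the new interface); fix for consistency. The param summary `Domain to dontaudit access from` should end with a period like the surrounding ones.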
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 9623a80..a62ac8f 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',`
# (/selinux) is already a selinuxfs
dontaudit $1 security_t:filesystem getattr;
+ # Same for /sys/fs/selinux
+ dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_search_sysfs($1)
+
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_dontaudit_read_system_state($1)
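Review bot: `dev_dontaudit_search_sysfs($1)` is not defined anywhere in this series (the devices.if hunk in this patch only adds `dev_dontaudit_getattr_sysfs_fs`), so confirm it already exists in devices.if; if it does not, the module fails to build. Placing the sysfs dontaudits inside `selinux_dontaudit_get_fs_mount` matches the reasoning in the cover letter.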
--
1.8.1.5
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/storage.if | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 1700ef2..64c4cd0 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -260,13 +260,18 @@ interface(`storage_manage_fixed_disk',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional filename of the block device to be created
+## </summary>
+## </param>
#
interface(`storage_dev_filetrans_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
')
- dev_filetrans($1, fixed_disk_device_t, blk_file)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
')
########################################
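Review bot: the new `$2` is passed straight to `dev_filetrans`, which is not touched in this series, so confirm that interface already accepts an optional fourth (filename) argument; when callers omit it, m4 passes an empty string and the generated `type_transition` must still be well-formed. The `<param name="filename" optional="true">` block follows the file's documentation convention.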
--
1.8.1.5
The alsasound init script writes updates into alsa state files, such as
/var/lib/alsa/asound.state (for storing the ALSA mixer levels at shutdown).
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a97372a..08dd000 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -578,6 +578,10 @@ ifdef(`distro_suse',`
')
optional_policy(`
+ alsa_write_lib(initrc_t)
+')
+
+optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
')
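Review bot: the commit message names asound.state, but `alsa_write_lib(initrc_t)` only grants write; if the init script also creates directories under /var/lib/alsa (the follow-up in this thread shows a `mkdir -p "${alsastatedir}/oss/"`), directory `create` is needed and a manage-level interface, or a create rule on the directory, would fit better. The new block keeps alphabetical order before the amavis one, good.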
--
1.8.1.5
Is this support upstreamed? I don't see it in my 3.10 kernel tree.
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/kernel/filesystem.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 1c66416..9949d77 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -26,6 +26,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
> +fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> The grub2-install application runs a few grub2-* commands. Two of those,
> grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.
>
> Mark those two applications as bootloader_exec_t (as is the case with the "grub"
> legacy command in the past) allows the commands to continue.
Merged.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/bootloader.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
> index 7a6f06f..2626ebf 100644
> --- a/policy/modules/admin/bootloader.fc
> +++ b/policy/modules/admin/bootloader.fc
> @@ -7,3 +7,5 @@
> /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
>
> /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need
> to grant most domains read access to this file. As we don't want them to have
> read access on sysfs_t by default, create a new type (cpu_online_t) and assign
> it to the file, and grant domains read access to the file.
>
> This does require systems to relabel the file upon every boot, something
> distributions do in their bootup scripts, as /sys devices don't keep their
> context.
Adding permissions to all domains shouldn't be taken lightly, so I'll have to do some additional research.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
> policy/modules/kernel/devices.te | 7 +++++++
> policy/modules/kernel/domain.te | 2 ++
> 4 files changed, 35 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index b31c054..d6ebfcd 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -199,6 +199,7 @@ ifdef(`distro_debian',`
> /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
>
> /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
> +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
>
> ifdef(`distro_redhat',`
> # originally from named.fc
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 76f285e..49f0acb 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',`
>
> ########################################
> ## <summary>
> +## Read cpu online hardware state information
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read /sys/devices/system/cpu/online
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_read_cpu_online',`
> + gen_require(`
> + type cpu_online_t;
> + ')
> +
> + allow $1 cpu_online_t:file read_file_perms;
> +
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Unconfined access to devices.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 0b1a871..0d7790c 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -60,6 +60,13 @@ type cpu_device_t;
> dev_node(cpu_device_t)
>
> #
> +# /sys/devices/system/cpu/online device
> +#
> +type cpu_online_t;
> +files_type(cpu_online_t)
> +dev_associate_sysfs(cpu_online_t)
> +
> +#
> # Type for /dev/crash
> #
> type crash_device_t;
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index cf04cb5..ea5cdee 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain)
> # create child processes in the domain
> allow domain self:process { fork sigchld };
>
> +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
> +dev_read_cpu_online(domain)
> # Use trusted objects in /dev
> dev_rw_null(domain)
> dev_rw_zero(domain)
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/kernel/storage.if | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
> index 1700ef2..64c4cd0 100644
> --- a/policy/modules/kernel/storage.if
> +++ b/policy/modules/kernel/storage.if
> @@ -260,13 +260,18 @@ interface(`storage_manage_fixed_disk',`
> ## Domain allowed access.
> ## </summary>
> ## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Optional filename of the block device to be created
> +## </summary>
> +## </param>
> #
> interface(`storage_dev_filetrans_fixed_disk',`
> gen_require(`
> type fixed_disk_device_t;
> ')
>
> - dev_filetrans($1, fixed_disk_device_t, blk_file)
> + dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
> ')
>
> ########################################
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> The alsasound init script writes updates into alsa state files, such as
> /var/lib/alsa/asound.state (for storing the ALSA mixer levels at shutdown).
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/init.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index a97372a..08dd000 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -578,6 +578,10 @@ ifdef(`distro_suse',`
> ')
>
> optional_policy(`
> + alsa_write_lib(initrc_t)
> +')
> +
> +optional_policy(`
> amavis_search_lib(initrc_t)
> amavis_setattr_pid_files(initrc_t)
> ')
Shouldn't this be handled by alsa_t?
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Mon, Aug 26, 2013 at 2:57 PM, Christopher J. PeBenito
<[email protected]> wrote:
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>> index a97372a..08dd000 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -578,6 +578,10 @@ ifdef(`distro_suse',`
>> ')
>>
>> optional_policy(`
>> + alsa_write_lib(initrc_t)
>> +')
>> +
>> +optional_policy(`
>> amavis_search_lib(initrc_t)
>> amavis_setattr_pid_files(initrc_t)
>> ')
>
> Shouldn't this be handled by alsa_t?
>
It is the /etc/init.d/alsasound init script itself that is writing
into /var/lib/alsa, for instance:
    for ossfile in /proc/asound/card*/pcm*/oss; do
        [ -e "${ossfile}" ] || continue
        local device=${ossfile##/proc/asound/} ; device=${device%%/oss}
        device="$(echo "${device}" | sed -e 's,/,_,g')"
        mkdir -p "${alsastatedir}/oss/"
        cp "${ossfile}" "${alsastatedir}/oss/${device}"
    done
Here, ${alsastatedir} = /var/lib/alsa.
It does seem however that the asound.state itself is handled by
alsactl (and thus through alsa_t). Shall I update the description to
explain that it is for restoring OSS state information instead?
Wkr,
Sven Vermeulen