2015-12-20 15:28:48

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux

On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.

Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details). Therefore label it as xserver_exec_t.

This makes the following AVC appear:

denied { execute_no_trans } for pid=927 comm="X"
path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
scontext=system_u:system_r:xserver_t
tcontext=system_u:object_r:xserver_exec_t tclass=file

Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
---
policy/modules/services/xserver.fc | 2 ++
policy/modules/services/xserver.te | 3 +++
2 files changed, 5 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 71b307c2fbea..397993fb4944 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -70,6 +70,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)

/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/usr/lib/xorg-server/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/xorg-server/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)

/usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
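
Review bot: the two added entries under /usr/lib/xorg-server give the SUID wrapper Xorg.wrap and the real server Xorg the same xserver_exec_t label, so the policy cannot tell the privileged wrapper apart from the server it launches. The commit message explains why the wrapper is treated as part of the server; a short comment above the two lines, saying that this is the Arch Linux layout and that Xorg.wrap is the SUID wrapper, would keep that reasoning next to the entries.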

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2ba7a7415e2a..8dc7c83e491c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -827,6 +827,9 @@ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
allow xserver_t xkb_var_lib_t:lnk_file read;
can_exec(xserver_t, xkb_var_lib_t)

+# Run Xorg.wrap
+can_exec(xserver_t, xserver_exec_t)
+
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xserver_t)
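
Review bot: can_exec(xserver_t, xserver_exec_t) is added unconditionally and lets xserver_t run any file labeled xserver_exec_t without a transition, which is broader than the single execute_no_trans denial on Xorg.wrap quoted in the commit message. The comment "# Run Xorg.wrap" does not say why a domain needs to execute its own entry point type; consider expanding it to state that on Arch Linux /usr/bin/Xorg is a shell script which executes the wrapper from within xserver_t.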

--
2.6.4


2015-12-20 15:28:49

by Nicolas Iooss

Subject: [refpolicy] [PATCH 2/3] Label OpenSSH files correctly on Arch Linux

On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:

* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)

Label all these files but sftp-server as bin_t.
---
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/services/ssh.fc | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 77d6a180285a..fed2613768ba 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -234,6 +234,7 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
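
Review bot: the added pattern /usr/lib/ssh(/.*)? has no file-type specifier and no exception, so it labels the directory and everything in it as bin_t, sftp-server included, while the commit message says all files but sftp-server get bin_t. If sftp-server is meant to end up as bin_t like the /usr/lib/sftp-server entry just above, the message should say so; if not, it needs its own entry. ssh-keysign depends on the more specific /usr/lib/ssh/ssh-keysign entry added to ssh.fc in this patch taking precedence over this pattern.
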
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 8168244583d0..fd6c2184a0c1 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -7,7 +7,8 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)

-/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
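
Review bot: the removed and re-added /usr/lib/openssh/ssh-keysign lines carry the same path and the same context as shown here, so this looks like a whitespace-only realignment. Mention it in the commit message or split it out, so that the one functional change in this hunk, the new /usr/lib/ssh/ssh-keysign entry, stands out.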

--
2.6.4

2015-12-20 15:28:50

by Nicolas Iooss

Subject: [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files

On Arch Linux, OpenSSH unit files are:
/usr/lib/systemd/system/sshdgenkeys.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket

On Debian jessie, the unit files are:
/lib/systemd/system/ssh.service
/lib/systemd/system/ssh@.service
/lib/systemd/system/ssh.socket

On Fedora 22, the unit files are:
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd@.service
/usr/lib/systemd/system/sshd.socket

Use a pattern which matches every sshd unit and introduce another type
for ssh-keygen units.
---
policy/modules/services/ssh.fc | 4 ++++
policy/modules/services/ssh.te | 6 ++++++
2 files changed, 10 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index fd6c2184a0c1..027c8a87a902 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -10,6 +10,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

+/usr/lib/systemd/system/ssh.* -- gen_context(system_u:object_r:sshd_unit_t,s0)
+/usr/lib/systemd/system/sshdgenkeys.* -- gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
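
Review bot: the added pattern /usr/lib/systemd/system/ssh.* matches any unit whose name starts with ssh, not only the sshd service, template and socket units listed in the commit message. It also matches sshdgenkeys.service and sshd-keygen.service, so those two get sshd_keygen_unit_t only because their longer patterns are more specific. A tighter expression such as /usr/lib/systemd/system/sshd?@?\.(service|socket) would cover exactly the listed units. The Debian units in the message live under /lib/systemd/system, which these /usr/lib entries cover only if that path is treated as equivalent to /usr/lib.
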
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 06fe64fde790..1c683b73a3ff 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -47,6 +47,12 @@ type sshd_tmp_t;
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)

+type sshd_keygen_unit_t;
+init_unit_file(sshd_keygen_unit_t)
+
+type sshd_unit_t;
+init_unit_file(sshd_unit_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
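
Review bot: sshd_keygen_unit_t and sshd_unit_t are declared with init_unit_file() but nothing in this hunk documents which units each type covers or grants any domain access to them. A one-line comment per type would help, and it is worth checking whether the module's interfaces need to reference the new types.
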
--
2.6.4

2016-01-05 18:38:42

by cpebenito

Subject: [refpolicy] [PATCH 2/3] Label OpenSSH files correctly on Arch Linux

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:
>
> * sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
> * ssh-askpass (symlink to x11-ssh-askpass)
> * ssh-keysign
> * ssh-pkcs11-helper
> * x11-ssh-askpass (from x11-ssh-askpass package)
>
> Label all these files but sftp-server as bin_t.
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> policy/modules/services/ssh.fc | 3 ++-
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 77d6a180285a..fed2613768ba 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -234,6 +234,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
> /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 8168244583d0..fd6c2184a0c1 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -7,7 +7,8 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
> /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
> /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
>
> -/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> +/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> +/usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>
> /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2016-01-05 18:38:37

by cpebenito

Subject: [refpolicy] [PATCH 1/3] Label Xorg server binary correctly on Arch Linux

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, /usr/bin/Xorg is only a shell script which executes
> /usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
> /usr/lib/xorg-server/Xorg.
>
> Even though Xorg.wrap is not a full X server, it reads X11 configuration
> files, uses the DRM interface to detect KMS, etc. (cf.
> http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
> for more details). Therefore label it as xserver_exec_t.
>
> This makes the following AVC appear:
>
> denied { execute_no_trans } for pid=927 comm="X"
> path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
> scontext=system_u:system_r:xserver_t
> tcontext=system_u:object_r:xserver_exec_t tclass=file
>
> Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.
> ---
> policy/modules/services/xserver.fc | 2 ++
> policy/modules/services/xserver.te | 3 +++
> 2 files changed, 5 insertions(+)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 71b307c2fbea..397993fb4944 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -70,6 +70,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
>
> /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
> +/usr/lib/xorg-server/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
> +/usr/lib/xorg-server/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
>
> /usr/sbin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 2ba7a7415e2a..8dc7c83e491c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -827,6 +827,9 @@ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
> allow xserver_t xkb_var_lib_t:lnk_file read;
> can_exec(xserver_t, xkb_var_lib_t)
>
> +# Run Xorg.wrap
> +can_exec(xserver_t, xserver_exec_t)
> +
> # VNC v4 module in X server
> corenet_tcp_bind_vnc_port(xserver_t)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2016-01-05 18:38:45

by cpebenito

Subject: [refpolicy] [PATCH 3/3] Label OpenSSH systemd unit files

On 12/20/2015 10:28 AM, Nicolas Iooss wrote:
> On Arch Linux, OpenSSH unit files are:
> /usr/lib/systemd/system/sshdgenkeys.service
> /usr/lib/systemd/system/sshd.service
> /usr/lib/systemd/system/sshd@.service
> /usr/lib/systemd/system/sshd.socket
>
> On Debian jessie, the unit files are:
> /lib/systemd/system/ssh.service
> /lib/systemd/system/ssh@.service
> /lib/systemd/system/ssh.socket
>
> On Fedora 22, the unit files are:
> /usr/lib/systemd/system/sshd-keygen.service
> /usr/lib/systemd/system/sshd.service
> /usr/lib/systemd/system/sshd@.service
> /usr/lib/systemd/system/sshd.socket
>
> Use a pattern which matches every sshd unit and introduce another type
> for ssh-keygen units.
> ---
> policy/modules/services/ssh.fc | 4 ++++
> policy/modules/services/ssh.te | 6 ++++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index fd6c2184a0c1..027c8a87a902 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -10,6 +10,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
> /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
> /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>
> +/usr/lib/systemd/system/ssh.* -- gen_context(system_u:object_r:sshd_unit_t,s0)
> +/usr/lib/systemd/system/sshdgenkeys.* -- gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
> +/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
> +
> /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
>
> /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 06fe64fde790..1c683b73a3ff 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -47,6 +47,12 @@ type sshd_tmp_t;
> files_tmp_file(sshd_tmp_t)
> files_poly_parent(sshd_tmp_t)
>
> +type sshd_keygen_unit_t;
> +init_unit_file(sshd_keygen_unit_t)
> +
> +type sshd_unit_t;
> +init_unit_file(sshd_unit_t)
> +
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
> ')

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com