2017-04-20 01:08:41

by guido

Subject: [refpolicy] [PATCH 26/33] selinuxutil: curb on userdom permissions

This patch curbs userdomain file read and/or write permissions
for the SELinux utilities (selinuxutil) module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/selinuxutil.te | 45 +++++++++++++++++++++++++++++++----
1 file changed, 41 insertions(+), 4 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/system/selinuxutil.te 2017-02-04 19:30:19.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/system/selinuxutil.te 2017-04-20 00:27:50.508446073 +0200
@@ -9,6 +9,15 @@ gen_require(`
# Declarations
#

+## <desc>
+## <p>
+## Determine whether the SELinux
+## utilities can read the user
+## home directories and files.
+## </p>
+## </desc>
+gen_tunable(selinuxutil_enable_home_dirs, false)
+
attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;

@@ -20,6 +29,8 @@ role system_r types run_init_t;
attribute_role semanage_roles;
roleattribute system_r semanage_roles;

+attribute_role sesearch_roles;
+
#
# selinux_config_t is the type applied to
# /etc/selinux/config
@@ -115,6 +126,12 @@ files_tmp_file(semanage_tmp_t)
type semanage_trans_lock_t;
files_type(semanage_trans_lock_t)

+type sesearch_t;
+type sesearch_exec_t;
+application_domain(sesearch_t, sesearch_exec_t)
+domain_interactive_fd(sesearch_t)
+role sesearch_roles types sesearch_t;
+
type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
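Review bot: `sesearch_t`/`sesearch_exec_t` are declared here with `application_domain` and a `sesearch_roles` role attribute, but nothing in this patch labels a binary `sesearch_exec_t`, provides a domtrans/run interface or assigns the role attribute to a user role, so no domain can ever enter `sesearch_t` — unless a later patch in the series supplies those, the declarations are dead. They are also unrelated to the userdom read restriction the subject describes, as the v2 posting acknowledges; a separate patch with the complete sesearch policy would be easier to review. The matching "sesearch local policy" block is in the hunk at the `@@ -516,6 +532,22 @@` header of this patch.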
@@ -501,8 +518,7 @@ seutil_get_semanage_read_lock(semanage_t
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)

-# Handle pp files created in homedir and /tmp
-userdom_read_user_home_content_files(semanage_t)
+# Handle pp files created in /tmp
userdom_read_user_tmp_files(semanage_t)

ifdef(`distro_debian',`
@@ -516,6 +532,22 @@ ifdef(`distro_ubuntu',`
')
')

+tunable_policy(`selinuxutil_enable_home_dirs',`
+ # Handle pp files created in homedir
+ userdom_read_user_home_content_files(semanage_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(semanage_t)
+')
+
+########################################
+#
+# sesearch local policy
+#
+
+domain_use_interactive_fds(sesearch_t)
+
+selinux_getattr_fs(sesearch_t)
+
########################################
#
# Setfiles local policy
@@ -592,8 +624,6 @@ seutil_libselinux_linked(setfiles_t)
seutil_read_module_store(setfiles_t)

userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)

ifdef(`distro_debian',`
# udev tmpfs is populated with static device nodes
@@ -627,6 +657,13 @@ ifdef(`hide_broken_symptoms',`
')
')

+tunable_policy(`selinuxutil_enable_home_dirs',`
+ # for config files in a home directory
+ userdom_read_user_home_content_files(setfiles_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(setfiles_t)
+')
+
optional_policy(`
hotplug_use_fds(setfiles_t)
')


2017-04-20 13:54:16

by guido

Subject: [refpolicy] [PATCH v2 26/33] selinuxutil: curb on userdom permissions

This patch curbs userdomain file read and/or write permissions
for the SELinux utilities (selinuxutil) module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

This second version removes misplaced unrelated bits under testing.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/selinuxutil.te | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)

--- a/policy/modules/system/selinuxutil.te 2017-02-04 19:30:19.000000000 +0100
+++ b/policy/modules/system/selinuxutil.te 2017-04-20 00:27:50.508446073 +0200
@@ -9,6 +9,15 @@ gen_require(`
# Declarations
#

+## <desc>
+## <p>
+## Determine whether the SELinux
+## utilities can read the user
+## home directories and files.
+## </p>
+## </desc>
+gen_tunable(selinuxutil_enable_home_dirs, false)
+
attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;

@@ -501,8 +518,7 @@ seutil_get_semanage_read_lock(semanage_t
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)

-# Handle pp files created in homedir and /tmp
-userdom_read_user_home_content_files(semanage_t)
+# Handle pp files created in /tmp
userdom_read_user_tmp_files(semanage_t)

ifdef(`distro_debian',`
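Review bot: The new-side offsets in this patch's hunk headers no longer match its insertions: the first hunk adds nine lines, so this hunk should read `@@ -501,8 +510,7 @@` rather than `+518`, and the drift continues in `@@ -516,6 +523,13 @@`, `@@ -592,8 +624,6 @@` and `@@ -627,6 +657,13 @@`, the last two still carrying the v1 offsets even though the sesearch hunks were dropped. `patch` and `git apply` will usually still place the hunks by context, but the headers suggest the v2 diff was edited by hand, so its line counts cannot be trusted for review or for rebasing. Regenerating it with `diff -u` or `git format-patch` against the tree would fix all four headers at once.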
@@ -516,6 +523,13 @@ ifdef(`distro_ubuntu',`
')
')

+tunable_policy(`selinuxutil_enable_home_dirs',`
+ # Handle pp files created in homedir
+ userdom_read_user_home_content_files(semanage_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(semanage_t)
+')
+
########################################
#
# Setfiles local policy
@@ -592,8 +624,6 @@ seutil_libselinux_linked(setfiles_t)
seutil_read_module_store(setfiles_t)

userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)

ifdef(`distro_debian',`
# udev tmpfs is populated with static device nodes
@@ -627,6 +657,13 @@ ifdef(`hide_broken_symptoms',`
')
')

+tunable_policy(`selinuxutil_enable_home_dirs',`
+ # for config files in a home directory
+ userdom_read_user_home_content_files(setfiles_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(setfiles_t)
+')
+
optional_policy(`
hotplug_use_fds(setfiles_t)
')