2014-11-22 18:54:33

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/7] Some simple core policy updates

This is a small set of policy updates that have been in the Gentoo policy for a while and are ready for upstreaming.

Sven Vermeulen (7):
Run grub(2)-mkconfig in bootloader domain
New sudo manages timestamp directory in /var/run/sudo
xfce4-notifyd is an executable
Mark f2fs as a SELinux capable file system
Add in LightDM contexts
Add gfisk and efibootmgr as fsadm_exec_t
Add /var/lib/racoon as runtime directory for ipsec

policy/modules/admin/bootloader.fc | 1 +
policy/modules/admin/sudo.if | 3 ++-
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/kernel/filesystem.te | 1 +
policy/modules/services/xserver.fc | 7 +++++++
policy/modules/system/fstools.fc | 2 ++
policy/modules/system/ipsec.fc | 2 ++
7 files changed, 16 insertions(+), 1 deletion(-)

--
2.0.4


2014-11-22 18:54:34

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/7] Run grub(2)-mkconfig in bootloader domain

In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
---
policy/modules/admin/bootloader.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d56f931..d908d56 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -9,4 +9,5 @@
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
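Review bot: the .fc entry on its own only makes grub-mkconfig run in bootloader_t; the commit message says the script performs preliminary checks (grub-mkconfig is a shell script that calls helpers such as grub-probe, already labelled bootloader_exec_t in this file), and no bootloader.te change is part of the series, so please state in the message that bootloader_t was verified to hold the permissions those checks need (shell execution, reading the device and mount tables).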
--
2.0.4

2014-11-22 18:54:35

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
---
policy/modules/admin/sudo.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..2ee052b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -52,7 +52,7 @@ template(`sudo_role_template',`
#

# Use capabilities.
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
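Review bot: CAP_CHOWN is granted to the whole $1_sudo_t domain for every user prefix, but neither the "# Use capabilities." comment nor the commit message says which operation on /var/run/sudo/ts changes ownership; document that beside the rule, since chown lets the domain reassign ownership of any file it can already write, and if the chown call is not required for sudo to function a dontaudit would be the narrower choice.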
@@ -117,6 +117,7 @@ template(`sudo_role_template',`
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
+ auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
auth_use_nsswitch($1_sudo_t)

init_rw_utmp($1_sudo_t)
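Review bot: auth_pid_filetrans_pam_var_run() is not defined in any file touched by this series (the diffstat lists only sudo.if), so unless the interface already exists in the target tree the build fails on the undefined interface; either include the authlogin.if addition in the series or express the transition through an interface that already exists upstream, such as files_pid_filetrans() with pam_var_run_t.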
--
2.0.4

2014-11-22 18:54:36

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/7] xfce4-notifyd is an executable

---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index c860d81..958fad7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -239,6 +239,7 @@ ifdef(`distro_gentoo',`
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/session/balou-export-theme -- gen_context(system_u:object_r:bin_t,s0)
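Review bot: the commit message is empty; since the hunk header shows the entry landing inside the ifdef(`distro_gentoo') block, one line saying that /usr/lib/xfce4/notifyd/ is the Gentoo install path for the daemon (and that the generic /usr/lib entries do not already cover it) would let reviewers check the placement.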
--
2.0.4

2014-11-22 18:54:37

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/7] Mark f2fs as a SELinux capable file system

Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb7..fd1e7fe 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -27,6 +27,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
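Review bot: fs_use_xattr makes the policy rely on the security xattr namespace being present on every f2fs mount, and the commit message ties that to kernel 3.11; please carry the minimum kernel version into the changelog or a comment near the rule so that users on older kernels understand why their f2fs files would not carry labels after this change.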
--
2.0.4

2014-11-22 18:54:38

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/7] Add in LightDM contexts

---
policy/modules/services/xserver.fc | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 3fe4eef..71b307c 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -22,6 +22,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)

+/etc/lightdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
/etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
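Review bot: the commit message is empty, and /etc/lightdm/Xsession is inserted between the gdm and kdm blocks, which breaks the alphabetical order the surrounding entries follow (lightdm belongs after the /etc/kde[34]?/kdm lines); move the entry and add a one-line message naming LightDM as the display manager being covered.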
@@ -92,12 +94,16 @@ ifndef(`distro_debian',`

/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)

+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)

/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
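Review bot: /var/cache/lightdm is labelled xdm_var_lib_t, the type this file uses for persistent /var/lib state; if that is deliberate (LightDM's cache content needs the same access as its lib directory) say so in the commit message, since refpolicy generally keeps cache and lib content under separate types.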
@@ -107,6 +113,7 @@ ifndef(`distro_debian',`
/var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
--
2.0.4

2014-11-22 18:54:39

by sven.vermeulen

Subject: [refpolicy] [PATCH 6/7] Add gfisk and efibootmgr as fsadm_exec_t

---
policy/modules/system/fstools.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 3101274..d10368d 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -51,8 +51,10 @@
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
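Review bot: the subject reads "gfisk" while the hunk adds /usr/sbin/gdisk; fix the typo. Also, efibootmgr edits UEFI boot variables rather than file systems or partition tables, so fsadm_exec_t is a loose fit; bootloader_exec_t, which patch 1/7 uses for grub-install, may be the closer domain, and the (currently empty) commit message should explain the choice either way.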
--
2.0.4

2014-11-22 18:54:40

by sven.vermeulen

Subject: [refpolicy] [PATCH 7/7] Add /var/lib/racoon as runtime directory for ipsec

---
policy/modules/system/ipsec.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..0f1e351 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -31,6 +31,8 @@
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)

+/var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)

/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
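Review bot: the subject calls /var/lib/racoon a runtime directory and labels it ipsec_var_run_t, yet the path sits under /var/lib, where persistent state lives; the empty commit message should say what racoon keeps there on Gentoo (a socket or pid file, presumably) so that a var_run type is justified rather than a lib type.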
--
2.0.4

2014-11-22 19:55:24

by Nicolas Iooss

Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
> [...]
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
> #
>
> # Use capabilities.
> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow $1_sudo_t self:process { setexec setrlimit };
> allow $1_sudo_t self:fd use;
> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> auth_run_chk_passwd($1_sudo_t, $2)
> # sudo stores a token in the pam_pid directory
> auth_manage_pam_pid($1_sudo_t)
> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")

This interface does not exist in refpolicy and the build fails because
of this. Gentoo policy defines it in authlogin.if and the definition
looks good to me:
https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811

Thanks,

Nicolas

2014-11-22 21:19:47

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

Good catch, I checked against the wrong repo :-( Thanks.

I've resent it with the interface added (although I got the mails
twice now, my git send-email-fu is not at its peak right now).

Wkr,
Sven Vermeulen

2014-11-22 20:55 GMT+01:00 Nicolas Iooss <[email protected]>:
> 2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
>> [...]
>> --- a/policy/modules/admin/sudo.if
>> +++ b/policy/modules/admin/sudo.if
>> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
>> #
>>
>> # Use capabilities.
>> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
>> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
>> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
>> allow $1_sudo_t self:process { setexec setrlimit };
>> allow $1_sudo_t self:fd use;
>> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>> auth_run_chk_passwd($1_sudo_t, $2)
>> # sudo stores a token in the pam_pid directory
>> auth_manage_pam_pid($1_sudo_t)
>> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>
> This interface does not exist in refpolicy and the build fails because
> of this. Gentoo policy defines it in authlogin.if and the definition
> looks good to me:
> https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>
> Thanks,
>
> Nicolas
>

2014-11-23 12:50:20

by Dac Override

Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

On Sat, Nov 22, 2014 at 10:19:47PM +0100, Sven Vermeulen wrote:
> Good catch, I checked against the wrong repo :-( Thanks.
>
> I've resent it with the interface added (although I got the mails
> twice now, my git send-email-fu is not at its peak right now).
>
> Wkr,
> Sven Vermeulen
>
> 2014-11-22 20:55 GMT+01:00 Nicolas Iooss <[email protected]>:
> > 2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
> >> [...]
> >> --- a/policy/modules/admin/sudo.if
> >> +++ b/policy/modules/admin/sudo.if
> >> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
> >> #
> >>
> >> # Use capabilities.
> >> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
> >> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
> >> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> >> allow $1_sudo_t self:process { setexec setrlimit };
> >> allow $1_sudo_t self:fd use;
> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> >> auth_run_chk_passwd($1_sudo_t, $2)
> >> # sudo stores a token in the pam_pid directory
> >> auth_manage_pam_pid($1_sudo_t)
> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
> >
> > This interface does not exist in refpolicy and the build fails because
> > of this. Gentoo policy defines it in authlogin.if and the definition
> > looks good to me:
> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
> >

I do not see how /var/run/sudo is associated with pam

--
Dominick Grift

2014-11-23 14:09:44

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

2014-11-23 13:50 GMT+01:00 Dominick Grift <[email protected]>:
>> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>> >> auth_run_chk_passwd($1_sudo_t, $2)
>> >> # sudo stores a token in the pam_pid directory
>> >> auth_manage_pam_pid($1_sudo_t)
>> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>> >
>> > This interface does not exist in refpolicy and the build fails because
>> > of this. Gentoo policy defines it in authlogin.if and the definition
>> > looks good to me:
>> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>> >
>
> I do not see how /var/run/sudo is associated with pam

The authlogin.fc already contains the following:

/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)

I don't know if it is legacy, or because some PAM modules require a
more common access pattern. In any case, this file transition is only
to keep the application (and policy) running as-is -- without it,
users need to run "restorecon -R /var/run/sudo" every time their
system is started.

Wkr,
Sven Vermeulen
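As an added example (not code from the patch series or from refpolicy), the following Python models what patch 2/7 and the reply above describe: a small parser for .fc entries in the format used by these hunks gives the label restorecon would set on /var/run/sudo, and a dict stands in for the type_transition rule that the auth_pid_filetrans_pam_var_run() call expands to, so the check shows why the directory ends up as var_run_t when sudo creates it without the transition. The .fc sample, the staff_sudo_t domain name and the transition rule are assumptions constructed for the example.

```python
import re

# Constructed sample of refpolicy-style .fc entries (regex, optional
# file-type flag, gen_context(...)), in the format used by the hunks above.
FC_SAMPLE = """\
/var/run(/.*)?                  gen_context(system_u:object_r:var_run_t,s0)
/var/run/sudo(/.*)?             gen_context(system_u:object_r:pam_var_run_t,s0)
/usr/sbin/grub2?-mkconfig   --  gen_context(system_u:object_r:bootloader_exec_t,s0)
/var/lib/racoon(/.*)?           gen_context(system_u:object_r:ipsec_var_run_t,s0)
"""

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dclbsp])\s+)?gen_context\(([^,)]+),([^)]+)\)\s*$")
# File-type flags as in file_contexts(5): "--" regular file, "-d" directory, ...
FLAG_CLASS = {"--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
              "-s": "sock_file", "-l": "lnk_file", "-p": "fifo_file"}

def parse_fc(text):
    """Return a list of (compiled regex, object class or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparsable fc line: " + line)
        regex, flag, ctx, mls = m.groups()
        specs.append((re.compile(regex), FLAG_CLASS.get(flag), f"{ctx}:{mls}"))
    return specs

def fc_type(specs, path, cls="file"):
    """Type the .fc database assigns to `path` (what restorecon would set).
    Simplification of libselinux: the last matching entry wins, and the
    sample above is ordered from general to specific."""
    hit = None
    for rx, spec_cls, ctx in specs:
        if rx.fullmatch(path) and spec_cls in (None, cls):
            hit = ctx
    return hit.split(":")[2] if hit else None

def creation_type(domain, parent_type, cls, name, filetrans):
    """Type the kernel gives a new object: a matching type_transition (here
    modelled as a dict) wins, otherwise the object inherits the parent's type."""
    return filetrans.get((domain, parent_type, cls, name), parent_type)

# Assumption: sudo_role_template instantiated with $1 = staff, and the Gentoo
# interface expanding to the equivalent of
#   type_transition staff_sudo_t var_run_t:dir pam_var_run_t "sudo";
PATCHED = {("staff_sudo_t", "var_run_t", "dir", "sudo"): "pam_var_run_t"}
UNPATCHED = {}

def ts_dir_mismatch(filetrans):
    """True when /var/run/sudo as created by sudo would not match its .fc
    entry, i.e. when 'restorecon -R /var/run/sudo' would be needed."""
    specs = parse_fc(FC_SAMPLE)
    expected = fc_type(specs, "/var/run/sudo", "dir")
    actual = creation_type("staff_sudo_t", "var_run_t", "dir", "sudo", filetrans)
    return actual != expected

if __name__ == "__main__":
    print("mismatch without filetrans:", ts_dir_mismatch(UNPATCHED))  # True
    print("mismatch with filetrans:", ts_dir_mismatch(PATCHED))       # False
```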

2014-11-23 14:40:08

by Dac Override

Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

On Sun, Nov 23, 2014 at 03:09:44PM +0100, Sven Vermeulen wrote:
> 2014-11-23 13:50 GMT+01:00 Dominick Grift <[email protected]>:
> >> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> >> >> auth_run_chk_passwd($1_sudo_t, $2)
> >> >> # sudo stores a token in the pam_pid directory
> >> >> auth_manage_pam_pid($1_sudo_t)
> >> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
> >> >
> >> > This interface does not exist in refpolicy and the build fails because
> >> > of this. Gentoo policy defines it in authlogin.if and the definition
> >> > looks good to me:
> >> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
> >> >
> >
> > I do not see how /var/run/sudo is associated with pam
>
> The authlogin.fc already contains the following:
>
> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
>
> I don't know if it is legacy, or because some PAM modules require a
> more common access pattern. In any case, this file transition is only
> to keep the application (and policy) running as-is -- without it,
> users need to run "restorecon -R /var/run/sudo" every time their
> system is started.
>

Yea, probably legacy. Just sayin' though ideally it should probably not be associated with pam_var_run_t in my view.

--
Dominick Grift

2014-12-02 15:27:30

by cpebenito

Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

On 11/23/2014 9:40 AM, Dominick Grift wrote:
> On Sun, Nov 23, 2014 at 03:09:44PM +0100, Sven Vermeulen wrote:
>> 2014-11-23 13:50 GMT+01:00 Dominick Grift
>> <[email protected]>:
>>>>>> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>>>>>> auth_run_chk_passwd($1_sudo_t, $2) # sudo stores a token
>>>>>> in the pam_pid directory auth_manage_pam_pid($1_sudo_t) +
>>>>>> auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>>>>>
>>>>> This interface does not exist in refpolicy and the build
>>>>> fails because of this. Gentoo policy defines it in
>>>>> authlogin.if and the definition looks good to me:
>>>>> https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>>>>>
>
> I do not see how /var/run/sudo is associated with pam
>>
>> The authlogin.fc already contains the following:
>>
>> /var/run/sudo(/.*)?
>> gen_context(system_u:object_r:pam_var_run_t,s0)
>> /var/run/user(/.*)?
>> gen_context(system_u:object_r:var_auth_t,s0)
>> /var/(db|adm)/sudo(/.*)?
>> gen_context(system_u:object_r:pam_var_run_t,s0)
>> /var/lib/sudo(/.*)?
>> gen_context(system_u:object_r:pam_var_run_t,s0)
>>
>> I don't know if it is legacy, or because some PAM modules require
>> a more common access pattern. In any case, this file transition
>> is only to keep the application (and policy) running as-is --
>> without it, users need to run "restorecon -R /var/run/sudo" every
>> time their system is started.
>>
>
> Yea, probably legacy. Just sayin' though ideally it should probably
> not be associated with pam_var_run_t in my view.

I agree, but will take it for now, since something like it already
exists in the policy. If we can find a better solution, I'll take
that too.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com