From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 19 Dec 2016 15:50:03 +0100
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined
 execution
In-Reply-To: <e8bf4383-7290-0075-0905-ba07d6650ad6@ieee.org>
References: <1482021787.10349.1.camel@trentalancia.net>
	<e8bf4383-7290-0075-0905-ba07d6650ad6@ieee.org>
Message-ID: <1482159003.3800.8.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

Thanks for getting back on this...

On Sun, 18/12/2016 at 17.30 -0500, Chris PeBenito wrote:
> On 12/17/16 19:43, Guido Trentalancia via refpolicy wrote:
> > 
> > This patch adds missing permissions in the kernel module that
> > prevent
> > to run it without the unconfined module.
> 
> I will need more clarification on these rules, especially all the
> new?
> root_t access.??The only thing that should normally be root_t is /.

Here are some of the most relevant permission denied errors that have
been generated:

type=AVC msg=audit(1482156395.264:6): avc:??denied??{ getattr } for??pid=1 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:7): avc:??denied??{ execute } for??pid=1 comm="init" name="umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:8): avc:??denied??{ read } for??pid=1 comm="init" name="umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:9): avc:??denied??{ open } for??pid=783 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:9): avc:??denied??{ execute_no_trans } for??pid=783 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

As you can see, it is trying to execute a /bin/umount executable file
that is labeled root_t (this is before switching to the new root, so
it's in the initramfs).

This is from the following two dracut initramfs modules:

98selinux/selinux-loadpolicy.sh
99base/init.sh

Eventually, no relabeling is done by dracut after loading the policy.

If you need to see other parts of the log, please let me know and I'll
post them.

I have also prepared two other patches that depend on this: a patch for
init and a patch for shutdown.

> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > ?policy/modules/kernel/devices.if????|???56 +++++++++++++++
> > ?policy/modules/kernel/files.if??????|??131
> > ++++++++++++++++++++++++++++++++++++
> > ?policy/modules/kernel/filesystem.if |???18 ++++
> > ?policy/modules/kernel/kernel.if?????|???18 ++++
> > ?policy/modules/kernel/kernel.te?????|???34 +++++++++
> > ?policy/modules/kernel/terminal.if???|???20 +++++
> > ?6 files changed, 277 insertions(+)
> > 
> > diff -pru a/policy/modules/kernel/devices.if
> > b/policy/modules/kernel/devices.if
> > --- a/policy/modules/kernel/devices.if	2016-08-14
> > 21:24:48.932381791 +0200
> > +++ b/policy/modules/kernel/devices.if	2016-12-18
> > 01:11:02.888132347 +0100
> > @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
> > 
> > ?########################################
> > ?## <summary>
> > +##	Set the attributes on generic
> > +##	block devices.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`dev_setattr_generic_blk_files',`
> > +	gen_require(`
> > +		type device_t;
> > +	')
> > +
> > +	allow $1 device_t:blk_file setattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Dontaudit setattr on generic block devices.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
> > 
> > ?########################################
> > ?## <summary>
> > +##	Set the attributes for generic
> > +##	character device files.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`dev_setattr_generic_chr_files',`
> > +	gen_require(`
> > +		type device_t;
> > +	')
> > +
> > +	allow $1 device_t:chr_file setattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Dontaudit setattr for generic character device files.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
> > 
> > ?########################################
> > ?## <summary>
> > +##	Mount a filesystem on sysfs.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allow access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`dev_mounton_sysfs',`
> > +	gen_require(`
> > +		type device_t;
> > +	')
> > +
> > +	allow $1 sysfs_t:dir mounton;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Associate a file to a sysfs filesystem.
> > ?## </summary>
> > ?## <param name="file_type">
> > diff -pru a/policy/modules/kernel/files.if
> > b/policy/modules/kernel/files.if
> > --- a/policy/modules/kernel/files.if	2016-08-30
> > 13:58:35.862542184 +0200
> > +++ b/policy/modules/kernel/files.if	2016-12-17
> > 23:34:25.007517608 +0100
> > @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
> > 
> > ?########################################
> > ?## <summary>
> > +##	Delete symbolic links in the
> > +##	root directory.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`files_delete_root_symlinks',`
> > +	gen_require(`
> > +		type root_t;
> > +	')
> > +
> > +	allow $1 root_t:lnk_file delete_lnk_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Do not audit attempts to write to / dirs.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
> > 
> > ?########################################
> > ?## <summary>
> > +##	Delete character device nodes in
> > +##	the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`files_delete_root_chr_files',`
> > +	gen_require(`
> > +		type root_t;
> > +	')
> > +
> > +	allow $1 root_t:chr_file delete_chr_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Delete files in the root directory.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
> > 
> > ?########################################
> > ?## <summary>
> > +##	Execute files in the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`files_exec_root_files',`
> > +	gen_require(`
> > +		type root_t;
> > +	')
> > +
> > +	allow $1 root_t:file exec_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Remove entries from the root directory.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
> > 
> > ?########################################
> > ?## <summary>
> > +##	Manage the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`files_manage_root_dir',`
> > +	gen_require(`
> > +		type root_t;
> > +	')
> > +
> > +	allow $1 root_t:dir manage_dir_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Get the attributes of a rootfs
> > +##	file system.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`files_getattr_rootfs',`
> > +	gen_require(`
> > +		type root_t;
> > +	')
> > +
> > +	allow $1 root_t:filesystem getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Associate to root file system.
> > ?## </summary>
> > ?## <param name="file_type">
> > @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
> > ?')
> > 
> > ?########################################
> > +## <summary>
> > +##	Get the attributes of the
> > +##	etc_runtime directories.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`files_getattr_etc_runtime_dirs',`
> > +	gen_require(`
> > +		type etc_runtime_t;
> > +	')
> > +
> > +	allow $1 etc_runtime_t:dir getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##	Mount a filesystem on the
> > +##	etc_runtime directories.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`files_mounton_etc_runtime_dirs',`
> > +	gen_require(`
> > +		type etc_runtime_t;
> > +	')
> > +
> > +	allow $1 etc_runtime_t:dir mounton;
> > +')
> > +
> > +########################################
> > ?## <summary>
> > ?##	Do not audit attempts to set the attributes of the
> > etc_runtime files
> > ?## </summary>
> > diff -pru a/policy/modules/kernel/filesystem.if
> > b/policy/modules/kernel/filesystem.if
> > --- a/policy/modules/kernel/filesystem.if	2016-11-05
> > 22:59:46.649875204 +0100
> > +++ b/policy/modules/kernel/filesystem.if	2016-12-17
> > 22:50:22.936435441 +0100
> > @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
> > 
> > ?########################################
> > ?## <summary>
> > +##	Delete tmpfs symbolic links.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`fs_delete_tmpfs_symlinks',`
> > +	gen_require(`
> > +		type tmpfs_t;
> > +	')
> > +
> > +	allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Create, read, write, and delete
> > ?##	auto moutpoints.
> > ?## </summary>
> > diff -pru a/policy/modules/kernel/kernel.if
> > b/policy/modules/kernel/kernel.if
> > --- a/policy/modules/kernel/kernel.if	2016-12-07
> > 13:39:08.669449296 +0100
> > +++ b/policy/modules/kernel/kernel.if	2016-12-17
> > 21:26:37.530603508 +0100
> > @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
> > 
> > ?########################################
> > ?## <summary>
> > +##	Mount the directories in /proc.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`kernel_mounton_proc_dirs',`
> > +	gen_require(`
> > +		type proc_t;
> > +	')
> > +
> > +	allow $1 proc_t:dir mounton;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Get the attributes of files in /proc.
> > ?## </summary>
> > ?## <param name="domain">
> > diff -pru a/policy/modules/kernel/kernel.te
> > b/policy/modules/kernel/kernel.te
> > --- a/policy/modules/kernel/kernel.te	2016-12-07
> > 13:39:08.669449296 +0100
> > +++ b/policy/modules/kernel/kernel.te	2016-12-18
> > 01:19:46.891242628 +0100
> > @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
> > ?# connections with invalidated labels:
> > ?allow kernel_t unlabeled_t:packet send;
> > 
> > +kernel_mounton_proc_dirs(kernel_t)
> > ?kernel_request_load_module(kernel_t)
> > 
> > ?# Allow unlabeled network traffic
> > @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> > ?corenet_raw_send_generic_node(kernel_t)
> > ?corenet_send_all_packets(kernel_t)
> > 
> > +dev_mounton_sysfs(kernel_t)
> > ?dev_read_sysfs(kernel_t)
> > ?dev_search_usbfs(kernel_t)
> > ?# devtmpfs handling:
> > @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
> > ?dev_create_generic_chr_files(kernel_t)
> > ?dev_delete_generic_chr_files(kernel_t)
> > ?dev_mounton(kernel_t)
> > +dev_delete_generic_symlinks(kernel_t)
> > +dev_rw_generic_chr_files(kernel_t)
> > +dev_setattr_generic_blk_files(kernel_t)
> > +dev_setattr_generic_chr_files(kernel_t)
> > +dev_getattr_fs(kernel_t)
> > +dev_getattr_sysfs(kernel_t)
> > 
> > ?# Mount root file system. Used when loading a policy
> > ?# from initrd, then mounting the root filesystem
> > ?fs_mount_all_fs(kernel_t)
> > ?fs_unmount_all_fs(kernel_t)
> > 
> > +fs_getattr_tmpfs(kernel_t)
> > +fs_getattr_tmpfs_dirs(kernel_t)
> > +fs_manage_tmpfs_dirs(kernel_t)
> > +fs_manage_tmpfs_files(kernel_t)
> > +fs_manage_tmpfs_sockets(kernel_t)
> > +fs_delete_tmpfs_symlinks(kernel_t)
> > +
> > +selinux_getattr_fs(kernel_t)
> > ?selinux_load_policy(kernel_t)
> > 
> > +term_getattr_pty_fs(kernel_t)
> > ?term_use_console(kernel_t)
> > +term_use_generic_ptys(kernel_t)
> > 
> > ?# for kdevtmpfs
> > ?term_setattr_unlink_unallocated_ttys(kernel_t)
> > @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
> > ?domain_signal_all_domains(kernel_t)
> > ?domain_search_all_domains_state(kernel_t)
> > 
> > +files_getattr_rootfs(kernel_t)
> > +files_manage_root_dir(kernel_t)
> > +files_delete_root_files(kernel_t)
> > +files_exec_root_files(kernel_t)
> > +files_delete_root_symlinks(kernel_t)
> > +files_delete_root_chr_files(kernel_t)
> > ?files_list_root(kernel_t)
> > ?files_list_etc(kernel_t)
> > +files_getattr_etc_runtime_dirs(kernel_t)
> > +files_mounton_etc_runtime_dirs(kernel_t)
> > ?files_list_home(kernel_t)
> > ?files_read_usr_files(kernel_t)
> > 
> > @@ -343,6 +369,7 @@ optional_policy(`
> > ?')
> > 
> > ?optional_policy(`
> > +	logging_manage_generic_logs(kernel_t)
> > ?	logging_send_syslog_msg(kernel_t)
> > ?')
> > 
> > @@ -356,6 +383,12 @@ optional_policy(`
> > ?')
> > 
> > ?optional_policy(`
> > +	plymouthd_read_lib_files(kernel_t)
> > +	term_use_ptmx(kernel_t)
> > +	term_use_unallocated_ttys(kernel_t)
> > +')
> > +
> > +optional_policy(`
> > ?	# nfs kernel server needs kernel UDP access. It is less
> > risky and painful
> > ?	# to just give it everything.
> > ?	allow kernel_t self:tcp_socket create_stream_socket_perms;
> > @@ -405,6 +438,7 @@ optional_policy(`
> > ?optional_policy(`
> > ?	seutil_read_config(kernel_t)
> > ?	seutil_read_bin_policy(kernel_t)
> > +	seutil_domtrans_setfiles(kernel_t)
> > ?')
> > 
> > ?optional_policy(`
> > diff -pru a/policy/modules/kernel/terminal.if
> > b/policy/modules/kernel/terminal.if
> > --- a/policy/modules/kernel/terminal.if	2016-11-05
> > 22:59:46.651875228 +0100
> > +++ b/policy/modules/kernel/terminal.if	2016-12-17
> > 21:40:10.502811148 +0100
> > @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
> > 
> > ?########################################
> > ?## <summary>
> > +##	Get the attributes of the
> > +##	/dev/pts directory.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`term_getattr_pty_dirs',`
> > +	gen_require(`
> > +		type devpts_t;
> > +	')
> > +
> > +	allow $1 devpts_t:dir getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	Do not audit attempts to get the
> > ?##	attributes of the /dev/pts directory.
> > ?## </summary>
> > @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
> > 
> > ?	allow $1 devpts_t:chr_file getattr;
> > ?')
> > +
> > ?########################################
> > ?## <summary>
> > ?##	Do not audit attempts to get the attributes

Regards,

Guido