From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 19 Dec 2016 15:50:03 +0100
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution
In-Reply-To:
References: <1482021787.10349.1.camel@trentalancia.net>
Message-ID: <1482159003.3800.8.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

Thanks for getting back on this...

On Sun, 18/12/2016 at 17.30 -0500, Chris PeBenito wrote:
> On 12/17/16 19:43, Guido Trentalancia via refpolicy wrote:
> >
> > This patch adds missing permissions in the kernel module that
> > prevent
> > to run it without the unconfined module.
>
> I will need more clarification on these rules, especially all the
> new
> root_t access.  The only thing that should normally be root_t is /.

Here are some of the most relevant permission denied errors that have
been generated:

type=AVC msg=audit(1482156395.264:6): avc:  denied  { getattr } for  pid=1 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:7): avc:  denied  { execute } for  pid=1 comm="init" name="umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:8): avc:  denied  { read } for  pid=1 comm="init" name="umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:9): avc:  denied  { open } for  pid=783 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:9): avc:  denied  { execute_no_trans } for  pid=783 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

As you can see, it is trying to execute a /bin/umount executable file
that is labeled root_t (this is before switching to the new root, so
it's in the initramfs).

This is from the following two dracut initramfs modules:

98selinux/selinux-loadpolicy.sh
99base/init.sh

Eventually, no relabeling is done by dracut after loading the policy.

If you need to see other parts of the log, please let me know and I'll
post them.

I have also prepared two other patches that depend on this: a patch
for init and a patch for shutdown.

> > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/kernel/devices.if????|???56 +++++++++++++++ > > ?policy/modules/kernel/files.if??????|??131 > > ++++++++++++++++++++++++++++++++++++ > > ?policy/modules/kernel/filesystem.if |???18 ++++ > > ?policy/modules/kernel/kernel.if?????|???18 ++++ > > ?policy/modules/kernel/kernel.te?????|???34 +++++++++ > > ?policy/modules/kernel/terminal.if???|???20 +++++ > > ?6 files changed, 277 insertions(+) > > > > diff -pru a/policy/modules/kernel/devices.if > > b/policy/modules/kernel/devices.if > > --- a/policy/modules/kernel/devices.if 2016-08-14 > > 21:24:48.932381791 +0200 > > +++ b/policy/modules/kernel/devices.if 2016-12-18 > > 01:11:02.888132347 +0100 > > @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic > > > > ?######################################## > > ?## > > +## Set the attributes on generic > > +## block devices. > > +## > > +## > > +## > > +## Domain. > > +## > > +## > > +# > > +interface(`dev_setattr_generic_blk_files',` > > + gen_require(` > > + type device_t; > > + ') > > + > > + allow $1 device_t:blk_file setattr; > > +') > > + > > +######################################## > > +## > > ?## Dontaudit setattr on generic block devices. > > ?## > > ?## 
> > @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic > > > > ?######################################## > > ?## > > +## Set the attributes for generic > > +## character device files. > > +## > > +## > > +## > > +## Domain. > > +## > > +## > > +# > > +interface(`dev_setattr_generic_chr_files',` > > + gen_require(` > > + type device_t; > > + ') > > + > > + allow $1 device_t:chr_file setattr; > > +') > > + > > +######################################## > > +## > > ?## Dontaudit setattr for generic character device files. > > ?## > > ?## > > @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',` > > > > ?######################################## > > ?## > > +## Mount a filesystem on sysfs. > > +## > > +## > > +## > > +## Domain allow access. > > +## > > +## > > +# > > +interface(`dev_mounton_sysfs',` > > + gen_require(` > > + type device_t; > > + ') > > + > > + allow $1 sysfs_t:dir mounton; > > +') > > + > > +######################################## > > +## > > ?## Associate a file to a sysfs filesystem. > > ?## > > ?## > > diff -pru a/policy/modules/kernel/files.if > > b/policy/modules/kernel/files.if > > --- a/policy/modules/kernel/files.if 2016-08-30 > > 13:58:35.862542184 +0200 > > +++ b/policy/modules/kernel/files.if 2016-12-17 > > 23:34:25.007517608 +0100 > > @@ -1784,6 +1784,25 @@ interface(`files_list_root',` > > > > ?######################################## > > ?## > > +## Delete symbolic links in the > > +## root directory. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_delete_root_symlinks',` > > + gen_require(` > > + type root_t; > > + ') > > + > > + allow $1 root_t:lnk_file delete_lnk_file_perms; > > +') > > + > > +######################################## > > +## > > ?## Do not audit attempts to write to / dirs. > > ?## > > ?## 
> > @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f > > > > ?######################################## > > ?## > > +## Delete character device nodes in > > +## the root directory. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_delete_root_chr_files',` > > + gen_require(` > > + type root_t; > > + ') > > + > > + allow $1 root_t:chr_file delete_chr_file_perms; > > +') > > + > > +######################################## > > +## > > ?## Delete files in the root directory. > > ?## > > ?## > > @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',` > > > > ?######################################## > > ?## > > +## Execute files in the root directory. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_exec_root_files',` > > + gen_require(` > > + type root_t; > > + ') > > + > > + allow $1 root_t:file exec_file_perms; > > +') > > + > > +######################################## > > +## > > ?## Remove entries from the root directory. > > ?## > > ?## > > @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry', > > > > ?######################################## > > ?## > > +## Manage the root directory. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_manage_root_dir',` > > + gen_require(` > > + type root_t; > > + ') > > + > > + allow $1 root_t:dir manage_dir_perms; > > +') > > + > > +######################################## > > +## > > +## Get the attributes of a rootfs > > +## file system. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_getattr_rootfs',` > > + gen_require(` > > + type root_t; > > + ') > > + > > + allow $1 root_t:filesystem getattr; > > +') > > + > > +######################################## > > +## > > ?## Associate to root file system. > > ?## > > ?## 
> > @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',` > > ?') > > > > ?######################################## > > +## > > +## Get the attributes of the > > +## etc_runtime directories. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_getattr_etc_runtime_dirs',` > > + gen_require(` > > + type etc_runtime_t; > > + ') > > + > > + allow $1 etc_runtime_t:dir getattr; > > +') > > + > > +######################################## > > +## > > +## Mount a filesystem on the > > +## etc_runtime directories. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_mounton_etc_runtime_dirs',` > > + gen_require(` > > + type etc_runtime_t; > > + ') > > + > > + allow $1 etc_runtime_t:dir mounton; > > +') > > + > > +######################################## > > ?## > > ?## Do not audit attempts to set the attributes of the > > etc_runtime files > > ?## > > diff -pru a/policy/modules/kernel/filesystem.if > > b/policy/modules/kernel/filesystem.if > > --- a/policy/modules/kernel/filesystem.if 2016-11-05 > > 22:59:46.649875204 +0100 > > +++ b/policy/modules/kernel/filesystem.if 2016-12-17 > > 22:50:22.936435441 +0100 > > @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files', > > > > ?######################################## > > ?## > > +## Delete tmpfs symbolic links. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`fs_delete_tmpfs_symlinks',` > > + gen_require(` > > + type tmpfs_t; > > + ') > > + > > + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms; > > +') > > + > > +######################################## > > +## > > ?## Create, read, write, and delete > > ?## auto moutpoints. > > ?## > > diff -pru a/policy/modules/kernel/kernel.if > > b/policy/modules/kernel/kernel.if > > --- a/policy/modules/kernel/kernel.if 2016-12-07 > > 13:39:08.669449296 +0100 
> > +++ b/policy/modules/kernel/kernel.if 2016-12-17 > > 21:26:37.530603508 +0100 > > @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d > > > > ?######################################## > > ?## > > +## Mount the directories in /proc. > > +## > > +## > > +## > > +## Domain. > > +## > > +## > > +# > > +interface(`kernel_mounton_proc_dirs',` > > + gen_require(` > > + type proc_t; > > + ') > > + > > + allow $1 proc_t:dir mounton; > > +') > > + > > +######################################## > > +## > > ?## Get the attributes of files in /proc. > > ?## > > ?## > > diff -pru a/policy/modules/kernel/kernel.te > > b/policy/modules/kernel/kernel.te > > --- a/policy/modules/kernel/kernel.te 2016-12-07 > > 13:39:08.669449296 +0100 > > +++ b/policy/modules/kernel/kernel.te 2016-12-18 > > 01:19:46.891242628 +0100 > > @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton; > > ?# connections with invalidated labels: > > ?allow kernel_t unlabeled_t:packet send; > > > > +kernel_mounton_proc_dirs(kernel_t) > > ?kernel_request_load_module(kernel_t) > > > > ?# Allow unlabeled network traffic > > @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t) > > ?corenet_raw_send_generic_node(kernel_t) > > ?corenet_send_all_packets(kernel_t) > > > > +dev_mounton_sysfs(kernel_t) > > ?dev_read_sysfs(kernel_t) > > ?dev_search_usbfs(kernel_t) > > ?# devtmpfs handling: 
> > @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t) > > ?dev_create_generic_chr_files(kernel_t) > > ?dev_delete_generic_chr_files(kernel_t) > > ?dev_mounton(kernel_t) > > +dev_delete_generic_symlinks(kernel_t) > > +dev_rw_generic_chr_files(kernel_t) > > +dev_setattr_generic_blk_files(kernel_t) > > +dev_setattr_generic_chr_files(kernel_t) > > +dev_getattr_fs(kernel_t) > > +dev_getattr_sysfs(kernel_t) > > > > ?# Mount root file system. Used when loading a policy > > ?# from initrd, then mounting the root filesystem > > ?fs_mount_all_fs(kernel_t) > > ?fs_unmount_all_fs(kernel_t) > > > > +fs_getattr_tmpfs(kernel_t) > > +fs_getattr_tmpfs_dirs(kernel_t) > > +fs_manage_tmpfs_dirs(kernel_t) > > +fs_manage_tmpfs_files(kernel_t) > > +fs_manage_tmpfs_sockets(kernel_t) > > +fs_delete_tmpfs_symlinks(kernel_t) > > + > > +selinux_getattr_fs(kernel_t) > > ?selinux_load_policy(kernel_t) > > > > +term_getattr_pty_fs(kernel_t) > > ?term_use_console(kernel_t) > > +term_use_generic_ptys(kernel_t) > > > > ?# for kdevtmpfs > > ?term_setattr_unlink_unallocated_ttys(kernel_t) > > @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t) > > ?domain_signal_all_domains(kernel_t) > > ?domain_search_all_domains_state(kernel_t) > > > > +files_getattr_rootfs(kernel_t) > > +files_manage_root_dir(kernel_t) > > +files_delete_root_files(kernel_t) > > +files_exec_root_files(kernel_t) > > +files_delete_root_symlinks(kernel_t) > > +files_delete_root_chr_files(kernel_t) > > ?files_list_root(kernel_t) > > ?files_list_etc(kernel_t) > > +files_getattr_etc_runtime_dirs(kernel_t) > > +files_mounton_etc_runtime_dirs(kernel_t) > > ?files_list_home(kernel_t) > > ?files_read_usr_files(kernel_t) > > > > @@ -343,6 +369,7 @@ optional_policy(` > > ?') > > > > ?optional_policy(` > > + logging_manage_generic_logs(kernel_t) > > ? logging_send_syslog_msg(kernel_t) > > ?') 
> > > > @@ -356,6 +383,12 @@ optional_policy(` > > ?') > > > > ?optional_policy(` > > + plymouthd_read_lib_files(kernel_t) > > + term_use_ptmx(kernel_t) > > + term_use_unallocated_ttys(kernel_t) > > +') > > + > > +optional_policy(` > > ? # nfs kernel server needs kernel UDP access. It is less > > risky and painful > > ? # to just give it everything. > > ? allow kernel_t self:tcp_socket create_stream_socket_perms; > > @@ -405,6 +438,7 @@ optional_policy(` > > ?optional_policy(` > > ? seutil_read_config(kernel_t) > > ? seutil_read_bin_policy(kernel_t) > > + seutil_domtrans_setfiles(kernel_t) > > ?') > > > > ?optional_policy(` > > diff -pru a/policy/modules/kernel/terminal.if > > b/policy/modules/kernel/terminal.if > > --- a/policy/modules/kernel/terminal.if 2016-11-05 > > 22:59:46.651875228 +0100 > > +++ b/policy/modules/kernel/terminal.if 2016-12-17 > > 21:40:10.502811148 +0100 > > @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',` > > > > ?######################################## > > ?## > > +## Get the attributes of the > > +## /dev/pts directory. > > +## > > +## > > +## > > +## Domain. > > +## > > +## > > +# > > +interface(`term_getattr_pty_dirs',` > > + gen_require(` > > + type devpts_t; > > + ') > > + > > + allow $1 devpts_t:dir getattr; > > +') > > + > > +######################################## > > +## > > ?## Do not audit attempts to get the > > ?## attributes of the /dev/pts directory. > > ?## > > @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',` > > > > ? allow $1 devpts_t:chr_file getattr; > > ?') > > + > > ?######################################## > > ?## > > ?## Do not audit attempts to get the attributes Regards, Guido
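Review bot: in the devices.if hunk that adds dev_mounton_sysfs, the gen_require block declares `type device_t;` while the rule it guards is `allow $1 sysfs_t:dir mounton;`, so the interface requires the wrong type and will not declare the one it actually uses; change the require to `type sysfs_t;`. The parameter description in the same block reads "Domain allow access." where the other new interfaces in this patch say "Domain allowed access.".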
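Review bot: the kernel.te hunk at @@ -289,8 +307,16 @@ grants far more on root_t than the AVC records in the mail justify: the denials shown are getattr, read, open, execute and execute_no_trans on a single file (/bin/umount inside the initramfs), which files_exec_root_files alone covers, whereas files_manage_root_dir, files_delete_root_files, files_delete_root_symlinks and files_delete_root_chr_files have no matching denial in the message. Each of those calls should be accompanied by the AVC that motivates it, and files_manage_root_dir makes the existing files_list_root(kernel_t) line directly below it redundant. Since the mail itself states that the root cause is dracut never relabeling the initramfs after loading the policy, labeling the initramfs contents so that /bin/umount is not root_t would be a narrower fix than teaching kernel_t to execute and delete root_t files.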
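Review bot: in the kernel.te hunk at @@ -356,6 +383,12 @@, term_use_ptmx(kernel_t) and term_use_unallocated_ttys(kernel_t) are placed inside an optional_policy block together with plymouthd_read_lib_files(kernel_t); the terminal module belongs to the kernel layer and is always present, so those two calls should not be conditional on the plymouth module being loaded. Move them next to the unconditional term_use_console(kernel_t) line in the @@ -268,15 +270,31 @@ hunk and leave only the plymouth interface in the optional block.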
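Review bot: logging_manage_generic_logs(kernel_t) in the @@ -343,6 +369,7 @@ hunk lets the kernel domain create, write and delete every generic log file, and seutil_domtrans_setfiles(kernel_t) in the @@ -405,6 +438,7 @@ hunk adds a domain transition out of the kernel domain; neither is backed by a denial quoted in the mail. Please quote the AVCs for both, and for the log access check whether a read-only or append-only logging interface is sufficient before granting manage permissions.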
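Review bot: the terminal.if hunk adds term_getattr_pty_dirs, but none of the kernel.te hunks call it (kernel.te calls term_getattr_pty_fs, which this patch does not add), so the new interface is unused unless one of the follow-up init or shutdown patches needs it, in which case it belongs in that patch. The final hunk at @@ -553,6 +572,7 @@ only inserts a blank line after term_getattr_generic_ptys and is unrelated whitespace cleanup that should go in its own commit.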
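Added example, not code from the mail or from refpolicy: a small Python script that groups the AVC records quoted in the mail the way audit2allow does and checks whether the union of denied permissions falls inside exec_file_perms, the set that files_exec_root_files grants. The five records are embedded as constructed sample input with the extraction garbling repaired; the exec_file_perms definition is written from memory of refpolicy's obj_perm_sets.spt and is an assumption to verify against the tree under review.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records quoted in the mail above,
# with the extraction garbling ("??" standing in for runs of spaces) repaired.
SAMPLE_AVC = """\
type=AVC msg=audit(1482156395.264:6): avc:  denied  { getattr } for  pid=1 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:7): avc:  denied  { execute } for  pid=1 comm="init" name="umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:8): avc:  denied  { read } for  pid=1 comm="init" name="umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:9): avc:  denied  { open } for  pid=783 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:9): avc:  denied  { execute_no_trans } for  pid=783 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
"""

# One AVC record: the denied permission set, then the contexts and class later on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+?) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# exec_file_perms as recalled from refpolicy's obj_perm_sets.spt (assumption:
# verify against the tree you are reviewing).
EXEC_FILE_PERMS = frozenset({"getattr", "open", "read", "execute", "ioctl", "execute_no_trans"})


def summarize_denials(log_text):
    """Union the denied permissions per (source type, target type, class),
    which is the grouping audit2allow performs before printing allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, CWD, PATH, ...)
        # Contexts are user:role:type[:level]; only the type matters for TE rules.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        grouped[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return {key: frozenset(perms) for key, perms in grouped.items()}


def as_allow_rules(summary):
    """Render each group as an allow rule and flag the ones already covered by
    a refpolicy permission set, so the reviewer can name the matching interface."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        note = ""
        if tclass == "file" and perms <= EXEC_FILE_PERMS:
            note = "  # subset of exec_file_perms"
        rules.append("allow %s %s:%s { %s };%s"
                     % (stype, ttype, tclass, " ".join(sorted(perms)), note))
    return rules
```

Running as_allow_rules(summarize_denials(SAMPLE_AVC)) collapses the five records into one rule on kernel_t root_t:file, which is why only files_exec_root_files is needed for the denials actually quoted.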