From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:08:41 +0200 (CEST)
Subject: [refpolicy] [PATCH 26/33] selinuxutil: curb on userdom permissions
Message-ID: <773759495.164534.1492650521782@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch curbs on userdomain file read and/or write permissions for the SELinux utilities (selinuxutil) module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.
Signed-off-by: Guido Trentalancia
---
 policy/modules/system/selinuxutil.te | 45 +++++++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 4 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/system/selinuxutil.te 2017-02-04 19:30:19.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/system/selinuxutil.te 2017-04-20 00:27:50.508446073 +0200
@@ -9,6 +9,15 @@ gen_require(`
 # Declarations
 #
+##
+##

+## Determine whether the SELinux
+## utilities can read the user
+## home directories and files.
+##

+##
+gen_tunable(selinuxutil_enable_home_dirs, false)
+
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
@@ -20,6 +29,8 @@ role system_r types run_init_t;
 attribute_role semanage_roles;
 roleattribute system_r semanage_roles;
+attribute_role sesearch_roles;
+
 #
 # selinux_config_t is the type applied to
 # /etc/selinux/config
@@ -115,6 +126,12 @@ files_tmp_file(semanage_tmp_t)
 type semanage_trans_lock_t;
 files_type(semanage_trans_lock_t)
+type sesearch_t;
+type sesearch_exec_t;
+application_domain(sesearch_t, sesearch_exec_t)
+domain_interactive_fd(sesearch_t)
+role sesearch_roles types sesearch_t;
+
 type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
 type setfiles_exec_t alias restorecon_exec_t;
 init_system_domain(setfiles_t, setfiles_exec_t)
@@ -501,8 +518,7 @@ seutil_get_semanage_read_lock(semanage_t
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
-# Handle pp files created in homedir and /tmp
-userdom_read_user_home_content_files(semanage_t)
+# Handle pp files created in /tmp
 userdom_read_user_tmp_files(semanage_t)
 ifdef(`distro_debian',`
@@ -516,6 +532,22 @@ ifdef(`distro_ubuntu',`
 ')
 ')
+tunable_policy(`selinuxutil_enable_home_dirs',`
+ # Handle pp files created in homedir
+ userdom_read_user_home_content_files(semanage_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(semanage_t)
+')
+ ######################################## # # sesearch local policy # + domain_use_interactive_fds(sesearch_t) + selinux_getattr_fs(sesearch_t) + ########################################
 #
 # Setfiles local policy
@@ -592,8 +624,6 @@ seutil_libselinux_linked(setfiles_t)
 seutil_read_module_store(setfiles_t)
 userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
 ifdef(`distro_debian',`
 # udev tmpfs is populated with static device nodes
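Review bot: The tunable description in the `+##` lines names neither the domains it governs nor the fact that it is off by default, so an administrator listing booleans cannot tell that both semanage_t and setfiles_t (restorecon) lose read access to home content until it is enabled. Suggest `## Determine whether the SELinux utilities (semanage, setfiles/restorecon) can read the user home directories and files. Disabled by default.` The commit message speaks of read and/or write permissions, but every hunk only gates `userdom_read_user_home_content_files`, so the message overstates what is changed. As rendered here the `+##` lines around the text carry no `<desc>`/`<p>` tags; if that is not an archive artifact, the block presumably will not be picked up by the policy documentation tooling.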
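Review bot: The new sesearch_t domain is declared but nothing in this patch makes it reachable: the diffstat shows only selinuxutil.te changed, so there is no file context labelling a binary as sesearch_exec_t, no interface (e.g. a new `seutil_run_sesearch`-style pair, name constructed) through which a user domain could transition into it, and `sesearch_roles` is never given a role. The sesearch local policy in the later hunk only grants `domain_use_interactive_fds` and `selinux_getattr_fs`; sesearch has to read the installed binary policy, so presumably `seutil_read_bin_policy(sesearch_t)` is also needed — confirm against the tool. This domain is unrelated to the userdom curb the patch title describes and would be easier to review as its own patch.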
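Review bot: The off branch `userdom_dontaudit_read_user_home_content_files(semanage_t)` suppresses the AVC for exactly the access the boolean is meant to block, so with the default of false a module install from a home directory fails with no audit record explaining why; the same applies to the setfiles block in the last hunk. Since the denial is the intended outcome of a confidentiality change, it is worth keeping visible: either drop the `',\`` branch so the default-off case is a plain, logged denial, or document in the tunable description that this boolean is the first thing to check when semanage or restorecon fails on home content. A denial that is deliberately hidden is also one a detection rule for unexpected home-directory reads can no longer see.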
@@ -627,6 +657,13 @@ ifdef(`hide_broken_symptoms',`
 ')
 ')
+tunable_policy(`selinuxutil_enable_home_dirs',`
+ # for config files in a home directory
+ userdom_read_user_home_content_files(setfiles_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(setfiles_t)
+')
+
 optional_policy(`
 hotplug_use_fds(setfiles_t)
 ')