|
Hi SELinux experts, I have come up with some patches for the latest refpolicy-2.20091117 and would like to ask for opinions about whether they make sense or not. Please help review when convenient, any comment is greatly welcomed! Best regards, Harry 搜索本应是彩色的,快来体验新一代搜索引擎-必应,精美图片每天换哦! 立即试用! |
crond_t would require necessary privilege to execute the /bin/hostname
program, otherwise we will run into below error messages during system boots up:
type=1400 audit(1264604461.360:50): avc: denied { getattr } for pid=2435 comm="logcheck.sh" path="/bin/hostname" dev=sda1 ino=73500 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=1400 audit(1264604461.407:51): avc: denied { execute } for pid=2435 comm="logcheck.sh" name="hostname" dev=sda1 ino=73500 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=1400 audit(1264604461.453:52): avc: denied { read } for pid=2435 comm="logcheck.sh" name="hostname" dev=sda1 ino=73500 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=1400 audit(1264604461.499:53): avc: denied { open } for pid=2435 comm="logcheck.sh" name="hostname" dev=sda1 ino=73500 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/services/cron.te | 2 ++
1 file changed, 2 insertions(+)
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -229,6 +229,8 @@ userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
+hostname_domtrans(crond_t)
+
ifdef(`distro_debian',`
# pam_limits is used
allow crond_t self:process setrlimit;
crond_t would require necessary privilege to manage and execute bin_t files,
otherwise we will run into below error messages during system boots up:
type=1400 audit(1264604461.068:44): avc: denied { getattr } for pid=2429 comm="bash" path="/usr/bin/run-parts" dev=sda1 ino=115396 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=1400 audit(1264604461.114:45): avc: denied { execute } for pid=2429 comm="bash" name="run-parts" dev=sda1 ino=115396 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=1400 audit(1264604461.159:46): avc: denied { read } for pid=2429 comm="bash" name="run-parts" dev=sda1 ino=115396 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=1400 audit(1264604461.203:47): avc: denied { open } for pid=2429 comm="bash" name="run-parts" dev=sda1 ino=115396 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=1400 audit(1264604461.248:48): avc: denied { execute_no_trans } for pid=2429 comm="bash" path="/usr/bin/run-parts" dev=sda1 ino=115396 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=1400 audit(1264604461.296:49): avc: denied { ioctl } for pid=2429 comm="run-parts" path="/usr/bin/run-parts" dev=sda1 ino=115396 scontext=system_u:system_r:crond_t:s0-s15:c0.c255 tcontext=system_u:object_r:bin_t:s0 tclass=file
Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/services/cron.te | 3 ++
1 file changed, 3 insertions(+)
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -195,6 +195,9 @@ corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
corecmd_read_bin_symlinks(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_manage_bin_files(crond_t)
+
domain_use_interactive_fds(crond_t)
files_read_usr_files(crond_t)
quotaon will try to mmap a low area of the address space, which is explicitly
prohibited by the neverallow rule defined in kernel/domain.te:
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
So we use a dontaudit rule here to suppress below error message:
type=1400 audit(1263999798.212:5): avc: denied { mmap_zero } for pid=2011 comm="quotaon" scontext=system_u:system_r:quota_t:s0-s15:c0.c255 tcontext=system_u:system_r:quota_t:s0-s15:c0.c255 tclass=memprotect
Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/admin/quota.te | 1 +
1 file changed, 1 insertion(+)
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -24,6 +24,7 @@ files_type(quota_flag_t)
allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
+dontaudit quota_t self:memprotect { mmap_zero} ;
# for /quota.*
allow quota_t quota_db_t:file { manage_file_perms quotaon };
If /sbin/init is to run mingetty against console rather than any tty device such as:
0:2345:respawn:/sbin/mingetty console
#1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
Where "console=ttyS0, 115200n8" or the like is specified in kernel bootparams.
This would require getty_t having necessary privilege in order to use the console.
Otherwise /sbin/mingetty will fail to domain transition to local_login_t
and /sbin/init will end up respawning /sbin/mingetty forever:
INIT: Id "0" respawning too fast: disabled for 5 minutes
INIT: no more processes left in this runlevel
INIT: Id "0" respawning too fast: disabled for 5 minutes
...(repeated)...
If we remove the "term_dontaudit_use_console(getty_t)", we can see the reason
why /sbin/mingetty fails to execuate /bin/login:
type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
For system that needs loging in through serial console, the term_use_console()
interface should be called for the getty_t domain. However, please do note that
/dev/console is not regarded as a secure device and many domains won't have even
the read permission against it, so please remember to log in from ssh after system
properly boots up.
Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/system/getty.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -86,7 +86,7 @@ term_use_unallocated_ttys(getty_t)
term_setattr_all_user_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
-term_dontaudit_use_console(getty_t)
+term_use_console(getty_t)
auth_rw_login_records(getty_t)
initrc_t would require necessary privilege to create /dev/loop*, otherwise
we will run into below error message during system boots up:
type=1400 audit(1264337970.536:5): avc: denied { create } for pid=1012 comm="MAKEDEV" name="loop0-" scontext=system_u:system_r:initrc_t:s0-s15:c0.c255 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c255 tclass=blk_file
Note, the security label of /dev/loop* is s15 whereas initrc_t is s0, so we
have to grant mls_file_upgrade() privilege for it too.
Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/system/init.te | 2 ++
1 file changed, 2 insertions(+)
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -345,6 +345,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
+mls_file_upgrade(initrc_t)
selinux_get_enforce_mode(initrc_t)
@@ -477,6 +478,7 @@ ifdef(`distro_redhat',`
storage_manage_fixed_disk(initrc_t)
storage_dev_filetrans_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
+ storage_tmpfs_filetrans_fixed_disk(initrc_t)
# readahead asks for these
auth_dontaudit_read_shadow(initrc_t)
insmod_t would require necessary privilege to operate /dev/console, otherwise
during boot up modprobe would throw out many error messages such as:
type=1400 audit(1263731962.260:4): avc: denied { read } for pid=960 comm="modprobe" name="console" dev=sda1 ino=244841 scontext=system_u:system_r:insmod_t:s0-s15:c0.c255 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/system/modutils.te | 2 ++
1 file changed, 2 insertions(+)
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -159,6 +159,8 @@ seutil_read_file_contexts(insmod_t)
userdom_use_user_terminals(insmod_t)
+term_use_console(insmod_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(insmod_t)
The mount_t domain should have enough privilege to create the lock file in
/var/lock, otherwise we will run into below error messages during boot up:
Mounting other filesystems:
mount: sysfs already mounted or /sys busy
mount: devpts already mounted or /dev/pts busy
can't create lock file /var/lock/mtab~2158: Permission denied (use -n flag to override)
type=1400 audit(1263998153.228:7): avc: denied { write } for pid=2006 comm="mount" name="lock" dev=sda1 ino=318296 scontext=system_u:system_r:mount_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=1400 audit(1263998153.228:8): avc: denied { add_name } for pid=2006 comm="mount" name="mtab~2006" scontext=system_u:system_r:mount_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=1400 audit(1263998153.228:9): avc: denied { create } for pid=2006 comm="mount" name="mtab~2006" scontext=system_u:system_r:mount_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=1400 audit(1263998153.232:10): avc: denied { write open } for pid=2006 comm="mount" name="mtab~2006" dev=sda1 ino=318422 scontext=system_u:system_r:mount_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=1400 audit(1263998153.232:11): avc: denied { link } for pid=2006 comm="mount" name="mtab~2006" dev=sda1 ino=318422 scontext=system_u:system_r:mount_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=1400 audit(1263998153.232:12): avc: denied { lock } for pid=2006 comm="mount" path="/var/lock/mtab~" dev=sda1 ino=318422 scontext=system_u:system_r:mount_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=1400 audit(1263998153.232:13): avc: denied { remove_name } for pid=2006 comm="mount" name="mtab~2006" dev=sda1 ino=318422 scontext=system_u:system_r:mount_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
From above AVC denied messages we can see that mount_t should have the ability
to manage var_lock_t.
Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/system/mount.te | 2 +++
1 file changed, 2 insertions(+)
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -80,6 +80,8 @@ files_read_isid_type_files(mount_t)
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
+files_manage_generic_locks(mount_t)
+
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
fs_mount_all_fs(mount_t)
We should grant newrole_t enough privilege to use and relabel the /dev/console if we want to use newrole after logging in from serial console. However, if you never logs in from console but on tty or through ssh then this patch is not needed. Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx> --- policy/modules/system/selinuxutil.te | 3 ++ 1 files changed, 3 insertions(+) --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -260,6 +260,9 @@ term_relabel_all_user_ttys(newrole_t) term_relabel_all_user_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) +# allow newrole_t to use and relabel /dev/console +term_use_console(newrole_t) +term_relabel_console(newrole_t) auth_use_nsswitch(newrole_t) auth_domtrans_chk_passwd(newrole_t)
Explicitly specify the security context for /root directory to avoid it being labeled as default_t. Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx> --- policy/modules/system/userdomain.fc | 4 ++++ 1 file changed, 4 insertions(+) --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -2,3 +2,7 @@ HOME_DIR -d gen_context(system_u:object_ HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) + +/root -d gen_context(system_u:object_r:user_home_dir_t,s0) +/root/.+ gen_context(system_u:object_r:user_home_t,s0) +
semanage_t would require necessary privilege to read the pp created in user
homedir or /tmp, otherwise following error messages would pop up when
updating a pp in permissive mode:
root@cp3020:/root> semodule -u authlogin.pp
type=1400 audit(1264599291.256:51): avc: denied { search } for pid=2360 comm="semodule" name="root" dev=sda1 ino=579361 scontext=root:secadm_r:semanage_t:s0-s15:c0.c255 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=1400 audit(1264599291.301:52): avc: denied { read } for pid=2360 comm="semodule" name="authlogin.pp" dev=sda1 ino=579366 scontext=root:secadm_r:semanage_t:s0-s15:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1264599291.347:53): avc: denied { open } for pid=2360 comm="semodule" name="authlogin.pp" dev=sda1 ino=579366 scontext=root:secadm_r:semanage_t:s0-s15:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1264599291.392:54): avc: denied { getattr } for pid=2360 comm="semodule" path="/root/authlogin.pp" dev=sda1 ino=579366 scontext=root:secadm_r:semanage_t:s0-s15:c0.c255 tcontext=root:object_r:user_home_t:s0 tclass=file
SELinux: 8192 avtab hash slots, 167322 rules.
SELinux: 8192 avtab hash slots, 167322 rules.
SELinux: 6 users, 13 roles, 3007 types, 105 bools, 16 sens, 256 cats
SELinux: 77 classes, 167322 rules
type=1403 audit(1264599325.456:55): policy loaded auid=4294967295 ses=4294967295
root@cp3020:/root>
Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/system/selinuxutil.te | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -492,9 +492,8 @@ ifdef(`distro_ubuntu',`
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
- # read secadm tmp files
-',`
# Handle pp files created in homedir and /tmp
+ userdom_search_user_home_dirs(semanage_t)
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
')
Add the types of /dev/console and /dev/pts/0 to securetty_types file, so that you can do newrole on these devices. Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx> --- config/appconfig-mcs/securetty_types | 2 ++ config/appconfig-mls/securetty_types | 2 ++ config/appconfig-standard/securetty_types | 2 ++ 3 files changed, 6 insertions(+) --- a/config/appconfig-mcs/securetty_types +++ b/config/appconfig-mcs/securetty_types @@ -1 +1,3 @@ user_tty_device_t +console_device_t +user_devpts_t --- a/config/appconfig-mls/securetty_types +++ b/config/appconfig-mls/securetty_types @@ -1 +1,3 @@ user_tty_device_t +console_device_t +user_devpts_t --- a/config/appconfig-standard/securetty_types +++ b/config/appconfig-standard/securetty_types @@ -1 +1,3 @@ user_tty_device_t +console_device_t +user_devpts_t
setfiles_t would require necessary privilege to read from /dev/console,
otherwise we will run into below error message during boot up:
type=1400 audit(1286905969.676:7): avc: denied { read } for pid=1960 comm="restorecon" name="console" dev=sda1 ino=522248 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c255 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
Signed-off-by: Harry Ciao<qingtao.cao@xxxxxxxxxxxxx>
---
policy/modules/system/selinuxutil.te | 2 ++
1 file changed, 2 insertions(+)
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -554,6 +554,8 @@ term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t)
term_use_unallocated_ttys(setfiles_t)
+term_read_console(setfiles_t)
+
# this is to satisfy the assertion:
auth_relabelto_shadow(setfiles_t)
