selinuxproject / refpolicy
SELinux Reference Policy v2
Home Page: https://github.com/SELinuxProject/refpolicy/wiki
License: GNU General Public License v2.0
Container runtime support is currently missing in refpolicy. An issue was opened at container-selinux to bring the possibility to build it against refpolicy, but doing so presents some problems that need reworking. The idea to make container-selinux compatible with refpolicy was the originally proposed solution, but it may instead be wiser to begin work on a container module in refpolicy itself, so as to avoid the many incompatibilities or rules deemed potentially too permissive in refpolicy, etc.
Either way, I am opening this issue to bring visibility on this, as overall support for container runtimes in refpolicy seems to be reaching high demand.
container-selinux issue: containers/container-selinux#113
Hi,
I have taken the reference policy and compiled it, but it gives the following error:
libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
libsepol.context_from_record: could not create context structure
This error occurs when trying to get denial logs using audit2allow -a -w, and at module load time. Here I'm using an old version of the reference policy with the required dependency packages, and I tried all versions of the reference policy with the required dependency versions of the packages, but I'm not succeeding.
Thanks in advance,
Hi,
I tried to compile refpolicy with 'make conf & make', but I ran into the errors below. I am using the release version refpolicy-2.20210203.tar.bz2; I also tried the latest source code from refpolicy_master.zip, but both of them have this compile issue.
Note: I compile refpolicy on Ubuntu 16.04 and have already installed checkpolicy and policycoreutils. Could you please give me some advice? Thank you in advance.
=============== compile error message =============================================
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:1394:ERROR 'invalid policy capability name extended_socket_class' at token ';' on line 1394:
policycap extended_socket_class;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1
#76 (SELinux ioctl allowlist) was (understandably) closed, as it would have required a large amount of effort and had a high risk of breakage.
That said, I would still like to be able to restrict the ioctls a process can use via SELinux. This can be done by means of an attribute. Types with that attribute are given xperm rules that block all ioctls. Any needed ioctls can be allowed by user-provided xperm rules.
I would be willing to write a PR for this, if upstream is interested.
Writing to /tmp is often enough to execute code as the UID the daemon is running as, often root. This can bypass SELinux restrictions.
The style guide does not contain any information about the order (of kinds and names) in require blocks.
Is there a preferred order, should an order be followed, or is it indifferent?
Seems like currently the order for required kinds is mostly (but not completely):
attribute -> attribute_role -> type -> class -> role
p.s.:
My personal favourite order is
bool -> class -> role -> attribute_role -> attribute -> type
Hello,
While working on supporting the refpolicy on embedded systems generated using Buildroot, I stumbled upon a login issue where the login system gets blocked from accessing the shadow_t context.
I'm using a serial connection handled by agetty and the util-linux login program.
The following logs are output when asked for a password:
buildroot login: root
kauditd_printk_skb: 2 callbacks suppressed
audit: type=1400 audit(1611839506.969:51): avc: denied { noatsecure } for pid=76 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839506.969:51): avc: denied { rlimitinh } for pid=76 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839506.969:51): avc: denied { siginh } for pid=76 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839507.069:52): avc: denied { read } for pid=76 comm="login" name="shadow" dev="vda" ino=88 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file permissive=0
Password:
Then, no matter the password entered, the login fails.
One thing to note is that these logs are only output when building with "make enableaudit", so the messages are hidden by a noaudit rule by default.
Since this issue concerns the login process and accessing the shadow file, I'd rather get your opinion on that before trying to come up with a patch.
Adding "auth_read_shadow(local_login_t)" to the policy allows me to log in, but this doesn't look like the right solution.
I'd therefore like to have your input on that particular issue.
Thanks a lot,
Maxime
Since version 246 of systemd, /usr/lib/systemd/systemd-udevd has become a symlink to /usr/bin/udevadm.
This means that udevd is now run in the udevadm_t domain, and that breaks things.
Original labels as reference:
/usr/bin/udevadm system_u:object_r:udevadm_exec_t:SystemLow
/usr/lib/systemd/systemd-udevd system_u:object_r:udev_exec_t:SystemLow
Trying to build refpolicy for debian by setting the following configuration:
diff --git a/build.conf b/build.conf
index a2f1a9b5..08e380aa 100644
--- a/build.conf
+++ b/build.conf
@@ -27,7 +27,7 @@ NAME = refpolicy
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = debian
# Unknown Permissions Handling
# The behavior for handling permissions defined in the
@@ -46,7 +46,7 @@ DIRECT_INITRC = n
# Systemd
# Setting this will configure systemd as the init system.
-SYSTEMD = n
+SYSTEMD = y
# Build monolithic policy. Putting y here
# will build a monolithic policy.
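Review bot: SYSTEMD = y together with DISTRO = debian from the first hunk is what the m4 invocation below reflects (-D distro_debian -D init_systemd), so both settings do reach the build; the failure reported below is raised by checkmodule while parsing the "portcon sctp" lines of base.conf ('unrecognized protocol sctp'), not by either option in this diff, so reverting these two lines would not clear it.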
make conf && make produces the error:
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy policy/flask/security_classes policy/flask/initial_sids policy/flask/access_vectors policy/context_defaults support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 policy/mls policy/mcs policy/policy_capabilities > tmp/pre_te_files.conf
python3 -t -t -E -W error support/genclassperms.py policy/flask/access_vectors policy/flask/security_classes > tmp/generated_definitions.conf
test -f policy/booleans.conf && gawk -f support/set_bools_tuns.awk policy/booleans.conf >> tmp/generated_definitions.conf || true
sed -e s/dollarsstar/\$\*/g tmp/all_interfaces.conf.tmp >> tmp/all_interfaces.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy -s support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/kernel/corecommands.te policy/modules/kernel/corenetwork.te policy/modules/kernel/devices.te policy/modules/kernel/domain.te policy/modules/kernel/files.te policy/modules/kernel/filesystem.te policy/modules/kernel/kernel.te policy/modules/kernel/mcs.te policy/modules/kernel/mls.te policy/modules/kernel/selinux.te policy/modules/kernel/terminal.te policy/modules/kernel/ubac.te support/fatal_error.m4 > tmp/all_te_files.conf
sed -r -f support/get_type_attr_decl.sed tmp/all_te_files.conf | LC_ALL=C sort > tmp/all_attrs_types.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf policy/global_booleans policy/global_tunables > tmp/global_bools.conf
sed -r -f support/comment_move_decl.sed tmp/all_te_files.conf > tmp/only_te_rules.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf policy/users policy/constraints > tmp/post_te_files.conf
cat tmp/post_te_files.conf > tmp/all_post.conf
egrep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^portcon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^netifcon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^nodecon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^ibpkeycon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^ibendportcon tmp/all_te_files.conf >> tmp/all_post.conf || true
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/ubac.te:2490:ERROR 'unrecognized protocol sctp' at token 'portcon' on line 29847:
portcon sctp 512-1023 system_u:object_r:hi_reserved_port_t
portcon sctp 1024-65535 system_u:object_r:unreserved_port_t
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1
I tried to create a ctags file with make ctags and got this message:
make: Circular tags <- tags dependency dropped.
ctags-exuberant: Warning: cannot open source file "policy/modules/*/*.{if,te}" : No such file or directory
It works fine when I substitute this pattern with "policy/modules/*/*.if policy/modules/*/*.te" in the Makefile. Also, ctags can parse the *.{if,te} pattern from the command line.
I'm working on the OpenVPN 3 Linux project which is a brand new OpenVPN client which makes heavy use of D-Bus to solve a lot of challenges the current OpenVPN 2.x generation has on modern Linux systems.
OpenVPN 3 Linux depends heavily on D-Bus, where multiple daemons serve very specific tasks and the IPC happens over D-Bus. One challenge we have on SELinux enabled systems (in particular Fedora and RHEL) is that SELinux does not allow the dbus-daemon to pass a FD from one D-Bus service to another one when the FD is tied to /dev/net/tun.
Currently we ship our own SELinux policy to resolve this issue, which can be seen here in openvpn3.te.
The policy we wrote attempted to be as generic as possible (with the filename being the exception), as this doesn't look like an OpenVPN-only issue, but something which could hit anyone wanting to pass a FD to a tun device over D-Bus.
If this looks like a reasonable solution which could be applied to the SELinux reference policy, I'm happy to submit a pull request for it.
Hello,
With the recent versions of systemd, there is a new userdb component added. libnss-systemd is now trying to connect to a socket located in /run/systemd/userdb/, which means that any domain (including a user one) that should resolve user/group ids might try to connect to it.
There is also an optional daemon running
Fedora policy already has support for this that adds custom types.
Some parameters such as httpd_nutups_cgi_script_t are defined as optional in nut.te, but httpd_nutups_cgi_script_exec_t is unconditionally used in nut.fc, resulting in the following build failure when validating file contexts without services/apache:
Validating targeted file_contexts.
env LD_LIBRARY_PATH="/tmp/instance-1/output-1/host/lib:/tmp/instance-1/output-1/host/usr/lib" /tmp/instance-1/output-1/host/sbin/setfiles -q -c /tmp/instance-1/output-1/target/etc/selinux/targeted/policy/policy.33 file_contexts
libsepol.context_from_record: type httpd_nutups_cgi_script_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_nutups_cgi_script_exec_t to sid
invalid context system_u:object_r:httpd_nutups_cgi_script_exec_t
This issue is raised in nut but also in all packages that can optionally share content through apache, such as collectd, cvs, git, etc. What is the proper way of fixing this?
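The validation step that fails above, as an added example that is neither refpolicy's build tooling nor setfiles itself: it checks each file_contexts entry against a set of policy types the way setfiles -c does, and scans a module's .te for types declared only inside optional_policy() blocks. The .te/.fc samples and the BUILT_TYPES set are constructed; the real nut.te creates the CGI types through apache_content_template() inside optional_policy(), which the sample spells out as a plain type statement so the block scan has something to see.

```python
import re

# file_contexts entry: a path regex, an optional file-type flag, then a context
# or <<none>>. Contexts in refpolicy .fc sources are wrapped in gen_context(...);
# installed file_contexts carry them bare, so both spellings are accepted.
FC_LINE_RE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)$")
CTX_RE = re.compile(r"^(?:gen_context\()?(?P<user>\w+):(?P<role>\w+):(?P<type>\w+)")
TYPE_DECL_RE = re.compile(r"^\s*type\s+(\w+)")
# refpolicy blocks (optional_policy, ifdef, tunable_policy, gen_require, ...) open
# with a name, "(" and an m4 backtick at end of line, and close with a line of "')"
BLOCK_OPEN_RE = re.compile(r"^\s*(\w+)\(.*`\s*$")
BLOCK_CLOSE_RE = re.compile(r"^\s*'\)\s*$")


def declared_types(te_text):
    """Map each type a .te declares to True if it is inside optional_policy()."""
    stack, types = [], {}
    for line in te_text.splitlines():
        mo = BLOCK_OPEN_RE.match(line)
        if mo:
            stack.append(mo.group(1))
            continue
        if BLOCK_CLOSE_RE.match(line) and stack:
            stack.pop()
            continue
        md = TYPE_DECL_RE.match(line)
        # "type foo_t;" inside gen_require() is a requirement, not a declaration
        if md and "gen_require" not in stack:
            types[md.group(1)] = "optional_policy" in stack
    return types


def validate_file_contexts(fc_text, policy_types, users=("system_u",), roles=("object_r",)):
    """Check every entry the way setfiles -c does; returns (ok_entries, problems)."""
    ok, problems = [], []
    for n, raw in enumerate(fc_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = FC_LINE_RE.match(line)
        if not m:
            problems.append((n, "unparsable entry: " + line))
            continue
        ctx = m.group("ctx")
        if ctx == "<<none>>":
            ok.append((m.group("regex"), None))
            continue
        c = CTX_RE.match(ctx)
        if not c:
            problems.append((n, "invalid context " + ctx))
        elif c.group("user") not in users or c.group("role") not in roles:
            problems.append((n, "invalid user/role in " + ctx))
        elif c.group("type") not in policy_types:
            problems.append((n, "type %s is not defined" % c.group("type")))
        else:
            ok.append((m.group("regex"), c.group("type")))
    return ok, problems


def fc_types_at_risk(fc_text, te_text):
    """Types a .fc references that its .te declares only optionally, or not at all."""
    decls = declared_types(te_text)
    used = set()
    for raw in fc_text.splitlines():
        m = FC_LINE_RE.match(raw.split("#", 1)[0].strip())
        c = CTX_RE.match(m.group("ctx")) if m else None
        if c:
            used.add(c.group("type"))
    return sorted(t for t in used if decls.get(t, True))


# Constructed nut-style sources (paths and the explicit type statement are samples).
SAMPLE_TE = """\
policy_module(nut, 1.0.0)
type nut_exec_t;
type nut_var_run_t;
optional_policy(`
    type httpd_nutups_cgi_script_exec_t;
')
"""
SAMPLE_FC = """\
/usr/sbin/upsd  --  gen_context(system_u:object_r:nut_exec_t,s0)
/run/nut(/.*)?  gen_context(system_u:object_r:nut_var_run_t,s0)
/usr/lib/cgi-bin/nut(/.*)?  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/proc  -d  <<none>>
"""
# Constructed: what a base policy built without services/apache would contain.
BUILT_TYPES = {"nut_exec_t", "nut_var_run_t", "bin_t"}

if __name__ == "__main__":
    for n, msg in validate_file_contexts(SAMPLE_FC, BUILT_TYPES)[1]:
        print("file_contexts line %d: %s" % (n, msg))
    print("types needing an unconditional declaration:", fc_types_at_risk(SAMPLE_FC, SAMPLE_TE))
```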
Since SELinuxProject/selinux@5447c84 was applied, we might want to add the flag -E to setfiles calls in the future, when the containing SELinux release is broadly available.
Who do I report a security vulnerability in the reference policy to?
this is a replication of:
TL;DR
when xdm is started by OpenRC it additionally wants to
type=AVC msg=audit(1571776002.581:399): avc: denied { chown } for pid=6225 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0
type=AVC msg=audit(1571776002.729:400): avc: denied { chown } for pid=6225 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0
this does not occur if this is run by root: /etc/init.d/xdm start
the bug is fixed when this is allowed: allow xserver_t self:capability chown
I don't know if this can be added to the global policy for xserver:
https://github.com/SELinuxProject/refpolicy/blame/master/policy/modules/services/xserver.te#L636
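One way to triage the denials quoted in this report and in the login/shadow_t report above, as an added example that is not part of either issue or of refpolicy: it parses both AVC line shapes that appear on this page, tallies denials per source/target/class/permission, renders them as audit2allow-style rules for review, and surfaces the one that hits a sensitive target type. SAMPLE_LOG is the lines quoted in the two reports; SENSITIVE_TYPES is an assumed default.

```python
import re
from collections import Counter

# Two AVC line shapes appear in the reports on this page: kernel printk lines
# ("audit: type=1400 audit(...)") and auditd lines ("type=AVC msg=audit(...)").
# Both carry the same "avc: denied { perms } for key=value ..." body, so one
# pattern covers both; the serial after the timestamp identifies the event.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?"
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; a value is either "quoted" (possibly empty) or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Constructed default: target types whose denials deserve a closer look.
SENSITIVE_TYPES = frozenset({"shadow_t"})


def context_type(ctx):
    """Return the type field of a 'user:role:type[:level]' security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for a non-AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = bare if bare else quoted
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def parse_avc_lines(text):
    """Parse every AVC line in a block of log text, skipping everything else."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def denial_summary(records):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        if r["decision"] == "denied":
            for perm in r["perms"]:
                counts[(r["stype"], r["ttype"], r["tclass"], perm)] += 1
    return counts


def flag_sensitive(records, sensitive_types=SENSITIVE_TYPES):
    """Denials on a sensitive target type (shadow_t by default).

    In the login report the getty_t -> local_login_t process denials are the
    ones the reporter says noaudit rules normally hide; the shadow_t read is
    the denial that breaks the login, and it is what this filter surfaces."""
    return [
        (r["serial"], r.get("comm"), r["stype"], r["ttype"], r["tclass"], perm)
        for r in records
        if r["decision"] == "denied" and r["ttype"] in sensitive_types
        for perm in r["perms"]
    ]


def as_allow_rule(key):
    """Render a summary key as audit2allow would ('self' when source == target)."""
    stype, ttype, tclass, perm = key
    return "allow %s %s:%s %s;" % (stype, "self" if stype == ttype else ttype, tclass, perm)


# Sample input: the denial lines quoted in the two reports, plus one non-AVC line.
SAMPLE_LOG = """\
buildroot login: root
audit: type=1400 audit(1611839506.969:51): avc: denied { noatsecure } for pid=76 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839506.969:51): avc: denied { rlimitinh } for pid=76 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839506.969:51): avc: denied { siginh } for pid=76 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839507.069:52): avc: denied { read } for pid=76 comm="login" name="shadow" dev="vda" ino=88 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file permissive=0
type=AVC msg=audit(1571776002.581:399): avc: denied { chown } for pid=6225 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0
type=AVC msg=audit(1571776002.729:400): avc: denied { chown } for pid=6225 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0
"""

if __name__ == "__main__":
    recs = parse_avc_lines(SAMPLE_LOG)
    for key, n in sorted(denial_summary(recs).items()):
        print("%2d  %s" % (n, as_allow_rule(key)))
    for hit in flag_sensitive(recs):
        print("sensitive target:", hit)
```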
I installed the latest release version of the Refpolicy from the DownloadRelease page. And now I have problems using the userdom_unpriv_user_template macro. I made a module:
policy_module(userdom, 1.0.0)
userdom_unpriv_user_template(pluff)
And semodule -i userdom.pp
gives errors like:
Failed to resolve booleanif statement at ...
Failed to resolve typeattribute statement at ...
This happens because refpolicy doesn't declare the necessary attributes, types, and booleans. But why is this so? When I used the standard selinux policy this macro worked fine. What am I doing wrong?
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/ubac.te:2490:ERROR 'unrecognized protocol sctp' at token 'portcon' on line 28914:
portcon sctp 512-1023 system_u:object_r:hi_reserved_port_t
portcon sctp 1024-65535 system_u:object_r:unreserved_port_t
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1
wenhui@wenhui:~/Downloads$ uname -a
Linux wenhui 4.18.0 #1 SMP Sun Aug 25 22:09:08 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux
Hello,
When building refpolicy with Python 3.8, make conf fails with:
python3 -t -t -E -W error support/sedoctool.py -b policy/booleans.conf -m policy/modules.conf -x doc/policy.xml
File "support/sedoctool.py", line 269
if desc.data is not '':
^
SyntaxError: "is not" with a literal. Did you mean "!="?
make: *** [Makefile:403: conf.intermediate] Error 1
Could you please replace if desc.data is not '': with if desc.data != '': or if desc.data: in support/sedoctool.py?
With the introduction of systemd user support, access needs to be added to $1_systemd_t for various applications if we want these to be run and transitioned properly. Other applications normally run by users such as window managers may also require such access. Instead of adding calls to myapp_run() for each of these applications, I think an attribute for this kind of access may be more suitable.
Such an attribute, staff_app_runner_domain for example, would have all the necessary access granted by interface calls like chromium_run(), and all that would be needed to ensure some domain has the same access to run applications would be to associate the staff_app_runner_domain to it, such as staff_systemd_t. That way, any application that can normally be run by staff_t can also be run by staff_systemd_t. Of course, explicitly allowing access to staff_t or staff_systemd_t can be used where appropriate.
I feel that this also has the advantage of making local policy development significantly easier to do, as one would not need to call the appropriate interfaces for every application that staff_t
can normally run to whatever local policy module is being written. On the contrary, as pointed out in earlier discussion, this may overcomplicate refpolicy somewhat.
The current refpolicy CPE still points to tresys; however, this project moved over to selinuxproject. Please add an updated entry to nvm.nist.gov.
Currently, domain adds more permissions than are actually needed.
It would be nice to have a type (barebones_domain?) that includes exactly the permissions needed to run a program that does nothing, and no more. Similarly, there would be a barebones_daemon with the minimum permissions for a daemon that just immediately exits, and so on.
This would be useful for those who want a strict default-deny policy, since it ensures that access is not accidentally granted.
Is there a reason why tmp/all_interfaces.conf keeps the content of old builds?
Lines 139 to 145 in dd04789
In particular line 142 appends to the temporary file.
Allowing the following AVCs makes it work:
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability dac_override;
allow chrome_sandbox_t self:process setcap;
allow chrome_sandbox_t staff_t:file write;
#============= staff_t ==============
allow staff_t chrome_sandbox_t:process setsched;
Presumably similar rules would be needed for other user domains that can use rtkit.
Currently check_fc_files does not support the character @ in file contexts, like
/usr/lib/systemd/system/getty@\.service -- gen_context(system_u:object_r:getty_unit_t,s0)
# ./testing/check_fc_files.py
/root/workspace/selinux/selinux-policy-debian/policy/modules/system/getty.fc:8: unexpected characters @ in /usr/lib/systemd/system/getty@\.service
refpolicy/testing/check_fc_files.py
Line 155 in 0bfd138
@fishilico any reason not to support it?
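The kind of check the issue is about, written out as an added example for this page (it is a stand-alone re-implementation of a file-context linter, not refpolicy's testing/check_fc_files.py). Each .fc line is "path [-type] gen_context(user:role:type,level)" or "path [-type] <<none>>"; the path field is a regular expression, so regex metacharacters are accepted, and so is "@", which systemd template units such as getty@.service need. Anything outside that set (shell metacharacters, quotes, non-ASCII) is reported with its line number. The sample .fc text is constructed for the example and includes the getty@ line quoted above.

```python
"""Lint SELinux file-context (.fc) lines while accepting '@' in paths.

Added example for this page; a stand-alone re-implementation of the kind of
check refpolicy's testing/check_fc_files.py performs, not that script.
"""
import re

# Characters allowed in the path (regex) field: letters, digits, '/', '_',
# '-', '.', ':', ',', '+', '~', '%', '@' and the regex metacharacters, with
# backslash for escapes such as '\.' in getty@\.service.
PATH_CHARS = re.compile(r"^[A-Za-z0-9/_\-.:,+~%@*?|()\[\]{}^$\\]+$")
# File type flags accepted in the optional middle field.
FILE_TYPES = {"--", "-d", "-l", "-s", "-c", "-b", "-p"}
# gen_context(user:role:type) with an optional ",level" (s0 or an MLS range).
CONTEXT_RE = re.compile(
    r"^gen_context\([A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(,[A-Za-z0-9_\-.:]+)?\)$"
)


def check_fc_line(line, lineno=1):
    """Return a list of (lineno, message) problems for one .fc line; [] if clean."""
    problems = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return problems                      # blank lines and comments are fine
    parts = stripped.split()
    if len(parts) == 2:
        path, ftype, context = parts[0], None, parts[1]
    elif len(parts) == 3:
        path, ftype, context = parts
    else:
        return [(lineno, "expected 'path [-type] context', got %d fields" % len(parts))]
    if not PATH_CHARS.match(path):
        bad = sorted({c for c in path if not PATH_CHARS.match(c)})
        problems.append((lineno, "unexpected characters %s in %s" % (" ".join(bad), path)))
    if ftype is not None and ftype not in FILE_TYPES:
        problems.append((lineno, "unknown file type %s" % ftype))
    if context != "<<none>>" and not CONTEXT_RE.match(context):
        problems.append((lineno, "malformed context %s" % context))
    return problems


def check_fc_text(text):
    """Lint a whole .fc file's text, returning every problem found."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        problems.extend(check_fc_line(line, n))
    return problems


# Constructed sample: the getty@ line from the issue, an ordinary line, a
# <<none>> line, and two lines that must be rejected (';' in the path, and an
# unknown file type flag).
SAMPLE_FC = """\
# getty unit files
/usr/lib/systemd/system/getty@\\.service -- gen_context(system_u:object_r:getty_unit_t,s0)
/usr/sbin/agetty -- gen_context(system_u:object_r:getty_exec_t,s0)
/run/agetty\\.reload -- <<none>>
/usr/bin/evil;touch -- gen_context(system_u:object_r:bin_t,s0)
/usr/bin/foo -x gen_context(system_u:object_r:bin_t,s0)
"""

if __name__ == "__main__":
    for lineno, message in check_fc_text(SAMPLE_FC):
        print("sample.fc:%d: %s" % (lineno, message))
```

The allowed-character set is the whole policy here: widening it to admit "@" is a one-character change, and the linter still catches a stray ";" or an unknown type flag, which is the check worth keeping.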
Currently, ioctls are not whitelisted. Whitelisting them would significantly improve security.
Hi, I'm encountering errors in the lockdown subsystem where kmod_t and udev_t forbid the use of tracefs. I've been able to skate without rules allowing confidentiality for these types up until last kernel update (Arch hardened x64, 5.10.12) at which point I'm seeing log errors that look like this:
AVC avc: denied {confidentiality} for pid=325 comm=systemd-udevd lockdown reason="use of tracefs" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=lockdown permissive=0
Could not create tracefs "filter" entry Could not create tracefs "id" entry Could not create tracefs "enable" entry
These are showing up practically thousands of times and making it impossible to read the log when it's needed to diagnose problems (after kernel or application panic for instance). Masking tracefs, which one would think prevents it from loading thereby attempts made to use it, doesn't help. If this is the way it is for a reason, can someone please enlighten me as to why, and if not is there anything that can be done?
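When a denial repeats thousands of times, the practical first step is to collapse the log into one line per distinct denial before deciding what to allow or dontaudit. The following is an added example for this page, not code from refpolicy or the audit tooling: it parses the kernel "avc: denied" record format and the dbus USER_AVC wrapper (both shapes appear in issues on this page), groups records by source context, target context, object class and permission set, and counts them. The log text is constructed for the example, with the tracefs denial repeated to imitate the flood described above.

```python
"""Collapse a flood of SELinux AVC denials into one line per distinct denial.

Added example for this page; not code from refpolicy or audit2allow.
"""
import re
from collections import Counter

# Constructed sample in the shape of records quoted on this page: the tracefs
# lockdown denial three times, one acpid file getattr denial, and one dbus
# USER_AVC send_msg denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1612345678.001:101): avc: denied { confidentiality } for pid=325 comm="systemd-udevd" lockdown_reason="use of tracefs" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=lockdown permissive=0
type=AVC msg=audit(1612345678.002:102): avc: denied { confidentiality } for pid=325 comm="systemd-udevd" lockdown_reason="use of tracefs" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=lockdown permissive=0
type=AVC msg=audit(1612345678.003:103): avc: denied { confidentiality } for pid=325 comm="systemd-udevd" lockdown_reason="use of tracefs" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=lockdown permissive=0
type=AVC msg=audit(1598187082.086:163): avc: denied { getattr } for pid=583 comm="powerbtn-acpi-s" path="/usr/share/acpi-support/policy-funcs" dev="sda1" ino=2888143 scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1541681954.605:398): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.730 spid=1 tpid=5844 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webaccess_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# "avc: denied { perm ... } for key=value ..." up to end of line, or up to the
# closing quote of a USER_AVC msg='...' wrapper.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>[^']*)")
# key=value where the value is either "quoted" or a bare non-space token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("fields")):
        # \S+ never matches the empty string, so an empty 'bare' means the quoted form matched.
        fields[key] = bare if bare else quoted
    fields["perms"] = tuple(sorted(m.group("perms").split()))
    fields["record_type"] = "USER_AVC" if "type=USER_AVC" in line else "AVC"
    return fields


def denial_key(fields):
    """What makes two denials 'the same' for aggregation purposes."""
    return (fields.get("scontext", "?"), fields.get("tcontext", "?"),
            fields.get("tclass", "?"), fields["perms"])


def summarize(log_text):
    """Group denials and return rows sorted by count, most frequent first."""
    counts = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if fields is None:
            continue
        key = denial_key(fields)
        counts[key] += 1
        first_seen.setdefault(key, fields)      # keep one full record per group for context
    rows = []
    for key, n in counts.most_common():
        f = first_seen[key]
        rows.append({
            "count": n, "scontext": key[0], "tcontext": key[1], "tclass": key[2],
            "perms": key[3], "comm": f.get("comm", f.get("exe", "?")),
            "permissive": f.get("permissive", "?"),
        })
    return rows


def format_report(rows):
    """One human-readable line per distinct denial."""
    return ["%6d  %-36s -> %-48s %-9s { %s }  comm=%s" % (
        r["count"], r["scontext"], r["tcontext"], r["tclass"],
        " ".join(r["perms"]), r["comm"]) for r in rows]


if __name__ == "__main__":
    for line in format_report(summarize(SAMPLE_LOG)):
        print(line)
```

Grouping on (scontext, tcontext, tclass, perms) is the same shape audit2allow reduces records to, which makes the report a direct guide to which single rule or dontaudit would silence a whole group; the permissive field is kept so enforcing and permissive denials are not confused.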
XFixes 6.1, if accepted by upstream, will allow a client to cause the X Server to terminate. I currently intend to guard this by an x_server manage check, but it should really be x_server destroy. How can I handle this without breaking old policies?
Being able to write user crontabs is enough to execute code as that user.
Good day. I want to turn to the community with this problem: I have SUSE Linux desktop 15.1. I configured the SELinux refpolicy standard without UBAC, but I can't log in as user_u.
I did audit2allow several times, then I opened booleans, then I opened all the locks through "ausearch -m avc | grep permissive=0" and "semanage permissive -a system_tmpfiles_t".
At the moment, no locks show up anywhere. But when I turn on "setenforce 1" as root (sysadmin_r), I log out, and when I try to log in as the user (user_u), the screen locks and no errors are displayed. Please help with which direction to move in. What is the error search technique?
I'm building a monolithic refpolicy for an embedded device, and I would like to include an extra "local.te" generated from the AVCs via audit2allow:
cat /var/log/audit/audit.log | audit2allow >> local.te
How do I add it to my monolithic policy?
Thanks!
This is due to missing service start rules.
xterm has the context system_u:system_r:xdm_t; please tell me how to correctly change this context so that it works in the context of the user. 1. Create a module similar to terminal.te? 2. Through the chcon command? 3. Through the context of the executable files?
Earlier there was a policy/modules.conf file which could be used to prevent a module from being used. Now I don't find this file.
This file contains a listing of available modules, and how they will be used when building Reference Policy. To prevent a module from being used, set the module to "off". For monolithic policies, modules set to "base" and "module" will be included in the policy. For modular policies, modules set to "base" will be included in the base module; those set to "module" will be compiled as individual loadable modules.
StrongSwan supports switching users after startup. However, SELinux currently blocks this, as ipsec_mgmt_t is not allowed CAP_SETUID or CAP_SETGID.
Of course, running StrongSwan as an unprivileged user (with capabilities) would be preferable, but isn’t supported well.
Is there any way to completely disable booleans support in refpolicy?
Thanks.
I followed the wiki tutorial to create a custom tag, but the last tag used by the nginx process is init_t. Can you give me some advice?
It seems that this repository underwent a reconfiguration for the Travis checks and now there are two CI checks defined. Both are Travis CI, but one (the newer) is working while the other one (the older) does not. Should the continuous-integration/travis-ci check be decommissioned?
Hello,
Running make install-headers will always regenerate the interface templates:
Generating interface templates into tmp/iftemplates
It's a bit annoying, as you are usually running this target as root and you will end up with files owned by root in your build directory.
I have a Debian 10 libvirt/KVM host with a Debian 10 VM guest. If I run:
sudo virsh shutdown guest
...the guest does not shut down. If I disable dontaudits, I see this within the guest's logs:
type=AVC msg=audit(1598187082.086:163): avc: denied { getattr } for pid=583 comm="powerbtn-acpi-s" path="/usr/share/acpi-support/policy-funcs" dev="sda1" ino=2888143 scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Policy version on Debian/stable is:
ii selinux-policy-default 2:2.20190201-2 all Strict and Targeted variants of the SELinux policy
Originally reported to Red Hat since it was seen on modern Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1647920
Seems to be a general refpolicy issue though.
The basic issue is that a domain with unconfined_domain(my_domain_t) will be allowed to send messages over dbus without issue. However, the responses will often be rejected because there is no rule allowing the other domain to send_msg to my_domain_t.
Example AVC where thinlinc_webaccess_t is unconfined:
type=USER_AVC msg=audit(1541681954.605:398): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.730 spid=1 tpid=5844 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webaccess_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
It looks like this bug was fixed here:
TresysTechnology/refpolicy-contrib@6bef7a1
But then reverted because of security issues here:
TresysTechnology/refpolicy-contrib@bc14741
Does anyone have any reference for those security problems?
If unconfined domains cannot use dbus by default, then this should be clearly documented for unconfined_domain(), and there should be some information on how to enable dbus for such domains. Explicitly listing every other domain (or using equivalent macros such as init_dbus_chat()) defeats the whole purpose of unconfined_domain().
What risk am I taking by adding this and allowing full dbus communication to my domain:
allow { dbusd_session_bus_client dbusd_system_bus_client } thinlinc_webaccess_t:dbus send_msg;
Hello,
The udev module still references udev_tbl_t as being stored in /dev, but these days it's located in /run. That prevents some applications (like pcscd) from working properly.
Red Hat went the way of removing the udev_tbl_t type completely, see fedora-selinux/selinux-policy@382acd84f3
Would that be the road to go as well?
There are multiple places where a pipe is now used with m4. As per #389 (comment), intermediates are preferred.
After my test makefiles below, I think there should be either no shell pipes at all (or at least none that can possibly fail), or there should be .SHELLFLAGS := -c -o pipefail. Otherwise failures can be hidden.
$ cat testmake
a: m4exit.m4
	m4 $^ | sed -e s/1/2/
b: m4exit.m4
	m4 $^ > tmp1
	sed -e s/1/2/ tmp1
m4exit.m4:
	echo "m4exit(\`1')" > $@
$ cat testmake-pipefail
.SHELLFLAGS := -c -o pipefail
a: m4exit.m4
	m4 $^ | sed -e s/1/2/
b: m4exit.m4
	m4 $^ > tmp1
	sed -e s/1/2/ tmp1
m4exit.m4:
	echo "m4exit(\`1')" > $@
Now, without -o pipefail, using a pipe does not fail:
$ make -f testmake -k a b
m4 m4exit.m4 | sed -e s/1/2/
m4 m4exit.m4 > tmp1
make: *** [testmake:6: b] Error 1
With -o pipefail, both examples fail as expected:
$ make -f testmake-pipefail -k a b
m4 m4exit.m4 | sed -e s/1/2/
make: *** [testmake-pipefail:4: a] Error 1
m4 m4exit.m4 > tmp1
make: *** [testmake-pipefail:6: b] Error 1
There are multiple cases where a pipe is used. Regarding m4, at least these:
Line 379 in 6c2f4bf
Line 388 in 6c2f4bf
Line 482 in 6c2f4bf
Line 498 in 6c2f4bf
Line 107 in 6c2f4bf
Line 111 in 6c2f4bf
Line 253 in 6c2f4bf
refpolicy/support/Makefile.devel
Line 180 in 6c2f4bf
Other substantial cases:
Line 508 in 6c2f4bf
Line 165 in 6c2f4bf
I introduced this issue at #389.
But now I think it should have its own issue, and maybe a patch set if it is deemed something to be acted upon, as this has to do mostly with correctness and minimally with speedup.
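The mechanism behind the two test makefiles above, as an added example for this page (it is not code from refpolicy's Makefiles). A two-stage pipeline whose first stage writes output and then exits 1, like m4exit(`1'), is evaluated three ways: the last stage's status only (what a POSIX shell, and therefore a make recipe, reports without pipefail), the rightmost non-zero status (what bash -o pipefail reports), and the intermediate-file form the issue prefers, where each stage is its own command and the producer's failure stops the recipe. The producer and filter stages are constructed stand-ins for m4 and sed, run through the Python interpreter so the example needs neither tool.

```python
"""Why "m4 ... | sed ..." in a make recipe can hide a failing m4.

Added example for this page; not code from refpolicy's build system.
"""
import os
import subprocess
import sys
import tempfile

# Constructed stages: a producer that emits "1" and then fails, like
# m4exit(`1'), and a filter that plays sed -e s/1/2/.
FAILING_PRODUCER = [sys.executable, "-c",
                    "import sys; sys.stdout.write('1\\n'); sys.exit(1)"]
FILTER = [sys.executable, "-c",
          "import sys; sys.stdout.write(sys.stdin.read().replace('1', '2'))"]


def pipeline_statuses(producer, consumer):
    """Run producer | consumer; return ([producer_status, consumer_status], output)."""
    p1 = subprocess.Popen(producer, stdout=subprocess.PIPE)
    p2 = subprocess.Popen(consumer, stdin=p1.stdout, stdout=subprocess.PIPE)
    p1.stdout.close()            # so the consumer sees EOF once the producer exits
    out, _ = p2.communicate()
    p1.wait()
    return [p1.returncode, p2.returncode], out.decode()


def status_without_pipefail(statuses):
    """POSIX shell semantics: a pipeline's status is its last command's status."""
    return statuses[-1]


def status_with_pipefail(statuses):
    """bash -o pipefail: the rightmost non-zero status, or 0 if every stage succeeded."""
    failed = [s for s in statuses if s != 0]
    return failed[-1] if failed else 0


def run_with_intermediate(producer, consumer, tmp_path):
    """Intermediate-file form: a failing producer stops the recipe before the consumer runs."""
    with open(tmp_path, "wb") as f:
        r1 = subprocess.run(producer, stdout=f)
    if r1.returncode != 0:
        return r1.returncode, ""
    with open(tmp_path, "rb") as f:
        r2 = subprocess.run(consumer, stdin=f, stdout=subprocess.PIPE)
    return r2.returncode, r2.stdout.decode()


def demo():
    """Return the status each approach reports for the failing producer."""
    statuses, pipe_out = pipeline_statuses(FAILING_PRODUCER, FILTER)
    fd, tmp = tempfile.mkstemp(prefix="m4out-")
    os.close(fd)
    try:
        inter_status, inter_out = run_with_intermediate(FAILING_PRODUCER, FILTER, tmp)
    finally:
        os.unlink(tmp)
    return {
        "stages": statuses,                              # [1, 0]: producer failed, filter succeeded
        "plain_pipe": status_without_pipefail(statuses), # 0: the failure is hidden
        "pipefail": status_with_pipefail(statuses),      # 1: reported
        "intermediate": inter_status,                    # 1: reported, filter never ran
        "pipe_output": pipe_out,
        "intermediate_output": inter_out,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %r" % (name, value))
```

The "plain_pipe" result is the dangerous one for a policy build: the recipe succeeds, the target is considered up to date, and whatever partial output m4 managed to emit before failing is what gets compiled.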
Currently, there is no good way for third-party domains to log users in with pam_selinux.so.
Attempting to load the policy with systemd on Gentoo results in errors, failing to generate the binary policy file.
Conflicting type rules (scontext=dbadm_t tcontext=mysqld_initrc_exec_t tclass=process result=run_init_t), existing=initrc_t
The following shows the specific build configs:
diff --git a/build.conf b/build.conf
index a2f1a9b5..1e6a61c8 100644
--- a/build.conf
+++ b/build.conf
@@ -20,3 +20,3 @@ TYPE = standard
# used for the name.
-NAME = refpolicy
+NAME = systemdg
@@ -29,3 +29,3 @@ NAME = refpolicy
# Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = gentoo
@@ -44,3 +44,3 @@ UNK_PERMS = deny
# not work in conditional policy.
-DIRECT_INITRC = n
+DIRECT_INITRC = y
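Review bot: DIRECT_INITRC = y is the setting to revisit first for the conflicting type rule quoted above (scontext=dbadm_t tcontext=mysqld_initrc_exec_t: result=run_init_t versus existing=initrc_t). DIRECT_INITRC makes administrative roles transition straight to initrc_t when executing init-script entrypoints, which appears to collide with a rule that still transitions dbadm_t on the same mysqld_initrc_exec_t entrypoint to run_init_t, and the build.conf comment kept as context in this hunk ("not work in conditional policy") already flags the option as fragile. Suggest rebuilding with DIRECT_INITRC = n alongside SYSTEMD = y and confirming the duplicate-transition error disappears before changing anything else.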
@@ -48,3 +48,3 @@ DIRECT_INITRC = n
# Setting this will configure systemd as the init system.
-SYSTEMD = n
+SYSTEMD = y
diff --git a/config/local.users b/config/local.users
index 3f5dd1f5..94ea215b 100644
--- a/config/local.users
+++ b/config/local.users
@@ -18,2 +18,3 @@
# user jadmin roles { staff_r sysadm_r };
+user ilmostro roles { staff_r sysadm_r };
There are multiple statements referring to initrc_t in the init_systemd block that only handles init_t. Are these meant to be for init_t, or should they be moved to the initrc_t section?
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L327
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L334
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L373