commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Thu Sep 28 13:55:56 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Oct 6 15:30:52 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d
mon.te patches as well as some fstools patches related to it (#697) * Patches for mon, mostly mon local monitoring. Also added the fsdaemon_read_lib() interface and fstools patch because it also uses fsdaemon_read_lib() and it's called by monitoring scripts Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Added the files_dontaudit_tmpfs_file_getattr() and storage_dev_filetrans_fixed_disk_control() interfaces needed Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Fixed the issues from the review Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Specify name to avoid conflicting file trans Signed-off-by: Russell Coker <russell <AT> coker.com.au> * fixed dontaudi_ typo Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Remove fsdaemon_read_lib as it was already merged Signed-off-by: Russell Coker <russell <AT> coker.com.au> --------- Signed-off-by: Russell Coker <russell <AT> coker.com.au> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/kernel/files.if | 18 ++++++++++++++++++ policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/storage.if | 7 ++++++- policy/modules/services/mon.te | 30 ++++++++++++++++++++++++++---- policy/modules/services/smartmon.te | 2 +- policy/modules/system/fstools.te | 17 +++++++++++++++++ policy/modules/system/init.te | 2 +- policy/modules/system/lvm.te | 2 +- policy/modules/system/raid.te | 2 +- 9 files changed, 72 insertions(+), 10 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7c..591aa64d6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
 typeattribute $1 tmpfsfile;
 ')
 
+########################################
+## <summary>
+## dontaudit getattr on tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not have stat on tmpfs files audited
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ dontaudit $1 tmpfsfile:file getattr;
+')
+
 ########################################
 ## <summary>
 ## Get the attributes of all directories.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e9..8156ac087 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
- storage_dev_filetrans_fixed_disk(kernel_t)
+ storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
 storage_setattr_fixed_disk_dev(kernel_t)
 storage_create_fixed_disk_dev(kernel_t)
 storage_delete_fixed_disk_dev(kernel_t)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a910..777caea69 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ## Domain allowed access.
 ## </summary>
 ## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
 ## <param name="filename" optional="true">
 ## <summary>
 ## Optional filename of the block device to be created
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
 type fixed_disk_device_t;
 ')
 
- dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+ dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
 
 ########################################
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a349871..bbf0496b3 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
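Review bot: The new interface's summary `dontaudit getattr on tmpfs files` and its parameter summary `Domain to not have stat on tmpfs files audited` do not follow the sentence form the surrounding files.if documentation uses (the next interface's `Get the attributes of all directories.` is visible as context), where dontaudit interfaces are described as "Do not audit attempts to ...". I would change the two lines to `## Do not audit attempts to get the attributes of all tmpfs files.` and `## Domain to not audit.`. The commit message still refers to the interface as files_dontaudit_tmpfs_file_getattr(), so the message is stale on the final name.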
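Review bot: The filename parameter's summary, visible as the last context line of the first storage.if hunk, still reads `Optional filename of the block device to be created`, but with the new mandatory `object_class` parameter the node may also be a chr_file (the fstools.te hunk in this commit passes `chr_file, "megaraid_sas_ioctl_node"`). I would change it to `## Optional filename of the device node to be created` and give the new parameter a concrete example, e.g. `## The class of the object to be created (blk_file or chr_file).`. Making `$2` mandatory also means any caller outside this tree that still passes one argument hands an empty class to `dev_filetrans`, which is a build failure rather than a silent change; the in-tree callers are updated here, but that is worth stating in the interface summary, which sits above the second hunk.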
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
 
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
 
@@ -104,6 +103,11 @@ optional_policy(`
 mta_send_mail(mon_t)
 ')
 
+optional_policy(`
+ # for config of xmpp sending program
+ xdg_read_config_files(mon_t)
+')
+
 ########################################
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
 mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+ snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -161,9 +169,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for reading /proc/1/maps etc
-allow mon_local_test_t self:capability { sys_ptrace sys_admin };
+allow mon_local_test_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
-allow mon_local_test_t self:process getsched;
+allow mon_local_test_t self:process { getsched sigkill sigstop signal };
+allow mon_local_test_t self:cap_userns sys_ptrace;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -184,8 +193,10 @@ dev_getattr_sysfs(mon_local_test_t)
 dev_read_urand(mon_local_test_t)
 dev_read_sysfs(mon_local_test_t)
 
+domain_getattr_all_domains(mon_local_test_t)
 domain_read_all_domains_state(mon_local_test_t)
 
+files_dontaudit_getattr_all_tmpfs_files(mon_local_test_t)
 files_read_usr_files(mon_local_test_t)
 files_search_mnt(mon_local_test_t)
 files_search_spool(mon_local_test_t)
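Review bot: The replacement line `allow mon_t self:process { setrlimit getsched signal };` drops the only explanation of why mon_t needs setrlimit, the removed `# for mailxmpp.alert to set ulimit`, and adds getsched and signal with no reason of their own. Keep the comment above the new line and extend it, e.g. `# setrlimit for mailxmpp.alert to set ulimit; getsched/signal for <alert program> — confirm`, so the next reviewer can tell which alert script drives each permission.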
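Review bot: The capability line grows from `{ sys_ptrace sys_admin }` to `{ dac_override dac_read_search setgid setuid sys_ptrace sys_admin }`, but the only comment above it, `# sys_ptrace is for reading /proc/1/maps etc`, explains none of the new capabilities, and the new `allow mon_local_test_t self:cap_userns sys_ptrace;` is equally unexplained. For read access dac_override is a superset of dac_read_search, so if the local monitors only need to read root-only files, `dac_read_search` alone is the narrower grant and dac_override should be dropped unless a denial for it was actually observed; setuid and setgid let the test scripts change credentials and deserve their own justification. I would add one comment per group, e.g. `# dac_read_search for <monitor> to read root-only files; setuid/setgid for <monitor> — confirm`.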
@@ -194,9 +205,18 @@ files_list_boot(mon_local_test_t)
 fs_search_auto_mountpoints(mon_local_test_t)
 fs_getattr_nfs(mon_local_test_t)
 fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_cgroup_dirs(mon_local_test_t)
 fs_list_hugetlbfs(mon_local_test_t)
 fs_list_tmpfs(mon_local_test_t)
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
 fs_search_nfs(mon_local_test_t)
+fstools_domtrans(mon_local_test_t)
+
+# for selinux.monitor
+selinux_get_enforce_mode(mon_local_test_t)
+selinux_getattr_fs(mon_local_test_t)
+seutil_search_default_contexts(mon_local_test_t)
 
 storage_getattr_fixed_disk_dev(mon_local_test_t)
 storage_getattr_removable_dev(mon_local_test_t)
@@ -208,12 +228,14 @@ application_exec_all(mon_local_test_t)
 
 auth_use_nsswitch(mon_local_test_t)
 
+fsdaemon_read_lib(mon_local_test_t)
 init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
 miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
 
+storage_raw_read_fixed_disk(mon_local_test_t)
 sysnet_read_config(mon_local_test_t)
 
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index b21fab5fb..32c80f712 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -108,7 +108,7 @@ tunable_policy(`smartmon_3ware',`
 storage_create_fixed_disk_dev(fsdaemon_t)
 storage_delete_fixed_disk_dev(fsdaemon_t)
 
- storage_dev_filetrans_fixed_disk(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t, blk_file)
 
 selinux_validate_context(fsdaemon_t)
 
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 0e3a98967..b2d22e90a 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
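Review bot: `fstools_domtrans(mon_local_test_t)` is added without saying which local monitor launches fsadm_t tools, while the neighbouring additions carry `# for selinux.monitor`. Because fsadm_t holds raw read and write to fixed disks and the sys_rawio capability (both visible as context in the fstools.te hunks below), a transition from the monitoring test domain into it is the most privileged change in this file and the reason should be recorded, e.g. `# for <monitor name>, which runs fsadm_t tools — confirm`. It is also worth confirming from the denial that a domain transition, rather than running the tool in mon_local_test_t, is what the monitor needs.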
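Review bot: `fsdaemon_read_lib(mon_local_test_t)` is called outside an `optional_policy(` ... `)` block, in the run of unconditional system-layer calls (auth_, init_, logging_, miscfiles_, sysnet_), whereas the same interface is wrapped in optional_policy in the fstools.te hunk of this commit. fsdaemon_read_lib comes from the smartmon services module, so as written mon.te should fail to build whenever smartmon is not built; wrap it as `optional_policy(`` / `	fsdaemon_read_lib(mon_local_test_t)` / `')` and move it down to the optional block region of the file. `storage_raw_read_fixed_disk(mon_local_test_t)` also arrives without a comment; raw read of every fixed disk device is a significant grant for monitoring scripts, and a one-line note naming the monitor that needs it (presumably a disk health check) would help.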
@@ -34,6 +34,7 @@ ifdef(`distro_gentoo',`
 
 # ipc_lock is for losetup
 allow fsadm_t self:capability { dac_override dac_read_search ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit fsadm_t self:capability net_admin;
 allow fsadm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execstack setkeycreate setsockcreate getrlimit };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_fifo_file_perms;
@@ -123,6 +124,8 @@ files_manage_lost_found(fsadm_t)
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
 
+fs_getattr_cgroup(fsadm_t)
+fs_getattr_dos_fs(fsadm_t)
 fs_rw_all_image_files(fsadm_t)
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
@@ -135,6 +138,8 @@ fs_list_auto_mountpoints(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
+# for fstrim
+files_manage_boot_dirs(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
@@ -145,6 +150,8 @@ mls_file_write_all_levels(fsadm_t)
 
 selinux_getattr_fs(fsadm_t)
 
+storage_dev_filetrans_fixed_disk(fsadm_t, chr_file, "megaraid_sas_ioctl_node")
+storage_manage_fixed_disk(fsadm_t)
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
@@ -157,6 +164,8 @@ term_use_console(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
+# for systemd-fsckd to access /proc/1/environ
+init_read_state(fsadm_t)
 init_rw_script_stream_sockets(fsadm_t)
 
 logging_send_syslog_msg(fsadm_t)
@@ -199,6 +208,10 @@ optional_policy(`
 devicekit_append_inherited_log_files(fsadm_t)
 ')
 
+optional_policy(`
+ fsdaemon_read_lib(fsadm_t)
+')
+
 optional_policy(`
 livecd_rw_tmp_files(fsadm_t)
 ')
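Review bot: `files_manage_boot_dirs(fsadm_t)` under `# for fstrim` grants create, delete and rename on /boot directories, which is more than fstrim needs: the FITRIM ioctl is issued on an open directory fd of the mountpoint, and that is covered by the getattr/search/open/read/ioctl set that `files_list_boot` grants (an interface this commit already uses in the mon.te hunk above). Unless the denial showed a write permission, I would change the line to `files_list_boot(fsadm_t)`; confirm against the AVC that motivated it.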
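Review bot: `storage_dev_filetrans_fixed_disk(fsadm_t, chr_file, "megaraid_sas_ioctl_node")` labels a character device as fixed_disk_device_t, and the next line, `storage_manage_fixed_disk(fsadm_t)`, grants create, delete and setattr on every fixed_disk_device_t node in /dev, yet neither line has a comment. If the goal is only to let the RAID management utility create its ioctl node, the narrower interfaces the kernel.te hunk of this commit uses (`storage_create_fixed_disk_dev`, `storage_delete_fixed_disk_dev`, `storage_setattr_fixed_disk_dev`) express that intent more precisely than the full manage set. Either way a comment such as `# <RAID management tool> creates /dev/megaraid_sas_ioctl_node — confirm tool name` belongs above the filetrans.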
@@ -212,6 +225,10 @@ optional_policy(`
 munin_rw_tcp_sockets(fsadm_t)
 ')
 
+optional_policy(`
+ mon_dontaudit_use_fds(fsadm_t)
+')
+
 optional_policy(`
 nis_use_ypbind(fsadm_t)
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 713558ad2..457fac072 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1043,7 +1043,7 @@ ifdef(`distro_redhat',`
 fs_manage_tmpfs_files(initrc_t)
 
 storage_manage_fixed_disk(initrc_t)
- storage_dev_filetrans_fixed_disk(initrc_t)
+ storage_dev_filetrans_fixed_disk(initrc_t, blk_file)
 storage_getattr_removable_dev(initrc_t)
 
 # readahead asks for these
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f82dd8f8b..82c4844d0 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -190,7 +190,7 @@ storage_dontaudit_read_removable_device(lvm_t)
 # LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
 # and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
 # cjp: needs to create an interface here for fixed disk create
-storage_dev_filetrans_fixed_disk(lvm_t)
+storage_dev_filetrans_fixed_disk(lvm_t, blk_file)
 # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
 storage_manage_fixed_disk(lvm_t)
 
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index e10e31850..907facf8d 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -73,7 +73,7 @@ fs_dontaudit_list_tmpfs(mdadm_t)
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
 
-storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t, blk_file)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)