From 3cf4d89db3171671a05868dd5ecaf933c49fcaa4 Mon Sep 17 00:00:00 2001
From: Russell Coker
Date: Thu, 28 Sep 2023 23:55:56 +1000
Subject: mon.te patches as well as some fstools patches related to it (#697)
* Patches for mon, mostly mon local monitoring. Also added the fsdaemon_read_lib() interface and fstools patch because it also uses fsdaemon_read_lib() and it's called by monitoring scripts
Signed-off-by: Russell Coker
* Added the files_dontaudit_tmpfs_file_getattr() and storage_dev_filetrans_fixed_disk_control() interfaces needed
Signed-off-by: Russell Coker
* Fixed the issues from the review
Signed-off-by: Russell Coker
* Specify name to avoid conflicting file trans
Signed-off-by: Russell Coker
* fixed dontaudi_ typo
Signed-off-by: Russell Coker
* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class
Signed-off-by: Russell Coker
* Remove fsdaemon_read_lib as it was already merged
Signed-off-by: Russell Coker
---------
Signed-off-by: Russell Coker
Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/files.if | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/kernel/storage.if | 7 ++++++-
 policy/modules/services/mon.te | 30 ++++++++++++++++++++++++++----
 policy/modules/services/smartmon.te | 2 +-
 policy/modules/system/fstools.te | 17 +++++++++++++++++
 policy/modules/system/init.te | 2 +-
 policy/modules/system/lvm.te | 2 +-
 policy/modules/system/raid.te | 2 +-
 9 files changed, 72 insertions(+), 10 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7..591aa64d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
 typeattribute $1 tmpfsfile;
 ')
+########################################
+##
+## dontaudit getattr on tmpfs files
+##
+##
+##
+## Domain to not have stat on tmpfs files audited
+##
+##
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ dontaudit $1 tmpfsfile:file getattr;
+')
+
 ########################################
 ##
 ## Get the attributes of all directories.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e..8156ac08 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
 ')
 optional_policy(`
- storage_dev_filetrans_fixed_disk(kernel_t)
+ storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
 storage_setattr_fixed_disk_dev(kernel_t)
 storage_create_fixed_disk_dev(kernel_t)
 storage_delete_fixed_disk_dev(kernel_t)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a91..777caea6 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ## Domain allowed access.
 ##
 ##
+##
+##
+## The class of the object to be created.
+##
+##
 ##
 ##
 ## Optional filename of the block device to be created
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
 type fixed_disk_device_t;
 ')
- dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+ dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
 ########################################
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a34987..bbf0496b 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
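Review bot: The documentation for the third parameter still reads `Optional filename of the block device to be created`, which no longer matches the interface now that the class is caller-supplied (the fstools.te hunk in this same commit passes `chr_file`); suggest `##	Optional filename of the device node to be created`. Because the new class parameter is mandatory with no default, any caller outside this tree that still passes a single argument will presumably expand to a `dev_filetrans` with an empty class and fail at policy build time; a one-line note in the interface summary stating that the class is required would make that deliberate break visible to downstream policy maintainers. The interface body that consumes `$2`/`$3` is in the following hunk.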
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
@@ -104,6 +103,11 @@ optional_policy(`
 mta_send_mail(mon_t)
 ')
+optional_policy(`
+ # for config of xmpp sending program
+ xdg_read_config_files(mon_t)
+')
+
 ########################################
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
 mysql_stream_connect(mon_net_test_t)
 ')
+optional_policy(`
+ snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -161,9 +169,10 @@ optional_policy(`
 #
 # sys_ptrace is for reading /proc/1/maps etc
-allow mon_local_test_t self:capability { sys_ptrace sys_admin };
+allow mon_local_test_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
-allow mon_local_test_t self:process getsched;
+allow mon_local_test_t self:process { getsched sigkill sigstop signal };
+allow mon_local_test_t self:cap_userns sys_ptrace;
 can_exec(mon_local_test_t, mon_local_test_exec_t)
@@ -184,8 +193,10 @@ dev_getattr_sysfs(mon_local_test_t)
 dev_read_urand(mon_local_test_t)
 dev_read_sysfs(mon_local_test_t)
+domain_getattr_all_domains(mon_local_test_t)
 domain_read_all_domains_state(mon_local_test_t)
+files_dontaudit_getattr_all_tmpfs_files(mon_local_test_t)
 files_read_usr_files(mon_local_test_t)
 files_search_mnt(mon_local_test_t)
 files_search_spool(mon_local_test_t)
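Review bot: The comment `# for mailxmpp.alert to set ulimit` that justified `setrlimit` is removed while the permission stays and `getsched signal` are added, so the new line ends up less documented than the one it replaces. Suggest keeping and extending it, e.g. `# setrlimit for mailxmpp.alert to set ulimit; getsched/signal for <the alert or monitor that needs them>`, filling in whichever script produced the denials. Both additions are on `self` only, so the privilege change itself is small; the point is purely that the rationale should stay next to the rule.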
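Review bot: `xdg_read_config_files(mon_t)` is justified only as `# for config of xmpp sending program`, which does not say whose XDG config directory the daemon is expected to read; if that interface covers user home `.config` trees (I cannot confirm its scope from this hunk), a system daemon gains read access to every user's application configuration for the sake of one alert script. Please name the path in the comment, e.g. `# mailxmpp.alert reads ~mon/.config/<program> (xdg_config_t) for its XMPP account settings`, and if the config can live under mon's own etc or lib directory instead, that would avoid the home-directory read entirely.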
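Review bot: The capability set for `mon_local_test_t` grows from `{ sys_ptrace sys_admin }` to also include `dac_override dac_read_search setgid setuid`, yet the only comment above the line still explains just `sys_ptrace`. `dac_override` and `dac_read_search` let every local monitoring script bypass file-mode checks and `setuid`/`setgid` let it change identity, so this is a material change to what an arbitrary test under this domain can reach; it may be needed by a monitor that inspects other users' files, but that should be recorded, e.g. `# dac_override/dac_read_search for monitors that stat files owned by other users; setuid/setgid for <monitor>`. The new `self:cap_userns sys_ptrace` likewise deserves a word on which monitor enters a user namespace — if none does, the existing `capability sys_ptrace` already covers host-side `/proc` reads. If only one or two monitors need these, wrapping them in a `tunable_policy` block keeps the default domain tighter.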
@@ -194,9 +205,18 @@ files_list_boot(mon_local_test_t)
 fs_search_auto_mountpoints(mon_local_test_t)
 fs_getattr_nfs(mon_local_test_t)
 fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_cgroup_dirs(mon_local_test_t)
 fs_list_hugetlbfs(mon_local_test_t)
 fs_list_tmpfs(mon_local_test_t)
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
 fs_search_nfs(mon_local_test_t)
+fstools_domtrans(mon_local_test_t)
+
+# for selinux.monitor
+selinux_get_enforce_mode(mon_local_test_t)
+selinux_getattr_fs(mon_local_test_t)
+seutil_search_default_contexts(mon_local_test_t)
 storage_getattr_fixed_disk_dev(mon_local_test_t)
 storage_getattr_removable_dev(mon_local_test_t)
@@ -208,12 +228,14 @@ application_exec_all(mon_local_test_t)
 auth_use_nsswitch(mon_local_test_t)
+fsdaemon_read_lib(mon_local_test_t)
 init_getattr_initctl(mon_local_test_t)
 logging_send_syslog_msg(mon_local_test_t)
 miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
+storage_raw_read_fixed_disk(mon_local_test_t)
 sysnet_read_config(mon_local_test_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index b21fab5f..32c80f71 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -108,7 +108,7 @@ tunable_policy(`smartmon_3ware',`
 storage_create_fixed_disk_dev(fsdaemon_t)
 storage_delete_fixed_disk_dev(fsdaemon_t)
- storage_dev_filetrans_fixed_disk(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t, blk_file)
 selinux_validate_context(fsdaemon_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 0e3a9896..b2d22e90 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
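Review bot: `fstools_domtrans(mon_local_test_t)` lets every mon local test transition into `fsadm_t`, a domain that in this same patch gains `storage_manage_fixed_disk` and already has raw read and write on fixed disks, but unlike the `# for selinux.monitor` lines right after it the line carries no comment naming the monitor that runs an fstools binary. Please add one, e.g. `# <monitor> runs <tool> (transitions to fsadm_t)`, naming whatever script produced the denial. If only a disk-health monitor needs this, `tunable_policy(`mon_local_test_fstools', `fstools_domtrans(mon_local_test_t)')` with the matching `gen_tunable` declared at the top of mon.te (outside this hunk) would keep the write-capable path off by default. This line is also what makes the new `mon_dontaudit_use_fds(fsadm_t)` in fstools.te necessary; a cross-reference in the comment would help the next reader.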
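Review bot: `storage_raw_read_fixed_disk(mon_local_test_t)` grants raw read of every `fixed_disk_device_t` block device to all local monitoring scripts, which bypasses both DAC and per-file SELinux labels for anything stored on those disks, and the line has no comment saying which monitor needs device-level access. If it is for SMART or RAID state, say so, e.g. `# <monitor> reads raw fixed disks for SMART/RAID status`, and check whether the narrower `storage_getattr_fixed_disk_dev` already in the previous hunk, or `fsdaemon_read_lib` added just above (smartd's own state files), would satisfy the script instead. Gating the raw read behind a tunable, as smartmon.te does for `smartmon_3ware`, would keep the default monitoring domain without raw-disk read.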
@@ -34,6 +34,7 @@ ifdef(`distro_gentoo',`
 # ipc_lock is for losetup
 allow fsadm_t self:capability { dac_override dac_read_search ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit fsadm_t self:capability net_admin;
 allow fsadm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execstack setkeycreate setsockcreate getrlimit };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_fifo_file_perms;
@@ -123,6 +124,8 @@ files_manage_lost_found(fsadm_t)
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
+fs_getattr_cgroup(fsadm_t)
+fs_getattr_dos_fs(fsadm_t)
 fs_rw_all_image_files(fsadm_t)
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
@@ -135,6 +138,8 @@ fs_list_auto_mountpoints(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
+# for fstrim
+files_manage_boot_dirs(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
@@ -145,6 +150,8 @@ mls_file_write_all_levels(fsadm_t)
 selinux_getattr_fs(fsadm_t)
+storage_dev_filetrans_fixed_disk(fsadm_t, chr_file, "megaraid_sas_ioctl_node")
+storage_manage_fixed_disk(fsadm_t)
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
@@ -157,6 +164,8 @@ term_use_console(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
+# for systemd-fsckd to access /proc/1/environ
+init_read_state(fsadm_t)
 init_rw_script_stream_sockets(fsadm_t)
 logging_send_syslog_msg(fsadm_t)
@@ -199,6 +208,10 @@ optional_policy(`
 devicekit_append_inherited_log_files(fsadm_t)
 ')
+optional_policy(`
+ fsdaemon_read_lib(fsadm_t)
+')
+
 optional_policy(`
 livecd_rw_tmp_files(fsadm_t)
 ')
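Review bot: `files_manage_boot_dirs(fsadm_t)`, commented `# for fstrim`, appears broader than the operation it is justified by: fstrim opens the mount point read-only and issues the FITRIM ioctl on that directory, which is list/read/ioctl on the directory rather than creating, renaming or removing directories under /boot. Unless the audit denials actually showed `create`/`rmdir`, `files_list_boot(fsadm_t)` (or whichever read/ioctl interface the denial named) should satisfy fstrim without letting every filesystem tool restructure /boot. Keep the comment either way so the rationale stays next to the rule.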
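Review bot: The two new storage lines in the `@@ -145` hunk have no comment, and `storage_manage_fixed_disk(fsadm_t)` is not bounded by the `"megaraid_sas_ioctl_node"` name given to the filetrans next to it — the name only fixes the label of that one new node, while the manage interface covers every `fixed_disk_device_t` node under /dev. If the goal is just the MegaRAID management node that storcli/MegaCli create on first use (inferred from the name, please confirm), the `storage_create_fixed_disk_dev` plus `storage_delete_fixed_disk_dev` pair already used for `fsdaemon_t` in smartmon.te would be the narrower grant, and a comment such as `# storcli/MegaCli create /dev/megaraid_sas_ioctl_node on first use` should accompany whichever is kept.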
@@ -212,6 +225,10 @@ optional_policy(`
 munin_rw_tcp_sockets(fsadm_t)
 ')
+optional_policy(`
+ mon_dontaudit_use_fds(fsadm_t)
+')
+
 optional_policy(`
 nis_use_ypbind(fsadm_t)
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 713558ad..457fac07 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1043,7 +1043,7 @@ ifdef(`distro_redhat',`
 fs_manage_tmpfs_files(initrc_t)
 storage_manage_fixed_disk(initrc_t)
- storage_dev_filetrans_fixed_disk(initrc_t)
+ storage_dev_filetrans_fixed_disk(initrc_t, blk_file)
 storage_getattr_removable_dev(initrc_t)
 # readahead asks for these
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f82dd8f8..82c4844d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -190,7 +190,7 @@ storage_dontaudit_read_removable_device(lvm_t)
 # LVM(2) needs to create directories (/dev/mapper, /dev/)
 # and links from /dev/ to /dev/mapper/-
 # cjp: needs to create an interface here for fixed disk create
-storage_dev_filetrans_fixed_disk(lvm_t)
+storage_dev_filetrans_fixed_disk(lvm_t, blk_file)
 # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
 storage_manage_fixed_disk(lvm_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index e10e3185..907facf8 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -73,7 +73,7 @@ fs_dontaudit_list_tmpfs(mdadm_t)
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
-storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t, blk_file)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)
--
cgit v1.2.3-65-gdbad