Merge pull request #776 from pebenito/sechecker

Add initial sechecker configuration for CI.

.github/workflows/tests.yml

@@ -3,29 +3,35 @@ name: Build tests
 on: [push, pull_request]
 
 env:
-  # Minimum userspace version to build refpolicy.
-  SELINUX_USERSPACE_VERSION: checkpolicy-3.1
+  # Minimum versions to build refpolicy.
+  PYTHON_VERSION: "3.10"
+  SELINUX_USERSPACE_VERSION: checkpolicy-3.2
+  USERSPACE_SRC: "selinux-src"
+  # branch for sechecker
+  SECHECKER_VERSION: "4.4"
+  SETOOLS_SRC: "setools-src"
 
 jobs:
   lint:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     # This version should be the minimum required to run the fc checker
+    # or the standard Python version on Ubuntu.
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
-        python-version: 3.7
+        python-version: "${{env.PYTHON_VERSION}}"
 
     - name: Install dependencies
       run: |
         sudo apt-get update -q
         sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev
 
     - name: Checkout SELint
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         repository: SELinuxProject/selint
         ref: 'v1.5.0'
@@ -55,7 +61,7 @@ jobs:
         selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
 
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     strategy:
       fail-fast: false
@@ -118,13 +124,29 @@ jobs:
           - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
 
     steps:
-    - uses: actions/checkout@v3
+    - name: Checkout Reference Policy
+      uses: actions/checkout@v4
+
+    - name: Checkout SELinux userspace tools and libs
+      uses: actions/checkout@v4
+      with:
+        repository: SELinuxProject/selinux
+        ref: "${{env.SELINUX_USERSPACE_VERSION}}"
+        path: "${{env.USERSPACE_SRC}}"
+
+    - name: Checkout setools
+      uses: actions/checkout@v4
+      with:
+        repository: SELinuxProject/setools
+        ref: "${{env.SECHECKER_VERSION}}"
+        path: "${{env.SETOOLS_SRC}}"
 
     # This should be the minimum required Python version to build refpolicy.
+    # or the standard Python version on Ubuntu.
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
-        python-version: 3.5
+        python-version: "${{env.PYTHON_VERSION}}"
 
     - name: Install dependencies
       run: |
@@ -143,7 +165,6 @@ jobs:
       run: |
         echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
         echo "PYTHON=python" >> $GITHUB_ENV
-        echo "TEST_TOOLCHAIN_SRC=/tmp/selinux-src" >> $GITHUB_ENV
         echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
         echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
         echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
@@ -152,21 +173,25 @@ jobs:
         echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
         echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
         echo "WERROR=y" >> $GITHUB_ENV
+        echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV
 
     - name: Build toolchain
       run: |
-        # Download current SELinux userspace tools and libraries
-        git clone https://github.com/SELinuxProject/selinux.git ${TEST_TOOLCHAIN_SRC} -b ${SELINUX_USERSPACE_VERSION}
         # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
-        sed -i -e 's/secilc//' ${TEST_TOOLCHAIN_SRC}/Makefile
+        sed -i -e 's/secilc//' ${USERSPACE_SRC}/Makefile
         # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
-        sed -i -e 's/sepolicy//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+        sed -i -e 's/sepolicy//' ${USERSPACE_SRC}/policycoreutils/Makefile
         # Drop restorecond to break glib dependence
-        sed -i -e 's/ restorecond//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+        sed -i -e 's/ restorecond//' ${USERSPACE_SRC}/policycoreutils/Makefile
         # Drop sandbox to break libcap-ng dependence
-        sed -i -e 's/ sandbox//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+        sed -i -e 's/ sandbox//' ${USERSPACE_SRC}/policycoreutils/Makefile
         # Compile and install SELinux toolchain
-        make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${TEST_TOOLCHAIN_SRC} install
+        make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${USERSPACE_SRC} install
+
+    - name: Build setools
+      run: |
+        cd ${SETOOLS_SRC}
+        pip install .
 
     - name: Build refpolicy
       run: |
@@ -191,3 +216,14 @@ jobs:
         make install-docs
         make install-udica-templates
         make install-appconfig
+
+    # This skips some combinations to keep GitHub actions runtime lower by
+    # eliminating duplicate analyses.
+    - name: Validate security goals
+      run: |
+        if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ $APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then
+            policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename)
+            sechecker testing/sechecker.ini "${policy_file}"
+        else
+            echo "Skipped"
+        fi

policy/modules/admin/brctl.te

@@ -43,5 +43,4 @@ miscfiles_read_localization(brctl_t)
 
 optional_policy(`
 	xen_append_log(brctl_t)
-	xen_dontaudit_rw_unix_stream_sockets(brctl_t)
 ')

policy/modules/admin/consoletype.te

@@ -109,6 +109,4 @@ optional_policy(`
 	kernel_read_xen_state(consoletype_t)
 	kernel_write_xen_state(consoletype_t)
 	xen_append_log(consoletype_t)
-	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
-	xen_dontaudit_use_fds(consoletype_t)
 ')

policy/modules/admin/sblim.te

@@ -106,7 +106,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	xen_stream_connect(sblim_gatherd_t)
 	xen_stream_connect_xenstore(sblim_gatherd_t)
 ')
 

policy/modules/apps/uml.if

@@ -45,8 +45,8 @@ template(`uml_role',`
 	ps_process_pattern($3, uml_t)
 	allow $3 uml_t:process { ptrace signal_perms };
 
-	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
+	allow $2 { uml_ro_t uml_rw_t uml_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 	allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 	allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 	allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };

policy/modules/services/certbot.te

@@ -54,10 +54,6 @@ files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })
 manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
 fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
 
-# this is for certbot to have write-exec memory, I know it is bad
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544
-# the Debian bug report has background about python-acme and python3-openssl
-allow certbot_t self:process execmem;
 allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;

policy/modules/services/cockpit.if

@@ -46,7 +46,7 @@
 template(`cockpit_role_template',`
 
 	type $1_cockpit_tmpfs_t;
-	files_runtime_file($1_cockpit_tmpfs_t)
+	files_tmpfs_file($1_cockpit_tmpfs_t)
 	dev_filetrans($2, $1_cockpit_tmpfs_t, file)
 
 	allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };

policy/modules/services/cron.te

@@ -91,7 +91,6 @@ files_type(system_cron_spool_t)
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
@@ -459,6 +458,7 @@ allow system_cronjob_t cron_runtime_t:file manage_file_perms;
 files_runtime_filetrans(system_cronjob_t, cron_runtime_t, file)
 
 manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
 
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
 allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;

policy/modules/services/cups.fc

@@ -29,9 +29,6 @@
 /usr/bin/hpijs	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 
 /usr/Brother/fax/.*\.log.*	gen_context(system_u:object_r:cupsd_log_t,s0)
 /usr/Brother/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -55,9 +52,6 @@
 /usr/sbin/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/sbin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 
 /usr/share/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -80,7 +74,5 @@
 /run/cups(/.*)?	gen_context(system_u:object_r:cupsd_runtime_t,s0)
 /run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_runtime_t,s0)
 /run/hp.*\.port	--	gen_context(system_u:object_r:hplip_runtime_t,s0)
-/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_runtime_t,s0)
-/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_runtime_t,s0)
 /run/udev-configure-printer(/.*)?	gen_context(system_u:object_r:cupsd_config_runtime_t,s0)
 /var/turboprint(/.*)?	gen_context(system_u:object_r:cupsd_runtime_t,s0)

policy/modules/services/cups.if

@@ -271,26 +271,6 @@ interface(`cups_write_log',`
 	allow $1 cupsd_log_t:file write_file_perms;
 ')
 
-########################################
-## <summary>
-##	Connect to ptal over an unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_stream_connect_ptal',`
-	gen_require(`
-		type ptal_t, ptal_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, ptal_runtime_t, ptal_runtime_t, ptal_t)
-')
-
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of cupsd.
@@ -354,21 +334,21 @@ interface(`cups_admin',`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
 		type cupsd_etc_t, cupsd_log_t;
 		type cupsd_config_runtime_t, cupsd_lpd_runtime_t;
-		type cupsd_runtime_t, ptal_etc_t, cupsd_rw_etc_t;
-		type ptal_runtime_t, hplip_runtime_t, cupsd_initrc_exec_t;
+		type cupsd_runtime_t, cupsd_rw_etc_t;
+		type hplip_runtime_t, cupsd_initrc_exec_t;
 		type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
-		type hplip_t, ptal_t;
+		type hplip_t;
 	')
 
 	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
-	allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+	allow $1 { cups_pdf_t hplip_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
-	ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+	ps_process_pattern($1, { cups_pdf_t hplip_t })
 
 	init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t)
 
 	files_list_etc($1)
-	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
+	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t })
 
 	logging_list_logs($1)
 	admin_pattern($1, cupsd_log_t)
@@ -380,5 +360,5 @@ interface(`cups_admin',`
 
 	files_list_runtime($1)
 	admin_pattern($1, { cupsd_config_runtime_t cupsd_runtime_t hplip_runtime_t })
-	admin_pattern($1, { ptal_runtime_t cupsd_lpd_runtime_t })
+	admin_pattern($1, cupsd_lpd_runtime_t)
 ')

policy/modules/services/cups.te

@@ -86,16 +86,6 @@ files_tmp_file(hplip_tmp_t)
 type hplip_var_lib_t;
 files_type(hplip_var_lib_t)
 
-type ptal_t;
-type ptal_exec_t;
-init_daemon_domain(ptal_t, ptal_exec_t)
-
-type ptal_etc_t;
-files_config_file(ptal_etc_t)
-
-type ptal_runtime_t alias ptal_var_run_t;
-files_runtime_file(ptal_runtime_t)
-
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
 ')
@@ -161,9 +151,6 @@ allow cupsd_t hplip_runtime_t:file read_file_perms;
 read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
 read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
 
-stream_connect_pattern(cupsd_t, ptal_runtime_t, ptal_runtime_t, ptal_t)
-allow cupsd_t ptal_runtime_t:sock_file setattr_sock_file_perms;
-
 can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
 
 kernel_read_system_state(cupsd_t)
@@ -695,63 +682,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_runtime_files(hplip_t)
 ')
-
-########################################
-#
-# PTAL local policy
-#
-
-allow ptal_t self:capability { chown sys_rawio };
-dontaudit ptal_t self:capability sys_tty_config;
-allow ptal_t self:fifo_file rw_fifo_file_perms;
-allow ptal_t self:unix_stream_socket { accept listen };
-allow ptal_t self:tcp_socket create_stream_socket_perms;
-
-allow ptal_t ptal_etc_t:dir list_dir_perms;
-read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
-read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
-
-manage_dirs_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_lnk_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_fifo_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_sock_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-files_runtime_filetrans(ptal_t, ptal_runtime_t, { dir file lnk_file sock_file fifo_file })
-
-kernel_read_kernel_sysctls(ptal_t)
-kernel_list_proc(ptal_t)
-kernel_read_proc_symlinks(ptal_t)
-
-corenet_all_recvfrom_netlabel(ptal_t)
-corenet_tcp_sendrecv_generic_if(ptal_t)
-corenet_tcp_sendrecv_generic_node(ptal_t)
-corenet_tcp_bind_generic_node(ptal_t)
-
-corenet_sendrecv_ptal_server_packets(ptal_t)
-corenet_tcp_bind_ptal_port(ptal_t)
-
-dev_read_sysfs(ptal_t)
-dev_read_usbfs(ptal_t)
-dev_rw_printer(ptal_t)
-
-domain_use_interactive_fds(ptal_t)
-
-files_read_etc_files(ptal_t)
-files_read_etc_runtime_files(ptal_t)
-
-fs_getattr_all_fs(ptal_t)
-fs_search_auto_mountpoints(ptal_t)
-
-logging_send_syslog_msg(ptal_t)
-
-miscfiles_read_localization(ptal_t)
-
-sysnet_read_config(ptal_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-userdom_dontaudit_search_user_home_content(ptal_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(ptal_t)
-')
-

policy/modules/services/docker.te

@@ -21,7 +21,7 @@ mls_trusted_object(dockerd_t)
 
 type dockerc_t;
 type dockerc_exec_t;
-container_engine_executable_file(dockerc_t)
+container_engine_executable_file(dockerc_exec_t)
 application_domain(dockerc_t, dockerc_exec_t)
 
 container_engine_domain_template(dockerd_user)