Merge pull request #778 from 0xC0ncord/various-20240506

Various fixes
SELinuxProject · May 13, 2024 · af26e63 · af26e63
2 parents eefc22e + 27602a9
commit af26e63
Show file tree

Hide file tree

Showing 22 changed files with 184 additions and 7 deletions.
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
@@ -225,6 +225,10 @@ ifdef(`init_systemd',`
 	fs_getattr_cgroup(bootloader_t)
 	init_read_state(bootloader_t)
 	init_rw_inherited_stream_socket(bootloader_t)
+
+	# for systemd-boot-update to manage EFI binaries
+	domain_obj_id_change_exemption(bootloader_t)
+	files_mmap_read_boot_files(bootloader_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
@@ -2897,6 +2897,25 @@ interface(`dev_delete_lvm_control_dev',`
 	delete_chr_files_pattern($1, device_t, lvm_control_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and write the
+##	Intel Management Engine Interface device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_mei',`
+	gen_require(`
+		type mei_device_t;
+	')
+
+	dontaudit $1 mei_device_t:chr_file rw_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	dontaudit getattr raw memory devices (e.g. /dev/mem).

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
@@ -2588,6 +2588,25 @@ interface(`files_read_boot_files',`
 	read_files_pattern($1, boot_t, boot_t)
 ')
 
+########################################
+## <summary>
+##	Read and memory map files in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_mmap_read_boot_files',`
+	gen_require(`
+		type boot_t;
+	')
+
+	mmap_read_files_pattern($1, boot_t, boot_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files

diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
@@ -110,6 +110,7 @@ corenet_udp_bind_sip_port(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
+corenet_udp_bind_all_unreserved_ports(asterisk_t)
 corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 
 corenet_sendrecv_jabber_client_client_packets(asterisk_t)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
@@ -876,6 +876,24 @@ interface(`container_signal_all_containers',`
 	allow $1 container_domain:process signal_perms;
 ')
 
+########################################
+## <summary>
+##	Send signals to a system container.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_signal_system_containers',`
+	gen_require(`
+		attribute container_system_domain;
+	')
+
+	allow $1 container_system_domain:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Create objects in /dev with an automatic
@@ -1324,6 +1342,24 @@ interface(`container_manage_files',`
 	manage_files_pattern($1, container_file_t, container_file_t)
 ')
 
+########################################
+## <summary>
+##	IOCTL container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_ioctl_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:file ioctl;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to relabel

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
@@ -286,7 +286,7 @@ corenet_port(container_port_t)
 dontaudit container_domain self:capability fsetid;
 dontaudit container_domain self:capability2 block_suspend;
 allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid };
-allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms };
+allow container_domain self:process { execstack execmem getattr getcap getsched getsession setsched setcap setpgid signal_perms };
 allow container_domain self:dir rw_dir_perms;
 allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;
@@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, container_var_lib_t, container
 filetrans_pattern(container_engine_system_domain, container_var_lib_t, container_file_t, dir, "volumes")
 
 allow container_engine_system_domain container_runtime_t:dir { manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_runtime_t:file { manage_file_perms relabel_file_perms watch };
+allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms relabel_file_perms watch };
 allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
@@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms;
 allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
+allow spc_t self:netlink_tcpdiag_socket nlmsg_read;
 allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow spc_t self:perf_event { cpu kernel open read };
 

diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te
@@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t)
 
 container_kill_all_containers(crio_conmon_t)
 container_read_all_container_state(crio_conmon_t)
+container_signal_system_containers(crio_conmon_t)
 
 # for kubernetes debug pods
 container_use_container_ptys(crio_conmon_t)

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
@@ -321,6 +321,10 @@ optional_policy(`
 	postfix_search_spool(dovecot_auth_t)
 ')
 
+optional_policy(`
+	sasl_read_keytab(dovecot_auth_t)
+')
+
 optional_policy(`
         postgresql_unpriv_client(dovecot_auth_t)
 

diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
@@ -62,6 +62,7 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
+kernel_read_net_sysctls(fail2ban_t)
 kernel_read_system_state(fail2ban_t)
 kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
@@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t)
 container_manage_log_dirs(kubelet_t)
 container_manage_log_files(kubelet_t)
 container_manage_log_symlinks(kubelet_t)
+container_watch_log_dirs(kubelet_t)
 container_watch_log_files(kubelet_t)
 container_log_filetrans(kubelet_t, { dir file })
 
@@ -617,6 +618,10 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
 
+dontaudit kubectl_t self:capability { sys_admin sys_resource };
+
+kernel_dontaudit_getattr_proc(kubectl_t)
+
 auth_use_nsswitch(kubectl_t)
 
 # not required, but convenient for using config commands

diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
@@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true)
 ## </desc>
 gen_tunable(matrix_postgresql_connect, false)
 
+## <desc>
+##  <p>
+##  Determine whether Matrixd is allowed to bind all
+##  TCP ports. This is intended for more complex Matrix
+##	server configurations (e.g. Synapse workers) and may
+##	be used in lieu of manually labeling each port.
+##  </p>
+## </desc>
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false)
+
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
@@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',`
 	postgresql_tcp_connect(matrixd_t)
 ')
 
+tunable_policy(`matrix_bind_all_unreserved_tcp_ports',`
+	corenet_tcp_bind_all_unreserved_ports(matrixd_t)
+')
+
 optional_policy(`
 	apache_search_config(matrixd_t)
 ')
- 
+
diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
@@ -39,6 +39,12 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
 
 allow podman_t podman_conmon_t:process setsched;
 
+kernel_rw_vm_overcommit_sysctl(podman_t)
+
+init_use_fds(podman_t)
+init_setattr_stream_sockets(podman_t)
+init_stream_connect(podman_t)
+
 # for --network=host
 selinux_getattr_dirs(podman_t)
 selinux_mounton_dirs(podman_t)
@@ -67,8 +73,10 @@ podman_spec_rangetrans_conmon(podman_t, s0)
 ifdef(`init_systemd',`
 	init_dbus_chat(podman_t)
 	init_setsched(podman_t)
+	init_get_system_status(podman_t)
 	init_start_system(podman_t)
 	init_stop_system(podman_t)
+	init_reload(podman_t)
 
 	# containers get created as systemd transient units
 	init_get_transient_units_status(podman_t)
@@ -114,7 +122,7 @@ kernel_read_sysctl(podman_user_t)
 
 logging_send_syslog_msg(podman_user_t)
 
-init_write_runtime_socket(podman_user_t)
+init_stream_connect(podman_user_t)
 
 mount_exec(podman_user_t)
 
@@ -191,16 +199,20 @@ ifdef(`init_systemd',`
 # podman conmon local policy
 #
 
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
 dontaudit podman_conmon_t self:capability net_admin;
 
 podman_domtrans(podman_conmon_t)
 
 init_rw_inherited_stream_socket(podman_conmon_t)
 init_use_fds(podman_conmon_t)
 
+container_signal_system_containers(podman_conmon_t)
+
 container_read_system_container_state(podman_conmon_t)
 
+container_ioctl_files(podman_conmon_t)
+
 container_manage_runtime_files(podman_conmon_t)
 container_manage_runtime_fifo_files(podman_conmon_t)
 container_manage_runtime_sock_files(podman_conmon_t)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
@@ -18,6 +18,13 @@ gen_require(`
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow postgresql to map memory regions as both executable and writable (e.g. for JIT).
+## </p>
+## </desc>
+gen_tunable(psql_allow_execmem, false)
+
 ## <desc>
 ## <p>
 ## Allow unprived users to execute DDL statement
@@ -363,7 +370,7 @@ optional_policy(`
 	mta_getattr_spool(postgresql_t)
 ')
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`allow_execmem || psql_allow_execmem',`
 	allow postgresql_t self:process execmem;
 ')
 

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
@@ -535,6 +535,25 @@ interface(`ssh_signull',`
 	allow $1 sshd_t:process signull;
 ')
 
+########################################
+## <summary>
+##	Use PIDFD file descriptors from the
+##	ssh server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_use_sshd_pidfds',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Read a ssh server unnamed pipe.

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
@@ -91,6 +91,9 @@ interface(`auth_use_pam_systemd',`
 	systemd_connect_machined($1)
 	systemd_dbus_chat_logind($1)
 	systemd_read_logind_state($1)
+
+	# to read /etc/machine-id
+	files_read_etc_runtime_files($1)
 ')
 
 ########################################

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
@@ -142,6 +142,7 @@ term_dontaudit_use_all_ptys(chkpwd_t)
 
 auth_read_shadow_history(chkpwd_t)
 auth_use_nsswitch(chkpwd_t)
+auth_use_pam_systemd(chkpwd_t)
 
 logging_send_audit_msgs(chkpwd_t)
 logging_send_syslog_msg(chkpwd_t)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
@@ -1163,6 +1163,26 @@ interface(`init_rw_stream_sockets',`
 	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to set the
+##	attributes of init's unix domain stream
+##	sockets.
+##	</summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_setattr_stream_sockets',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket setattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search init keys.

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -630,6 +630,10 @@ ifdef(`init_systemd',`
 		fs_rw_rpc_named_pipes(initrc_t)
 	')
 
+	optional_policy(`
+		ssh_use_sshd_pidfds(init_t)
+	')
+
 	optional_policy(`
 		# for systemd --user:
 		unconfined_search_keys(init_t)

diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
@@ -28,7 +28,7 @@ init_unit_file(mdadm_unit_t)
 #
 
 allow mdadm_t self:capability { dac_override ipc_lock sys_admin };
-dontaudit mdadm_t self:capability sys_tty_config;
+dontaudit mdadm_t self:capability { net_admin sys_tty_config };
 dontaudit mdadm_t self:cap_userns sys_ptrace;
 allow mdadm_t self:process { getsched setsched signal_perms };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -53,6 +53,7 @@ corecmd_exec_shell(mdadm_t)
 dev_rw_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_rw_mei(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 # create links in /dev/md
 dev_create_generic_symlinks(mdadm_t)