From ddc6ac493cef7bb64c3d1904b2c660f61b931f59 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 15:53:46 -0400 Subject: [PATCH 01/14] init: allow systemd to use sshd pidfds Without this, a lengthy 2 minute delay can be observed SSHing into a system while pam_systemd tries to create a login session. May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out type=AVC msg=audit(1715019897.540:13855): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1 Signed-off-by: Kenton Groombridge --- policy/modules/services/ssh.if | 19 +++++++++++++++++++ policy/modules/system/init.te | 4 ++++ 2 files changed, 23 insertions(+) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index dcbabf6b0a..4b5fd5d33f 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -535,6 +535,25 @@ interface(`ssh_signull',` allow $1 sshd_t:process signull; ') +######################################## +## +## Use PIDFD file descriptors from the +## ssh server. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_use_sshd_pidfds',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:fd use; +') + ######################################## ## ## Read a ssh server unnamed pipe. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 8090198739..bc3a34d989 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -630,6 +630,10 @@ ifdef(`init_systemd',` fs_rw_rpc_named_pipes(initrc_t) ') + optional_policy(` + ssh_use_sshd_pidfds(init_t) + ') + optional_policy(` # for systemd --user: unconfined_search_keys(init_t) From cd781e783e8523331d69dca2cbcea4e46e058690 Mon Sep 17 00:00:00 2001 
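Review bot: The new `ssh_use_sshd_pidfds` interface in ssh.if grants `allow $1 sshd_t:fd use;`, which covers every file descriptor sshd_t owns, not only pidfds — the fd class has no per-descriptor-type granularity, so the interface name and summary understate what the caller receives. Suggest the summary read `## Use file descriptors (such as pidfds) from the ssh server.` so that callers like the init.te hunk in this patch know the real scope. The call site in init.te would also benefit from the reason being recorded in-tree, e.g. `# pam_systemd session setup; see pidfd AVC in commit message`.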
From: Kenton Groombridge Date: Mon, 6 May 2024 15:58:20 -0400 Subject: [PATCH 02/14] fail2ban: allow reading net sysctls type=AVC msg=audit(1696613589.191:194926): avc: denied { search } for pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 Signed-off-by: Kenton Groombridge --- policy/modules/services/fail2ban.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te index b85cb04294..954dd4dc64 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -62,6 +62,7 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t) manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t) files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file) +kernel_read_net_sysctls(fail2ban_t) kernel_read_system_state(fail2ban_t) kernel_read_vm_overcommit_sysctl(fail2ban_t) kernel_search_fs_sysctls(fail2ban_t) From 03711caea1172b5931f5409d93e9ea95bc7d836d Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 15:59:55 -0400 Subject: [PATCH 03/14] dovecot: allow dovecot-auth to read SASL keytab Signed-off-by: Kenton Groombridge --- policy/modules/services/dovecot.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 11ffbb1772..9372198311 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -321,6 +321,10 @@ optional_policy(` postfix_search_spool(dovecot_auth_t) ') +optional_policy(` + sasl_read_keytab(dovecot_auth_t) +') + optional_policy(` postgresql_unpriv_client(dovecot_auth_t) From ef28f7879aa2b56e5fda476f5ccfec4dd465ff8e Mon Sep 17 00:00:00 2001 
From: Kenton Groombridge Date: Mon, 6 May 2024 16:03:10 -0400 Subject: [PATCH 04/14] userdom: allow users to read user home dir symlinks This is to support user home directories primarily living in another directory with a symlink in /home that points to it. Signed-off-by: Kenton Groombridge --- policy/modules/system/userdomain.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 8987fd4e09..658ffee07b 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -318,6 +318,7 @@ interface(`userdom_ro_home_role',` # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; allow $2 user_home_t:dir list_dir_perms; allow $2 user_home_t:file entrypoint; read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) @@ -394,6 +395,8 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; + # full control of the home directory allow $2 user_home_t:file entrypoint; manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) From 3bad3696b8a16f1dc20726064cf585f491a7624b Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 16:14:04 -0400 Subject: [PATCH 05/14] postgres: add a standalone execmem tunable Add a separate tunable to allow Postgres to use execmem. This is to support JIT in the Postgres server without enabling it for the entire system. Signed-off-by: Kenton Groombridge --- policy/modules/services/postgresql.te | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 810fb0ed4d..7eec1b6651 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -18,6 +18,13 @@ gen_require(` # Declarations # +## +##

+## Allow postgresql to map memory regions as both executable and writable (e.g. for JIT).
+##

+##
+gen_tunable(psql_allow_execmem, false)
+
 ##
 ##

## Allow unprived users to execute DDL statement @@ -363,7 +370,7 @@ optional_policy(` mta_getattr_spool(postgresql_t) ') -tunable_policy(`allow_execmem',` +tunable_policy(`allow_execmem || psql_allow_execmem',` allow postgresql_t self:process execmem; ') From ddf395d5d40a021a69c2fbd6bf68566c031ee75b Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 16:21:13 -0400 Subject: [PATCH 06/14] asterisk: allow binding to all unreserved UDP ports This is for RTP streaming. Signed-off-by: Kenton Groombridge --- policy/modules/services/asterisk.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te index 0c2f9a42d8..3cf98e59da 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -110,6 +110,7 @@ corenet_udp_bind_sip_port(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) corenet_tcp_bind_generic_port(asterisk_t) corenet_udp_bind_generic_port(asterisk_t) +corenet_udp_bind_all_unreserved_ports(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_jabber_client_client_packets(asterisk_t) From 3dba91dd48427cc45d316f58d21d73ee8daf000d Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 16:31:46 -0400 Subject: [PATCH 07/14] bootloader: allow systemd-boot to manage EFI binaries systemd-boot's bootctl utility is used to install and update its EFI binaries in the EFI partition. If it is mounted with boot_t, bootctl needs to be able to manage boot_t files. Signed-off-by: Kenton Groombridge --- policy/modules/admin/bootloader.te | 4 ++++ policy/modules/kernel/files.if | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 84b243c0ce..5a7e1cd4da 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te 
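Review bot: In the asterisk.te hunk, `corenet_udp_bind_all_unreserved_ports(asterisk_t)` is granted unconditionally and without a comment, whereas the matrixd patch later in this series gates the equivalent TCP grant behind a tunable; the two should probably follow the same approach. At minimum the reason from the commit message belongs on the line, e.g. `# for RTP streaming`, and if the deployment pins the RTP range in asterisk's configuration a tunable or a labeled port range would keep asterisk_t from binding arbitrary unreserved UDP ports by default. The following `corenet_dontaudit_udp_bind_all_ports(asterisk_t)` line still matters for reserved ports after this change, so it should stay.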
@@ -225,6 +225,10 @@ ifdef(`init_systemd',` fs_getattr_cgroup(bootloader_t) init_read_state(bootloader_t) init_rw_inherited_stream_socket(bootloader_t) + + # for systemd-boot-update to manage EFI binaries + domain_obj_id_change_exemption(bootloader_t) + files_mmap_read_boot_files(bootloader_t) ') optional_policy(` diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 472b5bb385..d83107e3cd 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2588,6 +2588,25 @@ interface(`files_read_boot_files',` read_files_pattern($1, boot_t, boot_t) ') +######################################## +##
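Review bot: The added comment `# for systemd-boot-update to manage EFI binaries` does not explain why `domain_obj_id_change_exemption(bootloader_t)` is needed; that exemption lifts the constraint on creating objects whose SELinux user differs from the process's, which is considerably broader than the read-and-mmap grant on the next line. The commit message says bootctl must manage boot_t files, yet this hunk only adds `files_mmap_read_boot_files(bootloader_t)`; if the manage rules already exist outside the hunk, the comment could point at them, otherwise the message overstates the change. Suggest a separate comment on the exemption line recording the denial that motivated it, e.g. `# obj id change exemption: <reason from AVC, to be confirmed>`. The enclosing `ifdef(`init_systemd',`` block starts before the hunk.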

+## Read and memory map files in the /boot directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_mmap_read_boot_files',` + gen_require(` + type boot_t; + ') + + mmap_read_files_pattern($1, boot_t, boot_t) +') + ######################################## ## ## Create, read, write, and delete files From d917092a81e177f633f237ab3752054205ebbbe1 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 16:33:13 -0400 Subject: [PATCH 08/14] matrixd: add tunable for binding to all unreserved ports This is to support using Synapse workers which require binding to multiple TCP ports in lieu of manually labeling unreserved ports for use. Signed-off-by: Kenton Groombridge --- policy/modules/services/matrixd.te | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te index c396a3d7cc..5f092f31cb 100644 --- a/policy/modules/services/matrixd.te +++ b/policy/modules/services/matrixd.te @@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true) ## gen_tunable(matrix_postgresql_connect, false) +## +##

+## Determine whether Matrixd is allowed to bind all
+## TCP ports. This is intended for more complex Matrix
+## server configurations (e.g. Synapse workers) and may
+## be used in lieu of manually labeling each port.
+##

+##
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false) + type matrixd_t; type matrixd_exec_t; init_daemon_domain(matrixd_t, matrixd_exec_t) @@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',` postgresql_tcp_connect(matrixd_t) ') +tunable_policy(`matrix_bind_all_unreserved_tcp_ports',` + corenet_tcp_bind_all_unreserved_ports(matrixd_t) +') + optional_policy(` apache_search_config(matrixd_t) ') - + From 7876e515103f9e13b861132bb26c72e0a2821159 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 16:38:43 -0400 Subject: [PATCH 09/14] container: allow system container engines to mmap runtime files Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 096d6c23d4..9699ac36db 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, container_var_lib_t, container filetrans_pattern(container_engine_system_domain, container_var_lib_t, container_file_t, dir, "volumes") allow container_engine_system_domain container_runtime_t:dir { manage_dir_perms relabel_dir_perms watch }; -allow container_engine_system_domain container_runtime_t:file { manage_file_perms relabel_file_perms watch }; +allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms relabel_file_perms watch }; allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; From 472e0442e7683c7badf1dc2a324bec15820ac9fa Mon Sep 17 00:00:00 2001 
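Review bot: The tunable description in the first matrixd.te hunk says Matrixd may "bind all TCP ports", but the tunable is named `matrix_bind_all_unreserved_tcp_ports` and the rule in the second hunk is `corenet_tcp_bind_all_unreserved_ports(matrixd_t)`, so only unreserved ports are granted. Suggest `## Determine whether Matrixd is allowed to bind all` / `## unreserved TCP ports. This is intended for more complex Matrix` so the generated documentation matches the scope. The trailing `-`/`+` pair at the end of the second hunk looks like a whitespace-only change and could be left out of this patch.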
From: Kenton Groombridge Date: Mon, 6 May 2024 16:39:41 -0400 Subject: [PATCH 10/14] container: allow containers to getcap Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 9699ac36db..68aa97ae5c 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -286,7 +286,7 @@ corenet_port(container_port_t) dontaudit container_domain self:capability fsetid; dontaudit container_domain self:capability2 block_suspend; allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid }; -allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms }; +allow container_domain self:process { execstack execmem getattr getcap getsched getsession setsched setcap setpgid signal_perms }; allow container_domain self:dir rw_dir_perms; allow container_domain self:file create_file_perms; allow container_domain self:fifo_file manage_fifo_file_perms; From ef5954a0e9249c814ba84d1f2891212fd3457b52 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 16:41:28 -0400 Subject: [PATCH 11/14] systemd: allow systemd-sysctl to search tmpfs Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index aa9198591b..623556ff43 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1725,6 +1725,7 @@ files_read_etc_files(systemd_sysctl_t) fs_getattr_all_fs(systemd_sysctl_t) fs_search_cgroup_dirs(systemd_sysctl_t) fs_search_ramfs(systemd_sysctl_t) +fs_search_tmpfs(systemd_sysctl_t) systemd_log_parse_environment(systemd_sysctl_t) From 11e729e273027a2b01ebbeea2b2f7bca32691e74 Mon Sep 17 00:00:00 2001 
From: Kenton Groombridge Date: Mon, 6 May 2024 17:03:59 -0400 Subject: [PATCH 12/14] container, podman: various fixes Various fixes for containers and podman, mostly centered around quadlet and netavark updates. One particular change which may stand out is allowing podman_conmon_t to IOCTL container_file_t files. I wish I could know why this was hit, but I don't. The relevant AVC is: type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762 type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" 
a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-command-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null) type=AVC msg=audit(1704734027.100:15951872): avc: denied { ioctl } for pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 
Signed-off-by: Kenton Groombridge --- policy/modules/services/container.if | 36 ++++++++++++++++++++++++++++ policy/modules/services/podman.te | 16 +++++++++++-- policy/modules/system/init.if | 20 ++++++++++++++++ 3 files changed, 70 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index 268ebec46f..009fffc4a4 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -876,6 +876,24 @@ interface(`container_signal_all_containers',` allow $1 container_domain:process signal_perms; ') +######################################## +## +## Send signals to a system container. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_signal_system_containers',` + gen_require(` + attribute container_system_domain; + ') + + allow $1 container_system_domain:process signal; +') + ######################################## ## ## Create objects in /dev with an automatic @@ -1324,6 +1342,24 @@ interface(`container_manage_files',` manage_files_pattern($1, container_file_t, container_file_t) ') +######################################## +## +## IOCTL container files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_ioctl_files',` + gen_require(` + type container_file_t; + ') + + allow $1 container_file_t:file ioctl; +') + ######################################## ## ## Do not audit attempts to relabel diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te index d929bb2535..78f8fc086a 100644 --- a/policy/modules/services/podman.te +++ b/policy/modules/services/podman.te 
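Review bot: `container_signal_system_containers` in the first container.if hunk grants only `signal` on container_system_domain:process, while its summary says "Send signals to a system container" and the sibling `container_signal_all_containers` directly above grants `signal_perms`; refpolicy documents the narrower permission as generic signals, so suggest `## Send generic signals to system containers.` to distinguish the two. In the second hunk, `container_ioctl_files` is fine as written, but its summary could name the object class it covers, e.g. `## Do ioctls on container files (file class only).`.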
@@ -39,6 +39,12 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t) allow podman_t podman_conmon_t:process setsched; +kernel_rw_vm_overcommit_sysctl(podman_t) + +init_use_fds(podman_t) +init_setattr_stream_sockets(podman_t) +init_stream_connect(podman_t) + # for --network=host selinux_getattr_dirs(podman_t) selinux_mounton_dirs(podman_t) @@ -67,8 +73,10 @@ podman_spec_rangetrans_conmon(podman_t, s0) ifdef(`init_systemd',` init_dbus_chat(podman_t) init_setsched(podman_t) + init_get_system_status(podman_t) init_start_system(podman_t) init_stop_system(podman_t) + init_reload(podman_t) # containers get created as systemd transient units init_get_transient_units_status(podman_t) @@ -114,7 +122,7 @@ kernel_read_sysctl(podman_user_t) logging_send_syslog_msg(podman_user_t) -init_write_runtime_socket(podman_user_t) +init_stream_connect(podman_user_t) mount_exec(podman_user_t) @@ -191,7 +199,7 @@ ifdef(`init_systemd',` # podman conmon local policy # -allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource }; +allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource }; dontaudit podman_conmon_t self:capability net_admin; podman_domtrans(podman_conmon_t) @@ -199,8 +207,12 @@ podman_domtrans(podman_conmon_t) init_rw_inherited_stream_socket(podman_conmon_t) init_use_fds(podman_conmon_t) +container_signal_system_containers(podman_conmon_t) + container_read_system_container_state(podman_conmon_t) +container_ioctl_files(podman_conmon_t) + container_manage_runtime_files(podman_conmon_t) container_manage_runtime_fifo_files(podman_conmon_t) container_manage_runtime_sock_files(podman_conmon_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 4891301ada..b3f92eec7c 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
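Review bot: The first podman.te hunk adds `init_use_fds`, `init_setattr_stream_sockets` and `init_stream_connect` for podman_t, and the second adds `init_get_system_status` and `init_reload`, none with a comment; `init_reload` in particular lets podman_t trigger a reload of init, and nothing in the hunk says which workflow requires it. The commit message mentions quadlet, so presumably this is for regenerating units — a comment such as `# quadlet: reload systemd after unit generation (confirm)` on the `init_reload` line would let a later reviewer re-check the need. The `ifdef(`init_systemd',`` block around the second hunk closes outside it.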
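Review bot: `container_ioctl_files(podman_conmon_t)` in the last podman.te hunk is added even though the commit message states the cause of the ioctl denial is unknown; an unexplained grant on container_file_t should carry that uncertainty in-tree so it can be revisited or narrowed. Suggest a comment above the line, e.g. `# conmon issues an unidentified ioctl on volume files; trigger unknown, see commit message`. The `kill` capability added to podman_conmon_t in the preceding hunk pairs with the new `container_signal_system_containers(podman_conmon_t)` call and would read better with a short `# signal container processes` comment on the capability line.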
@@ -1163,6 +1163,26 @@ interface(`init_rw_stream_sockets',` allow $1 init_t:unix_stream_socket rw_stream_socket_perms; ') +######################################## +## +## Allow the specified domain to set the +## attributes of init's unix domain stream +## sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_setattr_stream_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket setattr; +') + ######################################## ## ## Do not audit attempts to search init keys. From 63d50bbaa387ed3d287a385748366b6df3923f4e Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 17:19:44 -0400 Subject: [PATCH 13/14] container, crio, kubernetes: minor fixes Signed-off-by: Kenton Groombridge --- policy/modules/services/container.te | 1 + policy/modules/services/crio.te | 1 + policy/modules/services/kubernetes.te | 3 +++ 3 files changed, 5 insertions(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 68aa97ae5c..095308a13f 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms; allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow spc_t self:netlink_generic_socket create_socket_perms; allow spc_t self:netlink_netfilter_socket create_socket_perms; +allow spc_t self:netlink_tcpdiag_socket nlmsg_read; allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms; allow spc_t self:perf_event { cpu kernel open read }; diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te index 3dd616f7a9..91306d80e2 100644 --- a/policy/modules/services/crio.te +++ b/policy/modules/services/crio.te 
@@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t) container_kill_all_containers(crio_conmon_t) container_read_all_container_state(crio_conmon_t) +container_signal_system_containers(crio_conmon_t) # for kubernetes debug pods container_use_container_ptys(crio_conmon_t) diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 58292de852..3ba6662992 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t) container_manage_log_dirs(kubelet_t) container_manage_log_files(kubelet_t) container_manage_log_symlinks(kubelet_t) +container_watch_log_dirs(kubelet_t) container_watch_log_files(kubelet_t) container_log_filetrans(kubelet_t, { dir file }) @@ -617,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain) # kubectl local policy # +kernel_dontaudit_getattr_proc(kubectl_t) + auth_use_nsswitch(kubectl_t) # not required, but convenient for using config commands From 27602a932b029ab3ab941e2a6eacfd18c0e81cc8 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 6 May 2024 17:46:06 -0400 Subject: [PATCH 14/14] various: various fixes Signed-off-by: Kenton Groombridge --- policy/modules/kernel/devices.if | 19 +++++++++++++++++++ policy/modules/services/kubernetes.te | 2 ++ policy/modules/system/authlogin.if | 3 +++ policy/modules/system/authlogin.te | 1 + policy/modules/system/raid.te | 3 ++- policy/modules/system/selinuxutil.te | 1 + 6 files changed, 28 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 35e14a021e..d8a5c97df5 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -2897,6 +2897,25 @@ interface(`dev_delete_lvm_control_dev',` delete_chr_files_pattern($1, device_t, lvm_control_t) ') +######################################## +## +## Do not audit attempts to read and write the +## Intel Management Engine Interface device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_dontaudit_rw_mei',` + gen_require(` + type mei_device_t; + ') + + dontaudit $1 mei_device_t:chr_file rw_chr_file_perms; +') + ######################################## ## ## dontaudit getattr raw memory devices (e.g. /dev/mem). diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 3ba6662992..8396350261 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -618,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain) # kubectl local policy # +dontaudit kubectl_t self:capability { sys_admin sys_resource }; + kernel_dontaudit_getattr_proc(kubectl_t) auth_use_nsswitch(kubectl_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 6b9d957d3a..899171aa2f 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -91,6 +91,9 @@ interface(`auth_use_pam_systemd',` systemd_connect_machined($1) systemd_dbus_chat_logind($1) systemd_read_logind_state($1) + + # to read /etc/machine-id + files_read_etc_runtime_files($1) ') ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 3a5d1ac3eb..5d675bc155 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -142,6 +142,7 @@ term_dontaudit_use_all_ptys(chkpwd_t) auth_read_shadow_history(chkpwd_t) auth_use_nsswitch(chkpwd_t) +auth_use_pam_systemd(chkpwd_t) logging_send_audit_msgs(chkpwd_t) logging_send_syslog_msg(chkpwd_t) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index c8db38261c..e5e649f6be 100644 
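Review bot: `dev_dontaudit_rw_mei` in the devices.if hunk is a dontaudit interface, but its parameter is documented as `Domain allowed access.`; refpolicy documents dontaudit parameters as `Domain to not audit.`, and the text feeds the generated policy documentation. Suggest that one-line change in the `<param>` description.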
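Review bot: `auth_use_pam_systemd(chkpwd_t)` in the authlogin.te hunk gives the password-checking helper domain dbus access to logind, a connection to machined, logind state and, via the preceding authlogin.if hunk, /etc/machine-id — considerably more than a password verifier needs — and the hunk carries no comment saying which program or PAM stack in chkpwd_t triggers it. Suggest recording the reason above the line, e.g. `# <helper>'s PAM stack loads pam_systemd; see AVC <placeholder>`, or, if only machine-id is read, granting `files_read_etc_runtime_files(chkpwd_t)` on its own instead of the whole interface.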
--- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -28,7 +28,7 @@ init_unit_file(mdadm_unit_t) # allow mdadm_t self:capability { dac_override ipc_lock sys_admin }; -dontaudit mdadm_t self:capability sys_tty_config; +dontaudit mdadm_t self:capability { net_admin sys_tty_config }; dontaudit mdadm_t self:cap_userns sys_ptrace; allow mdadm_t self:process { getsched setsched signal_perms }; allow mdadm_t self:fifo_file rw_fifo_file_perms; @@ -53,6 +53,7 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_rw_mei(mdadm_t) dev_read_realtime_clock(mdadm_t) # create links in /dev/md dev_create_generic_symlinks(mdadm_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 7d664bed61..fb4dddc29a 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -511,6 +511,7 @@ seutil_domtrans_semanage(selinux_dbus_t) # allow semanage_t self:capability { audit_write dac_override }; +dontaudit semanage_t self:capability { sys_admin sys_resource }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };