From 8413f99a48f4a4a49fb9a8ad0f5d542dc9f583c9 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Fri, 22 Nov 2024 17:37:50 +0100
Subject: [PATCH 01/35] allow process and capabilities for self
Signed-off-by: Dmitry Sharshakov
---
 .../policy/selinux/common/processes.cil | 124 ++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 internal/pkg/selinux/policy/selinux/common/processes.cil
diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil
new file mode 100644
index 0000000000..dec3975688
--- /dev/null
+++ b/internal/pkg/selinux/policy/selinux/common/processes.cil
@@ -0,0 +1,124 @@
+; Query procfs about self
+(allow any_p self (fs_classes (ro)))
+; All but ptrace, set* will be guarded by transitions
+(allow any_p self (process (
+ dyntransition
+ execheap
+ execmem
+ execstack
+ fork
+ getattr
+ getcap
+ getpgid
+ getsched
+ getsession
+ getrlimit
+ noatsecure
+ rlimitinh
+ setcap
+ setcurrent
+ setexec
+ setfscreate
+ setkeycreate
+ setpgid
+ setrlimit
+ setsched
+ setsockcreate
+ share
+ sigchld
+ siginh
+ sigkill
+ signal
+ signull
+ sigstop
+ transition
+)))
+
+; Pseudo devices
+(allow any_p null_device_t (fs_classes (rw)))
+
+; All caps, except sys_boot and sys_modules
+(allow any_p self (capability (
+ audit_control
+ audit_write
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ ipc_lock
+ ipc_owner
+ kill
+ lease
+ linux_immutable
+ mknod
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ setfcap
+ setgid
+ setpcap
+ setuid
+ sys_admin
+ sys_chroot
+ sys_nice
+ sys_pacct
+ sys_ptrace
+ sys_rawio
+ sys_resource
+ sys_time
+ sys_tty_config
+)))
+(allow any_p self (cap_userns (
+ audit_control
+ audit_write
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ ipc_lock
+ ipc_owner
+ kill
+ lease
+ linux_immutable
+ mknod
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ setfcap
+ setgid
+ setpcap
+ setuid
+ sys_admin
+ sys_chroot
+ sys_nice
+ sys_pacct
+ sys_ptrace
+ sys_rawio
+ sys_resource
+ sys_time
+ sys_tty_config
+)))
+; All but mac_admin, mac_override and syslog
+(allow any_p self (capability2 (
+ audit_read
+ block_suspend
+ bpf
+ checkpoint_restore
+ perfmon
+ wake_alarm
+)))
+(allow any_p self (cap2_userns (
+ audit_read
+ block_suspend
+ bpf
+ checkpoint_restore
+ perfmon
+ wake_alarm
+)))
+
+; Enable (e)BPF for all processes
+(allow any_p self (bpf (map_create map_read map_write prog_load prog_run)))
From 1fb4e37248f14859e86631d5a4b50087c2441fea Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Fri, 22 Nov 2024 18:13:27 +0100
Subject: [PATCH 02/35] allow modprobe
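Review bot: `execmem`, `execstack` and `execheap` are granted to every domain in the `(allow any_p self (process (...)))` block, which disables SELinux's W^X-style checks for all processes instead of only for the few runtimes that genuinely need them; consider dropping the three from this file and granting them per domain where a denial actually shows up. The blanket capability grants further down have the same shape: `sys_admin`, `sys_ptrace`, `dac_override`, `bpf` and `perfmon` on `any_p` make the capability classes a no-op as a second layer, so per-domain grants would keep that confinement meaningful. The comment `; All caps, except sys_boot and sys_modules` names a permission that does not exist; it should read `; All caps, except sys_boot and sys_module`. Since `setcurrent`, `setexec`, `setfscreate` and `dyntransition` stay in the self grant, a one-line comment on why they are acceptable on `self` (they only matter once a matching cross-domain rule exists) would help the next reader.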
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/file_contexts | 1 +
 internal/pkg/selinux/policy/policy.33 | Bin 27068 -> 29696 bytes
 .../selinux/policy/selinux/services/udev.cil | 18 +++++++++++++++---
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts
index 6e34ca45f8..8e8f10a6fa 100644
--- a/internal/pkg/selinux/policy/file_contexts
+++ b/internal/pkg/selinux/policy/file_contexts
@@ -4,6 +4,7 @@
 /etc/cni(/.*)? system_u:object_r:cni_conf_t:s0
 /opt/cni(/.*)? system_u:object_r:cni_plugin_t:s0
 /usr/sbin(/.*)? system_u:object_r:sbin_exec_t:s0
+/lib/modules(/.*)? system_u:object_r:module_t:s0
 /usr/lib/udev(/.*)? system_u:object_r:udev_exec_t:s0
 /etc/kubernetes(/.*)? system_u:object_r:k8s_conf_t:s0
 /opt/containerd(/.*)? system_u:object_r:containerd_plugin_t:s0
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 7a1c7a28279fa21697ffa4c450583ce828d3d848..c60c068994b828506eab6a6542ded19b73f0e49b 100644 GIT binary patch delta 4313 zcmY+HPi$0G6vpqP1t~4i21};}Y@t&SL52#I(sp>$>3@P0NV`B=ItmB_6gHCJ!VC*d zG|>dSYom!VaiP(qE?i*TuyIGCE=*jwRAVCUGzQ1>d%fSwqmzciopaCm&i9>j-s`>Z zquakmU)G;#YK)w_?(EmE-}f-O>i^ldExPt``~HUL%F5QlnTF{4O7*$>QM9~r;P6be zb-lS>wqLuI{4C$NaP!(le{H{xEwf$?HTe45DdDi1@H)fxL*|T;L z`^n7t&R~~Z$vt8At$ly@oN}jJk@Nbu|FyX`cQ*J`T*VzTn>gcci(6|pSh(A4mfbav z%0wFIoI95|H5(uja{-&6d(8$M_K9E$Xm_v`QTV~`=6$`uS*>=~Sk_M8XlD~6wrq*WEQv9R1 z9?>mA3ArL`OQu)n-FzAs^isUyUP%zU+p8+8qvE8utjn7~Tur+Uq7PYzv<{8-l2_Go zJ`kz}8})qH;QYc+e+S=bPGBh5{@tOz3RuJ{-)TmXFMBS$@F0F@p5q}Wyh#!Ag9~o_ zcSHFmk}TRmxBq?UPzRyaH;5W+zkRs#Af*N>>)aBYl1T>~`zaBg9!$c&Fr42CChS`DC2wGKFS;1jzo=k-lVi zshfeV^08GK_EVuW7?X1BI+aXW>KbHG2SAswGFP&}XC2s@0HmOh*gqWU?*On0f!A=! z_Y`Le=t&~u@oO@@z}mbjV~3Q%LfxIoeviU}rT|3uPp zR3+eJ_Sh56$gN~t(As1er<3BkEo4bP{=u>SW|D{d@5h}R$RC=oBR)2Vpo)k#YAm7% z=7gI_o03eWkO`{PY{b!BzZ~atd?}6zEKdF1_*w-_iVh&DiC~Hdv8wxIW|^Y0{PEH7 zvj~*XH085*af3GBH5ng9AFDG zOsf`f4rZ{31ZGh4NNyzQ=rc*+N>)2`o%bcDveR@Rm}ruqJ?SkI&Z_5EVt=jfbKrME#hzjh}5|6$ATWC?g`inkWv@DhdP$*$tWPK*1^=|1k9bPIR>pE{)$lnV$xj2%NX~f0V468~{_> zF1Ss}B|9z=TSZ~3aKAX2n+A{)!>A-L*`NtKd|VH046P-ppF(UPli^1n z-hZwbUCfVsz$474qGFLmxu{FFU4QInn{z9-rq1s4pI_b_mHb~9dVEyP`JZ0h`x$g^^c-Zs{*k)h1|z ziu6xPKlTq=kv0lEBpoq``2c;;r)*pvjACNQz|%v9!N4bFd;to6F1{MdVc)QUGsDGW zvoH&$8?+kWjt|O&G^Am7gT06BR_ZDZIS7%xl3W!fvYN?mBY!)6aw5Dm;^6ZULodS_ zHx`xvk}yhW4XYrV zT54iY02{kU&5;&pQC+wQDT%;cw~$R;C(puJwHJb#gh~TdWYSVml8-#c;DtR)~;ORFP*;B$T17dZz89{kmyV8E@xCa>ezlEwe0g zZoM!~I|hT&)*wMA0`H`EbZBy04>tjH(C2LyzotixEM$E;7|NFE_(#UX$C-~1% zt*qthuqdM{a)|RZ1g>Na>>9UX%$8!6r%^UDGvIfp!L(=N%kk(OpE3KSAL6~>>$a1) ztlz8z34}JZuG3{e>doDVnwpgnq!`vSvnn@;j}HGn9wD75tP0&ssr5CYVM5MlKj(8# zs`qZX(~`AMxoshqzJkI&#|$!cz2s#5|LsKasS^s=q~g!c3{FkNO^x<4Lg&=It0vWZ z7{Ya+jYr}+Ug2I3$Q@EjiA3bdlL=xeY@nE{J>RIsSs3=?9k+R^(S)y#m^vSJ$wSty 
zWEguVqsO?Anyw6|8*X;deX~l0!ZGsAqdk^=EpjvRUb*bc8u($dq%#v4S<|GqNYaGY zr?%qVskqLXR+y}m-CitO(}_s3;l1Q~>i%goA`27fZvH==*bwkHhT;4+%;rs#!|Pm~ zQ_F2W1wYl_l>2$Zu;~$%n{Vd&N;#+%a(J#_#+WqaWCD~dnLzbkb2atP;7cK@Gf;gC sX_a5QIkV7(L)BJc`n*YK131H6(tQUCw| diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil index 883b076ddc..dec59fa03b 100644 --- a/internal/pkg/selinux/policy/selinux/services/udev.cil +++ b/internal/pkg/selinux/policy/selinux/services/udev.cil @@ -11,6 +11,14 @@ (filecon "/usr/lib/udev/rules.d(/.*)?" any (system_u object_r udev_rules_t (systemLow systemLow))) (filecon "/usr/lib/udev(/.*)?" any udev_exec_t) +(type modprobe_exec_t) +(call system_f (modprobe_exec_t)) +(filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow))) + +(type module_t) +(call system_f (module_t)) +(filecon "/lib/modules(/.*)?" any (system_u object_r module_t (systemLow systemLow))) + (type udev_t) (call service_p (udev_t udev_exec_t)) @@ -34,9 +42,13 @@ (type tpm_device_t) (call protected_device_f (tpm_device_t)) -(type modprobe_exec_t) -(call system_f (modprobe_exec_t)) -(filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow))) +; If modprobe is called by machined or kernel do a transition to udev context which has module permissions (allow udev_t modprobe_exec_t (file (execute execute_no_trans))) (typetransition kernel_t modprobe_exec_t process udev_t) (typetransition init_t modprobe_exec_t process udev_t) + +(allow kernel_t module_t (system (module_load module_request))) +(allow udev_t module_t (fs_classes (ro))) +(allow udev_t module_t (system (module_load module_request))) +(allow udev_t self (capability (sys_module))) +(allow udev_t self (cap_userns (sys_module))) From d58a95a020eca2cb9e4425e1a320cc96fbf3388b Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Sun, 24 Nov 2024 18:46:40 +0100 Subject: [PATCH 03/35] /sys/module and its access permissions 
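Review bot: `(allow kernel_t module_t (system (module_request)))` and `(allow udev_t module_t (system (module_request)))` in the second hunk most likely grant nothing: as far as I recall, the kernel checks `system { module_request }` with the requesting process as source and the kernel domain (`kernel_t`) as target, never the module file's type, so a domain that triggers module autoloading needs `(allow <domain> kernel_t (system (module_request)))` instead. `module_load` on `module_t` is the right shape for `finit_module`, but if the modules are compressed and the running kernel does not decompress them itself, kmod falls back to `init_module` from a memory buffer, which is checked against the loader's own domain; `(allow udev_t self (system (module_load)))` would cover that path, so verify which one the kernel config here hits. The `/lib/modules(/.*)?` filecon uses class `any`, so the directories become `module_t` too; that is consistent with the `fs_classes (ro)` grant but a comment that `module_t` deliberately covers the whole tree would avoid a later "narrowing" that breaks lookups.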
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/policy.33 | Bin 29696 -> 30203 bytes
 .../selinux/policy/selinux/immutable/fs.cil | 4 ++++
 .../selinux/policy/selinux/services/cri.cil | 3 +++
 .../policy/selinux/services/machined.cil | 3 +++
 .../selinux/services/system-containerd.cil | 3 +++
 .../selinux/policy/selinux/services/udev.cil | 3 +++
 6 files changed, 16 insertions(+)
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index c60c068994b828506eab6a6542ded19b73f0e49b..1b5077984941f46b5f8b8e82a9964336edc4f239 100644 GIT binary patch delta 8733 zcmYjWX>45Ab-s@rlaxq_8cP}u_u(Q+Hc64gRk9WiMQWjCS|VkQWNyPDXDE>(ITUB; zC@$Jz5dX+hx3v!fwEYts4Uj}>0RsVoB!z1iMmGdb>LP*B)UIuy0URWVv$ROu#$wNR z=Y5Y)1L|Ggd+u4j^PO|=<7|KE{NK-EHGg8I#d5e#-QxM-H?P zIBB`q-saqr_4Zo%c6Wt*slC&AO5SMicUI-&_S*V2m2~t6|JHJ;L@NEv@?tuXgNAyE zc2qg-GS*RBe^Gy@+~WFjVq;#*Nus_OloUYecP+^L;kh&;@0MJ?$ZTxZE~=) zD{|VmzMjslCKuAHiH&r6Gm#7FQbHCwk2ojfbDec{Cw-z@>sB(YzQ9V8yxv*u%*&5E zYpPm(VhajWB3G_6(^7uC%bAh0y`l2-z4T%t2hV$D=6J27Iu4XCX4aPyxhkETlb3pG zdMccZEcXn^3##V3J$1F`eVfv`#Z+SB&T;{+Yx1j}-kMI|`qEY| zeGfc&SSKG>kD8n=neVM}o|Hf6?Q(9&H+mbLars{FDd!0(?Q4_UJr#1Y??CjJPswsN zW4Q({AMwp6w{jVhGa}FSbyvrHt9R0y>&g|Ivn%pOUt85#-|9wYQxg-=na5u2kJc^u zmTc+@902VnWV}Cox!WhOzLa%2zU-SNtHGN`ee=rNPh~dm*a$#`K6#}-Tjru z`sK2S1zfx;zwfW9TJfz}mu#)YrE}o;z<_Tpv#^q0%q2FFx)$I3!t(mkS}w7+oK-S| zOpEfuKx_y2~TiVRg~-ez4qVfrcrNx-pre`uCkc9tws(Q z1Rc{4TS>rxbtxnH)o79Y<6~D zd(fpJQV2loQ6U6>)m*nuA26n*({y?=Kyt6jD3Xr+^hE1LM5NlRGN3oB<3_azWk+>f zspBdA?4ohr?9+J|fww?F$Fh2|IzMX8Tjf}TChh?`(<+A)Bi(SgTvHDeB6dEn4qr6^ zj5R3iCE`GzNDV7ayE;#L{?(Z}=sc#|aY7_L0|KWZJtOWjRiEZln4K;o=R1;qOc$WOUAcOg>6o-3UVL}Y5+9NI=?fNR|`RN z#g0*4=RL*)Z;}R4kkr85T67H(jy45}UZL;IfIuo^6HWXO1~EpW-LbrWI$DJ_GV{DS zNM-WN)75!6OhO?yhg^pN(U6W!Sl^TpgCna;H-(LiKIsrI6~S$?_*YPqmi|tuy)Wfs|*!^O>8E}F%Lr!8V*1P@@O)Y zXOW;&viX3wQah@Ey)Vek9s);Ld-iNqaHZKj)}bUe1p8dUD)}&W(yno z-JD>40$G6$UpVO-8Qdgi-1I)hC!Z~8a7HE^cgyV z5@TdA#vCIZgcJ^u(I{Is!X|Zr>3|GvVXvzvYTEVV7h?UR&d<51pviDv`iEOv;R&%v z*z^!%kKUgjZq<%bX?JQ|F}OgNp?%!dj&RvUV2N%*CgjRMF>!_rvBkLz?|FW(e2_iUlE?4#rcX6xd!(AK3u&%sQ}fUD<&=T!B1dWqhD2=^4_@Q4eZ?Ifc85 zP2nzt1mpTpcoCTOSk!I0z0Dv8@c=e7fcV(gfF;QhR|MdY9(xvpR;z!fIOv`#uj#wu zl*vzd8G?5N79cYkxQ2o(IJbKZMU>1s_7ePF}erOmA83F=JmGp1OrqpwiUlfFg@$lBb9kXynBdF|kN z`{H%YTr0S!ia>Uf8ez~OG(%n)qxu%aL<6#?Tmx{FMFYbm0F1F)1eH<;U8hrKGUc7V zFu?l*+CQQJ+u$|N4mjsB^1-n0M8;lrXPLNw6L!?|91NmY5Tr8PGi*8NMHU`1QY4#j 
zBPEoFPO=i|r3?^w(nSD!6}<}&Z7u$Fr^^!E&+q~#s-uj-)Edr3pqLpF@t;D07ZjtTF}b;7_e39UiszN zVF^ASwnq&*uU;o2*sBJtevFA_P;WG+bRHytPRbxx3hQOae6Op8$v`63wzl^$}gnv*IqAi=I66klO%@7lT=opY@C(GNu&~ zpLQdLL-ZOEP!W{+Q6~#A&(;7G=@9m^G=QAdQ?0i+2$2U^CY$SNR6rSoRHvnYb#DjqJSb{deI=rVHqC>84GTL?XCJ@zT^6*8VKS|5&82IuubP7 zk2H}hfSS!>bhpNf;62lX5Q#eMDu*iVr8?%l-N|pp+w>fs@^nFtRSM{64?eLkg3I&? zHh3-~Wu#G917~dLo!8wMP!znk;7X+9LV+L!bQWkbPY8%;!kBhBn=<5*oPdEj*8r3v zeP~7C2OWab1Qo$Bu(;8eU6Kf8jj?VXf+7$Yii&+FII58b(1OVoke3btMP>)6Q2%A0 z9u$#vF0TcG4XhkQM$RBL93veZ0|{0#_R>Jy_g7X#Nu8(&RyFi9#gHj=UsL6kE7i)+ z67}kU!8aXnH|_%)@e?~}B#SU6jtGm%gll9VaMy4P*JT(R zbX@~ADTH~ptDvd(oB*xq9F)>&+;M^PIYkc1WNo2g&fPf zzK0rOyFy}ETaah;d-O;mT338%AuuKq3ATSbD>4yzZlcMFN$}~~J;*qIhGaNi6)4t` zynj971f=a+i*zRg(m7csA6^g3_+$m10emq6kpRBq!9c#FEB`VPmUs2}50hc1T>f*i zWgos=q4HBuE@RiM23adS1Nhsx)r8jztLfieiBDXKgOoT#iRGsXI-V~)1NfTH>cBUb zR>#M#ME!Lu>D0=TlPxkdSSJ5ERVumbH4?oRelZ@9``3dUzRlsG!c4i-E00`@ycjQc z`U-=9d@g>luvjL48?SJ8mI5&S+O;557SLgjJC?IIC?!ibXv%I_;f8?x-HnIo#LsWI z1_Dxh({&^umv3^b+}oY~+RaM82hSE1%KzTH;PiiU`00>?Rmn_++-F${zTkAFfJLk< zAa74aWM?TXmD5KgG!vF5rW@t{Tv$Fk-E5z)PS?ww>9G8Ix>bIx&*L+7^5$$<7G@eH zn+nTc%tY+-t(khOr)0M9JT==SlZiUH=l=dTv&s?G{}Y|>Q#}oHb+Vlf%j8^(!V6|R zKUXiW>5hNY6+9of&jB5uoDa)NqREx~E1kjKw-XWjtek&TvMMn#-z+~*hUJU%5jmvm zZ_GDZpTOV;^EFnsJK138mXdY$`GaJsyqpZV<9caYsFytpVfo|5u>2tTket;qY^^U8 zY(dxkg&HgWj>;ZUx!~dMDFaDQ9O|<+rJN`GrE)k&Z}-f^u6`A-q3N6A&o; zQMyLq(Q20Rr7A1`*ixg+XsYfm)oTcKa$leL{k^4#eOBEntYi1&ts2aI^SN8^21;<# zGG%gQwMzbIwY>qq>46Zl{}<{RGX}Ib+mg5)b{vVUhKfv)ysvvI*QW68m;Q^z@Spym z2iSkxcC;e|CPMEUQry=lD>Mk zN&Y?)hLrqQ=8Sxj*;lOJ1&fnal5JGU*EjdcGaDhfy|G{Za$`=l?w69gRr0Yu+wX>? 
z{_cJ!Al)0yvZ=rQS!SPnNmn8D-Me!#zj;88ZJxmI8d5+$xZ5nUdDyOhYZKZl<(>BijTo{~u62&BFiy delta 8051 zcmZ8mYfN0%5k40%#s&;)gLfAeb}bc;IWu!+zWHX(UHrud#+82yxT|C~?HL}p_5#iOxE8u~tJZEzcRQC~xO z#UXwcxo9FDSzcV3iziIEC_UKV?(;e%W@6JTbF-;PdIK-+aBQS5rS6MhBbOH^9UD{2 z@fp)v8Qp5w;@`-72ORsUSac;BPhT=k)>3n0v$2mNjg`g(J z7roM0W(4S+Mz1g85R4~M>8ZuVSkm;Tnp{n##wcxXYBtW%P*b3@%^{pzjz*T_%Q1Kl z@9uW&0g>oZVm6X?^XfP~(-bxi(x**zU8fyV3tcHos*qRjb?mG#?2*(`bRm|Gq}TJt ze(G;NWbCHLnwxzC4#9XLo{q#W#-fq*7G7?oTg{zY!w!MvC5Ew-7lx>*rN-Og*pk$4 z;FO+b!kBVJdCyG(sFi8O^l@D=Hn9BpH&( zz4U5pr@O}?5lctek9EA_Ay-?8Q9*TWoyJj`Xse^Xjsm*cR&R_kOl9q zcN7@s>1ao}ce}%GJhh~W2V&RI108O|Pmgu9c!Lg^g;+8XTQrk+l5N$wyB)jBOG(a7 z4zKJX->z08MkjZb9XaKYSXh~kEh2?rce7(7F`Kg3J?~gOzcjP5$hC$*chZer<(YQJ z?n-JJ_!jZfoMV}lmXk};KCVlWM&=4@{^DEt8+6 zDBaac&vtn-Q599Yc^?Nrw$qwds!H2lPzCLSi*uVC9NvbA3+K-&PX;`b|GW= z@#UZz)iT9O$TMqQQ&@mU5{37r zs?=r*d=sVsVDTSVxGjI+^Dbo^)C|bs+z2mWRGfCHy_|ofAi!g%LN?(LcrU@ziT$1o zkQGmWfSf+5rgao%R(kA02k~xZe@|BPXWnc9R)lW zWe5p1AjF|+8AO3duQSP9Cdc?mv5`6(0i=qJLY@k`TQgaX4gyEcTDB0Vq#Zg!QP9%4 zE?^)a0SR`FT6W;KPzL@<+P8D~>}y6li1t!tDWDw*GH_y?*ZmwsJAWjNIN+Eik6ep9 z_*SXcGrE4HKp`V@*tY;+F4DdO8(WYhE90v;Qeq8pAtF}(3Bh;J6bzy91D?!L2XF{p z+91w?pJ*QI`Q!BYp!UtrkVNgcPzwNv4F|CV;i*u1wH7P~Ra0myxj*Odw=`cb&11!0J{gIwSU z4?PQ%hUZ8yk`2#wvfmHa9L56NK`$BPEu6$ZA%rU-VlM835Hg3CCs-amW`B>j8F`ZO z23hLNJ>49g5m!44saL=zfgVzaY&ZdPH*E3y zL%%W!$JbCU1ydl20#12v|J^&wy55*%H z0$0U8z1~~H%nGY6D_E4HzLvNg5%?Mb!!{rQRE)W-+verXN^Rwja0oV~;^34JAIX7z zyc~g}T*Vpv!qLKS!=j9AiUNehTR0>Yho}XCyZJkv=)!!+IsnLH9nBDSL>JD-1g`T5>~5fwVfN|*GwD+(g6l(#eizSiWbg^(>Pe5axpXZ zvkb})_9e)m+8eYR58#oDV{(n*Sx}JmQ>srp!FF=Vb;Of_CvqZaE?o>t(qiF>$bfaS zjsvAbfzI-(j)+cL5y7Uwhjlb1Ach9jpo}JV1aDq0=8m}mwn)9;0J({f+Yb8Zh~I3ay#0;8Tu%M|(+|LBvxS{I(h8O%3Q-BCYZ#YeR3 zh#lIJ7LZ6F$LUhHJJn8`jBs5V17H%uB0LERY!_WnPpS;M3?(z4F-CinCJ|zCWida) z3<0ndqmU7YVARQc=77bAP8~9WK~r(&M9LL5>n!=OY7E==32+sB(B@*yayu{Z}ig07z}%V8)DG%H3lh#)21lPWW5w^2kR ztV3NP9g5*U%pWm?Xe4@+xugS*N+ZI2t-N~d)WcD+59Vt2XZTwuHr8P5wTT8HF$AJX 
zErZ|!Y0p{{%R&GmgPx*aV)^*f{E+~FVkZZNz5{NRIQxr4Mt6>T^d0OZhG2}u$sCE6 zvOw5Uc94WshI=o>aKga`aupoC5RLCHMjOZlKu){4H@AH11hV6tRaq=cHXeC{# z09`rZt$`x~Ntr6M!;PvLIozOMov6`tmn0yW5LblH^yu;m8F_fh#95^$2F4f3B>KrQ@n60BKk zzL`zhD6fa$kvM_5@D+#&!kg7*8(~By*+*uj&xF46F0*zp&=OX_Y0ZQZCO)96v!F(* z4$(uW>)nWVt-Z~QJM`9R?_p>N^KrDe3b&m{Nc@l&OwpIEb(*}#%l&TB#t#if!a$-$ zA6}idJ?!S9Wy0izxTyQTLQ^L(gnV&MKfX8M|0EzUGVp_aHOm?Vkjg;daxelCXB*B` z(SXo-T`y3+Z>Gz^v!{4 zVK9yaK>X4YQ0TbZ_l8qH*SuGOYd#gd#_u2A6k2*dT*=V8#!z0 zT{cI-yY64HS*|}!y1)q!+AM#%WG1bMyzvk2nxXw zOCg75M>bo>xJ?^56kv(hMvCR}-)p*oQSB2vKQ&q;0G4Ng+m3D84J({vmW}zSS>vh@z8(9{PfVchw8_-=`l85K`-(155{ZgoiPu+ zJ?^9DS$^Y$pH^7@;6y-=mnJH-ooB4^FB4VNGVdW@q>9&lG!pUAzu3;B{9MgG{f2cP zne@=-k!pG}=Am7a6?B64@0|?j@d<1E1CKeZyLGBU%N?8Yv7V2Mr`6?cAQ) zMz^Ls)IJ@co6{aznD%Rbo|vxG=lqUG#JMTz(_=Vl`g=c*2@Ke~ZE|AC=AE z91oqGG4;MN!*ZneotH`4`WnF+aV|I>%$9)WLDQ6sx8;c<**>8||E6e`d9Q zF8=2%b%~y3(QmQZo3j-(H0Po0xd7c_wS5c;++Lci(qTR|SE)y&@y~N^E$f>1Q-s|= zKJV48U7oL^>ztD3=L35Di1+ba8?VIp+`0I>OpnAmBaadZHw`B0jcj_5XE%853jOiC zn|_|yLVrr+(wm8-{|ZW5g+lm;fAtfO>Z+byp_h|Bga3ZMR87~Hy00zg)8Ci8w8&%r z@)RELU;dOPQw5a1;Gr8A3h4VhV*AAl-Bi3%Nb8br3MC6^XVP6{o~6&h*GF1PZKDgx z35ukO_>AkzRo7A;EnJ&&v(Zg-G*wE!O%@r&RJ2@5pYY1H)Hr3*#k890qK{L>bU0n2 npBH!xCO6TeX*VBRM9-ziVIi9%A|t(xdR9v4`ihI@SC;+ Date: Sun, 24 Nov 2024 19:09:37 +0100 Subject: [PATCH 04/35] allow execution of libraries Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/file_contexts | 1 + internal/pkg/selinux/policy/policy.33 | Bin 30203 -> 30277 bytes .../selinux/policy/selinux/services/cri.cil | 2 +- .../policy/selinux/services/machined.cil | 11 ++++++----- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts index 8e8f10a6fa..07285e128b 100644 --- a/internal/pkg/selinux/policy/file_contexts +++ b/internal/pkg/selinux/policy/file_contexts 
@@ -3,6 +3,7 @@
 /sbin(/.*)? system_u:object_r:sbin_exec_t:s0
 /etc/cni(/.*)? system_u:object_r:cni_conf_t:s0
 /opt/cni(/.*)? system_u:object_r:cni_plugin_t:s0
+/usr/lib(/.*)? system_u:object_r:lib_exec_t:s0
 /usr/sbin(/.*)? system_u:object_r:sbin_exec_t:s0
 /lib/modules(/.*)? system_u:object_r:module_t:s0
 /usr/lib/udev(/.*)? system_u:object_r:udev_exec_t:s0
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 1b5077984941f46b5f8b8e82a9964336edc4f239..8f9dfec725d331be62ec7b5e9777b4e0b7ac0117 100644 GIT binary patch delta 4295 zcmY*cOKe-$5xrNx*ph5h{zQ+69Z4Z6*Oo0&vL#CvB~lXguYUfpMP*B}Y&x;2q>d$_ z?jmK1qCoRm6rL^;WKkF>5Cn(=CjyFe)h^sckOFmqCg?7U1VI6(4GJ_tjKF5*Jl^xj z=t1D+dvj;boHH}`@!R|MuV2_Zj}F)VVNaDY*NpzlwzffgS;pI1?KARR+spP@dC>NR zeNOfr$=R&@^2nrJl@E`+XIJDGM}KB7$k#{X_M9AS@380PN9`HAEbp}c%C2p7b!4o) zC@;mQ?V_4KzI8wTy0zEj*IhkwyZwo+kGs~b{pr@!@k(o-mf7w}dsSZRp0Zcu)9yK& zlVd$Ux0mF0Prp~IxPGGlR{!z0c4c)rdn0>MKJR(6YPP}{dF#ZP{DN699cnYDW@){+ zUNnoQQSTR$O=d-}L1&XPDO0EG8*ShC_a7^+o0rUzsn&I!I) zd9$k5Nw)|0TZ?N6^@Zz!jriqI-&#GAKBxw}6o~w(FA)KnMYnt2%$q8#3x9qDuieg5 z;$%1v&z`euFnxiO{bs+PCAfyo31@S`TnMsX(w((>AIyPWG668nzCE(I=x1nNG>X{^ zG7l*}%~W1HdEg*0RlxqsLLTh)xLAlADXk^i-_niD$zI0n@b@Xi6k-x%gX#5|f0!&- z;N2lN`%lP6{qYGz>T@1P%oO#hX;3yB^uF1qV(A5ak$Kuo`s?3U8ddtL#w%tkGYKyW zD7*pK6a+;vpoU6!L0(9Bk(}cRc!rcERFYOjP1=l_?M09Bb|T!-sv0vg_#`Jl?W#mq ztE>>I9|-56^DYF_${IC$g8i_gt`%kXVV`mKNPsb*4Z8qbQUfrPRC}{6r8^sxvtlgp z+N=8A8920tZesDlC+pyt);#k8o*%fq@H6e!(3n+@xGiP(_m-_4p^v0xFsg)J4T=Cn z5jfUP1xXLa{NiTIBj}`am{AH?xbVf+21qKJGgl~--@XJ78%^9N{4qtr1heKW?JE## zNXdDB@PJ<>6c5R=5kV}3GuxVt{AX~j4vt;Maw!?}P&KG@t(qhpo_0ayRx(kI8uR4i zfTqAN%GV$T2e(fQNs!H`ZhhexLH~^RhSHna4AZ@gZ$|usx!Ar1T&O zJz8+E5f>D3zLfVL`}Q~jQe~>aKW8S^R2HP`*q8UyLwe+&3~(bBiI(osiRHM72M1j(^f;gd;Yd{im{HG1x@ zjGb)+ND_*61SUN_@pIsIO#B+i!2WDrlH(L1!snWueUI4h)O+^apUL!dZs zWN~~d+Mp=*IDhcLxL5~$_Q7~Gg2R>v>0xs?APv3c5|`9OIEv({2>OL8gDjFL&rd|_ zcIbN;qA4=@-9*eoX_I|0zyT@$n21(`u15Lq#9U*lM3&#PjJ+~>_6%b1Rjtc(1sJiL zU9;ehY~@c6&-C}iWSb)Ss6s0w3zhP4(vy}cFOS4nnoyhSp=DTh$bs|mkiN+ki8k6o z^TB|HbAquNgf^%wo?@_ZZ&+G0Lm*D>PIaF_OOR05kZ7#SE0I+OY@D>PVav9g_8_i2 zKkY^Fkc5MLo_Gk(wcMVLE+IpDM@bMR&=XCQzRNPJ)v_ZEBa;e4DpCw)i?T^!dTJR- zvXs#pR0Xe=2_?*`bihT@5t@~SHBVXCFdTAn_VTYE#$@|UA_54d`H~651!jy$r^_vj8B!vN1f zmu5Tbp#c+?TeI;-u*A{?nb@d5GvxoXF+Jt4ntItiHxj`%7A?Y(n~d&&#>OASlHuzCaZ1vy7vJEKwhA 
ztyEBRz{$*jON+nC|D|(eK9$~Lg=04x}mCb9iwb@enqA}kA+9)~U delta 4460 zcmY*cTWp(E5}rS4L)wNWrZ>|TQW`s@aho`4(< z`>^${R$6J1D48~os zzvs++^UXJNjz9QU@YAi}t-EcTKiyO#a#ifV)+YvoCv`m08a%C663+#f^~c1X;5WMC z(4}Be|8!^~SkR9Sy&cTy^~1jn=JodBWN=Oow08vO^|AJR@Pxk6{^#J*T31It2rlSf zlas+&Gu^p%EBQ*G6Gt2L#jZq9Fst2bpLZ<>!Iib#(b^z*N~gOgf+c;qI~P2o-*?Xh zMLlxt_rXPd{a8wCdS2Z-Wf1HX&R;jVI{mbZUJ*P{HvM7E2%UPL~4qMOI z_XT^l*!p*g|I3Iyd_OPqGU#nG@{Boak|Mm>L;Iq=L6Gu)%O%*~Q}MG8e(G%fhxE@f zY|lmsYGq4}uJ*RZ7UZHd*mv?rk%&E=*q=_@?s+-t*3F_fd!t(bcvt0xe%Bk1Hkt7; zZ;+R~3}9Wpc~@upF2|5X!Co{QLS%Qq){VA4YY$QBhkgAenDGU|pYtBUoxwDeVsRH` zpL<`D6ZUMt+9F{u(?W_KoeW8|%4c5~e6Q?vK2e1Qd(8g>E&vcRKv9-LKK0#4VkIDn zx#;CuAbH5Gn;ntNAH=gbSc6a$5PO*&9P>T=RIh1MFyt&|zLG^meomLuK=`l^tR1On z_oAF}xi^W_M5NcP%`iYjmJK=HTZN=SA5ZmcK?ycj-s+81=l)^Ix!p!eUBt48*mqK2 z5n?4L{Wi7xQqkbR8G=9?OnsYd3rR&1Cs>~t`YAsZv*j=UhL%>HjPz&Oh}Kr zt{tsPuBK{@4SBx-$&m~=-R|Fm%e1YfKI4FTK$;sE$U-At#buCr!0gZ-N9+NCP-xMb z9E4bfHz3}mtuaXuj~dkf4a77x7|X(7!W*C&eSytM)H(cz(S;VFhVC(0GSGrta7<$Y z=of>rD3F5=so&=smi?y9>B~+&zGnLObli+1a>_?8SYxi)L&+>s<1j@$79TE&9=x$LAOwyl z*n8oLt_}6O$;`2hW}zV*M152QWD%frI>`IBwEEQmWw*DFNXq6k%DT_|6~g96tq2gY zOpztm4(MH`i!2^=j!HJ$hQdkvkU?M(VZ&h9OKB%0@hcl14=CHC9vl?N_w%CPKDx65 z*n9lfz(qpA0r6t}NX15T!<}=0K*(@E<@Y0B>Jgy`6E-`&4SbPj*pOQcO+Qie{o%Mx zg{2S+FjCL(b;A3?drlkJ6VsTCg;b#Ee7`79QvYsz5-aldvE7kkYi%1jsBoFENsr1Ik{rb^JwjaHTSeS5|jY*agK3ERm^#01QhdrWt&b&9-2o&;{Jl7{&C;*1?H0 zmr*2MBVflN(Is7BDzjC`J5r$lU{7_n7zv~pqmlJ0%2N)U9YJ+ko`{y98uEfRB^L+f zVCVpjd6`wGrEyvN_N?8PVa%s2y&VTZ`+-bCa=l zsDc9y*$@n}p`x2DjY{_V^<>VfSP0FK3&}&Qev1onz!h^u_mOzGWd{H!1&Q~Zjd;(Z z>DA+vn>+{iUyjEcKn_{g*N*p>^49BkA%+DLwAR*j_6eTo71E}Dz^K=yW17<&+3@5* ziyU%3GlqXCyb|n|-C+e_Z~pb{)B|?j7edsK4vEwkrefn5MnoL5;!sO@`~84!!kr0X zX9>}9t@a)R0aW@*=$)xfcR%5T)Sl^N3k*0u5s00L?78v!bX?z@?st=qA_Zd4h;E&U zYkDSG0tl8JjB%twH&~l)(zw3!9H_0Dg!lmf_Mk0vI+=v7nLO|jE0U!D$%-FsI}x!n zv*-xIPbpyF)J2|LBR8&5O==K(=`&yTs}p&xPl=^akMK{vU}N{ZjAI=dV>8|-_k|V1 z-3tflC6gDDq*HA671KK>I_(E#<*>w01q5NzkOl$jx!Kb$+v@J%O>?_VKFVaOie>1V 
znIq_fP9`N=jf5;9AlXMi>K?2yDRf+qY4_Qa2R9uq*_s_3x*L$Ch J=-aDTe*vSrSiArL diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil index bd12aaa8c2..6224c87d74 100644 --- a/internal/pkg/selinux/policy/selinux/services/cri.cil +++ b/internal/pkg/selinux/policy/selinux/services/cri.cil @@ -16,7 +16,7 @@ (call pod_p (pod_t)) ; TODO: What if container is started not from containerd_state_t? (typetransition pod_containerd_t containerd_state_t process pod_t) -(allow pod_t containerd_state_t (file (entrypoint execute_no_trans))) +(allow pod_t containerd_state_t (file (entrypoint execute execute_no_trans))) (type etcd_t) (call pod_p (etcd_t)) diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil index f0087b8f61..d94ed21a49 100644 --- a/internal/pkg/selinux/policy/selinux/services/machined.cil +++ b/internal/pkg/selinux/policy/selinux/services/machined.cil @@ -25,11 +25,12 @@ (allow init_t service_p (process (transition))) (allow init_t service_exec_f (file (execute))) -; TODO: allow execute for libraries -; (type lib_exec_t) -; (call system_f (lib_exec_t)) -; (filecon "/usr/lib/libc.so" file (system_u object_r lib_exec_t (systemLow systemLow))) -; (allow service_p lib_exec_t (file (execute))) +; Libraries must also pass the exceutable check to be used +; Allow their use by all host services +(type lib_exec_t) +(call system_f (lib_exec_t)) +(filecon "/usr/lib(/.*)?" any (system_u object_r lib_exec_t (systemLow systemLow))) +(allow service_p lib_exec_t (file (execute))) ; Should not occur unless misconfigured by machined (type unconfined_service_t) From 340814bc4ad7c75a437ea0e23c4c3a716ad40ce9 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Sun, 24 Nov 2024 19:29:12 +0100 Subject: [PATCH 05/35] classmaps: do not enable relabeling/execution by classes 
Signed-off-by: Dmitry Sharshakov
---
 .../policy/selinux/common/classmaps.cil | 64 +++++-------------
 1 file changed, 15 insertions(+), 49 deletions(-)
diff --git a/internal/pkg/selinux/policy/selinux/common/classmaps.cil b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
index fa8a848049..e8f8da4773 100644
--- a/internal/pkg/selinux/policy/selinux/common/classmaps.cil
+++ b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
@@ -1,39 +1,5 @@
 ; Access to all file classes
-(classmap fs_classes (full rw ro))
-(classmapping fs_classes full (filesystem (
- associate
- getattr
- mount
- quotaget
- quotamod
- relabelfrom
- relabelto
- remount
- unmount
- watch
-)))
-(classmapping fs_classes full (file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (dir (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
- add_name remove_name reparent rmdir search
-)))
-(classmapping fs_classes full (lnk_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (chr_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (blk_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (sock_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (fifo_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
+(classmap fs_classes (rw ro))
 ; rw is full without SELinux management
 (classmapping fs_classes rw (filesystem (
 associate
@@ -46,26 +12,26 @@
 watch
 )))
 (classmapping fs_classes rw (file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+ append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (dir (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+ append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 add_name remove_name reparent rmdir search
 )))
 (classmapping fs_classes rw (lnk_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+ append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (chr_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+ append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (blk_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+ append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (sock_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+ append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (fifo_file (
- append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+ append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 ; ro is rw without write and configure
 (classmapping fs_classes ro (filesystem (
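Review bot: `execmod` is still present in every `rw` mapping in this hunk (`file`, `dir`, `lnk_file`, `chr_file`, `blk_file`, `sock_file`, `fifo_file`) although `execute` was removed; `execmod` permits a private writable mapping to be made executable, so it defeats the commit's intent of not enabling execution through the generic classmap in the same way `execute` did, and only a few runtimes with text relocations need it. Suggest dropping it from these lines as well, e.g. the `file` line becoming `+ append create getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write`. The same applies to all `ro` mappings in the next hunk of this file.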
@@ -75,26 +41,26 @@
 watch
 )))
 (classmapping fs_classes ro (file (
- append create execmod execute getattr ioctl lock map mounton open quotaon read rename unlink watch watch_mount watch_reads watch_sb watch_with_perm
+ append create execmod getattr ioctl lock map mounton open quotaon read rename unlink watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (dir (
- execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 search
 )))
 (classmapping fs_classes ro (lnk_file (
- execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (chr_file (
- execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (blk_file (
- execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (sock_file (
- execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (fifo_file (
- execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 
 ; Netlink socket access
From 32a9abc206b9f87b483eb46ac8a0928b767141d6 Mon Sep 17 00:00:00 2001
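Review bot: The `ro` mapping for `file` still grants `append create rename unlink` (plus `mounton` and `quotaon`), none of which is a read-only operation, so every `(fs_classes (ro))` grant in this policy also permits creating, renaming and deleting objects of the target type. The subject of patch 09/35 (`remove extras from fs_classes (ro)`) suggests this is cleaned up later in the series, but in between, patch 06/35 adds `(fs_classes (ro))` for the executing domains on `service_exec_f`, `lib_exec_t`, `sbin_exec_t` and `modprobe_exec_t`, which at that point lets those domains unlink or rename their own executables; either reorder the series or note the interim state in the commit message. As with the `rw` mappings earlier in this file, `execmod` also survives in all `ro` lines and should go with `execute`.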
From: Dmitry Sharshakov
Date: Sun, 24 Nov 2024 19:31:27 +0100
Subject: [PATCH 06/35] allow executers to read executables
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/services/machined.cil | 3 +++
 internal/pkg/selinux/policy/selinux/services/udev.cil | 1 +
 2 files changed, 4 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
index d94ed21a49..10e32b8852 100644
--- a/internal/pkg/selinux/policy/selinux/services/machined.cil
+++ b/internal/pkg/selinux/policy/selinux/services/machined.cil
@@ -24,6 +24,7 @@
 
 (allow init_t service_p (process (transition)))
 (allow init_t service_exec_f (file (execute)))
+(allow init_t service_exec_f (fs_classes (ro)))
 
 ; Libraries must also pass the exceutable check to be used
 ; Allow their use by all host services
@@ -31,6 +32,7 @@
 (call system_f (lib_exec_t))
 (filecon "/usr/lib(/.*)?" any (system_u object_r lib_exec_t (systemLow systemLow)))
 (allow service_p lib_exec_t (file (execute)))
+(allow service_p lib_exec_t (fs_classes (ro)))
 
 ; Should not occur unless misconfigured by machined
 (type unconfined_service_t)
@@ -44,6 +46,7 @@
 ; Typically machined executes LVM, cryptsetup and similar utilities
 ; They are short-running, come from the rootfs and do not accept user input, so can be started in init_t domain
 (allow init_t sbin_exec_t (file (execute execute_no_trans)))
+(allow init_t sbin_exec_t (fs_classes (ro)))
 ; Access kernel module parameters
 (allow init_t sys_module_t (fs_classes (rw)))
diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil
index c8a1991cb8..8a1544289f 100644
--- a/internal/pkg/selinux/policy/selinux/services/udev.cil
+++ b/internal/pkg/selinux/policy/selinux/services/udev.cil
@@ -44,6 +44,7 @@
 
 ; If modprobe is called by machined or kernel do a transition to udev context which has module permissions
 (allow udev_t modprobe_exec_t (file (execute execute_no_trans)))
+(allow udev_t modprobe_exec_t (fs_classes (ro)))
 (typetransition kernel_t modprobe_exec_t process udev_t)
 (typetransition init_t modprobe_exec_t process udev_t)
 
From ac7426cfc6b6d7bd7c550d9bca80d575aed8d611 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Sun, 24 Nov 2024 19:41:39 +0100
Subject: [PATCH 07/35] classmaps: add process
Signed-off-by: Dmitry Sharshakov
---
 .../policy/selinux/common/classmaps.cil | 35 +++++++++++++++++++
 .../policy/selinux/common/processes.cil | 35 ++-----------------
 2 files changed, 37 insertions(+), 33 deletions(-)
diff --git a/internal/pkg/selinux/policy/selinux/common/classmaps.cil b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
index e8f8da4773..faacd7749f 100644
--- a/internal/pkg/selinux/policy/selinux/common/classmaps.cil
+++ b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
@@ -96,3 +96,38 @@
 (classmapping netlink_classes full (netlink_scsitransport_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write)))
 (classmapping netlink_classes full (netlink_rdma_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write)))
 (classmapping netlink_classes full (netlink_crypto_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write)))
+
+; Everything except ptrace
+(classmap process_classes (full))
+(classmapping process_classes full (process (
+ dyntransition
+ execheap
+ execmem
+ execstack
+ fork
+ getattr
+ getcap
+ getpgid
+ getsched
+ getsession
+ getrlimit
+ noatsecure
+ rlimitinh
+ setcap
+ setcurrent
+ setexec
+ setfscreate
+ setkeycreate
+ setpgid
+ setrlimit
+ setsched
+ setsockcreate
+ share
+ sigchld
+ siginh
+ sigkill
+ signal
+ signull
+ sigstop
+ transition
+)))
diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil
index dec3975688..f27112f488 100644
--- a/internal/pkg/selinux/policy/selinux/common/processes.cil
+++ b/internal/pkg/selinux/policy/selinux/common/processes.cil
@@ -1,38 +1,7 @@
 ; Query procfs about self
 (allow any_p self (fs_classes (ro)))
-; All but ptrace, set* will be guarded by transitions
-(allow any_p self (process (
- dyntransition
- execheap
- execmem
- execstack
- fork
- getattr
- getcap
- getpgid
- getsched
- getsession
- getrlimit
- noatsecure
- rlimitinh
- setcap
- setcurrent
- setexec
- setfscreate
- setkeycreate
- setpgid
- setrlimit
- setsched
- setsockcreate
- share
- sigchld
- siginh
- sigkill
- signal
- signull
- sigstop
- transition
-)))
+; Allow all process actions but ptrace, set* will be guarded by transitions
+(allow any_p self (process_classes (full)))
 ; Pseudo devices
 (allow any_p null_device_t (fs_classes (rw)))
From 994669f80bdeee99cc74251cd5f9117561c507d8 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Sun, 24 Nov 2024 19:41:59 +0100
Subject: [PATCH 08/35] allow managing child processes via procfs, signals etc
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/common/processes.cil | 4 ++++
 internal/pkg/selinux/policy/selinux/services/cri.cil | 5 +++++
 .../selinux/policy/selinux/services/system-containerd.cil | 5 +++++
 3 files changed, 14 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil
index f27112f488..eefc408153 100644
--- a/internal/pkg/selinux/policy/selinux/common/processes.cil
+++ b/internal/pkg/selinux/policy/selinux/common/processes.cil
@@ -91,3 +91,7 @@
 ; Enable (e)BPF for all processes
 (allow any_p self (bpf (map_create map_read map_write prog_load prog_run)))
+
+; Allow init to manage processes
+(allow init_t service_p (fs_classes (rw)))
+(allow init_t service_p (process_classes (full)))
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
index 6224c87d74..48ddf7cb2b 100644
--- a/internal/pkg/selinux/policy/selinux/services/cri.cil
+++ b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -6,9 +6,14 @@
 (call system_socket_f (pod_containerd_socket_t))
 (typetransition pod_containerd_t run_t sock_file pod_containerd_socket_t)
+; Transition to pod contexts
 (allow pod_containerd_t pod_p (process2 (nnp_transition nosuid_transition)))
 (allow pod_containerd_t pod_p (process (transition)))
+; Manage procfs & processes
+(allow pod_containerd_t pod_p (fs_classes (rw)))
+(allow pod_containerd_t pod_p (process_classes (full)))
+
 ; Access overlayfs parameters
 (allow pod_containerd_t sys_module_t (fs_classes (ro)))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
index 687fcc1cae..010a80906b 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
@@ -13,9 +13,14 @@
 (call system_socket_f (sys_containerd_socket_t))
 (typetransition sys_containerd_t system_t sock_file sys_containerd_socket_t)
+; Transition to system container contexts
 (allow sys_containerd_t system_container_p (process2 (nnp_transition nosuid_transition)))
 (allow sys_containerd_t system_container_p (process (transition)))
+; Manage procfs & processes
+(allow sys_containerd_t system_container_p (fs_classes (rw)))
+(allow sys_containerd_t system_container_p (process_classes (full)))
+
 ; Access overlayfs parameters
 (allow sys_containerd_t sys_module_t (fs_classes (ro)))
From dd5103cf3ef626a34a5e2610c07718e461fe44f5 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Sun, 24 Nov 2024 19:50:14 +0100
Subject: [PATCH 09/35] classmaps: remove extras from fs_classes (ro)
Signed-off-by: Dmitry Sharshakov
---
 .../selinux/policy/selinux/common/classmaps.cil | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/internal/pkg/selinux/policy/selinux/common/classmaps.cil b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
index faacd7749f..4c864c2a3d 100644
--- a/internal/pkg/selinux/policy/selinux/common/classmaps.cil
+++ b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
@@ -41,26 +41,26 @@
 watch
 )))
 (classmapping fs_classes ro (file (
- append create execmod getattr ioctl lock map mounton open quotaon read rename unlink watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (dir (
- execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 search
 )))
 (classmapping fs_classes ro (lnk_file (
- execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (chr_file (
- execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (blk_file (
- execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (sock_file (
- execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (fifo_file (
- execmod getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+ execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 ; Netlink socket access
From f9a2f350964b01fe1f79ed4bc63483685027a893 Mon Sep 17 00:00:00 2001
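Review bot: `execmod` stays in the ro mapping of every file class after this trimming, and it is not a read-only permission: it permits executing a private mapping the domain has itself written to (text relocations, self-modifying code), so anything granted `(fs_classes (ro))` — including any_p on selinuxfs_t and proc_sysctl_t in later patches of this series — receives it as well. Dropping `execmod` from these lines and allowing it explicitly, e.g. `(allow <domain> <type> (file (execmod)))` only for the binaries that need it, would keep `ro` honest; `map` is needed for mmap-based reads and can stay.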
From: Dmitry Sharshakov
Date: Sun, 24 Nov 2024 19:50:41 +0100
Subject: [PATCH 10/35] kubelet state access
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/services/kubelet.cil | 1 +
 internal/pkg/selinux/policy/selinux/services/machined.cil | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/services/kubelet.cil b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
index d451bf6e61..2259e26a61 100644
--- a/internal/pkg/selinux/policy/selinux/services/kubelet.cil
+++ b/internal/pkg/selinux/policy/selinux/services/kubelet.cil
@@ -13,3 +13,4 @@
 (type kubelet_state_t)
 (call system_f (kubelet_state_t))
+(allow init_t kubelet_state_t (fs_classes (rw)))
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
index 10e32b8852..b91018718a 100644
--- a/internal/pkg/selinux/policy/selinux/services/machined.cil
+++ b/internal/pkg/selinux/policy/selinux/services/machined.cil
@@ -50,3 +50,6 @@
 ; Access kernel module parameters
 (allow init_t sys_module_t (fs_classes (rw)))
+
+; Configure kubelet
+(allow init_t kubelet_state_t (fs_classes (rw)))
From ac59735abbc93b6b5ca7d7618ca3ffe1cee19956 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Mon, 25 Nov 2024 12:49:38 +0100
Subject: [PATCH 11/35] add unlabeled devices to common device typeattribute
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/common/typeattributes.cil | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
index 9288c081a2..cb3f5ce66e 100644
--- a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
+++ b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
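Review bot: `(allow init_t kubelet_state_t (fs_classes (rw)))` is added twice by this patch, once in kubelet.cil and again under `; Configure kubelet` in machined.cil. CIL accepts the duplicate, but keeping a single copy avoids the two drifting apart later; the machined.cil placement next to the other init_t rules looks like the intended home, so the kubelet.cil line can be dropped.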
@@ -36,8 +36,9 @@
 (typeattributeset protected_device_f ARG1)
 )
+(typeattributeset common_device_f device_t)
+
 (typeattribute device_f)
-(typeattributeset device_f device_t)
 (typeattributeset device_f common_device_f)
 (typeattributeset device_f protected_device_f)
From 00190eeaa1a8a0753b213b4eb3aa7d6e5445055b Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 17:35:54 +0100
Subject: [PATCH 12/35] allow all to query SELinux status on fs
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/policy.33 | Bin 30277 -> 31093 bytes
 .../policy/selinux/services/selinux.cil | 1 +
 2 files changed, 1 insertion(+)
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 8f9dfec725d331be62ec7b5e9777b4e0b7ac0117..c7a3de4684160585c87fef209f61d20d4e8be5ba 100644 GIT binary patch delta 3427 zcmY+GPi$0G6vpq+S_7SGi@=l=!<3<&hPD<{w4HX^X*<)uly(MiR4AojSYS7rkPsuW zBq+Er(QsYs5)%_clm)JIp?eo38bb&R6IoCtMiUmsdVc4=^QPo&?z`{YbH4MP@0|O7 ze3uf)w81G}$pajqy&pG&yKgmWb~>z`1yJy@}viEtN-#Yk0 zwyXQGTagDdS*MrXvVLw9S0#BG!oFV~Jk>GS{kWdJe%ae7>~-Vv)XufKB)0zk;FTBg zT6VAK>1O8|s;(&t>Rhip01$i%aGR{w{fD{!-c@(rHR3}~SLDgc`dPJ_l=ER9tRc?b zoTPMpXjt;f4^207Xk5$zyk6Ky_-jKw^6A!4wh_NX5flIGQ12S1Ro5D*DQpyo)g|A_ ziTo`mP;X)X&y6)~1|pjlHyDRGf4O5PWxjaCh)=DrU3fCf!!?*X1we+j1>#Ph7E1iErFi-SHUZNp~{NoDYo>dN7IKf;CLi4fps>fl9I8H?zv6%ZVig^ zw49#3_k=(2R^DfzlrI*h!+P;hFgasAEljLrx2W<{d*mJveb zl*|hM$9S%df>xz)TU@hv38N@F=O-q5RckP-Me~;?`Z_t$Ezf4n5?k^wP~PC(e><_S zPE7s1i4JWXqu19J_gCmrXS$iG`; zgnUudHc4X~41OtQGf>7GrNaHoQCQZN^sZ9wHBw|Rt>2NsoDx(ND71$TGqC~s2sT>c zrC1&e4<$@&nB68b|8ePHj;^fL?R=~k0-CyEJQIOqaw)(5eu)dAelnY4 zQ?|d$?Rug{#n^d(!&V-uUYgtb#& zAR4Mn>i&({3p!(ArRL?hBEZ=HKAUFxNPyaGV)`gKK0TMxIlx^JnyEC`uT33CxHwnp z!U2`Ap-1k94LES3(SDx$WQMj-Rm;@i;!wZhfPM3d7|j6_nspG-`FP*29loIBA2nGo zPP^$%(r=0b(NZBoyQMfp!3n9UYjD!lksuD zYiOS?r<5=RRwJnzgTZH@wp>o>FB>qdXk7Ao%3mmFbdnLp5+OnBTC`+$2_8&W+uin9 zhfF>aT=#d%t5TM+N=7?|VopWH#E<>3(g-#M{aPj8P7($U;P#ixI*{>GrEMq2fCzoS z4GH{R>C+}5fC(M#S%nzeCVF(B{-hg8(vm?l7L(CrgwhNK8m(^Lw?CN{_xypF2_Rb8 v0dXkG9;YFZTSvnb2d+Vcr%Gf=g%z&<_h?%Zf6A<+>{G|&`v0bMERp#izr>_N delta 2446 zcmYjTO-Ni<6h5QYVvX^qF{4aqX7cYXPDh73pnRH~HroCs5}XGvgeLPxjO&-q4Obcvt6g zJlOu#e3SR$TcdqM9XYudlQ*sTiB$D!XCsF9YOa3u23B(COoV18t z$#1JECxb;f6m}(6o5@HSWSNmQQ1?^Z;A+md0(a<+pAp=QojQZ;O@5S&@k#Py$yQ1^ zHhCizAI9Y@ZTSV}C{JB-q0Y}zp~#p7(sFOnEd!%<(rWC|u1C^H8dX)(>+<(u`a|xX z`#RDm(9U@PYP9E5iwNB&_R~415A|o{QPTL|xo`}dxB|XKElIQM*Hxp>6sA${vQ5FC z&Q~P)lliC#>C#6A8XXXEduB4wxSIwvOFmo@hl&R=7NgDJK4;cn<24a8>tYI^t zZ*n;s9JWAfwjKcu+Zf6DAbYQY^RQkAVzz$z4{?kPvR|TieNM4&EF}9VbxY1)6a#@N 
z#Rj9!B92H7oW@L&5mvbB?Qhdr-y&ry5BPy_!35&tYfcEDA+WLwp)Q#a4gTxeta#xC?Hcr2Q+w|^crLD9D_;C(B^E~IE!^604iSNsg2NC!K?-JIE{$_sG0Q)W< zxd6-nmc}^|2iAbHp z|G9Y3i(sx0fWtCLc&`u{#~!k40F<2Zk|7va?QSFft?(tUErmP4KR1@bX0*W<#tZyp z>6<}Zt$J7S#^C3jqGLn@_tpl7#h`S=!(xnI7D3~=<>(c_=%JemO(ONv>M0mHXtSPM z>%6~=e*bmZ*~DGgMESz{eeZ5Y8o6E8ot~A{-H=R6h7cp>e5)NL&&e7?of|9rrk?>_ z4{&cOEP1C(K{J>!Jyb;Kpcv3S))JqWV*EoXcLBtK741i$)IQ?i^}`{kpc`m(tkJ}L za((}bcC+RxP{G$0{?NS0VDlcY+6mDwotu(S_*@``Rpr@gXb`_Vd5szEn=@-ssV}u= zGzr6pUV92Nu5VJ*s{5$K=6tYre;9Q_y_{skyZ}SCS##y2=zdVXE%Be19b-of2Tuon zuM+WQ+MZ7Yw6PA`tT;Vj0UcoGA%9z`nH`K1bLQwq@G8sz5>!NhHnub0)qouAquW9S z!k}Qo@FzDW&Af!r>a=Z{r^+g7(Af+|v{j+9N(Q8wXyw#=g*ti$VAOTUWmpry!X}Tc z_nT@k#VudubtjE-kVS7Hf_fNb>Yy2*0pAb!&LCrxpRU)0>&sP4ic&SiUsO|r$cs6K zZz$HDAF81)*PO&joJS i)PHO^rj<~R5(ooTJOhDP`^gTwAuhNwG9K@{0q1`~E*SR! diff --git a/internal/pkg/selinux/policy/selinux/services/selinux.cil b/internal/pkg/selinux/policy/selinux/services/selinux.cil index 43b823538d..37aa67d143 100644 --- a/internal/pkg/selinux/policy/selinux/services/selinux.cil +++ b/internal/pkg/selinux/policy/selinux/services/selinux.cil @@ -14,3 +14,4 @@ setcheckreqprot validate_trans ))) +(allow any_p selinuxfs_t (fs_classes (ro))) From 2cbff0229b3f8376bc0c668588967e85d3f1bc56 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Wed, 27 Nov 2024 18:09:36 +0100 Subject: [PATCH 13/35] allow reading udev rule files Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/policy.33 | Bin 31093 -> 31189 bytes .../selinux/policy/selinux/services/udev.cil | 3 +++ 2 files changed, 3 insertions(+) 
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index c7a3de4684160585c87fef209f61d20d4e8be5ba..bf5a6902dda5c245788f46b7265d70c22be70ef2 100644 GIT binary patch delta 130 zcmezRiSg=Z#tqBO8E0)?VIIuLoz0NJz{9}EprQR^^Dhfg79NlQ7es(zGQaHsunJzN zigUIrd00UzI42i)eFv*$he#=GPWOJm0+!>R>=3Y*BZGkzD8tRP`DZ{DBUqemb4-w= FIsgj9Bwqjk delta 53 zcmV-50LuT>^8xkp0kEex0g|(*H&X$#2RRf3lP5jEv-3Tu43noy@Ux>!-~^M8P`0yC LQDy Date: Wed, 27 Nov 2024 18:26:16 +0100 Subject: [PATCH 14/35] classmaps: add relabeling (squash with prev) Signed-off-by: Dmitry Sharshakov --- .../policy/selinux/common/classmaps.cil | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/internal/pkg/selinux/policy/selinux/common/classmaps.cil b/internal/pkg/selinux/policy/selinux/common/classmaps.cil index 4c864c2a3d..23582a4609 100644 --- a/internal/pkg/selinux/policy/selinux/common/classmaps.cil +++ b/internal/pkg/selinux/policy/selinux/common/classmaps.cil 
@@ -1,5 +1,23 @@
 ; Access to all file classes
-(classmap fs_classes (rw ro))
+(classmap fs_classes (relabelfrom relabelto rw ro))
+; relabelfrom
+(classmapping fs_classes relabelfrom (filesystem (relabelfrom)))
+(classmapping fs_classes relabelfrom (file (relabelfrom)))
+(classmapping fs_classes relabelfrom (dir (relabelfrom)))
+(classmapping fs_classes relabelfrom (lnk_file (relabelfrom)))
+(classmapping fs_classes relabelfrom (chr_file (relabelfrom)))
+(classmapping fs_classes relabelfrom (blk_file (relabelfrom)))
+(classmapping fs_classes relabelfrom (sock_file (relabelfrom)))
+(classmapping fs_classes relabelfrom (fifo_file (relabelfrom)))
+; relabelto
+(classmapping fs_classes relabelto (filesystem (relabelto)))
+(classmapping fs_classes relabelto (file (relabelto)))
+(classmapping fs_classes relabelto (dir (relabelto)))
+(classmapping fs_classes relabelto (lnk_file (relabelto)))
+(classmapping fs_classes relabelto (chr_file (relabelto)))
+(classmapping fs_classes relabelto (blk_file (relabelto)))
+(classmapping fs_classes relabelto (sock_file (relabelto)))
+(classmapping fs_classes relabelto (fifo_file (relabelto)))
 ; rw is full without SELinux management
 (classmapping fs_classes rw (filesystem (
 associate
From 519060c7adf3bb0b0f3e9df0d46ce96663063710 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 18:26:27 +0100
Subject: [PATCH 15/35] device file access
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/services/machined.cil | 2 ++
 internal/pkg/selinux/policy/selinux/services/udev.cil | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
index b91018718a..1525eef6b1 100644
--- a/internal/pkg/selinux/policy/selinux/services/machined.cil
+++ b/internal/pkg/selinux/policy/selinux/services/machined.cil
@@ -53,3 +53,5 @@
 ; Configure kubelet
 (allow init_t kubelet_state_t (fs_classes (rw)))
+
+(allow udev_t device_f (fs_classes (rw)))
diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil
index e7d4c20be3..495397c448 100644
--- a/internal/pkg/selinux/policy/selinux/services/udev.cil
+++ b/internal/pkg/selinux/policy/selinux/services/udev.cil
@@ -59,3 +59,6 @@
 ; udev rules can set module parameters
 (allow udev_t sys_module_t (fs_classes (rw)))
+
+(allow udev_t device_t (fs_classes (relabelfrom)))
+(allow udev_t device_f (fs_classes (rw relabelto)))
From 17f675f912660a302bae77bdee437da2a85ed83d Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 18:28:36 +0100
Subject: [PATCH 16/35] allow read to service excutables
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/common/typeattributes.cil | 1 +
 1 file changed, 1 insertion(+)
diff --git a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
index cb3f5ce66e..2b986d8497 100644
--- a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
+++ b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
@@ -73,6 +73,7 @@
 (roletype system_r process_label)
 (typeattributeset service_p process_label)
 (typeattributeset service_exec_f executable_label)
+ (allow process_label executable_label (fs_classes (ro)))
 (allow process_label executable_label (file (entrypoint execute execute_no_trans)))
 )
From e0e2d857287853b75f103b1352e51c0b79011b5d Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 18:33:12 +0100
Subject: [PATCH 17/35] udev run_t
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/services/udev.cil | 3 +++
 1 file changed, 3 insertions(+)
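Review bot: The `(allow udev_t device_f (fs_classes (rw)))` added to machined.cil is a strict subset of the `(allow udev_t device_f (fs_classes (rw relabelto)))` the same patch adds to udev.cil, and it is a udev rule sitting in the machined file; dropping the machined.cil copy leaves the resulting policy unchanged. Separately, device_f covers protected_device_f as well as common_device_f (both typeattributeset lines are visible in patch 11's hunk), and classmaps.cil documents `rw` as full access minus SELinux management, so udev also gets full read/write on the protected nodes. If udev only needs to set ownership, mode and label on those, `(allow udev_t protected_device_f (fs_classes (relabelto)))` plus the getattr/setattr it needs, with `rw` limited to common_device_f, would be narrower — worth confirming against what udev actually does with them.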
diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil
index 495397c448..7102202aa1 100644
--- a/internal/pkg/selinux/policy/selinux/services/udev.cil
+++ b/internal/pkg/selinux/policy/selinux/services/udev.cil
@@ -62,3 +62,6 @@
 (allow udev_t device_t (fs_classes (relabelfrom)))
 (allow udev_t device_f (fs_classes (rw relabelto)))
+
+; socket and runtime files
+(allow udev_t run_t (fs_classes (rw)))
From 664b5a5dae0c6a51e166165afaf8f5b70b65b46c Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 18:46:20 +0100
Subject: [PATCH 18/35] dashboard permissions
Signed-off-by: Dmitry Sharshakov
---
 .../pkg/selinux/policy/selinux/services/dashboard.cil | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/services/dashboard.cil b/internal/pkg/selinux/policy/selinux/services/dashboard.cil
index f0f26860c0..70650ad4f3 100644
--- a/internal/pkg/selinux/policy/selinux/services/dashboard.cil
+++ b/internal/pkg/selinux/policy/selinux/services/dashboard.cil
@@ -1,2 +1,11 @@
 (type dashboard_t)
 (call service_p (dashboard_t init_exec_t))
+
+; TTY
+(allow dashboard_t device_t (fs_classes (rw)))
+; machine ID and similar
+(allow dashboard_t etc_t (fs_classes (ro)))
+
+; socket
+(allow dashboard_t machine_socket_t (fs_classes (rw)))
+(allow dashboard_t init_t (unix_stream_socket (connectto)))
From a098a30719fdb14477ead2fc83514f032f7b905c Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 19:01:08 +0100
Subject: [PATCH 19/35] cmdline
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/common/processes.cil | 4 ++++
 internal/pkg/selinux/policy/selinux/immutable/fs.cil | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil
index eefc408153..3eccac2b04 100644
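Review bot: The `; TTY` comment describes a far narrower need than `(allow dashboard_t device_t (fs_classes (rw)))` grants: device_t is the label of every device node that has not been given a specific type (patch 11 moved it into common_device_f for exactly that reason), so the dashboard gets read/write on all of them, not just the console. Giving the console ttys their own type through the udev relabeling added in patch 15 and allowing `(allow dashboard_t <tty type> (fs_classes (rw)))` would match the comment; until then the comment should at least say that this covers all unlabeled device nodes.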
--- a/internal/pkg/selinux/policy/selinux/common/processes.cil
+++ b/internal/pkg/selinux/policy/selinux/common/processes.cil
@@ -95,3 +95,7 @@
 ; Allow init to manage processes
 (allow init_t service_p (fs_classes (rw)))
 (allow init_t service_p (process_classes (full)))
+
+; kernel cmdline
+(allow system_p proc_cmdline_t (fs_classes (ro)))
+(allow system_container_p proc_cmdline_t (fs_classes (ro)))
diff --git a/internal/pkg/selinux/policy/selinux/immutable/fs.cil b/internal/pkg/selinux/policy/selinux/immutable/fs.cil
index 3abe42cc65..c206d97695 100644
--- a/internal/pkg/selinux/policy/selinux/immutable/fs.cil
+++ b/internal/pkg/selinux/policy/selinux/immutable/fs.cil
@@ -52,6 +52,10 @@
 (genfscon proc "/" procfs_t)
 (genfscon proc "/sysvipc" procfs_t)
+(type proc_cmdline_t)
+(call filesystem_f (proc_cmdline_t))
+(genfscon proc "/cmdline" (system_u object_r proc_cmdline_t (systemLow systemLow)))
+
 (type proc_sysctl_t)
 (call filesystem_f (proc_sysctl_t))
 (genfscon proc "/sys" (system_u object_r proc_sysctl_t (systemLow systemLow)))
From 17a2d9b4cec44bb04ce87549ea3763e283ed0a73 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 19:01:34 +0100
Subject: [PATCH 20/35] allow apid socket comm
Signed-off-by: Dmitry Sharshakov
---
 .../pkg/selinux/policy/selinux/services/system-containers.cil | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
index c45640aac8..d18fa492ed 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
@@ -8,6 +8,10 @@
 (call system_socket_f (apid_runtime_socket_t))
 (allow apid_t apid_socket_t (sock_file (relabelto)))
 (allow apid_t apid_runtime_socket_t (sock_file (relabelto)))
+(allow apid_t apid_runtime_socket_t (fs_classes (rw)))
+
+(allow apid_t machine_socket_t (fs_classes (rw)))
+(allow apid_t init_t (unix_stream_socket (connectto)))
 (type trustd_t)
 (call system_container_p (trustd_t))
From fc3d3e6fbce6577024af2fd4e5100c3b37dc00d3 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 19:12:06 +0100
Subject: [PATCH 21/35] move installer cil
Signed-off-by: Dmitry Sharshakov
---
 .../selinux/policy/selinux/services/system-containerd.cil | 5 -----
 .../selinux/policy/selinux/services/system-containers.cil | 7 +++++++
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
index 010a80906b..0d929a099c 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
@@ -28,8 +28,3 @@
 ; Possibly a service misconfigured by machined
 (type unconfined_container_t)
 (call system_container_p (unconfined_container_t))
-
-; Talos installer
-(type installer_t)
-(call system_container_p (installer_t))
-(allow installer_t system_var_t (file (entrypoint execute_no_trans)))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
index d18fa492ed..e94b0ef838 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
@@ -1,3 +1,4 @@
+; apid
 (type apid_t)
 (call system_container_p (apid_t))
 (allow apid_t init_exec_t (file (entrypoint execute)))
@@ -13,6 +14,7 @@
 (allow apid_t machine_socket_t (fs_classes (rw)))
 (allow apid_t init_t (unix_stream_socket (connectto)))
+; trustd
 (type trustd_t)
 (call system_container_p (trustd_t))
 (allow trustd_t init_exec_t (file (entrypoint execute)))
@@ -21,3 +23,8 @@
 (call system_socket_f (trustd_runtime_socket_t))
 (allow trustd_t trustd_runtime_socket_t (sock_file (write)))
 (allow trustd_t trustd_runtime_socket_t (sock_file (relabelto)))
+
+; Talos installer
+(type installer_t)
+(call system_container_p (installer_t))
+(allow installer_t system_var_t (file (entrypoint execute_no_trans)))
From 2662b86ca6c53df0c78ee2fc0be984739015081c Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 19:28:22 +0100
Subject: [PATCH 22/35] work around /proc/sysrq-trigger ctx
Signed-off-by: Dmitry Sharshakov
---
 internal/pkg/selinux/policy/selinux/immutable/fs.cil | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/immutable/fs.cil b/internal/pkg/selinux/policy/selinux/immutable/fs.cil
index c206d97695..f196fcc20c 100644
--- a/internal/pkg/selinux/policy/selinux/immutable/fs.cil
+++ b/internal/pkg/selinux/policy/selinux/immutable/fs.cil
@@ -59,6 +59,8 @@
 (type proc_sysctl_t)
 (call filesystem_f (proc_sysctl_t))
 (genfscon proc "/sys" (system_u object_r proc_sysctl_t (systemLow systemLow)))
+; It matches /sys, yet should not have the same context
+(genfscon proc "/sysrq-trigger" procfs_t)
 (type securityfs_t)
 (call filesystem_f (securityfs_t))
From 12e210969972dfbcccc51c3a3166c2598dd81bda Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 19:47:20 +0100
Subject: [PATCH 23/35] allow sysctl for all
Signed-off-by: Dmitry Sharshakov
---
 .../pkg/selinux/policy/selinux/common/typeattributes.cil | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
index 2b986d8497..32a0d0002b 100644
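Review bot: `(genfscon proc "/sysrq-trigger" procfs_t)` in the fs.cil hunk puts the SysRq trigger under the generic procfs_t label, so every domain that holds write access to procfs_t can now issue SysRq actions through that file; which domains that is cannot be seen from this hunk. Since the only reason for the rule is that `/sys` prefix-matches, the pattern patch 19 used for `/cmdline` — a dedicated type declared with `(call filesystem_f (...))` and a genfscon pointing at it — would keep this special file out of the common label. The comment could also state the intent rather than the symptom, e.g. `; genfscon matches by prefix, so /sysrq-trigger would otherwise inherit proc_sysctl_t from /sys`.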
--- a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
+++ b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
@@ -42,6 +42,11 @@
 (typeattributeset device_f common_device_f)
 (typeattributeset device_f protected_device_f)
+; By default, allow any process to access any device except special ones
+(allow any_p common_device_f (fs_classes (rw)))
+; CNI, containerd, many different services read sysctl parameters
+(allow any_p proc_sysctl_t (fs_classes (ro)))
+
 (typeattribute any_f)
 (typeattributeset any_f filesystem_f)
 (typeattributeset any_f common_f)
From 7a3cc4a553e39675a173af261dba8df877d51d8d Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Wed, 27 Nov 2024 20:08:43 +0100
Subject: [PATCH 24/35] containerd: more permissions
Signed-off-by: Dmitry Sharshakov
---
 .../policy/selinux/common/classmaps.cil | 10 ++++++++-
 .../selinux/policy/selinux/services/cri.cil | 5 +++--
 .../selinux/services/system-containerd.cil | 21 ++++++++++++++++++-
 3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/internal/pkg/selinux/policy/selinux/common/classmaps.cil b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
index 23582a4609..9a0f39fc32 100644
--- a/internal/pkg/selinux/policy/selinux/common/classmaps.cil
+++ b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
@@ -1,5 +1,5 @@
 ; Access to all file classes
-(classmap fs_classes (relabelfrom relabelto rw ro))
+(classmap fs_classes (relabelfrom relabelto mounton rw ro))
 ; relabelfrom
 (classmapping fs_classes relabelfrom (filesystem (relabelfrom)))
 (classmapping fs_classes relabelfrom (file (relabelfrom)))
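Review bot: `(allow any_p common_device_f (fs_classes (rw)))` is wider than the comment `any device except special ones` suggests, because patch 11 put device_t — the label of every device node that has not been relabeled to a specific type — into common_device_f, so every domain now has read/write on all unlabeled nodes, block devices included, and on any node created before udev relabels it. Keeping device_t out of this allow (a separate attribute for the explicitly typed common devices, or listing those types here) and granting device_t only to udev_t and the few domains that need it would preserve default-deny for new device nodes; at minimum the comment should say that unlabeled devices are included. The `(allow any_p proc_sysctl_t (fs_classes (ro)))` line shares the `execmod` caveat raised on patch 09's ro mapping.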
@@ -18,6 +18,14 @@
 (classmapping fs_classes relabelto (blk_file (relabelto)))
 (classmapping fs_classes relabelto (sock_file (relabelto)))
 (classmapping fs_classes relabelto (fifo_file (relabelto)))
+; mounton
+(classmapping fs_classes mounton (file (mounton)))
+(classmapping fs_classes mounton (dir (mounton)))
+(classmapping fs_classes mounton (lnk_file (mounton)))
+(classmapping fs_classes mounton (chr_file (mounton)))
+(classmapping fs_classes mounton (blk_file (mounton)))
+(classmapping fs_classes mounton (sock_file (mounton)))
+(classmapping fs_classes mounton (fifo_file (mounton)))
 ; rw is full without SELinux management
 (classmapping fs_classes rw (filesystem (
 associate
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
index 48ddf7cb2b..c3883eb486 100644
--- a/internal/pkg/selinux/policy/selinux/services/cri.cil
+++ b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -4,6 +4,7 @@
 (type pod_containerd_socket_t)
 (call system_socket_f (pod_containerd_socket_t))
+; Shim and client sockets
 (typetransition pod_containerd_t run_t sock_file pod_containerd_socket_t)
 ; Transition to pod contexts
@@ -14,8 +15,8 @@
 (allow pod_containerd_t pod_p (fs_classes (rw)))
 (allow pod_containerd_t pod_p (process_classes (full)))
-; Access overlayfs parameters
-(allow pod_containerd_t sys_module_t (fs_classes (ro)))
+; Common rules for containerd accessing system
+(typeattributeset containerd_p pod_containerd_t)
 (type pod_t)
 (call pod_p (pod_t))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
index 0d929a099c..7ddbb3ec26 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
@@ -11,6 +11,9 @@ (type sys_containerd_socket_t) (call system_socket_f (sys_containerd_socket_t)) +; Shim sockets +(typetransition sys_containerd_t run_t sock_file sys_containerd_socket_t) +; Client socket (typetransition sys_containerd_t system_t sock_file sys_containerd_socket_t) ; Transition to system container contexts @@ -21,8 +24,24 @@ (allow sys_containerd_t system_container_p (fs_classes (rw))) (allow sys_containerd_t system_container_p (process_classes (full))) +(typeattribute containerd_p) +(typeattributeset containerd_p sys_containerd_t) + ; Access overlayfs parameters -(allow sys_containerd_t sys_module_t (fs_classes (ro))) +(allow containerd_p sys_module_t (fs_classes (ro))) + +; manage cgroups & namespaces +(allow containerd_p cgroup_t (fs_classes (rw))) +(allow containerd_p nsfs_t (fs_classes (rw))) + +; mounts +(allow containerd_p filesystem_f (filesystem (unmount remount mount))) + +; mounton for masking +(allow containerd_p any_f (fs_classes (mounton))) + +; logs +(allow sys_containerd_t system_t (fs_classes (rw))) ; Typically a system extension ; Possibly a service misconfigured by machined From 1c4d82ba88729ead111d03c5fd464a7d0e840b1d Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Wed, 27 Nov 2024 20:40:21 +0100 Subject: [PATCH 25/35] set initramfs context and allow rules requires kernel 6.8+ for userspace_initial_context capability Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/policy.33 | Bin 31189 -> 33687 bytes .../policy/selinux/common/typeattributes.cil | 1 + .../policy/selinux/immutable/preamble.cil | 1 + .../selinux/policy/selinux/immutable/sids.cil | 6 +++++- .../policy/selinux/services/machined.cil | 17 ++++++++++++++++- .../policy/selinux/services/selinux.cil | 2 +- 6 files changed, 24 insertions(+), 3 deletions(-) 
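Review bot: `(allow containerd_p filesystem_f (filesystem (unmount remount mount)))` and `(allow containerd_p any_f (fs_classes (mounton)))` grant mount, remount and unmount on every filesystem type and mounton over every file type, and because cri.cil in this same commit adds pod_containerd_t to containerd_p, the runtime serving user pods receives the same. With remount on all filesystem types a domain that also holds the needed capability can, for instance, turn a read-only mount read-write, which is broader than shim or overlay setup needs. The hunk already names the types containerd touches (sys_module_t, cgroup_t, nsfs_t); listing the filesystem types it actually mounts in place of filesystem_f, or at least a comment recording why the blanket grant is required, would keep this auditable, e.g. `; mounts: overlay snapshots and bind mounts into containers -- TODO narrow from filesystem_f`.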
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index bf5a6902dda5c245788f46b7265d70c22be70ef2..2483018a29ad68f31b6460067bc1f115968e84ec 100644 GIT binary patch literal 33687 zcmbWA+m;*0b%wz)Ez>q*$>U?<(@>H{$vT=kIfcs%kPowNuNaMr@fQSo zK=nAAr}O!g=I2y<(=455jC)XZnhn#VY&e(}Bc}hB>aBF%JL%4j=>B&7{Z>9d=}xlg z=%PTN4)gITQ$T4{EXMO<%oOmNPA1v74|`u%4fGg=Y{Q~=%I8C>)!g%f&daKWhC%L| zswEfVwLhZ^8Pi2SpLf$!BHy#yS#MMXrU2zd zZ$5-W6nATy&ogxMCDlxWMKMoHDZi$#i!myI-*2dv{02pU3pK#h znPkr9?N(u`R;!>>B%4X2rKTW#l#lzhwxy8CoNqx%LHB$M>dt5LEZ7B(rL1By$9ULf zcCwiFi(6x~gW!#(0l8FV?+hnF7m?l>i@4Z{Iq8WHaINT|Br7^NO{r)|^osE~ z>&@X9V`IZEA~F+%=%Dt}NqUqI^ZA`?l{!IZ;!)b`7H8RXn)fq=32qqt1=e7TD*qiQ zGSFbq;$#3Wly9Y{SvMV~(-Ct9o=&pf>7>ZV^X@d8&5LQqJcu;AGaDAih>gOJ&|7!5 znBnt~f??Q6`=fjeeW+Q2eA0^?fu1NlAy+yA=rFt(=eIR|DFH0^#mcm}16f!J{lR@1 z5rm$}-Eu`Z!{NA!5T=4Nh*_m!AkM|WgQ~7{TrnE6E_cbMP-fIvPCZR;(f>VFsfDk3 z!K~Clz=qAgtGdT|FYp!IFPl#^7rda#(doG8lNCriP{#h7^e7+DpO390Om-8 z4o>so5EtNkKXL(J-&YMhWwT;2?S+)LN+Y$>@NVV{=7L!&X2PzBfw%){F%Q-yH$gR^ z(_IDDao&d^5+>cflW9@Rp?y$6=JPvJ=y;F^&k3dq{wbI&I%M#7E7Zw+nwE;HLTw;L z!4~Nm>PMo@_a9W>=lLi@k$6b&L~4f`nGIxRy~Qv?$EY``c3PzUUOEdwN+=Gqbe5rb z^roz~xZTZ1qs2Tu8U`@5Q7_ITo21j;38IJOmdzJ=zYl^c;xp4rs`R>OR+42`pIV{j z*|b|G#kJIEBDfl56cB%G|hTv_zw8)Efyh%0_(lrs(1Y)mRsHnL&P}P%KUt zlU-GVR-yPv3&mMhy7-R9BG4!Z0a+?#rp)}vc42UvlzLdwQcb}y`PVY#UA(qIdS z4Hetnk~Tw#XblsylXRMn2y!f@En=WwnF%Z$!Qh1wFQ`nc(LuCn_VHv|<}^IQsH1Fj zluZTLDhx&kzgLYdn+}h6H6_YI3N(bHxD1s`*y={xU3bNw3?+sBTon>7N~hPl$T*&@ zmOF1Lj1+&8nGxj`)mRie>8v-)gM}x>biS)_a0XGbIzHJMjvxZIM<)pLctmP z;wFPlwR&ewEPiH-aaF*KkE_PIu#21)M<403ue%7Tq-kmm+$z>^qMlegd2jUDl|wG3 z{8SYWp;F`}`8YpHbuFU(3)vlk=pCiw^jP{@97!BdH;egvN*%Gj`@Qx=5yF70-zZUp zV7XVKVDhI`W8SqgvtU;j)`4doZgl^eO&gaC=0UiZRhz7Joax#x-+8la@qf2LE}!+s z_iO48HfZ$He6TAG(go#7RrW_ziuT%sGhfS1mRBe)RA{5Hvpl;6R!9=zx(ED_2Fimc zI!H2J)|jm|gE^!BgOFkk_tKp;Vj~@hMC?=!DJ??%JZ;=xedaKBI{NJf+tb@q<5W=+BJV z8-?RKJa_i7E*6GrY!$ofyXuK`Jsj?Ab#wVoBEe)-it-YtxYx|(cswbukn(w6jL{O9 
z<6@?>g{Xs}n+1{Jl*#pcn%zo=!zTGqXIP={cRTCDr1wN1R_M`ip#$_ncUyMMtX|O21ENqV zRg8JTs?M1S5vJ2s{dAa*@;UwCs5C#;Dfa~Z0}{F%44pz3&ppY?1N(5+n;(xC!*FQH z>M$-+P8b%`a0(gDKu^+XIO>IhXiaoJN)vVI>rB+bc`3|>3+E8{^x~snC_N|@z%EIm z1RY$q^ZIJV;)5`RV%6L#a72AwHFh_}ui|P~Uqky) z`LQZ9I@ack#vKf*22J-LQ{7W+J%dCIls~C*5l5vQl{aXZg`I1uY5OD)wq2MS`^(>t z>#IB{1i*9=e25ts(7HFn&Peua)mT4s7Lgqz(N|cHiUz)5F`OgI8<-8mn4G8?S4m`; zhAVO0p#*XBAdDs!@I7Ou{mC>x!z|lL2o_4bR;kVL6`{sbo8$3-i|GcAg}+tMF`VGG zeA+o?C(%lbrRd}cLLXa&KJ4&k)tIB({l<&Ct?>fbly7a2m=?3f>)R$8HXVtA1n5OZ zipdAWI>PD9q`DPNw>DjTRcost5cQ^NEY#$r5W!vbi{m3371wY%(v63W9f!N(Pli#h zs$vByC9UolD%)DH)#3}1_J<>$32@+fF~(HbTxmy_tDJi4%T~c-DbK0Knk>)ze20&O zi%PXrchgyYD;F?>%E%8=>egGMj?pVR{(IF}$9CnOwpjCGS6w?Wo^PR+bK<)zF%*UN zk5psBrQ>3(b13b4?s1My9!0hfRb$!Ch|FENaCowQlQUhE;LhJDV?k#BgK9iG_nD^i zop0sgT#$iWOlHUI;>7Ug#_;<%SHlKy@XHMn`Lw_D-j(sxH#TVKPU2+uJBg<9_6C)H z*1L~{fJ!JNE86~!H=3us1mG01=`Pv(c3G^=+%*C6sHb=*#-#sf_a0V3qkfsU-Dx zN5{dv5Gfz&2GOh->%J%BLIT(2lN~DThzHI048JCPg5xpOI7v8*_s6^6Un3l#^^cph z20QQQY=Z6viBXFQgtk>s6m)QZF0=>}rZ4V+473k(g)mT2e zUUej2?7ZMvVXtiv%qRDKuaPU>_E;X2^F+Xd)~iqD{BN_8V@X}BNQQq|wpq+Ce!XVkfT<=Y*hoALWvliw#fzyw=7h^@d?*3){ zu*Rio35yKDC5CBp3|8BNY~$RfCXWa+fhYtq9*M?j%YT+mVT(Z@MLqdg&N3V_8Cql| z^khdka2UXXWavzba+hPF(kGGLU3w6=JLll&FANIeu7u9Ia{}}z>cOB9)hdpI-I>$`sxX&gN)m5IeUl=xgPuavm5<^o z@bE!|cKS+~NjzX~{BtE0PsQ6-0}MHd28QHds_2kyml>0*=#FFXUxYTvDh>zuHK<0f zus;Q!}@O#YZD}bQLQmQ0pM>CGf3QIKBuzX0d)4Os4wzBXFNFKf+OZ=f)d||#%;J>n3K5h zpw;zOcYt=#f&0v8h_nHtuBg_IQYACYN3j1a>I)BZ%wY~suIYuRT~@)=4JY<*N8_{( z$;1f8?#MIgD77@sK?Dp7nw(GXLX>GG-ea6BbkR3Ff;GbV*U>muwXRY+!YNOc7Aw;@ ztGef$Peu;6khCsFec9wB8)ef}6Qk}l>JmdM`6LR#h%3}&M-ykCcOr0*dvcnWeEdG@ zAt%`2cs1gf7>{W~jZE=u1Rv;OnA>zFOhuL!*! 
z!K*{U;DEo2;W*%mcgu~;NrV=j#tbhD{4|2X0AY%j%s`caBa5C!y0~dn1vuD3ydPLNGX1$hmtX5 ze?ICS&yW+}yct3J>FngF;7RVla1nI{Ap`Ua)O?} zPD@SPh`JE0+I}+y6=T)Ym3elN2u3x0Pi>0FB;i~62Uz^wUB>m;*>i1}zm|eu*S}{) z|2-jnRg2T#t9|$S541P!cYac}3vHMGM(zK)e)q!r^2aL`{0*&J9{Z7Ym3zSd`|c<}CYCrzu|AcuBFLd4XbnHv`HxQ8aT>nZ&(_B+9^9;#`=Cvu?^@NF0T!F*nb{2|qTXJw;(Jw00bz`mG$ zN^O{i2kRUkwqIcj`^-135NdGYy&1I{O!_2mG^H;7I1SxEBWC!gNEa8ndL79QMwC*l*ha{{s8 zHok4U)3y$=i|2wL+ZR1s5BP?4wO{!vK2QF!>}0gd;`>c`3VwT4a(a?3;UmG<^v^i>s_C=7 zIPbxya}l;P&)ClR@MhWJ!Lp-g>mMHMV{a(-jZf^GXJmOroRQmUUsW3$k#CVvIW6RT z)5J!W9iFXc#yUsg=RXcKudB5mYz=+<$GNM}4$As`Ode*PU^~Ywc`Wd$I7JVZ9Uh*q zcqTSIFYy8n@xmHmKJiuOI&@+^pij?*EY<@#$N1>YcI+vSnIG`I2Y_eiG;)_|qLY>0 z-VMBwpTYN7V&N%x7GGEO&w3!2nkM<-BJwKdGxi1AmA$@Rwb3(lfFqaV==o|bU3G$Zo&IM%Ekq1nh$BH=;buT$Yizv!8!O z+{eCW+1bxPpZyGDS9$V*fDe7_V&2F_wgqkb4?H{G!GBCN(Hm>G^@IP|AHZ>LNB_oQ zy@qG@0AJ8Q+wLRn&cRW6fEZuJ;2SkR*vR@J7Tkt6%ZrR&@5r&HLw>LI z;q#^6Dqh};?3Jn?-q;VIf9n|=c`oQ%E@Zdf$S1~OU2t5yt=&EN=$yC+`A74zFEadL zS;#uUKYt~B^bC&apij#}+rEb^rU{?+d3?h@2A__7a9*nDzaVVSi>{n!_B*c$<3i_C zog@$o&I9Bn`vdfC3uHGOp6$b|DG!QH=hA_s+SkmbT+lI1>~1>jL(Btt)ouLEZQ?PO z#rXlbj6)8zjI{0N#253*7T1BB4!&et6Ps6sLvBCRjacCL?GN?Ox`O|BtaAu!jp;n4 zEMxp{Njq*63)T;ESr6FA`2n3fAL85AEjoO^(&44ZZ})Zb`!&JErl{oh^9$(8KEtYM z9`K)7SN2=*?c2y`x!}`uh;i$deX@NF-o8=shE1&p_8TjCi<%}pSa!x9R%4NUHFmWR zXKjLK;t1P$uL#fHn_)-$KkG#z{Em9rBmGouzM*IP4ErMFW$lKC*VQKO@FnXU{vG4w zgjf&efxHo7S#eD)SclMjr=rPT!oG)1%>ywK_ITQN5mVL)xvt{vVpi=jbk?>9&(3ey z$oeNGRb(HvhKrF>HEM-UH7a*%}$GTl~|x1-RSj z=PSa;*6eevL-LR10_U3*4ze5PZCTXv_Cyi>|3y=iHykhc*vr+}lgM`Xyy580G~sR4 z{zL8O_*?!%(Ax+@J~yBGe6Mx{)BykX|nFXC+iwG);VV;wgtYu((})hQA&Lh zU#5djZdP*P!evMC{StdZk43l6Gw8>0itG;unxDwOUJSf3Gd{NB=X*6BY;jfi z;@SuOqi$5D5 zd4Y4j!Mx57_?Y#4sPz#(*@xhtvF)rk>|z_Cf5#?zThZLtQ-P%qe^Z_cK6)enc&|tt zL7(-Gc=tZ-Io+2tK7O*|?XVupT=qAvoy{k79M{CAZHhiuI{dKK$)RrBSzfLUjYG~1 zKBJt;9^N{{b}PGoG2mn04>}*zJd;c9Z@*Wjvn=F5<|@xaUJhfGUS-97T^T#xzZmeb zBQiQ((6jYMj( zmx=`Qj2)e0iEC&QkB5p=^jt^}Khi(r!>46OUifD&u94v%|AA-ALd-H2y%86dms|}T 
zzk=pfwaHQNx3L)erTH}JTNajU~Ag~9_(-E%KVTkyk~$n`z?F3 zaMmOU=b6?gYn4%#_OzYfo^R(_;KFAcD6P4GH>L-n5OlBKcHLu z0a=U#9mgQ+@=7PAkHJ5FWxEhNw5@0FOOf%4;P~*b^v^N^cT7Fgd8USwOU*MpSax<2 zoUb0qACSw}&fr)Ua*Jh$zI_ARS?B1%e#ly2{-J3dV#i-pJk$PN)y5X~=Nt0pJ>a^} zMIK-*d4QNQ4rd6+f=-AL(}z!DP;1-)`vm(TyqO>DYx>YM4t#o#!F5O2<6TM=Q5R|+ zI0rBt##+yewXTRk+vo>X{K^Z2aZ>Zo-orK}uFXF_?A(HWxJJXi#13*v-s|j_jDvrg zf7-SMdobYWhk3n56YpL}xb83x^q~npw)lEAFS2+peAs;A+qCiR&qdeT_^SDYAIBj2 zHy!v{*{G;_L*6H|}=#xE0@E`dV zd%S8Lyoerb7uH|%Of1+pkjwgfNgm+1!w+M8^8?&EM-R3Ubc{pWvCLe~f%t0dZ(ciy zi=gLM?_Ot3bX>C!ac;r?Jumuk`}Jt8e?8j&Ft1}Dn&uN>a=@4sSF2x!$T3-CYZSt!96CCT7JP*(0 z0dl+fAt%EF>jLWjlP#yrBo%2%gO+dB$+g zneAibZR-S|@fu3oehUwOtavz-O|gZ_9w*nKeNf&j@t%RbH!@CyRJO}lg9qyhU$Raz zJwpm_oh824t#ODW`!K$3KSvKMTc@>L!0p3~HGS-E|3P+i;?RVZ&Kd zY#01I$extGXFeIb((_)ee{5m?X`4RRM5d1&Jr;RQ6B}7B;I=6`G|exGANwk~*ZRRv zg01BzztHZ=IKPY5WzN&AAM9?OkSpvP(5%+VyU+|e6is9?|ExO!uDHWz{!sZ0dDVQf zhp~+0CCkFR_F?2*t$pv*va=_#{=xTJ#&sDy%cj@Szw;#XA{W=NO({Y8<~%!k9$WMcdUH z$B(ye;`k9);B9m`%Q8Q0I6Q)FoEuR)QQO5&Po6gyPtTf8ve7mjp6)b`-@)K}Vg!Bi zoTqX8O3x+^&)OTu&(&|@@R+J`+GOXs*L&gMSNFovKIfh|ycBXTIy{hmFC0Hx4PKjE zex&|999|T;*Ia&Q;5<5h;{H4wzp-^5j$aZx565pkoQLzBNG`w41%9I1R{WwJF?BT8 zt6L19wgn%3AZKH}l(#eTR8P+Df=u}9z3XfDf&2V@;J&a6E@?qLyr9STcR`2c!L{AQ zBLnIspk2udb!SZ+>-CXc=wiE%20Idl-;Z{qOTr!Mh1F@c3m52^AMw*~0_}oM7M^{) z&}06)F@uncqkK1Hh@a(C{YKwz_$Wm$(d@!EsDHgT>YmWhU-`m_3CHO!QLhWw@GNZo zJjaUq%Yu1qqP7e8EK&8VPezJ!Tw-i}nw?SjX)9yLnROEzeTUZ$j2x%fO=Og!Ur#dX zz38sV*oF*Eme26oAV2-MQcGJRV+cww-}^K-_rm6#rF+vB*}CwmBy**!Vb9X(8U4Zx z-xE5j!b%^%g=qY>!H){b9Z5Bi4+JaUS90&#u&e5JN20b1Zo;teQzk~(X(U;Y7kL{8 zJ*G}~Bx<{0vFIHdqpVH%L*ck1@j!i|Qoa7?uC+1oVi}J?E9KkSjl;gHZg<4PNLJ;r zIvcM|*ESBF^r9rRHmJ?)VNlUe&B#uJNC)NniY-p|j1WvQQQIZtk@T;N(?SX<1qe2!-Q;{FuGsBtga z0PHjuCTt6aHvR|(jj4CfJ55v#>RV51gZxhErsBgOz2n(9$S;C64r+7d^W1W*K~Fz_ z+&Ed=IJ7=VKZ^!=FP+g$x26nVgKf%1m_A$mGK-qE$8pAQo)bE%g7Ti#JHLE&|3TDF z)OO+eAKdB3PtT|M@p1XXRUUONM;dje-y?$3z3_>L^4D*SxhD7v5s5@?7lxIuus05i zue%eE(I@GC^-CU&Lthk%I}){B7#e=-SN~s-7Vo; 
zma)??lz&_Qv#(~4Z(~w}Lfj@MR0U5`baUn$J!tz!v;+ zDZn-y-))fhaw)(z{sHLQ{9jI5;L8?x$ugs;HUF1O0UF>zfChLFpaC8PXn-GdR2txb zn&8V8c;Gpy#zg!F0h-_l&;&<-CO85#!4F#C#^p2SXQ}VNs4<)`jqtq|xCCg#mjI1$ z3D5{XXn_m45r5eNmjI3UoxK+L#TNLb7WhLg@PlpmgB_J*8xFX$Y=L(!BWfhr|YU8IoJv9Gc+eYY~+pF@Rt-0244my-X zb*b7c7rhNQoSawia&!YuI8-g+LJgsrsIgS_T+564qLPHaC7AY7wFM`PxCc(XhQ@R{ z>vIJU+N9H2vqc$VTR7`<=nniZ^=Y2<2udhP`LX09QC+ImIO}tT+n}2`8~O=jjpMu| zl0h`XYx+sq0#5O|yi~gl2c;ycOI71+@^GNOM0Kg!hC@GfscM`~Qnr9oma0khX`Icu z@S07WO*%}lg|n{zpr9?Bi<(>|34iscTKAV~ieyG*|Eo|k!<&oHn4M04iV^D;gEUu68Hkd&&zy~SN##-vDx{I8q_bSo>TpHtb=k`bbFK0Xfpn+Ko?Yx ziYl+F8O=LYd$S_13dVg!byf`X!(up?O-4-rP1S38)jRIa59$8a>ie~_I_^%3+337L zpbpFN2~$96G+B(R$(Si%I-gF9aUb@+rW)um3fYE}-U**~tH!yj37ub5ooE>3zM)!k zAzu4)x{xtn^vkN7_j<*A&dgs`ov($vsIRkPoR13VeK~x~`yleYxL))|lfV?9a?-1Y zaERir&C04kH=kD>#oW6Yu|`1&Q)j~A0Fucf?4Ul(Ik0KZ>Xt@#a#02gY2sdLF( zRQs*MRC}$0PLXUbjn(R$3?G# zV~mXryNJk45Tb+H%cuEaIV`Iim!djBXW~)b>rPIK*{tjr2ou~e_zSGT7FGT`P-LLN zpvCC`Tqs}5Pl|3n%x5F!3_Kkdy_4yr99P|0F|Q`Gf_V^Weq%nI93eIeKSXcc`C^XG zLkfmrC-0BSG4!Ek3Cd|NaRhpj@Pu6L2%y98Vq9L=^tA-A+!rge$qmTDO6U*n%ZMQK zT<%sX!Wj<7F+!LM&LC!$hJiR20}oo_u+vMzTiW>99-SWZ35uhIW~RjGxq<%C(O zgMba2--+GhvKROY?pIV(%>^&0a&$7D^vMdO9Vlb}?!1_tY7A3+SCuKIN&pqopo5cg zIK&0`-cMWr*uAQOr(!-?%z7c^t<%U#X?QpD1#`hH6*FO1#6aAEv{(k~lAE9!(CLnW zbyW6Yh=fUZ?|3$uRM0+%kgB>Ng^mYh@SI?(;GcrYqC*CMFQQJXSzaqDhT1@if-TZB z)DK0Q@At*;RXHk9Bp%W`mfE34W&>GSZ!s*;G3pJfolWw7FQ11XB@~B6J}*!_dQ(#$s*)%+;C%YhdCB7ee4w66kS|aO?6?H8I*?##mUKH+Ez7a z6^ak;p*SyU7jJ1S0*!(Ykfl=Q+8k&-yTNz*dMp@(cvV~vkx$2IJ}mpn#$AQ& zVK6$ls+w9hA0D+eCCWkyG=!tL43$gR>L%M=ccq^UC58S%6%sB=rKI1;{u?SiHioldT|C1STGJ}@2PQ>tEL zhGI_46*jfeW|)wn+Va#JUA1?L=lP3zQn62Zt>ty<%0&V;%_>_Pw*K&efwajjj>u)m z6wJv+r7!!I%3swDL3axK9(4JDYN`f@#Pz|fkx#@5`WR}d3Ofp-G-xA0f>Q{xQ|x>= z3vGYb9;Yfskj20BO`CHzJ&;9~djF#}B=4h-Ag{J}r4lLG7RQW(WS#kBSU3mAfy#Re z?Ybeylo1y{*0-Gk8ftk-HMLrP{nAg`dYIi5$4?UjyX!_Db4obVpV&gd8T;ZUgUz&h z7fmdFYK!qyz>JTorn<0;oJ;OsdmcV=+i5QTuk}7Djq_m z$V&aL=hWS?j3KvtQYIvuyF--Xd4d`{Ua+^`EwA 
z^zw4hmImp9^0+GdBPvCEZNiza^(MKzFTLue8eJ#2m4TrCyD;tn7vUruETTZ zAM0UZsK!pQyS}cTRM*2{Ypa{f_eFxqs1)TTPH``p%kg+xKOvP>IT@oRFvpX*&K8mm zhHe)`f>Rz3SO;C^#c2H;Y+(9n@!k_K6>mOjEgsH{N0JbD5Vv?+k0zWO&>hc{yW>eM z6C7|frhV4zM%Xdy%T56cjl8IOpz5M{*?ERJBXTeWyjoW)GRLzvk5b<5y`XWawj3+7 z{wQzjyQq!AqMLdJ+ZR*`tUm9CX}p-j29BTA+$mPNalxky`nU$)^rQ!1yBr9>g2yS^ znR#GP&WdaKaM&at>I^IN?QUm%nDmASqzXM8E_8rC(c6}mnbiv#dO#E^CB~Q+ta#2$ zh%lX=>Sx1pR95tdqtfz7r`%KY4@l^8FmwuCJomV$5A4HPZ+SFc48x%%tHXGbbHcEg zg;U6I26~*&!ci|2L~E+^QJSbrU+1D0&P!o7JUEBIrxzauL+L@O0Cq_dHLvCP7!*{; zsl;NY_dVgn36Fxud8Jb;#!yA29)?U9x;|Hh;dp4PJ;3JLud|hK=F4*sGvrg)!B6#V zFt3pzg}(@diE1Eogk$dVNL+$~=k;$Wv~}N@gQoY7x!x)6J%dCIl)tI+5J#mP)-Pz7g`I1yY5OD)wq2MS`^(>tR!@0Q2!Pol z_z*KNVDH`xJ0sa2R8##_EFvu<(N9rQW`LuJ)kCT-c zOVP;@gg$l(ec0gx)s&;_{lj~b{y_XKN&`OL=`JgDS3Qj zsBCM&){8Gl+8>U%6X3w}VvMPmc<>Sd% z=TO@9+~ORYJc?|8R!wC)B{JJ`;qYYrCTF@R!JWNP#)8cLSJiZO-ZRar*01t#F33PG zCDSsyI5E7sHT*Wt)vy5^{C0~(IqSFHyE2~o$`%d1Nu0KSlV~chZBgkLz1v6#sDwhY zqV4Z^Q++DRMuGUzR){-5C;&4gw|*EK7Duk|m{7RPLbwzD;o6G`;4{!$z1agm%sPRD z{T{%@INXDQ02BiO9i}oE*sKWMYV8ylWViK{YU-owvw=%V^Ngn*C$}Go5Ij;T)1sKs z$9M7=uuY>EH!qyJyat%-ElhaOp|?(LYU~ud>lO8|JHSko zd9P|*3*k5H4bD11geb&pG-Z8#+bMVn<&rA;vOc+$QNJ3DnV*wNQh#@J6x<7u%8_0W z%_n2M_hej1;Cg(rLxmmjp!uEQJ;EnA9#&10gtK^m-2VL<;Q+07w`mPp@91oT?iPvB z9uo*{r=Te4;Ql;l5fYSsIZM($P%`suBskg+&t&1q5xudeniYD5s|Oy4@f<-Mo$9no z<_3lBUf%DA?`rN8yEQ6F-Fi?CCT;c)R_AXtJ~hp(KX1DPv7A$WrkX}Za>_o9=dyIy zSN#~UUC=4~AT#Q~#VC5Ev|h_lIGu{~qC5?*$e4W>5r_(O^ApunKD%B#lAp9*@T{<3 zZV@b}xBae>C*JgVYtg(L#>C+{;H=jL=!%NZpk+#Y5i`rexB5S68(izSURk;U7aY@Y zKd_~$zpJT|Ei?W1OUwKJ^B(1dsoGTNl449_8ZO#(D;$NsRmuzR_@bM22V}WHGOU^{ z=2gF|XFYC08Lc8A9w%svesL-!Esoua4c=dpzW(7tx3-3*;%haYm_!P5r+seC+8-0( z$wK#M*~Dvw)in>C4%!~0x6=bn2P>l#EK=e|ciZYdlCX!2B#Qe`0%^g09O{_f;|ct9 zRNq5%-)l)BFYP6ItyVb1E6ia& zzR?XgrJqPfgwP2of^_#@(vyUhnGNy(NP?q-)cq1)4%YwQwv`P+PR5k(*8{QB%c}`E z$UQwNYd+pddI)+O9Is9{Jlv*+8e#opGG?GVE7$430KZK-R+^Vv*DEuw@Kl1KgBN9s z8w@@W_zy`}P#hF=F`G19-}TVOuh7$)(iN(BH^J9+|6?s4s{q0fzfbzN3}G@DA9u3G 
zw126M_<8~iW5cn&HZGe+oFr)1`qj#aDDTmvubgXxFEN4tAc5zLYGS1xB=B&9&jV1b z8B}hWR*_Jaz~fn7aKJZGI1aex-Et%IFA}tHX)@gD|7ik+0YVBbnSq#r6N?@tyw$pU;mECtSD=44))jLC65Tnn1%66rzL7zRE)N&nLR! zJ>Ihky7&7aKbXL^&lrsKEU)9udim)moneQ!y~l=g9!@P!yj+d(SVI1qbPaWryH)~& zev|ZsoS?6O3y3IkhPslZ9{fe}JXm-DO;loj<(~^WTN?vi_bD z{Wpa4idg=v+W&p!<`v*yQ~TzX`vT7Wv7Kp7a2|d9p9gQsqAvo!`H%m*sMYH)5$7#A zrfGhlMdLGq|A#F0ivA3LPYdcdBmRe-4;3vn577UD+M+M$hpV|hP-ceC7sNAkE<_yo zH2kD*^_K(=^ff=Y$VGZ+89^_*W9Ya8*zI;Gq8}^=Eu+{dvJ<>pRe)`DEUQ z!n`-{{JtK{j1P`^I8pf9M$G$&@JR}d(dxbR*=*>1oSGFl~{WbEB-aHp_odf23^8B*)G4O+bUert%)g~RD*Prq6Pt!T+e6->j|FN#_(Jcq#qX)}%RgzdI z@NZej57CEjqMru>Kc8s+i=8(jZzs_oYCZgI#V5Y)_(Bhk1?*xzFGhdEw;$G@dAr*A z<4XVJ2m1g%W_zI@#|v%y61=?|c_S|D56rc0Uz7#v9P(j9hE$Kc0t_lz>H z=^%@J9{zt9=ORWNYw+y3fP4L-ZF}Jl)-Che|M6jbhWLVKkHz=wOW4c$p>4k+UaUjf z)(J6UxmZ(72Y#H#kmWZ~7V^Ax!o0)?c?sD~lNowvWJiHWnfR1Ik8mun6Yp;o2?4R(zUPFHoe6MrYLCD+I3AQkASG6->EIAXqTMyX6 zIRW3cZ{SO|5qSVQ#3Q^}7TR8?kkR&nrg=mE=H~%LyJbgjYdzOF9J`~3ccLCH>*soF z{GWB6fd9^cILlYIV=mhfe(Zc7jSHC9*9BHLI3t807aXVL4eOsZ2%6}YvGxb(KO#8$CG=_D;NSWL$NqU$ z@qSJ#B@amWo9DV3<5%Ew7j;~diDpOsi5;y^Y;AmGaZX^~bWi)D#& z*G~%!M_1@awzxu`v5dsdFQKFTHa4{{kvGf(aL4brbtq(-C&KumWE@HY^055``=+|G zebJ|7WY1%t0qz(?M%xIVF&*$tA3GWjZ;lIO`E!&7ek=>{-zPHKAAo-&!kO24h9CP6 z^le}4hz^z858xr4_v?`kG~bNvU+MJPx2Yd@Lb1Z zxzZIljthA9KAGHtKJiKBdPwb?S8m>k4u2im_XYkvmUy{a@Qx(?ygbIbMK0T#b;@#~ zE9-~&GW;8|y2oM{`ysJx-+&+M8GhL75+hIR&tr*q+T;q_(YJ3BJN9$r_1b|R>`U0i zKE_!468Q(7wNKE?Jk{?~h(cUS%c59Xh-FGu`Gg>Btp zQ_Dr{(*pl=I#gXhgAjL)9sJ)oC!M1(FV8#J z;$e+NMtHML-_g#)Jfk=B!0AfCb;2`?d1HNnf3MNc$Faz38KFtU*e73&ZT#8$H25^l z16gaWlUG;t;lViM1oK1NHp-H?KqD!RbxXdr?BsLX5uTm*klngvuVs8>x2^GE;Mf;m z@|uFrSkK?pi*CyT+_peo&xO6L=S#ZjV0`prI&a12eTB;f>}a27tYZy7G)>|T+2QR$ zS;91tmp1l-j>q1S#2|iUJ(C+>6h3e_pL2s$9(*1_* zNc`G|@t-H)LGg|bFUK~#*>=cceEh-o!Y3blPj!4 zbY*$((}}M6KTMum+1~=kAMhpn4?bX@L?>?Z9N~Np+`jQz=d~4mbZ)ue!9IhHEF*ez zPG&8$AEMizN8KX3$3n;UrM=Fv@2_ycw=Bf6$I><&{X8f7_!9o(y$Wsf2EKg&8Ev~? 
zYbRtKvc@4J`%m=dwVS-**kP>U$ZPuK@Fz63qd6ICe&FAF2L5p5^EWuVaC|0dsln zvnf@*jPI{(fuCC^ z@NYW!iFwA3o(o^Ke()2wza@FCA9VYts9Rzd-J%Ef*lr`2V+S3Y&#U4Gf9ohZkjr+2 zhkFCfPvl`&S3U_H%gekU1RUPiJRf9aUVPPjBA0E%SjPymJ6Ay8zRlWa{Xm;%Om6!? zpRv$q|6uy)-1vpA-vQTi${lxZtS=uW^44c5&|zJ$e(+n%g}<3k?CW?$Z}wYcF%Q_q z{QoYQm%L#d@~6il@0#agaZ`3>AGeZmhsJHC+DIzi{=9~}DwIMxq2(|RC3m>=|M zJCbM2GrBbo$Y@;=?9*#JUEu2>3MkyB~E`SMc~8EY2<(NgDmDBTf7x* zLF`x-?BYBO-1>nB`{C!b+pwPBNc4#;_A%nZa^Z*JJ%}{9U3?`JFFmK4snVv>cA?L3 zUkTmDxii7>Rm^Ri^9hdclx*YpUJ3AhbbLGKEF9m)JPXIS8P3AdYlM~Tz8wR8rs~3# z3Sd-UeB8$2a)ohx8Fm|o3vR~oWwvb`?uHm=pMJQXb1NM71GmCauDc};_y2B1$Cs7B z+sCu-sGWu58{B8%_!8b(IKIMm77mxi=syd`SEtXy`F0CBzT$lroitW`4;uVTbzkvq zMPll((xqnxQ1=BNeIOTOU1x8NJkxcxHpqm(ev@?RHgKQ04cyCZa7hc|;j-?`wLypF z!KHTMkpXq{wk=tqw${Xv?rgT9i|sxdv?L6_AGM=P!X4_z9J8Vg7wDLO;6}ffZ-Y)2 zo`1a1-MV(nAmrk(Y=;c-({iSNzos2NO3}^LHhhEn_gkZ~c%r}hmZk}(DKS&83)t{1 z>~K@p_`XZd_e|9Ve3q!yePa(u^I&FdeVUz7_-7xCoo3%{Z1f#|FJt614R0f(6#dHr zM!gl?4H@?#LzCq*+|}owMY^@p8G_R5UsITyeQD3w+_b+nZIN9SRx?KD>tRpP=^1@X zmG2oHv9QvoSO1N_G57%?xg(1M`9QGxlCXO>hW$X@?#R@3!A%$ze&%b0RwK!R`~;?P z&_n8UN2az57E3O!8f9a`2ZiH~%mej_N_FSnT^nQ41vMRmR_fn1H4aPH&vY2csvfq= z#v9Y^8;4GMNfO!^w9o8e(4?O?a=330>7f3Rz#b=iLI|dqsqGT-NdEW5Ns{|ov58LN zPt8nsV_dpl$vm4rnb5zlY8-gK5ZsZe?Sj1r`RbPO#$=DEuW1aM?ty;P!aq&6M=`z! 
z&hSjt1vBuYHIv<#?_qViBl8G-q7(+{-}P|!ZH?2jeaZidLcVue2V1%Q* zub-dXrdBXQvIK7kx6cSDMPu~)kkyjeY8+1u>z^0LA7NRV4GKRJraLmVUC3su--;Mv zVt+cyraPxDWsL4FK|_L*)&uJ1=+lUz^fhcoJ4Da+4m+qi@@xTpFReTu)2 zHlAAlX1h`POUaZO^kQLH{fn-~Vd+zI<}vyt5wCx_+BozXp|~Sc+l8U)U-21ZLx29k zADx-U>67?h{i>yLq<{aiJrX0&NBUJzYptE z@{H-hK}JU`I6HPW-o_k{snZ=<9KZ*2#NURwdt=;z`rVPK?Si{5`puiHeK`It3qQp&CmSs88-=bEY!1yjifv)ops2+Ae7R^mex(Xk+`~ zazn0tvthFMZv&W_R^x(jqvPb1q17;ye_j8Jie``B$D{^@h|BZ|my|o;KqZUS@N-xy z!ZLjtetr-9u03?_-UC0_1JCxrm*Rnv#cF=c*baOTpJDlFqJ!z1;2fDY!4Cp>m!E78 ze7Of61z;F;CD(;ofL%C_-JpjHwE(;LwE(;D15s(BlkI^o_rPnG8AV<5-w6UVz=Hq{ z@E||~JP6PLKj^45zyUSEmwVuW=PZs%_zwa!!4aSdjsQ(?1ZaXE?13AX&y=5~z5}DC zaK1Fc&+UOrfJS@?&QdEXQk*(lHQ*$3)tRdSCs`v7 zM4ytWE>%}^B{=j^GS#JO6Ao}nrn*#J;lu`TD~R?|wGk)5--~lzgHbs4x57a|+c?{Ep`dM??YRybaKb}$gzF>F$n?2XJ*OH+=qjL zZi%D8J2;y*4IZ?Ovy77h4@C;f)L5# Date: Wed, 27 Nov 2024 19:16:39 +0100 Subject: [PATCH 26/35] allow unconfined access Signed-off-by: Dmitry Sharshakov --- .../pkg/selinux/policy/selinux/common/processes.cil | 10 ++++++++++ .../selinux/policy/selinux/common/typeattributes.cil | 5 ----- internal/pkg/selinux/policy/selinux/services/udev.cil | 1 + 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil index 3eccac2b04..fb8ed52dfe 100644 --- a/internal/pkg/selinux/policy/selinux/common/processes.cil +++ b/internal/pkg/selinux/policy/selinux/common/processes.cil 
@@ -99,3 +99,13 @@ ; kernel cmdline (allow system_p proc_cmdline_t (fs_classes (ro))) (allow system_container_p proc_cmdline_t (fs_classes (ro))) + +; By default, allow any process to access any device except special ones +(allow any_p common_device_f (fs_classes (rw))) +; CNI, containerd, many different services read and write sysctl parameters +(allow any_p proc_sysctl_t (fs_classes (rw))) +; Unconfined FS and files +(allow any_p unconfined_f (fs_classes (rw))) + +; Own sockets +(allow any_p self (unix_stream_socket (connectto))) diff --git a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil index 4b48f29fc2..9b31857712 100644 --- a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil +++ b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil @@ -42,11 +42,6 @@ (typeattributeset device_f common_device_f) (typeattributeset device_f protected_device_f) -; By default, allow any process to access any device except special ones -(allow any_p common_device_f (fs_classes (rw))) -; CNI, containerd, many different services read sysctl parameters -(allow any_p proc_sysctl_t (fs_classes (ro))) - (typeattribute any_f) (typeattributeset any_f filesystem_f) (typeattributeset any_f common_f) diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil index 7102202aa1..0d5fe1d478 100644 --- a/internal/pkg/selinux/policy/selinux/services/udev.cil +++ b/internal/pkg/selinux/policy/selinux/services/udev.cil @@ -41,6 +41,7 @@ ; Typically client pods must not access TPM (type tpm_device_t) (call protected_device_f (tpm_device_t)) +; TODO: label and restrict block devices ; If modprobe is called by machined or kernel do a transition to udev context which has module permissions (allow udev_t modprobe_exec_t (file (execute execute_no_trans))) From 9712da2a88363004434e8db0d0234c74e6a1b811 Mon Sep 17 00:00:00 2001 
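Review bot: `(allow any_p proc_sysctl_t (fs_classes (rw)))` upgrades the earlier read-only sysctl rule to read-write for every process domain, so any confined service or pod that also holds CAP_SYS_ADMIN (granted to any_p self in patch 01) can change kernel, net and vm parameters, which undercuts the isolation the rest of the policy builds. The comment names CNI and containerd as the writers; scoping the write to those domains, e.g. `(allow containerd_p proc_sysctl_t (fs_classes (rw)))`, while keeping `(allow any_p proc_sysctl_t (fs_classes (ro)))` would match the stated need. The same goes for `(allow any_p unconfined_f (fs_classes (rw)))`: a comment saying which file types are members of unconfined_f and why would let the next reader judge the grant.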
From: Dmitry Sharshakov Date: Thu, 28 Nov 2024 08:41:46 +0100 Subject: [PATCH 27/35] allow anyone access to /proc and /proc/sys Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/selinux/common/processes.cil | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil index fb8ed52dfe..876b639ffd 100644 --- a/internal/pkg/selinux/policy/selinux/common/processes.cil +++ b/internal/pkg/selinux/policy/selinux/common/processes.cil @@ -1,5 +1,8 @@ -; Query procfs about self -(allow any_p self (fs_classes (ro))) +; Query procfs about self, plus OOM adj and similar writes (controlled by other access control and caps) +; Also FIFO/socket writes for own stuff +(allow any_p self (fs_classes (rw))) +; Read process info +(allow any_p procfs_t (fs_classes (ro))) ; Allow all process actions but ptrace, set* will be guarded by transitions (allow any_p self (process_classes (full))) From df0be1885a42182043812d9449a70e7c5b48acf7 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 28 Nov 2024 08:46:59 +0100 Subject: [PATCH 28/35] containerd: access shim sockets Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/selinux/services/cri.cil | 3 +++ .../selinux/policy/selinux/services/system-containerd.cil | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil index c3883eb486..ed15e03713 100644 --- a/internal/pkg/selinux/policy/selinux/services/cri.cil +++ b/internal/pkg/selinux/policy/selinux/services/cri.cil @@ -15,6 +15,9 @@ (allow pod_containerd_t pod_p (fs_classes (rw))) (allow pod_containerd_t pod_p (process_classes (full))) +; Shim socket +(allow pod_containerd_t pod_containerd_socket_t (fs_classes (rw))) + ; Common rules for containerd accessing system (typeattributeset containerd_p pod_containerd_t) 
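Review bot: `(allow any_p procfs_t (fs_classes (ro)))` grants every domain read on everything labeled procfs_t, which, depending on how /proc/<pid> entries of other processes are labeled (not visible in this hunk), may expose other services' cmdline, environ and maps to pods. If per-process entries carry the owning process's domain this is fine; otherwise consider limiting the grant to the system domains or a dedicated type. The unchanged header comment `Allow all process actions but ptrace` now sits above `(process_classes (full))`, so a comment pointing at the classmap that excludes ptrace (or confirming it does) would keep the claim verifiable.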
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil index 7ddbb3ec26..a817bcd46c 100644 --- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil +++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil @@ -24,6 +24,9 @@ (allow sys_containerd_t system_container_p (fs_classes (rw))) (allow sys_containerd_t system_container_p (process_classes (full))) +; Shim sockets +(allow sys_containerd_t sys_containerd_socket_t (fs_classes (rw))) + (typeattribute containerd_p) (typeattributeset containerd_p sys_containerd_t) @@ -40,6 +43,9 @@ ; mounton for masking (allow containerd_p any_f (fs_classes (mounton))) +; Shim sockets +(allow containerd_p self (unix_stream_socket (connectto))) + ; logs (allow sys_containerd_t system_t (fs_classes (rw))) From 974195f68579f409805b8e4df7ee79e36a5d8398 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 28 Nov 2024 08:55:25 +0100 Subject: [PATCH 29/35] containerd socket access Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/selinux/services/machined.cil | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil index b715e4a062..0e02fc5a71 100644 --- a/internal/pkg/selinux/policy/selinux/services/machined.cil +++ b/internal/pkg/selinux/policy/selinux/services/machined.cil @@ -55,6 +55,12 @@ (allow udev_t device_f (fs_classes (rw))) +; Access containerd sockets for running containers +(allow init_t sys_containerd_socket_t (sock_file (write))) +(allow init_t sys_containerd_t (unix_stream_socket (connectto))) +(allow init_t pod_containerd_socket_t (sock_file (write))) +(allow init_t pod_containerd_t (unix_stream_socket (connectto))) + ; rootfs.sqsh (allow kernel_t rootfs_t (file (read))) From fdd039dc88fe42b61474c8951eceab24148c47e2 Mon Sep 17 00:00:00 2001 
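Review bot: `(allow containerd_p self (unix_stream_socket (connectto)))` duplicates the `(allow any_p self (unix_stream_socket (connectto)))` rule added to processes.cil in patch 26, assuming the containerd types are members of any_p. Duplicate grants make it harder to audit what a domain actually holds; drop this one, or if the series ordering needs a reminder replace it with `; self connectto is granted to any_p in processes.cil`.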
From: Dmitry Sharshakov Date: Thu, 28 Nov 2024 09:17:39 +0100 Subject: [PATCH 30/35] udev sysfs Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/selinux/services/udev.cil | 3 +++ 1 file changed, 3 insertions(+) diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil index 0d5fe1d478..36090344bf 100644 --- a/internal/pkg/selinux/policy/selinux/services/udev.cil +++ b/internal/pkg/selinux/policy/selinux/services/udev.cil @@ -66,3 +66,6 @@ ; socket and runtime files (allow udev_t run_t (fs_classes (rw))) + +; manage properties from rules +(allow udev_t sysfs_t (fs_classes (rw))) From ac7d2dfe4503c9f8504446fb9bf7cfcde2a149a3 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 28 Nov 2024 14:28:15 +0100 Subject: [PATCH 31/35] machined permissions Signed-off-by: Dmitry Sharshakov --- .../policy/selinux/common/processes.cil | 2 ++ .../policy/selinux/services/machined.cil | 28 +++++++++++++++++++ .../selinux/services/system-containers.cil | 1 - 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil index 876b639ffd..9efaf06add 100644 --- a/internal/pkg/selinux/policy/selinux/common/processes.cil +++ b/internal/pkg/selinux/policy/selinux/common/processes.cil @@ -109,6 +109,8 @@ (allow any_p proc_sysctl_t (fs_classes (rw))) ; Unconfined FS and files (allow any_p unconfined_f (fs_classes (rw))) +; Kernel threads can access anything +(allow kernel_t any_f (fs_classes (rw))) ; Own sockets (allow any_p self (unix_stream_socket (connectto))) diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil index 0e02fc5a71..cbf2be6080 100644 --- a/internal/pkg/selinux/policy/selinux/services/machined.cil +++ b/internal/pkg/selinux/policy/selinux/services/machined.cil 
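Review bot: `(allow kernel_t any_f (fs_classes (rw)))` makes the kernel domain read-write on every file type, and kernel_t is typically also the domain of any userspace helper the kernel spawns (modprobe and similar usermode helpers) unless a domain transition rule catches it. The comment `Kernel threads can access anything` should record that assumption so a missing transition is recognised as a policy hole, e.g. `; Kernel threads can access anything; every kernel-spawned userspace helper needs a transition rule (see udev.cil for modprobe) or it inherits this`.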
@@ -61,6 +61,34 @@ (allow init_t pod_containerd_socket_t (sock_file (write))) (allow init_t pod_containerd_t (unix_stream_socket (connectto))) +; Allow access to any file for machined, for ls +(allow init_t any_f (fs_classes (rw))) + +; /dev/console +(allow init_t kernel_t (system (syslog_console syslog_mod syslog_read))) +(allow init_t self (capability2 (syslog))) +(allow init_t kernel_t (fd (use))) + +; labeling FS +(allow init_t tmpfs_t (fs_classes (relabelfrom))) +(allow init_t run_t (dir (relabelto))) +(allow init_t system_t (dir (relabelto))) +(allow init_t etc_t (dir (relabelto))) + +(allow init_t system_t (fs_classes (relabelfrom))) +(allow init_t system_var_t (dir (relabelto))) +(allow init_t etcd_pki_t (dir (relabelto))) +(allow init_t kube_apiserver_config_t (dir (relabelto))) +(allow init_t kube_scheduler_config_t (dir (relabelto))) +(allow init_t kube_apiserver_secret_t (dir (relabelto))) +(allow init_t kube_controller_manager_secret_t (dir (relabelto))) +(allow init_t kube_scheduler_secret_t (dir (relabelto))) + +(allow init_t trustd_runtime_socket_t (sock_file (relabelto))) + +(allow init_t run_t (fs_classes (relabelfrom))) +(allow init_t apid_runtime_socket_t (sock_file (relabelto))) + ; rootfs.sqsh (allow kernel_t rootfs_t (file (read))) diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil index e94b0ef838..37976a8ef9 100644 --- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil +++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil @@ -22,7 +22,6 @@ (type trustd_runtime_socket_t) (call system_socket_f (trustd_runtime_socket_t)) (allow trustd_t trustd_runtime_socket_t (sock_file (write))) -(allow trustd_t trustd_runtime_socket_t (sock_file (relabelto))) ; Talos installer (type installer_t) From 665ff089eb2d90caf06244cb88f48a48b6291f96 Mon Sep 17 00:00:00 2001 
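Review bot: `(allow init_t any_f (fs_classes (rw)))`, justified as `for ls`, hands machined read-write access to every file type in the policy, including the secret and PKI types this same hunk goes on to relabel one by one, so the per-type rw distinctions elsewhere in the policy no longer apply to machined. If directory listing is the need, `(allow init_t any_f (fs_classes (ro)))` should cover it (assuming the ro classmap includes dir search and getattr, which is not visible here) and write access can stay per type. The new rule also makes the `(sock_file (write))` grants to the containerd sockets just above it redundant, which is worth noting in a comment if the blanket grant is kept.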
From: Dmitry Sharshakov Date: Mon, 30 Dec 2024 21:57:29 +0100 Subject: [PATCH 32/35] gen --- internal/pkg/selinux/policy/policy.33 | Bin 33687 -> 34387 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 2483018a29ad68f31b6460067bc1f115968e84ec..70282c48de4b20b09605e753faf2403f645b1d9d 100644 GIT binary patch literal 34387 zcmbWATbCrob?<8$j4;Rsd(d5i0*$x`5HMUNBuz4!5lBKp2#^kq>{51BR(GoFMqPSl zw7eGm;PZCA!}%8H6@LT2`^BHY%dhr}`}}`9^IsKp>#iYYMOReBjvf0RJ0mk|{?FMz z{rCNiM&pB<&3DVe?DpeoUs9#-uT`_U(ntA!bt8*!)t|r82lYYKJ=Jg2wOjUzR(sg* z4+mdT*L|vo#WbHz$29LzZI6q5S}^Y+)p60w4~kxQJnXal*Hmxi)Amtoa=`G{=ihIY z)1%g?829g07ofdzaLf{5>JMjw>2Saj(3+1%#h?RukEjMdX2Dx;*god-Vbyx=>5#!M zs}3~{bYE4is1U842}AIh&pPF_mABi)WWvgSuR2*U_jmd_E(UqO0N>xnx4Z)&-;3Kt zyFUz~=qiWpX%7k!+^umrEs)Ivs{MQf0AtLVO$)yMjq0bf;WV$fysWRY0V06juc%h^ zh9H0i8{O22crK>fwZc+cwSr9HY$AzPk^=QXIq1x#ErE=td^a8~a z)^IdMdFW+wG@EvYw+2WD#y6@4;7XM36O05|Bywji?4l>uWLWm5RbYzAb3uoYEa)(r zO3L-1@+-q!LJ2awzmDdXWC z&_YU#hxsxin4ZYoN_jZbp}6)CmVz>nS)?%$<6>g7t_vC0gr=m+T#7N6nKh76kMmoM ze@9hf;cGc$Rcbe&A@iH{@Sto5U15I3bfmSQ1yS~o2g43gfv^K+^xv8k;}gwciEpX0 z#7F^P3OC5$xa{>X0ls$<6QJ)=)u5@E3}@qZguF!X5BNL-jP5D-7+jER2BBAK54Ya!Nc%`)2OE(MU`4%IuRz9#H$*!g=ACvv2`9xB zdqqAe5Ik~IRGZyymHqx~njiF{8{CK&Isp#AI)-x+JOVc_D^;&ymG11EW} z>?j(y(P-E!+jodAgf|5kd36ta4=*0}M@l_f)pmdum@A-SAYr#-kBjZ1 zhRZ`2AnVDuTNQ4m;L(~UVn_Kn@8jfXOetdEuhj$;hT!g*0xzH}tl7cZxcGE5u3{P% zVbFfjKPblPSSw6M2ESKLHJkSicU2|Af(s;sp}6!EOGtH-bk{@aCsPTbKUD>Vi^A#E z7Ca6ni|x)Sg@MvfA~USKp_;N{Bb~G-WoURb98Y&;4$44ERL5rR!m+7qn=kVICR8v2 zc%3v&hib1C@KPZ*CAjkHO=#Cpr~?gB{-la|I98BHwThEsFvV8G4o5S9F^t%}B5~py zOp({q#_*hffGYN28eln=Hj17aYlU0`Uf5hxUP4ZtLs|8%{9xu_`qc`i(P%Why(V4pH=Z;Vi^iMk@Gt#yV9nW~hhN_5p;D_-YgjihWJw|C~(p(_^($TX>>Hl+U0 zfr6Ce7Kg+#cnWorsC1;?Qt@kgN4;x>ya!o6p_+=pE^)g%-bg2Gg*v`|7K^TA0lg!%qVP+4V*nb4WPXo=Bmf zjJ$Z0!p7RYi%lecVU2NBz=}_+rn0b!91jovtjoUEEJDeqr8RM_Si+e`Qt6cK{udVx zv6%8>RV;)`k(HE#@*vl>i1HVrI}9<}&jkI3kS%({~zZBz*TL$aE-0P~Fv~^hM+OOO>SvLE>TR~S& zI)l4a^+zi>+IiXC6$jyh@~kTP5tX7`8+Ybwm1KE`;zETs0y`;-TR=sSi0dBUBMejr zPYe)bysfd?)(GZ^{%ZlH5^m=^OT#bN1t!jZ~wctG@5474!I(QDmX zo3MUiQ970RaFzU`DBgJS>PxS_vT3s~NvzeE}maa+$hiqb4un)z!lITnf 
z+3v@29hN)!R2K_9HP(vF^<9mmvhMYE*1D$RCSTRtX;#L<2k4TS}m(NnxpY9mr_pm zeyDk=wCpS6PCwt(b`cweO*gd)(icQYUv=IM(O5Bu4IDqKxmGN6!vas~b}$XT=}M1| z)zVZ48y=@<=f;6KrTU| zqO}|x0fOi_m6(lnzb8(duqbGpOm%9-9ICKX)8Gk3SLdn_Tp!vh2Uy{Q>nlL{DA*o(SQQPs&Bam-yFib_DRyv`lDwhn%RJH$#Dn3RW{Tk{nQg>I#4 zd?kiyw0+cz@EqsCl5`%h!~iV`IIyJi`f9;qgAjyZ)m$r3ME#j+YHsph`PHtrhV;Sm zk}50O*QT?L84RKZO!psi-Ba9p28kFb|Dei69F=lV-JoF=GS^Ddwn=(OyHGXym%Sg( zukyeU9phQp5GycYYi@>~;p{i6seGnvB0GAbuduEN2ex1~93!h6m>ZC>I9@ZTgGeur zD{;)B>f+`>%*Ge6JwxW5(YQQ8E$cxD5-PZ@T$|#@1)6egiU(aTrZ-S5__czJp#-z# z)5bA5N_Jv2#UMuz`dBNBp@)A|O)0wF*?4icHeVf9<oBJ?lloRP!%DjNs@7V8A?gRJDO01Pp%CsWUko4KsF;S!fo?pkWE>t!Kbb~( zN);_oDS3UzP|?N^c+-Dk3 zcfOT}ae)SODViOlivz>WmFahJu7(bv;Fl{X%5i7s+?Dy%8!I?;CvmjWdVnyOP#5(WH6sSwWqApq2nJoUre*c^F;$B5!#7Tg{8kH=nw0Gk2d z{LUU7_^bm+0^2JsvW2*4N!bePIy`o={JtF=}jkZkJ()zn58X9HK0<~dh84sJgX zB50&iMny4ZjPJxT`c?}ILkM1%x@$Pw4uRGYucP_t+T3tzaT{QwyD)K~!)O)S)L1Jv z*J~OfJ3vj8Nqf3+FNEI64bD421S!a@G(~-VTPs)z<*F+3vOIYzqq;R%M}AH!3H`19 zVVD;zm3`eHnhXcJ@5#If;JSRWK}AN~-F(mRvfy!!CsorR;V9l2?0$a@cL3KPR&jNA z&giUy)(VRL78M9=tsp4yVE$Za;S!WiIZnbpy+r15U;RiwuF2xa5xJ35jSJnv)ddg8 zxQ@V&PIOu&bpt}Wmv=hxUCp&(vqmJTS$E6saF_hS;{1i?r>YruCcADyZ0D3WRa4JM zPT5EGxh%ugqkc?SEyxsl;2CjXVies{TI^*AoI&|{QJ#b;GH2U^2zUjuc~v##&!$%& z$q#ql@GP+FD+tTcUEgcuiZ{L9nr+U8QE^-coOinbSy8bWq)e%A#Ei4}R{craz*@%D z&e954V2s1#^qs2uyPA}}On?5Z@%8Ih|F?DswW;7m-o`PC2klx@427|I$cuY?wVAcL zM7cjF)28FuWZG%zT8}583^pYo_7kvKr#KOiHpkYK1dq#2uiQD9>8Y(=DgTje0YkTD0PsvN9Q~*GFUP~r(%V$)M z3MePQ{W2NDl#p3#ii5V35fqwWty2C(C;>R49I)jE#ng9`qEVu6*QILBsD8 zu;VvkCDDMovCjopJQZ(Uby4J}$;1c_#)=HHWKgD}JC0$$Fm05zA9k^8cv#^h;D5B< zKL(yO*LZ5aIPgnSlkB5nYJU zWM1Yu@kkRJq2v1rj81S19hpWPKxXeIV~GVi;z1E$DMcf8+ndR}71N6~;nR~A*ITVF z(xH0HgodYe@unwK&5@rWM145>Pm{5Dm}82WK+haswG+-+X~l{CJIOrlLsBt}ktBL0 z9i>*vc|7Ti4Nb+_c>8Nja zi=f5DfX9l_QPD5PxfX`KgJftWSVTC-Vm(z?+KxWINV9rd_Q4YBF1=J&GiEK-^UK?~huz0HgR~#xT+nX5;rXouES}Vi7YTln^g;mcik#jt+)AZ7`UPi>0lWbv)~LtpycLx%O-$&1?{|5*YaDNTMr z`2XYD*`<**exKTJJo{hw?(6eQtott{7MJzt`=!R&wZ{ZM&^7I)#?#OKmyT~Al38DB 
z{9obug|2XEv(^p$dqJ)D^kt;H`9Zb8|Bl|4cunmJ&o={4wQg^Yley49|FN>ze^8qX zl98zVGX0;QUAo@*INH!KQbzID>PHkKxe>h3-_d13z`uER30}Yn%-=Vf(FW$S{ynUI z=(((&@*!XZG}1Mm@w_9>m%uPXmSy+EAOu)Zh!#^tXvV00% z6+9aKpEcgrKg;%}l4^JX4>(N&@K4rwkfCMUZ5#zWvbx^5K9}=I99ZTr2-@r36jjkL znRKLg|UT4(oMmgIp423h?w`XAFu9|z6{Wn#?z3H@iEpOuX=XojBW z_3)tA{f>0u_H|j!9`OHp_8Brq{tf8_eoaqTyOM1H8Jc(S-&?KqKeR2|ec{AbweGcj zQS5e0xgP6cpEs4rF4lcC;p@@4oZ*+b;vi(SV z#mjX+ZR_;9pzX8h5j)4`_od1E)kXuzxf%VRiK}*m^*puzG1zx57`Z3(+Ik2htZ zh5@JJ9(L=sE+w{vPK^h-8Rj5~A;|ylYP~?iQ)=VmUrF#>RwS}*9B3Ro-;$lv4w-}= zADhQOVx#RG8r()E_St*orQoUTYT*~eXK)fvh^t?ZV7wEJNUlw-zAogS3AuIC& z@75jtZo~Uc;jCi&TUDIVmWvJ7@hW17_apq>bMa;9$KTm6Of$Z3djtN5HGXJz8=5VL zj#4E10`_BFvzLMY-xZhe7uv)q+A+7bH{^paAY1bb&Y)8;#9`!yyf)~?yLo1nvCuQZ(iB8EGycX+PU-+_Zo|y1Ry)M3B*+R4R zj*Z#B9#W2FTLO>c8!~^j#slw$M=$1`z07TBHf{TgxA$l+XAaO{UXagE)nDZ&!}+@S znqjUt{uFCrtHc4z92*9|a-{p7l2$Ae?9g+G^QIrY??J!zJ7}}6UzXH7mzd`GiEYGM zpI7-9ZD>H|mLV}M){+e{*K#HwFz>`M+YB(adGuu+q3b81O?v?{^jgfd-(lyTi`>i? z@s_oqjTmCx?JGar6VK%Otm~MD9ez@;1uv$7{`cyBasbnS4OpJU3gd@1%Wz-XMemJM zd?%mJCFeAL;)Z?vOMB8+YLWf8%pta%Z+$$z2lpv6TLhqXzwq! zZDNb@f28BCusxj# zbce1@1Nw45wAtS9HShq>o`_D#*^r@qfh$$h2F>21q0M_AzGnM>T<{B-50jj> z6rJGIdF3AV_8YaaH)NGw7kDmq#kx&VN}gc7V7JyIx?9-u!uPS6*K7R9(6)qsEp+kF zT(;0`8dx{Kr*zlE#vIRS+aBP{aTt2+7x4aeO&f8^a$_$@=`?;~ z8ZyUD$V&}Fyt3X|%RaI%`8Y;#4I4fyUZCyqdR_J-WJ|tEd|24(+{gEj^TIYhsbq3m z#eBzkWMUsD2HIA!6XVBE!J{}IJEirAOl(W=W%ySmLE5s!u)~nK>=1szQ~663&)L_A z6{a71u$+;J+vwLcljB*2&}P}fuYHQPc>&%wNxZd8&?7q`HjI554>^h3?`XF(kH1Ue z-dAL@?oxJh^`m$>a94JXx!ga26kgU7hQNQ;t$ue4atnSVLZRr4?>t< z_B+#n4Fkje0v^LN*LwLY&GcO4&s^-}K%ap}`vo>{9-o#34NvS1oeBm!v_Ep);d2#q z{SV7i=fM+ec_yU-*vCYWC&(5p(2U9bp9jKZ|8-?00HoW8k#>S=W0L z`{qJc`(aD}s<|)eU&>?1P3I@rJpJT3&|}}>x;1nyIlzl?vaW50OxLnyUGvDkZ2a)$ ze%jU-x(Hc?oGO|6XLW5zjE5|hAFnEZ!*sAwI{ENB7vG41j@j$cZBEw(Q zYr)ro-$nk3Em@D)wr!rZEOT(Cb1esa(DV>DEGu+mJntvI4-HR=9?o!}-!{Wq-aE)c zkRdjV&D)pvb(Mu2$VK7nM$H$whjrSNRap+eu-9Wh__b{tU4&j_55x!WmC$3FIX|(? 
z$tO)SYq_6mldu!%6h93cmY;GR3LfakcdQF?3}|bLckIW!|3MF9n&!9bJX3kXeZ-1u zf^TRBG0pOUX5-|V(Y(`dpQ3F$ga)rg9D7ta&#rx@JK^7&uZzAcXJl^wBCp0ah(FAA z&O@95r*-7Lm1|7XgFQI5U)2p?^SCdsMuzB-wVaDW^Aj~~%(cGIHT=u* z1U$B3bZ7gyFR?xR*ZtVDb^TpsKc)>lmK8GhzDd7h0yb>guv_EVmsS_KM-^|88*#>d z^r8IPFwf{Wv%K!U9z9`QWWqj6KYoornlExWuZ1q0`ymJ0Cz-OYrNp(7WN`-9CaYo~d;~yt4fx6Z<~-05teo(!3*c+ZZ(1W{{8fP+-gp>stQ5 z($CYFFKGCnrUCglE&*@*0l($*gT@c$bFnega9Ov$!@us&LPySlnd>|RIoqeWda(_V zOQQ?y9~-b=aJ_?V(9c}sB)_#z@kjgS4dJ;*@b@(;|FT`NFNZD^Tfk!*fp_~jdPhF+ zj(p4)c4azgTMqDLIiN@5!Io@?$jWxbwI1-~()+Ri#}Ih5%@D_o6CN#3dfiV9H!sXh z{oQzwmHUb9(1RS1&sWv! zFUrdK-pW2}8+b2?X~@&QgM7@_YqEa(3o!O^)-_-Bn+Ddhoudom#NG@~?qoXgQ`;5! zPslcGb#a}G971j(hhES_On^t*1M^xID|>q* zbd8SC`;#?J7hRbC2c;5O-WZT2{n2^Maf$ zAAH9$fgbCKy#xHoQ-q`ECEZzqKxi$n>-CV{eu%rw`oQYRi7GVaowJpAtOzGizN@ z`|R4;J;-5!^KXMT$uN8^WL2NLJ{j=%+R@zC;L$W=+lD8{qsb(=z$G__BW4 zgY3UtOS;WIWx0{p0Z(qjT8?St8}v6tGj`}bopx)wE$7mRr@9 z?qnzIDb_D`Xq%_)eDZ@NuHu8112O97!b^;TPWrJ8WX`(S0QAIlz3$Hvhq-^mQ(;^q z1n;5&do~T=e5=NJQ#n8IJduoV+DD+lZRBPh(Qp3+&$~4q^kO+9bITuHxSu`9b^>j| zqiDmfQht9`hH4N)6Y~z87Hl2^LA9>IEZK6lwvvV_Ys-U4>_oEso_mG-4}=8tb9DvYSsRZUz;{?dQU;u-dl+kmI-@b(4f7K zesIe6n#4EDmKf#S>~&!@J@gxf{hEHx+le8TC;1*Q*fzfD+yKjPKm3L*N#>l*f(LuR z_G~}ELo;}~vMYFLG@4=CrVYC?J;?tLg2BHY(Ld8%`rcEc5jn8;6f$7jF#5GFus7=t zA8~9!p4J7vV0~dr&Vk{@@+8k+@bdm#ci=I8d>{JpedHN9Wmm|}JVINVSD0Vc@?7$2 zuZsT}PhWmBgmeBX$(QyM^J8nRm+r(J#6O+kLyw-kA z8+MEREM)j-$Oqo>5$gqv_TLSGM8HWqUD(_B{Q#kxbz zmM!;^EKl|<`wRWH6YRnCXz8WmHv%rHSEek=WpH)P^y$Kw`+t_SGXv;TBAmncr6=ZO zsxEThIgB5(UWM_a*7R?~!!@Jn*#^TqJBGQQv@^9`{1oqbYw;Af@w}C^Gb7O_PZ=AA z{fU9=_`|@4DzOoA}VL>#!qSr`v z0f*%7)!o=50_sJzUC|13XGt9D6{lVBqPstLcSH=mf8Gr*0k@}@s>j7HR3Kx1Xi~ph zwF@{=c=G8?ubb>f3{1`r%H4oLeo~J0JCeJ>BNV;pwF}*V{^ep&Hc#YNy|`q=X(-Dy z>H;)03p!qGGrV8DcUQ+zA0|^;^%e@u+vPU zATOJ5ob;3iJ&>vGg2s|}xeT(j;FE&!K<0`1M5KB})k8~j(v2{kgH)YdsxMg|sR%+z*?IFkQmcAUh% zomNC9^^ZCj@6x<)Yup2wSJNj8`j-qmzBKWQ06dVX?Sj6$`P4&8bNo6tgPAAjlcc+= zmuvZn;4OmjtC6cyQ3F2@v2nd;H0Xg$Z5M>XB>ldghnMKQXrA7x{sQyjwd0NRUKBkZ 
z$V{X@QNm%~(c9X0DHW8EY{5&+ZBqh5(Hy-_J>N2Sn#Wbc+HV$^nvGLV#ILf|i!s=JRZy{YhtdcLHM8 zpq-?BJFSHZw>iT$`fvu#nP<;CEmTkHSWZim{BHBA;A4{BHQqSMFC=fAw9S;yGs}S{ zJ^%9I#>KYHL+Ydai%5{)PGC06EeV77Urj@%whM0hLjCJO^ckj^v@^9`5Z()V_nhyB zeLQJr4Ah0|e_+R-K0h6ohlkaVt9jPB6lvCpelrV17s2BX)h{#|a*6R*6BL=+E=;R_ zW?|#B^qM;J9DNe*7r!>MajJiqhQUnLg{h05*4Q}p34wSZ^E`bLW$OPRY>VCc8hdq7 zjA7E(>-a{yB%E!|7_;ukNA@(GnMIrtE>C>kYC-G>C^r9Zt1^&3!aC! z^f$NkXIuJDMFSbE! zXQN_Zy}x2$t^W~hcLTrQt{7N{Zvwtf|0CI!{?je}70Jw^&gp-oVqimmFtDLN7}(Gs z3~cCcHdHqB)3vGpbW4BGoYiv@`h$T@{V=ep9|kt{!@#Eg=9YfL@|n_es_*ns(|*2e z?BCncF9tTki-C>(Vqjx`b4$N~H^QH8=@$bV;TwBf`tRM+fB%;Lhqv@MxAbT0{iJe@ z)AfG3rH)L0sB^ujt+JQt4|U%EkiO`-qfCFO^ZxLP#{FykRXluntzUChnwkDk=Xlgs z$uj<^uJoVMcUt$;_BicR)jid!ur*aU+?VP5sVZ|a)r#b*eX8$is!UmAk%nLm6EBRsxH=IFRc2rXq^vpx(y~-%R&Jk@bk5jy~&;D!X!Ai;;99+ zh9{Y;$9AHu!Em&xlJTd>pAEdHc(MRlmthKXx&urtAkYCmmrshP?mZu-ny?0w*hXa; z8~BQwXH|doJAE5qQhn6|T3c%ghS3dpmiRi|409#AD_zuXm8t7gbuOPcPBzU|_bSZk z(pru9b^%OS&;>AIL8~wo_BlPxhRPbuk}fLt)?k)tJ{6jEJXh$QuN4-Q>HDebTt3Td z#dYW^%!+)11;aQl3FXFk(x@i`PeCY|>Z$6Sh838m#xm7YRm0RE(Xa0K%=CGxx($Z0 zOqEZ=tkQ!}R$*4xV)81?8lHPMz+BP7Dp~y1A6X6UQ&pj?isn(W_^Uq>5baadtuW0U zV6qJ`E4pS8fi11I#=8Wx3RAmO^lQ3Gl{1`1i|;DcR+GR~`NOG(_86zE!Bn}#sfM=0 HJly#Iw3UE7 literal 33687 zcmbWA+m;*0b%wz)Ez>q*$>U?<(@>H{$vT=kIfcs%kPowNuNaMr@fQSo zK=nAAr}O!g=I2y<(=455jC)XZnhn#VY&e(}Bc}hB>aBF%JL%4j=>B&7{Z>9d=}xlg z=%PTN4)gITQ$T4{EXMO<%oOmNPA1v74|`u%4fGg=Y{Q~=%I8C>)!g%f&daKWhC%L| zswEfVwLhZ^8Pi2SpLf$!BHy#yS#MMXrU2zd zZ$5-W6nATy&ogxMCDlxWMKMoHDZi$#i!myI-*2dv{02pU3pK#h znPkr9?N(u`R;!>>B%4X2rKTW#l#lzhwxy8CoNqx%LHB$M>dt5LEZ7B(rL1By$9ULf zcCwiFi(6x~gW!#(0l8FV?+hnF7m?l>i@4Z{Iq8WHaINT|Br7^NO{r)|^osE~ z>&@X9V`IZEA~F+%=%Dt}NqUqI^ZA`?l{!IZ;!)b`7H8RXn)fq=32qqt1=e7TD*qiQ zGSFbq;$#3Wly9Y{SvMV~(-Ct9o=&pf>7>ZV^X@d8&5LQqJcu;AGaDAih>gOJ&|7!5 znBnt~f??Q6`=fjeeW+Q2eA0^?fu1NlAy+yA=rFt(=eIR|DFH0^#mcm}16f!J{lR@1 z5rm$}-Eu`Z!{NA!5T=4Nh*_m!AkM|WgQ~7{TrnE6E_cbMP-fIvPCZR;(f>VFsfDk3 z!K~Clz=qAgtGdT|FYp!IFPl#^7rda#(doG8lNCriP{#h7^e7+DpO390Om-8 
z4o>so5EtNkKXL(J-&YMhWwT;2?S+)LN+Y$>@NVV{=7L!&X2PzBfw%){F%Q-yH$gR^ z(_IDDao&d^5+>cflW9@Rp?y$6=JPvJ=y;F^&k3dq{wbI&I%M#7E7Zw+nwE;HLTw;L z!4~Nm>PMo@_a9W>=lLi@k$6b&L~4f`nGIxRy~Qv?$EY``c3PzUUOEdwN+=Gqbe5rb z^roz~xZTZ1qs2Tu8U`@5Q7_ITo21j;38IJOmdzJ=zYl^c;xp4rs`R>OR+42`pIV{j z*|b|G#kJIEBDfl56cB%G|hTv_zw8)Efyh%0_(lrs(1Y)mRsHnL&P}P%KUt zlU-GVR-yPv3&mMhy7-R9BG4!Z0a+?#rp)}vc42UvlzLdwQcb}y`PVY#UA(qIdS z4Hetnk~Tw#XblsylXRMn2y!f@En=WwnF%Z$!Qh1wFQ`nc(LuCn_VHv|<}^IQsH1Fj zluZTLDhx&kzgLYdn+}h6H6_YI3N(bHxD1s`*y={xU3bNw3?+sBTon>7N~hPl$T*&@ zmOF1Lj1+&8nGxj`)mRie>8v-)gM}x>biS)_a0XGbIzHJMjvxZIM<)pLctmP z;wFPlwR&ewEPiH-aaF*KkE_PIu#21)M<403ue%7Tq-kmm+$z>^qMlegd2jUDl|wG3 z{8SYWp;F`}`8YpHbuFU(3)vlk=pCiw^jP{@97!BdH;egvN*%Gj`@Qx=5yF70-zZUp zV7XVKVDhI`W8SqgvtU;j)`4doZgl^eO&gaC=0UiZRhz7Joax#x-+8la@qf2LE}!+s z_iO48HfZ$He6TAG(go#7RrW_ziuT%sGhfS1mRBe)RA{5Hvpl;6R!9=zx(ED_2Fimc zI!H2J)|jm|gE^!BgOFkk_tKp;Vj~@hMC?=!DJ??%JZ;=xedaKBI{NJf+tb@q<5W=+BJV z8-?RKJa_i7E*6GrY!$ofyXuK`Jsj?Ab#wVoBEe)-it-YtxYx|(cswbukn(w6jL{O9 z<6@?>g{Xs}n+1{Jl*#pcn%zo=!zTGqXIP={cRTCDr1wN1R_M`ip#$_ncUyMMtX|O21ENqV zRg8JTs?M1S5vJ2s{dAa*@;UwCs5C#;Dfa~Z0}{F%44pz3&ppY?1N(5+n;(xC!*FQH z>M$-+P8b%`a0(gDKu^+XIO>IhXiaoJN)vVI>rB+bc`3|>3+E8{^x~snC_N|@z%EIm z1RY$q^ZIJV;)5`RV%6L#a72AwHFh_}ui|P~Uqky) z`LQZ9I@ack#vKf*22J-LQ{7W+J%dCIls~C*5l5vQl{aXZg`I1uY5OD)wq2MS`^(>t z>#IB{1i*9=e25ts(7HFn&Peua)mT4s7Lgqz(N|cHiUz)5F`OgI8<-8mn4G8?S4m`; zhAVO0p#*XBAdDs!@I7Ou{mC>x!z|lL2o_4bR;kVL6`{sbo8$3-i|GcAg}+tMF`VGG zeA+o?C(%lbrRd}cLLXa&KJ4&k)tIB({l<&Ct?>fbly7a2m=?3f>)R$8HXVtA1n5OZ zipdAWI>PD9q`DPNw>DjTRcost5cQ^NEY#$r5W!vbi{m3371wY%(v63W9f!N(Pli#h zs$vByC9UolD%)DH)#3}1_J<>$32@+fF~(HbTxmy_tDJi4%T~c-DbK0Knk>)ze20&O zi%PXrchgyYD;F?>%E%8=>egGMj?pVR{(IF}$9CnOwpjCGS6w?Wo^PR+bK<)zF%*UN zk5psBrQ>3(b13b4?s1My9!0hfRb$!Ch|FENaCowQlQUhE;LhJDV?k#BgK9iG_nD^i zop0sgT#$iWOlHUI;>7Ug#_;<%SHlKy@XHMn`Lw_D-j(sxH#TVKPU2+uJBg<9_6C)H z*1L~{fJ!JNE86~!H=3us1mG01=`Pv(c3G^=+%*C6sHb=*#-#sf_a0V3qkfsU-Dx zN5{dv5Gfz&2GOh->%J%BLIT(2lN~DThzHI048JCPg5xpOI7v8*_s6^6Un3l#^^cph 
z20QQQY=Z6viBXFQgtk>s6m)QZF0=>}rZ4V+473k(g)mT2e zUUej2?7ZMvVXtiv%qRDKuaPU>_E;X2^F+Xd)~iqD{BN_8V@X}BNQQq|wpq+Ce!XVkfT<=Y*hoALWvliw#fzyw=7h^@d?*3){ zu*Rio35yKDC5CBp3|8BNY~$RfCXWa+fhYtq9*M?j%YT+mVT(Z@MLqdg&N3V_8Cql| z^khdka2UXXWavzba+hPF(kGGLU3w6=JLll&FANIeu7u9Ia{}}z>cOB9)hdpI-I>$`sxX&gN)m5IeUl=xgPuavm5<^o z@bE!|cKS+~NjzX~{BtE0PsQ6-0}MHd28QHds_2kyml>0*=#FFXUxYTvDh>zuHK<0f zus;Q!}@O#YZD}bQLQmQ0pM>CGf3QIKBuzX0d)4Os4wzBXFNFKf+OZ=f)d||#%;J>n3K5h zpw;zOcYt=#f&0v8h_nHtuBg_IQYACYN3j1a>I)BZ%wY~suIYuRT~@)=4JY<*N8_{( z$;1f8?#MIgD77@sK?Dp7nw(GXLX>GG-ea6BbkR3Ff;GbV*U>muwXRY+!YNOc7Aw;@ ztGef$Peu;6khCsFec9wB8)ef}6Qk}l>JmdM`6LR#h%3}&M-ykCcOr0*dvcnWeEdG@ zAt%`2cs1gf7>{W~jZE=u1Rv;OnA>zFOhuL!*! z!K*{U;DEo2;W*%mcgu~;NrV=j#tbhD{4|2X0AY%j%s`caBa5C!y0~dn1vuD3ydPLNGX1$hmtX5 ze?ICS&yW+}yct3J>FngF;7RVla1nI{Ap`Ua)O?} zPD@SPh`JE0+I}+y6=T)Ym3elN2u3x0Pi>0FB;i~62Uz^wUB>m;*>i1}zm|eu*S}{) z|2-jnRg2T#t9|$S541P!cYac}3vHMGM(zK)e)q!r^2aL`{0*&J9{Z7Ym3zSd`|c<}CYCrzu|AcuBFLd4XbnHv`HxQ8aT>nZ&(_B+9^9;#`=Cvu?^@NF0T!F*nb{2|qTXJw;(Jw00bz`mG$ zN^O{i2kRUkwqIcj`^-135NdGYy&1I{O!_2mG^H;7I1SxEBWC!gNEa8ndL79QMwC*l*ha{{s8 zHok4U)3y$=i|2wL+ZR1s5BP?4wO{!vK2QF!>}0gd;`>c`3VwT4a(a?3;UmG<^v^i>s_C=7 zIPbxya}l;P&)ClR@MhWJ!Lp-g>mMHMV{a(-jZf^GXJmOroRQmUUsW3$k#CVvIW6RT z)5J!W9iFXc#yUsg=RXcKudB5mYz=+<$GNM}4$As`Ode*PU^~Ywc`Wd$I7JVZ9Uh*q zcqTSIFYy8n@xmHmKJiuOI&@+^pij?*EY<@#$N1>YcI+vSnIG`I2Y_eiG;)_|qLY>0 z-VMBwpTYN7V&N%x7GGEO&w3!2nkM<-BJwKdGxi1AmA$@Rwb3(lfFqaV==o|bU3G$Zo&IM%Ekq1nh$BH=;buT$Yizv!8!O z+{eCW+1bxPpZyGDS9$V*fDe7_V&2F_wgqkb4?H{G!GBCN(Hm>G^@IP|AHZ>LNB_oQ zy@qG@0AJ8Q+wLRn&cRW6fEZuJ;2SkR*vR@J7Tkt6%ZrR&@5r&HLw>LI z;q#^6Dqh};?3Jn?-q;VIf9n|=c`oQ%E@Zdf$S1~OU2t5yt=&EN=$yC+`A74zFEadL zS;#uUKYt~B^bC&apij#}+rEb^rU{?+d3?h@2A__7a9*nDzaVVSi>{n!_B*c$<3i_C zog@$o&I9Bn`vdfC3uHGOp6$b|DG!QH=hA_s+SkmbT+lI1>~1>jL(Btt)ouLEZQ?PO z#rXlbj6)8zjI{0N#253*7T1BB4!&et6Ps6sLvBCRjacCL?GN?Ox`O|BtaAu!jp;n4 zEMxp{Njq*63)T;ESr6FA`2n3fAL85AEjoO^(&44ZZ})Zb`!&JErl{oh^9$(8KEtYM z9`K)7SN2=*?c2y`x!}`uh;i$deX@NF-o8=shE1&p_8TjCi<%}pSa!x9R%4NUHFmWR 
zXKjLK;t1P$uL#fHn_)-$KkG#z{Em9rBmGouzM*IP4ErMFW$lKC*VQKO@FnXU{vG4w zgjf&efxHo7S#eD)SclMjr=rPT!oG)1%>ywK_ITQN5mVL)xvt{vVpi=jbk?>9&(3ey z$oeNGRb(HvhKrF>HEM-UH7a*%}$GTl~|x1-RSj z=PSa;*6eevL-LR10_U3*4ze5PZCTXv_Cyi>|3y=iHykhc*vr+}lgM`Xyy580G~sR4 z{zL8O_*?!%(Ax+@J~yBGe6Mx{)BykX|nFXC+iwG);VV;wgtYu((})hQA&Lh zU#5djZdP*P!evMC{StdZk43l6Gw8>0itG;unxDwOUJSf3Gd{NB=X*6BY;jfi z;@SuOqi$5D5 zd4Y4j!Mx57_?Y#4sPz#(*@xhtvF)rk>|z_Cf5#?zThZLtQ-P%qe^Z_cK6)enc&|tt zL7(-Gc=tZ-Io+2tK7O*|?XVupT=qAvoy{k79M{CAZHhiuI{dKK$)RrBSzfLUjYG~1 zKBJt;9^N{{b}PGoG2mn04>}*zJd;c9Z@*Wjvn=F5<|@xaUJhfGUS-97T^T#xzZmeb zBQiQ((6jYMj( zmx=`Qj2)e0iEC&QkB5p=^jt^}Khi(r!>46OUifD&u94v%|AA-ALd-H2y%86dms|}T zzk=pfwaHQNx3L)erTH}JTNajU~Ag~9_(-E%KVTkyk~$n`z?F3 zaMmOU=b6?gYn4%#_OzYfo^R(_;KFAcD6P4GH>L-n5OlBKcHLu z0a=U#9mgQ+@=7PAkHJ5FWxEhNw5@0FOOf%4;P~*b^v^N^cT7Fgd8USwOU*MpSax<2 zoUb0qACSw}&fr)Ua*Jh$zI_ARS?B1%e#ly2{-J3dV#i-pJk$PN)y5X~=Nt0pJ>a^} zMIK-*d4QNQ4rd6+f=-AL(}z!DP;1-)`vm(TyqO>DYx>YM4t#o#!F5O2<6TM=Q5R|+ zI0rBt##+yewXTRk+vo>X{K^Z2aZ>Zo-orK}uFXF_?A(HWxJJXi#13*v-s|j_jDvrg zf7-SMdobYWhk3n56YpL}xb83x^q~npw)lEAFS2+peAs;A+qCiR&qdeT_^SDYAIBj2 zHy!v{*{G;_L*6H|}=#xE0@E`dV zd%S8Lyoerb7uH|%Of1+pkjwgfNgm+1!w+M8^8?&EM-R3Ubc{pWvCLe~f%t0dZ(ciy zi=gLM?_Ot3bX>C!ac;r?Jumuk`}Jt8e?8j&Ft1}Dn&uN>a=@4sSF2x!$T3-CYZSt!96CCT7JP*(0 z0dl+fAt%EF>jLWjlP#yrBo%2%gO+dB$+g zneAibZR-S|@fu3oehUwOtavz-O|gZ_9w*nKeNf&j@t%RbH!@CyRJO}lg9qyhU$Raz zJwpm_oh824t#ODW`!K$3KSvKMTc@>L!0p3~HGS-E|3P+i;?RVZ&Kd zY#01I$extGXFeIb((_)ee{5m?X`4RRM5d1&Jr;RQ6B}7B;I=6`G|exGANwk~*ZRRv zg01BzztHZ=IKPY5WzN&AAM9?OkSpvP(5%+VyU+|e6is9?|ExO!uDHWz{!sZ0dDVQf zhp~+0CCkFR_F?2*t$pv*va=_#{=xTJ#&sDy%cj@Szw;#XA{W=NO({Y8<~%!k9$WMcdUH z$B(ye;`k9);B9m`%Q8Q0I6Q)FoEuR)QQO5&Po6gyPtTf8ve7mjp6)b`-@)K}Vg!Bi zoTqX8O3x+^&)OTu&(&|@@R+J`+GOXs*L&gMSNFovKIfh|ycBXTIy{hmFC0Hx4PKjE zex&|999|T;*Ia&Q;5<5h;{H4wzp-^5j$aZx565pkoQLzBNG`w41%9I1R{WwJF?BT8 zt6L19wgn%3AZKH}l(#eTR8P+Df=u}9z3XfDf&2V@;J&a6E@?qLyr9STcR`2c!L{AQ zBLnIspk2udb!SZ+>-CXc=wiE%20Idl-;Z{qOTr!Mh1F@c3m52^AMw*~0_}oM7M^{) 
z&}06)F@uncqkK1Hh@a(C{YKwz_$Wm$(d@!EsDHgT>YmWhU-`m_3CHO!QLhWw@GNZo zJjaUq%Yu1qqP7e8EK&8VPezJ!Tw-i}nw?SjX)9yLnROEzeTUZ$j2x%fO=Og!Ur#dX zz38sV*oF*Eme26oAV2-MQcGJRV+cww-}^K-_rm6#rF+vB*}CwmBy**!Vb9X(8U4Zx z-xE5j!b%^%g=qY>!H){b9Z5Bi4+JaUS90&#u&e5JN20b1Zo;teQzk~(X(U;Y7kL{8 zJ*G}~Bx<{0vFIHdqpVH%L*ck1@j!i|Qoa7?uC+1oVi}J?E9KkSjl;gHZg<4PNLJ;r zIvcM|*ESBF^r9rRHmJ?)VNlUe&B#uJNC)NniY-p|j1WvQQQIZtk@T;N(?SX<1qe2!-Q;{FuGsBtga z0PHjuCTt6aHvR|(jj4CfJ55v#>RV51gZxhErsBgOz2n(9$S;C64r+7d^W1W*K~Fz_ z+&Ed=IJ7=VKZ^!=FP+g$x26nVgKf%1m_A$mGK-qE$8pAQo)bE%g7Ti#JHLE&|3TDF z)OO+eAKdB3PtT|M@p1XXRUUONM;dje-y?$3z3_>L^4D*SxhD7v5s5@?7lxIuus05i zue%eE(I@GC^-CU&Lthk%I}){B7#e=-SN~s-7Vo; zma)??lz&_Qv#(~4Z(~w}Lfj@MR0U5`baUn$J!tz!v;+ zDZn-y-))fhaw)(z{sHLQ{9jI5;L8?x$ugs;HUF1O0UF>zfChLFpaC8PXn-GdR2txb zn&8V8c;Gpy#zg!F0h-_l&;&<-CO85#!4F#C#^p2SXQ}VNs4<)`jqtq|xCCg#mjI1$ z3D5{XXn_m45r5eNmjI3UoxK+L#TNLb7WhLg@PlpmgB_J*8xFX$Y=L(!BWfhr|YU8IoJv9Gc+eYY~+pF@Rt-0244my-X zb*b7c7rhNQoSawia&!YuI8-g+LJgsrsIgS_T+564qLPHaC7AY7wFM`PxCc(XhQ@R{ z>vIJU+N9H2vqc$VTR7`<=nniZ^=Y2<2udhP`LX09QC+ImIO}tT+n}2`8~O=jjpMu| zl0h`XYx+sq0#5O|yi~gl2c;ycOI71+@^GNOM0Kg!hC@GfscM`~Qnr9oma0khX`Icu z@S07WO*%}lg|n{zpr9?Bi<(>|34iscTKAV~ieyG*|E Date: Tue, 31 Dec 2024 13:13:54 +0100 Subject: [PATCH 33/35] allow system processes to read and search all files Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/policy.33 | Bin 34387 -> 33223 bytes .../policy/selinux/common/processes.cil | 5 +++++ 2 files changed, 5 insertions(+) 
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 70282c48de4b20b09605e753faf2403f645b1d9d..28dcaf0b1d2d8915024fa9dee939ec23ead1b709 100644 GIT binary patch delta 2527 zcmY*aT}+#06h19b;)=G=u>w=u4oXS*tr%$wZ5gz*&}}VJ#%THN7_vcFy_i4K45NuR zTeieQj9$1Kqls5)H1on3jLF;ui6*$X#Kib>VKNi-a>k3{dEW1PJ5AH{^!v_x&Uw!B zob!Hn#d_;C>qi5j{?;m@GPTeFve3fqq4wIDE(;JHgaPO&AhSTS|atCBzb=8*3&N-a@|tjPY?{uUybZQ#A3VACQkD)@iI_v1+# zQ??2eh=x>W3S_;&HwajjEDR;kJeNP%PXiJ(YA)v3vo=MIN&8%P|js z63Z!&w)i+d6Ax|SZAsdKauB&J79!o2-jwLHvL&jr(MatN2H>BkJO#vdNX8XedDS&3uV2E$-p*Orhtn)!BWSG9pc zs7lo)gj^gB)&V)hfLi(6VXp%Q4r`}FNByY=GZ>0WQoRa{Vxb=0wlZy~Gty35KwzRV zNC^JSLip-YpLN^9A0Iu^ZwRr)I4+n#rE-(>XXp$al*16;Dy>yYX&4D|cBGBBMnVqs z0V2&Be!MplY%No>A!d0uP1BVrs1=cz<#24&&*w+G4kJH&fZgEIX7oY&a$~f+g!rqH z{ecYE{#UE1AUYx+4HX!4FIU7{4O2AU+O7;9<;UC3d#k|<)lVxvErirCns()Jr;ZyN(V zm`d}tR3GoALRKenP5Ox@ANeZSpmkNiw#;lXEu*$A^O{bA&mYsVK8&o^Hj2_42t6Dy zLAWFyVo0%ZK0n@853yrRp)1%nerx=+T4JDG<8_Ho<=Egv2q`a2oU0P0@t+g2e}qcz z%*Z~$a@opw)eZqzQ^QIqqec`lICw~3D_dft5cJrL43^}ebaur*Y^ zGj$uJSorgN7o6_qdlbZ$X@Mxu!I5T}Gt*10fQ81R*n;dyJ$+D=xe583>3P+Po|Ec2 zvGDUJ*Bn^8keaU2HWRG}azvM4Uf4EH&lG#Wg?SyQ+t1`vhJ9A?BC4`tcu@vb^WB*V zj-R^H2yL~9Wb~{fU>*N_YKzxr+w7j~3&@8R6`~y^cz1XcL1M{T!2lfgQ zNeuq280FqMS&ixjNXV^kTs?pae}FqTH_khAhERW<^Ect030zIE?l;%Y=PJoG63EQ# z249-@^M~_Zbjbr*LZTQ6+LH9mz(W~YpxLPDK)=4RciYe0jTbv delta 3875 zcmY*cOH7c%E+H8JVJMvaY|#>B*?alv@L``_~qX43Tb{^y?ao$q|- z+}j6ldw#s``Qmga{!TH`Ce>0I715J;zG#y+$Sdp6v1cV&`Fo%Iq5DLY6rd(q=i~Ka zzd_H-`slG|d@xCoP^bI7)_iyTt*I^b%MZS>e~B*9f~@Na@yp1M{hfSKFU^^? 
z_?G<;?U#K@z-G;0#Qq8$a_l4dBEc9kPGM9@4Q36afcz@tFaQTAM&)oMMw_&*j<_-$ z^i7h-1VJ*L;bll6$WT&45IUXtRE!mSlg1k{QUiiB{E zAB5X|$f{H}d>-Pb;UKqkHCMs88m&@Jnc?ZKaEUmJGk2}|DkLLo#JgR|67e4AbR;7l ztCd&&AabEtKJdSh#yW7jL`&jZQvWNz1<$s&+}YjHyh)c83B4>o)ECi`lycSxu+<$h z4!665{z-ujBgv(KA9Ys?VS94vjy3^_%}vP2ne{DE)lz{-jzz<*bsp>q2Z$&n1*G;+ z14u$qlneOt^Yv(b70Ri*s6S4MHQ$Mj6@%{G=s-0H(&(_aHpJ;zXbWMMLsLKxh)*j*pk&~i;7Fm~za#rY+3mxTDPSTXt(iwZzh3JoWV+YQ_&!$-T1;-Wf zAsE<}-AnL6B!TopZ_JkK+w3*aRaA6r$8M zg4s^w@8iKOs6v@e(g7DpFD<&wfUeWpp&B?ZQ^MOK6e(ELUz0$$SBniA5JgZ$A~x)y zk(2V1HJ?k=#L@kjELuTKB@<5wggT91$q9}4g7u5$(>(4ZI(*2{p67>&pbvRjjqz?G zY`O!3VZ@$C52}5try~N*7UI_!PEf!pnsTSxK4DSwMK7QLQ00vtXP9Wbdp)gn$O&gn zk;D&*Z`bVYZC!%zRp}b#2KnsGS$R54huxUqLW{m4)`&+XBr;5kL><1fvhSSb4|}h* zK{GnXFyAyqP%&(eU>~leq+s+?H-GMfdo5CB2+*>VN)!rrM(*U3m&f5OoJa6*~W(4guPs z%*Apk9AS1UymvEl8HxU2Z#7B$O{RYt)dF$q9M?rmaN{<^TC0d=Ms5I!BESjOP)(oB z6MU#2G=p7pY~b5+=UlA;Bx^1k{5%31q#=u#eIZ8*}dSL3BxN^PyHux)s zn!&D$xyV)V_|LmfUS!e+>iho+?1>*VFc@G&Dri<>VFH=1V?I8ZFO z4OBlF=}Qz6eBg@HPyy<8ZzM=t_c0Wd%Pbu$~RfcPf*F$%Q%92@xz;{0Re_KTnx7eWc#34PFw z8~5huPZf?>F1uj)wXx$k{OQ*N{H}6y{ zUcoxr_y>T5#Gf_XvrIGpM?D29HryYWPb#|Z)2z1H@s7JLbU|72bBN_Du=-20ie)!UF zd~?28l)bLu`QH3j6Np|2=8T^P;R_nkz@St|1|FbV5~x$11E>is_tV{lno^8E- Date: Tue, 31 Dec 2024 13:21:32 +0100 Subject: [PATCH 34/35] allow pipe communication with child processes Signed-off-by: Dmitry Sharshakov --- internal/pkg/selinux/policy/selinux/services/cri.cil | 2 ++ internal/pkg/selinux/policy/selinux/services/machined.cil | 4 ++++ .../pkg/selinux/policy/selinux/services/system-containerd.cil | 2 ++ 3 files changed, 8 insertions(+) diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil index ed15e03713..4959116685 100644 --- a/internal/pkg/selinux/policy/selinux/services/cri.cil +++ b/internal/pkg/selinux/policy/selinux/services/cri.cil 
@@ -14,6 +14,8 @@
 ; Manage procfs & processes
 (allow pod_containerd_t pod_p (fs_classes (rw)))
 (allow pod_containerd_t pod_p (process_classes (full)))
+(allow pod_p pod_containerd_t (fd (use)))
+(allow pod_p pod_containerd_t (fifo_file (append getattr ioctl map open read rename setattr watch write)))
 
 ; Shim socket
 (allow pod_containerd_t pod_containerd_socket_t (fs_classes (rw)))
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
index cbf2be6080..e84f33bc7e 100644
--- a/internal/pkg/selinux/policy/selinux/services/machined.cil
+++ b/internal/pkg/selinux/policy/selinux/services/machined.cil
@@ -104,3 +104,7 @@
 (typetransition initramfs_t init_exec_t process init_t)
 (allow initramfs_t init_t (process_classes (full)))
 (allow init_t initramfs_t (fd (use)))
+
+; Direct child processes
+(allow system_p init_t (fd (use)))
+(allow system_p init_t (fifo_file (append getattr ioctl map open read rename setattr watch write)))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
index a817bcd46c..86f3107105 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
@@ -23,6 +23,8 @@
 ; Manage procfs & processes
 (allow sys_containerd_t system_container_p (fs_classes (rw)))
 (allow sys_containerd_t system_container_p (process_classes (full)))
+(allow system_container_p sys_containerd_t (fd (use)))
+(allow system_container_p sys_containerd_t (fifo_file (append getattr ioctl map open read rename setattr watch write)))
 
 ; Shim sockets
 (allow sys_containerd_t sys_containerd_socket_t (fs_classes (rw)))
From 47d517f499ee88b8a755edf4bd6ed8ab1a8fe332 Mon Sep 17 00:00:00 2001
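Review bot: The fifo_file permission set on the new `pod_p pod_containerd_t` rule is wider than the pipe communication the commit describes: the stdio pipes a pod inherits from the shim are anonymous, so `rename`, `setattr`, `watch` and `map` cannot normally be exercised on them, and leaving them in grants those operations on any FIFO that carries the `pod_containerd_t` label. A set such as `(fifo_file (append getattr ioctl open read write))` covers what inherited pipes are used for; if one of the dropped permissions is genuinely needed, a comment on the rule should say which consumer needs it. The identical list is repeated in the machined.cil and system-containerd.cil hunks, so defining it once as a named CIL classpermission, the same way the policy already names `fs_classes (rw)` and `process_classes (full)`, would keep the three in step and make any later trimming a one-line change. The cri.cil and system-containerd.cil additions also sit under the `; Manage procfs & processes` heading, which describes the reverse direction; a line like `; Inherited fds and stdio pipes from the shim` above them would state why a pod may act on the shim's objects, as the machined.cil hunk already does with `; Direct child processes`.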
From: Dmitry Sharshakov Date: Tue, 31 Dec 2024 13:23:50 +0100 Subject: [PATCH 35/35] gen --- internal/pkg/selinux/policy/policy.33 | Bin 33223 -> 33295 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 28dcaf0b1d2d8915024fa9dee939ec23ead1b709..f409cfe3b14350edc9451f2c3a6728ff99ff2dc5 100644 GIT binary patch delta 130 zcmX@!%+%k)w87khQFF3|#e5zihA0LO21X!cU|4+Jf{j~%A&G$($W7GZ-h9oDlaU7` z08_E~zC8yEk0669ObO%W=gupbSb9XiFl?Ue=D-b>gQ=c;Iq(M90;qY6n^y~AI0m!tJ_rG`13(A_vlm3D0tD?p{{geZMnDUb L4^r5(^HLly4$Twv