selinuxproject / refpolicy
SELinux Reference Policy v2
Home Page: https://github.com/SELinuxProject/refpolicy/wiki
License: GNU General Public License v2.0
1) Reference Policy make targets:

General make targets:

install-src: Install the policy sources into /etc/selinux/NAME/src/policy, where NAME is defined in the Makefile. If not defined, the TYPE, as defined in the Makefile, is used. The default NAME is refpolicy. A pre-existing source policy will be moved to /etc/selinux/NAME/src/policy.bak.
conf: Regenerate policy.xml, and update/create modules.conf and booleans.conf. This should be done after adding or removing modules, or after running the bare target. If the configuration files exist, their settings will be preserved. This must be run on policy sources that are checked out from the CVS repository before they can be used.
clean: Delete all temporary files, compiled policies, and file_contexts. Configuration files are left intact.
bare: Do the clean make target and also delete configuration files, web page documentation, and policy.xml.
html: Regenerate policy.xml and create web page documentation in the doc/html directory.

Make targets specific to modular (loadable modules) policies:

base: Compile and package the base module. This is the default target for modular policies.
modules: Compile and package all Reference Policy modules configured to be built as loadable modules.
MODULENAME.pp: Compile and package the MODULENAME Reference Policy module.
all: Compile and package the base module and all Reference Policy modules configured to be built as loadable modules.
install: Compile, package, and install the base module and Reference Policy modules configured to be built as loadable modules.
load: Compile, package, and install the base module and Reference Policy modules configured to be built as loadable modules, then insert them into the module store.
validate: Validate whether the configured modules can successfully link and expand.
install-headers: Install the policy headers into /usr/share/selinux/NAME. The headers are sufficient for building a policy module locally, without requiring the complete Reference Policy sources. The build.conf settings for this policy configuration should be set before using this target.
build-interface-db: Build the policy interface database with 'sepolgen-ifgen'. This database is required for reference style policy generation by 'audit2allow --reference'.

Make targets specific to monolithic policies:

policy: Compile a policy locally for development and testing. This is the default target for monolithic policies.
install: Compile and install the policy and file contexts.
load: Compile and install the policy and file contexts, then load the policy.
enableaudit: Remove all dontaudit rules from policy.conf.
relabel: Relabel the filesystem.
checklabels: Check the labels on the filesystem, and report when a file would be relabeled, but do not change its label.
restorelabels: Relabel the filesystem and report each file that is relabeled.

2) Reference Policy Build Options (build.conf)

TYPE: String. Available options are standard, mls, and mcs. For a type enforcement only system, set standard. This optionally enables multi-level security (MLS) or multi-category security (MCS) features. This option controls enable_mls and enable_mcs policy blocks.
NAME: String (optional). Sets the name of the policy; the NAME is used when installing files to e.g. /etc/selinux/NAME and /usr/share/selinux/NAME. If not set, the policy type (TYPE) is used.
DISTRO: String (optional). Enable distribution-specific policy. Available options are redhat, gentoo, and debian. This option controls distro_redhat, distro_gentoo, and distro_debian build option policy blocks.
MONOLITHIC: Boolean. If set, a monolithic policy is built, otherwise a modular policy is built.
DIRECT_INITRC: Boolean. If set, sysadm will be allowed to directly run init scripts, instead of requiring the run_init tool. This is a build option instead of a tunable since role transitions do not work in conditional policy. This option controls direct_sysadm_daemon policy blocks.
OUTPUT_POLICY: Integer. Set the version of the policy created when building a monolithic policy. This option has no effect on modular policy.
UNK_PERMS: String. Set the kernel behavior for handling of permissions defined in the kernel but missing from the policy. The permissions can either be allowed (allow), denied (deny), or the policy loading can be rejected (reject).
UBAC: Boolean. If set, the SELinux user will additionally be used for approximate role separation.
SYSTEMD: Boolean. If set, systemd will be assumed to be the init process provider.
MLS_SENS: Integer. Set the number of sensitivities in the MLS policy. Ignored on standard and MCS policies.
MLS_CATS: Integer. Set the number of categories in the MLS policy. Ignored on standard and MCS policies.
MCS_CATS: Integer. Set the number of categories in the MCS policy. Ignored on standard and MLS policies.
QUIET: Boolean. If set, the build system will only display status messages and error messages. This option has no effect on policy.
WERROR: Boolean. If set, the build system will treat warnings as errors. If any warnings are encountered, the build will fail.

3) Reference Policy Files and Directories

All directories are relative to the root of the Reference Policy sources directory.

Makefile: General rules for building the policy.
Rules.modular: Makefile rules specific to building loadable module policies.
Rules.monolithic: Makefile rules specific to building monolithic policies.
build.conf: Options which influence the building of the policy, such as the policy type and distribution.
config/appconfig-*: Application configuration files for all configurations of the Reference Policy (targeted/strict with or without MLS or MCS). These are used by SELinux-aware programs.
config/local.users: The file read by load policy for adding SELinux users to the policy on the fly.
doc/html/*: This contains the contents of the in-policy XML documentation, presented in web page form.
doc/policy.dtd: The doc/policy.xml file is validated against this DTD.
doc/policy.xml: This file is generated/updated by the conf and html make targets. It contains the complete XML documentation included in the policy.
doc/templates/*: Templates used for documentation web pages.
policy/booleans.conf: This file is generated/updated by the conf make target. It contains the booleans in the policy, and their default values. If tunables are implemented as booleans, tunables will also be included. This file will be installed as the /etc/selinux/NAME/booleans file.
policy/constraints: This file defines additional constraints on permissions in the form of boolean expressions that must be satisfied in order for specified permissions to be granted. These constraints are used to further refine the type enforcement rules and the role allow rules. Typically, these constraints are used to restrict changes in user identity or role to certain domains.
policy/global_booleans: This file defines all booleans that have a global scope, their default value, and documentation.
policy/global_tunables: This file defines all tunables that have a global scope, their default value, and documentation.
policy/flask/initial_sids: This file has declarations for each initial SID.
policy/flask/security_classes: This file has declarations for each security class.
policy/flask/access_vectors: This file defines the access vectors. Common prefixes for access vectors may be defined at the beginning of the file. After the common prefixes are defined, an access vector may be defined for each security class.
policy/mcs: The multi-category security (MCS) configuration.
policy/mls: The multi-level security (MLS) configuration.
policy/modules/*: Each directory represents a layer in Reference Policy; all of the modules are contained in one of these layers.
policy/modules.conf: This file contains a listing of available modules, and how they will be used when building Reference Policy. To prevent a module from being used, set the module to "off". For monolithic policies, modules set to "base" and "module" will be included in the policy. For modular policies, modules set to "base" will be included in the base module; those set to "module" will be compiled as individual loadable modules.
policy/support/*: Support macros.
policy/users: This file defines the users included in the policy.
support/*: Tools used in the build process.

4) Building policy modules using Reference Policy headers:

The system must first have the Reference Policy headers installed, typically by the distribution. Otherwise, the headers can be installed using the install-headers target from the full Reference Policy sources.

To set up a directory to build a local module, one must simply place a .te file in a directory. A sample Makefile to use in the directory is the Makefile.example in the doc directory. This may be installed in /usr/share/doc, under the directory for the distribution's policy. Alternatively, the primary Makefile in the headers directory (typically /usr/share/selinux/NAME/Makefile) can be called directly, using make's -f option.

Larger projects can set up a structure of layers, just as in Reference Policy, by creating policy/modules/LAYERNAME directories. Each layer also must have a metadata.xml file, which is an XML file with a summary tag and an optional desc (long description) tag. This should describe the purpose of the layer.

metadata.xml example:

<summary>ABC modules for the XYZ components.</summary>

Make targets for modules built from headers:

MODULENAME.pp: Compile and package the MODULENAME local module.
all: Compile and package the modules in the current directory.
load: Compile and package the modules in the current directory, then insert them into the module store.
refresh: Attempt to reinsert all modules that are currently in the module store from the local and system module packages.
xml: Build a policy.xml from the XML included with the base policy headers and any XML in the modules in the current directory.
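The modules.conf semantics from section 3 (off/base/module, and how MONOLITHIC changes what "module" means), worked through as an added example that is not part of the refpolicy build system; the build.conf and modules.conf samples are constructed for the example and only cover the keys the README documents.

```python
"""Plan which refpolicy modules get built, from build.conf and modules.conf.

Added example, not refpolicy code. Rules applied (README section 3):
  - every module is set to "off", "base" or "module";
  - MONOLITHIC = y: "base" and "module" are both compiled into the one policy;
  - MONOLITHIC = n: "base" goes into the base module, "module" becomes a
    loadable MODULENAME.pp;
  - NAME falls back to TYPE when it is not set.
"""
import re

# Constructed sample of the relevant build.conf lines ("#" comments and
# blank lines are allowed, as in the real file).
BUILD_CONF = """\
# Policy type
TYPE = standard
NAME = refpolicy
MONOLITHIC = n
DISTRO = debian
"""

# Constructed sample modules.conf: one "name = setting" line per module.
MODULES_CONF = """\
# Layer: kernel
# Module: kernel
kernel = base
# Module: devices
devices = base
# Layer: services
# Module: apache
apache = module
# Module: nut
nut = module
# Module: bluetooth
bluetooth = off
"""

VALID_MODULE_SETTINGS = {"off", "base", "module"}
_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(\S+)\s*$")


def parse_kv(text):
    """Parse 'KEY = value' lines, ignoring blank lines and '#' comments."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        result[m.group(1)] = m.group(2)
    return result


def plan_build(build_conf, modules_conf):
    """Return (policy name, {"base": [...], "loadable": [...], "off": [...]}).

    For a monolithic build the "loadable" list is always empty, because both
    the "base" and the "module" settings end up in the single policy.
    """
    build = parse_kv(build_conf)
    modules = parse_kv(modules_conf)
    monolithic = build.get("MONOLITHIC", "n").lower() == "y"
    name = build.get("NAME") or build.get("TYPE", "standard")

    plan = {"base": [], "loadable": [], "off": []}
    for module, setting in sorted(modules.items()):
        if setting not in VALID_MODULE_SETTINGS:
            raise ValueError("%s: invalid setting %r" % (module, setting))
        if setting == "off":
            plan["off"].append(module)
        elif setting == "base" or monolithic:
            plan["base"].append(module)
        else:
            plan["loadable"].append(module)
    return name, plan


def loadable_targets(build_conf, modules_conf):
    """List the MODULENAME.pp make targets a modular build produces."""
    _, plan = plan_build(build_conf, modules_conf)
    return ["%s.pp" % m for m in plan["loadable"]]


if __name__ == "__main__":
    policy_name, build_plan = plan_build(BUILD_CONF, MODULES_CONF)
    print("policy name:", policy_name)
    for kind, names in build_plan.items():
        print("%-9s %s" % (kind + ":", " ".join(names) or "-"))
```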
Hi,
I have taken the reference policy and compiled it, but it gives the following error:
Libsepol. context_from_record: MLS is disabled, but MLS context "s0" found
Libsepol. context_from_record: could not create context structure
This error appears when trying to get denial logs using audit2allow -a -w
and at module load time. Here I'm using an old version of the reference policy with the required dependency packages, and I tried all versions of the reference policy with the required versions of the dependency packages, but I'm not succeeding.
Thanks in advance,
#76 (SELinux ioctl allowlist) was (understandably) closed, as it would have required a large amount of effort and had a high risk of breakage.
That said, I would still like to be able to restrict the ioctls a process can use via SELinux. This can be done by means of an attribute. Types with that attribute are given xperm rules that block all ioctls. Any needed ioctls can be allowed by user-provided xperm rules.
I would be willing to write a PR for this, if upstream is interested.
Is there a reason why tmp/all_interfaces.conf keeps the content of old builds?
Lines 139 to 145 in dd04789
In particular line 142 appends to the temporary file.
xterm has the context system_u:system_r:xdm_t; please tell me how to correctly change this context so that it works in the user's context. 1. create a module similar to terminal.te? 2. through the chcon command? 3. through the context of the executable files?
Since SELinuxProject/selinux@5447c84 was applied, we might want to add the flag -E to setfiles calls in the future, when the containing SELinux release is broadly available.
Currently, domain adds more permissions than are actually needed.
It would be nice to have a type (barebones_domain?) that includes exactly the permissions needed to run a program that does nothing, and no more. Similarly, there would be a barebones_daemon with the minimum permissions for a daemon that just immediately exits, and so on.
This would be useful for those who want a strict default-deny policy, since it ensures that access is not accidentally granted.
I tried to create a ctags file with make ctags and got this message:
make: Circular tags <- tags dependency dropped.
ctags-exuberant: Warning: cannot open source file "policy/modules/*/*.{if,te}" : No such file or directory
root@debian:/home/guest/refpolicy_custom# su guest
It works well when I substitute this pattern with "policy/modules/*/*.if policy/modules/*/*.te" in the Makefile. Also, ctags can parse the *.{if,te} pattern from the command line.
I'm working on the OpenVPN 3 Linux project, which is a brand new OpenVPN client that makes heavy use of D-Bus to solve a lot of challenges the current OpenVPN 2.x generation has on modern Linux systems.
OpenVPN 3 Linux depends heavily on D-Bus, where multiple daemons serve very specific tasks and the IPC happens over D-Bus. One challenge we have on SELinux enabled systems (in particular Fedora and RHEL) is that SELinux does not allow the dbus-daemon to pass an FD from one D-Bus service to another one when the FD is tied to /dev/net/tun.
Currently we ship our own SELinux policy to resolve this issue, which can be seen here in openvpn3.te.
The policy we wrote attempted to be as generic as possible (with the filename being the exception), as this doesn't look like an OpenVPN-only issue, but something which could hit anyone wanting to pass an FD to a tun device over D-Bus.
If this looks like a reasonable solution which could be applied to the SELinux reference policy, I'm happy to submit a pull request for it.
Originally reported to Red Hat since it was seen on modern Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1647920
Seems to be a general refpolicy issue though.
The basic issue is that a domain with unconfined_domain(my_domain_t) will be allowed to send messages over dbus without issue. However the responses will often be rejected because there is no rule allowing the other domain to send_msg to my_domain_t.
Example AVC where thinlinc_webaccess_t is unconfined:
type=USER_AVC msg=audit(1541681954.605:398): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.730 spid=1 tpid=5844 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webaccess_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
It looks like this bug was fixed here:
TresysTechnology/refpolicy-contrib@6bef7a1
But then reverted because of security issues here:
TresysTechnology/refpolicy-contrib@bc14741
Does anyone have any reference for those security problems?
If unconfined domains cannot use dbus by default, then this should be clearly documented for unconfined_domain(), and there should be some information on how to enable dbus for such domains. Explicitly listing every other domain (or using equivalent macros such as init_dbus_chat()) defeats the whole purpose of unconfined_domain().
What risk am I taking by adding this and allowing full dbus communication to my domain:
allow { dbusd_session_bus_client dbusd_system_bus_client } thinlinc_webaccess_t:dbus send_msg;
StrongSwan supports switching users after startup. However, SELinux currently blocks this, as ipsec_mgmt_t is not allowed CAP_SETUID or CAP_SETGID.
Of course, running StrongSwan as an unprivileged user (with capabilities) would be preferable, but isn't supported well.
Currently, ioctls are not whitelisted. Whitelisting them would significantly improve security.
Some parameters, such as httpd_nutups_cgi_script_t, are defined as optional in nut.te, but httpd_nutups_cgi_script_exec_t is unconditionally used in nut.fc, resulting in the following build failure when validating file contexts without services/apache:
Validating targeted file_contexts.
env LD_LIBRARY_PATH="/tmp/instance-1/output-1/host/lib:/tmp/instance-1/output-1/host/usr/lib" /tmp/instance-1/output-1/host/sbin/setfiles -q -c /tmp/instance-1/output-1/target/etc/selinux/targeted/policy/policy.33 file_contexts
libsepol.context_from_record: type httpd_nutups_cgi_script_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_nutups_cgi_script_exec_t to sid
invalid context system_u:object_r:httpd_nutups_cgi_script_exec_t
This issue is raised in nut but also in all packages that can optionally share content through apache, such as collectd, cvs, git, etc. What is the proper way of fixing this?
Hello,
With the recent versions of systemd, there is a new userdb component added.
libnss-systemd is now trying to connect to a socket located in /run/systemd/userdb/; that means that any domain (including a user one) that needs to resolve user/group ids might try to connect to it.
There is also an optional daemon running.
Fedora policy already has support for this that adds custom types.
The style guide does not contain any information about the order (of kinds and names) in require blocks.
Is there a preferred order, should an order be followed, or is it indifferent?
Seems like currently the order for required kinds is mostly (but not completely):
attribute -> attribute_role -> type -> class -> role
p.s.:
My personal favourite order is
bool -> class -> role -> attribute_role -> attribute -> type
Hello,
While working on supporting the refpolicy on embedded systems generated using Buildroot, I stumbled upon a login issue where the login system gets blocked from accessing the shadow_t context.
I'm using a serial connection handled by agetty and the util-linux login program.
The following logs are output when asked for a password:
buildroot login: root
kauditd_printk_skb: 2 callbacks suppressed
audit: type=1400 audit(1611839506.969:51): avc: denied { noatsecure } for pid=76 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839506.969:51): avc: denied { rlimitinh } for pid=76 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839506.969:51): avc: denied { siginh } for pid=76 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839507.069:52): avc: denied { read } for pid=76 comm="login" name="shadow" dev="vda" ino=88 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file permissive=0
Password:
Then, no matter the password entered, the login fails.
One thing to note is that these logs are only output when building with "make enableaudit", so the messages are hidden by a noaudit rule by default.
Since this issue concerns the login process and accessing the shadow file, I'd rather get your opinion on that before trying to come up with a patch.
Adding "auth_read_shadow(local_login_t)" to the policy allows logging in, but this doesn't look like the right solution.
I'd therefore like to have your input on that particular issue,
Thanks a lot,
Maxime
Hello,
Running make install-headers will always regenerate the interface templates:
Generating interface templates into tmp/iftemplates
It's a bit annoying, as you usually run this target as root and you end up with files owned by root in your build directory.
Hi,
I tried to compile refpolicy with 'make conf && make', but I got the errors below. I am using the release version refpolicy-2.20210203.tar.bz2; I also tried the latest source code from refpolicy_master.zip. Both of them have this compile issue.
Note, I compile refpolicy on Ubuntu 16.04 and have already installed checkpolicy and policycoreutils. Could you please give me some advice? Thank you in advance.
=============== compile error message ===============
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:1394:ERROR 'invalid policy capability name extended_socket_class' at token ';' on line 1394:
policycap extended_socket_class;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1
Container runtime support is currently missing in refpolicy. An issue was opened at container-selinux to bring the possibility to build it against refpolicy, but doing so presents some problems that need reworking. The idea to make container-selinux compatible with refpolicy was the originally proposed solution, but it may instead be wiser to begin work on a container module in refpolicy itself, as to avoid the many incompatibilities or to avoid rules deemed potentially too permissive in refpolicy, etc.
Either way, I am opening this issue to bring visibility on this, as overall support for container runtimes in refpolicy seems to be reaching high demand.
container-selinux issue: containers/container-selinux#113
With the introduction of systemd user support, access needs to be added to $1_systemd_t for various applications if we want these to be run and transitioned properly. Other applications normally run by users, such as window managers, may also require such access. Instead of adding calls to myapp_run() for each of these applications, I think an attribute for this kind of access may be more suitable.
Such an attribute, staff_app_runner_domain for example, would have all the necessary access granted by interface calls like chromium_run(), and all that would be needed to ensure some domain has the same access to run applications would be to associate the staff_app_runner_domain with it, such as staff_systemd_t. That way, any application that can normally be run by staff_t can also be run by staff_systemd_t. Of course, explicitly allowing access to staff_t or staff_systemd_t can be used where appropriate.
I feel that this also has the advantage of making local policy development significantly easier to do, as one would not need to call the appropriate interfaces for every application that staff_t can normally run in whatever local policy module is being written. On the contrary, as pointed out in earlier discussion, this may overcomplicate refpolicy somewhat.
Good day. I want to turn to society with this problem: I have SUSE Linux desktop 15.1. I configured SELinux refpolicy standard without UBAC, but I can't log in as user_u.
I did audit2allow several times, then I opened booleans, then I opened all the locks through "ausearch -m avc | grep permissive=0" and "semanage permissive -a system_tmpfiles_t".
At the moment, no locks show up anywhere. But when I turn on "setenforce 1" as root (sysadm_r), I log out, and when I try to log in as the user (user_u), the screen locks and no errors are displayed. Please help me with which direction to move in. What is the error search technique?
This is due to missing service start rules.
Currently check_fc_files does not support the character @ in file contexts, like
/usr/lib/systemd/system/getty@\.service -- gen_context(system_u:object_r:getty_unit_t,s0)
# ./testing/check_fc_files.py
/root/workspace/selinux/selinux-policy-debian/policy/modules/system/getty.fc:8: unexpected characters @ in /usr/lib/systemd/system/getty@\.service
refpolicy/testing/check_fc_files.py, line 155 in 0bfd138
@fishilico any reason not to support it?
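The two .fc problems raised above (a type used unconditionally in nut.fc that only exists when the optional apache policy is built, and '@' in a getty@\.service path) can be caught before setfiles runs. The checker below is an added example written for this page, independent of refpolicy's own testing/check_fc_files.py; the nut/getty .te and .fc snippets are constructed samples, not the project's files.

```python
r"""Check that every type named in a .fc file is declared unconditionally.

Added example, not refpolicy code. A .fc file is never conditional, so any
type it references must exist in every build: a type declared inside an
optional_policy block, or created there by a template such as
apache_content_template(), is "not defined" when the optional module is
absent, which is exactly the setfiles failure reported for nut. Paths may
contain '@' (systemd template units), which this parser accepts.
"""
import re

# Characters accepted in a file-context path regex: POSIX regex syntax,
# backslash escapes and '@'. Anything else is reported, as check_fc_files does.
_PATH_OK = re.compile(r"^[A-Za-z0-9_./\-+*?()\[\]{}|^$,@:~%\\]+$")
# <path> [-<filetype>] gen_context(user:role:type,mls[,high]) | <<none>>
_FC_LINE = re.compile(
    r"^(?P<path>\S+)"
    r"(?:\s+(?P<ftype>-[-dcbslp]))?"
    r"\s+(?P<ctx><<none>>|gen_context\((?P<context>[^,)]+)(?:,[^)]*)?\))\s*$"
)
_TYPE_DECL = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)")
# Block openers in refpolicy .te style end in a backtick: optional_policy(`,
# tunable_policy(`name',`, ifdef(`distro_debian',` ... closed by a line ')
_BLOCK_OPEN = re.compile(r"^\s*([a-z_]+)\(.*`\s*$")
_BLOCK_CLOSE = re.compile(r"^\s*'\)")

# Constructed sample .te: nut_t/nut_exec_t/nut_conf_t are unconditional,
# the CGI types only exist when the apache module is built, and
# nut_optional_t is declared inside an optional block.
NUT_TE = """\
policy_module(nut, 1.0.0)

type nut_t;
type nut_exec_t;
init_daemon_domain(nut_t, nut_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

optional_policy(`
	# creates httpd_nutups_cgi_script_t/_exec_t only when apache is built
	apache_content_template(nutups_cgi)
')

optional_policy(`
	type nut_optional_t;
')
"""
GETTY_TE = "policy_module(getty, 1.0.0)\n\ntype getty_unit_t;\n"

# Constructed sample .fc, including the getty@ line from the report.
NUT_FC = r"""# constructed file contexts
/etc/ups(/.*)?      gen_context(system_u:object_r:nut_conf_t,s0)
/etc/ups/upsd\.users  --  <<none>>
/usr/sbin/upsd      --  gen_context(system_u:object_r:nut_exec_t,s0)
/usr/lib/systemd/system/getty@\.service -- gen_context(system_u:object_r:getty_unit_t,s0)
/var/www/nut-cgi-bin(/.*)?  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/lib/nut/optional  -d  gen_context(system_u:object_r:nut_optional_t,s0)
"""


def parse_fc(text):
    """Return [(lineno, path, type)] for each entry; <<none>> gives type None."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _FC_LINE.match(line)
        if not m:
            raise ValueError("%d: unparseable file context: %s" % (n, line))
        path = m.group("path")
        if not _PATH_OK.match(path):
            raise ValueError("%d: unexpected characters in %s" % (n, path))
        ctx = m.group("context")
        stype = None if ctx is None else ctx.split(":")[2]
        entries.append((n, path, stype))
    return entries


def unconditional_types(te_text):
    """Types declared with 'type NAME' outside every optional_policy block."""
    declared, stack = set(), []
    for line in te_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if _BLOCK_CLOSE.match(line) and stack:
            stack.pop()
            continue
        m = _TYPE_DECL.match(line)
        if m and "optional_policy" not in stack:
            declared.add(m.group(1))
        m = _BLOCK_OPEN.match(line)
        if m:
            stack.append(m.group(1))
    return declared


def check_fc(fc_text, te_texts):
    """Return [(lineno, message)]; an empty list means every type is safe."""
    declared = set()
    for te in te_texts:
        declared |= unconditional_types(te)
    problems = []
    for n, path, stype in parse_fc(fc_text):
        if stype is not None and stype not in declared:
            problems.append((n, "type %s is not declared unconditionally "
                                "(used by %s)" % (stype, path)))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_fc(NUT_FC, [NUT_TE, GETTY_TE]):
        print("nut.fc:%d: %s" % (lineno, msg))
```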
I followed the wiki tutorial to create a custom tag, but the last tag used by the nginx process is init_t. Can you give me some advice?
I'm building a monolithic refpolicy for an embedded device.
I would like to include an extra "local.te" generated from the AVCs via audit2allow:
cat /var/log/audit/audit.log | audit2allow >> local.te
How do I add it to my monolithic policy?
Thanks!
There are multiple statements referring to initrc_t in the init_systemd block that only handles init_t. Are these meant to be for init_t, or should they be moved to the initrc_t section?
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L327
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L334
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L373
I have a Debian 10 libvirt/KVM host with a Debian 10 VM guest, if I run:
sudo virsh shutdown guest
...the guest does not shut down. If I disable dontaudit's, I see this within the guest's logs:
type=AVC msg=audit(1598187082.086:163): avc: denied { getattr } for pid=583 comm="powerbtn-acpi-s" path="/usr/share/acpi-support/policy-funcs" dev="sda1" ino=2888143 scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Policy version on Debian/stable is:
ii selinux-policy-default 2:2.20190201-2 all Strict and Targeted variants of the SELinux policy
I installed the latest release version of the Refpolicy from the DownloadRelease page. And now I have problems using the userdom_unpriv_user_template macro. I made a module:
policy_module(userdom, 1.0.0)
userdom_unpriv_user_template(pluff)
And semodule -i userdom.pp
gives errors like:
Failed to resolve booleanif statement at ...
Failed to resolve typeattribute statement at ...
This happens because refpolicy doesn't declare the necessary attributes, types, and booleans. But why is this so? When I used the standard selinux policy this macro worked fine. What am I doing wrong?
XFixes 6.1, if accepted by upstream, will allow a client to cause the X Server to terminate. I currently intend to guard this by an x_server manage check, but it should really be x_server destroy. How can I handle this without breaking old policies?
Currently, there is no good way for third-party domains to log users in with pam_selinux.so.
Being able to write user crontabs is enough to execute code as that user.
Allowing the following AVCs makes it work:
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability dac_override;
allow chrome_sandbox_t self:process setcap;
allow chrome_sandbox_t staff_t:file write;
#============= staff_t ==============
allow staff_t chrome_sandbox_t:process setsched;
Presumably similar rules would be needed for other user domains that can use rtkit.
Hello,
When building refpolicy with Python 3.8, make conf fails with:
python3 -t -t -E -W error support/sedoctool.py -b policy/booleans.conf -m policy/modules.conf -x doc/policy.xml
File "support/sedoctool.py", line 269
if desc.data is not '':
^
SyntaxError: "is not" with a literal. Did you mean "!="?
make: *** [Makefile:403: conf.intermediate] Error 1
Could you please replace if desc.data is not '': with if desc.data != '': or if desc.data: in support/sedoctool.py?
Who do I report a security vulnerability in the reference policy to?
this is a replication of:
TL;DR
when xdm is started by OpenRC it additionally wants to
type=AVC msg=audit(1571776002.581:399): avc: denied { chown } for pid=6225 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0
type=AVC msg=audit(1571776002.729:400): avc: denied { chown } for pid=6225 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0
this does not occur if this is run by root: /etc/init.d/xdm start
the bug is fixed when this is allowed: allow xserver_t self:capability chown
I don't know if this can be added to the global policy for xserver:
https://github.com/SELinuxProject/refpolicy/blame/master/policy/modules/services/xserver.te#L636
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/ubac.te:2490:ERROR 'unrecognized protocol sctp' at token 'portcon' on line 28914:
portcon sctp 512-1023 system_u:object_r:hi_reserved_port_t
portcon sctp 1024-65535 system_u:object_r:unreserved_port_t
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1
wenhui@wenhui:~/Downloads$ uname -a
Linux wenhui 4.18.0 #1 SMP Sun Aug 25 22:09:08 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux
Hello,
The udev module still references udev_tbl_t as being stored in /dev, but these days it's located in /run. That prevents some applications (like pcscd) from working properly.
Red Hat went the way of removing the udev_tbl_t type completely, see fedora-selinux/selinux-policy@382acd84f3
Would that be the road to go as well?
Trying to build refpolicy for debian by setting the following configuration:
diff --git a/build.conf b/build.conf
index a2f1a9b5..08e380aa 100644
--- a/build.conf
+++ b/build.conf
@@ -27,7 +27,7 @@ NAME = refpolicy
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = debian
# Unknown Permissions Handling
# The behavior for handling permissions defined in the
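Review bot: the option list in the comment above the changed line (redhat, gentoo, debian, suse, and rhel4) is wider than the DISTRO documentation in the README, which names only redhat, gentoo, and debian; either the comment or the README should be updated so it is clear whether suse and rhel4 are still supported values. Setting DISTRO = debian itself is consistent with the distro_debian block the README describes.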
@@ -46,7 +46,7 @@ DIRECT_INITRC = n
# Systemd
# Setting this will configure systemd as the init system.
-SYSTEMD = n
+SYSTEMD = y
# Build monolithic policy. Putting y here
# will build a monolithic policy.
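Review bot: the SYSTEMD = y edit is a valid configuration change and the -D init_systemd and -D distro_debian definitions in the m4 command that follows confirm both settings were picked up, so the build.conf change is not where the failure originates; the report stops after the gawk step and does not include the actual error line, which is needed to review the failure.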
make conf && make produces the error
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy policy/flask/security_classes policy/flask/initial_sids policy/flask/access_vectors policy/context_defaults support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 policy/mls policy/mcs policy/policy_capabilities > tmp/pre_te_files.conf
python3 -t -t -E -W error support/genclassperms.py policy/flask/access_vectors policy/flask/security_classes > tmp/generated_definitions.conf
test -f policy/booleans.conf && gawk -f support/set_bools_tuns.awk policy/booleans.conf >> tmp/generated_definitions.conf || true
policy/modules/services/jockey.if policy/modules/admin/kdump.if policy/modules/admin/kdumpgui.if policy/modules/services/kerberos.if policy/modules/services/kerneloops.if policy/modules/services/keyboardd.if policy/modules/services/keystone.if policy/modules/admin/kismet.if policy/modules/services/ksmtuned.if policy/modules/services/ktalk.if policy/modules/admin/kudzu.if policy/modules/services/l2tp.if policy/modules/services/ldap.if policy/modules/apps/libmtp.if policy/modules/system/libraries.if policy/modules/apps/lightsquid.if policy/modules/services/likewise.if policy/modules/services/lircd.if policy/modules/apps/livecd.if policy/modules/services/lldpad.if policy/modules/apps/loadkeys.if policy/modules/system/locallogin.if policy/modules/apps/lockdev.if policy/modules/roles/logadm.if policy/modules/system/logging.if policy/modules/admin/logrotate.if policy/modules/admin/logwatch.if policy/modules/services/lpd.if policy/modules/services/lsm.if policy/modules/system/lvm.if policy/modules/services/mailman.if policy/modules/services/mailscanner.if policy/modules/apps/man2html.if policy/modules/apps/mandb.if policy/modules/admin/mcelog.if policy/modules/services/mediawiki.if policy/modules/services/memcached.if policy/modules/services/milter.if policy/modules/services/minidlna.if policy/modules/services/minissdpd.if policy/modules/system/miscfiles.if policy/modules/services/modemmanager.if policy/modules/system/modutils.if policy/modules/services/mojomojo.if policy/modules/services/mon.if policy/modules/services/mongodb.if policy/modules/services/monit.if policy/modules/apps/mono.if policy/modules/services/monop.if policy/modules/system/mount.if policy/modules/apps/mozilla.if policy/modules/services/mpd.if policy/modules/apps/mplayer.if policy/modules/admin/mrtg.if policy/modules/services/mta.if policy/modules/services/munin.if policy/modules/services/mysql.if policy/modules/services/nagios.if policy/modules/admin/ncftool.if policy/modules/services/nessus.if 
policy/modules/system/netlabel.if policy/modules/admin/netutils.if policy/modules/services/networkmanager.if policy/modules/services/nis.if policy/modules/services/nscd.if policy/modules/services/nsd.if policy/modules/services/nslcd.if policy/modules/services/ntop.if policy/modules/services/ntp.if policy/modules/services/numad.if policy/modules/services/nut.if policy/modules/services/nx.if policy/modules/services/oav.if policy/modules/services/obex.if policy/modules/services/oddjob.if policy/modules/services/oident.if policy/modules/services/openca.if policy/modules/services/openct.if policy/modules/services/openhpi.if policy/modules/apps/openoffice.if policy/modules/services/openvpn.if policy/modules/services/openvswitch.if policy/modules/services/pacemaker.if policy/modules/services/pads.if policy/modules/admin/passenger.if policy/modules/system/pcmcia.if policy/modules/services/pcscd.if policy/modules/services/pegasus.if policy/modules/services/perdition.if policy/modules/services/pingd.if policy/modules/services/pkcs.if policy/modules/services/plymouthd.if policy/modules/apps/podsleuth.if policy/modules/services/policykit.if policy/modules/services/polipo.if policy/modules/admin/portage.if policy/modules/services/portmap.if policy/modules/services/portreserve.if policy/modules/services/portslave.if policy/modules/services/postfix.if policy/modules/services/postfixpolicyd.if policy/modules/services/postgresql.if policy/modules/services/postgrey.if policy/modules/services/ppp.if policy/modules/admin/prelink.if policy/modules/services/prelude.if policy/modules/services/privoxy.if policy/modules/services/procmail.if policy/modules/services/psad.if policy/modules/apps/ptchown.if policy/modules/services/publicfile.if policy/modules/apps/pulseaudio.if policy/modules/admin/puppet.if policy/modules/services/pwauth.if policy/modules/services/pxe.if policy/modules/services/pyicqt.if policy/modules/services/pyzor.if policy/modules/apps/qemu.if 
policy/modules/services/qmail.if policy/modules/services/qpid.if policy/modules/services/quantum.if policy/modules/admin/quota.if policy/modules/services/rabbitmq.if policy/modules/services/radius.if policy/modules/services/radvd.if policy/modules/system/raid.if policy/modules/services/razor.if policy/modules/services/rdisc.if policy/modules/admin/readahead.if policy/modules/services/realmd.if policy/modules/services/redis.if policy/modules/services/remotelogin.if policy/modules/services/resmgr.if policy/modules/services/rgmanager.if policy/modules/services/rhcs.if policy/modules/services/rhgb.if policy/modules/services/rhsmcertd.if policy/modules/services/ricci.if policy/modules/admin/rkhunter.if policy/modules/services/rlogin.if policy/modules/services/rngd.if policy/modules/services/roundup.if policy/modules/services/rpc.if policy/modules/services/rpcbind.if policy/modules/admin/rpm.if policy/modules/services/rshd.if policy/modules/apps/rssh.if policy/modules/services/rsync.if policy/modules/services/rtkit.if policy/modules/services/rwho.if policy/modules/services/samba.if policy/modules/apps/sambagui.if policy/modules/admin/samhain.if policy/modules/services/sanlock.if policy/modules/services/sasl.if policy/modules/admin/sblim.if policy/modules/apps/screen.if policy/modules/roles/secadm.if policy/modules/admin/sectoolm.if policy/modules/system/selinuxutil.if policy/modules/services/sendmail.if policy/modules/services/sensord.if policy/modules/system/setrans.if policy/modules/services/setroubleshoot.if policy/modules/apps/seunshare.if policy/modules/services/shibboleth.if policy/modules/admin/shorewall.if policy/modules/admin/shutdown.if policy/modules/apps/sigrok.if policy/modules/apps/slocate.if policy/modules/services/slpd.if policy/modules/services/slrnpull.if policy/modules/services/smartmon.if policy/modules/services/smokeping.if policy/modules/admin/smoltclient.if policy/modules/services/smstools.if policy/modules/services/snmp.if 
policy/modules/services/snort.if policy/modules/admin/sosreport.if policy/modules/services/soundserver.if policy/modules/services/spamassassin.if policy/modules/services/speedtouch.if policy/modules/services/squid.if policy/modules/services/ssh.if policy/modules/services/sssd.if policy/modules/roles/staff.if policy/modules/kernel/storage.if policy/modules/services/stubby.if policy/modules/services/stunnel.if policy/modules/admin/su.if policy/modules/admin/sudo.if policy/modules/services/svnserve.if policy/modules/admin/sxid.if policy/modules/apps/syncthing.if policy/modules/roles/sysadm.if policy/modules/system/sysnetwork.if policy/modules/services/sysstat.if policy/modules/system/systemd.if policy/modules/services/systemtap.if policy/modules/admin/tboot.if policy/modules/services/tcpd.if policy/modules/services/tcsd.if policy/modules/apps/telepathy.if policy/modules/services/telnet.if policy/modules/services/tftp.if policy/modules/services/tgtd.if policy/modules/apps/thunderbird.if policy/modules/services/timidity.if policy/modules/admin/tmpreaper.if policy/modules/services/tor.if policy/modules/services/transproxy.if policy/modules/admin/tripwire.if policy/modules/services/tuned.if policy/modules/apps/tvtime.if policy/modules/admin/tzdata.if policy/modules/services/ucspitcp.if policy/modules/system/udev.if policy/modules/services/ulogd.if policy/modules/apps/uml.if policy/modules/system/unconfined.if policy/modules/roles/unprivuser.if policy/modules/admin/updfstab.if policy/modules/services/uptime.if policy/modules/admin/usbmodules.if policy/modules/services/usbmuxd.if policy/modules/system/userdomain.if policy/modules/apps/userhelper.if policy/modules/admin/usermanage.if policy/modules/apps/usernetctl.if policy/modules/services/uucp.if policy/modules/services/uuidd.if policy/modules/services/uwimap.if policy/modules/services/varnishd.if policy/modules/admin/vbetool.if policy/modules/services/vdagent.if policy/modules/services/vhostmd.if 
policy/modules/services/virt.if policy/modules/apps/vlock.if policy/modules/apps/vmware.if policy/modules/services/vnstatd.if policy/modules/admin/vpn.if policy/modules/services/w3c.if policy/modules/services/watchdog.if policy/modules/services/wdmd.if policy/modules/roles/webadm.if policy/modules/apps/webalizer.if policy/modules/apps/wine.if policy/modules/apps/wireshark.if policy/modules/apps/wm.if policy/modules/system/xdg.if policy/modules/system/xen.if policy/modules/services/xfs.if policy/modules/roles/xguest.if policy/modules/services/xprint.if policy/modules/apps/xscreensaver.if policy/modules/services/xserver.if policy/modules/apps/yam.if policy/modules/services/zabbix.if policy/modules/services/zarafa.if policy/modules/services/zebra.if policy/modules/services/zosremote.if support/iferror.m4 >> tmp/all_interfaces.conf.tmp
sed -e s/dollarsstar/\$\*/g tmp/all_interfaces.conf.tmp >> tmp/all_interfaces.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy -s support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/kernel/corecommands.te policy/modules/kernel/corenetwork.te policy/modules/kernel/devices.te policy/modules/kernel/domain.te policy/modules/kernel/files.te policy/modules/kernel/filesystem.te policy/modules/kernel/kernel.te policy/modules/kernel/mcs.te policy/modules/kernel/mls.te policy/modules/kernel/selinux.te policy/modules/kernel/terminal.te policy/modules/kernel/ubac.te support/fatal_error.m4 > tmp/all_te_files.conf
sed -r -f support/get_type_attr_decl.sed tmp/all_te_files.conf | LC_ALL=C sort > tmp/all_attrs_types.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf policy/global_booleans policy/global_tunables > tmp/global_bools.conf
sed -r -f support/comment_move_decl.sed tmp/all_te_files.conf > tmp/only_te_rules.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf policy/users policy/constraints > tmp/post_te_files.conf
cat tmp/post_te_files.conf > tmp/all_post.conf
egrep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^portcon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^netifcon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^nodecon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^ibpkeycon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^ibendportcon tmp/all_te_files.conf >> tmp/all_post.conf || true
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/ubac.te:2490:ERROR 'unrecognized protocol sctp' at token 'portcon' on line 29847:
portcon sctp 512-1023 system_u:object_r:hi_reserved_port_t
portcon sctp 1024-65535 system_u:object_r:unreserved_port_t
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1
The current refpolicy CPE still points to tresys; however, this project moved over to selinuxproject. Please add an updated entry to nvm.nist.gov.
Attempting to load the policy with systemd on gentoo results in errors, failing to generate the binary policy file.
Conflicting type rules (scontext=dbadm_t tcontext=mysqld_initrc_exec_t tclass=process result=run_init_t), existing=initrc_t
The following shows the specific build configs:
diff --git a/build.conf b/build.conf
index a2f1a9b5..1e6a61c8 100644
--- a/build.conf
+++ b/build.conf
@@ -20,3 +20,3 @@ TYPE = standard
# used for the name.
-NAME = refpolicy
+NAME = systemdg
@@ -29,3 +29,3 @@ NAME = refpolicy
# Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = gentoo
@@ -44,3 +44,3 @@ UNK_PERMS = deny
# not work in conditional policy.
-DIRECT_INITRC = n
+DIRECT_INITRC = y
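Review bot: DIRECT_INITRC = y is the first setting to revisit for the "Conflicting type rules" error quoted in the report (scontext=dbadm_t tcontext=mysqld_initrc_exec_t result=run_init_t, existing=initrc_t): that message says two different domain transitions are declared for dbadm_t executing the same mysqld init script, one via run_init_t and one directly into initrc_t, and the direct transition is what this option turns on; the comment fragment in this hunk ("not work in conditional policy") is why it is a build-time switch rather than a boolean. Since SYSTEMD = y is also being set in the hunk below, rebuild with DIRECT_INITRC = n and check whether the conflict goes away before treating it as a policy bug.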
@@ -48,3 +48,3 @@ DIRECT_INITRC = n
# Setting this will configure systemd as the init system.
-SYSTEMD = n
+SYSTEMD = y
diff --git a/config/local.users b/config/local.users
index 3f5dd1f5..94ea215b 100644
--- a/config/local.users
+++ b/config/local.users
@@ -18,2 +18,3 @@
# user jadmin roles { staff_r sysadm_r };
+user ilmostro roles { staff_r sysadm_r };
There are multiple places where a pipe is now used with m4. As per #389 (comment), intermediates are preferred.
After my testmakes below, I think there should be either no shell pipes at all (or at least none that can possibly fail), or there should be .SHELLFLAGS := -c -o pipefail. Otherwise failures can be hidden.
$ cat testmake
a: m4exit.m4
	m4 $^ | sed -e s/1/2/
b: m4exit.m4
	m4 $^ > tmp1
	sed -e s/1/2/ tmp1
m4exit.m4:
	echo "m4exit(\`1')" > $@
$ cat testmake-pipefail
.SHELLFLAGS := -c -o pipefail
a: m4exit.m4
	m4 $^ | sed -e s/1/2/
b: m4exit.m4
	m4 $^ > tmp1
	sed -e s/1/2/ tmp1
m4exit.m4:
	echo "m4exit(\`1')" > $@
Now without -o pipefail, using pipe does not fail:
$ make -f testmake -k a b
m4 m4exit.m4 | sed -e s/1/2/
m4 m4exit.m4 > tmp1
make: *** [testmake:6: b] Error 1
With -o pipefail, both examples fail as expected:
$ make -f testmake-pipefail -k a b
m4 m4exit.m4 | sed -e s/1/2/
make: *** [testmake-pipefail:4: a] Error 1
m4 m4exit.m4 > tmp1
make: *** [testmake-pipefail:6: b] Error 1
There are multiple cases where a pipe is used. Regarding m4, at least these:
Line 379 in 6c2f4bf
Line 388 in 6c2f4bf
Line 482 in 6c2f4bf
Line 498 in 6c2f4bf
Line 107 in 6c2f4bf
Line 111 in 6c2f4bf
Line 253 in 6c2f4bf
refpolicy/support/Makefile.devel
Line 180 in 6c2f4bf
Other substantial cases:
Line 508 in 6c2f4bf
Line 165 in 6c2f4bf
I introduced this issue at #389, but now I think it should have its own issue and maybe a patch set if it is deemed something to be actioned upon, as this has to do mostly with correctness and minimally with speedup.
Hi, I'm encountering errors in the lockdown subsystem where kmod_t and udev_t are forbidden the use of tracefs. I've been able to skate without rules allowing confidentiality for these types up until the last kernel update (Arch hardened x64, 5.10.12), at which point I'm seeing log errors that look like this:
AVC avc: denied {confidentiality} for pid=325 comm=systemd-udevd lockdown reason="use of tracefs" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=lockdown permissive=0
Could not create tracefs "filter" entry Could not create tracefs "id" entry Could not create tracefs "enable" entry
These are showing up practically thousands of times and making it impossible to read the log when it's needed to diagnose problems (after a kernel or application panic, for instance). Masking tracefs, which one would think would prevent it from loading and thereby any attempts to use it, doesn't help. If this is the way it is for a reason, can someone please enlighten me as to why, and if not, is there anything that can be done?
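When a single lockdown denial repeats thousands of times, the useful first step is to collapse the log into one row per (source type, permission, lockdown reason) so the distinct policy gaps stand out. The parser and aggregator below are an added example, not code from this issue or from refpolicy; the sample log is constructed, with the first line copied from the report and the rest made up (including a non-lockdown file denial that must be excluded from the lockdown summary).

```python
import re
from collections import Counter

# Constructed sample log: the first line is the denial quoted in the report,
# the others are made up to show aggregation across types and permissions.
SAMPLE_LOG = """\
AVC avc: denied {confidentiality} for pid=325 comm=systemd-udevd lockdown reason="use of tracefs" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=lockdown permissive=0
AVC avc: denied {confidentiality} for pid=325 comm=systemd-udevd lockdown reason="use of tracefs" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=lockdown permissive=0
AVC avc: denied { confidentiality } for pid=412 comm=modprobe lockdown reason="use of tracefs" scontext=system_u:system_r:kmod_t tcontext=system_u:system_r:kmod_t tclass=lockdown permissive=0
AVC avc: denied { integrity } for pid=510 comm=kexec lockdown reason="kexec of unsigned images" scontext=system_u:system_r:sysadm_t tcontext=system_u:system_r:sysadm_t tclass=lockdown permissive=0
AVC avc: denied { read } for pid=600 comm=cat path="/etc/shadow" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:shadow_t tclass=file permissive=0
Could not create tracefs "filter" entry
"""

# "avc: denied { perm perm } for key=value ..."; the braces may or may not
# carry inner spaces depending on the kernel version and log formatter.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; quoted values (reason="use of tracefs") may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def source_type(context):
    """user:role:type[:mls] -> type"""
    return context.split(":")[2]


def summarize_lockdown(log_text):
    """Count lockdown-class denials by (source type, permission, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "lockdown":
            continue
        for perm in rec["perms"]:
            counts[(source_type(rec["scontext"]), perm, rec.get("reason", ""))] += 1
    return counts


if __name__ == "__main__":
    for (stype, perm, reason), n in summarize_lockdown(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {stype:<12} {perm:<16} {reason}")
```

Each row of the summary corresponds to one allow rule (or one deliberate refusal) to decide on, which is a far smaller list than the raw log suggests.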
Earlier there was a policy/modules.conf file which could be used to prevent a module from being used. Now I don't find this file.
This file contains a listing of available modules, and how they will be used when building Reference Policy. To prevent a module from being used, set the module to "off". For monolithic policies, modules set to "base" and "module" will be included in the policy. For modular policies, modules set to "base" will be included in the base module; those set to "module" will be compiled as individual loadable modules.
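As an added example (not part of refpolicy), here is a small reader for that file format that applies the three settings exactly as the header describes and reports what ends up in a monolithic versus a modular build. The sample modules.conf is constructed; it assumes the "# Required in base" comment marker that generated modules.conf files carry for modules that cannot be built as loadable modules, and rejects such a module if it is set to anything but "base".

```python
# Constructed sample in the layout of a generated modules.conf.
SAMPLE_MODULES_CONF = """\
# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem, and unlabeled processes and objects.
#
kernel = base

# Layer: services
# Module: apache
#
# Apache web server
#
apache = module

# Layer: services
# Module: telnet
#
# Telnet daemon
#
telnet = off

# Layer: system
# Module: init
# Required in base
#
init=base
"""

VALID_SETTINGS = ("base", "module", "off")


def parse_modules_conf(text):
    """Return (settings, required) where settings maps module -> setting and
    required is the set of modules flagged "# Required in base".

    Raises ValueError on an unknown setting, a malformed line, or a module
    flagged as required in base that is not set to "base"."""
    settings = {}
    required = set()
    pending_required = False  # set by the comment header preceding a module
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            if line[1:].strip().lower() == "required in base":
                pending_required = True
            continue
        if not line:
            pending_required = False  # entries are separated by blank lines
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'name = setting', got {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        if value not in VALID_SETTINGS:
            raise ValueError(f"line {lineno}: unknown setting {value!r} for {name}")
        if pending_required:
            required.add(name)
            if value != "base":
                raise ValueError(f"line {lineno}: {name} is required in base but set to {value!r}")
        pending_required = False
        settings[name] = value
    return settings, required


def modules_for(settings, policy_type):
    """Which modules the build includes, per the rules in the file header."""
    if policy_type == "monolithic":
        # "base" and "module" both go into the single policy; "off" is dropped.
        return {"policy": sorted(n for n, s in settings.items() if s != "off")}
    if policy_type == "modular":
        # "base" into the base module, "module" into individual .pp files.
        return {
            "base": sorted(n for n, s in settings.items() if s == "base"),
            "modules": sorted(n for n, s in settings.items() if s == "module"),
        }
    raise ValueError(f"unknown policy type {policy_type!r}")


if __name__ == "__main__":
    settings, required = parse_modules_conf(SAMPLE_MODULES_CONF)
    print("required in base:", sorted(required))
    print("modular build:   ", modules_for(settings, "modular"))
    print("monolithic build:", modules_for(settings, "monolithic"))
```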
It seems that this repository underwent a reconfiguration for the Travis checks and now there are two CI checks defined. Both are Travis CI, but one (the newer) is working while the other one (the older) does not. Should the continuous-integration/travis-ci check be decommissioned?
Is there any way to completely disable booleans support in refpolicy? Thanks.
Writing to /tmp is often enough to execute code as the UID the daemon is running as, often root. This can bypass SELinux restrictions.
Since version 246 of systemd, /usr/lib/systemd/systemd-udevd has become a symlink to /usr/bin/udevadm. This means that udevd is now run in the udevadm_t domain, and that breaks things.
Original labels as reference:
/usr/bin/udevadm system_u:object_r:udevadm_exec_t:SystemLow
/usr/lib/systemd/systemd-udevd system_u:object_r:udev_exec_t:SystemLow
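The reason the domain changes is that execve() follows the symlink and the domain transition is keyed on the type of the file actually executed, so the label on the symlink path itself is never consulted. The model below is an added example, not code from the issue or from refpolicy: the file_contexts fragment, the symlink table and the transition table are constructed from the two labels quoted above (udevadm_exec_t and udev_exec_t), and the matching rule is the one libselinux uses for file_contexts, the last matching entry wins.

```python
import posixpath
import re

# Constructed file_contexts fragment: (regex, file type, context), in file order.
FILE_CONTEXTS = [
    (r"/usr/bin/.*", "--", "system_u:object_r:bin_t"),
    (r"/usr/bin/udevadm", "--", "system_u:object_r:udevadm_exec_t"),
    (r"/usr/lib/systemd/systemd-udevd", "--", "system_u:object_r:udev_exec_t"),
]

# Constructed filesystem views: path -> symlink target, or None for a regular file.
LINKS_SYSTEMD_246 = {
    "/usr/lib/systemd/systemd-udevd": "../../bin/udevadm",  # relative link, as shipped
    "/usr/bin/udevadm": None,
}
LINKS_BEFORE_246 = {
    "/usr/lib/systemd/systemd-udevd": None,  # a real binary with its own label
    "/usr/bin/udevadm": None,
}

# Constructed domain-transition table: executable type -> domain entered.
DOMTRANS = {
    "udev_exec_t": "udev_t",
    "udevadm_exec_t": "udevadm_t",
}


def resolve(path, links, limit=40):
    """Follow symlinks the way the kernel does before executing a file."""
    hops = 0
    while links.get(path) is not None:
        target = links[path]
        if not target.startswith("/"):
            target = posixpath.join(posixpath.dirname(path), target)
        path = posixpath.normpath(target)
        hops += 1
        if hops > limit:
            raise OSError("too many levels of symbolic links")
    return path


def label_for(path, fcs=FILE_CONTEXTS):
    """Context from file_contexts: the last matching (anchored) regex wins."""
    label = None
    for regex, _ftype, context in fcs:
        if re.fullmatch(regex, path):
            label = context
    return label


def exec_domain(path, links):
    """(domain entered, file actually executed) for a domtrans on `path`."""
    target = resolve(path, links)
    exec_type = label_for(target).split(":")[2]
    return DOMTRANS.get(exec_type), target


if __name__ == "__main__":
    udevd = "/usr/lib/systemd/systemd-udevd"
    print("before 246:", exec_domain(udevd, LINKS_BEFORE_246))
    print("since 246: ", exec_domain(udevd, LINKS_SYSTEMD_246))
```

The label on the symlink path (udev_exec_t) is still what `label_for` returns for `/usr/lib/systemd/systemd-udevd`, but `exec_domain` reports udevadm_t once the link is in place, which is precisely the mismatch the issue describes.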