selinuxproject / refpolicy Goto Github PK

SELinux Reference Policy v2

Home Page: https://github.com/SELinuxProject/refpolicy/wiki

License: GNU General Public License v2.0

Makefile 16.56% M4 14.58% sed 0.86% Python 66.56% Shell 1.29% Awk 0.14%

access-control policy rbac security security-hardening security-policy selinux

refpolicy's Introduction

1) Reference Policy make targets:

General Make targets:

install-src		Install the policy sources into
			/etc/selinux/NAME/src/policy, where NAME is defined in
			the Makefile.  If not defined, the TYPE, as defined in
			the Makefile, is used.  The default NAME is refpolicy.
			A pre-existing source policy will be moved to
			/etc/selinux/NAME/src/policy.bak.

conf			Regenerate policy.xml, and update/create modules.conf
			and booleans.conf.  This should be done after adding
			or removing modules, or after running the bare target.
			If the configuration files exist, their settings will
			be preserved.  This must be ran on policy sources that
			are checked out from the CVS repository before they can
			be used.

clean			Delete all temporary files, compiled policies,
			and file_contexts.  Configuration files are left intact.

bare			Do the clean make target and also delete configuration
			files, web page documentation, and policy.xml.

html			Regenerate policy.xml and create web page documentation
			in the doc/html directory.

Make targets specific to modular (loadable modules) policies:

base			Compile and package the base module.  This is the
			default target for modular policies.

modules			Compile and package all Reference Policy modules
			configured to be built as loadable modules.

MODULENAME.pp		Compile and package the MODULENAME Reference Policy
			module.

all			Compile and package the base module and all Reference
			Policy modules configured to be built as loadable
			modules.

install			Compile, package, and install the base module and
			Reference Policy modules configured to be built as
			loadable modules.

load			Compile, package, and install the base module and
			Reference Policy modules configured to be built as
			loadable modules, then insert them into the module
			store.

validate		Validate if the configured modules can successfully
			link and expand.

install-headers		Install the policy headers into /usr/share/selinux/NAME.
			The headers are sufficient for building a policy
			module locally, without requiring the complete
			Reference Policy sources.  The build.conf settings
			for this policy configuration should be set before
			using this target.

build-interface-db	Build the policy interface database with
			'sepolgen-ifgen'.  This database is required for
			reference style policy generation by
			'audit2allow --reference'.

Make targets specific to monolithic policies:

policy			Compile a policy locally for development and testing.
			This is the default target for monolithic policies.

install			Compile and install the policy and file contexts.

load			Compile and install the policy and file contexts, then
			load the policy.

enableaudit		Remove all dontaudit rules from policy.conf.

relabel			Relabel the filesystem.

checklabels		Check the labels on the filesystem, and report when
			a file would be relabeled, but do not change its label.

restorelabels		Relabel the filesystem and report each file that is
			relabeled.


2) Reference Policy Build Options (build.conf)

TYPE			String.  Available options are standard, mls, and mcs.
			For a type enforcement only system, set standard.
			This optionally enables multi-level security (MLS) or
			multi-category security (MCS) features.  This option
			controls enable_mls, and enable_mcs policy blocks.

NAME			String (optional).  Sets the name of the policy; the
			NAME is used when installing files to e.g.,
			/etc/selinux/NAME and /usr/share/selinux/NAME.  If not
			set, the policy type (TYPE) is used.

DISTRO			String (optional).  Enable distribution-specific policy.
			Available options are redhat, gentoo, and debian.
			This option controls distro_redhat, distro_gentoo, and
			distro_debian build option policy blocks.

MONOLITHIC		Boolean.  If set, a monolithic policy is built,
			otherwise a modular policy is built.

DIRECT_INITRC		Boolean.  If set, sysadm will be allowed to directly
			run init scripts, instead of requiring the run_init
			tool.  This is a build option instead of a tunable since
			role transitions do not work in conditional policy.
			This option controls direct_sysadm_daemon policy
			blocks.

OUTPUT_POLICY		Integer.  Set the version of the policy created when
			building a monolithic policy.  This option has no effect
			on modular policy.

UNK_PERMS		String.  Set the kernel behavior for handling of
			permissions defined in the kernel but missing from the
			policy.  The permissions can either be allowed (allow),
			denied (deny), or the policy loading can be rejected
			(reject).

UBAC			Boolean.  If set, the SELinux user will be used
			additionally for approximate role separation.

SYSTEMD			Boolean.  If set, systemd will be assumed to be the init
			process provider.

MLS_SENS		Integer.  Set the number of sensitivities in the MLS
			policy.  Ignored on standard and MCS policies.

MLS_CATS		Integer.  Set the number of categories in the MLS
			policy.  Ignored on standard and MCS policies.

MCS_CATS		Integer.  Set the number of categories in the MCS
			policy.  Ignored on standard and MLS policies.

QUIET			Boolean.  If set, the build system will only display
			status messages and error messages.  This option has no
			effect on policy.

WERROR			Boolean.  If set, the build system will treat warnings
			as errors.  If any warnings are encountered, the build
			will fail.


3) Reference Policy Files and Directories
All directories relative to the root of the Reference Policy sources directory.

Makefile		General rules for building the policy.

Rules.modular		Makefile rules specific to building loadable module
			policies.

Rules.monolithic	Makefile rules specific to building monolithic policies.

build.conf		Options which influence the building of the policy,
			such as the policy type and distribution.

config/appconfig-*	Application configuration files for all configurations
			of the Reference Policy (targeted/strict with or without
			MLS or MCS).  These are used by SELinux-aware programs.

config/local.users	The file read by load policy for adding SELinux users
			to the policy on the fly.

doc/html/*		This contains the contents of the in-policy XML
			documentation, presented in web page form.

doc/policy.dtd		The doc/policy.xml file is validated against this DTD.

doc/policy.xml		This file is generated/updated by the conf and html make
			targets.  It contains the complete XML documentation
			included in the policy.

doc/templates/*		Templates used for documentation web pages.

policy/booleans.conf	This file is generated/updated by the conf make target.
			It contains the booleans in the policy, and their
			default values.  If tunables are implemented as
			booleans, tunables will also be included.  This file
			will be installed as the /etc/selinux/NAME/booleans
			file.

policy/constraints	This file defines additional constraints on permissions
			in the form of boolean expressions that must be
			satisfied in order for specified permissions to be
			granted.  These constraints are used to further refine
			the type enforcement rules and the role allow rules.
			Typically, these constraints are used to restrict
			changes in user identity or role to certain domains.

policy/global_booleans	This file defines all booleans that have a global scope,
			their default value, and documentation.

policy/global_tunables	This file defines all tunables that have a global scope,
			their default value, and documentation.

policy/flask/initial_sids  This file has declarations for each initial SID.

policy/flask/security_classes  This file has declarations for each security class.

policy/flask/access_vectors  This file defines the access vectors.  Common
			prefixes for access vectors may be defined at the
			beginning of the file.  After the common prefixes are
			defined, an access vector may be defined for each
			security class.

policy/mcs		The multi-category security (MCS) configuration.

policy/mls		The multi-level security (MLS) configuration.

policy/modules/*	Each directory represents a layer in Reference Policy
			all of the modules are contained in one of these layers.

policy/modules.conf	This file contains a listing of available modules, and
			how they will be used when building Reference Policy. To
			prevent a module from  being used, set the module to
			"off".  For monolithic policies, modules set to "base"
			and "module" will be included in the policy.  For
			modular policies, modules set to "base"	will be included
			in the base module; those set to "module" will be
			compiled as individual loadable	modules.

policy/support/*	Support macros.

policy/users		This file defines the users included in the policy.

support/*		Tools used in the build process.


4) Building policy modules using Reference Policy headers:

The system must first have the Reference Policy headers installed, typically
by the distribution.  Otherwise, the headers can be installed using the
install-headers target from the full Reference Policy sources.

To set up a directory to build a local module, one must simply place a .te
file in a directory.  A sample Makefile to use in the directory is the
Makefile.example in the doc directory.  This may be installed in
/usr/share/doc, under the directory for the distribution's policy.
Alternatively, the primary Makefile in the headers directory (typically
/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f
option.

Larger projects can set up a structure of layers, just as in Reference
Policy, by creating policy/modules/LAYERNAME directories.  Each layer also
must have a metadata.xml file which is an XML file with a summary tag and
optional desc (long description) tag.  This should describe the purpose of
the layer.

Metadata.xml example:

<summary>ABC modules for the XYZ components.</summary>

Make targets for modules built from headers:

MODULENAME.pp		Compile and package the MODULENAME local module.

all			Compile and package the modules in the current
			directory.

load			Compile and package the modules in the current
			directory, then insert them into the module store.

refresh			Attempts to reinsert all modules that are currently
			in the module store from the local and system module
			packages.

xml			Build a policy.xml from the XML included with the
			base policy headers and any XML in the modules in
			the current directory.

refpolicy's People

Contributors

Stargazers

Watchers

Forkers

pebenito garyttierney avd26 mpalmi msgpo ypcs jefferyq bigon yuvalturg pevik kaymccormick konstantinous fishilico jeremysolt alexminder benjaminlefoul sgnls jjmcdn onokatio dsugar100 wonder93 fengxingwei369 bauen1 gitstashpop wenhuizhang bachradsusi cgzones kbc1992 surfndez msuarezd androidacy-user leairdcj privacytoolkit eric-ch acidburn0zzz stephensmalley dburgener pdmorrow topimiettinen bluca megaparanoik fajs dsommers tbt294 mcsim85 expeditioneer marshalljmiller bradeales yizhao1 dahchanson jpds atenart itsintern deepak-rawat bootlin vantier galaxy4public 0xc0ncord rbramwell jonathanprecise dschadlich minimaxwell efourd sule01u krissn bartzjegr copperii global-localhost global19 global19-atlassian-net capashenn xwsong schaffung koncpa x539 maage coolscripting binary-reverser classicvalues brushless-glitch ekmixon pedrxd besser82 saaloni vmojzis azurecloudmonk dweomer maxbrodeururbas sitedata pcmoore aoscloud hbakken jaormx abeltrano gvanuxem bmeister69 crazyherozk tormath1 mcjix ulaset

refpolicy's Issues

Reference policy gives following error when trying to get audit denial logs and modules load time

Hi,
I have taken reference policy and compiled, but it gives the following error
** Libsepol. context_from_record: MLS is disabled, but MLS context "s0" found
Libsepol. context_from_record: could not create context structure**
This error when trying to get denial logs using **audit2allow -a -w** and modules load time. Here I'm using the reference policy old version with required dependency packages and I tried all versions of the reference policy with a required dependence version of packages but I'm not succeeding.

Thanks in advance,

Proposal: add an attribute to remove default ioctl access

#76 (SELinux ioctl allowlist) was (understandably) closed, as it would have required a large amount of effort and had a high risk of breakage.

That said, I would still like to be able to restrict the ioctls a process can use via SELinux. This can be done by means of an attribute. Types with that attribute are given xperm rules that block all ioctls. Any needed ioctls can be allowed by user-provided xperm rules.

I would be willing to write a PR for this, if upstream is interested.

tmp/all_interfaces.conf keeps content of previous builds

Is there a reason why tmp/all_interfaces.conf keeps the content of old builds.

refpolicy/Rules.modular

Lines 139 to 145 in dd04789

 $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror) 

 @test -d $(tmpdir) || mkdir -p $(tmpdir) 

 @echo "divert(-1)" > $@ 

 $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp 

 $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@ 

 @echo "divert" >> $@

In particular line 142 appends to the temporary file.

context xterm

xterm has a context system_u system_r xdm_t, please tell me how to correctly change this context so that it works in the context of the user. 1. create a module similar terminal.te? 2. through a command chcon 3.through the context of executable files.

Add option -E to setfiles calls in the future

Since SELinuxProject/selinux@5447c84 was applied, we might want to add the flag -E to setfiles calls in the future, when the containing SELinux release is broadly available.

Provide barebones versions of existing domains

Currently, domain adds more permissions than are actually needed.

It would be nice to have a type (barebones_domain?) that includes exactly the permissions needed to run a program that does nothing, and no more. Similarly, there would be a barebones_daemon with the minimum permissions for a daemon that just immediately exits, and so on.

This would be useful for those who want a strict default-deny policy, since it ensures that access is not accidentally granted.

"make tags" fails on Debian

I tried to create a ctags file with make ctags and got this message:

make: Circular tags <- tags dependency dropped.
ctags-exuberant: Warning: cannot open source file "policy/modules/*/*.{if,te}" : No such file or directory
root@debian:/home/guest/refpolicy_custom# su guest

It works good when I substitute this pattern with "policy/modules//.if policy/modules//.te" in the Makefile. Also, ctags can parse the *.{if,te} pattern from the command line.

Allow system_dbusd_t read/write privilege to tun_tap_device_t

I'm working on the OpenVPN 3 Linux project which is a brand new OpenVPN client which makes heavy use of D-Bus to solve a lot of challenges the current OpenVPN 2.x generation has on modern Linux systems.

OpenVPN 3 Linux depends heavily on D-Bus, where multiple daemons serve very specific task and the IPC happens over D-Bus. One challenge we have on SELinux enabled systems (in particular Fedora and RHEL) is that SELinux does not allow the dbus-daemon to pass a FD from one D-Bus service to another one when the FD is tied to /dev/net/tun.

Currently we ship our own SELinux policy to resolve this issue, which can be seen here in openvpn3.te.

The policy we wrote attempted to be a generic as possible (with the filename being the exception), as this doesn't look like an OpenVPN only related issue, but something which could hit anyone wanting to pass a FD to a tun device over D-Bus.

If this looks like a reasonable solution which could be applied to the the SELinux reference policy, I'm happy to submit a pull-request for it.

unconfined domains aren't allowed to fully use dbus

Originally reported to Red Hat since it was seen on modern Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=1647920

Seems to be a general refpolicy issue though.

The basic issue is that a domain with unconfined_domain(my_domain_t) will be allowed to send messages over dbus without issue. However the responses will often be rejected because there is no rule allowing the other domain to send_msg to my_domain_t.

Example AVC where thinlinc_webaccess_t is unconfined:

type=USER_AVC msg=audit(1541681954.605:398): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.730 spid=1 tpid=5844 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webaccess_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

It looks like this bug was fixed here:

TresysTechnology/refpolicy-contrib@6bef7a1

But then reverted because of security issues here:

TresysTechnology/refpolicy-contrib@bc14741

Does anyone have any reference for those security problems?

If unconfined domains cannot use dbus by default, then this should be clearly documented for unconfined_domain(), and there should be some information on how to enable dbus for such domains. Explicitly listing every other domain (or using equivalent macros such as init_dbus_chat()) defeats the whole purpose of unconfined_domain().

What risk am I taking by adding this and allowing full dbus communication to my domain:

allow { dbusd_session_bus_client dbusd_system_bus_client } thinlinc_webaccess_t:dbus send_msg;

ipsec_mgmt_t needs to be able to drop privileges

StrongSwan supports switching users after startup. However, SELinux currently blocks this, as ipsec_mgmt_t is not allowed CAP_SETUID or CAP_SETGID.

Of course, running StrongSwan as an unprivileged user (with capabilities) would be preferable, but isn’t supported well.

Use SELinux ioctl whitelist

Currently, ioctls are not whitelisted. Whitelisting them would significantly improve security.

How to properly handle optional parameters in file context?

Some parameters such as httpd_nutups_cgi_script_t is defined as optional in nut.te but httpd_nutups_cgi_script_exec_t is unconditionally used in nut.fc resulting in the following build failure when validating file context without services/apache:

Validating targeted file_contexts.
env LD_LIBRARY_PATH="/tmp/instance-1/output-1/host/lib:/tmp/instance-1/output-1/host/usr/lib" /tmp/instance-1/output-1/host/sbin/setfiles -q -c /tmp/instance-1/output-1/target/etc/selinux/targeted/policy/policy.33 file_contexts
libsepol.context_from_record: type httpd_nutups_cgi_script_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_nutups_cgi_script_exec_t to sid
invalid context system_u:object_r:httpd_nutups_cgi_script_exec_t

This issue is raised in nut but also in all packages that can optionally share content through apache such collectd, cvs, git, etc. What is the proper way of fixing this?

Add support for userdb

Hello,

With the recent versions of systemd, there is a new userdb component added.

libnss-systemd is now trying to connect to a socket located in /run/systemd/userdb/ that meas that any domain (including a user one) that should resolve user/group id might try to connect to it.

There is also an optional daemon running

Fedora policy already has support for this that adds custom types.

StyleGuide: Order of require statements

The style guide does not contain any information about the order (of kinds and names) in require blocks.

Is there a preferred order, should an order be followed, or is it indifferent?

Seems like currently the order for required kinds is mostly (but not completely):

attribute -> attribute_role -> type -> class -> role

p.s.:
My personal favourite order is

bool -> class -> role -> attribute_role -> attribute -> type

login on embedded systems

Hello,

While working on supporting the refpolicy on embedded systems generated using Buildroot, I stumbled upon a login issue where the login system gets blocked from accessing the shadow_t context.

I'm using a serial connexion handled by agetty and the util-linux login program.

The following logs are output when asked for a password :

buildroot login: root
kauditd_printk_skb: 2 callbacks suppressed
audit: type=1400 audit(1611839506.969:51): avc: denied { noatsecure } for pid=76 comm="agetty" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839506.969:51): avc: denied { rlimitinh } for pid=76 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839506.969:51): avc: denied { siginh } for pid=76 comm="login" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:local_login_t tclass=process permissive=0
audit: type=1400 audit(1611839507.069:52): avc: denied { read } for pid=76 comm="login" name="shadow" dev="vda" ino=88 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file permissive=0
Password:

Then, no matter the password entered, the login fails.

One thing to note is that these logs are only output when building with "make enableaudit", so the messages are hidden by a noaudit rule by default.

Since this issue concerns the login process and accessing the shadow file, I'd rather get your opinion on that before trying to come-up with a patch.

Adding "auth_read_shadow(local_login_t)" to the policy allows to login, but this doesn't look like this is the right solution.

I'd therefore like have your inputs in that particular issue,

Thanks a lot,

Maxime

make install-headers always regenerate files

Hello,

Running make install-headers will always regenerate the interface templates

Generating interface templates into tmp/iftemplates

It's a bit annoying as you are usually running this target as root and you will end up with files owned by root in your build directory

base.conf:1394:ERROR 'invalid policy capability name extended_socket_class'

Hi,
I tried to compile refpolicy by 'make conf & make', but I met below errors. I am using the release version refpolicy-2.20210203.tar.bz2, I also tried the latest source code by refpolicy_master.zip. But both of them have this compile issue.
Note, I compile refpolicy in ubunut16.04 and already installed checkpolicy and policycoreutiles . Could you please give me some advices? Thank you in advance.
=============== compile error message=============================================
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:1394:ERROR 'invalid policy capability name extended_socket_class' at token ';' on line 1394:
policycap extended_socket_class;

/usr/bin/checkmodule: error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1

smartctl is not able to update the hard drive database from the network

The current smartmon policy module which targets the smartctl package does not allow the "update-smart-drivedb" script (part of smartctl) to update the hard drive database from the network.

Fixed in the following proposed patches:

d7bd0fc
40919ac

Add support for container runtimes (podman, docker, etc) (or container-selinux support)

Container runtime support is currently missing in refpolicy. An issue was opened at container-selinux to bring the possibility to build it against refpolicy, but doing so presents some problems that need reworking. The idea to make container-selinux compatible with refpolicy was the originally proposed solution, but it may instead be wiser to begin work on a container module in refpolicy itself, as to avoid the many incompatibilities or to avoid rules deemed potentially too permissive in refpolicy, etc.

Either way, I am opening this issue to bring visibility on this, as overall support for container runtimes in refpolicy seems to be reaching high demand.

container-selinux issue: containers/container-selinux#113

Proposal: add an attribute for application execute and transition permissions

With the introduction of systemd user support, access needs to be added to $1_systemd_t for various applications if we want these to be run and transitioned properly. Other applications normally run by users such as window managers may also require such access. Instead of adding calls to myapp_run() for each of these applications, I think an attribute for this kind of access may be more suitable.

Such an attribute, staff_app_runner_domain for example, would have all the necessary access granted by interface calls like chromium_run(), and all that would be needed to ensure some domain has the same access to run applications would be to associate the staff_app_runner_domain to it, such as staff_systemd_t. That way, any application that can normally be run by staff_t can also be run by staff_systemd_t. Of course, explicitly allowing access to staff_t or staff_systemd_t can be used where appropriate.

I feel that this also has the advantage of making local policy development significantly easier to do, as one would not need to call the appropriate interfaces for every application that staff_t can normally run to whatever local policy module is being written. On the contrary, as pointed out in earlier discussion, this may overcomplicate refpolicy somewhat.

I have Suse linux 15.1. I want install refpolicy and selinux, but selinux-ready want program selinux-policy "check_packages: ERR. Package 'selinux-policy' not installed, please run 'zypper in selinux-policy' as root" I don`t have the oficial pakage. Haw I can run selinux? Help me please.

user_u

Good day. I want to turn to society with this problem: I have Suse linux desktop 15.1. I configured SELinux refpolicy standard without UBAC, but I can’t log in user_u.
I did audit2allow several times, then I opened boolean, then I opened all the locks through “ausearch – m avc| grep permissive=0” and “semanage permissive –a system_tmpfiles_t”.
At the moment, no locks through any shows. But when I turn on “setenforce 1” by root (sysadmin_r), I log out and when I try to log into the user (user_u), the screen locks and no errors are displayed. Please help in which direction to move. What is the error search technique?

Confined user dbus instances cannot activate services

This is due to missing service start rules.

check_fc_files: support of '@' character

Currently check_fc_files does not support the character @ in file contexts, like

/usr/lib/systemd/system/getty@\.service --      gen_context(system_u:object_r:getty_unit_t,s0)

# ./testing/check_fc_files.py 
/root/workspace/selinux/selinux-policy-debian/policy/modules/system/getty.fc:8: unexpected characters @ in /usr/lib/systemd/system/getty@\.service

refpolicy/testing/check_fc_files.py

Line 155 in 0bfd138

 invalid_characters = set(re.findall(r'[^-0-9A-Za-z_./()?+*%{}\[\]^|:~\\]', reduced_path)) 

@fishilico any reason not to support it?

spamassassin is not able to update its rules from the network

The current spamassassin policy module does not allow the spamassassin package to update its spam detection rules from the network using the "sa-update" script.

Fixed in the following proposed patches:

2acbe30
d7bd0fc
714531b

Create a custom tag

I follow the wiki tutorial to create a custom tag, but the last tag used by the nginx process is init_t. Can you give me some advice

nginx.zip

Add local.te to refpolicy

I'm building a monolitic refpolicy for an embedded device,
I would like to include a extra "local.te" generated from the AVCs via allow2audit:

cat /var/log/audit/audit.log | audit2allow >> local.te

How do I add it to my monolitic policy ?

Thanks!

Typos in init.te

There are multiple statements refering to initrc_t in the init_systemd block that only handles init_t, are these meant to be for init_t or should they be moved to the initrc_t section ?

https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L327

https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L334

https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.te#L373

acpid_t blocks VM shutdown

I have a Debian 10 libvirt/KVM host with a Debian 10 VM guest, if I run:

sudo virsh shutdown guest

...the guest does not shutdown. If I disable dontaudit's, I see this within the guest's logs:

type=AVC msg=audit(1598187082.086:163): avc:  denied  { getattr } for  pid=583 comm="powerbtn-acpi-s" path="/usr/share/acpi-support/policy-funcs" dev="sda1" ino=2888143 scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

Policy version on Debian/stable is:

ii  selinux-policy-default        2:2.20190201-2               all          Strict and Targeted variants of the SELinux policy

Hello! I configured the policy (refpolicy), included the type unconfined_t on the attribute mcs_constrained_type, but it still does not work (everyone has access to the files, even if they do not have that category.) What can be the reason? I will be very grateful for the advice.

userdom_unpriv_user_template macros is not working

I installed the latest release version of the Refpolicy from DownloadRelease page. And now I have problems using userdom_unpriv_user_template macros. I made a module:

policy_module(userdom, 1.0.0)

userdom_unpriv_user_template(pluff)

And semodule -i userdom.pp gives errors like:
Failed to resolve booleanif statement at ...
Failed to resolve typeattribute statement at ...

This happens because refpolicy doesn't declare necessary attributes, types, and booleans. But why is this so? When I used standard selinux this macros worked fine. What am I doing wrong?

Add a destroy permission for x_server

XFixes 6.1, if accepted by upstream, will allow a client to cause the X Server to terminate. I currently intend to guard this by a x_server manage check, but it should really be x_server destroy. How can I handle this without breaking old policies?

Support custom login programs

Currently, there is no good way for third-party domains to log users in with pam_selinux.so.

Many daemons do not need to write user crontabs

Being able to write user crontabs is enough to execute code as that user.

chrome_sandbox_t sandbox breaks if unprivileged user namespaces are off

Allowing the following AVCs makes it work:

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability dac_override;
allow chrome_sandbox_t self:process setcap;
allow chrome_sandbox_t staff_t:file write;

#============= staff_t ==============
allow staff_t chrome_sandbox_t:process setsched;

Presumably similar rules would be needed for other user domains that can use rtkit.

Syntax error when building with Python 3.8

Hello,
When building refpolicy with Python 3.8, make conf fails with:

python3 -t -t -E -W error support/sedoctool.py -b policy/booleans.conf -m policy/modules.conf -x doc/policy.xml
  File "support/sedoctool.py", line 269
    if desc.data is not '':
       ^
SyntaxError: "is not" with a literal. Did you mean "!="?
make: *** [Makefile:403: conf.intermediate] Error 1

Could you please replace if desc.data is not '': with if desc.data != '': or if desc.data: in support/sedoctool.py?

Reporting a security issue

Who do I report a security vulnerability in the reference policy to?

blank screen with command prompt instead of xdm when started by openrc

this is a replication of:

TL;DR
when xdm is started by OpenRC it additionally wants to

type=AVC msg=audit(1571776002.581:399): avc: denied { chown } for pid=6225 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0
type=AVC msg=audit(1571776002.729:400): avc: denied { chown } for pid=6225 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0

this does not occur if this is run by root: /etc/init.d/xdm start

the bug is fixed when this is allowed: allow xserver_t self:capability chown

I don't know if this can be added to the global policy for xserver:
https://github.com/SELinuxProject/refpolicy/blame/master/policy/modules/services/xserver.te#L636

latest release 2.20190609 missing could not recognize sctp

cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule:  loading policy configuration from base.conf
policy/modules/kernel/ubac.te:2490:ERROR 'unrecognized protocol sctp' at token 'portcon' on line 28914:
portcon sctp 512-1023 system_u:object_r:hi_reserved_port_t
portcon sctp 1024-65535 system_u:object_r:unreserved_port_t
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1

wenhui@wenhui:~/Downloads$ uname -a
Linux wenhui 4.18.0 #1 SMP Sun Aug 25 22:09:08 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux

Access to udev "database"

Hello,

The udev module still references the udev_tbl_t as being stored in /dev, but these days, it's located in /run. That prevents some applications (like pcscd) to work properly.

Red Hat went the way of removing the udev_tbl_t type completely, see fedora-selinux/selinux-policy@382acd84f3

Would that be the road to go as well?

Build error ERROR 'unrecognized protocol sctp' at token 'portcon' on line 29847:

Trying to build refpolicy for debian by setting the following configuration:

diff --git a/build.conf b/build.conf
index a2f1a9b5..08e380aa 100644
--- a/build.conf
+++ b/build.conf
@@ -27,7 +27,7 @@ NAME = refpolicy
 # for the distribution.
 # redhat, gentoo, debian, suse, and rhel4 are current options.
 # Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = debian
 
 # Unknown Permissions Handling
 # The behavior for handling permissions defined in the
@@ -46,7 +46,7 @@ DIRECT_INITRC = n
 
 # Systemd
 # Setting this will configure systemd as the init system.
-SYSTEMD = n
+SYSTEMD = y
 
 # Build monolithic policy.  Putting y here
 # will build a monolithic policy.

make conf && make produce the error

m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy policy/flask/security_classes policy/flask/initial_sids policy/flask/access_vectors policy/context_defaults support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 policy/mls policy/mcs policy/policy_capabilities > tmp/pre_te_files.conf
python3 -t -t -E -W error support/genclassperms.py policy/flask/access_vectors policy/flask/security_classes > tmp/generated_definitions.conf
test -f policy/booleans.conf && gawk -f support/set_bools_tuns.awk policy/booleans.conf >> tmp/generated_definitions.conf || true
m4 -E -E support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 policy/modules/kernel/corecommands.if policy/modules/kernel/corenetwork.if policy/modules/kernel/devices.if policy/modules/kernel/domain.if policy/modules/kernel/files.if policy/modules/kernel/filesystem.if policy/modules/kernel/kernel.if policy/modules/kernel/mcs.if policy/modules/kernel/mls.if policy/modules/kernel/selinux.if policy/modules/kernel/terminal.if policy/modules/kernel/ubac.if policy/modules/services/abrt.if policy/modules/services/accountsd.if policy/modules/admin/acct.if policy/modules/services/acpi.if policy/modules/apps/ada.if policy/modules/services/afs.if policy/modules/services/aiccu.if policy/modules/admin/aide.if policy/modules/services/aisexec.if policy/modules/admin/alsa.if policy/modules/admin/amanda.if policy/modules/services/amavis.if policy/modules/admin/amtu.if policy/modules/admin/anaconda.if policy/modules/services/apache.if policy/modules/services/apcupsd.if policy/modules/system/application.if policy/modules/admin/apt.if policy/modules/services/arpwatch.if policy/modules/services/asterisk.if policy/modules/roles/auditadm.if policy/modules/system/authlogin.if policy/modules/services/automount.if policy/modules/services/avahi.if policy/modules/apps/awstats.if policy/modules/admin/backup.if policy/modules/admin/bacula.if policy/modules/admin/bcfg2.if policy/modules/services/bind.if policy/modules/services/bird.if policy/modules/services/bitlbee.if policy/modules/admin/blueman.if policy/modules/services/bluetooth.if policy/modules/services/boinc.if policy/modules/admin/bootloader.if policy/modules/admin/brctl.if policy/modules/services/bugzilla.if policy/modules/services/cachefilesd.if policy/modules/apps/calamaris.if policy/modules/services/callweaver.if policy/modules/services/canna.if policy/modules/services/ccs.if policy/modules/apps/cdrecord.if policy/modules/services/certmaster.if policy/modules/services/certmonger.if policy/modules/admin/certwatch.if policy/modules/admin/cfengine.if policy/modules/services/cgmanager.if policy/modules/services/cgroup.if policy/modules/admin/chkrootkit.if policy/modules/apps/chromium.if policy/modules/services/chronyd.if policy/modules/services/cipe.if policy/modules/services/clamav.if policy/modules/system/clock.if policy/modules/services/clockspeed.if policy/modules/services/clogd.if policy/modules/services/cmirrord.if policy/modules/services/cobbler.if policy/modules/services/collectd.if policy/modules/services/colord.if policy/modules/services/comsat.if policy/modules/services/condor.if policy/modules/services/consolekit.if policy/modules/admin/consoletype.if policy/modules/services/corosync.if policy/modules/services/couchdb.if policy/modules/services/courier.if policy/modules/services/cpucontrol.if policy/modules/apps/cpufreqselector.if policy/modules/services/cron.if policy/modules/services/ctdb.if policy/modules/services/cups.if policy/modules/services/cvs.if policy/modules/services/cyphesis.if policy/modules/services/cyrus.if policy/modules/system/daemontools.if policy/modules/services/dante.if policy/modules/roles/dbadm.if policy/modules/services/dbskk.if policy/modules/services/dbus.if policy/modules/services/dcc.if policy/modules/services/ddclient.if policy/modules/admin/ddcprobe.if policy/modules/services/denyhosts.if policy/modules/services/devicekit.if policy/modules/services/dhcp.if policy/modules/services/dictd.if policy/modules/services/dirmngr.if policy/modules/services/distcc.if policy/modules/services/djbdns.if policy/modules/services/dkim.if policy/modules/admin/dmesg.if policy/modules/admin/dmidecode.if policy/modules/services/dnsmasq.if policy/modules/services/dnssectrigger.if policy/modules/services/dovecot.if policy/modules/admin/dphysswapfile.if policy/modules/admin/dpkg.if policy/modules/services/drbd.if policy/modules/services/dspam.if policy/modules/services/entropyd.if policy/modules/apps/evolution.if policy/modules/services/exim.if policy/modules/services/fail2ban.if policy/modules/admin/fakehwclock.if policy/modules/services/fcoe.if policy/modules/services/fetchmail.if policy/modules/services/finger.if policy/modules/services/firewalld.if policy/modules/apps/firewallgui.if policy/modules/admin/firstboot.if policy/modules/services/fprintd.if policy/modules/system/fstools.if policy/modules/services/ftp.if policy/modules/apps/games.if policy/modules/services/gatekeeper.if policy/modules/services/gdomap.if policy/modules/services/geoclue.if policy/modules/system/getty.if policy/modules/apps/gift.if policy/modules/services/git.if policy/modules/apps/gitosis.if policy/modules/services/glance.if policy/modules/services/glusterfs.if policy/modules/apps/gnome.if policy/modules/services/gnomeclock.if policy/modules/apps/gpg.if policy/modules/services/gpm.if policy/modules/services/gpsd.if policy/modules/services/gssproxy.if policy/modules/roles/guest.if policy/modules/services/hadoop.if policy/modules/services/hal.if policy/modules/services/hddtemp.if policy/modules/services/hostapd.if policy/modules/system/hostname.if policy/modules/system/hotplug.if policy/modules/services/howl.if policy/modules/admin/hwloc.if policy/modules/services/hypervkvp.if policy/modules/services/i18n_input.if policy/modules/services/icecast.if policy/modules/services/ifplugd.if policy/modules/services/imaze.if policy/modules/services/inetd.if policy/modules/system/init.if policy/modules/services/inn.if policy/modules/services/iodine.if policy/modules/system/ipsec.if policy/modules/system/iptables.if policy/modules/apps/irc.if policy/modules/services/ircd.if policy/modules/services/irqbalance.if policy/modules/system/iscsi.if policy/modules/services/isns.if policy/modules/services/jabber.if policy/modules/apps/java.if policy/modules/services/jockey.if policy/modules/admin/kdump.if policy/modules/admin/kdumpgui.if policy/modules/services/kerberos.if policy/modules/services/kerneloops.if policy/modules/services/keyboardd.if policy/modules/services/keystone.if policy/modules/admin/kismet.if policy/modules/services/ksmtuned.if policy/modules/services/ktalk.if policy/modules/admin/kudzu.if policy/modules/services/l2tp.if policy/modules/services/ldap.if policy/modules/apps/libmtp.if policy/modules/system/libraries.if policy/modules/apps/lightsquid.if policy/modules/services/likewise.if policy/modules/services/lircd.if policy/modules/apps/livecd.if policy/modules/services/lldpad.if policy/modules/apps/loadkeys.if policy/modules/system/locallogin.if policy/modules/apps/lockdev.if policy/modules/roles/logadm.if policy/modules/system/logging.if policy/modules/admin/logrotate.if policy/modules/admin/logwatch.if policy/modules/services/lpd.if policy/modules/services/lsm.if policy/modules/system/lvm.if policy/modules/services/mailman.if policy/modules/services/mailscanner.if policy/modules/apps/man2html.if policy/modules/apps/mandb.if policy/modules/admin/mcelog.if policy/modules/services/mediawiki.if policy/modules/services/memcached.if policy/modules/services/milter.if policy/modules/services/minidlna.if policy/modules/services/minissdpd.if policy/modules/system/miscfiles.if policy/modules/services/modemmanager.if policy/modules/system/modutils.if policy/modules/services/mojomojo.if policy/modules/services/mon.if policy/modules/services/mongodb.if policy/modules/services/monit.if policy/modules/apps/mono.if policy/modules/services/monop.if policy/modules/system/mount.if policy/modules/apps/mozilla.if policy/modules/services/mpd.if policy/modules/apps/mplayer.if policy/modules/admin/mrtg.if policy/modules/services/mta.if policy/modules/services/munin.if policy/modules/services/mysql.if policy/modules/services/nagios.if policy/modules/admin/ncftool.if policy/modules/services/nessus.if policy/modules/system/netlabel.if policy/modules/admin/netutils.if policy/modules/services/networkmanager.if policy/modules/services/nis.if policy/modules/services/nscd.if policy/modules/services/nsd.if policy/modules/services/nslcd.if policy/modules/services/ntop.if policy/modules/services/ntp.if policy/modules/services/numad.if policy/modules/services/nut.if policy/modules/services/nx.if policy/modules/services/oav.if policy/modules/services/obex.if policy/modules/services/oddjob.if policy/modules/services/oident.if policy/modules/services/openca.if policy/modules/services/openct.if policy/modules/services/openhpi.if policy/modules/apps/openoffice.if policy/modules/services/openvpn.if policy/modules/services/openvswitch.if policy/modules/services/pacemaker.if policy/modules/services/pads.if policy/modules/admin/passenger.if policy/modules/system/pcmcia.if policy/modules/services/pcscd.if policy/modules/services/pegasus.if policy/modules/services/perdition.if policy/modules/services/pingd.if policy/modules/services/pkcs.if policy/modules/services/plymouthd.if policy/modules/apps/podsleuth.if policy/modules/services/policykit.if policy/modules/services/polipo.if policy/modules/admin/portage.if policy/modules/services/portmap.if policy/modules/services/portreserve.if policy/modules/services/portslave.if policy/modules/services/postfix.if policy/modules/services/postfixpolicyd.if policy/modules/services/postgresql.if policy/modules/services/postgrey.if policy/modules/services/ppp.if policy/modules/admin/prelink.if policy/modules/services/prelude.if policy/modules/services/privoxy.if policy/modules/services/procmail.if policy/modules/services/psad.if policy/modules/apps/ptchown.if policy/modules/services/publicfile.if policy/modules/apps/pulseaudio.if policy/modules/admin/puppet.if policy/modules/services/pwauth.if policy/modules/services/pxe.if policy/modules/services/pyicqt.if policy/modules/services/pyzor.if policy/modules/apps/qemu.if policy/modules/services/qmail.if policy/modules/services/qpid.if policy/modules/services/quantum.if policy/modules/admin/quota.if policy/modules/services/rabbitmq.if policy/modules/services/radius.if policy/modules/services/radvd.if policy/modules/system/raid.if policy/modules/services/razor.if policy/modules/services/rdisc.if policy/modules/admin/readahead.if policy/modules/services/realmd.if policy/modules/services/redis.if policy/modules/services/remotelogin.if policy/modules/services/resmgr.if policy/modules/services/rgmanager.if policy/modules/services/rhcs.if policy/modules/services/rhgb.if policy/modules/services/rhsmcertd.if policy/modules/services/ricci.if policy/modules/admin/rkhunter.if policy/modules/services/rlogin.if policy/modules/services/rngd.if policy/modules/services/roundup.if policy/modules/services/rpc.if policy/modules/services/rpcbind.if policy/modules/admin/rpm.if policy/modules/services/rshd.if policy/modules/apps/rssh.if policy/modules/services/rsync.if policy/modules/services/rtkit.if policy/modules/services/rwho.if policy/modules/services/samba.if policy/modules/apps/sambagui.if policy/modules/admin/samhain.if policy/modules/services/sanlock.if policy/modules/services/sasl.if policy/modules/admin/sblim.if policy/modules/apps/screen.if policy/modules/roles/secadm.if policy/modules/admin/sectoolm.if policy/modules/system/selinuxutil.if policy/modules/services/sendmail.if policy/modules/services/sensord.if policy/modules/system/setrans.if policy/modules/services/setroubleshoot.if policy/modules/apps/seunshare.if policy/modules/services/shibboleth.if policy/modules/admin/shorewall.if policy/modules/admin/shutdown.if policy/modules/apps/sigrok.if policy/modules/apps/slocate.if policy/modules/services/slpd.if policy/modules/services/slrnpull.if policy/modules/services/smartmon.if policy/modules/services/smokeping.if policy/modules/admin/smoltclient.if policy/modules/services/smstools.if policy/modules/services/snmp.if policy/modules/services/snort.if policy/modules/admin/sosreport.if policy/modules/services/soundserver.if policy/modules/services/spamassassin.if policy/modules/services/speedtouch.if policy/modules/services/squid.if policy/modules/services/ssh.if policy/modules/services/sssd.if policy/modules/roles/staff.if policy/modules/kernel/storage.if policy/modules/services/stubby.if policy/modules/services/stunnel.if policy/modules/admin/su.if policy/modules/admin/sudo.if policy/modules/services/svnserve.if policy/modules/admin/sxid.if policy/modules/apps/syncthing.if policy/modules/roles/sysadm.if policy/modules/system/sysnetwork.if policy/modules/services/sysstat.if policy/modules/system/systemd.if policy/modules/services/systemtap.if policy/modules/admin/tboot.if policy/modules/services/tcpd.if policy/modules/services/tcsd.if policy/modules/apps/telepathy.if policy/modules/services/telnet.if policy/modules/services/tftp.if policy/modules/services/tgtd.if policy/modules/apps/thunderbird.if policy/modules/services/timidity.if policy/modules/admin/tmpreaper.if policy/modules/services/tor.if policy/modules/services/transproxy.if policy/modules/admin/tripwire.if policy/modules/services/tuned.if policy/modules/apps/tvtime.if policy/modules/admin/tzdata.if policy/modules/services/ucspitcp.if policy/modules/system/udev.if policy/modules/services/ulogd.if policy/modules/apps/uml.if policy/modules/system/unconfined.if policy/modules/roles/unprivuser.if policy/modules/admin/updfstab.if policy/modules/services/uptime.if policy/modules/admin/usbmodules.if policy/modules/services/usbmuxd.if policy/modules/system/userdomain.if policy/modules/apps/userhelper.if policy/modules/admin/usermanage.if policy/modules/apps/usernetctl.if policy/modules/services/uucp.if policy/modules/services/uuidd.if policy/modules/services/uwimap.if policy/modules/services/varnishd.if policy/modules/admin/vbetool.if policy/modules/services/vdagent.if policy/modules/services/vhostmd.if policy/modules/services/virt.if policy/modules/apps/vlock.if policy/modules/apps/vmware.if policy/modules/services/vnstatd.if policy/modules/admin/vpn.if policy/modules/services/w3c.if policy/modules/services/watchdog.if policy/modules/services/wdmd.if policy/modules/roles/webadm.if policy/modules/apps/webalizer.if policy/modules/apps/wine.if policy/modules/apps/wireshark.if policy/modules/apps/wm.if policy/modules/system/xdg.if policy/modules/system/xen.if policy/modules/services/xfs.if policy/modules/roles/xguest.if policy/modules/services/xprint.if policy/modules/apps/xscreensaver.if policy/modules/services/xserver.if policy/modules/apps/yam.if policy/modules/services/zabbix.if policy/modules/services/zarafa.if policy/modules/services/zebra.if policy/modules/services/zosremote.if support/iferror.m4 >> tmp/all_interfaces.conf.tmp
sed -e s/dollarsstar/\$\*/g tmp/all_interfaces.conf.tmp >> tmp/all_interfaces.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy -s support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/kernel/corecommands.te policy/modules/kernel/corenetwork.te policy/modules/kernel/devices.te policy/modules/kernel/domain.te policy/modules/kernel/files.te policy/modules/kernel/filesystem.te policy/modules/kernel/kernel.te policy/modules/kernel/mcs.te policy/modules/kernel/mls.te policy/modules/kernel/selinux.te policy/modules/kernel/terminal.te policy/modules/kernel/ubac.te support/fatal_error.m4 > tmp/all_te_files.conf
sed -r -f support/get_type_attr_decl.sed tmp/all_te_files.conf | LC_ALL=C sort > tmp/all_attrs_types.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf policy/global_booleans policy/global_tunables > tmp/global_bools.conf
sed -r -f support/comment_move_decl.sed tmp/all_te_files.conf > tmp/only_te_rules.conf
m4 -E -E -D distro_debian -D init_systemd -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -D self_contained_policy support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4 tmp/generated_definitions.conf policy/users policy/constraints > tmp/post_te_files.conf
cat tmp/post_te_files.conf > tmp/all_post.conf
egrep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^portcon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^netifcon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^nodecon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^ibpkeycon tmp/all_te_files.conf >> tmp/all_post.conf || true
egrep ^ibendportcon tmp/all_te_files.conf >> tmp/all_post.conf || true
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule:  loading policy configuration from base.conf
policy/modules/kernel/ubac.te:2490:ERROR 'unrecognized protocol sctp' at token 'portcon' on line 29847:
portcon sctp 512-1023 system_u:object_r:hi_reserved_port_t
portcon sctp 1024-65535 system_u:object_r:unreserved_port_t
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
Rules.modular:102: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1

Update CPE

The current refpolicy CPE still points to tresys, however this project moved over to selinuxproject. Please add an updated entry to nvm.nist.gov.

dbadm_t and mysqld_initrc_exec_t in conflict

Attempting to load the policy with systemd on gentoo results in errors, failing to generate binary policy file.

Conflicting type rules (scontext=dbadm_t tcontext=mysqld_initrc_exec_t tclass=process result=run_init_t), existing=initrc_t

The following shows the specific build configs:

diff --git a/build.conf b/build.conf
index a2f1a9b5..1e6a61c8 100644
--- a/build.conf
+++ b/build.conf
@@ -20,3 +20,3 @@ TYPE = standard
 # used for the name.
-NAME = refpolicy
+NAME = systemdg
 
@@ -29,3 +29,3 @@ NAME = refpolicy
 # Fedora users should enable redhat.
-#DISTRO = redhat
+DISTRO = gentoo
 
@@ -44,3 +44,3 @@ UNK_PERMS = deny
 # not work in conditional policy.
-DIRECT_INITRC = n
+DIRECT_INITRC = y
 
@@ -48,3 +48,3 @@ DIRECT_INITRC = n
 # Setting this will configure systemd as the init system.
-SYSTEMD = n
+SYSTEMD = y
 
diff --git a/config/local.users b/config/local.users
index 3f5dd1f5..94ea215b 100644
--- a/config/local.users
+++ b/config/local.users
@@ -18,2 +18,3 @@
 # user jadmin roles { staff_r sysadm_r };
+user ilmostro roles { staff_r sysadm_r };

shell pipes can fail, fither use tmp files or use -o pipefail

There is multiple places where pipe is now used with m4.

As per:
#389 (comment)
intermediates are preferred.

After my testmakes below, I think there should be either no shell pipes at all (or at least any that can possibly fail), or there should be .SHELLFLAGS := -c -o -pipefail. Otherwise failures can be hidden.

$ cat testmake
a: m4exit.m4
	m4 $^ | sed -e s/1/2/
b: m4exit.m4
	m4 $^ > tmp1
	sed -e s/1/2/ tmp1

m4exit.m4:
	echo "m4exit(\`1')" > $@
$ cat testmake-pipefail 
.SHELLFLAGS := -c -o pipefail

a: m4exit.m4
	m4 $^ | sed -e s/1/2/
b: m4exit.m4
	m4 $^ > tmp1
	sed -e s/1/2/ tmp1

m4exit.m4:
	echo "m4exit(\`1')" > $@

Now without -o pipefail, using pipe does not fail:

$ make -f testmake -k a b
m4 m4exit.m4 | sed -e s/1/2/
m4 m4exit.m4 > tmp1
make: *** [testmake:6: b] Error 1

With -o pipefail, both examples fail as expected:

$ make -f testmake-pipefail -k a b
m4 m4exit.m4 | sed -e s/1/2/
make: *** [testmake-pipefail:4: a] Error 1
m4 m4exit.m4 > tmp1
make: *** [testmake-pipefail:6: b] Error 1

There is multiple cases where pipe is used.

regarding to m4 at least these:

refpolicy/Makefile

Line 379 in 6c2f4bf

 $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \ 

refpolicy/Makefile

Line 388 in 6c2f4bf

$(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \

refpolicy/Makefile

Line 482 in 6c2f4bf

 $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \ 

refpolicy/Makefile

Line 498 in 6c2f4bf

$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@

refpolicy/Rules.modular

Line 107 in 6c2f4bf

$(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@

refpolicy/Rules.modular

Line 111 in 6c2f4bf

$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \

refpolicy/Rules.monolithic

Line 253 in 6c2f4bf

 $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $(tmpdir)/seusers 

refpolicy/support/Makefile.devel

Line 180 in 6c2f4bf

$(verbose) $(M4) $^ tmp/iferror.m4 | sed -e s/dollarsstar/\$$\*/g >> $@

Other substantial cases:

refpolicy/Makefile

Line 508 in 6c2f4bf

$(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \

refpolicy/Rules.modular

Line 165 in 6c2f4bf

$(verbose) $(get_type_attr_decl) $^ | $(SORT) > $@

I introduced this issue at:
#389

But now I think it should have its own issue and maybe patch set if it is deemed something to be actioned upon as this has to do mostly with correctness and minimally regarding to speedup.

kmod_t and udev_t cannot use tracefs with kernel_lockdown

Hi, I'm encountering errors in the lockdown subsystem where kmod_t and udev_t forbid the use of tracefs. I've been able to skate without rules allowing confidentiality for these types up until last kernel update (Arch hardened x64, 5.10.12) at which point I'm seeing log errors that look like this:

AVC avc: denied {confidentiality} for pid=325 comm=systemd-udevd lockdown reason="use of tracefs" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=lockdown permissive=0

Could not create tracefs "filter" entry Could not create tracefs "id" entry Could not create tracefs "enable" entry

These are showing up practically thousands of times and making it impossible to read the log when it's needed to diagnose problems (after kernel or application panic for instance). Masking tracefs, which one would think prevents it from loading thereby attempts made to use it, doesn't help. If this is the way it is for a reason, can someone please enlighten me as to why, and if not is there anything that can be done?

How can I disable some modules to be built

Earlier there were policy/ modules.conf was there which can be used to prevent a module from being used. Now I don't find this file.

This file contains a listing of available modules, and how they will be used when building Reference Policy. To prevent a module from being used, set the module to"off". For monolithic policies, modules set to "base" and "module" will be included in the policy. For modular policies, modules set to "base"will be included in the base module; those set to "module" will becompiled as individual loadable modules.

PR checks are broken

It seems that this repository underwent a reconfiguration for the Travis checks and now there are two CI checks defined. Both are Travis CI, but one (the newer) is working while the other one (the older) does not. Should the continuous-integration/travis-ci check be decommissioned?

/usr/bin/udevadm        system_u:object_r:udevadm_exec_t:SystemLow
/usr/lib/systemd/systemd-udevd  system_u:object_r:udev_exec_t:SystemLow

	$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
	@test -d $(tmpdir) \|\| mkdir -p $(tmpdir)
	@echo "divert(-1)" > $@
	$(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
	$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
	@echo "divert" >> $@

selinuxproject / refpolicy Goto Github PK

refpolicy's Introduction

refpolicy's People

Contributors

Stargazers

Watchers

Forkers

refpolicy's Issues

Recommend Projects

Recommend Topics

Recommend Org

Jobs