Gentoo Forums
[SELinux] kernel 5.4.x: No support for "watch"
deagol
n00b
Joined: 12 Jul 2014
Posts: 61

Posted: Sun Dec 08, 2019 3:20 pm    Post subject: [SELinux] kernel 5.4.x: No support for "watch"

After updating my kernel from 5.3 to 5.4 I had suspicious messages in my log. (I tried it last week with sys-kernel/gentoo-sources-5.4.0 and backed out due to the issue. Today I tried it again with sys-kernel/gentoo-sources-5.4.2.)

It's primarily this one on the system I used for testing:
Code:
Dec  8 14:49:01 web kernel: audit: type=1400 audit(1575812941.870:2069): avc:  denied  { watch } for  pid=2826 comm="crond" path="/var/spool/cron/crontabs" dev="sda3" ino=2539899 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:cron_spool_t tclass=dir permissive=0

It quickly became clear that Linux 5.4 added new capabilities for SELinux to also control file system notifications (fanotify, inotify, dnotify), and that my policy does not know about them.
I did not test it, but it looks like cron won't notice if someone updates a cron file until it's restarted...
And it looks like this could cause some hard-to-spot problems for other programs, too. So I tried to find a way to either update the security policies to a compatible version or find some way to allow all of the new "watch" violations until a new security policy is available.

I first tried audit2allow to get the desired policy updates. But that failed:
Code:
web ~ # grep watch /var/log/avc.log | head -1 | audit2allow
libsepol.sepol_string_to_av_perm: could not convert watch to av bit


web ~ #
I then updated all policies, first to "2.20190201-r1" and, after that did not help, to "9999". (Normally the system uses stable, with only the kernel on ~amd64.) In the end I used this in /etc/portage/package.keywords:
Code:
sys-apps/checkpolicy **
sys-libs/libsemanage **
sys-libs/libsepol **
sys-libs/libselinux **
sec-policy/selinux-apache **
sec-policy/selinux-apm **
sec-policy/selinux-base **
sec-policy/selinux-base-policy **
sec-policy/selinux-dirmngr **
sec-policy/selinux-git **
sec-policy/selinux-gpg **
sec-policy/selinux-kerberos **
sec-policy/selinux-logrotate **
sec-policy/selinux-mandb **
sec-policy/selinux-mysql **
sec-policy/selinux-ntp **
sec-policy/selinux-openrc **
sec-policy/selinux-phpfpm **
sec-policy/selinux-rngd **
sec-policy/selinux-rpc **
sec-policy/selinux-samba **
sec-policy/selinux-screen **
sec-policy/selinux-shutdown **
sec-policy/selinux-sudo **
sys-apps/selinux-python **

But this did not change anything... I still had the "denies" for watch in the log, and audit2allow was still unable to handle it. I nevertheless tried to add it to selocal:
Code:
web ~ # selocal -a "allow crond_t cron_spool_t:dir watch;" -c "Kernel 5.4 Fix #1"
web ~ # selocal -b
~/.selocal ~
## Building selocal.pp (in ~/.selocal):
# make -f /usr/share/selinux/strict/include/Makefile selocal.pp
Compiling strict selocal module
selocal.te:138:ERROR 'permission watch is not defined for class dir' at token ';' on line 1517:
allow crond_t cron_spool_t:dir watch; # Kernel 5.4 Fix #1
allow phpfpm_t pop_port_t:tcp_socket name_connect; # FPM Fix #17
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/strict/include/Makefile:166: tmp/selocal.mod] Error 1
~
web ~ #

Now the funny thing is, checkpolicy told me on install that it can handle up to policy version 32:
Code:
 * This checkpolicy can compile version 32 policy.

But my kernel still claims to be only policy version 31 - the same as kernel 5.3:
Code:
web ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      31

I'm probably just missing something simple; my SELinux skills are a bit rusty... But it kind of looks like the policy version should have been bumped and the user space tools are not ready to handle "watch" yet...

As a "last resort" solution I've now just undone commit ac5656d8a4cd ("fanotify, inotify, dnotify, security: add security hook for fs notifications") from the kernel, which finally seems to have the desired effect.
But what is the "correct" solution for that?
deagol
n00b
Joined: 12 Jul 2014
Posts: 61

Posted: Mon Dec 16, 2019 11:46 am

I've now asked upstream for help and got the pointer I was missing: link

The problem is only Gentoo's default policy to deny any unknown policy requests. We can simply change the setting until the policies and the user space have caught up.
Assuming Gentoo default settings, the following should do the trick:
Code:
echo "handle-unknown = allow" >> /etc/selinux/semanage.conf; semodule -B

sestatus can be used to confirm it worked:
Code:
# sestatus | grep deny_unknown
Policy deny_unknown status:     allowed


All users of SELinux in enforcing mode running a kernel >= 5.4.0 will need that setting for the foreseeable future, I believe.
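As an added example (not code from this thread, from audit2allow, or from any Gentoo tool), the following Python script does by hand what these two posts walk through: it parses AVC denial records, checks whether the denied permission is defined for the object class in the loaded policy's class declarations, and shows what the kernel's deny_unknown setting does to denials on a permission the policy does not define. The class declarations and log lines are constructed samples modelled on the ones quoted in the thread.

```python
"""Triage SELinux AVC denials against the permissions the loaded policy defines.

Added example, not code from the forum thread, audit2allow or any Gentoo tool.
It shows the two things the thread turns on: the AVC parsing audit2allow does
for you, and the check audit2allow could not make for 'watch' (whether the
denied permission is defined for the class at all). Denials on a permission
the policy does not define are decided by the kernel's deny_unknown setting,
not by any allow rule.
"""
import re
from collections import defaultdict

# Constructed sample of class declarations, in the form audit2allow prints
# them (compare the personalPolicy.te excerpt in the thread), for a policy
# that does NOT yet know about 'watch'.
OLD_POLICY_CLASSES = """
class dir { add_name create getattr map mounton open read relabelfrom relabelto remove_name rename reparent rmdir search setattr write };
class file { append create execute getattr ioctl link lock map open read rename setattr unlink write };
class tcp_socket { name_connect };
"""

# Constructed sample AVC records in the two formats seen in the thread:
# syslog 'audit: type=1400 ...' and /var/log/audit/audit.log 'type=AVC ...'.
SAMPLE_AVC_LINES = """
Dec  8 14:49:01 web kernel: audit: type=1400 audit(1575812941.870:2069): avc:  denied  { watch } for  pid=2826 comm="crond" path="/var/spool/cron/crontabs" dev="sda3" ino=2539899 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:cron_spool_t tclass=dir permissive=0
type=AVC msg=audit(1583748767.566:7056): avc: denied { watch } for pid=5922 comm="gmain" path="/usr" dev="dm-1" ino=261 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:usr_t tclass=dir permissive=0
type=AVC msg=audit(1583748800.100:7090): avc: denied { name_connect } for pid=3101 comm="php-fpm" scontext=system_u:system_r:phpfpm_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket permissive=0
"""

CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s*\{([^}]*)\}", re.MULTILINE)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_class_perms(policy_text):
    """Map each object class to the set of permissions the policy defines for it."""
    return {cls: set(perms.split()) for cls, perms in CLASS_RE.findall(policy_text)}


def parse_avc(text):
    """Yield (source type, target type, class, permissions) for every AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A security context is user:role:type[:mls]; the type is field 2.
        stype = m["scontext"].split(":")[2]
        ttype = m["tcontext"].split(":")[2]
        yield stype, ttype, m["tclass"], m["perms"].split()


def triage(avc_text, class_perms, deny_unknown="denied"):
    """Split denials into allow rules the policy can express and denials on
    permissions the policy does not define.

    deny_unknown mirrors 'Policy deny_unknown status' from sestatus: for a
    permission the kernel knows but the policy does not, 'denied' refuses
    it and 'allowed' (handle-unknown = allow in semanage.conf) permits it.
    """
    known = defaultdict(set)
    unknown = []
    for stype, ttype, tclass, perms in parse_avc(avc_text):
        for perm in perms:
            if perm in class_perms.get(tclass, set()):
                known[(stype, ttype, tclass)].add(perm)
            else:
                outcome = "denied" if deny_unknown == "denied" else "allowed"
                unknown.append(f"{stype} {ttype}:{tclass} {perm} -> {outcome} by deny_unknown={deny_unknown}")
    rules = []
    # Group like audit2allow: one rule per (source, target, class), perms merged.
    for (stype, ttype, tclass), perms in sorted(known.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules, unknown


if __name__ == "__main__":
    rules, unknown = triage(SAMPLE_AVC_LINES, parse_class_perms(OLD_POLICY_CLASSES))
    print("# rules this policy can express (what audit2allow would emit):")
    print("\n".join(rules))
    print("# permissions this policy does not define (audit2allow cannot emit these):")
    print("\n".join(unknown))
```

Feeding the same denials a class declaration that includes watch (the state after the policy update in the later posts) turns them into ordinary allow rules and empties the unknown list.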
papas
Tux's lil' helper
Joined: 01 Dec 2014
Posts: 141
Location: Athens

Posted: Sun Dec 22, 2019 9:48 am

On my system, after upgrading selinux-base and selinux-base-policy to -9999, it seems to recognize the "watch" permission. I used audit2allow to create a policy and I think it is working.
Code:
master@gentoo ~ $ cat  personalPolicy.te | grep watch
        class file { append create execmod execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
        class dir { add_name create getattr map mounton open read relabelfrom relabelto remove_name rename reparent rmdir search setattr watch write };
        class lnk_file { create getattr read relabelto rename setattr unlink watch };
        class blk_file { getattr ioctl lock open read watch };
allow chromium_t etc_t:dir watch;
allow chromium_t locale_t:dir watch;
allow chromium_t root_t:dir watch;
allow crond_t cron_spool_t:dir watch;
allow crond_t system_cron_spool_t:dir watch;
allow crond_t system_cron_spool_t:file watch;
allow devicekit_disk_t etc_t:dir watch;
allow devicekit_disk_t mount_runtime_t:dir watch;
allow devicekit_disk_t mount_runtime_t:file { unlink watch watch_reads };
allow dirmngr_t user_tmp_t:dir watch;
allow getty_t getty_runtime_t:file watch;
allow gpg_agent_t portage_tmp_t:dir { add_name create getattr read search setattr watch write };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow gpg_agent_t user_tmp_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow java_t lib_t:dir { add_name remove_name watch write };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow java_t user_home_dir_t:dir { create rmdir setattr watch };
allow java_t user_home_t:dir watch;
allow java_t usr_t:dir { add_name remove_name setattr watch write };
allow java_t xdg_cache_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow mozilla_t device_t:dir watch;
allow mozilla_t etc_t:dir watch;
allow mozilla_t gnome_xdg_config_t:dir watch;
allow mozilla_t locale_t:dir watch;
allow mozilla_t mozilla_tmp_t:file watch;
allow mozilla_t root_t:dir watch;
allow mozilla_t user_home_dir_t:dir watch;
allow mozilla_t user_home_t:dir watch;
allow mozilla_t usr_t:dir watch;
allow mozilla_t xdg_config_t:dir watch;
allow mozilla_t xdg_data_t:dir watch;
allow policykit_t consolekit_var_run_t:dir watch;
allow policykit_t etc_t:dir watch;
allow policykit_t init_runtime_t:dir { read watch };
allow policykit_t usr_t:dir watch;
allow portage_fetch_t portage_tmp_t:dir watch;
allow portage_fetch_t user_runtime_t:dir { add_name create getattr read remove_name search watch write };
allow pulseaudio_t device_t:dir watch;
allow pulseaudio_t init_runtime_t:dir { read watch };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_dbusd_t accountsd_var_lib_t:file watch;
allow staff_dbusd_t dbusd_etc_t:dir watch;
allow staff_dbusd_t etc_t:file watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_dbusd_t usr_t:dir watch;
allow staff_dbusd_t usr_t:file watch;
allow staff_dbusd_t xdg_config_t:dir { open watch };
allow staff_dbusd_t xdg_config_t:file watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_dbusd_t xdg_data_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t accountsd_var_lib_t:file watch;
allow staff_t bin_t:dir watch;
allow staff_t dosfs_t:dir watch;
allow staff_t etc_t:dir watch;
allow staff_t etc_t:file { link relabelfrom watch };
allow staff_t etc_t:lnk_file watch;
allow staff_t exports_t:file watch;
allow staff_t fonts_t:dir { map setattr watch };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t home_root_t:dir watch;
allow staff_t lib_t:dir watch;
allow staff_t locale_t:dir { setattr watch };
allow staff_t locale_t:file watch;
allow staff_t portage_tmp_t:dir { map watch };
allow staff_t root_t:dir watch;
allow staff_t self:file watch;
allow staff_t selinux_config_t:file { relabelto watch };
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t user_home_dir_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t user_home_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t user_home_t:file watch;
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t usr_t:dir watch;
allow staff_t usr_t:file { append watch };
allow staff_t xdg_cache_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_cache_t:file watch;
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_config_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_config_t:file watch;
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_data_t:dir watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow staff_t xdg_data_t:file watch;
allow staff_t xdg_downloads_t:dir watch;
allow staff_t xdg_downloads_t:file watch;
allow staff_t xdg_pictures_t:dir watch;
allow sysadm_t device_t:dir watch;
allow system_dbusd_t dbusd_etc_t:dir watch;
allow system_dbusd_t usr_t:dir { add_name create remove_name watch write };
allow udev_t fixed_disk_device_t:blk_file watch;
#       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
#       constrain file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED
allow xdm_t dbusd_etc_t:dir watch;
allow xdm_t etc_t:file watch;
allow xdm_t usr_t:dir watch;
allow xdm_t usr_t:file watch;
allow xdm_t xkb_var_lib_t:dir watch;

As for the
Code:
Max kernel policy version:      31

I think the kernel guys haven't "merged" it yet.
My security.h (5.4.6) against the live source:
Code:
master@gentoo ~ $ diff -y security.h /usr/src/linux/security/selinux/include/security.h
/* SPDX-License-Identifier: GPL-2.0 */                          /* SPDX-License-Identifier: GPL-2.0 */
/*                                                              /*
 * Security server interface.                                    * Security server interface.
 *                                                               *
 * Author : Stephen Smalley, <sds@tycho.nsa.gov>                 * Author : Stephen Smalley, <sds@tycho.nsa.gov>
 *                                                               *
 */                                                              */

#ifndef _SELINUX_SECURITY_H_                                    #ifndef _SELINUX_SECURITY_H_
#define _SELINUX_SECURITY_H_                                    #define _SELINUX_SECURITY_H_

#include <linux/compiler.h>                                     #include <linux/compiler.h>
#include <linux/dcache.h>                                       #include <linux/dcache.h>
#include <linux/magic.h>                                        #include <linux/magic.h>
#include <linux/types.h>                                        #include <linux/types.h>
#include <linux/refcount.h>                                     #include <linux/refcount.h>
#include <linux/workqueue.h>                                    #include <linux/workqueue.h>
#include "flask.h"                                              #include "flask.h"

#define SECSID_NULL                     0x00000000 /* unspeci   #define SECSID_NULL                     0x00000000 /* unspeci
#define SECSID_WILD                     0xffffffff /* wildcar   #define SECSID_WILD                     0xffffffff /* wildcar
#define SECCLASS_NULL                   0x0000 /* no class */   #define SECCLASS_NULL                   0x0000 /* no class */

/* Identify specific policy version changes */                  /* Identify specific policy version changes */
#define POLICYDB_VERSION_BASE           15                      #define POLICYDB_VERSION_BASE           15
#define POLICYDB_VERSION_BOOL           16                      #define POLICYDB_VERSION_BOOL           16
#define POLICYDB_VERSION_IPV6           17                      #define POLICYDB_VERSION_IPV6           17
#define POLICYDB_VERSION_NLCLASS        18                      #define POLICYDB_VERSION_NLCLASS        18
#define POLICYDB_VERSION_VALIDATETRANS  19                      #define POLICYDB_VERSION_VALIDATETRANS  19
#define POLICYDB_VERSION_MLS            19                      #define POLICYDB_VERSION_MLS            19
#define POLICYDB_VERSION_AVTAB          20                      #define POLICYDB_VERSION_AVTAB          20
#define POLICYDB_VERSION_RANGETRANS     21                      #define POLICYDB_VERSION_RANGETRANS     21
#define POLICYDB_VERSION_POLCAP         22                      #define POLICYDB_VERSION_POLCAP         22
#define POLICYDB_VERSION_PERMISSIVE     23                      #define POLICYDB_VERSION_PERMISSIVE     23
#define POLICYDB_VERSION_BOUNDARY       24                      #define POLICYDB_VERSION_BOUNDARY       24
#define POLICYDB_VERSION_FILENAME_TRANS 25                      #define POLICYDB_VERSION_FILENAME_TRANS 25
#define POLICYDB_VERSION_ROLETRANS      26                      #define POLICYDB_VERSION_ROLETRANS      26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS    27              #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS    27
#define POLICYDB_VERSION_DEFAULT_TYPE   28                      #define POLICYDB_VERSION_DEFAULT_TYPE   28
#define POLICYDB_VERSION_CONSTRAINT_NAMES       29              #define POLICYDB_VERSION_CONSTRAINT_NAMES       29
#define POLICYDB_VERSION_XPERMS_IOCTL   30                      #define POLICYDB_VERSION_XPERMS_IOCTL   30
#define POLICYDB_VERSION_INFINIBAND             31              #define POLICYDB_VERSION_INFINIBAND             31
#define POLICYDB_VERSION_GLBLUB         32                    <

/* Range of policy versions we understand*/                     /* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE            #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_GLBLUB        | #define POLICYDB_VERSION_MAX   POLICYDB_VERSION_INFINIBAND



https://github.com/torvalds/linux/blob/master/security/selinux/include/security.h
y351
Apprentice
Joined: 21 May 2017
Posts: 195

Posted: Mon Mar 09, 2020 10:22 am

Hi,

I ran into some trouble with a watch message that I found suspect...
Kernel: 5.5.7-gentoo

From the logs in /var/log/audit/audit.log:
Quote:

type=AVC msg=audit(1583748767.566:7056): avc: denied { watch } for pid=5922 comm="gmain" path="/usr" dev="dm-1" ino=261 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:usr_t tclass=dir permissive=0
type=AVC msg=audit(1583748755.566:7031): avc: denied { watch } for pid=5922 comm="gmain" path="/usr/local/share/applications" dev="dm-1" ino=259225 scontext=staff_u:staff_r:mozilla_t tcontext=system_u:object_r:usr_t tclass=dir permissive=0


Quote:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: strict
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: disabled
Policy deny_unknown status: allowed
Memory protection checking: requested (insecure)



Here is the policy that I should apply to avoid these "denied" messages, although I don't know why...

Quote:

require {
type user_home_dir_t;
type lib_t;
type staff_t;
type locale_t;
type xdg_data_t;
type user_home_t;
type gpg_agent_t;
type cifs_t;
type xdg_config_t;
type etc_t;
type user_tmp_t;
type mail_home_rw_t;
type mutt_t;
type mozilla_t;
type gpg_secret_t;
type usr_t;
class dir watch;
class file watch;
}

#============= gpg_agent_t ==============
allow gpg_agent_t gpg_secret_t:dir watch;
allow gpg_agent_t user_tmp_t:dir watch;

#============= mozilla_t ==============
allow mozilla_t etc_t:dir watch;
allow mozilla_t usr_t:dir watch;
allow mozilla_t xdg_config_t:dir watch;
allow mozilla_t xdg_data_t:dir watch;

#============= mutt_t ==============
allow mutt_t mail_home_rw_t:dir watch;

#============= staff_t ==============
allow staff_t cifs_t:file watch;
allow staff_t etc_t:dir watch;
allow staff_t lib_t:dir watch;
allow staff_t locale_t:file watch;
allow staff_t user_home_dir_t:dir watch;
allow staff_t user_home_t:dir watch;
allow staff_t usr_t:dir watch;
allow staff_t xdg_data_t:dir watch;