authorDave Sugar <dsugar100@gmail.com>2024-03-08 10:16:32 -0500
committerKenton Groombridge <concord@gentoo.org>2024-05-14 13:40:39 -0400
commit8090af0848467371c0d416e0e5d46583d743e4f6 (patch)
tree1fb0c8609662b2105ea0abc2841f1e8968211c2e
parentSetup domain for dbus selinux interface (diff)
downloadhardened-refpolicy-8090af0848467371c0d416e0e5d46583d743e4f6.tar.gz
hardened-refpolicy-8090af0848467371c0d416e0e5d46583d743e4f6.tar.bz2
hardened-refpolicy-8090af0848467371c0d416e0e5d46583d743e4f6.zip
Update SOS report to work on RHEL9
binary is now /usr/sbin/sos Cleanup "invalid security context" type errors Allow read/write user ptty node=destination type=AVC msg=audit(1709914012.455:7495): avc: denied { read write } for pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 node=destination type=AVC msg=audit(1709914012.527:7512): avc: denied { ioctl } for pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 node=destination type=AVC msg=audit(1709928066.892:80267): avc: denied { create } for pid=3998 comm="mkfifo" name="systemd-cat" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928066.893:80269): avc: denied { write } for pid=3968 comm="dracut" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928066.893:80269): avc: denied { open } for pid=3968 comm="dracut" path="/var/tmp/dracut.GUBZQZ/systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928066.893:80281): avc: denied { read } for pid=3999 comm="dracut" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928068.848:94243): avc: denied { unlink } for pid=4049 comm="rm" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928080.775:126505): avc: 
denied { create } for pid=2229 comm="sos" name="lvmpolld.socket" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=sock_file permissive=1 node=destination type=AVC msg=audit(1709928080.775:126510): avc: denied { setattr } for pid=2229 comm="sos" name="lvmpolld.socket" dev="dm-3" ino=138652 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=sock_file permissive=1 Allow sosreport to read SELinux booleans node=destination type=AVC msg=audit(1709931730.500:181982): avc: denied { read } for pid=6578 comm="sestatus" name="aide_mmap_files" dev="selinuxfs" ino=33554432 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:boolean_t:s0 tclass=file permissive=1 node=destination type=AVC msg=audit(1709931730.500:181982): avc: denied { open } for pid=6578 comm="sestatus" path="/sys/fs/selinux/booleans/aide_mmap_files" dev="selinuxfs" ino=33554432 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:boolean_t:s0 tclass=file permissive=1 Allow sosreport dbus send_msg node=destination type=USER_AVC msg=audit(1709931682.344:10950): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931707.581:103764): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? 
terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931711.203:109364): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker node=destination type=USER_AVC msg=audit(1709931713.737:118226): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931741.992:218433): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931735.870:210757): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931742.051:218502): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? 
terminal=?'UID="dbus" AUID="unset" SAUID="dbus" Allow sosreport to get status of all units node=destination type=USER_AVC msg=audit(1709951886.954:202544): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dm-event.socket" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:lvm_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root" node=destination type=USER_AVC msg=audit(1709951886.994:202604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dnf-makecache.timer" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:rpm_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root" node=destination type=USER_AVC msg=audit(1709951860.321:103971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/fwupd.service" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? 
terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root" node=destination type=USER_AVC msg=audit(1709951889.117:209277): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-rfkill.service" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_rfkill_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root" Allow sosreport to map some files node=destination type=AVC msg=audit(1709951889.013:209184): avc: denied { map } for pid=6932 comm="lsusb" path="/etc/udev/hwdb.bin" dev="dm-0" ino=1180591 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1 node=destination type=AVC msg=audit(1709951850.662:58892): avc: denied { map } for pid=3814 comm="journalctl" path="/var/log/journal/4fa8dbda531a499cb4bdf065a9b23471/user-1000@db7a3287b7234e07b839915b69371deb-000000000000110a-0006133115ceaa6d.journal" dev="dm-6" ino=262149 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Access SELinux stuff node=destination type=AVC msg=audit(1709951851.398:60712): avc: denied { compute_av } for pid=3902 comm="crontab" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 node=destination type=AVC msg=audit(1709951864.926:110932): avc: denied { map } for pid=5345 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 node=destination type=AVC msg=audit(1709951883.687:182874): avc: denied { check_context } for pid=6675 comm="selinuxdefcon" scontext=admin_u:staff_r:sosreport_t:s0 
tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 node=destination type=AVC msg=audit(1709951883.763:183087): avc: denied { compute_create } for pid=6696 comm="selinuxexeccon" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 node=destination type=AVC msg=audit(1709951883.946:183609): avc: denied { map } for pid=6715 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 node=destination type=AVC msg=audit(1709951884.669:188960): avc: denied { read_policy } for pid=6703 comm="semanage" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 Signed-off-by: Dave Sugar <dsugar100@gmail.com> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/admin/sosreport.fc1
-rw-r--r--policy/modules/admin/sosreport.te47
2 files changed, 43 insertions, 5 deletions
diff --git a/policy/modules/admin/sosreport.fc b/policy/modules/admin/sosreport.fc
index d445530f..9958cde0 100644
--- a/policy/modules/admin/sosreport.fc
+++ b/policy/modules/admin/sosreport.fc
@@ -1,5 +1,6 @@
/usr/bin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+/usr/sbin/sos -- gen_context(system_u:object_r:sosreport_exec_t,s0)
/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
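Review bot: The added `/usr/sbin/sos` entry on line 31 labels only the sbin path, whereas the two existing sosreport entries cover both `/usr/bin` and `/usr/sbin`; if a build also installs `sos` under `/usr/bin`, that copy keeps the default `bin_t` label, no transition to sosreport_t occurs, and the tool runs in the caller's domain with none of this module's rules (and none of its confinement) applied. Whether a `/usr/bin/sos` exists on the RHEL9 target cannot be confirmed from this diff, so this is a question for the author rather than a confirmed defect. If the project's .fc style permits it, one pattern would cover all four paths and replace the three per-path lines: `/usr/(s)?bin/sos(report)? -- gen_context(system_u:object_r:sosreport_exec_t,s0)`.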
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
index 1eb06003..fa3168a6 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
@@ -39,8 +39,10 @@ allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_fifo_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_sock_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
@@ -91,10 +93,17 @@ files_read_kernel_modules(sosreport_t)
files_read_all_symlinks(sosreport_t)
files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
+files_map_usr_files(sosreport_t)
fs_getattr_all_fs(sosreport_t)
fs_list_inotifyfs(sosreport_t)
+selinux_compute_access_vector(sosreport_t)
+selinux_compute_create_context(sosreport_t)
+selinux_get_all_booleans(sosreport_t)
+selinux_read_policy(sosreport_t)
+selinux_validate_context(sosreport_t)
+
storage_dontaudit_read_fixed_disk(sosreport_t)
storage_dontaudit_read_removable_device(sosreport_t)
@@ -102,9 +111,11 @@ term_use_generic_ptys(sosreport_t)
auth_use_nsswitch(sosreport_t)
+init_get_all_units_status(sosreport_t)
+init_dbus_chat(sosreport_t)
init_domtrans_script(sosreport_t)
-libs_domtrans_ldconfig(sosreport_t)
+libs_run_ldconfig(sosreport_t, sosreport_roles)
logging_read_all_logs(sosreport_t)
logging_send_syslog_msg(sosreport_t)
@@ -113,6 +124,8 @@ miscfiles_read_localization(sosreport_t)
modutils_read_module_deps(sosreport_t)
+userdom_use_inherited_user_terminals(sosreport_t)
+
optional_policy(`
abrt_manage_runtime_files(sosreport_t)
abrt_manage_cache(sosreport_t)
@@ -124,11 +137,20 @@ optional_policy(`
')
optional_policy(`
+ devicekit_dbus_chat(sosreport_t)
+ devicekit_dbus_chat_disk(sosreport_t)
+')
+
+optional_policy(`
dmesg_domtrans(sosreport_t)
')
optional_policy(`
- fstools_domtrans(sosreport_t)
+ firewalld_dbus_chat(sosreport_t)
+')
+
+optional_policy(`
+ fstools_run(sosreport_t, sosreport_roles)
')
optional_policy(`
@@ -140,11 +162,19 @@ optional_policy(`
')
optional_policy(`
- lvm_domtrans(sosreport_t)
+ lvm_run(sosreport_t, sosreport_roles)
')
optional_policy(`
- mount_domtrans(sosreport_t)
+ mount_run(sosreport_t, sosreport_roles)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(sosreport_t)
+')
+
+optional_policy(`
+ ntp_dbus_chat(sosreport_t)
')
optional_policy(`
@@ -158,7 +188,14 @@ optional_policy(`
')
optional_policy(`
- setroubleshoot_signull(sosreport_t)
+ setroubleshoot_signull(sosreport_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_hostnamed(sosreport_t)
+ systemd_dbus_chat_logind(sosreport_t)
+ systemd_map_hwdb(sosreport_t)
+ systemd_read_journal_files(sosreport_t)
')
optional_policy(`