From patchwork Wed Feb 20 19:43:02 2019
X-Patchwork-Submitter: Dominick Grift
X-Patchwork-Id: 10822629
From: Dominick Grift
To: selinux@vger.kernel.org
Cc: Dominick Grift
Subject: [PATCH v4] scripts/selinux: modernize mdp
Date: Wed, 20 Feb 2019 20:43:02 +0100
Message-Id: <20190220194302.2075-1-dominick.grift@defensec.nl>
In-Reply-To: <0190220123354.1589-1-dominick.grift@defensec.nl>
References: <0190220123354.1589-1-dominick.grift@defensec.nl>
X-Mailing-List: selinux@vger.kernel.org

The MDP example no longer works on modern systems.

Add support for devtmpfs. This is required by login programs to relabel terminals.

Compile the policy with deny_unknown allow status to anticipate user space object managers in core components such as systemd.

Add default seusers mapping and failsafe context for the SELinux PAM module.

V2: Fix existing file test for setfiles. Add a file test for checkpolicy similar to the test for setfiles for consistency. Execute setfiles with -F to ensure that customizables are relabeled as well in scenarios where filesystems are labeled but where SELinux is disabled.

V3: Fixes file test that was introduced in V2.

V4: Remove file tests and instead rely on which.

Signed-off-by: Dominick Grift
---
 scripts/selinux/install_policy.sh | 23 +++++++++++++----------
 scripts/selinux/mdp/mdp.c         |  1 +
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
index 0b86c47baf7d..773377838670 100755
--- a/scripts/selinux/install_policy.sh
+++ b/scripts/selinux/install_policy.sh
@@ -6,25 +6,28 @@ if [ `id -u` -ne 0 ]; then fi SF=`which setfiles` if [ $? -eq 1 ]; then - if [ -f /sbin/setfiles ]; then - SF="/usr/setfiles" - else - echo "no selinux tools installed: setfiles" - exit 1 - fi + echo "no selinux tools installed: setfiles" + exit 1 fi cd mdp CP=`which checkpolicy` +if [ $? -eq 1 ]; then + echo "no selinux tools installed: checkpolicy" + exit 1 +fi VERS=`$CP -V | awk '{print $1}'` ./mdp policy.conf file_contexts -$CP -o policy.$VERS policy.conf +$CP -U allow -o policy.$VERS policy.conf mkdir -p /etc/selinux/dummy/policy mkdir -p /etc/selinux/dummy/contexts/files +echo "__default__:user_u" > /etc/selinux/dummy/seusers +echo "base_r:base_t" > /etc/selinux/dummy/contexts/failsafe_context + cp file_contexts /etc/selinux/dummy/contexts/files cp dbus_contexts /etc/selinux/dummy/contexts cp policy.$VERS /etc/selinux/dummy/policy @@ -55,15 +58,15 @@ else fi cd /etc/selinux/dummy/contexts/files -$SF file_contexts / +$SF -F file_contexts / mounts=`cat /proc/$$/mounts | egrep "ext2|ext3|xfs|jfs|ext4|ext4dev|gfs2" | awk '{ print $2 '}` -$SF file_contexts $mounts +$SF -F file_contexts $mounts dodev=`cat /proc/$$/mounts | grep "/dev "` if [ "eq$dodev" != "eq" ]; then mount --move /dev /mnt - $SF file_contexts /dev + $SF -F file_contexts /dev mount --move /mnt /dev fi diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 073fe7537f6c..cf06d5694cbc 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c @@ -131,6 +131,7 @@ int main(int argc, char *argv[]) fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n"); fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n"); + fprintf(fout, "fs_use_trans devtmpfs user_u:base_r:base_t;\n"); fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n"); fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n"); fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
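Review bot: In the first install_policy.sh hunk, the `SF=\`which setfiles\`` / `if [ $? -eq 1 ]` test and the new `CP=\`which checkpolicy\`` test only catch an exit status of exactly 1, so any other failure of `which` (including `which` itself not being installed, which leaves `$?` at 127) falls through and the script goes on to run an empty `$SF` or `$CP`. Testing the variable instead, e.g. `if [ -z "$SF" ]; then`, or using the POSIX builtin with `if ! SF=$(command -v setfiles); then`, covers every failure and removes the dependency on an external `which` that the V4 note introduces; dropping the old fallback is fine, since it tested `/sbin/setfiles` but assigned `/usr/setfiles`. On the same hunk, `$CP -U allow -o policy.$VERS policy.conf` makes the kernel allow every class or permission the policy does not declare instead of denying it, which is the stated intent for this dummy policy, but it deserves a one-line comment in the script so nobody copies install_policy.sh as a template for a real policy without noticing it.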
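Review bot: In the second install_policy.sh hunk, the three `-F` additions switch setfiles from changing only the type of non-customizable files to resetting user, role, range and type on everything under `/`, the listed mounts and `/dev`, which is what the V2 note wants when filesystems were labeled with SELinux disabled, but it also discards customizable-type labels on a system that is already labeled; a short comment above `$SF -F file_contexts /` saying so would save the next reader a trip to setfiles(8). The unchanged `mounts=` line between the two `-F` lines has a misplaced quote, `awk '{ print $2 '}`, which only works because the shell concatenates the unquoted `}` onto the program; `awk '{ print $2 }'` is what was meant, and since `$mounts` is then expanded unquoted, a mount point containing whitespace would be split into two arguments to setfiles.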
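Review bot: Style point on the mdp.c hunk: the new `fprintf(fout, "fs_use_trans devtmpfs user_u:base_r:base_t;\n");` line is one more copy in a run of identical fprintf calls that differ only in the filesystem name; a static array of names walked in a loop would make the next addition a single string rather than a copied line. The entry itself is correct: fs_use_trans is how the neighbouring pseudo-filesystems (devpts, tmpfs, hugetlbfs) are handled here, and it gives device nodes created by the kernel a policy context at creation time, which is what the commit message's terminal relabeling by login programs relies on.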