commit 60ae66d7478bd6c944442377274a3a365d0861bb
Author: Lukas Berk <lberk@redhat.com>
Date: Fri Nov 24 10:24:44 2017 -0500
selinux: quick README update for tl:dr instructions
selinux: rhbz1515928 allow nfsd_fs_t accesses (file/dir)
Add to policy file, update testcase 917
build: selinux - directly test existence of semodule -X option
Instead of guessing, based on distro, if the semodule command adjusts
for priority, we now directly test and decide what command to issue
based on the output.
rpms: selinux - don't install policy file if selinux isn't active
Added a runtime check to see, even if the system has the proper
packages for selinux, if it's enabled on the system. For example;
containers, may have selinux packages to install, but it's not enabled
by default.
selinux: RHBZ1517656
Add three type enforcement context allowance lines
update qa, config bits for conditional context
selinux: RHBZ1517862 postfix context access addition
add context access for postfix_spool_t dir read's
update testcase
selinux: rhbz1517655 add missing file:map access
Added a single missing class capability for file's accessing maps
adjust qa and configure scripts accordingly to check
diff --git a/configure b/configure
index d39b76e59..f8dceca28 100755
--- a/configure
+++ b/configure
@@ -708,6 +708,8 @@ fmt_uint64
fmt_int64
fmt_pid
rdynamic_flag
+pcp_selinux_hostname_exec_map
+pcp_selinux_sock_file_getattr
pcp_selinux_tracefs
pcp_selinux_unreserved_port
pcp_selinux_systemd_exec
@@ -951,7 +953,6 @@ infodir
docdir
oldincludedir
includedir
-runstatedir
localstatedir
sharedstatedir
sysconfdir
@@ -1098,7 +1099,6 @@ datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE}'
@@ -1351,15 +1351,6 @@ do
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
- -runstatedir | --runstatedir | --runstatedi | --runstated \
- | --runstate | --runstat | --runsta | --runst | --runs \
- | --run | --ru | --r)
- ac_prev=runstatedir ;;
- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
- | --run=* | --ru=* | --r=*)
- runstatedir=$ac_optarg ;;
-
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1497,7 +1488,7 @@ fi
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir runstatedir
+ libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@@ -1650,7 +1641,6 @@ Fine tuning of the installation directories:
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -11800,6 +11790,8 @@ pcp_selinux_systemd_unit_file=false
pcp_selinux_systemd_exec=false
pcp_selinux_tracefs=false
pcp_selinux_unreserved_port=false
+pcp_selinux_sock_file_getattr=false
+pcp_selinux_hostname_exec_map=false
if test "x$enable_selinux" != "xfalse"; then :
for policy_file in /etc/selinux/targeted/policy/policy.*
@@ -11856,6 +11848,17 @@ do
then
pcp_selinux_tracefs=true
fi
+ sock_file_getattr=`eval seinfo -x --class=sock_file -- $policy_file | grep getattr | awk '{ print $1 }'`
+ if test "x$sock_file_getattr" != "x"
+ then
+ pcp_selinux_sock_file_getattr=true
+ fi
+ hostname_exec_map_a=`eval seinfo -x --class=file -- $policy_file | grep map | awk '{ print $1 }'`
+ hostname_exec_map_b=`eval seinfo -x --common file -- $policy_file 2>/dev/null | grep map | awk '{ print $1 }'`
+ if test "x$hostname_exec_map_a" != "x" -o "x$hostname_exec_map_b" != "x"
+ then
+ pcp_selinux_hostname_exec_map=true
+ fi
fi
done
@@ -11872,6 +11875,8 @@ fi
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5
$as_echo_n "checking return type of signal handlers... " >&6; }
if ${ac_cv_type_signal+:} false; then :
diff --git a/configure.ac b/configure.ac
index ba799d146..42efb6bfe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1937,6 +1937,8 @@ pcp_selinux_systemd_unit_file=false
pcp_selinux_systemd_exec=false
pcp_selinux_tracefs=false
pcp_selinux_unreserved_port=false
+pcp_selinux_sock_file_getattr=false
+pcp_selinux_hostname_exec_map=false
AS_IF([test "x$enable_selinux" != "xfalse"], [
for policy_file in /etc/selinux/targeted/policy/policy.*
do
@@ -1992,6 +1994,17 @@ do
then
pcp_selinux_tracefs=true
fi
+ sock_file_getattr=`eval seinfo -x --class=sock_file -- $policy_file | grep getattr | awk '{ print $1 }'`
+ if test "x$sock_file_getattr" != "x"
+ then
+ pcp_selinux_sock_file_getattr=true
+ fi
+ hostname_exec_map_a=`eval seinfo -x --class=file -- $policy_file | grep map | awk '{ print $1 }'`
+ hostname_exec_map_b=`eval seinfo -x --common file -- $policy_file 2>/dev/null | grep map | awk '{ print $1 }'`
+ if test "x$hostname_exec_map_a" != "x" -o "x$hostname_exec_map_b" != "x"
+ then
+ pcp_selinux_hostname_exec_map=true
+ fi
fi
done
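Review bot: The `sock_file_getattr` probe only queries `seinfo -x --class=sock_file`, whereas the `map` probe directly below also falls back to `seinfo -x --common file`; in the reference policy `getattr` appears to come from the `file` common that `sock_file` inherits rather than from the class itself, so if this seinfo version does not list inherited permissions the variable stays empty and the gpmctl_t rule is never generated — worth confirming and, if so, using the same two-query approach for both. The greps are also unanchored (`grep getattr`, `grep map`), unlike qa/917 in this same diff which uses `grep "getattr$"` and `grep "map$"`; anchoring them the same way avoids a false positive from any permission name that merely contains the substring. `test "x$a" != "x" -o "x$b" != "x"` relies on the ambiguous `-o`; `if test -n "$hostname_exec_map_a" || test -n "$hostname_exec_map_b"` is the portable form. The identical code is in the generated configure hunk at `@@ -11856`, which should come from regenerating rather than hand-editing, and the enclosing `for policy_file` loop starts and ends outside this hunk.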
@@ -2006,6 +2019,8 @@ AC_SUBST(pcp_selinux_systemd_unit_file)
AC_SUBST(pcp_selinux_systemd_exec)
AC_SUBST(pcp_selinux_unreserved_port)
AC_SUBST(pcp_selinux_tracefs)
+AC_SUBST(pcp_selinux_sock_file_getattr)
+AC_SUBST(pcp_selinux_hostname_exec_map)
dnl Checks for library functions.
AC_TYPE_SIGNAL
diff --git a/qa/917 b/qa/917
index 83a6ed684..9fc3a993e 100755
--- a/qa/917
+++ b/qa/917
@@ -34,6 +34,9 @@ cap_userns_ptrace=`seinfo --class=cap_userns -x 2>&1 | grep "sys_ptrace$"`
unreserved_port_t=`seinfo -t | grep "unreserved_port_t$"`
tracefs_t=`seinfo -t | grep "tracefs_t$"`
class_status=`seinfo -x --class=system | grep "status$"`
+sock_file_getattr=`seinfo -x --class=sock_file | grep "getattr$"`
+hostname_exec_map_a=`seinfo -x --class=file | grep "map$"`
+hostname_exec_map_b=`seinfo -x --common=file 2>/dev/null | grep "map$"`
_filter_semodule()
{
@@ -63,6 +66,9 @@ _filter_outfile()
-v cap_userns_ptrace="$cap_userns_ptrace" \
-v unreserved_port_t="$unreserved_port_t" \
-v tracefs_t="$tracefs_t" \
+ -v sock_file_getattr="$sock_file_getattr" \
+ -v hostname_exec_map_a="$hostname_exec_map_a" \
+ -v hostname_exec_map_b="$hostname_exec_map_b" \
'{
if (container_t == "" && /container_runtime_t/)
!/container_runtime_t/ ;
@@ -90,6 +96,11 @@ _filter_outfile()
!/tracefs_t/ ;
else if (class_status == "" && /system.*status/)
!/system.*status/ ;
+ else if (sock_file_getattr == "" && /gpmctl_t/)
+ !/gpmctl_t/ ;
+ else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /hostname_exec_t/ && /pcp_pmie_t/) {
+ printf(" allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };\n")
+ }
else
print;
}'
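Review bot: The new `hostname_exec_map` branch replaces the matched line with a hard-coded `printf` of the whole rule rather than normalising the line it matched, so every future change to that permission list in pcpupstream.te.in has to be mirrored here by hand, and a regression in any of the other permissions on that line is masked. Assuming the filter is applied to both expected and actual output (which the hard-coded replacement implies), stripping only the conditional permission keeps the rest under test: `{ sub(/ map }/, " }"); print }`. The match condition is also broad — any line containing both `hostname_exec_t` and `pcp_pmie_t` — and the sibling branch drops every `gpmctl_t` line; a short comment stating that the broad match is intentional would help. `_filter_outfile` begins outside this hunk.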
diff --git a/qa/917.out.in b/qa/917.out.in
index a8c337964..86805d11a 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -44,6 +44,10 @@ decl 1:
allow [pcp_pmcd_t] [haproxy_var_lib_t] : [sock_file] { write };
allow [pcp_pmcd_t] [haproxy_t] : [unix_stream_socket] { connectto };
allow [pcp_pmcd_t] [sysctl_fs_t] : [file] { write };
+ allow [pcp_pmcd_t] [nfsd_fs_t] : [dir] { search };
+ allow [pcp_pmcd_t] [nfsd_fs_t] : [file] { getattr open read };
+ allow [pcp_pmcd_t] [gpmctl_t] : [sock_file] { getattr };
+ allow [pcp_pmcd_t] [postfix_spool_t] : [dir] { read };
allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write };
allow [pcp_pmlogger_t] self : [capability] { kill };
allow [pcp_pmlogger_t] [init_t] : [system] { status };
@@ -54,7 +58,7 @@ decl 1:
allow [pcp_pmlogger_t] [pcp_pmlogger_exec_t] : [file] { execute_no_trans };
allow [pcp_pmlogger_t] [dey_sapi_port_t] : [tcp_socket] { name_connect };
allow [pcp_pmlogger_t] [user_home_dir_t] : [dir] { search };
- allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
+ allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read map };
allow [pcp_pmie_t] self : [capability] { kill sys_ptrace net_admin chown };
allow [pcp_pmie_t] [init_t] : [unix_stream_socket] { connectto };
allow [pcp_pmie_t] [initrc_var_run_t] : [file] { lock open read };
@@ -63,6 +67,7 @@ decl 1:
allow [pcp_pmie_t] [systemd_systemctl_exec_t] : [file] { execute execute_no_trans getattr open read };
allow [pcp_pmie_t] [unconfined_t] : [unix_stream_socket] { connectto };
allow [pcp_pmie_t] [pcp_pmie_exec_t] : [file] { execute_no_trans };
+ allow [pcp_pmie_t] [proc_net_t] : [file] { read };
allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search };
allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read };
allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr };
@@ -75,6 +80,7 @@ decl 1:
allow [pcp_pmproxy_t] self : [capability] { net_admin };
allow [pcp_pmproxy_t] [sysctl_net_t] : [file] { getattr open read };
allow [pcp_pmproxy_t] [sysctl_net_t] : [dir] { search };
+ allow [pcp_pmproxy_t] [proc_net_t] : [file] { read };
allow [pcp_pmmgr_t] [unreserved_port_t] : [tcp_socket] { name_bind };
allow [pcp_pmmgr_t] [unconfined_t] : [unix_stream_socket] { connectto };
diff --git a/src/include/builddefs.in b/src/include/builddefs.in
index e75a08d61..40fc380fb 100644
--- a/src/include/builddefs.in
+++ b/src/include/builddefs.in
@@ -265,6 +265,8 @@ PCP_SELINUX_SYSTEMD_UNIT_FILE = @pcp_selinux_systemd_unit_file@
PCP_SELINUX_SYSTEMD_EXEC = @pcp_selinux_systemd_exec@
PCP_SELINUX_UNRESERVED_PORT = @pcp_selinux_unreserved_port@
PCP_SELINUX_TRACEFS = @pcp_selinux_tracefs@
+PCP_SELINUX_SOCK_FILE_GETATTR = @pcp_selinux_sock_file_getattr@
+PCP_SELINUX_HOSTNAME_EXEC_MAP = @pcp_selinux_hostname_exec_map@
# for code supporting any modern version of perl
HAVE_PERL = @have_perl@
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
index 32f493a8a..65c296611 100644
--- a/src/selinux/GNUlocaldefs
+++ b/src/selinux/GNUlocaldefs
@@ -58,3 +58,12 @@ PCP_TRACEFS_FS_RULE="allow pcp_pmcd_t tracefs_t:filesystem mount\;"
PCP_TRACEFS_DIR_RULE="allow pcp_pmcd_t tracefs_t:dir { search read open }\;"
PCP_TRACEFS_FILE_RULE="allow pcp_pmcd_t tracefs_t:file { read open }\;"
endif
+
+ifeq "$(PCP_SELINUX_SOCK_FILE_GETATTR)" "true"
+PCP_SOCK_FILE_GETATTR="class sock_file getattr\;"
+PCP_SOCK_FILE_GETATTR_RULE="allow pcp_pmcd_t gpmctl_t:sock_file getattr\;"
+endif
+
+ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true"
+PCP_HOSTNAME_EXEC_MAP=" map "
+endif
\ No newline at end of file
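Review bot: The file now ends without a trailing newline (`\ No newline at end of file`); make accepts it, but the next addition to this file will produce a noisy diff and some tooling warns, so terminate the final `endif` with a newline. `PCP_HOSTNAME_EXEC_MAP=" map "` carries its surrounding spaces deliberately because it is substituted into the middle of a `{ ... }` permission list and must be empty when unsupported; a one-line comment such as `# padded: spliced into a { ... } permission list, left empty when the policy lacks map` would stop a later cleanup from trimming it.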
diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
index ed4132b80..6635c8e7b 100644
--- a/src/selinux/GNUmakefile
+++ b/src/selinux/GNUmakefile
@@ -58,6 +58,9 @@ $(IAM).te: $(IAM).te.in
-e 's;@PCP_TRACEFS_FS_RULE@;'$(PCP_TRACEFS_FS_RULE)';' \
-e 's;@PCP_TRACEFS_DIR_RULE@;'$(PCP_TRACEFS_DIR_RULE)';' \
-e 's;@PCP_TRACEFS_FILE_RULE@;'$(PCP_TRACEFS_FILE_RULE)';' \
+ -e 's;@PCP_SOCK_FILE_GETATTR@;'$(PCP_SOCK_FILE_GETATTR)';' \
+ -e 's;@PCP_SOCK_FILE_GETATTR_RULE@;'$(PCP_SOCK_FILE_GETATTR_RULE)';' \
+ -e 's;@PCP_HOSTNAME_EXEC_MAP@;'$(PCP_HOSTNAME_EXEC_MAP)';' \
# END
make -f /usr/share/selinux/devel/Makefile
diff --git a/src/selinux/README b/src/selinux/README
index af7d51be1..b071bbd5a 100644
--- a/src/selinux/README
+++ b/src/selinux/README
@@ -1,5 +1,28 @@
PCP SELinux Module
+== TL;DR ==
+
+Dammit Jim, I'm a developer, not a selinux expert!
+
+Ok ok, AVC denials are logged in /var/log/audit/audit.log Pull out the
+relevant errors, and either, forward that along with the bug/pull
+request for us to add/fix, or run:
+
+cat /var/log/audit/audit.log | audit2allow -w
+
+which will verify that the avc is not already covered in the pcp
+policy file, and then:
+
+cat /var/log/audit/audit.log | audit2allow -M mypolicy
+semodule -i mypolicy.pp
+
+Be careful you understand what context accesses you're allowing with
+this policy, and that they *should* be allowed.
+
+If you choose the latter, please be a good samaritan and forward the
+relevant avc denials upstream for the community to apply and ship the
+updated policy package.
+
== Building ==
make -f /usr/share/selinux/devel/Makefile
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 5f48533c1..236a0ecf1 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -31,6 +31,7 @@ require {
type saslauthd_t; # pcp-lio
type modules_object_t; # pcp-lio
@PCP_NSFS_T@
+ type nfsd_fs_t; #RHBZ1515928
type pcp_pmie_exec_t; # pmdasummary
@PCP_SYSTEMCTL_UNIT_FILE_T@
@PCP_SYSTEMCTL_EXEC_T@
@@ -45,8 +46,11 @@ require {
type haproxy_t; # pmda.haproxy
type websm_port_t; # pmda.prometheus
type dey_sapi_port_t; #RHBZ1447585
+ type gpmctl_t; #RHBZ1517656
+ type proc_net_t; #RHBZ1517656
+ type postfix_spool_t; #RHBZ1517862
class lnk_file { read getattr };
- class file { append create execute execute_no_trans getattr ioctl lock open read write };
+ class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
class dir { add_name open read search write getattr };
class unix_stream_socket connectto;
class capability { kill sys_ptrace net_admin chown sys_chroot ipc_owner };
@@ -55,6 +59,7 @@ require {
class fifo_file { getattr read open unlink }; # qa/455
class process signal; #RHBZ1443632
class sock_file write; #RHBZ1449671
+ @PCP_SOCK_FILE_GETATTR@
@PCP_CLASS_STATUS@
class tcp_socket { name_bind name_connect };
class shm { unix_read associate getattr };
@@ -169,6 +174,15 @@ allow pcp_pmcd_t haproxy_t:unix_stream_socket connectto;
#RHBZ1505888
allow pcp_pmcd_t sysctl_fs_t:file write;
+#RHBZ1515928
+allow pcp_pmcd_t nfsd_fs_t:dir search;
+allow pcp_pmcd_t nfsd_fs_t:file { getattr open read };
+
+#RHBZ1517656
+@PCP_SOCK_FILE_GETATTR_RULE@
+
+#RHBZ1517862
+allow pcp_pmcd_t postfix_spool_t:dir read;
#============= pcp_pmlogger_t ==============
allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
allow pcp_pmlogger_t self:capability kill;
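Review bot: The three new allow blocks are annotated only with a bug number, while the surrounding rules (for example the `proc_net_t` rule for pcp_pmproxy_t later in this diff) quote the originating `type=AVC` denial, which is what lets a later reviewer judge whether the access is still required and whether its scope is minimal; please paste the denial line from each RHBZ above its rule. The `require` entries added earlier in this diff (`type gpmctl_t`, `type proc_net_t`, `type postfix_spool_t`) should likewise name the consumer the way neighbouring entries do (`# pmda.haproxy`, `# pcp-lio`), e.g. `type postfix_spool_t; # pmda.<name> RHBZ1517862`. The `postfix_spool_t:dir read` grant is narrowly scoped (directory listing only, no file access), which is good; a comment saying this is all the consumer needs would discourage widening it later. The pcp_pmie_t `proc_net_t` rule in the later hunk has the same missing-AVC issue.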
@@ -199,7 +213,7 @@ allow pcp_pmlogger_t dey_sapi_port_t:tcp_socket name_connect;
allow pcp_pmlogger_t user_home_dir_t:dir search;
#============= pcp_pmie_t ==============
-allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read };
+allow pcp_pmie_t hostname_exec_t:file { execute execute_no_trans getattr open read @PCP_HOSTNAME_EXEC_MAP@ };
#type=AVC msg=audit(1498847682.537:15753): avc: denied { sys_ptrace } for pid=30881 comm="ps" capability=19 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
allow pcp_pmie_t self:capability { chown kill net_admin sys_ptrace };
@@ -233,6 +247,10 @@ allow pcp_pmie_t unconfined_t:unix_stream_socket connectto;
#audit: type=1400 audit(1504924094.677:197): avc: denied { execute_no_trans } for pid=3703 comm=pmie_check path=/usr/bin/pmie dev=dm-0 ino=2506240 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
allow pcp_pmie_t pcp_pmie_exec_t:file execute_no_trans;
+
+#RHBZ1517656
+allow pcp_pmie_t proc_net_t:file read;
+
#============= pmda-lio ==============
allow pcp_pmcd_t configfs_t:dir { open read search };
allow pcp_pmcd_t configfs_t:file { getattr open read };
@@ -259,6 +277,11 @@ allow pcp_pmproxy_t sysctl_net_t:file { getattr open read };
#type=AVC msg=audit(1498837089.845:16693): avc: denied { search } for pid=14446 comm="pmproxy" name="net" dev="proc" ino=1168 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
allow pcp_pmproxy_t sysctl_net_t:dir search;
+
+#type=AVC msg=audit(1511771694.686:575): avc: denied { read } for pid=28833 comm="pmproxy" name="unix" dev="proc" ino=4026532015 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
+#RHBZ1517656
+allow pcp_pmproxy_t proc_net_t:file read;
+
#============= pcp_pmmgr_t ==============
#type=AVC msg=audit(1498835526.281:10254): avc: denied { name_bind } for pid=13114 comm="pmlogger" src=4332 scontext=system_u:system_r:pcp_pmmgr_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0