|
 |
50ad7f |
From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001
|
|
|
50ad7f |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
50ad7f |
Date: Tue, 7 Jul 2020 11:31:59 +0200
|
|
|
50ad7f |
Subject: [PATCH 1/3] modify rule description and ocil
|
|
|
50ad7f |
|
|
|
50ad7f |
---
|
|
|
50ad7f |
.../selinux_all_devicefiles_labeled/rule.yml | 19 +++++++++++--------
|
|
|
50ad7f |
1 file changed, 11 insertions(+), 8 deletions(-)
|
|
|
50ad7f |
|
|
|
50ad7f |
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
|
|
|
50ad7f |
index 765fca583e..1667557740 100644
|
|
|
50ad7f |
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
|
|
|
50ad7f |
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
|
|
|
50ad7f |
@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux'
|
|
|
50ad7f |
|
|
|
50ad7f |
description: |-
|
|
|
50ad7f |
Device files, which are used for communication with important system
|
|
|
50ad7f |
- resources, should be labeled with proper SELinux types. If any device
|
|
|
50ad7f |
- files do not carry the SELinux type <tt>device_t</tt>, report the bug so
|
|
|
50ad7f |
- that policy can be corrected. Supply information about what the device is
|
|
|
50ad7f |
- and what programs use it.
|
|
|
50ad7f |
+ resources, should be labeled with proper SELinux types. If any device files
|
|
|
50ad7f |
+ carry the SELinux type <tt>device_t</tt> or <tt>unlabeled_t</tt>, report the
|
|
|
50ad7f |
+ bug so that policy can be corrected. Supply information about what the
|
|
|
50ad7f |
+ device is and what programs use it.
|
|
|
50ad7f |
|
|
|
50ad7f |
- To check for unlabeled device files, run the following command:
|
|
|
50ad7f |
+ To check for incorrectly labeled device files, run following commands:
|
|
|
50ad7f |
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
|
|
|
50ad7f |
+ $ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
|
|
|
50ad7f |
It should produce no output in a well-configured system.
|
|
|
50ad7f |
|
|
|
50ad7f |
rationale: |-
|
|
|
50ad7f |
- If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
|
|
|
50ad7f |
- cannot properly restrict access to the device file.
|
|
|
50ad7f |
+ If a device file carries the SELinux type <tt>device_t</tt> or
|
|
|
50ad7f |
+ <tt>unlabeled_t</tt>, then SELinux cannot properly restrict access to the
|
|
|
50ad7f |
+ device file.
|
|
|
50ad7f |
|
|
|
50ad7f |
severity: medium
|
|
|
50ad7f |
|
|
|
50ad7f |
@@ -45,8 +47,9 @@ references:
|
|
|
50ad7f |
ocil_clause: 'there is output'
|
|
|
50ad7f |
|
|
|
50ad7f |
ocil: |-
|
|
|
50ad7f |
- To check for unlabeled device files, run the following command:
|
|
|
50ad7f |
+ To check for incorrectly labeled device files, run following commands:
|
|
|
50ad7f |
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
|
|
|
50ad7f |
+ $ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
|
|
|
50ad7f |
It should produce no output in a well-configured system.
|
|
|
50ad7f |
|
|
|
50ad7f |
warnings:
|
|
|
50ad7f |
|
|
|
50ad7f |
From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001
|
|
|
50ad7f |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
50ad7f |
Date: Tue, 7 Jul 2020 11:32:57 +0200
|
|
|
50ad7f |
Subject: [PATCH 2/3] updated oval to check only device files
|
|
|
50ad7f |
|
|
|
50ad7f |
---
|
|
|
50ad7f |
.../oval/shared.xml | 64 +++++++++++++------
|
|
|
50ad7f |
1 file changed, 43 insertions(+), 21 deletions(-)
|
|
|
50ad7f |
|
|
|
50ad7f |
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
|
|
|
50ad7f |
index 51b68008af..7dcfb98577 100644
|
|
|
50ad7f |
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
|
|
|
50ad7f |
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
|
|
|
50ad7f |
@@ -2,32 +2,54 @@
|
|
|
50ad7f |
<definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
|
|
|
50ad7f |
<metadata>
|
|
|
50ad7f |
<title>Device Files Have Proper SELinux Context</title>
|
|
|
50ad7f |
- <affected family="unix">
|
|
|
50ad7f |
- <platform>Red Hat Enterprise Linux 6</platform>
|
|
|
50ad7f |
- <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
50ad7f |
- <platform>Red Hat Enterprise Linux 8</platform>
|
|
|
50ad7f |
- <platform>Red Hat Virtualization 4</platform>
|
|
|
50ad7f |
- <platform>multi_platform_fedora</platform>
|
|
|
50ad7f |
- <platform>multi_platform_ol</platform>
|
|
|
50ad7f |
- <platform>multi_platform_wrlinux</platform>
|
|
|
50ad7f |
- </affected>
|
|
|
50ad7f |
- <description>All device files in /dev should be assigned an SELinux security context other than 'device_t'.</description>
|
|
|
50ad7f |
+ {{{- oval_affected(products) }}}
|
|
|
50ad7f |
+ <description>All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.</description>
|
|
|
50ad7f |
</metadata>
|
|
|
50ad7f |
- <criteria>
|
|
|
50ad7f |
- <criterion comment="device_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" />
|
|
|
50ad7f |
+ <criteria operator="AND">
|
|
|
50ad7f |
+ <criterion comment="device_t in /dev" test_ref="test_selinux_dev_device_t" />
|
|
|
50ad7f |
+ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_dev_unlabeled_t" />
|
|
|
50ad7f |
</criteria>
|
|
|
50ad7f |
</definition>
|
|
|
50ad7f |
- <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_all_devicefiles_labeled" version="2">
|
|
|
50ad7f |
- <linux:object object_ref="object_selinux_all_devicefiles_labeled" />
|
|
|
50ad7f |
- <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+ <unix:file_object id="object_dev_device_files" comment="device files within /dev directory" version="1">
|
|
|
50ad7f |
+ <unix:behaviors recurse_direction="down" />
|
|
|
50ad7f |
+ <unix:path operation="equals">/dev</unix:path>
|
|
|
50ad7f |
+ <unix:filename operation="pattern match">^.*$</unix:filename>
|
|
|
50ad7f |
+ <filter action="include">state_block_or_char_device_file</filter>
|
|
|
50ad7f |
+ </unix:file_object>
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+ <unix:file_state id="state_block_or_char_device_file" version="1" comment="device files" >
|
|
|
50ad7f |
+ <unix:type operation="pattern match">^(block|character) special$</unix:type>
|
|
|
50ad7f |
+ </unix:file_state>
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+ <local_variable id="variable_dev_device_files" comment="all device files within /dev directory" datatype="string" version="1">
|
|
|
50ad7f |
+ <object_component object_ref="object_dev_device_files" item_field="filepath" />
|
|
|
50ad7f |
+ </local_variable>
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+ <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_dev_device_t" version="2">
|
|
|
50ad7f |
+ <linux:object object_ref="object_selinux_dev_device_t" />
|
|
|
50ad7f |
+ <linux:state state_ref="state_selinux_dev_device_t" />
|
|
|
50ad7f |
</linux:selinuxsecuritycontext_test>
|
|
|
50ad7f |
- <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
|
|
|
50ad7f |
- <linux:behaviors recurse_direction="down" />
|
|
|
50ad7f |
- <linux:path>/dev</linux:path>
|
|
|
50ad7f |
- <linux:filename operation="pattern match">^.*$</linux:filename>
|
|
|
50ad7f |
- <filter action="include">state_selinux_all_devicefiles_labeled</filter>
|
|
|
50ad7f |
+ <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_dev_device_t" version="1">
|
|
|
50ad7f |
+ <linux:filepath operation="equals" var_ref="variable_dev_device_files" var_check="at least one"/>
|
|
|
50ad7f |
+ <filter action="include">state_selinux_dev_device_t</filter>
|
|
|
50ad7f |
</linux:selinuxsecuritycontext_object>
|
|
|
50ad7f |
- <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
|
|
|
50ad7f |
+ <linux:selinuxsecuritycontext_state comment="device_t label" id="state_selinux_dev_device_t" version="1">
|
|
|
50ad7f |
<linux:type datatype="string" operation="equals">device_t</linux:type>
|
|
|
50ad7f |
</linux:selinuxsecuritycontext_state>
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+ <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_dev_unlabeled_t" version="2">
|
|
|
50ad7f |
+ <linux:object object_ref="object_selinux_dev_unlabeled_t" />
|
|
|
50ad7f |
+ <linux:state state_ref="state_selinux_dev_unlabeled_t" />
|
|
|
50ad7f |
+ </linux:selinuxsecuritycontext_test>
|
|
|
50ad7f |
+ <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_dev_unlabeled_t" version="1">
|
|
|
50ad7f |
+ <linux:filepath operation="equals" var_ref="variable_dev_device_files" var_check="at least one"/>
|
|
|
50ad7f |
+ <filter action="include">state_selinux_dev_unlabeled_t</filter>
|
|
|
50ad7f |
+ </linux:selinuxsecuritycontext_object>
|
|
|
50ad7f |
+ <linux:selinuxsecuritycontext_state comment="unlabeled_t label" id="state_selinux_dev_unlabeled_t" version="1">
|
|
|
50ad7f |
+ <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
|
|
|
50ad7f |
+ </linux:selinuxsecuritycontext_state>
|
|
|
50ad7f |
+
|
|
|
50ad7f |
</def-group>
|
|
|
50ad7f |
|
|
|
50ad7f |
From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001
|
|
|
50ad7f |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
50ad7f |
Date: Tue, 7 Jul 2020 11:33:26 +0200
|
|
|
50ad7f |
Subject: [PATCH 3/3] add tests
|
|
|
50ad7f |
|
|
|
50ad7f |
---
|
|
|
50ad7f |
.../tests/block_device_device_t.fail.sh | 4 ++++
|
|
|
50ad7f |
.../tests/char_device_unlabeled_t.fail.sh | 14 ++++++++++++++
|
|
|
50ad7f |
.../tests/regular_file_device_t.pass.sh | 4 ++++
|
|
|
50ad7f |
.../tests/symlink_with_wrong_label.pass.sh | 4 ++++
|
|
|
50ad7f |
4 files changed, 26 insertions(+)
|
|
|
50ad7f |
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
|
|
|
50ad7f |
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
|
|
|
50ad7f |
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
|
|
|
50ad7f |
create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
|
|
|
50ad7f |
|
|
|
50ad7f |
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
|
|
|
50ad7f |
new file mode 100644
|
|
|
50ad7f |
index 0000000000..08c4142e5b
|
|
|
50ad7f |
--- /dev/null
|
|
|
50ad7f |
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
|
|
|
50ad7f |
@@ -0,0 +1,4 @@
|
|
|
50ad7f |
+#!/bin/bash
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+mknod /dev/foo b 1 5
|
|
|
50ad7f |
+chcon -t device_t /dev/foo
|
|
|
50ad7f |
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
|
|
|
50ad7f |
new file mode 100644
|
|
|
50ad7f |
index 0000000000..1da85c2034
|
|
|
50ad7f |
--- /dev/null
|
|
|
50ad7f |
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
|
|
|
50ad7f |
@@ -0,0 +1,14 @@
|
|
|
50ad7f |
+#!/bin/bash
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+# selinux does not allow unlabeled_t in /dev
|
|
|
50ad7f |
+# we have to modify the selinux policy to allow that
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil
|
|
|
50ad7f |
+semodule -i /tmp/unlabeled_t.cil
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+mknod /dev/foo c 1 5
|
|
|
50ad7f |
+chcon -t unlabeled_t /dev/foo
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+mknod /dev/foo c 1 5
|
|
|
50ad7f |
+chcon -t device_t /dev/foo
|
|
|
50ad7f |
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
|
|
|
50ad7f |
new file mode 100644
|
|
|
50ad7f |
index 0000000000..d161951d7a
|
|
|
50ad7f |
--- /dev/null
|
|
|
50ad7f |
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
|
|
|
50ad7f |
@@ -0,0 +1,4 @@
|
|
|
50ad7f |
+#!/bin/bash
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+touch /dev/foo
|
|
|
50ad7f |
+restorecon -F /dev/foo
|
|
|
50ad7f |
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
|
|
|
50ad7f |
new file mode 100644
|
|
|
50ad7f |
index 0000000000..a8280bf37e
|
|
|
50ad7f |
--- /dev/null
|
|
|
50ad7f |
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
|
|
|
50ad7f |
@@ -0,0 +1,4 @@
|
|
|
50ad7f |
+#!/bin/bash
|
|
|
50ad7f |
+
|
|
|
50ad7f |
+ln -s /dev/cpu /dev/foo
|
|
|
50ad7f |
+restorecon -F /dev/foo
|