From 82c99e8de8f2ffef7d340fd7c1d9088367650eb5 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Mon, 10 May 2021 18:53:02 +0200

Subject: [PATCH]  Update and select seboolean rules for R67

Fix description of sebool_deny_execmem, and warning about possible

issues.

Add rationale to rules the SELinux booleans.

---

 controls/anssi.yml                            | 14 +++++++++---

 .../sebool_deny_execmem/rule.yml              | 22 ++++++++++++++-----

 .../sebool_selinuxuser_execheap/rule.yml      |  4 +++-

 .../sebool_selinuxuser_execstack/rule.yml     |  3 ++-

 4 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml

index 705f8e25aab..ef9356a6fea 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -967,10 +967,18 @@ controls:

       allow_execstack to off, forbids processes to make their stack executable;

       secure_mode_insmod to on, prohibits dynamic loading of modules by any process;

       ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.

+    notes:

+      In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the

+      boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not

+      available, deny_execmem provides the same functionality.

+    automated: yes

     rules:

-    # Add rule for sebool allow_execheap

-    # Add rule for sebool allow_execmem

-    # Add rule for sebool allow_execstack

+    - var_selinuxuser_execheap=off

+    - sebool_selinuxuser_execheap

+    - var_deny_execmem=on

+    - sebool_deny_execmem

+    - var_selinuxuser_execstack=off

+    - sebool_selinuxuser_execstack

     - var_secure_mode_insmod=on

     - sebool_secure_mode_insmod

     - sebool_ssh_sysadm_login

diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml

index f340ea4be11..e8453fbfb8d 100644

--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml

+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml

@@ -2,14 +2,16 @@ documentation_complete: true

 prodtype: rhel7,rhel8,rhv4

-title: 'Disable the deny_execmem SELinux Boolean'

+title: 'Enable the deny_execmem SELinux Boolean'

 description: |-

     By default, the SELinux boolean <tt>deny_execmem</tt> is disabled.

-    If this setting is enabled, it should be disabled.

+    If this setting is disabled, it should be enabled.

     {{{ describe_sebool_disable(sebool="deny_execmem") }}}

-rationale: ""

+rationale: |-

+    Allowing user domain applications to map a memory region as both writable and

+    executable makes them more susceptible to data execution attacks.

 severity: medium

@@ -19,10 +21,20 @@ identifiers:

 references:

     anssi: BP28(R67)

-    

-{{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}}

+

+{{{ complete_ocil_entry_sebool_enabled(sebool="deny_execmem") }}}

+

+warnings:

+    - general: |-

+        This rule doesn't come with a remediation, as enabling this SELinux boolean can cause

+        applications to malfunction, for example Graphical login managers and Firefox.

+    - functionality: |-

+        Proper function and stability should be assessed before applying enabling the SELinux boolean in production systems.

 template:

     name: sebool

     vars:

         seboolid: deny_execmem

+    backends:

+        bash: "off"

+        ansible: "off"

diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml

index 45aa81a1223..7fedaab6130 100644

--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml

+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml

@@ -6,10 +6,12 @@ title: 'Disable the selinuxuser_execheap SELinux Boolean'

 description: |-

     By default, the SELinux boolean <tt>selinuxuser_execheap</tt> is disabled.

+    When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.

     If this setting is enabled, it should be disabled.

     {{{ describe_sebool_disable(sebool="selinuxuser_execheap") }}}

-rationale: ""

+rationale: |-

+    Disabling code execution from the heap blocks buffer overflow attacks.

 severity: medium

diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml

index 2b20d0bfe4f..2e0b19f881d 100644

--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml

+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml

@@ -10,7 +10,8 @@ description: |-

     to make their stack executable.

     {{{ describe_sebool_disable(sebool="selinuxuser_execstack") }}}

-rationale: ""

+rationale: |-

+    Disabling code execution from the stack blocks buffer overflow attacks.

 severity: medium