From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:31:59 +0200
Subject: [PATCH 1/3] modify rule description and ocil

---
 .../selinux_all_devicefiles_labeled/rule.yml  | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
index 765fca583e..1667557740 100644
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux'
 
 description: |-
     Device files, which are used for communication with important system
-    resources, should be labeled with proper SELinux types. If any device
-    files do not carry the SELinux type <tt>device_t</tt>, report the bug so
-    that policy can be corrected. Supply information about what the device is
-    and what programs use it.
+    resources, should be labeled with proper SELinux types. If any device files
+    carry the SELinux type <tt>device_t</tt> or <tt>unlabeled_t</tt>, report the
+    bug so that policy can be corrected. Supply information about what the
+    device is and what programs use it.
     <br /><br />
-    To check for unlabeled device files, run the following command:
+    To check for incorrectly labeled device files, run following commands:
     <pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
+    <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
     It should produce no output in a well-configured system.
 
 rationale: |-
-    If a device file carries the SELinux type <tt>device_t</tt>, then SELinux
-    cannot properly restrict access to the device file.
+    If a device file carries the SELinux type <tt>device_t</tt> or
+    <tt>unlabeled_t</tt>, then SELinux cannot properly restrict access to the
+    device file.
 
 severity: medium
 
@@ -45,8 +47,9 @@ references:
 ocil_clause: 'there is output'
 
 ocil: |-
-    To check for unlabeled device files, run the following command:
+    To check for incorrectly labeled device files, run following commands:
     <pre>$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
+    <pre>$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"</pre>
     It should produce no output in a well-configured system.
 
 warnings:
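Review bot: The `find` line added to the ocil block, and the matching one added to the description hunk above, pass the glob `*:unlabeled_t:*` to `-context` unquoted, so the shell expands it against the current directory before `find` sees it whenever a matching name exists there; quoting it, `-context '*:unlabeled_t:*'`, makes the documented command reliable (the pre-existing `device_t` line has the same weakness). The phrase `run following commands`, introduced in both the description and the ocil text, reads better as `run the following commands`.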

From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:32:57 +0200
Subject: [PATCH 2/3] updated oval to check only device files

---
 .../oval/shared.xml                           | 64 +++++++++++++------
 1 file changed, 43 insertions(+), 21 deletions(-)

diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
index 51b68008af..7dcfb98577 100644
--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
@@ -2,32 +2,54 @@
   <definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
     <metadata>
       <title>Device Files Have Proper SELinux Context</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-        <platform>Red Hat Enterprise Linux 7</platform>
-        <platform>Red Hat Enterprise Linux 8</platform>
-        <platform>Red Hat Virtualization 4</platform>
-        <platform>multi_platform_fedora</platform>
-        <platform>multi_platform_ol</platform>
-        <platform>multi_platform_wrlinux</platform>
-      </affected>
-      <description>All device files in /dev should be assigned an SELinux security context other than 'device_t'.</description>
+      {{{- oval_affected(products) }}}
+      <description>All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.</description>
     </metadata>
-    <criteria>
-      <criterion comment="device_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" />
+    <criteria operator="AND">
+      <criterion comment="device_t in /dev" test_ref="test_selinux_dev_device_t" />
+      <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_dev_unlabeled_t" />
     </criteria>
   </definition>
-  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_all_devicefiles_labeled" version="2">
-    <linux:object object_ref="object_selinux_all_devicefiles_labeled" />
-    <linux:state state_ref="state_selinux_all_devicefiles_labeled" />
+
+  <!-- collect all special files from /dev directory -->
+  <unix:file_object id="object_dev_device_files" comment="device files within /dev directory" version="1">
+    <unix:behaviors recurse_direction="down" />
+    <unix:path operation="equals">/dev</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">state_block_or_char_device_file</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_block_or_char_device_file" version="1" comment="device files" >
+    <unix:type operation="pattern match">^(block|character) special$</unix:type>
+  </unix:file_state>
+
+  <local_variable id="variable_dev_device_files" comment="all device files within /dev directory" datatype="string" version="1">
+    <object_component object_ref="object_dev_device_files" item_field="filepath" />
+  </local_variable>
+
+
+  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="test_selinux_dev_device_t" version="2">
+    <linux:object object_ref="object_selinux_dev_device_t" />
+    <linux:state state_ref="state_selinux_dev_device_t" />
   </linux:selinuxsecuritycontext_test>
-  <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_all_devicefiles_labeled" version="1">
-    <linux:behaviors recurse_direction="down" />
-    <linux:path>/dev</linux:path>
-    <linux:filename operation="pattern match">^.*$</linux:filename>
-    <filter action="include">state_selinux_all_devicefiles_labeled</filter>
+  <linux:selinuxsecuritycontext_object comment="device_t in /dev" id="object_selinux_dev_device_t" version="1">
+    <linux:filepath operation="equals" var_ref="variable_dev_device_files"  var_check="at least one"/>
+    <filter action="include">state_selinux_dev_device_t</filter>
   </linux:selinuxsecuritycontext_object>
-  <linux:selinuxsecuritycontext_state comment="do it" id="state_selinux_all_devicefiles_labeled" version="1">
+  <linux:selinuxsecuritycontext_state comment="device_t label" id="state_selinux_dev_device_t" version="1">
     <linux:type datatype="string" operation="equals">device_t</linux:type>
   </linux:selinuxsecuritycontext_state>
+
+  <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_dev_unlabeled_t" version="2">
+    <linux:object object_ref="object_selinux_dev_unlabeled_t" />
+    <linux:state state_ref="state_selinux_dev_unlabeled_t" />
+  </linux:selinuxsecuritycontext_test>
+  <linux:selinuxsecuritycontext_object comment="unlabeled_t in /dev" id="object_selinux_dev_unlabeled_t" version="1">
+    <linux:filepath operation="equals" var_ref="variable_dev_device_files"  var_check="at least one"/>
+    <filter action="include">state_selinux_dev_unlabeled_t</filter>
+  </linux:selinuxsecuritycontext_object>
+  <linux:selinuxsecuritycontext_state comment="unlabeled_t label" id="state_selinux_dev_unlabeled_t" version="1">
+    <linux:type datatype="string" operation="equals">unlabeled_t</linux:type>
+  </linux:selinuxsecuritycontext_state>
+
 </def-group>
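Review bot: `object_selinux_dev_device_t` and `object_selinux_dev_unlabeled_t` take their file list from `variable_dev_device_files` with `var_check="at least one"`, and nothing documents what happens when that variable collects no values (no block or character special file under `/dev`); interpreters differ on whether an object built from an empty variable counts as "does not exist" or as an error, so the `any_exist`/`none satisfy` combination may not yield the clean pass the description promises in that case. A comment above the `local_variable` should state the assumption, e.g. `<!-- assumes /dev holds at least one block or character special file; an empty variable may evaluate to error rather than pass - TODO confirm in OpenSCAP -->`. The existing `collect all special files from /dev directory` comment would also help readers if it said why the indirection exists, which appears to be that the selinuxsecuritycontext object cannot filter on file type itself, so the file_object/file_state pair selects the device nodes first. Minor style: `comment="device files" >` has a stray space before `>`, and both `linux:filepath` elements carry a double space before `var_check`.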

From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 7 Jul 2020 11:33:26 +0200
Subject: [PATCH 3/3] add tests

---
 .../tests/block_device_device_t.fail.sh            |  4 ++++
 .../tests/char_device_unlabeled_t.fail.sh          | 14 ++++++++++++++
 .../tests/regular_file_device_t.pass.sh            |  4 ++++
 .../tests/symlink_with_wrong_label.pass.sh         |  4 ++++
 4 files changed, 26 insertions(+)
 create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
 create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
 create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
 create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh

diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
new file mode 100644
index 0000000000..08c4142e5b
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mknod /dev/foo b 1 5
+chcon -t device_t /dev/foo
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
new file mode 100644
index 0000000000..1da85c2034
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# selinux does not allow unlabeled_t in /dev
+# we have to modify the selinux policy to allow that
+
+echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil
+semodule -i /tmp/unlabeled_t.cil
+
+mknod /dev/foo c 1 5
+chcon -t unlabeled_t /dev/foo
+
+
+mknod /dev/foo c 1 5
+chcon -t device_t /dev/foo
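Review bot: The second `mknod /dev/foo c 1 5` on the last two lines targets the path created four lines earlier, so it fails with "File exists", and the `chcon -t device_t /dev/foo` that follows replaces the `unlabeled_t` label just applied; the scanner then sees a `device_t` device and the unlabeled_t case the file name promises is never exercised. Drop the trailing pair, or give it its own path, e.g. `mknod /dev/bar c 1 5` and `chcon -t device_t /dev/bar`, if both labels are meant to be present at once. The CIL module installed from `/tmp/unlabeled_t.cil` is never removed, which is fine for a throwaway test environment but deserves a comment saying so, e.g. `# module is left installed; the test environment is discarded afterwards`.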
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
new file mode 100644
index 0000000000..d161951d7a
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /dev/foo
+restorecon -F /dev/foo
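Review bot: `restorecon -F /dev/foo` applies whatever default context the loaded policy assigns to `/dev/foo`, so this script only produces the `device_t` regular file its name describes when that default happens to be `device_t`; the fail-side script sets its label explicitly with `chcon`, and this one should too, `chcon -t device_t /dev/foo`, so the scenario does not depend on policy file-context rules. The same applies to `symlink_with_wrong_label.pass.sh` in the next hunk, where the "wrong label" is likewise left to `restorecon`'s default rather than set.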
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
new file mode 100644
index 0000000000..a8280bf37e
--- /dev/null
+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+ln -s /dev/cpu /dev/foo
+restorecon -F /dev/foo