Refpolicy aos vm #2
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Eabramov84
reviewed
Sep 12, 2022
README
Outdated
| ## How to work with SELinux | ||
| ### Introduction | ||
|
|
||
| To be able to add and change the SELinux policy, you need to clone the repository with refpolicy, and make changes with a separate commit. |
There was a problem hiding this comment.
Please write instructions in indirect form(withou you)
e.g.
To add and change the SELinux policy, the repository with refpolicy should be cloned and changes are done with a separate commit.
Eabramov84
reviewed
Sep 12, 2022
README
Outdated
|
|
||
| Refpolicy contains the following file types: | ||
| 1. **te** - the file contains rules describing what the domain can do (labels of the subjects or objects). This file does not say that this process can run another file, it just says that the process labeled A can read the file labeled B. | ||
| 2. **fc** - describes the security context (labels) on a file, directory, etc., which will be applied when the policy is install. By default, directories or files inherit the context of their parents, but you can manually set the desired context through this file |
There was a problem hiding this comment.
but the desired context could be manually set using this file
Eabramov84
reviewed
Sep 12, 2022
README
Outdated
| Refpolicy contains the following file types: | ||
| 1. **te** - the file contains rules describing what the domain can do (labels of the subjects or objects). This file does not say that this process can run another file, it just says that the process labeled A can read the file labeled B. | ||
| 2. **fc** - describes the security context (labels) on a file, directory, etc., which will be applied when the policy is install. By default, directories or files inherit the context of their parents, but you can manually set the desired context through this file | ||
| 3. **if** - the interface file creates the macros that other modules will use to gain access to my resources. |
Eabramov84
reviewed
Sep 12, 2022
README
Outdated
| - **name** - name of the target | ||
| - can contained **path** - path to the object (target) the process attempted to access. | ||
|
|
||
| Next we need to analyze the received log and find the corresponding **te** file by **scontext**, for example, for **dnsmasq_t** there is a corresponding **dnsmasq.te** file and in this file you need to add a rule that allows **scontext** to access **tcontext**. |
There was a problem hiding this comment.
The next step is to analyze ... dnsmasq.te file and in this file rule that allows scontext to access tcontext should be added.
MykolaSolyanko
force-pushed
the
refpolicy_aos_vm
branch
4 times, most recently
from
d8ba020
to
182a572
Compare
al1img
reviewed
Sep 13, 2022
policy/modules/kernel/files.if
Outdated
| @@ -5834,6 +5834,7 @@ interface(`files_dontaudit_rw_var_files',` | |||
| dontaudit $1 var_t:file rw_file_perms; | |||
| ') | |||
|
|
|||
|
|
|||
| @@ -6047,6 +6048,24 @@ interface(`files_manage_var_lib_dirs',` | |||
| allow $1 var_lib_t:dir manage_dir_perms; | |||
| ') | |||
|
|
|||
| ######################################## | |||
There was a problem hiding this comment.
Would be nice to have it in separate commit:
- provide access for /var/run
- provide access for efivars
In this case, it would be easier to apply policies for new platform. For example for u-boot devices we should remove efivar access e.g.
There was a problem hiding this comment.
Done. Split to several commits
README
Outdated
|
|
||
| Each process or resource (file, dir etc.) has a label (type) that describes what can be accessed. | ||
|
|
||
| SELinux considers subject-access-object rule set. On a Linux system, subjects are processes, and object is the resource on which an action applies. |
There was a problem hiding this comment.
Could you use max 120 length line?
MykolaSolyanko
force-pushed
the
refpolicy_aos_vm
branch
2 times, most recently
from
b4e28ed
to
3c646a1
Compare
al1img
reviewed
Sep 20, 2022
README
Outdated
| ## How to work with SELinux | ||
| ### Introduction | ||
|
|
||
| To add and change the SELinux policy, the repository with refpolicy, and make changes with |
There was a problem hiding this comment.
Looks like something is missing in this sentence.
There was a problem hiding this comment.
Remove this sentence
README
Outdated
| Each process or resource (file, dir etc.) has a label (type) that describes what can be accessed. | ||
|
|
||
| SELinux considers subject-access-object rule set. On a Linux system, subjects are processes, and object is the resource | ||
| on which an action applies. |
README
Outdated
| does not say that this process can run another file, it just says that the process labeled A can read the file | ||
| labeled B. | ||
| 2. **fc** - describes the security context (labels) on a file, directory, etc., which will be applied when the policy | ||
| is install. By default, directories or files inherit the context of their parents, but the desired context could |
README
Outdated
| on which an action applies. | ||
|
|
||
| Refpolicy contains the following file types: | ||
| 1. **te** - the file contains rules describing what the domain can do (labels of the subjects or objects). This file |
There was a problem hiding this comment.
Add full name for each type: te - (type enforcement)
README
Outdated
| 1. **te** - the file contains rules describing what the domain can do (labels of the subjects or objects). This file | ||
| does not say that this process can run another file, it just says that the process labeled A can read the file | ||
| labeled B. | ||
| 2. **fc** - describes the security context (labels) on a file, directory, etc., which will be applied when the policy |
README
Outdated
| command or another command, after that the resource or process's will be labeled with proper context. | ||
|
|
||
| **It is important** if need to create a new label, then must be create three files **te, fc, if** with the name | ||
| of the label that with which is created. At the same time, the **te** file in which declare a new label type must not |
There was a problem hiding this comment.
The te file that declares (or in which the new label is declared) should not be empty whereas fc, if files can be empty,
README
Outdated
| of the label that with which is created. At the same time, the **te** file in which declare a new label type must not | ||
| be empty, the **fc, if** files can be empty. | ||
|
|
||
| Sometimes in the logs contains denials security policies, but which may not be very critical, for example, get the |
There was a problem hiding this comment.
Sometimes, logs may contain denials security policies that are not very critical, for example, getting... or reading- Need to be restructured: for example, ... , for example.
README
Outdated
|
|
||
| Sometimes in the logs contains denials security policies, but which may not be very critical, for example, get the | ||
| file attribute or read a file that may not affect the system, for example, when login into the system, being created | ||
| policies to denial write to the system log |
README
Outdated
| scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 | ||
| tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=0 | ||
| ``` | ||
| For these denials **not need to add rules** to the refpolicy if it is not necessary. |
There was a problem hiding this comment.
no need to add rules or rules may not be added
README
Outdated
| For these denials **not need to add rules** to the refpolicy if it is not necessary. | ||
|
|
||
| After the corresponding security policy is added, it is necessary to build the refpolicy again through yocto. | ||
| To find interest a custom module with the **pp** extension and install it on the system without reinstalling |
There was a problem hiding this comment.
Unclear sentence, please rephrase.
There was a problem hiding this comment.
Removed this sentence as it is incorrect in our context
Fixes:
avc: denied { write } for pid=165 comm="systemd-journal"
name="syslog" dev="tmpfs" ino=545 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file permissive=0
Signed-off-by: Yi Zhao <[email protected]>
* Add dac_read_search capability to radiusd_t
* Add getcap to radiusd_t process
Fixes:
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1
avc: denied { getcap } for pid=473 comm="radiusd"
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=process permissive=1
Signed-off-by: Yi Zhao <[email protected]>
MykolaSolyanko
force-pushed
the
refpolicy_aos_vm
branch
from
3c646a1
to
b0b942b
Compare
radius: fixes for freeradius
logging: allow systemd-journal to write syslogd_runtime_t sock_file
Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1664829990.107:8051): avc: denied { chown } for pid=3709 comm="chgrp" capability=0 scontext=toor_u:sysadm_r:fagenrules_t:s0 tcontext=sysadm_u:sysadm_r:fagenrules_t:s0 tclass=capability permissive=0
Signed-off-by: Dave Sugar <[email protected]>
Signed-off-by: Dave Sugar <[email protected]>
Fapolicyd fixes
chpasswd is installed to /usr/bin in Gentoo. Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
The git binary and its subcommands are hardlinks that live in /usr/bin and /usr/libexec/git-core. Add a file context to encompass all these binaries. This also fixes conflicting type specifications. Signed-off-by: Kenton Groombridge <[email protected]>
mount.nfs will attempt to start the rpc-statd.service unit but will fall back to executing start-statd directly. Dontaudit attempts to start the unit and perform a domain transition to start-statd from mount. Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Mykola Solianko <[email protected]>
MykolaSolyanko
force-pushed
the
refpolicy_aos_vm
branch
from
d7e5ed4
to
5711830
Compare
Signed-off-by: Mykola Solianko <[email protected]>
MykolaSolyanko
force-pushed
the
refpolicy_aos_vm
branch
from
024c902
to
097873b
Compare
Signed-off-by: Mykola Solianko <[email protected]>
MykolaSolyanko
force-pushed
the
refpolicy_aos_vm
branch
from
097873b
to
9b81e58
Compare
MykolaSolyanko
force-pushed
the
refpolicy_aos_vm
branch
21 times, most recently
from
a7e5fe0
to
cdbadaa
Compare
Signed-off-by: Mykola Solianko <[email protected]>
MykolaSolyanko
force-pushed
the
refpolicy_aos_vm
branch
from
cdbadaa
to
a49fd8c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.