Refpolicy aos vm #2
README
## How to work with SELinux
### Introduction

To be able to add and change the SELinux policy, you need to clone the repository with refpolicy, and make changes with a separate commit.
Please write the instructions in indirect form (without "you"),
e.g.
To add and change the SELinux policy, the repository with refpolicy should be cloned and changes are done with a separate commit.
Done
README

Refpolicy contains the following file types:
1. **te** - the file contains rules describing what the domain can do (labels of the subjects or objects). This file does not say that this process can run another file, it just says that the process labeled A can read the file labeled B.
2. **fc** - describes the security context (labels) on a file, directory, etc., which will be applied when the policy is install. By default, directories or files inherit the context of their parents, but you can manually set the desired context through this file
but the desired context could be manually set using this file
Done
README
Refpolicy contains the following file types:
1. **te** - the file contains rules describing what the domain can do (labels of the subjects or objects). This file does not say that this process can run another file, it just says that the process labeled A can read the file labeled B.
2. **fc** - describes the security context (labels) on a file, directory, etc., which will be applied when the policy is install. By default, directories or files inherit the context of their parents, but you can manually set the desired context through this file
3. **if** - the interface file creates the macros that other modules will use to gain access to my resources.
to the resources
Done
README
- **name** - name of the target
- can contained **path** - path to the object (target) the process attempted to access.

Next we need to analyze the received log and find the corresponding **te** file by **scontext**, for example, for **dnsmasq_t** there is a corresponding **dnsmasq.te** file and in this file you need to add a rule that allows **scontext** to access **tcontext**.
The next step is to analyze ... dnsmasq.te file and in this file rule that allows scontext to access tcontext should be added.
Done
Branch force-pushed: d8ba020 to 182a572
policy/modules/kernel/files.if
@@ -5834,6 +5834,7 @@ interface(`files_dontaudit_rw_var_files',` | |||
dontaudit $1 var_t:file rw_file_perms; | |||
') | |||
|
|||
|
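Review bot: the only change in this hunk is a blank line added after the closing `')` of `files_dontaudit_rw_var_files`, a whitespace-only edit with no relation to the /var/run or efivars access this series is meant to grant; drop it so the diff stays limited to the policy change being reviewed.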
Not relevant change.
Done
@@ -6047,6 +6048,24 @@ interface(`files_manage_var_lib_dirs',` | |||
allow $1 var_lib_t:dir manage_dir_perms; | |||
') | |||
|
|||
######################################## |
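Review bot: the hunk header announces 24 added lines after `files_manage_var_lib_dirs`, but the excerpt stops at the opening `########################################` banner, so the new interface's summary block, name and parameters cannot be checked from what is shown; from the discussion it bundles access to /var/run with access to efivars, which belong in separate interfaces (and separate commits) so that a platform without EFI, such as a u-boot board, can drop the efivars grant without losing the runtime-directory one. Each new interface should also carry the `## <summary>` and `## <param name="domain">` doc comment block that refpolicy uses to generate its interface documentation, matching the surrounding interfaces in files.if.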
It would be nice to have these in separate commits:
- provide access for /var/run
- provide access for efivars
In this case, it would be easier to apply the policies to a new platform. For example, for u-boot devices we should remove efivar access.
Done. Split into several commits.
README

Each process or resource (file, dir etc.) has a label (type) that describes what can be accessed.

SELinux considers subject-access-object rule set. On a Linux system, subjects are processes, and object is the resource on which an action applies.
Could you use a maximum line length of 120?
Done
Branch force-pushed: b4e28ed to 3c646a1
README
## How to work with SELinux
### Introduction

To add and change the SELinux policy, the repository with refpolicy, and make changes with
Looks like something is missing in this sentence.
Remove this sentence
README
Each process or resource (file, dir etc.) has a label (type) that describes what can be accessed.

SELinux considers subject-access-object rule set. On a Linux system, subjects are processes, and object is the resource
on which an action applies.
is applied
Done
README
does not say that this process can run another file, it just says that the process labeled A can read the file
labeled B.
2. **fc** - describes the security context (labels) on a file, directory, etc., which will be applied when the policy
is install. By default, directories or files inherit the context of their parents, but the desired context could
is installed
Done
README
on which an action applies.

Refpolicy contains the following file types:
1. **te** - the file contains rules describing what the domain can do (labels of the subjects or objects). This file
Add the full name for each type: te (type enforcement)
Done
README
1. **te** - the file contains rules describing what the domain can do (labels of the subjects or objects). This file
does not say that this process can run another file, it just says that the process labeled A can read the file
labeled B.
2. **fc** - describes the security context (labels) on a file, directory, etc., which will be applied when the policy
fc (file context)
Done
README
command or another command, after that the resource or process's will be labeled with proper context.

**It is important** if need to create a new label, then must be create three files **te, fc, if** with the name
of the label that with which is created. At the same time, the **te** file in which declare a new label type must not
The te file that declares the new label (or in which the new label is declared) should not be empty, whereas the fc and if files can be empty.
Done
README
of the label that with which is created. At the same time, the **te** file in which declare a new label type must not
be empty, the **fc, if** files can be empty.

Sometimes in the logs contains denials security policies, but which may not be very critical, for example, get the
Sometimes, logs may contain denials security policies that are not very critical, for example, getting... or reading
- Need to be restructured: for example, ... , for example.
Done
README

Sometimes in the logs contains denials security policies, but which may not be very critical, for example, get the
file attribute or read a file that may not affect the system, for example, when login into the system, being created
policies to denial write to the system log
log:
Done
README
```
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=0
```
For these denials **not need to add rules** to the refpolicy if it is not necessary.
no need to add rules
or rules may not be added
Done
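The README threads above describe the manual workflow: read the AVC denial, take the type out of **scontext** to find the owning **te** file, and add a rule granting **scontext** the denied permission on **tcontext**, unless the denial is noise that needs no rule. The script below is an added example (not code from this PR, the README, or refpolicy) that does the mechanical part of that workflow the way `audit2allow` does: it parses AVC lines into their fields, merges denials into one candidate `allow` rule per source type, target type and class, and applies the README's `dnsmasq_t` to `dnsmasq.te` naming heuristic. The first three sample lines are copied from this PR; the fourth is constructed for the example, and all function names are the example's own.

```python
import re
from collections import defaultdict

# Denial lines in the form SELinux writes to the audit log / dmesg. The first
# three are quoted from this PR (commit messages and README excerpt); the
# last one is CONSTRUCTED for this example to show a denial carrying path=.
SAMPLE_AVC_LINES = [
    'avc: denied { write } for pid=165 comm="systemd-journal" name="syslog" dev="tmpfs" ino=545 '
    'scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:syslogd_runtime_t '
    'tclass=sock_file permissive=0',
    'avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2 '
    'scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t '
    'tclass=capability permissive=1',
    'avc: denied { getcap } for pid=473 comm="radiusd" '
    'scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t '
    'tclass=process permissive=1',
    # constructed line (not from the page)
    'type=AVC msg=audit(1700000000.000:1): avc: denied { read open } for pid=900 comm="dnsmasq" '
    'path="/etc/hosts" dev="vda1" ino=4321 scontext=system_u:system_r:dnsmasq_t:s0 '
    'tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext', ''),
        'tcontext': fields.get('tcontext', ''),
        'tclass': fields.get('tclass', ''),
        # permissive=1: the access went through and was only logged, so the log
        # holds every denial on that code path; permissive=0: the process was
        # stopped here, so later denials on the same path are not visible yet.
        'permissive': fields.get('permissive') == '1',
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'path': fields.get('path'),
    }
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def suggested_te_file(stype):
    """The README's heuristic: dnsmasq_t -> dnsmasq.te. It is only a naming
    convention (local_login_t, for instance, is declared in locallogin.te),
    so confirm with: grep -rl 'type <stype>' policy/modules"""
    return stype[:-2] + '.te' if stype.endswith('_t') else stype + '.te'


def allow_rules(records):
    """Merge denials into one candidate rule per (source type, target type,
    class), as audit2allow does. A target other than self may be a type owned
    by another module; refpolicy convention is then to call an interface from
    that module's .if file instead of naming the type in the source's .te."""
    grouped = defaultdict(set)
    for r in records:
        if r is not None:
            grouped[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    out = []
    for (s, t, c), perms in sorted(grouped.items()):
        target = 'self' if s == t else t
        p = ' '.join(sorted(perms))
        rule = f'allow {s} {target}:{c} {{ {p} }};' if len(perms) > 1 else f'allow {s} {target}:{c} {p};'
        out.append({'rule': rule, 'te_file': suggested_te_file(s), 'target_is_self': target == 'self'})
    return out


if __name__ == '__main__':
    for entry in allow_rules([parse_avc(l) for l in SAMPLE_AVC_LINES]):
        where = entry['te_file'] if entry['target_is_self'] else entry['te_file'] + ' (check owner of target type)'
        print(f"{entry['rule']:58s} # {where}")
```

The generated lines are candidates, not the finished change: for the `syslogd_t` denial the rule lands in the logging module where both types live, but a rule such as the constructed `dnsmasq_t` one touches a type declared by another module and should be expressed through that module's interface, which also pulls the type in with `gen_require` in a modular build. For denials the README says need no rule, such as the login-time write to the syslog socket, a `dontaudit` with the same subject, target and class silences the log entry without granting the access.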
README
For these denials **not need to add rules** to the refpolicy if it is not necessary.

After the corresponding security policy is added, it is necessary to build the refpolicy again through yocto.
To find interest a custom module with the **pp** extension and install it on the system without reinstalling
Unclear sentence, please rephrase.
Removed this sentence as it is incorrect in our context
Fixes:
avc: denied { write } for pid=165 comm="systemd-journal" name="syslog" dev="tmpfs" ino=545 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file permissive=0

Signed-off-by: Yi Zhao <[email protected]>
* Add dac_read_search capability to radiusd_t
* Add getcap to radiusd_t process

Fixes:
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2 scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1
avc: denied { getcap } for pid=473 comm="radiusd" scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t tclass=process permissive=1

Signed-off-by: Yi Zhao <[email protected]>
Branch force-pushed: 3c646a1 to b0b942b
radius: fixes for freeradius
logging: allow systemd-journal to write syslogd_runtime_t sock_file
Signed-off-by: Dave Sugar <[email protected]>
node=localhost type=AVC msg=audit(1664829990.107:8051): avc: denied { chown } for pid=3709 comm="chgrp" capability=0 scontext=toor_u:sysadm_r:fagenrules_t:s0 tcontext=sysadm_u:sysadm_r:fagenrules_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <[email protected]>
Signed-off-by: Dave Sugar <[email protected]>
Fapolicyd fixes
chpasswd is installed to /usr/bin in Gentoo.

Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
The git binary and its subcommands are hardlinks that live in /usr/bin and /usr/libexec/git-core. Add a file context to encompass all these binaries. This also fixes conflicting type specifications.

Signed-off-by: Kenton Groombridge <[email protected]>

mount.nfs will attempt to start the rpc-statd.service unit but will fall back to executing start-statd directly. Dontaudit attempts to start the unit and perform a domain transition to start-statd from mount.

Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Mykola Solianko <[email protected]>
Branch force-pushed: d7e5ed4 to 5711830
Signed-off-by: Mykola Solianko <[email protected]>
Branch force-pushed: 024c902 to 097873b
Signed-off-by: Mykola Solianko <[email protected]>
Branch force-pushed: 097873b to 9b81e58
Branch force-pushed: a7e5fe0 to cdbadaa
Signed-off-by: Mykola Solianko <[email protected]>
Branch force-pushed: cdbadaa to a49fd8c