prohibit unconfined SELinux user (root) to install policy to a system
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
I am trying to write a SELinux policy which after its installation will prohibit for a unconfined (or another, which can be chosen) user any subsequent SELinux policy installation.
It seems that there are few ways to do this:
- prohibit the use of semodule so the user won't be able to install any policy. semodule has "semanage_exec_t" SELinux type. I am using object domain transition here.
- with the use of SELinux security class.
As for the 1st conclusion i am trying to use "domain_auto_trans" macro but this macro doesn't work for policyversion below 25. I have 24. Although i was able to check it on policyversion 28 and it worked as needed.
by the way it looks like this
policy_module(semanage_access_deny_label_B, 1.0.0)
require
type unconfined_t, semanage_exec_t, semanage_t;
role object_r;
domain_auto_trans (unconfined_t, semanage_exec_t semanage_t, user_t);
TE file for the 2nd conclusion looks like this
policy_module(semanage_access_deny, 1.0.0)
require
type unconfined_t;
role object_r;
class security compute_av compute_user compute_relabel
compute_create setenforce check_context load_policy setbool ;
allow unconfined_t self: security compute_user;
neverallow unconfined_t self: security compute_av setenforce check_context load_policy setbool ;
The 1st way works only on the current SELinux version and the 2nd one although being successfully compiled and applied doesn't do what i planned it to do (actually it doesn't do anything at all).
So the question is how to write a policy which after its installation will prohibit any subsequent SELinux policy installation for any chosen users and will work on current and previous SELinux versions?
permissions selinux
migrated from security.stackexchange.com Jun 26 at 8:52
This question came from our site for information security professionals.
add a comment |Â
up vote
2
down vote
favorite
I am trying to write a SELinux policy which after its installation will prohibit for a unconfined (or another, which can be chosen) user any subsequent SELinux policy installation.
It seems that there are few ways to do this:
- prohibit the use of semodule so the user won't be able to install any policy. semodule has "semanage_exec_t" SELinux type. I am using object domain transition here.
- with the use of SELinux security class.
As for the 1st conclusion i am trying to use "domain_auto_trans" macro but this macro doesn't work for policyversion below 25. I have 24. Although i was able to check it on policyversion 28 and it worked as needed.
by the way it looks like this
policy_module(semanage_access_deny_label_B, 1.0.0)
require
type unconfined_t, semanage_exec_t, semanage_t;
role object_r;
domain_auto_trans (unconfined_t, semanage_exec_t semanage_t, user_t);
TE file for the 2nd conclusion looks like this
policy_module(semanage_access_deny, 1.0.0)
require
type unconfined_t;
role object_r;
class security compute_av compute_user compute_relabel
compute_create setenforce check_context load_policy setbool ;
allow unconfined_t self: security compute_user;
neverallow unconfined_t self: security compute_av setenforce check_context load_policy setbool ;
The 1st way works only on the current SELinux version and the 2nd one although being successfully compiled and applied doesn't do what i planned it to do (actually it doesn't do anything at all).
So the question is how to write a policy which after its installation will prohibit any subsequent SELinux policy installation for any chosen users and will work on current and previous SELinux versions?
permissions selinux
migrated from security.stackexchange.com Jun 26 at 8:52
This question came from our site for information security professionals.
add a comment |Â
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I am trying to write a SELinux policy which after its installation will prohibit for a unconfined (or another, which can be chosen) user any subsequent SELinux policy installation.
It seems that there are few ways to do this:
- prohibit the use of semodule so the user won't be able to install any policy. semodule has "semanage_exec_t" SELinux type. I am using object domain transition here.
- with the use of SELinux security class.
As for the 1st conclusion i am trying to use "domain_auto_trans" macro but this macro doesn't work for policyversion below 25. I have 24. Although i was able to check it on policyversion 28 and it worked as needed.
by the way it looks like this
policy_module(semanage_access_deny_label_B, 1.0.0)
require
type unconfined_t, semanage_exec_t, semanage_t;
role object_r;
domain_auto_trans (unconfined_t, semanage_exec_t semanage_t, user_t);
TE file for the 2nd conclusion looks like this
policy_module(semanage_access_deny, 1.0.0)
require
type unconfined_t;
role object_r;
class security compute_av compute_user compute_relabel
compute_create setenforce check_context load_policy setbool ;
allow unconfined_t self: security compute_user;
neverallow unconfined_t self: security compute_av setenforce check_context load_policy setbool ;
The 1st way works only on the current SELinux version and the 2nd one although being successfully compiled and applied doesn't do what i planned it to do (actually it doesn't do anything at all).
So the question is how to write a policy which after its installation will prohibit any subsequent SELinux policy installation for any chosen users and will work on current and previous SELinux versions?
permissions selinux
I am trying to write a SELinux policy which after its installation will prohibit for a unconfined (or another, which can be chosen) user any subsequent SELinux policy installation.
It seems that there are few ways to do this:
- prohibit the use of semodule so the user won't be able to install any policy. semodule has "semanage_exec_t" SELinux type. I am using object domain transition here.
- with the use of SELinux security class.
As for the 1st conclusion i am trying to use "domain_auto_trans" macro but this macro doesn't work for policyversion below 25. I have 24. Although i was able to check it on policyversion 28 and it worked as needed.
by the way it looks like this
policy_module(semanage_access_deny_label_B, 1.0.0)
require
type unconfined_t, semanage_exec_t, semanage_t;
role object_r;
domain_auto_trans (unconfined_t, semanage_exec_t semanage_t, user_t);
TE file for the 2nd conclusion looks like this
policy_module(semanage_access_deny, 1.0.0)
require
type unconfined_t;
role object_r;
class security compute_av compute_user compute_relabel
compute_create setenforce check_context load_policy setbool ;
allow unconfined_t self: security compute_user;
neverallow unconfined_t self: security compute_av setenforce check_context load_policy setbool ;
The 1st way works only on the current SELinux version and the 2nd one although being successfully compiled and applied doesn't do what i planned it to do (actually it doesn't do anything at all).
So the question is how to write a policy which after its installation will prohibit any subsequent SELinux policy installation for any chosen users and will work on current and previous SELinux versions?
permissions selinux
asked Jun 26 at 7:50
Dmitriy Kormulev
113
113
migrated from security.stackexchange.com Jun 26 at 8:52
This question came from our site for information security professionals.
migrated from security.stackexchange.com Jun 26 at 8:52
This question came from our site for information security professionals.
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
0
down vote
Your first module has a problem: root user in unconfined_t still has the permissions and rules in place allowing selinux policy modifications. Your custom policy only applies new automatic transitions for semanage_exec_t to user_t. Process in user_t domain can't modify the policy, hence semodule
, semanage
, etc. fail. However, any program in unconfied domain could still modify the policy. Also, root could just relabel those semanage_exec_t labeled binaries to any unconfined type to run them.
Your second policy module doesn't do anything, because neverallow rules are compiler-checked and do not result in any rules in compiled policy. You can not use neverallow to remove/blacklist rules already included in loaded policy (and there isn't a deny statement in SELinux policy language which you could use in such fashion).
Policy compilation should issue error and fail if there are conflicting allow and neverallow rules. According to documentation, neverallow rules can be used in policy modules, but for the checks to be effective expand-check
must be set to 1 in semanage.conf
(possibly the reason why your module compiled successfully).
Some ways to approach your problem for preventing modifications to loaded SELinux policy:
Use
secure_mode_policyload
boolean:
Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.
Similarly
secure_mode_insmod
boolean will prevent loading additional kernel modules. These booleans can not be turned off on running system, once turned on (reboot required to turn off).Configure users to more confined domains (such as user_t), which doesn't allow modifying loaded policy. Switching to root with
su
/sudo
will not elevate to more privledged SELinux user and keeps the same SELinux enforced restrictions in place.Create your own SELinux user. You could base it on a SELinux user provided by your distribution (download your distribution's policy sources). You probably should consider using some confined user as template instead of unconfined user and only add permissions you need to allow to avoid granting overly broad permissions.
Also, if you only need to grant some limited access (transitions/rules), you could write a policy module granting the necessary access to the limited user.
add a comment |Â
up vote
0
down vote
When it comes down to "installing" new policy it boils down to restricting access to who can "write" and "relabelto" /etc/selinux/TYPE/policy/policy.* files.
Determine the type of that target. Use the SELinux policy analysis suite to determine what can "write" and "relabelto" that type of file. Then make sure that whatever process you do not want to be able to install policy does not have that access (directly or indirectly) to that type of file.
In addition, you probably also want to make sure that any processes that you do not want to be able to install policy do not have access to "security setenforce", and do not have physical access. Because otherwise these processes could just go around SELinux.
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
Your first module has a problem: root user in unconfined_t still has the permissions and rules in place allowing selinux policy modifications. Your custom policy only applies new automatic transitions for semanage_exec_t to user_t. Process in user_t domain can't modify the policy, hence semodule
, semanage
, etc. fail. However, any program in unconfied domain could still modify the policy. Also, root could just relabel those semanage_exec_t labeled binaries to any unconfined type to run them.
Your second policy module doesn't do anything, because neverallow rules are compiler-checked and do not result in any rules in compiled policy. You can not use neverallow to remove/blacklist rules already included in loaded policy (and there isn't a deny statement in SELinux policy language which you could use in such fashion).
Policy compilation should issue error and fail if there are conflicting allow and neverallow rules. According to documentation, neverallow rules can be used in policy modules, but for the checks to be effective expand-check
must be set to 1 in semanage.conf
(possibly the reason why your module compiled successfully).
Some ways to approach your problem for preventing modifications to loaded SELinux policy:
Use
secure_mode_policyload
boolean:
Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.
Similarly
secure_mode_insmod
boolean will prevent loading additional kernel modules. These booleans can not be turned off on running system, once turned on (reboot required to turn off).Configure users to more confined domains (such as user_t), which doesn't allow modifying loaded policy. Switching to root with
su
/sudo
will not elevate to more privledged SELinux user and keeps the same SELinux enforced restrictions in place.Create your own SELinux user. You could base it on a SELinux user provided by your distribution (download your distribution's policy sources). You probably should consider using some confined user as template instead of unconfined user and only add permissions you need to allow to avoid granting overly broad permissions.
Also, if you only need to grant some limited access (transitions/rules), you could write a policy module granting the necessary access to the limited user.
add a comment |Â
up vote
0
down vote
Your first module has a problem: root user in unconfined_t still has the permissions and rules in place allowing selinux policy modifications. Your custom policy only applies new automatic transitions for semanage_exec_t to user_t. Process in user_t domain can't modify the policy, hence semodule
, semanage
, etc. fail. However, any program in unconfied domain could still modify the policy. Also, root could just relabel those semanage_exec_t labeled binaries to any unconfined type to run them.
Your second policy module doesn't do anything, because neverallow rules are compiler-checked and do not result in any rules in compiled policy. You can not use neverallow to remove/blacklist rules already included in loaded policy (and there isn't a deny statement in SELinux policy language which you could use in such fashion).
Policy compilation should issue error and fail if there are conflicting allow and neverallow rules. According to documentation, neverallow rules can be used in policy modules, but for the checks to be effective expand-check
must be set to 1 in semanage.conf
(possibly the reason why your module compiled successfully).
Some ways to approach your problem for preventing modifications to loaded SELinux policy:
Use
secure_mode_policyload
boolean:
Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.
Similarly
secure_mode_insmod
boolean will prevent loading additional kernel modules. These booleans can not be turned off on running system, once turned on (reboot required to turn off).Configure users to more confined domains (such as user_t), which doesn't allow modifying loaded policy. Switching to root with
su
/sudo
will not elevate to more privledged SELinux user and keeps the same SELinux enforced restrictions in place.Create your own SELinux user. You could base it on a SELinux user provided by your distribution (download your distribution's policy sources). You probably should consider using some confined user as template instead of unconfined user and only add permissions you need to allow to avoid granting overly broad permissions.
Also, if you only need to grant some limited access (transitions/rules), you could write a policy module granting the necessary access to the limited user.
add a comment |Â
up vote
0
down vote
up vote
0
down vote
Your first module has a problem: root user in unconfined_t still has the permissions and rules in place allowing selinux policy modifications. Your custom policy only applies new automatic transitions for semanage_exec_t to user_t. Process in user_t domain can't modify the policy, hence semodule
, semanage
, etc. fail. However, any program in unconfied domain could still modify the policy. Also, root could just relabel those semanage_exec_t labeled binaries to any unconfined type to run them.
Your second policy module doesn't do anything, because neverallow rules are compiler-checked and do not result in any rules in compiled policy. You can not use neverallow to remove/blacklist rules already included in loaded policy (and there isn't a deny statement in SELinux policy language which you could use in such fashion).
Policy compilation should issue error and fail if there are conflicting allow and neverallow rules. According to documentation, neverallow rules can be used in policy modules, but for the checks to be effective expand-check
must be set to 1 in semanage.conf
(possibly the reason why your module compiled successfully).
Some ways to approach your problem for preventing modifications to loaded SELinux policy:
Use
secure_mode_policyload
boolean:
Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.
Similarly
secure_mode_insmod
boolean will prevent loading additional kernel modules. These booleans can not be turned off on running system, once turned on (reboot required to turn off).Configure users to more confined domains (such as user_t), which doesn't allow modifying loaded policy. Switching to root with
su
/sudo
will not elevate to more privledged SELinux user and keeps the same SELinux enforced restrictions in place.Create your own SELinux user. You could base it on a SELinux user provided by your distribution (download your distribution's policy sources). You probably should consider using some confined user as template instead of unconfined user and only add permissions you need to allow to avoid granting overly broad permissions.
Also, if you only need to grant some limited access (transitions/rules), you could write a policy module granting the necessary access to the limited user.
Your first module has a problem: root user in unconfined_t still has the permissions and rules in place allowing selinux policy modifications. Your custom policy only applies new automatic transitions for semanage_exec_t to user_t. Process in user_t domain can't modify the policy, hence semodule
, semanage
, etc. fail. However, any program in unconfied domain could still modify the policy. Also, root could just relabel those semanage_exec_t labeled binaries to any unconfined type to run them.
Your second policy module doesn't do anything, because neverallow rules are compiler-checked and do not result in any rules in compiled policy. You can not use neverallow to remove/blacklist rules already included in loaded policy (and there isn't a deny statement in SELinux policy language which you could use in such fashion).
Policy compilation should issue error and fail if there are conflicting allow and neverallow rules. According to documentation, neverallow rules can be used in policy modules, but for the checks to be effective expand-check
must be set to 1 in semanage.conf
(possibly the reason why your module compiled successfully).
Some ways to approach your problem for preventing modifications to loaded SELinux policy:
Use
secure_mode_policyload
boolean:
Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values.
Similarly
secure_mode_insmod
boolean will prevent loading additional kernel modules. These booleans can not be turned off on running system, once turned on (reboot required to turn off).Configure users to more confined domains (such as user_t), which doesn't allow modifying loaded policy. Switching to root with
su
/sudo
will not elevate to more privledged SELinux user and keeps the same SELinux enforced restrictions in place.Create your own SELinux user. You could base it on a SELinux user provided by your distribution (download your distribution's policy sources). You probably should consider using some confined user as template instead of unconfined user and only add permissions you need to allow to avoid granting overly broad permissions.
Also, if you only need to grant some limited access (transitions/rules), you could write a policy module granting the necessary access to the limited user.
edited Jun 26 at 13:14
answered Jun 26 at 11:34
sebasth
5,78221640
5,78221640
add a comment |Â
add a comment |Â
up vote
0
down vote
When it comes down to "installing" new policy it boils down to restricting access to who can "write" and "relabelto" /etc/selinux/TYPE/policy/policy.* files.
Determine the type of that target. Use the SELinux policy analysis suite to determine what can "write" and "relabelto" that type of file. Then make sure that whatever process you do not want to be able to install policy does not have that access (directly or indirectly) to that type of file.
In addition, you probably also want to make sure that any processes that you do not want to be able to install policy do not have access to "security setenforce", and do not have physical access. Because otherwise these processes could just go around SELinux.
add a comment |Â
up vote
0
down vote
When it comes down to "installing" new policy it boils down to restricting access to who can "write" and "relabelto" /etc/selinux/TYPE/policy/policy.* files.
Determine the type of that target. Use the SELinux policy analysis suite to determine what can "write" and "relabelto" that type of file. Then make sure that whatever process you do not want to be able to install policy does not have that access (directly or indirectly) to that type of file.
In addition, you probably also want to make sure that any processes that you do not want to be able to install policy do not have access to "security setenforce", and do not have physical access. Because otherwise these processes could just go around SELinux.
add a comment |Â
up vote
0
down vote
up vote
0
down vote
When it comes down to "installing" new policy it boils down to restricting access to who can "write" and "relabelto" /etc/selinux/TYPE/policy/policy.* files.
Determine the type of that target. Use the SELinux policy analysis suite to determine what can "write" and "relabelto" that type of file. Then make sure that whatever process you do not want to be able to install policy does not have that access (directly or indirectly) to that type of file.
In addition, you probably also want to make sure that any processes that you do not want to be able to install policy do not have access to "security setenforce", and do not have physical access. Because otherwise these processes could just go around SELinux.
When it comes down to "installing" new policy it boils down to restricting access to who can "write" and "relabelto" /etc/selinux/TYPE/policy/policy.* files.
Determine the type of that target. Use the SELinux policy analysis suite to determine what can "write" and "relabelto" that type of file. Then make sure that whatever process you do not want to be able to install policy does not have that access (directly or indirectly) to that type of file.
In addition, you probably also want to make sure that any processes that you do not want to be able to install policy do not have access to "security setenforce", and do not have physical access. Because otherwise these processes could just go around SELinux.
answered Jun 26 at 15:33
dac.override
1
1
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f451961%2fprohibit-unconfined-selinux-user-root-to-install-policy-to-a-system%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password