From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3319CC4361B for ; Fri, 11 Dec 2020 07:04:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E75CF23F2A for ; Fri, 11 Dec 2020 07:04:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730331AbgLKHDO (ORCPT ); Fri, 11 Dec 2020 02:03:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60536 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725945AbgLKHCr (ORCPT ); Fri, 11 Dec 2020 02:02:47 -0500 Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:140:71f5::dada:cafe]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AD382C0613CF for ; Thu, 10 Dec 2020 23:02:07 -0800 (PST) Received: from liv.coker.com.au (unknown [103.75.204.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id F40A1F87C for ; Fri, 11 Dec 2020 18:02:02 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1607670123; bh=NF6kWrj/4j5tmk8y9QuEB4OQLYk+OG6az/o5mOMMkmY=; l=1099; h=From:To:Subject:Date:From; b=V4LnmK99AK+BtHu8dLhNY+FLiPima7SlC27MHzwUvYFAxKtq6bAWr5d7vGYtLB0qd XBaVhCeqLPoR35zlOUvoGDDEjQwa7xii/YGnbjRYBmQo8VgZbObSgccB8gXLue28iQ 2rXLmhBZvHPyjQJK5pzkXyyVa2jA0yfGEd2vGIpE= From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: lockdown class Date: Fri, 11 Dec 2020 18:01:58 +1100 Message-ID: <2911391.mirxchbQ87@liv> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org allow systemd_modules_load_t systemd_modules_load_t:lockdown integrity; allow udev_t udev_t:lockdown confidentiality; I've seen access that caused the above to be generated from audit2allow. /var/log/audit/audit.log.1:type=AVC msg=audit(1607515838.132:56): avc: denied { confidentiality } for pid=253 comm="systemd-udevd" lockdown_reason="use of tracefs" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lockdown permissive=1 Above is the only log entry I've got for that from my previous testing (I haven't been able to reproduce whatever it was that caused the systemd_modules_load_t to get that audited). https://www.paul-moore.com/blog/d/2020/03/linux_v56.html I've read the above blog post and I'm still not sure exactly how we are to use it. Do I allow this for systemd_modules_load_t because loading modules is an integrity issue? Do I allow it for udev_t because changing device names etc allows universal MITM attacks? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/