data/selinux, tests/main/selinux-clean: fine tune the policy, make sure that no denials are raised #6661

Commits on Mar 28, 2019

  1. tests/main/selinux-clean: keep SELinux denials in check

    Add a spread test to monitor if basic snap management raises any SELinux
    denials.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Mar 28, 2019
    26210a5
  2. tests/main/selinux-clean: install fonts to catch fc-cache invocation …

    …issues
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Mar 28, 2019
    cb17df1
  3. tests/main/selinux-clean: verify that socket activated snaps work

    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Mar 28, 2019
    5fcff49
  4. tests/main/selinux-clean: leave a note about snap logs

    Snap logs will trigger snapd to run journalctl. On a SELinux system, this will
    cause a domain transition to journalctl_t. However, the policy does not allow
    journalctl to poke /proc data of pid 1, thus causing denials to appear in the
    log.
    
    Until this is fixed, all we can do is have a TODO note as a reminder.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Mar 28, 2019
    eb538e9
  5. data/selinux: allow sys_admin for snap-confine

    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Mar 28, 2019
    e7260e3
  6. data/selinux: tune SELinux policy

    - allow snap to exec snap-seccomp (for deriving system-key)
    - allow snap to manage directories/links/files under ~/snap
    - tweak snapd permissions to add/remove links under
      /usr/share/bash-completion/completions (which is of usr_t type)
    - tweak permissions of snap-confine (can do a great deal with tmp_t, but reads
      were not enabled)
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Mar 28, 2019
    261f16f
  7. tests/lib/snaps/socket-activation: create a second socket in a subdir…

    …ectory
    
    Add a second socket to the snap, but this time it should be created in a
    subdirectory. This should help uncover any problems with SELinux policy
    preventing systemd from creating subdirectories under $SNAP_{DATA,COMMON}.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Mar 28, 2019
    f329f05

Commits on Apr 1, 2019

  1. Merge remote-tracking branch 'origin/master' into bboozzoo/selinux-fi…

    …nal-policy-update-clean-test
    bboozzoo committed Apr 1, 2019
    409c4cf

Commits on Apr 2, 2019

  1. data/selinux: update the policy

    - allow managing char files under /var/snap, those could have been created by
      snaps such as lxd
    - allow fowner capability for snapd (snapshots?)
    - allow snap-{update,discard}-ns to read tmpfs symlinks, etc. /etc/os-release
      which is from /etc bind mounted on top of tmpfs
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Apr 2, 2019
    d551851
  2. data/selinux: more policy tweaks

    - allow querying SELinux enforcement mode
    - use proper interfaces to allow service reload/start/stop/enable/disable
    - account for cloud-init instance data access
    - account for /proc/sys/fs/may_detach_mounts probe in sanity
    - allow unlinking incorrectly labeled socket files under /var/snap
    - account for polkit support poking /proc/<pid>/stat of the calling process
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Apr 2, 2019
    ee9b270
  3. data/selinux: final tweak to the policy

    - allow snap-confine to create directories in ~/snap
    - allow dac_override for snap, when running as root
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Apr 2, 2019
    ab234f5
  4. Merge remote-tracking branch 'origin/master' into bboozzoo/selinux-fi…

    …nal-policy-update-clean-test
    bboozzoo committed Apr 2, 2019
    c99d469
  5. tests/main/selinux-clean: execute snap stop/start

    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Apr 2, 2019
    96ddb89

Commits on Apr 5, 2019

  1. tests/main/selinux-clean: correctly SELinux enforcing mode

    Instead of assuming the mode should be permissive, restore to whatever was set
    before the test.
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Apr 5, 2019
    24fbe72
  2. Merge remote-tracking branch 'origin/master' into bboozzoo/selinux-fi…

    …nal-policy-update-clean-test
    bboozzoo committed Apr 5, 2019
    6f500d9

Commits on Apr 11, 2019

  1. Merge remote-tracking branch 'origin/master' into bboozzoo/selinux-fi…

    …nal-policy-update-clean-test
    bboozzoo committed Apr 11, 2019
    4fa2371
  2. data/selinux: account for improved cwd handling in snap-confine

    Services are started with their WorkingDirectory set to $SNAP_DATA. Since
    snap-confine performs more checks on cwd now, we need to account for that in the
    policy.
    
    Relevant SELinux denial:
    type=AVC msg=audit(1554975937.636:129): avc:  denied  { getattr } for  pid=1099
             comm="snap-confine" path="/var/snap/test-snapd-service/x1" dev="vda1"
             ino=393657
             scontext=system_u:system_r:snappy_confine_t:s0
             tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=1
    
    Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
    bboozzoo committed Apr 11, 2019
    d243da7
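
Added illustration, not part of this pull request or of snapd's test suite: a small Python parser for the AVC record quoted in the last commit message. It derives the audit2allow-style rule that the record implies and collects denials the way a "no denials" check would. The function names are hypothetical, and the log sample is constructed from the record above plus one made-up non-AVC line.

```python
import re

# Constructed sample: line 1 is the denial quoted above, joined onto one line;
# line 2 is a made-up non-AVC audit record that must be ignored.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1554975937.636:129): avc:  denied  { getattr } for  '
    'pid=1099 comm="snap-confine" path="/var/snap/test-snapd-service/x1" '
    'dev="vda1" ino=393657 scontext=system_u:system_r:snappy_confine_t:s0 '
    'tcontext=system_u:object_r:snappy_var_t:s0 tclass=dir permissive=1\n'
    'type=SERVICE_START msg=audit(1554975938.001:130): pid=1 res=success\n'
)

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    d["perms"] = m.group("perms").split()
    d["serial"] = int(m.group("serial"))
    # A security context is user:role:type:level; policy rules use the type.
    d["source_type"] = d["scontext"].split(":")[2]
    d["target_type"] = d["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but still allowed to proceed.
    d["blocked"] = d.get("permissive") != "1"
    return d


def suggested_rule(d):
    """Rule implied by the denial; not necessarily what the policy adopted."""
    perms = d["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {perm};"


def find_denials(log_text):
    """Collect every AVC denial in an audit log excerpt."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return [d for d in parsed if d is not None]


if __name__ == "__main__":
    for denial in find_denials(SAMPLE_AUDIT_LOG):
        print(denial["comm"], denial["path"], suggested_rule(denial))
```

A test in the spirit of selinux-clean would fail whenever `find_denials` returns a non-empty list, regardless of whether the denial was enforced or only logged in permissive mode.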