diff options
author | Chris PeBenito <chpebeni@linux.microsoft.com> | 2024-02-23 16:12:25 -0500 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:41:20 -0400 |
commit | 88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4 (patch) | |
tree | 28ed0a077300ee599626549d7fdd3e64d8463a65 /testing | |
parent | cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type. (diff) | |
download | hardened-refpolicy-88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4.tar.gz hardened-refpolicy-88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4.tar.bz2 hardened-refpolicy-88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4.zip |
tests.yml: Add sechecker testing.
Add initial privilege and integrity tests.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'testing')
-rw-r--r-- | testing/sechecker.ini | 401 |
1 files changed, 401 insertions, 0 deletions
diff --git a/testing/sechecker.ini b/testing/sechecker.ini new file mode 100644 index 000000000..b873b94ec --- /dev/null +++ b/testing/sechecker.ini @@ -0,0 +1,401 @@ +# +# SELinux Reference policy validation checks +# +# Note to users: This file is a good starting point for tightening your own +# policy. However, these checks are for the entire Reference Policy, i.e., +# all modules are included in the policy. If you are using a subset of the +# modules, the best starting place is to review each of the checks and remove +# the types in the exempt lists that are not in your policy. Types that are +# in these lists but not in your policy will *NOT* cause sechecker to fail. +# +# Note to developers: In general, please avoid using attributes in the +# exempt lists. This will make it less likely for unexpected types to pass. +# + +[PRIVILEGE-load_policy] +check_type = assert_te +desc = Verify only the load_policy program can load a SELinux policy update. +tclass = security +perms = load_policy +exempt_source = kernel_t # Kernel thread loading policy at boot + load_policy_t # SELinux policy loading tool + +[PRIVILEGE-setbool] +check_type = assert_te +desc = Verify SELinux Booleans can be changed only by expected domains. +tclass = security +perms = setbool +exempt_source = cloud_init_t # VM configuration on initial boot + init_t + load_policy_t # Persist Boolean state across policy loads + puppet_t # Puppet can configure Booleans + secadm_t # Security admin role + semanage_t # SELinux management tool, including Booleans + sysadm_t # System admin role + +[PRIVILEGE-setenforce] +check_type = assert_te +desc = Verify only expected domains can change SELinux to permissive mode. +tclass = security +perms = setenforce +exempt_source = cloud_init_t # VM configuration on initial boot + secadm_t # Security admin role + sysadm_t # System admin role + +[PRIVILEGE-CAP_SYS_MODULE] +check_type = assert_te +desc = Verify only expected domains have CAP_SYS_MODULE (kernel module capability) +tclass = capability +perms = sys_module +exempt_source = init_t + kernel_t + kmod_t + spc_t + systemd_modules_load_t + udev_t + +[PRIVILEGE-module_load] +check_type = assert_te +desc = Verify only expected domains can directly load kernel modules +tclass = system +perms = module_load +# This list should match the above PRIVILEGE-CAP_SYS_MODULE exempt_source list. +exempt_source = init_t + kernel_t + kmod_t + spc_t + systemd_modules_load_t + udev_t + +[PRIVILEGE-CAP_SYS_ADMIN] +check_type = assert_te +desc = Verify only expected domains have CAP_SYS_ADMIN +tclass = capability +perms = sys_admin +# CAP_SYS_ADMIN is a kitchen sink of privileges, which means many privileged domains need it. +exempt_source = acpi_t + acpid_t + afs_t + auditadm_sudo_t # Conditional access (allow_polyinstantiation) + automount_t + bluetooth_t + bootloader_t # Install bootloader + cachefilesd_t + cgclear_t # Move processes out of cgroups + cgconfig_t # Configure cgroups + cgmanager_t # Container cgroup manager + cgred_t # Move processes to cgroups based on configurable rules + chromium_sandbox_t + cockpit_session_t + container_engine_t + consoletype_t + container_t # Conditional access (container_use_sysadmin or container_use_host_all_caps) + corosync_t + crio_t + crond_t # Conditional access (allow_polyinstantiation) + cryfs_t + cupsd_t + devicekit_disk_t + devicekit_power_t + disk_munin_plugin_t + dmesg_t # Clear kernel printk buffer/set kernel log level + dockerd_t # Container engine (namespacing) + dockerd_user_t # Container engine (namespacing) + dphysswapfile_t # Configure swap files + entropyd_t # Add entropy to the system + fapolicyd_t + fsadm_t + fsdaemon_t + ftpd_t + getty_t # Configure tty devices + glusterd_t + gpm_t + hostname_t # Set hostname + hypervvssd_t + ifconfig_t + init_t + initrc_t + iscsid_t + kdump_t + kernel_t # Kernel threads have all caps + klogd_t + kubeadm_t + lircd_t + local_login_t # Conditional access (allow_polyinstantiation) + lvm_t # Configure logical volumes + mcelog_t # Decode and log CPU machine check exceptions + mdadm_t # Configure software RAID + modemmanager_t + mon_local_test_t + mount_t # (un)mount filesystems + nagios_checkdisk_plugin_t + newrole_t # Conditional access (allow_polyinstantiation) + nfsd_t + ntop_t + plymouthd_t + podman_t + podman_user_t + postgresql_t + pppd_t + quota_t # Configure filesystem quotas + remote_login_t # Conditional access (allow_polyinstantiation) + resmgrd_t + rlogind_t # Conditional access (allow_polyinstantiation) + rngd_t + rootlesskit_t # Container engine (namespacing) + rpcd_t + rpm_script_t # Package manager post-install scripts + rshd_t # Conditional access (allow_polyinstantiation) + secadm_sudo_t # Conditional access (allow_polyinstantiation) + seunshare_t # Create new flesystem namespaces + shorewall_t + smbd_t + smbmount_t # Mount SMB and CIFS filesystems + sosreport_t + spc_t + sshd_t # Conditional access (allow_polyinstantiation) + sssd_t + staff_sudo_t # Conditional access (allow_polyinstantiation) + sulogin_t + sysadm_t # System admin role + sysadm_sudo_t # Conditional access (allow_polyinstantiation) + syslogd_t + sysstat_t + systemd_generator_t + systemd_homework_t # Mount home directory images + systemd_hostnamed_t # Set hostname + systemd_logind_t + systemd_machine_id_setup_t + systemd_nspawn_t + systemd_sysctl_t + systemd_tmpfiles_t + systemd_user_runtime_dir_t + tuned_t + udev_t + user_sudo_t # Conditional access (allow_polyinstantiation) + vbetool_t + virtd_t # libvirt virtualization manager + virtd_lxc_t # libvirt LXC container engine (namespacing) + vmware_t # VMWare virtualization manager + watchdog_t + xserver_t + zed_t # ZFS events daemon (filesystem event monitoring) + zfs_t # ZFS filesystem tools + +[PRIVILEGE-CAP_SYS_RAWIO] +check_type = assert_te +desc = Verify only expected domains can use CAP_SYS_RAWIO +tclass = capability +perms = sys_rawio +exempt_source = abrt_t # Conditional access (allow_raw_memory_access) + blkmapd_t + bootloader_t # Install bootloader, raw disk access + cdrecord_t # Burn optical media + container_t # Conditional access (container_use_host_all_caps) + cpucontrol_t + cupsd_t + devicekit_disk_t + disk_munin_plugin_t + dmidecode_t + fsadm_t + fsdaemon_t + hddtemp_t + hwclock_t + init_t + initrc_t + kernel_t # Kernel threads have all caps + kdump_t + klogd_t # Conditional access (allow_raw_memory_access) + lvm_t + mcelog_t # Conditional access (allow_raw_memory_access) + mount_t + munin_t + nagios_checkdisk_plugin_t + rasdaemon_t # Monitors ECC errors + resmgrd_t # Device resource manager + rpm_script_t # Package manager post-install scripts + smbmount_t + sosreport_t # Conditional access (allow_raw_memory_access) + spc_t + sysadm_t # System admin role + udev_t + vbetool_t # Conditional access (allow_raw_memory_access) + vmware_t + xdm_t + xserver_t + zfs_t + +[PRIVILEGE-CAP_NET_ADMIN] +check_type = assert_te +desc = Verify only expected domains can use CAP_NET_ADMIN. +tclass = capability +perms = net_admin +exempt_source = arpwatch_t + asterisk_t + avahi_t + bird_t + blueman_t + bluetooth_t + brctl_t + cgred_t + chronyd_t # Conditional access (chronyd_hwtimestamp) + condor_startd_t + container_engine_t + container_t # Conditional access (container_use_host_all_caps) + crio_t + ctdbd_t + devicekit_disk_t + devicekit_power_t + dhcpc_t + dnsmasq_t + dockerd_t + dockerd_user_t + dpkg_script_t + drbd_t + fcoemon_t + firewalld_t + hostapd_t + hypervkvpd_t + hypervvssd_t + ifconfig_t + ifplugd_t + init_t + initrc_t + iodined_t + ipsec_t + ipsec_mgmt_t + ipsec_supervisor_t + iptables_t + iscsid_t + kernel_t + kismet_t + krb5kdc_t + kubeadm_t + kubelet_t + l2tpd_t + lldpad_t + lvm_t + minissdpd_t + modemmanager_t + ncftool_t + ndc_t + netlabel_mgmt_t + netutils_t + NetworkManager_t + nsd_t + ntop_t + openvpn_t + openvswitch_t + pegasus_t + podman_t + podman_user_t + portslave_t + pppd_t + pptp_t + psad_t + racoon_t + radvd_t + rkhunter_t + rootlesskit_t + rpm_script_t + setkey_t + shorewall_t + snmpd_t + snort_t + sosreport_t + spc_t + squid_t # Conditional access (squid_use_tproxy) + sssd_t + sysadm_t + syslogd_t # Conditional network config (logging_syslog_can_network) + system_cronjob_t + system_munin_plugin_t + systemd_cgroups_t + systemd_networkd_t + systemd_nspawn_t + systemd_sysctl_t + systemd_tmpfiles_t + traceroute_t + udev_t + ulogd_t + virt_bridgehelper_t + virtd_t + virtd_lxc_t + vpnc_t + watchdog_t + wireguard_t + wireshark_t + xm_t + zebra_t + +[PRIVILEGE-setcurrent] +check_type = assert_te +desc = Verify only the expected domains can change their process label. +tclass = process +perms = setcurrent +exempt_source = chromium_t # Changes MCS level for each tab + kernel_t # When systemd loads the policy it has the kernel_t label and changes context to init_t + sepgsql_ranged_proc_t # Changes MCS level + +[NONTRANQUILITY-systemd] +check_type = assert_te +desc = Verify dynamic transition allowed by PRIVILEGE-setcurrent test can only + go from kernel_t to init_t (systemd) +source = kernel_t +tclass = process +perms = dyntransition +# kernel_t -> kernel_t and kernel_t -> init_t +exempt_target = init_t kernel_t + +[INTEGRITY-readonly-executables] +check_type = ro_execs +# +# This is an expensive check, but this security goal is important to verify. +# To tighten your policy, first try to remove entries from exempt_file, as it +# is very broad in terms of this check, as the type is simply ignored both for +# write checks and for execute checks. +# +# Next, try to remove entries from exempt_write_domain. These are domains that +# are accepted as able to write executables. +# +# If you don't have unconfined domains, you should remove the +# exempt_exec_domain option. The only purpose for this option is because all +# file types would be considered executable otherwise. +# +# When you have a failure on this test, first verify that the file type is +# supposed to be executable; if not, remove the exec access. If it is supposed +# to be executable, verify domains that have write access are legitimate +# writers. If the access is legitimate, e.g. by a package manager, add the +# domain to exempt_write_domain. If not, remove the write access. +# +desc = Enforce executable files (including libraries) are not writable + except from expected domains, such as package managers. +exempt_file = container_file_t # Container files don't distinguish executables. + container_ro_file_t # Container files don't distinguish executables. + gstreamer_orcexec_t # OIL Runtime Compiler code optimizer is used by pulseaudio + httpd_script_exec_type # Web admin can edit scripts + httpdcontent # Web admin can edit scripts, webalizer output, etc. + noxattrfs # Filesystem does not support xattrs; executable by users, can't distinguish executables + user_home_content_type # User home content, users can install apps in own home, write scripts, etc. JIT compiles, and libFFI use. +exempt_write_domain = cloud_init_t # Can conditionally manage all non-auth files (cloudinit_manage_non_security) + dpkg_t # Package manager + dpkg_script_t # Package manager + gcc_config_t # Gentoo compiler chooser + init_t # Systemd can create file mountpoints + ftpd_t # Can conditionally manage all non-auth files (allow_ftpd_full_access) + kernel_t # Can conditionally manage all non-auth files (nfs_export_all_rw) + nfsd_t # Can conditionally manage all non-auth files (nfs_export_all_rw) + nmbd_t # Can conditionally manage all non-auth files (samba_export_all_rw) + prelink_t # Prelinking executables + portage_t # Package manager + puppet_t # Can conditionally manage all non-auth files (puppet_manage_all_files) + rpm_t # Package manager + rpm_script_t # Package manager + sftpd_t # Can conditionally manage all non-auth files (sftpd_full_access) + smbd_t # Can conditionally manage all non-auth files (samba_export_all_rw) + systemd_tmpfiles_t # Can conditionally manage all non-auth files (systemd_tmpfiles_manage_all) + sysadm_t # Privileged admin domain + files_unconfined_type +# files_unconfined_type: Unconfined; can execute anything; muddies the water on what is +# intended to be executable by constrained domains. +exempt_exec_domain = files_unconfined_type |