aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris PeBenito <chpebeni@linux.microsoft.com>2024-02-23 16:12:25 -0500
committerKenton Groombridge <concord@gentoo.org>2024-05-14 13:41:20 -0400
commit88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4 (patch)
tree28ed0a077300ee599626549d7fdd3e64d8463a65 /testing
parentcockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type. (diff)
downloadhardened-refpolicy-88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4.tar.gz
hardened-refpolicy-88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4.tar.bz2
hardened-refpolicy-88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4.zip
tests.yml: Add sechecker testing.
Add initial privilege and integrity tests. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'testing')
-rw-r--r--testing/sechecker.ini401
1 files changed, 401 insertions, 0 deletions
diff --git a/testing/sechecker.ini b/testing/sechecker.ini
new file mode 100644
index 000000000..b873b94ec
--- /dev/null
+++ b/testing/sechecker.ini
@@ -0,0 +1,401 @@
+#
+# SELinux Reference policy validation checks
+#
+# Note to users: This file is a good starting point for tightening your own
+# policy. However, these checks are for the entire Reference Policy, i.e.,
+# all modules are included in the policy. If you are using a subset of the
+# modules, the best starting place is to review each of the checks and remove
+# the types in the exempt lists that are not in your policy. Types that are
+# in these lists but not in your policy will *NOT* cause sechecker to fail.
+#
+# Note to developers: In general, please avoid using attributes in the
+# exempt lists. This will make it less likely for unexpected types to pass.
+#
+
+[PRIVILEGE-load_policy]
+check_type = assert_te
+desc = Verify only the load_policy program can load a SELinux policy update.
+tclass = security
+perms = load_policy
+exempt_source = kernel_t # Kernel thread loading policy at boot
+ load_policy_t # SELinux policy loading tool
+
+[PRIVILEGE-setbool]
+check_type = assert_te
+desc = Verify SELinux Booleans can be changed only by expected domains.
+tclass = security
+perms = setbool
+exempt_source = cloud_init_t # VM configuration on initial boot
+ init_t
+ load_policy_t # Persist Boolean state across policy loads
+ puppet_t # Puppet can configure Booleans
+ secadm_t # Security admin role
+ semanage_t # SELinux management tool, including Booleans
+ sysadm_t # System admin role
+
+[PRIVILEGE-setenforce]
+check_type = assert_te
+desc = Verify only expected domains can change SELinux to permissive mode.
+tclass = security
+perms = setenforce
+exempt_source = cloud_init_t # VM configuration on initial boot
+ secadm_t # Security admin role
+ sysadm_t # System admin role
+
+[PRIVILEGE-CAP_SYS_MODULE]
+check_type = assert_te
+desc = Verify only expected domains have CAP_SYS_MODULE (kernel module capability)
+tclass = capability
+perms = sys_module
+exempt_source = init_t
+ kernel_t
+ kmod_t
+ spc_t
+ systemd_modules_load_t
+ udev_t
+
+[PRIVILEGE-module_load]
+check_type = assert_te
+desc = Verify only expected domains can directly load kernel modules
+tclass = system
+perms = module_load
+# This list should match the above PRIVILEGE-CAP_SYS_MODULE exempt_source list.
+exempt_source = init_t
+ kernel_t
+ kmod_t
+ spc_t
+ systemd_modules_load_t
+ udev_t
+
+[PRIVILEGE-CAP_SYS_ADMIN]
+check_type = assert_te
+desc = Verify only expected domains have CAP_SYS_ADMIN
+tclass = capability
+perms = sys_admin
+# CAP_SYS_ADMIN is a kitchen sink of privileges, which means many privileged domains need it.
+exempt_source = acpi_t
+ acpid_t
+ afs_t
+ auditadm_sudo_t # Conditional access (allow_polyinstantiation)
+ automount_t
+ bluetooth_t
+ bootloader_t # Install bootloader
+ cachefilesd_t
+ cgclear_t # Move processes out of cgroups
+ cgconfig_t # Configure cgroups
+ cgmanager_t # Container cgroup manager
+ cgred_t # Move processes to cgroups based on configurable rules
+ chromium_sandbox_t
+ cockpit_session_t
+ container_engine_t
+ consoletype_t
+ container_t # Conditional access (container_use_sysadmin or container_use_host_all_caps)
+ corosync_t
+ crio_t
+ crond_t # Conditional access (allow_polyinstantiation)
+ cryfs_t
+ cupsd_t
+ devicekit_disk_t
+ devicekit_power_t
+ disk_munin_plugin_t
+ dmesg_t # Clear kernel printk buffer/set kernel log level
+ dockerd_t # Container engine (namespacing)
+ dockerd_user_t # Container engine (namespacing)
+ dphysswapfile_t # Configure swap files
+ entropyd_t # Add entropy to the system
+ fapolicyd_t
+ fsadm_t
+ fsdaemon_t
+ ftpd_t
+ getty_t # Configure tty devices
+ glusterd_t
+ gpm_t
+ hostname_t # Set hostname
+ hypervvssd_t
+ ifconfig_t
+ init_t
+ initrc_t
+ iscsid_t
+ kdump_t
+ kernel_t # Kernel threads have all caps
+ klogd_t
+ kubeadm_t
+ lircd_t
+ local_login_t # Conditional access (allow_polyinstantiation)
+ lvm_t # Configure logical volumes
+ mcelog_t # Decode and log CPU machine check exceptions
+ mdadm_t # Configure software RAID
+ modemmanager_t
+ mon_local_test_t
+ mount_t # (un)mount filesystems
+ nagios_checkdisk_plugin_t
+ newrole_t # Conditional access (allow_polyinstantiation)
+ nfsd_t
+ ntop_t
+ plymouthd_t
+ podman_t
+ podman_user_t
+ postgresql_t
+ pppd_t
+ quota_t # Configure filesystem quotas
+ remote_login_t # Conditional access (allow_polyinstantiation)
+ resmgrd_t
+ rlogind_t # Conditional access (allow_polyinstantiation)
+ rngd_t
+ rootlesskit_t # Container engine (namespacing)
+ rpcd_t
+ rpm_script_t # Package manager post-install scripts
+ rshd_t # Conditional access (allow_polyinstantiation)
+ secadm_sudo_t # Conditional access (allow_polyinstantiation)
+ seunshare_t # Create new flesystem namespaces
+ shorewall_t
+ smbd_t
+ smbmount_t # Mount SMB and CIFS filesystems
+ sosreport_t
+ spc_t
+ sshd_t # Conditional access (allow_polyinstantiation)
+ sssd_t
+ staff_sudo_t # Conditional access (allow_polyinstantiation)
+ sulogin_t
+ sysadm_t # System admin role
+ sysadm_sudo_t # Conditional access (allow_polyinstantiation)
+ syslogd_t
+ sysstat_t
+ systemd_generator_t
+ systemd_homework_t # Mount home directory images
+ systemd_hostnamed_t # Set hostname
+ systemd_logind_t
+ systemd_machine_id_setup_t
+ systemd_nspawn_t
+ systemd_sysctl_t
+ systemd_tmpfiles_t
+ systemd_user_runtime_dir_t
+ tuned_t
+ udev_t
+ user_sudo_t # Conditional access (allow_polyinstantiation)
+ vbetool_t
+ virtd_t # libvirt virtualization manager
+ virtd_lxc_t # libvirt LXC container engine (namespacing)
+ vmware_t # VMWare virtualization manager
+ watchdog_t
+ xserver_t
+ zed_t # ZFS events daemon (filesystem event monitoring)
+ zfs_t # ZFS filesystem tools
+
+[PRIVILEGE-CAP_SYS_RAWIO]
+check_type = assert_te
+desc = Verify only expected domains can use CAP_SYS_RAWIO
+tclass = capability
+perms = sys_rawio
+exempt_source = abrt_t # Conditional access (allow_raw_memory_access)
+ blkmapd_t
+ bootloader_t # Install bootloader, raw disk access
+ cdrecord_t # Burn optical media
+ container_t # Conditional access (container_use_host_all_caps)
+ cpucontrol_t
+ cupsd_t
+ devicekit_disk_t
+ disk_munin_plugin_t
+ dmidecode_t
+ fsadm_t
+ fsdaemon_t
+ hddtemp_t
+ hwclock_t
+ init_t
+ initrc_t
+ kernel_t # Kernel threads have all caps
+ kdump_t
+ klogd_t # Conditional access (allow_raw_memory_access)
+ lvm_t
+ mcelog_t # Conditional access (allow_raw_memory_access)
+ mount_t
+ munin_t
+ nagios_checkdisk_plugin_t
+ rasdaemon_t # Monitors ECC errors
+ resmgrd_t # Device resource manager
+ rpm_script_t # Package manager post-install scripts
+ smbmount_t
+ sosreport_t # Conditional access (allow_raw_memory_access)
+ spc_t
+ sysadm_t # System admin role
+ udev_t
+ vbetool_t # Conditional access (allow_raw_memory_access)
+ vmware_t
+ xdm_t
+ xserver_t
+ zfs_t
+
+[PRIVILEGE-CAP_NET_ADMIN]
+check_type = assert_te
+desc = Verify only expected domains can use CAP_NET_ADMIN.
+tclass = capability
+perms = net_admin
+exempt_source = arpwatch_t
+ asterisk_t
+ avahi_t
+ bird_t
+ blueman_t
+ bluetooth_t
+ brctl_t
+ cgred_t
+ chronyd_t # Conditional access (chronyd_hwtimestamp)
+ condor_startd_t
+ container_engine_t
+ container_t # Conditional access (container_use_host_all_caps)
+ crio_t
+ ctdbd_t
+ devicekit_disk_t
+ devicekit_power_t
+ dhcpc_t
+ dnsmasq_t
+ dockerd_t
+ dockerd_user_t
+ dpkg_script_t
+ drbd_t
+ fcoemon_t
+ firewalld_t
+ hostapd_t
+ hypervkvpd_t
+ hypervvssd_t
+ ifconfig_t
+ ifplugd_t
+ init_t
+ initrc_t
+ iodined_t
+ ipsec_t
+ ipsec_mgmt_t
+ ipsec_supervisor_t
+ iptables_t
+ iscsid_t
+ kernel_t
+ kismet_t
+ krb5kdc_t
+ kubeadm_t
+ kubelet_t
+ l2tpd_t
+ lldpad_t
+ lvm_t
+ minissdpd_t
+ modemmanager_t
+ ncftool_t
+ ndc_t
+ netlabel_mgmt_t
+ netutils_t
+ NetworkManager_t
+ nsd_t
+ ntop_t
+ openvpn_t
+ openvswitch_t
+ pegasus_t
+ podman_t
+ podman_user_t
+ portslave_t
+ pppd_t
+ pptp_t
+ psad_t
+ racoon_t
+ radvd_t
+ rkhunter_t
+ rootlesskit_t
+ rpm_script_t
+ setkey_t
+ shorewall_t
+ snmpd_t
+ snort_t
+ sosreport_t
+ spc_t
+ squid_t # Conditional access (squid_use_tproxy)
+ sssd_t
+ sysadm_t
+ syslogd_t # Conditional network config (logging_syslog_can_network)
+ system_cronjob_t
+ system_munin_plugin_t
+ systemd_cgroups_t
+ systemd_networkd_t
+ systemd_nspawn_t
+ systemd_sysctl_t
+ systemd_tmpfiles_t
+ traceroute_t
+ udev_t
+ ulogd_t
+ virt_bridgehelper_t
+ virtd_t
+ virtd_lxc_t
+ vpnc_t
+ watchdog_t
+ wireguard_t
+ wireshark_t
+ xm_t
+ zebra_t
+
+[PRIVILEGE-setcurrent]
+check_type = assert_te
+desc = Verify only the expected domains can change their process label.
+tclass = process
+perms = setcurrent
+exempt_source = chromium_t # Changes MCS level for each tab
+ kernel_t # When systemd loads the policy it has the kernel_t label and changes context to init_t
+ sepgsql_ranged_proc_t # Changes MCS level
+
+[NONTRANQUILITY-systemd]
+check_type = assert_te
+desc = Verify dynamic transition allowed by PRIVILEGE-setcurrent test can only
+ go from kernel_t to init_t (systemd)
+source = kernel_t
+tclass = process
+perms = dyntransition
+# kernel_t -> kernel_t and kernel_t -> init_t
+exempt_target = init_t kernel_t
+
+[INTEGRITY-readonly-executables]
+check_type = ro_execs
+#
+# This is an expensive check, but this security goal is important to verify.
+# To tighten your policy, first try to remove entries from exempt_file, as it
+# is very broad in terms of this check, as the type is simply ignored both for
+# write checks and for execute checks.
+#
+# Next, try to remove entries from exempt_write_domain. These are domains that
+# are accepted as able to write executables.
+#
+# If you don't have unconfined domains, you should remove the
+# exempt_exec_domain option. The only purpose for this option is because all
+# file types would be considered executable otherwise.
+#
+# When you have a failure on this test, first verify that the file type is
+# supposed to be executable; if not, remove the exec access. If it is supposed
+# to be executable, verify domains that have write access are legitimate
+# writers. If the access is legitimate, e.g. by a package manager, add the
+# domain to exempt_write_domain. If not, remove the write access.
+#
+desc = Enforce executable files (including libraries) are not writable
+ except from expected domains, such as package managers.
+exempt_file = container_file_t # Container files don't distinguish executables.
+ container_ro_file_t # Container files don't distinguish executables.
+ gstreamer_orcexec_t # OIL Runtime Compiler code optimizer is used by pulseaudio
+ httpd_script_exec_type # Web admin can edit scripts
+ httpdcontent # Web admin can edit scripts, webalizer output, etc.
+ noxattrfs # Filesystem does not support xattrs; executable by users, can't distinguish executables
+ user_home_content_type # User home content, users can install apps in own home, write scripts, etc. JIT compiles, and libFFI use.
+exempt_write_domain = cloud_init_t # Can conditionally manage all non-auth files (cloudinit_manage_non_security)
+ dpkg_t # Package manager
+ dpkg_script_t # Package manager
+ gcc_config_t # Gentoo compiler chooser
+ init_t # Systemd can create file mountpoints
+ ftpd_t # Can conditionally manage all non-auth files (allow_ftpd_full_access)
+ kernel_t # Can conditionally manage all non-auth files (nfs_export_all_rw)
+ nfsd_t # Can conditionally manage all non-auth files (nfs_export_all_rw)
+ nmbd_t # Can conditionally manage all non-auth files (samba_export_all_rw)
+ prelink_t # Prelinking executables
+ portage_t # Package manager
+ puppet_t # Can conditionally manage all non-auth files (puppet_manage_all_files)
+ rpm_t # Package manager
+ rpm_script_t # Package manager
+ sftpd_t # Can conditionally manage all non-auth files (sftpd_full_access)
+ smbd_t # Can conditionally manage all non-auth files (samba_export_all_rw)
+ systemd_tmpfiles_t # Can conditionally manage all non-auth files (systemd_tmpfiles_manage_all)
+ sysadm_t # Privileged admin domain
+ files_unconfined_type
+# files_unconfined_type: Unconfined; can execute anything; muddies the water on what is
+# intended to be executable by constrained domains.
+exempt_exec_domain = files_unconfined_type