From e966e599e2d13b3d3cf1367c8b7d758f0431d8ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Thu, 25 Nov 2021 18:05:31 +0100
Subject: [PATCH 1/2] selinux: remap security classes on policyload
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Re-map the SELinux security classes on policy loads, as the mapping will be desynchronized (see man:selinux_set_mapping(3)) and audit messages will not show the actual class and permission names:
USER_AVC pid=24283 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xorg_t:s0 msg='avc: denied { 0x10 } for request=XFIXES:SelectSelectionInput comm=/usr/bin/python3 resid=6400001 restype=WINDOW scontext=xuser_u:xuser_r:systemd_user_instance_generic_bin_t:s0 tcontext=xuser_u:object_r:xorg_t:s0 tclass=(null) permissive=1
In addition use type-safe assignments.
Signed-off-by: Christian Göttsche
---
 Xext/xselinux_hooks.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index 57b24e452..b9d47103a 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@@ -324,6 +324,21 @@ SELinuxLog(int type, const char *fmt, ...)
 return 0;
 }
 
+static int
+SELinuxPolicyLoad(int seqno)
+{
+ LogMessage(X_INFO, "SELinux: PolicyLoad (%d) detected, remapping security classes\n", seqno);
+
+ if (selinux_set_mapping(map) < 0) {
+ if (errno == EINVAL)
+ ErrorF("SELinux: Invalid object class mapping\n");
+ else
+ ErrorF("SELinux: Failed to set up security class mapping\n");
+ }
+
+ return 0;
+}
+
 /*
 * XACE Callbacks
 */
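Review bot: When `selinux_set_mapping(map)` fails inside SELinuxPolicyLoad the error is only printed with ErrorF and the callback still returns 0, so the server keeps running with exactly the desynchronized class/permission mapping the commit message describes (`tclass=(null)` in the audit record), and every later access check is evaluated against a mapping that no longer matches the loaded policy. Whether that should be handled like the startup failure (its handling lies beyond the end of hunk 2) or deliberately tolerated deserves an explicit decision, and the chosen behaviour should be stated in a comment on the function. A header comment would also help a reader unfamiliar with the libselinux callback contract: `/* SELINUX_CB_POLICYLOAD callback: the class/permission mapping becomes desynchronized on every policy load, so re-install ours; seqno is only logged. */`.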
@@ -865,9 +880,9 @@ SELinuxFlaskInit(void)
 }
 
 /* Set up SELinux stuff */
- selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) SELinuxLog);
- selinux_set_callback(SELINUX_CB_AUDIT,
- (union selinux_callback) SELinuxAudit);
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = SELinuxLog });
+ selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) { .func_audit = SELinuxAudit });
+ selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) { .func_policyload = SELinuxPolicyLoad });
 
 if (selinux_set_mapping(map) < 0) {
 if (errno == EINVAL) {
-- GitLab
From 48176e7946e49ccde3aca18eccaf7a8335da7308 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Thu, 25 Nov 2021 18:22:32 +0100
Subject: [PATCH 2/2] selinux: only generate audit events for avc and error messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only generate audit events for messages of the type avc (permission denied) and error (e.g. invalid context). For example avoid USER_SELINUX_ERR for policy load events:
audit[980]: USER_SELINUX_ERR pid=980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xorg_t:s0 msg='avc: op=load_policy lsm=selinux seqno=8 res=1 exe="/usr/lib/xorg/Xorg" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Christian Göttsche
---
 Xext/xselinux_hooks.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index b9d47103a..6c1e6d162 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
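Review bot: The three new `selinux_set_callback` lines run well past the line width the rest of this function keeps — the removed SELINUX_CB_AUDIT call was wrapped onto two lines for exactly that reason — so the compound literals should be broken the same way, e.g. `selinux_set_callback(SELINUX_CB_POLICYLOAD,` followed by an indented `(union selinux_callback) { .func_policyload = SELinuxPolicyLoad });`. Separately, the `selinux_set_mapping` failure handling that begins at the end of this hunk appears to be the twin of the one added in SELinuxPolicyLoad (hunk 1); a small static helper that performs the call and reports the errno-specific message would keep the two paths from drifting apart. The body of SELinuxFlaskInit continues outside the hunk, so I cannot confirm that the startup messages match.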
@@ -301,25 +301,27 @@ SELinuxLog(int type, const char *fmt, ...)
 {
 va_list ap;
 char buf[MAX_AUDIT_MESSAGE_LENGTH];
- int rc, aut;
+ int aut;
 
 switch (type) {
- case SELINUX_INFO:
- aut = AUDIT_USER_MAC_POLICY_LOAD;
+ case SELINUX_ERROR:
+ aut = AUDIT_USER_SELINUX_ERR;
 break;
 case SELINUX_AVC:
 aut = AUDIT_USER_AVC;
 break;
 default:
- aut = AUDIT_USER_SELINUX_ERR;
+ /* Do not generate an audit event, just log normally. */
+ aut = -1;
 break;
 }
 
 va_start(ap, fmt);
 vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap);
- rc = audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
- (void) rc;
 va_end(ap);
+
+ if (aut != -1)
+ (void) audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
 LogMessageVerb(X_WARNING, 0, "%s", buf);
 return 0;
 }
-- GitLab
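Review bot: `aut = -1` in the default branch is a bare sentinel whose meaning is only recoverable from the `if (aut != -1)` test further down; give it a name or at least annotate the declaration, `int aut; /* audit record type, or -1 for no audit event */`. With SELINUX_INFO and every other non-AVC, non-error type now routed through the default branch, the unconditional `LogMessageVerb(X_WARNING, 0, "%s", buf);` reports informational notices at warning severity, which is misleading in the server log; deriving the verbosity from `type` would keep the log level consistent with the new audit behaviour. The `(void)` on `audit_log_user_avc_message` still discards a failure to write the audit record (for instance when `audit_fd` is not open), so an operator relying on USER_AVC records gets no signal when they stop arriving; that predates this change, but a comment stating that audit delivery is best-effort would make the choice explicit now that this call is the only audit path left.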