From 64ce9fe2f6cb90ebff66eb2085098eadc8b4c80a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Dec 15 2020 09:30:54 +0000
Subject: General NetworkManager related policy checks

SELinux interferes with NetworkManager, nm-dispatcher and related programs. NetworkManager can interact with arping, systemd-hostnamed, iscsiadm, dnsmasq, openvswitch.

---
diff --git a/selinux-policy/NetworkManager-general/Makefile b/selinux-policy/NetworkManager-general/Makefile
new file mode 100644
index 0000000..7a85ad8
--- /dev/null
+++ b/selinux-policy/NetworkManager-general/Makefile
@@ -0,0 +1,116 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/selinux-policy/Regression/NetworkManager-general
+# Description: general NetworkManager related policy checks
+# Author: Karel Srot
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/selinux-policy/Regression/NetworkManager-general
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Karel Srot " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: general NetworkManager related policy checks" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 30m" >> $(METADATA)
+ @echo "RunFor: selinux-policy" >> $(METADATA)
+ @echo "RunFor: NetworkManager" >> $(METADATA)
+ @echo "Requires: audit" >> $(METADATA)
+ @echo "Requires: glib2" >> $(METADATA)
+ @echo "Requires: initscripts" >> $(METADATA)
+ @echo "Requires: libselinux" >> $(METADATA)
+ @echo "Requires: libselinux-utils" >> $(METADATA)
+ @echo "Requires: NetworkManager" >> $(METADATA)
+ @echo "Requires: NetworkManager-bluetooth" >> $(METADATA)
+ @echo "Requires: policycoreutils" >> $(METADATA)
+ @echo "Requires: selinux-policy" >> $(METADATA)
+ @echo "Requires: selinux-policy-mls" >> $(METADATA)
+ @echo "Requires: selinux-policy-targeted" >> $(METADATA)
+ @echo "Requires: samba-winbind" >> $(METADATA)
+ @echo "Requires: setools" >> $(METADATA)
+ @echo "Requires: setools-console" >> $(METADATA)
+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+ @echo "Bug: 474342" >> $(METADATA) # RHEL-5
+ @echo "Bug: 693149" >> $(METADATA) # RHEL-5
+ @echo "Bug: 696161" >> $(METADATA) # RHEL-6
+ @echo "Bug: 731760" >> $(METADATA) # RHEL-6
+ @echo "Bug: 920576" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1009661" >> $(METADATA) # RHEL-6
+ @echo "Bug: 1039879" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1040631" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1041105" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1042838" >> $(METADATA) # RHEL-6
+ @echo "Bug: 1044723" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1055734" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1069241" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1070829" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1071480" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1078900" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1192810" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1209854" >> $(METADATA) # RHEL-6
+ @echo "Bug: 1212498" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1214747" >> $(METADATA) # RHEL-6
+ @echo "Bug: 1234954" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1336722" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1342401" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1344505" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1517247" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1517895" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1530297" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1597729" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1598506" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1723877" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1747768" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1777506" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1781806" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1806894" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1831630" >> $(METADATA) # RHEL-8
+
+ rhts-lint $(METADATA)
+
diff --git a/selinux-policy/NetworkManager-general/PURPOSE b/selinux-policy/NetworkManager-general/PURPOSE
new file mode 100644
index 0000000..06d0f84
--- /dev/null
+++ b/selinux-policy/NetworkManager-general/PURPOSE
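Review bot: `run` and `build` are command targets with no file behind them, yet the `.PHONY: all install download clean` line omits them, so a stray file named `run` or `build` in the test directory would make `make run` report the target as up to date and never execute runtest.sh; the targets it does list (`all install download`) are not defined in this file and are presumably supplied by the included rhts-make.include. Change the line to `.PHONY: all install download clean run build`. Separately, the `build` recipe relabels the script in place with `chcon -t bin_t runtest.sh`, which is undone by the next restorecon over the directory; a one-line comment stating why the bin_t label is required would help, since the reason is not visible in this file.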
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/selinux-policy/Regression/NetworkManager-general
+Author: Karel Srot
+
+SELinux interferes with NetworkManager, nm-dispatcher and related programs. NetworkManager can interact with arping, systemd-hostnamed, iscsiadm, dnsmasq, openvswitch.
+
diff --git a/selinux-policy/NetworkManager-general/runtest.sh b/selinux-policy/NetworkManager-general/runtest.sh
new file mode 100755
index 0000000..cb91aac
--- /dev/null
+++ b/selinux-policy/NetworkManager-general/runtest.sh
@@ -0,0 +1,310 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/selinux-policy/Regression/NetworkManager-general
+# Description: general NetworkManager related policy checks
+# Author: Karel Srot
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="selinux-policy"
+ROOT_PASSWORD="redhat"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ rlSESatisfyRequires
+ rlAssertRpm ${PACKAGE}
+ rlAssertRpm ${PACKAGE}-targeted
+ rlAssertRpm NetworkManager
+
+ rlFileBackup /etc/shadow
+ rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"
+
+ rlSESetEnforce
+ rlSEStatus
+ rlSESetTimestamp
+ sleep 1
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#474342"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/var/lib/dhclient" "dhcpc_state_t"
+ rlSESearchRule "allow NetworkManager_t dhcpc_state_t : dir { getattr open search }"
+ rlPhaseEnd
+
+ if ! rlIsRHEL 5 ; then
+ rlPhaseStartTest "bz#696161"
+ # Meta-Fixed-in: selinux-policy-3.7.19-84.el6
+ rlSESearchRule "dontaudit NetworkManager_t NetworkManager_t : capability { sys_module }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#731760"
+ # Meta-Fixed-in: selinux-policy-3.7.19-108.el6
+ rlSESearchRule "allow NetworkManager_t NetworkManager_t : netlink_socket { create }"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "bz#1071480"
+ rlSEMatchPathCon "/usr/libexec/nm-libreswan-service" "ipsec_mgmt_exec_t"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#920576"
+ rlSEMatchPathCon "/etc/hostname" "hostname_etc_t"
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartTest "bz#693149"
+ # META-Fixed-in:
+ if rlIsRHEL 5 ; then
+ rlSESearchRule "allow NetworkManager_t tmp_t : sock_file { write }"
+ else
+ rlSESearchRule "allow NetworkManager_t user_tmp_t : sock_file { write }"
+ fi
+ rlSESearchRule "allow NetworkManager_t unconfined_t : unix_dgram_socket { sendto }"
+ rlPhaseEnd
+
+ if ! rlIsRHEL 5 ; then
+ rlPhaseStartTest "bz#1009661"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/dev/rfkill" "wireless_device_t"
+ rlSESearchRule "allow NetworkManager_t wireless_device_t : chr_file { read write }"
+ rlPhaseEnd
+ fi
+
+ if rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "bz#1042838"
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher.action" "NetworkManager_initrc_exec_t"
+ rlSESearchRule "allow system_dbusd_t NetworkManager_initrc_exec_t : file { getattr open read execute }"
+ rlSESearchRule "allow system_dbusd_t initrc_t : process { transition }"
+ rlSESearchRule "type_transition system_dbusd_t NetworkManager_initrc_exec_t : process initrc_t"
+ rlPhaseEnd
+ else # RHEL-7 and above
+ rlPhaseStartTest "bz#1039879"
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher.action" "NetworkManager_exec_t"
+ rlSESearchRule "allow init_t NetworkManager_exec_t : file { getattr open read execute }"
+ rlSESearchRule "allow init_t NetworkManager_t : process { transition }"
+ rlSESearchRule "type_transition init_t NetworkManager_exec_t : process NetworkManager_t"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 ; then
+ rlPhaseStartTest "real scenario -- bz#1039879 + bz#1042838"
+ DESTINATION="org.freedesktop.nm_dispatcher"
+ if rlIsRHEL 6 ; then
+ PROCESS_NAME="nm-dispatcher.action"
+ PROCESS_CONTEXT="initrc_t"
+ else # RHEL-7 and above
+ PROCESS_NAME="nm-dispatcher"
+ PROCESS_CONTEXT="NetworkManager_t"
+ fi
+ rlRun "gdbus introspect --system --object-path / --dest ${DESTINATION} >& /dev/null"
+ sleep 1
+ rlRun "ps -efZ | grep -v grep | grep ${PROCESS_NAME}"
+ rlRun "ps -efZ | grep -v grep | grep \"${PROCESS_CONTEXT}.*${PROCESS_NAME}\""
+
+ if ! rlIsRHEL 6 ; then
+ rlSEService ${ROOT_PASSWORD} NetworkManager-dispatcher nm-dispatcher NetworkManager_t "start status restart status stop status" 1
+ fi
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "bz#1040631 + bz#1041105"
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher.action" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/etc/NetworkManager/dispatcher.d" "NetworkManager_initrc_exec_t"
+ rlSESearchRule "allow NetworkManager_t NetworkManager_initrc_exec_t : dir { getattr open read }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1044723"
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher.action" "NetworkManager_exec_t"
+ rlSESearchRule "allow NetworkManager_t initrc_t : process { signull }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1055734"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/usr/sbin/iscsiadm" "iscsid_exec_t"
+ rlSESearchRule "allow NetworkManager_t iscsid_exec_t : file { getattr open read execute }"
+ rlSESearchRule "allow NetworkManager_t iscsid_t : process { transition }"
+ rlSESearchRule "type_transition NetworkManager_t iscsid_exec_t : process iscsid_t"
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartTest "real scenario -- bz#1040631 + bz#1041105 + bz#1069241 + bz#1070829"
+ rlSEService ${ROOT_PASSWORD} NetworkManager NetworkManager NetworkManager_t "start status restart status" 1
+ if ! rlIsRHEL 5 6 ; then
+ # rlRun "ls -Z /run/systemd/resolve/resolv.conf | grep :net_conf_t"
+ SAME_NAME=`cat /etc/hostname`
+ rlRun "nmcli gen hostname ${SAME_NAME}"
+ rlRun "ls -Z /etc/hostname | grep :hostname_etc_t"
+ rlRun "restorecon -v /etc/hostname"
+ fi
+ rlSEService ${ROOT_PASSWORD} NetworkManager NetworkManager NetworkManager_t "stop status" 1
+ rlPhaseEnd
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "bz#1069241"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/etc/hostname" "hostname_etc_t"
+ rlSESearchRule "allow NetworkManager_t hostname_etc_t : file { unlink }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1070829"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/etc" "etc_t"
+ rlSEMatchPathCon "/etc/hostname" "hostname_etc_t"
+ rlSESearchRule "allow NetworkManager_t hostname_etc_t : file { create }"
+ rlRun "sesearch -T -s NetworkManager_t -t etc_t -c file | grep \"hostname_etc_t.*hostname\""
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1234954"
+ rlSESearchRule "allow NetworkManager_t systemd_hostnamed_t : dbus { send_msg }"
+ rlSESearchRule "allow NetworkManager_t sysfs_t : dir { write }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1192810"
+ rlRun "sesearch -c file -T | grep 'nm-dhclient\.'" 1
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1212498"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/dev/rfcomm0" "tty_device_t"
+ rlSESearchRule "allow NetworkManager_t NetworkManager_initrc_exec_t : lnk_file { getattr read }"
+ rlSESearchRule "allow NetworkManager_t sysfs_t : dir { write }"
+ rlSESearchRule "allow NetworkManager_t tty_device_t : chr_file { getattr open read } [ ]"
+ rlSESearchRule "allow NetworkManager_t etc_t : dir { read write getattr open search add_name remove_name } [ ]"
+ rlRun "sesearch -s NetworkManager_t -t etc_t -c lnk_file -T | grep \"net_conf_t.*resolv.conf.NetworkManager\""
+ rlSESearchRule "allow NetworkManager_t net_conf_t : lnk_file { create }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1336722"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSESearchRule "allow NetworkManager_t dnsmasq_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow dnsmasq_t NetworkManager_t : dbus { send_msg } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1342401 + bz#1344505"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/etc/resolv.conf" "net_conf_t"
+ rlSEMatchPathCon "/etc/resolv.conf.GWNQIY" "net_conf_t"
+ rlSESearchRule "allow NetworkManager_t net_conf_t : file { create rename }"
+ rlRun "sesearch -s NetworkManager_t -t etc_t -c file -T | grep \"type_transition .* net_conf_t;\""
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1517247"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSESearchRule "allow NetworkManager_t openvswitch_t : unix_stream_socket { connectto } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1517895"
+ rlSESearchRule "allow NetworkManager_t unlabeled_t : infiniband_pkey { access }"
+ rlSESearchRule "allow NetworkManager_t unlabeled_t : infiniband_endport { manage_subnet }"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 ; then
+ rlPhaseStartTest "bz#1078900 + bz#1209854"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/sbin/arping" "netutils_exec_t"
+ rlSESearchRule "allow NetworkManager_t netutils_exec_t : file { getattr open read execute_no_trans }"
+ rlSESearchRule "allow NetworkManager_t netutils_t : process { transition }" 1
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1214747"
+ rlSEMatchPathCon "/usr/libexec/nm-vpnc-service" "bin_t"
+ rlSESearchRule "allow NetworkManager_t kernel_t : process { signull }"
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 7 ; then
+ rlPhaseStartTest "bz#1530297"
+ rlSEMatchPathCon "/run/systemd/resolve" "systemd_resolved_var_run_t"
+ rlSEMatchPathCon "/run/systemd/resolve/resolv.conf" "net_conf_t"
+ rlSESearchRule "allow NetworkManager_t net_conf_t : file { getattr } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1747768"
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
+ rlSESearchRule "allow NetworkManager_t NetworkManager_t : bluetooth_socket { create } [ deny_bluetooth ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1777506"
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher" "NetworkManager_exec_t"
+ rlSEMatchPathCon "/usr/lib/NetworkManager/dispatcher.d" "NetworkManager_initrc_exec_t"
+ rlSEMatchPathCon "/usr/lib/NetworkManager/dispatcher.d/30-winbind" "NetworkManager_initrc_exec_t"
+ rlSESearchRule "allow NetworkManager_t NetworkManager_initrc_exec_t : file { getattr open read execute map } [ ]"
+ rlSESearchRule "type_transition NetworkManager_t NetworkManager_initrc_exec_t : process initrc_t"
+ rlSESearchRule "allow NetworkManager_t initrc_t : process { transition } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1781806"
+ rlSEMatchPathCon "/usr/lib/systemd/system/winbind.service" "samba_unit_file_t"
+ rlSESearchRule "allow NetworkManager_t samba_unit_file_t : service { status } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1806894"
+ rlSEMatchPathCon "/usr/lib/systemd/system/nm-cloud-setup.service" "NetworkManager_unit_file_t"
+ rlSESearchRule "allow NetworkManager_t NetworkManager_unit_file_t : file { getattr } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1831630"
+ rlSEMatchPathCon "/usr/sbin/rfkill" "bin_t"
+ rlSEMatchPathCon "/dev/rfkill" "wireless_device_t"
+ for USER_TYPE in staff_t user_t sysadm_t xguest_t unconfined_t ; do
+ rlSESearchRule "allow ${USER_TYPE} wireless_device_t : chr_file { read write } [ ]"
+ done
+ rlPhaseEnd
+ fi
+
+ # TODO: add real scenario where confined users run rfkill {,list,event}
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest "bz#1597729"
+ rlSEMatchPathCon "/usr/sbin/openvpn" "openvpn_exec_t"
+ rlSESearchRule "allow NetworkManager_t openvpn_exec_t : file { map }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1598506"
+ rlSEMatchPathCon "/usr/sbin/dnsmasq" "dnsmasq_exec_t"
+ rlSESearchRule "allow NetworkManager_t dnsmasq_exec_t : file { map }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1723877"
+ rlSESearchRule "allow NetworkManager_t systemd_resolved_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow systemd_resolved_t NetworkManager_t : dbus { send_msg } [ ]"
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+
+ rlFileRestore
+ rlPhaseEnd
+ rlJournalPrintText
+rlJournalEnd
+
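Review bot: The setup phase overwrites the root password with the hard-coded `redhat` (`echo ${ROOT_PASSWORD} | passwd --stdin root`), and the backed-up /etc/shadow is put back only by `rlFileRestore` in the cleanup phase, so a run that aborts or is killed before rlPhaseStartCleanup leaves the host with a well-known root password, and since rlRun logs the command it executes, the password also ends up in the journal. The password is consumed only by the rlSEService calls, so a comment at the assignment such as `# Known root password used by rlSEService; /etc/shadow is backed up in setup and restored in cleanup, so run only on disposable test hosts` would make that precondition explicit. A smaller point in the "real scenario -- bz#1040631 + bz#1041105 + bz#1069241 + bz#1070829" phase: the backtick-quoted `cat /etc/hostname` result is interpolated unquoted into `rlRun "nmcli gen hostname ${SAME_NAME}"`, so an empty or missing /etc/hostname presumably degrades the call to a plain hostname query that passes without ever writing the hostname_etc_t file the phase is meant to exercise. `SAME_NAME=$(cat /etc/hostname)` followed by `rlRun "[ -n '${SAME_NAME}' ]"` and quoting the name in the nmcli call would make that check meaningful.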