Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add policycoreutils and related tools #1016

Merged
merged 8 commits into from
Aug 10, 2020
Merged

add policycoreutils and related tools #1016

merged 8 commits into from
Aug 10, 2020

Conversation

bcressey
Copy link
Contributor

@bcressey bcressey commented Aug 8, 2020

Issue number:
#997

Description of changes:
Add policycoreutils to the default install, so that higher level tools for managing the policy are available if the break-glass admin container is used. In particular, semodule is useful for making temporary adjustments to troubleshoot an issue.

The policy files are now included in the image, as otherwise it is not possible to extend the policy without obtaining them from the repository.

Adjust the kernel default for memory protection checking so that sestatus reports "actual (secure)". We don't enforce the memory protection checks for processes running inside containers, and none of the host binaries request memory that's both writable and executable, so this is not a fixing an actual vulnerability, just hardening the default.

Testing done:
Built the aws-dev variant. Confirmed that the policy was loaded and that files copied by tmpfiles.d were correctly labeled.

Built the aws-k8s-1.17 variant. Verified that conformance tests passed with no AVC denials.

Tested various semodule commands: -R reloads the policy and -B builds and reloads the policy.

Verified that a new policy module that refers to existing policy types can be created and loaded:

# cat <<EOF >/tmp/permissive.cil
(typepermissive super_t)
EOF
# semodule -i /tmp/permissive.cil
# echo -n 'system_u:system_r:system_t:s0' > /proc/self/attr/current
# dmesg
[...] audit: type=1400 audit(1596900137.247:11): avc:  denied  { dyntransition } for  pid=570238 comm="bash" scontext=system_u:system_r:super_t:s0 tcontext=system_u:system_r:system_t:s0 tclass=process permissive=1

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

bcressey added 8 commits August 7, 2020 20:31
@bcressey
kernel: set checkreqprot=0 by default
a17c9f1 
The feature will eventually be deprecated so that only the secure
form is available, per upstream discussion:
  https://patchwork.kernel.org/patch/11324099/

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
build libbzip2
adc4ab1 
This is required by libsemanage, which expects policy modules to be
compressed with bzip2.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
build libsemanage
668f6b8 
Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
selinux: move policy directory back to /etc
b10ea28 
To allow the policy to be extended or modified at runtime, we need to
store the files in /etc rather than on the immutable root filesystem.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
libselinux: add utils subpackage
2a54d8b 
`avcstat` can be used by an administrator to display AVC statistics,
and `sefcontext_compile` is required to rebuild the SELinux policy.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
selinux-policy: include policy modules
1ac21fe 
Shipping the modules enables an administrator to customize the policy
at runtime without needing to obtain the sources from elsewhere.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
build policycoreutils
f59028d 
`semodule` can be used by an administrator to add new modules to the
SELinux policy, which can be helpful for troubleshooting. It depends
on `load_policy` and `setfiles` to rebuild the policy.

`sestatus` provides a quick summary of the SELinux configuration.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey
release: add policycoreutils
b181cc2 
Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey bcressey requested review from iliana and jamieand August 8, 2020 15:29
@bcressey bcressey linked an issue Aug 8, 2020 that may be closed by this pull request
add utilities from policycoreutils #997
Closed
@bcressey bcressey merged commit 86dab58 into bottlerocket-os:develop Aug 10, 2020
@bcressey bcressey deleted the policycoreutils branch August 10, 2020 18:08
@fheinecke fheinecke mentioned this pull request Jun 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jamieand jamieand jamieand approved these changes

@iliana iliana iliana approved these changes

@tjkirch tjkirch tjkirch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

add utilities from policycoreutils
4 participants
@bcressey @tjkirch @iliana @jamieand