Remove the lockdown-class rules from the policy
A comprehensive fix for all the problems caused by the lockdown SELinux
class was rejected by Linus and, for lack of a better option,
the consensus upstream was to remove the class entirely and stop
checking anything in the lockdown hook.

The lockdown class was removed from the upstream kernel in the
"selinux: remove the SELinux lockdown implementation" commit and is not
present any longer in Fedora 36 and newer.

    Related: rhbz#2017848

    Resolves: rhbz#2145266
zpytela committed Oct 19, 2023
1 parent ba41134 commit 64ee67e
Showing 5 changed files with 0 additions and 23 deletions.
2 changes: 0 additions & 2 deletions policy/modules/kernel/devices.if
Expand Up @@ -3232,7 +3232,6 @@ interface(`dev_read_raw_memory',`

read_chr_files_pattern($1, device_t, memory_device_t)
allow $1 memory_device_t:chr_file map;
allow $1 self:lockdown integrity;

allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
Expand Down Expand Up @@ -5757,7 +5756,6 @@ interface(`dev_map_userio_dev',`
')

allow $1 userio_device_t:chr_file map;
allow $1 self:lockdown integrity;
')

########################################
2 changes: 0 additions & 2 deletions policy/modules/kernel/filesystem.if
Expand Up @@ -7136,7 +7136,6 @@ interface(`fs_rw_tracefs_files',`
')

rw_files_pattern($1, tracefs_t, tracefs_t)
allow $1 self:lockdown confidentiality;
')

########################################
Expand All @@ -7157,7 +7156,6 @@ interface(`fs_manage_tracefs_dirs',`
')

manage_dirs_pattern($1, tracefs_t, tracefs_t)
allow $1 self:lockdown confidentiality;
')

########################################
9 changes: 0 additions & 9 deletions policy/modules/kernel/kernel.if
Expand Up @@ -432,7 +432,6 @@ interface(`kernel_load_module',`
## </param>
#
interface(`kernel_load_unsigned_module',`
allow $1 self:lockdown integrity;
kernel_load_module($1)
')

Expand Down Expand Up @@ -882,8 +881,6 @@ interface(`kernel_read_debugfs',`
type debugfs_t;
')

allow $1 self:lockdown integrity;

read_files_pattern($1, debugfs_t, debugfs_t)
read_lnk_files_pattern($1, debugfs_t, debugfs_t)
list_dirs_pattern($1, debugfs_t, debugfs_t)
Expand Down Expand Up @@ -922,8 +919,6 @@ interface(`kernel_manage_debugfs',`
type debugfs_t;
')

allow $1 self:lockdown integrity;

manage_files_pattern($1, debugfs_t, debugfs_t)
manage_dirs_pattern($1,debugfs_t, debugfs_t)
read_lnk_files_pattern($1, debugfs_t, debugfs_t)
Expand Down Expand Up @@ -1469,7 +1464,6 @@ interface(`kernel_read_core_if',`
')

allow $1 self:capability sys_rawio;
allow $1 self:lockdown confidentiality;
read_files_pattern($1, proc_t, proc_kcore_t)
list_dirs_pattern($1, proc_t, proc_t)

Expand Down Expand Up @@ -4452,7 +4446,6 @@ interface(`kernel_unlabeled_entry_type',`
#
interface(`kernel_kexec_load',`
allow $1 self:capability sys_boot;
allow $1 self:lockdown integrity;
')

########################################
Expand All @@ -4471,7 +4464,6 @@ interface(`kernel_write_perf_event',`
# the kernel commit 08ef1af4de5f
# (perf/core: Fix unconditional security_locked_down() call)
# is backported to stable kernels
allow $1 self:lockdown confidentiality;
allow $1 self:perf_event write_perf_event_perms;
')

Expand All @@ -4488,7 +4480,6 @@ interface(`kernel_write_perf_event',`
interface(`kernel_manage_perf_event',`
allow $1 self:capability2 perfmon;
# The confidentiality permission may not be needed, refer to kernel_write_perf_event()
allow $1 self:lockdown confidentiality;
allow $1 self:perf_event manage_perf_event_perms;
')

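Review bot: The comment kept in kernel_manage_perf_event, `# The confidentiality permission may not be needed, refer to kernel_write_perf_event()`, now describes a rule that no longer exists, and the three kept comment lines in kernel_write_perf_event about commit 08ef1af4de5f likewise justify the lockdown permission this commit deletes; that comment block starts above the hunk. Both should be dropped, or the first replaced with `# lockdown class removed upstream; no extra permission needed here` so a reader is not sent looking for a confidentiality rule. Separately, kernel_load_unsigned_module() is now a bare wrapper that only calls kernel_load_module(), so its documented distinction from signed module loading is gone; a one-line comment such as `# lockdown class dropped upstream; kept as an alias of kernel_load_module() for existing callers` would record that it is intentionally retained for compatibility rather than an oversight.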
8 changes: 0 additions & 8 deletions policy/modules/system/systemd.te
Expand Up @@ -251,12 +251,6 @@ files_type(systemd_pstore_var_lib_t)
allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
allow systemd_logind_t self:capability2 block_suspend;

# systemd-logind reads state from /sys/power, which changes output based on
# whether hibernations is available, which tries to take the lockdown state
# into account. So the permission is somewhat unnecessary (systemd-logind
# doesn't actually try to change anything), but it's better to allow it so that
# systemd-logind sees the right system state.
allow systemd_logind_t self:lockdown integrity;
allow systemd_logind_t self:process getcap;
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
Expand Down Expand Up @@ -1588,8 +1582,6 @@ allow systemd_sleep_t self:capability { linux_immutable sys_resource };
# systemd-sleep needs to set timer for suspend-then-hibernate
allow systemd_sleep_t self:capability2 wake_alarm;
dontaudit systemd_sleep_t self:capability sys_ptrace;
# systemd-sleep needs the permission to change sleep state
allow systemd_sleep_t self:lockdown integrity;

allow systemd_sleep_t systemd_unit_file_t:service { start stop };

2 changes: 0 additions & 2 deletions policy/modules/system/unconfined.if
Expand Up @@ -30,8 +30,6 @@ interface(`unconfined_domain_noaudit',`
allow $1 self:file manage_file_perms;
allow $1 self:dir rw_dir_perms;

allow $1 self:lockdown { confidentiality integrity };

# Userland object managers
allow $1 self:nscd all_nscd_perms;
allow $1 self:dbus all_dbus_perms;
