Update SELinux Wazuh policy #7916
Description
Description
There is SELinux section that covers the creation of a policy
https://documentation.wazuh.com/current/development/selinux-wazuh-context.html
Nevertheless, it was reported that it isn't working
It is required to update this section.
How to reproduce
I have followed the guide to confirm if there is a problem with it.
I'm using a CentOS 10 Stram Docker image.
The compilation step gives the same error
[root@4e242917b7a5 selinux-wazuh]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted wazuhT module
wazuhT.te:57:ERROR 'Class process would have too many permissions to fit in an access vector with permission read' at token '}' on line 3452:
class process { transition getattr getpgid getsession setrlimit setsched signull open read};
role unconfined_r;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/wazuhT.mod] Error 1
The policy was added two years ago
If I remove the read permission from the mentioned line
class process { transition getattr getpgid getsession setrlimit setsched signull open};
I can compile the policy
[root@4e242917b7a5 selinux-wazuh]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted wazuhT module
Creating targeted wazuhT.pp policy package
rm tmp/wazuhT.mod tmp/wazuhT.mod.fc
But I can't install it
[root@4e242917b7a5 selinux-wazuh]# semodule -i wazuhT.pp
Failed to resolve permission open
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/wazuhT/cil:177
Failed to resolve AST
semodule: Failed!
Removing all references to open gives a similar error with read
[root@4e242917b7a5 selinux-wazuh]# semodule -i wazuhT.pp
Failed to resolve permission read
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/wazuhT/cil:202
Failed to resolve AST
semodule: Failed!
Removing all references to read and the resulting empty lines, results in a successful compilation and installation
[root@4e242917b7a5 selinux-wazuh]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted wazuhT module
Creating targeted wazuhT.pp policy package
rm tmp/wazuhT.mod tmp/wazuhT.mod.fc
[root@4e242917b7a5 selinux-wazuh]# semodule -i wazuhT.pp
[root@4e242917b7a5 selinux-wazuh]#
This is a workaround, it should be tested in depth
wazuhT.te
policy_module(wazuhT,1.0)
require {
type bin_t;
type tmp_t;
type unconfined_t;
type initrc_t;
type unconfined_service_t;
type shell_exec_t;
type var_t;
type cert_t;
type node_t;
type init_t;
type kernel_t;
type system_dbusd_t;
type sshd_t;
type fs_t;
type unlabeled_t;
type sysctl_net_t;
type systemd_unit_file_t;
type cgroup_t;
type hugetlbfs_t;
type sysfs_t;
type iptables_exec_t;
type sshd_exec_t;
type device_t;
type fixed_disk_device_t;
type useradd_exec_t;
type journalctl_exec_t;
type proc_net_t;
type pstore_t;
type mount_exec_t;
type insmod_exec_t;
type systemd_systemctl_exec_t;
type crontab_exec_t;
type devlog_t;
type rpm_exec_t;
type proc_t;
type configfs_t;
type http_port_t;
type tmpfs_t;
type gssproxy_var_lib_t;
type rpm_log_t;
type auditd_unit_file_t;
type crond_unit_file_t;
type mount_var_run_t;
type rpm_var_lib_t;
type usermodehelper_t;
type var_run_t;
type etc_t;
type security_t;
type firewalld_t;
type iptables_t;
type dhcpc_t;
role system_r;
role unconfined_r;
class process { transition getattr getpgid getsession setrlimit setsched signull };
class rawip_socket {bind setopt getopt create };
class netlink_route_socket {bind setopt create write nlmsg_read};
class netlink_audit_socket {bind setopt create write nlmsg_read};
class lnk_file {getattr };
class file { getattr execute getattr };
class dir { getattr search };
class tcp_socket { bind connect create getopt listen name_bind name_connect node_bind setopt };
class capability { chown dac_override fowner fsetid kill net_bind_service net_raw setgid setuid sys_chroot sys_resource sys_ptrace};
class unix_dgram_socket { write create ioctl sendto bind getopt connect};
class netlink_tcpdiag_socket {create getattr setopt bind nlmsg_read write};
class filesystem { getattr };
class sock_file { getattr };
class blk_file { getattr };
class udp_socket name_bind;
class unix_stream_socket {connectto ioctl getattr};
class dbus send_msg;
}
# Private type declarations
type wazuh_t;
type wazuh_exec_t;
type wazuh_etc_t;
type wazuh_lib_t;
type wazuh_log_t;
type wazuh_tmp_t;
type wazuh_var_t;
# Ports label
type wazuh_port_t;
corenet_port(wazuh_port_t)
# domain_type macro specifies the type wazuh_t to be a domain
domain_type(wazuh_t)
# domain_entry_file specifies an entry point to the wazuh_t domain for the executable file of type wazuh_exec_t
domain_entry_file(wazuh_t, wazuh_exec_t)
# logging_log_file macro makes wazuh_log_t become the type of log file with the necessary groups and rules
logging_log_file(wazuh_log_t)
# Allow domain wazuh_t to manipulate log files
allow wazuh_t wazuh_log_t:file append_file_perms;
# files_tmp_file takes the type of wazuh_tmp_t to the necessary groups so that it becomes the type of tmp file
files_tmp_file(wazuh_tmp_t)
# Allow the wazuh_t domain write privileges into the tmp_t labeled directory, but with an automatic file transition towards wazuh_tmp_t for every file written
files_tmp_filetrans(wazuh_t,wazuh_tmp_t,file)
# Allow domain wazuh_t to manipulate tmp files
allow wazuh_t wazuh_tmp_t:file manage_file_perms;
#============== Allow transition
role unconfined_r types wazuh_t;
role system_r types wazuh_t;
allow wazuh_t bin_t : file execute;
allow unconfined_t wazuh_t : process transition;
allow initrc_t wazuh_t : process transition;
allow unconfined_service_t wazuh_t : process transition;
allow unconfined_t wazuh_exec_t : file execute;
allow initrc_t wazuh_exec_t : file execute;
allow unconfined_service_t wazuh_exec_t : file execute;
allow wazuh_t wazuh_exec_t : file entrypoint;
type_transition unconfined_t wazuh_exec_t : process wazuh_t;
type_transition initrc_t wazuh_exec_t : process wazuh_t;
type_transition unconfined_service_t wazuh_exec_t : process wazuh_t;
#============== Permissions for wazuh-control to run Wazuh
allow wazuh_t shell_exec_t:file { execute execute_no_trans };
allow wazuh_t bin_t:file execute_no_trans;
allow wazuh_t wazuh_var_t:dir { create rmdir add_name remove_name write getattr setattr search};
allow wazuh_t wazuh_var_t:file { create getattr append rename setattr unlink write ioctl lock};
allow wazuh_t wazuh_exec_t:dir { create rmdir getattr add_name remove_name write setattr search};
allow wazuh_t wazuh_exec_t:file { create getattr append rename setattr link unlink write ioctl lock execute execute_no_trans};
allow wazuh_t wazuh_log_t:dir { create rmdir getattr add_name remove_name write setattr search};
allow wazuh_t wazuh_log_t:file { create getattr append rename setattr link unlink write ioctl lock};
allow wazuh_t wazuh_etc_t:dir { create rmdir getattr add_name remove_name write setattr search};
allow wazuh_t wazuh_tmp_t:dir { create rmdir getattr add_name remove_name write setattr search rmdir};
allow wazuh_t wazuh_tmp_t:file { create getattr append rename setattr link unlink write ioctl lock};
allow wazuh_t wazuh_lib_t:dir { create rmdir getattr add_name remove_name write setattr search};
allow wazuh_t wazuh_lib_t:file { getattr map execute};
allow wazuh_t wazuh_var_t:filesystem { associate};
allow wazuh_var_t fs_t:filesystem { associate};
allow wazuh_etc_t fs_t:filesystem { associate};
# Permissions to read /proc
domain_read_all_domains_state(wazuh_t)
domain_getpgid_all_domains( wazuh_t )
domain_getattr_all_domains( wazuh_t )
domain_getsession_all_domains( wazuh_t )
domain_signull_all_domains( wazuh_t )
#============== Permissions for Framework and API
allow wazuh_t self:tcp_socket { bind connect create getopt listen setopt };
allow wazuh_t self:udp_socket { bind connect create getattr ioctl setopt };
allow wazuh_t node_t:tcp_socket node_bind;
allow wazuh_t node_t:udp_socket node_bind;
#============== Permissions for wazuh-analysisd to run
allow wazuh_t self:process { getattr getpgid getsession setrlimit setsched };
allow wazuh_t wazuh_etc_t:file { create getattr append rename setattr link unlink write ioctl lock map};
#============== Permissions for wazuh-remoted to use sockets
allow wazuh_t wazuh_var_t:sock_file { write getattr create setattr unlink} ;
allow wazuh_t wazuh_t:unix_stream_socket {connectto ioctl};
allow wazuh_t wazuh_port_t:tcp_socket {name_connect name_bind create write connect recvfrom sendto send_msg setopt ioctl setattr getattr};
allow wazuh_t wazuh_t:tcp_socket {accept bind name_connect name_bind create write connect recvfrom sendto send_msg setopt ioctl setattr getattr};
allow wazuh_t wazuh_port_t:udp_socket {name_bind create write connect recvfrom sendto send_msg setopt ioctl setattr getattr};
allow wazuh_t wazuh_t:udp_socket {accept name_bind create write connect recvfrom sendto send_msg setopt ioctl setattr getattr};
allow wazuh_t wazuh_t:unix_dgram_socket { write create ioctl sendto bind getopt connect};
#============== Permissions for wazuh-syscheckd to monitor files and directories and for wazuh-logcollector to logs files
files_read_all_files(wazuh_t)
files_read_all_chr_files(wazuh_t)
files_read_all_symlinks(wazuh_t)
fs_getattr_all_chr_files(wazuh_t)
dev_getattr_all_chr_files(wazuh_t)
allow wazuh_t gssproxy_var_lib_t:sock_file { getattr };
allow wazuh_t fixed_disk_device_t:blk_file { getattr };
allow wazuh_t devlog_t:sock_file { write getattr create setattr unlink};
#============== Permissions for rootcheck to monitor ports
corenet_udp_bind_all_ports(wazuh_t)
corenet_tcp_bind_all_ports(wazuh_t)
#============== Permissions for wazuh-modulesd to run
allow wazuh_t proc_net_t:file { getattr };
allow wazuh_t self:netlink_route_socket {create getattr bind nlmsg_read write};
# Permissions for wazuh-modulesd to run SCA scans
allow wazuh_t sshd_exec_t:file { execute execute_no_trans };
allow wazuh_t useradd_exec_t:file { execute execute_no_trans};
allow wazuh_t rpm_exec_t:file { execute execute_no_trans ioctl};
allow wazuh_t systemd_systemctl_exec_t:file { execute execute_no_trans};
allow wazuh_t insmod_exec_t:file { execute execute_no_trans };
allow wazuh_t iptables_exec_t:file { execute execute_no_trans };
allow wazuh_t crontab_exec_t:file { execute execute_no_trans };
allow wazuh_t journalctl_exec_t:file { execute execute_no_trans};
allow wazuh_t mount_exec_t:file { execute execute_no_trans getattr};
allow wazuh_t rpm_log_t:file { getattr append};
allow wazuh_t rpm_var_lib_t:file { write create setattr unlink rename};
allow wazuh_t rpm_var_lib_t:dir { write add_name remove_name};
allow wazuh_t cert_t:dir { search write create add_name remove_name rmdir};
allow wazuh_t cert_t:file { lock write};
allow wazuh_t tmp_t:dir { search write create add_name remove_name rmdir};
allow wazuh_t unlabeled_t:file { getattr };
allow wazuh_t security_t:security compute_av;
allow wazuh_t security_t:file {write};
allow wazuh_t security_t:dir {write};
allow wazuh_t init_t:unix_stream_socket {connectto ioctl getattr};
allow wazuh_t init_t:system { status };
allow wazuh_t init_t:service { status };
allow wazuh_t system_dbusd_t:dbus send_msg;
allow wazuh_t tmpfs_t:filesystem { getattr };
allow wazuh_t cgroup_t:filesystem { getattr };
allow wazuh_t configfs_t:filesystem { getattr };
allow wazuh_t device_t:filesystem { getattr };
allow wazuh_t hugetlbfs_t:filesystem { getattr };
allow wazuh_t proc_t:filesystem { getattr };
allow wazuh_t pstore_t:filesystem { getattr };
allow wazuh_t sysfs_t:filesystem { getattr };
allow wazuh_t fs_t:filesystem { getattr };
allow wazuh_t self:rawip_socket {bind setopt getopt create };
allow wazuh_t kernel_t:unix_dgram_socket sendto;
allow wazuh_t auditd_unit_file_t:service { status };
allow wazuh_t crond_unit_file_t:service { status };
allow wazuh_t systemd_unit_file_t:service { status start};
allow wazuh_t mount_var_run_t:dir { getattr write search write};
allow wazuh_t var_run_t:dir { getattr search write add_name remove_name};
allow wazuh_t var_run_t:file { getattr write lock create unlink};
allow wazuh_t sysctl_net_t:dir search;
allow wazuh_t sysctl_net_t:file { getattr };
allow wazuh_t usermodehelper_t:file { getattr };
allow wazuh_t self:netlink_audit_socket {create setopt bind nlmsg_read write};
allow wazuh_t self:netlink_tcpdiag_socket {create getattr setopt bind nlmsg_read write};
allow wazuh_t kernel_t:system module_request;
allow dhcpc_t unlabeled_t:file {getattr };
#============== Permissions for wazuh-execd to run AR
allow wazuh_t self:capability { chown dac_override fowner fsetid kill net_bind_service net_raw setgid setuid sys_chroot sys_resource sys_ptrace};
allow wazuh_t etc_t:dir { getattr search write add_name remove_name};
allow sshd_t var_t:file { getattr create append ioctl lock setattr write};
allow wazuh_t firewalld_t:dbus send_msg;
allow firewalld_t wazuh_t:dbus send_msg;
allow wazuh_t firewalld_t:process { getattr getpgid getsession signull };
allow iptables_t var_run_t:file { lock};
allow wazuh_t system_dbusd_t:unix_stream_socket connectto;
allow wazuh_t http_port_t:tcp_socket {name_bind name_connect write };
#============== Permissions to assign new contexts
allow unconfined_t wazuh_var_t:dir {getattr search relabelto};
allow unconfined_t wazuh_var_t:file {getattr relabelto};
allow unconfined_t wazuh_var_t:sock_file {getattr relabelto};
allow unconfined_t wazuh_lib_t:dir {getattr search relabelto};
allow unconfined_t wazuh_lib_t:file {getattr relabelto};
allow unconfined_t wazuh_etc_t:dir {getattr search relabelto};
allow unconfined_t wazuh_etc_t:file {getattr write relabelto};
DoD
- Re-write the policy, adding/removing sections as required
- Test that all the Wazuh agent/manager features work as expected