
sechecker failures due to differences from upstream #9

Open
0xC0ncord opened this issue Jan 6, 2025 · 0 comments

Upstream introduced a workflow for validating critical policy checks, but it relies on a config file to know which domains are allowed to do some sensitive actions.

We're carrying some other domains with such permissions, but they haven't been added to this config. We should review these domains and either drop the access or add it to testing/sechecker.ini.

Check name: PRIVILEGE-setenforce

Description: Verify only expected domains can change SELinux to permissive mode.

    * allow can_setenforce security_t:security setenforce; [ secure_mode_policyload ]:False

Check FAILED

---------------------------------------------------------

Check name: PRIVILEGE-CAP_SYS_ADMIN

Description: Verify only expected domains have CAP_SYS_ADMIN

    * allow portage_t portage_t:capability { chown dac_override dac_read_search fowner fsetid kill mknod net_admin net_raw setfcap setgid setuid sys_admin sys_nice };
    * allow qemu_ga_t qemu_ga_t:capability sys_admin;

Check FAILED

---------------------------------------------------------

Check name: PRIVILEGE-CAP_NET_ADMIN

Description: Verify only expected domains can use CAP_NET_ADMIN.

    * allow portage_t portage_t:capability { chown dac_override dac_read_search fowner fsetid kill mknod net_admin net_raw setfcap setgid setuid sys_admin sys_nice };
    * allow salt_master_t salt_master_t:capability { net_admin sys_admin sys_nice sys_tty_config };
    * allow salt_minion_t salt_minion_t:capability { chown dac_override dac_read_search fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_tty_config };
    * allow ss_t ss_t:capability net_admin;
    * allow vde_t vde_t:capability { chown dac_override fowner fsetid net_admin };

Check FAILED

---------------------------------------------------------

Result Summary:

PRIVILEGE-load_policy                   PASSED
PRIVILEGE-setbool                       PASSED
PRIVILEGE-setenforce                    FAILED (1 failures)
PRIVILEGE-CAP_SYS_MODULE                PASSED
PRIVILEGE-module_load                   PASSED
PRIVILEGE-CAP_SYS_ADMIN                 FAILED (2 failures)
PRIVILEGE-CAP_SYS_RAWIO                 PASSED
PRIVILEGE-CAP_NET_ADMIN                 FAILED (5 failures)
PRIVILEGE-setcurrent                    PASSED
NONTRANQUILITY-systemd                  PASSED
INTEGRITY-readonly-executables          PASSED

8 failure(s) found.
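The sechecker report quoted above is plain text, so triaging it by hand means scanning each FAILED block for source domains. As an added example (not code from this repository or from SETools), the Python below parses a report in that format and inverts it into a per-domain list of the checks each domain trips, which is the view needed to decide, domain by domain, whether to drop the access or list it in testing/sechecker.ini. The embedded sample is a constructed, trimmed copy of the failing checks in the issue; the regex and the dashed-line separator are assumptions about the report layout shown above.

```python
import re
from collections import defaultdict

# One reported TE rule: "allow <src> <tgt>:<class> <perm | { perms }>;", optionally followed
# by the conditional it lives under, e.g. "[ secure_mode_policyload ]:False".
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\]:(?P<enabled>True|False))?"
)

def parse_report(text):
    """Map each FAILED check to its offending rules as (source, perms, conditional)."""
    findings = {}
    for block in re.split(r"-{5,}", text):  # checks are separated by dashed lines
        name = re.search(r"Check name:\s*(\S+)", block)
        if not name or "Check FAILED" not in block:
            continue  # PASSED checks and the result summary carry nothing to review
        findings[name[1]] = [
            (m["src"], frozenset((m["perms"] or m["perm"]).split()), m["cond"])
            for m in RULE_RE.finditer(block)
        ]
    return findings

def domains_to_review(findings):
    """Invert findings: source domain -> set of checks it trips (the triage list)."""
    by_domain = defaultdict(set)
    for check, rules in findings.items():
        for src, _perms, _cond in rules:
            by_domain[src].add(check)
    return dict(by_domain)

# Constructed sample: a trimmed copy of the failing checks quoted in the issue.
SAMPLE = """\
Check name: PRIVILEGE-setenforce
    * allow can_setenforce security_t:security setenforce; [ secure_mode_policyload ]:False
Check FAILED
---------------------------------------------------------
Check name: PRIVILEGE-CAP_SYS_ADMIN
    * allow portage_t portage_t:capability { chown net_admin sys_admin sys_nice };
    * allow qemu_ga_t qemu_ga_t:capability sys_admin;
Check FAILED
---------------------------------------------------------
Check name: PRIVILEGE-CAP_NET_ADMIN
    * allow portage_t portage_t:capability { chown net_admin sys_admin sys_nice };
    * allow ss_t ss_t:capability net_admin;
Check FAILED
---------------------------------------------------------
PRIVILEGE-load_policy                   PASSED
"""
```

On the sample, `domains_to_review(parse_report(SAMPLE))` reports portage_t tripping both capability checks and can_setenforce, qemu_ga_t and ss_t one check each; the conditional on the setenforce rule is preserved so the reviewer can see it only applies while secure_mode_policyload is off.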