|
|
eabbfc |
From 82c99e8de8f2ffef7d340fd7c1d9088367650eb5 Mon Sep 17 00:00:00 2001
|
|
|
eabbfc |
From: Watson Sato <wsato@redhat.com>
|
|
|
eabbfc |
Date: Mon, 10 May 2021 18:53:02 +0200
|
|
|
eabbfc |
Subject: [PATCH] Update and select seboolean rules for R67
|
|
|
eabbfc |
|
|
|
eabbfc |
Fix description of sebool_deny_execmem, and warning about possible
|
|
|
eabbfc |
issues.
|
|
|
eabbfc |
Add rationale to rules the SELinux booleans.
|
|
|
eabbfc |
---
|
|
|
eabbfc |
controls/anssi.yml | 14 +++++++++---
|
|
|
eabbfc |
.../sebool_deny_execmem/rule.yml | 22 ++++++++++++++-----
|
|
|
eabbfc |
.../sebool_selinuxuser_execheap/rule.yml | 4 +++-
|
|
|
eabbfc |
.../sebool_selinuxuser_execstack/rule.yml | 3 ++-
|
|
|
eabbfc |
4 files changed, 33 insertions(+), 10 deletions(-)
|
|
|
eabbfc |
|
|
|
eabbfc |
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
|
|
eabbfc |
index 705f8e25aab..ef9356a6fea 100644
|
|
|
eabbfc |
--- a/controls/anssi.yml
|
|
|
eabbfc |
+++ b/controls/anssi.yml
|
|
|
eabbfc |
@@ -967,10 +967,18 @@ controls:
|
|
|
eabbfc |
allow_execstack to off, forbids processes to make their stack executable;
|
|
|
eabbfc |
secure_mode_insmod to on, prohibits dynamic loading of modules by any process;
|
|
|
eabbfc |
ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.
|
|
|
eabbfc |
+ notes:
|
|
|
eabbfc |
+ In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the
|
|
|
eabbfc |
+ boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not
|
|
|
eabbfc |
+ available, deny_execmem provides the same functionality.
|
|
|
eabbfc |
+ automated: yes
|
|
|
eabbfc |
rules:
|
|
|
eabbfc |
- # Add rule for sebool allow_execheap
|
|
|
eabbfc |
- # Add rule for sebool allow_execmem
|
|
|
eabbfc |
- # Add rule for sebool allow_execstack
|
|
|
eabbfc |
+ - var_selinuxuser_execheap=off
|
|
|
eabbfc |
+ - sebool_selinuxuser_execheap
|
|
|
eabbfc |
+ - var_deny_execmem=on
|
|
|
eabbfc |
+ - sebool_deny_execmem
|
|
|
eabbfc |
+ - var_selinuxuser_execstack=off
|
|
|
eabbfc |
+ - sebool_selinuxuser_execstack
|
|
|
eabbfc |
- var_secure_mode_insmod=on
|
|
|
eabbfc |
- sebool_secure_mode_insmod
|
|
|
eabbfc |
- sebool_ssh_sysadm_login
|
|
|
eabbfc |
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
|
|
|
eabbfc |
index f340ea4be11..e8453fbfb8d 100644
|
|
|
eabbfc |
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
|
|
|
eabbfc |
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
|
|
|
eabbfc |
@@ -2,14 +2,16 @@ documentation_complete: true
|
|
|
eabbfc |
|
|
|
eabbfc |
prodtype: rhel7,rhel8,rhel9,rhv4
|
|
|
eabbfc |
|
|
|
eabbfc |
-title: 'Disable the deny_execmem SELinux Boolean'
|
|
|
eabbfc |
+title: 'Enable the deny_execmem SELinux Boolean'
|
|
|
eabbfc |
|
|
|
eabbfc |
description: |-
|
|
|
eabbfc |
By default, the SELinux boolean <tt>deny_execmem</tt> is disabled.
|
|
|
eabbfc |
- If this setting is enabled, it should be disabled.
|
|
|
eabbfc |
+ If this setting is disabled, it should be enabled.
|
|
|
eabbfc |
{{{ describe_sebool_disable(sebool="deny_execmem") }}}
|
|
|
eabbfc |
|
|
|
eabbfc |
-rationale: ""
|
|
|
eabbfc |
+rationale: |-
|
|
|
eabbfc |
+ Allowing user domain applications to map a memory region as both writable and
|
|
|
eabbfc |
+ executable makes them more susceptible to data execution attacks.
|
|
|
eabbfc |
|
|
|
eabbfc |
severity: medium
|
|
|
eabbfc |
|
|
|
eabbfc |
@@ -19,10 +21,20 @@ identifiers:
|
|
|
eabbfc |
|
|
|
eabbfc |
references:
|
|
|
eabbfc |
anssi: BP28(R67)
|
|
|
eabbfc |
-
|
|
|
eabbfc |
-{{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}}
|
|
|
eabbfc |
+
|
|
|
eabbfc |
+{{{ complete_ocil_entry_sebool_enabled(sebool="deny_execmem") }}}
|
|
|
eabbfc |
+
|
|
|
eabbfc |
+warnings:
|
|
|
eabbfc |
+ - general: |-
|
|
|
eabbfc |
+ This rule doesn't come with a remediation, as enabling this SELinux boolean can cause
|
|
|
eabbfc |
+ applications to malfunction, for example Graphical login managers and Firefox.
|
|
|
eabbfc |
+ - functionality: |-
|
|
|
eabbfc |
+ Proper function and stability should be assessed before applying enabling the SELinux boolean in production systems.
|
|
|
eabbfc |
|
|
|
eabbfc |
template:
|
|
|
eabbfc |
name: sebool
|
|
|
eabbfc |
vars:
|
|
|
eabbfc |
seboolid: deny_execmem
|
|
|
eabbfc |
+ backends:
|
|
|
eabbfc |
+ bash: "off"
|
|
|
eabbfc |
+ ansible: "off"
|
|
|
eabbfc |
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
|
|
|
eabbfc |
index 45aa81a1223..7fedaab6130 100644
|
|
|
eabbfc |
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
|
|
|
eabbfc |
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
|
|
|
eabbfc |
@@ -6,10 +6,12 @@ title: 'Disable the selinuxuser_execheap SELinux Boolean'
|
|
|
eabbfc |
|
|
|
eabbfc |
description: |-
|
|
|
eabbfc |
By default, the SELinux boolean <tt>selinuxuser_execheap</tt> is disabled.
|
|
|
eabbfc |
+ When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.
|
|
|
eabbfc |
If this setting is enabled, it should be disabled.
|
|
|
eabbfc |
{{{ describe_sebool_disable(sebool="selinuxuser_execheap") }}}
|
|
|
eabbfc |
|
|
|
eabbfc |
-rationale: ""
|
|
|
eabbfc |
+rationale: |-
|
|
|
eabbfc |
+ Disabling code execution from the heap blocks buffer overflow attacks.
|
|
|
eabbfc |
|
|
|
eabbfc |
severity: medium
|
|
|
eabbfc |
|
|
|
eabbfc |
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
|
|
|
eabbfc |
index 2b20d0bfe4f..2e0b19f881d 100644
|
|
|
eabbfc |
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
|
|
|
eabbfc |
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
|
|
|
eabbfc |
@@ -10,7 +10,8 @@ description: |-
|
|
|
eabbfc |
to make their stack executable.
|
|
|
eabbfc |
{{{ describe_sebool_disable(sebool="selinuxuser_execstack") }}}
|
|
|
eabbfc |
|
|
|
eabbfc |
-rationale: ""
|
|
|
eabbfc |
+rationale: |-
|
|
|
eabbfc |
+ Disabling code execution from the stack blocks buffer overflow attacks.
|
|
|
eabbfc |
|
|
|
eabbfc |
severity: medium
|
|
|
eabbfc |
|