Update SELinux Wazuh policy

[pereyra-m]

Description

There is SELinux section that covers the creation of a policy https://documentation.wazuh.com/current/development/selinux-wazuh-context.html

Nevertheless, it was reported that it isn't working

• https://github.com/wazuh/wazuh/issues/18428

It is required to update this section.

How to reproduce

I have followed the guide to confirm if there is a problem with it. I'm using a CentOS 10 Stram Docker image.

The compilation step gives the same error

[root@4e242917b7a5 selinux-wazuh]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted wazuhT module
wazuhT.te:57:ERROR 'Class process would have too many permissions to fit in an access vector with permission read' at token '}' on line 3452:
class process { transition getattr getpgid getsession setrlimit setsched signull open read};
role unconfined_r;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/wazuhT.mod] Error 1

The policy was added two years ago

• https://github.com/wazuh/wazuh-documentation/pull/4778

If I remove the read permission from the mentioned line

class process { transition getattr getpgid getsession setrlimit setsched signull open};

I can compile the policy

[root@4e242917b7a5 selinux-wazuh]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted wazuhT module
Creating targeted wazuhT.pp policy package
rm tmp/wazuhT.mod tmp/wazuhT.mod.fc

But I can't install it

[root@4e242917b7a5 selinux-wazuh]# semodule -i wazuhT.pp
Failed to resolve permission open
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/wazuhT/cil:177
Failed to resolve AST
semodule:  Failed!

Removing all references to open gives a similar error with read

[root@4e242917b7a5 selinux-wazuh]# semodule -i wazuhT.pp
Failed to resolve permission read
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/wazuhT/cil:202
Failed to resolve AST
semodule:  Failed!

Removing all references to read and the resulting empty lines, results in a successful compilation and installation

[root@4e242917b7a5 selinux-wazuh]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted wazuhT module
Creating targeted wazuhT.pp policy package
rm tmp/wazuhT.mod tmp/wazuhT.mod.fc
[root@4e242917b7a5 selinux-wazuh]# semodule -i wazuhT.pp
[root@4e242917b7a5 selinux-wazuh]# 

This is a workaround, it should be tested in depth

wazuhT.te

``` policy_module(wazuhT,1.0) require { type bin_t; type tmp_t; type unconfined_t; type initrc_t; type unconfined_service_t; type shell_exec_t; type var_t; type cert_t; type node_t; type init_t; type kernel_t; type system_dbusd_t; type sshd_t; type fs_t; type unlabeled_t; type sysctl_net_t; type systemd_unit_file_t; type cgroup_t; type hugetlbfs_t; type sysfs_t; type iptables_exec_t; type sshd_exec_t; type device_t; type fixed_disk_device_t; type useradd_exec_t; type journalctl_exec_t; type proc_net_t; type pstore_t; type mount_exec_t; type insmod_exec_t; type systemd_systemctl_exec_t; type crontab_exec_t; type devlog_t; type rpm_exec_t; type proc_t; type configfs_t; type http_port_t; type tmpfs_t; type gssproxy_var_lib_t; type rpm_log_t; type auditd_unit_file_t; type crond_unit_file_t; type mount_var_run_t; type rpm_var_lib_t; type usermodehelper_t; type var_run_t; type etc_t; type security_t; type firewalld_t; type iptables_t; type dhcpc_t; role system_r; role unconfined_r; class process { transition getattr getpgid getsession setrlimit setsched signull }; class rawip_socket {bind setopt getopt create }; class netlink_route_socket {bind setopt create write nlmsg_read}; class netlink_audit_socket {bind setopt create write nlmsg_read}; class lnk_file {getattr }; class file { getattr execute getattr }; class dir { getattr search }; class tcp_socket { bind connect create getopt listen name_bind name_connect node_bind setopt }; class capability { chown dac_override fowner fsetid kill net_bind_service net_raw setgid setuid sys_chroot sys_resource sys_ptrace}; class unix_dgram_socket { write create ioctl sendto bind getopt connect}; class netlink_tcpdiag_socket {create getattr setopt bind nlmsg_read write}; class filesystem { getattr }; class sock_file { getattr }; class blk_file { getattr }; class udp_socket name_bind; class unix_stream_socket {connectto ioctl getattr}; class dbus send_msg; } # Private type declarations type wazuh_t; type wazuh_exec_t; type wazuh_etc_t; type wazuh_lib_t; type wazuh_log_t; type wazuh_tmp_t; type wazuh_var_t; # Ports label type wazuh_port_t; corenet_port(wazuh_port_t) # domain_type macro specifies the type wazuh_t to be a domain domain_type(wazuh_t) # domain_entry_file specifies an entry point to the wazuh_t domain for the executable file of type wazuh_exec_t domain_entry_file(wazuh_t, wazuh_exec_t) # logging_log_file macro makes wazuh_log_t become the type of log file with the necessary groups and rules logging_log_file(wazuh_log_t) # Allow domain wazuh_t to manipulate log files allow wazuh_t wazuh_log_t:file append_file_perms; # files_tmp_file takes the type of wazuh_tmp_t to the necessary groups so that it becomes the type of tmp file files_tmp_file(wazuh_tmp_t) # Allow the wazuh_t domain write privileges into the tmp_t labeled directory, but with an automatic file transition towards wazuh_tmp_t for every file written files_tmp_filetrans(wazuh_t,wazuh_tmp_t,file) # Allow domain wazuh_t to manipulate tmp files allow wazuh_t wazuh_tmp_t:file manage_file_perms; #============== Allow transition role unconfined_r types wazuh_t; role system_r types wazuh_t; allow wazuh_t bin_t : file execute; allow unconfined_t wazuh_t : process transition; allow initrc_t wazuh_t : process transition; allow unconfined_service_t wazuh_t : process transition; allow unconfined_t wazuh_exec_t : file execute; allow initrc_t wazuh_exec_t : file execute; allow unconfined_service_t wazuh_exec_t : file execute; allow wazuh_t wazuh_exec_t : file entrypoint; type_transition unconfined_t wazuh_exec_t : process wazuh_t; type_transition initrc_t wazuh_exec_t : process wazuh_t; type_transition unconfined_service_t wazuh_exec_t : process wazuh_t; #============== Permissions for wazuh-control to run Wazuh allow wazuh_t shell_exec_t:file { execute execute_no_trans }; allow wazuh_t bin_t:file execute_no_trans; allow wazuh_t wazuh_var_t:dir { create rmdir add_name remove_name write getattr setattr search}; allow wazuh_t wazuh_var_t:file { create getattr append rename setattr unlink write ioctl lock}; allow wazuh_t wazuh_exec_t:dir { create rmdir getattr add_name remove_name write setattr search}; allow wazuh_t wazuh_exec_t:file { create getattr append rename setattr link unlink write ioctl lock execute execute_no_trans}; allow wazuh_t wazuh_log_t:dir { create rmdir getattr add_name remove_name write setattr search}; allow wazuh_t wazuh_log_t:file { create getattr append rename setattr link unlink write ioctl lock}; allow wazuh_t wazuh_etc_t:dir { create rmdir getattr add_name remove_name write setattr search}; allow wazuh_t wazuh_tmp_t:dir { create rmdir getattr add_name remove_name write setattr search rmdir}; allow wazuh_t wazuh_tmp_t:file { create getattr append rename setattr link unlink write ioctl lock}; allow wazuh_t wazuh_lib_t:dir { create rmdir getattr add_name remove_name write setattr search}; allow wazuh_t wazuh_lib_t:file { getattr map execute}; allow wazuh_t wazuh_var_t:filesystem { associate}; allow wazuh_var_t fs_t:filesystem { associate}; allow wazuh_etc_t fs_t:filesystem { associate}; # Permissions to read /proc domain_read_all_domains_state(wazuh_t) domain_getpgid_all_domains( wazuh_t ) domain_getattr_all_domains( wazuh_t ) domain_getsession_all_domains( wazuh_t ) domain_signull_all_domains( wazuh_t ) #============== Permissions for Framework and API allow wazuh_t self:tcp_socket { bind connect create getopt listen setopt }; allow wazuh_t self:udp_socket { bind connect create getattr ioctl setopt }; allow wazuh_t node_t:tcp_socket node_bind; allow wazuh_t node_t:udp_socket node_bind; #============== Permissions for wazuh-analysisd to run allow wazuh_t self:process { getattr getpgid getsession setrlimit setsched }; allow wazuh_t wazuh_etc_t:file { create getattr append rename setattr link unlink write ioctl lock map}; #============== Permissions for wazuh-remoted to use sockets allow wazuh_t wazuh_var_t:sock_file { write getattr create setattr unlink} ; allow wazuh_t wazuh_t:unix_stream_socket {connectto ioctl}; allow wazuh_t wazuh_port_t:tcp_socket {name_connect name_bind create write connect recvfrom sendto send_msg setopt ioctl setattr getattr}; allow wazuh_t wazuh_t:tcp_socket {accept bind name_connect name_bind create write connect recvfrom sendto send_msg setopt ioctl setattr getattr}; allow wazuh_t wazuh_port_t:udp_socket {name_bind create write connect recvfrom sendto send_msg setopt ioctl setattr getattr}; allow wazuh_t wazuh_t:udp_socket {accept name_bind create write connect recvfrom sendto send_msg setopt ioctl setattr getattr}; allow wazuh_t wazuh_t:unix_dgram_socket { write create ioctl sendto bind getopt connect}; #============== Permissions for wazuh-syscheckd to monitor files and directories and for wazuh-logcollector to logs files files_read_all_files(wazuh_t) files_read_all_chr_files(wazuh_t) files_read_all_symlinks(wazuh_t) fs_getattr_all_chr_files(wazuh_t) dev_getattr_all_chr_files(wazuh_t) allow wazuh_t gssproxy_var_lib_t:sock_file { getattr }; allow wazuh_t fixed_disk_device_t:blk_file { getattr }; allow wazuh_t devlog_t:sock_file { write getattr create setattr unlink}; #============== Permissions for rootcheck to monitor ports corenet_udp_bind_all_ports(wazuh_t) corenet_tcp_bind_all_ports(wazuh_t) #============== Permissions for wazuh-modulesd to run allow wazuh_t proc_net_t:file { getattr }; allow wazuh_t self:netlink_route_socket {create getattr bind nlmsg_read write}; # Permissions for wazuh-modulesd to run SCA scans allow wazuh_t sshd_exec_t:file { execute execute_no_trans }; allow wazuh_t useradd_exec_t:file { execute execute_no_trans}; allow wazuh_t rpm_exec_t:file { execute execute_no_trans ioctl}; allow wazuh_t systemd_systemctl_exec_t:file { execute execute_no_trans}; allow wazuh_t insmod_exec_t:file { execute execute_no_trans }; allow wazuh_t iptables_exec_t:file { execute execute_no_trans }; allow wazuh_t crontab_exec_t:file { execute execute_no_trans }; allow wazuh_t journalctl_exec_t:file { execute execute_no_trans}; allow wazuh_t mount_exec_t:file { execute execute_no_trans getattr}; allow wazuh_t rpm_log_t:file { getattr append}; allow wazuh_t rpm_var_lib_t:file { write create setattr unlink rename}; allow wazuh_t rpm_var_lib_t:dir { write add_name remove_name}; allow wazuh_t cert_t:dir { search write create add_name remove_name rmdir}; allow wazuh_t cert_t:file { lock write}; allow wazuh_t tmp_t:dir { search write create add_name remove_name rmdir}; allow wazuh_t unlabeled_t:file { getattr }; allow wazuh_t security_t:security compute_av; allow wazuh_t security_t:file {write}; allow wazuh_t security_t:dir {write}; allow wazuh_t init_t:unix_stream_socket {connectto ioctl getattr}; allow wazuh_t init_t:system { status }; allow wazuh_t init_t:service { status }; allow wazuh_t system_dbusd_t:dbus send_msg; allow wazuh_t tmpfs_t:filesystem { getattr }; allow wazuh_t cgroup_t:filesystem { getattr }; allow wazuh_t configfs_t:filesystem { getattr }; allow wazuh_t device_t:filesystem { getattr }; allow wazuh_t hugetlbfs_t:filesystem { getattr }; allow wazuh_t proc_t:filesystem { getattr }; allow wazuh_t pstore_t:filesystem { getattr }; allow wazuh_t sysfs_t:filesystem { getattr }; allow wazuh_t fs_t:filesystem { getattr }; allow wazuh_t self:rawip_socket {bind setopt getopt create }; allow wazuh_t kernel_t:unix_dgram_socket sendto; allow wazuh_t auditd_unit_file_t:service { status }; allow wazuh_t crond_unit_file_t:service { status }; allow wazuh_t systemd_unit_file_t:service { status start}; allow wazuh_t mount_var_run_t:dir { getattr write search write}; allow wazuh_t var_run_t:dir { getattr search write add_name remove_name}; allow wazuh_t var_run_t:file { getattr write lock create unlink}; allow wazuh_t sysctl_net_t:dir search; allow wazuh_t sysctl_net_t:file { getattr }; allow wazuh_t usermodehelper_t:file { getattr }; allow wazuh_t self:netlink_audit_socket {create setopt bind nlmsg_read write}; allow wazuh_t self:netlink_tcpdiag_socket {create getattr setopt bind nlmsg_read write}; allow wazuh_t kernel_t:system module_request; allow dhcpc_t unlabeled_t:file {getattr }; #============== Permissions for wazuh-execd to run AR allow wazuh_t self:capability { chown dac_override fowner fsetid kill net_bind_service net_raw setgid setuid sys_chroot sys_resource sys_ptrace}; allow wazuh_t etc_t:dir { getattr search write add_name remove_name}; allow sshd_t var_t:file { getattr create append ioctl lock setattr write}; allow wazuh_t firewalld_t:dbus send_msg; allow firewalld_t wazuh_t:dbus send_msg; allow wazuh_t firewalld_t:process { getattr getpgid getsession signull }; allow iptables_t var_run_t:file { lock}; allow wazuh_t system_dbusd_t:unix_stream_socket connectto; allow wazuh_t http_port_t:tcp_socket {name_bind name_connect write }; #============== Permissions to assign new contexts allow unconfined_t wazuh_var_t:dir {getattr search relabelto}; allow unconfined_t wazuh_var_t:file {getattr relabelto}; allow unconfined_t wazuh_var_t:sock_file {getattr relabelto}; allow unconfined_t wazuh_lib_t:dir {getattr search relabelto}; allow unconfined_t wazuh_lib_t:file {getattr relabelto}; allow unconfined_t wazuh_etc_t:dir {getattr search relabelto}; allow unconfined_t wazuh_etc_t:file {getattr write relabelto}; ```

DoD

• [ ] Re-write the policy, adding/removing sections as required
• [ ] Test that all the Wazuh agent/manager features work as expected

[sebasfalcone]

Issue blocked

It seems like this feature has not worked since 4.5 at least

I will discuss with management if we should proceed with these changes since this should be refactored in 5.0 nevertheless

Size change

Size changed to huge, in order to fix and validate this we should see every module and check for its requirements