2010-08-05 19:36:20

by domg472

Subject: [refpolicy] [PATCH 1/1] devtmpfs patch

This is all I had to do in my branch to get it going. The patch is not based on refpolicy but on my own branch.
initramfs (dracut) and plymouth are mostly responsible for this mess. I forgot to remove the commented-out unconfined_domain_noaudit(kernel_t) block.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 f35d1d8... fde534a... M policy/modules/kernel/corecommands.te
:100644 100644 0b8a84a... e179d9b... M policy/modules/kernel/devices.if
:100644 100644 61d3f7f... 8fb22a4... M policy/modules/kernel/devices.te
:100644 100644 3809875... 60d3a0d... M policy/modules/kernel/files.if
:100644 100644 1afbf01... 1690986... M policy/modules/kernel/filesystem.te
:100644 100644 77de0fc... 53a8f58... M policy/modules/kernel/kernel.te
:100644 100644 756190f... 6cf2a03... M policy/modules/kernel/terminal.te
:100644 100644 6bfa9db... a5ddba0... M policy/modules/system/init.te
:100644 100644 56c1942... 6e46966... M policy/modules/system/selinuxutil.te
:100644 100644 fa3a66f... d2b2060... M policy/modules/system/udev.if
policy/modules/kernel/corecommands.te | 1 +
policy/modules/kernel/devices.if | 75 +++++++++++++++++++++++++++++++++
policy/modules/kernel/devices.te | 4 ++
policy/modules/kernel/files.if | 72 +++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/kernel/kernel.te | 30 ++++++++++++-
policy/modules/kernel/terminal.te | 1 +
policy/modules/system/init.te | 3 +-
policy/modules/system/selinuxutil.te | 3 +
policy/modules/system/udev.if | 19 ++++++++
10 files changed, 205 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index f35d1d8..fde534a 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -9,6 +9,7 @@ attribute exec_type;

type bin_t alias { ls_exec_t sbin_t };
corecmd_executable_file(bin_t)
+dev_associate(bin_t)

type shell_exec_t;
corecmd_executable_file(shell_exec_t)
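Review bot: `dev_associate(bin_t)` permanently allows executable bin_t content to reside on the device filesystem, and the hunk gives no reason for it. A why-comment above the call, e.g. `# TODO(review): state why bin_t files must be able to live on devtmpfs (dracut/plymouth during early boot?)`, would let a later maintainer tell a transitional workaround from a lasting requirement. If the need is only the initramfs case the description alludes to, that is worth saying here rather than only in the mail.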
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 0b8a84a..e179d9b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -21,6 +21,25 @@ interface(`dev_node',`

########################################
## <summary>
+## Associate the specified file type with device filesystem.
+## </summary>
+## <param name="file_type">
+## <summary>
+## The type of the file to be associated.
+## </summary>
+## </param>
+#
+interface(`dev_associate',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem associate;
+ fs_associate_tmpfs($1)
+')
+
+########################################
+## <summary>
## Relabel all devices.
## </summary>
## <param name="domain">
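Review bot: The summary of `dev_associate` says it associates the type with the device filesystem, but the body also calls `fs_associate_tmpfs($1)`, so every caller silently gains tmpfs association as well. Either drop that call so the interface matches its name, or make the documentation honest: `## Associate the specified file type with the device filesystem and with tmpfs.` Readers of devices.if will otherwise assume the narrower grant.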
@@ -103,6 +122,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`

########################################
## <summary>
+## Mount on generic device directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir mounton;
+')
+
+########################################
+## <summary>
## Add entries to directories in device
## directories.
## </summary>
@@ -444,6 +481,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`

########################################
## <summary>
+## Set attributes of generic character devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file setattr_chr_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to set
## attributes of generic character devices.
## </summary>
@@ -500,6 +555,25 @@ interface(`dev_rw_generic_chr_files',`

########################################
## <summary>
+## Do not audit attempts to read and
+## write generic character devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
## Create generic character devices.
## </summary>
## <param name="domain">
@@ -767,6 +841,7 @@ interface(`dev_filetrans',`
filetrans_pattern($1, device_t, $2, $3)

fs_associate_tmpfs($2)
+ dev_associate($2)
files_associate_tmp($2)
')
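Review bot: `dev_associate($2)` is added directly under `fs_associate_tmpfs($2)`, but if dev_associate is defined as in the earlier hunk of this file it already calls fs_associate_tmpfs itself, so the line above is now redundant. The terminal.te hunk has the same pair (`dev_associate(devpts_t)` after `fs_associate_tmpfs(devpts_t)`). The init.te hunk, by contrast, drops `fs_associate_tmpfs(initctl_t)` and relies on dev_filetrans supplying it; keeping the redundancy here is harmless but inconsistent across the series.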

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 61d3f7f..8fb22a4 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,6 +15,8 @@ fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
+fs_type(device_t)
+fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);

type agp_device_t;
dev_node(agp_device_t)
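Review bot: `fs_type(device_t)` gives device_t a second role with no comment: besides labelling generic device nodes it now matches every `fs_*_all_fs` interface (fs_mount_all_fs, fs_unmount_all_fs, which kernel_t receives elsewhere in this patch), and with `fs_use_trans devtmpfs` moved here from filesystem.te it is also the label of the devtmpfs filesystem object itself. A one-line comment would save the next reader a grep: `# device_t doubles as the devtmpfs filesystem type; nodes created on it label by transition (device_t by default)`. The filesystem.te hunk that removes the tmpfs_t devtmpfs line only makes sense together with this one, so the two should stay in one commit.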
@@ -182,6 +184,8 @@ fs_associate_tmpfs(device_node)

files_associate_tmp(device_node)

+allow device_node device_t:filesystem associate;
+
########################################
#
# Unconfined access to this module
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3809875..60d3a0d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1326,6 +1326,24 @@ interface(`files_write_all_mountpoints',`

########################################
## <summary>
+## Execute root files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ can_exec($1, root_t)
+')
+
+########################################
+## <summary>
## List root directories.
## </summary>
## <param name="domain">
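Review bot: `files_exec_root_files` grants execute on anything labelled root_t, and "Execute root files" does not convey how wide that is; root_t labels the root directory and, if I recall files.te correctly, the initial rootfs via genfscon, which is presumably the initramfs case behind this series. The summary should name that scope, e.g. `## Execute files labelled root_t (the root directory and rootfs contents, such as an initramfs).` The kernel.te hunk that calls it should carry the matching justification.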
@@ -1450,6 +1468,42 @@ interface(`files_dontaudit_rw_root_chr_files',`

########################################
## <summary>
+## Delete root character devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Delete root directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir delete_dir_perms;
+')
+
+########################################
+## <summary>
## Delete root files.
## </summary>
## <param name="domain">
@@ -1468,6 +1522,24 @@ interface(`files_delete_root_files',`

########################################
## <summary>
+## Delete root symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_lnk_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Remove entries from root directories.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1afbf01..1690986 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -157,8 +157,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)

-fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 77de0fc..53a8f58 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -149,6 +149,7 @@ allow kernel_t self:unix_dgram_socket sendto;
allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file rw_fifo_file_perms;
allow kernel_t self:sock_file read_sock_file_perms;
+allow kernel_t self:system module_request;
allow kernel_t self:fd use;

allow kernel_t debugfs_t:dir search_dir_perms;
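Review bot: `allow kernel_t self:system module_request;` is added without a why-comment in a block where every other line is a generic self permission. A short note such as `# kernel-initiated module autoload requests run in kernel_t — confirm` would record the observed denial this answers. It is also unrelated to devtmpfs labelling and could be its own commit.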
@@ -195,13 +196,21 @@ dev_create_generic_blk_files(kernel_t)
dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
-dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
+
+dev_mounton_generic_dirs(kernel_t) #byme
+dev_setattr_generic_chr_files(kernel_t) #byme
+dev_rw_generic_chr_files(kernel_t) #byme
+dev_rw_dri(kernel_t) #byme
+dev_write_kmsg(kernel_t) #byme

fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t)
+fs_read_anon_inodefs_files(kernel_t)

selinux_load_policy(kernel_t)

+seutil_run_setfiles(kernel_t, system_r)
+
term_use_all_terms(kernel_t)
term_use_ptmx(kernel_t)

@@ -218,6 +227,11 @@ files_list_home(kernel_t)
files_read_usr_files(kernel_t)
files_manage_mounttab(kernel_t)
files_manage_generic_spool_dirs(kernel_t)
+files_exec_root_files(kernel_t) #byme
+files_manage_root_files(kernel_t) #byme
+files_delete_root_dirs(kernel_t) #byme
+files_delete_root_lnk_files(kernel_t) #byme
+files_delete_root_chr_files(kernel_t) # byme

mcs_process_set_categories(kernel_t)
mcs_file_read_all(kernel_t)
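Review bot: `files_manage_root_files(kernel_t)` together with `files_exec_root_files(kernel_t)` gives kernel_t both write and execute on the same type, root_t; that combination is exactly what a reviewer will question later, so the block needs a comment naming the scenario it serves (the initramfs contents before switch_root, if that is the case). The `# byme` on the last line has an extra space compared with the `#byme` tags above it, which suggests these were hand-edited and not meant to ship. The three files_delete_root_* interfaces are introduced by this patch in files.if and have no other callers visible here.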
@@ -240,6 +254,10 @@ ifdef(`distro_redhat',`
userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })

optional_policy(`
+ bluetooth_stream_connect(kernel_t) #byme
+')
+
+optional_policy(`
hotplug_search_config(kernel_t)
')

@@ -261,6 +279,10 @@ optional_policy(`
')

optional_policy(`
+ plymouthd_manage_lib_files(kernel_t) #byme
+')
+
+optional_policy(`
allow kernel_t self:tcp_socket create_stream_socket_perms;
allow kernel_t self:udp_socket create_socket_perms;

@@ -308,9 +330,13 @@ optional_policy(`
')

optional_policy(`
- unconfined_domain_noaudit(kernel_t)
+ udev_delete_db_files(kernel_t) #byme
')

+# optional_policy(`
+# unconfined_domain_noaudit(kernel_t)
+#')
+
optional_policy(`
xserver_xdm_manage_spool(kernel_t)
')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 756190f..6cf2a03 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -19,6 +19,7 @@ dev_node(console_device_t)
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
+dev_associate(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 6bfa9db..a5ddba0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -107,9 +107,8 @@ files_pid_filetrans(init_t, init_var_run_t, file)

allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-fs_associate_tmpfs(initctl_t)

-allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+allow init_t initrc_var_run_t:file { rw_file_perms setattr_file_perms};

kernel_read_system_state(init_t)
kernel_share_state(init_t)
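Review bot: The rewritten rule is missing the space before the closing brace; refpolicy style is `allow init_t initrc_var_run_t:file { rw_file_perms setattr_file_perms };`. The `setattr` → `setattr_file_perms` change is also unrelated to devtmpfs and would be cleaner as a separate commit. Dropping `fs_associate_tmpfs(initctl_t)` relies on dev_filetrans now calling dev_associate, which in turn supplies the tmpfs association, so this line depends on the devices.if hunk.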
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 56c1942..6e46966 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -465,6 +465,9 @@ seutil_manage_config(setsebool_t)
# Setfiles local policy
#

+# dracut/initramfs: /dev/console
+dev_dontaudit_rw_generic_chr_files(setfiles_t)
+
seutil_setfiles(setfiles_t)

term_use_generic_ptys(setfiles_t)
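Review bot: `dev_dontaudit_rw_generic_chr_files(setfiles_t)` silences read and write denials on every device_t character device, not only on /dev/console as the comment says, so other denials during the boot-time relabel will go unrecorded. The comment should state which access was actually observed and why it is harmless, e.g. `# dracut/initramfs: setfiles writes to /dev/console before it is relabelled; denial is benign`. If only console access is involved, a dontaudit scoped to that access would keep the rest of the audit trail intact.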
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fa3a66f..d2b2060 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -188,6 +188,25 @@ interface(`udev_dontaudit_search_db',`

########################################
## <summary>
+## Delete udev device table files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_delete_db_files',`
+ gen_require(`
+ type udev_tbl_t;
+ ')
+
+ delete_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ dev_list_all_dev_nodes($1)
+')
+
+########################################
+## <summary>
## Read the udev device table.
## </summary>
## <param name="domain">
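Review bot: `udev_delete_db_files` also grants `dev_list_all_dev_nodes($1)`, which the summary "Delete udev device table files." does not mention. Either document it, `## Delete udev device table files and list device nodes.`, or leave the listing to the caller so the interface does what its name says. If the listing is needed because the table lives under a device_t directory, a one-line comment on that call would make the coupling explicit.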
--
1.7.2
