2011-08-23 13:36:44

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/11] Portage-related updates

Replies to this e-mail will contain a set of Portage-related updates. Many
of these have been presented earlier (think layman support, emerge-webrsync,
running Portage from cron, ...) but needed additional improvements (or even
rewrites), hence the v2.

In short, the patch set contains:

1 Introduce portage_dontaudit_use_fds
2 Use portage_dontaudit_use_fds from load_policy_t
3 Introduce rc_exec_t for /sbin/rc (instead of initrc_exec_t) for Gentoo
4 Allow gcc-config to call /sbin/rc (no transition)
5 Allow Gentoo's integrated run_init_t to call /sbin/rc (no transition)
6 Allow sysadm_t to call /sbin/rc (no transition)
7 Make portage_fetch_t a full application domain (instead of application type)
8 Introduce portage_search_conf_dirs and portage_read_tmp_files
9 Enhance gpg_t with portage_search_conf_dirs and portage_read_tmp_files
10 Allow cron to execute portage commands (incl. transition)
11 Allow portage to call GnuPG

Wkr,
Sven Vermeulen


2011-08-23 13:39:13

by sven.vermeulen

Subject: [refpolicy] [PATCH 01/11] Introduce portage_dontaudit_use_fds

Support the interface to not audit portage_t:fd use (file descriptors, leaked
or not)

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 08b361b..a1bfbaa 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -293,3 +293,22 @@ interface(`portage_dontaudit_rw_tmp_files',`

dontaudit $1 portage_tmp_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## portage file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_use_fds',`
+ gen_require(`
+ type portage_t;
+ ')
+
+ dontaudit $1 portage_t:fds use;
+')
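Review bot: `dontaudit $1 portage_t:fds use;` names an object class `fds` that does not exist; the file descriptor class is `fd`, which is also what the commit message says (`portage_t:fd use`). As written the policy will fail to compile as soon as the interface is called. Change the line to `dontaudit $1 portage_t:fd use;`.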
--
1.7.3.4

2011-08-23 13:39:56

by sven.vermeulen

Subject: [refpolicy] [PATCH 02/11] Do not audit the use of portage's file descriptors from load_policy_t

During build and eventual activation of the base policy, the load_policy_t
domain attempts to use a portage file descriptor. However, this serves no
purpose (the loading is done correctly and everything is logged
appropriately).

Hence, we dontaudit this use.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/selinuxutil.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index e252935..12dabe2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -199,6 +199,10 @@ ifdef(`hide_broken_symptoms',`
')
')

+optional_policy(`
+ portage_dontaudit_use_fds(load_policy_t)
+')
+
########################################
#
# Newrole local policy
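Review bot: the dontaudit hides the denial but leaves the underlying descriptor leak in place: load_policy_t inherits a portage_t descriptor across exec, so Portage (or the sandbox it spawns) is passing an open fd without FD_CLOEXEC. Hiding it is acceptable, but add a comment above the `optional_policy` block naming the leaking caller so the rule is not mistaken for a needed permission, and consider moving it into the `ifdef(`hide_broken_symptoms')` block directly above, since that block exists for exactly this kind of leaked-descriptor noise.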
--
1.7.3.4

2011-08-23 13:40:44

by sven.vermeulen

Subject: [refpolicy] [PATCH 03/11] Introduce rc_exec_t as secondary entry file for initrc_t

Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc) for all
its functions, be it executing init scripts, managing runlevels, checking state,
etc. This binary is not allowed to be labeled initrc_exec_t as that would
trigger domain transitions where this isn't necessary (or even allowed).

A suggested solution is to use a separate type declaration for /sbin/rc
(rc_exec_t) which transitions where necessary.

This patch includes support for the /sbin/rc rc_exec_t type and declares
the init_rc_exec() interface which allows domains to execute the binary
without transitioning.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.fc | 2 +-
policy/modules/system/init.if | 23 ++++++++++++++++++++++-
policy/modules/system/init.te | 4 ++++
3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 354ce93..c2021e3 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,7 +38,7 @@ ifdef(`distro_gentoo', `
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)

ifdef(`distro_gentoo', `
-/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
/sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0)
/sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
/sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 94fd8dd..b8b3337 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -455,6 +455,26 @@ interface(`init_exec',`

########################################
## <summary>
+## Execute the rc program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_rc_exec',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rc_exec_t)
+')
+
+########################################
+## <summary>
## Get the process group of init.
## </summary>
## <param name="domain">
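Review bot: the summary should say that the "rc program" is Gentoo's OpenRC `/sbin/rc` (rc_exec_t), since the interface is only meaningful where that label exists; callers outside init.te then know to wrap the call in `ifdef(`distro_gentoo')`, which the sysadm.te and portage.te callers later in this series do not do. It would also help to state that this is `can_exec` (execute_no_trans) and therefore only keeps the caller in its domain when no type_transition on rc_exec_t applies to it.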
@@ -800,11 +820,12 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t, initrc_exec_t, rc_exec_t;
')

files_list_etc($1)
domtrans_pattern($1, initrc_exec_t, initrc_t)
+ domtrans_pattern($1, rc_exec_t, initrc_t)

ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
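Review bot: the MCS `range_transition` below is only written for initrc_exec_t; now that rc_exec_t is a second transition target of this interface, add `range_transition $1 rc_exec_t:process s0;` to the `enable_mcs` block (and the same for the `enable_mls` block if it carries the matching rule), otherwise an initrc_t started through /sbin/rc keeps the caller's range. Separately, any domain that receives this interface as well as init_rc_exec() will transition on every /sbin/rc exec, because the `domtrans_pattern($1, rc_exec_t, initrc_t)` type_transition is applied before execute_no_trans is considered; that interaction belongs in the interface description.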
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 157e844..00586c6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -56,8 +56,10 @@ mls_trusted_object(initctl_t)

type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
type initrc_exec_t, init_script_file_type;
+type rc_exec_t;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
+domain_entry_file(initrc_t, rc_exec_t)
role system_r types initrc_t;
# should be part of the true block
# of the below init_upstart tunable
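Review bot: `type rc_exec_t;` and `domain_entry_file(initrc_t, rc_exec_t)` are unconditional even though the only file carrying the label is inside the `ifdef(`distro_gentoo')` block in init.fc; as the maintainer asks later in the thread, put both (and the `init_rc_exec(initrc_t)` call in the next hunk) in a distro_gentoo block so non-Gentoo builds do not carry an unused entry type. Also, unlike initrc_exec_t, rc_exec_t deliberately gets no init_script_file_type attribute; a one-line comment saying so would stop someone "fixing" it later and reintroducing the transitions this patch is avoiding.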
@@ -381,6 +383,8 @@ auth_delete_pam_pid(initrc_t)
auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)

+init_rc_exec(initrc_t)
+
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
libs_exec_ld_so(initrc_t)
--
1.7.3.4
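
The exec-time rules this patch depends on (execute, execute_no_trans, type_transition, transition, entrypoint), as an added toy model written for this page; it is not code from refpolicy or from the patch author. The helper names mirror the refpolicy macros but leave out their fd/fifo/sigchld side rules, and init_t as the caller of init_domtrans_script() is an assumption made for the illustration. It shows why /sbin/rc needs its own type, and the caveat that a domain which gets both init_rc_exec() and init_domtrans_script() still transitions.

```python
"""Toy model of SELinux exec-time domain selection (added example, not
refpolicy code).  For an exec of a file labelled F from domain D the kernel
needs
    D F:file execute                                   always
and then EITHER
    type_transition D F:process T
      + D T:process transition + T F:file entrypoint   (default transition)
OR, when no type_transition matches,
    D F:file execute_no_trans                          (stay in D).
A matching type_transition is applied before execute_no_trans is consulted,
which is why init_rc_exec() only helps domains that never receive
init_domtrans_script()."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    allow: set = field(default_factory=set)          # (src, tgt, class, perm)
    type_transition: dict = field(default_factory=dict)  # (src, file type) -> new domain

    def allows(self, src, tgt, cls, perm):
        return (src, tgt, cls, perm) in self.allow

    def exec_result(self, src, file_type):
        """Return ('ok', resulting_domain) or ('denied', reason)."""
        if not self.allows(src, file_type, "file", "execute"):
            return ("denied", f"{src} may not execute {file_type}")
        new = self.type_transition.get((src, file_type))
        if new is not None:
            # default transition: execute_no_trans is not looked at here
            if not self.allows(src, new, "process", "transition"):
                return ("denied", f"no process transition {src} -> {new}")
            if not self.allows(new, file_type, "file", "entrypoint"):
                return ("denied", f"{file_type} is not an entrypoint of {new}")
            return ("ok", new)
        if not self.allows(src, file_type, "file", "execute_no_trans"):
            return ("denied", f"{src} has no execute_no_trans on {file_type}")
        return ("ok", src)


# Simplified stand-ins for the refpolicy macros used in the patch.
def can_exec(p, dom, file_type):
    """can_exec($1, $2): run $2 in the caller's own domain."""
    p.allow |= {(dom, file_type, "file", "execute"),
                (dom, file_type, "file", "execute_no_trans")}


def domain_entry_file(p, dom, file_type):
    """domain_entry_file($1, $2): $2 may be an entry point of $1."""
    p.allow.add((dom, file_type, "file", "entrypoint"))


def domtrans_pattern(p, src, file_type, dst):
    """domtrans_pattern($1, $2, $3): exec $2 and land in $3."""
    p.allow |= {(src, file_type, "file", "execute"),
                (src, dst, "process", "transition")}
    domain_entry_file(p, dst, file_type)
    p.type_transition[(src, file_type)] = dst


def build_policy():
    """Rules as the patch lays them out (init_t as the caller of
    init_domtrans_script() is assumed for the example)."""
    p = Policy()
    domain_entry_file(p, "initrc_t", "initrc_exec_t")
    domain_entry_file(p, "initrc_t", "rc_exec_t")       # init.te hunk
    for dom in ("initrc_t", "gcc_config_t", "run_init_t", "sysadm_t"):
        can_exec(p, dom, "rc_exec_t")                   # init_rc_exec() callers
    for entry in ("initrc_exec_t", "rc_exec_t"):
        domtrans_pattern(p, "init_t", entry, "initrc_t")  # init_domtrans_script()
    return p


def with_old_label(p):
    """Before the patch /sbin/rc was initrc_exec_t and sysadm_t had no rule
    for running it in place: denied."""
    return p.exec_result("sysadm_t", "initrc_exec_t")


def with_conflicting_rules(p):
    """Caveat: give sysadm_t init_domtrans_script() too and the
    type_transition overrides its can_exec on rc_exec_t."""
    domtrans_pattern(p, "sysadm_t", "rc_exec_t", "initrc_t")
    return p.exec_result("sysadm_t", "rc_exec_t")


if __name__ == "__main__":
    pol = build_policy()
    print("sysadm_t exec rc_exec_t      ->", pol.exec_result("sysadm_t", "rc_exec_t"))
    print("init_t   exec rc_exec_t      ->", pol.exec_result("init_t", "rc_exec_t"))
    print("sysadm_t exec initrc_exec_t  ->", with_old_label(pol))
    print("sysadm_t with both rules     ->", with_conflicting_rules(pol))
```

Running it prints sysadm_t staying in sysadm_t for /sbin/rc, init_t landing in initrc_t through the new entry file, the pre-patch denial for sysadm_t on initrc_exec_t, and the override once a domtrans on rc_exec_t is added for sysadm_t as well.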

2011-08-23 13:41:21

by sven.vermeulen

Subject: [refpolicy] [PATCH 04/11] Allow gcc-config to execute /sbin/rc without transitioning

The gcc-config application uses some functions (from /etc/init.d/functions.sh)
which are simple wrappers on top of /sbin/rc. Since this script is sourced and
the functions executed from within gcc_config_t, we allow gcc-config to
execute /sbin/rc without transitioning.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 563c598..2794531 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -103,6 +103,7 @@ files_search_pids(gcc_config_t)
# the directory it is being run from
files_list_all(gcc_config_t)

+init_rc_exec(gcc_config_t)
# seems to be ok without this
init_dontaudit_read_script_status_files(gcc_config_t)

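Review bot: inserting `init_rc_exec(gcc_config_t)` directly above `# seems to be ok without this` detaches that comment from `init_dontaudit_read_script_status_files(gcc_config_t)`, which it describes, and makes it read as if the new rule were optional. Place the new call before the blank line at the top of the hunk (or after the dontaudit line) so the comment stays with its rule. If rc_exec_t ends up declared only under distro_gentoo, this call needs the same `ifdef(`distro_gentoo')` wrapper.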
--
1.7.3.4

2011-08-23 13:41:58

by sven.vermeulen

Subject: [refpolicy] [PATCH 05/11] Gentoo's integrated run_init support re-executes /sbin/rc

When an init script is launched, Gentoo's integrated run_init support will
re-execute /sbin/rc (an all-in-one binary) for various functions. The
run_init_t domain here should not be allowed to transition yet, so we allow it
to execute /sbin/rc without transitioning.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/selinuxutil.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 12dabe2..ace2010 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -406,6 +406,7 @@ ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
init_script_file_entry_type(run_init_t)
+ init_rc_exec(run_init_t)
')
')

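Review bot: the rule is correctly scoped inside `ifdef(`distro_gentoo')`, but check that run_init_t does not also receive init_domtrans_script(): patch 03 adds `domtrans_pattern($1, rc_exec_t, initrc_t)` to that interface, and a type_transition is applied before execute_no_trans, so if run_init_t has the domtrans this `init_rc_exec(run_init_t)` line is dead and /sbin/rc transitions anyway. The commit message should also name which /sbin/rc invocations (the helper calls made before the script is started) are the ones meant to stay in run_init_t.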
--
1.7.3.4

2011-08-23 13:43:07

by sven.vermeulen

Subject: [refpolicy] [PATCH 06/11] Allow the sysadm domain to execute /sbin/rc without transitioning

The /sbin/rc binary is used by the system administrator to manage runlevels
(add/delete), check runlevel state, etc., all of which do not require a transition
to occur. Hence /sbin/rc (now labeled rc_exec_t) is allowed to be executed
without transitioning.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 0f96353..00f8a57 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

init_exec(sysadm_t)
+init_rc_exec(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
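Review bot: `init_rc_exec(sysadm_t)` is added unconditionally next to `init_exec(sysadm_t)`; since rc_exec_t only labels Gentoo's /sbin/rc (init.fc) and the maintainer asks for the type to live in a distro_gentoo block, wrap this call in `ifdef(`distro_gentoo')` or the sysadm module stops building elsewhere once the type is conditional. Also check whether sysadm_t gets init_domtrans_script() through its run_init / direct_sysadm_daemon path; if it does, the type_transition on rc_exec_t from patch 03 overrides this no-transition rule.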
--
1.7.3.4

2011-08-23 13:43:45

by sven.vermeulen

Subject: [refpolicy] [PATCH 07/11] Introduce portage_fetch_t as an application domain

Enhance portage_fetch_t from an application type to a domain. Introduce the
proper portage_fetch_exec_t and add the necessary privileges to the domain
definition to allow portage_fetch_t to be used by Portage management utilities
like layman and emerge-webrsync.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.fc | 5 +++++
policy/modules/admin/portage.te | 20 ++++++++++++++++++--
2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 13dc979..41ce431 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -3,12 +3,14 @@
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)

/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)

/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)

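Review bot: labeling `/usr/bin/layman` and `emerge-webrsync` portage_fetch_exec_t puts the whole of both tools, not just their download step, into portage_fetch_t, a domain this patch gives manage rights on portage_ebuild_t (which now also covers /var/lib/layman) and wide outbound network access; the commit message should say that this is intended and what layman does beyond fetching (editing its own configuration, for one) that the domain must therefore allow.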
@@ -22,6 +24,9 @@
/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
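Review bot: `/var/tmp/binpkgs` and `/var/tmp/emerge-webrsync` get portage_tmp_t, the same type as the build scratch tree under /var/tmp/portage, so downloaded snapshots and built binary packages (inputs to installation) are indistinguishable in policy from per-build temp files, and every domain later given portage_read_tmp_files (patch 09 gives it to gpg_t) can read all of them; a dedicated type for the fetch and package area would keep that separation. Also confirm portage_fetch_t can actually reach these paths: the hunk labels them but the .te part of this patch adds no portage_tmp_t rule and no files_search_tmp() for the domain, and /var/tmp itself is tmp_t.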
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 2794531..beeeb81 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -34,7 +34,8 @@ corecmd_shell_entry_type(portage_sandbox_t)

# portage package fetching domain
type portage_fetch_t;
-application_type(portage_fetch_t)
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
corecmd_shell_entry_type(portage_fetch_t)
rsync_entry_type(portage_fetch_t)

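Review bot: `application_domain(portage_fetch_t, portage_fetch_exec_t)` declares the entry file, but nothing in this patch lets any domain transition through it: no domtrans_pattern from portage_t or the admin role, no portage_domtrans_fetch / portage_run_fetch style interface, and no `role` statement for the domain. Add those (or point at where they already exist); otherwise layman and emerge-webrsync keep running in the caller's domain and the fetch domain remains reachable only through the shell and rsync entry types listed just below.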
@@ -219,8 +220,10 @@ allow portage_fetch_t self:capability { dac_override fowner fsetid };
allow portage_fetch_t self:process signal;
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;

allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)

manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
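Review bot: the added blank line between `allow portage_fetch_t portage_conf_t:dir list_dir_perms;` and `read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)` splits two rules for the same object type; refpolicy keeps them together, so drop it. The `self:fifo_file rw_fifo_file_perms` addition is fine but deserves a comment naming the shell pipeline (emerge-webrsync) that needs it.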
@@ -240,9 +243,14 @@ kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)

corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)

corenet_all_recvfrom_unlabeled(portage_fetch_t)
corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_generic_node(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
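Review bot: the per-protocol `corenet_sendrecv_{http,http_cache,git,rsync}_client_packets` lines sit next to `corenet_tcp_sendrecv_all_ports` here and `corenet_tcp_connect_all_reserved_ports` in the next hunk, so the domain already talks to everything and the specific rules only matter for labeled-packet setups. If the aim is a least-privilege fetcher, replace the `*_all_ports` and `*_all_reserved_ports` rules with the http, http_cache, rsync and git port interfaces that this hunk and the next one already spell out.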
@@ -251,6 +259,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)

dev_dontaudit_read_rand(portage_fetch_t)

@@ -258,11 +267,15 @@ domain_use_interactive_fds(portage_fetch_t)

files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
-files_search_var(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)

+logging_list_logs(portage_fetch_t)
+
term_search_ptys(portage_fetch_t)

+
miscfiles_read_localization(portage_fetch_t)

sysnet_read_config(portage_fetch_t)
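Review bot: this hunk and the next add stray blank lines (two in a row before `miscfiles_read_localization`, and on both sides of `rsync_exec`); refpolicy uses a single blank line between groups. Replacing `files_search_var` with `files_search_var_lib` is fine for /var/lib/layman, but `files_read_usr_files` is a broad grant: say which files under /usr the fetcher needs and use a narrower interface if one fits.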
@@ -271,6 +284,9 @@ sysnet_dns_name_resolve(portage_fetch_t)
userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)

+
+rsync_exec(portage_fetch_t)
+
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
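Review bot: `rsync_exec(portage_fetch_t)` calls into a separate module without an `optional_policy()` wrapper, unlike the gpg and modutils calls elsewhere in this file; either wrap it or document that the `rsync_entry_type(portage_fetch_t)` above already makes rsync a hard dependency of the portage module.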
--
1.7.3.4

2011-08-23 13:44:21

by sven.vermeulen

Subject: [refpolicy] [PATCH 08/11] Introduce search_conf_dirs and read_tmp_files interfaces for Portage

We add support for searching through portage's configuration file locations
(which will be used in subsequent patches) for tools that provide additional
features on top of Portage and which integrate with it. For instance, gpg
(validating snapshots).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.if | 39 +++++++++++++++++++++++++++++++++++++++
1 files changed, 39 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index a1bfbaa..4851e90 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -258,6 +258,25 @@ interface(`portage_run_gcc_config',`

########################################
## <summary>
+## Allow a domain search privileges through portage configuration
+## file directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow search privileges
+## </summary>
+## </param>
+#
+interface(`portage_search_conf_dirs',`
+ gen_require(`
+ type portage_conf_t;
+ ')
+
+ allow $1 portage_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to search the
## portage temporary directories.
## </summary>
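Review bot: the summary "Allow a domain search privileges through portage configuration file directories" reads awkwardly next to the neighbouring interfaces; use the house style, e.g. "Search portage configuration directories." and "Domain allowed access." for the parameter. The rule itself is fine; note for callers that the interface does not add search on /etc (files_search_etc), so a domain must already have that to reach /etc/portage.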
@@ -277,6 +296,26 @@ interface(`portage_dontaudit_search_tmp',`

########################################
## <summary>
+## Allow a domain to read portage_tmp_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow read privileges
+## </summary>
+## </param>
+#
+interface(`portage_read_tmp_files',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ allow $1 portage_tmp_t:dir list_dir_perms;
+ allow $1 portage_tmp_t:file read_file_perms;
+')
+
+
+########################################
+## <summary>
## Do not audit attempts to read and write
## the portage temporary files.
## </summary>
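Review bot: the summary should describe the access rather than the type ("Read the portage temporary files."), and the body should use the pattern macro used elsewhere in this file, `read_files_pattern($1, portage_tmp_t, portage_tmp_t)`, alongside the explicit `list_dir_perms` rule for listing. There is also a doubled blank line before the next separator. Point out to callers that portage_tmp_t covers the whole build tree under /var/tmp/portage, so this is considerably wider than reading one downloaded snapshot.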
--
1.7.3.4

2011-08-23 13:44:56

by sven.vermeulen

Subject: [refpolicy] [PATCH 09/11] Support GnuPG integration in Portage

To support GnuPG integration in Portage (such as validating the signature of
snapshots), we need to add portage_search_conf_dirs rights (have GnuPG find its
keys in /etc/portage/gnupg) and portage_read_tmp_files (where the snapshot will
be stored and later extracted).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/gpg.te | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 9050e8c..bde06f6 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -147,6 +147,11 @@ optional_policy(`
')

optional_policy(`
+ portage_search_conf_dirs(gpg_t)
+ portage_read_tmp_files(gpg_t)
+')
+
+optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
')
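Review bot: this widens the user-oriented gpg_t domain to list and read every portage_tmp_t file, which per portage.fc includes the complete build tree under /var/tmp/portage and not only the emerge-webrsync snapshot being verified. A narrower type for the download area, or running the verification inside portage_t via gpg_exec (as the maintainer suggests on patch 11), would avoid exposing build contents to any user's gpg session. Also, `portage_search_conf_dirs` only grants directory search; /etc/portage/gnupg is portage_conf_t per the fc, so gpg_t still needs read access to the keyring files themselves, and the patch should say where that comes from.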
--
1.7.3.4

2011-08-23 13:46:06

by sven.vermeulen

Subject: [refpolicy] [PATCH 10/11] Allow cron to execute portage commands

Many users use portage from within cron (for instance to update the portage
tree or even automatically update their system). As such, we allow running
portage from the system_cronjob_t domain.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/cron.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f22d27c..5ba27b7 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -472,6 +472,10 @@ optional_policy(`
')

optional_policy(`
+ portage_run(system_cronjob_t, system_r)
+')
+
+optional_policy(`
postfix_read_config(system_cronjob_t)
')

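Review bot: as the maintainer replies, the cron entry belongs in portage.te as `cron_system_entry(portage_t, portage_exec_t)` rather than a `portage_run()` call from cron.te; refpolicy keeps the cron hook with the application it enters. Independently of placement, this lets any system cron job run emerge unattended, which installs software with no administrator in the loop; consider guarding the transition with a tunable so sites that do not want unattended updates can keep it off.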
--
1.7.3.4

2011-08-23 13:46:38

by sven.vermeulen

Subject: [refpolicy] [PATCH 11/11] Allow portage to call GnuPG

Allow the portage domain to transition to the gpg_t domain (used for instance
when validating signed manifests).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index beeeb81..af2d00e 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -192,6 +192,10 @@ optional_policy(`
')

optional_policy(`
+ gpg_domtrans(portage_t)
+')
+
+optional_policy(`
modutils_domtrans_depmod(portage_t)
modutils_domtrans_update_mods(portage_t)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
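Review bot: the maintainer asks whether `gpg_exec(portage_t)` would do instead of a transition. From the policy side the transition costs more than it buys: gpg_t then needs its own rights to the keyring under /etc/portage/gnupg and to the files it verifies (patch 09), whereas gpg running inside portage_t needs nothing beyond what portage_t already has, and the verification outcome is gpg's exit status consumed by emerge either way. If the transition stays, the commit message should say what isolation it is meant to provide.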
--
1.7.3.4

2011-08-25 11:36:02

by cpebenito

Subject: [refpolicy] [PATCH 10/11] Allow cron to execute portage commands

On 08/23/11 09:46, Sven Vermeulen wrote:
> Many users use portage from within cron (for instance to update the portage
> tree or even automatically update their system). As such, we allow running
> portage from the system_cronjob_t domain.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/services/cron.te | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
> index f22d27c..5ba27b7 100644
> --- a/policy/modules/services/cron.te
> +++ b/policy/modules/services/cron.te
> @@ -472,6 +472,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + portage_run(system_cronjob_t, system_r)
> +')
> +
> +optional_policy(`
> postfix_read_config(system_cronjob_t)
> ')

This should be cron_system_entry() in portage.te.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-08-25 11:37:11

by cpebenito

Subject: [refpolicy] [PATCH 11/11] Allow portage to call GnuPG

On 08/23/11 09:46, Sven Vermeulen wrote:
> Allow the portage domain to transition to the gpg_t domain (used for instance
> when validating signed manifests).
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/portage.te | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index beeeb81..af2d00e 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -192,6 +192,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gpg_domtrans(portage_t)
> +')
> +
> +optional_policy(`
> modutils_domtrans_depmod(portage_t)
> modutils_domtrans_update_mods(portage_t)
> #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;

Is this really necessary? Gpg_t is oriented towards users; gpg_exec()
doesn't work?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-08-25 11:40:23

by cpebenito

Subject: [refpolicy] [PATCH 03/11] Introduce rc_exec_t as secondary entry file for initrc_t

On 08/23/11 09:40, Sven Vermeulen wrote:
> Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc) for all
> its functions, be it executing init scripts, managing runlevels, checking state,
> etc. This binary is not allowed to be labeled initrc_exec_t as that would
> trigger domain transitions where this isn't necessary (or even allowed).
>
> A suggested solution is to use a separate type declaration for /sbin/rc
> (rc_exec_t) which transitions where necessary.
>
> This patch includes support for the /sbin/rc rc_exec_t type and declares
> the init_rc_exec() interface which allows domains to execute the binary
> without transitioning.

I think the overall implementation is fine, except everything in this
patch should be in distro_gentoo blocks, except for the init_rc_exec()
implementation.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/init.fc | 2 +-
> policy/modules/system/init.if | 23 ++++++++++++++++++++++-
> policy/modules/system/init.te | 4 ++++
> 3 files changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index 354ce93..c2021e3 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -38,7 +38,7 @@ ifdef(`distro_gentoo', `
> /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
>
> ifdef(`distro_gentoo', `
> -/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
> +/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
> /sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 94fd8dd..b8b3337 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -455,6 +455,26 @@ interface(`init_exec',`
>
> ########################################
> ## <summary>
> +## Execute the rc program in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_rc_exec',`
> + gen_require(`
> + type rc_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, rc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## Get the process group of init.
> ## </summary>
> ## <param name="domain">
> @@ -800,11 +820,12 @@ interface(`init_spec_domtrans_script',`
> #
> interface(`init_domtrans_script',`
> gen_require(`
> - type initrc_t, initrc_exec_t;
> + type initrc_t, initrc_exec_t, rc_exec_t;
> ')
>
> files_list_etc($1)
> domtrans_pattern($1, initrc_exec_t, initrc_t)
> + domtrans_pattern($1, rc_exec_t, initrc_t)
>
> ifdef(`enable_mcs',`
> range_transition $1 initrc_exec_t:process s0;
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 157e844..00586c6 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -56,8 +56,10 @@ mls_trusted_object(initctl_t)
>
> type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
> type initrc_exec_t, init_script_file_type;
> +type rc_exec_t;
> domain_type(initrc_t)
> domain_entry_file(initrc_t, initrc_exec_t)
> +domain_entry_file(initrc_t, rc_exec_t)
> role system_r types initrc_t;
> # should be part of the true block
> # of the below init_upstart tunable
> @@ -381,6 +383,8 @@ auth_delete_pam_pid(initrc_t)
> auth_delete_pam_console_data(initrc_t)
> auth_use_nsswitch(initrc_t)
>
> +init_rc_exec(initrc_t)
> +
> libs_rw_ld_so_cache(initrc_t)
> libs_exec_lib_files(initrc_t)
> libs_exec_ld_so(initrc_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-08-25 11:46:54

by cpebenito

Subject: [refpolicy] [PATCH 01/11] Introduce portage_dontaudit_use_fds

On 08/23/11 09:39, Sven Vermeulen wrote:
> Support the interface to not audit portage_t:fd use (file descriptors, leaked
> or not)

Merged.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/portage.if | 19 +++++++++++++++++++
> 1 files changed, 19 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 08b361b..a1bfbaa 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -293,3 +293,22 @@ interface(`portage_dontaudit_rw_tmp_files',`
>
> dontaudit $1 portage_tmp_t:file rw_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to use
> +## portage file descriptors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`portage_dontaudit_use_fds',`
> + gen_require(`
> + type portage_t;
> + ')
> +
> + dontaudit $1 portage_t:fds use;
> +')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-08-25 11:47:27

by cpebenito

Subject: [refpolicy] [PATCH 02/11] Do not audit the use of portage's file descriptors from load_policy_t

On 08/23/11 09:39, Sven Vermeulen wrote:
> During build and eventual activation of the base policy, the load_policy_t
> domain attempts to use a portage file descriptor. However, this serves no
> purpose (the loading is done correctly and everything is logged
> appropriately).
>
> Hence, we dontaudit this use.

Merged.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/selinuxutil.te | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index e252935..12dabe2 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -199,6 +199,10 @@ ifdef(`hide_broken_symptoms',`
> ')
> ')
>
> +optional_policy(`
> + portage_dontaudit_use_fds(load_policy_t)
> +')
> +
> ########################################
> #
> # Newrole local policy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-08-25 20:11:00

by sven.vermeulen

Subject: [refpolicy] [PATCH 03/11] Introduce rc_exec_t as secondary entry file for initrc_t

On Thu, Aug 25, 2011 at 1:40 PM, Christopher J. PeBenito
<[email protected]> wrote:
> I think the overall implementation is fine, except everything in this
> patch should be in distro_gentoo blocks, except for the init_rc_exec()
> implementation.

Ok, I assume the exception also holds for the pure type definition
(type rc_exec_t)? Since the init_rc_exec() interface requires it, I
assume that I cannot just put that behind an ifdef(`distro_gentoo')
one, right?

Wkr,
Sven Vermeulen

2011-08-30 12:20:28

by cpebenito

Subject: [refpolicy] [PATCH 03/11] Introduce rc_exec_t as secondary entry file for initrc_t

On 08/25/11 16:11, Sven Vermeulen wrote:
> On Thu, Aug 25, 2011 at 1:40 PM, Christopher J. PeBenito
> <[email protected]> wrote:
>> I think the overall implementation is fine, except everything in this
>> patch should be in distro_gentoo blocks, except for the init_rc_exec()
>> implementation.
>
> Ok, I assume the exception also holds for the pure type definition
> (type rc_exec_t)? Since the init_rc_exec() interface requires it, I
> assume that I cannot just put that behind an ifdef(`distro_gentoo')
> one, right?

That's fine.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-08-30 13:30:13

by cpebenito

Subject: [refpolicy] [PATCH 03/11] Introduce rc_exec_t as secondary entry file for initrc_t

On 08/30/11 08:20, Christopher J. PeBenito wrote:
> On 08/25/11 16:11, Sven Vermeulen wrote:
>> On Thu, Aug 25, 2011 at 1:40 PM, Christopher J. PeBenito
>> <[email protected]> wrote:
>>> I think the overall implementation is fine, except everything in this
>>> patch should be in distro_gentoo blocks, except for the init_rc_exec()
>>> implementation.
>>
>> Ok, I assume the exception also holds for the pure type definition
>> (type rc_exec_t)? Since the init_rc_exec() interface requires it, I
>> assume that I cannot just put that behind an ifdef(`distro_gentoo')
>> one, right?
>
> That's fine.

Actually, you can put the definition in the distro_gentoo. We already have
examples of interfaces that reference types that are optionally declared.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com