This is a revised set of portage-related patches, excluding those that have
been merged in the reference policy already.
The patchset primarily adds
- support for rc_exec_t (for Gentoo-based distributions)
- make portage_fetch_t a full application domain for layman/emerge-webrsync
- allow portage_fetch_t to execute gpg (introduces a portage_gpg_t file
type)
- allow portage commands to be run within system cronjobs
Within Gentoo, the init system (openrc) uses a single binary (/sbin/rc)
for all its functions, be it executing init scripts, managing runlevels,
checking state, etc. This binary is not allowed to be labeled
initrc_exec_t as that would trigger domain transitions where this isn't
necessary (or even allowed).
A suggested solution is to use a separate type declaration for /sbin/rc
(rc_exec_t) which transitions where necessary.
This patch includes support for the /sbin/rc rc_exec_t type and declares
the init_rc_exec() interface which allows domains to execute the binary
without transitioning.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.fc | 2 +-
policy/modules/system/init.if | 37 +++++++++++++++++++++++++++++++++++++
policy/modules/system/init.te | 8 ++++++++
3 files changed, 46 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 354ce93..c2021e3 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,7 +38,7 @@ ifdef(`distro_gentoo', `
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
ifdef(`distro_gentoo', `
-/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
/sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0)
/sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
/sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
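Review bot: relabelling /sbin/rc from initrc_exec_t to rc_exec_t removes the path by which domains reached initrc_t through that binary, so the commit message should state that a relabel (restorecon on /sbin/rc) is required after upgrading and that callers relying on the old label must now go through the rc_exec_t transition added to init_spec_domtrans_script in this patch.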
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 94fd8dd..8d45ef7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -455,6 +455,36 @@ interface(`init_exec',`
########################################
## <summary>
+## Execute the rc application in the caller domain.
+## </summary>
+## <desc>
+## <p>
+## This is only applicable to Gentoo or distributions that use the OpenRC
+## init system.
+## </p>
+## <p>
+## The OpenRC /sbin/rc binary is used for both init scripts as well as
+## management applications and tools. When used for management purposes,
+## calling /sbin/rc should never cause a transition to initrc_t.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rc_exec',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rc_exec_t)
+')
+
+########################################
+## <summary>
## Get the process group of init.
## </summary>
## <param name="domain">
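Review bot: init_rc_exec does gen_require on rc_exec_t unconditionally, while rc_exec_t is only declared inside ifdef(`distro_gentoo') in init.te, so any caller that forgets the same ifdef breaks non-Gentoo builds at compile time. Either say so explicitly in the <desc> block (the later patches in this series do wrap every call) or wrap the interface body itself in ifdef(`distro_gentoo',` ... ') so it is a harmless no-op elsewhere.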
@@ -779,6 +809,13 @@ interface(`init_spec_domtrans_script',`
files_list_etc($1)
spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+ domtrans_pattern($1, rc_exec_t, initrc_t)
+ ')
+
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
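Review bot: the new domtrans_pattern($1, rc_exec_t, initrc_t) has no matching range_transition; the enable_mcs block that follows (and the enable_mls one, by analogy) only covers initrc_exec_t, so on MCS/MLS Gentoo builds a transition through /sbin/rc will not receive the s0 range that the initrc_exec_t path gets. Add `range_transition $1 rc_exec_t:process s0;` under the same distro_gentoo guard, next to the existing range rules.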
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 157e844..585a77e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -77,10 +77,16 @@ files_tmp_file(initrc_tmp_t)
type initrc_var_run_t;
files_pid_file(initrc_var_run_t)
+ifdef(`distro_gentoo',`
+ type rc_exec_t;
+ domain_entry_file(initrc_t, rc_exec_t)
+')
+
ifdef(`enable_mls',`
kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
')
+
########################################
#
# Init local policy
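Review bot: the blank line added after the enable_mls block is an unrelated whitespace change and should be dropped from this hunk. The declaration itself is correct; since rc_exec_t becomes the Gentoo entry point into initrc_t instead of initrc_exec_t, a one-line comment above `type rc_exec_t;` saying that /sbin/rc carries this type would help the next reader of init.te.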
@@ -170,6 +176,8 @@ miscfiles_read_localization(init_t)
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
+
+ init_rc_exec(initrc_t)
')
ifdef(`distro_redhat',`
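Review bot: init_rc_exec(initrc_t) is placed in the init_t local policy section (the hunk context is miscfiles_read_localization(init_t) and the allow init_t self:process rule), but the rule concerns initrc_t, so it belongs in the init script local policy section further down. Also, refpolicy modules do not call their own interfaces from their own .te file; inside init.te this should be the direct rule `can_exec(initrc_t, rc_exec_t)`.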
--
1.7.3.4
The gcc-config application uses some functions (from
/etc/init.d/functions.sh) which are simple wrappers on top of
/sbin/rc. Since this script is sourced and the functions executed
from within gcc_config_t, we allow gcc-config to execute /sbin/rc
without transitioning.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 3d76444..fb51d36 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -120,6 +120,10 @@ userdom_use_user_terminals(gcc_config_t)
consoletype_exec(gcc_config_t)
+ifdef(`distro_gentoo',`
+ init_rc_exec(gcc_config_t)
+')
+
optional_policy(`
seutil_use_newrole_fds(gcc_config_t)
')
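Review bot: the distro_gentoo guard is correct here because rc_exec_t only exists on Gentoo builds, but the commit message says gcc-config sources /etc/init.d/functions.sh, and sourcing an init script file needs read access to initrc_exec_t for gcc_config_t in addition to executing /sbin/rc; if that read is not already granted elsewhere in the gcc_config_t section, add it (init_read_script_files(gcc_config_t) is the matching interface) so the whole path described in the message actually works.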
--
1.7.3.4
When an init script is launched, Gentoo's integrated run_init support
will re-execute /sbin/rc (an all-in-one binary) for various functions.
The run_init_t domain here should not be allowed to transition yet, so
we allow it to execute /sbin/rc without transitioning.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/selinuxutil.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 508b206..2981122 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -406,6 +406,8 @@ ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
init_script_file_entry_type(run_init_t)
+
+ init_rc_exec(run_init_t)
')
')
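Review bot: with init_rc_exec(run_init_t), /sbin/rc itself now runs in run_init_t and it is the init script that rc subsequently executes which must reach initrc_t through the existing initrc_exec_t transition for run_init_t. The commit message says run_init_t "should not be allowed to transition yet" without saying where the transition then happens, so add a short comment next to this call describing the two steps (rc in run_init_t, script in initrc_t) and confirm in testing that starting a service through run_init still lands in initrc_t.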
--
1.7.3.4
The /sbin/rc binary is used by the system administrator to manage
runlevels (add/delete), check runlevel state, etc., all of which do not
require a transition to occur. Hence the /sbin/rc (now labeled
rc_exec_t) is allowed to be executed without transitioning.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index fcf7605..cf84f62 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -51,6 +51,10 @@ ifdef(`direct_sysadm_daemon',`
')
')
+ifdef(`distro_gentoo',`
+ init_rc_exec(sysadm_t)
+')
+
ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
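Review bot: allowing sysadm_t to run /sbin/rc in its own domain is reasonable for runlevel management, but the commit message should state that starting and stopping services must still go through run_init: rc executed from sysadm_t will launch init scripts from sysadm_t rather than initrc_t when direct_sysadm_daemon is not enabled. It should also say whether sysadm_t already has the file permissions needed to edit the runlevel links under /etc, since this patch does not add any.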
--
1.7.3.4
Enhance portage_fetch_t from an application type to a domain. Introduce
the proper portage_fetch_exec_t and add the necessary privileges to the
domain definition to allow portage_fetch_t to be used by Portage
management utilities like layman and emerge-webrsync.
We enhance portage_domtrans() to include portage_fetch_t support.
Providing a different interface (portage_fetch_domtrans) is possible
too, but since every application and role that needs to deal with
portage needs to deal with the fetching as well, and vice versa, we keep
this in portage_domtrans.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.fc | 5 +++++
policy/modules/admin/portage.if | 2 ++
policy/modules/admin/portage.te | 32 +++++++++++++++++++++++---------
3 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 13dc979..d5ea7b5 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -3,10 +3,12 @@
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
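Review bot: labelling /usr/bin/layman as portage_fetch_exec_t puts every overlay sync method layman supports into portage_fetch_t, while the .te part of this patch only adds http, git and rsync network access; the commit message should say which sync back ends are expected to work in this domain (or the missing port rules should be added), otherwise users of other back ends will hit denials with no hint that this is by design.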
@@ -22,6 +24,9 @@
/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
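Review bot: the new /var/tmp/binpkgs and /var/tmp/emerge-webrsync contexts only take effect on relabel; nothing in the .te changes gives portage_fetch_t a file transition to portage_tmp_t when it creates these directories under /var/tmp, so a freshly created /var/tmp/emerge-webrsync inherits the parent label and the manage rules on portage_tmp_t added later in this patch never apply to it. Either add a filetrans for portage_fetch_t into /var/tmp or state in the commit message that these directories are expected to exist and be labelled beforehand.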
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 3dd9f65..9f7d652 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -16,6 +16,7 @@
interface(`portage_domtrans',`
gen_require(`
type portage_t, portage_exec_t;
+ type portage_fetch_t, portage_fetch_exec_t;
')
files_search_usr($1)
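Review bot: pulling portage_fetch_t and portage_fetch_exec_t into the gen_require of portage_domtrans makes every caller of the interface depend on the fetch domain, and the interface's <summary> documentation above this hunk still describes a transition to portage only; update the documentation or, preferably, keep the fetch types out of this interface altogether.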
@@ -23,6 +24,7 @@ interface(`portage_domtrans',`
# transition to portage
domtrans_pattern($1, portage_exec_t, portage_t)
+ domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
')
########################################
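Review bot: adding the portage_fetch_exec_t transition inside portage_domtrans means no caller can be granted only emerge or only the fetcher; a separate portage_fetch_domtrans interface keeps the two grants independent, so that a cron job or role that only needs to sync the tree does not also receive the full portage_t transition. The commit message argues that every caller needs both, but least privilege favours keeping them separable even if most callers end up calling both.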
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index fb51d36..c309d84 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -34,7 +34,8 @@ corecmd_shell_entry_type(portage_sandbox_t)
# portage package fetching domain
type portage_fetch_t;
-application_type(portage_fetch_t)
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
corecmd_shell_entry_type(portage_fetch_t)
rsync_entry_type(portage_fetch_t)
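Review bot: now that portage_fetch_t has a proper entry type, the remaining corecmd_shell_entry_type and rsync_entry_type entry points should each be justified with a comment naming which caller enters the domain by executing a shell or rsync directly rather than layman or emerge-webrsync; every additional entrypoint is another way into the domain and is easy to leave behind once the dedicated exec type exists.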
@@ -218,10 +219,15 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
# - for rsync and distfile fetching
#
-allow portage_fetch_t self:capability { dac_override fowner fsetid };
allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+
+allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
+allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
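Review bot: the added `allow portage_fetch_t portage_conf_t:dir list_dir_perms;` duplicates the identical existing line directly below it (a later patch in this series removes it again; squash that fix into this patch). The new chown capability and the jump from read/delete on portage_tmp_t files to manage_dir_perms/manage_file_perms each need a comment saying which tool requires them, in the style of the comments this patch removes further down.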
@@ -233,19 +239,19 @@ manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
-# portage makes home dir the portage tmp dir, so
-# wget looks for .wgetrc there
-dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
-# rsync server timestamp check
-allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };
kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)
corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
corenet_all_recvfrom_unlabeled(portage_fetch_t)
corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_generic_node(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
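Review bot: the removed rules carried the only explanation of why portage_fetch_t touched portage_tmp_t at all (wget looking for .wgetrc in the portage tmp dir, rsync timestamp checks); the broader manage rules that replace them earlier in the file have no such comment, so carry the explanation over. corecmd_exec_shell is needed for the emerge-webrsync script, but a comment to that effect would stop a later cleanup from removing it.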
@@ -254,6 +260,8 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
+corenet_tcp_connect_rsync_port(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)
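Review bot: corenet_tcp_connect_rsync_port adds nothing, because rsync's port 873 is in the reserved range already granted by corenet_tcp_connect_all_reserved_ports two lines above; only the git port call is new. Either drop the rsync line or, if the intent is to make the required ports explicit, replace the all_reserved_ports call with the specific ports the fetcher actually uses.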
@@ -261,9 +269,12 @@ domain_use_interactive_fds(portage_fetch_t)
files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
-files_search_var(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
+logging_list_logs(portage_fetch_t)
+
term_search_ptys(portage_fetch_t)
miscfiles_read_localization(portage_fetch_t)
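Review bot: logging_list_logs is added while the .fc part of this patch labels /var/log/emerge-fetch.log as portage_log_t; if the fetcher writes that log it also needs append or write access on portage_log_t, which this hunk does not add, so the commit message should say whether existing rules cover that or whether listing /var/log is genuinely all that is needed. files_read_usr_files is considerably broader than the files_search_var it replaces; a comment on what under /usr is read would justify it.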
@@ -274,6 +285,9 @@ sysnet_dns_name_resolve(portage_fetch_t)
userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
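Review bot: rsync_exec(portage_fetch_t) is inserted between the userdom_ calls and the ifdef block, which breaks the module-alphabetical order used in this section (rsync_ belongs before sysnet_dns_name_resolve). Since rsync is a separate module, the call should also be wrapped in optional_policy(` ... ') like the other cross-module calls in this file, unless the unconditional rsync_entry_type in the declarations is deliberately tying the portage module to rsync.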
--
1.7.3.4
Some applications might want to execute gpg without requiring a
transition. A possible use case is to allow applications to validate
signatures (made by GnuPG). As long as the application doesn't need to
generate signatures itself and its trustdb is not marked as
gpg_secret_t, it suffices to grant it gpg_exec().
Note that it does require the application to have read/write rights in
the directory where the trustdb is stored (as gpg tries to generate lock
files where the trustdb file is located).
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/gpg.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 40e0a2a..6d50300 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -87,6 +87,24 @@ interface(`gpg_domtrans',`
########################################
## <summary>
+## Execute the gpg application without transitioning
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute gpg
+## </summary>
+## </param>
+#
+interface(`gpg_exec',`
+ gen_require(`
+ type gpg_exec_t;
+ ')
+
+ can_exec($1, gpg_exec_t)
+')
+
+########################################
+## <summary>
## Send generic signals to user gpg processes.
## </summary>
## <param name="domain">
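Review bot: unlike init_rc_exec earlier in this series, gpg_exec grants can_exec on gpg_exec_t without corecmd_search_bin($1), so a caller that cannot already search bin directories will never reach /usr/bin/gpg; add it for consistency with the other _exec interfaces. The <summary> text is also missing a trailing period (compare "Send generic signals to user gpg processes." just below), and it should mention the caller-side requirement spelled out in the commit message, namely write access to the directory holding the trustdb so gpg can create its lock files.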
--
1.7.3.4
We allow portage to call gpg. However, this requires that the location
where the trustdb is stored is marked as a read/write type. The default
location used within Gentoo is /etc/portage/gpg, which would lead to
portage_conf_t. However, this type should remain a read-only type.
As such, we introduce a type called portage_gpg_t for this location and
grant portage_fetch_t the necessary rights on this type.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.fc | 1 +
policy/modules/admin/portage.te | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index d5ea7b5..af2d51f 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -1,6 +1,7 @@
/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
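Review bot: the more specific /etc/portage/gpg(/.*)? entry correctly follows the general /etc/portage(/.*)? entry, but the commit message should mention that existing installs need a relabel of /etc/portage for the new portage_gpg_t label to take effect; until then the directory stays portage_conf_t and the rules added in portage.te will not apply.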
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index c309d84..429ffb0 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -57,6 +57,9 @@ files_type(portage_conf_t)
type portage_cache_t;
files_type(portage_cache_t)
+type portage_gpg_t;
+files_type(portage_gpg_t)
+
type portage_log_t;
logging_log_file(portage_log_t)
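Review bot: portage_gpg_t is declared as a plain files_type, yet the commit message describes its contents as the keyring and trustdb that portage validates signatures against, and the next hunk gives portage_fetch_t manage_file_perms on it; a compromised fetcher could then replace the public keyring it is supposed to verify with. Consider limiting the fetch domain to what gpg needs for verification (creating and removing its lock files, updating the trustdb) rather than full management of every file under /etc/portage/gpg, and leave the public keyring writable only by the administrator.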
@@ -228,8 +231,9 @@ allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
allow portage_fetch_t portage_tmp_t:file manage_file_perms;
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+allow portage_fetch_t portage_gpg_t:file manage_file_perms;
-allow portage_fetch_t portage_conf_t:dir list_dir_perms;
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
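Review bot: this hunk removes the duplicate portage_conf_t dir rule that the previous patch in this series introduced; squash that removal into the patch that added it so each patch is correct on its own. rw_dir_perms plus manage_file_perms on portage_gpg_t is broader than the lock-file requirement the commit message describes; see the note on the type declaration above.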
@@ -299,6 +303,10 @@ tunable_policy(`portage_use_nfs',`
fs_manage_nfs_symlinks(portage_fetch_t)
')
+optional_policy(`
+ gpg_exec(portage_fetch_t)
+')
+
##########################################
#
# Portage sandbox domain
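Review bot: gpg_exec runs gpg inside portage_fetch_t with no transition, so gpg's behaviour is governed entirely by this domain's rules, and the only keyring location this patch grants is /etc/portage/gpg; that is right only when the calling tool points gpg at that directory. The commit message should say that the tooling passes --homedir /etc/portage/gpg (or sets GNUPGHOME), because otherwise gpg falls back to ~/.gnupg and the resulting denials will be against home directory types rather than portage_gpg_t, which is confusing to debug.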
--
1.7.3.4
Many users use portage from within cron (for instance to update the
portage tree or even automatically update their system). As such, we
allow portage to be run from the (system) cronjob domains.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 429ffb0..32fbd7d 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -198,6 +198,11 @@ optional_policy(`
')
optional_policy(`
+ cron_system_entry(portage_t, portage_exec_t)
+ cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+')
+
+optional_policy(`
modutils_domtrans_depmod(portage_t)
modutils_domtrans_update_mods(portage_t)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
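Review bot: cron_system_entry grants the transition from the system cron job domain, but a portage run started from cron has no terminal, so the userdom_use_user_terminals rules elsewhere in this file do not apply and emerge's output goes to cron's pipe; confirm that cron_system_entry (or existing rules) grants portage_t and portage_fetch_t read/write on the cron job's fifo, and consider a dontaudit for the tty access attempts so unattended runs do not fill the audit log. The commit message should also note that, combined with the gpg patch, signature verification now happens unattended in this domain, which is exactly why keeping the keyring read-only for the fetcher matters.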
--
1.7.3.4
On 09/03/11 10:18, Sven Vermeulen wrote:
> This is a revised set of portage-related patches, excluding those that have
> been merged in the reference policy already.
>
> The patchset primarily adds
> - support for rc_exec_t (for Gentoo-based distributions)
> - make portage_fetch_t a full application domain for layman/emerge-webrsync
> - allow portage_fetch_t to execute gpg (introduces a portage_gpg_t file
> type)
> - allow portage commands to be run within system cronjobs
Merged, with some adjustments. It needs one further change (see other email).
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 09/03/11 10:21, Sven Vermeulen wrote:
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 3dd9f65..9f7d652 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -16,6 +16,7 @@
> interface(`portage_domtrans',`
> gen_require(`
> type portage_t, portage_exec_t;
> + type portage_fetch_t, portage_fetch_exec_t;
> ')
>
> files_search_usr($1)
> @@ -23,6 +24,7 @@ interface(`portage_domtrans',`
>
> # transition to portage
> domtrans_pattern($1, portage_exec_t, portage_t)
> + domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
> ')
This needs to be moved into its own interface. Otherwise there is no option to only run portage or only run fetch.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com