2012-01-04 20:00:15

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/5] Adding support for dracut

While trying to get a SELinux-supporting initramfs booted up (in enforcing
mode, without unconfined domains) my current attempts are at dracut. But
dracut itself didn't work quite well on such a system as running it in
sysadm_t domain fails (some domain transitions occur which are then asked to
write files in user_tmp_t which isn't allowed for those domains).

Instead of patching those domains (ldconfig_t and depmod_t) to allow writing
& creating files in user_tmp_t (i.e. manage privileges), I drafted up a
dracut domain (dracut_t) and granted those domains manage access to
dracut_tmp_t.

To support dracut, a few changes were necessary to the policy as well
(additional interfaces).

The summary:
- Add read interface for udev rules (udev_read_rules_files)
- List module configuration option files (modutils_list_module_config)
- Add in the dracut_t policy
- Grant ldconfig_t and depmod_t the dracut_manage_tmp_files privilege
- Allow sysadm_t to run/transition to dracut_t


2012-01-04 20:01:20

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/5] Add read interface for udev rules


Applications, such as dracut or other initramfs creators, need read access to udev rules to see if they need to pull in
additional requirements for the initramfs or not. This adds in the udev_read_rules_files() interface for this purpose.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/udev.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..3d0f1f0 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -132,6 +132,24 @@ interface(`udev_dontaudit_rw_dgram_sockets',`

########################################
## <summary>
+## Read udev rules files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ read_files_pattern($1, udev_rules_t, udev_rules_t)
+')
+
+########################################
+## <summary>
## Manage udev rules files
## </summary>
## <param name="domain">
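Review bot: the new udev_read_rules_files interface grants read_files_pattern on udev_rules_t but nothing for searching the directories leading to the rules files, so a caller without that access already will still be denied on the path lookup; check what the neighbouring udev_manage_rules_files interface (whose header is visible below the insertion) pairs with its manage_files_pattern and mirror it, for example a `files_search_etc($1)` line if that is what it uses.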
--
1.7.3.4

2012-01-04 20:01:53

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/5] Support listing module configuration files


Dracut, an application that creates an initramfs based on the system's requirements, needs to list the module configuration
files to function. This adds in this interface for this purpose.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/modutils.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 350c450..2ed57a9 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`

########################################
## <summary>
+## List the module configuration option files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_list_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+
+########################################
+## <summary>
## Read the configuration options used when
## loading modules.
## </summary>
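Review bot: there is a doubled blank line between the closing `')` of modutils_list_module_config and the `####` banner of the following interface; refpolicy separates interfaces with a single blank line, so drop one. Also, the summary says "List the module configuration option files" while the body only grants list_dirs_pattern on modules_conf_t, i.e. directory listing and no access to the files themselves; reword the summary to say directories, since reading the files is what the existing modutils_read_module_config interface below it provides.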
--
1.7.3.4

2012-01-04 20:02:47

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/5] Adding dracut policy

Running dracut out of the sysadm_t domain doesn't (fully) work on a policy without unconfined domains. The calls to depmod,
whose output is then directed to a tmp location, are denied through this. Instead of granting depmod (and other tools)
"manage" access to user_tmp_t, we create a separate domain for dracut (called dracut_t) and grant these tools management
access to dracut_tmp_t.

This adds in the dracut policy.

Signed-off-by: Sven Vermeulen <[email protected]>
---
dracut.fc | 4 +++
dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++
dracut.te | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 152 insertions(+), 0 deletions(-)
create mode 100644 dracut.fc
create mode 100644 dracut.if
create mode 100644 dracut.te

diff --git a/dracut.fc b/dracut.fc
new file mode 100644
index 0000000..8e411eb
--- /dev/null
+++ b/dracut.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
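Review bot: the three new files are created at the repository root (dracut.fc, dracut.if, dracut.te, per the diffstat and the `diff --git` headers) instead of under the policy/modules/ tree that the other patches in this series touch, so the build will not pick the module up and the dracut_manage_tmp_files and dracut_run calls added in 4/5 and 5/5 will be undefined interfaces; move the files into the appropriate layer directory under policy/modules/. The single file context covers only /usr/sbin/dracut; if any target distribution installs the script as /sbin/dracut, a second entry is needed, otherwise it runs unlabelled as bin_t and no transition happens.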
diff --git a/dracut.if b/dracut.if
new file mode 100644
index 0000000..929fffd
--- /dev/null
+++ b/dracut.if
@@ -0,0 +1,69 @@
+## <summary>Dracut initramfs creation tool</summary>
+
+########################################
+## <summary>
+## Execute the dracut program in the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dracut_domtrans',`
+ gen_require(`
+ type dracut_t, dracut_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dracut_exec_t, dracut_t)
+')
+
+########################################
+## <summary>
+## Execute dracut in the dracut domain, and
+## allow the specified role the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_run',`
+ gen_require(`
+ type dracut_t;
+ ')
+
+ dracut_domtrans($1)
+ role $2 types dracut_t;
+')
+
+########################################
+## <summary>
+## Allow domain to manage dracut temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_manage_tmp_files',`
+ gen_require(`
+ type dracut_tmp_t;
+ ')
+
+ files_search_var($1)
+ files_search_tmp($1)
+
+ manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+')
+
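Review bot: dracut_manage_tmp_files calls files_search_var($1) as its first line, but dracut_tmp_t is declared with files_tmp_file in dracut.te and files_tmp_filetrans only labels objects created under the tmp directory, so the /var search grant looks unneeded; drop it unless dracut is known to put its work directory under /var/tmp, in which case say so in a comment. The interface also grants manage on both dirs and files; the commit message of 4/5 only describes ldconfig and depmod creating and writing files inside a directory dracut already made, so `manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)` with files_search_tmp would be the least privilege matching that description, leaving directory creation and removal to dracut_t.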
diff --git a/dracut.te b/dracut.te
new file mode 100644
index 0000000..f83eecd
--- /dev/null
+++ b/dracut.te
@@ -0,0 +1,79 @@
+policy_module(localmod, 1.0)
+
+require {
+ type depmod_t;
+ type sysadm_t;
+ type ldconfig_t;
+ role sysadm_r;
+}
+
+type dracut_t;
+type dracut_exec_t;
+application_domain(dracut_t, dracut_exec_t)
+
+type dracut_var_log_t;
+logging_log_file(dracut_var_log_t)
+
+type dracut_tmp_t;
+files_tmp_file(dracut_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow dracut_t self:process setfscreate;
+allow dracut_t self:fifo_file rw_fifo_file_perms;
+allow dracut_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+
+manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
+logging_log_filetrans(dracut_t, dracut_var_log_t, file)
+
+kernel_read_system_state(dracut_t)
+
+corecmd_exec_bin(dracut_t)
+corecmd_exec_shell(dracut_t)
+corecmd_read_all_executables(dracut_t)
+
+dev_read_sysfs(dracut_t)
+
+domain_use_interactive_fds(dracut_t)
+
+files_create_kernel_img(dracut_t)
+files_read_kernel_modules(dracut_t)
+files_read_etc_files(dracut_t)
+files_read_usr_files(dracut_t)
+files_search_pids(dracut_t)
+
+fstools_domtrans(dracut_t)
+
+libs_domtrans_ldconfig(dracut_t)
+libs_exec_ld_so(dracut_t)
+libs_exec_lib_files(dracut_t)
+
+lvm_domtrans(dracut_t)
+lvm_read_config(dracut_t)
+
+miscfiles_read_localization(dracut_t)
+
+modutils_domtrans_depmod(dracut_t)
+modutils_domtrans_insmod(dracut_t)
+modutils_read_module_config(dracut_t)
+modutils_list_module_config(dracut_t)
+modutils_read_module_deps(dracut_t)
+
+mount_domtrans(dracut_t)
+
+udev_domtrans(dracut_t)
+udev_read_rules_files(dracut_t)
+
+userdom_use_user_terminals(dracut_t)
+
+optional_policy(`
+ dmesg_domtrans(dracut_t)
+')
+
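Review bot: `policy_module(localmod, 1.0)` does not match the file name; the name passed to policy_module should be `dracut` so that the built module is installed under the same name as dracut.te, dracut.if and dracut.fc (`localmod` reads like a leftover from a local-policy template). The bare `require { type depmod_t; type sysadm_t; type ldconfig_t; role sysadm_r; }` block is not referenced anywhere in the file, since those domains are handled in 4/5 and 5/5 through interfaces, so remove it. Finally, dracut_var_log_t gets a logging_log_filetrans here but no entry in dracut.fc, so a relabel of /var/log would leave the created log file with the generic log type and dracut_t could no longer manage it; add a matching /var/log line to the file context file.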
--
1.7.3.4

2012-01-04 20:03:20

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/5] Grant dracut_manage_tmp_files to domains called by dracut

The dracut application calls, amongst other applications, ldconfig and depmod and gets them to write information in a
temporary location created by dracut. This gives those domains manage access to these locations.

Write privileges alone were not sufficient as new files were created as well.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/libraries.te | 4 ++++
policy/modules/system/modutils.te | 4 ++++
2 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 5a16f99..50332d3 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -131,6 +131,10 @@ optional_policy(`
')

optional_policy(`
+ dracut_manage_tmp_files(ldconfig_t)
+')
+
+optional_policy(`
puppet_rw_tmp(ldconfig_t)
')

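Review bot: this block only compiles once the dracut module from 3/5 is actually inside the policy tree; with dracut.if at the repository root the `dracut_manage_tmp_files(ldconfig_t)` call fails as an undefined interface, so the series ordering depends on that being fixed first. Placement before the puppet block keeps the optional_policy blocks in alphabetical order, which is right.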
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a8d6741..16cfe82 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
+ dracut_manage_tmp_files(depmod_t)
+')
+
+optional_policy(`
rpm_rw_pipes(depmod_t)
rpm_manage_script_tmp_files(depmod_t)
')
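Review bot: the cover letter names only ldconfig_t and depmod_t as the domains that failed writing into user_tmp_t, yet dracut.te in 3/5 also transitions to insmod, lvm, mount, udev, fstools and dmesg domains; state in the commit message whether those were exercised and confirmed not to need the same grant, so a later reader knows the scope of this change was deliberate rather than the two that happened to be hit first.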
--
1.7.3.4

2012-01-04 20:03:52

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/5] Allow sysadm_t to call dracut and transition to dracut_t


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 64e45ad..9d8872d 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -148,6 +148,10 @@ optional_policy(`
')

optional_policy(`
+ dracut_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')

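Review bot: the commit message has no body, only the subject and the Signed-off-by; add a sentence noting that this depends on the dracut module from 3/5 and why sysadm_t (and not also staff or other administrative roles) is the domain that needs the transition, so the history explains the role assignment. Placement before firstboot_run keeps the optional_policy blocks in alphabetical order, which is right.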
--
1.7.3.4

2012-01-05 19:28:31

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/5] Adding dracut policy

On Wed, Jan 04, 2012 at 09:02:47PM +0100, Sven Vermeulen wrote:
> Running dracut out of the sysadm_t domain doesn't (fully) work on a policy without unconfined domains. The calls to depmod,
> whose output is then directed to a tmp location, is denied through this. Instead of granting depmod (and other tools)
> "manage" access to user_tmp_t, we create a separate domain for dracut (called dracut_t) and grant these tools management
> access to dracut_tmp_t.
[...]

Looks like I was a bit too overzealous here, many of the _domtrans can
actually be changed to _exec calls. They are never really executed, but used
by ldd (which does mean the files are somewhat executed, hence the reports)
to find out which libraries need to be pulled in as well.

I'll draft up a new patch "batch" soon when I've cleaned those out.

Wkr,
Sven Vermeulen