2017-09-11 06:24:34

by Russell Coker

Subject: [refpolicy] [PATCH] bounds for tor, mysqld, and entropyd

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874201

The following patch fixes 3 instances of the bounds issue as described in the
above bug report. There will be more as more maintainers and upstream
developers make use of systemd access control features.

Index: refpolicy-2.20170907/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170907.orig/policy/modules/system/init.te
+++ refpolicy-2.20170907/policy/modules/system/init.te
@@ -295,6 +295,7 @@ ifdef(`init_systemd',`
fs_manage_hugetlbfs_dirs(init_t)
fs_getattr_tmpfs(init_t)
fs_read_tmpfs_files(init_t)
+ fs_read_tmpfs_symlinks(init_t)
fs_read_cgroup_files(init_t)
fs_relabel_pstore_dirs(init_t)
fs_dontaudit_getattr_xattr_fs(init_t)
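Review bot: the commit message should say which bounded domain needs fs_read_tmpfs_symlinks(init_t); nothing in the visible lines explains it, and a reader of init.te later will not know that this rule exists only to keep init_t a superset of a typebounds child (the constraint the new init.if interface documents). A one-line comment above the call, e.g. "# required because bounded daemon domains read tmpfs symlinks", would record that dependency so the rule is not dropped in a later cleanup.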
Index: refpolicy-2.20170907/policy/modules/contrib/entropyd.te
===================================================================
--- refpolicy-2.20170907.orig/policy/modules/contrib/entropyd.te
+++ refpolicy-2.20170907/policy/modules/contrib/entropyd.te
@@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t)

fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)

domain_use_interactive_fds(entropyd_t)

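Review bot: fs_search_tmpfs(entropyd_t) is a new permission for the daemon, not part of the bounds fix the commit message describes; please state the denial or need that motivates it. With init_bounded(entropyd_t, entropyd_exec_t) added further down, init_t must also hold search on tmpfs directories or the policy build fails the typebounds check; the init.te hunk only adds symlink read, so confirm init_t already has directory search on tmpfs (the fs_getattr_tmpfs / fs_read_tmpfs_files context suggests it may, but it is not visible here).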
@@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',`
dev_write_sound(entropyd_t)
')

+ifdef(`init_systemd',`
+ init_bounded(entropyd_t, entropyd_exec_t)
+')
+
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
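Review bot: the bound is imposed whenever init_systemd is defined, regardless of whether entropyd is actually launched by systemd with the access-control features the commit message mentions; a comment at the call site saying why this domain needs the bound (and pointing at the Debian bug) would help maintainers, since from now on every permission added to entropyd_t, including the entropyd_use_audio conditional rules visible in context, has to be matched by an init_t rule or the build breaks.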
Index: refpolicy-2.20170907/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20170907.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20170907/policy/modules/contrib/tor.te
@@ -118,6 +118,10 @@ tunable_policy(`tor_bind_all_unreserved_
corenet_tcp_bind_all_unreserved_ports(tor_t)
')

+ifdef(`init_systemd',`
+ init_bounded(tor_t, tor_exec_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(tor_t)
')
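Review bot: typebounds init_t tor_t requires init_t to hold every permission tor_t has, including those granted under the tor_bind_all_unreserved_ports tunable in the context above (corenet_tcp_bind_all_unreserved_ports); please confirm init_t already carries these, since nothing in the init.te hunk adds them, or say in the commit message how the bounds check was verified for this domain.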
Index: refpolicy-2.20170907/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170907.orig/policy/modules/system/init.if
+++ refpolicy-2.20170907/policy/modules/system/init.if
@@ -314,6 +314,31 @@ interface(`init_ranged_daemon_domain',`
')
')

+########################################
+## <summary>
+## Make a domain be bounded by init_t
+## NB init_t needs to have all the permissions of the domain in question
+## </summary>
+## <param name="domain">
+## <summary>
+## Bounded domain
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`init_bounded',`
+ gen_require(`
+ type init_t;
+ ')
+
+ typebounds init_t $1;
+ allow init_t $2:file entrypoint;
+')
+
#########################################
## <summary>
## Abstract socket service activation (systemd).
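Review bot: the "NB" line belongs in a <desc><p>...</p></desc> block rather than inside <summary>, which refpolicy keeps to a single sentence for the generated documentation; the description should also state what the interface actually requires: because of "typebounds init_t $1", every permission of $1 must be a subset of init_t's, and the "allow init_t $2:file entrypoint" rule exists only because the bounded domain already has entrypoint on its executable type, which would otherwise fail that check. The summary itself reads better as "Make a domain bounded by init_t".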
Index: refpolicy-2.20170907/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy-2.20170907.orig/policy/modules/contrib/mysql.te
+++ refpolicy-2.20170907/policy/modules/contrib/mysql.te
@@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t)

fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)

files_read_etc_runtime_files(mysqld_t)
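Review bot: as with entropyd, fs_search_tmpfs(mysqld_t) is not a bounds rule and needs a justification in the commit message. The context also shows fs_rw_hugetlbfs_files(mysqld_t); once mysqld_t is bounded by init_t, init_t must have read/write on hugetlbfs files too, and the visible init.te context shows only fs_manage_hugetlbfs_dirs for init_t, so please confirm the file permissions are already present there.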
@@ -149,6 +150,10 @@ optional_policy(`
daemontools_service_domain(mysqld_t, mysqld_exec_t)
')

+ifdef(`init_systemd',`
+ init_bounded(mysqld_t, mysqld_exec_t)
+')
+
optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')
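Review bot: placement: the new ifdef(`init_systemd',` block is inserted between two optional_policy blocks (after the daemontools one, before seutil), but refpolicy style puts ifdef blocks ahead of the tunable_policy and optional_policy blocks of a section; the entropyd and tor hunks above already place it that way, so move it up for consistency.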


2017-09-11 22:56:37

by Chris PeBenito

Subject: [refpolicy] [PATCH] bounds for tor, mysqld, and entropyd

On 09/11/2017 02:24 AM, Russell Coker via refpolicy wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874201
>
> The following patch fixes 3 instances of the bounds issue as described in the
> above bug report. There will be more as more maintainers and upstream
> developers make use of systemd access control features.

NAK. This has already been fixed with the upcoming nnp_transition
nosuid_transition permissions in refpolicy. I'm afraid distros will
have to carry policy patches until they can roll out kernels that
support these permissions.

https://marc.info/?l=selinux&m=150151037511601&w=2


> Index: refpolicy-2.20170907/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170907/policy/modules/system/init.te
> @@ -295,6 +295,7 @@ ifdef(`init_systemd',`
> fs_manage_hugetlbfs_dirs(init_t)
> fs_getattr_tmpfs(init_t)
> fs_read_tmpfs_files(init_t)
> + fs_read_tmpfs_symlinks(init_t)
> fs_read_cgroup_files(init_t)
> fs_relabel_pstore_dirs(init_t)
> fs_dontaudit_getattr_xattr_fs(init_t)
> Index: refpolicy-2.20170907/policy/modules/contrib/entropyd.te
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/contrib/entropyd.te
> +++ refpolicy-2.20170907/policy/modules/contrib/entropyd.te
> @@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t)
>
> fs_getattr_all_fs(entropyd_t)
> fs_search_auto_mountpoints(entropyd_t)
> +fs_search_tmpfs(entropyd_t)
>
> domain_use_interactive_fds(entropyd_t)
>
> @@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',`
> dev_write_sound(entropyd_t)
> ')
>
> +ifdef(`init_systemd',`
> + init_bounded(entropyd_t, entropyd_exec_t)
> +')
> +
> optional_policy(`
> tunable_policy(`entropyd_use_audio',`
> alsa_read_lib(entropyd_t)
> Index: refpolicy-2.20170907/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/contrib/tor.te
> +++ refpolicy-2.20170907/policy/modules/contrib/tor.te
> @@ -118,6 +118,10 @@ tunable_policy(`tor_bind_all_unreserved_
> corenet_tcp_bind_all_unreserved_ports(tor_t)
> ')
>
> +ifdef(`init_systemd',`
> + init_bounded(tor_t, tor_exec_t)
> +')
> +
> optional_policy(`
> seutil_sigchld_newrole(tor_t)
> ')
> Index: refpolicy-2.20170907/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170907/policy/modules/system/init.if
> @@ -314,6 +314,31 @@ interface(`init_ranged_daemon_domain',`
> ')
> ')
>
> +########################################
> +## <summary>
> +## Make a domain be bounded by init_t
> +## NB init_t needs to have all the permissions of the domain in question
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Bounded domain
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +#
> +interface(`init_bounded',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + typebounds init_t $1;
> + allow init_t $2:file entrypoint;
> +')
> +
> #########################################
> ## <summary>
> ## Abstract socket service activation (systemd).
> Index: refpolicy-2.20170907/policy/modules/contrib/mysql.te
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/contrib/mysql.te
> +++ refpolicy-2.20170907/policy/modules/contrib/mysql.te
> @@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t)
>
> fs_getattr_all_fs(mysqld_t)
> fs_search_auto_mountpoints(mysqld_t)
> +fs_search_tmpfs(mysqld_t)
> fs_rw_hugetlbfs_files(mysqld_t)
>
> files_read_etc_runtime_files(mysqld_t)
> @@ -149,6 +150,10 @@ optional_policy(`
> daemontools_service_domain(mysqld_t, mysqld_exec_t)
> ')
>
> +ifdef(`init_systemd',`
> + init_bounded(mysqld_t, mysqld_exec_t)
> +')
> +
> optional_policy(`
> seutil_sigchld_newrole(mysqld_t)
> ')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito