2012-06-24 18:03:09

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/5] Support dracut domain

While trying to get a SELinux-supporting initramfs booted up (in enforcing
mode, without unconfined domains) my current attempts are at dracut. But
dracut itself didn't work quite well on such a system as running it in
sysadm_t domain fails (some domain transitions occur which are then asked to
write files in user_tmp_t which isn't allowed for those domains).

Instead of patching those domains (ldconfig_t and depmod_t) to allow writing
& creating files in user_tmp_t (i.e. manage privileges) I drafted up a
dracut domain (dracut_t) and grant those domains manage access to
dracut_tmp_t.

To support dracut, a few changes were necessary to the policy as well
(additional interfaces).

The summary:
- Add read interface for udev rules (udev_read_rules_files)
- List module configuration option files (modutils_list_module_config)
- Add in the dracut_t policy
- Grant ldconfig_t and depmod_t the dracut_manage_tmp_files privilege
- Allow sysadm_t to run/transition to dracut_t


2012-06-24 18:03:49

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 1/5] Add read interface for udev rules

Applications, such as dracut or other initramfs creators, need read access to
udev rules to see if they need to pull in additional requirements for the
initramfs or not. This adds in the udev_read_rules_files() interface for
this purpose.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/udev.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..57fd764 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -132,6 +132,25 @@ interface(`udev_dontaudit_rw_dgram_sockets',`

########################################
## <summary>
+## Read udev rules files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ read_files_pattern($1, udev_rules_t, udev_rules_t)
+')
+
+
+########################################
+## <summary>
## Manage udev rules files
## </summary>
## <param name="domain">
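Review bot: udev_read_rules_files() grants read on udev_rules_t files but no search permission on the directories above them, so a caller that has not already been given search on /etc can still be denied before it reaches the rules; add `files_search_etc($1)` immediately before `read_files_pattern($1, udev_rules_t, udev_rules_t)` (Dominick Grift's reply in this thread proposes exactly that insertion).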
--
1.7.3.4

2012-06-24 18:04:18

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/5] Support listing module configuration files

Dracut, an application that creates an initramfs based on the system's
requirements, needs to list the module configuration files to function.
This adds in this interface for this purpose.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/modutils.if | 21 +++++++++++++++++++++
policy/modules/system/modutils.te | 4 ++++
2 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 350c450..19d328a 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,6 +39,27 @@ interface(`modutils_read_module_deps',`

########################################
## <summary>
+## List the module configuration option files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_list_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+
+
+########################################
+## <summary>
## Read the configuration options used when
## loading modules.
## </summary>
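Review bot: modutils_list_module_config() only adds directory listing on modules_conf_t, and as Dominick Grift's reply points out, modutils_read_module_config() already lets the caller list that directory, so for the dracut caller introduced in 3/5 this interface is redundant and can be dropped. Two style points in the same hunk: there are three blank lines between the closing `')` and the next `########` separator where this file uses one, and the `<rolecap/>` tag is set on an interface that grants nothing beyond a directory listing, which looks unintended.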
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 560d5d9..7607294 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
+ dracut_manage_tmp_files(depmod_t)
+')
+
+optional_policy(`
rpm_rw_pipes(depmod_t)
rpm_manage_script_tmp_files(depmod_t)
')
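Review bot: dracut_manage_tmp_files() is called here but is only defined in patch 3/5 (dracut.if), so at this point in the series the interface does not exist yet, and this depmod_t change is also not described by the commit message, which covers only the list interface; move this hunk into 4/5 next to the ldconfig_t grant, or reorder the series so the dracut module lands first.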
--
1.7.3.4

2012-06-24 18:04:48

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

Running dracut out of the sysadm_t domain doesn't (fully) work on a policy
without unconfined domains. The calls to depmod, whose output is then
directed to a tmp location, are denied through this. Instead of granting
depmod (and other tools) "manage" access to user_tmp_t, we create a separate
domain for dracut (called dracut_t) and grant these tools management
access to dracut_tmp_t.

Signed-off-by: Sven Vermeulen <[email protected]>
---
dracut.fc | 4 +++
dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
dracut.te | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 149 insertions(+), 0 deletions(-)
create mode 100644 dracut.fc
create mode 100644 dracut.if
create mode 100644 dracut.te

diff --git a/dracut.fc b/dracut.fc
new file mode 100644
index 0000000..fca0d67
--- /dev/null
+++ b/dracut.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
diff --git a/dracut.if b/dracut.if
new file mode 100644
index 0000000..929fffd
--- /dev/null
+++ b/dracut.if
@@ -0,0 +1,69 @@
+## <summary>Dracut initramfs creation tool</summary>
+
+########################################
+## <summary>
+## Execute the dracut program in the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dracut_domtrans',`
+ gen_require(`
+ type dracut_t, dracut_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dracut_exec_t, dracut_t)
+')
+
+########################################
+## <summary>
+## Execute dracut in the dracut domain, and
+## allow the specified role the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_run',`
+ gen_require(`
+ type dracut_t;
+ ')
+
+ dracut_domtrans($1)
+ role $2 types dracut_t;
+')
+
+########################################
+## <summary>
+## Allow domain to manage dracut temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_manage_tmp_files',`
+ gen_require(`
+ type dracut_tmp_t;
+ ')
+
+ files_search_var($1)
+ files_search_tmp($1)
+
+ manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+')
+
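Review bot: dracut_manage_tmp_files() manages directories and reads symlinks as well as managing files, so its name understates what it grants; as Dominick Grift suggests, dracut_manage_tmp() with a summary such as "Manage dracut temporary content" describes the body better. Note also the asymmetry with dracut.te in this same patch, where dracut_t itself gets manage_lnk_files_pattern() on dracut_tmp_t while callers of this interface only get read_lnk_files_pattern(); if depmod and ldconfig only follow links that is fine, but it deserves a comment so the difference is not mistaken for an omission.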
diff --git a/dracut.te b/dracut.te
new file mode 100644
index 0000000..4bd6cb3
--- /dev/null
+++ b/dracut.te
@@ -0,0 +1,76 @@
+policy_module(dracut, 1.0)
+
+type dracut_t;
+type dracut_exec_t;
+application_domain(dracut_t, dracut_exec_t)
+
+type dracut_var_log_t;
+logging_log_file(dracut_var_log_t)
+
+type dracut_tmp_t;
+files_tmp_file(dracut_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow dracut_t self:process setfscreate;
+allow dracut_t self:fifo_file rw_fifo_file_perms;
+allow dracut_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+
+manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
+logging_log_filetrans(dracut_t, dracut_var_log_t, file)
+
+kernel_read_system_state(dracut_t)
+
+corecmd_exec_bin(dracut_t)
+corecmd_exec_shell(dracut_t)
+corecmd_read_all_executables(dracut_t)
+
+dev_read_sysfs(dracut_t)
+
+domain_use_interactive_fds(dracut_t)
+
+files_create_kernel_img(dracut_t)
+files_read_etc_files(dracut_t)
+files_read_kernel_modules(dracut_t)
+files_read_usr_files(dracut_t)
+files_search_pids(dracut_t)
+
+fstools_exec(dracut_t)
+
+libs_domtrans_ldconfig(dracut_t)
+libs_exec_ld_so(dracut_t)
+libs_exec_lib_files(dracut_t)
+
+miscfiles_read_localization(dracut_t)
+
+modutils_exec_depmod(dracut_t)
+modutils_exec_insmod(dracut_t)
+modutils_list_module_config(dracut_t)
+modutils_read_module_config(dracut_t)
+modutils_read_module_deps(dracut_t)
+
+mount_exec(dracut_t)
+
+seutil_exec_setfiles(dracut_t)
+
+udev_exec(dracut_t)
+udev_read_rules_files(dracut_t)
+
+userdom_use_user_terminals(dracut_t)
+
+optional_policy(`
+ dmesg_exec(dracut_t)
+')
+
+optional_policy(`
+ lvm_exec(dracut_t)
+ lvm_read_config(dracut_t)
+')
+
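Review bot: modutils_list_module_config(dracut_t) is redundant next to modutils_read_module_config(dracut_t) two lines below it, since the latter already allows listing (as Dominick Grift notes in review), and seutil_exec_setfiles(dracut_t) grants execute_no_trans although the reason given later in the thread, ldd mapping the binary, needs only the execute (mmap) permission, so a narrower mmap-only rule would fit better. Two smaller points: dracut_var_log_t is declared and used in logging_log_filetrans(), but dracut.fc labels nothing with it, so log files already on disk will not receive that label on a relabel; and the file ends with a trailing blank `+` line.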
--
1.7.3.4

2012-06-24 18:05:14

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut

The dracut application calls, amongst other applications, ldconfig and depmod
and gets them to write information in a temporary location created by dracut.
This gives those domains manage access to these locations.

Write privileges alone were not sufficient as new files were created as well.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/libraries.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 992d105..834b7fe 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -131,6 +131,10 @@ optional_policy(`
')

optional_policy(`
+ dracut_manage_tmp_files(ldconfig_t)
+')
+
+optional_policy(`
puppet_rw_tmp(ldconfig_t)
')
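Review bot: the commit message says ldconfig and depmod are granted manage access, but this hunk only touches ldconfig_t; the depmod_t grant sits in patch 2/5 (modutils.te), so either the message or the split between the patches should be corrected. Daniel Walsh's reply also questions whether the ldconfig_t transition is worth keeping at all; if it stays, the call here has to follow the rename to dracut_manage_tmp() proposed for 3/5.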

--
1.7.3.4

2012-06-24 18:05:44

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 5/5] Allow sysadm_t to call dracut and transition to dracut_t

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bd5a2ea..e5adaad 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -152,6 +152,10 @@ optional_policy(`
')

optional_policy(`
+ dracut_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')

--
1.7.3.4

2012-06-24 19:28:37

by dominick.grift

Subject: [refpolicy] [PATCH v2 1/5] Add read interface for udev rules

On Sun, 2012-06-24 at 20:03 +0200, Sven Vermeulen wrote:
> Applications, such as dracut or other initramfs creators, need read access to
> udev rules to see if they need to pull in additional requirements for the
> initramfs or not. This adds in the udev_read_rules_files() interface for
> this purpose.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/udev.if | 19 +++++++++++++++++++
> 1 files changed, 19 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 025348a..57fd764 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -132,6 +132,25 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
>
> ########################################
> ## <summary>
> +## Read udev rules files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_read_rules_files',`
> + gen_require(`
> + type udev_rules_t;
> + ')
> +

files_search_etc($1)
> + read_files_pattern($1, udev_rules_t, udev_rules_t)
> +')
> +
> +
> +########################################
> +## <summary>
> ## Manage udev rules files
> ## </summary>
> ## <param name="domain">

2012-06-24 19:32:29

by dominick.grift

Subject: [refpolicy] [PATCH v2 2/5] Support listing module configuration files

On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote:
> Dracut, an application that creates an initramfs based on the system's
> requirements, needs to list the module configuration
> files to function. This adds in this interface for this purpose.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/modutils.if | 21 +++++++++++++++++++++
> policy/modules/system/modutils.te | 4 ++++
> 2 files changed, 25 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
> index 350c450..19d328a 100644
> --- a/policy/modules/system/modutils.if
> +++ b/policy/modules/system/modutils.if
> @@ -39,6 +39,27 @@ interface(`modutils_read_module_deps',`
>
> ########################################
> ## <summary>
> +## List the module configuration option files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`modutils_list_module_config',`
> + gen_require(`
> + type modules_conf_t;
> + ')

I doubt that it's listing this just for the sake of listing. You will
probably want to use "modutils_read_module_config()" instead. This also
allows the caller to list.

> + list_dirs_pattern($1, modules_conf_t, modules_conf_t)
> +')
> +
> +
> +
> +########################################
> +## <summary>
> ## Read the configuration options used when
> ## loading modules.
> ## </summary>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index 560d5d9..7607294 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -89,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + dracut_manage_tmp_files(depmod_t)
> +')
> +
> +optional_policy(`
> rpm_rw_pipes(depmod_t)
> rpm_manage_script_tmp_files(depmod_t)
> ')

2012-06-24 19:42:09

by dominick.grift

Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote:
> Running dracut out of the sysadm_t domain doesn't (fully) work on a policy
> without unconfined domains. The calls to depmod, whose output is then
> directed to a tmp location, are denied through this. Instead of granting
> depmod (and other tools) "manage" access to user_tmp_t, we create a separate
> domain for dracut (called dracut_t) and grant these tools management
> access to dracut_tmp_t.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> dracut.fc | 4 +++
> dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> dracut.te | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 149 insertions(+), 0 deletions(-)
> create mode 100644 dracut.fc
> create mode 100644 dracut.if
> create mode 100644 dracut.te
>
> diff --git a/dracut.fc b/dracut.fc
> new file mode 100644
> index 0000000..fca0d67
> --- /dev/null
> +++ b/dracut.fc
> @@ -0,0 +1,4 @@
> +#
> +# /usr
> +#
> +/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
> diff --git a/dracut.if b/dracut.if
> new file mode 100644
> index 0000000..929fffd
> --- /dev/null
> +++ b/dracut.if
> @@ -0,0 +1,69 @@
> +## <summary>Dracut initramfs creation tool</summary>
> +
> +########################################
> +## <summary>
> +## Execute the dracut program in the dracut domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`dracut_domtrans',`
> + gen_require(`
> + type dracut_t, dracut_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, dracut_exec_t, dracut_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute dracut in the dracut domain, and
> +## allow the specified role the dracut domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dracut_run',`
> + gen_require(`
> + type dracut_t;
> + ')
> +
> + dracut_domtrans($1)
> + role $2 types dracut_t;
> +')
> +
> +########################################
> +## <summary>
> +## Allow domain to manage dracut temporary files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dracut_manage_tmp_files',`
> + gen_require(`
> + type dracut_tmp_t;
> + ')
> +
> + files_search_var($1)
> + files_search_tmp($1)
> +
> + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
> + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> +')
This isn't what it says it is. I would probably make it
dracut_manage_tmp()

"Allow", and "dracut" in the description, are obvious; I would make it "Manage
temporary content"

> diff --git a/dracut.te b/dracut.te
> new file mode 100644
> index 0000000..4bd6cb3
> --- /dev/null
> +++ b/dracut.te
> @@ -0,0 +1,76 @@
> +policy_module(dracut, 1.0)
> +
> +type dracut_t;
> +type dracut_exec_t;
> +application_domain(dracut_t, dracut_exec_t)
> +
> +type dracut_var_log_t;
> +logging_log_file(dracut_var_log_t)
> +
> +type dracut_tmp_t;
> +files_tmp_file(dracut_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +allow dracut_t self:process setfscreate;
> +allow dracut_t self:fifo_file rw_fifo_file_perms;
> +allow dracut_t self:unix_stream_socket create_stream_socket_perms;
> +
> +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
I suspect not all these type transitions are needed.

> +
> +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
> +logging_log_filetrans(dracut_t, dracut_var_log_t, file)
> +
> +kernel_read_system_state(dracut_t)
> +
> +corecmd_exec_bin(dracut_t)
> +corecmd_exec_shell(dracut_t)
> +corecmd_read_all_executables(dracut_t)
> +
> +dev_read_sysfs(dracut_t)
> +
> +domain_use_interactive_fds(dracut_t)
> +
> +files_create_kernel_img(dracut_t)
> +files_read_etc_files(dracut_t)
> +files_read_kernel_modules(dracut_t)
> +files_read_usr_files(dracut_t)
> +files_search_pids(dracut_t)
> +
> +fstools_exec(dracut_t)
> +
> +libs_domtrans_ldconfig(dracut_t)
> +libs_exec_ld_so(dracut_t)
> +libs_exec_lib_files(dracut_t)
> +
> +miscfiles_read_localization(dracut_t)
> +
> +modutils_exec_depmod(dracut_t)
> +modutils_exec_insmod(dracut_t)
> +modutils_list_module_config(dracut_t)
Redundant: this is already allowed with modutils_read_module_config()

> +modutils_read_module_config(dracut_t)
> +modutils_read_module_deps(dracut_t)
> +
> +mount_exec(dracut_t)
> +
> +seutil_exec_setfiles(dracut_t)
So you allow it to run setfiles in the dracut domain, but you don't allow
the dracut domain to relabelfrom and -to anything?

> +
> +udev_exec(dracut_t)
> +udev_read_rules_files(dracut_t)
> +
> +userdom_use_user_terminals(dracut_t)
> +
> +optional_policy(`
> + dmesg_exec(dracut_t)
> +')
> +
> +optional_policy(`
> + lvm_exec(dracut_t)
> + lvm_read_config(dracut_t)
> +')
> +

2012-06-25 08:24:24

by mgrepl

Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On 06/24/2012 09:42 PM, Dominick Grift wrote:
> On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote:
>> Running dracut out of the sysadm_t domain doesn't (fully) work on a policy
>> without unconfined domains. The calls to depmod, whose output is then
>> directed to a tmp location, are denied through this. Instead of granting
>> depmod (and other tools) "manage" access to user_tmp_t, we create a separate
>> domain for dracut (called dracut_t) and grant these tools management
>> access to dracut_tmp_t.
>>
>> Signed-off-by: Sven Vermeulen<[email protected]>
>> ---
>> dracut.fc | 4 +++
>> dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> dracut.te | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> 3 files changed, 149 insertions(+), 0 deletions(-)
>> create mode 100644 dracut.fc
>> create mode 100644 dracut.if
>> create mode 100644 dracut.te
>>
>> diff --git a/dracut.fc b/dracut.fc
>> new file mode 100644
>> index 0000000..fca0d67
>> --- /dev/null
>> +++ b/dracut.fc
>> @@ -0,0 +1,4 @@
>> +#
>> +# /usr
>> +#
>> +/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
>> diff --git a/dracut.if b/dracut.if
>> new file mode 100644
>> index 0000000..929fffd
>> --- /dev/null
>> +++ b/dracut.if
>> @@ -0,0 +1,69 @@
>> +##<summary>Dracut initramfs creation tool</summary>
>> +
>> +########################################
>> +##<summary>
>> +## Execute the dracut program in the dracut domain.
>> +##</summary>
>> +##<param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +##</param>
>> +#
>> +interface(`dracut_domtrans',`
>> + gen_require(`
>> + type dracut_t, dracut_exec_t;
>> + ')
>> +
>> + corecmd_search_bin($1)
>> + domtrans_pattern($1, dracut_exec_t, dracut_t)
>> +')
>> +
>> +########################################
>> +##<summary>
>> +## Execute dracut in the dracut domain, and
>> +## allow the specified role the dracut domain.
>> +##</summary>
>> +##<param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +##</param>
>> +##<param name="role">
>> +## <summary>
>> +## Role allowed access.
>> +## </summary>
>> +##</param>
>> +#
>> +interface(`dracut_run',`
>> + gen_require(`
>> + type dracut_t;
>> + ')
>> +
>> + dracut_domtrans($1)
>> + role $2 types dracut_t;
>> +')
>> +
>> +########################################
>> +##<summary>
>> +## Allow domain to manage dracut temporary files
>> +##</summary>
>> +##<param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +##</param>
>> +#
>> +interface(`dracut_manage_tmp_files',`
>> + gen_require(`
>> + type dracut_tmp_t;
>> + ')
>> +
>> + files_search_var($1)
>> + files_search_tmp($1)
>> +
>> + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
>> + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
>> + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
>> +')
> This isn't what it says it is. I would probably make it
> dracut_manage_tmp()
>
> "Allow", and "dracut" in the description, are obvious; I would make it "Manage
> temporary content"
>
>> diff --git a/dracut.te b/dracut.te
>> new file mode 100644
>> index 0000000..4bd6cb3
>> --- /dev/null
>> +++ b/dracut.te
>> @@ -0,0 +1,76 @@
>> +policy_module(dracut, 1.0)
>> +
>> +type dracut_t;
>> +type dracut_exec_t;
>> +application_domain(dracut_t, dracut_exec_t)
>> +
>> +type dracut_var_log_t;
>> +logging_log_file(dracut_var_log_t)
>> +
>> +type dracut_tmp_t;
>> +files_tmp_file(dracut_tmp_t)
>> +
>> +########################################
>> +#
>> +# Local policy
>> +#
>> +allow dracut_t self:process setfscreate;
>> +allow dracut_t self:fifo_file rw_fifo_file_perms;
>> +allow dracut_t self:unix_stream_socket create_stream_socket_perms;
>> +
>> +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
>> +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
>> +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
>> +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
> I suspect not all these type transitions are needed.
>
>> +
>> +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
>> +logging_log_filetrans(dracut_t, dracut_var_log_t, file)
>> +
>> +kernel_read_system_state(dracut_t)
>> +
>> +corecmd_exec_bin(dracut_t)
>> +corecmd_exec_shell(dracut_t)
>> +corecmd_read_all_executables(dracut_t)
>> +
>> +dev_read_sysfs(dracut_t)
>> +
>> +domain_use_interactive_fds(dracut_t)
>> +
>> +files_create_kernel_img(dracut_t)
>> +files_read_etc_files(dracut_t)
>> +files_read_kernel_modules(dracut_t)
>> +files_read_usr_files(dracut_t)
>> +files_search_pids(dracut_t)
>> +
>> +fstools_exec(dracut_t)
>> +
>> +libs_domtrans_ldconfig(dracut_t)
>> +libs_exec_ld_so(dracut_t)
>> +libs_exec_lib_files(dracut_t)
>> +
>> +miscfiles_read_localization(dracut_t)
>> +
>> +modutils_exec_depmod(dracut_t)
>> +modutils_exec_insmod(dracut_t)
>> +modutils_list_module_config(dracut_t)
> Redundant: this is already allowed with modutils_read_module_config()
>
>> +modutils_read_module_config(dracut_t)
>> +modutils_read_module_deps(dracut_t)
>> +
>> +mount_exec(dracut_t)
>> +
>> +seutil_exec_setfiles(dracut_t)
> So you allow it to run setfiles in the dracut domain, but you don't allow
> the dracut domain to relabelfrom and -to anything?
I believe dracut should stay an unconfined domain. Also you probably
will see other domains which want to execute dracut. And I would
think transitions will be needed rather than just executing apps in the
dracut domain.
>
>> +
>> +udev_exec(dracut_t)
>> +udev_read_rules_files(dracut_t)
>> +
>> +userdom_use_user_terminals(dracut_t)
>> +
>> +optional_policy(`
>> + dmesg_exec(dracut_t)
>> +')
>> +
>> +optional_policy(`
>> + lvm_exec(dracut_t)
>> + lvm_read_config(dracut_t)
>> +')
>> +
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2012-06-25 08:36:22

by dominick.grift

Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On Mon, 2012-06-25 at 10:24 +0200, Miroslav Grepl wrote:

> >> +seutil_exec_setfiles(dracut_t)
> > So you allow it to run setfiles in the dracut domain, but you don't allow
> > the dracut domain to relabelfrom and -to anything?
> I believe dracut should stay an unconfined domain. Also you probably
> will see other domains which want to execute dracut. And I would
> think transitions will be needed rather than just executing apps in the
> dracut domain.

But what about MLS? MLS doesn't have the luxury of unconfined domains.

Also it's easy enough to append unconfined_domain(dracut_t) for stable
releases only and in the meantime try to perfect the confined dracut
domain in test releases as much as possible.

2012-06-25 13:42:26

by Daniel Walsh

Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/25/2012 04:36 AM, Dominick Grift wrote:
> On Mon, 2012-06-25 at 10:24 +0200, Miroslav Grepl wrote:
>
>>>> +seutil_exec_setfiles(dracut_t)
>>> So you allow it to run setfiles in the dracut domain, but you don't
>>> allow the dracut domain to relabelfrom and -to anything?
>> I believe dracut should stay an unconfined domain. Also you probably will
>> see other domains which want to execute dracut. And I would think
>> transitions will be needed rather than just executing apps in the dracut
>> domain.
>
> But what about MLS? MLS doesn't have the luxury of unconfined domains.
>
> Also it's easy enough to append unconfined_domain(dracut_t) for stable
> releases only and in the meantime try to perfect the confined dracut domain
> in test releases as much as possible.
>
>
>
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
If we are only going to allow dracut to fix the labels on /dev and /run you
can add the rules for relabelfrom/relabelto. If it needs to do more, maybe a
transition to setfiles_t is necessary.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/oasIACgkQrlYvE4MpobPBdACgy4uhK1mxovyBhzgqcJA9OZTc
NX4AoI5Le6yrK8B9b3VmCvQNlgjN5e1J
=77/O
-----END PGP SIGNATURE-----

2012-06-25 13:44:24

by Daniel Walsh

Subject: [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/24/2012 02:05 PM, Sven Vermeulen wrote:
> The dracut application calls, amongst other applications, ldconfig and
> depmod and gets them to write information in a temporary location created
> by dracut. This gives those domains manage access to these locations.
>
> Write privileges alone were not sufficient as new files were created as
> well.
>
> Signed-off-by: Sven Vermeulen <[email protected]> ---
> policy/modules/system/libraries.te | 4 ++++ 1 files changed, 4
> insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/libraries.te
> b/policy/modules/system/libraries.te index 992d105..834b7fe 100644 ---
> a/policy/modules/system/libraries.te +++
> b/policy/modules/system/libraries.te @@ -131,6 +131,10 @@
> optional_policy(` ')
>
> optional_policy(` + dracut_manage_tmp_files(ldconfig_t) +') +
> +optional_policy(` puppet_rw_tmp(ldconfig_t) ')
>
>
Don't transition to ldconfig_t, it is a crappy domain with little value. Just
add the filename trans rules for dracut and then we don't end up with this kind
of nonsense.

I wish ldconfig_t and consoletype_t... and any other domain invented to
maintain labeling would just disappear, they just generate bug reports without
adding any security.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/oazgACgkQrlYvE4MpobNPMQCg1OJ8RGrrsYMa9a+w+JTQEmxI
VDEAoNE6D3FgqKlxgLHqRuEPNA0N4wj6
=gp0p
-----END PGP SIGNATURE-----

2012-06-25 14:31:47

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On Sun, Jun 24, 2012 at 09:42:09PM +0200, Dominick Grift wrote:
> > +########################################
> > +## <summary>
> > +## Allow domain to manage dracut temporary files
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dracut_manage_tmp_files',`
> > + gen_require(`
> > + type dracut_tmp_t;
> > + ')
> > +
> > + files_search_var($1)
> > + files_search_tmp($1)
> > +
> > + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > +')
> This isn't what it says it is. I would probably make it
> dracut_manage_tmp()
>
> "Allow", and "dracut" in the description, are obvious; I would make it "Manage
> temporary content"

Ok

> > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
> I suspect not all these type transitions are needed.

I think they were. Dracut generated a temporary directory in which it
positioned whatever information it needed to generate an initramfs. I'm not
sure about the lnk_file, so I'll try again to verify (I'll just add in a
temporary auditallow to make sure locally ;-)

> > +modutils_exec_depmod(dracut_t)
> > +modutils_exec_insmod(dracut_t)
> > +modutils_list_module_config(dracut_t)
> Redundant: this is already allowed with modutils_read_module_config()

Ok

> > +modutils_read_module_config(dracut_t)
> > +modutils_read_module_deps(dracut_t)
> > +
> > +mount_exec(dracut_t)
> > +
> > +seutil_exec_setfiles(dracut_t)
> So you allow it to run setfiles in the dracut domain, but you don't allow
> the dracut domain to relabelfrom and -to anything?

It's not about executing; dracut uses "ldd" to scan for libraries it needs
in the initramfs. But using "ldd" means that ldd (underlyingly) executes the
files. Hence, the need for _exec (but not for _domtrans or functionality).

Wkr,
Sven Vermeulen
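The "temporary auditallow" check mentioned above, written out as an added example (this is not code from the thread or from refpolicy; the module name is invented): a throwaway local module that makes the policy log every symlink and directory-entry access that dracut_t is already permitted on dracut_tmp_t. If no "granted" AVC records show up after a dracut run, the lnk_file rules and the lnk_file type transition in dracut.te are never exercised and can be dropped.

```selinux
# Added example, not part of the submitted patches: a temporary module to
# confirm whether dracut_t really creates or manages symlinks in dracut_tmp_t.
policy_module(dracut_verify, 1.0)

gen_require(`
	type dracut_t, dracut_tmp_t;
')

# auditallow grants nothing by itself: it only logs accesses that the loaded
# policy already permits. Each hit appears in the audit log as an AVC record
# marked "granted" instead of "denied".
auditallow dracut_t dracut_tmp_t:lnk_file { create read unlink rename };

# Also record directory-entry changes, to see whether the dir part of the
# files_tmp_filetrans() rule is actually used.
auditallow dracut_t dracut_tmp_t:dir { create add_name remove_name };
```

Build it with the refpolicy module Makefile, load it, run dracut once, then search the audit log for AVC records containing "granted" (for example with `ausearch -m avc`), and remove the module again afterwards; it is a measurement aid, not something to leave in a shipped policy.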

2012-06-25 14:35:06

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On Mon, Jun 25, 2012 at 10:24:24AM +0200, Miroslav Grepl wrote:
> I believe dracut should stay an unconfined domain. Also you probably
> will see other domains which want to execute dracut. And I would
> think transitions will be needed rather than just executing apps in the
> dracut domain.

I don't mind people or organizations opting to use unconfined domains, but I
strive to run all applications, services and users in a confined manner. It
is easy enough, like Dominick said, to add an optional unconfined_domain()
to make us all happy ;-)

Wkr,
Sven Vermeulen

2012-06-25 14:49:06

by dominick.grift

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy


> > > +seutil_exec_setfiles(dracut_t)
> > So you allow it to run setfiles in the dracut domain, but you don't allow
> > the dracut domain to relabelfrom and -to anything?
>
> It's not about executing; dracut uses "ldd" to scan for libraries it needs
> in the initramfs. But using "ldd" means that ldd (under the hood) executes the
> files. Hence the need for _exec (but not for _domtrans or functionality).
>

I think you want mmap ( create a seutil_check_exec_setfiles() or
something)

mmap provides only execute
exec provides execute as well as execute_no_trans

I think that, if I understand you correctly, it doesn't need the
execute_no_trans
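
To make the execute versus execute_no_trans distinction concrete, here is an added sketch of a mmap-only seutil interface next to what the existing exec interface expands to. This is example code written for this page, not part of the posted patch series or of refpolicy; the interface name seutil_mmap_setfiles_exec is assumed, and the permission-set contents quoted in the comments are the refpolicy definitions of mmap_file_perms and can_exec() as of the time of this thread, which should be checked against obj_perm_sets.spt and misc_patterns.spt in your own tree.

```m4
########################################
## <summary>
##	Map the setfiles executable into the caller's
##	address space without permission to execute it
##	as a program (enough for ldd-style inspection).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_mmap_setfiles_exec',`
	gen_require(`
		type setfiles_exec_t;
	')

	corecmd_search_bin($1)
	# mmap_file_perms is { getattr open read execute }: the dynamic
	# loader may mmap() the binary PROT_EXEC, but execve() of it from
	# this domain is still denied because execute_no_trans is absent
	# and no domain transition to setfiles_t is defined here.
	allow $1 setfiles_exec_t:file mmap_file_perms;
')

# For contrast, seutil_exec_setfiles() is built on can_exec(), which
# expands to roughly:
#   allow $1 setfiles_exec_t:file { mmap_file_perms ioctl lock execute_no_trans };
# i.e. the caller may additionally run setfiles in its own domain.
# In dracut.te the mmap variant is the one that matches the ldd use case:
#
#   seutil_mmap_setfiles_exec(dracut_t)
#
# If an execute_no_trans denial shows up afterwards, dracut really does
# execute setfiles and should call seutil_domtrans_setfiles() instead,
# so that the relabelling runs in setfiles_t rather than in dracut_t.
```

The same test applies to any other _exec interface that was added only because ldd touches the binary: swap it for a mmap-only rule and watch for an execute_no_trans denial, which is the signal that the program is genuinely run rather than just inspected.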

2012-06-25 14:53:29

by dominick.grift

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On Mon, 2012-06-25 at 16:49 +0200, Dominick Grift wrote:
> > > > +seutil_exec_setfiles(dracut_t)
> > > So you allow it to run setfiles in the dracut domain, but you dont allow
> > > the dracut domain to relabelfrom and -to anything?
> >
> > It's not about executing; dracut uses "ldd" to scan for libraries it needs
> > in the initramfs. But using "ldd" means that ldd (underlyingly) executes the
> > files. Hence, the need for _exec (but not for _domtrans or functionality).
> >
>
> I think you want mmap ( create a seutil_check_exec_setfiles() or
> something)
>
> mmap provides only execute
> exec provides execute as well as execute_no_trans
>
> I think that, if I understand you correctly, it doesn't need the
> execute_no_trans
>

but nevertheless, push comes to shove, dracut should probably optionally
be allowed to (really) execute setfiles and be allowed to
dev_relabel_all_devices

In at least old fedora it mounts /sysroot/dev, restores context of /dev
and then loads policy (if I am not mistaken)


2012-06-25 15:29:27

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy


On 06/25/2012 10:53 AM, Dominick Grift wrote:
> On Mon, 2012-06-25 at 16:49 +0200, Dominick Grift wrote:
>>>>> +seutil_exec_setfiles(dracut_t)
>>>> So you allow it to run setfiles in the dracut domain, but you don't
>>>> allow the dracut domain to relabelfrom and -to anything?
>>>
>>> It's not about executing; dracut uses "ldd" to scan for libraries it
>>> needs in the initramfs. But using "ldd" means that ldd (under the hood)
>>> executes the files. Hence the need for _exec (but not for _domtrans or
>>> functionality).
>>>
>>
>> I think you want mmap ( create a seutil_check_exec_setfiles() or
>> something)
>>
>> mmap provides only execute exec provides execute as well as
>> execute_no_trans
>>
>> I think that, if I understand you correctly, it doesn't need the
>> execute_no_trans
>>
>
> but nevertheless, push comes to shove, dracut should probably optionally be
> allowed to (really) execute setfiles and be allowed to
> dev_relabel_all_devices
>
> In at least old fedora it mounts /sysroot/dev, restores context of /dev and
> then loads policy (if I am not mistaken)

Yes although I think that is being done by systemd or systemd-udev now.

2012-06-25 16:29:11

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On Mon, Jun 25, 2012 at 04:53:29PM +0200, Dominick Grift wrote:
> > I think you want mmap ( create a seutil_check_exec_setfiles() or
> > something)
> >
> > mmap provides only execute
> > exec provides execute as well as execute_no_trans
> >
> > I think that, if I understand you correctly, it doesn't need the
> > execute_no_trans
> >
>
> but nevertheless, push comes to shove, dracut should probably optionally
> be allowed to (really) execute setfiles and be allowed to
> dev_relabel_all_devices
>
> In at least old fedora it mounts /sysroot/dev, restores context of /dev
> and then loads policy (if I am not mistaken)

Thanks for the mmap hint, didn't know there was something like that.

Regarding the policy allowing executing - dracut_t is about the dracut
application. The initramfs itself doesn't run in dracut_t, but in init_t or
kernel_t (depending on when the policy itself is loaded)...

Wkr,
Sven Vermeulen

2012-06-25 16:36:26

by dominick.grift

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On Mon, 2012-06-25 at 18:29 +0200, Sven Vermeulen wrote:
> On Mon, Jun 25, 2012 at 04:53:29PM +0200, Dominick Grift wrote:
> > > I think you want mmap ( create a seutil_check_exec_setfiles() or
> > > something)
> > >
> > > mmap provides only execute
> > > exec provides execute as well as execute_no_trans
> > >
> > > I think that, if I understand you correctly, it doesn't need the
> > > execute_no_trans
> > >
> >
> > but nevertheless, push comes to shove, dracut should probably optionally
> > be allowed to (really) execute setfiles and be allowed to
> > dev_relabel_all_devices
> >
> > In at least old fedora it mounts /sysroot/dev, restores context of /dev
> > and then loads policy (if I am not mistaken)
>
> Thanks for the mmap hint, didn't know there was something like that.
>
> Regarding the policy allowing executing - dracut_t is about the dracut
> application. The initramfs itself doesn't run in dracut_t, but in init_t or
> kernel_t (depending on when the policy itself is loaded)...

Whoops, yes, that's right, kernel_t I guess...

2012-06-25 20:38:18

by sven.vermeulen

[permalink] [raw]
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy

On Sun, Jun 24, 2012 at 09:42:09PM +0200, Dominick Grift wrote:
> > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
> I suspect not all these type transitions are needed.

Indeed, dir is sufficient on the type transition. Dracut creates a temporary
working directory in /var/tmp in which it pregenerates its initramfs
environment.

The manage_* stuff needs to be elaborated a bit though (including chr_file
support at least).

> > +modutils_list_module_config(dracut_t)
> redundant this is already allowed with modutils_read_module_config()

It's not.

In modutils_read_module_config, you have search privileges in the directory,
but not listing privileges. Dracut needs listing privileges, as it uses
something like "find /etc/modprobe.d" in its internal operations.

I could add in list_dirs_pattern() in the modutils_read_module_config(), but
then that would enlarge the privileges for other domains that have this
(which is about 12 domains on my system).

Wkr,
Sven Vermeulen
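
Pulling together the points from this message and the earlier review (the interface rename to dracut_manage_tmp, the dir-only type transition, the chr_file requirement, the list versus search distinction on the module configuration directory, and the temporary auditallow used to verify symlink creation), here is an added sketch of how the affected pieces of dracut.if, modutils.if and dracut.te could look after the review. This is example code written for this page, not the posted patch and not refpolicy's own code; the body of modutils_list_module_config is assumed, since patch 2/5 is not reproduced here, and the permission-set contents quoted in the comments are refpolicy's definitions at the time of this thread and should be checked against your tree.

```m4
# --- dracut.if: renamed per review, described as "Manage temporary content" ---
########################################
## <summary>
##	Manage dracut temporary content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dracut_manage_tmp',`
	gen_require(`
		type dracut_tmp_t;
	')

	files_search_tmp($1)
	manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
	manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
	manage_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
')

# --- modutils.if: listing is not implied by reading (assumed body) ---
########################################
## <summary>
##	List the module configuration directory
##	(e.g. for a find over /etc/modprobe.d).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`modutils_list_module_config',`
	gen_require(`
		type modules_conf_t;
	')

	files_search_etc($1)
	# list_dirs_pattern() grants list_dir_perms on the directory,
	# { getattr search open read lock ioctl }, whereas the
	# read_files_pattern() behind modutils_read_module_config()
	# only grants search_dir_perms, { getattr search open }.
	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
')

# --- dracut.te: temporary working tree under /var/tmp ---
type dracut_tmp_t;
files_tmp_file(dracut_tmp_t)

# Only the top-level directory needs a type transition; everything
# dracut creates below it inherits dracut_tmp_t from its parent.
files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)
manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
# the pregenerated initramfs tree also contains device nodes
manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)

modutils_read_module_config(dracut_t)
# not redundant: adds list_dir_perms on modules_conf_t, see above
modutils_list_module_config(dracut_t)

# Development-only check for whether lnk_file is actually used:
# auditallow logs *granted* accesses, so a hit in audit.log proves
# dracut creates symlinks in the working tree; drop it before committing.
auditallow dracut_t dracut_tmp_t:lnk_file create;
```

Keeping the list permission in its own interface rather than widening modutils_read_module_config() is the conservative choice for the reason given above: the read interface is already used by a dozen domains on a typical system, and none of them has demonstrated a need to enumerate /etc/modprobe.d.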