This patch updates the shutdown module.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/shutdown.te | 4 ++++
1 file changed, 4 insertions(+)
--- a/policy/modules/contrib/shutdown.te 2016-08-06 21:27:11.424095136 +0200
+++ b/policy/modules/contrib/shutdown.te 2016-12-19 15:19:36.371471150 +0100
@@ -27,6 +27,7 @@ files_pid_file(shutdown_var_run_t)
allow shutdown_t self:capability { dac_override kill setuid sys_nice
sys_tty_config };
allow shutdown_t self:process { setsched signal signull };
allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_dgram_socket create_socket_perms;
allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
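Review bot: the only added line in this hunk, `+allow shutdown_t self:unix_dgram_socket create_socket_perms;`, comes with no rationale, and the commit message says only that the patch "updates the shutdown module". State which shutdown-time operation needs a datagram socket; if it is for sending messages to syslog, use the logging module's `logging_send_syslog_msg()` interface rather than a raw self rule, so the permission stays tied to the interface that documents it.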
@@ -35,6 +36,7 @@ files_etc_filetrans(shutdown_t, shutdown
manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+kernel_mounton_proc_dirs(shutdown_t)
kernel_read_system_state(shutdown_t)
domain_use_interactive_fds(shutdown_t)
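Review bot: `+kernel_mounton_proc_dirs(shutdown_t)` grants only the `dir mounton` permission on proc directories, but nothing in the module lets shutdown_t mount the proc filesystem itself: there is no mount interface, and `sys_admin` is absent from the `allow shutdown_t self:capability { ... }` set in the previous hunk. A process in this domain therefore still cannot perform the mount this line prepares for. Either add the matching mount permission (with the reason in the commit message) or drop this line if the mount is not meant to be allowed.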
@@ -42,6 +44,8 @@ domain_use_interactive_fds(shutdown_t)
files_delete_boot_flag(shutdown_t)
files_read_generic_pids(shutdown_t)
+fs_getattr_xattr_fs(shutdown_t)
+
mls_file_write_to_clearance(shutdown_t)
term_use_all_terms(shutdown_t)
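Review bot: `+fs_getattr_xattr_fs(shutdown_t)` is unexplained. Say in the commit message which shutdown-time call needs getattr on the filesystem; if the program only probes it and does not need the call to succeed, silence the denial with a dontaudit rule instead of granting the permission.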
On Tue, 27 Dec 2016 23:21:26 +0100 (CET)
Guido Trentalancia via refpolicy <[email protected]> wrote:
> --- a/policy/modules/contrib/shutdown.te 2016-08-06
> 21:27:11.424095136 +0200 +++
> b/policy/modules/contrib/shutdown.te 2016-12-19
> @@ -35,6 +36,7 @@ files_etc_filetrans(shutdown_t, shutdown
> manage_files_pattern(shutdown_t, shutdown_var_run_t,
> shutdown_var_run_t) files_pid_filetrans(shutdown_t,
> shutdown_var_run_t, file)
> +kernel_mounton_proc_dirs(shutdown_t)
> kernel_read_system_state(shutdown_t)
What's that for?
Regards,
Luis Ressel
Hello.
When the system is shutting down, killall5 from sysvinit is called (of course, on those systems using sysvinit) to kill all processes. Killall5 then mounts and reads the /proc filesystem to get the list of processes.
I hope this helps.
Regards,
Guido
> On the 27th December 2016 at 23.40 Luis Ressel <[email protected]> wrote:
>
>
> On Tue, 27 Dec 2016 23:21:26 +0100 (CET)
> Guido Trentalancia via refpolicy <[email protected]> wrote:
>
> > --- a/policy/modules/contrib/shutdown.te 2016-08-06
> > 21:27:11.424095136 +0200 +++
> > b/policy/modules/contrib/shutdown.te 2016-12-19
> > @@ -35,6 +36,7 @@ files_etc_filetrans(shutdown_t, shutdown
> > manage_files_pattern(shutdown_t, shutdown_var_run_t,
> > shutdown_var_run_t) files_pid_filetrans(shutdown_t,
> > shutdown_var_run_t, file)
> > +kernel_mounton_proc_dirs(shutdown_t)
> > kernel_read_system_state(shutdown_t)
>
> What's that for?
>
> Regards,
> Luis Ressel
On 12/27/16 18:26, Guido Trentalancia via refpolicy wrote:
> Hello.
>
> When the system is shutting down, killall5 from sysvinit is called (of course, on those systems using sysvinit) to kill all processes. Killall5 then mounts and reads the /proc filesystem to get the list of processes.
If that's the case, then the patch is incomplete, as shutdown_t has no
mounting permissions.
>> On the 27th December 2016 at 23.40 Luis Ressel <[email protected]> wrote:
>>
>>
>> On Tue, 27 Dec 2016 23:21:26 +0100 (CET)
>> Guido Trentalancia via refpolicy <[email protected]> wrote:
>>
>>> --- a/policy/modules/contrib/shutdown.te 2016-08-06
>>> 21:27:11.424095136 +0200 +++
>>> b/policy/modules/contrib/shutdown.te 2016-12-19
>>> @@ -35,6 +36,7 @@ files_etc_filetrans(shutdown_t, shutdown
>>> manage_files_pattern(shutdown_t, shutdown_var_run_t,
>>> shutdown_var_run_t) files_pid_filetrans(shutdown_t,
>>> shutdown_var_run_t, file)
>>> +kernel_mounton_proc_dirs(shutdown_t)
>>> kernel_read_system_state(shutdown_t)
>>
>> What's that for?
>>
>> Regards,
>> Luis Ressel
--
Chris PeBenito
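As an added illustration of the point above (example code written for this page, not code from refpolicy or from anyone on the thread): a small Python check that parses constructed AVC denials for shutdown_t and compares what each version of the patch grants against the three permissions a domain needs before a mount of /proc can succeed. The audit lines and the PATCH_V*_GRANTS sets are constructed for the example; the three required checks are the ones the kernel and SELinux apply to mount(2).

```python
import re

# A domain must pass three checks to mount a filesystem (here killall5 in
# shutdown_t mounting /proc), expressed as (tclass, permission): mounton on
# the mount-point directory, mount on the filesystem, and CAP_SYS_ADMIN,
# which mount(2) requires regardless of SELinux.
REQUIRED_FOR_MOUNT = {
    ("dir", "mounton"),
    ("filesystem", "mount"),
    ("capability", "sys_admin"),
}

# What each patch version on this thread grants, in the same terms.
# v1: kernel_mounton_proc_dirs() only.
# v2: adds kernel_mount_proc(), but only dontaudits sys_admin, so it is not granted.
PATCH_V1_GRANTS = {("dir", "mounton")}
PATCH_V2_GRANTS = {("dir", "mounton"), ("filesystem", "mount")}

# Constructed AVC denials in audit.log format (not from a real system); the last
# line belongs to another domain and must be ignored when we ask about shutdown_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1482877286.001:101): avc:  denied  { mounton } for  pid=812 comm="killall5" path="/proc" dev="dm-0" ino=17 scontext=system_u:system_r:shutdown_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1482877286.001:102): avc:  denied  { mount } for  pid=812 comm="killall5" name="/" dev="proc" ino=1 scontext=system_u:system_r:shutdown_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1482877286.001:103): avc:  denied  { sys_admin } for  pid=812 comm="killall5" capability=21 scontext=system_u:system_r:shutdown_t:s0 tcontext=system_u:system_r:shutdown_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1482877286.002:104): avc:  denied  { read } for  pid=813 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Pull the denied permission list, the source domain and the target class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<sdomain>\w+):.*?tclass=(?P<tclass>\w+)"
)


def denied_perms(audit_text, domain):
    """Return the set of (tclass, permission) pairs denied to `domain` in the log."""
    denied = set()
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("sdomain") == domain:
            for perm in m.group("perms").split():
                denied.add((m.group("tclass"), perm))
    return denied


def missing_to_mount(granted):
    """Given the (tclass, permission) pairs a policy grants, return what the domain
    still lacks before a mount can succeed; an empty set means the policy is complete."""
    return REQUIRED_FOR_MOUNT - set(granted)
```

Running `missing_to_mount(PATCH_V1_GRANTS)` reports both the filesystem mount and sys_admin as missing; the v2 set still lacks sys_admin, which is the capability the v2 patch chooses to dontaudit.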
This patch updates the shutdown module for better compatibility
with sysvinit.
Requires the kernel_mount_proc() interface from the following
recently submitted init patch (v2):
http://oss.tresys.com/pipermail/refpolicy/2016-December/008873.html
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/shutdown.te | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff -pru a/policy/modules/contrib/shutdown.te b/policy/modules/contrib/shutdown.te
--- a/policy/modules/contrib/shutdown.te 2016-12-22 23:12:59.398081952 +0100
+++ b/policy/modules/contrib/shutdown.te 2016-12-29 22:42:10.724110198 +0100
@@ -25,8 +25,10 @@ files_pid_file(shutdown_var_run_t)
#
allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
+dontaudit shutdown_t self:capability sys_admin;
allow shutdown_t self:process { setsched signal signull };
allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_dgram_socket create_socket_perms;
allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
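Review bot: `+dontaudit shutdown_t self:capability sys_admin;` works against the next hunk, which adds `kernel_mount_proc(shutdown_t)` so that killall5 can mount /proc: mount(2) requires CAP_SYS_ADMIN, so with `sys_admin` merely dontaudited the mount still fails, and now fails without an audit record, which makes the problem hard to diagnose. If the mount is meant to succeed, `sys_admin` belongs in the `allow shutdown_t self:capability { ... }` set on the line above; if it is not, drop the mount interfaces rather than hide the denial.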
@@ -35,13 +37,17 @@ files_etc_filetrans(shutdown_t, shutdown
manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+kernel_mount_proc(shutdown_t)
+kernel_mounton_proc_dirs(shutdown_t)
kernel_read_system_state(shutdown_t)
domain_use_interactive_fds(shutdown_t)
-files_delete_boot_flag(shutdown_t)
+files_create_boot_flag(shutdown_t)
files_read_generic_pids(shutdown_t)
+fs_getattr_xattr_fs(shutdown_t)
+
mls_file_write_to_clearance(shutdown_t)
term_use_all_terms(shutdown_t)
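Review bot: the `-files_delete_boot_flag(shutdown_t)` / `+files_create_boot_flag(shutdown_t)` swap is not mentioned in the commit message, which only covers sysvinit compatibility. Confirm that the create interface still carries the delete permission the removed line granted, otherwise shutdown loses the ability to remove the boot flag it used to delete, and describe the change in the message. Also, `+kernel_mount_proc(shutdown_t)` depends on the init patch linked in the message, so this patch must be applied after that one or the module fails to build on the unknown interface.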