2016-12-27 22:16:46

by guido

Subject: [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call

The aim of this patch is to start securing the init module so
that it can run in confined mode instead of in the most unsafe
unconfined mode.

At the moment it has been fully tested only with sysvinit.

Testing with other init daemons is needed before this is
released, so a "permissive" statement has been added in
order to log further needed permissions during this testing
phase (with systemd, upstart, and so on).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 26 ++++++++++++++++++++++----
3 files changed, 58 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`

########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
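Review bot: dev_mount_sysfs grants only `filesystem mount` on sysfs_t, with no unmount counterpart, whereas kernel.if (see the next hunk's context) already pairs kernel_mount_proc with an existing kernel_unmount_proc. If init is expected to tear sysfs down as well as set it up, add a matching dev_unmount_sysfs in the same style; if not, say so in the summary so the asymmetry is deliberate rather than an oversight. Placement and XML documentation otherwise follow the surrounding interfaces.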
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`

########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
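Review bot: the summary "Mount the proc filesystem." describes only the `filesystem mount` check on proc_t; the caller also needs `mounton` on the mount-point directory, which the init.te hunk supplies separately via kernel_mounton_proc_dirs. A sentence in the summary pointing callers at that companion interface would stop future users of kernel_mount_proc from picking up one half of the pair. Inserting the interface directly above kernel_unmount_proc keeps the mount/unmount pair adjacent, which is good.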
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };

+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
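Review bot: the two new calls carry no comment explaining why init_t mounts /proc, while the rest of this block annotates such additions ("# Early devtmpfs" a few lines below). The commit message says this was only exercised with sysvinit, so a one-line comment naming the trigger, plus the AVC denial quoted in the commit message, would let a reviewer decide whether the rule belongs unconditionally in init_t or under a sysvinit-specific branch next to the existing ifdef(`init_systemd') block. Minor style point: if the file's alphabetical ordering is to be kept, kernel_mount_proc sorts before kernel_mounton_proc_dirs.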
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
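Review bot: same remarks as for the proc pair: dev_mounton_sysfs/dev_mount_sysfs are added without a comment and without the denial that motivated them, and dev_mount_sysfs sorts before dev_mounton_sysfs if the block's alphabetical order is to be kept. Since init_t already has dev_read_sysfs, stating in a comment that init mounts sysfs itself during early boot (rather than relying on an initramfs or rc script) would make the addition reviewable.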
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)

+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
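Review bot: fs_getattr_xattr_fs(init_t) is the one addition in this patch that the commit message does not mention at all. It is a low-risk statfs-style permission on fs_t, but it should still be tied to an observed denial; a short comment saying what init queries (the root filesystem, presumably) would suffice.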
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)

+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)

term_use_all_terms(init_t)
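Review bot: selinux_load_policy(init_t) is the most consequential line in the patch and is justified only by "needed by sysvinit". A domain allowed load_policy can replace the running policy wholesale, so it should be established that the denial really occurs in init_t: if sysvinit loads the initial policy, no policy is loaded at that moment and the process has not yet transitioned into init_t, so a rule for init_t could only be exercised by a later (re)load after the transition. Please quote the AVC message(s) in the commit message, and if the load only happens on sysvinit systems without an initramfs, consider gating the rule rather than granting it to every init_t. selinux_mount_fs is the natural companion (selinuxfs must be mounted before a load) and stands or falls with it.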
@@ -190,6 +197,21 @@ seutil_read_config(init_t)

miscfiles_read_localization(init_t)

+# Before moving to an init module which does
+# not call unconfined_domain(), we test
+# to discover possible side-effects, by
+# temporarily using the "permissive"
+# statement which logs further needed
+# permissions...
+#
+# The current module has already been
+# fully tested with sysvinit.
+#
+# The following line should be removed
+# as soon as the module has been tested
+# with the other init daemons.
+permissive init_t;
+
ifdef(`init_systemd',`
# handle instances where an old labeled init script is encountered.
typeattribute init_t init_run_all_scripts_domain;
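Review bot: `permissive init_t;` must not go into the master branch. It makes the whole init domain unenforced for everyone who builds this policy, including users who deliberately do not load the unconfined module and today get an enforced init_t; that is a larger regression than the unconfined_domain() call being removed, which at least sits inside an optional_policy block. A temporary debugging statement with a "remove later" comment belongs in a local module (or `semanage permissive -a init_t` on the test box), and the unconfined_domain removal should only be posted once the other init daemons the comment admits are untested (systemd, upstart) have been tried.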
@@ -345,10 +367,6 @@ optional_policy(`
sssd_stream_connect(init_t)
')

-optional_policy(`
- unconfined_domain(init_t)
-')
-
########################################
#
# Init script local policy
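Review bot: dropping the optional_policy(`unconfined_domain(init_t)') block changes behaviour for every configuration that loads the unconfined module, including systemd ones that the commit message says are untested, while the subject line only claims sysvinit. Either keep the block and make confinement opt-in (a tunable or build option), or split the removal into its own patch whose commit message lists what was tested. Note also that, as posted, the removal and the `permissive init_t;` statement cancel each other out: nothing is actually confined yet.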


2016-12-27 22:38:46

by Mira Ressel

Subject: [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call

On Tue, 27 Dec 2016 23:16:46 +0100 (CET)
Guido Trentalancia via refpolicy <[email protected]> wrote:

> The aim of this patch is to start securing the init module so
> that it can run in confined mode instead of in the most unsafe
> unconfined mode.
>
> At the moment it has been fully tested only with sysvinit.
>
> Testing with other init daemons is needed before this is
> released, so a "permissive" statement has been added in
> order to log further needed permissions during this testing
> phase (with systemd, upstart, and so on).
>
> [...]
>
> +permissive init_t;

Please don't add that. Debugging statements such as this one should
only be added to local policies, not to refpol's master branch. This
statement would be a huge step backwards for everyone who isn't using
the 'unconfined' module.

Regards,
Luis

2016-12-27 22:54:58

by guido

Subject: [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call

Hello.

> On the 27th of December 2016 at 23.38 Luis Ressel <[email protected]> wrote:
>
>
> On Tue, 27 Dec 2016 23:16:46 +0100 (CET)
> Guido Trentalancia via refpolicy <[email protected]> wrote:
>
> > The aim of this patch is to start securing the init module so
> > that it can run in confined mode instead of in the most unsafe
> > unconfined mode.
> >
> > At the moment it has been fully tested only with sysvinit.
> >
> > Testing with other init daemons is needed before this is
> > released, so a "permissive" statement has been added in
> > order to log further needed permissions during this testing
> > phase (with systemd, upstart, and so on).
> >
> > [...]
> >
> > +permissive init_t;
>
> Please don't add that. Debugging statements such as this one should
> only be added to local policies, not to refpol's master branch. This
> statement would be a huge step backwards for everyone who isn't using
> the 'unconfined' module.

OK, that's fine. Consider that I have completed testing it with sysvinit, so I
don't really need to debug anything.

It comes from the following recent advice that has been posted (I was
not even aware of the existence of such statement):

http://oss.tresys.com/pipermail/refpolicy/2016-December/008835.html

but, if it is more likely to cause problems, then I can create a new patch
which just dumps the dangerous call to unconfined_domain() and that's
the end of the story.

At the end, there must be a way out of it!

Regards,

Guido
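
The workflow Guido describes above, running init_t permissive so that the kernel logs the accesses it would otherwise have denied and then turning those AVC records into policy, is what audit2allow automates. The following Python script is an added example, not code from refpolicy or from the patch author: it parses AVC records, merges them into allow rules, maps those that correspond to interfaces used in the patch, and flags `load_policy` as the permission a reviewer should question before granting it to pid 1. The log lines are constructed to resemble what a permissive init_t would produce, and the type and interface mappings beyond the two rules visible in the patch (policy_config_t, the mounton, getattr and load_policy entries) are assumptions to be checked against the .if files.

```python
"""Turn AVC denials collected under `permissive init_t;` into candidate rules.

Added example for this thread, not code from refpolicy or from the patch.
Entries marked ASSUMED are guesses at the matching refpolicy interface.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: what audit.log would hold with `permissive init_t;`.
# The last record has permissive=0, i.e. it was refused while enforcing.
SAMPLE_AVC = """\
type=AVC msg=audit(1482882000.101:7): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="proc" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
type=AVC msg=audit(1482882000.102:8): avc:  denied  { mounton } for  pid=1 comm="init" path="/proc" dev="sda1" ino=2 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_t tclass=dir permissive=1
type=AVC msg=audit(1482882000.103:9): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:sysfs_t tclass=filesystem permissive=1
type=AVC msg=audit(1482882000.104:10): avc:  denied  { load_policy } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security permissive=1
type=AVC msg=audit(1482882000.105:11): avc:  denied  { read open } for  pid=1 comm="init" path="/etc/selinux/refpolicy/policy/policy.30" dev="sda1" ino=4242 scontext=system_u:system_r:init_t tcontext=system_u:object_r:policy_config_t tclass=file permissive=1
type=AVC msg=audit(1482882000.106:12): avc:  denied  { getattr } for  pid=1 comm="init" name="/" dev="sda1" ino=2 scontext=system_u:system_r:init_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
"""

@dataclass(frozen=True)
class Denial:
    stype: str          # source (process) type
    ttype: str          # target (object) type
    tclass: str         # object class
    perms: frozenset    # permissions named inside { ... }
    permissive: bool    # True: kernel logged it but let the access through

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"   # { read open }
    r".*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?"            # absent on older kernels
)

def _type_of(context):
    """user:role:type[:range] -> type (the third field, with or without MLS)."""
    return context.split(":")[2]

def parse_avc(text):
    """Parse every AVC denial record in text; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append(Denial(
            stype=_type_of(m.group("scon")),
            ttype=_type_of(m.group("tcon")),
            tclass=m.group("tclass"),
            perms=frozenset(m.group("perms").split()),
            permissive=m.group("perm") == "1",   # missing field counts as enforced
        ))
    return denials

def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), audit2allow style."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.stype, d.ttype, d.tclass)] |= d.perms
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {s} {t}:{c} {plist};")
    return rules

# (target type, class, permission) -> refpolicy interface that grants it.
INTERFACE_HINTS = {
    ("proc_t", "filesystem", "mount"): "kernel_mount_proc",            # rule visible in the patch
    ("sysfs_t", "filesystem", "mount"): "dev_mount_sysfs",             # rule visible in the patch
    ("proc_t", "dir", "mounton"): "kernel_mounton_proc_dirs",          # ASSUMED
    ("fs_t", "filesystem", "getattr"): "fs_getattr_xattr_fs",          # ASSUMED
    ("security_t", "security", "load_policy"): "selinux_load_policy",  # ASSUMED
    ("policy_config_t", "file", "read"): "seutil_read_bin_policy",     # ASSUMED
}

# Permissions that hand the domain control over the policy itself.
HIGH_RISK = {("security", "load_policy"), ("security", "setenforce")}

def suggest_interfaces(denials):
    """Interface calls, e.g. kernel_mount_proc(init_t), that would cover the denials."""
    calls = set()
    for d in denials:
        for p in d.perms:
            iface = INTERFACE_HINTS.get((d.ttype, d.tclass, p))
            if iface:
                calls.add(f"{iface}({d.stype})")
    return sorted(calls)

def high_risk(denials):
    """Denials a reviewer should question rather than rubber-stamp."""
    return sorted(f"{d.stype} -> {d.ttype}:{d.tclass} {p}"
                  for d in denials for p in d.perms if (d.tclass, p) in HIGH_RISK)

def enforced(denials):
    """Records with permissive=0: the access was really refused, not just logged."""
    return [d for d in denials if not d.permissive]

if __name__ == "__main__":
    found = parse_avc(SAMPLE_AVC)
    print("\n".join(allow_rules(found)))
    print("interfaces:", ", ".join(suggest_interfaces(found)))
    print("review first:", high_risk(found))
    print("refused while enforcing:", len(enforced(found)))
```

Records with permissive=0 are genuine failures: with an enforcing init_t they would have stopped boot, which is why the script reports them separately from the accesses that permissive mode merely logged. The point of the high-risk list is the one this thread turns on: a merged rule set treats `security_t:security load_policy` like any other line, but for pid 1 it is the difference between a confined domain and one that can rewrite the policy confining it.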

2016-12-27 23:02:30

by Mira Ressel

Subject: [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call

On Tue, 27 Dec 2016 23:54:58 +0100 (CET)
Guido Trentalancia via refpolicy <[email protected]> wrote:

> Ok, that's fine. Consider, I have completed testing it with sysvinit,
> so I don't really need to debug anything.
>
> It comes from the following recent advice that has been posted (I was
> not even aware of the existence of such statement):
>
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008835.html
>

Neither was I; I had to look it up before answering your mail. :)

> but, if it is more likely to cause problems, then I can create a new
> patch which just dumps the dangerous call to unconfined_domain() and
> that's the end of the story.
>

Thanks!

> At the end, there must be a way out of it !

Yes. Personally, I never really cared about it because I don't use
'unconfined' anyway, but I definitely appreciate your effort to get rid
of it.

Regards,
Luis Ressel

2016-12-28 20:45:27

by guido

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

Originally the aim of this patch was to start securing the init
module so that it could run in confined mode instead of in the
most unsafe unconfined mode and therefore the patch was removing
the call to unconfined_domain().

However, the removal of the unconfined_domain() call has been
rejected on the basis of the fact that it can be avoided by not
loading the "unconfined" policy module (which unfortunately at
the moment, still gets added to the configuration file during
"make conf").

Currently, this second version of the patch no longer removes the
call to unconfined_domain() and it only adds permissions needed
by sysvinit (most notably the ability to load the policy during
the system boot).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 7 +++++++
3 files changed, 43 insertions(+)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`

########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`

########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };

+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)

+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)

+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)

term_use_all_terms(init_t)
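Review bot: v2 keeps the unconfined_domain(init_t) call, so with the unconfined module loaded every rule in this hunk is redundant (init_t is already unconfined), and without it selinux_load_policy(init_t) stands on its own as a grant that lets init replace the running policy. The commit message should say in which of those two configurations the denials were collected and quote the AVC records, otherwise a reviewer cannot tell whether init_t ever performs the load after policy is already in place.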

2016-12-30 19:24:24

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> Originally the aim of this patch was to start securing the init
> module so that it could run in confined mode instead of in the
> most unsafe unconfined mode and therefore the patch was removing
> the call to unconfined_domain().
>
> However, the removal of the unconfined_domain() call has been
> rejected on the basis of the fact that it can be avoided by not
> loading the "unconfined" policy module (which unfortunately at
> the moment, still gets added to the configuration file during
> "make conf").
>
> Currently, this second version of the patch no longer removes the
> call to unconfined_domain() and it only adds permissions needed
> by sysvinit (most notably the ability to load the policy during
> the system boot).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
> policy/modules/system/init.te | 7 +++++++
> 3 files changed, 43 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
> +++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>
> ########################################
> ## <summary>
> +## Mount a sysfs filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Associate a file to a sysfs filesystem.
> ## </summary>
> ## <param name="file_type">
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>
> ########################################
> ## <summary>
> +## Mount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Unmount the proc filesystem.
> ## </summary>
> ## <param name="domain">
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
> +++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> # Modify utmp.
> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>
> +kernel_mounton_proc_dirs(init_t)
> +kernel_mount_proc(init_t)
> kernel_read_system_state(init_t)
> kernel_share_state(init_t)
> kernel_dontaudit_search_unlabeled(init_t)
> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> +dev_mounton_sysfs(init_t)
> +dev_mount_sysfs(init_t)
> dev_read_sysfs(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> files_dontaudit_rw_root_files(init_t)
> files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> mls_process_write_all_levels(init_t)
> mls_fd_use_all_levels(init_t)
>
> +selinux_load_policy(init_t)
> +selinux_mount_fs(init_t)
> selinux_set_all_booleans(init_t)
>
> term_use_all_terms(init_t)

I'm not clear why this is necessary. Sysvinit should only be loading
the policy if it is not loaded yet, so these permissions should be unnecessary.

--
Chris PeBenito

2016-12-30 21:10:24

by guido

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> >
> > Originally the aim of this patch was to start securing the init
> > module so that it could run in confined mode instead of in the
> > most unsafe unconfined mode and therefore the patch was removing
> > the call to unconfined_domain().
> >
> > However, the removal of the unconfined_domain() call has been
> > rejected on the basis of the fact that it can be avoided by not
> > loading the "unconfined" policy module (which unfortunately at
> > the moment, still gets added to the configuration file during
> > "make conf").
> >
> > Currently, this second version of the patch no longer removes the
> > call to unconfined_domain() and it only adds permissions needed
> > by sysvinit (most notably the ability to load the policy during
> > the system boot).
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/kernel/devices.if |???18 ++++++++++++++++++
> > ?policy/modules/kernel/kernel.if??|???18 ++++++++++++++++++
> > ?policy/modules/system/init.te????|????7 +++++++
> > ?3 files changed, 43 insertions(+)
> >
> > diff -pru a/policy/modules/kernel/devices.if
> > b/policy/modules/kernel/devices.if
> > --- a/policy/modules/kernel/devices.if 2016-12-27
> > 22:41:00.650390161 +0100
> > +++ b/policy/modules/kernel/devices.if 2016-12-27
> > 22:50:19.301315139 +0100
> > @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
> >
> > ?########################################
> > ?## <summary>
> > +## Mount a sysfs filesystem.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dev_mount_sysfs',`
> > + gen_require(`
> > + type sysfs_t;
> > + ')
> > +
> > + allow $1 sysfs_t:filesystem mount;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Associate a file to a sysfs filesystem.
> > ?## </summary>
> > ?## <param name="file_type">
> > diff -pru a/policy/modules/kernel/kernel.if
> > b/policy/modules/kernel/kernel.if
> > --- a/policy/modules/kernel/kernel.if 2016-12-27
> > 22:41:00.652390190 +0100
> > +++ b/policy/modules/kernel/kernel.if 2016-12-27
> > 22:51:01.009904157 +0100
> > @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
> >
> > ?########################################
> > ?## <summary>
> > +## Mount the proc filesystem.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`kernel_mount_proc',`
> > + gen_require(`
> > + type proc_t;
> > + ')
> > +
> > + allow $1 proc_t:filesystem mount;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Unmount the proc filesystem.
> > ?## </summary>
> > ?## <param name="domain">
> > diff -pru a/policy/modules/system/init.te
> > b/policy/modules/system/init.te
> > --- a/policy/modules/system/init.te 2016-12-22
> > 23:12:47.784929729 +0100
> > +++ b/policy/modules/system/init.te 2016-12-27
> > 23:05:37.731451479 +0100
> > @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> > ?# Modify utmp.
> > ?allow init_t initrc_var_run_t:file { rw_file_perms setattr };
> >
> > +kernel_mounton_proc_dirs(init_t)
> > +kernel_mount_proc(init_t)
> > ?kernel_read_system_state(init_t)
> > ?kernel_share_state(init_t)
> > ?kernel_dontaudit_search_unlabeled(init_t)
> > @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> > ?corecmd_exec_chroot(init_t)
> > ?corecmd_exec_bin(init_t)
> >
> > +dev_mounton_sysfs(init_t)
> > +dev_mount_sysfs(init_t)
> > ?dev_read_sysfs(init_t)
> > ?# Early devtmpfs
> > ?dev_rw_generic_chr_files(init_t)
> > @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> > ?files_dontaudit_rw_root_files(init_t)
> > ?files_dontaudit_rw_root_chr_files(init_t)
> >
> > +fs_getattr_xattr_fs(init_t)
> > ?fs_list_inotifyfs(init_t)
> > ?# cjp: this may be related to /dev/log
> > ?fs_write_ramfs_sockets(init_t)
> > @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> > ?mls_process_write_all_levels(init_t)
> > ?mls_fd_use_all_levels(init_t)
> >
> > +selinux_load_policy(init_t)
> > +selinux_mount_fs(init_t)
> > ?selinux_set_all_booleans(init_t)
> >
> > ?term_use_all_terms(init_t)
>
> I'm not clear why this is necessary. Sysvinit should only be loading
> the policy if it is not loaded yet, so these permissions should be
> unnecessary.

The init daemon absolutely needs to load the SELinux policy!

Perhaps it is possible to get rid of the other similar permission in
the kernel module, but surely not here, otherwise the system won't boot!

Thanks.

Guido

2016-12-30 21:13:21

by Dac Override

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

On 12/30/2016 10:10 PM, Guido Trentalancia via refpolicy wrote:
> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>
>>> Originally the aim of this patch was to start securing the init
>>> module so that it could run in confined mode instead of in the
>>> most unsafe unconfined mode and therefore the patch was removing
>>> the call to unconfined_domain().
>>>
>>> However, the removal of the unconfined_domain() call has been
>>> rejected on the basis of the fact that it can be avoided by not
>>> loading the "unconfined" policy module (which unfortunately at
>>> the moment, still gets added to the configuration file during
>>> "make conf").
>>>
>>> Currently, this second version of the patch no longer removes the
>>> call to unconfined_domain() and it only adds permissions needed
>>> by sysvinit (most notably the ability to load the policy during
>>> the system boot).
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>> policy/modules/system/init.te | 7 +++++++
>>> 3 files changed, 43 insertions(+)
>>>
>>> diff -pru a/policy/modules/kernel/devices.if
>>> b/policy/modules/kernel/devices.if
>>> --- a/policy/modules/kernel/devices.if 2016-12-27
>>> 22:41:00.650390161 +0100
>>> +++ b/policy/modules/kernel/devices.if 2016-12-27
>>> 22:50:19.301315139 +0100
>>> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>>>
>>> ########################################
>>> ## <summary>
>>> +## Mount a sysfs filesystem.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`dev_mount_sysfs',`
>>> + gen_require(`
>>> + type sysfs_t;
>>> + ')
>>> +
>>> + allow $1 sysfs_t:filesystem mount;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> ## Associate a file to a sysfs filesystem.
>>> ## </summary>
>>> ## <param name="file_type">
>>> diff -pru a/policy/modules/kernel/kernel.if
>>> b/policy/modules/kernel/kernel.if
>>> --- a/policy/modules/kernel/kernel.if 2016-12-27
>>> 22:41:00.652390190 +0100
>>> +++ b/policy/modules/kernel/kernel.if 2016-12-27
>>> 22:51:01.009904157 +0100
>>> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>>>
>>> ########################################
>>> ## <summary>
>>> +## Mount the proc filesystem.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`kernel_mount_proc',`
>>> + gen_require(`
>>> + type proc_t;
>>> + ')
>>> +
>>> + allow $1 proc_t:filesystem mount;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> ## Unmount the proc filesystem.
>>> ## </summary>
>>> ## <param name="domain">
>>> diff -pru a/policy/modules/system/init.te
>>> b/policy/modules/system/init.te
>>> --- a/policy/modules/system/init.te 2016-12-22
>>> 23:12:47.784929729 +0100
>>> +++ b/policy/modules/system/init.te 2016-12-27
>>> 23:05:37.731451479 +0100
>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>> # Modify utmp.
>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>
>>> +kernel_mounton_proc_dirs(init_t)
>>> +kernel_mount_proc(init_t)
>>> kernel_read_system_state(init_t)
>>> kernel_share_state(init_t)
>>> kernel_dontaudit_search_unlabeled(init_t)
>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>> corecmd_exec_chroot(init_t)
>>> corecmd_exec_bin(init_t)
>>>
>>> +dev_mounton_sysfs(init_t)
>>> +dev_mount_sysfs(init_t)
>>> dev_read_sysfs(init_t)
>>> # Early devtmpfs
>>> dev_rw_generic_chr_files(init_t)
>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>> files_dontaudit_rw_root_files(init_t)
>>> files_dontaudit_rw_root_chr_files(init_t)
>>>
>>> +fs_getattr_xattr_fs(init_t)
>>> fs_list_inotifyfs(init_t)
>>> # cjp: this may be related to /dev/log
>>> fs_write_ramfs_sockets(init_t)
>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>> mls_process_write_all_levels(init_t)
>>> mls_fd_use_all_levels(init_t)
>>>
>>> +selinux_load_policy(init_t)
>>> +selinux_mount_fs(init_t)
>>> selinux_set_all_booleans(init_t)
>>>
>>> term_use_all_terms(init_t)
>>
>> I'm not clear why this is necessary. Sysvinit should only be loading
>> the policy if it is not loaded yet, so these permissions should be
>> unnecessary.
>
> The init daemon absolutely needs to load the SELinux policy!

why?

>
> Perhaps it is possible to get rid of the other similar permission in
> the kernel module, but surely not here, otherwise the system won't boot!
>
> Thanks.
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-31 17:42:32

by guido

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

Hello again.

On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
wrote:
> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
> >
> > On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> > >
> > >
> > > Originally the aim of this patch was to start securing the init
> > > module so that it could run in confined mode instead of in the
> > > most unsafe unconfined mode and therefore the patch was removing
> > > the call to unconfined_domain().
> > >
> > > However, the removal of the unconfined_domain() call has been
> > > rejected on the basis of the fact that it can be avoided by not
> > > loading the "unconfined" policy module (which unfortunately at
> > > the moment, still gets added to the configuration file during
> > > "make conf").
> > >
> > > Currently, this second version of the patch no longer removes the
> > > call to unconfined_domain() and it only adds permissions needed
> > > by sysvinit (most notably the ability to load the policy during
> > > the system boot).
> > >
> > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > ---
> > > ?policy/modules/kernel/devices.if |???18 ++++++++++++++++++
> > > ?policy/modules/kernel/kernel.if??|???18 ++++++++++++++++++
> > > ?policy/modules/system/init.te????|????7 +++++++
> > > ?3 files changed, 43 insertions(+)

[...]

> > > diff -pru a/policy/modules/system/init.te
> > > b/policy/modules/system/init.te
> > > --- a/policy/modules/system/init.te 2016-12-22
> > > 23:12:47.784929729 +0100
> > > +++ b/policy/modules/system/init.te 2016-12-27
> > > 23:05:37.731451479 +0100
> > > @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> > > ?# Modify utmp.
> > > ?allow init_t initrc_var_run_t:file { rw_file_perms setattr };
> > >
> > > +kernel_mounton_proc_dirs(init_t)
> > > +kernel_mount_proc(init_t)
> > > ?kernel_read_system_state(init_t)
> > > ?kernel_share_state(init_t)
> > > ?kernel_dontaudit_search_unlabeled(init_t)
> > > @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> > > ?corecmd_exec_chroot(init_t)
> > > ?corecmd_exec_bin(init_t)
> > >
> > > +dev_mounton_sysfs(init_t)
> > > +dev_mount_sysfs(init_t)
> > > ?dev_read_sysfs(init_t)
> > > ?# Early devtmpfs
> > > ?dev_rw_generic_chr_files(init_t)
> > > @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> > > ?files_dontaudit_rw_root_files(init_t)
> > > ?files_dontaudit_rw_root_chr_files(init_t)
> > >
> > > +fs_getattr_xattr_fs(init_t)
> > > ?fs_list_inotifyfs(init_t)
> > > ?# cjp: this may be related to /dev/log
> > > ?fs_write_ramfs_sockets(init_t)
> > > @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> > > ?mls_process_write_all_levels(init_t)
> > > ?mls_fd_use_all_levels(init_t)
> > >
> > > +selinux_load_policy(init_t)
> > > +selinux_mount_fs(init_t)
> > > ?selinux_set_all_booleans(init_t)
> > >
> > > ?term_use_all_terms(init_t)
> >
> > I'm not clear why this is necessary. Sysvinit should only be loading
> > the policy if it is not loaded yet, so these permissions should be
> > unnecessary.
>
> The init daemon absolutely needs to load the SELinux policy!
>
> Perhaps it is possible to get rid of the other similar permission in
> the kernel module, but surely not here, otherwise the system won't
> boot!

How about this patch?

The selinux_load_policy() permission is absolutely necessary for the
init_t domain, when using sysvinit.

Regards,

Guido

2016-12-31 19:52:09

by guido

Subject: [refpolicy] [PATCH v3] init: support sysvinit

Add permissions needed by sysvinit (most notably permissions to
read and load the SELinux policy).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 8 ++++++++
3 files changed, 44 insertions(+)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-31 20:22:50.106586282 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`

########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-31 20:22:50.157588150 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`

########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te 2016-12-31 20:24:06.184371379 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };

+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
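Review bot: neither new line at the top of this hunk says which boot step needs the init domain itself to mount proc, while the `# Modify utmp.` comment directly above shows this file's habit of annotating non-obvious grants; add a one-line comment naming the step that performs the mount, and consider listing `kernel_mount_proc(init_t)` ahead of `kernel_mounton_proc_dirs(init_t)` (mount before mounton), the same order question applying to the `dev_mounton_sysfs` / `dev_mount_sysfs` pair two hunks below.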
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)

+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)

+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)

term_use_all_terms(init_t)
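Review bot: `selinux_load_policy(init_t)` at the top of this hunk grants the running init domain the right to replace the loaded policy, which defeats the confinement the series set out to achieve, and the objection raised in the thread applies to it directly: the initial load by sysvinit happens before any policy is loaded, so no rule on init_t can be what makes that load succeed. If a `load_policy` denial from init_t was actually observed, quote it in the commit message; it would indicate a second load attempt after the first one succeeded, and the fix belongs with whatever made init believe SELinux was disabled, not with this grant. The same question applies to `selinux_mount_fs(init_t)` directly below it.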
@@ -186,6 +193,7 @@ libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)

+seutil_read_bin_policy(init_t)
seutil_read_config(init_t)

miscfiles_read_localization(init_t)

2017-01-02 00:04:39

by guido

Subject: [refpolicy] [PATCH v4] init: support sysvinit

Add permissions needed by sysvinit (most notably permissions to
read and load the SELinux policy when not using the initramfs).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 14 ++++++++++++++
3 files changed, 50 insertions(+)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2017-01-02 00:53:06.394093456 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`

########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2017-01-02 00:53:06.411094078 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`

########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te 2017-01-02 01:00:14.377761326 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };

+kernel_mount_proc(init_t)
+kernel_mounton_proc_dirs(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

+dev_mount_sysfs(init_t)
+dev_mounton_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)

+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
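Review bot: `fs_getattr_xattr_fs(init_t)` is the only new line in this version without a comment saying which call needs it, while the selinux and seutil grants later in the patch each get one; give it the same treatment (which filesystem is being statfs'd, and by what step of sysvinit) so the grant can be re-evaluated later.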
@@ -174,6 +179,13 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)

+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again
+selinux_get_fs_mount(init_t)
+# the following one is needed for sysvinit without initramfs
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)

term_use_all_terms(init_t)
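Review bot: the comment above `selinux_get_fs_mount(init_t)` explains that grant well, but the comment `# the following one is needed for sysvinit without initramfs` on `selinux_load_policy(init_t)` does not hold up: without an initramfs no policy is loaded when sysvinit performs the initial load, so the process is still in kernel_t rather than init_t and this rule cannot be exercised; once policy is loaded, a `load_policy` denial from init_t is the retry your own comment describes (is_selinux_enabled() failing), which `selinux_get_fs_mount` already addresses. Drop `selinux_load_policy(init_t)` and `selinux_mount_fs(init_t)` and keep the get_fs_mount fix.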
@@ -186,6 +198,8 @@ libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)

+# the following one is needed for sysvinit without initramfs
+seutil_read_bin_policy(init_t)
seutil_read_config(init_t)

miscfiles_read_localization(init_t)
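Review bot: `seutil_read_bin_policy(init_t)` carries the same `# the following one is needed for sysvinit without initramfs` justification and has the same problem: reading the binary policy file is only needed by whichever domain performs the load, and without an initramfs that load happens before init_t exists. If it is kept, the commit message should cite the denial that motivated it.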

2017-01-02 17:55:07

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
> wrote:
>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>
>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>
>>>>
>>>> Originally the aim of this patch was to start securing the init
>>>> module so that it could run in confined mode instead of in the
>>>> most unsafe unconfined mode and therefore the patch was removing
>>>> the call to unconfined_domain().
>>>>
>>>> However, the removal of the unconfined_domain() call has been
>>>> rejected on the basis of the fact that it can be avoided by not
>>>> loading the "unconfined" policy module (which unfortunately at
>>>> the moment, still gets added to the configuration file during
>>>> "make conf").
>>>>
>>>> Currently, this second version of the patch no longer removes the
>>>> call to unconfined_domain() and it only adds permissions needed
>>>> by sysvinit (most notably the ability to load the policy during
>>>> the system boot).
>>>>
>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>> ---
>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>> policy/modules/system/init.te | 7 +++++++
>>>> 3 files changed, 43 insertions(+)
>
> [...]
>
>>>> diff -pru a/policy/modules/system/init.te
>>>> b/policy/modules/system/init.te
>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>> 23:12:47.784929729 +0100
>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>> 23:05:37.731451479 +0100
>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>> # Modify utmp.
>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>
>>>> +kernel_mounton_proc_dirs(init_t)
>>>> +kernel_mount_proc(init_t)
>>>> kernel_read_system_state(init_t)
>>>> kernel_share_state(init_t)
>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>> corecmd_exec_chroot(init_t)
>>>> corecmd_exec_bin(init_t)
>>>>
>>>> +dev_mounton_sysfs(init_t)
>>>> +dev_mount_sysfs(init_t)
>>>> dev_read_sysfs(init_t)
>>>> # Early devtmpfs
>>>> dev_rw_generic_chr_files(init_t)
>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>> files_dontaudit_rw_root_files(init_t)
>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>
>>>> +fs_getattr_xattr_fs(init_t)
>>>> fs_list_inotifyfs(init_t)
>>>> # cjp: this may be related to /dev/log
>>>> fs_write_ramfs_sockets(init_t)
>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>> mls_process_write_all_levels(init_t)
>>>> mls_fd_use_all_levels(init_t)
>>>>
>>>> +selinux_load_policy(init_t)
>>>> +selinux_mount_fs(init_t)
>>>> selinux_set_all_booleans(init_t)
>>>>
>>>> term_use_all_terms(init_t)
>>>
>>> I'm not clear why this is necessary. Sysvinit should only be
>>> loading
>>> the policy if is not loaded yet, so these permissions should be
>>> unnecessary.
>>
>> The init daemon absolutely needs to load the SELinux policy !
>>
>> Perhaps, it is possible to get rid of the other similar permission in
>> the kernel module, but surely not here, otherwise the system won't
>> boot
>> !
>
> How about this patch ?
>
> The selinux_load_policy() permission is absolutely necessary for the
> init_t domain, when using sysvinit.

I still run sysvinit systems. It isn't.


--
Chris PeBenito

2017-01-02 18:05:17

by guido

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

On systems using sysvinit and not using initramfs, the init daemon from sysvinit needs to load the policy or it aborts the system initialization!

The call to selinux_init_load_policy is in the latest sysvinit source code at src/init.c.

Regards,

Guido

On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <[email protected]> wrote:
>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>> Hello again.
>>
>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>
>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>>
>>>>> Originally the aim of this patch was to start securing the init
>>>>> module so that it could run in confined mode instead of in the
>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>> the call to unconfined_domain().
>>>>>
>>>>> However, the removal of the unconfined_domain() call has been
>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>> the moment, still gets added to the configuration file during
>>>>> "make conf").
>>>>>
>>>>> Currently, this second version of the patch no longer removes the
>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>> by sysvinit (most notably the ability to load the policy during
>>>>> the system boot).
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>> ---
>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>> policy/modules/system/init.te | 7 +++++++
>>>>> 3 files changed, 43 insertions(+)
>>
>> [...]
>>
>>>>> diff -pru a/policy/modules/system/init.te
>>>>> b/policy/modules/system/init.te
>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>> 23:12:47.784929729 +0100
>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>> 23:05:37.731451479 +0100
>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>> # Modify utmp.
>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>
>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>> +kernel_mount_proc(init_t)
>>>>> kernel_read_system_state(init_t)
>>>>> kernel_share_state(init_t)
>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>> corecmd_exec_chroot(init_t)
>>>>> corecmd_exec_bin(init_t)
>>>>>
>>>>> +dev_mounton_sysfs(init_t)
>>>>> +dev_mount_sysfs(init_t)
>>>>> dev_read_sysfs(init_t)
>>>>> # Early devtmpfs
>>>>> dev_rw_generic_chr_files(init_t)
>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>> files_dontaudit_rw_root_files(init_t)
>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>
>>>>> +fs_getattr_xattr_fs(init_t)
>>>>> fs_list_inotifyfs(init_t)
>>>>> # cjp: this may be related to /dev/log
>>>>> fs_write_ramfs_sockets(init_t)
>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>> mls_process_write_all_levels(init_t)
>>>>> mls_fd_use_all_levels(init_t)
>>>>>
>>>>> +selinux_load_policy(init_t)
>>>>> +selinux_mount_fs(init_t)
>>>>> selinux_set_all_booleans(init_t)
>>>>>
>>>>> term_use_all_terms(init_t)
>>>>
>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>> loading
>>>> the policy if is not loaded yet, so these permissions should be
>>>> unnecessary.
>>>
>>> The init daemon absolutely needs to load the SELinux policy !
>>>
>>> Perhaps, it is possible to get rid of the other similar permission
>in
>>> the kernel module, but surely not here, otherwise the system won't
>>> boot
>>> !
>>
>> How about this patch ?
>>
>> The selinux_load_policy() permission is absolutely necessary for the
>> init_t domain, when using sysvinit.
>
>I still run sysvinit systems. It isn't.

2017-01-02 18:13:17

by Jason Zaman

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

On 3 Jan 2017 2:06 am, "Guido Trentalancia via refpolicy" <
[email protected]> wrote:

On systems using sysvinit and not using initramfs, the init daemon from
sysvinit needs to load the policy or it aborts the system initialization!

The call to selinux_init_load_policy is in the latest sysvinit source code
at src/init.c.


All my machines use sysvinit. And none of the initramfs' have anything
SELinux related. Sysvinit loads the policy for me and it all works fine.

If sysvinit is loading the policy because it isn't in the initramfs then by
definition there is no policy yet at all so how can this rule make any
difference at all?

This rule is absolutely not required on sysvinit systems I'm not sure why
you need it but you're gonna have to give us more info if you want help
figuring out why.

-- Jason

Regards,

Guido

On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <[email protected]>
wrote:
>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>> Hello again.
>>
>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>
>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>>
>>>>> Originally the aim of this patch was to start securing the init
>>>>> module so that it could run in confined mode instead of in the
>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>> the call to unconfined_domain().
>>>>>
>>>>> However, the removal of the unconfined_domain() call has been
>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>> the moment, still gets added to the configuration file during
>>>>> "make conf").
>>>>>
>>>>> Currently, this second version of the patch no longer removes the
>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>> by sysvinit (most notably the ability to load the policy during
>>>>> the system boot).
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>> ---
>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>> policy/modules/system/init.te | 7 +++++++
>>>>> 3 files changed, 43 insertions(+)
>>
>> [...]
>>
>>>>> diff -pru a/policy/modules/system/init.te
>>>>> b/policy/modules/system/init.te
>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>> 23:12:47.784929729 +0100
>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>> 23:05:37.731451479 +0100
>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>> # Modify utmp.
>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>
>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>> +kernel_mount_proc(init_t)
>>>>> kernel_read_system_state(init_t)
>>>>> kernel_share_state(init_t)
>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>> corecmd_exec_chroot(init_t)
>>>>> corecmd_exec_bin(init_t)
>>>>>
>>>>> +dev_mounton_sysfs(init_t)
>>>>> +dev_mount_sysfs(init_t)
>>>>> dev_read_sysfs(init_t)
>>>>> # Early devtmpfs
>>>>> dev_rw_generic_chr_files(init_t)
>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>> files_dontaudit_rw_root_files(init_t)
>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>
>>>>> +fs_getattr_xattr_fs(init_t)
>>>>> fs_list_inotifyfs(init_t)
>>>>> # cjp: this may be related to /dev/log
>>>>> fs_write_ramfs_sockets(init_t)
>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>> mls_process_write_all_levels(init_t)
>>>>> mls_fd_use_all_levels(init_t)
>>>>>
>>>>> +selinux_load_policy(init_t)
>>>>> +selinux_mount_fs(init_t)
>>>>> selinux_set_all_booleans(init_t)
>>>>>
>>>>> term_use_all_terms(init_t)
>>>>
>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>> loading
>>>> the policy if is not loaded yet, so these permissions should be
>>>> unnecessary.
>>>
>>> The init daemon absolutely needs to load the SELinux policy !
>>>
>>> Perhaps, it is possible to get rid of the other similar permission
>in
>>> the kernel module, but surely not here, otherwise the system won't
>>> boot
>>> !
>>
>> How about this patch ?
>>
>> The selinux_load_policy() permission is absolutely necessary for the
>> init_t domain, when using sysvinit.
>
>I still run sysvinit systems. It isn't.


2017-01-02 18:19:22

by Dac Override

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

On 01/02/2017 07:05 PM, Guido Trentalancia via refpolicy wrote:
> On systems using sysvinit and not using initramfs, the init daemon from sysvinit needs to load the policy or it aborts the system initialization!

How does that work? The policy is obviously already loaded because else
you would not need this permission. So it is "re-loading" the policy?

Allowing init to load_policy is not a good idea IMHO

>
> The call to selinux_init_load_policy is in the latest sysvinit source code at src/init.c.
>
> Regards,
>
> Guido
>
> On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <[email protected]> wrote:
>> On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>> Hello again.
>>>
>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>> wrote:
>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>
>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>>
>>>>>> Originally the aim of this patch was to start securing the init
>>>>>> module so that it could run in confined mode instead of in the
>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>> the call to unconfined_domain().
>>>>>>
>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>> the moment, still gets added to the configuration file during
>>>>>> "make conf").
>>>>>>
>>>>>> Currently, this second version of the patch no longer removes the
>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>> the system boot).
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>> ---
>>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>>> policy/modules/system/init.te | 7 +++++++
>>>>>> 3 files changed, 43 insertions(+)
>>>
>>> [...]
>>>
>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>> b/policy/modules/system/init.te
>>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>>> 23:12:47.784929729 +0100
>>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>>> 23:05:37.731451479 +0100
>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>> # Modify utmp.
>>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>
>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>> +kernel_mount_proc(init_t)
>>>>>> kernel_read_system_state(init_t)
>>>>>> kernel_share_state(init_t)
>>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>> corecmd_exec_chroot(init_t)
>>>>>> corecmd_exec_bin(init_t)
>>>>>>
>>>>>> +dev_mounton_sysfs(init_t)
>>>>>> +dev_mount_sysfs(init_t)
>>>>>> dev_read_sysfs(init_t)
>>>>>> # Early devtmpfs
>>>>>> dev_rw_generic_chr_files(init_t)
>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>> files_dontaudit_rw_root_files(init_t)
>>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>>
>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>> fs_list_inotifyfs(init_t)
>>>>>> # cjp: this may be related to /dev/log
>>>>>> fs_write_ramfs_sockets(init_t)
>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>> mls_process_write_all_levels(init_t)
>>>>>> mls_fd_use_all_levels(init_t)
>>>>>>
>>>>>> +selinux_load_policy(init_t)
>>>>>> +selinux_mount_fs(init_t)
>>>>>> selinux_set_all_booleans(init_t)
>>>>>>
>>>>>> term_use_all_terms(init_t)
>>>>>
>>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>>> loading
>>>>> the policy if is not loaded yet, so these permissions should be
>>>>> unnecessary.
>>>>
>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>
>>>> Perhaps, it is possible to get rid of the other similar permission
>> in
>>>> the kernel module, but surely not here, otherwise the system won't
>>>> boot
>>>> !
>>>
>>> How about this patch ?
>>>
>>> The selinux_load_policy() permission is absolutely necessary for the
>>> init_t domain, when using sysvinit.
>>
>> I still run sysvinit systems. It isn't.
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2017-01-02 18:19:31

by guido

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

Hello!

I think you and Christopher are right, because on systems not using initramfs, when sysvinit loads the policy it is still running as kernel_t and has not transitioned yet to init_t.
However, in such scenario I suspect the kernel module needs selinux_get_fs_mount so that sysvinit can check if selinux is enabled as in a popular patch that circulated after version 2.88dsf.

Regards,

Guido

On the 02nd of January 2017 19:13:17 CET, Jason Zaman <[email protected]> wrote:
>On 3 Jan 2017 2:06 am, "Guido Trentalancia via refpolicy" <
>refpolicy at oss.tresys.com> wrote:
>
>On systems using sysvinit and not using initramfs, the init daemon from
>sysvinit needs to load the policy or it aborts the system
>initialization!
>
>The call to selinux_init_load_policy is in the latest sysvinit source
>code
>at src/init.c.
>
>
>All my machines use sysvinit. And none of the initramfs' have anything
>SELinux related. Sysvinit loads the policy for me and it all works
>fine.
>
>If sysvinit is loading the policy because it isn't in the initramfs
>then by
>definition there is no policy yet at all so how can this rule make any
>difference at all?
>
>This rule is absolutely not required on sysvinit systems I'm not sure
>why
>you need it but you're gonna have to give us more info if you want help
>figuring out why.
>
>-- Jason
>
>Regards,
>
>Guido
>
>On the 02nd of January 2017 18:55:07 CET, Chris PeBenito
><[email protected]>
>wrote:
>>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>> Hello again.
>>>
>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>> wrote:
>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>
>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>>
>>>>>> Originally the aim of this patch was to start securing the init
>>>>>> module so that it could run in confined mode instead of in the
>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>> the call to unconfined_domain().
>>>>>>
>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>> the moment, still gets added to the configuration file during
>>>>>> "make conf").
>>>>>>
>>>>>> Currently, this second version of the patch no longer removes the
>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>> the system boot).
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>> ---
>>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>>> policy/modules/system/init.te | 7 +++++++
>>>>>> 3 files changed, 43 insertions(+)
>>>
>>> [...]
>>>
>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>> b/policy/modules/system/init.te
>>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>>> 23:12:47.784929729 +0100
>>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>>> 23:05:37.731451479 +0100
>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>> # Modify utmp.
>>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>
>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>> +kernel_mount_proc(init_t)
>>>>>> kernel_read_system_state(init_t)
>>>>>> kernel_share_state(init_t)
>>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>> corecmd_exec_chroot(init_t)
>>>>>> corecmd_exec_bin(init_t)
>>>>>>
>>>>>> +dev_mounton_sysfs(init_t)
>>>>>> +dev_mount_sysfs(init_t)
>>>>>> dev_read_sysfs(init_t)
>>>>>> # Early devtmpfs
>>>>>> dev_rw_generic_chr_files(init_t)
>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>> files_dontaudit_rw_root_files(init_t)
>>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>>
>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>> fs_list_inotifyfs(init_t)
>>>>>> # cjp: this may be related to /dev/log
>>>>>> fs_write_ramfs_sockets(init_t)
>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>> mls_process_write_all_levels(init_t)
>>>>>> mls_fd_use_all_levels(init_t)
>>>>>>
>>>>>> +selinux_load_policy(init_t)
>>>>>> +selinux_mount_fs(init_t)
>>>>>> selinux_set_all_booleans(init_t)
>>>>>>
>>>>>> term_use_all_terms(init_t)
>>>>>
>>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>>> loading
>>>>> the policy if is not loaded yet, so these permissions should be
>>>>> unnecessary.
>>>>
>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>
>>>> Perhaps, it is possible to get rid of the other similar permission
>>in
>>>> the kernel module, but surely not here, otherwise the system won't
>>>> boot
>>>> !
>>>
>>> How about this patch ?
>>>
>>> The selinux_load_policy() permission is absolutely necessary for the
>>> init_t domain, when using sysvinit.
>>
>>I still run sysvinit systems. It isn't.
>
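Jason's request above for more information, and Guido's point that the initial load happens in kernel_t before any transition to init_t, both come down to reading the AVC denials that actually appear. As an added example (not code from the thread or from refpolicy), here is a Python triage script over constructed audit lines: it groups denials by source domain, maps the proc and sysfs `filesystem mount` denials to the two interfaces the patch introduces, and flags a `load_policy` denial that follows a denied getattr on selinuxfs as the retry the v5 commit message describes rather than as a permission to grant. The mapping table and the symptom rule are assumptions drawn from this thread, not a libselinux or refpolicy API.

```python
"""Triage SELinux AVC denials by source domain before turning them into policy.

Added example for this thread; not code from refpolicy or from any poster.
"""
import re
from collections import defaultdict

# Constructed sample in kernel audit format (not real captures from the thread).
# It models the v5 explanation: init_t cannot statfs selinuxfs, so
# is_selinux_enabled() reports "disabled" and sysvinit attempts a second
# policy load, which is then denied.
SAMPLE_AVC = """\
type=AVC msg=audit(1483380000.101:3): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="proc" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1483380000.102:4): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1483380000.205:7): avc:  denied  { getattr } for  pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1483380000.206:8): avc:  denied  { load_policy } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Interfaces whose bodies are visible in the patch above: each is exactly
# "allow $1 <type>:filesystem mount", so these denials map to them one-to-one.
# Assumption: no other interface in the patch is mapped here.
KNOWN_INTERFACES = {
    ("proc_t", "filesystem", "mount"): "kernel_mount_proc",
    ("sysfs_t", "filesystem", "mount"): "dev_mount_sysfs",
}


def type_of(context):
    """Third field of an SELinux context is the type (e.g. init_t, proc_t)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return (source_domain, target_type, tclass, permission) per denied permission."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            denials.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                            m.group("tclass"), perm))
    return denials


def load_policy_is_symptom(denials):
    """True when a load_policy denial from a domain follows that same domain being
    denied getattr on the selinuxfs (security_t:filesystem): the retry described in
    the v5 commit message, not a need for selinux_load_policy()."""
    failed_statfs = set()
    for src, tgt, cls, perm in denials:
        if tgt == "security_t" and cls == "filesystem" and perm == "getattr":
            failed_statfs.add(src)
        elif cls == "security" and perm == "load_policy" and src in failed_statfs:
            return True
    return False


def triage(denials):
    """Group denials by source domain: an interface call, or a note on what to check."""
    report = defaultdict(list)
    for src, tgt, cls, perm in denials:
        iface = KNOWN_INTERFACES.get((tgt, cls, perm))
        if iface:
            report[src].append(f"{iface}({src})")
        elif cls == "security" and perm == "load_policy":
            report[src].append("INVESTIGATE load_policy: a running domain asking to "
                               "(re)load policy; find out why it thinks SELinux is off")
        else:
            report[src].append(f"lookup {tgt}:{cls} {perm} in the .if files")
    return dict(report)


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    for domain, entries in triage(parsed).items():
        print(domain)
        for entry in entries:
            print("   ", entry)
    print("load_policy is a symptom of the failed selinuxfs statfs:",
          load_policy_is_symptom(parsed))
```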

2017-01-02 18:26:21

by guido

Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")

On systems using initramfs and sysvinit that is a bug in refpolicy due to the missing selinux_get_fs_mount(init_t).

Regards,

Guido

On the 02nd of January 2017 19:19:22 CET, Dominick Grift via refpolicy <[email protected]> wrote:
>On 01/02/2017 07:05 PM, Guido Trentalancia via refpolicy wrote:
>> On systems using sysvinit and not using initramfs, the init daemon
>from sysvinit needs to load the policy or it aborts the system
>initialization!
>
>How does that work? The policy is obviously already loaded because else
>you would not need this permission. So it is "re-loading" the policy?
>
>Allowing init to load_policy is not a good idea IMHO
>
>>
>> The call to selinux_init_load_policy is in the latest sysvinit source
>code at src/init.c.
>>
>> Regards,
>>
>> Guido
>>
>> On the 02nd of January 2017 18:55:07 CET, Chris PeBenito
><[email protected]> wrote:
>>> On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>>> Hello again.
>>>>
>>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>>> wrote:
>>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>>
>>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>>
>>>>>>>
>>>>>>> Originally the aim of this patch was to start securing the init
>>>>>>> module so that it could run in confined mode instead of in the
>>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>>> the call to unconfined_domain().
>>>>>>>
>>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>>> the moment, still gets added to the configuration file during
>>>>>>> "make conf").
>>>>>>>
>>>>>>> Currently, this second version of the patch no longer removes
>the
>>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>>> the system boot).
>>>>>>>
>>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>>> ---
>>>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>>>> policy/modules/system/init.te | 7 +++++++
>>>>>>> 3 files changed, 43 insertions(+)
>>>>
>>>> [...]
>>>>
>>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>>> b/policy/modules/system/init.te
>>>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>>>> 23:12:47.784929729 +0100
>>>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>>>> 23:05:37.731451479 +0100
>>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>>> # Modify utmp.
>>>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>>
>>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>>> +kernel_mount_proc(init_t)
>>>>>>> kernel_read_system_state(init_t)
>>>>>>> kernel_share_state(init_t)
>>>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>>> corecmd_exec_chroot(init_t)
>>>>>>> corecmd_exec_bin(init_t)
>>>>>>>
>>>>>>> +dev_mounton_sysfs(init_t)
>>>>>>> +dev_mount_sysfs(init_t)
>>>>>>> dev_read_sysfs(init_t)
>>>>>>> # Early devtmpfs
>>>>>>> dev_rw_generic_chr_files(init_t)
>>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>>> files_dontaudit_rw_root_files(init_t)
>>>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>>>
>>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>>> fs_list_inotifyfs(init_t)
>>>>>>> # cjp: this may be related to /dev/log
>>>>>>> fs_write_ramfs_sockets(init_t)
>>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>>> mls_process_write_all_levels(init_t)
>>>>>>> mls_fd_use_all_levels(init_t)
>>>>>>>
>>>>>>> +selinux_load_policy(init_t)
>>>>>>> +selinux_mount_fs(init_t)
>>>>>>> selinux_set_all_booleans(init_t)
>>>>>>>
>>>>>>> term_use_all_terms(init_t)
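Review bot: selinux_load_policy(init_t) and selinux_mount_fs(init_t) let init_t replace the loaded policy and mount selinuxfs, which undoes much of the point of confining init_t; as the reply below notes, on a system that has already loaded the policy from the initramfs, sysvinit should not need to load it again. The v5 patch later in this thread identifies the real cause: without selinux_get_fs_mount(), is_selinux_enabled() fails and sysvinit retries the initial policy load. The fix is that getattr permission, not load_policy, so these two lines should be dropped until a denial that genuinely requires them is shown.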
>>>>>>
>>>>>> I'm not clear why this is necessary. Sysvinit should only be loading
>>>>>> the policy if it is not loaded yet, so these permissions should be
>>>>>> unnecessary.
>>>>>
>>>>> The init daemon absolutely needs to load the SELinux policy!
>>>>>
>>>>> Perhaps, it is possible to get rid of the other similar permission in
>>>>> the kernel module, but surely not here, otherwise the system won't
>>>>> boot!
>>>>
>>>> How about this patch?
>>>>
>>>> The selinux_load_policy() permission is absolutely necessary for the
>>>> init_t domain, when using sysvinit.
>>>
>>> I still run sysvinit systems. It isn't.
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>

2017-01-02 21:11:32

by guido

[permalink] [raw]
Subject: [refpolicy] [PATCH v5] init: support sysvinit

Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.

Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)

diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te 2017-01-02 21:08:19.963436591 +0100
@@ -162,6 +162,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)

+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
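Review bot: fs_getattr_xattr_fs(init_t) is not mentioned in the commit message, which describes only the selinux_get_fs_mount() addition, yet it is one of the 5 insertions this patch counts. Either the message should say why init_t needs getattr on the root filesystem, or this line should go in its own patch; a comment above it, like the one given to selinux_get_fs_mount below, would also help.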
@@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)

+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again when using the initramfs
+selinux_get_fs_mount(init_t)
selinux_set_all_booleans(init_t)

term_use_all_terms(init_t)
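Review bot: the comment on selinux_get_fs_mount(init_t) describes the symptom (sysvinit reloads the policy) rather than the denied access. Recording the actual AVC that this interface resolves (object class and permission on selinuxfs) would let a later reader confirm it is the narrowest interface available, and "the following one" should name the interface so the comment survives reordering, e.g. "# selinux_get_fs_mount() is needed for libselinux is_selinux_enabled(); ...".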

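The v5 message above shows the trap in collecting permissions from a permissive-mode run: the denial that looks like a need for load_policy is only a symptom of is_selinux_enabled() failing, and the permission actually missing is the one selinux_get_fs_mount() supplies. The following triage script is an added example for this thread, not code from refpolicy or sysvinit. It parses AVC records into the (source type, target type, class, permissions) shape of an allow rule, as audit2allow does, and separates routine permissions from ones that alter the system's security state and must be reviewed before being granted. The audit lines are constructed, and the REVIEW_REQUIRED set is this example's own selection, not a refpolicy list.

```python
"""Triage SELinux AVC denials captured while a domain runs permissive.

Added example for this discussion; not code from refpolicy or sysvinit.
The audit records below are constructed to resemble what a sysvinit
init_t boot might log, not copied from a real system.
"""
import re
from collections import defaultdict

# Constructed sample audit records (pid/comm/dev/ino values are illustrative).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1483395000.101:12): avc:  denied  { getattr } for  pid=1 comm="init" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1483395000.102:13): avc:  denied  { getattr } for  pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1483395000.250:14): avc:  denied  { load_policy } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
type=AVC msg=audit(1483395000.251:15): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="proc" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=SYSCALL msg=audit(1483395000.251:15): arch=c000003e syscall=165 success=yes exit=0
"""

# Matches the permission set and the three fields that identify an allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# (tclass, permission) pairs that change the security state of the whole
# system.  A permissive run logs them whenever the program *attempts* the
# operation, which is not evidence that the program needs them; this set is
# the example's own choice, not a refpolicy definition.
REVIEW_REQUIRED = {
    ("security", "load_policy"),
    ("security", "setenforce"),
    ("security", "setbool"),
    ("filesystem", "mount"),
    ("capability", "sys_admin"),
    ("capability", "sys_module"),
}


def type_of(context):
    """system_u:system_r:init_t:s0 -> init_t (the type is the third field)."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Yield (source_type, target_type, tclass, perm) for every denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no denial of their own
        for perm in m.group("perms").split():
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), perm)


def collect_rules(log_text):
    """Fold denials into {(src, tgt, tclass): set(perms)}, one entry per allow rule."""
    rules = defaultdict(set)
    for src, tgt, tclass, perm in parse_avc(log_text):
        rules[(src, tgt, tclass)].add(perm)
    return rules


def split_by_risk(rules):
    """Return (routine, review): raw allow rules as strings.

    A rule lands in 'review' if any of its permissions is in REVIEW_REQUIRED.
    """
    routine, review = [], []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        text = "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))
        flagged = any((tclass, p) in REVIEW_REQUIRED for p in perms)
        (review if flagged else routine).append(text)
    return routine, review


if __name__ == "__main__":
    routine, review = split_by_risk(collect_rules(SAMPLE_AUDIT))
    print("# routine: map each to the narrowest refpolicy interface")
    print("\n".join(routine))
    print("# review before granting: high-impact permissions")
    print("\n".join(review))
```

Run against the constructed log, the two getattr rules (fs_t and security_t filesystems, which correspond to what fs_getattr_xattr_fs() and selinux_get_fs_mount() provide) come out as routine, while the load_policy and proc mount rules are held back for review. That is the triage the thread arrives at by hand: grant the getattr first, then re-run, and the load_policy denial disappears because is_selinux_enabled() now succeeds and sysvinit no longer retries the load.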
2017-01-04 00:36:19

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v5] init: support sysvinit

On 01/02/17 16:11, Guido Trentalancia via refpolicy wrote:
> Add a permission needed for the correct functioning of sysvinit
> on systems using the initramfs.
>
> Without the selinux_get_fs_mount() interface call, the call to
> libselinux:is_selinux_enabled() fails and sysvinit tries to do
> the initial policy load again.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/init.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
> +++ b/policy/modules/system/init.te 2017-01-02 21:08:19.963436591 +0100
> @@ -162,6 +162,7 @@ files_exec_etc_files(init_t)
> files_dontaudit_rw_root_files(init_t)
> files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
> @@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t)
> mls_process_write_all_levels(init_t)
> mls_fd_use_all_levels(init_t)
>
> +# the following one is needed for libselinux:is_selinux_enabled()
> +# otherwise the call fails and sysvinit tries to load the policy
> +# again when using the initramfs
> +selinux_get_fs_mount(init_t)
> selinux_set_all_booleans(init_t)
>
> term_use_all_terms(init_t)

Merged.

--
Chris PeBenito