2017-04-19 11:00:59

by Russell Coker

Subject: [refpolicy] [PATCH] second strict patch

This is the rest of my policy that was developed on "strict" systems. It also
has no inter-dependencies with other patches. I included the interface
xdm_sigchld() in this patch as well so it can be applied on its own, this
means that it conflicts with the login patch.

Chris, maybe even if you don't apply this patch or the login patch in the
near future you could add the xdm_sigchld() interface so that both patches
can be complete and working and not conflict.

Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if
+++ refpolicy-2.20170419/policy/modules/contrib/gnome.if
@@ -76,6 +76,8 @@ template(`gnome_role_template',`

allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+ allow $3 gconfd_t:dbus send_msg;
+ allow gconfd_t $3:dbus send_msg;
userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")

Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
@@ -324,6 +324,7 @@ ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
')

ifdef(`distro_gentoo', `
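Review bot: The new Debian entry labels every regular file under /usr/share/bug as bin_t, not only the per-package bug scripts, so any plain-text metadata shipped in that tree also becomes executable content for every domain allowed to run bin_t. If only the scripts need the label, a narrower regex would limit the grant; if the whole tree is intended, a comment above the line naming the consumer would save the next reader the question, e.g. `# Debian per-package bug scripts (presumably run by the bug reporting tool)`.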
Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170419/policy/modules/kernel/devices.if
@@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`

typeattribute $1 devices_unconfined_type;
')
+
+########################################
+## <summary>
+## Create subdir of /dev
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_subdir',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir { add_entry_dir_perms create };
+ allow $1 device_t:dir search_dir_perms;
+')
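Review bot: dev_create_subdir appears to duplicate dev_create_generic_dirs, which this same patch already calls for init_t at L356, and its second rule `allow $1 device_t:dir search_dir_perms;` is subsumed by the add_entry_dir_perms set in the rule above it. If a separate interface is still wanted, `create_dirs_pattern($1, device_t, device_t)` expresses the grant in one line consistent with the rest of the kernel layer; otherwise the caller at L429 (`dev_create_subdir(initrc_t)`) can use dev_create_generic_dirs and this interface can be dropped.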
Index: refpolicy-2.20170419/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170419/policy/modules/kernel/files.if
@@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file

########################################
## <summary>
+## Relabel files and dirs to etc_runtime_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabelto_etc_runtime',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:file relabelto;
+ allow $1 etc_runtime_t:dir relabelto;
+')
+
+########################################
+## <summary>
## Create, etc runtime objects with an automatic
## type transition.
## </summary>
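Review bot: files_relabelto_etc_runtime is tagged `<rolecap/>`, which marks it as a capability to hand to admin roles, yet its only caller in this patch is init_t at L327, not a role; drop the tag unless a role is meant to receive it. The body could also use the existing helpers, `relabelto_files_pattern($1, etc_runtime_t, etc_runtime_t)` and `relabelto_dirs_pattern($1, etc_runtime_t, etc_runtime_t)`, which additionally grant search on the containing directory. Since relabelto is only useful alongside relabelfrom on the source type, a comment saying which relabel init performs (and from which type) would help a later reviewer judge the grant.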
@@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
')

########################################
+## <summary>
+## Create a /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_pid_dir',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
+########################################
## <summary>
## Search the contents of runtime process
## ID directories (/var/run).
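Review bot: `allow $1 var_run_t:dir create_dir_perms;` covers the new directory itself but grants no add_name on the parent var_run_t directory, so creating a subdirectory of /var/run still depends on the caller already holding that permission from elsewhere (initrc_t at L420, the only caller, may). `create_dirs_pattern($1, var_run_t, var_run_t)` grants both sides and matches how the surrounding interfaces are written.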
Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
@@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',`

########################################
## <summary>
+## Relabel pstore directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_pstore_dirs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ relabel_dirs_pattern($1, pstore_t, pstore_t)
+')
+
+########################################
+## <summary>
+## Get the attributes of a pstore filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ZZZfs_getattr_pstorefs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+allow $1 pstore_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Relabel cgroup directories.
## </summary>
## <param name="domain">
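Review bot: `ZZZfs_getattr_pstorefs` reads like a leftover rename marker or a way of disabling the interface; nothing in the patch calls it and its `allow $1 pstore_t:filesystem getattr;` line is the only unindented body line in the hunk. Either remove the interface or give it its intended name and indent the body; if the prefix exists to avoid clashing with an interface that already provides pstore filesystem getattr, the existing one should be used instead.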
@@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',`

########################################
## <summary>
+## Create cgroup lnk_files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_create_cgroup_links',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ create_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Write cgroup files.
## </summary>
## <param name="domain">
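Review bot: fs_create_cgroup_links grants more than its summary states: in addition to create_lnk_files_pattern it adds rw_lnk_files_pattern and dev_search_sysfs, so the summary should list all three, or the rw part should be dropped if creation is all the caller at L481 needs. The name also departs from the module's convention of `symlinks` for lnk_file interfaces (fs_read_tmpfs_symlinks at L207, and the new fs_relabelfrom_tmpfs_symlinks at L220); `fs_create_cgroup_symlinks` would be consistent.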
@@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', `
interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;
-
')

rw_files_pattern($1, cgroup_t, cgroup_t)
@@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',`
')

########################################
+## <summary>
+## Relabelfrom tmpfs link files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
## <summary>
## Read and write character nodes on tmpfs filesystems.
## </summary>
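Review bot: The body is a hand-written `allow $1 tmpfs_t:lnk_file { getattr relabelfrom };` where the rest of the module uses the file_patterns helpers; `relabelfrom_lnk_files_pattern($1, tmpfs_t, tmpfs_t)` expresses the same grant and also gives search on the containing tmpfs directories. The summary could say why a domain relabels symlinks away from tmpfs_t; the only caller, init_t at L377, carries no comment either.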
Index: refpolicy-2.20170419/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170419/policy/modules/services/ssh.if
@@ -353,6 +353,8 @@ template(`ssh_role_template',`
allow $1_ssh_agent_t self:process { setrlimit signal };
allow $1_ssh_agent_t self:capability setgid;

+ allow $1_ssh_agent_t self:fifo_file rw_file_perms;
+
allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;

allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
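Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies the file-class permission macro to the fifo_file class; the class-specific macro is what the rest of refpolicy uses, so the line should read `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;`. A short comment on what the agent does with a self-labelled fifo would also help, as nothing in the hunk explains it. ssh_role_template starts and ends outside the hunk.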
@@ -436,6 +438,7 @@ template(`ssh_role_template',`
optional_policy(`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
+ xdm_sigchld($1_ssh_agent_t)
')
')

Index: refpolicy-2.20170419/policy/modules/system/fstools.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
+++ refpolicy-2.20170419/policy/modules/system/fstools.if
@@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`

allow $1 swapfile_t:file getattr;
')
+
+########################################
+## <summary>
+## Write to fsadm_log_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_write_log',`
+ gen_require(`
+ type fsadm_log_t;
+ ')
+
+ allow $1 fsadm_log_t:file write_file_perms;
+')
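Review bot: `allow $1 fsadm_log_t:file write_file_perms;` grants no search on the log directory tree, so a caller that does not already have logging_search_logs cannot reach the files (the initrc_t caller at L411 may or may not). The usual shape is `write_files_pattern($1, fsadm_log_t, fsadm_log_t)` together with `logging_search_logs($1)`. The summary `Write to fsadm_log_t` names the type rather than its meaning; something like `Write fstools (fsck/logsave) log files.` reads better, and a name in the style of fstools_getattr_swap_files above it, e.g. `fstools_write_log_files`, would match the module.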
Index: refpolicy-2.20170419/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/init.if
+++ refpolicy-2.20170419/policy/modules/system/init.if
@@ -2966,6 +2966,7 @@ interface(`init_admin',`
init_reload($1)
init_reload_all_units($1)
init_shutdown_system($1)
+ init_start_system($1)
init_start_all_units($1)
init_start_generic_units($1)
init_stop_all_units($1)
Index: refpolicy-2.20170419/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/init.te
+++ refpolicy-2.20170419/policy/modules/system/init.te
@@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t)
allow init_t initrc_t:unix_stream_socket connectto;

# For /var/run/shutdown.pid.
+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
allow init_t init_var_run_t:file manage_file_perms;
files_pid_filetrans(init_t, init_var_run_t, file)

+# for /run/systemd/inaccessible/{chr,blk}
+allow init_t init_var_run_t:blk_file { create getattr };
+allow init_t init_var_run_t:chr_file { create getattr };
+
+# for /run/initctl
+allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
+
+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
+
# for systemd to manage service file symlinks
allow init_t init_var_run_t:file manage_lnk_file_perms;

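Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in this hunk, at L299 and again at L310; one copy should go. The pre-existing line under the "service file symlinks" comment, `allow init_t init_var_run_t:file manage_lnk_file_perms;`, applies lnk_file permissions to the file class, which looks like the bug the new rule is really working around, so the commit could correct that line's class to lnk_file instead of adding a parallel rule and leaving the mislabelled one in place.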
@@ -157,6 +167,7 @@ corecmd_exec_bin(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
+dev_relabel_generic_symlinks(init_t)

domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
@@ -170,6 +181,9 @@ files_read_etc_files(init_t)
files_rw_generic_pids(init_t)
files_manage_etc_runtime_files(init_t)
files_etc_filetrans_etc_runtime(init_t, file)
+files_relabelto_etc_runtime(init_t)
+files_list_usr(init_t)
+
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
# file descriptors inherited from the rootfs:
@@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t

fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
+fs_relabel_pstore_dirs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)

@@ -225,6 +240,8 @@ ifdef(`init_systemd',`
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;

+ allow init_t init_var_run_t:sock_file manage_sock_file_perms;
+
allow init_t daemon:unix_stream_socket create_stream_socket_perms;
allow init_t daemon:unix_dgram_socket create_socket_perms;
allow init_t daemon:tcp_socket create_stream_socket_perms;
@@ -257,6 +274,7 @@ ifdef(`init_systemd',`
kernel_getattr_proc(init_t)
kernel_read_fs_sysctls(init_t)

+ auth_manage_var_auth(init_t)
dev_rw_autofs(init_t)
dev_create_generic_dirs(init_t)
dev_manage_input_dev(init_t)
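Review bot: `auth_manage_var_auth(init_t)` is a broad manage grant added without a comment, while the other additions in this patch to init.te (L303, L307, L367) each name the reason. A line above it such as `# for systemd to manage var_auth_t content — TODO record the denial that motivated this` would let a later reviewer check whether a narrower auth_* interface is enough.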
@@ -318,10 +336,14 @@ ifdef(`init_systemd',`
seutil_read_file_contexts(init_t)

systemd_manage_passwd_runtime_symlinks(init_t)
+ systemd_use_passwd_agent(init_t)

# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)

+ # for systemd to read udev status
+ udev_read_pid_files(init_t)
+
optional_policy(`
clock_read_adjtime(init_t)
')
@@ -350,11 +372,19 @@ ifdef(`init_systemd',`
')
')

+fs_relabelfrom_tmpfs_symlinks(init_t)
+
ifdef(`distro_debian',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")

allow init_t initrc_var_run_t:file manage_file_perms;
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+ fs_manage_tmpfs_files(initrc_t)
+ sysnet_manage_config(initrc_t)
+
+ optional_policy(`
+ postfix_read_config(initrc_t)
+ ')
')

ifdef(`distro_gentoo',`
@@ -370,6 +400,12 @@ ifdef(`distro_redhat',`
')

optional_policy(`
+ modutils_read_module_config(init_t)
+ modutils_read_module_deps(init_t)
+ modutils_read_module_objects(init_t)
+')
+
+optional_policy(`
auth_rw_login_records(init_t)
')

@@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_
# Going to single user mode
init_telinit(initrc_t)

+# for logsave in strict configuration
+fstools_write_log(initrc_t)
+
can_exec(initrc_t, init_script_file_type)

create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
@@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init

allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
+files_create_pid_dir(initrc_t)
+files_setattr_pid_dirs(initrc_t)

allow initrc_t daemon:process siginh;

@@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
corenet_sendrecv_all_client_packets(initrc_t)

+dev_create_subdir(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
dev_dontaudit_read_kmsg(initrc_t)
@@ -825,26 +867,33 @@ ifdef(`enabled_mls',`
')
')

+# for systemd
+kernel_load_module(init_t)
+
ifdef(`init_systemd',`
allow init_t self:system { status reboot halt reload };

allow init_t self:unix_dgram_socket { create_socket_perms sendto };
allow init_t self:process { setsockcreate setfscreate setrlimit };
- allow init_t self:process { getcap setcap };
+ allow init_t self:process { getcap setcap getsched setsched };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+ allow init_t self:netlink_selinux_socket create_socket_perms;
# Until systemd is fixed
allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
allow init_t self:udp_socket create_socket_perms;
allow init_t self:netlink_route_socket create_netlink_socket_perms;
allow init_t initrc_t:unix_dgram_socket create_socket_perms;
- allow initrc_t init_t:system { status reboot halt reload };
+ allow initrc_t init_t:system { start status reboot halt reload };
allow init_t self:capability2 audit_read;
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
files_lock_filetrans(initrc_t, initrc_lock_t, file)

manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
+ allow initrc_t init_var_run_t:file create_file_perms;
+ allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
+ allow initrc_t init_var_run_t:service { start status };

manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
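Review bot: `allow init_t self:netlink_selinux_socket create_socket_perms;` at L450 duplicates a rule that already exists in the same ifdef(`init_systemd') block (context line L342 of the earlier hunk), so it can be dropped. The new `allow initrc_t init_var_run_t:service { start status };` is the only service-class rule in the hunk and has no comment saying which unit objects carry the init_var_run_t label; presumably this is for transient units created under /run, but a line saying so would save the next reader the guess.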
@@ -868,6 +917,7 @@ ifdef(`init_systemd',`
kernel_read_software_raid_state(init_t)
kernel_unmount_debugfs(init_t)
kernel_setsched(init_t)
+ kernel_rw_unix_sysctls(init_t)

auth_relabel_login_records(init_t)
auth_relabel_pam_console_data_dirs(init_t)
@@ -926,6 +976,7 @@ ifdef(`init_systemd',`
fs_list_auto_mountpoints(init_t)
fs_manage_cgroup_dirs(init_t)
fs_manage_cgroup_files(init_t)
+ fs_create_cgroup_links(init_t)
fs_manage_hugetlbfs_dirs(init_t)
fs_manage_tmpfs_dirs(init_t)
fs_mount_all_fs(init_t)
Index: refpolicy-2.20170419/policy/modules/system/modutils.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
+++ refpolicy-2.20170419/policy/modules/system/modutils.if
@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`

########################################
## <summary>
+## Read the kernel modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_read_module_objects',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ files_list_kernel_modules($1)
+ allow $1 modules_object_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read the configuration options used when
## loading modules.
## </summary>
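Review bot: `allow $1 modules_object_t:file read_file_perms;` is a raw rule where refpolicy normally uses the file_patterns helper; `read_files_pattern($1, modules_object_t, modules_object_t)` would also grant search on modules_object_t directories, which matters because module objects sit in nested subdirectories — files_list_kernel_modules presumably covers that already, but it is worth confirming before relying on it. The summary `Read the kernel modules.` could also mention that the caller is given the directory listing.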
Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170419/policy/modules/system/userdomain.if
@@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
dontaudit $1_t user_tty_device_t:chr_file ioctl;

kernel_read_kernel_sysctls($1_t)
+ kernel_read_vm_sysctls($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -78,6 +79,12 @@ template(`userdom_base_user_template',`
dev_dontaudit_getattr_all_blk_files($1_t)
dev_dontaudit_getattr_all_chr_files($1_t)

+ # for X session unlock
+ allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+ # for KDE
+ allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
+
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state($1_t)
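Review bot: Both new rules land in userdom_base_user_template, so every derived user domain, including the least privileged ones, gains nlmsg_relay on an audit netlink socket and a connected kobject uevent socket, even though the comments tie them to X session unlock and KDE. The audit rule is conventionally granted through `logging_send_audit_msgs($1_t)`, which pairs the socket with the matching capability, and both rules would fit better in the graphical part of the user templates or behind an optional_policy so non-desktop user domains are not widened. The template starts and ends outside the hunk.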
@@ -108,6 +115,14 @@ template(`userdom_base_user_template',`

sysnet_read_config($1_t)

+ # kdeinit wants systemd status
+ init_get_system_status($1_t)
+
+ optional_policy(`
+ apt_read_cache($1_t)
+ apt_read_db($1_t)
+ ')
+
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
Index: refpolicy-2.20170419/policy/support/file_patterns.spt
===================================================================
--- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
+++ refpolicy-2.20170419/policy/support/file_patterns.spt
@@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
define(`create_chr_files_pattern',`
allow $1 self:capability mknod;
allow $1 $2:dir add_entry_dir_perms;
- allow $1 $3:chr_file create_chr_file_perms;
+ allow $1 $3:chr_file { create_chr_file_perms setattr };
')

define(`delete_chr_files_pattern',`
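Review bot: Adding setattr to create_chr_files_pattern widens every caller of the macro across the whole policy, since file_patterns.spt is the shared support layer, not just the domain that hit the denial. The narrower fix is an explicit `allow <domain> <type>:chr_file setattr;` in the module that needs it — from this patch that is probably init_t on init_var_run_t (L305), but that is an inference. If the macro change is intentional, the sibling create_*_pattern macros should be reviewed for consistency and the commit message should call the global widening out.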
Index: refpolicy-2.20170419/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170419/policy/modules/services/xserver.if
@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Allow domain to send sigchld to xdm_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdm_sigchld',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:process sigchld;
+')
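Review bot: `xdm_sigchld` breaks the file's naming convention, in which every interface carries the `xserver_` module prefix (xserver_unconfined at L572, xserver_use_xdm_fds and xserver_rw_xdm_pipes at L247–L248); a name such as `xserver_xdm_sigchld`, with the call at L249 renamed to match, would be consistent and would reduce the chance of a clash when the login patch lands. The summary could also say who is expected to call it (the ssh hunk applies it to the agent domain).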


2017-04-19 11:51:14

by guido

Subject: [refpolicy] [PATCH] second strict patch

Hello.

I believe it is very important to move *all* permissions required by systemd into the appropriate ifdef block (init_systemd).

Not everybody is using systemd and many people believe it is, amongst other things, a waste of resources and SELinux permissions.

Thanks,

Guido

On the 19th of April 2017 13:00:59 CEST, Russell Coker via refpolicy <[email protected]> wrote:
>This is the rest of my policy that was developed on "strict" systems.
>It also
>has no inter-dependencies with other patches. I included the interface
>xdm_sigchld() in this patch as well so it can be applied on it's own,
>this
>means that it conflicts with the login patch.
>
>Chris, maybe even if you don't apply this patch or the login patch in
>the
>near future you could add the xdm_sigchld() interface so that both
>patches
>can be complete and working and not conflict.
>
>Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if
>+++ refpolicy-2.20170419/policy/modules/contrib/gnome.if
>@@ -76,6 +76,8 @@ template(`gnome_role_template',`
>
> allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms
>relabel_dir_perms };
> allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms
>relabel_file_perms };
>+ allow $3 gconfd_t:dbus send_msg;
>+ allow gconfd_t $3:dbus send_msg;
> userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
> userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
>
>Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
>+++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
>@@ -324,6 +324,7 @@ ifdef(`distro_debian',`
> /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
>+/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
> ')
>
> ifdef(`distro_gentoo', `
>Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
>+++ refpolicy-2.20170419/policy/modules/kernel/devices.if
>@@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`
>
> typeattribute $1 devices_unconfined_type;
> ')
>+
>+########################################
>+## <summary>
>+## Create subdir of /dev
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`dev_create_subdir',`
>+ gen_require(`
>+ type device_t;
>+ ')
>+
>+ allow $1 device_t:dir { add_entry_dir_perms create };
>+ allow $1 device_t:dir search_dir_perms;
>+')
>Index: refpolicy-2.20170419/policy/modules/kernel/files.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
>+++ refpolicy-2.20170419/policy/modules/kernel/files.if
>@@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file
>
> ########################################
> ## <summary>
>+## Relabel files and dirs to etc_runtime_t
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`files_relabelto_etc_runtime',`
>+ gen_require(`
>+ type etc_runtime_t;
>+ ')
>+
>+ allow $1 etc_runtime_t:file relabelto;
>+ allow $1 etc_runtime_t:dir relabelto;
>+')
>+
>+########################################
>+## <summary>
> ## Create, etc runtime objects with an automatic
> ## type transition.
> ## </summary>
>@@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
> ')
>
> ########################################
>+## <summary>
>+## Create a /var/run directory.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`files_create_pid_dir',`
>+ gen_require(`
>+ type var_run_t;
>+ ')
>+
>+ allow $1 var_run_t:dir create_dir_perms;
>+')
>+
>+########################################
> ## <summary>
> ## Search the contents of runtime process
> ## ID directories (/var/run).
>Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
>+++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
>@@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',`
>
> ########################################
> ## <summary>
>+## Relabel pstore directories.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`fs_relabel_pstore_dirs',`
>+ gen_require(`
>+ type pstore_t;
>+ ')
>+
>+ relabel_dirs_pattern($1, pstore_t, pstore_t)
>+')
>+
>+########################################
>+## <summary>
>+## Get the attributes of a pstore filesystem.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`ZZZfs_getattr_pstorefs',`
>+ gen_require(`
>+ type pstore_t;
>+ ')
>+
>+allow $1 pstore_t:filesystem getattr;
>+')
>+
>+########################################
>+## <summary>
> ## Relabel cgroup directories.
> ## </summary>
> ## <param name="domain">
>@@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',`
>
> ########################################
> ## <summary>
>+## Create cgroup lnk_files.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`fs_create_cgroup_links',`
>+ gen_require(`
>+ type cgroup_t;
>+ ')
>+
>+ create_lnk_files_pattern($1, cgroup_t, cgroup_t)
>+ rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
>+ dev_search_sysfs($1)
>+')
>+
>+########################################
>+## <summary>
> ## Write cgroup files.
> ## </summary>
> ## <param name="domain">
>@@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', `
> interface(`fs_rw_cgroup_files',`
> gen_require(`
> type cgroup_t;
>-
> ')
>
> rw_files_pattern($1, cgroup_t, cgroup_t)
>@@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',`
> ')
>
> ########################################
>+## <summary>
>+## Relabelfrom tmpfs link files.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`fs_relabelfrom_tmpfs_symlinks',`
>+ gen_require(`
>+ type tmpfs_t;
>+ ')
>+
>+ allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
>+')
>+
>+########################################
> ## <summary>
> ## Read and write character nodes on tmpfs filesystems.
> ## </summary>
>Index: refpolicy-2.20170419/policy/modules/services/ssh.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
>+++ refpolicy-2.20170419/policy/modules/services/ssh.if
>@@ -353,6 +353,8 @@ template(`ssh_role_template',`
> allow $1_ssh_agent_t self:process { setrlimit signal };
> allow $1_ssh_agent_t self:capability setgid;
>
>+ allow $1_ssh_agent_t self:fifo_file rw_file_perms;
>+
> allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
>
> allow $1_ssh_agent_t self:unix_stream_socket {
>create_stream_socket_perms connectto };
>@@ -436,6 +438,7 @@ template(`ssh_role_template',`
> optional_policy(`
> xserver_use_xdm_fds($1_ssh_agent_t)
> xserver_rw_xdm_pipes($1_ssh_agent_t)
>+ xdm_sigchld($1_ssh_agent_t)
> ')
> ')
>
>Index: refpolicy-2.20170419/policy/modules/system/fstools.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
>+++ refpolicy-2.20170419/policy/modules/system/fstools.if
>@@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`
>
> allow $1 swapfile_t:file getattr;
> ')
>+
>+########################################
>+## <summary>
>+## Write to fsadm_log_t
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`fstools_write_log',`
>+ gen_require(`
>+ type fsadm_log_t;
>+ ')
>+
>+ allow $1 fsadm_log_t:file write_file_perms;
>+')
>Index: refpolicy-2.20170419/policy/modules/system/init.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/init.if
>+++ refpolicy-2.20170419/policy/modules/system/init.if
>@@ -2966,6 +2966,7 @@ interface(`init_admin',`
> init_reload($1)
> init_reload_all_units($1)
> init_shutdown_system($1)
>+ init_start_system($1)
> init_start_all_units($1)
> init_start_generic_units($1)
> init_stop_all_units($1)
>Index: refpolicy-2.20170419/policy/modules/system/init.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/init.te
>+++ refpolicy-2.20170419/policy/modules/system/init.te
>@@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t)
> allow init_t initrc_t:unix_stream_socket connectto;
>
> # For /var/run/shutdown.pid.
>+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
> allow init_t init_var_run_t:file manage_file_perms;
> files_pid_filetrans(init_t, init_var_run_t, file)
>
>+# for /run/systemd/inaccessible/{chr,blk}
>+allow init_t init_var_run_t:blk_file { create getattr };
>+allow init_t init_var_run_t:chr_file { create getattr };
>+
>+# for /run/initctl
>+allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
>+
>+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
>+
> # for systemd to manage service file symlinks
> allow init_t init_var_run_t:file manage_lnk_file_perms;
>
>@@ -157,6 +167,7 @@ corecmd_exec_bin(init_t)
> dev_read_sysfs(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>+dev_relabel_generic_symlinks(init_t)
>
> domain_getpgid_all_domains(init_t)
> domain_kill_all_domains(init_t)
>@@ -170,6 +181,9 @@ files_read_etc_files(init_t)
> files_rw_generic_pids(init_t)
> files_manage_etc_runtime_files(init_t)
> files_etc_filetrans_etc_runtime(init_t, file)
>+files_relabelto_etc_runtime(init_t)
>+files_list_usr(init_t)
>+
> # Run /etc/X11/prefdm:
> files_exec_etc_files(init_t)
> # file descriptors inherited from the rootfs:
>@@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t
>
> fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
>+fs_relabel_pstore_dirs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
>
>@@ -225,6 +240,8 @@ ifdef(`init_systemd',`
> allow init_t self:netlink_selinux_socket create_socket_perms;
> allow init_t self:unix_dgram_socket lock;
>
>+ allow init_t init_var_run_t:sock_file manage_sock_file_perms;
>+
> allow init_t daemon:unix_stream_socket create_stream_socket_perms;
> allow init_t daemon:unix_dgram_socket create_socket_perms;
> allow init_t daemon:tcp_socket create_stream_socket_perms;
>@@ -257,6 +274,7 @@ ifdef(`init_systemd',`
> kernel_getattr_proc(init_t)
> kernel_read_fs_sysctls(init_t)
>
>+ auth_manage_var_auth(init_t)
> dev_rw_autofs(init_t)
> dev_create_generic_dirs(init_t)
> dev_manage_input_dev(init_t)
>@@ -318,10 +336,14 @@ ifdef(`init_systemd',`
> seutil_read_file_contexts(init_t)
>
> systemd_manage_passwd_runtime_symlinks(init_t)
>+ systemd_use_passwd_agent(init_t)
>
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
>+ # for systemd to read udev status
>+ udev_read_pid_files(init_t)
>+
> optional_policy(`
> clock_read_adjtime(init_t)
> ')
>@@ -350,11 +372,19 @@ ifdef(`init_systemd',`
> ')
> ')
>
>+fs_relabelfrom_tmpfs_symlinks(init_t)
>+
> ifdef(`distro_debian',`
> fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
>
> allow init_t initrc_var_run_t:file manage_file_perms;
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
>+ fs_manage_tmpfs_files(initrc_t)
>+ sysnet_manage_config(initrc_t)
>+
>+ optional_policy(`
>+ postfix_read_config(initrc_t)
>+ ')
> ')
>
> ifdef(`distro_gentoo',`
>@@ -370,6 +400,12 @@ ifdef(`distro_redhat',`
> ')
>
> optional_policy(`
>+ modutils_read_module_config(init_t)
>+ modutils_read_module_deps(init_t)
>+ modutils_read_module_objects(init_t)
>+')
>+
>+optional_policy(`
> auth_rw_login_records(init_t)
> ')
>
>@@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_
> # Going to single user mode
> init_telinit(initrc_t)
>
>+# for logsave in strict configuration
>+fstools_write_log(initrc_t)
>+
> can_exec(initrc_t, init_script_file_type)
>
> create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
>@@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init
>
> allow initrc_t initrc_var_run_t:file manage_file_perms;
> files_pid_filetrans(initrc_t, initrc_var_run_t, file)
>+files_create_pid_dir(initrc_t)
>+files_setattr_pid_dirs(initrc_t)
>
> allow initrc_t daemon:process siginh;
>
>@@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t)
> corenet_tcp_connect_all_ports(initrc_t)
> corenet_sendrecv_all_client_packets(initrc_t)
>
>+dev_create_subdir(initrc_t)
> dev_read_rand(initrc_t)
> dev_read_urand(initrc_t)
> dev_dontaudit_read_kmsg(initrc_t)
>@@ -825,26 +867,33 @@ ifdef(`enabled_mls',`
> ')
> ')
>
>+# for systemd
>+kernel_load_module(init_t)
>+
> ifdef(`init_systemd',`
> allow init_t self:system { status reboot halt reload };
>
> allow init_t self:unix_dgram_socket { create_socket_perms sendto };
> allow init_t self:process { setsockcreate setfscreate setrlimit };
>- allow init_t self:process { getcap setcap };
>+ allow init_t self:process { getcap setcap getsched setsched };
> allow init_t self:unix_stream_socket { create_stream_socket_perms
>connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow init_t self:netlink_audit_socket { nlmsg_relay
>create_socket_perms };
>+ allow init_t self:netlink_selinux_socket create_socket_perms;
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl
>setopt write };
> allow init_t self:udp_socket create_socket_perms;
> allow init_t self:netlink_route_socket create_netlink_socket_perms;
> allow init_t initrc_t:unix_dgram_socket create_socket_perms;
>- allow initrc_t init_t:system { status reboot halt reload };
>+ allow initrc_t init_t:system { start status reboot halt reload };
> allow init_t self:capability2 audit_read;
> manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> files_lock_filetrans(initrc_t, initrc_lock_t, file)
>
> manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
>+ allow initrc_t init_var_run_t:file create_file_perms;
>+ allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
>+ allow initrc_t init_var_run_t:service { start status };
>
> manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
> manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
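Review bot: `allow init_t self:netlink_selinux_socket create_socket_perms;` added at L1065 already exists in the same `ifdef(`init_systemd'` section — it is visible as context at L1620 in the `@@ -225,6 +240,8 @@` hunk — so this line is a duplicate and should be dropped. Separately, `kernel_load_module(init_t)` at L1050-L1051 is commented `# for systemd` but sits outside the `ifdef(`init_systemd',`` block that opens two lines later, so sysvinit builds also gain module loading for init_t; moving it inside the block (or correcting the comment) matches the stated intent. The `allow initrc_t init_var_run_t:service { start status };` rule at L1081 would benefit from a comment naming the unit it is for, since as far as I can tell `service` permissions are otherwise granted on unit-file types rather than on a runtime-directory type.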
>@@ -868,6 +917,7 @@ ifdef(`init_systemd',`
> kernel_read_software_raid_state(init_t)
> kernel_unmount_debugfs(init_t)
> kernel_setsched(init_t)
>+ kernel_rw_unix_sysctls(init_t)
>
> auth_relabel_login_records(init_t)
> auth_relabel_pam_console_data_dirs(init_t)
>@@ -926,6 +976,7 @@ ifdef(`init_systemd',`
> fs_list_auto_mountpoints(init_t)
> fs_manage_cgroup_dirs(init_t)
> fs_manage_cgroup_files(init_t)
>+ fs_create_cgroup_links(init_t)
> fs_manage_hugetlbfs_dirs(init_t)
> fs_manage_tmpfs_dirs(init_t)
> fs_mount_all_fs(init_t)
>Index: refpolicy-2.20170419/policy/modules/system/modutils.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
>+++ refpolicy-2.20170419/policy/modules/system/modutils.if
>@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
>
> ########################################
> ## <summary>
>+## Read the kernel modules.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`modutils_read_module_objects',`
>+ gen_require(`
>+ type modules_object_t;
>+ ')
>+
>+ files_list_kernel_modules($1)
>+ allow $1 modules_object_t:file read_file_perms;
>+')
>+
>+########################################
>+## <summary>
> ## Read the configuration options used when
> ## loading modules.
> ## </summary>
>Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
>+++ refpolicy-2.20170419/policy/modules/system/userdomain.if
>@@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
> dontaudit $1_t user_tty_device_t:chr_file ioctl;
>
> kernel_read_kernel_sysctls($1_t)
>+ kernel_read_vm_sysctls($1_t)
> kernel_dontaudit_list_unlabeled($1_t)
> kernel_dontaudit_getattr_unlabeled_files($1_t)
> kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
>@@ -78,6 +79,12 @@ template(`userdom_base_user_template',`
> dev_dontaudit_getattr_all_blk_files($1_t)
> dev_dontaudit_getattr_all_chr_files($1_t)
>
>+ # for X session unlock
>+ allow $1_t self:netlink_audit_socket { create_socket_perms
>nlmsg_relay };
>+
>+ # for KDE
>+ allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
>+
> # When the user domain runs ps, there will be a number of access
> # denials when ps tries to search /proc. Do not audit these denials.
> domain_dontaudit_read_all_domains_state($1_t)
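Review bot: The raw `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` at L1148-L1149 gives every domain built from the base user template the ability to inject user-level audit records; refpolicy already wraps exactly this in `logging_send_audit_msgs()`, which also grants the `audit_write` capability that normally accompanies it, so `logging_send_audit_msgs($1_t)` should replace the rule (and may be what actually makes the unlock path work, if the capability was being denied separately). Since the comments tie both new rules to X session unlock and KDE, they and the `init_get_system_status`/`apt_read_*` additions in the next hunk (L1157-L1171) look like desktop-role rules that belong in the unprivileged or desktop user templates rather than in `userdom_base_user_template`, which system and restricted roles also inherit; at minimum an `optional_policy` guarded on the xserver module would limit the exposure. The enclosing template starts outside both hunks.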
>@@ -108,6 +115,14 @@ template(`userdom_base_user_template',`
>
> sysnet_read_config($1_t)
>
>+ # kdeinit wants systemd status
>+ init_get_system_status($1_t)
>+
>+ optional_policy(`
>+ apt_read_cache($1_t)
>+ apt_read_db($1_t)
>+ ')
>+
> tunable_policy(`allow_execmem',`
> # Allow loading DSOs that require executable stack.
> allow $1_t self:process execmem;
>Index: refpolicy-2.20170419/policy/support/file_patterns.spt
>===================================================================
>--- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
>+++ refpolicy-2.20170419/policy/support/file_patterns.spt
>@@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
> define(`create_chr_files_pattern',`
> allow $1 self:capability mknod;
> allow $1 $2:dir add_entry_dir_perms;
>- allow $1 $3:chr_file create_chr_file_perms;
>+ allow $1 $3:chr_file { create_chr_file_perms setattr };
> ')
>
> define(`delete_chr_files_pattern',`
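Review bot: Adding `setattr` to `create_chr_files_pattern` at L1181 changes a shared support macro, so every domain in the tree that uses the pattern silently gains setattr on its character-device files, not just the caller this patch needs it for (the patch does not show which). If the need is a single domain, granting `allow <domain> <type>:chr_file setattr;` at that call site, or adding a dedicated setattr interface, keeps the change reviewable and leaves the pattern's meaning aligned with its name. A one-line comment giving the reason would be needed in any case if the macro change stays.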
>Index: refpolicy-2.20170419/policy/modules/services/xserver.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/services/xserver.if
>+++ refpolicy-2.20170419/policy/modules/services/xserver.if
>@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
>+
>+########################################
>+## <summary>
>+## Allow domain to send sigchld to xdm_t
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`xdm_sigchld',`
>+ gen_require(`
>+ type xdm_t;
>+ ')
>+
>+ allow $1 xdm_t:process sigchld;
>+')
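Review bot: The new interface is named `xdm_sigchld` but lives in xserver.if, where every other interface carries the module prefix (`xserver_unconfined` at L1189, `xserver_use_xdm_fds`/`xserver_rw_xdm_pipes` at L1525-L1526 where this one is called), so it should be `xserver_xdm_sigchld` and the ssh.if call at L1527 renamed to match; an unprefixed name also makes it look like it belongs to a non-existent `xdm` module to anyone searching the tree. The summary `Allow domain to send sigchld to xdm_t` names the type rather than describing the access; `Send a SIGCHLD signal to the X display manager.` would match the surrounding summaries. The same hunk is quoted again at L1853-L1874.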

2017-04-19 12:13:09

by guido

Subject: [refpolicy] [PATCH] second strict patch

Also, I am already adding a permission in a patch that I recently
posted...

Please see below.

On Wed, 19/04/2017 at 21.00 +1000, Russell Coker via refpolicy
wrote:
> This is the rest of my policy that was developed on "strict"
> systems. It also
> has no inter-dependencies with other patches. I included the
> interface
> xdm_sigchld() in this patch as well so it can be applied on it's own,
> this
> means that it conflicts with the login patch.
>
> Chris, maybe even if you don't apply this patch or the login patch in
> the
> near future you could add the xdm_sigchld() interface so that both
> patches
> can be complete and working and not conflict.
>
> Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if
> +++ refpolicy-2.20170419/policy/modules/contrib/gnome.if
> @@ -76,6 +76,8 @@ template(`gnome_role_template',`
> ?
> ? allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms
> relabel_dir_perms };
> ? allow $3 { gconf_home_t gconf_tmp_t }:file {
> manage_file_perms relabel_file_perms };
> + allow $3 gconfd_t:dbus send_msg;
> + allow gconfd_t $3:dbus send_msg;
> ? userdom_user_home_dir_filetrans($3, gconf_home_t, dir,
> ".gconf")
> ? userdom_user_home_dir_filetrans($3, gconf_home_t, dir,
> ".gconfd")
> ?

The above permission for gconfd to chat over dbus is the same that I
have recently added in the following patch:

http://oss.tresys.com/pipermail/refpolicy/2017-April/009286.html

Adding the same permission twice is not advisable. Did you not see
the patch that I posted?

Regards,

Guido

2017-04-19 12:23:15

by Christian Göttsche

Subject: [refpolicy] [PATCH] second strict patch

2017-04-19 13:00 GMT+02:00 Russell Coker via refpolicy
<[email protected]>:
> This is the rest of my policy that was developed on "strict" systems. It also
> has no inter-dependencies with other patches. I included the interface
> xdm_sigchld() in this patch as well so it can be applied on it's own, this
> means that it conflicts with the login patch.
>
> Chris, maybe even if you don't apply this patch or the login patch in the
> near future you could add the xdm_sigchld() interface so that both patches
> can be complete and working and not conflict.
>
> Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if
> +++ refpolicy-2.20170419/policy/modules/contrib/gnome.if
> @@ -76,6 +76,8 @@ template(`gnome_role_template',`
>
> allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
> allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
> + allow $3 gconfd_t:dbus send_msg;
> + allow gconfd_t $3:dbus send_msg;
> userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
> userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
>
> Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
> @@ -324,6 +324,7 @@ ifdef(`distro_debian',`
> /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
> ')
>
> ifdef(`distro_gentoo', `
> Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170419/policy/modules/kernel/devices.if
> @@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`
>
> typeattribute $1 devices_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Create subdir of /dev
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_create_subdir',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:dir { add_entry_dir_perms create };
> + allow $1 device_t:dir search_dir_perms;
> +')
> Index: refpolicy-2.20170419/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170419/policy/modules/kernel/files.if
> @@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file
>
> ########################################
> ## <summary>
> +## Relabel files and dirs to etc_runtime_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_relabelto_etc_runtime',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:file relabelto;
> + allow $1 etc_runtime_t:dir relabelto;
> +')
> +
> +########################################
> +## <summary>
> ## Create, etc runtime objects with an automatic
> ## type transition.
> ## </summary>
> @@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
> ')
>
> ########################################
> +## <summary>
> +## Create a /var/run directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_pid_dir',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + allow $1 var_run_t:dir create_dir_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Search the contents of runtime process
> ## ID directories (/var/run).
> Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
> @@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',`
>
> ########################################
> ## <summary>
> +## Relabel pstore directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_relabel_pstore_dirs',`
> + gen_require(`
> + type pstore_t;
> + ')
> +
> + relabel_dirs_pattern($1, pstore_t, pstore_t)
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of a pstore filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ZZZfs_getattr_pstorefs',`
> + gen_require(`
> + type pstore_t;
> + ')
> +
> +allow $1 pstore_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Relabel cgroup directories.
> ## </summary>
> ## <param name="domain">
> @@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',`
>
> ########################################
> ## <summary>
> +## Create cgroup lnk_files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_create_cgroup_links',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + create_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + rw_lnk_files_pattern($1, cgroup_t, cgroup_t)

The interface name says create, but this line grants rw as well.

> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Write cgroup files.
> ## </summary>
> ## <param name="domain">
> @@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', `
> interface(`fs_rw_cgroup_files',`
> gen_require(`
> type cgroup_t;
> -
> ')
>
> rw_files_pattern($1, cgroup_t, cgroup_t)
> @@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',`
> ')
>
> ########################################
> +## <summary>
> +## Relabelfrom tmpfs link files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_relabelfrom_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
> +')
> +
> +########################################
> ## <summary>
> ## Read and write character nodes on tmpfs filesystems.
> ## </summary>
> Index: refpolicy-2.20170419/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20170419/policy/modules/services/ssh.if
> @@ -353,6 +353,8 @@ template(`ssh_role_template',`
> allow $1_ssh_agent_t self:process { setrlimit signal };
> allow $1_ssh_agent_t self:capability setgid;
>
> + allow $1_ssh_agent_t self:fifo_file rw_file_perms;
> +
> allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
>
> allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -436,6 +438,7 @@ template(`ssh_role_template',`
> optional_policy(`
> xserver_use_xdm_fds($1_ssh_agent_t)
> xserver_rw_xdm_pipes($1_ssh_agent_t)
> + xdm_sigchld($1_ssh_agent_t)
> ')
> ')
>
> Index: refpolicy-2.20170419/policy/modules/system/fstools.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
> +++ refpolicy-2.20170419/policy/modules/system/fstools.if
> @@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`
>
> allow $1 swapfile_t:file getattr;
> ')
> +
> +########################################
> +## <summary>
> +## Write to fsadm_log_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fstools_write_log',`
> + gen_require(`
> + type fsadm_log_t;
> + ')
> +
> + allow $1 fsadm_log_t:file write_file_perms;
> +')
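Review bot: `fstools_write_log` grants only `fsadm_log_t:file write_file_perms` and no search permission on the parent log directory, so a caller that has not separately obtained `logging_search_logs` will still be denied on the path lookup; the conventional shape is `logging_search_logs($1)` followed by `write_files_pattern($1, fsadm_log_t, fsadm_log_t)`. The summary `Write to fsadm_log_t` names the type rather than the access; `Write filesystem administration tool log files.` would read like the neighbouring summaries. Its only caller, `fstools_write_log(initrc_t)` at L1023-L1024, is commented as being for logsave — if logsave has to create the log file when it is missing, write permissions alone will not cover that and a filetrans would be needed too.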
> Index: refpolicy-2.20170419/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170419/policy/modules/system/init.if
> @@ -2966,6 +2966,7 @@ interface(`init_admin',`
> init_reload($1)
> init_reload_all_units($1)
> init_shutdown_system($1)
> + init_start_system($1)
> init_start_all_units($1)
> init_start_generic_units($1)
> init_stop_all_units($1)
> Index: refpolicy-2.20170419/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170419/policy/modules/system/init.te
> @@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t)
> allow init_t initrc_t:unix_stream_socket connectto;
>
> # For /var/run/shutdown.pid.
> +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
> allow init_t init_var_run_t:file manage_file_perms;
> files_pid_filetrans(init_t, init_var_run_t, file)
>
> +# for /run/systemd/inaccessible/{chr,blk}
> +allow init_t init_var_run_t:blk_file { create getattr };
> +allow init_t init_var_run_t:chr_file { create getattr };
> +
> +# for /run/initctl
> +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
> +
> +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
> +
> # for systemd to manage service file symlinks
> allow init_t init_var_run_t:file manage_lnk_file_perms;
>
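Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in this hunk, at L1577 and again at L1588; one of them should go. The pre-existing context line at L1591, `allow init_t init_var_run_t:file manage_lnk_file_perms;`, applies symlink permissions to the file class under a comment about service file symlinks and looks like the rule the new lnk_file line was meant to correct — replacing that line rather than adding alongside it would keep the history readable. The blk_file/chr_file rules for /run/systemd/inaccessible at L1582-L1583 and the /run/initctl fifo rule at L1586 are systemd-specific by their own comments but sit outside the `ifdef(`init_systemd'` section (the one visible from L1619 onward), so they may be better placed there.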
> @@ -157,6 +167,7 @@ corecmd_exec_bin(init_t)
> dev_read_sysfs(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
> +dev_relabel_generic_symlinks(init_t)
>
> domain_getpgid_all_domains(init_t)
> domain_kill_all_domains(init_t)
> @@ -170,6 +181,9 @@ files_read_etc_files(init_t)
> files_rw_generic_pids(init_t)
> files_manage_etc_runtime_files(init_t)
> files_etc_filetrans_etc_runtime(init_t, file)
> +files_relabelto_etc_runtime(init_t)
> +files_list_usr(init_t)
> +
> # Run /etc/X11/prefdm:
> files_exec_etc_files(init_t)
> # file descriptors inherited from the rootfs:
> @@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t
>
> fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
> +fs_relabel_pstore_dirs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
>
> @@ -225,6 +240,8 @@ ifdef(`init_systemd',`
> allow init_t self:netlink_selinux_socket create_socket_perms;
> allow init_t self:unix_dgram_socket lock;
>
> + allow init_t init_var_run_t:sock_file manage_sock_file_perms;
> +
> allow init_t daemon:unix_stream_socket create_stream_socket_perms;
> allow init_t daemon:unix_dgram_socket create_socket_perms;
> allow init_t daemon:tcp_socket create_stream_socket_perms;
> @@ -257,6 +274,7 @@ ifdef(`init_systemd',`
> kernel_getattr_proc(init_t)
> kernel_read_fs_sysctls(init_t)
>
> + auth_manage_var_auth(init_t)
> dev_rw_autofs(init_t)
> dev_create_generic_dirs(init_t)
> dev_manage_input_dev(init_t)
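Review bot: `auth_manage_var_auth(init_t)` at L1632 is inserted directly above the `dev_*` group with no blank line, while this file otherwise groups interface calls by module prefix and separates the groups (the other auth_ calls in the systemd section sit together, as at L1091-L1092); moving it into the auth group keeps that convention. It also grants init_t full manage rights on var_auth_t with no comment; a line such as `# systemd needs <file or directory> under the auth runtime dir — TODO name it` would let the grant be narrowed to the specific object later. The enclosing `ifdef(`init_systemd'` block starts outside this hunk.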
> @@ -318,10 +336,14 @@ ifdef(`init_systemd',`
> seutil_read_file_contexts(init_t)
>
> systemd_manage_passwd_runtime_symlinks(init_t)
> + systemd_use_passwd_agent(init_t)
>
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> + # for systemd to read udev status
> + udev_read_pid_files(init_t)
> +
> optional_policy(`
> clock_read_adjtime(init_t)
> ')
> @@ -350,11 +372,19 @@ ifdef(`init_systemd',`
> ')
> ')
>
> +fs_relabelfrom_tmpfs_symlinks(init_t)
> +
> ifdef(`distro_debian',`
> fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
>
> allow init_t initrc_var_run_t:file manage_file_perms;
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> + fs_manage_tmpfs_files(initrc_t)
> + sysnet_manage_config(initrc_t)
> +
> + optional_policy(`
> + postfix_read_config(initrc_t)
> + ')
> ')
>
> ifdef(`distro_gentoo',`
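Review bot: `fs_manage_tmpfs_files(initrc_t)` at L1662 gives init scripts manage rights on every generic tmpfs_t file, far broader than the utmp file handled by the filetrans on the line above; if the denial was for a particular file under a tmpfs mount, a transition to a dedicated type or a narrower interface is preferable, and the rule needs a comment naming that file. `fs_relabelfrom_tmpfs_symlinks(init_t)` at L1655 is placed between the systemd section and the `distro_debian` block with no comment, so it applies to every init implementation; if it is a systemd relabel it belongs inside `ifdef(`init_systemd'` with the other relabel rules. `sysnet_manage_config(initrc_t)` at L1663 likewise lets init scripts rewrite network configuration without a note of which script requires it.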
> @@ -370,6 +400,12 @@ ifdef(`distro_redhat',`
> ')
>
> optional_policy(`
> + modutils_read_module_config(init_t)
> + modutils_read_module_deps(init_t)
> + modutils_read_module_objects(init_t)
> +')
> +
> +optional_policy(`
> auth_rw_login_records(init_t)
> ')
>
> @@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_
> # Going to single user mode
> init_telinit(initrc_t)
>
> +# for logsave in strict configuration
> +fstools_write_log(initrc_t)
> +
> can_exec(initrc_t, init_script_file_type)
>
> create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
> @@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init
>
> allow initrc_t initrc_var_run_t:file manage_file_perms;
> files_pid_filetrans(initrc_t, initrc_var_run_t, file)
> +files_create_pid_dir(initrc_t)
> +files_setattr_pid_dirs(initrc_t)
>
> allow initrc_t daemon:process siginh;
>
> @@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t)
> corenet_tcp_connect_all_ports(initrc_t)
> corenet_sendrecv_all_client_packets(initrc_t)
>
> +dev_create_subdir(initrc_t)
> dev_read_rand(initrc_t)
> dev_read_urand(initrc_t)
> dev_dontaudit_read_kmsg(initrc_t)
> @@ -825,26 +867,33 @@ ifdef(`enabled_mls',`
> ')
> ')
>
> +# for systemd
> +kernel_load_module(init_t)
> +
> ifdef(`init_systemd',`
> allow init_t self:system { status reboot halt reload };
>
> allow init_t self:unix_dgram_socket { create_socket_perms sendto };
> allow init_t self:process { setsockcreate setfscreate setrlimit };
> - allow init_t self:process { getcap setcap };
> + allow init_t self:process { getcap setcap getsched setsched };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> + allow init_t self:netlink_selinux_socket create_socket_perms;
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> allow init_t self:netlink_route_socket create_netlink_socket_perms;
> allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> - allow initrc_t init_t:system { status reboot halt reload };
> + allow initrc_t init_t:system { start status reboot halt reload };
> allow init_t self:capability2 audit_read;
> manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> files_lock_filetrans(initrc_t, initrc_lock_t, file)
>
> manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
> + allow initrc_t init_var_run_t:file create_file_perms;
> + allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
> + allow initrc_t init_var_run_t:service { start status };
>
> manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
> manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
> @@ -868,6 +917,7 @@ ifdef(`init_systemd',`
> kernel_read_software_raid_state(init_t)
> kernel_unmount_debugfs(init_t)
> kernel_setsched(init_t)
> + kernel_rw_unix_sysctls(init_t)
>
> auth_relabel_login_records(init_t)
> auth_relabel_pam_console_data_dirs(init_t)
> @@ -926,6 +976,7 @@ ifdef(`init_systemd',`
> fs_list_auto_mountpoints(init_t)
> fs_manage_cgroup_dirs(init_t)
> fs_manage_cgroup_files(init_t)
> + fs_create_cgroup_links(init_t)
> fs_manage_hugetlbfs_dirs(init_t)
> fs_manage_tmpfs_dirs(init_t)
> fs_mount_all_fs(init_t)
> Index: refpolicy-2.20170419/policy/modules/system/modutils.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
> +++ refpolicy-2.20170419/policy/modules/system/modutils.if
> @@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
>
> ########################################
> ## <summary>
> +## Read the kernel modules.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`modutils_read_module_objects',`
> + gen_require(`
> + type modules_object_t;
> + ')
> +
> + files_list_kernel_modules($1)
> + allow $1 modules_object_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read the configuration options used when
> ## loading modules.
> ## </summary>
> Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170419/policy/modules/system/userdomain.if
> @@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
> dontaudit $1_t user_tty_device_t:chr_file ioctl;
>
> kernel_read_kernel_sysctls($1_t)
> + kernel_read_vm_sysctls($1_t)
> kernel_dontaudit_list_unlabeled($1_t)
> kernel_dontaudit_getattr_unlabeled_files($1_t)
> kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
> @@ -78,6 +79,12 @@ template(`userdom_base_user_template',`
> dev_dontaudit_getattr_all_blk_files($1_t)
> dev_dontaudit_getattr_all_chr_files($1_t)
>
> + # for X session unlock
> + allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
> +
> + # for KDE
> + allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
> +
> # When the user domain runs ps, there will be a number of access
> # denials when ps tries to search /proc. Do not audit these denials.
> domain_dontaudit_read_all_domains_state($1_t)
> @@ -108,6 +115,14 @@ template(`userdom_base_user_template',`
>
> sysnet_read_config($1_t)
>
> + # kdeinit wants systemd status
> + init_get_system_status($1_t)
> +
> + optional_policy(`
> + apt_read_cache($1_t)
> + apt_read_db($1_t)
> + ')
> +
> tunable_policy(`allow_execmem',`
> # Allow loading DSOs that require executable stack.
> allow $1_t self:process execmem;
> Index: refpolicy-2.20170419/policy/support/file_patterns.spt
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
> +++ refpolicy-2.20170419/policy/support/file_patterns.spt
> @@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
> define(`create_chr_files_pattern',`
> allow $1 self:capability mknod;
> allow $1 $2:dir add_entry_dir_perms;
> - allow $1 $3:chr_file create_chr_file_perms;
> + allow $1 $3:chr_file { create_chr_file_perms setattr };

Why is setattr added to a create pattern?

> ')
>
> define(`delete_chr_files_pattern',`
> Index: refpolicy-2.20170419/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170419/policy/modules/services/xserver.if
> @@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Allow domain to send sigchld to xdm_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdm_sigchld',`
> + gen_require(`
> + type xdm_t;
> + ')
> +
> + allow $1 xdm_t:process sigchld;
> +')

2017-04-19 13:22:48

by guido

Subject: [refpolicy] [PATCH] second strict patch

On Wed, 19/04/2017 at 21.00 +1000, Russell Coker via refpolicy
wrote:
> This is the rest of my policy that was developed on "strict"
> systems. It also
> has no inter-dependencies with other patches. I included the
> interface
> xdm_sigchld() in this patch as well so it can be applied on it's own,
> this
> means that it conflicts with the login patch.
>
> Chris, maybe even if you don't apply this patch or the login patch in
> the
> near future you could add the xdm_sigchld() interface so that both
> patches
> can be complete and working and not conflict.
>
> Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if
> +++ refpolicy-2.20170419/policy/modules/contrib/gnome.if
> @@ -76,6 +76,8 @@ template(`gnome_role_template',`
> ?
> ? allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms
> relabel_dir_perms };
> ? allow $3 { gconf_home_t gconf_tmp_t }:file {
> manage_file_perms relabel_file_perms };
> + allow $3 gconfd_t:dbus send_msg;
> + allow gconfd_t $3:dbus send_msg;
> ? userdom_user_home_dir_filetrans($3, gconf_home_t, dir,
> ".gconf")
> ? userdom_user_home_dir_filetrans($3, gconf_home_t, dir,
> ".gconfd")
> ?
> Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
> @@ -324,6 +324,7 @@ ifdef(`distro_debian',`
> ?/usr/lib/ConsoleKit/.* -- gen_context(system_u
> :object_r:bin_t,s0)
> ?/usr/lib/gdm3/.* -- gen_context(system_u:objec
> t_r:bin_t,s0)
> ?/usr/lib/udisks/.* -- gen_context(system_u:obj
> ect_r:bin_t,s0)
> +/usr/share/bug/.* -- gen_context(system_u:obje
> ct_r:bin_t,s0)
> ?')
> ?
> ?ifdef(`distro_gentoo', `
> Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170419/policy/modules/kernel/devices.if
> @@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`
> ?
> ? typeattribute $1 devices_unconfined_type;
> ?')
> +
> +########################################
> +## <summary>
> +##??????Create subdir of /dev
> +## </summary>
> +## <param name="domain">
> +##??????<summary>
> +##??????Domain allowed access.
> +##??????</summary>
> +## </param>
> +#
> +interface(`dev_create_subdir',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:dir { add_entry_dir_perms create };
> + allow $1 device_t:dir search_dir_perms;
> +')
> Index: refpolicy-2.20170419/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170419/policy/modules/kernel/files.if
> @@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file
> ?
> ?########################################
> ?## <summary>
> +## Relabel files and dirs to etc_runtime_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_relabelto_etc_runtime',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:file relabelto;
> + allow $1 etc_runtime_t:dir relabelto;
> +')
> +
> +########################################
> +## <summary>
> ?## Create, etc runtime objects with an automatic
> ?## type transition.
> ?## </summary>
> @@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
> ?')
> ?
> ?########################################
> +## <summary>
> +## Create a /var/run directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_pid_dir',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + allow $1 var_run_t:dir create_dir_perms;
> +')
> +
> +########################################
> ?## <summary>
> ?## Search the contents of runtime process
> ?## ID directories (/var/run).
> Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
> @@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',`
> ?
> ?########################################
> ?## <summary>
> +##?????Relabel pstore directories.
> +## </summary>
> +## <param name="domain">
> +##?????<summary>
> +##?????Domain allowed access.
> +##?????</summary>
> +## </param>
> +#
> +interface(`fs_relabel_pstore_dirs',`
> + gen_require(`
> + type pstore_t;
> + ')
> +
> + relabel_dirs_pattern($1, pstore_t, pstore_t)
> +')
> +
> +########################################
> +## <summary>
> +##??????Get the attributes of a pstore filesystem.
> +## </summary>
> +## <param name="domain">
> +##??????<summary>
> +##??????Domain allowed access.
> +##??????</summary>
> +## </param>
> +#
> +interface(`ZZZfs_getattr_pstorefs',`

The interface above has an odd name and, moreover, is not used anywhere, so it should probably be removed.

> + gen_require(`
> + type pstore_t;
> + ')
> +
> +allow $1 pstore_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ?## Relabel cgroup directories.
> ?## </summary>
> ?## <param name="domain">
> @@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',`
> ?
> ?########################################
> ?## <summary>
> +##?????Create cgroup lnk_files.
> +## </summary>
> +## <param name="domain">
> +##?????<summary>
> +##?????Domain allowed access.
> +##?????</summary>
> +## </param>
> +#
> +interface(`fs_create_cgroup_links',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + create_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ?## Write cgroup files.
> ?## </summary>
> ?## <param name="domain">
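Review bot: The summary of fs_create_cgroup_links, `## Create cgroup lnk_files.`, describes only the first of the three grants; the body also gives read/write on existing cgroup_t symlinks via rw_lnk_files_pattern and search on sysfs via dev_search_sysfs, and a caller reading the doc would not expect the write access. Suggest `## Create, read and write cgroup symbolic links.` and a `# cgroupfs is mounted under /sys/fs/cgroup` comment above the dev_search_sysfs call; "symbolic links" also matches the wording of the other interfaces in this patch (fs_relabelfrom_tmpfs_symlinks).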
> @@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', `
> ?interface(`fs_rw_cgroup_files',`
> ? gen_require(`
> ? type cgroup_t;
> -
> ? ')
> ?
> ? rw_files_pattern($1, cgroup_t, cgroup_t)
> @@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',`
> ?')
> ?
> ?########################################
> +## <summary>
> +## Relabelfrom tmpfs link files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_relabelfrom_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
> +')
> +
> +########################################
> ?## <summary>
> ?## Read and write character nodes on tmpfs filesystems.
> ?## </summary>
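Review bot: fs_relabelfrom_tmpfs_symlinks spells the permission set out by hand, `allow $1 tmpfs_t:lnk_file { getattr relabelfrom };`, where the rest of filesystem.if uses the named object permission sets; `allow $1 tmpfs_t:lnk_file relabelfrom_lnk_file_perms;` says the same thing and keeps the set in one place if it is ever extended. The summary `## Relabelfrom tmpfs link files.` would read better as `## Relabel symbolic links away from the tmpfs type.`, which also makes clear that no relabelto is granted.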
> Index: refpolicy-2.20170419/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20170419/policy/modules/services/ssh.if
> @@ -353,6 +353,8 @@ template(`ssh_role_template',`
> ? allow $1_ssh_agent_t self:process { setrlimit signal };
> ? allow $1_ssh_agent_t self:capability setgid;
> ?
> + allow $1_ssh_agent_t self:fifo_file rw_file_perms;
> +
> ? allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
> ?
> ? allow $1_ssh_agent_t self:unix_stream_socket {
> create_stream_socket_perms connectto };
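Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies the file-class permission set to the fifo_file class; refpolicy keeps a per-class set for this, `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;`, which is what the surrounding template uses for its other self rules. A one-line comment on why the agent opens its own fifo (a pipe to a child, presumably) would help the next reader, since nothing in the hunk shows the use. The enclosing ssh_role_template starts and ends outside this hunk.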
> @@ -436,6 +438,7 @@ template(`ssh_role_template',`
> ? optional_policy(`
> ? xserver_use_xdm_fds($1_ssh_agent_t)
> ? xserver_rw_xdm_pipes($1_ssh_agent_t)
> + xdm_sigchld($1_ssh_agent_t)
> ? ')
> ?')
> ?
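Review bot: `xdm_sigchld($1_ssh_agent_t)` is placed inside an optional_policy block whose other calls are xserver_* interfaces, but its name carries no module prefix, so it is not obvious from this hunk which module's .if defines it; if it lives in xserver.if alongside xserver_use_xdm_fds, the refpolicy naming convention would make it `xserver_xdm_sigchld($1_ssh_agent_t)`, and if it lives elsewhere it belongs in its own optional_policy block so the policy still builds when that module is absent. The template this block is part of starts and ends outside the hunk.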
> Index: refpolicy-2.20170419/policy/modules/system/fstools.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
> +++ refpolicy-2.20170419/policy/modules/system/fstools.if
> @@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`
> ?
> ? allow $1 swapfile_t:file getattr;
> ?')
> +
> +########################################
> +## <summary>
> +## Write to fsadm_log_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fstools_write_log',`
> + gen_require(`
> + type fsadm_log_t;
> + ')
> +
> + allow $1 fsadm_log_t:file write_file_perms;
> +')
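Review bot: fstools_write_log grants `write_file_perms` on fsadm_log_t files but no search on the log directory, so a caller that does not already reach /var/log by other means would be denied before it gets to the file; the other *_write_log style interfaces pair the file rule with `logging_search_logs($1)`. The summary `## Write to fsadm_log_t` names the type rather than describing the access; `## Write fstools (fsadm) log files.` matches the style of fstools_getattr_swap_files above it.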
> Index: refpolicy-2.20170419/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170419/policy/modules/system/init.if
> @@ -2966,6 +2966,7 @@ interface(`init_admin',`
> ? init_reload($1)
> ? init_reload_all_units($1)
> ? init_shutdown_system($1)
> + init_start_system($1)
> ? init_start_all_units($1)
> ? init_start_generic_units($1)
> ? init_stop_all_units($1)
> Index: refpolicy-2.20170419/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170419/policy/modules/system/init.te
> @@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t)

As already explained, we tested an essential init daemon
(sysvinit) in unconfined mode quite recently and ended up with a
very concise diff:

http://oss.tresys.com/pipermail/refpolicy/2017-January/008969.html

The daemon hasn't changed since, so I am pretty sure most, if not all,
of the init_t permissions that you are adding here refer strictly to systemd:
please enclose them in an init_systemd ifdef block.

Thanks.

> ?allow init_t initrc_t:unix_stream_socket connectto;
> ?
> ?# For /var/run/shutdown.pid.
> +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
> ?allow init_t init_var_run_t:file manage_file_perms;
> ?files_pid_filetrans(init_t, init_var_run_t, file)
> ?
> +# for /run/systemd/inaccessible/{chr,blk}
> +allow init_t init_var_run_t:blk_file { create getattr };
> +allow init_t init_var_run_t:chr_file { create getattr };
> +
> +# for /run/initctl
> +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
> +
> +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
> +
> ?# for systemd to manage service file symlinks
> ?allow init_t init_var_run_t:file manage_lnk_file_perms;
> ?
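Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in this hunk, once under the `# For /var/run/shutdown.pid.` comment and again on its own just before the `# for systemd to manage service file symlinks` comment; one of the two should go, and the one that stays belongs under that symlink comment. The existing context line below it, `allow init_t init_var_run_t:file manage_lnk_file_perms;`, applies lnk_file permissions to the file class, which looks like the rule the new line was meant to be, so the patch could replace it rather than add beside it (the authors of that line would need to confirm).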
> @@ -157,6 +167,7 @@ corecmd_exec_bin(init_t)
> ?dev_read_sysfs(init_t)
> ?# Early devtmpfs
> ?dev_rw_generic_chr_files(init_t)
> +dev_relabel_generic_symlinks(init_t)
> ?
> ?domain_getpgid_all_domains(init_t)
> ?domain_kill_all_domains(init_t)
> @@ -170,6 +181,9 @@ files_read_etc_files(init_t)
> ?files_rw_generic_pids(init_t)
> ?files_manage_etc_runtime_files(init_t)
> ?files_etc_filetrans_etc_runtime(init_t, file)
> +files_relabelto_etc_runtime(init_t)
> +files_list_usr(init_t)
> +
> ?# Run /etc/X11/prefdm:
> ?files_exec_etc_files(init_t)
> ?# file descriptors inherited from the rootfs:
> @@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t
> ?
> ?fs_getattr_xattr_fs(init_t)
> ?fs_list_inotifyfs(init_t)
> +fs_relabel_pstore_dirs(init_t)
> ?# cjp: this may be related to /dev/log
> ?fs_write_ramfs_sockets(init_t)
> ?
> @@ -225,6 +240,8 @@ ifdef(`init_systemd',`
> ? allow init_t self:netlink_selinux_socket
> create_socket_perms;
> ? allow init_t self:unix_dgram_socket lock;
> ?
> + allow init_t init_var_run_t:sock_file
> manage_sock_file_perms;
> +
> ? allow init_t daemon:unix_stream_socket
> create_stream_socket_perms;
> ? allow init_t daemon:unix_dgram_socket create_socket_perms;
> ? allow init_t daemon:tcp_socket create_stream_socket_perms;
> @@ -257,6 +274,7 @@ ifdef(`init_systemd',`
> ? kernel_getattr_proc(init_t)
> ? kernel_read_fs_sysctls(init_t)
> ?
> + auth_manage_var_auth(init_t)
> ? dev_rw_autofs(init_t)
> ? dev_create_generic_dirs(init_t)
> ? dev_manage_input_dev(init_t)
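Review bot: `auth_manage_var_auth(init_t)` is a full manage grant on the var_auth_t data under /var/lib and is the only addition in this file without the `# for ...` comment the patch gives its other new init_t rules (the inaccessible nodes, initctl, udev status). A comment naming the systemd component that needs to create or delete files there, `# for systemd's <component> handling of var_auth_t — TODO confirm`, would let a reader judge whether a read or rw interface would do instead.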
> @@ -318,10 +336,14 @@ ifdef(`init_systemd',`
> ? seutil_read_file_contexts(init_t)
> ?
> ? systemd_manage_passwd_runtime_symlinks(init_t)
> + systemd_use_passwd_agent(init_t)
> ?
> ? # udevd is a "systemd kobject uevent socket activated
> daemon"
> ? udev_create_kobject_uevent_sockets(init_t)
> ?
> + # for systemd to read udev status
> + udev_read_pid_files(init_t)
> +
> ? optional_policy(`
> ? clock_read_adjtime(init_t)
> ? ')
> @@ -350,11 +372,19 @@ ifdef(`init_systemd',`
> ? ')
> ?')
> ?
> +fs_relabelfrom_tmpfs_symlinks(init_t)
> +
> ?ifdef(`distro_debian',`
> ? fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> ?
> ? allow init_t initrc_var_run_t:file manage_file_perms;
> ? fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> + fs_manage_tmpfs_files(initrc_t)
> + sysnet_manage_config(initrc_t)
> +
> + optional_policy(`
> + postfix_read_config(initrc_t)
> + ')
> ?')
> ?
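Review bot: The three initrc_t rules added inside this `ifdef(`distro_debian',` block sit in the init_t local policy section, where every surrounding rule is for init_t, while initrc_t rules are kept in the init script section later in the file; moving them there preserves the per-domain layout the file follows. `sysnet_manage_config(initrc_t)` and `fs_manage_tmpfs_files(initrc_t)` are also broad grants with no note of which Debian init script needs write access to network configuration or to every tmpfs file, unlike the other additions in this patch, which carry a `# for ...` comment; `# for /etc/init.d/<script> — TODO confirm` would make them reviewable. The `fs_relabelfrom_tmpfs_symlinks(init_t)` line at the top of the hunk follows an `ifdef(`init_systemd',` block that starts outside the hunk.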
> ?ifdef(`distro_gentoo',`
> @@ -370,6 +400,12 @@ ifdef(`distro_redhat',`
> ?')
> ?
> ?optional_policy(`
> + modutils_read_module_config(init_t)
> + modutils_read_module_deps(init_t)
> + modutils_read_module_objects(init_t)
> +')
> +
> +optional_policy(`
> ? auth_rw_login_records(init_t)
> ?')
> ?
> @@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_
> ?# Going to single user mode
> ?init_telinit(initrc_t)
> ?
> +# for logsave in strict configuration
> +fstools_write_log(initrc_t)
> +
> ?can_exec(initrc_t, init_script_file_type)
> ?
> ?create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
> @@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init
> ?
> ?allow initrc_t initrc_var_run_t:file manage_file_perms;
> ?files_pid_filetrans(initrc_t, initrc_var_run_t, file)
> +files_create_pid_dir(initrc_t)
> +files_setattr_pid_dirs(initrc_t)
> ?
> ?allow initrc_t daemon:process siginh;
> ?
> @@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t)
> ?corenet_tcp_connect_all_ports(initrc_t)
> ?corenet_sendrecv_all_client_packets(initrc_t)
> ?
> +dev_create_subdir(initrc_t)
> ?dev_read_rand(initrc_t)
> ?dev_read_urand(initrc_t)
> ?dev_dontaudit_read_kmsg(initrc_t)
> @@ -825,26 +867,33 @@ ifdef(`enabled_mls',`
> ? ')
> ?')
> ?
> +# for systemd
> +kernel_load_module(init_t)
> +
> ?ifdef(`init_systemd',`
> ? allow init_t self:system { status reboot halt reload };
> ?
> ? allow init_t self:unix_dgram_socket { create_socket_perms
> sendto };
> ? allow init_t self:process { setsockcreate setfscreate
> setrlimit };
> - allow init_t self:process { getcap setcap };
> + allow init_t self:process { getcap setcap getsched setsched
> };
> ? allow init_t self:unix_stream_socket {
> create_stream_socket_perms connectto };
> ? allow init_t self:netlink_kobject_uevent_socket
> create_socket_perms;
> ? allow init_t self:netlink_audit_socket { nlmsg_relay
> create_socket_perms };
> + allow init_t self:netlink_selinux_socket
> create_socket_perms;
> ? # Until systemd is fixed
> ? allow daemon init_t:socket_class_set { getopt read getattr
> ioctl setopt write };
> ? allow init_t self:udp_socket create_socket_perms;
> ? allow init_t self:netlink_route_socket
> create_netlink_socket_perms;
> ? allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> - allow initrc_t init_t:system { status reboot halt reload };
> + allow initrc_t init_t:system { start status reboot halt
> reload };
> ? allow init_t self:capability2 audit_read;
> ? manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> ? files_lock_filetrans(initrc_t, initrc_lock_t, file)
> ?
> ? manage_dirs_pattern(initrc_t, init_var_run_t,
> init_var_run_t)
> + allow initrc_t init_var_run_t:file create_file_perms;
> + allow initrc_t init_var_run_t:lnk_file
> create_lnk_file_perms;
> + allow initrc_t init_var_run_t:service { start status };
> ?
> ? manage_dirs_pattern(initrc_t, initrc_var_run_t,
> initrc_var_run_t)
> ? manage_chr_files_pattern(initrc_t, initrc_var_run_t,
> initrc_var_run_t)
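Review bot: `allow initrc_t init_var_run_t:service { start status };` and the two create rules above it are the only additions in this hunk without a `# for ...` comment, and `start` on the service class lets any init script start whatever unit carries the init_var_run_t label; a comment naming the case, `# for init scripts starting runtime (/run/systemd) units via systemctl — TODO confirm`, would record why start rather than status alone is needed. The same applies to `allow init_t self:netlink_selinux_socket create_socket_perms;`, which the `@@ -225,6 +240,8 @@` hunk earlier in this file already shows as an existing rule in the other init_systemd block, so it may be a duplicate.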
> @@ -868,6 +917,7 @@ ifdef(`init_systemd',`
> ? kernel_read_software_raid_state(init_t)
> ? kernel_unmount_debugfs(init_t)
> ? kernel_setsched(init_t)
> + kernel_rw_unix_sysctls(init_t)
> ?
> ? auth_relabel_login_records(init_t)
> ? auth_relabel_pam_console_data_dirs(init_t)
> @@ -926,6 +976,7 @@ ifdef(`init_systemd',`
> ? fs_list_auto_mountpoints(init_t)
> ? fs_manage_cgroup_dirs(init_t)
> ? fs_manage_cgroup_files(init_t)
> + fs_create_cgroup_links(init_t)
> ? fs_manage_hugetlbfs_dirs(init_t)
> ? fs_manage_tmpfs_dirs(init_t)
> ? fs_mount_all_fs(init_t)
> Index: refpolicy-2.20170419/policy/modules/system/modutils.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
> +++ refpolicy-2.20170419/policy/modules/system/modutils.if
> @@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
> ?
> ?########################################
> ?## <summary>
> +## Read the kernel modules.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`modutils_read_module_objects',`
> + gen_require(`
> + type modules_object_t;
> + ')
> +
> + files_list_kernel_modules($1)
> + allow $1 modules_object_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ?## Read the configuration options used when
> ?## loading modules.
> ?## </summary>
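Review bot: The summary of modutils_read_module_objects, `## Read the kernel modules.`, is easy to confuse with the neighbouring modutils_read_module_deps and the config interface below; `## Read kernel module object files.` names what modules_object_t labels. A `# module files live under the kernel modules directory` comment on the files_list_kernel_modules($1) line would explain why a list on that directory accompanies the read.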
> Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170419/policy/modules/system/userdomain.if
> @@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
> ? dontaudit $1_t user_tty_device_t:chr_file ioctl;
> ?
> ? kernel_read_kernel_sysctls($1_t)
> + kernel_read_vm_sysctls($1_t)

What is this for ?

> ? kernel_dontaudit_list_unlabeled($1_t)
> ? kernel_dontaudit_getattr_unlabeled_files($1_t)
> ? kernel_dontaudit_getattr_unlabeled_symlinks($1_t)

[...]

Regards,

Guido

2017-04-19 13:34:17

by Russell Coker

Subject: [refpolicy] [PATCH] second strict patch

On Wed, 19 Apr 2017 09:51:14 PM Guido Trentalancia via refpolicy wrote:
> I believe it is very important to move *all* permission required by systemd
> within the appropriate ifdef block (init_systemd).
>
> Not everybody is using systemd and many people believe it is, amongst other
> things, a waste of resources and SELinux permissions.

Are you running without unconfined.pp? If not then the below is a list of the
waste of SE Linux permissions which vastly exceeds what might be added for
systemd.

policy/modules/admin/usermanage.te: unconfined_domain(useradd_t)
policy/modules/admin/bootloader.te: unconfined_domain(bootloader_t)
policy/modules/contrib/ada.te: unconfined_domain(ada_t)
policy/modules/contrib/livecd.te: unconfined_domain_noaudit(livecd_t)
policy/modules/contrib/mono.te: unconfined_domain(mono_t)
policy/modules/contrib/wine.te: unconfined_domain(wine_t)
policy/modules/contrib/puppet.te: unconfined_domain(puppet_t)
policy/modules/contrib/sendmail.te: unconfined_domain(unconfined_sendmail_t)
policy/modules/contrib/samba.te:
unconfined_domain(samba_unconfined_script_t)
policy/modules/contrib/inetd.te: unconfined_domain(inetd_t)
policy/modules/contrib/inetd.te: unconfined_domain(inetd_child_t)
policy/modules/contrib/anaconda.te: unconfined_domain_noaudit(anaconda_t)
policy/modules/contrib/firstboot.te: unconfined_domain(firstboot_t)
policy/modules/contrib/nagios.te:
unconfined_domain(nagios_unconfined_plugin_t)
policy/modules/contrib/prelink.te: unconfined_domain(prelink_t)
policy/modules/contrib/qemu.te: unconfined_domain(unconfined_qemu_t)
policy/modules/contrib/apache.te:
unconfined_domain(httpd_unconfined_script_t)
policy/modules/contrib/apt.te: unconfined_domain(apt_t)
policy/modules/contrib/cron.te: unconfined_domain(unconfined_cronjob_t)
policy/modules/contrib/java.te: unconfined_domain_noaudit(unconfined_java_t)
policy/modules/contrib/dpkg.te: unconfined_domain(dpkg_t)
policy/modules/contrib/dpkg.te: unconfined_domain(dpkg_script_t)
policy/modules/contrib/munin.te:
unconfined_domain(unconfined_munin_plugin_t)
policy/modules/kernel/kernel.te: unconfined_domain_noaudit(kernel_t)
policy/modules/services/xserver.te: unconfined_domain(xdm_t)
policy/modules/services/xserver.te: unconfined_domain_noaudit(xserver_t)
policy/modules/system/authlogin.te: unconfined_domain(chkpwd_t)
policy/modules/system/authlogin.te: unconfined_domain(pam_t)
policy/modules/system/authlogin.te:
unconfined_domain(pam_console_t)
policy/modules/system/authlogin.te: unconfined_domain(updpwd_t)
policy/modules/system/authlogin.te: unconfined_domain(utempter_t)
policy/modules/system/getty.te: unconfined_domain(getty_t)
policy/modules/system/libraries.te: unconfined_domain(ldconfig_t)
policy/modules/system/libraries.te: unconfined_domain(ldconfig_t)
policy/modules/system/locallogin.te:
unconfined_domain(local_login_t)
policy/modules/system/sysnetwork.te: unconfined_domain(dhcpc_t)
policy/modules/system/sysnetwork.te: unconfined_domain(ifconfig_t)
policy/modules/system/unconfined.if:interface(`unconfined_domain_noaudit',`
policy/modules/system/unconfined.if:interface(`unconfined_domain',`
policy/modules/system/unconfined.if: unconfined_domain_noaudit($1)
policy/modules/system/init.te: unconfined_domain(init_t)
policy/modules/system/init.te: unconfined_domain(initrc_t)
policy/modules/system/logging.te: unconfined_domain(auditd_t)
policy/modules/system/logging.te: unconfined_domain(klogd_t)
policy/modules/system/logging.te: unconfined_domain(syslogd_t)
policy/modules/system/fstools.te: unconfined_domain(fsadm_t)
policy/modules/system/lvm.te: unconfined_domain(clvmd_t)
policy/modules/system/lvm.te: unconfined_domain(lvm_t)
policy/modules/system/mount.te: unconfined_domain(mount_t)
policy/modules/system/mount.te: unconfined_domain(unconfined_mount_t)
policy/modules/system/selinuxutil.te:
unconfined_domain(checkpolicy_t)
policy/modules/system/selinuxutil.te:
unconfined_domain(load_policy_t)
policy/modules/system/selinuxutil.te: unconfined_domain(newrole_t)
policy/modules/system/selinuxutil.te:
unconfined_domain(restorecond_t)
policy/modules/system/selinuxutil.te: unconfined_domain(run_init_t)
policy/modules/system/selinuxutil.te: unconfined_domain(semanage_t)
policy/modules/system/selinuxutil.te: unconfined_domain(setfiles_t)
policy/modules/system/udev.te: unconfined_domain(udev_t)
policy/modules/system/unconfined.te:unconfined_domain(unconfined_t)
policy/modules/system/unconfined.te:unconfined_domain_noaudit(unconfined_execmem_t)

> Thanks,
>
> Guido
>
> On the 19th of April 2017 13:00:59 CEST, Russell Coker via refpolicy
<[email protected]> wrote:
> >This is the rest of my policy that was developed on "strict" systems.
> >It also
> >has no inter-dependencies with other patches. I included the interface
> >xdm_sigchld() in this patch as well so it can be applied on it's own,
> >this
> >means that it conflicts with the login patch.
> >
> >Chris, maybe even if you don't apply this patch or the login patch in
> >the
> >near future you could add the xdm_sigchld() interface so that both
> >patches
> >can be complete and working and not conflict.
> >
> >Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
>
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-19 13:36:03

by Russell Coker

Subject: [refpolicy] [PATCH] second strict patch

On Wed, 19 Apr 2017 10:13:09 PM Guido Trentalancia via refpolicy wrote:
> > allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms
> > relabel_dir_perms };
> > allow $3 { gconf_home_t gconf_tmp_t }:file {
> > manage_file_perms relabel_file_perms };
> > + allow $3 gconfd_t:dbus send_msg;
> > + allow gconfd_t $3:dbus send_msg;
> > userdom_user_home_dir_filetrans($3, gconf_home_t, dir,
> > ".gconf")
> > userdom_user_home_dir_filetrans($3, gconf_home_t, dir,
> > ".gconfd")
> >
>
> The above permission for gconfd to chat over dbus is the same that I
> have recently added in the following patch:
>
> http://oss.tresys.com/pipermail/refpolicy/2017-April/009286.html
>
> It is not advisable to add the same permission twice. Did you not see
> the patch that I posted ?

I don't have time to read all the patches that are applied.

I generate my patches against the git repository which doesn't appear to have
a patch for this.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-19 13:44:58

by guido

Subject: [refpolicy] [PATCH] second strict patch

Hello.

I do not agree with you...

I have removed the unconfined permissions from several modules and,
most importantly, I am not using most of the modules that you quoted
(you have probably not considered the latter).

Therefore, I am using a simple and essential system and the systemd
permissions are heavy.

I use sysvinit because it is essential and gets away with the minimum
permissions: it does its job well, it complies with standards and
interchangeability and, even more importantly, it sticks to that, without
interfering with other tasks that are not required of an init daemon.

I do not understand the reason why everyone should be forced to adopt
such permissions when there is an appropriate ifdef statement called
"init_systemd" !

I really hope the patch will be changed to make use of the appropriate
ifdef statements.

Regards,

Guido

On Wed, 19/04/2017 at 23.34 +1000, Russell Coker wrote:
> On Wed, 19 Apr 2017 09:51:14 PM Guido Trentalancia via refpolicy
> wrote:
> > I believe it is very important to move *all* permission required by
> systemd
> > within the appropriate ifdef block (init_systemd).
> >?
> > Not everybody is using systemd and many people believe it is,
> amongst other
> > things, a waste of resources and SELinux permissions.
>
> Are you running without unconfined.pp?? If not then the below is a
> list of the?
> waste of SE Linux permissions which vastly exceeds what might be
> added for?
> systemd.
>
> policy/modules/admin/usermanage.te:????????????
> unconfined_domain(useradd_t)
> policy/modules/admin/bootloader.te:????????????
> unconfined_domain(bootloader_t)
> policy/modules/contrib/ada.te:? unconfined_domain(ada_t)
> policy/modules/contrib/livecd.te:??????
> unconfined_domain_noaudit(livecd_t)
> policy/modules/contrib/mono.te: unconfined_domain(mono_t)
> policy/modules/contrib/wine.te: unconfined_domain(wine_t)
> policy/modules/contrib/puppet.te:?????? unconfined_domain(puppet_t)
> policy/modules/contrib/sendmail.te:????
> unconfined_domain(unconfined_sendmail_t)
> policy/modules/contrib/samba.te:????????
> unconfined_domain(samba_unconfined_script_t)
> policy/modules/contrib/inetd.te:???????????????
> unconfined_domain(inetd_t)
> policy/modules/contrib/inetd.te:???????
> unconfined_domain(inetd_child_t)
> policy/modules/contrib/anaconda.te:????
> unconfined_domain_noaudit(anaconda_t)
> policy/modules/contrib/firstboot.te:???
> unconfined_domain(firstboot_t)
> policy/modules/contrib/nagios.te:???????
> unconfined_domain(nagios_unconfined_plugin_t)
> policy/modules/contrib/prelink.te:????? unconfined_domain(prelink_t)
> policy/modules/contrib/qemu.te: unconfined_domain(unconfined_qemu_t)
> policy/modules/contrib/apache.te:???????
> unconfined_domain(httpd_unconfined_script_t)
> policy/modules/contrib/apt.te:? unconfined_domain(apt_t)
> policy/modules/contrib/cron.te:
> unconfined_domain(unconfined_cronjob_t)
> policy/modules/contrib/java.te:
> unconfined_domain_noaudit(unconfined_java_t)
> policy/modules/contrib/dpkg.te: unconfined_domain(dpkg_t)
> policy/modules/contrib/dpkg.te: unconfined_domain(dpkg_script_t)
> policy/modules/contrib/munin.te:????????
> unconfined_domain(unconfined_munin_plugin_t)
> policy/modules/kernel/kernel.te:???????
> unconfined_domain_noaudit(kernel_t)
> policy/modules/services/xserver.te:???? unconfined_domain(xdm_t)
> policy/modules/services/xserver.te:????
> unconfined_domain_noaudit(xserver_t)
> policy/modules/system/authlogin.te:????????????
> unconfined_domain(chkpwd_t)
> policy/modules/system/authlogin.te:????????????
> unconfined_domain(pam_t)
> policy/modules/system/authlogin.te:?????????????
> unconfined_domain(pam_console_t)
> policy/modules/system/authlogin.te:????????????
> unconfined_domain(updpwd_t)
> policy/modules/system/authlogin.te:????????????
> unconfined_domain(utempter_t)
> policy/modules/system/getty.te:???????? unconfined_domain(getty_t)
> policy/modules/system/libraries.te:????????????
> unconfined_domain(ldconfig_t)
> policy/modules/system/libraries.te:???? unconfined_domain(ldconfig_t)
> policy/modules/system/locallogin.te:????????????
> unconfined_domain(local_login_t)
> policy/modules/system/sysnetwork.te:???????????
> unconfined_domain(dhcpc_t)
> policy/modules/system/sysnetwork.te:???????????
> unconfined_domain(ifconfig_t)
> policy/modules/system/unconfined.if:interface(`unconfined_domain_noau
> dit',`
> policy/modules/system/unconfined.if:interface(`unconfined_domain',`
> policy/modules/system/unconfined.if:??? unconfined_domain_noaudit($1)
> policy/modules/system/init.te:? unconfined_domain(init_t)
> policy/modules/system/init.te:? unconfined_domain(initrc_t)
> policy/modules/system/logging.te:??????????????
> unconfined_domain(auditd_t)
> policy/modules/system/logging.te:??????????????
> unconfined_domain(klogd_t)
> policy/modules/system/logging.te:??????????????
> unconfined_domain(syslogd_t)
> policy/modules/system/fstools.te:??????????????
> unconfined_domain(fsadm_t)
> policy/modules/system/lvm.te:?????????? unconfined_domain(clvmd_t)
> policy/modules/system/lvm.te:?????????? unconfined_domain(lvm_t)
> policy/modules/system/mount.te:???????? unconfined_domain(mount_t)
> policy/modules/system/mount.te: unconfined_domain(unconfined_mount_t)
> policy/modules/system/selinuxutil.te:???????????
> unconfined_domain(checkpolicy_t)
> policy/modules/system/selinuxutil.te:???????????
> unconfined_domain(load_policy_t)
> policy/modules/system/selinuxutil.te:??????????
> unconfined_domain(newrole_t)
> policy/modules/system/selinuxutil.te:???????????
> unconfined_domain(restorecond_t)
> policy/modules/system/selinuxutil.te:??????????
> unconfined_domain(run_init_t)
> policy/modules/system/selinuxutil.te:??????????
> unconfined_domain(semanage_t)
> policy/modules/system/selinuxutil.te:??????????
> unconfined_domain(setfiles_t)
> policy/modules/system/udev.te:????????? unconfined_domain(udev_t)
> policy/modules/system/unconfined.te:unconfined_domain(unconfined_t)
> policy/modules/system/unconfined.te:unconfined_domain_noaudit(unconfi
> ned_execmem_t)
>
> > Thanks,
> >?
> > Guido
> >?
> > On the 19th of April 2017 13:00:59 CEST, Russell Coker via
> refpolicy?
> <[email protected]> wrote:
> > >This is the rest of my policy that was developed on "strict"
> systems.
> > >It also
> > >has no inter-dependencies with other patches.? I included the
> interface
> > >xdm_sigchld() in this patch as well so it can be applied on it's
> own,
> > >this
> > >means that it conflicts with the login patch.
> > >
> > >Chris, maybe even if you don't apply this patch or the login patch
> in
> > >the
> > >near future you could add the xdm_sigchld() interface so that both
> > >patches
> > >can be complete and working and not conflict.
> > >
> > >Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
> >?
> --?
> My Main Blog???????? http://etbe.coker.com.au/
> My Documents Blog??? http://doc.coker.com.au/

2017-04-19 13:47:15

by guido

Subject: [refpolicy] [PATCH] second strict patch

On Wed, 19/04/2017 at 23.36 +1000, Russell Coker wrote:
> On Wed, 19 Apr 2017 10:13:09 PM Guido Trentalancia via refpolicy
> wrote:
> > >?????? allow $3 { gconf_home_t gconf_tmp_t }:dir {
> manage_dir_perms
> > > relabel_dir_perms };
> > >?????? allow $3 { gconf_home_t gconf_tmp_t }:file {
> > > manage_file_perms relabel_file_perms };
> > > +???? allow $3 gconfd_t:dbus send_msg;
> > > +???? allow gconfd_t $3:dbus send_msg;
> > >?????? userdom_user_home_dir_filetrans($3, gconf_home_t, dir,
> > > ".gconf")
> > >?????? userdom_user_home_dir_filetrans($3, gconf_home_t, dir,
> > > ".gconfd")
> > >??
> >?
> > The above permission for gconfd to chat over dbus is the same that
> I
> > have recently added in the following patch:
> >?
> > http://oss.tresys.com/pipermail/refpolicy/2017-April/009286.html
> >?
> > It is not advisable to add the same permission twice. Did you not
> see
> > the patch that I posted ?
>
> I don't have time to read all the patches that are applied.
>
> I generate my patches against the git repository which doesn't appear
> to have?
> a patch for this.

Yes, that's fine, I also lack the time to read everything.

But now you understand that I did submit such a patch before you
submitted yours...

Regards,

Guido

2017-04-19 13:49:10

by Russell Coker

Subject: [refpolicy] [PATCH] second strict patch

On Wed, 19 Apr 2017 10:23:15 PM Christian Göttsche wrote:
> > Index: refpolicy-2.20170419/policy/support/file_patterns.spt
> >
===================================================================
> > --- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
> > +++ refpolicy-2.20170419/policy/support/file_patterns.spt
> > @@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
> >
> > define(`create_chr_files_pattern',`
> > allow $1 self:capability mknod;
> > allow $1 $2:dir add_entry_dir_perms;
> >
> > - allow $1 $3:chr_file create_chr_file_perms;
> > + allow $1 $3:chr_file { create_chr_file_perms setattr };
>
> why setattr in create pattern?

I don't think it makes sense to allow creating an object without setattr; the
creator can always control the Unix permissions via the mode parameter to
mknod anyway.

I think that the aims in designing policy should not be about having the fiddly
details exposed all the time but in making it easy to achieve reasonable
security aims when writing policy. Having multiple patterns for such things
isn't going to help things, it will just make people not use patterns because
it takes too many needless lines of policy that give a result that's not
clear.

I'm all for creating more restrictive macros and patterns when it actually
does some good. For example the rw_inherited_*_perms macros provide real
benefits. But I don't think that creating a device node without setattr is
helping.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-19 15:08:58

by Russell Coker

Subject: [refpolicy] [PATCH] second strict patch

On Wed, 19 Apr 2017 11:22:48 PM Guido Trentalancia via refpolicy wrote:
> > +########################################
> > +## <summary>
> > +## Get the attributes of a pstore filesystem.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`ZZZfs_getattr_pstorefs',`
>
> The interface above has an odd name and however it is not being used
> anywhere, so you might probably need to remove it.

Yes. When I see that a patch has something that shouldn't be there I edit it
and put in ZZZ. Then I apply the patch and use "quilt edit" to edit the
source file in question to delete the unwanted part. In this case I forgot to
delete an interface.

> > --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
> > +++ refpolicy-2.20170419/policy/modules/system/userdomain.if
> > @@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
> > dontaudit $1_t user_tty_device_t:chr_file ioctl;
> >
> > kernel_read_kernel_sysctls($1_t)
> > + kernel_read_vm_sysctls($1_t)
>
> What is this for ?

Not sure. I'll remove it for more checks. Maybe it should have been for
overcommit.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-19 15:12:46

by guido

Subject: [refpolicy] [PATCH] second strict patch

Safe.

On the 19th of April 2017 17:08:58 CEST, Russell Coker <[email protected]> wrote:
>On Wed, 19 Apr 2017 11:22:48 PM Guido Trentalancia via refpolicy wrote:
>> > +########################################
>> > +## <summary>
>> > +## Get the attributes of a pstore filesystem.
>> > +## </summary>
>> > +## <param name="domain">
>> > +## <summary>
>> > +## Domain allowed access.
>> > +## </summary>
>> > +## </param>
>> > +#
>> > +interface(`ZZZfs_getattr_pstorefs',`
>>
>> The interface above has an odd name and however it is not being used
>> anywhere, so you might probably need to remove it.
>
>Yes. When I see that a patch has something that shouldn't be there I
>edit it
>and put in ZZZ. Then I apply the patch and use "quilt edit" to edit
>the
>source file in question to delete the unwanted part. In this case I
>forgot to
>delete an interface.
>
>> > --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
>> > +++ refpolicy-2.20170419/policy/modules/system/userdomain.if
>> > @@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
>> > dontaudit $1_t user_tty_device_t:chr_file ioctl;
>> >
>> > kernel_read_kernel_sysctls($1_t)
>> > + kernel_read_vm_sysctls($1_t)
>>
>> What is this for ?
>
>Not sure. I'll remove it for more checks. Maybe it should have been
>for
>overcommit.