This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 56 +++++++++++++++
policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.if | 18 ++++
policy/modules/kernel/kernel.if | 18 ++++
policy/modules/kernel/kernel.te | 34 +++++++++
policy/modules/kernel/terminal.if | 20 +++++
6 files changed, 277 insertions(+)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
+++ b/policy/modules/kernel/devices.if 2016-12-18 01:11:02.888132347 +0100
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
########################################
## <summary>
+## Set the attributes on generic
+## block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
## Dontaudit setattr on generic block devices.
## </summary>
## <param name="domain">
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
########################################
## <summary>
+## Set the attributes for generic
+## character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
## Dontaudit setattr for generic character device files.
## </summary>
## <param name="domain">
@@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
########################################
## <summary>
+## Mount a filesystem on sysfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
--- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
+++ b/policy/modules/kernel/files.if 2016-12-17 23:34:25.007517608 +0100
@@ -1784,6 +1784,25 @@ interface(`files_list_root',`
########################################
## <summary>
+## Delete symbolic links in the
+## root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_symlinks',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write to / dirs.
## </summary>
## <param name="domain">
@@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
########################################
## <summary>
+## Delete character device nodes in
+## the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
## Delete files in the root directory.
## </summary>
## <param name="domain">
@@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
########################################
## <summary>
+## Execute files in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
## Remove entries from the root directory.
## </summary>
## <param name="domain">
@@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
########################################
## <summary>
+## Manage the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of a rootfs
+## file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Associate to root file system.
## </summary>
## <param name="file_type">
@@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
')
########################################
+## <summary>
+## Get the attributes of the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
## <summary>
## Do not audit attempts to set the attributes of the etc_runtime files
## </summary>
diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
--- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
+++ b/policy/modules/kernel/filesystem.if 2016-12-17 22:50:22.936435441 +0100
@@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
########################################
## <summary>
+## Delete tmpfs symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## auto moutpoints.
## </summary>
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-17 21:26:37.530603508 +0100
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
########################################
## <summary>
+## Mount the directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get the attributes of files in /proc.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
--- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.te 2016-12-18 01:19:46.891242628 +0100
@@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
+kernel_mounton_proc_dirs(kernel_t)
kernel_request_load_module(kernel_t)
# Allow unlabeled network traffic
@@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
+dev_mounton_sysfs(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
# devtmpfs handling:
@@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t)
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
selinux_load_policy(kernel_t)
+term_getattr_pty_fs(kernel_t)
term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
# for kdevtmpfs
term_setattr_unlink_unallocated_ttys(kernel_t)
@@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
domain_signal_all_domains(kernel_t)
domain_search_all_domains_state(kernel_t)
+files_getattr_rootfs(kernel_t)
+files_manage_root_dir(kernel_t)
+files_delete_root_files(kernel_t)
+files_exec_root_files(kernel_t)
+files_delete_root_symlinks(kernel_t)
+files_delete_root_chr_files(kernel_t)
files_list_root(kernel_t)
files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -343,6 +369,7 @@ optional_policy(`
')
optional_policy(`
+ logging_manage_generic_logs(kernel_t)
logging_send_syslog_msg(kernel_t)
')
@@ -356,6 +383,12 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_read_lib_files(kernel_t)
+ term_use_ptmx(kernel_t)
+ term_use_unallocated_ttys(kernel_t)
+')
+
+optional_policy(`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -405,6 +438,7 @@ optional_policy(`
optional_policy(`
seutil_read_config(kernel_t)
seutil_read_bin_policy(kernel_t)
+ seutil_domtrans_setfiles(kernel_t)
')
optional_policy(`
diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
--- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
+++ b/policy/modules/kernel/terminal.if 2016-12-17 21:40:10.502811148 +0100
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
########################################
## <summary>
+## Get the attributes of the
+## /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain.
+## </summary>
+## </param>
+#
+interface(`term_getattr_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
## </summary>
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
allow $1 devpts_t:chr_file getattr;
')
+
########################################
## <summary>
## Do not audit attempts to get the attributes
Hi,
i have some notes on this one:
2016-12-18 1:43 GMT+01:00 Guido Trentalancia via refpolicy
<[email protected]>:
> This patch adds missing permissions in the kernel module that prevent
> to run it without the unconfined module.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/devices.if | 56 +++++++++++++++
> policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/filesystem.if | 18 ++++
> policy/modules/kernel/kernel.if | 18 ++++
> policy/modules/kernel/kernel.te | 34 +++++++++
> policy/modules/kernel/terminal.if | 20 +++++
> 6 files changed, 277 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
> +++ b/policy/modules/kernel/devices.if 2016-12-18 01:11:02.888132347 +0100
> @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ## <summary>
> +## Set the attributes on generic
> +## block devices.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain.
I think the common summary is 'Domain allowed access.'
> +## </summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_blk_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:blk_file setattr;
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit setattr on generic block devices.
> ## </summary>
> ## <param name="domain">
> @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ## <summary>
> +## Set the attributes for generic
> +## character device files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_chr_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:chr_file setattr;
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit setattr for generic character device files.
> ## </summary>
> ## <param name="domain">
> @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
>
> ########################################
> ## <summary>
> +## Mount a filesystem on sysfs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allow access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mounton_sysfs',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Associate a file to a sysfs filesystem.
> ## </summary>
> ## <param name="file_type">
> diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> --- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
> +++ b/policy/modules/kernel/files.if 2016-12-17 23:34:25.007517608 +0100
> @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
>
> ########################################
> ## <summary>
> +## Delete symbolic links in the
> +## root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_root_symlinks',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to write to / dirs.
> ## </summary>
> ## <param name="domain">
> @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
>
> ########################################
> ## <summary>
> +## Delete character device nodes in
> +## the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_root_chr_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:chr_file delete_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Delete files in the root directory.
> ## </summary>
> ## <param name="domain">
> @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
>
> ########################################
> ## <summary>
> +## Execute files in the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_root_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Remove entries from the root directory.
> ## </summary>
> ## <param name="domain">
> @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
>
> ########################################
> ## <summary>
> +## Manage the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_manage_root_dir',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:dir manage_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of a rootfs
> +## file system.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_rootfs',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Associate to root file system.
> ## </summary>
> ## <param name="file_type">
> @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
> ')
>
> ########################################
> +## <summary>
> +## Get the attributes of the
> +## etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Mount a filesystem on the
> +## etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_mounton_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
Maybe one can add the getattr permssion from the interface above here,
i noticed the pattern of mounton and getattr at several occasions
> + allow $1 etc_runtime_t:dir mounton;
> +')
> +
> +########################################
> ## <summary>
> ## Do not audit attempts to set the attributes of the etc_runtime files
> ## </summary>
> diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> --- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
> +++ b/policy/modules/kernel/filesystem.if 2016-12-17 22:50:22.936435441 +0100
> @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
>
> ########################################
> ## <summary>
> +## Delete tmpfs symbolic links.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_delete_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## auto moutpoints.
> ## </summary>
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-17 21:26:37.530603508 +0100
> @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
>
> ########################################
> ## <summary>
> +## Mount the directories in /proc.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mounton_proc_dirs',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of files in /proc.
> ## </summary>
> ## <param name="domain">
> diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> --- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.te 2016-12-18 01:19:46.891242628 +0100
> @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
>
> +kernel_mounton_proc_dirs(kernel_t)
> kernel_request_load_module(kernel_t)
>
> # Allow unlabeled network traffic
> @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> corenet_raw_send_generic_node(kernel_t)
> corenet_send_all_packets(kernel_t)
>
> +dev_mounton_sysfs(kernel_t)
> dev_read_sysfs(kernel_t)
> dev_search_usbfs(kernel_t)
> # devtmpfs handling:
> @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
> dev_create_generic_chr_files(kernel_t)
> dev_delete_generic_chr_files(kernel_t)
> dev_mounton(kernel_t)
> +dev_delete_generic_symlinks(kernel_t)
> +dev_rw_generic_chr_files(kernel_t)
> +dev_setattr_generic_blk_files(kernel_t)
> +dev_setattr_generic_chr_files(kernel_t)
> +dev_getattr_fs(kernel_t)
> +dev_getattr_sysfs(kernel_t)
>
> # Mount root file system. Used when loading a policy
> # from initrd, then mounting the root filesystem
> fs_mount_all_fs(kernel_t)
> fs_unmount_all_fs(kernel_t)
>
> +fs_getattr_tmpfs(kernel_t)
> +fs_getattr_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_files(kernel_t)
> +fs_manage_tmpfs_sockets(kernel_t)
> +fs_delete_tmpfs_symlinks(kernel_t)
> +
> +selinux_getattr_fs(kernel_t)
> selinux_load_policy(kernel_t)
>
> +term_getattr_pty_fs(kernel_t)
> term_use_console(kernel_t)
> +term_use_generic_ptys(kernel_t)
>
> # for kdevtmpfs
> term_setattr_unlink_unallocated_ttys(kernel_t)
> @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
> domain_signal_all_domains(kernel_t)
> domain_search_all_domains_state(kernel_t)
>
Are these root_t permissions needed for reboot into relabeling
(catchword /.autorelabel)
I tested relabeling in a debian vm with systemd and i did not need those.
Maybe a ifndef(`init_systemd',...) block is suitable.
> +files_getattr_rootfs(kernel_t)
> +files_manage_root_dir(kernel_t)
> +files_delete_root_files(kernel_t)
> +files_exec_root_files(kernel_t)
> +files_delete_root_symlinks(kernel_t)
> +files_delete_root_chr_files(kernel_t)
> files_list_root(kernel_t)
> files_list_etc(kernel_t)
> +files_getattr_etc_runtime_dirs(kernel_t)
> +files_mounton_etc_runtime_dirs(kernel_t)
> files_list_home(kernel_t)
> files_read_usr_files(kernel_t)
>
> @@ -343,6 +369,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + logging_manage_generic_logs(kernel_t)
> logging_send_syslog_msg(kernel_t)
> ')
>
> @@ -356,6 +383,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + plymouthd_read_lib_files(kernel_t)
> + term_use_ptmx(kernel_t)
> + term_use_unallocated_ttys(kernel_t)
> +')
> +
> +optional_policy(`
> # nfs kernel server needs kernel UDP access. It is less risky and painful
> # to just give it everything.
> allow kernel_t self:tcp_socket create_stream_socket_perms;
> @@ -405,6 +438,7 @@ optional_policy(`
> optional_policy(`
> seutil_read_config(kernel_t)
> seutil_read_bin_policy(kernel_t)
Like the root_t permissions, is this needed for reboot relabeling?
I think on systemd systems udev_t is transitioning into the setfiles_t domain.
> + seutil_domtrans_setfiles(kernel_t)
> ')
>
> optional_policy(`
> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> --- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
> +++ b/policy/modules/kernel/terminal.if 2016-12-17 21:40:10.502811148 +0100
> @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
>
> ########################################
> ## <summary>
> +## Get the attributes of the
> +## /dev/pts directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain.
> +## </summary>
> +## </param>
> +#
> +interface(`term_getattr_pty_dirs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to get the
> ## attributes of the /dev/pts directory.
> ## </summary>
> @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
>
> allow $1 devpts_t:chr_file getattr;
> ')
> +
> ########################################
> ## <summary>
> ## Do not audit attempts to get the attributes
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Kindly Regards,
Christian G?ttsche
Hi.
On Sun, 18/12/2016 at 21.31 +0100, cgzones wrote:
> Hi,
> i have some notes on this one:
>
> 2016-12-18 1:43 GMT+01:00 Guido Trentalancia via refpolicy
> <[email protected]>:
> >
> > This patch adds missing permissions in the kernel module that
> > prevent
> > to run it without the unconfined module.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/kernel/devices.if????|???56 +++++++++++++++
> > ?policy/modules/kernel/files.if??????|??131
> > ++++++++++++++++++++++++++++++++++++
> > ?policy/modules/kernel/filesystem.if |???18 ++++
> > ?policy/modules/kernel/kernel.if?????|???18 ++++
> > ?policy/modules/kernel/kernel.te?????|???34 +++++++++
> > ?policy/modules/kernel/terminal.if???|???20 +++++
> > ?6 files changed, 277 insertions(+)
> >
> > diff -pru a/policy/modules/kernel/devices.if
> > b/policy/modules/kernel/devices.if
> > --- a/policy/modules/kernel/devices.if??2016-08-14
> > 21:24:48.932381791 +0200
> > +++ b/policy/modules/kernel/devices.if??2016-12-18
> > 01:11:02.888132347 +0100
> > @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
> >
> > ?########################################
> > ?## <summary>
> > +##?????Set the attributes on generic
> > +##?????block devices.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain.
> I think the common summary is 'Domain allowed access.'
I can amend that if I create a new version of the patch.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`dev_setattr_generic_blk_files',`
> > +???????gen_require(`
> > +???????????????type device_t;
> > +???????')
> > +
> > +???????allow $1 device_t:blk_file setattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Dontaudit setattr on generic block devices.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
> >
> > ?########################################
> > ?## <summary>
> > +##?????Set the attributes for generic
> > +##?????character device files.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`dev_setattr_generic_chr_files',`
> > +???????gen_require(`
> > +???????????????type device_t;
> > +???????')
> > +
> > +???????allow $1 device_t:chr_file setattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Dontaudit setattr for generic character device files.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
> >
> > ?########################################
> > ?## <summary>
> > +##?????Mount a filesystem on sysfs.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allow access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`dev_mounton_sysfs',`
> > +???????gen_require(`
> > +???????????????type device_t;
> > +???????')
> > +
> > +???????allow $1 sysfs_t:dir mounton;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Associate a file to a sysfs filesystem.
> > ?## </summary>
> > ?## <param name="file_type">
> > diff -pru a/policy/modules/kernel/files.if
> > b/policy/modules/kernel/files.if
> > --- a/policy/modules/kernel/files.if????2016-08-30
> > 13:58:35.862542184 +0200
> > +++ b/policy/modules/kernel/files.if????2016-12-17
> > 23:34:25.007517608 +0100
> > @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
> >
> > ?########################################
> > ?## <summary>
> > +##?????Delete symbolic links in the
> > +##?????root directory.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allowed access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`files_delete_root_symlinks',`
> > +???????gen_require(`
> > +???????????????type root_t;
> > +???????')
> > +
> > +???????allow $1 root_t:lnk_file delete_lnk_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Do not audit attempts to write to / dirs.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
> >
> > ?########################################
> > ?## <summary>
> > +##?????Delete character device nodes in
> > +##?????the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allowed access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`files_delete_root_chr_files',`
> > +???????gen_require(`
> > +???????????????type root_t;
> > +???????')
> > +
> > +???????allow $1 root_t:chr_file delete_chr_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Delete files in the root directory.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
> >
> > ?########################################
> > ?## <summary>
> > +##?????Execute files in the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allowed access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`files_exec_root_files',`
> > +???????gen_require(`
> > +???????????????type root_t;
> > +???????')
> > +
> > +???????allow $1 root_t:file exec_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Remove entries from the root directory.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
> >
> > ?########################################
> > ?## <summary>
> > +##?????Manage the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allowed access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`files_manage_root_dir',`
> > +???????gen_require(`
> > +???????????????type root_t;
> > +???????')
> > +
> > +???????allow $1 root_t:dir manage_dir_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##?????Get the attributes of a rootfs
> > +##?????file system.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allowed access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`files_getattr_rootfs',`
> > +???????gen_require(`
> > +???????????????type root_t;
> > +???????')
> > +
> > +???????allow $1 root_t:filesystem getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Associate to root file system.
> > ?## </summary>
> > ?## <param name="file_type">
> > @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
> > ?')
> >
> > ?########################################
> > +## <summary>
> > +##?????Get the attributes of the
> > +##?????etc_runtime directories.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allowed access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`files_getattr_etc_runtime_dirs',`
> > +???????gen_require(`
> > +???????????????type etc_runtime_t;
> > +???????')
> > +
> > +???????allow $1 etc_runtime_t:dir getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +##?????Mount a filesystem on the
> > +##?????etc_runtime directories.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allowed access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`files_mounton_etc_runtime_dirs',`
> > +???????gen_require(`
> > +???????????????type etc_runtime_t;
> > +???????')
> > +
> Maybe one can add the getattr permssion from the interface above
> here,
> i noticed the pattern of mounton and getattr at several occasions
> >
> > +???????allow $1 etc_runtime_t:dir mounton;
> > +')
> > +
> > +########################################
> > ?## <summary>
> > ?##?????Do not audit attempts to set the attributes of the
> > etc_runtime files
> > ?## </summary>
> > diff -pru a/policy/modules/kernel/filesystem.if
> > b/policy/modules/kernel/filesystem.if
> > --- a/policy/modules/kernel/filesystem.if???????2016-11-05
> > 22:59:46.649875204 +0100
> > +++ b/policy/modules/kernel/filesystem.if???????2016-12-17
> > 22:50:22.936435441 +0100
> > @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
> >
> > ?########################################
> > ?## <summary>
> > +##?????Delete tmpfs symbolic links.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain allowed access.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`fs_delete_tmpfs_symlinks',`
> > +???????gen_require(`
> > +???????????????type tmpfs_t;
> > +???????')
> > +
> > +???????allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Create, read, write, and delete
> > ?##?????auto moutpoints.
> > ?## </summary>
> > diff -pru a/policy/modules/kernel/kernel.if
> > b/policy/modules/kernel/kernel.if
> > --- a/policy/modules/kernel/kernel.if???2016-12-07
> > 13:39:08.669449296 +0100
> > +++ b/policy/modules/kernel/kernel.if???2016-12-17
> > 21:26:37.530603508 +0100
> > @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
> >
> > ?########################################
> > ?## <summary>
> > +##?????Mount the directories in /proc.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`kernel_mounton_proc_dirs',`
> > +???????gen_require(`
> > +???????????????type proc_t;
> > +???????')
> > +
> > +???????allow $1 proc_t:dir mounton;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Get the attributes of files in /proc.
> > ?## </summary>
> > ?## <param name="domain">
> > diff -pru a/policy/modules/kernel/kernel.te
> > b/policy/modules/kernel/kernel.te
> > --- a/policy/modules/kernel/kernel.te???2016-12-07
> > 13:39:08.669449296 +0100
> > +++ b/policy/modules/kernel/kernel.te???2016-12-18
> > 01:19:46.891242628 +0100
> > @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
> > ?# connections with invalidated labels:
> > ?allow kernel_t unlabeled_t:packet send;
> >
> > +kernel_mounton_proc_dirs(kernel_t)
> > ?kernel_request_load_module(kernel_t)
> >
> > ?# Allow unlabeled network traffic
> > @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> > ?corenet_raw_send_generic_node(kernel_t)
> > ?corenet_send_all_packets(kernel_t)
> >
> > +dev_mounton_sysfs(kernel_t)
> > ?dev_read_sysfs(kernel_t)
> > ?dev_search_usbfs(kernel_t)
> > ?# devtmpfs handling:
> > @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
> > ?dev_create_generic_chr_files(kernel_t)
> > ?dev_delete_generic_chr_files(kernel_t)
> > ?dev_mounton(kernel_t)
> > +dev_delete_generic_symlinks(kernel_t)
> > +dev_rw_generic_chr_files(kernel_t)
> > +dev_setattr_generic_blk_files(kernel_t)
> > +dev_setattr_generic_chr_files(kernel_t)
> > +dev_getattr_fs(kernel_t)
> > +dev_getattr_sysfs(kernel_t)
> >
> > ?# Mount root file system. Used when loading a policy
> > ?# from initrd, then mounting the root filesystem
> > ?fs_mount_all_fs(kernel_t)
> > ?fs_unmount_all_fs(kernel_t)
> >
> > +fs_getattr_tmpfs(kernel_t)
> > +fs_getattr_tmpfs_dirs(kernel_t)
> > +fs_manage_tmpfs_dirs(kernel_t)
> > +fs_manage_tmpfs_files(kernel_t)
> > +fs_manage_tmpfs_sockets(kernel_t)
> > +fs_delete_tmpfs_symlinks(kernel_t)
> > +
> > +selinux_getattr_fs(kernel_t)
> > ?selinux_load_policy(kernel_t)
> >
> > +term_getattr_pty_fs(kernel_t)
> > ?term_use_console(kernel_t)
> > +term_use_generic_ptys(kernel_t)
> >
> > ?# for kdevtmpfs
> > ?term_setattr_unlink_unallocated_ttys(kernel_t)
> > @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
> > ?domain_signal_all_domains(kernel_t)
> > ?domain_search_all_domains_state(kernel_t)
> >
> Are these root_t permissions needed for reboot into relabeling
> (catchword /.autorelabel)
No, they are not needed during forced boot-time filesystem relabeling.
> I tested relabeling in a debian vm with systemd and i did not need
> those.
They are needed when booting an image created with dracut and using
sysvinit.
> Maybe a ifndef(`init_systemd',...) block is suitable.
At the moment, the kernel module uses unconfined_domain(kernel_t), so
those permissions are allowed anyway.
They do not depend on the kind of init daemon. They are needed because
of the initramfs image generated by dracut (in particular the dracut
"init" module).
If one uses systemd and dracut, it should execute the "init" module
from dracut.
> > +files_getattr_rootfs(kernel_t)
> > +files_manage_root_dir(kernel_t)
> > +files_delete_root_files(kernel_t)
> > +files_exec_root_files(kernel_t)
> > +files_delete_root_symlinks(kernel_t)
> > +files_delete_root_chr_files(kernel_t)
> > ?files_list_root(kernel_t)
> > ?files_list_etc(kernel_t)
> > +files_getattr_etc_runtime_dirs(kernel_t)
> > +files_mounton_etc_runtime_dirs(kernel_t)
> > ?files_list_home(kernel_t)
> > ?files_read_usr_files(kernel_t)
> >
> > @@ -343,6 +369,7 @@ optional_policy(`
> > ?')
> >
> > ?optional_policy(`
> > +???????logging_manage_generic_logs(kernel_t)
> > ????????logging_send_syslog_msg(kernel_t)
> > ?')
> >
> > @@ -356,6 +383,12 @@ optional_policy(`
> > ?')
> >
> > ?optional_policy(`
> > +???????plymouthd_read_lib_files(kernel_t)
> > +???????term_use_ptmx(kernel_t)
> > +???????term_use_unallocated_ttys(kernel_t)
> > +')
> > +
> > +optional_policy(`
> > ????????# nfs kernel server needs kernel UDP access. It is less
> > risky and painful
> > ????????# to just give it everything.
> > ????????allow kernel_t self:tcp_socket create_stream_socket_perms;
> > @@ -405,6 +438,7 @@ optional_policy(`
> > ?optional_policy(`
> > ????????seutil_read_config(kernel_t)
> > ????????seutil_read_bin_policy(kernel_t)
> Like the root_t permissions, is this needed for reboot relabeling?
No, it is not needed because of forced relabeling.
> I think on systemd systems udev_t is transitioning into the
> setfiles_t domain.
I think the permission has nothing to do with udev, but with the dracut
"selinux" module.
> >
> > +???????seutil_domtrans_setfiles(kernel_t)
> > ?')
> >
> > ?optional_policy(`
> > diff -pru a/policy/modules/kernel/terminal.if
> > b/policy/modules/kernel/terminal.if
> > --- a/policy/modules/kernel/terminal.if 2016-11-05
> > 22:59:46.651875228 +0100
> > +++ b/policy/modules/kernel/terminal.if 2016-12-17
> > 21:40:10.502811148 +0100
> > @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
> >
> > ?########################################
> > ?## <summary>
> > +##?????Get the attributes of the
> > +##?????/dev/pts directory.
> > +## </summary>
> > +## <param name="domain">
> > +##?????<summary>
> > +##?????Domain.
> > +##?????</summary>
> > +## </param>
> > +#
> > +interface(`term_getattr_pty_dirs',`
> > +???????gen_require(`
> > +???????????????type devpts_t;
> > +???????')
> > +
> > +???????allow $1 devpts_t:dir getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##?????Do not audit attempts to get the
> > ?##?????attributes of the /dev/pts directory.
> > ?## </summary>
> > @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
> >
> > ????????allow $1 devpts_t:chr_file getattr;
> > ?')
> > +
> > ?########################################
> > ?## <summary>
> > ?##?????Do not audit attempts to get the attributes
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
Regards,
Guido
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.
This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 56 +++++++++++++++
policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.if | 18 ++++
policy/modules/kernel/kernel.if | 18 ++++
policy/modules/kernel/kernel.te | 34 +++++++++
policy/modules/kernel/terminal.if | 20 +++++
6 files changed, 277 insertions(+)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
+++ b/policy/modules/kernel/devices.if 2016-12-18 01:11:02.888132347 +0100
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
########################################
## <summary>
+## Set the attributes on generic
+## block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
## Dontaudit setattr on generic block devices.
## </summary>
## <param name="domain">
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
########################################
## <summary>
+## Set the attributes for generic
+## character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
## Dontaudit setattr for generic character device files.
## </summary>
## <param name="domain">
@@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
########################################
## <summary>
+## Mount a filesystem on sysfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
--- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
+++ b/policy/modules/kernel/files.if 2016-12-17 23:34:25.007517608 +0100
@@ -1784,6 +1784,25 @@ interface(`files_list_root',`
########################################
## <summary>
+## Delete symbolic links in the
+## root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_symlinks',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write to / dirs.
## </summary>
## <param name="domain">
@@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
########################################
## <summary>
+## Delete character device nodes in
+## the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
## Delete files in the root directory.
## </summary>
## <param name="domain">
@@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
########################################
## <summary>
+## Execute files in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
## Remove entries from the root directory.
## </summary>
## <param name="domain">
@@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
########################################
## <summary>
+## Manage the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of a rootfs
+## file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Associate to root file system.
## </summary>
## <param name="file_type">
@@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
')
########################################
+## <summary>
+## Get the attributes of the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
## <summary>
## Do not audit attempts to set the attributes of the etc_runtime files
## </summary>
diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
--- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
+++ b/policy/modules/kernel/filesystem.if 2016-12-17 22:50:22.936435441 +0100
@@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
########################################
## <summary>
+## Delete tmpfs symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## auto moutpoints.
## </summary>
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-17 21:26:37.530603508 +0100
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
########################################
## <summary>
+## Mount the directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get the attributes of files in /proc.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
--- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.te 2016-12-18 01:19:46.891242628 +0100
@@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
+kernel_mounton_proc_dirs(kernel_t)
kernel_request_load_module(kernel_t)
# Allow unlabeled network traffic
@@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
+dev_mounton_sysfs(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
# devtmpfs handling:
@@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t)
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
selinux_load_policy(kernel_t)
+term_getattr_pty_fs(kernel_t)
term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
# for kdevtmpfs
term_setattr_unlink_unallocated_ttys(kernel_t)
@@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
domain_signal_all_domains(kernel_t)
domain_search_all_domains_state(kernel_t)
+files_getattr_rootfs(kernel_t)
+files_manage_root_dir(kernel_t)
+files_delete_root_files(kernel_t)
+files_exec_root_files(kernel_t)
+files_delete_root_symlinks(kernel_t)
+files_delete_root_chr_files(kernel_t)
files_list_root(kernel_t)
files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -343,6 +369,7 @@ optional_policy(`
')
optional_policy(`
+ logging_manage_generic_logs(kernel_t)
logging_send_syslog_msg(kernel_t)
')
@@ -356,6 +383,12 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_read_lib_files(kernel_t)
+ term_use_ptmx(kernel_t)
+ term_use_unallocated_ttys(kernel_t)
+')
+
+optional_policy(`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -405,6 +438,7 @@ optional_policy(`
optional_policy(`
seutil_read_config(kernel_t)
seutil_read_bin_policy(kernel_t)
+ seutil_domtrans_setfiles(kernel_t)
')
optional_policy(`
diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
--- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
+++ b/policy/modules/kernel/terminal.if 2016-12-17 21:40:10.502811148 +0100
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
########################################
## <summary>
+## Get the attributes of the
+## /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_getattr_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
## </summary>
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
allow $1 devpts_t:chr_file getattr;
')
+
########################################
## <summary>
## Do not audit attempts to get the attributes
On 12/17/16 19:43, Guido Trentalancia via refpolicy wrote:
> This patch adds missing permissions in the kernel module that prevent
> to run it without the unconfined module.
I will need more clarification on these rules, especially all the new
root_t access. The only thing that should normally be root_t is /.
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/devices.if | 56 +++++++++++++++
> policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/filesystem.if | 18 ++++
> policy/modules/kernel/kernel.if | 18 ++++
> policy/modules/kernel/kernel.te | 34 +++++++++
> policy/modules/kernel/terminal.if | 20 +++++
> 6 files changed, 277 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
> +++ b/policy/modules/kernel/devices.if 2016-12-18 01:11:02.888132347 +0100
> @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ## <summary>
> +## Set the attributes on generic
> +## block devices.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_blk_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:blk_file setattr;
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit setattr on generic block devices.
> ## </summary>
> ## <param name="domain">
> @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ## <summary>
> +## Set the attributes for generic
> +## character device files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_chr_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:chr_file setattr;
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit setattr for generic character device files.
> ## </summary>
> ## <param name="domain">
> @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
>
> ########################################
> ## <summary>
> +## Mount a filesystem on sysfs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allow access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mounton_sysfs',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Associate a file to a sysfs filesystem.
> ## </summary>
> ## <param name="file_type">
> diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> --- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
> +++ b/policy/modules/kernel/files.if 2016-12-17 23:34:25.007517608 +0100
> @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
>
> ########################################
> ## <summary>
> +## Delete symbolic links in the
> +## root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_root_symlinks',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to write to / dirs.
> ## </summary>
> ## <param name="domain">
> @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
>
> ########################################
> ## <summary>
> +## Delete character device nodes in
> +## the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_root_chr_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:chr_file delete_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Delete files in the root directory.
> ## </summary>
> ## <param name="domain">
> @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
>
> ########################################
> ## <summary>
> +## Execute files in the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_root_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Remove entries from the root directory.
> ## </summary>
> ## <param name="domain">
> @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
>
> ########################################
> ## <summary>
> +## Manage the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_manage_root_dir',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:dir manage_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of a rootfs
> +## file system.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_rootfs',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Associate to root file system.
> ## </summary>
> ## <param name="file_type">
> @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
> ')
>
> ########################################
> +## <summary>
> +## Get the attributes of the
> +## etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Mount a filesystem on the
> +## etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_mounton_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir mounton;
> +')
> +
> +########################################
> ## <summary>
> ## Do not audit attempts to set the attributes of the etc_runtime files
> ## </summary>
> diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> --- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
> +++ b/policy/modules/kernel/filesystem.if 2016-12-17 22:50:22.936435441 +0100
> @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
>
> ########################################
> ## <summary>
> +## Delete tmpfs symbolic links.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_delete_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## auto moutpoints.
> ## </summary>
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-17 21:26:37.530603508 +0100
> @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
>
> ########################################
> ## <summary>
> +## Mount the directories in /proc.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mounton_proc_dirs',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of files in /proc.
> ## </summary>
> ## <param name="domain">
> diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> --- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.te 2016-12-18 01:19:46.891242628 +0100
> @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
>
> +kernel_mounton_proc_dirs(kernel_t)
> kernel_request_load_module(kernel_t)
>
> # Allow unlabeled network traffic
> @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> corenet_raw_send_generic_node(kernel_t)
> corenet_send_all_packets(kernel_t)
>
> +dev_mounton_sysfs(kernel_t)
> dev_read_sysfs(kernel_t)
> dev_search_usbfs(kernel_t)
> # devtmpfs handling:
> @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
> dev_create_generic_chr_files(kernel_t)
> dev_delete_generic_chr_files(kernel_t)
> dev_mounton(kernel_t)
> +dev_delete_generic_symlinks(kernel_t)
> +dev_rw_generic_chr_files(kernel_t)
> +dev_setattr_generic_blk_files(kernel_t)
> +dev_setattr_generic_chr_files(kernel_t)
> +dev_getattr_fs(kernel_t)
> +dev_getattr_sysfs(kernel_t)
>
> # Mount root file system. Used when loading a policy
> # from initrd, then mounting the root filesystem
> fs_mount_all_fs(kernel_t)
> fs_unmount_all_fs(kernel_t)
>
> +fs_getattr_tmpfs(kernel_t)
> +fs_getattr_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_files(kernel_t)
> +fs_manage_tmpfs_sockets(kernel_t)
> +fs_delete_tmpfs_symlinks(kernel_t)
> +
> +selinux_getattr_fs(kernel_t)
> selinux_load_policy(kernel_t)
>
> +term_getattr_pty_fs(kernel_t)
> term_use_console(kernel_t)
> +term_use_generic_ptys(kernel_t)
>
> # for kdevtmpfs
> term_setattr_unlink_unallocated_ttys(kernel_t)
> @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
> domain_signal_all_domains(kernel_t)
> domain_search_all_domains_state(kernel_t)
>
> +files_getattr_rootfs(kernel_t)
> +files_manage_root_dir(kernel_t)
> +files_delete_root_files(kernel_t)
> +files_exec_root_files(kernel_t)
> +files_delete_root_symlinks(kernel_t)
> +files_delete_root_chr_files(kernel_t)
> files_list_root(kernel_t)
> files_list_etc(kernel_t)
> +files_getattr_etc_runtime_dirs(kernel_t)
> +files_mounton_etc_runtime_dirs(kernel_t)
> files_list_home(kernel_t)
> files_read_usr_files(kernel_t)
>
> @@ -343,6 +369,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + logging_manage_generic_logs(kernel_t)
> logging_send_syslog_msg(kernel_t)
> ')
>
> @@ -356,6 +383,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + plymouthd_read_lib_files(kernel_t)
> + term_use_ptmx(kernel_t)
> + term_use_unallocated_ttys(kernel_t)
> +')
> +
> +optional_policy(`
> # nfs kernel server needs kernel UDP access. It is less risky and painful
> # to just give it everything.
> allow kernel_t self:tcp_socket create_stream_socket_perms;
> @@ -405,6 +438,7 @@ optional_policy(`
> optional_policy(`
> seutil_read_config(kernel_t)
> seutil_read_bin_policy(kernel_t)
> + seutil_domtrans_setfiles(kernel_t)
> ')
>
> optional_policy(`
> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> --- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
> +++ b/policy/modules/kernel/terminal.if 2016-12-17 21:40:10.502811148 +0100
> @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
>
> ########################################
> ## <summary>
> +## Get the attributes of the
> +## /dev/pts directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain.
> +## </summary>
> +## </param>
> +#
> +interface(`term_getattr_pty_dirs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to get the
> ## attributes of the /dev/pts directory.
> ## </summary>
> @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
>
> allow $1 devpts_t:chr_file getattr;
> ')
> +
> ########################################
> ## <summary>
> ## Do not audit attempts to get the attributes
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
Hello Christopher.
Thanks for getting back on this...
On Sun, 18/12/2016 at 17.30 -0500, Chris PeBenito wrote:
> On 12/17/16 19:43, Guido Trentalancia via refpolicy wrote:
> >
> > This patch adds missing permissions in the kernel module that
> > prevent
> > to run it without the unconfined module.
>
> I will need more clarification on these rules, especially all the
> new?
> root_t access.??The only thing that should normally be root_t is /.
Here are some of the most relevant permission denied errors that have
been generated:
type=AVC msg=audit(1482156395.264:6): avc:??denied??{ getattr } for??pid=1 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:7): avc:??denied??{ execute } for??pid=1 comm="init" name="umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:8): avc:??denied??{ read } for??pid=1 comm="init" name="umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:9): avc:??denied??{ open } for??pid=783 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482156395.264:9): avc:??denied??{ execute_no_trans } for??pid=783 comm="init" path="/bin/umount" dev="rootfs" ino=67 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
As you can see, it is trying to execute a /bin/umount executable file
that is labeled root_t (this is before switching to the new root, so
it's in the initramfs).
This is from the following two dracut initramfs modules:
98selinux/selinux-loadpolicy.sh
99base/init.sh
Eventually, no relabeling is done by dracut after loading the policy.
If you need to see other parts of the log, please let me know and I'll
post them.
I have also prepared two other patches that depend on this: a patch for
init and a patch for shutdown.
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/kernel/devices.if????|???56 +++++++++++++++
> > ?policy/modules/kernel/files.if??????|??131
> > ++++++++++++++++++++++++++++++++++++
> > ?policy/modules/kernel/filesystem.if |???18 ++++
> > ?policy/modules/kernel/kernel.if?????|???18 ++++
> > ?policy/modules/kernel/kernel.te?????|???34 +++++++++
> > ?policy/modules/kernel/terminal.if???|???20 +++++
> > ?6 files changed, 277 insertions(+)
> >
> > diff -pru a/policy/modules/kernel/devices.if
> > b/policy/modules/kernel/devices.if
> > --- a/policy/modules/kernel/devices.if 2016-08-14
> > 21:24:48.932381791 +0200
> > +++ b/policy/modules/kernel/devices.if 2016-12-18
> > 01:11:02.888132347 +0100
> > @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
> >
> > ?########################################
> > ?## <summary>
> > +## Set the attributes on generic
> > +## block devices.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dev_setattr_generic_blk_files',`
> > + gen_require(`
> > + type device_t;
> > + ')
> > +
> > + allow $1 device_t:blk_file setattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Dontaudit setattr on generic block devices.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
> >
> > ?########################################
> > ?## <summary>
> > +## Set the attributes for generic
> > +## character device files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dev_setattr_generic_chr_files',`
> > + gen_require(`
> > + type device_t;
> > + ')
> > +
> > + allow $1 device_t:chr_file setattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Dontaudit setattr for generic character device files.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
> >
> > ?########################################
> > ?## <summary>
> > +## Mount a filesystem on sysfs.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allow access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dev_mounton_sysfs',`
> > + gen_require(`
> > + type device_t;
> > + ')
> > +
> > + allow $1 sysfs_t:dir mounton;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Associate a file to a sysfs filesystem.
> > ?## </summary>
> > ?## <param name="file_type">
> > diff -pru a/policy/modules/kernel/files.if
> > b/policy/modules/kernel/files.if
> > --- a/policy/modules/kernel/files.if 2016-08-30
> > 13:58:35.862542184 +0200
> > +++ b/policy/modules/kernel/files.if 2016-12-17
> > 23:34:25.007517608 +0100
> > @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
> >
> > ?########################################
> > ?## <summary>
> > +## Delete symbolic links in the
> > +## root directory.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_delete_root_symlinks',`
> > + gen_require(`
> > + type root_t;
> > + ')
> > +
> > + allow $1 root_t:lnk_file delete_lnk_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Do not audit attempts to write to / dirs.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
> >
> > ?########################################
> > ?## <summary>
> > +## Delete character device nodes in
> > +## the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_delete_root_chr_files',`
> > + gen_require(`
> > + type root_t;
> > + ')
> > +
> > + allow $1 root_t:chr_file delete_chr_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Delete files in the root directory.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
> >
> > ?########################################
> > ?## <summary>
> > +## Execute files in the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_exec_root_files',`
> > + gen_require(`
> > + type root_t;
> > + ')
> > +
> > + allow $1 root_t:file exec_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Remove entries from the root directory.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
> >
> > ?########################################
> > ?## <summary>
> > +## Manage the root directory.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_manage_root_dir',`
> > + gen_require(`
> > + type root_t;
> > + ')
> > +
> > + allow $1 root_t:dir manage_dir_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Get the attributes of a rootfs
> > +## file system.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_getattr_rootfs',`
> > + gen_require(`
> > + type root_t;
> > + ')
> > +
> > + allow $1 root_t:filesystem getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Associate to root file system.
> > ?## </summary>
> > ?## <param name="file_type">
> > @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
> > ?')
> >
> > ?########################################
> > +## <summary>
> > +## Get the attributes of the
> > +## etc_runtime directories.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_getattr_etc_runtime_dirs',`
> > + gen_require(`
> > + type etc_runtime_t;
> > + ')
> > +
> > + allow $1 etc_runtime_t:dir getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Mount a filesystem on the
> > +## etc_runtime directories.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_mounton_etc_runtime_dirs',`
> > + gen_require(`
> > + type etc_runtime_t;
> > + ')
> > +
> > + allow $1 etc_runtime_t:dir mounton;
> > +')
> > +
> > +########################################
> > ?## <summary>
> > ?## Do not audit attempts to set the attributes of the
> > etc_runtime files
> > ?## </summary>
> > diff -pru a/policy/modules/kernel/filesystem.if
> > b/policy/modules/kernel/filesystem.if
> > --- a/policy/modules/kernel/filesystem.if 2016-11-05
> > 22:59:46.649875204 +0100
> > +++ b/policy/modules/kernel/filesystem.if 2016-12-17
> > 22:50:22.936435441 +0100
> > @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
> >
> > ?########################################
> > ?## <summary>
> > +## Delete tmpfs symbolic links.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`fs_delete_tmpfs_symlinks',`
> > + gen_require(`
> > + type tmpfs_t;
> > + ')
> > +
> > + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Create, read, write, and delete
> > ?## auto moutpoints.
> > ?## </summary>
> > diff -pru a/policy/modules/kernel/kernel.if
> > b/policy/modules/kernel/kernel.if
> > --- a/policy/modules/kernel/kernel.if 2016-12-07
> > 13:39:08.669449296 +0100
> > +++ b/policy/modules/kernel/kernel.if 2016-12-17
> > 21:26:37.530603508 +0100
> > @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
> >
> > ?########################################
> > ?## <summary>
> > +## Mount the directories in /proc.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`kernel_mounton_proc_dirs',`
> > + gen_require(`
> > + type proc_t;
> > + ')
> > +
> > + allow $1 proc_t:dir mounton;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Get the attributes of files in /proc.
> > ?## </summary>
> > ?## <param name="domain">
> > diff -pru a/policy/modules/kernel/kernel.te
> > b/policy/modules/kernel/kernel.te
> > --- a/policy/modules/kernel/kernel.te 2016-12-07
> > 13:39:08.669449296 +0100
> > +++ b/policy/modules/kernel/kernel.te 2016-12-18
> > 01:19:46.891242628 +0100
> > @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
> > ?# connections with invalidated labels:
> > ?allow kernel_t unlabeled_t:packet send;
> >
> > +kernel_mounton_proc_dirs(kernel_t)
> > ?kernel_request_load_module(kernel_t)
> >
> > ?# Allow unlabeled network traffic
> > @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> > ?corenet_raw_send_generic_node(kernel_t)
> > ?corenet_send_all_packets(kernel_t)
> >
> > +dev_mounton_sysfs(kernel_t)
> > ?dev_read_sysfs(kernel_t)
> > ?dev_search_usbfs(kernel_t)
> > ?# devtmpfs handling:
> > @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
> > ?dev_create_generic_chr_files(kernel_t)
> > ?dev_delete_generic_chr_files(kernel_t)
> > ?dev_mounton(kernel_t)
> > +dev_delete_generic_symlinks(kernel_t)
> > +dev_rw_generic_chr_files(kernel_t)
> > +dev_setattr_generic_blk_files(kernel_t)
> > +dev_setattr_generic_chr_files(kernel_t)
> > +dev_getattr_fs(kernel_t)
> > +dev_getattr_sysfs(kernel_t)
> >
> > ?# Mount root file system. Used when loading a policy
> > ?# from initrd, then mounting the root filesystem
> > ?fs_mount_all_fs(kernel_t)
> > ?fs_unmount_all_fs(kernel_t)
> >
> > +fs_getattr_tmpfs(kernel_t)
> > +fs_getattr_tmpfs_dirs(kernel_t)
> > +fs_manage_tmpfs_dirs(kernel_t)
> > +fs_manage_tmpfs_files(kernel_t)
> > +fs_manage_tmpfs_sockets(kernel_t)
> > +fs_delete_tmpfs_symlinks(kernel_t)
> > +
> > +selinux_getattr_fs(kernel_t)
> > ?selinux_load_policy(kernel_t)
> >
> > +term_getattr_pty_fs(kernel_t)
> > ?term_use_console(kernel_t)
> > +term_use_generic_ptys(kernel_t)
> >
> > ?# for kdevtmpfs
> > ?term_setattr_unlink_unallocated_ttys(kernel_t)
> > @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
> > ?domain_signal_all_domains(kernel_t)
> > ?domain_search_all_domains_state(kernel_t)
> >
> > +files_getattr_rootfs(kernel_t)
> > +files_manage_root_dir(kernel_t)
> > +files_delete_root_files(kernel_t)
> > +files_exec_root_files(kernel_t)
> > +files_delete_root_symlinks(kernel_t)
> > +files_delete_root_chr_files(kernel_t)
> > ?files_list_root(kernel_t)
> > ?files_list_etc(kernel_t)
> > +files_getattr_etc_runtime_dirs(kernel_t)
> > +files_mounton_etc_runtime_dirs(kernel_t)
> > ?files_list_home(kernel_t)
> > ?files_read_usr_files(kernel_t)
> >
> > @@ -343,6 +369,7 @@ optional_policy(`
> > ?')
> >
> > ?optional_policy(`
> > + logging_manage_generic_logs(kernel_t)
> > ? logging_send_syslog_msg(kernel_t)
> > ?')
> >
> > @@ -356,6 +383,12 @@ optional_policy(`
> > ?')
> >
> > ?optional_policy(`
> > + plymouthd_read_lib_files(kernel_t)
> > + term_use_ptmx(kernel_t)
> > + term_use_unallocated_ttys(kernel_t)
> > +')
> > +
> > +optional_policy(`
> > ? # nfs kernel server needs kernel UDP access. It is less
> > risky and painful
> > ? # to just give it everything.
> > ? allow kernel_t self:tcp_socket create_stream_socket_perms;
> > @@ -405,6 +438,7 @@ optional_policy(`
> > ?optional_policy(`
> > ? seutil_read_config(kernel_t)
> > ? seutil_read_bin_policy(kernel_t)
> > + seutil_domtrans_setfiles(kernel_t)
> > ?')
> >
> > ?optional_policy(`
> > diff -pru a/policy/modules/kernel/terminal.if
> > b/policy/modules/kernel/terminal.if
> > --- a/policy/modules/kernel/terminal.if 2016-11-05
> > 22:59:46.651875228 +0100
> > +++ b/policy/modules/kernel/terminal.if 2016-12-17
> > 21:40:10.502811148 +0100
> > @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
> >
> > ?########################################
> > ?## <summary>
> > +## Get the attributes of the
> > +## /dev/pts directory.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`term_getattr_pty_dirs',`
> > + gen_require(`
> > + type devpts_t;
> > + ')
> > +
> > + allow $1 devpts_t:dir getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Do not audit attempts to get the
> > ?## attributes of the /dev/pts directory.
> > ?## </summary>
> > @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
> >
> > ? allow $1 devpts_t:chr_file getattr;
> > ?')
> > +
> > ?########################################
> > ?## <summary>
> > ?## Do not audit attempts to get the attributes
Regards,
Guido
On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via refpolicy
wrote:
[...]
> > > This patch adds missing permissions in the kernel module that
> > > prevent
> > > to run it without the unconfined module.
> >
> > I will need more clarification on these rules, especially all the
> > new?
> > root_t access.??The only thing that should normally be root_t is /.
[...]
> As you can see, it is trying to execute a /bin/umount executable file
> that is labeled root_t (this is before switching to the new root, so
> it's in the initramfs).
>
> This is from the following two dracut initramfs modules:
>
> 98selinux/selinux-loadpolicy.sh
> 99base/init.sh
>
> Eventually, no relabeling is done by dracut after loading the policy.
I don't know if it makes sense, but it is a bit like the chicken or egg
problem !
Even if you relabel from initramfs after loading the policy, you still
have to execute setfiles as root_t ! So, it doesn't make much sense to
relabel (and enlarge the initramfs) just for executing umount and a few
other core utilities.
[...]
> > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > ---
> > > ?policy/modules/kernel/devices.if????|???56 +++++++++++++++
> > > ?policy/modules/kernel/files.if??????|??131
> > > ++++++++++++++++++++++++++++++++++++
> > > ?policy/modules/kernel/filesystem.if |???18 ++++
> > > ?policy/modules/kernel/kernel.if?????|???18 ++++
> > > ?policy/modules/kernel/kernel.te?????|???34 +++++++++
> > > ?policy/modules/kernel/terminal.if???|???20 +++++
> > > ?6 files changed, 277 insertions(+)
[...]
Regards,
Guido
On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via refpolicy
> wrote:
>
> [...]
>
>>>> This patch adds missing permissions in the kernel module that
>>>> prevent
>>>> to run it without the unconfined module.
>>>
>>> I will need more clarification on these rules, especially all the
>>> new
>>> root_t access. The only thing that should normally be root_t is /.
>
> [...]
>
>> As you can see, it is trying to execute a /bin/umount executable file
>> that is labeled root_t (this is before switching to the new root, so
>> it's in the initramfs).
>>
>> This is from the following two dracut initramfs modules:
>>
>> 98selinux/selinux-loadpolicy.sh
>> 99base/init.sh
>>
>> Eventually, no relabeling is done by dracut after loading the policy.
>
> I don't know if it makes sense, but it is a bit like the chicken or egg
> problem !
>
> Even if you relabel from initramfs after loading the policy, you still
> have to execute setfiles as root_t ! So, it doesn't make much sense to
> relabel (and enlarge the initramfs) just for executing umount and a few
> other core utilities.
It's too bad dracut seems to generate sloppy initramfs. It is a lot of
unnecessary access to force on anyone that doesn't use dracut. I'm
tempted to make it tunable.
--
Chris PeBenito
IIRC Fedora at least has a SystemD unit which runs very early in the
boot to relabel the filesystem.
Thanks,
- Naftuli Kay
On Wed, Dec 21, 2016 at 11:25 AM, Chris PeBenito via refpolicy
<[email protected]> wrote:
> On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>
>> [...]
>>
>>>>> This patch adds missing permissions in the kernel module that
>>>>> prevent
>>>>> to run it without the unconfined module.
>>>>
>>>> I will need more clarification on these rules, especially all the
>>>> new
>>>> root_t access. The only thing that should normally be root_t is /.
>>
>> [...]
>>
>>> As you can see, it is trying to execute a /bin/umount executable file
>>> that is labeled root_t (this is before switching to the new root, so
>>> it's in the initramfs).
>>>
>>> This is from the following two dracut initramfs modules:
>>>
>>> 98selinux/selinux-loadpolicy.sh
>>> 99base/init.sh
>>>
>>> Eventually, no relabeling is done by dracut after loading the policy.
>>
>> I don't know if it makes sense, but it is a bit like the chicken or egg
>> problem !
>>
>> Even if you relabel from initramfs after loading the policy, you still
>> have to execute setfiles as root_t ! So, it doesn't make much sense to
>> relabel (and enlarge the initramfs) just for executing umount and a few
>> other core utilities.
>
> It's too bad dracut seems to generate sloppy initramfs. It is a lot of
> unnecessary access to force on anyone that doesn't use dracut. I'm
> tempted to make it tunable.
>
>
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Hello again.
The initramfs is just a gzipped cpio archive, which therefore hasn't extended attributes...
Dracut is kernel.org official and widely used.
I am neutral about making it tuneable, but since you proposed it, I'll offer my help to change the patch...
Do you fancy the name "boot_initramfs" for the boolean that you suggested di ?
Please let me know and I'll prepare a new version of this patch.
Regards,
Guido
On the 21st December 2016 20:25:04 CET, Chris PeBenito <[email protected]> wrote:
>On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>
>> [...]
>>
>>>>> This patch adds missing permissions in the kernel module that
>>>>> prevent
>>>>> to run it without the unconfined module.
>>>>
>>>> I will need more clarification on these rules, especially all the
>>>> new
>>>> root_t access. The only thing that should normally be root_t is /.
>>
>> [...]
>>
>>> As you can see, it is trying to execute a /bin/umount executable
>file
>>> that is labeled root_t (this is before switching to the new root, so
>>> it's in the initramfs).
>>>
>>> This is from the following two dracut initramfs modules:
>>>
>>> 98selinux/selinux-loadpolicy.sh
>>> 99base/init.sh
>>>
>>> Eventually, no relabeling is done by dracut after loading the
>policy.
>>
>> I don't know if it makes sense, but it is a bit like the chicken or
>egg
>> problem !
>>
>> Even if you relabel from initramfs after loading the policy, you
>still
>> have to execute setfiles as root_t ! So, it doesn't make much sense
>to
>> relabel (and enlarge the initramfs) just for executing umount and a
>few
>> other core utilities.
>
>It's too bad dracut seems to generate sloppy initramfs. It is a lot of
>
>unnecessary access to force on anyone that doesn't use dracut. I'm
>tempted to make it tunable.
Another naming option would be more simply "allow_initramfs".
Whatever you decide, considering it is official and widely used, I suggest using a default value of "true", which can then be easily hardened.
I look forward to hearing from you about this.
Regards,
Guido
On the 21st December 2016 21:27:14 CET, Guido Trentalancia via refpolicy <[email protected]> wrote:
>Hello again.
>
>The initramfs is just a gzipped cpio archive, which therefore hasn't
>extended attributes...
>
>Dracut is kernel.org official and widely used.
>
>I am neutral about making it tuneable, but since you proposed it, I'll
>offer my help to change the patch...
>
>Do you fancy the name "boot_initramfs" for the boolean that you
>suggested di ?
>
>Please let me know and I'll prepare a new version of this patch.
>
>Regards,
>
>Guido
>
>
>
>On the 21st December 2016 20:25:04 CET, Chris PeBenito
><[email protected]> wrote:
>>On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>>> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via
>refpolicy
>>> wrote:
>>>
>>> [...]
>>>
>>>>>> This patch adds missing permissions in the kernel module that
>>>>>> prevent
>>>>>> to run it without the unconfined module.
>>>>>
>>>>> I will need more clarification on these rules, especially all the
>>>>> new
>>>>> root_t access. The only thing that should normally be root_t is
>/.
>>>
>>> [...]
>>>
>>>> As you can see, it is trying to execute a /bin/umount executable
>>file
>>>> that is labeled root_t (this is before switching to the new root,
>so
>>>> it's in the initramfs).
>>>>
>>>> This is from the following two dracut initramfs modules:
>>>>
>>>> 98selinux/selinux-loadpolicy.sh
>>>> 99base/init.sh
>>>>
>>>> Eventually, no relabeling is done by dracut after loading the
>>policy.
>>>
>>> I don't know if it makes sense, but it is a bit like the chicken or
>>egg
>>> problem !
>>>
>>> Even if you relabel from initramfs after loading the policy, you
>>still
>>> have to execute setfiles as root_t ! So, it doesn't make much sense
>>to
>>> relabel (and enlarge the initramfs) just for executing umount and a
>>few
>>> other core utilities.
>>
>>It's too bad dracut seems to generate sloppy initramfs. It is a lot
>of
>>
>>unnecessary access to force on anyone that doesn't use dracut. I'm
>>tempted to make it tunable.
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
> The initramfs is just a gzipped cpio archive, which therefore hasn't extended attributes...
Aha, that explains it.
Thanks,
- Naftuli Kay
On Wed, Dec 21, 2016 at 12:39 PM, Guido Trentalancia via refpolicy
<[email protected]> wrote:
> Another naming option would be more simply "allow_initramfs".
>
> Whatever you decide, considering it is official and widely used, I suggest using a default value of "true", which can then be easily hardened.
>
> I look forward to hearing from you about this.
>
> Regards,
>
> Guido
>
> On the 21st December 2016 21:27:14 CET, Guido Trentalancia via refpolicy <[email protected]> wrote:
>>Hello again.
>>
>>The initramfs is just a gzipped cpio archive, which therefore hasn't
>>extended attributes...
>>
>>Dracut is kernel.org official and widely used.
>>
>>I am neutral about making it tuneable, but since you proposed it, I'll
>>offer my help to change the patch...
>>
>>Do you fancy the name "boot_initramfs" for the boolean that you
>>suggested di ?
>>
>>Please let me know and I'll prepare a new version of this patch.
>>
>>Regards,
>>
>>Guido
>>
>>
>>
>>On the 21st December 2016 20:25:04 CET, Chris PeBenito
>><[email protected]> wrote:
>>>On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>>>> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via
>>refpolicy
>>>> wrote:
>>>>
>>>> [...]
>>>>
>>>>>>> This patch adds missing permissions in the kernel module that
>>>>>>> prevent
>>>>>>> to run it without the unconfined module.
>>>>>>
>>>>>> I will need more clarification on these rules, especially all the
>>>>>> new
>>>>>> root_t access. The only thing that should normally be root_t is
>>/.
>>>>
>>>> [...]
>>>>
>>>>> As you can see, it is trying to execute a /bin/umount executable
>>>file
>>>>> that is labeled root_t (this is before switching to the new root,
>>so
>>>>> it's in the initramfs).
>>>>>
>>>>> This is from the following two dracut initramfs modules:
>>>>>
>>>>> 98selinux/selinux-loadpolicy.sh
>>>>> 99base/init.sh
>>>>>
>>>>> Eventually, no relabeling is done by dracut after loading the
>>>policy.
>>>>
>>>> I don't know if it makes sense, but it is a bit like the chicken or
>>>egg
>>>> problem !
>>>>
>>>> Even if you relabel from initramfs after loading the policy, you
>>>still
>>>> have to execute setfiles as root_t ! So, it doesn't make much sense
>>>to
>>>> relabel (and enlarge the initramfs) just for executing umount and a
>>>few
>>>> other core utilities.
>>>
>>>It's too bad dracut seems to generate sloppy initramfs. It is a lot
>>of
>>>
>>>unnecessary access to force on anyone that doesn't use dracut. I'm
>>>tempted to make it tunable.
>>
>>_______________________________________________
>>refpolicy mailing list
>>refpolicy at oss.tresys.com
>>http://oss.tresys.com/mailman/listinfo/refpolicy
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
On 12/21/16 15:39, Guido Trentalancia via refpolicy wrote:
> Another naming option would be more simply "allow_initramfs".
I'd prefer kernel_dracut_initramfs.
> Whatever you decide, considering it is official and widely used, I suggest using a default value of "true", which can then be easily hardened.
I'd also keep it false by default for refpolicy. Then individual
distros can turn it to true by default if they use it.
> I look forward to hearing from you about this.
> On the 21st December 2016 21:27:14 CET, Guido Trentalancia via refpolicy <[email protected]> wrote:
>> Hello again.
>>
>> The initramfs is just a gzipped cpio archive, which therefore hasn't
>> extended attributes...
>>
>> Dracut is kernel.org official and widely used.
>>
>> I am neutral about making it tuneable, but since you proposed it, I'll
>> offer my help to change the patch...
>>
>> Do you fancy the name "boot_initramfs" for the boolean that you
>> suggested di ?
>>
>> Please let me know and I'll prepare a new version of this patch.
>>
>> Regards,
>>
>> Guido
>>
>>
>>
>> On the 21st December 2016 20:25:04 CET, Chris PeBenito
>> <[email protected]> wrote:
>>> On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>>>> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via
>> refpolicy
>>>> wrote:
>>>>
>>>> [...]
>>>>
>>>>>>> This patch adds missing permissions in the kernel module that
>>>>>>> prevent
>>>>>>> to run it without the unconfined module.
>>>>>>
>>>>>> I will need more clarification on these rules, especially all the
>>>>>> new
>>>>>> root_t access. The only thing that should normally be root_t is
>> /.
>>>>
>>>> [...]
>>>>
>>>>> As you can see, it is trying to execute a /bin/umount executable
>>> file
>>>>> that is labeled root_t (this is before switching to the new root,
>> so
>>>>> it's in the initramfs).
>>>>>
>>>>> This is from the following two dracut initramfs modules:
>>>>>
>>>>> 98selinux/selinux-loadpolicy.sh
>>>>> 99base/init.sh
>>>>>
>>>>> Eventually, no relabeling is done by dracut after loading the
>>> policy.
>>>>
>>>> I don't know if it makes sense, but it is a bit like the chicken or
>>> egg
>>>> problem !
>>>>
>>>> Even if you relabel from initramfs after loading the policy, you
>>> still
>>>> have to execute setfiles as root_t ! So, it doesn't make much sense
>>> to
>>>> relabel (and enlarge the initramfs) just for executing umount and a
>>> few
>>>> other core utilities.
>>>
>>> It's too bad dracut seems to generate sloppy initramfs. It is a lot
>> of
>>>
>>> unnecessary access to force on anyone that doesn't use dracut. I'm
>>> tempted to make it tunable.
--
Chris PeBenito
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.
The second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".
This third version of the patch, makes the permissions related to
booting an initramfs tuneable policy.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 56 +++++++++++++++
policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.if | 18 ++++
policy/modules/kernel/kernel.if | 18 ++++
policy/modules/kernel/kernel.te | 45 ++++++++++++
policy/modules/kernel/terminal.if | 20 +++++
6 files changed, 288 insertions(+)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
+++ b/policy/modules/kernel/devices.if 2016-12-22 00:32:08.268156971 +0100
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
########################################
## <summary>
+## Set the attributes on generic
+## block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
## Dontaudit setattr on generic block devices.
## </summary>
## <param name="domain">
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
########################################
## <summary>
+## Set the attributes for generic
+## character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
## Dontaudit setattr for generic character device files.
## </summary>
## <param name="domain">
@@ -3896,6 +3934,24 @@ interface(`dev_manage_smartcard',`
')
########################################
+## <summary>
+## Mount a filesystem on sysfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
--- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
+++ b/policy/modules/kernel/files.if 2016-12-22 00:32:08.270156995 +0100
@@ -1784,6 +1784,25 @@ interface(`files_list_root',`
########################################
## <summary>
+## Delete symbolic links in the
+## root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_symlinks',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write to / dirs.
## </summary>
## <param name="domain">
@@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
########################################
## <summary>
+## Delete character device nodes in
+## the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
## Delete files in the root directory.
## </summary>
## <param name="domain">
@@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
########################################
## <summary>
+## Execute files in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
## Remove entries from the root directory.
## </summary>
## <param name="domain">
@@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
########################################
## <summary>
+## Manage the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of a rootfs
+## file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Associate to root file system.
## </summary>
## <param name="file_type">
@@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
')
########################################
+## <summary>
+## Get the attributes of the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
## <summary>
## Do not audit attempts to set the attributes of the etc_runtime files
## </summary>
diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
--- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
+++ b/policy/modules/kernel/filesystem.if 2016-12-22 00:32:08.271157007 +0100
@@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
########################################
## <summary>
+## Delete tmpfs symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## auto moutpoints.
## </summary>
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-22 00:32:08.272157018 +0100
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
########################################
## <summary>
+## Mount the directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get the attributes of files in /proc.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
--- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.te 2016-12-22 00:38:37.515792724 +0100
@@ -12,6 +12,14 @@ policy_module(kernel, 1.21.2)
## </desc>
gen_bool(secure_mode_insmod, false)
+## <desc>
+## <p>
+## Allows booting an initramfs (e.g.
+## dracut).
+## </p>
+## </desc>
+gen_bool(kernel_dracut_initramfs, false)
+
# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
@@ -239,6 +247,7 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
+kernel_mounton_proc_dirs(kernel_t)
kernel_request_load_module(kernel_t)
# Allow unlabeled network traffic
@@ -258,6 +267,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
+dev_mounton_sysfs(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
# devtmpfs handling:
@@ -268,15 +278,31 @@ dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t)
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
selinux_load_policy(kernel_t)
+term_getattr_pty_fs(kernel_t)
term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
# for kdevtmpfs
term_setattr_unlink_unallocated_ttys(kernel_t)
@@ -291,9 +317,20 @@ domain_search_all_domains_state(kernel_t
files_list_root(kernel_t)
files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
+tunable_policy(`kernel_dracut_initramfs',`
+ files_getattr_rootfs(kernel_t)
+ files_manage_root_dir(kernel_t)
+ files_delete_root_files(kernel_t)
+ files_exec_root_files(kernel_t)
+ files_delete_root_symlinks(kernel_t)
+ files_delete_root_chr_files(kernel_t)
+')
+
mcs_process_set_categories(kernel_t)
mls_process_read_all_levels(kernel_t)
@@ -343,6 +380,7 @@ optional_policy(`
')
optional_policy(`
+ logging_manage_generic_logs(kernel_t)
logging_send_syslog_msg(kernel_t)
')
@@ -356,6 +394,12 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_read_lib_files(kernel_t)
+ term_use_ptmx(kernel_t)
+ term_use_unallocated_ttys(kernel_t)
+')
+
+optional_policy(`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -405,6 +449,7 @@ optional_policy(`
optional_policy(`
seutil_read_config(kernel_t)
seutil_read_bin_policy(kernel_t)
+ seutil_domtrans_setfiles(kernel_t)
')
optional_policy(`
diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
--- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
+++ b/policy/modules/kernel/terminal.if 2016-12-22 00:32:08.274157042 +0100
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
########################################
## <summary>
+## Get the attributes of the
+## /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_getattr_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
## </summary>
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
allow $1 devpts_t:chr_file getattr;
')
+
########################################
## <summary>
## Do not audit attempts to get the attributes
On 12/22/16 16:05, Guido Trentalancia via refpolicy wrote:
> This patch adds missing permissions in the kernel module that prevent
> to run it without the unconfined module.
>
> The second version improves the comment section of new interfaces:
> "Domain" is replaced by "Domain allowed access".
>
> This third version of the patch, makes the permissions related to
> booting an initramfs tuneable policy.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/devices.if | 56 +++++++++++++++
> policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/filesystem.if | 18 ++++
> policy/modules/kernel/kernel.if | 18 ++++
> policy/modules/kernel/kernel.te | 45 ++++++++++++
> policy/modules/kernel/terminal.if | 20 +++++
> 6 files changed, 288 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
> +++ b/policy/modules/kernel/devices.if 2016-12-22 00:32:08.268156971 +0100
> @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ## <summary>
> +## Set the attributes on generic
> +## block devices.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_blk_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:blk_file setattr;
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit setattr on generic block devices.
> ## </summary>
> ## <param name="domain">
> @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ## <summary>
> +## Set the attributes for generic
> +## character device files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_chr_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:chr_file setattr;
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit setattr for generic character device files.
> ## </summary>
> ## <param name="domain">
> @@ -3896,6 +3934,24 @@ interface(`dev_manage_smartcard',`
> ')
>
> ########################################
> +## <summary>
> +## Mount a filesystem on sysfs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allow access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mounton_sysfs',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
> ## <summary>
> ## Associate a file to a sysfs filesystem.
> ## </summary>
> diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> --- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
> +++ b/policy/modules/kernel/files.if 2016-12-22 00:32:08.270156995 +0100
> @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
>
> ########################################
> ## <summary>
> +## Delete symbolic links in the
> +## root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_root_symlinks',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to write to / dirs.
> ## </summary>
> ## <param name="domain">
> @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
>
> ########################################
> ## <summary>
> +## Delete character device nodes in
> +## the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_root_chr_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:chr_file delete_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Delete files in the root directory.
> ## </summary>
> ## <param name="domain">
> @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
>
> ########################################
> ## <summary>
> +## Execute files in the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_root_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Remove entries from the root directory.
> ## </summary>
> ## <param name="domain">
> @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
>
> ########################################
> ## <summary>
> +## Manage the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_manage_root_dir',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:dir manage_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of a rootfs
> +## file system.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_rootfs',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Associate to root file system.
> ## </summary>
> ## <param name="file_type">
> @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
> ')
>
> ########################################
> +## <summary>
> +## Get the attributes of the
> +## etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Mount a filesystem on the
> +## etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_mounton_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir mounton;
> +')
> +
> +########################################
> ## <summary>
> ## Do not audit attempts to set the attributes of the etc_runtime files
> ## </summary>
> diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> --- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
> +++ b/policy/modules/kernel/filesystem.if 2016-12-22 00:32:08.271157007 +0100
> @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
>
> ########################################
> ## <summary>
> +## Delete tmpfs symbolic links.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_delete_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## auto moutpoints.
> ## </summary>
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-22 00:32:08.272157018 +0100
> @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
>
> ########################################
> ## <summary>
> +## Mount the directories in /proc.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mounton_proc_dirs',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of files in /proc.
> ## </summary>
> ## <param name="domain">
> diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> --- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.te 2016-12-22 00:38:37.515792724 +0100
> @@ -12,6 +12,14 @@ policy_module(kernel, 1.21.2)
> ## </desc>
> gen_bool(secure_mode_insmod, false)
>
> +## <desc>
> +## <p>
> +## Allows booting an initramfs (e.g.
> +## dracut).
> +## </p>
> +## </desc>
> +gen_bool(kernel_dracut_initramfs, false)
> +
> # assertion related attributes
> attribute can_load_kernmodule;
> attribute can_receive_kernel_messages;
> @@ -239,6 +247,7 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
It would seem that all of the below new rules should also go in the new
conditional too. If they are not part of dracut initramfs, then what
are they from?
> +kernel_mounton_proc_dirs(kernel_t)
> kernel_request_load_module(kernel_t)
>
> # Allow unlabeled network traffic
> @@ -258,6 +267,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> corenet_raw_send_generic_node(kernel_t)
> corenet_send_all_packets(kernel_t)
>
> +dev_mounton_sysfs(kernel_t)
> dev_read_sysfs(kernel_t)
> dev_search_usbfs(kernel_t)
> # devtmpfs handling:
> @@ -268,15 +278,31 @@ dev_delete_generic_blk_files(kernel_t)
> dev_create_generic_chr_files(kernel_t)
> dev_delete_generic_chr_files(kernel_t)
> dev_mounton(kernel_t)
> +dev_delete_generic_symlinks(kernel_t)
> +dev_rw_generic_chr_files(kernel_t)
> +dev_setattr_generic_blk_files(kernel_t)
> +dev_setattr_generic_chr_files(kernel_t)
> +dev_getattr_fs(kernel_t)
> +dev_getattr_sysfs(kernel_t)
>
> # Mount root file system. Used when loading a policy
> # from initrd, then mounting the root filesystem
> fs_mount_all_fs(kernel_t)
> fs_unmount_all_fs(kernel_t)
>
> +fs_getattr_tmpfs(kernel_t)
> +fs_getattr_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_files(kernel_t)
> +fs_manage_tmpfs_sockets(kernel_t)
> +fs_delete_tmpfs_symlinks(kernel_t)
> +
> +selinux_getattr_fs(kernel_t)
> selinux_load_policy(kernel_t)
>
> +term_getattr_pty_fs(kernel_t)
> term_use_console(kernel_t)
> +term_use_generic_ptys(kernel_t)
>
> # for kdevtmpfs
> term_setattr_unlink_unallocated_ttys(kernel_t)
> @@ -291,9 +317,20 @@ domain_search_all_domains_state(kernel_t
>
> files_list_root(kernel_t)
> files_list_etc(kernel_t)
> +files_getattr_etc_runtime_dirs(kernel_t)
> +files_mounton_etc_runtime_dirs(kernel_t)
> files_list_home(kernel_t)
> files_read_usr_files(kernel_t)
>
> +tunable_policy(`kernel_dracut_initramfs',`
> + files_getattr_rootfs(kernel_t)
> + files_manage_root_dir(kernel_t)
> + files_delete_root_files(kernel_t)
> + files_exec_root_files(kernel_t)
> + files_delete_root_symlinks(kernel_t)
> + files_delete_root_chr_files(kernel_t)
> +')
> +
> mcs_process_set_categories(kernel_t)
>
> mls_process_read_all_levels(kernel_t)
> @@ -343,6 +380,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + logging_manage_generic_logs(kernel_t)
> logging_send_syslog_msg(kernel_t)
> ')
>
> @@ -356,6 +394,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + plymouthd_read_lib_files(kernel_t)
> + term_use_ptmx(kernel_t)
> + term_use_unallocated_ttys(kernel_t)
> +')
> +
> +optional_policy(`
> # nfs kernel server needs kernel UDP access. It is less risky and painful
> # to just give it everything.
> allow kernel_t self:tcp_socket create_stream_socket_perms;
> @@ -405,6 +449,7 @@ optional_policy(`
> optional_policy(`
> seutil_read_config(kernel_t)
> seutil_read_bin_policy(kernel_t)
> + seutil_domtrans_setfiles(kernel_t)
> ')
>
> optional_policy(`
> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> --- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
> +++ b/policy/modules/kernel/terminal.if 2016-12-22 00:32:08.274157042 +0100
> @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
>
> ########################################
> ## <summary>
> +## Get the attributes of the
> +## /dev/pts directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`term_getattr_pty_dirs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to get the
> ## attributes of the /dev/pts directory.
> ## </summary>
> @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
>
> allow $1 devpts_t:chr_file getattr;
> ')
> +
> ########################################
> ## <summary>
> ## Do not audit attempts to get the attributes
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
Hello.
On Thu, 22/12/2016 at 16.17 -0500, Chris PeBenito wrote:
> On 12/22/16 16:05, Guido Trentalancia via refpolicy wrote:
> >
> > This patch adds missing permissions in the kernel module that
> > prevent
> > to run it without the unconfined module.
> >
> > The second version improves the comment section of new interfaces:
> > "Domain" is replaced by "Domain allowed access".
> >
> > This third version of the patch, makes the permissions related to
> > booting an initramfs tuneable policy.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/kernel/devices.if????|???56 +++++++++++++++
> > ?policy/modules/kernel/files.if??????|??131
> > ++++++++++++++++++++++++++++++++++++
> > ?policy/modules/kernel/filesystem.if |???18 ++++
> > ?policy/modules/kernel/kernel.if?????|???18 ++++
> > ?policy/modules/kernel/kernel.te?????|???45 ++++++++++++
> > ?policy/modules/kernel/terminal.if???|???20 +++++
> > ?6 files changed, 288 insertions(+)
[...]
> > diff -pru a/policy/modules/kernel/kernel.te
> > b/policy/modules/kernel/kernel.te
> > --- a/policy/modules/kernel/kernel.te 2016-12-07
> > 13:39:08.669449296 +0100
> > +++ b/policy/modules/kernel/kernel.te 2016-12-22
> > 00:38:37.515792724 +0100
> > @@ -12,6 +12,14 @@ policy_module(kernel, 1.21.2)
> > ?## </desc>
> > ?gen_bool(secure_mode_insmod, false)
> >
> > +## <desc>
> > +## <p>
> > +## Allows booting an initramfs (e.g.
> > +## dracut).
> > +## </p>
> > +## </desc>
> > +gen_bool(kernel_dracut_initramfs, false)
> > +
> > ?# assertion related attributes
> > ?attribute can_load_kernmodule;
> > ?attribute can_receive_kernel_messages;
> > @@ -239,6 +247,7 @@ allow kernel_t unlabeled_t:dir mounton;
> > ?# connections with invalidated labels:
> > ?allow kernel_t unlabeled_t:packet send;
>
> It would seem that all of the below new rules should also go in the
> new?
> conditional too.??If they are not part of dracut initramfs, then
> what?
> are they from?
I am not sure the other permissions are only needed for initramfs.
Many of them are related to devtmpfs (see the existing comments).
The only one that is only related to initramfs with a good probability
is?seutil_domtrans_setfiles(kernel_t), which is a critical (the others
aren't critical). Should I create a new patch with that added to the
tuneable block ?
Consider that the existing module was working fine because it has the
unconfined module, which is a big security hole ! Perhaps, we can get
rid of that ?!?
> > +kernel_mounton_proc_dirs(kernel_t)
> > ?kernel_request_load_module(kernel_t)
> >
> > ?# Allow unlabeled network traffic
> > @@ -258,6 +267,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> > ?corenet_raw_send_generic_node(kernel_t)
> > ?corenet_send_all_packets(kernel_t)
> >
> > +dev_mounton_sysfs(kernel_t)
> > ?dev_read_sysfs(kernel_t)
> > ?dev_search_usbfs(kernel_t)
> > ?# devtmpfs handling:
> > @@ -268,15 +278,31 @@ dev_delete_generic_blk_files(kernel_t)
> > ?dev_create_generic_chr_files(kernel_t)
> > ?dev_delete_generic_chr_files(kernel_t)
> > ?dev_mounton(kernel_t)
> > +dev_delete_generic_symlinks(kernel_t)
> > +dev_rw_generic_chr_files(kernel_t)
> > +dev_setattr_generic_blk_files(kernel_t)
> > +dev_setattr_generic_chr_files(kernel_t)
> > +dev_getattr_fs(kernel_t)
> > +dev_getattr_sysfs(kernel_t)
> >
> > ?# Mount root file system. Used when loading a policy
> > ?# from initrd, then mounting the root filesystem
> > ?fs_mount_all_fs(kernel_t)
> > ?fs_unmount_all_fs(kernel_t)
> >
> > +fs_getattr_tmpfs(kernel_t)
> > +fs_getattr_tmpfs_dirs(kernel_t)
> > +fs_manage_tmpfs_dirs(kernel_t)
> > +fs_manage_tmpfs_files(kernel_t)
> > +fs_manage_tmpfs_sockets(kernel_t)
> > +fs_delete_tmpfs_symlinks(kernel_t)
> > +
> > +selinux_getattr_fs(kernel_t)
> > ?selinux_load_policy(kernel_t)
> >
> > +term_getattr_pty_fs(kernel_t)
> > ?term_use_console(kernel_t)
> > +term_use_generic_ptys(kernel_t)
> >
> > ?# for kdevtmpfs
> > ?term_setattr_unlink_unallocated_ttys(kernel_t)
> > @@ -291,9 +317,20 @@ domain_search_all_domains_state(kernel_t
> >
> > ?files_list_root(kernel_t)
> > ?files_list_etc(kernel_t)
> > +files_getattr_etc_runtime_dirs(kernel_t)
> > +files_mounton_etc_runtime_dirs(kernel_t)
> > ?files_list_home(kernel_t)
> > ?files_read_usr_files(kernel_t)
> >
> > +tunable_policy(`kernel_dracut_initramfs',`
> > + files_getattr_rootfs(kernel_t)
> > + files_manage_root_dir(kernel_t)
> > + files_delete_root_files(kernel_t)
> > + files_exec_root_files(kernel_t)
> > + files_delete_root_symlinks(kernel_t)
> > + files_delete_root_chr_files(kernel_t)
> > +')
> > +
> > ?mcs_process_set_categories(kernel_t)
> >
> > ?mls_process_read_all_levels(kernel_t)
> > @@ -343,6 +380,7 @@ optional_policy(`
> > ?')
> >
> > ?optional_policy(`
> > + logging_manage_generic_logs(kernel_t)
> > ? logging_send_syslog_msg(kernel_t)
> > ?')
> >
> > @@ -356,6 +394,12 @@ optional_policy(`
> > ?')
> >
> > ?optional_policy(`
> > + plymouthd_read_lib_files(kernel_t)
> > + term_use_ptmx(kernel_t)
> > + term_use_unallocated_ttys(kernel_t)
> > +')
> > +
> > +optional_policy(`
> > ? # nfs kernel server needs kernel UDP access. It is less
> > risky and painful
> > ? # to just give it everything.
> > ? allow kernel_t self:tcp_socket create_stream_socket_perms;
> > @@ -405,6 +449,7 @@ optional_policy(`
> > ?optional_policy(`
> > ? seutil_read_config(kernel_t)
> > ? seutil_read_bin_policy(kernel_t)
> > + seutil_domtrans_setfiles(kernel_t)
> > ?')
> >
> > ?optional_policy(`
> > diff -pru a/policy/modules/kernel/terminal.if
> > b/policy/modules/kernel/terminal.if
> > --- a/policy/modules/kernel/terminal.if 2016-11-05
> > 22:59:46.651875228 +0100
> > +++ b/policy/modules/kernel/terminal.if 2016-12-22
> > 00:32:08.274157042 +0100
> > @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
> >
> > ?########################################
> > ?## <summary>
> > +## Get the attributes of the
> > +## /dev/pts directory.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`term_getattr_pty_dirs',`
> > + gen_require(`
> > + type devpts_t;
> > + ')
> > +
> > + allow $1 devpts_t:dir getattr;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Do not audit attempts to get the
> > ?## attributes of the /dev/pts directory.
> > ?## </summary>
> > @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
> >
> > ? allow $1 devpts_t:chr_file getattr;
> > ?')
> > +
> > ?########################################
> > ?## <summary>
> > ?## Do not audit attempts to get the attributes
Regards,
Guido
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.
The second version improved the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".
The third version introduced a new "kernel_dracut_initramfs" boolean
and tuneable policy controlled by it, so that permissions needed when
booting an initramfs (generated for example by dracut) are not always
granted (this is an idea of Christopher PeBenito).
This fourth version of the patch moves the critical permission to run
setfiles to the initramfs tuneable policy and completely removes the
unconfined_domain() interface so that the kernel always run in
confined mode for maximum security.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/devices.if | 56 +++++++++++++++
policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.if | 18 ++++
policy/modules/kernel/kernel.if | 18 ++++
policy/modules/kernel/kernel.te | 50 ++++++++++++-
policy/modules/kernel/terminal.if | 20 +++++
6 files changed, 290 insertions(+), 3 deletions(-)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
+++ b/policy/modules/kernel/devices.if 2016-12-23 23:55:15.642874556 +0100
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
########################################
## <summary>
+## Set the attributes on generic
+## block devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
## Dontaudit setattr on generic block devices.
## </summary>
## <param name="domain">
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
########################################
## <summary>
+## Set the attributes for generic
+## character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
## Dontaudit setattr for generic character device files.
## </summary>
## <param name="domain">
@@ -3896,6 +3934,24 @@ interface(`dev_manage_smartcard',`
')
########################################
+## <summary>
+## Mount a filesystem on sysfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
--- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
+++ b/policy/modules/kernel/files.if 2016-12-23 23:55:15.658874802 +0100
@@ -1784,6 +1784,25 @@ interface(`files_list_root',`
########################################
## <summary>
+## Delete symbolic links in the
+## root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_symlinks',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write to / dirs.
## </summary>
## <param name="domain">
@@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
########################################
## <summary>
+## Delete character device nodes in
+## the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
## Delete files in the root directory.
## </summary>
## <param name="domain">
@@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
########################################
## <summary>
+## Execute files in the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
## Remove entries from the root directory.
## </summary>
## <param name="domain">
@@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
########################################
## <summary>
+## Manage the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of a rootfs
+## file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Associate to root file system.
## </summary>
## <param name="file_type">
@@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
')
########################################
+## <summary>
+## Get the attributes of the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_getattr_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on the
+## etc_runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
## <summary>
## Do not audit attempts to set the attributes of the etc_runtime files
## </summary>
diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
--- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
+++ b/policy/modules/kernel/filesystem.if 2016-12-23 23:55:15.660874832 +0100
@@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
########################################
## <summary>
+## Delete tmpfs symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## auto moutpoints.
## </summary>
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-23 23:55:15.662874863 +0100
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
########################################
## <summary>
+## Mount the directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get the attributes of files in /proc.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
--- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
+++ b/policy/modules/kernel/kernel.te 2016-12-23 23:59:54.394134535 +0100
@@ -12,6 +12,14 @@ policy_module(kernel, 1.21.2)
## </desc>
gen_bool(secure_mode_insmod, false)
+## <desc>
+## <p>
+## Allows booting an initramfs (e.g.
+## dracut).
+## </p>
+## </desc>
+gen_bool(kernel_dracut_initramfs, false)
+
# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
@@ -239,6 +247,7 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
+kernel_mounton_proc_dirs(kernel_t)
kernel_request_load_module(kernel_t)
# Allow unlabeled network traffic
@@ -258,6 +267,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
+dev_mounton_sysfs(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
# devtmpfs handling:
@@ -268,15 +278,31 @@ dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t)
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
selinux_load_policy(kernel_t)
+term_getattr_pty_fs(kernel_t)
term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
# for kdevtmpfs
term_setattr_unlink_unallocated_ttys(kernel_t)
@@ -291,6 +317,8 @@ domain_search_all_domains_state(kernel_t
files_list_root(kernel_t)
files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -301,6 +329,15 @@ mls_process_write_all_levels(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+tunable_policy(`kernel_dracut_initramfs',`
+ files_getattr_rootfs(kernel_t)
+ files_manage_root_dir(kernel_t)
+ files_delete_root_files(kernel_t)
+ files_exec_root_files(kernel_t)
+ files_delete_root_symlinks(kernel_t)
+ files_delete_root_chr_files(kernel_t)
+')
+
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
@@ -343,6 +380,7 @@ optional_policy(`
')
optional_policy(`
+ logging_manage_generic_logs(kernel_t)
logging_send_syslog_msg(kernel_t)
')
@@ -356,6 +394,12 @@ optional_policy(`
')
optional_policy(`
+ plymouthd_read_lib_files(kernel_t)
+ term_use_ptmx(kernel_t)
+ term_use_unallocated_ttys(kernel_t)
+')
+
+optional_policy(`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -405,10 +449,10 @@ optional_policy(`
optional_policy(`
seutil_read_config(kernel_t)
seutil_read_bin_policy(kernel_t)
-')
-optional_policy(`
- unconfined_domain_noaudit(kernel_t)
+ tunable_policy(`kernel_dracut_initramfs',`
+ seutil_domtrans_setfiles(kernel_t)
+ ')
')
########################################
diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
--- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
+++ b/policy/modules/kernel/terminal.if 2016-12-23 23:55:15.694875353 +0100
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
########################################
## <summary>
+## Get the attributes of the
+## /dev/pts directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_getattr_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
## </summary>
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
allow $1 devpts_t:chr_file getattr;
')
+
########################################
## <summary>
## Do not audit attempts to get the attributes
On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
> This patch adds missing permissions in the kernel module that prevent
> to run it without the unconfined module.
>
> This second version improves the comment section of new interfaces:
> "Domain" is replaced by "Domain allowed access".
I thought that all of the added rules were for the initramfs. Since
only a few are, I'm fine without the tunable, so I merged this version
of the patch.
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/devices.if | 56 +++++++++++++++
> policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/filesystem.if | 18 ++++
> policy/modules/kernel/kernel.if | 18 ++++
> policy/modules/kernel/kernel.te | 34 +++++++++
> policy/modules/kernel/terminal.if | 20 +++++
> 6 files changed, 277 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-08-14 21:24:48.932381791 +0200
> +++ b/policy/modules/kernel/devices.if 2016-12-18 01:11:02.888132347 +0100
> @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ## <summary>
> +## Set the attributes on generic
> +## block devices.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_blk_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:blk_file setattr;
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit setattr on generic block devices.
> ## </summary>
> ## <param name="domain">
> @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic
>
> ########################################
> ## <summary>
> +## Set the attributes for generic
> +## character device files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_setattr_generic_chr_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:chr_file setattr;
> +')
> +
> +########################################
> +## <summary>
> ## Dontaudit setattr for generic character device files.
> ## </summary>
> ## <param name="domain">
> @@ -3897,6 +3954,24 @@ interface(`dev_manage_smartcard',`
>
> ########################################
> ## <summary>
> +## Mount a filesystem on sysfs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allow access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mounton_sysfs',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Associate a file to a sysfs filesystem.
> ## </summary>
> ## <param name="file_type">
> diff -pru a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> --- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
> +++ b/policy/modules/kernel/files.if 2016-12-17 23:34:25.007517608 +0100
> @@ -1784,6 +1784,25 @@ interface(`files_list_root',`
>
> ########################################
> ## <summary>
> +## Delete symbolic links in the
> +## root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_root_symlinks',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to write to / dirs.
> ## </summary>
> ## <param name="domain">
> @@ -1912,6 +1931,25 @@ interface(`files_dontaudit_rw_root_chr_f
>
> ########################################
> ## <summary>
> +## Delete character device nodes in
> +## the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_root_chr_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:chr_file delete_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Delete files in the root directory.
> ## </summary>
> ## <param name="domain">
> @@ -1930,6 +1968,24 @@ interface(`files_delete_root_files',`
>
> ########################################
> ## <summary>
> +## Execute files in the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_root_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Remove entries from the root directory.
> ## </summary>
> ## <param name="domain">
> @@ -1948,6 +2004,43 @@ interface(`files_delete_root_dir_entry',
>
> ########################################
> ## <summary>
> +## Manage the root directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_manage_root_dir',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:dir manage_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of a rootfs
> +## file system.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_rootfs',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + allow $1 root_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Associate to root file system.
> ## </summary>
> ## <param name="file_type">
> @@ -3054,6 +3147,44 @@ interface(`files_delete_boot_flag',`
> ')
>
> ########################################
> +## <summary>
> +## Get the attributes of the
> +## etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_getattr_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Mount a filesystem on the
> +## etc_runtime directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_mounton_etc_runtime_dirs',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:dir mounton;
> +')
> +
> +########################################
> ## <summary>
> ## Do not audit attempts to set the attributes of the etc_runtime files
> ## </summary>
> diff -pru a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> --- a/policy/modules/kernel/filesystem.if 2016-11-05 22:59:46.649875204 +0100
> +++ b/policy/modules/kernel/filesystem.if 2016-12-17 22:50:22.936435441 +0100
> @@ -4283,6 +4283,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',
>
> ########################################
> ## <summary>
> +## Delete tmpfs symbolic links.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_delete_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## auto moutpoints.
> ## </summary>
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-17 21:26:37.530603508 +0100
> @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_d
>
> ########################################
> ## <summary>
> +## Mount the directories in /proc.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mounton_proc_dirs',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of files in /proc.
> ## </summary>
> ## <param name="domain">
> diff -pru a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> --- a/policy/modules/kernel/kernel.te 2016-12-07 13:39:08.669449296 +0100
> +++ b/policy/modules/kernel/kernel.te 2016-12-18 01:19:46.891242628 +0100
> @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
>
> +kernel_mounton_proc_dirs(kernel_t)
> kernel_request_load_module(kernel_t)
>
> # Allow unlabeled network traffic
> @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
> corenet_raw_send_generic_node(kernel_t)
> corenet_send_all_packets(kernel_t)
>
> +dev_mounton_sysfs(kernel_t)
> dev_read_sysfs(kernel_t)
> dev_search_usbfs(kernel_t)
> # devtmpfs handling:
> @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
> dev_create_generic_chr_files(kernel_t)
> dev_delete_generic_chr_files(kernel_t)
> dev_mounton(kernel_t)
> +dev_delete_generic_symlinks(kernel_t)
> +dev_rw_generic_chr_files(kernel_t)
> +dev_setattr_generic_blk_files(kernel_t)
> +dev_setattr_generic_chr_files(kernel_t)
> +dev_getattr_fs(kernel_t)
> +dev_getattr_sysfs(kernel_t)
>
> # Mount root file system. Used when loading a policy
> # from initrd, then mounting the root filesystem
> fs_mount_all_fs(kernel_t)
> fs_unmount_all_fs(kernel_t)
>
> +fs_getattr_tmpfs(kernel_t)
> +fs_getattr_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_dirs(kernel_t)
> +fs_manage_tmpfs_files(kernel_t)
> +fs_manage_tmpfs_sockets(kernel_t)
> +fs_delete_tmpfs_symlinks(kernel_t)
> +
> +selinux_getattr_fs(kernel_t)
> selinux_load_policy(kernel_t)
>
> +term_getattr_pty_fs(kernel_t)
> term_use_console(kernel_t)
> +term_use_generic_ptys(kernel_t)
>
> # for kdevtmpfs
> term_setattr_unlink_unallocated_ttys(kernel_t)
> @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
> domain_signal_all_domains(kernel_t)
> domain_search_all_domains_state(kernel_t)
>
> +files_getattr_rootfs(kernel_t)
> +files_manage_root_dir(kernel_t)
> +files_delete_root_files(kernel_t)
> +files_exec_root_files(kernel_t)
> +files_delete_root_symlinks(kernel_t)
> +files_delete_root_chr_files(kernel_t)
> files_list_root(kernel_t)
> files_list_etc(kernel_t)
> +files_getattr_etc_runtime_dirs(kernel_t)
> +files_mounton_etc_runtime_dirs(kernel_t)
> files_list_home(kernel_t)
> files_read_usr_files(kernel_t)
>
> @@ -343,6 +369,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + logging_manage_generic_logs(kernel_t)
> logging_send_syslog_msg(kernel_t)
> ')
>
> @@ -356,6 +383,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + plymouthd_read_lib_files(kernel_t)
> + term_use_ptmx(kernel_t)
> + term_use_unallocated_ttys(kernel_t)
> +')
> +
> +optional_policy(`
> # nfs kernel server needs kernel UDP access. It is less risky and painful
> # to just give it everything.
> allow kernel_t self:tcp_socket create_stream_socket_perms;
> @@ -405,6 +438,7 @@ optional_policy(`
> optional_policy(`
> seutil_read_config(kernel_t)
> seutil_read_bin_policy(kernel_t)
> + seutil_domtrans_setfiles(kernel_t)
> ')
>
> optional_policy(`
> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> --- a/policy/modules/kernel/terminal.if 2016-11-05 22:59:46.651875228 +0100
> +++ b/policy/modules/kernel/terminal.if 2016-12-17 21:40:10.502811148 +0100
> @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
>
> ########################################
> ## <summary>
> +## Get the attributes of the
> +## /dev/pts directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`term_getattr_pty_dirs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:dir getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to get the
> ## attributes of the /dev/pts directory.
> ## </summary>
> @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
>
> allow $1 devpts_t:chr_file getattr;
> ')
> +
> ########################################
> ## <summary>
> ## Do not audit attempts to get the attributes
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
Hello Christopher.
Thanks for merging this. We should now have a fully functional kernel module
that,
as such, should not need the unconfined_domain interface calls anymore.
Unfortunately, version 2 of this patch did not actually removed such interface
call.
Now, we have two options:
- remove it in a new simple patch today or tomorrow;
- wait to remove it until after the next release, so that we can benefit from
some
more development-stage testing, just in case some kernel installation around
needs some other permission which did not show up in the tests that I carried
out.
For sure, we shall strive to get rid of it, for maximum security.
> On the 27th of December 2016 at 16.52 Chris PeBenito <[email protected]>
> wrote:
>
>
> On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
> > This patch adds missing permissions in the kernel module that prevent
> > to run it without the unconfined module.
> >
> > This second version improves the comment section of new interfaces:
> > "Domain" is replaced by "Domain allowed access".
>
> I thought that all of the added rules were for the initramfs. Since
> only a few are, I'm fine without the tunable, so I merged this version
> of the patch.
>
>
>
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/kernel/devices.if | 56 +++++++++++++++
> > policy/modules/kernel/files.if | 131
> > ++++++++++++++++++++++++++++++++++++
> > policy/modules/kernel/filesystem.if | 18 ++++
> > policy/modules/kernel/kernel.if | 18 ++++
> > policy/modules/kernel/kernel.te | 34 +++++++++
> > policy/modules/kernel/terminal.if | 20 +++++
> > 6 files changed, 277 insertions(+)
[...]
Regards,
Guido
Maybe we can crib from dwalsh:
https://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00014.html
During the development phase between releases implement the unconfined
domains via a permissive statement, which causes audits, instead of
using the almost almighty unconfined_domain_noaudit interface?
Kindly Regards,
Christian G?ttsche
2016-12-27 21:22 GMT+01:00 Guido Trentalancia via refpolicy
<[email protected]>:
> Hello Christopher.
>
> Thanks for merging this. We should now have a fully functional kernel module
> that,
> as such, should not need the unconfined_domain interface calls anymore.
>
> Unfortunately, version 2 of this patch did not actually removed such interface
> call.
>
> Now, we have two options:
>
> - remove it in a new simple patch today or tomorrow;
> - wait to remove it until after the next release, so that we can benefit from
> some
> more development-stage testing, just in case some kernel installation around
> needs some other permission which did not show up in the tests that I carried
> out.
>
> For sure, we shall strive to get rid of it, for maximum security.
>
>> On the 27th of December 2016 at 16.52 Chris PeBenito <[email protected]>
>> wrote:
>>
>>
>> On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
>> > This patch adds missing permissions in the kernel module that prevent
>> > to run it without the unconfined module.
>> >
>> > This second version improves the comment section of new interfaces:
>> > "Domain" is replaced by "Domain allowed access".
>>
>> I thought that all of the added rules were for the initramfs. Since
>> only a few are, I'm fine without the tunable, so I merged this version
>> of the patch.
>>
>>
>>
>> > Signed-off-by: Guido Trentalancia <[email protected]>
>> > ---
>> > policy/modules/kernel/devices.if | 56 +++++++++++++++
>> > policy/modules/kernel/files.if | 131
>> > ++++++++++++++++++++++++++++++++++++
>> > policy/modules/kernel/filesystem.if | 18 ++++
>> > policy/modules/kernel/kernel.if | 18 ++++
>> > policy/modules/kernel/kernel.te | 34 +++++++++
>> > policy/modules/kernel/terminal.if | 20 +++++
>> > 6 files changed, 277 insertions(+)
>
> [...]
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Hello.
> On the 27th December 2016 at 21.32 cgzones <[email protected]> wrote:
>
>
> Maybe we can crib from dwalsh:
> https://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00014.html
>
> During the development phase between releases implement the unconfined
> domains via a permissive statement, which causes audits, instead of
> using the almost almighty unconfined_domain_noaudit interface?
Yes, this sounds a good idea to me. I didn't know about this option, thanks for
pointing it out.
We could keep that for a month or two and see what feedback comes from git users
and developers.
I just don't know the timeline for the next release...
> Kindly Regards,
> Christian G?ttsche
Regards,
Guido
> 2016-12-27 21:22 GMT+01:00 Guido Trentalancia via refpolicy
> <[email protected]>:
> > Hello Christopher.
> >
> > Thanks for merging this. We should now have a fully functional kernel module
> > that,
> > as such, should not need the unconfined_domain interface calls anymore.
> >
> > Unfortunately, version 2 of this patch did not actually removed such
> > interface
> > call.
> >
> > Now, we have two options:
> >
> > - remove it in a new simple patch today or tomorrow;
> > - wait to remove it until after the next release, so that we can benefit
> > from
> > some
> > more development-stage testing, just in case some kernel installation
> > around
> > needs some other permission which did not show up in the tests that I
> > carried
> > out.
> >
> > For sure, we shall strive to get rid of it, for maximum security.
> >
> >> On the 27th of December 2016 at 16.52 Chris PeBenito <[email protected]>
> >> wrote:
> >>
> >>
> >> On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
> >> > This patch adds missing permissions in the kernel module that prevent
> >> > to run it without the unconfined module.
> >> >
> >> > This second version improves the comment section of new interfaces:
> >> > "Domain" is replaced by "Domain allowed access".
> >>
> >> I thought that all of the added rules were for the initramfs. Since
> >> only a few are, I'm fine without the tunable, so I merged this version
> >> of the patch.
> >>
> >>
> >>
> >> > Signed-off-by: Guido Trentalancia <[email protected]>
> >> > ---
> >> > policy/modules/kernel/devices.if | 56 +++++++++++++++
> >> > policy/modules/kernel/files.if | 131
> >> > ++++++++++++++++++++++++++++++++++++
> >> > policy/modules/kernel/filesystem.if | 18 ++++
> >> > policy/modules/kernel/kernel.if | 18 ++++
> >> > policy/modules/kernel/kernel.te | 34 +++++++++
> >> > policy/modules/kernel/terminal.if | 20 +++++
> >> > 6 files changed, 277 insertions(+)
On 12/27/16 15:42, Guido Trentalancia via refpolicy wrote:
> Hello.
>
>> On the 27th December 2016 at 21.32 cgzones <[email protected]> wrote:
>>
>>
>> Maybe we can crib from dwalsh:
>> https://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00014.html
>>
>> During the development phase between releases implement the unconfined
>> domains via a permissive statement, which causes audits, instead of
>> using the almost almighty unconfined_domain_noaudit interface?
>
> Yes, this sounds a good idea to me. I didn't know about this option, thanks for
> pointing it out.
>
> We could keep that for a month or two and see what feedback comes from git users
> and developers.
>
> I just don't know the timeline for the next release...
A few things:
1. There is no goal to eliminate all unconfined domains. Any domains
(with the exception of unconfined_t) should only be optionally
unconfined. If you don't want unconfined domains, remove the unconfined
module. The existing unconfined domains are there on purpose, not
because the policies are "incomplete".
2. Permissive domains are not allowed upstream in refpolicy, at any time.
3. I'm trying to get on a roughly quarterly release schedule, so the
next release is in approximately one month.
>> 2016-12-27 21:22 GMT+01:00 Guido Trentalancia via refpolicy
>> <[email protected]>:
>>> Hello Christopher.
>>>
>>> Thanks for merging this. We should now have a fully functional kernel module
>>> that,
>>> as such, should not need the unconfined_domain interface calls anymore.
>>>
>>> Unfortunately, version 2 of this patch did not actually removed such
>>> interface
>>> call.
>>>
>>> Now, we have two options:
>>>
>>> - remove it in a new simple patch today or tomorrow;
>>> - wait to remove it until after the next release, so that we can benefit
>>> from
>>> some
>>> more development-stage testing, just in case some kernel installation
>>> around
>>> needs some other permission which did not show up in the tests that I
>>> carried
>>> out.
>>>
>>> For sure, we shall strive to get rid of it, for maximum security.
>>>
>>>> On the 27th of December 2016 at 16.52 Chris PeBenito <[email protected]>
>>>> wrote:
>>>>
>>>>
>>>> On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
>>>>> This patch adds missing permissions in the kernel module that prevent
>>>>> to run it without the unconfined module.
>>>>>
>>>>> This second version improves the comment section of new interfaces:
>>>>> "Domain" is replaced by "Domain allowed access".
>>>>
>>>> I thought that all of the added rules were for the initramfs. Since
>>>> only a few are, I'm fine without the tunable, so I merged this version
>>>> of the patch.
>>>>
>>>>
>>>>
>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>> ---
>>>>> policy/modules/kernel/devices.if | 56 +++++++++++++++
>>>>> policy/modules/kernel/files.if | 131
>>>>> ++++++++++++++++++++++++++++++++++++
>>>>> policy/modules/kernel/filesystem.if | 18 ++++
>>>>> policy/modules/kernel/kernel.if | 18 ++++
>>>>> policy/modules/kernel/kernel.te | 34 +++++++++
>>>>> policy/modules/kernel/terminal.if | 20 +++++
>>>>> 6 files changed, 277 insertions(+)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
Of course I know that I can simply remove the "unconfined" module locally.
The point is that unconfined_domain() is very dangerous, eventually as dangerous as "permissive".
I still cannot think of a valid reason for keeping those calls...
Regards,
Guido
On the 28th of December 2016 19:38:29 CET, Chris PeBenito <[email protected]> wrote:
>On 12/27/16 15:42, Guido Trentalancia via refpolicy wrote:
>> Hello.
>>
>>> On the 27th December 2016 at 21.32 cgzones <[email protected]>
>wrote:
>>>
>>>
>>> Maybe we can crib from dwalsh:
>>>
>https://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00014.html
>>>
>>> During the development phase between releases implement the
>unconfined
>>> domains via a permissive statement, which causes audits, instead of
>>> using the almost almighty unconfined_domain_noaudit interface?
>>
>> Yes, this sounds a good idea to me. I didn't know about this option,
>thanks for
>> pointing it out.
>>
>> We could keep that for a month or two and see what feedback comes
>from git users
>> and developers.
>>
>> I just don't know the timeline for the next release...
>
>A few things:
>
>1. There is no goal to eliminate all unconfined domains. Any domains
>(with the exception of unconfined_t) should only be optionally
>unconfined. If you don't want unconfined domains, remove the
>unconfined
>module. The existing unconfined domains are there on purpose, not
>because the policies are "incomplete".
>
>2. Permissive domains are not allowed upstream in refpolicy, at any
>time.
>
>3. I'm trying to get on a roughly quarterly release schedule, so the
>next release is in approximately one month.
>
>
>
>>> 2016-12-27 21:22 GMT+01:00 Guido Trentalancia via refpolicy
>>> <[email protected]>:
>>>> Hello Christopher.
>>>>
>>>> Thanks for merging this. We should now have a fully functional
>kernel module
>>>> that,
>>>> as such, should not need the unconfined_domain interface calls
>anymore.
>>>>
>>>> Unfortunately, version 2 of this patch did not actually removed
>such
>>>> interface
>>>> call.
>>>>
>>>> Now, we have two options:
>>>>
>>>> - remove it in a new simple patch today or tomorrow;
>>>> - wait to remove it until after the next release, so that we can
>benefit
>>>> from
>>>> some
>>>> more development-stage testing, just in case some kernel
>installation
>>>> around
>>>> needs some other permission which did not show up in the tests
>that I
>>>> carried
>>>> out.
>>>>
>>>> For sure, we shall strive to get rid of it, for maximum security.
>>>>
>>>>> On the 27th of December 2016 at 16.52 Chris PeBenito
><[email protected]>
>>>>> wrote:
>>>>>
>>>>>
>>>>> On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
>>>>>> This patch adds missing permissions in the kernel module that
>prevent
>>>>>> to run it without the unconfined module.
>>>>>>
>>>>>> This second version improves the comment section of new
>interfaces:
>>>>>> "Domain" is replaced by "Domain allowed access".
>>>>>
>>>>> I thought that all of the added rules were for the initramfs.
>Since
>>>>> only a few are, I'm fine without the tunable, so I merged this
>version
>>>>> of the patch.
>>>>>
>>>>>
>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>> ---
>>>>>> policy/modules/kernel/devices.if | 56 +++++++++++++++
>>>>>> policy/modules/kernel/files.if | 131
>>>>>> ++++++++++++++++++++++++++++++++++++
>>>>>> policy/modules/kernel/filesystem.if | 18 ++++
>>>>>> policy/modules/kernel/kernel.if | 18 ++++
>>>>>> policy/modules/kernel/kernel.te | 34 +++++++++
>>>>>> policy/modules/kernel/terminal.if | 20 +++++
>>>>>> 6 files changed, 277 insertions(+)
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>