From: serue@us.ibm.com (Serge E. Hallyn)
Date: Mon, 22 Dec 2008 11:11:12 -0600
Subject: [refpolicy] container policy interface
In-Reply-To: <493FE28C.5060602@redhat.com>
References: <20081203203750.GA19949@us.ibm.com> <20081209233311.GA31197@us.ibm.com> <493FE28C.5060602@redhat.com>
Message-ID: <20081222171111.GA17809@us.ibm.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Here is a version to start addressing your comments. It's working so far, except when I do a useradd from inside a container (which apt-get install openssh-server does), I get the following:

useradd unconfined_u:unconfined_r:vs1_t:s0 5 file create system_u:object_r:vs1_file_t:s0 denied 52

Now I can create files with no problem, and in fact I can touch /etc/group+ but useradd always fails trying to create that file. Is there some way to generate .if files through interfaces? I also still need to pick a few more capabilities to always deny, but since I also need to spend time targeting capabilities at namespaces, I'd like to spend a bit more time working on that so I can figure out which capabilities will always be unsafe.
-serge
-------------- next part --------------
# vs_gen.te: declares the two attributes shared by every container and
# instantiates three containers. allow_container_use() and container()
# are defined in the .if file attached below.
policy_module(vs_gen,1.0.1)

# Domains allowed to start containers (container() uses this attribute as
# the source of its domain_auto_trans into the container domain).
attribute container_userdomain;
# Every container domain created by container() carries this attribute;
# allow_container_use() authorizes the caller's role for all of them.
attribute container_domain;

# unconfined_t / unconfined_r may enter any of the containers below.
allow_container_use(unconfined)

container(vs1)
container(vs2)
container(vs3)
-------------- next part --------------
# vs_gen.fc: only each container's init binary is labeled <name>_exec_t
# (the entry point for the transition to <name>_t); the rest of the
# rootfs, including the directory itself, is <name>_file_t.
# NOTE(review): these contexts carry user system_u while the container
# processes run as unconfined_u (see the useradd denial in the mail). If
# useradd sets a file-creation context taken from these entries, refpolicy's
# constraint on file create (u1 == u2 or can_change_object_identity) would
# deny the create even though the type rules allow it - confirm with audit2why.
/vs1/rootfs.vs1/sbin/init	--	gen_context(system_u:object_r:vs1_exec_t,s0)
/vs1/rootfs.vs1	-d	gen_context(system_u:object_r:vs1_file_t,s0)
/vs1/rootfs.vs1/.+		gen_context(system_u:object_r:vs1_file_t,s0)

/vs2/rootfs.vs2/sbin/init	--	gen_context(system_u:object_r:vs2_exec_t,s0)
/vs2/rootfs.vs2	-d	gen_context(system_u:object_r:vs2_file_t,s0)
/vs2/rootfs.vs2/.+		gen_context(system_u:object_r:vs2_file_t,s0)

/vs3/rootfs.vs3/sbin/init	--	gen_context(system_u:object_r:vs3_exec_t,s0)
/vs3/rootfs.vs3	-d	gen_context(system_u:object_r:vs3_file_t,s0)
/vs3/rootfs.vs3/.+		gen_context(system_u:object_r:vs3_file_t,s0)
-------------- next part --------------
## Interface for creating SELinux-protected containers.
###############################################################################
##
## Copyright (c) International Business Machines Corp., 2008
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
## the GNU General Public License for more details.
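##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
##
################################################################################

########################################
## Allow a user domain and its role to enter containers.
##
## $1: prefix of the user domain and role. For instance "unconfined"
##     adds unconfined_t to container_userdomain (the source of the
##     domain_auto_trans in container()) and lets unconfined_r take on
##     every domain carrying container_domain.
##
## container_userdomain and container_domain are declared in vs_gen.te.
#
interface(`allow_container_use',`
	gen_require(`
		type $1_t;
		role $1_r;
	')

	typeattribute $1_t container_userdomain;
	role $1_r types container_domain;
')

########################################
## Create the types and rules for one container.
##
## $1: base name for the container. For instance, if the container name
##     is vs1, its processes run as vs1_t, its init binary is vs1_exec_t
##     and its root filesystem is labeled vs1_file_t.
##
## Notes on the gen_require list:
# tmpfs_t: has no manage_file_perms interface
# container_userdomain is the attribute we define ourselves
# unconfined_devpts_t: I assume the container init should somehow relabel?
# but I'm deferring that until devpts namespaces (in tty-next) are
# upstream and I can trivially test what happens with default
# labeling in a new devpts mount
#
# NOTE(review): device_t and unlabeled_t are used below without a
# gen_require entry; confirm this builds as a loadable module.
#
# Cleanups relative to the first version: exact duplicates of
# files_mount_all_file_type_fs() and term_use_all_terms() dropped; the
# device_t:fifo_file, self:unix_dgram_socket and self:capability sys_admin
# rules dropped because wider rules below already grant them; trailing ';'
# after interface calls dropped to match allow_container_use().
# Several of the kernel, device and network rules were collected with
# audit2allow.
#
interface(`container',`
	gen_require(`
		type tmpfs_t;
		attribute container_userdomain;
		type unconfined_devpts_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_t;
	type $1_exec_t;
	typeattribute $1_t container_domain;
	domain_type($1_t)
	domain_entry_file($1_t, $1_exec_t)

	type $1_file_t;
	files_type($1_file_t)

	########################################
	#
	# Entering the container
	#

	# Any domain granted allow_container_use() transitions to $1_t when it
	# executes the container's init.
	domain_auto_trans(container_userdomain, $1_exec_t, $1_t)
	# dir objects of a domain type - presumably the container's /proc/<pid>
	# entries; confirm what the launcher actually creates here.
	allow container_userdomain $1_t:dir create_dir_perms;
	can_exec($1_t, $1_exec_t)

	corecmd_exec_bin($1_t)
	corecmd_exec_shell($1_t)
	libs_exec_lib_files($1_t)
	libs_use_ld_so($1_t)

	########################################
	#
	# Container root filesystem ($1_file_t)
	#

	allow $1_t $1_file_t:file { manage_file_perms exec_file_perms };
	allow $1_t $1_file_t:dir { manage_dir_perms mounton };
	allow $1_t $1_file_t:lnk_file manage_lnk_file_perms;
	allow $1_t $1_file_t:chr_file manage_chr_file_perms;
	allow $1_t $1_file_t:blk_file manage_blk_file_perms;
	allow $1_t $1_file_t:sock_file manage_sock_file_perms;
	allow $1_t $1_file_t:fifo_file manage_fifo_file_perms;
	# NOTE(review): socket objects are labeled with the creating domain, not
	# with a file type, so this rule is unlikely to ever match (sock_file is
	# covered above) - confirm before removing it.
	allow $1_t $1_file_t:socket *;
	# NOTE(review): the useradd "file create" denial quoted in the mail is not
	# explained by the rules here (manage_file_perms includes create). If
	# useradd sets a file-creation context taken from the .fc entries, the new
	# file carries user system_u while the process is unconfined_u, and
	# refpolicy's constraint on file create (u1 == u2 or
	# can_change_object_identity) would deny it - check with audit2why.

	########################################
	#
	# Process, IPC and capability rules
	#

	allow $1_t $1_t:fifo_file manage_fifo_file_perms;
	allow $1_t $1_t:process ~{ setcurrent };
	# Grants every capability except the three listed; sys_admin (needed by
	# the mount rules below) is therefore included. NOTE(review): the mail
	# says the deny list is still to be chosen - sys_rawio, sys_boot, sys_time
	# and mknod are candidates worth weighing, since none of the rules here
	# appear to need them.
	allow $1_t $1_t:capability ~{ audit_write audit_control sys_module };
	allow $1_t $1_t:fd *;
	allow $1_t $1_t:socket *;
	allow $1_t $1_t:tcp_socket *;
	allow $1_t $1_t:udp_socket *;
	allow $1_t self:unix_dgram_socket { create read write ioctl sendto connect };
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:packet_socket *;
	allow $1_t self:rawip_socket *;

	########################################
	#
	# Terminals and devices
	#

	term_create_pty($1_t, $1_file_t)
	term_use_all_terms($1_t)
	allow $1_t unconfined_devpts_t:chr_file { setattr rw_term_perms };

	allow $1_t device_t:dir { write setattr add_name };
	allow $1_t device_t:fifo_file { create rw_fifo_file_perms };
	dev_read_realtime_clock($1_t)
	dev_create_generic_dirs($1_t)
	dev_read_urand($1_t)
	dev_read_rand($1_t)
	dev_getattr_sysfs_dirs($1_t)
	dev_getattr_usbfs_dirs($1_t)
	dev_mount_usbfs($1_t)
	storage_getattr_fixed_disk_dev($1_t)

	########################################
	#
	# Mounts
	#

	# NOTE(review): together with sys_admin these let the container mount,
	# unmount and mount over any file-type filesystem and mountpoint, not
	# only $1_file_t; that is only contained if the container runs in its own
	# mount namespace - confirm.
	files_mounton_non_security($1_t)
	files_mounton_all_mountpoints($1_t)
	files_mount_all_file_type_fs($1_t)
	files_unmount_all_file_type_fs($1_t)
	fs_remount_xattr_fs($1_t)
	fs_getattr_xattr_fs($1_t)
	fs_mount_tmpfs($1_t)
	fs_unmount_tmpfs($1_t)
	fs_remount_tmpfs($1_t)
	fs_manage_tmpfs_dirs($1_t)
	# tmpfs_t has no manage_file_perms interface, hence the raw rule.
	allow $1_t tmpfs_t:file manage_file_perms;

	########################################
	#
	# Kernel state, sysctls and logging
	#

	kernel_read_ring_buffer($1_t)
	kernel_read_network_state($1_t)
	kernel_read_device_sysctls($1_t)
	kernel_read_net_sysctls($1_t)
	kernel_rw_net_sysctls($1_t)
	kernel_read_system_state($1_t)
	kernel_read_hotplug_sysctls($1_t)
	kernel_read_kernel_sysctls($1_t)
	kernel_sendrecv_unlabeled_association($1_t)
	allow $1_t unlabeled_t:packet recv;
	sysnet_read_config($1_t)
	logging_send_syslog_msg($1_t)

	########################################
	#
	# Network
	#

	corenet_tcp_sendrecv_unspec_node($1_t)
	corenet_tcp_bind_unspec_node($1_t)
	corenet_tcp_sendrecv_inaddr_any_node($1_t)
	corenet_udp_sendrecv_inaddr_any_node($1_t)
	corenet_raw_sendrecv_inaddr_any_node($1_t)
	corenet_tcp_bind_inaddr_any_node($1_t)
	corenet_udp_bind_inaddr_any_node($1_t)
	corenet_tcp_bind_http_port($1_t)
	corenet_tcp_connect_http_port($1_t)
	corenet_tcp_sendrecv_http_port($1_t)
	corenet_tcp_bind_ssh_port($1_t)
	corenet_tcp_connect_ssh_port($1_t)
	corenet_tcp_sendrecv_ssh_port($1_t)
	corenet_udp_bind_dhcpc_port($1_t)
')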