From: serue@us.ibm.com (Serge E. Hallyn)
Date: Mon, 22 Dec 2008 11:11:12 -0600
Subject: [refpolicy] container policy interface
In-Reply-To: <493FE28C.5060602@redhat.com>
References: <20081203203750.GA19949@us.ibm.com>
<20081209233311.GA31197@us.ibm.com> <493FE28C.5060602@redhat.com>
Message-ID: <20081222171111.GA17809@us.ibm.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Here is a version to start addressing your comments. It's working so far,
except when I do a useradd from inside a container (which apt-get install
openssh-server does), I get the following:
useradd unconfined_u:unconfined_r:vs1_t:s0 5 file create system_u:object_r:vs1_file_t:s0 denied 52
Now I can create files with no problem, and in fact I can
touch /etc/group+
but useradd always fails trying to create that file.
Is there some way to generate .if files through interfaces?
I also still need to pick a few more capabilities to always deny,
but since I also need to spend time targeting capabilities at
namespaces, I'd like to spend a bit more time working on that
so I can figure out which capabilities will always be unsafe.
-serge
-------------- next part --------------
# Policy module that declares the shared container attributes and
# instantiates three containers (vs1, vs2, vs3) through the interfaces
# defined in the accompanying .if attachment.
policy_module(vs_gen,1.0.1)

# Domains permitted to launch containers; the allow_container_use
# interface adds a caller domain to this attribute, and each container
# entry point transitions container_userdomain callers into the container.
attribute container_userdomain;

# Every domain created by the container interface carries this attribute;
# allow_container_use authorizes a role for all such domains at once.
attribute container_domain;

# unconfined_t / unconfined_r may start containers and run in any
# container domain.
allow_container_use(unconfined)

# One container each: vsN_t (domain), vsN_exec_t (entry point),
# vsN_file_t (container root filesystem), labeled per the .fc attachment.
container(vs1)
container(vs2)
container(vs3)
-------------- next part --------------
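# File contexts for the three containers declared in vs_gen.te.
#
# Per container vsN: the init binary is the domain entry point (vsN_exec_t),
# the root filesystem directory and everything under it is vsN_file_t.
# The dot in rootfs.vsN is escaped: path patterns here are regular
# expressions, and an unescaped dot would match any single character.
# setfiles/restorecon apply the most specific matching entry, so the
# explicit /sbin/init line wins over the catch-all for the same tree.

/vs1/rootfs\.vs1/sbin/init	--	gen_context(system_u:object_r:vs1_exec_t,s0)
/vs1/rootfs\.vs1		-d	gen_context(system_u:object_r:vs1_file_t,s0)
/vs1/rootfs\.vs1/.+			gen_context(system_u:object_r:vs1_file_t,s0)

/vs2/rootfs\.vs2/sbin/init	--	gen_context(system_u:object_r:vs2_exec_t,s0)
/vs2/rootfs\.vs2		-d	gen_context(system_u:object_r:vs2_file_t,s0)
/vs2/rootfs\.vs2/.+			gen_context(system_u:object_r:vs2_file_t,s0)

/vs3/rootfs\.vs3/sbin/init	--	gen_context(system_u:object_r:vs3_exec_t,s0)
/vs3/rootfs\.vs3		-d	gen_context(system_u:object_r:vs3_file_t,s0)
/vs3/rootfs\.vs3/.+			gen_context(system_u:object_r:vs3_file_t,s0)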
-------------- next part --------------
## <summary>Interface for creating SELinux-protected containers.</summary>
###############################################################################
##
## Copyright (c) International Business Machines Corp., 2008
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
## the GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
##
################################################################################
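########################################
## <summary>
##	Allow a user domain and its role to launch containers and run
##	in any container domain.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the calling domain and role: the interface uses
##	prefix_t and prefix_r (unconfined selects unconfined_t and
##	unconfined_r).
##	</summary>
## </param>
#
interface(`allow_container_use',`
	gen_require(`
		type $1_t;
		role $1_r;
		attribute container_userdomain;
		attribute container_domain;
	')

	# Marks $1_t as a container launcher: the container interface
	# grants the domain transition into each container domain to
	# this attribute.
	typeattribute $1_t container_userdomain;

	# Every container domain carries container_domain, so this
	# authorizes role $1_r for all containers at once.
	role $1_r types container_domain;
')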
#######################################
## <summary>
##	Create necessary types and rules for a container.
## </summary>
## <param name="name">
##	<summary>
##	base name for the container. For instance, if container name is
##	vs1, then most container data will be of type vs1_t.
##	</summary>
## </param>
# notes on the remaining gen_requires:
#
# tmpfs_t: has no manage_file_perms interface
# container_userdomain is the attribute we define ourselves
# unconfined_devpts_t: I assume the container init should somehow relabel?
# but I'm deferring that until devpts namespaces (in tty-next) are
# upstream and I can trivially test what happens with default
# labeling in a new devpts mount
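interface(`container',`
	gen_require(`
		attribute container_domain;
		attribute container_userdomain;
		type tmpfs_t;
		type device_t;
		type unlabeled_t;
		type unconfined_devpts_t;
	')

	########################################
	#
	# Declarations
	#
	# $1_t is the container domain, $1_exec_t the entry point binary
	# (the container init in the .fc file) and $1_file_t the container
	# root filesystem.

	type $1_t;
	type $1_exec_t;
	typeattribute $1_t container_domain;
	domain_type($1_t)

	type $1_file_t;
	files_type($1_file_t)

	########################################
	#
	# Entering and running the container
	#

	# A container_userdomain process that executes $1_exec_t lands in
	# $1_t; $1_t may also execute its own entry point without a transition.
	domain_entry_file($1_t, $1_exec_t)
	domain_auto_trans(container_userdomain, $1_exec_t, $1_t)
	can_exec($1_t, $1_exec_t)

	# NOTE(review): dirs of the domain type are normally the /proc/PID
	# entries of $1_t processes -- confirm this is what the launcher needs.
	allow container_userdomain $1_t:dir create_dir_perms;

	corecmd_exec_bin($1_t)
	corecmd_exec_shell($1_t)
	libs_exec_lib_files($1_t)
	libs_use_ld_so($1_t)
	term_create_pty($1_t, $1_file_t)
	term_use_all_terms($1_t)

	########################################
	#
	# Container root filesystem ($1_file_t)
	#

	allow $1_t $1_file_t:file { manage_file_perms exec_file_perms };
	allow $1_t $1_file_t:dir { manage_dir_perms mounton };
	allow $1_t $1_file_t:lnk_file manage_lnk_file_perms;
	allow $1_t $1_file_t:chr_file manage_chr_file_perms;
	allow $1_t $1_file_t:blk_file manage_blk_file_perms;
	allow $1_t $1_file_t:sock_file manage_sock_file_perms;
	allow $1_t $1_file_t:fifo_file manage_fifo_file_perms;
	# NOTE(review): the socket class on a file type is unusual; sock_file
	# above is the on-disk object. Confirm a denial actually asked for this.
	allow $1_t $1_file_t:socket *;

	# NOTE(review): the useradd denial in the cover mail (an unconfined_u
	# domain creating a system_u:object_r:$1_file_t file) is not explained
	# by these rules, which already allow create; the base policy
	# constraint on the SELinux user of newly created files is a likelier
	# cause, since plain touch from the same domain succeeds -- confirm.

	########################################
	#
	# Mounts, devices and tmpfs
	#

	files_mounton_non_security($1_t)
	files_mount_all_file_type_fs($1_t)
	files_unmount_all_file_type_fs($1_t)
	files_mounton_all_mountpoints($1_t)
	fs_getattr_xattr_fs($1_t)
	fs_remount_xattr_fs($1_t)
	fs_mount_tmpfs($1_t)
	fs_unmount_tmpfs($1_t)
	fs_remount_tmpfs($1_t)
	fs_manage_tmpfs_dirs($1_t)
	allow $1_t tmpfs_t:file manage_file_perms;
	dev_mount_usbfs($1_t)

	allow $1_t device_t:dir { write setattr add_name };
	allow $1_t device_t:fifo_file { create rw_fifo_file_perms };
	dev_create_generic_dirs($1_t)
	dev_getattr_sysfs_dirs($1_t)
	dev_getattr_usbfs_dirs($1_t)
	dev_read_realtime_clock($1_t)
	dev_read_rand($1_t)
	dev_read_urand($1_t)
	storage_getattr_fixed_disk_dev($1_t)
	allow $1_t unconfined_devpts_t:chr_file { setattr rw_term_perms };

	########################################
	#
	# Process, capability and IPC permissions on self
	#

	# Everything except changing the current context. This still includes
	# setexec, setfscreate, ptrace and the other set* permissions; review
	# whether the container init really needs each of them.
	allow $1_t self:process ~{ setcurrent };

	# TODO (cover mail): the always-denied capability list is still being
	# worked out; until then the container holds every capability except
	# these three (the separate sys_admin rule was redundant with this one).
	allow $1_t self:capability ~{ audit_write audit_control sys_module };

	# A bare * grants every permission defined for the class, including
	# any added by later policy versions.
	allow $1_t self:fd *;
	allow $1_t self:socket *;
	allow $1_t self:tcp_socket *;
	allow $1_t self:udp_socket *;
	allow $1_t self:packet_socket *;
	allow $1_t self:rawip_socket *;
	allow $1_t self:unix_dgram_socket { create read write ioctl sendto connect };
	allow $1_t self:fifo_file manage_fifo_file_perms;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;

	########################################
	#
	# Kernel, network and logging (mostly from audit2allow)
	#

	kernel_read_ring_buffer($1_t)
	kernel_read_network_state($1_t)
	kernel_read_system_state($1_t)
	kernel_read_device_sysctls($1_t)
	kernel_read_hotplug_sysctls($1_t)
	kernel_read_kernel_sysctls($1_t)
	kernel_read_net_sysctls($1_t)
	kernel_rw_net_sysctls($1_t)
	kernel_sendrecv_unlabeled_association($1_t)
	allow $1_t unlabeled_t:packet recv;

	corenet_tcp_sendrecv_unspec_node($1_t)
	corenet_tcp_bind_unspec_node($1_t)
	corenet_tcp_sendrecv_inaddr_any_node($1_t)
	corenet_udp_sendrecv_inaddr_any_node($1_t)
	corenet_raw_sendrecv_inaddr_any_node($1_t)
	corenet_tcp_bind_inaddr_any_node($1_t)
	corenet_udp_bind_inaddr_any_node($1_t)
	corenet_tcp_bind_http_port($1_t)
	corenet_tcp_connect_http_port($1_t)
	corenet_tcp_sendrecv_http_port($1_t)
	corenet_tcp_bind_ssh_port($1_t)
	corenet_tcp_connect_ssh_port($1_t)
	corenet_tcp_sendrecv_ssh_port($1_t)
	corenet_udp_bind_dhcpc_port($1_t)

	sysnet_read_config($1_t)
	logging_send_syslog_msg($1_t)
')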