From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 24 Jun 2012 20:04:48 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <20120624180258.GA11810@siphos.be>
References: <20120624180258.GA11810@siphos.be>
Message-ID: <20120624180448.GD11810@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Running dracut out of the sysadm_t domain doesn't (fully) work on a policy
without unconfined domains. The calls to depmod, whose output is then
directed to a tmp location, is denied through this. Instead of granting
depmod (and other tools) "manage" access to user_tmp_t, we create a separate
domain for dracut (called dracut_t) and grant these tools management
access to dracut_tmp_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dracut.fc |    4 +++
 dracut.if |   69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 dracut.te |   76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 149 insertions(+), 0 deletions(-)
 create mode 100644 dracut.fc
 create mode 100644 dracut.if
 create mode 100644 dracut.te

diff --git a/dracut.fc b/dracut.fc
new file mode 100644
index 0000000..fca0d67
--- /dev/null
+++ b/dracut.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/(s)?bin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)
diff --git a/dracut.if b/dracut.if
new file mode 100644
index 0000000..929fffd
--- /dev/null
+++ b/dracut.if
@@ -0,0 +1,69 @@
+## <summary>Dracut initramfs creation tool</summary>
+
+########################################
+## <summary>
+##	Execute the dracut program in the dracut domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dracut_domtrans',`
+	gen_require(`
+		type dracut_t, dracut_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dracut_exec_t, dracut_t)
+')
+
+########################################
+## <summary>
+##	Execute dracut in the dracut domain, and
+##	allow the specified role the dracut domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`dracut_run',`
+	gen_require(`
+		type dracut_t;
+	')
+
+	dracut_domtrans($1)
+	role $2 types dracut_t;
+')
+
+########################################
+## <summary>
+## 	Allow domain to manage dracut temporary files
+## </summary>
+## <param name="domain">
+##	<summary>
+##		Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dracut_manage_tmp_files',`
+	gen_require(`
+		type dracut_tmp_t;
+	')
+
+	files_search_var($1)
+	files_search_tmp($1)
+
+	manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+	manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
+	read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+')
+
diff --git a/dracut.te b/dracut.te
new file mode 100644
index 0000000..4bd6cb3
--- /dev/null
+++ b/dracut.te
@@ -0,0 +1,76 @@
+policy_module(dracut, 1.0)
+
+type dracut_t;
+type dracut_exec_t;
+application_domain(dracut_t, dracut_exec_t)
+
+type dracut_var_log_t;
+logging_log_file(dracut_var_log_t)
+
+type dracut_tmp_t;
+files_tmp_file(dracut_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow dracut_t self:process setfscreate;
+allow dracut_t self:fifo_file rw_fifo_file_perms;
+allow dracut_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+
+manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
+logging_log_filetrans(dracut_t, dracut_var_log_t, file)
+
+kernel_read_system_state(dracut_t)
+
+corecmd_exec_bin(dracut_t)
+corecmd_exec_shell(dracut_t)
+corecmd_read_all_executables(dracut_t)
+
+dev_read_sysfs(dracut_t)
+
+domain_use_interactive_fds(dracut_t)
+
+files_create_kernel_img(dracut_t)
+files_read_etc_files(dracut_t)
+files_read_kernel_modules(dracut_t)
+files_read_usr_files(dracut_t)
+files_search_pids(dracut_t)
+
+fstools_exec(dracut_t)
+
+libs_domtrans_ldconfig(dracut_t)
+libs_exec_ld_so(dracut_t)
+libs_exec_lib_files(dracut_t)
+
+miscfiles_read_localization(dracut_t)
+
+modutils_exec_depmod(dracut_t)
+modutils_exec_insmod(dracut_t)
+modutils_list_module_config(dracut_t)
+modutils_read_module_config(dracut_t)
+modutils_read_module_deps(dracut_t)
+
+mount_exec(dracut_t)
+
+seutil_exec_setfiles(dracut_t)
+
+udev_exec(dracut_t)
+udev_read_rules_files(dracut_t)
+
+userdom_use_user_terminals(dracut_t)
+
+optional_policy(`
+	dmesg_exec(dracut_t)
+')
+
+optional_policy(`
+	lvm_exec(dracut_t)
+	lvm_read_config(dracut_t)
+')
+
-- 
1.7.3.4