From: dominick.grift@gmail.com (Dominick Grift)
Date: Sun, 24 Jun 2012 21:42:09 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <20120624180448.GD11810@siphos.be>
References: <20120624180258.GA11810@siphos.be> <20120624180448.GD11810@siphos.be>
Message-ID: <1340566929.8671.10.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote:
> Running dracut out of the sysadm_t domain doesn't (fully) work on a policy
> without unconfined domains. The calls to depmod, whose output is then
> directed to a tmp location, is denied through this. Instead of granting
> depmod (and other tools) "manage" access to user_tmp_t, we create a separate
> domain for dracut (called dracut_t) and grant these tools management
> access to dracut_tmp_t.
>
> Signed-off-by: Sven Vermeulen
> ---
> dracut.fc | 4 +++
> dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> dracut.te | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 149 insertions(+), 0 deletions(-)
> create mode 100644 dracut.fc
> create mode 100644 dracut.if
> create mode 100644 dracut.te
>
> diff --git a/dracut.fc b/dracut.fc
> new file mode 100644
> index 0000000..fca0d67
> --- /dev/null
> +++ b/dracut.fc
> @@ -0,0 +1,4 @@
> +#
> +# /usr
> +#
> +/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
> diff --git a/dracut.if b/dracut.if
> new file mode 100644
> index 0000000..929fffd
> --- /dev/null
> +++ b/dracut.if
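Review bot: The file contexts hunk labels only the executable, while dracut.te declares `dracut_var_log_t` and relies on `logging_log_filetrans` to give the log file that type at creation time; with no matching entry here, a log file that already exists, or that is relabelled by restorecon, stays `var_log_t` and the `manage_files_pattern` on `dracut_var_log_t` no longer applies to it. If dracut's default log is still `/var/log/dracut.log`, an entry such as `/var/log/dracut\.log -- gen_context(system_u:object_r:dracut_var_log_t,s0)` under a `# /var` heading keeps restorecon and the filetrans rule in agreement.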
> @@ -0,0 +1,69 @@
> +## Dracut initramfs creation tool
> +
> +########################################
> +##
> +## Execute the dracut program in the dracut domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`dracut_domtrans',`
> + gen_require(`
> + type dracut_t, dracut_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, dracut_exec_t, dracut_t)
> +')
> +
> +########################################
> +##
> +## Execute dracut in the dracut domain, and
> +## allow the specified role the dracut domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +#
> +interface(`dracut_run',`
> + gen_require(`
> + type dracut_t;
> + ')
> +
> + dracut_domtrans($1)
> + role $2 types dracut_t;
> +')
> +
> +########################################
> +##
> +## Allow domain to manage dracut temporary files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dracut_manage_tmp_files',`
> + gen_require(`
> + type dracut_tmp_t;
> + ')
> +
> + files_search_var($1)
> + files_search_tmp($1)
> +
> + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
> + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> +')

This isn't what it say's it is. I would probably make it dracut_manage_tmp() Allow, and dracut in description is obvious, i would make it "Manage temporary content"

> diff --git a/dracut.te b/dracut.te
> new file mode 100644
> index 0000000..4bd6cb3
> --- /dev/null
> +++ b/dracut.te
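Review bot: `dracut_manage_tmp_files` calls `files_search_var($1)` for a type that dracut.te declares with `files_tmp_file` and reaches through `files_tmp_filetrans`, so the only directories a caller has to traverse are the tmp_t ones that `files_search_tmp($1)` already covers. If the temporary tree is meant to live under /var/tmp, a comment on that line saying so would justify the extra search access; otherwise it is a stray rule and `files_search_tmp($1)` alone is enough. Callers also get only `read_lnk_files_pattern` on `dracut_tmp_t` while dracut_t itself has `manage_lnk_files_pattern` on the same type, which is fine if none of the helper tools creates links in the tree but is worth confirming against what depmod and the other helpers actually do there.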
> @@ -0,0 +1,76 @@
> +policy_module(dracut, 1.0)
> +
> +type dracut_t;
> +type dracut_exec_t;
> +application_domain(dracut_t, dracut_exec_t)
> +
> +type dracut_var_log_t;
> +logging_log_file(dracut_var_log_t)
> +
> +type dracut_tmp_t;
> +files_tmp_file(dracut_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +allow dracut_t self:process setfscreate;
> +allow dracut_t self:fifo_file rw_fifo_file_perms;
> +allow dracut_t self:unix_stream_socket create_stream_socket_perms;
> +
> +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })

i suspect not all these type transitions are needed.

> +
> +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
> +logging_log_filetrans(dracut_t, dracut_var_log_t, file)
> +
> +kernel_read_system_state(dracut_t)
> +
> +corecmd_exec_bin(dracut_t)
> +corecmd_exec_shell(dracut_t)
> +corecmd_read_all_executables(dracut_t)
> +
> +dev_read_sysfs(dracut_t)
> +
> +domain_use_interactive_fds(dracut_t)
> +
> +files_create_kernel_img(dracut_t)
> +files_read_etc_files(dracut_t)
> +files_read_kernel_modules(dracut_t)
> +files_read_usr_files(dracut_t)
> +files_search_pids(dracut_t)
> +
> +fstools_exec(dracut_t)
> +
> +libs_domtrans_ldconfig(dracut_t)
> +libs_exec_ld_so(dracut_t)
> +libs_exec_lib_files(dracut_t)
> +
> +miscfiles_read_localization(dracut_t)
> +
> +modutils_exec_depmod(dracut_t)
> +modutils_exec_insmod(dracut_t)
> +modutils_list_module_config(dracut_t)

redundant this is already allowed with modutils_read_module_config()

> +modutils_read_module_config(dracut_t)
> +modutils_read_module_deps(dracut_t)
> +
> +mount_exec(dracut_t)
> +
> +seutil_exec_setfiles(dracut_t)

So you allow it to run setfiles in the dracut domain, but you dont allow the dracut domain to relabelfrom and -to anything?
> +
> +udev_exec(dracut_t)
> +udev_read_rules_files(dracut_t)
> +
> +userdom_use_user_terminals(dracut_t)
> +
> +optional_policy(`
> + dmesg_exec(dracut_t)
> +')
> +
> +optional_policy(`
> + lvm_exec(dracut_t)
> + lvm_read_config(dracut_t)
> +')
> +
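Review bot: `seutil_exec_setfiles(dracut_t)` runs setfiles inside dracut_t, but setfiles has to read the file_contexts spec and validate the contexts it loads before it relabels anything, and the hunk grants the domain nothing for either, so the run would be denied while setfiles initialises; `seutil_read_file_contexts(dracut_t)` and `selinux_validate_context(dracut_t)` belong beside it, in the seutil and selinux groups. The `allow dracut_t self:process setfscreate;` rule at the top of the local policy is the one line whose purpose is not evident from the surrounding interface calls, so a comment naming the dracut step that sets a file-creation context would help the next reader. The hunk is fully visible here, from `policy_module` to the closing lvm optional block.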