From: mgrepl@redhat.com (Miroslav Grepl) Date: Mon, 25 Jun 2012 10:24:24 +0200 Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy In-Reply-To: <1340566929.8671.10.camel@x220.mydomain.internal> References: <20120624180258.GA11810@siphos.be> <20120624180448.GD11810@siphos.be> <1340566929.8671.10.camel@x220.mydomain.internal> Message-ID: <4FE82038.7070707@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/24/2012 09:42 PM, Dominick Grift wrote: > On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote: >> Running dracut out of the sysadm_t domain doesn't (fully) work on a policy >> without unconfined domains. The calls to depmod, whose output is then >> directed to a tmp location, are denied through this. Instead of granting >> depmod (and other tools) "manage" access to user_tmp_t, we create a separate >> domain for dracut (called dracut_t) and grant these tools management >> access to dracut_tmp_t. >> >> Signed-off-by: Sven Vermeulen >> --- >> dracut.fc | 4 +++ >> dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> dracut.te | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> 3 files changed, 149 insertions(+), 0 deletions(-) >> create mode 100644 dracut.fc >> create mode 100644 dracut.if >> create mode 100644 dracut.te >> >> diff --git a/dracut.fc b/dracut.fc >> new file mode 100644 >> index 0000000..fca0d67 >> --- /dev/null >> +++ b/dracut.fc >> @@ -0,0 +1,4 @@ >> +# >> +# /usr >> +# >> +/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0) >> diff --git a/dracut.if b/dracut.if >> new file mode 100644 >> index 0000000..929fffd >> --- /dev/null >> +++ b/dracut.if 
>> @@ -0,0 +1,69 @@ >> +##Dracut initramfs creation tool >> + >> +######################################## >> +## >> +## Execute the dracut program in the dracut domain. >> +## >> +## >> +## >> +## Domain allowed to transition. >> +## >> +## >> +# >> +interface(`dracut_domtrans',` >> + gen_require(` >> + type dracut_t, dracut_exec_t; >> + ') >> + >> + corecmd_search_bin($1) >> + domtrans_pattern($1, dracut_exec_t, dracut_t) >> +') >> + >> +######################################## >> +## >> +## Execute dracut in the dracut domain, and >> +## allow the specified role the dracut domain. >> +## >> +## >> +## >> +## Domain allowed to transition. >> +## >> +## >> +## >> +## >> +## Role allowed access. >> +## >> +## >> +# >> +interface(`dracut_run',` >> + gen_require(` >> + type dracut_t; >> + ') >> + >> + dracut_domtrans($1) >> + role $2 types dracut_t; >> +') >> + >> +######################################## >> +## >> +## Allow domain to manage dracut temporary files >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`dracut_manage_tmp_files',` >> + gen_require(` >> + type dracut_tmp_t; >> + ') >> + >> + files_search_var($1) >> + files_search_tmp($1) >> + >> + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t) >> + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t) >> + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t) >> +') > This isn't what it says it is. I would probably make it > dracut_manage_tmp() > > Allow, and dracut in description is obvious, I would make it "Manage > temporary content" > >> diff --git a/dracut.te b/dracut.te >> new file mode 100644 >> index 0000000..4bd6cb3 >> --- /dev/null >> +++ b/dracut.te 
>> @@ -0,0 +1,76 @@ >> +policy_module(dracut, 1.0) >> + >> +type dracut_t; >> +type dracut_exec_t; >> +application_domain(dracut_t, dracut_exec_t) >> + >> +type dracut_var_log_t; >> +logging_log_file(dracut_var_log_t) >> + >> +type dracut_tmp_t; >> +files_tmp_file(dracut_tmp_t) >> + >> +######################################## >> +# >> +# Local policy >> +# >> +allow dracut_t self:process setfscreate; >> +allow dracut_t self:fifo_file rw_fifo_file_perms; >> +allow dracut_t self:unix_stream_socket create_stream_socket_perms; >> + >> +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) >> +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) >> +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) >> +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir }) > i suspect not all these type transitions are needed. > >> + >> +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t) >> +logging_log_filetrans(dracut_t, dracut_var_log_t, file) >> + >> +kernel_read_system_state(dracut_t) >> + >> +corecmd_exec_bin(dracut_t) >> +corecmd_exec_shell(dracut_t) >> +corecmd_read_all_executables(dracut_t) >> + >> +dev_read_sysfs(dracut_t) >> + >> +domain_use_interactive_fds(dracut_t) >> + >> +files_create_kernel_img(dracut_t) >> +files_read_etc_files(dracut_t) >> +files_read_kernel_modules(dracut_t) >> +files_read_usr_files(dracut_t) >> +files_search_pids(dracut_t) >> + >> +fstools_exec(dracut_t) >> + >> +libs_domtrans_ldconfig(dracut_t) >> +libs_exec_ld_so(dracut_t) >> +libs_exec_lib_files(dracut_t) >> + >> +miscfiles_read_localization(dracut_t) >> + >> +modutils_exec_depmod(dracut_t) >> +modutils_exec_insmod(dracut_t) >> +modutils_list_module_config(dracut_t) > redundant this is already allowed with modutils_read_module_config() > >> +modutils_read_module_config(dracut_t) >> +modutils_read_module_deps(dracut_t) >> + >> +mount_exec(dracut_t) >> + >> +seutil_exec_setfiles(dracut_t) > So you allow it to run setfiles in the dracut domain, but 
you don't allow > the dracut domain to relabelfrom and -to anything? I believe dracut should stay an unconfined domain. Also you probably will see other domains which want to execute dracut. And I would think transitions will be needed rather than just executing apps in the dracut domain. > >> + >> +udev_exec(dracut_t) >> +udev_read_rules_files(dracut_t) >> + >> +userdom_use_user_terminals(dracut_t) >> + >> +optional_policy(` >> + dmesg_exec(dracut_t) >> +') >> + >> +optional_policy(` >> + lvm_exec(dracut_t) >> + lvm_read_config(dracut_t) >> +') >> + > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy
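Review bot: the dracut.fc hunk labels only /usr/(s)?bin/dracut, yet dracut.te declares dracut_var_log_t with logging_log_file() and only ever produces it through logging_log_filetrans(); without a matching /var/log entry in dracut.fc the log file loses dracut_var_log_t on the next restorecon, so either add the file context or drop the log type if dracut keeps no log. It is also worth confirming that the binary is not installed as /sbin/dracut on the targeted distributions, since a path the regex does not match never gets dracut_exec_t and dracut_domtrans() then silently does nothing.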
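Review bot: nothing in this patch calls dracut_manage_tmp_files(), even though the commit message says the purpose of dracut_tmp_t is to give depmod and the other helper tools management access to it; as written, dracut.te runs those tools inside dracut_t via *_exec interfaces, so they already inherit dracut_t's own manage rules on dracut_tmp_t and the interface is dead code until some caller in another domain appears. Either wire it up from the helpers' domains or drop it for now. Minor: files_search_var($1) is superfluous for a type that only lives under /tmp (files_tmp_file / files_tmp_filetrans); files_search_tmp($1) is enough unless /var/tmp is in play. And agreeing with Dominick, a dracut_manage_tmp() name with the summary "Manage temporary content" describes a dirs+files+symlinks interface better than "manage dracut temporary files".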
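Review bot: the *_exec interfaces in dracut.te (fstools_exec, modutils_exec_depmod, modutils_exec_insmod, mount_exec, seutil_exec_setfiles, udev_exec, dmesg_exec, lvm_exec) run every helper inside dracut_t, so dracut_t must carry the union of their permissions and gets none of the helpers' own domains' rules; Dominick's relabelfrom/relabelto gap for setfiles is one symptom, and setfiles will also need seutil_read_file_contexts() to read file_contexts, which this hunk lacks. If the tools are meant to stay in dracut_t, expect the rule set to grow with every new denial; if not, the domtrans variants (seutil_domtrans_setfiles, modutils_domtrans_insmod, modutils_domtrans_depmod, mount_domtrans, udev_domtrans, lvm_domtrans, fstools_domtrans) are the usual refpolicy route, with dracut_manage_tmp_files() then granted to the helper domains that have to write into dracut_tmp_t. Also, files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir }) together with manage_lnk_files_pattern implies dracut creates symlinks directly in /tmp; if it only creates a working directory and everything under it, `dir` alone suffices (Dominick's point), and modutils_list_module_config(dracut_t) can be dropped as already covered by modutils_read_module_config().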