From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 2 Aug 2016 19:59:28 -0400
Subject: [refpolicy] [PATCH] single binary modutils
In-Reply-To: <20160731123441.dcfgg3ln6z7u43f3@athena.coker.com.au>
References: <20160731123441.dcfgg3ln6z7u43f3@athena.coker.com.au>
Message-ID: <64191a41-447c-83ab-dfab-2fcaa1275356@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/31/16 08:34, Russell Coker wrote:
> The following patch deals with a single binary for modutils, so depmod_t,
> and insmod_t are merged.

Since the main SELinux distros (including RHEL/CentOS 7) all have merged modutils these days, I'm open to taking a patch that fully merges these domains (in which case renaming to kmod_t, with proper aliasing seems the best idea). However, it's been some time since I used a busybox-based system; does busybox still have separated tools? Yes, this is a bit of an obvious question since busybox is also single-binary, but IIRC, the embedded guys made some tiny helper scripts or executables so proper transitioning could occur. Separate domains may still make sense.

> diff -ruN /home/rjc/src/pol-git/policy/modules/system/modutils.fc ./policy/modules/system/modutils.fc
> --- /home/rjc/src/pol-git/policy/modules/system/modutils.fc 2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/modutils.fc 2016-07-31 22:31:01.121039414 +1000
> @@ -23,3 +23,4 @@
> /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
>
> /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
> +/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:kmod_var_run_t,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/modutils.te ./policy/modules/system/modutils.te
> --- /home/rjc/src/pol-git/policy/modules/system/modutils.te 2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/modutils.te 2016-07-31 22:31:01.117039342 +1000
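Review bot: The added file-context entry labels the whole /var/run/tmpfiles.d tree kmod_var_run_t, although the comment in the later modutils.te hunk only describes the single kmod.conf file, so every other program's snippet dropped into that directory inherits a kmod-private type and falls under insmod_t's manage rules. The `.` in `tmpfiles.d` is also an unescaped regex metacharacter. A narrower entry would be `/var/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_var_run_t,s0)`, leaving the directory itself with its generic /run label; the matching name-based file transition then belongs in the modutils.te hunk that adds the kmod_var_run_t rules.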
> @@ -5,15 +5,12 @@
> # Declarations
> #
>
> -attribute_role update_modules_roles;
> -
> -type depmod_t;
> -type depmod_exec_t;
> -init_system_domain(depmod_t, depmod_exec_t)
> -role system_r types depmod_t;
> -
> type insmod_t;
> +typealias insmod_t alias { depmod_t update_modules_t };
> +
> type insmod_exec_t;
> +typealias insmod_exec_t alias { depmod_exec_t update_modules_exec_t };
> +
> application_domain(insmod_t, insmod_exec_t)
> mls_file_write_all_levels(insmod_t)
> role system_r types insmod_t;
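Review bot: `attribute_role update_modules_roles;` is removed here, but the patch carries no modutils.if hunk, so any interface in that file that still requires or attaches the attribute (the depmod/update_mods role interfaces, if they are still present) will no longer build against this .te. The typealias lines keep the old type names resolvable for existing file labels and callers, but they do nothing for a role attribute. Either fold the depmod and update-modules interfaces into the insmod ones in modutils.if within the same patch, or keep the attribute and tie it to the merged domain with `role update_modules_roles types insmod_t;` until that cleanup lands.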
> @@ -26,77 +23,8 @@
> type modules_dep_t;
> files_type(modules_dep_t)
>
> -type update_modules_t;
> -type update_modules_exec_t;
> -init_system_domain(update_modules_t, update_modules_exec_t)
> -roleattribute system_r update_modules_roles;
> -role update_modules_roles types update_modules_t;
> -
> -type update_modules_tmp_t;
> -files_tmp_file(update_modules_tmp_t)
> -
> -########################################
> -#
> -# depmod local policy
> -#
> -
> -can_exec(depmod_t, depmod_exec_t)
> -
> -# Read conf.modules.
> -read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
> -
> -allow depmod_t modules_dep_t:file manage_file_perms;
> -files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
> -
> -kernel_read_system_state(depmod_t)
> -
> -corecmd_search_bin(depmod_t)
> -
> -domain_use_interactive_fds(depmod_t)
> -
> -files_read_kernel_symbol_table(depmod_t)
> -files_read_kernel_modules(depmod_t)
> -files_read_etc_runtime_files(depmod_t)
> -files_read_etc_files(depmod_t)
> -files_read_usr_src_files(depmod_t)
> -files_list_usr(depmod_t)
> -
> -fs_getattr_xattr_fs(depmod_t)
> -
> -term_use_console(depmod_t)
> -
> -init_use_fds(depmod_t)
> -init_use_script_fds(depmod_t)
> -init_use_script_ptys(depmod_t)
> -
> -userdom_use_user_terminals(depmod_t)
> -# Read System.map from home directories.
> -files_list_home(depmod_t)
> -userdom_read_user_home_content_files(depmod_t)
> -
> -ifdef(`distro_ubuntu',`
> - optional_policy(`
> - unconfined_domain(depmod_t)
> - ')
> -')
> -
> -tunable_policy(`use_nfs_home_dirs',`
> - fs_read_nfs_files(depmod_t)
> -')
> -
> -tunable_policy(`use_samba_home_dirs',`
> - fs_read_cifs_files(depmod_t)
> -')
> -
> -optional_policy(`
> - rpm_rw_pipes(depmod_t)
> - rpm_manage_script_tmp_files(depmod_t)
> -')
> -
> -optional_policy(`
> - # Read System.map from home directories.
> - unconfined_domain(depmod_t)
> -')
> +type kmod_var_run_t;
> +files_pid_file(kmod_var_run_t)
>
> ########################################
> #
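Review bot: None of the depmod rules removed here are re-added to insmod_t anywhere in the patch, so the merged domain keeps only what insmod_t already had; the home-directory System.map reads (`files_list_home`, `userdom_read_user_home_content_files`) and the `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks in particular have no counterpart in the insmod hunks. If that use case is being dropped on purpose, the commit message should say so; otherwise those rules need to move over to insmod_t. Whether `files_read_kernel_symbol_table`, `files_read_usr_src_files` and `files_list_usr` are already granted to insmod_t lies outside the visible hunks and should be confirmed before merging, since depmod run through the merged binary will otherwise be denied them. The new `type kmod_var_run_t;` also deserves a one-line comment such as `# /run/tmpfiles.d/kmod.conf written by kmod` so its purpose is visible at the declaration.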
> @@ -114,6 +42,9 @@
> read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
> list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
> read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
> +filetrans_add_pattern(insmod_t, modules_object_t, modules_dep_t, file)
> +create_files_pattern(insmod_t, modules_object_t, modules_dep_t)
> +delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)
>
> can_exec(insmod_t, insmod_exec_t)
>
> @@ -136,6 +67,11 @@
> corecmd_exec_bin(insmod_t)
> corecmd_exec_shell(insmod_t)
>
> +# for /run/tmpfiles.d/kmod.conf
> +files_pid_filetrans(insmod_t, kmod_var_run_t, dir)
> +allow insmod_t kmod_var_run_t:dir manage_dir_perms;
> +allow insmod_t kmod_var_run_t:file manage_file_perms;
> +
> dev_rw_sysfs(insmod_t)
> dev_search_usbfs(insmod_t)
> dev_rw_mtrr(insmod_t)
> @@ -238,6 +174,7 @@
> optional_policy(`
> unconfined_domain(insmod_t)
> unconfined_dontaudit_rw_pipes(insmod_t)
> + unconfined_domtrans_to(insmod_t, insmod_exec_t)
> ')
>
> optional_policy(`
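Review bot: The `files_pid_filetrans(insmod_t, kmod_var_run_t, dir)` in the second hunk is unnamed, so any directory insmod_t creates directly under /run receives kmod_var_run_t, not only tmpfiles.d; pin it with `files_pid_filetrans(insmod_t, kmod_var_run_t, dir, "tmpfiles.d")`. Combined with the .fc hunk that labels the whole tmpfiles.d tree, the two `manage_*_perms` rules also let insmod_t rewrite every other program's snippet in that directory, which is wider than the single kmod.conf the comment describes. Whatever domain consumes /run/tmpfiles.d will additionally need read access to kmod_var_run_t, and no interface granting that is part of the patch. In the third hunk, `unconfined_domtrans_to(insmod_t, insmod_exec_t)` changes what happens when unconfined_t executes kmod directly and should carry a comment stating the intent, e.g. `# keep kmod confined even when run from unconfined_t`.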
> @@ -247,85 +184,3 @@
> xserver_getattr_log(insmod_t)
> ')
>
> -#################################
> -#
> -# update-modules local policy
> -#
> -
> -allow update_modules_t self:fifo_file rw_fifo_file_perms;
> -
> -allow update_modules_t modules_dep_t:file rw_file_perms;
> -
> -can_exec(update_modules_t, insmod_exec_t)
> -can_exec(update_modules_t, update_modules_exec_t)
> -
> -# manage module loading configuration
> -manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
> -files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
> -files_etc_filetrans(update_modules_t, modules_conf_t, file)
> -
> -# transition to depmod
> -domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
> -allow update_modules_t depmod_t:fd use;
> -allow depmod_t update_modules_t:fd use;
> -allow depmod_t update_modules_t:fifo_file rw_file_perms;
> -allow depmod_t update_modules_t:process sigchld;
> -
> -manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
> -manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
> -files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
> -
> -kernel_read_kernel_sysctls(update_modules_t)
> -kernel_read_system_state(update_modules_t)
> -
> -corecmd_exec_bin(update_modules_t)
> -corecmd_exec_shell(update_modules_t)
> -
> -dev_read_urand(update_modules_t)
> -
> -domain_use_interactive_fds(update_modules_t)
> -
> -files_read_etc_runtime_files(update_modules_t)
> -files_read_etc_files(update_modules_t)
> -files_exec_etc_files(update_modules_t)
> -
> -fs_getattr_xattr_fs(update_modules_t)
> -
> -term_use_console(update_modules_t)
> -
> -init_use_fds(update_modules_t)
> -init_use_script_fds(update_modules_t)
> -init_use_script_ptys(update_modules_t)
> -
> -logging_send_syslog_msg(update_modules_t)
> -
> -miscfiles_read_localization(update_modules_t)
> -
> -modutils_run_insmod(update_modules_t, update_modules_roles)
> -
> -userdom_use_user_terminals(update_modules_t)
> -userdom_dontaudit_search_user_home_dirs(update_modules_t)
> -
> -ifdef(`distro_gentoo',`
> - kernel_list_unlabeled(update_modules_t) # /var
> -
> - files_search_pids(update_modules_t)
> - files_getattr_usr_src_files(update_modules_t)
> -
> - # update-modules on Gentoo throws errors when run because it
> - # sources /etc/init.d/functions.sh, which always scans
> - # /var/lib/init.d to set SOFTLEVEL environment var.
> - # This is never used by update-modules.
> - files_dontaudit_search_var_lib(update_modules_t)
> - init_dontaudit_read_script_status_files(update_modules_t)
> -
> - optional_policy(`
> - consoletype_exec(update_modules_t)
> - ')
> -')
> -
> -ifdef(`distro_ubuntu',`
> - optional_policy(`
> - unconfined_domain(update_modules_t)
> - ')
> -')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito