From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 6 Aug 2016 17:14:26 -0400
Subject: [refpolicy] [PATCH] strict mode policy
In-Reply-To: <20160803063859.gwyuqvqfkdrio3oq@athena.coker.com.au>
References: <20160803063859.gwyuqvqfkdrio3oq@athena.coker.com.au>
Message-ID: <c18f1b6a-ac3f-fc32-5546-9f33c31a9434@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/03/16 02:38, Russell Coker wrote:
> The following patch contains the changes that I needed to get a Debian system
> running correctly in a "strict" configuration, IE the unconfined module is not
> loaded.



> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/mta.if ./policy/modules/contrib/mta.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mta.if	2016-07-30 08:14:41.121650499 +1000
> +++ ./policy/modules/contrib/mta.if	2016-08-03 16:11:44.358831503 +1000
> @@ -121,6 +121,23 @@
>
>  ########################################
>  ## <summary>
> +##	Enable system_mail_t to run in the specified role
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`system_mail_role',`
> +	gen_require(`
> +		type system_mail_t;
> +	')
> +	role $1 types system_mail_t;
> +')

Why is this needed?  I see it below, but why wouldn't roles be using 
user_mail_t instead?




> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/devices.if ./policy/modules/kernel/devices.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/devices.if	2016-07-28 20:33:39.959961616 +1000
> +++ ./policy/modules/kernel/devices.if	2016-08-03 16:11:44.366831728 +1000
> @@ -5046,3 +5046,21 @@
>
>  	typeattribute $1 devices_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##      Create subdir of /dev
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`dev_create_subdir',`

dev_create_generic_dirs() already exists, though it has read on 
device_t:dir.


> +        gen_require(`
> +                type device_t;
> +        ')
> +       allow $1 device_t:dir { add_entry_dir_perms create };
> +       allow $1 device_t:dir search_dir_perms;
> +')
> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/files.if ./policy/modules/kernel/files.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/files.if	2016-07-28 20:33:39.963961720 +1000
> +++ ./policy/modules/kernel/files.if	2016-08-03 16:11:44.366831728 +1000
> @@ -3194,6 +3194,26 @@
>
>  ########################################
>  ## <summary>
> +##	Relabel files and dirs to etc_runtime_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_relabelto_etc_runtime',`
> +	gen_require(`
> +		type etc_runtime_t;
> +	')
> +
> +	allow $1 etc_runtime_t:file relabelto;
> +	allow $1 etc_runtime_t:dir relabelto;
> +')

This should be broken up into two interfaces.



> @@ -6095,6 +6115,24 @@
>  ')
>
>  ########################################
> +## <summary>
> +##	Create a /var/run directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_create_pid_dir',`

Should be named files_create_generic_pid_dirs().


> +	gen_require(`
> +		type var_run_t;
> +	')
> +
> +	allow $1 var_run_t:dir create_dir_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Search the contents of runtime process
>  ##	ID directories (/var/run).
> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if ./policy/modules/kernel/filesystem.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if	2016-07-28 20:33:39.963961720 +1000
> +++ ./policy/modules/kernel/filesystem.if	2016-08-03 16:19:16.127550295 +1000
> @@ -767,6 +767,42 @@
>
>  ########################################
>  ## <summary>
> +##     Relabel pstore directories.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`fs_relabel_pstore_dirs',`
> +	gen_require(`
> +		type pstore_t;
> +	')
> +
> +	relabel_dirs_pattern($1, pstore_t, pstore_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Get the attributes of a pstore filesystem.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`getattr_pstorefs',`
> +	gen_require(`
> +		type pstore_t;
> +	')
> +
> +allow $1 pstore_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Relabel cgroup directories.
>  ## </summary>
>  ## <param name="domain">
> @@ -806,6 +842,26 @@
>
>  ########################################
>  ## <summary>
> +##     Create cgroup lnk_files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`fs_create_cgroup_links',`
> +	gen_require(`
> +		type cgroup_t;
> +	')
> +
> +	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
> +	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
> +	dev_search_sysfs($1)

This interface is "create", but I don't think that the rw perms are 
necessary.



> diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te ./policy/modules/system/selinuxutil.te
> --- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te	2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/selinuxutil.te	2016-08-03 16:11:44.362831615 +1000
> @@ -192,6 +192,7 @@
>
>  userdom_use_user_terminals(load_policy_t)
>  userdom_use_all_users_fds(load_policy_t)
> +dev_read_urand(load_policy_t)

Is this related to SSP?


-- 
Chris PeBenito