From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 6 Aug 2016 17:14:26 -0400
Subject: [refpolicy] [PATCH] strict mode policy
In-Reply-To: <20160803063859.gwyuqvqfkdrio3oq@athena.coker.com.au>
References: <20160803063859.gwyuqvqfkdrio3oq@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 08/03/16 02:38, Russell Coker wrote:
> The following patch contains the changes that I needed to get a Debian system
> running correctly in a "strict" configuration, IE the unconfined module is not
> loaded.
> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/mta.if ./policy/modules/contrib/mta.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mta.if 2016-07-30 08:14:41.121650499 +1000
> +++ ./policy/modules/contrib/mta.if 2016-08-03 16:11:44.358831503 +1000
> @@ -121,6 +121,23 @@
>
> ########################################
> ##
> +## Enable system_mail_t to run in the specified role
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +#
> +interface(`system_mail_role',`
> + gen_require(`
> + type system_mail_t;
> + ')
> + role $1 types system_mail_t;
> +')
Why is this needed? I see it below, but why wouldn't roles be using user_mail_t instead?
> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/devices.if ./policy/modules/kernel/devices.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/devices.if 2016-07-28 20:33:39.959961616 +1000
> +++ ./policy/modules/kernel/devices.if 2016-08-03 16:11:44.366831728 +1000
> @@ -5046,3 +5046,21 @@
>
> typeattribute $1 devices_unconfined_type;
> ')
> +
> +########################################
> +##
> +## Create subdir of /dev
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_create_subdir',`
dev_create_generic_dirs() already exists, though it has read on device_t:dir.
> + gen_require(`
> + type device_t;
> + ')
> + allow $1 device_t:dir { add_entry_dir_perms create };
> + allow $1 device_t:dir search_dir_perms;
> +')
> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/files.if ./policy/modules/kernel/files.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/files.if 2016-07-28 20:33:39.963961720 +1000
> +++ ./policy/modules/kernel/files.if 2016-08-03 16:11:44.366831728 +1000
> @@ -3194,6 +3194,26 @@
>
> ########################################
> ##
> +## Relabel files and dirs to etc_runtime_t
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`files_relabelto_etc_runtime',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:file relabelto;
> + allow $1 etc_runtime_t:dir relabelto;
> +')
This should be broken up into two interfaces.
> @@ -6095,6 +6115,24 @@
> ')
>
> ########################################
> +##
> +## Create a /var/run directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_create_pid_dir',`
Should be named files_create_generic_pid_dirs().
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + allow $1 var_run_t:dir create_dir_perms;
> +')
> +
> +########################################
> ##
> ## Search the contents of runtime process
> ## ID directories (/var/run).
> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if ./policy/modules/kernel/filesystem.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if 2016-07-28 20:33:39.963961720 +1000
> +++ ./policy/modules/kernel/filesystem.if 2016-08-03 16:19:16.127550295 +1000
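Review bot: In dev_create_subdir the second rule, `allow $1 device_t:dir search_dir_perms;`, is redundant: search_dir_perms ({ getattr search open } in refpolicy's object permission sets) is already contained in add_entry_dir_perms, so the body collapses to the single line `allow $1 device_t:dir { add_entry_dir_perms create };`. The summary should also carry a caveat a caller needs: without a file type transition, a directory created through this interface inherits device_t and is therefore exactly as reachable as /dev itself, so a domain that wants its subdirectory kept apart from the rest of /dev must pair this with a filetrans rule. A summary such as `## Create directories directly under /dev; they are labeled device_t unless a type transition applies.` would make that explicit.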
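Review bot: files_create_pid_dir grants only `create_dir_perms` on var_run_t:dir, which in refpolicy's permission sets is { getattr create }; a mkdir under /var/run additionally needs search/write/add_name on the parent var_run_t directory, so a caller that has nothing else on var_run_t is still denied at the parent and the interface does not do what its name promises on its own. The usual refpolicy form for this is the pattern macro, which covers both sides in one line: `create_dirs_pattern($1, var_run_t, var_run_t)` in place of the bare allow rule. The summary `## Create a /var/run directory.` would also read more precisely as `## Create directories directly in /var/run (var_run_t).`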
> @@ -767,6 +767,42 @@
>
> ########################################
> ##
> +## Relabel pstore directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_relabel_pstore_dirs',`
> + gen_require(`
> + type pstore_t;
> + ')
> +
> + relabel_dirs_pattern($1, pstore_t, pstore_t)
> +')
> +
> +########################################
> +##
> +## Get the attributes of a pstore filesystem.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`getattr_pstorefs',`
> + gen_require(`
> + type pstore_t;
> + ')
> +
> +allow $1 pstore_t:filesystem getattr;
> +')
> +
> +########################################
> +##
> ## Relabel cgroup directories.
> ##
> ##
> @@ -806,6 +842,26 @@
>
> ########################################
> ##
> +## Create cgroup lnk_files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_create_cgroup_links',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + create_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + dev_search_sysfs($1)
This interface is "create", but I don't think that the rw perms are necessary.
> diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te ./policy/modules/system/selinuxutil.te
> --- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te 2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/selinuxutil.te 2016-08-03 16:11:44.362831615 +1000
> @@ -192,6 +192,7 @@
>
> userdom_use_user_terminals(load_policy_t)
> userdom_use_all_users_fds(load_policy_t)
> +dev_read_urand(load_policy_t)
Is this related to SSP?
--
Chris PeBenito
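Review bot: getattr_pstorefs drops the fs_ prefix that the other interfaces in this file carry (fs_relabel_pstore_dirs in the same hunk, fs_create_cgroup_links below), so it should be declared as `interface(`fs_getattr_pstorefs',`; an unprefixed name in filesystem.if is easy to miss when grepping for what a domain is allowed on pstore and is out of line with how callers are expected to find module interfaces. Its `allow $1 pstore_t:filesystem getattr;` is also the only unindented rule in the hunk and should get the same indentation as the gen_require block. For fs_relabel_pstore_dirs it is worth stating in the summary that relabel_dirs_pattern grants relabelfrom as well as relabelto on pstore_t, e.g. `## Relabel pstore directories (relabelfrom and relabelto on pstore_t).`, since a caller that only needs one direction is getting both.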