From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 23 Oct 2016 19:28:47 -0400
Subject: [refpolicy] [PATCH] single binary modutils
In-Reply-To: <4296907.6ikEAEzyRm@russell.coker.com.au>
References: <20160731123441.dcfgg3ln6z7u43f3@athena.coker.com.au>
	<64191a41-447c-83ab-dfab-2fcaa1275356@ieee.org>
	<4296907.6ikEAEzyRm@russell.coker.com.au>
Message-ID: <567f6e42-7ca8-86d3-f8ef-be02395c3ba1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/21/16 04:35, Russell Coker wrote:
> On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
>> On 07/31/16 08:34, Russell Coker wrote:
>>> The following patch deals with a single binary for modutils, so depmod_t,
>>> and insmod_t are merged.
>>
>> Since the main SELinux distros (including RHEL/CentOS 7) all have merged
>> modutils these days, I'm open to taking a patch that fully merges these
>> domains (in which case renaming to kmod_t, with proper aliasing seems
>> the best idea).
>>
>> However, it's been some time since I used a busybox-based system; does
>> busybox still have separated tools?  Yes, this is a bit of an obvious
>> question since busybox is also single-binary, but IIRC, the embedded
>> guys made some tiny helper scripts or executables so proper
>> transitioning could occur.  Separate domains may still make sense.
>
> As we have had no response from Busybox users in the last 3 months and also no
> response to the thread Luis started in 2013 I think it's safe to assume that
> they don't need this.
>
> I've attached a new patch which renames to kmod_t as you suggested.  Please
> consider it for inclusion.
>
> Description: Change modutils policy to match the use of a single binary
> Author: Russell Coker <russell@coker.com.au>
> Last-Update: 2014-06-25
>
> Index: refpolicy-2.20160928/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20160928/policy/modules/system/modutils.te
> @@ -5,18 +5,15 @@ policy_module(modutils, 1.16.0)
>  # Declarations
>  #
>
> -attribute_role update_modules_roles;
> +type kmod_t;
> +typealias kmod_t alias { insmod_t depmod_t update_modules_t };

Nitpicky, but I'd prefer to have the aliases on the type declaration 
line here (and below)

> -type depmod_t;
> -type depmod_exec_t;
> -init_system_domain(depmod_t, depmod_exec_t)
> -role system_r types depmod_t;
> -
> -type insmod_t;
> -type insmod_exec_t;
> -application_domain(insmod_t, insmod_exec_t)
> -mls_file_write_all_levels(insmod_t)
> -role system_r types insmod_t;
> +type kmod_exec_t;
> +typealias kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
> +
> +application_domain(kmod_t, kmod_exec_t)
> +mls_file_write_all_levels(kmod_t)
> +role system_r types kmod_t;
>
>  # module loading config
>  type modules_conf_t;
> @@ -26,306 +23,164 @@ files_type(modules_conf_t)
>  type modules_dep_t;
>  files_type(modules_dep_t)
>
> -type update_modules_t;
> -type update_modules_exec_t;
> -init_system_domain(update_modules_t, update_modules_exec_t)

It looks like the init_system_domain() was lost.

> -roleattribute system_r update_modules_roles;
> -role update_modules_roles types update_modules_t;

This removal appears to break modutils_run_update_mods() at least.


> -type update_modules_tmp_t;
> -files_tmp_file(update_modules_tmp_t)
> -
> -########################################
> -#
> -# depmod local policy
> -#
> -
> -can_exec(depmod_t, depmod_exec_t)
> -
> -# Read conf.modules.
> -read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
> -
> -allow depmod_t modules_dep_t:file manage_file_perms;
> -files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
> -
> -kernel_read_system_state(depmod_t)
> -
> -corecmd_search_bin(depmod_t)
> -
> -domain_use_interactive_fds(depmod_t)
> -
> -files_read_kernel_symbol_table(depmod_t)
> -files_read_kernel_modules(depmod_t)
> -files_read_etc_runtime_files(depmod_t)
> -files_read_etc_files(depmod_t)
> -files_read_usr_src_files(depmod_t)
> -files_list_usr(depmod_t)
> -
> -fs_getattr_xattr_fs(depmod_t)
> -
> -term_use_console(depmod_t)
> -
> -init_use_fds(depmod_t)
> -init_use_script_fds(depmod_t)
> -init_use_script_ptys(depmod_t)
> -
> -userdom_use_user_terminals(depmod_t)
> -# Read System.map from home directories.
> -files_list_home(depmod_t)
> -userdom_read_user_home_content_files(depmod_t)
> -
> -ifdef(`distro_ubuntu',`
> -	optional_policy(`
> -		unconfined_domain(depmod_t)
> -	')
> -')
> -
> -tunable_policy(`use_nfs_home_dirs',`
> -	fs_read_nfs_files(depmod_t)
> -')
> -
> -tunable_policy(`use_samba_home_dirs',`
> -	fs_read_cifs_files(depmod_t)
> -')
> -
> -optional_policy(`
> -	rpm_rw_pipes(depmod_t)
> -	rpm_manage_script_tmp_files(depmod_t)
> -')
> -
> -optional_policy(`
> -	# Read System.map from home directories.
> -	unconfined_domain(depmod_t)
> -')
> +type kmod_var_run_t;
> +files_pid_file(kmod_var_run_t)

Please move these above the modules_*_t declarations.


>  ########################################
>  #
>  # insmod local policy
>  #
>
> -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> -allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
> +allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> +allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
>
> -allow insmod_t self:udp_socket create_socket_perms;
> -allow insmod_t self:rawip_socket create_socket_perms;
> +allow kmod_t self:udp_socket create_socket_perms;
> +allow kmod_t self:rawip_socket create_socket_perms;
>
>  # Read module config and dependency information
> -list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
> -read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
> -list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
> -read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
> -
> -can_exec(insmod_t, insmod_exec_t)
> -
> -kernel_load_module(insmod_t)
> -kernel_request_load_module(insmod_t)
> -kernel_read_system_state(insmod_t)
> -kernel_read_network_state(insmod_t)
> -kernel_write_proc_files(insmod_t)
> -kernel_mount_debugfs(insmod_t)
> -kernel_mount_kvmfs(insmod_t)
> -kernel_read_debugfs(insmod_t)
> +list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
> +read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
> +list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
> +create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +
> +can_exec(kmod_t, kmod_exec_t)
> +
> +kernel_load_module(kmod_t)
> +kernel_request_load_module(kmod_t)
> +kernel_read_system_state(kmod_t)
> +kernel_read_network_state(kmod_t)
> +kernel_write_proc_files(kmod_t)
> +kernel_mount_debugfs(kmod_t)
> +kernel_mount_kvmfs(kmod_t)
> +kernel_read_debugfs(kmod_t)
>  # Rules for /proc/sys/kernel/tainted
> -kernel_read_kernel_sysctls(insmod_t)
> -kernel_rw_kernel_sysctl(insmod_t)
> -kernel_read_hotplug_sysctls(insmod_t)
> -kernel_setsched(insmod_t)
> +kernel_read_kernel_sysctls(kmod_t)
> +kernel_rw_kernel_sysctl(kmod_t)
> +kernel_read_hotplug_sysctls(kmod_t)
> +kernel_setsched(kmod_t)
>  # for when /var is not mounted early in the boot:
> -kernel_dontaudit_search_unlabeled(insmod_t)
> +kernel_dontaudit_search_unlabeled(kmod_t)
>
> -corecmd_exec_bin(insmod_t)
> -corecmd_exec_shell(insmod_t)
> +corecmd_exec_bin(kmod_t)
> +corecmd_exec_shell(kmod_t)
>
> -dev_rw_sysfs(insmod_t)
> -dev_search_usbfs(insmod_t)
> -dev_rw_mtrr(insmod_t)
> -dev_read_urand(insmod_t)
> -dev_rw_agp(insmod_t)
> -dev_read_sound(insmod_t)
> -dev_write_sound(insmod_t)
> -dev_rw_apm_bios(insmod_t)
> -
> -domain_signal_all_domains(insmod_t)
> -domain_use_interactive_fds(insmod_t)
> -
> -files_read_kernel_modules(insmod_t)
> -files_read_etc_runtime_files(insmod_t)
> -files_read_etc_files(insmod_t)
> -files_read_usr_files(insmod_t)
> -files_exec_etc_files(insmod_t)
> +# for /run/tmpfiles.d/kmod.conf
> +files_pid_filetrans(kmod_t, kmod_var_run_t, dir)
> +allow kmod_t kmod_var_run_t:dir manage_dir_perms;
> +allow kmod_t kmod_var_run_t:file manage_file_perms;

Please move these three kmod_var_run_t lines above the modules_conf_t 
group of lines (line 35 from what I see).

[...]

>  # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
> Index: refpolicy-2.20160928/policy/modules/kernel/terminal.if
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/kernel/terminal.if
> +++ refpolicy-2.20160928/policy/modules/kernel/terminal.if
> @@ -1121,6 +1121,26 @@ interface(`term_getattr_unallocated_ttys
>
>  ########################################
>  ## <summary>
> +##	Setattr and unlink unallocated tty device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`term_setattr_unlink_unallocated_ttys',`

There already are term_(get|set)attr_unallocated_ttys, so I'd prefer to 
add a delete one for the unlink perm.


> +	gen_require(`
> +		type tty_device_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 tty_device_t:chr_file { getattr setattr unlink };
> +')
> +


-- 
Chris PeBenito