From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 23 Oct 2016 19:28:47 -0400 Subject: [refpolicy] [PATCH] single binary modutils In-Reply-To: <4296907.6ikEAEzyRm@russell.coker.com.au> References: <20160731123441.dcfgg3ln6z7u43f3@athena.coker.com.au> <64191a41-447c-83ab-dfab-2fcaa1275356@ieee.org> <4296907.6ikEAEzyRm@russell.coker.com.au> Message-ID: <567f6e42-7ca8-86d3-f8ef-be02395c3ba1@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/21/16 04:35, Russell Coker wrote: > On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote: >> On 07/31/16 08:34, Russell Coker wrote: >>> The following patch deals with a single binary for modutils, so depmod_t, >>> and insmod_t are merged. >> >> Since the main SELinux distros (including RHEL/CentOS 7) all have merged >> modutils these days, I'm open to taking a patch that fully merges these >> domains (in which case renaming to kmod_t, with proper aliasing seems >> the best idea). >> >> However, it's been some time since I used a busybox-based system; does >> busybox still have separated tools? Yes, this is a bit of an obvious >> question since busybox is also single-binary, but IIRC, the embedded >> guys made some tiny helper scripts or executables so proper >> transitioning could occur. Separate domains may still make sense. > > As we have had no response from Busybox users in the last 3 months and also no > response to the thread Luis started in 2013 I think it's safe to assume that > they don't need this. > > I've attached a new patch which renames to kmod_t as you suggested. Please > consider it for inclusion. 
>
> Description: Change modutils policy to match the use of a single binary
> Author: Russell Coker
> Last-Update: 2014-06-25
>
> Index: refpolicy-2.20160928/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20160928/policy/modules/system/modutils.te
> @@ -5,18 +5,15 @@ policy_module(modutils, 1.16.0)
> # Declarations
> #
>
> -attribute_role update_modules_roles;
> +type kmod_t;
> +typealias kmod_t alias { insmod_t depmod_t update_modules_t };

Nitpicky, but I'd prefer to have the aliases on the type declaration line here (and below)

> -type depmod_t;
> -type depmod_exec_t;
> -init_system_domain(depmod_t, depmod_exec_t)
> -role system_r types depmod_t;
> -
> -type insmod_t;
> -type insmod_exec_t;
> -application_domain(insmod_t, insmod_exec_t)
> -mls_file_write_all_levels(insmod_t)
> -role system_r types insmod_t;
> +type kmod_exec_t;
> +typealias kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
> +
> +application_domain(kmod_t, kmod_exec_t)
> +mls_file_write_all_levels(kmod_t)
> +role system_r types kmod_t;
>
> # module loading config
> type modules_conf_t;
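Review bot: `mls_file_write_all_levels(kmod_t)` now covers every code path folded into the merged domain, whereas in the removed lines only insmod_t carried that MLS write override and the depmod_t and update_modules_t paths (which write modules.dep and tmp files) did not. If the override is still only needed for module loading, a why-comment on that line would record the widened scope, e.g. `# MLS write override was insmod-only before the depmod/update_modules merge`. The hunk header context still shows `policy_module(modutils, 1.16.0)`; refpolicy convention is to bump the module version with a policy change, so this likely wants a bump unless the maintainer handles it on apply.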
> @@ -26,306 +23,164 @@ files_type(modules_conf_t)
> type modules_dep_t;
> files_type(modules_dep_t)
>
> -type update_modules_t;
> -type update_modules_exec_t;
> -init_system_domain(update_modules_t, update_modules_exec_t)

It looks like the init_system_domain() was lost.

> -roleattribute system_r update_modules_roles;
> -role update_modules_roles types update_modules_t;

This removal appears to break modutils_run_update_mods() at least.

> -type update_modules_tmp_t;
> -files_tmp_file(update_modules_tmp_t)
> -
> -########################################
> -#
> -# depmod local policy
> -#
> -
> -can_exec(depmod_t, depmod_exec_t)
> -
> -# Read conf.modules.
> -read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
> -
> -allow depmod_t modules_dep_t:file manage_file_perms;
> -files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
> -
> -kernel_read_system_state(depmod_t)
> -
> -corecmd_search_bin(depmod_t)
> -
> -domain_use_interactive_fds(depmod_t)
> -
> -files_read_kernel_symbol_table(depmod_t)
> -files_read_kernel_modules(depmod_t)
> -files_read_etc_runtime_files(depmod_t)
> -files_read_etc_files(depmod_t)
> -files_read_usr_src_files(depmod_t)
> -files_list_usr(depmod_t)
> -
> -fs_getattr_xattr_fs(depmod_t)
> -
> -term_use_console(depmod_t)
> -
> -init_use_fds(depmod_t)
> -init_use_script_fds(depmod_t)
> -init_use_script_ptys(depmod_t)
> -
> -userdom_use_user_terminals(depmod_t)
> -# Read System.map from home directories.
> -files_list_home(depmod_t)
> -userdom_read_user_home_content_files(depmod_t)
> -
> -ifdef(`distro_ubuntu',`
> - optional_policy(`
> - unconfined_domain(depmod_t)
> - ')
> -')
> -
> -tunable_policy(`use_nfs_home_dirs',`
> - fs_read_nfs_files(depmod_t)
> -')
> -
> -tunable_policy(`use_samba_home_dirs',`
> - fs_read_cifs_files(depmod_t)
> -')
> -
> -optional_policy(`
> - rpm_rw_pipes(depmod_t)
> - rpm_manage_script_tmp_files(depmod_t)
> -')
> -
> -optional_policy(`
> - # Read System.map from home directories.
> - unconfined_domain(depmod_t)
> -')
> +type kmod_var_run_t;
> +files_pid_file(kmod_var_run_t)

Please move these above the modules_*_t declarations.

> ########################################
> #
> # insmod local policy
> #
>
> -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> -allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
> +allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> +allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
>
> -allow insmod_t self:udp_socket create_socket_perms;
> -allow insmod_t self:rawip_socket create_socket_perms;
> +allow kmod_t self:udp_socket create_socket_perms;
> +allow kmod_t self:rawip_socket create_socket_perms;
>
> # Read module config and dependency information
> -list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
> -read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
> -list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
> -read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
> -
> -can_exec(insmod_t, insmod_exec_t)
> -
> -kernel_load_module(insmod_t)
> -kernel_request_load_module(insmod_t)
> -kernel_read_system_state(insmod_t)
> -kernel_read_network_state(insmod_t)
> -kernel_write_proc_files(insmod_t)
> -kernel_mount_debugfs(insmod_t)
> -kernel_mount_kvmfs(insmod_t)
> -kernel_read_debugfs(insmod_t)
> +list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
> +read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
> +list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
> +create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +
> +can_exec(kmod_t, kmod_exec_t)
> +
> +kernel_load_module(kmod_t)
> +kernel_request_load_module(kmod_t)
> +kernel_read_system_state(kmod_t)
> +kernel_read_network_state(kmod_t)
> +kernel_write_proc_files(kmod_t)
> +kernel_mount_debugfs(kmod_t)
> +kernel_mount_kvmfs(kmod_t)
> +kernel_read_debugfs(kmod_t)
> # Rules for /proc/sys/kernel/tainted
> -kernel_read_kernel_sysctls(insmod_t)
> -kernel_rw_kernel_sysctl(insmod_t)
> -kernel_read_hotplug_sysctls(insmod_t)
> -kernel_setsched(insmod_t)
> +kernel_read_kernel_sysctls(kmod_t)
> +kernel_rw_kernel_sysctl(kmod_t)
> +kernel_read_hotplug_sysctls(kmod_t)
> +kernel_setsched(kmod_t)
> # for when /var is not mounted early in the boot:
> -kernel_dontaudit_search_unlabeled(insmod_t)
> +kernel_dontaudit_search_unlabeled(kmod_t)
>
> -corecmd_exec_bin(insmod_t)
> -corecmd_exec_shell(insmod_t)
> +corecmd_exec_bin(kmod_t)
> +corecmd_exec_shell(kmod_t)
>
> -dev_rw_sysfs(insmod_t)
> -dev_search_usbfs(insmod_t)
> -dev_rw_mtrr(insmod_t)
> -dev_read_urand(insmod_t)
> -dev_rw_agp(insmod_t)
> -dev_read_sound(insmod_t)
> -dev_write_sound(insmod_t)
> -dev_rw_apm_bios(insmod_t)
> -
> -domain_signal_all_domains(insmod_t)
> -domain_use_interactive_fds(insmod_t)
> -
> -files_read_kernel_modules(insmod_t)
> -files_read_etc_runtime_files(insmod_t)
> -files_read_etc_files(insmod_t)
> -files_read_usr_files(insmod_t)
> -files_exec_etc_files(insmod_t)
> +# for /run/tmpfiles.d/kmod.conf
> +files_pid_filetrans(kmod_t, kmod_var_run_t, dir)
> +allow kmod_t kmod_var_run_t:dir manage_dir_perms;
> +allow kmod_t kmod_var_run_t:file manage_file_perms;

Please move these three kmod_var_run_t lines above the modules_conf_t group of lines (line 35 from what I see).

[...]

> # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
> Index: refpolicy-2.20160928/policy/modules/kernel/terminal.if
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/kernel/terminal.if
> +++ refpolicy-2.20160928/policy/modules/kernel/terminal.if
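Review bot: The new `filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)`, `create_files_pattern(kmod_t, modules_object_t, modules_dep_t)` and `delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)` lines name `modules_object_t` directly, a type this module does not declare and that belongs to the files module; the removed depmod rule reached the same directory through `files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)`. Refpolicy convention is to use the owning module's interfaces rather than reference its types in another module's .te (which would also need a gen_require that is not visible here), so this should become `files_kernel_modules_filetrans(kmod_t, modules_dep_t, file)` plus a files.if interface for the create/delete access if none exists. The hunk is elided at `[...]`, so whether the removed `dev_*`, `domain_*` and `files_read_*` rules for insmod_t are re-added for kmod_t cannot be checked from this excerpt; the hunk continues beyond the quoted lines.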
> @@ -1121,6 +1121,26 @@ interface(`term_getattr_unallocated_ttys
>
> ########################################
> ##
> +## Setattr and unlink unallocated tty device nodes.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`term_setattr_unlink_unallocated_ttys',`

There already are term_(get|set)attr_unallocated_ttys, so I'd prefer to add a delete one for the unlink perm.

> + gen_require(`
> + type tty_device_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 tty_device_t:chr_file { getattr setattr unlink };
> +')
> +

-- 
Chris PeBenito
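Review bot: The new interface grants `unlink` on `tty_device_t` chr_file, a destructive permission on device nodes, but its call site is not in the visible part of the patch and the summary does not say which domain needs it or what that domain does with the nodes, so the access cannot be judged from the interface alone. The summary should name the purpose, e.g. `## Setattr and unlink unallocated tty device nodes (for a caller that removes or recreates tty nodes under /dev).`, and the call in modutils.te should carry a matching why-comment. The XML documentation block also appears in this rendering without its `<summary>` and `<param name="domain">` tags; presumably the archive stripped them, but confirm they are intact in the actual patch.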