From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Dec 2016 23:16:46 +0100 (CET)
Subject: [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
Message-ID: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The aim of this patch is to start securing the init module so that it can run in confined mode instead of in the most unsafe unconfined mode. At the moment it has been fully tested only with sysvinit. Testing with other init daemons is needed before this is released, so a "permissive" statement has been added in order to log further needed permissions during this testing phase (with systemd, upstart, and so on).

Signed-off-by: Guido Trentalancia
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 policy/modules/system/init.te | 26 ++++++++++++++++++++++----
 3 files changed, 58 insertions(+), 4 deletions(-)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
 ########################################
 ##
+## Mount a sysfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+##
 ## Associate a file to a sysfs filesystem.
 ##
 ##
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
 ########################################
 ##
+## Mount the proc filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+##
 ## Unmount the proc filesystem.
 ##
 ##
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
 dev_read_sysfs(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
 selinux_set_all_booleans(init_t)
 term_use_all_terms(init_t)
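Review bot: selinux_load_policy(init_t) and selinux_mount_fs(init_t) in the @@ -174 hunk are added unconditionally, so init_t gains load_policy in every init-daemon configuration, while the rest of init.te scopes daemon-specific permissions in ifdef(`init_systemd',` blocks (one is visible in the @@ -190 hunk). load_policy is the most security-sensitive permission in this patch, since it lets the domain replace the very policy that confines it, and the description says only the sysvinit configuration has been tested. If these two calls are there because sysvinit itself loads the initial policy and re-execs, a short why comment above them such as `# sysvinit loads the initial policy and mounts selinuxfs itself` would keep a later reader from dropping or widening them blindly; the same kind of note would help the new mount calls in the @@ -134 and @@ -141 hunks, which otherwise sit without the explanatory comments their neighbours carry (`# Early devtmpfs`).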
@@ -190,6 +197,21 @@ seutil_read_config(init_t)
 miscfiles_read_localization(init_t)
+# Before moving to an init module which does
+# not call unconfined_domain(), we test
+# to discover possible side-effects, by
+# temporarily using the "permissive"
+# statement which logs further needed
+# permissions...
+#
+# The current module has already been
+# fully tested with sysvinit.
+#
+# The following line should be removed
+# as soon as the module has been tested
+# with the other init daemons.
+permissive init_t;
+
 ifdef(`init_systemd',`
 # handle instances where an old labeled init script is encountered.
 typeattribute init_t init_run_all_scripts_domain;
@@ -345,10 +367,6 @@ optional_policy(`
 sssd_stream_connect(init_t)
 ')
-optional_policy(`
- unconfined_domain(init_t)
-')
-
 ########################################
 #
 # Init script local policy
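Review bot: `permissive init_t;` in the @@ -190 hunk is unconditional, so it also switches off enforcement for the sysvinit configuration that the comment above it and the description say is already fully tested; in that configuration any permission the new rules miss is silently granted rather than denied, and it only shows up in the audit log if the access happens to be exercised during the test run. Since the stated purpose is to discover what the other init daemons need, the statement could be limited to those builds, for example placed inside per-daemon blocks like the `ifdef(`init_systemd',`" block a few lines below, leaving sysvinit enforcing. The thirteen-line comment could also be reduced to a single greppable marker, e.g. `# TODO: temporary while non-sysvinit init daemons are tested confined; remove before release.`, so the removal the comment promises is easy to find later.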