From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Dec 2016 23:16:46 +0100 (CET)
Subject: [refpolicy] [PATCH] init: run sysvinit without the dangerous
 unconfined_domain() call
Message-ID: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The aim of this patch is to start securing the init module so
that it can run in confined mode instead of in the most unsafe
unconfined mode.

At the moment it has been fully tested only with sysvinit.

Testing with other init daemons is needed before this is
released, so a "permissive" statement has been added in
order to log further needed permissions during this testing
phase (with systemd, upstart, and so on).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/devices.if |   18 ++++++++++++++++++
 policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
 policy/modules/system/init.te    |   26 ++++++++++++++++++++++----
 3 files changed, 58 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if	2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
 
 ########################################
 ## <summary>
+##	Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if	2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
 
 ########################################
 ## <summary>
+##	Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te	2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
 dev_read_sysfs(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
 selinux_set_all_booleans(init_t)
 
 term_use_all_terms(init_t)
@@ -190,6 +197,21 @@ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+# Before moving to an init module which does
+# not call unconfined_domain(), we test
+# to discover possible side-effects, by
+# temporarily using the "permissive"
+# statement which logs further needed
+# permissions...
+#
+# The current module has already been
+# fully tested with sysvinit.
+#
+# The following line should be removed
+# as soon as the module has been tested
+# with the other init daemons.
+permissive init_t;
+
 ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
@@ -345,10 +367,6 @@ optional_policy(`
 	sssd_stream_connect(init_t)
 ')
 
-optional_policy(`
-	unconfined_domain(init_t)
-')
-
 ########################################
 #
 # Init script local policy