From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Dec 2016 23:56:33 +0100 (CET)
Subject: [refpolicy] [PATCH v2] init: run sysvinit without the dangerous unconfined_domain() call
Message-ID: <951099772.14526.1482879393176.JavaMail.open-xchange@popper05.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The aim of this patch is to start securing the init module so that it can run in confined mode instead of in the most unsafe unconfined mode.

At the moment it has been fully tested only with sysvinit.

Signed-off-by: Guido Trentalancia
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.if  | 18 ++++++++++++++++++
 policy/modules/system/init.te    | 11 +++++++----
 3 files changed, 43 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if	2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
 ########################################
 ##
+## Mount a sysfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+##
 ## Associate a file to a sysfs filesystem.
 ##
 ##
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if	2016-12-27 22:51:01.009904157 +0100
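Review bot: The new `dev_mount_sysfs()` interface grants only `sysfs_t:filesystem mount`, which is not enough on its own: the caller also needs `mounton` on the directory it mounts over, which this patch supplies through the separate `dev_mounton_sysfs()` call it pairs with in init.te. The interface description should say so, otherwise the next caller will add `dev_mount_sysfs()` alone and chase a `mounton` denial; something like `## Mount a sysfs filesystem. Callers normally also need dev_mounton_sysfs() on the mount point.` in the summary/description. The same remark applies to `kernel_mount_proc()` and `kernel_mounton_proc_dirs()` in the kernel.if hunk.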
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
 ########################################
 ##
+## Mount the proc filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+##
 ## Unmount the proc filesystem.
 ##
 ##
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te	2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
 dev_read_sysfs(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
 selinux_set_all_booleans(init_t)
 term_use_all_terms(init_t)
 
@@ -345,10 +367,6 @@ optional_policy(`
 	sssd_stream_connect(init_t)
 ')
 
-optional_policy(`
-	unconfined_domain(init_t)
-')
-
 ########################################
 #
 # Init script local policy
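Review bot: `selinux_load_policy(init_t)` in the init.te hunk at new line 179 hands init_t the `load_policy` permission, which lets the domain replace the running policy outright, so a compromised init keeps essentially the same power over the policy that dropping `unconfined_domain()` was meant to take away. It is presumably needed because sysvinit loads the initial policy itself at boot when no initramfs has done so — confirm — but that reason belongs next to the call, e.g. `# sysvinit loads the initial policy at boot; load_policy also lets init_t replace the running policy, keep this scoped to init_t only`. If the initial load is the only use, also check whether `selinux_mount_fs(init_t)` plus a read of the policy file is all that is really exercised, and note any remaining denials observed in the commit message.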
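Review bot: The removal of the `optional_policy(` block around `unconfined_domain(init_t)` in the last init.te hunk applies to every init implementation built from this module, while the description says the change has been fully tested only with sysvinit; systemd running as init_t needs far more than the handful of permissions this patch adds and will likely hit denials in enforcing mode. Consider keeping the `unconfined_domain(init_t)` call under refpolicy's build-time systemd switch (the `init_systemd` ifdef, if I recall the name correctly) until systemd is confined too, and stating explicitly in the commit message that systemd users should expect denials. A short comment at the old location, `# sysvinit no longer needs unconfined_domain(); systemd still does`, would record why the block is conditional rather than gone.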