From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 28 Dec 2016 14:02:00 -0500 Subject: [refpolicy] [PATCH v2] init: run sysvinit without the dangerous unconfined_domain() call In-Reply-To: <951099772.14526.1482879393176.JavaMail.open-xchange@popper05.register.it> References: <951099772.14526.1482879393176.JavaMail.open-xchange@popper05.register.it> Message-ID: <0c7d4fc5-e017-ac80-d5d4-9b329ddec960@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/27/16 17:56, Guido Trentalancia via refpolicy wrote: > The aim of this patch is to start securing the init module so > that it can run in confined mode instead of in the most unsafe > unconfined mode. > > At the moment it has been fully tested only with sysvinit. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/kernel/devices.if | 18 ++++++++++++++++++ > policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ > policy/modules/system/init.te | 11 +++++++---- > 3 files changed, 43 insertions(+), 4 deletions(-) > > diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > --- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100 > +++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100 > @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',` > > ######################################## > ## > +## Mount a sysfs filesystem. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_mount_sysfs',` > + gen_require(` > + type sysfs_t; > + ') > + > + allow $1 sysfs_t:filesystem mount; > +') > + > +######################################## > +## > ## Associate a file to a sysfs filesystem. > ## > ## > diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if > --- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100 > +++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100 
> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',` > > ######################################## > ## > +## Mount the proc filesystem. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_mount_proc',` > + gen_require(` > + type proc_t; > + ') > + > + allow $1 proc_t:filesystem mount; > +') > + > +######################################## > +## > ## Unmount the proc filesystem. > ## > ## > diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te > --- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100 > +++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100 > @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi > # Modify utmp. > allow init_t initrc_var_run_t:file { rw_file_perms setattr }; > > +kernel_mounton_proc_dirs(init_t) > +kernel_mount_proc(init_t) > kernel_read_system_state(init_t) > kernel_share_state(init_t) > kernel_dontaudit_search_unlabeled(init_t) > @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t > corecmd_exec_chroot(init_t) > corecmd_exec_bin(init_t) > > +dev_mounton_sysfs(init_t) > +dev_mount_sysfs(init_t) > dev_read_sysfs(init_t) > # Early devtmpfs > dev_rw_generic_chr_files(init_t) > @@ -162,6 +166,7 @@ files_exec_etc_files(init_t) > files_dontaudit_rw_root_files(init_t) > files_dontaudit_rw_root_chr_files(init_t) > > +fs_getattr_xattr_fs(init_t) > fs_list_inotifyfs(init_t) > # cjp: this may be related to /dev/log > fs_write_ramfs_sockets(init_t) > @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t) > mls_process_write_all_levels(init_t) > mls_fd_use_all_levels(init_t) > > +selinux_load_policy(init_t) > +selinux_mount_fs(init_t) > selinux_set_all_booleans(init_t) Sysvinit shouldn't need this access since it only loads the policy if it hasn't been loaded yet. I still run sysvinit systems and don't have these rules. 
> @@ -345,10 +367,6 @@ optional_policy(` > sssd_stream_connect(init_t) > ') > > -optional_policy(` > - unconfined_domain(init_t) > -') > - Don't remove this. -- Chris PeBenito
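Review bot: the first init.te hunk adds `kernel_mounton_proc_dirs(init_t)` and `kernel_mount_proc(init_t)` without any justification in the commit message; please quote the AVC denial, or name the sysvinit code path, that shows /sbin/init itself mounting proc rather than an rc script running in another domain, since a mount permission that init_t never exercises only widens the domain the subject line says it is tightening.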
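Review bot: the same question applies to the second init.te hunk, where `dev_mounton_sysfs(init_t)` and `dev_mount_sysfs(init_t)` are added; the description says the patch was fully tested only with sysvinit, so state which init binary actually performs the sysfs mount and include the denial that motivated both lines, or drop them.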
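Review bot: `selinux_load_policy(init_t)` and `selinux_mount_fs(init_t)` in the fourth init.te hunk grant init_t the ability to mount selinuxfs and replace the loaded policy, which is the most sensitive access a domain can hold; a patch whose purpose is to remove `unconfined_domain()` should not add it at the same time. If a denial was seen at boot, quote it in the commit message and consider a dontaudit rule instead, since the maintainer notes that sysvinit only loads the policy when none is loaded yet.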
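Review bot: the final hunk deletes the `optional_policy(` block containing `unconfined_domain(init_t)` for every init implementation that runs as init_t, while the description admits the change has been fully tested only with sysvinit; any other init program would then hit denials at boot before any log is reachable. Either hold the removal until the other inits the policy supports have been exercised and document that test matrix in the commit message, or gate it so the rest of the patch can go in first.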