From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 28 Dec 2016 21:45:27 +0100
Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
In-Reply-To: <20161228000230.798bf64d@gentp.lnet>
References: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it> <20161227233846.6ed0ebf0@gentp.lnet> <1320659434.14525.1482879298312.JavaMail.open-xchange@popper05.register.it> <20161228000230.798bf64d@gentp.lnet>
Message-ID: <1482957927.2738.12.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Originally the aim of this patch was to start securing the init module so that it could run in confined mode instead of in the most unsafe unconfined mode, and therefore the patch was removing the call to unconfined_domain().

However, the removal of the unconfined_domain() call has been rejected on the basis of the fact that it can be avoided by not loading the "unconfined" policy module (which, unfortunately, at the moment still gets added to the configuration file during "make conf").

Currently, this second version of the patch no longer removes the call to unconfined_domain() and it only adds permissions needed by sysvinit (most notably the ability to load the policy during the system boot).

Signed-off-by: Guido Trentalancia
--- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 7 +++++++ 3 files changed, 43 insertions(+) diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if --- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100 +++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',` ######################################## ## +## Mount a sysfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem mount; +') + +######################################## +## ## Associate a file to a sysfs filesystem. ## ## diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if --- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100 +++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100 @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',` ######################################## ## +## Mount the proc filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem mount; +') + +######################################## +## ## Unmount the proc filesystem. ## ## diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te --- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100 +++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100 @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi # Modify utmp. allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +kernel_mounton_proc_dirs(init_t) +kernel_mount_proc(init_t) kernel_read_system_state(init_t) kernel_share_state(init_t) kernel_dontaudit_search_unlabeled(init_t) @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) +dev_mounton_sysfs(init_t) +dev_mount_sysfs(init_t) dev_read_sysfs(init_t) # Early devtmpfs dev_rw_generic_chr_files(init_t) 
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t) files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) +fs_getattr_xattr_fs(init_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t) mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) +selinux_load_policy(init_t) +selinux_mount_fs(init_t) selinux_set_all_booleans(init_t) term_use_all_terms(init_t)
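Review bot: in the first init.te hunk, kernel_mounton_proc_dirs(init_t) is listed before kernel_mount_proc(init_t); putting kernel_mount_proc first keeps the pair in alphabetical order ("mount_" sorts before "mounton"), and the same reordering applies to the dev_mounton_sysfs / dev_mount_sysfs pair in the second init.te hunk.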
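Review bot: fs_getattr_xattr_fs(init_t) in the third init.te hunk is the one addition that neither the commit message nor the subject line accounts for; the message names only policy loading as the notable new permission, so a sentence recording the denial or the boot step behind this call (and ideally behind the proc and sysfs mount calls as well) would let reviewers check that each new rule is actually required by sysvinit rather than carried over from the v1 patch.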
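Review bot: selinux_load_policy(init_t) and selinux_mount_fs(init_t) in the last init.te hunk are added unconditionally, although the subject line scopes the change to sysvinit support; load_policy is the permission the subject line itself singles out as the sensitive one, so if init_t does not need to load policy itself on configurations that use a different init, consider guarding these two calls (and the proc/sysfs mount calls above them) with the same conditional the module already uses to distinguish init implementations, so the permission is not granted where it is unused.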