From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 29 Dec 2016 23:49:42 +0100 Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy Message-ID: <1483051782.12123.10.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the initrc_t domain policy in the init module with some missing permissions. Signed-off-by: Guido Trentalancia --- policy/modules/kernel/terminal.if | 21 +++++++++++++++++++++ policy/modules/system/init.te | 19 +++++++++++++++++-- 2 files changed, 38 insertions(+), 2 deletions(-) diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if --- a/policy/modules/kernel/terminal.if 2016-12-27 22:41:00.664390360 +0100 +++ b/policy/modules/kernel/terminal.if 2016-12-29 23:30:56.342306506 +0100 @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',` ######################################## ## +## Unlink BSD-style pty device +## nodes. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_unlink_bsd_ptys',` + gen_require(` + type bsdpty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 bsdpty_device_t:chr_file { unlink }; +') + +######################################## +## ## Get the attributes of all unallocated ## tty device nodes. ## diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te --- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100 +++ b/policy/modules/system/init.te 2016-12-29 23:44:28.212518135 +0100 @@ -415,12 +415,16 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) kernel_rw_all_sysctls(initrc_t) +kernel_use_fds(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) # cjp: not sure why these are here; should use mount policy kernel_list_unlabeled(initrc_t) kernel_mounton_unlabeled_dirs(initrc_t) +# plymouth +kernel_stream_connect(initrc_t) + files_create_lock_dirs(initrc_t) files_pid_filetrans_lock_dir(initrc_t, "lock") files_read_kernel_symbol_table(initrc_t) @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) # Early devtmpfs dev_rw_generic_chr_files(initrc_t) +# mcelog service +dev_read_kmsg(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) @@ -496,6 +502,8 @@ files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) +# manage the restorecond lock file +files_manage_generic_locks(initrc_t) # Mount and unmount file systems. # cjp: not sure why these are here; should use mount policy files_list_default(initrc_t) @@ -532,10 +540,12 @@ storage_setattr_removable_dev(initrc_t) term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) +term_unlink_bsd_ptys(initrc_t) auth_rw_login_records(initrc_t) auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) +auth_manage_faillog(initrc_t) auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) auth_delete_pam_console_data(initrc_t) @@ -831,12 +841,13 @@ optional_policy(` ') optional_policy(` - dev_getattr_printer_dev(initrc_t) - + cups_domtrans(initrc_t) cups_read_log(initrc_t) cups_read_rw_config(initrc_t) #cups init script clears error log cups_write_log(initrc_t) + + dev_getattr_printer_dev(initrc_t) ') optional_policy(` @@ -900,6 +911,10 @@ optional_policy(` ') optional_policy(` + iptables_read_config(initrc_t) +') + +optional_policy(` iscsi_stream_connect(initrc_t) iscsi_read_lib_files(initrc_t) ')