From: pebenito@ieee.org (Chris PeBenito)
Date: Fri, 30 Dec 2016 14:24:24 -0500
Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run
 sysvinit without the dangerous unconfined_domain() call")
In-Reply-To: <1482957927.2738.12.camel@trentalancia.net>
References: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it>
	<20161227233846.6ed0ebf0@gentp.lnet>
	<1320659434.14525.1482879298312.JavaMail.open-xchange@popper05.register.it>
	<20161228000230.798bf64d@gentp.lnet>
	<1482957927.2738.12.camel@trentalancia.net>
Message-ID: <e65513a4-1751-6eaa-0b7f-23ae8d7e835e@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> Originally the aim of this patch was to start securing the init
> module so that it could run in confined mode instead of in the
> most unsafe unconfined mode and therefore the patch was removing
> the call to unconfined_domain().
>
> However, the removal of the unconfined_domain() call has been
> rejected on the basis of the fact that it can be avoided by not
> loading the "unconfined" policy module (which unfortunately at
> the moment, still gets added to the configuration file during
> "make conf").
>
> Currently, this second version of the patch no longer removes the
> call to unconfined_domain() and it only adds permissions needed
> by sysvinit (most notably the ability to load the policy during
> the system boot).
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>  policy/modules/system/init.te    |    7 +++++++
>  3 files changed, 43 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
> +++ b/policy/modules/kernel/devices.if	2016-12-27 22:50:19.301315139 +0100
> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>
>  ########################################
>  ## <summary>
> +##	Mount a sysfs filesystem.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_mount_sysfs',`
> +	gen_require(`
> +		type sysfs_t;
> +	')
> +
> +	allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
>  ##	Associate a file to a sysfs filesystem.
>  ## </summary>
>  ## <param name="file_type">
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
> +++ b/policy/modules/kernel/kernel.if	2016-12-27 22:51:01.009904157 +0100
> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>
>  ########################################
>  ## <summary>
> +##	Mount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_mount_proc',`
> +	gen_require(`
> +		type proc_t;
> +	')
> +
> +	allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
>  ##	Unmount the proc filesystem.
>  ## </summary>
>  ## <param name="domain">
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te	2016-12-22 23:12:47.784929729 +0100
> +++ b/policy/modules/system/init.te	2016-12-27 23:05:37.731451479 +0100
> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>  # Modify utmp.
>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>
> +kernel_mounton_proc_dirs(init_t)
> +kernel_mount_proc(init_t)
>  kernel_read_system_state(init_t)
>  kernel_share_state(init_t)
>  kernel_dontaudit_search_unlabeled(init_t)
> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>  corecmd_exec_chroot(init_t)
>  corecmd_exec_bin(init_t)
>
> +dev_mounton_sysfs(init_t)
> +dev_mount_sysfs(init_t)
>  dev_read_sysfs(init_t)
>  # Early devtmpfs
>  dev_rw_generic_chr_files(init_t)
> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>  files_dontaudit_rw_root_files(init_t)
>  files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
>  fs_list_inotifyfs(init_t)
>  # cjp: this may be related to /dev/log
>  fs_write_ramfs_sockets(init_t)
> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>  mls_process_write_all_levels(init_t)
>  mls_fd_use_all_levels(init_t)
>
> +selinux_load_policy(init_t)
> +selinux_mount_fs(init_t)
>  selinux_set_all_booleans(init_t)
>
>  term_use_all_terms(init_t)

I'm not clear why this is necessary.  Sysvinit should only be loading 
the policy if is not loaded yet, so these permissions should be unnecessary.

-- 
Chris PeBenito