From: pebenito@ieee.org (Chris PeBenito) Date: Fri, 30 Dec 2016 14:24:24 -0500 Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") In-Reply-To: <1482957927.2738.12.camel@trentalancia.net> References: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it> <20161227233846.6ed0ebf0@gentp.lnet> <1320659434.14525.1482879298312.JavaMail.open-xchange@popper05.register.it> <20161228000230.798bf64d@gentp.lnet> <1482957927.2738.12.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote: > Originally the aim of this patch was to start securing the init > module so that it could run in confined mode instead of in the > most unsafe unconfined mode and therefore the patch was removing > the call to unconfined_domain(). > > However, the removal of the unconfined_domain() call has been > rejected on the basis of the fact that it can be avoided by not > loading the "unconfined" policy module (which unfortunately at > the moment, still gets added to the configuration file during > "make conf"). > > Currently, this second version of the patch no longer removes the > call to unconfined_domain() and it only adds permissions needed > by sysvinit (most notably the ability to load the policy during > the system boot). > > Signed-off-by: Guido Trentalancia > --- > policy/modules/kernel/devices.if | 18 ++++++++++++++++++ > policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ > policy/modules/system/init.te | 7 +++++++ > 3 files changed, 43 insertions(+) > > diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > --- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100 > +++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100 > @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',` > > ######################################## > ## > +## Mount a sysfs filesystem. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_mount_sysfs',` > + gen_require(` > + type sysfs_t; > + ') > + > + allow $1 sysfs_t:filesystem mount; > +') > + > +######################################## > +## > ## Associate a file to a sysfs filesystem. > ## > ## > diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if > --- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100 > +++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100 > @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',` > > ######################################## > ## > +## Mount the proc filesystem. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_mount_proc',` > + gen_require(` > + type proc_t; > + ') > + > + allow $1 proc_t:filesystem mount; > +') > + > +######################################## > +## > ## Unmount the proc filesystem. > ## > ## > diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te > --- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100 > +++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100 > @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi > # Modify utmp. > allow init_t initrc_var_run_t:file { rw_file_perms setattr }; > > +kernel_mounton_proc_dirs(init_t) > +kernel_mount_proc(init_t) > kernel_read_system_state(init_t) > kernel_share_state(init_t) > kernel_dontaudit_search_unlabeled(init_t) > @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t > corecmd_exec_chroot(init_t) > corecmd_exec_bin(init_t) > > +dev_mounton_sysfs(init_t) > +dev_mount_sysfs(init_t) > dev_read_sysfs(init_t) > # Early devtmpfs > dev_rw_generic_chr_files(init_t) > @@ -162,6 +166,7 @@ files_exec_etc_files(init_t) > files_dontaudit_rw_root_files(init_t) > files_dontaudit_rw_root_chr_files(init_t) > > +fs_getattr_xattr_fs(init_t) > fs_list_inotifyfs(init_t) > # cjp: this may be related to /dev/log > fs_write_ramfs_sockets(init_t) > @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t) > mls_process_write_all_levels(init_t) > mls_fd_use_all_levels(init_t) > > +selinux_load_policy(init_t) > +selinux_mount_fs(init_t) > selinux_set_all_booleans(init_t) > > term_use_all_terms(init_t) I'm not clear why this is necessary. Sysvinit should only be loading the policy if is not loaded yet, so these permissions should be unnecessary. -- Chris PeBenito