From: pebenito@ieee.org (Chris PeBenito)
Date: Fri, 30 Dec 2016 14:30:37 -0500
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To: <1483051782.12123.10.camel@trentalancia.net>
References: <1483051782.12123.10.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote:
> Update the initrc_t domain policy in the init module with some
> missing permissions.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/kernel/terminal.if | 21 +++++++++++++++++++++
> policy/modules/system/init.te | 19 +++++++++++++++++--
> 2 files changed, 38 insertions(+), 2 deletions(-)
>
> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> --- a/policy/modules/kernel/terminal.if 2016-12-27 22:41:00.664390360 +0100
> +++ b/policy/modules/kernel/terminal.if 2016-12-29 23:30:56.342306506 +0100
> @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',`
>
> ########################################
> ##
> +## Unlink BSD-style pty device
> +## nodes.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`term_unlink_bsd_ptys',`
> + gen_require(`
> + type bsdpty_device_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 bsdpty_device_t:chr_file { unlink };
> +')
> +
> +########################################
> +##
> ## Get the attributes of all unallocated
> ## tty device nodes.
> ##
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
> +++ b/policy/modules/system/init.te 2016-12-29 23:44:28.212518135 +0100
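Review bot: The new `term_unlink_bsd_ptys` interface grants `unlink` on `bsdpty_device_t` nodes but pairs it only with `dev_list_all_dev_nodes($1)`, and removing a directory entry also requires `remove_name` on the containing device directory, which this interface does not grant; either every caller already has that directory write access or the unlink will still be denied, so the AVC message that motivated the interface should be checked before merging. The braces around a single permission are not needed in refpolicy style: `allow $1 bsdpty_device_t:chr_file unlink;`. The interface name also departs from the convention visible elsewhere in this patch, where file removal is spelled `delete` (compare `auth_delete_pam_pid` in the init.te hunk), so `term_delete_bsd_ptys` would read consistently. Finally, the summary should say why a domain would remove pty nodes at all, since deleting device nodes is a destructive permission that later reviewers will want to reason about.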
> @@ -415,12 +415,16 @@ kernel_clear_ring_buffer(initrc_t)
> kernel_get_sysvipc_info(initrc_t)
> kernel_read_all_sysctls(initrc_t)
> kernel_rw_all_sysctls(initrc_t)
> +kernel_use_fds(initrc_t)
> # for lsof which is used by alsa shutdown:
> kernel_dontaudit_getattr_message_if(initrc_t)
> # cjp: not sure why these are here; should use mount policy
> kernel_list_unlabeled(initrc_t)
> kernel_mounton_unlabeled_dirs(initrc_t)
>
> +# plymouth
> +kernel_stream_connect(initrc_t)
Plymouth has a domain, so this seems unnecessary.
> files_create_lock_dirs(initrc_t)
> files_pid_filetrans_lock_dir(initrc_t, "lock")
> files_read_kernel_symbol_table(initrc_t)
> @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t)
> dev_getattr_all_chr_files(initrc_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(initrc_t)
> +# mcelog service
> +dev_read_kmsg(initrc_t)
mcelog is a service, so it shouldn't be running in initrc_t.
> domain_kill_all_domains(initrc_t)
> domain_signal_all_domains(initrc_t)
> @@ -496,6 +502,8 @@ files_exec_etc_files(initrc_t)
> files_read_usr_files(initrc_t)
> files_manage_urandom_seed(initrc_t)
> files_manage_generic_spool(initrc_t)
> +# manage the restorecond lock file
> +files_manage_generic_locks(initrc_t)
initrc_t can already delete all locks. Why does it need to create locks?
> # Mount and unmount file systems.
> # cjp: not sure why these are here; should use mount policy
> files_list_default(initrc_t)
> @@ -532,10 +540,12 @@ storage_setattr_removable_dev(initrc_t)
>
> term_use_all_terms(initrc_t)
> term_reset_tty_labels(initrc_t)
> +term_unlink_bsd_ptys(initrc_t)
>
> auth_rw_login_records(initrc_t)
> auth_setattr_login_records(initrc_t)
> auth_rw_lastlog(initrc_t)
> +auth_manage_faillog(initrc_t)
> auth_read_pam_pid(initrc_t)
> auth_delete_pam_pid(initrc_t)
> auth_delete_pam_console_data(initrc_t)
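Review bot: `kernel_use_fds(initrc_t)` in the first hunk is added without any comment, while the surrounding lines in this block each name the program that needs them (`# for lsof which is used by alsa shutdown:`); without that, nobody can later judge whether the descriptor use belongs in initrc_t or in a service's own domain. A one-line comment above it in the same style, naming the init script whose denial prompted the rule, would be enough, e.g. `# <init script name> inherits descriptors from the kernel`. If the rule came from a generic "make the denials go away" pass rather than a specific script, that is worth stating in the commit message instead.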
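Review bot: `auth_manage_faillog(initrc_t)` in the last hunk grants create, write and delete on the login-failure record, noticeably more than the read/write granted to the neighbouring `auth_rw_lastlog(initrc_t)`, and faillog is data an administrator relies on when investigating failed logins. If the init script only opens or truncates an existing file, the read/write faillog interface (the counterpart of `auth_rw_lastlog`) is the narrower fit; if it really has to create or remove the file, a comment naming that script should accompany the rule. The same applies to `term_unlink_bsd_ptys(initrc_t)` two lines above, which adds a destructive permission on device nodes with no comment saying which script removes BSD ptys at boot or shutdown.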
> @@ -831,12 +841,13 @@ optional_policy(`
> ')
>
> optional_policy(`
> - dev_getattr_printer_dev(initrc_t)
> -
> + cups_domtrans(initrc_t)
This should not be necessary, as cups is already an init_daemon_domain().
> cups_read_log(initrc_t)
> cups_read_rw_config(initrc_t)
> #cups init script clears error log
> cups_write_log(initrc_t)
> +
> + dev_getattr_printer_dev(initrc_t)
> ')
>
> optional_policy(`
> @@ -900,6 +911,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + iptables_read_config(initrc_t)
> +')
> +
> +optional_policy(`
> iscsi_stream_connect(initrc_t)
> iscsi_read_lib_files(initrc_t)
> ')
--
Chris PeBenito
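Review bot: The new `iptables_read_config(initrc_t)` block in the second hunk lets the generic init-script domain read the saved firewall ruleset directly, whereas the rest of the iptables work is expected to happen in iptables' own domain; the hunk gives no hint why initrc_t itself needs the file. If the reason is that the init script opens the rules file and hands it to the restore program on standard input, a comment saying so, `# iptables init script feeds the saved rules to iptables-restore`, would justify the read and tell a later reviewer not to move it; if the file is only tested for existence, a getattr-level interface would be the narrower choice. Presumably the rule was driven by a concrete denial, so quoting that in the commit message would settle it.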