From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 30 Dec 2016 21:01:22 +0100
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To: <c08dd357-9db1-d005-6e80-4234dd52c87d@ieee.org>
References: <1483051782.12123.10.camel@trentalancia.net>
	<c08dd357-9db1-d005-6e80-4234dd52c87d@ieee.org>
Message-ID: <c3317e74-accc-77bb-d7a8-d28aa4a50d2d@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/30/2016 08:30 PM, Chris PeBenito via refpolicy wrote:
> On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote:
>> Update the initrc_t domain policy in the init module with some
>> missing permissions.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/kernel/terminal.if |   21 +++++++++++++++++++++
>>  policy/modules/system/init.te     |   19 +++++++++++++++++--
>>  2 files changed, 38 insertions(+), 2 deletions(-)
>>
>> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
>> --- a/policy/modules/kernel/terminal.if	2016-12-27 22:41:00.664390360 +0100
>> +++ b/policy/modules/kernel/terminal.if	2016-12-29 23:30:56.342306506 +0100
>> @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',`
>>
>>  ########################################
>>  ## <summary>
>> +##	Unlink BSD-style pty device
>> +##	nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`term_unlink_bsd_ptys',`
>> +	gen_require(`
>> +		type bsdpty_device_t;
>> +	')
>> +
>> +	dev_list_all_dev_nodes($1)
>> +	allow $1 bsdpty_device_t:chr_file { unlink };
>> +')
>> +
>> +########################################
>> +## <summary>
>>  ##	Get the attributes of all unallocated
>>  ##	tty device nodes.
>>  ## </summary>
>> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
>> --- a/policy/modules/system/init.te	2016-12-29 22:48:16.456818544 +0100
>> +++ b/policy/modules/system/init.te	2016-12-29 23:44:28.212518135 +0100
>> @@ -415,12 +415,16 @@ kernel_clear_ring_buffer(initrc_t)
>>  kernel_get_sysvipc_info(initrc_t)
>>  kernel_read_all_sysctls(initrc_t)
>>  kernel_rw_all_sysctls(initrc_t)
>> +kernel_use_fds(initrc_t)
>>  # for lsof which is used by alsa shutdown:
>>  kernel_dontaudit_getattr_message_if(initrc_t)
>>  # cjp: not sure why these are here; should use mount policy
>>  kernel_list_unlabeled(initrc_t)
>>  kernel_mounton_unlabeled_dirs(initrc_t)
>>
>> +# plymouth
>> +kernel_stream_connect(initrc_t)
> 
> Plymouth has a domain, so this seems unnecessary.

Plymouthd is running from initramfs before policy is loaded. So once the
policy gets loaded and root is switched the kernel isid kicks in and
associates kernel_t with the process

> 
>>  files_create_lock_dirs(initrc_t)
>>  files_pid_filetrans_lock_dir(initrc_t, "lock")
>>  files_read_kernel_symbol_table(initrc_t)
>> @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t)
>>  dev_getattr_all_chr_files(initrc_t)
>>  # Early devtmpfs
>>  dev_rw_generic_chr_files(initrc_t)
>> +# mcelog service
>> +dev_read_kmsg(initrc_t)
> 
> mcelog is a service, so it shouldn't be running in initrc_t.
> 
>>  domain_kill_all_domains(initrc_t)
>>  domain_signal_all_domains(initrc_t)
>> @@ -496,6 +502,8 @@ files_exec_etc_files(initrc_t)
>>  files_read_usr_files(initrc_t)
>>  files_manage_urandom_seed(initrc_t)
>>  files_manage_generic_spool(initrc_t)
>> +# manage the restorecond lock file
>> +files_manage_generic_locks(initrc_t)
> 
> initrc_t can already delete all locks.  Why does it need to create locks?
> 
> 
>>  # Mount and unmount file systems.
>>  # cjp: not sure why these are here; should use mount policy
>>  files_list_default(initrc_t)
>> @@ -532,10 +540,12 @@ storage_setattr_removable_dev(initrc_t)
>>
>>  term_use_all_terms(initrc_t)
>>  term_reset_tty_labels(initrc_t)
>> +term_unlink_bsd_ptys(initrc_t)
>>
>>  auth_rw_login_records(initrc_t)
>>  auth_setattr_login_records(initrc_t)
>>  auth_rw_lastlog(initrc_t)
>> +auth_manage_faillog(initrc_t)
>>  auth_read_pam_pid(initrc_t)
>>  auth_delete_pam_pid(initrc_t)
>>  auth_delete_pam_console_data(initrc_t)
>> @@ -831,12 +841,13 @@ optional_policy(`
>>  ')
>>
>>  optional_policy(`
>> -	dev_getattr_printer_dev(initrc_t)
>> -
>> +	cups_domtrans(initrc_t)
> 
> This should not be necessary, as cups is already an init_daemon_domain().
> 
>>  	cups_read_log(initrc_t)
>>  	cups_read_rw_config(initrc_t)
>>  #cups init script clears error log
>>  	cups_write_log(initrc_t)
>> +
>> +	dev_getattr_printer_dev(initrc_t)
>>  ')
>>
>>  optional_policy(`
>> @@ -900,6 +911,10 @@ optional_policy(`
>>  ')
>>
>>  optional_policy(`
>> +	iptables_read_config(initrc_t)
>> +')
>> +
>> +optional_policy(`
>>  	iscsi_stream_connect(initrc_t)
>>  	iscsi_read_lib_files(initrc_t)
>>  ')
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161230/86333304/attachment.bin