From: dac.override@gmail.com (Dominick Grift) Date: Fri, 30 Dec 2016 21:01:22 +0100 Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy In-Reply-To: References: <1483051782.12123.10.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/30/2016 08:30 PM, Chris PeBenito via refpolicy wrote: > On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote: >> Update the initrc_t domain policy in the init module with some >> missing permissions. >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/kernel/terminal.if | 21 +++++++++++++++++++++ >> policy/modules/system/init.te | 19 +++++++++++++++++-- >> 2 files changed, 38 insertions(+), 2 deletions(-) >> >> diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if >> --- a/policy/modules/kernel/terminal.if 2016-12-27 22:41:00.664390360 +0100 >> +++ b/policy/modules/kernel/terminal.if 2016-12-29 23:30:56.342306506 +0100 >> @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',` >> >> ######################################## >> ## >> +## Unlink BSD-style pty device >> +## nodes. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +## >> +# >> +interface(`term_unlink_bsd_ptys',` >> + gen_require(` >> + type bsdpty_device_t; >> + ') >> + >> + dev_list_all_dev_nodes($1) >> + allow $1 bsdpty_device_t:chr_file { unlink }; >> +') >> + >> +######################################## >> +## >> ## Get the attributes of all unallocated >> ## tty device nodes. >> ## >> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te >> --- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100 >> +++ b/policy/modules/system/init.te 2016-12-29 23:44:28.212518135 +0100 
>> @@ -415,12 +415,16 @@ kernel_clear_ring_buffer(initrc_t) >> kernel_get_sysvipc_info(initrc_t) >> kernel_read_all_sysctls(initrc_t) >> kernel_rw_all_sysctls(initrc_t) >> +kernel_use_fds(initrc_t) >> # for lsof which is used by alsa shutdown: >> kernel_dontaudit_getattr_message_if(initrc_t) >> # cjp: not sure why these are here; should use mount policy >> kernel_list_unlabeled(initrc_t) >> kernel_mounton_unlabeled_dirs(initrc_t) >> >> +# plymouth >> +kernel_stream_connect(initrc_t) > > Plymouth has a domain, so this seems unnecessary. Plymouthd is running from initramfs before policy is loaded. So once the policy gets loaded and root is switched the kernel isid kicks in and associates kernel_t with the process > >> files_create_lock_dirs(initrc_t) >> files_pid_filetrans_lock_dir(initrc_t, "lock") >> files_read_kernel_symbol_table(initrc_t) >> @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t) >> dev_getattr_all_chr_files(initrc_t) >> # Early devtmpfs >> dev_rw_generic_chr_files(initrc_t) >> +# mcelog service >> +dev_read_kmsg(initrc_t) > > mcelog is a service, so it shouldn't be running in initrc_t. > >> domain_kill_all_domains(initrc_t) >> domain_signal_all_domains(initrc_t) >> @@ -496,6 +502,8 @@ files_exec_etc_files(initrc_t) >> files_read_usr_files(initrc_t) >> files_manage_urandom_seed(initrc_t) >> files_manage_generic_spool(initrc_t) >> +# manage the restorecond lock file >> +files_manage_generic_locks(initrc_t) > > initrc_t can already delete all locks. Why does it need to create locks? > > >> # Mount and unmount file systems. >> # cjp: not sure why these are here; should use mount policy >> files_list_default(initrc_t) 
>> @@ -532,10 +540,12 @@ storage_setattr_removable_dev(initrc_t) >> >> term_use_all_terms(initrc_t) >> term_reset_tty_labels(initrc_t) >> +term_unlink_bsd_ptys(initrc_t) >> >> auth_rw_login_records(initrc_t) >> auth_setattr_login_records(initrc_t) >> auth_rw_lastlog(initrc_t) >> +auth_manage_faillog(initrc_t) >> auth_read_pam_pid(initrc_t) >> auth_delete_pam_pid(initrc_t) >> auth_delete_pam_console_data(initrc_t) >> @@ -831,12 +841,13 @@ optional_policy(` >> ') >> >> optional_policy(` >> - dev_getattr_printer_dev(initrc_t) >> - >> + cups_domtrans(initrc_t) > > This should not be necessary, as cups is already an init_daemon_domain(). > >> cups_read_log(initrc_t) >> cups_read_rw_config(initrc_t) >> #cups init script clears error log >> cups_write_log(initrc_t) >> + >> + dev_getattr_printer_dev(initrc_t) >> ') >> >> optional_policy(` >> @@ -900,6 +911,10 @@ optional_policy(` >> ') >> >> optional_policy(` >> + iptables_read_config(initrc_t) >> +') >> + >> +optional_policy(` >> iscsi_stream_connect(initrc_t) >> iscsi_read_lib_files(initrc_t) >> ') > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
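
Review bot: in the new term_unlink_bsd_ptys() interface in terminal.if, the directory side of the unlink is missing. Removing a device node also needs write and remove_name on the containing directory, but the interface only calls dev_list_all_dev_nodes($1) before `allow $1 bsdpty_device_t:chr_file { unlink };`. Grant the directory permissions here so the interface is self-contained rather than relying on the caller getting them elsewhere. Two style points in the same hunk: the braces around a single permission can go, and the other interfaces visible in this patch call this operation "delete" (auth_delete_pam_pid), so term_delete_bsd_ptys would be the consistent name.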
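
Review bot: in the init.te hunk at -415, the `# plymouth` comment above kernel_stream_connect(initrc_t) does not say why initrc_t has to talk to the kernel domain, and kernel_use_fds(initrc_t) has no comment at all. Per the reply in this thread, plymouthd is started from the initramfs before policy is loaded and ends up associated with kernel_t; put that in the comment, and state whether kernel_use_fds is needed for the same reason, so neither rule reads as a general grant towards the kernel domain.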
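
Review bot: in the init.te hunk at -532, term_unlink_bsd_ptys(initrc_t) and auth_manage_faillog(initrc_t) are added with no comment naming the init script or operation that needs them, unlike the mcelog and restorecond additions earlier in the patch. auth_manage_faillog is also broader than the rw and setattr interfaces used for the login records and lastlog on the neighbouring lines; say which operation needs create or delete on the faillog, or use a narrower interface.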
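
Review bot: in the cups optional_policy block (init.te hunk at -831), moving dev_getattr_printer_dev(initrc_t) from the top of the block to the bottom is a pure reordering mixed into a functional patch. Drop the move or send it separately, so that the only change in this block is the cups_domtrans(initrc_t) line already questioned above.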
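
Review bot: in the init.te hunk at -900, the new optional_policy block with iptables_read_config(initrc_t) carries no comment on which init script reads the iptables configuration. Add a one-line comment above the call, as the patch does for the mcelog and restorecond additions, so the grant can be checked against the script that needs it.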