From: guido@trentalancia.net (Guido Trentalancia) Date: Fri, 30 Dec 2016 21:09:16 +0100 Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy In-Reply-To: References: <1483051782.12123.10.camel@trentalancia.net> Message-ID: <1483128556.3970.14.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 30/12/2016 at 21.01 +0100, Dominick Grift via refpolicy wrote: > On 12/30/2016 08:30 PM, Chris PeBenito via refpolicy wrote: > > > > On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote: > > > > > > Update the initrc_t domain policy in the init module with some > > > missing permissions. > > > > > > Signed-off-by: Guido Trentalancia > > > --- > > > ?policy/modules/kernel/terminal.if |???21 +++++++++++++++++++++ > > > ?policy/modules/system/init.te?????|???19 +++++++++++++++++-- > > > ?2 files changed, 38 insertions(+), 2 deletions(-) > > > > > > diff -pru a/policy/modules/kernel/terminal.if > > > b/policy/modules/kernel/terminal.if > > > --- a/policy/modules/kernel/terminal.if 2016-12-27 > > > 22:41:00.664390360 +0100 > > > +++ b/policy/modules/kernel/terminal.if 2016-12-29 > > > 23:30:56.342306506 +0100 > > > @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',` > > > > > > ?######################################## > > > ?## > > > +## Unlink BSD-style pty device > > > +## nodes. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +## > > > +# > > > +interface(`term_unlink_bsd_ptys',` > > > + gen_require(` > > > + type bsdpty_device_t; > > > + ') > > > + > > > + dev_list_all_dev_nodes($1) > > > + allow $1 bsdpty_device_t:chr_file { unlink }; > > > +') > > > + > > > +######################################## > > > +## > > > ?## Get the attributes of all unallocated > > > ?## tty device nodes. > > > ?## > > > diff -pru a/policy/modules/system/init.te > > > b/policy/modules/system/init.te > > > --- a/policy/modules/system/init.te 2016-12-29 > > > 22:48:16.456818544 +0100 
> > > +++ b/policy/modules/system/init.te 2016-12-29 > > > 23:44:28.212518135 +0100 > > > @@ -415,12 +415,16 @@ kernel_clear_ring_buffer(initrc_t) > > > ?kernel_get_sysvipc_info(initrc_t) > > > ?kernel_read_all_sysctls(initrc_t) > > > ?kernel_rw_all_sysctls(initrc_t) > > > +kernel_use_fds(initrc_t) > > > ?# for lsof which is used by alsa shutdown: > > > ?kernel_dontaudit_getattr_message_if(initrc_t) > > > ?# cjp: not sure why these are here; should use mount policy > > > ?kernel_list_unlabeled(initrc_t) > > > ?kernel_mounton_unlabeled_dirs(initrc_t) > > > > > > +# plymouth > > > +kernel_stream_connect(initrc_t) > > > > Plymouth has a domain, so this seems unnecessary. > > Plymouthd is running from initramfs before policy is loaded. So once > the > policy gets loaded and root is switched the kernel isid kicks in and > associates kernel_t with the process Yes, I confirm. Plymouthd is running in the kernel_t domain because it is started before the policy is loaded. > > > ?files_create_lock_dirs(initrc_t) > > > ?files_pid_filetrans_lock_dir(initrc_t, "lock") > > > ?files_read_kernel_symbol_table(initrc_t) > > > @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t) > > > ?dev_getattr_all_chr_files(initrc_t) > > > ?# Early devtmpfs > > > ?dev_rw_generic_chr_files(initrc_t) > > > +# mcelog service > > > +dev_read_kmsg(initrc_t) > > > > mcelog is a service, so it shouldn't be running in initrc_t. > > > > > > > > ?domain_kill_all_domains(initrc_t) > > > ?domain_signal_all_domains(initrc_t) 
> > > @@ -496,6 +502,8 @@ files_exec_etc_files(initrc_t) > > > ?files_read_usr_files(initrc_t) > > > ?files_manage_urandom_seed(initrc_t) > > > ?files_manage_generic_spool(initrc_t) > > > +# manage the restorecond lock file > > > +files_manage_generic_locks(initrc_t) > > > > initrc_t can already delete all locks.??Why does it need to create > > locks? > > > > > > > > > > ?# Mount and unmount file systems. > > > ?# cjp: not sure why these are here; should use mount policy > > > ?files_list_default(initrc_t) > > > @@ -532,10 +540,12 @@ storage_setattr_removable_dev(initrc_t) > > > > > > ?term_use_all_terms(initrc_t) > > > ?term_reset_tty_labels(initrc_t) > > > +term_unlink_bsd_ptys(initrc_t) > > > > > > ?auth_rw_login_records(initrc_t) > > > ?auth_setattr_login_records(initrc_t) > > > ?auth_rw_lastlog(initrc_t) > > > +auth_manage_faillog(initrc_t) > > > ?auth_read_pam_pid(initrc_t) > > > ?auth_delete_pam_pid(initrc_t) > > > ?auth_delete_pam_console_data(initrc_t) > > > @@ -831,12 +841,13 @@ optional_policy(` > > > ?') > > > > > > ?optional_policy(` > > > - dev_getattr_printer_dev(initrc_t) > > > - > > > + cups_domtrans(initrc_t) > > > > This should not be necessary, as cups is already an > > init_daemon_domain(). > > > > > > > > ? cups_read_log(initrc_t) > > > ? cups_read_rw_config(initrc_t) > > > ?#cups init script clears error log > > > ? cups_write_log(initrc_t) > > > + > > > + dev_getattr_printer_dev(initrc_t) > > > ?') > > > > > > ?optional_policy(` > > > @@ -900,6 +911,10 @@ optional_policy(` > > > ?') > > > > > > ?optional_policy(` > > > + iptables_read_config(initrc_t) > > > +') > > > + > > > +optional_policy(` > > > ? iscsi_stream_connect(initrc_t) > > > ? iscsi_read_lib_files(initrc_t) > > > ?') Regards, Guido
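
Review bot: in the new term_unlink_bsd_ptys interface (terminal.if hunk at -1102), the only directory access granted is dev_list_all_dev_nodes($1), which judging by its name covers listing only. Removing a device node also needs write and remove_name on the directory that holds it, so the interface does not let a caller unlink anything unless the caller already has that directory access from elsewhere. Either grant the directory permissions here or state in the interface description that the caller must already hold them. As a style point, a single permission does not need braces: `allow $1 bsdpty_device_t:chr_file unlink;`.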
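
Review bot: kernel_use_fds(initrc_t) in the init.te hunk at -415 is added with no comment, and the `# plymouth` comment above kernel_stream_connect(initrc_t) does not say why initrc_t has to connect to a kernel_t socket. Expand that comment to record the reason given in this thread (plymouthd is started from the initramfs before the policy is loaded, so it runs in kernel_t), and add a one-line justification for kernel_use_fds or drop it from this patch.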
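
Review bot: files_manage_generic_locks(initrc_t) in the init.te hunk at -496 grants management of every generic lock file, while the comment above it names a single file, the restorecond lock file. Say in the comment which operation on that file is being denied (create, write, delete), and prefer the narrowest existing interface that covers it over a blanket manage grant.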
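
Review bot: auth_manage_faillog(initrc_t) in the init.te hunk at -532 is a broader grant than its neighbours (auth_rw_login_records, auth_rw_lastlog) and carries no comment, and the same is true of term_unlink_bsd_ptys(initrc_t) a few lines above it. Add a comment to each naming the init script or boot step that needs the access, and if read/write on the faillog is enough, use an rw interface to match the surrounding rules.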
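
Review bot: the init.te hunk at -831 mixes a permission change with a reorder: dev_getattr_printer_dev(initrc_t) is only moved from the top of the cups optional_policy block to the bottom, which has no functional effect and makes the real change, the added cups_domtrans(initrc_t), harder to spot. Leave dev_getattr_printer_dev where it was, or send the reorder as a separate cleanup, and add a comment stating why initrc_t needs the cups transition.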