From: dac.override@gmail.com (Dominick Grift) Date: Fri, 30 Dec 2016 21:12:10 +0100 Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy In-Reply-To: <1483128556.3970.14.camel@trentalancia.net> References: <1483051782.12123.10.camel@trentalancia.net> <1483128556.3970.14.camel@trentalancia.net> Message-ID: <4ec4885b-4406-0b74-fe06-2a70238cdcb0@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/30/2016 09:09 PM, Guido Trentalancia via refpolicy wrote: > On Fri, 30/12/2016 at 21.01 +0100, Dominick Grift via refpolicy wrote: >> On 12/30/2016 08:30 PM, Chris PeBenito via refpolicy wrote: >>> >>> On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote: >>>> >>>> Update the initrc_t domain policy in the init module with some >>>> missing permissions. >>>> >>>> Signed-off-by: Guido Trentalancia >>>> --- >>>> policy/modules/kernel/terminal.if | 21 +++++++++++++++++++++ >>>> policy/modules/system/init.te | 19 +++++++++++++++++-- >>>> 2 files changed, 38 insertions(+), 2 deletions(-) >>>> >>>> diff -pru a/policy/modules/kernel/terminal.if >>>> b/policy/modules/kernel/terminal.if >>>> --- a/policy/modules/kernel/terminal.if 2016-12-27 >>>> 22:41:00.664390360 +0100 >>>> +++ b/policy/modules/kernel/terminal.if 2016-12-29 >>>> 23:30:56.342306506 +0100 
>>>> @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',` >>>> >>>> ######################################## >>>> ## >>>> +## Unlink BSD-style pty device >>>> +## nodes. >>>> +## >>>> +## >>>> +## >>>> +## Domain allowed access. >>>> +## >>>> +## >>>> +## >>>> +# >>>> +interface(`term_unlink_bsd_ptys',` >>>> + gen_require(` >>>> + type bsdpty_device_t; >>>> + ') >>>> + >>>> + dev_list_all_dev_nodes($1) >>>> + allow $1 bsdpty_device_t:chr_file { unlink }; >>>> +') >>>> + >>>> +######################################## >>>> +## >>>> ## Get the attributes of all unallocated >>>> ## tty device nodes. >>>> ## >>>> diff -pru a/policy/modules/system/init.te >>>> b/policy/modules/system/init.te >>>> --- a/policy/modules/system/init.te 2016-12-29 >>>> 22:48:16.456818544 +0100 >>>> +++ b/policy/modules/system/init.te 2016-12-29 >>>> 23:44:28.212518135 +0100 
>>>> @@ -415,12 +415,16 @@ kernel_clear_ring_buffer(initrc_t) >>>> kernel_get_sysvipc_info(initrc_t) >>>> kernel_read_all_sysctls(initrc_t) >>>> kernel_rw_all_sysctls(initrc_t) >>>> +kernel_use_fds(initrc_t) >>>> # for lsof which is used by alsa shutdown: >>>> kernel_dontaudit_getattr_message_if(initrc_t) >>>> # cjp: not sure why these are here; should use mount policy >>>> kernel_list_unlabeled(initrc_t) >>>> kernel_mounton_unlabeled_dirs(initrc_t) >>>> >>>> +# plymouth >>>> +kernel_stream_connect(initrc_t) >>> >>> Plymouth has a domain, so this seems unnecessary. >> >> Plymouthd is running from initramfs before policy is loaded. So once >> the >> policy gets loaded and root is switched the kernel isid kicks in and >> associates kernel_t with the process > > Yes, I confirm. Plymouthd is running in the kernel_t domain because it > is started before the policy is loaded. > The question is then what is running in initrc_t in that event? is it the plymouth client stream connecting to plymouthd? is the plymouth client an init_system_domain()? >>>> files_create_lock_dirs(initrc_t) >>>> files_pid_filetrans_lock_dir(initrc_t, "lock") >>>> files_read_kernel_symbol_table(initrc_t) >>>> @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t) >>>> dev_getattr_all_chr_files(initrc_t) >>>> # Early devtmpfs >>>> dev_rw_generic_chr_files(initrc_t) >>>> +# mcelog service >>>> +dev_read_kmsg(initrc_t) >>> >>> mcelog is a service, so it shouldn't be running in initrc_t. >>> >>>> >>>> domain_kill_all_domains(initrc_t) >>>> domain_signal_all_domains(initrc_t) 
>>>> @@ -496,6 +502,8 @@ files_exec_etc_files(initrc_t) >>>> files_read_usr_files(initrc_t) >>>> files_manage_urandom_seed(initrc_t) >>>> files_manage_generic_spool(initrc_t) >>>> +# manage the restorecond lock file >>>> +files_manage_generic_locks(initrc_t) >>> >>> initrc_t can already delete all locks. Why does it need to create >>> locks? >>> >>> >>>> >>>> # Mount and unmount file systems. >>>> # cjp: not sure why these are here; should use mount policy >>>> files_list_default(initrc_t) >>>> @@ -532,10 +540,12 @@ storage_setattr_removable_dev(initrc_t) >>>> >>>> term_use_all_terms(initrc_t) >>>> term_reset_tty_labels(initrc_t) >>>> +term_unlink_bsd_ptys(initrc_t) >>>> >>>> auth_rw_login_records(initrc_t) >>>> auth_setattr_login_records(initrc_t) >>>> auth_rw_lastlog(initrc_t) >>>> +auth_manage_faillog(initrc_t) >>>> auth_read_pam_pid(initrc_t) >>>> auth_delete_pam_pid(initrc_t) >>>> auth_delete_pam_console_data(initrc_t) >>>> @@ -831,12 +841,13 @@ optional_policy(` >>>> ') >>>> >>>> optional_policy(` >>>> - dev_getattr_printer_dev(initrc_t) >>>> - >>>> + cups_domtrans(initrc_t) >>> >>> This should not be necessary, as cups is already an >>> init_daemon_domain(). >>> >>>> >>>> cups_read_log(initrc_t) >>>> cups_read_rw_config(initrc_t) >>>> #cups init script clears error log >>>> cups_write_log(initrc_t) >>>> + >>>> + dev_getattr_printer_dev(initrc_t) >>>> ') >>>> >>>> optional_policy(` 
>>>> @@ -900,6 +911,10 @@ optional_policy(` >>>> ') >>>> >>>> optional_policy(` >>>> + iptables_read_config(initrc_t) >>>> +') >>>> + >>>> +optional_policy(` >>>> iscsi_stream_connect(initrc_t) >>>> iscsi_read_lib_files(initrc_t) >>>> ') > > Regards, > > Guido > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
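Review bot: In the terminal.if hunk (@@ -1102), the new term_unlink_bsd_ptys() interface pairs the unlink rule with dev_list_all_dev_nodes($1), but listing a directory is not what unlink needs: removing a node under /dev requires search and remove_name on the containing device directory, which this interface does not grant, so a caller that only has this interface will still be denied. Either add the directory permission the operation actually needs or state in the interface description that the caller must already be able to remove names from device directories. The commit message ("some missing permissions") also gives no hint which program unlinks BSD ptys from initrc_t; a one-line comment at the call site in init.te would let reviewers judge whether initrc_t is the right domain for it.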
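Review bot: In the init.te hunk @@ -415, kernel_use_fds(initrc_t) is added with no comment, unlike the kernel_stream_connect(initrc_t) line that follows, so it is not clear which process inherits descriptors from kernel_t or whether that is the same early-boot plymouthd case discussed in this thread. As Dominick asks above, the stream connect should be justified by naming the initrc_t process that connects to plymouthd; if that is a plymouth client started by an init script, the fix may belong in the plymouth module (a transition for the client) rather than in a blanket rule on initrc_t.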
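Review bot: In the init.te hunk @@ -462, dev_read_kmsg(initrc_t) with the comment "mcelog service" grants every init script read access to the kernel message ring to satisfy one daemon; as Chris notes, mcelog is a service and refpolicy carries a separate mcelog module, so a denial in initrc_t indicates a missing domain transition for that daemon, and adding the permission to initrc_t would hide that bug instead of fixing it. Suggest dropping these two lines and checking why mcelog was not transitioned.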
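Review bot: In the init.te hunk @@ -496, files_manage_generic_locks(initrc_t) is broad (create, write and delete of all generic lock files) for the stated purpose of "manage the restorecond lock file"; per Chris's question, initrc_t can already delete locks, so the remaining need is creation, and a lock file owned by restorecond should get its own type via a file transition in the restorecond module rather than being created as a generic lock by init scripts. Please either name the script that creates the file and narrow the rule, or move the handling into the restorecond policy.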
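Review bot: In the init.te hunk @@ -532, both term_unlink_bsd_ptys(initrc_t) and auth_manage_faillog(initrc_t) are added without a comment saying which init script needs them, while the surrounding block is careful to justify unusual rules. auth_manage_faillog gives full create/write/delete on the faillog; if the use case is an init script creating an empty log file at boot, say so, and consider whether the existing auth_rw_lastlog-style access pattern (read/write only) is sufficient.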
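Review bot: In the init.te hunk @@ -831, cups_domtrans(initrc_t) should be dropped, as Chris points out: cups is already an init_daemon_domain(), which provides the transition from initrc_t, so the explicit domtrans is redundant. The same hunk also moves dev_getattr_printer_dev(initrc_t) from the top of the optional_policy block to the bottom; that reordering changes nothing functionally and only enlarges the diff, so keep the line where it was.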
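Review bot: In the init.te hunk @@ -900, the new optional_policy block for iptables_read_config(initrc_t) carries no comment explaining which script reads the iptables configuration from initrc_t; iptables has its own domain in refpolicy, so if the reader is the iptables binary itself the missing piece is a transition, not a read rule on initrc_t. Add a short justification comment, as the neighbouring blocks do, or move the access to the iptables module.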