From: guido@trentalancia.net (Guido Trentalancia) Date: Fri, 30 Dec 2016 21:15:57 +0100 Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy In-Reply-To: References: <1483051782.12123.10.camel@trentalancia.net> Message-ID: <1483128957.3970.18.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 30/12/2016 at 14.30 -0500, Chris PeBenito wrote: > On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote: > > > > Update the initrc_t domain policy in the init module with some > > missing permissions. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/kernel/terminal.if |???21 +++++++++++++++++++++ > > ?policy/modules/system/init.te?????|???19 +++++++++++++++++-- > > ?2 files changed, 38 insertions(+), 2 deletions(-) > > > > diff -pru a/policy/modules/kernel/terminal.if > > b/policy/modules/kernel/terminal.if > > --- a/policy/modules/kernel/terminal.if 2016-12-27 > > 22:41:00.664390360 +0100 > > +++ b/policy/modules/kernel/terminal.if 2016-12-29 > > 23:30:56.342306506 +0100 > > @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',` > > > > ?######################################## > > ?## > > +## Unlink BSD-style pty device > > +## nodes. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +# > > +interface(`term_unlink_bsd_ptys',` > > + gen_require(` > > + type bsdpty_device_t; > > + ') > > + > > + dev_list_all_dev_nodes($1) > > + allow $1 bsdpty_device_t:chr_file { unlink }; > > +') > > + > > +######################################## > > +## > > ?## Get the attributes of all unallocated > > ?## tty device nodes. > > ?## > > diff -pru a/policy/modules/system/init.te > > b/policy/modules/system/init.te > > --- a/policy/modules/system/init.te 2016-12-29 > > 22:48:16.456818544 +0100 
> > +++ b/policy/modules/system/init.te 2016-12-29 > > 23:44:28.212518135 +0100 [...] > > ?files_create_lock_dirs(initrc_t) > > ?files_pid_filetrans_lock_dir(initrc_t, "lock") > > ?files_read_kernel_symbol_table(initrc_t) > > @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t) > > ?dev_getattr_all_chr_files(initrc_t) > > ?# Early devtmpfs > > ?dev_rw_generic_chr_files(initrc_t) > > +# mcelog service > > +dev_read_kmsg(initrc_t)

> > mcelog is a service, so it shouldn't be running in initrc_t.

You see, unfortunately, the mcelog.init script has a limitation in that sense because it checks that /dev/mcelog is readable, otherwise it exits without starting the mcelog service. It's not a bug strictly speaking; however, it causes such a limitation in the security domain. Of course, mcelog then runs in its own domain...

Regards,

Guido
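Review bot: in the `term_unlink_bsd_ptys` hunk, `dev_list_all_dev_nodes($1)` together with `allow $1 bsdpty_device_t:chr_file { unlink };` is not sufficient to remove a node: unlinking also requires `remove_name` (and `write`) on the directory that holds the node, and a list interface does not grant that, so a caller that gets the directory permission from nowhere else will still be denied on the device directory. Either grant the directory permission inside the interface or document that the caller must already have it. Two style points while here: a single permission is written without braces (`allow $1 bsdpty_device_t:chr_file unlink;`), and refpolicy's existing removal interfaces are named with `delete` (the `dev_delete_*` family), so `term_delete_bsd_ptys` would match the established naming.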
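Review bot: `dev_read_kmsg(initrc_t)` under `# mcelog service` grants every init script read access to kmsg device nodes to satisfy one script's start-up test, not a need of initrc_t itself, so the comment should state the real reason (as the reply in this thread explains, mcelog.init exits unless /dev/mcelog is readable). A narrower fix is to change that script to test for existence rather than readability: a `-e` test only needs `getattr` on the node, which initrc_t already has from the context line `dev_getattr_all_chr_files(initrc_t)`, and the daemon can then fail in its own domain if the device turns out to be unusable.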