From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 30 Dec 2016 21:17:56 +0100
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To: <1483128957.3970.18.camel@trentalancia.net>
References: <1483051782.12123.10.camel@trentalancia.net>
	<c08dd357-9db1-d005-6e80-4234dd52c87d@ieee.org>
	<1483128957.3970.18.camel@trentalancia.net>
Message-ID: <06c9ca75-25b4-e864-bddd-5425a638121c@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/30/2016 09:15 PM, Guido Trentalancia via refpolicy wrote:
> On Fri, 30/12/2016 at 14.30 -0500, Chris PeBenito wrote:
>> On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote:
>>>
>>> Update the initrc_t domain policy in the init module with some
>>> missing permissions.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/kernel/terminal.if |   21 +++++++++++++++++++++
>>>  policy/modules/system/init.te     |   19 +++++++++++++++++--
>>>  2 files changed, 38 insertions(+), 2 deletions(-)
>>>
>>> diff -pru a/policy/modules/kernel/terminal.if
>>> b/policy/modules/kernel/terminal.if
>>> --- a/policy/modules/kernel/terminal.if	2016-12-27
>>> 22:41:00.664390360 +0100
>>> +++ b/policy/modules/kernel/terminal.if	2016-12-29
>>> 23:30:56.342306506 +0100
>>> @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',`
>>>
>>>  ########################################
>>>  ## <summary>
>>> +##	Unlink BSD-style pty device
>>> +##	nodes.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +## <rolecap/>
>>> +#
>>> +interface(`term_unlink_bsd_ptys',`
>>> +	gen_require(`
>>> +		type bsdpty_device_t;
>>> +	')
>>> +
>>> +	dev_list_all_dev_nodes($1)
>>> +	allow $1 bsdpty_device_t:chr_file { unlink };
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>>  ##	Get the attributes of all unallocated
>>>  ##	tty device nodes.
>>>  ## </summary>
>>> diff -pru a/policy/modules/system/init.te
>>> b/policy/modules/system/init.te
>>> --- a/policy/modules/system/init.te	2016-12-29
>>> 22:48:16.456818544 +0100
>>> +++ b/policy/modules/system/init.te	2016-12-29
>>> 23:44:28.212518135 +0100
> 
> [...]
> 
>>>  files_create_lock_dirs(initrc_t)
>>>  files_pid_filetrans_lock_dir(initrc_t, "lock")
>>>  files_read_kernel_symbol_table(initrc_t)
>>> @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t)
>>>  dev_getattr_all_chr_files(initrc_t)
>>>  # Early devtmpfs
>>>  dev_rw_generic_chr_files(initrc_t)
>>> +# mcelog service
>>> +dev_read_kmsg(initrc_t)
>>
>> mcelog is a service, so it shouldn't be running in initrc_t.
> 
> You see, unfortunately, the mcelog.init script, has a limitation in
> that sense because it checks that /dev/mcelog is readable otherwise it
> exits without starting the mcelog service.
> 
> It's not a bug strictly speaking, however, it causes such limitation in
> the security domain.

how about adding a:

dev_audit_read_access_kmsg()

allow ARG1 kmsg_dev_t:chr_file { getattr read };

> 
> Of course, mcelog then runs in its own domain...
> 
> Regards,
> 
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161230/1933dd40/attachment.bin