From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 30 Dec 2016 21:17:56 +0100
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To: <1483128957.3970.18.camel@trentalancia.net>
References: <1483051782.12123.10.camel@trentalancia.net> <1483128957.3970.18.camel@trentalancia.net>
Message-ID: <06c9ca75-25b4-e864-bddd-5425a638121c@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/30/2016 09:15 PM, Guido Trentalancia via refpolicy wrote:
> On Fri, 30/12/2016 at 14.30 -0500, Chris PeBenito wrote:
>> On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote:
>>>
>>> Update the initrc_t domain policy in the init module with some
>>> missing permissions.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>> policy/modules/kernel/terminal.if | 21 +++++++++++++++++++++
>>> policy/modules/system/init.te | 19 +++++++++++++++++--
>>> 2 files changed, 38 insertions(+), 2 deletions(-)
>>>
>>> diff -pru a/policy/modules/kernel/terminal.if >>> b/policy/modules/kernel/terminal.if >>> --- a/policy/modules/kernel/terminal.if 2016-12-27 >>> 22:41:00.664390360 +0100 >>> +++ b/policy/modules/kernel/terminal.if 2016-12-29 >>> 23:30:56.342306506 +0100 >>> @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',` >>> >>> ######################################## >>> ## >>> +## Unlink BSD-style pty device >>> +## nodes. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +# >>> +interface(`term_unlink_bsd_ptys',` >>> + gen_require(` >>> + type bsdpty_device_t; >>> + ') >>> + >>> + dev_list_all_dev_nodes($1) >>> + allow $1 bsdpty_device_t:chr_file { unlink }; >>> +') >>> + >>> +######################################## >>> +## >>> ## Get the attributes of all unallocated >>> ## tty device nodes. >>> ## >>> diff -pru a/policy/modules/system/init.te >>> b/policy/modules/system/init.te >>> --- a/policy/modules/system/init.te 2016-12-29 >>> 22:48:16.456818544 +0100
>>> +++ b/policy/modules/system/init.te 2016-12-29 >>> 23:44:28.212518135 +0100 > > [...] > >>> files_create_lock_dirs(initrc_t) >>> files_pid_filetrans_lock_dir(initrc_t, "lock") >>> files_read_kernel_symbol_table(initrc_t) >>> @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t) >>> dev_getattr_all_chr_files(initrc_t) >>> # Early devtmpfs >>> dev_rw_generic_chr_files(initrc_t) >>> +# mcelog service >>> +dev_read_kmsg(initrc_t)
>>
>> mcelog is a service, so it shouldn't be running in initrc_t.
>
> You see, unfortunately, the mcelog.init script, has a limitation in
> that sense because it checks that /dev/mcelog is readable otherwise it
> exits without starting the mcelog service.
>
> It's not a bug strictly speaking, however, it causes such limitation in
> the security domain.

how about adding a:

dev_audit_read_access_kmsg()
allow ARG1 kmsg_dev_t:chr_file { getattr read };

>
> Of course, mcelog then runs in its own domain...
>
> Regards,
>
> Guido
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
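
Review bot: In term_unlink_bsd_ptys (terminal.if hunk), the only directory access granted is dev_list_all_dev_nodes($1), yet removing a device node also needs write and remove_name on the directory that holds it. Going by its name, that interface covers listing only, so a caller would still be denied the unlink unless it obtains the directory permissions elsewhere. Either grant them in this interface or state in its description that the caller must already be able to remove entries from the device directory. As a style point, the braces around the single permission in `allow $1 bsdpty_device_t:chr_file { unlink };` can be dropped.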
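
Review bot: The comment `# mcelog service` above the added `dev_read_kmsg(initrc_t)` (init.te hunk at -462) names the wrong consumer. Per the thread, it is the mcelog init script running in initrc_t that tests whether /dev/mcelog is readable, while the service itself runs in its own domain. Reword the comment to name the init script and its readability test so the reason initrc_t gets read access to the kmsg device stays on record, and check whether a grant narrower than full read would satisfy that test.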