From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 21:53:03 +0100
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To: <1483128957.3970.18.camel@trentalancia.net>
References: <1483051782.12123.10.camel@trentalancia.net>
	<c08dd357-9db1-d005-6e80-4234dd52c87d@ieee.org>
	<1483128957.3970.18.camel@trentalancia.net>
Message-ID: <1483131183.2613.4.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 30/12/2016 at 21.15 +0100, Guido Trentalancia via refpolicy
wrote:
> On Fri, 30/12/2016 at 14.30 -0500, Chris PeBenito wrote:
> > 
> > On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote:
> > > 
> > > 
> > > Update the initrc_t domain policy in the init module with some
> > > missing permissions.
> > > 
> > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > > ---
> > > ?policy/modules/kernel/terminal.if |???21 +++++++++++++++++++++
> > > ?policy/modules/system/init.te?????|???19 +++++++++++++++++--
> > > ?2 files changed, 38 insertions(+), 2 deletions(-)
> > > 
> > > diff -pru a/policy/modules/kernel/terminal.if
> > > b/policy/modules/kernel/terminal.if
> > > --- a/policy/modules/kernel/terminal.if	2016-12-27
> > > 22:41:00.664390360 +0100
> > > +++ b/policy/modules/kernel/terminal.if	2016-12-29
> > > 23:30:56.342306506 +0100
> > > @@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',`
> > > 
> > > ?########################################
> > > ?## <summary>
> > > +##	Unlink BSD-style pty device
> > > +##	nodes.
> > > +## </summary>
> > > +## <param name="domain">
> > > +##	<summary>
> > > +##	Domain allowed access.
> > > +##	</summary>
> > > +## </param>
> > > +## <rolecap/>
> > > +#
> > > +interface(`term_unlink_bsd_ptys',`
> > > +	gen_require(`
> > > +		type bsdpty_device_t;
> > > +	')
> > > +
> > > +	dev_list_all_dev_nodes($1)
> > > +	allow $1 bsdpty_device_t:chr_file { unlink };
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > ?##	Get the attributes of all unallocated
> > > ?##	tty device nodes.
> > > ?## </summary>
> > > diff -pru a/policy/modules/system/init.te
> > > b/policy/modules/system/init.te
> > > --- a/policy/modules/system/init.te	2016-12-29
> > > 22:48:16.456818544 +0100
> > > +++ b/policy/modules/system/init.te	2016-12-29
> > > 23:44:28.212518135 +0100
> 
> [...]
> 
> > 
> > > 
> > > ?files_create_lock_dirs(initrc_t)
> > > ?files_pid_filetrans_lock_dir(initrc_t, "lock")
> > > ?files_read_kernel_symbol_table(initrc_t)
> > > @@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t)
> > > ?dev_getattr_all_chr_files(initrc_t)
> > > ?# Early devtmpfs
> > > ?dev_rw_generic_chr_files(initrc_t)
> > > +# mcelog service
> > > +dev_read_kmsg(initrc_t)
> > 
> > mcelog is a service, so it shouldn't be running in initrc_t.
> 
> You see, unfortunately, the mcelog.init script, has a limitation in
> that sense because it checks that /dev/mcelog is readable otherwise
> it
> exits without starting the mcelog service.
> 
> It's not a bug strictly speaking, however, it causes such limitation
> in
> the security domain.
> 
> Of course, mcelog then runs in its own domain...

Actually, the mcelog init script does not exit, however it prints an
(annoying and false) error message about /dev/mcelog not being active !

I think we'd better keep the dev_read_kmsg(initrc_t) permission,
although theoretically it could be removed.

Regards,

Guido