From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 02 Jan 2017 01:04:39 +0100 Subject: [refpolicy] [PATCH v4] init: support sysvinit In-Reply-To: <1483213929.9440.0.camel@trentalancia.net> References: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it> <20161227233846.6ed0ebf0@gentp.lnet> <1320659434.14525.1482879298312.JavaMail.open-xchange@popper05.register.it> <20161228000230.798bf64d@gentp.lnet> <1482957927.2738.12.camel@trentalancia.net> <1483213929.9440.0.camel@trentalancia.net> Message-ID: <1483315479.3723.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Add permissions needed by sysvinit (most notably permissions to read and load the SELinux policy when not using the initramfs). Signed-off-by: Guido Trentalancia --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 14 ++++++++++++++ 3 files changed, 50 insertions(+) diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if --- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100 +++ b/policy/modules/kernel/devices.if 2017-01-02 00:53:06.394093456 +0100 @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',` ######################################## ## +## Mount a sysfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem mount; +') + +######################################## +## ## Associate a file to a sysfs filesystem. ## ## diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if --- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100 +++ b/policy/modules/kernel/kernel.if 2017-01-02 00:53:06.411094078 +0100 @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',` ######################################## ## +## Mount the proc filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem mount; +') + +######################################## +## ## Unmount the proc filesystem. ## ## diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te --- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100 +++ b/policy/modules/system/init.te 2017-01-02 01:00:14.377761326 +0100 @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi # Modify utmp. allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +kernel_mount_proc(init_t) +kernel_mounton_proc_dirs(init_t) kernel_read_system_state(init_t) kernel_share_state(init_t) kernel_dontaudit_search_unlabeled(init_t) @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) +dev_mount_sysfs(init_t) +dev_mounton_sysfs(init_t) dev_read_sysfs(init_t) # Early devtmpfs dev_rw_generic_chr_files(init_t) @@ -162,6 +166,7 @@ files_exec_etc_files(init_t) files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) +fs_getattr_xattr_fs(init_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -174,6 +179,13 @@ mls_file_write_all_levels(init_t) mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) +# the following one is needed for libselinux:is_selinux_enabled() +# otherwise the call fails and sysvinit tries to load the policy +# again +selinux_get_fs_mount(init_t) +# the following one is needed for sysvinit without initramfs +selinux_load_policy(init_t) +selinux_mount_fs(init_t) selinux_set_all_booleans(init_t) term_use_all_terms(init_t) @@ -186,6 +198,8 @@ libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) logging_rw_generic_logs(init_t) +# the following one is needed for sysvinit without initramfs +seutil_read_bin_policy(init_t) seutil_read_config(init_t) miscfiles_read_localization(init_t)