From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 02 Jan 2017 19:26:21 +0100
Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run
	sysvinit without the dangerous unconfined_domain() call")
In-Reply-To: <14934c9b-bcc7-c478-cb40-dc1b4c8f89ff@gmail.com>
References: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it>
	<20161227233846.6ed0ebf0@gentp.lnet>
	<1320659434.14525.1482879298312.JavaMail.open-xchange@popper05.register.it>
	<20161228000230.798bf64d@gentp.lnet>
	<1482957927.2738.12.camel@trentalancia.net>
	<e65513a4-1751-6eaa-0b7f-23ae8d7e835e@ieee.org>
	<1483132224.2893.5.camel@trentalancia.net>
	<1483206152.10088.0.camel@trentalancia.net>
	<5a7244c9-b526-df0d-468b-693716e3122b@ieee.org>
	<9856E0D6-B2D2-4534-922E-F550EE594D44@trentalancia.net>
	<14934c9b-bcc7-c478-cb40-dc1b4c8f89ff@gmail.com>
Message-ID: <9EAA313B-0A8D-4B17-B227-3BD841B5BBCB@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On systems using initramfs and sysvinit that is a bug in refpolicy due to the missing selinux_get_fs_mount(init_t).

Regards, 

Guido 

On the 02nd of January 2017 19:19:22 CET, Dominick Grift via refpolicy <refpolicy@oss.tresys.com> wrote:
>On 01/02/2017 07:05 PM, Guido Trentalancia via refpolicy wrote:
>> On systems using sysvinit and not using initramfs, the init daemon
>from sysvinit needs to load the policy or it aborts the system
>initalization! 
>
>How does that work? The policy is obviously already loaded because else
>you would not need this permission. So it is "re-loading" the policy?
>
>Allowing init to load_policy is not a good idea IMHO
>
>> 
>> The call to selinux_init_load_policy is in the latest sysvinit source
>code at src/init.c.
>> 
>> Regards, 
>> 
>> Guido 
>> 
>> On the 02nd of January 2017 18:55:07 CET, Chris PeBenito
><pebenito@ieee.org> wrote:
>>> On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>>> Hello again.
>>>>
>>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>>> wrote:
>>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>>
>>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>>
>>>>>>>
>>>>>>> Originally the aim of this patch was to start securing the init
>>>>>>> module so that it could run in confined mode instead of in the
>>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>>> the call to unconfined_domain().
>>>>>>>
>>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>>> the moment, still gets added to the configuration file during
>>>>>>> "make conf").
>>>>>>>
>>>>>>> Currently, this second version of the patch no longer removes
>the
>>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>>> the system boot).
>>>>>>>
>>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>>>> ---
>>>>>>>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>>>>>>>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>>>>>>>  policy/modules/system/init.te    |    7 +++++++
>>>>>>>  3 files changed, 43 insertions(+)
>>>>
>>>> [...]
>>>>
>>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>>> b/policy/modules/system/init.te
>>>>>>> --- a/policy/modules/system/init.te	2016-12-22
>>>>>>> 23:12:47.784929729 +0100
>>>>>>> +++ b/policy/modules/system/init.te	2016-12-27
>>>>>>> 23:05:37.731451479 +0100
>>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>>>  # Modify utmp.
>>>>>>>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>>
>>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>>> +kernel_mount_proc(init_t)
>>>>>>>  kernel_read_system_state(init_t)
>>>>>>>  kernel_share_state(init_t)
>>>>>>>  kernel_dontaudit_search_unlabeled(init_t)
>>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>>>  corecmd_exec_chroot(init_t)
>>>>>>>  corecmd_exec_bin(init_t)
>>>>>>>
>>>>>>> +dev_mounton_sysfs(init_t)
>>>>>>> +dev_mount_sysfs(init_t)
>>>>>>>  dev_read_sysfs(init_t)
>>>>>>>  # Early devtmpfs
>>>>>>>  dev_rw_generic_chr_files(init_t)
>>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>>>  files_dontaudit_rw_root_files(init_t)
>>>>>>>  files_dontaudit_rw_root_chr_files(init_t)
>>>>>>>
>>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>>>  fs_list_inotifyfs(init_t)
>>>>>>>  # cjp: this may be related to /dev/log
>>>>>>>  fs_write_ramfs_sockets(init_t)
>>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>>>  mls_process_write_all_levels(init_t)
>>>>>>>  mls_fd_use_all_levels(init_t)
>>>>>>>
>>>>>>> +selinux_load_policy(init_t)
>>>>>>> +selinux_mount_fs(init_t)
>>>>>>>  selinux_set_all_booleans(init_t)
>>>>>>>
>>>>>>>  term_use_all_terms(init_t)
>>>>>>
>>>>>> I'm not clear why this is necessary.  Sysvinit should only be
>>>>>> loading
>>>>>> the policy if is not loaded yet, so these permissions should be
>>>>>> unnecessary.
>>>>>
>>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>>
>>>>> Perhaps, it is possible to get rid of the other similar permission
>>> in
>>>>> the kernel module, but surely not here, otherwise the system won't
>>>>> boot
>>>>>  !
>>>>
>>>> How about this patch ?
>>>>
>>>> The selinux_load_policy() permission is absolutely necessary for
>the
>>>> init_t domain, when using sysvinit.
>>>
>>> I still run sysvinit systems.  It isn't.
>> 
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>