From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 02 Jan 2017 19:26:21 +0100 Subject: [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") In-Reply-To: <14934c9b-bcc7-c478-cb40-dc1b4c8f89ff@gmail.com> References: <1425370720.18751.1482877006863.JavaMail.open-xchange@popper10.register.it> <20161227233846.6ed0ebf0@gentp.lnet> <1320659434.14525.1482879298312.JavaMail.open-xchange@popper05.register.it> <20161228000230.798bf64d@gentp.lnet> <1482957927.2738.12.camel@trentalancia.net> <1483132224.2893.5.camel@trentalancia.net> <1483206152.10088.0.camel@trentalancia.net> <5a7244c9-b526-df0d-468b-693716e3122b@ieee.org> <9856E0D6-B2D2-4534-922E-F550EE594D44@trentalancia.net> <14934c9b-bcc7-c478-cb40-dc1b4c8f89ff@gmail.com> Message-ID: <9EAA313B-0A8D-4B17-B227-3BD841B5BBCB@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On systems using initramfs and sysvinit that is a bug in refpolicy due to the missing selinux_get_fs_mount(init_t). Regards, Guido On the 02nd of January 2017 19:19:22 CET, Dominick Grift via refpolicy wrote: >On 01/02/2017 07:05 PM, Guido Trentalancia via refpolicy wrote: >> On systems using sysvinit and not using initramfs, the init daemon >from sysvinit needs to load the policy or it aborts the system >initalization! > >How does that work? The policy is obviously already loaded because else >you would not need this permission. So it is "re-loading" the policy? > >Allowing init to load_policy is not a good idea IMHO > >> >> The call to selinux_init_load_policy is in the latest sysvinit source >code at src/init.c. >> >> Regards, >> >> Guido >> >> On the 02nd of January 2017 18:55:07 CET, Chris PeBenito > wrote: >>> On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote: >>>> Hello again. >>>> >>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy >>>> wrote: >>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote: >>>>>> >>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote: >>>>>>> >>>>>>> >>>>>>> Originally the aim of this patch was to start securing the init >>>>>>> module so that it could run in confined mode instead of in the >>>>>>> most unsafe unconfined mode and therefore the patch was removing >>>>>>> the call to unconfined_domain(). >>>>>>> >>>>>>> However, the removal of the unconfined_domain() call has been >>>>>>> rejected on the basis of the fact that it can be avoided by not >>>>>>> loading the "unconfined" policy module (which unfortunately at >>>>>>> the moment, still gets added to the configuration file during >>>>>>> "make conf"). >>>>>>> >>>>>>> Currently, this second version of the patch no longer removes >the >>>>>>> call to unconfined_domain() and it only adds permissions needed >>>>>>> by sysvinit (most notably the ability to load the policy during >>>>>>> the system boot). >>>>>>> >>>>>>> Signed-off-by: Guido Trentalancia >>>>>>> --- >>>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++ >>>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ >>>>>>> policy/modules/system/init.te | 7 +++++++ >>>>>>> 3 files changed, 43 insertions(+) >>>> >>>> [...] >>>> >>>>>>> diff -pru a/policy/modules/system/init.te >>>>>>> b/policy/modules/system/init.te >>>>>>> --- a/policy/modules/system/init.te 2016-12-22 >>>>>>> 23:12:47.784929729 +0100 >>>>>>> +++ b/policy/modules/system/init.te 2016-12-27 >>>>>>> 23:05:37.731451479 +0100 >>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi >>>>>>> # Modify utmp. >>>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr }; >>>>>>> >>>>>>> +kernel_mounton_proc_dirs(init_t) >>>>>>> +kernel_mount_proc(init_t) >>>>>>> kernel_read_system_state(init_t) >>>>>>> kernel_share_state(init_t) >>>>>>> kernel_dontaudit_search_unlabeled(init_t) >>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t >>>>>>> corecmd_exec_chroot(init_t) >>>>>>> corecmd_exec_bin(init_t) >>>>>>> >>>>>>> +dev_mounton_sysfs(init_t) >>>>>>> +dev_mount_sysfs(init_t) >>>>>>> dev_read_sysfs(init_t) >>>>>>> # Early devtmpfs >>>>>>> dev_rw_generic_chr_files(init_t) >>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t) >>>>>>> files_dontaudit_rw_root_files(init_t) >>>>>>> files_dontaudit_rw_root_chr_files(init_t) >>>>>>> >>>>>>> +fs_getattr_xattr_fs(init_t) >>>>>>> fs_list_inotifyfs(init_t) >>>>>>> # cjp: this may be related to /dev/log >>>>>>> fs_write_ramfs_sockets(init_t) >>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t) >>>>>>> mls_process_write_all_levels(init_t) >>>>>>> mls_fd_use_all_levels(init_t) >>>>>>> >>>>>>> +selinux_load_policy(init_t) >>>>>>> +selinux_mount_fs(init_t) >>>>>>> selinux_set_all_booleans(init_t) >>>>>>> >>>>>>> term_use_all_terms(init_t) >>>>>> >>>>>> I'm not clear why this is necessary. Sysvinit should only be >>>>>> loading >>>>>> the policy if is not loaded yet, so these permissions should be >>>>>> unnecessary. >>>>> >>>>> The init daemon absolutely needs to load the SELinux policy ! >>>>> >>>>> Perhaps, it is possible to get rid of the other similar permission >>> in >>>>> the kernel module, but surely not here, otherwise the system won't >>>>> boot >>>>> ! >>>> >>>> How about this patch ? >>>> >>>> The selinux_load_policy() permission is absolutely necessary for >the >>>> init_t domain, when using sysvinit. >>> >>> I still run sysvinit systems. It isn't. >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >>