From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 19 Feb 2017 16:14:23 -0500
Subject: [refpolicy] [PATCH] dpkg related patches version 2
In-Reply-To: <20170216031858.ckyproc6ehwksody@athena.coker.com.au>
References: <20170216031858.ckyproc6ehwksody@athena.coker.com.au>
Message-ID: <4a3677ef-bddf-61a8-628b-feafcdfa2abb@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 02/15/17 22:18, Russell Coker via refpolicy wrote:
> Here is the latest version.
I've merged this but made some interface renames and moved a few lines
around.
> Index: refpolicy-2.20170216/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170216/policy/modules/contrib/dpkg.te
> @@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
> domain_interactive_fd(dpkg_script_t)
> role dpkg_roles types dpkg_script_t;
>
> +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
> +domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
> +
> type dpkg_script_tmp_t;
> files_tmp_file(dpkg_script_tmp_t)
>
> @@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
> kernel_read_system_state(dpkg_t)
> kernel_read_kernel_sysctls(dpkg_t)
>
> -corecmd_exec_all_executables(dpkg_t)
> -
> corenet_all_recvfrom_unlabeled(dpkg_t)
> corenet_all_recvfrom_netlabel(dpkg_t)
> corenet_tcp_sendrecv_generic_if(dpkg_t)
> @@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)
>
> userdom_use_user_terminals(dpkg_t)
> userdom_use_unpriv_users_fds(dpkg_t)
> +userdom_use_all_users_fds(dpkg_t)
>
> dpkg_domtrans_script(dpkg_t)
>
> @@ -176,18 +178,10 @@ optional_policy(`
> unconfined_domain(dpkg_t)
> ')
>
> -# TODO: the following was copied from dpkg_script_t, and could probably
> -# be removed again when dpkg_script_t is actually used...
> -domain_signal_all_domains(dpkg_t)
> -domain_signull_all_domains(dpkg_t)
> -files_read_etc_runtime_files(dpkg_t)
> -files_exec_usr_files(dpkg_t)
> -miscfiles_read_localization(dpkg_t)
> -modutils_run_depmod(dpkg_t, dpkg_roles)
> -modutils_run_insmod(dpkg_t, dpkg_roles)
> -seutil_run_loadpolicy(dpkg_t, dpkg_roles)
> -seutil_run_setfiles(dpkg_t, dpkg_roles)
> -userdom_use_all_users_fds(dpkg_t)
> +optional_policy(`
> + modutils_run_depmod(dpkg_t, dpkg_roles)
> + modutils_run_insmod(dpkg_t, dpkg_roles)
> +')
>
> optional_policy(`
> mta_send_mail(dpkg_t)
> @@ -202,8 +196,8 @@ optional_policy(`
> # Script Local policy
> #
>
> -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
> -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> +allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
> +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
> allow dpkg_script_t self:fd use;
> allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
> allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
> @@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_
> allow dpkg_script_t self:sem create_sem_perms;
> allow dpkg_script_t self:msgq create_msgq_perms;
> allow dpkg_script_t self:msg { send receive };
> +allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
> +allow dpkg_script_t self:udp_socket create_socket_perms;
>
> allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
>
> @@ -231,8 +227,10 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s
> kernel_read_kernel_sysctls(dpkg_script_t)
> kernel_read_system_state(dpkg_script_t)
>
> +auth_manage_shadow(dpkg_script_t)
> corecmd_exec_all_executables(dpkg_script_t)
>
> +dev_manage_null_service(dpkg_script_t)
> dev_list_sysfs(dpkg_script_t)
> # Use named file transition to fix this
> # dev_manage_generic_blk_files(dpkg_script_t)
> @@ -267,17 +265,26 @@ selinux_compute_access_vector(dpkg_scrip
> selinux_compute_create_context(dpkg_script_t)
> selinux_compute_relabel_context(dpkg_script_t)
> selinux_compute_user_contexts(dpkg_script_t)
> +selinux_read_policy(dpkg_script_t)
>
> storage_raw_read_fixed_disk(dpkg_script_t)
> storage_raw_write_fixed_disk(dpkg_script_t)
>
> term_use_all_terms(dpkg_script_t)
>
> -auth_dontaudit_getattr_shadow(dpkg_script_t)
> files_manage_non_auth_files(dpkg_script_t)
>
> init_all_labeled_script_domtrans(dpkg_script_t)
> +init_get_generic_units_status(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> +init_status(dpkg_script_t)
> +init_start_generic_units(dpkg_script_t)
> +init_stop_generic_units(dpkg_script_t)
> +init_reload(dpkg_script_t)
> +init_system_stop(dpkg_script_t)
> +init_telinit(dpkg_script_t)
> +initrc_manage_service(dpkg_script_t)
> +init_restart_script_service(dpkg_script_t)
>
> libs_exec_ld_so(dpkg_script_t)
> libs_exec_lib_files(dpkg_script_t)
> @@ -287,13 +294,11 @@ logging_send_syslog_msg(dpkg_script_t)
>
> miscfiles_read_localization(dpkg_script_t)
>
> -modutils_run_depmod(dpkg_script_t, dpkg_roles)
> -modutils_run_insmod(dpkg_script_t, dpkg_roles)
> -
> seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
> seutil_run_setfiles(dpkg_script_t, dpkg_roles)
>
> userdom_use_all_users_fds(dpkg_script_t)
> +usermanage_run_passwd(dpkg_script_t, sysadm_r)
>
> tunable_policy(`allow_execmem',`
> allow dpkg_script_t self:process execmem;
> @@ -309,6 +314,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modutils_run_depmod(dpkg_script_t, dpkg_roles)
> + modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +')
> +
> +optional_policy(`
> mta_send_mail(dpkg_script_t)
> ')
>
> @@ -317,6 +327,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_read_logind_state(dpkg_script_t)
> + systemd_dbus_chat_logind(dpkg_script_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(dpkg_script_t)
> ')
>
> Index: refpolicy-2.20170216/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20170216/policy/modules/admin/bootloader.te
> @@ -149,6 +149,11 @@ ifdef(`distro_debian',`
> fstools_relabelto_entry_files(bootloader_t)
>
> libs_relabelto_lib_files(bootloader_t)
> +
> + # for apt-cache
> + dpkg_read_db(bootloader_t)
> + apt_read_db(bootloader_t)
> + apt_read_cache(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> Index: refpolicy-2.20170216/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170216/policy/modules/system/init.if
> @@ -809,6 +809,42 @@ interface(`init_udp_send',`
>
> ########################################
> ##
> +## start service (systemd).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_system_start',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system start;
> +')
> +
> +########################################
> +##
> +## stop service (systemd).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_system_stop',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system stop;
> +')
> +
> +########################################
> +##
> ## Get all service status (systemd).
> ##
> ##
> @@ -2514,3 +2550,58 @@ interface(`init_reload_all_units',`
>
> allow $1 systemdunit:service reload;
> ')
> +
> +########################################
> +##
> +## Start and stop init_script_file_type services
> +##
> +##
> +##
> +## domain that can start and stop the services
> +##
> +##
> +#
> +interface(`init_restart_script_service',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + allow $1 init_script_file_type:service { start status stop };
> +')
> +
> +########################################
> +##
> +## Get the system status information from init
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_status',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system status;
> +')
> +
> +########################################
> +##
> +## Allow manage service for initrc_exec_t scripts
> +##
> +##
> +##
> +## Target domain
> +##
> +##
> +#
> +interface(`initrc_manage_service',`
> + gen_require(`
> + type initrc_exec_t;
> + class service { status start stop };
> + ')
> +
> + allow $1 initrc_exec_t:service { start stop status };
> +')
> Index: refpolicy-2.20170216/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170216/policy/modules/kernel/devices.if
> @@ -3260,6 +3260,26 @@ interface(`dev_create_null_dev',`
>
> ########################################
> ##
> +## Manage services with script type null_device_t for when
> +## /lib/systemd/system/something.service is a link to /dev/null
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_manage_null_service',`
> + gen_require(`
> + type null_device_t;
> + class service { status start stop reload };
> + ')
> +
> + allow $1 null_device_t:service { status start stop reload };
> +')
> +
> +########################################
> +##
> ## Do not audit attempts to get the attributes
> ## of the BIOS non-volatile RAM device.
> ##
> Index: refpolicy-2.20170216/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170216/policy/modules/system/systemd.if
> @@ -190,3 +190,22 @@ interface(`systemd_start_power_units',`
>
> allow $1 power_unit_t:service start;
> ')
> +
> +########################################
> +##
> +## Allow systemd_logind_t to read process state for cgroup file
> +##
> +##
> +##
> +## Domain systemd_logind_t may access.
> +##
> +##
> +#
> +interface(`systemd_read_logind_state',`
> + gen_require(`
> + type systemd_logind_t;
> + ')
> +
> + allow systemd_logind_t $1:dir list_dir_perms;
> + allow systemd_logind_t $1:file read_file_perms;
> +')
> Index: refpolicy-2.20170216/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170216/policy/modules/system/unconfined.if
> @@ -319,6 +319,23 @@ interface(`unconfined_run_to',`
>
> ########################################
> ##
> +## Allow the specified domain to be in the unconfined role
> +##
> +##
> +##
> +## Domain to permit in unconfined_r
> +##
> +##
> +#
> +interface(`permit_in_unconfined_r',`
> + gen_require(`
> + role unconfined_r;
> + ')
> + role unconfined_r types $1;
> +')
This hunk was dropped (it wasn't used anyway).
> +########################################
> +##
> ## Inherit file descriptors from the unconfined domain.
> ##
> ##
> Index: refpolicy-2.20170216/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170216/policy/modules/system/init.te
> @@ -277,8 +277,6 @@ ifdef(`init_systemd',`
>
> term_relabel_pty_dirs(init_t)
>
> - clock_read_adjtime(init_t)
> -
> logging_manage_pid_sockets(init_t)
> logging_send_audit_msgs(init_t)
> logging_relabelto_devlog_sock_files(init_t)
> @@ -289,6 +287,10 @@ ifdef(`init_systemd',`
> udev_create_kobject_uevent_sockets(init_t)
>
> optional_policy(`
> + clock_read_adjtime(init_t)
> + ')
> +
> + optional_policy(`
> systemd_relabelto_kmod_files(init_t)
> systemd_dbus_chat_logind(init_t)
> ')
> Index: refpolicy-2.20170216/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170216/policy/modules/system/userdomain.if
> @@ -674,6 +674,10 @@ template(`userdom_common_user_template',
> ')
>
> optional_policy(`
> + dpkg_read_db($1_t)
> + ')
> +
> + optional_policy(`
> hwloc_exec_dhwd($1_t)
> hwloc_read_runtime_files($1_t)
> ')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito