From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 18 Apr 2017 20:57:32 -0400
Subject: [refpolicy] [PATCH] bootloader
In-Reply-To: <20170417115453.cioe2lcm3zluqbyy@athena.coker.com.au>
References: <20170417115453.cioe2lcm3zluqbyy@athena.coker.com.au>
Message-ID: <ad773dd2-2cf6-ba54-d0d0-bcd33beedca9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/17/2017 07:54 AM, Russell Coker via refpolicy wrote:
> This patch adds a lot of policy that is needed to setup an initramfs and grub
> on Debian nowadays.
>
> Also changed a comment about ia64 to correctly mention EFI.

Merged with line moving and renaming.


> --- refpolicy-2.20170417.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20170417/policy/modules/admin/bootloader.te
> @@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
>  # bootloader local policy
>  #
>
> -allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio };
> +allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
>  allow bootloader_t self:process { signal_perms execmem };
>  allow bootloader_t self:fifo_file rw_fifo_file_perms;
>
> @@ -56,6 +56,7 @@ manage_lnk_files_pattern(bootloader_t, b
>  manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
>  manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
>  files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
> +allow bootloader_t bootloader_tmp_t:dir mounton;
>  # for tune2fs (cjp: ?)
>  files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
>
> @@ -65,10 +66,17 @@ kernel_read_system_state(bootloader_t)
>  kernel_read_software_raid_state(bootloader_t)
>  kernel_read_kernel_sysctls(bootloader_t)
>
> +# for grub-probe
> +kernel_request_load_module(bootloader_t)
> +
> +kernel_search_debugfs(bootloader_t)
> +kernel_setsched(bootloader_t)
> +
>  storage_raw_read_fixed_disk(bootloader_t)
>  storage_raw_write_fixed_disk(bootloader_t)
>  storage_raw_read_removable_device(bootloader_t)
>  storage_raw_write_removable_device(bootloader_t)
> +storage_rw_fuse(bootloader_t)
>
>  dev_getattr_all_chr_files(bootloader_t)
>  dev_getattr_all_blk_files(bootloader_t)
> @@ -82,7 +90,7 @@ dev_rw_nvram(bootloader_t)
>  fs_getattr_xattr_fs(bootloader_t)
>  fs_getattr_tmpfs(bootloader_t)
>  fs_read_tmpfs_symlinks(bootloader_t)
> -#Needed for ia64
> +#Needed for EFI
>  fs_manage_dos_files(bootloader_t)
>
>  mls_file_read_all_levels(bootloader_t)
> @@ -104,6 +112,7 @@ files_read_usr_src_files(bootloader_t)
>  files_read_usr_files(bootloader_t)
>  files_read_var_files(bootloader_t)
>  files_read_kernel_modules(bootloader_t)
> +files_search_mnt(bootloader_t)
>  # for nscd
>  files_dontaudit_search_pids(bootloader_t)
>  # for blkid.tab
> @@ -111,6 +120,16 @@ files_manage_etc_runtime_files(bootloade
>  files_etc_filetrans_etc_runtime(bootloader_t, file)
>  files_dontaudit_search_home(bootloader_t)
>
> +fs_mount_fusefs(bootloader_t)
> +fs_mount_xattr_fs(bootloader_t)
> +fs_mounton_fusefs(bootloader_t)
> +fs_read_fusefs_symlinks(bootloader_t)
> +fs_read_fusefs_files(bootloader_t)
> +fs_stat_fusefs(bootloader_t)
> +fs_unmount_fusefs(bootloader_t)
> +fs_unmount_xattr_fs(bootloader_t)
> +fstools_manage_run_files(bootloader_t)
> +
>  init_getattr_initctl(bootloader_t)
>  init_use_script_ptys(bootloader_t)
>  init_use_script_fds(bootloader_t)
> @@ -123,11 +142,14 @@ logging_send_syslog_msg(bootloader_t)
>  logging_rw_generic_logs(bootloader_t)
>
>  miscfiles_read_localization(bootloader_t)
> +mount_runtime_rw(bootloader_t)
>
>  seutil_read_bin_policy(bootloader_t)
>  seutil_read_loadpolicy(bootloader_t)
>  seutil_dontaudit_search_config(bootloader_t)
>
> +udev_read_pid_files(bootloader_t)
> +
>  userdom_use_user_terminals(bootloader_t)
>  userdom_dontaudit_search_user_home_dirs(bootloader_t)
>
> @@ -153,6 +175,7 @@ ifdef(`distro_debian',`
>  	apt_read_cache(bootloader_t)
>
>  	dpkg_read_db(bootloader_t)
> +	dpkg_rw_pipes(bootloader_t)
>  ')
>
>  ifdef(`distro_redhat',`
> --- refpolicy-2.20170417.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170417/policy/modules/kernel/filesystem.if
> @@ -1954,6 +1954,24 @@ interface(`fs_read_eventpollfs',`
>
>  ########################################
>  ## <summary>
> +##	stat a FUSE filesystem
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_stat_fusefs',`
> +	gen_require(`
> +		type fusefs_t;
> +	')
> +
> +	allow $1 fusefs_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Mount a FUSE filesystem.
>  ## </summary>
>  ## <param name="domain">
> --- refpolicy-2.20170417.orig/policy/modules/system/fstools.if
> +++ refpolicy-2.20170417/policy/modules/system/fstools.if
> @@ -172,3 +172,22 @@ interface(`fstools_getattr_swap_files',`
>
>  	allow $1 swapfile_t:file getattr;
>  ')
> +
> +########################################
> +## <summary>
> +##	manage fsadm_run_t files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fstools_manage_run_files',`
> +	gen_require(`
> +		type fsadm_run_t;
> +	')
> +
> +	allow $1 fsadm_run_t:dir rw_dir_perms;
> +	allow $1 fsadm_run_t:file manage_file_perms;
> +')
> --- refpolicy-2.20170417.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20170417/policy/modules/system/mount.if
> @@ -209,3 +209,40 @@ interface(`mount_rw_loopback_files',`
>
>  	allow $1 mount_loopback_t:file rw_file_perms;
>  ')
> +
> +########################################
> +## <summary>
> +##	Getattr on mount_runtime_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`stat_mount_var_run',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
> +##	rw mount_runtime_t files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mount_runtime_rw',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:dir search;
> +	allow $1 mount_runtime_t:file rw_file_perms;
> +')


-- 
Chris PeBenito