From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 18 Apr 2017 21:18:10 -0400
Subject: [refpolicy] [PATCH] kmod, lvm, brctl patches
In-Reply-To: <20170417121354.w3lrn7ua4zr6tumt@athena.coker.com.au>
References: <20170417121354.w3lrn7ua4zr6tumt@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 04/17/2017 08:13 AM, Russell Coker via refpolicy wrote:
> Patches for modutils, at least one of which is needed to generate an initramfs > > on Debian. > > > > Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts > > etc. > > > > Patch for brctl to allow it to create sysfs files.
Merged with some renaming.
> Index: refpolicy-2.20170417/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20170417/policy/modules/system/modutils.te
> @@ -89,6 +89,7 @@ files_read_etc_runtime_files(kmod_t)
> files_read_etc_files(kmod_t)
> files_read_usr_files(kmod_t)
> files_exec_etc_files(kmod_t)
> +files_search_tmp(kmod_t)
> # for nscd:
> files_dontaudit_search_pids(kmod_t)
> # to manage modules.dep
> @@ -127,6 +128,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dpkg_manage_script_tmp_files(kmod_t)
> +')
> +
> +optional_policy(`
> firstboot_dontaudit_rw_pipes(kmod_t)
> firstboot_dontaudit_rw_stream_sockets(kmod_t)
> ')
> @@ -140,6 +145,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + iptables_dontaudit_var_run(kmod_t)
> +')
> +
> +optional_policy(`
> mount_domtrans(kmod_t)
> ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.if
> +++ refpolicy-2.20170417/policy/modules/contrib/dpkg.if
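Review bot: The stand-alone `files_search_tmp(kmod_t)` added before the `# for nscd:` comment duplicates the `files_search_tmp($1)` that `dpkg_manage_script_tmp_files` already performs for its caller, so with the dpkg optional block at @@ -127 active kmod_t receives the rule twice, and without it the /tmp search is granted for no reason visible in the file. Either drop the base-policy call or give it a why-comment in the style of the neighbouring rules, e.g. `# search /tmp: [reason]`. The rule block continues outside the hunk, so an existing tmp-related rule further down cannot be ruled out from here.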
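Review bot: The new `iptables_dontaudit_var_run(kmod_t)` block at @@ -140 does not say which kmod invocation reads iptables_var_run_t, unlike the commented rules earlier in the file. A dontaudit permanently removes that denial from the audit log, so the justification should be recorded next to the rule rather than in the mailing-list thread, e.g. `# kmod started from iptables; read of its runtime files is benign - confirm`. If the access turns out to be a real need rather than noise, an allow via a read interface would be the honest rule instead of hiding the denial.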
> @@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',`
>
> ########################################
> ##
> +## access dpkg_script fifos
> ##
> ##
> ##
> +## Domain allowed access
> ##
> ##
> #
> interface(`dpkg_script_rw_fifo',`
> + gen_require(`
> + type dpkg_script_t;
> + ')
> +
> + allow $1 dpkg_script_t:fd use;
> + allow $1 dpkg_script_t:fifo_file rw_file_perms;
> +')
> +
> +########################################
> +##
> ## Execute dpkg programs in the dpkg domain.
> ##
> ##
> @@ -242,3 +261,23 @@ interface(`dpkg_lock_db',`
> allow $1 dpkg_var_lib_t:dir list_dir_perms;
> allow $1 dpkg_lock_t:file manage_file_perms;
> ')
> +
> +########################################
> +##
> +## manage dpkg_script_tmp_t files and dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dpkg_manage_script_tmp_files',`
> + gen_require(`
> + type dpkg_script_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
> + allow $1 dpkg_script_tmp_t:file manage_file_perms;
> +')
> Index: refpolicy-2.20170417/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170417/policy/modules/system/lvm.te
> @@ -342,6 +342,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dpkg_script_rw_fifo(lvm_t)
> +')
> +
> +optional_policy(`
> gpm_dontaudit_getattr_gpmctl(lvm_t)
> ')
>
> Index: refpolicy-2.20170417/policy/modules/system/iptables.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/iptables.if
> +++ refpolicy-2.20170417/policy/modules/system/iptables.if
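Review bot: `dpkg_script_rw_fifo` grants `dpkg_script_t:fd use` in addition to the fifo access, but neither the interface name nor the summary `access dpkg_script fifos` mentions file descriptor inheritance, so a caller reading the docs does not learn it is also allowed to use descriptors opened by dpkg scripts. Reword the summary to `Read and write dpkg script fifo files and use its inherited file descriptors.`, capitalised and punctuated like the neighbouring `Execute dpkg programs in the dpkg domain.`, and add the missing period to `Domain allowed access`. The `lvm_t` caller added in the lvm.te hunk below inherits the same undocumented fd use.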
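Review bot: `dpkg_manage_script_tmp_files` at @@ -242 spells out raw `allow` rules where the rest of this patch (`create_files_pattern` in devices.if, the `manage_files_pattern` context in iptables.if) and refpolicy convention use the pattern macros; `manage_dirs_pattern($1, dpkg_script_tmp_t, dpkg_script_tmp_t)` and `manage_files_pattern($1, dpkg_script_tmp_t, dpkg_script_tmp_t)` express the same access in the house style. Because manage permissions let the caller unlink and rename the temporary files of a postinst script that may still be running, the summary should describe the access rather than name the type, e.g. `Create, read, write, and delete dpkg script temporary files and directories.`. If the initramfs use case only needs read/write, a narrower rw interface would be the safer default, which is worth confirming against the denials that motivated the change.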
> @@ -165,6 +165,24 @@ interface(`iptables_manage_config',`
> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> ')
>
> +###################################
> ##
> +## dontaudit reading iptables_var_run_t
> ##
> ##
> ##
> +## Domain to not audit
> ##
> ##
> #
> interface(`iptables_dontaudit_var_run',`
> + gen_require(`
> + type iptables_var_run_t;
> + ')
> +
> + dontaudit $1 iptables_var_run_t:file read;
> +')
> +
> ########################################
> ##
> ## All of the rules required to
> Index: refpolicy-2.20170417/policy/modules/contrib/brctl.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/brctl.te
> +++ refpolicy-2.20170417/policy/modules/contrib/brctl.te
> @@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
>
> corenet_rw_tun_tap_dev(brctl_t)
>
> +dev_create_sysfs_files(brctl_t)
> dev_rw_sysfs(brctl_t)
> dev_write_sysfs_dirs(brctl_t)
>
> Index: refpolicy-2.20170417/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170417/policy/modules/kernel/devices.if
> @@ -4100,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',
>
> ########################################
> ##
> +## Add a sysfs file
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_create_sysfs_files',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + create_files_pattern($1, sysfs_t, sysfs_t)
> +')
> +
> +########################################
> +##
> ## mounton sysfs directories.
> ##
> ##
-- 
Chris PeBenito
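Review bot: The separator line above `iptables_dontaudit_var_run` is 35 `#` characters while every other separator in this patch, including the one directly below it in the same hunk, is 40, so the new block stands out in the file. The summary `dontaudit reading iptables_var_run_t` names the type instead of describing the access; `Do not audit attempts to read iptables runtime files.` matches how the surrounding interfaces are documented. The rule itself is appropriately narrow, covering only `file read`.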
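Review bot: The summary `Add a sysfs file` in the devices.if hunk at @@ -4100 understates what `create_files_pattern($1, sysfs_t, sysfs_t)` grants, which is create on sysfs_t files together with the add_entry permissions on sysfs_t directories, on a kernel-populated filesystem where userspace does not normally create entries. The summary should read `Create files in sysfs.`, and the `dev_create_sysfs_files(brctl_t)` call in the brctl.te hunk at @@ -29 should carry a comment recording which bridge operation produced the create denial, since that is not deducible from the call alone. If the underlying operation was a write to an existing sysfs attribute rather than genuine file creation, it is worth confirming from the audit record that create is really required before widening sysfs access for brctl_t.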