From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 18 Apr 2017 21:18:10 -0400
Subject: [refpolicy] [PATCH] kmod, lvm, brctl patches
In-Reply-To: <20170417121354.w3lrn7ua4zr6tumt@athena.coker.com.au>
References: <20170417121354.w3lrn7ua4zr6tumt@athena.coker.com.au>
Message-ID: <d53c2a21-0a71-792f-de91-c5125e11b1a9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/17/2017 08:13 AM, Russell Coker via refpolicy wrote:
> Patches for modutils, at least one of which is needed to generate an initramfs
> on Debian.
>
> Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
> etc.
>
> Patch for brctl to allow it to create sysfs files.

Merged with some renaming.


> Index: refpolicy-2.20170417/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20170417/policy/modules/system/modutils.te
> @@ -89,6 +89,7 @@ files_read_etc_runtime_files(kmod_t)
>  files_read_etc_files(kmod_t)
>  files_read_usr_files(kmod_t)
>  files_exec_etc_files(kmod_t)
> +files_search_tmp(kmod_t)
>  # for nscd:
>  files_dontaudit_search_pids(kmod_t)
>  # to manage modules.dep
> @@ -127,6 +128,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	dpkg_manage_script_tmp_files(kmod_t)
> +')
> +
> +optional_policy(`
>  	firstboot_dontaudit_rw_pipes(kmod_t)
>  	firstboot_dontaudit_rw_stream_sockets(kmod_t)
>  ')
> @@ -140,6 +145,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	iptables_dontaudit_var_run(kmod_t)
> +')
> +
> +optional_policy(`
>  	mount_domtrans(kmod_t)
>  ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.if
> +++ refpolicy-2.20170417/policy/modules/contrib/dpkg.if
> @@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',`
>
>  ########################################
>  ## <summary>
> +##	access dpkg_script fifos
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_script_rw_fifo',`
> +	gen_require(`
> +		type dpkg_script_t;
> +	')
> +
> +	allow $1 dpkg_script_t:fd use;
> +	allow $1 dpkg_script_t:fifo_file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute dpkg programs in the dpkg domain.
>  ## </summary>
>  ## <param name="domain">
> @@ -242,3 +261,23 @@ interface(`dpkg_lock_db',`
>  	allow $1 dpkg_var_lib_t:dir list_dir_perms;
>  	allow $1 dpkg_lock_t:file manage_file_perms;
>  ')
> +
> +########################################
> +## <summary>
> +##	manage dpkg_script_tmp_t files and dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_manage_script_tmp_files',`
> +	gen_require(`
> +		type dpkg_script_tmp_t;
> +	')
> +
> +	files_search_tmp($1)
> +	allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
> +	allow $1 dpkg_script_tmp_t:file manage_file_perms;
> +')
> Index: refpolicy-2.20170417/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170417/policy/modules/system/lvm.te
> @@ -342,6 +342,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	dpkg_script_rw_fifo(lvm_t)
> +')
> +
> +optional_policy(`
>  	gpm_dontaudit_getattr_gpmctl(lvm_t)
>  ')
>
> Index: refpolicy-2.20170417/policy/modules/system/iptables.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/iptables.if
> +++ refpolicy-2.20170417/policy/modules/system/iptables.if
> @@ -165,6 +165,24 @@ interface(`iptables_manage_config',`
>  	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
>  ')
>
> +###################################
> +## <summary>
> +##	dontaudit reading iptables_var_run_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit
> +##	</summary>
> +## </param>
> +#
> +interface(`iptables_dontaudit_var_run',`
> +	gen_require(`
> +		type iptables_var_run_t;
> +	')
> +
> +	dontaudit $1 iptables_var_run_t:file read;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	All of the rules required to
> Index: refpolicy-2.20170417/policy/modules/contrib/brctl.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/brctl.te
> +++ refpolicy-2.20170417/policy/modules/contrib/brctl.te
> @@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
>
>  corenet_rw_tun_tap_dev(brctl_t)
>
> +dev_create_sysfs_files(brctl_t)
>  dev_rw_sysfs(brctl_t)
>  dev_write_sysfs_dirs(brctl_t)
>
> Index: refpolicy-2.20170417/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170417/policy/modules/kernel/devices.if
> @@ -4100,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',
>
>  ########################################
>  ## <summary>
> +##	Add a sysfs file
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_create_sysfs_files',`
> +	gen_require(`
> +		type sysfs_t;
> +	')
> +
> +	create_files_pattern($1, sysfs_t, sysfs_t)
> +')
> +
> +########################################
> +## <summary>
>  ##     mounton sysfs directories.
>  ## </summary>
>  ## <param name="domain">


-- 
Chris PeBenito