From: russell@coker.com.au (Russell Coker) Date: Wed, 19 Apr 2017 21:00:59 +1000 Subject: [refpolicy] [PATCH] second strict patch Message-ID: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is the rest of my policy that was developed on "strict" systems. It also has no inter-dependencies with other patches. I included the interface xdm_sigchld() in this patch as well so it can be applied on its own; this means that it conflicts with the login patch. Chris, maybe even if you don't apply this patch or the login patch in the near future you could add the xdm_sigchld() interface so that both patches can be complete and working and not conflict. Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if +++ refpolicy-2.20170419/policy/modules/contrib/gnome.if @@ -76,6 +76,8 @@ template(`gnome_role_template',` allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; + allow $3 gconfd_t:dbus send_msg; + allow gconfd_t $3:dbus send_msg; userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc +++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc 
@@ -324,6 +324,7 @@ ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0) ') ifdef(`distro_gentoo', ` Index: refpolicy-2.20170419/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20170419/policy/modules/kernel/devices.if @@ -5249,3 +5249,22 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') + +######################################## +## +## Create subdir of /dev +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_create_subdir',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir { add_entry_dir_perms create }; + allow $1 device_t:dir search_dir_perms; +') Index: refpolicy-2.20170419/policy/modules/kernel/files.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/kernel/files.if +++ refpolicy-2.20170419/policy/modules/kernel/files.if @@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file ######################################## ## +## Relabel files and dirs to etc_runtime_t +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabelto_etc_runtime',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:file relabelto; + allow $1 etc_runtime_t:dir relabelto; +') + +######################################## +## ## Create, etc runtime objects with an automatic ## type transition. ## 
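Review bot: `dev_create_subdir` appears to overlap the existing `dev_create_generic_dirs` interface, which this same patch calls on init_t in init.te (it is visible as context in the @@ -257 hunk there), so the new interface and its only caller `dev_create_subdir(initrc_t)` in the init.te @@ -491 hunk may be redundant; please check devices.if before adding a second entry point for the same access. If it is kept, the two rules on the same class can be a single line, `allow $1 device_t:dir { add_entry_dir_perms search_dir_perms create };`. The summary should also state that the directory is created directly in /dev with the generic device_t label, since no file transition is granted here.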
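Review bot: The two `relabelto` rules in `files_relabelto_etc_runtime` target the same type and can be one line, `allow $1 etc_runtime_t:{ dir file } relabelto;`. The summary should also note that the caller still needs relabelfrom on the source type, since this interface grants only the destination side of a relabel.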
@@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',` ') ######################################## +## +## Create a /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_pid_dir',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir create_dir_perms; +') + +######################################## ## ## Search the contents of runtime process ## ID directories (/var/run). Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if +++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if @@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',` ######################################## ## +## Relabel pstore directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_pstore_dirs',` + gen_require(` + type pstore_t; + ') + + relabel_dirs_pattern($1, pstore_t, pstore_t) +') + +######################################## +## +## Get the attributes of a pstore filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`ZZZfs_getattr_pstorefs',` + gen_require(` + type pstore_t; + ') + +allow $1 pstore_t:filesystem getattr; +') + +######################################## +## ## Relabel cgroup directories. ## ## @@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',` ######################################## ## +## Create cgroup lnk_files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_cgroup_links',` + gen_require(` + type cgroup_t; + ') + + create_lnk_files_pattern($1, cgroup_t, cgroup_t) + rw_lnk_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + +######################################## +## ## Write cgroup files. ## ## @@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', ` interface(`fs_rw_cgroup_files',` gen_require(` type cgroup_t; - ') rw_files_pattern($1, cgroup_t, cgroup_t) 
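Review bot: `files_create_pid_dir` is singular while the neighbouring interfaces in this file use the plural object form (`files_setattr_pid_dirs` is this hunk's own context), so `files_create_pid_dirs` would follow the convention and match the call site in init.te. The summary "Create a /var/run directory" reads as if /var/run itself were created; since the rule grants `create` on var_run_t directories, `## Create directories in /var/run.` is closer to what the caller gets.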
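Review bot: `ZZZfs_getattr_pstorefs` in the @@ -769 hunk carries what looks like a leftover placeholder prefix, its `allow` line is not indented like the other new interfaces, and nothing in this patch calls it (init.te only uses `fs_relabel_pstore_dirs`). Either drop it or rename it to `fs_getattr_pstorefs` and indent the body line `allow $1 pstore_t:filesystem getattr;` to match the rest of the file.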
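Review bot: The summary "Create cgroup lnk_files" in the @@ -828 hunk understates what `fs_create_cgroup_links` grants: `rw_lnk_files_pattern` also gives read/write on the links and `dev_search_sysfs` is pulled in. Suggest `## Create, read and write cgroup symbolic links.` so callers know the full scope of the interface.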
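Review bot: The @@ -858 hunk removes the `')` after `type cgroup_t;` in `fs_rw_cgroup_files`, which as shown would leave that `gen_require(` block unterminated; if the file currently has a second, duplicated `')` there it is not visible in this hunk, so please confirm the interface still builds after the change. The commit message does not mention this edit, so one sentence saying it removes a stray closing quote (if that is the case) would help reviewers.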
@@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',` ') ######################################## +## +## Relabelfrom tmpfs link files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabelfrom_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:lnk_file { getattr relabelfrom }; +') + +######################################## ## ## Read and write character nodes on tmpfs filesystems. ## Index: refpolicy-2.20170419/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/services/ssh.if +++ refpolicy-2.20170419/policy/modules/services/ssh.if @@ -353,6 +353,8 @@ template(`ssh_role_template',` allow $1_ssh_agent_t self:process { setrlimit signal }; allow $1_ssh_agent_t self:capability setgid; + allow $1_ssh_agent_t self:fifo_file rw_file_perms; + allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -436,6 +438,7 @@ template(`ssh_role_template',` optional_policy(` xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) + xdm_sigchld($1_ssh_agent_t) ') ') Index: refpolicy-2.20170419/policy/modules/system/fstools.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/fstools.if +++ refpolicy-2.20170419/policy/modules/system/fstools.if 
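Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` in the ssh.if @@ -353 hunk uses the file-class permission set on a fifo_file; the matching set is `rw_fifo_file_perms`, so `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;` keeps class and set consistent. In the following line `{ $1_ssh_agent_t $3 }` can use `self` for the agent's own type, which is how the surrounding rules are written. The template continues outside the hunk.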
@@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',` allow $1 swapfile_t:file getattr; ') + +######################################## +## +## Write to fsadm_log_t +## +## +## +## Domain allowed access. +## +## +# +interface(`fstools_write_log',` + gen_require(` + type fsadm_log_t; + ') + + allow $1 fsadm_log_t:file write_file_perms; +') Index: refpolicy-2.20170419/policy/modules/system/init.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/init.if +++ refpolicy-2.20170419/policy/modules/system/init.if @@ -2966,6 +2966,7 @@ interface(`init_admin',` init_reload($1) init_reload_all_units($1) init_shutdown_system($1) + init_start_system($1) init_start_all_units($1) init_start_generic_units($1) init_stop_all_units($1) Index: refpolicy-2.20170419/policy/modules/system/init.te =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/init.te +++ refpolicy-2.20170419/policy/modules/system/init.te @@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t) allow init_t initrc_t:unix_stream_socket connectto; # For /var/run/shutdown.pid. +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; allow init_t init_var_run_t:file manage_file_perms; files_pid_filetrans(init_t, init_var_run_t, file) +# for /run/systemd/inaccessible/{chr,blk} +allow init_t init_var_run_t:blk_file { create getattr }; +allow init_t init_var_run_t:chr_file { create getattr }; + +# for /run/initctl +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms; + +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; + # for systemd to manage service file symlinks allow init_t init_var_run_t:file manage_lnk_file_perms; @@ -157,6 +167,7 @@ corecmd_exec_bin(init_t) dev_read_sysfs(init_t) # Early devtmpfs dev_rw_generic_chr_files(init_t) +dev_relabel_generic_symlinks(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) 
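Review bot: `fstools_write_log` grants `write_file_perms` on fsadm_log_t files but nothing on the enclosing log directory, so a caller without search on that directory may still be denied; confirm whether `logging_search_logs($1)` is needed here, as other log-write interfaces in refpolicy pair the file rule with it. The summary "Write to fsadm_log_t" names the type rather than the object; `## Write to filesystem tool log files.` is the usual wording.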
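Review bot: `init_start_system($1)` is added to `init_admin` in the init.if hunk but no interface of that name is defined in this patch, so the build depends on it already existing in the tree; please confirm. The init.te @@ -825 hunk grants `initrc_t init_t:system start` directly rather than through that interface, so if it does exist, using it there too would keep the two places consistent.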
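Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in the init.te @@ -135 hunk, once under the shutdown.pid comment and again just before "# for systemd to manage service file symlinks", while the existing `allow init_t init_var_run_t:file manage_lnk_file_perms;` (lnk_file permissions on the file class) is left in place. It looks as if the new lnk_file rule is meant to replace that line, so keep one copy and change the old line to `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;`. The blk_file/chr_file `{ create getattr }` rules for /run/systemd/inaccessible carry no file transition in this hunk, so confirm those nodes actually end up labelled init_var_run_t.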
@@ -170,6 +181,9 @@ files_read_etc_files(init_t) files_rw_generic_pids(init_t) files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) +files_relabelto_etc_runtime(init_t) +files_list_usr(init_t) + # Run /etc/X11/prefdm: files_exec_etc_files(init_t) # file descriptors inherited from the rootfs: @@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t fs_getattr_xattr_fs(init_t) fs_list_inotifyfs(init_t) +fs_relabel_pstore_dirs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -225,6 +240,8 @@ ifdef(`init_systemd',` allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; + allow init_t init_var_run_t:sock_file manage_sock_file_perms; + allow init_t daemon:unix_stream_socket create_stream_socket_perms; allow init_t daemon:unix_dgram_socket create_socket_perms; allow init_t daemon:tcp_socket create_stream_socket_perms; @@ -257,6 +274,7 @@ ifdef(`init_systemd',` kernel_getattr_proc(init_t) kernel_read_fs_sysctls(init_t) + auth_manage_var_auth(init_t) dev_rw_autofs(init_t) dev_create_generic_dirs(init_t) dev_manage_input_dev(init_t) @@ -318,10 +336,14 @@ ifdef(`init_systemd',` seutil_read_file_contexts(init_t) systemd_manage_passwd_runtime_symlinks(init_t) + systemd_use_passwd_agent(init_t) # udevd is a "systemd kobject uevent socket activated daemon" udev_create_kobject_uevent_sockets(init_t) + # for systemd to read udev status + udev_read_pid_files(init_t) + optional_policy(` clock_read_adjtime(init_t) ') @@ -350,11 +372,19 @@ ifdef(`init_systemd',` ') ') +fs_relabelfrom_tmpfs_symlinks(init_t) + ifdef(`distro_debian',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") allow init_t initrc_var_run_t:file manage_file_perms; fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp") + fs_manage_tmpfs_files(initrc_t) + sysnet_manage_config(initrc_t) + + optional_policy(` + postfix_read_config(initrc_t) + ') ') ifdef(`distro_gentoo',` 
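Review bot: The rules added to the distro_debian block in the @@ -350 hunk (`fs_manage_tmpfs_files(initrc_t)`, `sysnet_manage_config(initrc_t)`, `postfix_read_config(initrc_t)`) and the bare `fs_relabelfrom_tmpfs_symlinks(init_t)` above it carry no comment saying which init script or boot path needs them, unlike the neighbouring lines. `sysnet_manage_config` lets initrc_t rewrite network configuration, so a why-comment such as `# <init script> rewrites network config at boot` (with the real script named) matters for later audits. `fs_relabelfrom_tmpfs_symlinks(init_t)` also sits outside every ifdef; if it is only needed under systemd it belongs in the init_systemd block.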
@@ -370,6 +400,12 @@ ifdef(`distro_redhat',` ') optional_policy(` + modutils_read_module_config(init_t) + modutils_read_module_deps(init_t) + modutils_read_module_objects(init_t) +') + +optional_policy(` auth_rw_login_records(init_t) ') @@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_ # Going to single user mode init_telinit(initrc_t) +# for logsave in strict configuration +fstools_write_log(initrc_t) + can_exec(initrc_t, init_script_file_type) create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile) @@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_create_pid_dir(initrc_t) +files_setattr_pid_dirs(initrc_t) allow initrc_t daemon:process siginh; @@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) corenet_sendrecv_all_client_packets(initrc_t) +dev_create_subdir(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) dev_dontaudit_read_kmsg(initrc_t) 
@@ -825,26 +867,33 @@ ifdef(`enabled_mls',` ') ') +# for systemd +kernel_load_module(init_t) + ifdef(`init_systemd',` allow init_t self:system { status reboot halt reload }; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; allow init_t self:process { setsockcreate setfscreate setrlimit }; - allow init_t self:process { getcap setcap }; + allow init_t self:process { getcap setcap getsched setsched }; allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow init_t self:netlink_kobject_uevent_socket create_socket_perms; allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; + allow init_t self:netlink_selinux_socket create_socket_perms; # Until systemd is fixed allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; allow init_t self:udp_socket create_socket_perms; allow init_t self:netlink_route_socket create_netlink_socket_perms; allow init_t initrc_t:unix_dgram_socket create_socket_perms; - allow initrc_t init_t:system { status reboot halt reload }; + allow initrc_t init_t:system { start status reboot halt reload }; allow init_t self:capability2 audit_read; manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) files_lock_filetrans(initrc_t, initrc_lock_t, file) manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t) + allow initrc_t init_var_run_t:file create_file_perms; + allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms; + allow initrc_t init_var_run_t:service { start status }; manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) @@ -868,6 +917,7 @@ ifdef(`init_systemd',` kernel_read_software_raid_state(init_t) kernel_unmount_debugfs(init_t) kernel_setsched(init_t) + kernel_rw_unix_sysctls(init_t) auth_relabel_login_records(init_t) auth_relabel_pam_console_data_dirs(init_t) 
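Review bot: `kernel_load_module(init_t)` is added at top level with the comment "# for systemd" directly above the ifdef(init_systemd) block; if it is systemd-only it should move inside that block, since otherwise sysvinit configurations also gain module loading for init_t. Inside the block, `allow init_t self:netlink_selinux_socket create_socket_perms;` duplicates the rule already present in the init_systemd block shown as context in the @@ -225 hunk, so one of the two copies can go. The `allow initrc_t init_var_run_t:service { start status };` line would benefit from a comment naming the unit it is for, as the other service-class rules in this file have.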
@@ -926,6 +976,7 @@ ifdef(`init_systemd',` fs_list_auto_mountpoints(init_t) fs_manage_cgroup_dirs(init_t) fs_manage_cgroup_files(init_t) + fs_create_cgroup_links(init_t) fs_manage_hugetlbfs_dirs(init_t) fs_manage_tmpfs_dirs(init_t) fs_mount_all_fs(init_t) Index: refpolicy-2.20170419/policy/modules/system/modutils.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/modutils.if +++ refpolicy-2.20170419/policy/modules/system/modutils.if @@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',` ######################################## ## +## Read the kernel modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_read_module_objects',` + gen_require(` + type modules_object_t; + ') + + files_list_kernel_modules($1) + allow $1 modules_object_t:file read_file_perms; +') + +######################################## +## ## Read the configuration options used when ## loading modules. ## Index: refpolicy-2.20170419/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20170419/policy/modules/system/userdomain.if @@ -67,6 +67,7 @@ template(`userdom_base_user_template',` dontaudit $1_t user_tty_device_t:chr_file ioctl; kernel_read_kernel_sysctls($1_t) + kernel_read_vm_sysctls($1_t) kernel_dontaudit_list_unlabeled($1_t) kernel_dontaudit_getattr_unlabeled_files($1_t) kernel_dontaudit_getattr_unlabeled_symlinks($1_t) 
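Review bot: `modutils_read_module_objects` requires `modules_object_t` directly, while the `files_list_kernel_modules($1)` call in the same body suggests that type is owned by the kernel-layer files module rather than modutils; a system-layer interface pulling a kernel-layer type bypasses the layering that the `files_*` interfaces exist to preserve. If files.if already has a read interface for kernel module objects in this tree (`files_read_kernel_modules`, if present), the init.te caller should use that and this interface can be dropped; otherwise the read rule belongs in files.if next to `files_list_kernel_modules`.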
@@ -78,6 +79,12 @@ template(`userdom_base_user_template',` dev_dontaudit_getattr_all_blk_files($1_t) dev_dontaudit_getattr_all_chr_files($1_t) + # for X session unlock + allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; + + # for KDE + allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms; + # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_read_all_domains_state($1_t) @@ -108,6 +115,14 @@ template(`userdom_base_user_template',` sysnet_read_config($1_t) + # kdeinit wants systemd status + init_get_system_status($1_t) + + optional_policy(` + apt_read_cache($1_t) + apt_read_db($1_t) + ') + tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; Index: refpolicy-2.20170419/policy/support/file_patterns.spt =================================================================== --- refpolicy-2.20170419.orig/policy/support/file_patterns.spt +++ refpolicy-2.20170419/policy/support/file_patterns.spt @@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',` define(`create_chr_files_pattern',` allow $1 self:capability mknod; allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:chr_file create_chr_file_perms; + allow $1 $3:chr_file { create_chr_file_perms setattr }; ') define(`delete_chr_files_pattern',` Index: refpolicy-2.20170419/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/services/xserver.if +++ refpolicy-2.20170419/policy/modules/services/xserver.if 
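Review bot: `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` in the @@ -78 hunk lands in `userdom_base_user_template`, so every user domain derived from it, not only desktop sessions, gains audit message relay for the sake of X session unlock. If the unlock program runs in its own domain, grant it there instead, or gate the rule with a tunable, rather than widening the base template; the same question applies to the `netlink_kobject_uevent_socket` rule "for KDE" and to `init_get_system_status($1_t)` in the @@ -108 hunk. The template continues outside both hunks.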
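Review bot: Adding `setattr` to `create_chr_files_pattern` in file_patterns.spt widens a support macro used by every caller in the policy, not just init_t, and the commit message gives no reason for it. If only the /run/systemd/inaccessible nodes need it, grant it at the call site in init.te instead, e.g. `allow init_t init_var_run_t:chr_file { create getattr setattr };`, and leave the pattern unchanged.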
@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+##
+## Allow domain to send sigchld to xdm_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xdm_sigchld',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:process sigchld;
+')
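Review bot: `xdm_sigchld` lacks the `xserver_` prefix that the other interfaces in xserver.if carry (this hunk's own context is `xserver_unconfined`), so callers cannot tell from the name which module provides it; `xserver_xdm_sigchld` would follow the convention, with the ssh.if call updated to match. The commit message says this interface is shared with the login patch, so whichever name is chosen has to be identical in both patches. The summary could read `## Send a SIGCHLD signal to the X display manager.` rather than naming the type.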