From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 19 Apr 2017 13:51:14 +0200 Subject: [refpolicy] [PATCH] second strict patch In-Reply-To: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au> References: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au> Message-ID: <1B3399CF-E91A-47A3-8C02-80FCAD532262@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello. I believe it is very important to move *all* permission required by systemd within the appropriate ifdef block (init_systemd). Not everybody is using systemd and many people believe it is, amongst other things, a waste of resources and SELinux permissions. Thanks, Guido On the 19th of April 2017 13:00:59 CEST, Russell Coker via refpolicy wrote: >This is the rest of my policy that was developed on "strict" systems. >It also >has no inter-dependencies with other patches. I included the interface >xdm_sigchld() in this patch as well so it can be applied on it's own, >this >means that it conflicts with the login patch. > >Chris, maybe even if you don't apply this patch or the login patch in >the >near future you could add the xdm_sigchld() interface so that both >patches >can be complete and working and not conflict. >
>Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if
>+++ refpolicy-2.20170419/policy/modules/contrib/gnome.if
>@@ -76,6 +76,8 @@ template(`gnome_role_template',`
>
> allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms >relabel_dir_perms };
> allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms >relabel_file_perms };
>+ allow $3 gconfd_t:dbus send_msg;
>+ allow gconfd_t $3:dbus send_msg;
> userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
> userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
>
>Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
>+++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
>@@ -324,6 +324,7 @@ ifdef(`distro_debian',`
> /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
>+/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
> ')
>
> ifdef(`distro_gentoo', `
>Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
>+++ refpolicy-2.20170419/policy/modules/kernel/devices.if
>@@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`
>
> typeattribute $1 devices_unconfined_type;
> ')
>+
>+########################################
>+##
>+## Create subdir of /dev
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`dev_create_subdir',`
>+ gen_require(`
>+ type device_t;
>+ ')
>+
>+ allow $1 device_t:dir { add_entry_dir_perms create };
>+ allow $1 device_t:dir search_dir_perms;
>+')
>Index: refpolicy-2.20170419/policy/modules/kernel/files.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
>+++ refpolicy-2.20170419/policy/modules/kernel/files.if
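Review bot: The new `dev_create_subdir` interface appears to duplicate an existing one: the init.te hunk further down in this patch shows `dev_create_generic_dirs(init_t)` as unchanged context, so devices.if already exports an interface for creating directories under /dev. If that interface grants the same `device_t:dir` access, the call `dev_create_subdir(initrc_t)` added in init.te can become `dev_create_generic_dirs(initrc_t)` and this interface can be dropped; if it does not, the summary should say how the two differ. Within the body the two `allow $1 device_t:dir` rules can also be merged into one, `allow $1 device_t:dir { add_entry_dir_perms search_dir_perms create };`.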
>@@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file
>
> ########################################
> ##
>+## Relabel files and dirs to etc_runtime_t
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+##
>+#
>+interface(`files_relabelto_etc_runtime',`
>+ gen_require(`
>+ type etc_runtime_t;
>+ ')
>+
>+ allow $1 etc_runtime_t:file relabelto;
>+ allow $1 etc_runtime_t:dir relabelto;
>+')
>+
>+########################################
>+##
> ## Create, etc runtime objects with an automatic
> ## type transition.
> ##
>@@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
> ')
>
> ########################################
>+##
>+## Create a /var/run directory.
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`files_create_pid_dir',`
>+ gen_require(`
>+ type var_run_t;
>+ ')
>+
>+ allow $1 var_run_t:dir create_dir_perms;
>+')
>+
>+########################################
> ##
> ## Search the contents of runtime process
> ## ID directories (/var/run).
>Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
>+++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
>@@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',`
>
> ########################################
> ##
>+## Relabel pstore directories.
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`fs_relabel_pstore_dirs',`
>+ gen_require(`
>+ type pstore_t;
>+ ')
>+
>+ relabel_dirs_pattern($1, pstore_t, pstore_t)
>+')
>+
>+########################################
>+##
>+## Get the attributes of a pstore filesystem.
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`ZZZfs_getattr_pstorefs',`
>+ gen_require(`
>+ type pstore_t;
>+ ')
>+
>+allow $1 pstore_t:filesystem getattr;
>+')
>+
>+########################################
>+##
> ## Relabel cgroup directories.
> ##
> ##
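Review bot: `files_create_pid_dir` grants only `create_dir_perms` on `var_run_t:dir`, which covers the new directory itself but not the add-entry access on the parent /var/run directory that creating it requires, so a caller without other write access to var_run_t will still be denied. The conventional refpolicy form is the pattern macro, `create_dirs_pattern($1, var_run_t, var_run_t)`, optionally preceded by `files_search_pids($1)`. The summary could also state that the created directory keeps the `var_run_t` type, since no file transition is involved.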
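Review bot: The interface name `ZZZfs_getattr_pstorefs` carries a `ZZZ` prefix that looks like a leftover placeholder, and nothing else in this patch calls it; the sibling `fs_getattr_xattr_fs(init_t)` visible as context in the init.te hunks suggests `fs_getattr_pstore_fs` as the conventional name. Its body line `allow $1 pstore_t:filesystem getattr;` is also the only rule in the hunk without the leading indentation the other new interfaces use. Either rename and indent it, or drop the interface until a caller needs it.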
>@@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',`
>
> ########################################
> ##
>+## Create cgroup lnk_files.
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`fs_create_cgroup_links',`
>+ gen_require(`
>+ type cgroup_t;
>+ ')
>+
>+ create_lnk_files_pattern($1, cgroup_t, cgroup_t)
>+ rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
>+ dev_search_sysfs($1)
>+')
>+
>+########################################
>+##
> ## Write cgroup files.
> ##
> ##
>@@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', `
> interface(`fs_rw_cgroup_files',`
> gen_require(`
> type cgroup_t;
>-
> ')
>
> rw_files_pattern($1, cgroup_t, cgroup_t)
>@@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',`
> ')
>
> ########################################
>+##
>+## Relabelfrom tmpfs link files.
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`fs_relabelfrom_tmpfs_symlinks',`
>+ gen_require(`
>+ type tmpfs_t;
>+ ')
>+
>+ allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
>+')
>+
>+########################################
> ##
> ## Read and write character nodes on tmpfs filesystems.
> ##
>Index: refpolicy-2.20170419/policy/modules/services/ssh.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
>+++ refpolicy-2.20170419/policy/modules/services/ssh.if
>@@ -353,6 +353,8 @@ template(`ssh_role_template',`
> allow $1_ssh_agent_t self:process { setrlimit signal };
> allow $1_ssh_agent_t self:capability setgid;
>
>+ allow $1_ssh_agent_t self:fifo_file rw_file_perms;
>+
> allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
>
> allow $1_ssh_agent_t self:unix_stream_socket { >create_stream_socket_perms connectto };
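Review bot: The summary `Create cgroup lnk_files.` understates what `fs_create_cgroup_links` grants: besides `create_lnk_files_pattern` it adds `rw_lnk_files_pattern` on cgroup_t symlinks and `dev_search_sysfs($1)`. A summary such as `Create, read and write cgroup symbolic links.` would let readers of the generated interface docs see the full grant. If the read/write part is not needed by the only caller in this patch, `fs_create_cgroup_links(init_t)`, it could be dropped to keep the interface minimal.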
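Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies the regular-file permission set to a fifo_file; refpolicy has a class-specific set for this, so the line should read `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;` (the `manage_fifo_file_perms` set used in the init.te hunk is from the same family). A short comment naming what in the agent opens a pipe would also help, since the neighbouring rules in this hunk carry none. The enclosing ssh_role_template starts before this hunk.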
>@@ -436,6 +438,7 @@ template(`ssh_role_template',`
> optional_policy(`
> xserver_use_xdm_fds($1_ssh_agent_t)
> xserver_rw_xdm_pipes($1_ssh_agent_t)
>+ xdm_sigchld($1_ssh_agent_t)
> ')
> ')
>
>Index: refpolicy-2.20170419/policy/modules/system/fstools.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
>+++ refpolicy-2.20170419/policy/modules/system/fstools.if
>@@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`
>
> allow $1 swapfile_t:file getattr;
> ')
>+
>+########################################
>+##
>+## Write to fsadm_log_t
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`fstools_write_log',`
>+ gen_require(`
>+ type fsadm_log_t;
>+ ')
>+
>+ allow $1 fsadm_log_t:file write_file_perms;
>+')
>Index: refpolicy-2.20170419/policy/modules/system/init.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/init.if
>+++ refpolicy-2.20170419/policy/modules/system/init.if
>@@ -2966,6 +2966,7 @@ interface(`init_admin',`
> init_reload($1)
> init_reload_all_units($1)
> init_shutdown_system($1)
>+ init_start_system($1)
> init_start_all_units($1)
> init_start_generic_units($1)
> init_stop_all_units($1)
>Index: refpolicy-2.20170419/policy/modules/system/init.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/init.te
>+++ refpolicy-2.20170419/policy/modules/system/init.te
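Review bot: `xdm_sigchld($1_ssh_agent_t)` calls an interface whose name lacks the `xserver_` module prefix; it is defined in xserver.if in the last hunk of this patch next to `xserver_unconfined`, and sits here beside `xserver_use_xdm_fds` and `xserver_rw_xdm_pipes`. Naming it `xserver_xdm_sigchld` (changing both the definition in xserver.if and this call) keeps the module-prefix convention that the generated interface docs and the `optional_policy` grouping rely on. The enclosing ssh_role_template starts before this hunk.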
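Review bot: `fstools_write_log` grants `write_file_perms` on `fsadm_log_t:file` but no search permission on the log directory, so a caller that cannot already traverse /var/log will not reach the file; the usual refpolicy form adds `logging_search_logs($1)` before the allow rule. The summary `Write to fsadm_log_t` names the type rather than the object; `Write fsadm (logsave) log files.` would read better in the generated docs, since the call site in init.te gives logsave as the reason.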
>@@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t)
> allow init_t initrc_t:unix_stream_socket connectto;
>
> # For /var/run/shutdown.pid.
>+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
> allow init_t init_var_run_t:file manage_file_perms;
> files_pid_filetrans(init_t, init_var_run_t, file)
>
>+# for /run/systemd/inaccessible/{chr,blk}
>+allow init_t init_var_run_t:blk_file { create getattr };
>+allow init_t init_var_run_t:chr_file { create getattr };
>+
>+# for /run/initctl
>+allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
>+
>+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
>+
> # for systemd to manage service file symlinks
> allow init_t init_var_run_t:file manage_lnk_file_perms;
>
>@@ -157,6 +167,7 @@ corecmd_exec_bin(init_t)
> dev_read_sysfs(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>+dev_relabel_generic_symlinks(init_t)
>
> domain_getpgid_all_domains(init_t)
> domain_kill_all_domains(init_t)
>@@ -170,6 +181,9 @@ files_read_etc_files(init_t)
> files_rw_generic_pids(init_t)
> files_manage_etc_runtime_files(init_t)
> files_etc_filetrans_etc_runtime(init_t, file)
>+files_relabelto_etc_runtime(init_t)
>+files_list_usr(init_t)
>+
> # Run /etc/X11/prefdm:
> files_exec_etc_files(init_t)
> # file descriptors inherited from the rootfs:
>@@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t
>
> fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
>+fs_relabel_pstore_dirs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
>
>@@ -225,6 +240,8 @@ ifdef(`init_systemd',`
> allow init_t self:netlink_selinux_socket create_socket_perms;
> allow init_t self:unix_dgram_socket lock;
>
>+ allow init_t init_var_run_t:sock_file manage_sock_file_perms;
>+
> allow init_t daemon:unix_stream_socket create_stream_socket_perms;
> allow init_t daemon:unix_dgram_socket create_socket_perms;
> allow init_t daemon:tcp_socket create_stream_socket_perms;
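Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in the first hunk, once under the `# For /var/run/shutdown.pid.` comment and again after the `/run/initctl` block; one copy should go. The second copy sits directly above the pre-existing line `allow init_t init_var_run_t:file manage_lnk_file_perms;` under `# for systemd to manage service file symlinks`, which looks like a `file`/`lnk_file` class mix-up that the new rule was probably meant to replace, so that line could be retired in the same change. Keeping the one copy next to the service-symlink comment would also document why init_t needs it.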
>@@ -257,6 +274,7 @@ ifdef(`init_systemd',`
> kernel_getattr_proc(init_t)
> kernel_read_fs_sysctls(init_t)
>
>+ auth_manage_var_auth(init_t)
> dev_rw_autofs(init_t)
> dev_create_generic_dirs(init_t)
> dev_manage_input_dev(init_t)
>@@ -318,10 +336,14 @@ ifdef(`init_systemd',`
> seutil_read_file_contexts(init_t)
>
> systemd_manage_passwd_runtime_symlinks(init_t)
>+ systemd_use_passwd_agent(init_t)
>
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
>+ # for systemd to read udev status
>+ udev_read_pid_files(init_t)
>+
> optional_policy(`
> clock_read_adjtime(init_t)
> ')
>@@ -350,11 +372,19 @@ ifdef(`init_systemd',`
> ')
> ')
>
>+fs_relabelfrom_tmpfs_symlinks(init_t)
>+
> ifdef(`distro_debian',`
> fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
>
> allow init_t initrc_var_run_t:file manage_file_perms;
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
>+ fs_manage_tmpfs_files(initrc_t)
>+ sysnet_manage_config(initrc_t)
>+
>+ optional_policy(`
>+ postfix_read_config(initrc_t)
>+ ')
> ')
>
> ifdef(`distro_gentoo',`
>@@ -370,6 +400,12 @@ ifdef(`distro_redhat',`
> ')
>
> optional_policy(`
>+ modutils_read_module_config(init_t)
>+ modutils_read_module_deps(init_t)
>+ modutils_read_module_objects(init_t)
>+')
>+
>+optional_policy(`
> auth_rw_login_records(init_t)
> ')
>
>@@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_
> # Going to single user mode
> init_telinit(initrc_t)
>
>+# for logsave in strict configuration
>+fstools_write_log(initrc_t)
>+
> can_exec(initrc_t, init_script_file_type)
>
> create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
>@@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init
>
> allow initrc_t initrc_var_run_t:file manage_file_perms;
> files_pid_filetrans(initrc_t, initrc_var_run_t, file)
>+files_create_pid_dir(initrc_t)
>+files_setattr_pid_dirs(initrc_t)
>
> allow initrc_t daemon:process siginh;
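Review bot: The two rules added to the `ifdef(`distro_debian'` block in the `@@ -350,11 +372,19 @@` hunk, `fs_manage_tmpfs_files(initrc_t)` and `sysnet_manage_config(initrc_t)`, give every Debian init script write access to all tmpfs_t files and to the network configuration, and carry no comment saying which script needs them, unlike the `# for logsave in strict configuration` comment used later in this patch. A comment naming the script and the file it writes (for example `# SCRIPT writes PATH under /run`) would let a later reviewer judge whether a dedicated type with a filetrans would be tighter than manage on all of tmpfs_t. The `postfix_read_config(initrc_t)` optional_policy has the same gap.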
>
>@@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t)
> corenet_tcp_connect_all_ports(initrc_t)
> corenet_sendrecv_all_client_packets(initrc_t)
>
>+dev_create_subdir(initrc_t)
> dev_read_rand(initrc_t)
> dev_read_urand(initrc_t)
> dev_dontaudit_read_kmsg(initrc_t)
>@@ -825,26 +867,33 @@ ifdef(`enabled_mls',`
> ')
> ')
>
>+# for systemd
>+kernel_load_module(init_t)
>+
> ifdef(`init_systemd',`
> allow init_t self:system { status reboot halt reload };
>
> allow init_t self:unix_dgram_socket { create_socket_perms sendto };
> allow init_t self:process { setsockcreate setfscreate setrlimit };
>- allow init_t self:process { getcap setcap };
>+ allow init_t self:process { getcap setcap getsched setsched };
> allow init_t self:unix_stream_socket { create_stream_socket_perms >connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow init_t self:netlink_audit_socket { nlmsg_relay >create_socket_perms };
>+ allow init_t self:netlink_selinux_socket create_socket_perms;
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl >setopt write };
> allow init_t self:udp_socket create_socket_perms;
> allow init_t self:netlink_route_socket create_netlink_socket_perms;
> allow init_t initrc_t:unix_dgram_socket create_socket_perms;
>- allow initrc_t init_t:system { status reboot halt reload };
>+ allow initrc_t init_t:system { start status reboot halt reload };
> allow init_t self:capability2 audit_read;
> manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> files_lock_filetrans(initrc_t, initrc_lock_t, file)
>
> manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
>+ allow initrc_t init_var_run_t:file create_file_perms;
>+ allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
>+ allow initrc_t init_var_run_t:service { start status };
>
> manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
> manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
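Review bot: `allow init_t self:netlink_selinux_socket create_socket_perms;` added in the `@@ -825,26 +867,33 @@` hunk already exists: the earlier init.te hunk at `@@ -225,6 +240,8 @@` shows the same rule as unchanged context inside another `ifdef(`init_systemd'` block of this file, so this addition is a duplicate and should be dropped. While here, `allow initrc_t init_var_run_t:service { start status };` applies the `service` class to a runtime-file type rather than a unit-file type; if this is for transient units generated under /run/systemd, a comment saying so would explain the choice to the next reader. The enclosing `ifdef(`init_systemd'` block continues past this hunk.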
>@@ -868,6 +917,7 @@ ifdef(`init_systemd',`
> kernel_read_software_raid_state(init_t)
> kernel_unmount_debugfs(init_t)
> kernel_setsched(init_t)
>+ kernel_rw_unix_sysctls(init_t)
>
> auth_relabel_login_records(init_t)
> auth_relabel_pam_console_data_dirs(init_t)
>@@ -926,6 +976,7 @@ ifdef(`init_systemd',`
> fs_list_auto_mountpoints(init_t)
> fs_manage_cgroup_dirs(init_t)
> fs_manage_cgroup_files(init_t)
>+ fs_create_cgroup_links(init_t)
> fs_manage_hugetlbfs_dirs(init_t)
> fs_manage_tmpfs_dirs(init_t)
> fs_mount_all_fs(init_t)
>Index: refpolicy-2.20170419/policy/modules/system/modutils.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
>+++ refpolicy-2.20170419/policy/modules/system/modutils.if
>@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
>
> ########################################
> ##
>+## Read the kernel modules.
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`modutils_read_module_objects',`
>+ gen_require(`
>+ type modules_object_t;
>+ ')
>+
>+ files_list_kernel_modules($1)
>+ allow $1 modules_object_t:file read_file_perms;
>+')
>+
>+########################################
>+##
> ## Read the configuration options used when
> ## loading modules.
> ##
>Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
>+++ refpolicy-2.20170419/policy/modules/system/userdomain.if
>@@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
> dontaudit $1_t user_tty_device_t:chr_file ioctl;
>
> kernel_read_kernel_sysctls($1_t)
>+ kernel_read_vm_sysctls($1_t)
> kernel_dontaudit_list_unlabeled($1_t)
> kernel_dontaudit_getattr_unlabeled_files($1_t)
> kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
>@@ -78,6 +79,12 @@ template(`userdom_base_user_template',`
> dev_dontaudit_getattr_all_blk_files($1_t)
> dev_dontaudit_getattr_all_chr_files($1_t)
>
>+ # for X session unlock
>+ allow $1_t self:netlink_audit_socket { create_socket_perms >nlmsg_relay };
>+
>+ # for KDE
>+ allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
>+
> # When the user domain runs ps, there will be a number of access
> # denials when ps tries to search /proc. Do not audit these denials.
> domain_dontaudit_read_all_domains_state($1_t)
>@@ -108,6 +115,14 @@ template(`userdom_base_user_template',`
>
> sysnet_read_config($1_t)
>
>+ # kdeinit wants systemd status
>+ init_get_system_status($1_t)
>+
>+ optional_policy(`
>+ apt_read_cache($1_t)
>+ apt_read_db($1_t)
>+ ')
>+
> tunable_policy(`allow_execmem',`
> # Allow loading DSOs that require executable stack.
> allow $1_t self:process execmem;
>Index: refpolicy-2.20170419/policy/support/file_patterns.spt
>===================================================================
>--- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
>+++ refpolicy-2.20170419/policy/support/file_patterns.spt
>@@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
> define(`create_chr_files_pattern',`
> allow $1 self:capability mknod;
> allow $1 $2:dir add_entry_dir_perms;
>- allow $1 $3:chr_file create_chr_file_perms;
>+ allow $1 $3:chr_file { create_chr_file_perms setattr };
> ')
>
> define(`delete_chr_files_pattern',`
>Index: refpolicy-2.20170419/policy/modules/services/xserver.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/services/xserver.if
>+++ refpolicy-2.20170419/policy/modules/services/xserver.if
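Review bot: `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` hand-writes a rule for which refpolicy already has an interface, `logging_send_audit_msgs($1_t)`, which also grants the `audit_write` capability the kernel checks before accepting relayed audit messages; the socket permission alone does not make the unlock path work. Since the comment ties the access to X session unlock, placing that call under the template's xserver `optional_policy` rather than in the unconditional body would avoid giving every base user domain audit-message rights on systems without a display manager. The enclosing userdom_base_user_template starts before this hunk.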
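Review bot: Adding `setattr` to `create_chr_files_pattern` in the file_patterns.spt hunk widens a shared support macro, so every existing caller across the policy gains `setattr` on the device nodes it creates, not only the domain this patch was debugged on. The hunk does not say which caller hit the denial; granting it at that call site, `allow DOMAIN TYPE:chr_file setattr;` with the real domain and type, keeps the change scoped. If the policy-wide change is intended, the commit message should say so, because the macro is used by every module that creates character devices.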
>@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
>+
>+########################################
>+##
>+## Allow domain to send sigchld to xdm_t
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`xdm_sigchld',`
>+ gen_require(`
>+ type xdm_t;
>+ ')
>+
>+ allow $1 xdm_t:process sigchld;
>+')
>_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy