From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=) Date: Wed, 19 Apr 2017 14:23:15 +0200 Subject: [refpolicy] [PATCH] second strict patch In-Reply-To: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au> References: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com 2017-04-19 13:00 GMT+02:00 Russell Coker via refpolicy : > This is the rest of my policy that was developed on "strict" systems. It also > has no inter-dependencies with other patches. I included the interface > xdm_sigchld() in this patch as well so it can be applied on it's own, this > means that it conflicts with the login patch. > > Chris, maybe even if you don't apply this patch or the login patch in the > near future you could add the xdm_sigchld() interface so that both patches > can be complete and working and not conflict. > > Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if > +++ refpolicy-2.20170419/policy/modules/contrib/gnome.if > @@ -76,6 +76,8 @@ template(`gnome_role_template',` > > allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; > allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; > + allow $3 gconfd_t:dbus send_msg; > + allow gconfd_t $3:dbus send_msg; > userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") > userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") > > Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc > +++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc 
> @@ -324,6 +324,7 @@ ifdef(`distro_debian',` > /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) > +/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0) > ') > > ifdef(`distro_gentoo', ` > Index: refpolicy-2.20170419/policy/modules/kernel/devices.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if > +++ refpolicy-2.20170419/policy/modules/kernel/devices.if > @@ -5249,3 +5249,22 @@ interface(`dev_unconfined',` > > typeattribute $1 devices_unconfined_type; > ') > + > +######################################## > +## > +## Create subdir of /dev > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_create_subdir',` > + gen_require(` > + type device_t; > + ') > + > + allow $1 device_t:dir { add_entry_dir_perms create }; > + allow $1 device_t:dir search_dir_perms; > +') > Index: refpolicy-2.20170419/policy/modules/kernel/files.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/kernel/files.if > +++ refpolicy-2.20170419/policy/modules/kernel/files.if > @@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file > > ######################################## > ## > +## Relabel files and dirs to etc_runtime_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`files_relabelto_etc_runtime',` > + gen_require(` > + type etc_runtime_t; > + ') > + > + allow $1 etc_runtime_t:file relabelto; > + allow $1 etc_runtime_t:dir relabelto; > +') > + > +######################################## > +## > ## Create, etc runtime objects with an automatic > ## type transition. > ## 
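Review bot: `dev_create_subdir` looks like a duplicate of an interface devices.if already has: init.te in this same patch calls `dev_create_generic_dirs(init_t)` (the @@ -257 hunk), which is the existing way to let a domain create directories under /dev, so the `dev_create_subdir(initrc_t)` call in the @@ -491 hunk could be `dev_create_generic_dirs(initrc_t)` and the new interface dropped. If a separate interface is kept, the second rule `allow $1 device_t:dir search_dir_perms;` appears redundant, since as far as I recall `add_entry_dir_perms` already includes search on the parent directory. The summary should also use the usual wording, e.g. `## Create directories in /dev.` rather than `## Create subdir of /dev`.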
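Review bot: The summary of `files_relabelto_etc_runtime` names the type (`etc_runtime_t`) instead of describing the objects, unlike the neighbouring `files_manage_etc_runtime_files` documentation; suggest `## Relabel files and directories to the etc runtime type.`. The interface only grants the `relabelto` half, and its single caller `files_relabelto_etc_runtime(init_t)` in the @@ -170 hunk carries no comment saying which file init relabels or where the matching `relabelfrom` on the source type comes from; a one-line `# for <file being relabeled>` at the call site would let a reader verify the pair.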
> @@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',` > ') > > ######################################## > +## > +## Create a /var/run directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_create_pid_dir',` > + gen_require(` > + type var_run_t; > + ') > + > + allow $1 var_run_t:dir create_dir_perms; > +') > + > +######################################## > ## > ## Search the contents of runtime process > ## ID directories (/var/run). > Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if > +++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if > @@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',` > > ######################################## > ## > +## Relabel pstore directories. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fs_relabel_pstore_dirs',` > + gen_require(` > + type pstore_t; > + ') > + > + relabel_dirs_pattern($1, pstore_t, pstore_t) > +') > + > +######################################## > +## > +## Get the attributes of a pstore filesystem. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ZZZfs_getattr_pstorefs',` > + gen_require(` > + type pstore_t; > + ') > + > +allow $1 pstore_t:filesystem getattr; > +') > + > +######################################## > +## > ## Relabel cgroup directories. > ## > ## 
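Review bot: `files_create_pid_dir` grants `create_dir_perms` on `var_run_t:dir` only; creating a directory also needs write/add_name on the parent /var/run directory, and `create_dirs_pattern($1, var_run_t, var_run_t)` expresses both in one line, the same form init.te already uses in `create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)` (visible in the @@ -423 hunk). A caller that already has add_entry on var_run_t through another interface will work with the current rule, but the pattern macro makes the interface self-contained. The summary would then read `## Create directories in /var/run.`, matching the plural convention of the surrounding `files_setattr_pid_dirs`.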
> @@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',` > > ######################################## > ## > +## Create cgroup lnk_files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fs_create_cgroup_links',` > + gen_require(` > + type cgroup_t; > + ') > + > + create_lnk_files_pattern($1, cgroup_t, cgroup_t) > + rw_lnk_files_pattern($1, cgroup_t, cgroup_t) interface states create > + dev_search_sysfs($1) > +') > + > +######################################## > +## > ## Write cgroup files. > ## > ## > @@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', ` > interface(`fs_rw_cgroup_files',` > gen_require(` > type cgroup_t; > - > ') > > rw_files_pattern($1, cgroup_t, cgroup_t) > @@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',` > ') > > ######################################## > +## > +## Relabelfrom tmpfs link files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fs_relabelfrom_tmpfs_symlinks',` > + gen_require(` > + type tmpfs_t; > + ') > + > + allow $1 tmpfs_t:lnk_file { getattr relabelfrom }; > +') > + > +######################################## > ## > ## Read and write character nodes on tmpfs filesystems. > ## > Index: refpolicy-2.20170419/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20170419/policy/modules/services/ssh.if > @@ -353,6 +353,8 @@ template(`ssh_role_template',` > allow $1_ssh_agent_t self:process { setrlimit signal }; > allow $1_ssh_agent_t self:capability setgid; > > + allow $1_ssh_agent_t self:fifo_file rw_file_perms; > + > allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; > > allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; 
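Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies the plain file permission set to the `fifo_file` class; refpolicy provides the class-specific set for this, so the line should read `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;`. Nothing in the hunk says which ssh-agent operation needs its own pipe, so a short comment above the rule would help the next reader. ssh_role_template continues outside the hunk.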
> @@ -436,6 +438,7 @@ template(`ssh_role_template',` > optional_policy(` > xserver_use_xdm_fds($1_ssh_agent_t) > xserver_rw_xdm_pipes($1_ssh_agent_t) > + xdm_sigchld($1_ssh_agent_t) > ') > ') > > Index: refpolicy-2.20170419/policy/modules/system/fstools.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/fstools.if > +++ refpolicy-2.20170419/policy/modules/system/fstools.if > @@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',` > > allow $1 swapfile_t:file getattr; > ') > + > +######################################## > +## > +## Write to fsadm_log_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fstools_write_log',` > + gen_require(` > + type fsadm_log_t; > + ') > + > + allow $1 fsadm_log_t:file write_file_perms; > +') > Index: refpolicy-2.20170419/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/init.if > +++ refpolicy-2.20170419/policy/modules/system/init.if > @@ -2966,6 +2966,7 @@ interface(`init_admin',` > init_reload($1) > init_reload_all_units($1) > init_shutdown_system($1) > + init_start_system($1) > init_start_all_units($1) > init_start_generic_units($1) > init_stop_all_units($1) > Index: refpolicy-2.20170419/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/init.te > +++ refpolicy-2.20170419/policy/modules/system/init.te 
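Review bot: `xdm_sigchld` is defined in xserver.if (the @@ -1561 hunk) but lacks the module's `xserver_` prefix, which is what the refpolicy interface naming convention keys on and what the two neighbouring calls `xserver_use_xdm_fds` and `xserver_rw_xdm_pipes` follow; suggest `xserver_sigchld_xdm` at the definition and `xserver_sigchld_xdm($1_ssh_agent_t)` here. Since the description says this interface is shared with the login patch, settling the name now avoids renaming it in both.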
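Review bot: `fstools_write_log` grants `write_file_perms` on `fsadm_log_t:file` but nothing to reach the file, so a caller that cannot already search /var/log will still be denied; most log-writing interfaces in refpolicy pair the allow with `logging_search_logs($1)`, and this one probably should too. The summary `## Write to fsadm_log_t` names the type; the convention is to describe the object, e.g. `## Write fstools log files.`.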
> @@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t) > allow init_t initrc_t:unix_stream_socket connectto; > > # For /var/run/shutdown.pid. > +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; > allow init_t init_var_run_t:file manage_file_perms; > files_pid_filetrans(init_t, init_var_run_t, file) > > +# for /run/systemd/inaccessible/{chr,blk} > +allow init_t init_var_run_t:blk_file { create getattr }; > +allow init_t init_var_run_t:chr_file { create getattr }; > + > +# for /run/initctl > +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms; > + > +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; > + > # for systemd to manage service file symlinks > allow init_t init_var_run_t:file manage_lnk_file_perms; > > @@ -157,6 +167,7 @@ corecmd_exec_bin(init_t) > dev_read_sysfs(init_t) > # Early devtmpfs > dev_rw_generic_chr_files(init_t) > +dev_relabel_generic_symlinks(init_t) > > domain_getpgid_all_domains(init_t) > domain_kill_all_domains(init_t) > @@ -170,6 +181,9 @@ files_read_etc_files(init_t) > files_rw_generic_pids(init_t) > files_manage_etc_runtime_files(init_t) > files_etc_filetrans_etc_runtime(init_t, file) > +files_relabelto_etc_runtime(init_t) > +files_list_usr(init_t) > + > # Run /etc/X11/prefdm: > files_exec_etc_files(init_t) > # file descriptors inherited from the rootfs: > @@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t > > fs_getattr_xattr_fs(init_t) > fs_list_inotifyfs(init_t) > +fs_relabel_pstore_dirs(init_t) > # cjp: this may be related to /dev/log > fs_write_ramfs_sockets(init_t) > > @@ -225,6 +240,8 @@ ifdef(`init_systemd',` > allow init_t self:netlink_selinux_socket create_socket_perms; > allow init_t self:unix_dgram_socket lock; > > + allow init_t init_var_run_t:sock_file manage_sock_file_perms; > + > allow init_t daemon:unix_stream_socket create_stream_socket_perms; > allow init_t daemon:unix_dgram_socket create_socket_perms; > allow init_t daemon:tcp_socket create_stream_socket_perms; 
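Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in this hunk, once under the `# For /var/run/shutdown.pid.` comment and again after the `/run/initctl` block; keep one and give it its own comment, since the shutdown.pid comment does not explain a symlink rule. The existing context line `allow init_t init_var_run_t:file manage_lnk_file_perms;` under `# for systemd to manage service file symlinks` appears to apply symlink permissions to the `file` class, which is what the new lnk_file rule actually provides; as the patch touches this area it could correct that line to `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` and then no separate addition is needed.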
> @@ -257,6 +274,7 @@ ifdef(`init_systemd',` > kernel_getattr_proc(init_t) > kernel_read_fs_sysctls(init_t) > > + auth_manage_var_auth(init_t) > dev_rw_autofs(init_t) > dev_create_generic_dirs(init_t) > dev_manage_input_dev(init_t) > @@ -318,10 +336,14 @@ ifdef(`init_systemd',` > seutil_read_file_contexts(init_t) > > systemd_manage_passwd_runtime_symlinks(init_t) > + systemd_use_passwd_agent(init_t) > > # udevd is a "systemd kobject uevent socket activated daemon" > udev_create_kobject_uevent_sockets(init_t) > > + # for systemd to read udev status > + udev_read_pid_files(init_t) > + > optional_policy(` > clock_read_adjtime(init_t) > ') > @@ -350,11 +372,19 @@ ifdef(`init_systemd',` > ') > ') > > +fs_relabelfrom_tmpfs_symlinks(init_t) > + > ifdef(`distro_debian',` > fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") > > allow init_t initrc_var_run_t:file manage_file_perms; > fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp") > + fs_manage_tmpfs_files(initrc_t) > + sysnet_manage_config(initrc_t) > + > + optional_policy(` > + postfix_read_config(initrc_t) > + ') > ') > > ifdef(`distro_gentoo',` > @@ -370,6 +400,12 @@ ifdef(`distro_redhat',` > ') > > optional_policy(` > + modutils_read_module_config(init_t) > + modutils_read_module_deps(init_t) > + modutils_read_module_objects(init_t) > +') > + > +optional_policy(` > auth_rw_login_records(init_t) > ') > > @@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_ > # Going to single user mode > init_telinit(initrc_t) > > +# for logsave in strict configuration > +fstools_write_log(initrc_t) > + > can_exec(initrc_t, init_script_file_type) > > create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile) > @@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init > > allow initrc_t initrc_var_run_t:file manage_file_perms; > files_pid_filetrans(initrc_t, initrc_var_run_t, file) > +files_create_pid_dir(initrc_t) > +files_setattr_pid_dirs(initrc_t) > > allow initrc_t daemon:process siginh; 
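Review bot: `fs_manage_tmpfs_files(initrc_t)` and `sysnet_manage_config(initrc_t)` are added to the `ifdef(`distro_debian'` block with no comment naming the init script that needs to rewrite network configuration or arbitrary tmpfs files, and they sit among lines that are otherwise about init_t; the initrc_t section of init.te (the @@ -423 and @@ -442 hunks) would be the natural place, each with a `# for <script>` reason, and `sysnet_manage_config` in particular is broad enough for a transitional domain that the reason matters. The `postfix_read_config(initrc_t)` optional block needs the same note. Likewise `fs_relabelfrom_tmpfs_symlinks(init_t)` lands at top level uncommented; together with `dev_relabel_generic_symlinks(init_t)` in the @@ -157 hunk it presumably relabels a tmpfs symlink to a device type during early boot, and a comment naming that symlink would let a reviewer check the pair.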
> > @@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t) > corenet_tcp_connect_all_ports(initrc_t) > corenet_sendrecv_all_client_packets(initrc_t) > > +dev_create_subdir(initrc_t) > dev_read_rand(initrc_t) > dev_read_urand(initrc_t) > dev_dontaudit_read_kmsg(initrc_t) 
> @@ -825,26 +867,33 @@ ifdef(`enabled_mls',` > ') > ') > > +# for systemd > +kernel_load_module(init_t) > + > ifdef(`init_systemd',` > allow init_t self:system { status reboot halt reload }; > > allow init_t self:unix_dgram_socket { create_socket_perms sendto }; > allow init_t self:process { setsockcreate setfscreate setrlimit }; > - allow init_t self:process { getcap setcap }; > + allow init_t self:process { getcap setcap getsched setsched }; > allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; > allow init_t self:netlink_kobject_uevent_socket create_socket_perms; > allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; > + allow init_t self:netlink_selinux_socket create_socket_perms; > # Until systemd is fixed > allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; > allow init_t self:udp_socket create_socket_perms; > allow init_t self:netlink_route_socket create_netlink_socket_perms; > allow init_t initrc_t:unix_dgram_socket create_socket_perms; > - allow initrc_t init_t:system { status reboot halt reload }; > + allow initrc_t init_t:system { start status reboot halt reload }; > allow init_t self:capability2 audit_read; > manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) > files_lock_filetrans(initrc_t, initrc_lock_t, file) > > manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t) > + allow initrc_t init_var_run_t:file create_file_perms; > + allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms; > + allow initrc_t init_var_run_t:service { start status }; > > manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) > manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) > @@ -868,6 +917,7 @@ ifdef(`init_systemd',` > kernel_read_software_raid_state(init_t) > kernel_unmount_debugfs(init_t) > kernel_setsched(init_t) > + kernel_rw_unix_sysctls(init_t) > > auth_relabel_login_records(init_t) > auth_relabel_pam_console_data_dirs(init_t) 
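Review bot: `kernel_load_module(init_t)` carries the comment `# for systemd` yet is placed just before `ifdef(`init_systemd',` rather than inside it, so it is also granted to init_t on a sysvinit build; moving the two lines into the ifdef block keeps the rule with its reason. Inside that block the added `allow init_t self:netlink_selinux_socket create_socket_perms;` duplicates the identical context line in the earlier `ifdef(`init_systemd'` block of the @@ -225 hunk. The new `start` on `init_t:system` and `{ start status }` on `init_var_run_t:service` for initrc_t extend what init scripts may drive through systemd; a one-line comment on which script needs them would be useful.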
> @@ -926,6 +976,7 @@ ifdef(`init_systemd',` > fs_list_auto_mountpoints(init_t) > fs_manage_cgroup_dirs(init_t) > fs_manage_cgroup_files(init_t) > + fs_create_cgroup_links(init_t) > fs_manage_hugetlbfs_dirs(init_t) > fs_manage_tmpfs_dirs(init_t) > fs_mount_all_fs(init_t) > Index: refpolicy-2.20170419/policy/modules/system/modutils.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/modutils.if > +++ refpolicy-2.20170419/policy/modules/system/modutils.if > @@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',` > > ######################################## > ## > +## Read the kernel modules. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`modutils_read_module_objects',` > + gen_require(` > + type modules_object_t; > + ') > + > + files_list_kernel_modules($1) > + allow $1 modules_object_t:file read_file_perms; > +') > + > +######################################## > +## > ## Read the configuration options used when > ## loading modules. > ## > Index: refpolicy-2.20170419/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20170419/policy/modules/system/userdomain.if > @@ -67,6 +67,7 @@ template(`userdom_base_user_template',` > dontaudit $1_t user_tty_device_t:chr_file ioctl; > > kernel_read_kernel_sysctls($1_t) > + kernel_read_vm_sysctls($1_t) > kernel_dontaudit_list_unlabeled($1_t) > kernel_dontaudit_getattr_unlabeled_files($1_t) > kernel_dontaudit_getattr_unlabeled_symlinks($1_t) 
> @@ -78,6 +79,12 @@ template(`userdom_base_user_template',` > dev_dontaudit_getattr_all_blk_files($1_t) > dev_dontaudit_getattr_all_chr_files($1_t) > > + # for X session unlock > + allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; > + > + # for KDE > + allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms; > + > # When the user domain runs ps, there will be a number of access > # denials when ps tries to search /proc. Do not audit these denials. > domain_dontaudit_read_all_domains_state($1_t) > @@ -108,6 +115,14 @@ template(`userdom_base_user_template',` > > sysnet_read_config($1_t) > > + # kdeinit wants systemd status > + init_get_system_status($1_t) > + > + optional_policy(` > + apt_read_cache($1_t) > + apt_read_db($1_t) > + ') > + > tunable_policy(`allow_execmem',` > # Allow loading DSOs that require executable stack. > allow $1_t self:process execmem; > Index: refpolicy-2.20170419/policy/support/file_patterns.spt > =================================================================== > --- refpolicy-2.20170419.orig/policy/support/file_patterns.spt > +++ refpolicy-2.20170419/policy/support/file_patterns.spt > @@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',` > define(`create_chr_files_pattern',` > allow $1 self:capability mknod; > allow $1 $2:dir add_entry_dir_perms; > - allow $1 $3:chr_file create_chr_file_perms; > + allow $1 $3:chr_file { create_chr_file_perms setattr }; why setattr in create pattern? > ') > > define(`delete_chr_files_pattern',` > Index: refpolicy-2.20170419/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20170419/policy/modules/services/xserver.if 
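Review bot: `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` open-codes what refpolicy provides through `logging_send_audit_msgs($1_t)`, which as far as I recall also grants the `audit_write` capability that relaying audit messages needs, so the raw rule should become that interface call. Both additions land in `userdom_base_user_template`, the template every user domain builds on, while the comments name X session unlock and KDE; the screen-locker and desktop domains, or at least the unprivileged-user template, look like the narrower scope, though the callers are outside the hunk. `connected_socket_perms` on `netlink_kobject_uevent_socket` grants no `create`, so it only helps with an inherited socket; worth confirming that is what KDE actually does.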
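Review bot: `init_get_system_status($1_t)` and the `apt_read_cache`/`apt_read_db` optional block are added to `userdom_base_user_template` for every user domain, but the comment only names kdeinit and apt is Debian-specific; unless all user domains need them, the unprivileged-user template or the desktop policy is the better home, and the apt block should get its own `# for <reason>` comment. userdom_base_user_template continues outside the hunk.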
> @@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > +######################################## > +## > +## Allow domain to send sigchld to xdm_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xdm_sigchld',` > + gen_require(` > + type xdm_t; > + ') > + > + allow $1 xdm_t:process sigchld; > +') > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy