From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 19 Apr 2017 15:22:48 +0200 Subject: [refpolicy] [PATCH] second strict patch In-Reply-To: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au> References: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au> Message-ID: <1492608168.4994.11.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 19/04/2017 at 21.00 +1000, Russell Coker via refpolicy wrote: > This is the rest of my policy that was developed on "strict" > systems.??It also > has no inter-dependencies with other patches.??I included the > interface > xdm_sigchld() in this patch as well so it can be applied on it's own, > this > means that it conflicts with the login patch. > > Chris, maybe even if you don't apply this patch or the login patch in > the > near future you could add the xdm_sigchld() interface so that both > patches > can be complete and working and not conflict. > > Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if > +++ refpolicy-2.20170419/policy/modules/contrib/gnome.if > @@ -76,6 +76,8 @@ template(`gnome_role_template',` > ? > ? allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms > relabel_dir_perms }; > ? allow $3 { gconf_home_t gconf_tmp_t }:file { > manage_file_perms relabel_file_perms }; > + allow $3 gconfd_t:dbus send_msg; > + allow gconfd_t $3:dbus send_msg; > ? userdom_user_home_dir_filetrans($3, gconf_home_t, dir, > ".gconf") > ? userdom_user_home_dir_filetrans($3, gconf_home_t, dir, > ".gconfd") > ? > Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc > +++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc 
> @@ -324,6 +324,7 @@ ifdef(`distro_debian',` > ?/usr/lib/ConsoleKit/.* -- gen_context(system_u > :object_r:bin_t,s0) > ?/usr/lib/gdm3/.* -- gen_context(system_u:objec > t_r:bin_t,s0) > ?/usr/lib/udisks/.* -- gen_context(system_u:obj > ect_r:bin_t,s0) > +/usr/share/bug/.* -- gen_context(system_u:obje > ct_r:bin_t,s0) > ?') > ? > ?ifdef(`distro_gentoo', ` > Index: refpolicy-2.20170419/policy/modules/kernel/devices.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if > +++ refpolicy-2.20170419/policy/modules/kernel/devices.if > @@ -5249,3 +5249,22 @@ interface(`dev_unconfined',` > ? > ? typeattribute $1 devices_unconfined_type; > ?') > + > +######################################## > +## > +##??????Create subdir of /dev > +## > +## > +##?????? > +##??????Domain allowed access. > +##?????? > +## > +# > +interface(`dev_create_subdir',` > + gen_require(` > + type device_t; > + ') > + > + allow $1 device_t:dir { add_entry_dir_perms create }; > + allow $1 device_t:dir search_dir_perms; > +') > Index: refpolicy-2.20170419/policy/modules/kernel/files.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/kernel/files.if > +++ refpolicy-2.20170419/policy/modules/kernel/files.if > @@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file > ? > ?######################################## > ?## > +## Relabel files and dirs to etc_runtime_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`files_relabelto_etc_runtime',` > + gen_require(` > + type etc_runtime_t; > + ') > + > + allow $1 etc_runtime_t:file relabelto; > + allow $1 etc_runtime_t:dir relabelto; > +') > + > +######################################## > +## > ?## Create, etc runtime objects with an automatic > ?## type transition. > ?## 
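Review bot: dev_create_subdir duplicates dev_create_generic_dirs, the existing devices.if interface that init.te already calls on init_t (visible as context in the @@ -257 hunk of this patch) and whose create_dirs_pattern body expands to the same device_t:dir permissions; the new `dev_create_subdir(initrc_t)` call in the @@ -491 hunk could use that instead and this interface be dropped. If a separate interface is kept, the second rule `allow $1 device_t:dir search_dir_perms;` is redundant because add_entry_dir_perms already contains getattr and search. The summary should also state that, with no type transition in play, the created directory keeps the device_t label of /dev, so a caller that needs a private type must pair this with its own filetrans.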
> @@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',` > ?') > ? > ?######################################## > +## > +## Create a /var/run directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_create_pid_dir',` > + gen_require(` > + type var_run_t; > + ') > + > + allow $1 var_run_t:dir create_dir_perms; > +') > + > +######################################## > ?## > ?## Search the contents of runtime process > ?## ID directories (/var/run). > Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if > +++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if > @@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',` > ? > ?######################################## > ?## > +##?????Relabel pstore directories. > +## > +## > +##????? > +##?????Domain allowed access. > +##????? > +## > +# > +interface(`fs_relabel_pstore_dirs',` > + gen_require(` > + type pstore_t; > + ') > + > + relabel_dirs_pattern($1, pstore_t, pstore_t) > +') > + > +######################################## > +## > +##??????Get the attributes of a pstore filesystem. > +## > +## > +##?????? > +##??????Domain allowed access. > +##?????? > +## > +# > +interface(`ZZZfs_getattr_pstorefs',` The interface above has an odd name and however it is not being used anywhere, so you might probably need to remove it. > + gen_require(` > + type pstore_t; > + ') > + > +allow $1 pstore_t:filesystem getattr; > +') > + > +######################################## > +## > ?## Relabel cgroup directories. > ?## > ?## 
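Review bot: files_create_pid_dir grants only `create_dir_perms` on var_run_t:dir, i.e. getattr and create on the new directory, but making an entry under /var/run also needs add_name on the parent var_run_t directory, so a caller such as initrc_t in the @@ -442 hunk only succeeds if it obtains that elsewhere. The neighbouring files.if interfaces express this with the pattern macro, so `create_dirs_pattern($1, var_run_t, var_run_t)` would be the consistent one-line body. The name could also follow the plural of its sibling in this hunk header, `files_create_pid_dirs`, with the summary `Create directories in /var/run.`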
> @@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',` > ? > ?######################################## > ?## > +##?????Create cgroup lnk_files. > +## > +## > +##????? > +##?????Domain allowed access. > +##????? > +## > +# > +interface(`fs_create_cgroup_links',` > + gen_require(` > + type cgroup_t; > + ') > + > + create_lnk_files_pattern($1, cgroup_t, cgroup_t) > + rw_lnk_files_pattern($1, cgroup_t, cgroup_t) > + dev_search_sysfs($1) > +') > + > +######################################## > +## > ?## Write cgroup files. > ?## > ?## > @@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', ` > ?interface(`fs_rw_cgroup_files',` > ? gen_require(` > ? type cgroup_t; > - > ? ') > ? > ? rw_files_pattern($1, cgroup_t, cgroup_t) > @@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',` > ?') > ? > ?######################################## > +## > +## Relabelfrom tmpfs link files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fs_relabelfrom_tmpfs_symlinks',` > + gen_require(` > + type tmpfs_t; > + ') > + > + allow $1 tmpfs_t:lnk_file { getattr relabelfrom }; > +') > + > +######################################## > ?## > ?## Read and write character nodes on tmpfs filesystems. > ?## > Index: refpolicy-2.20170419/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20170419/policy/modules/services/ssh.if > @@ -353,6 +353,8 @@ template(`ssh_role_template',` > ? allow $1_ssh_agent_t self:process { setrlimit signal }; > ? allow $1_ssh_agent_t self:capability setgid; > ? > + allow $1_ssh_agent_t self:fifo_file rw_file_perms; > + > ? allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; > ? > ? allow $1_ssh_agent_t self:unix_stream_socket { > create_stream_socket_perms connectto }; 
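Review bot: The summary "Create cgroup lnk_files" understates what fs_create_cgroup_links hands out: besides create_lnk_files_pattern the body also calls rw_lnk_files_pattern, so every caller gets read and write on all cgroup_t symlinks as well. Either move the rw_lnk_files_pattern line into its own interface, mirroring the fs_read_cgroup_files / fs_rw_cgroup_files split seen in this hunk, or change the summary to `Create, read and write cgroup symbolic links.` so the generated documentation matches the rules.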
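Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` in the ssh.if @@ -353 hunk applies the file-class permission set to the fifo_file class; refpolicy defines `rw_fifo_file_perms` for that class, and the template's other rules use class-specific sets (create_stream_socket_perms a few lines below), so this should read `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;`. A one-line comment on what ssh-agent uses its own pipe for would also help, since no other fifo rule for the agent is visible in the template.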
> @@ -436,6 +438,7 @@ template(`ssh_role_template',` > ? optional_policy(` > ? xserver_use_xdm_fds($1_ssh_agent_t) > ? xserver_rw_xdm_pipes($1_ssh_agent_t) > + xdm_sigchld($1_ssh_agent_t) > ? ') > ?') > ? > Index: refpolicy-2.20170419/policy/modules/system/fstools.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/fstools.if > +++ refpolicy-2.20170419/policy/modules/system/fstools.if > @@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',` > ? > ? allow $1 swapfile_t:file getattr; > ?') > + > +######################################## > +## > +## Write to fsadm_log_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fstools_write_log',` > + gen_require(` > + type fsadm_log_t; > + ') > + > + allow $1 fsadm_log_t:file write_file_perms; > +') > Index: refpolicy-2.20170419/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/init.if > +++ refpolicy-2.20170419/policy/modules/system/init.if > @@ -2966,6 +2966,7 @@ interface(`init_admin',` > ? init_reload($1) > ? init_reload_all_units($1) > ? init_shutdown_system($1) > + init_start_system($1) > ? init_start_all_units($1) > ? init_start_generic_units($1) > ? init_stop_all_units($1) > Index: refpolicy-2.20170419/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/init.te > +++ refpolicy-2.20170419/policy/modules/system/init.te 
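Review bot: fstools_write_log grants write_file_perms on fsadm_log_t:file but nothing on the enclosing log directory, so a caller that does not already search /var/log is denied before it reaches the file; log-writing interfaces elsewhere in refpolicy pair the file rule with `logging_search_logs($1)`, and that call belongs here too. The summary "Write to fsadm_log_t" names the type rather than the object; `Write to the filesystem tools log files.` reads better in the generated interface documentation. Whether `append_file_perms` would suffice instead of write (which permits truncation) depends on how logsave opens the file, which the init.te caller's "for logsave" comment does not say — worth confirming before granting the wider set.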
> @@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t) As already explained, we already tested an essential init daemon (sysvinit) in unconfined mode quite recently and we ended up with a very concise diff: http://oss.tresys.com/pipermail/refpolicy/2017-January/008969.html The daemon hasn't changed since, so I am pretty sure most, if not all, init_t permissions that you are adding here strictly refer to systemd: please enclose them into an init_systemd ifdef block. Thanks. > ?allow init_t initrc_t:unix_stream_socket connectto; > ? > ?# For /var/run/shutdown.pid. > +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; > ?allow init_t init_var_run_t:file manage_file_perms; > ?files_pid_filetrans(init_t, init_var_run_t, file) > ? > +# for /run/systemd/inaccessible/{chr,blk} > +allow init_t init_var_run_t:blk_file { create getattr }; > +allow init_t init_var_run_t:chr_file { create getattr }; > + > +# for /run/initctl > +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms; > + > +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; > + > ?# for systemd to manage service file symlinks > ?allow init_t init_var_run_t:file manage_lnk_file_perms; > ? > @@ -157,6 +167,7 @@ corecmd_exec_bin(init_t) > ?dev_read_sysfs(init_t) > ?# Early devtmpfs > ?dev_rw_generic_chr_files(init_t) > +dev_relabel_generic_symlinks(init_t) > ? > ?domain_getpgid_all_domains(init_t) > ?domain_kill_all_domains(init_t) > @@ -170,6 +181,9 @@ files_read_etc_files(init_t) > ?files_rw_generic_pids(init_t) > ?files_manage_etc_runtime_files(init_t) > ?files_etc_filetrans_etc_runtime(init_t, file) > +files_relabelto_etc_runtime(init_t) > +files_list_usr(init_t) > + > ?# Run /etc/X11/prefdm: > ?files_exec_etc_files(init_t) > ?# file descriptors inherited from the rootfs: 
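Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in this hunk — once under the "For /var/run/shutdown.pid." comment and again as a standalone rule just above "for systemd to manage service file symlinks". One of the two should go; the standalone one is the better place to keep, since the shutdown.pid comment describes a file rule, not symlinks. The pre-existing context line `allow init_t init_var_run_t:file manage_lnk_file_perms;` that follows applies a lnk_file permission set to the file class, and it looks like it was meant to be the rule this patch now adds — if so, the duplicate could replace it rather than sit next to it.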
> @@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t > ? > ?fs_getattr_xattr_fs(init_t) > ?fs_list_inotifyfs(init_t) > +fs_relabel_pstore_dirs(init_t) > ?# cjp: this may be related to /dev/log > ?fs_write_ramfs_sockets(init_t) > ? > @@ -225,6 +240,8 @@ ifdef(`init_systemd',` > ? allow init_t self:netlink_selinux_socket > create_socket_perms; > ? allow init_t self:unix_dgram_socket lock; > ? > + allow init_t init_var_run_t:sock_file > manage_sock_file_perms; > + > ? allow init_t daemon:unix_stream_socket > create_stream_socket_perms; > ? allow init_t daemon:unix_dgram_socket create_socket_perms; > ? allow init_t daemon:tcp_socket create_stream_socket_perms; > @@ -257,6 +274,7 @@ ifdef(`init_systemd',` > ? kernel_getattr_proc(init_t) > ? kernel_read_fs_sysctls(init_t) > ? > + auth_manage_var_auth(init_t) > ? dev_rw_autofs(init_t) > ? dev_create_generic_dirs(init_t) > ? dev_manage_input_dev(init_t) > @@ -318,10 +336,14 @@ ifdef(`init_systemd',` > ? seutil_read_file_contexts(init_t) > ? > ? systemd_manage_passwd_runtime_symlinks(init_t) > + systemd_use_passwd_agent(init_t) > ? > ? # udevd is a "systemd kobject uevent socket activated > daemon" > ? udev_create_kobject_uevent_sockets(init_t) > ? > + # for systemd to read udev status > + udev_read_pid_files(init_t) > + > ? optional_policy(` > ? clock_read_adjtime(init_t) > ? ') > @@ -350,11 +372,19 @@ ifdef(`init_systemd',` > ? ') > ?') > ? > +fs_relabelfrom_tmpfs_symlinks(init_t) > + > ?ifdef(`distro_debian',` > ? fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") > ? > ? allow init_t initrc_var_run_t:file manage_file_perms; > ? fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp") > + fs_manage_tmpfs_files(initrc_t) > + sysnet_manage_config(initrc_t) > + > + optional_policy(` > + postfix_read_config(initrc_t) > + ') > ?') > ? > ?ifdef(`distro_gentoo',` 
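Review bot: The distro_debian block in the @@ -350 hunk mixes initrc_t rules (fs_manage_tmpfs_files, sysnet_manage_config and the postfix_read_config optional block) into what is otherwise the init_t section of init.te, so a reader looking for initrc_t's Debian rules in the initrc_t section later in the file (outside this hunk) will not find them; refpolicy groups rules by source domain and these belong there. `fs_manage_tmpfs_files(initrc_t)` in particular gives init scripts create, write and unlink on every tmpfs_t file, not only the Debian /run cases the surrounding lines deal with; a comment naming the script that needs it (`# for <script name>`) would let a later reviewer narrow it. Likewise `fs_relabelfrom_tmpfs_symlinks(init_t)` is dropped between two ifdef blocks with no comment on which symlink init relabels.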
> @@ -370,6 +400,12 @@ ifdef(`distro_redhat',` > ?') > ? > ?optional_policy(` > + modutils_read_module_config(init_t) > + modutils_read_module_deps(init_t) > + modutils_read_module_objects(init_t) > +') > + > +optional_policy(` > ? auth_rw_login_records(init_t) > ?') > ? > @@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_ > ?# Going to single user mode > ?init_telinit(initrc_t) > ? > +# for logsave in strict configuration > +fstools_write_log(initrc_t) > + > ?can_exec(initrc_t, init_script_file_type) > ? > ?create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile) > @@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init > ? > ?allow initrc_t initrc_var_run_t:file manage_file_perms; > ?files_pid_filetrans(initrc_t, initrc_var_run_t, file) > +files_create_pid_dir(initrc_t) > +files_setattr_pid_dirs(initrc_t) > ? > ?allow initrc_t daemon:process siginh; > ? > @@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t) > ?corenet_tcp_connect_all_ports(initrc_t) > ?corenet_sendrecv_all_client_packets(initrc_t) > ? > +dev_create_subdir(initrc_t) > ?dev_read_rand(initrc_t) > ?dev_read_urand(initrc_t) > ?dev_dontaudit_read_kmsg(initrc_t) 
> @@ -825,26 +867,33 @@ ifdef(`enabled_mls',` > ? ') > ?') > ? > +# for systemd > +kernel_load_module(init_t) > + > ?ifdef(`init_systemd',` > ? allow init_t self:system { status reboot halt reload }; > ? > ? allow init_t self:unix_dgram_socket { create_socket_perms > sendto }; > ? allow init_t self:process { setsockcreate setfscreate > setrlimit }; > - allow init_t self:process { getcap setcap }; > + allow init_t self:process { getcap setcap getsched setsched > }; > ? allow init_t self:unix_stream_socket { > create_stream_socket_perms connectto }; > ? allow init_t self:netlink_kobject_uevent_socket > create_socket_perms; > ? allow init_t self:netlink_audit_socket { nlmsg_relay > create_socket_perms }; > + allow init_t self:netlink_selinux_socket > create_socket_perms; > ? # Until systemd is fixed > ? allow daemon init_t:socket_class_set { getopt read getattr > ioctl setopt write }; > ? allow init_t self:udp_socket create_socket_perms; > ? allow init_t self:netlink_route_socket > create_netlink_socket_perms; > ? allow init_t initrc_t:unix_dgram_socket create_socket_perms; > - allow initrc_t init_t:system { status reboot halt reload }; > + allow initrc_t init_t:system { start status reboot halt > reload }; > ? allow init_t self:capability2 audit_read; > ? manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) > ? files_lock_filetrans(initrc_t, initrc_lock_t, file) > ? > ? manage_dirs_pattern(initrc_t, init_var_run_t, > init_var_run_t) > + allow initrc_t init_var_run_t:file create_file_perms; > + allow initrc_t init_var_run_t:lnk_file > create_lnk_file_perms; > + allow initrc_t init_var_run_t:service { start status }; > ? > ? manage_dirs_pattern(initrc_t, initrc_var_run_t, > initrc_var_run_t) > ? manage_chr_files_pattern(initrc_t, initrc_var_run_t, > initrc_var_run_t) 
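Review bot: `allow init_t self:netlink_selinux_socket create_socket_perms;` added in this hunk's init_systemd block is already granted by the identical rule visible as context in the earlier init_systemd block (the @@ -225 hunk of init.te), so this line is a duplicate and can be dropped. Separately, `kernel_load_module(init_t)` carries the comment "# for systemd" but is placed one line above the `ifdef(`init_systemd',` that follows; moving it inside that block keeps the comment and the conditional in agreement. The init_systemd block continues past the end of this hunk.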
> @@ -868,6 +917,7 @@ ifdef(`init_systemd',` > ? kernel_read_software_raid_state(init_t) > ? kernel_unmount_debugfs(init_t) > ? kernel_setsched(init_t) > + kernel_rw_unix_sysctls(init_t) > ? > ? auth_relabel_login_records(init_t) > ? auth_relabel_pam_console_data_dirs(init_t) > @@ -926,6 +976,7 @@ ifdef(`init_systemd',` > ? fs_list_auto_mountpoints(init_t) > ? fs_manage_cgroup_dirs(init_t) > ? fs_manage_cgroup_files(init_t) > + fs_create_cgroup_links(init_t) > ? fs_manage_hugetlbfs_dirs(init_t) > ? fs_manage_tmpfs_dirs(init_t) > ? fs_mount_all_fs(init_t) > Index: refpolicy-2.20170419/policy/modules/system/modutils.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/modutils.if > +++ refpolicy-2.20170419/policy/modules/system/modutils.if > @@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',` > ? > ?######################################## > ?## > +## Read the kernel modules. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`modutils_read_module_objects',` > + gen_require(` > + type modules_object_t; > + ') > + > + files_list_kernel_modules($1) > + allow $1 modules_object_t:file read_file_perms; > +') > + > +######################################## > +## > ?## Read the configuration options used when > ?## loading modules. > ?## > Index: refpolicy-2.20170419/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20170419/policy/modules/system/userdomain.if > @@ -67,6 +67,7 @@ template(`userdom_base_user_template',` > ? dontaudit $1_t user_tty_device_t:chr_file ioctl; > ? > ? kernel_read_kernel_sysctls($1_t) > + kernel_read_vm_sysctls($1_t) What is this for ? > ? kernel_dontaudit_list_unlabeled($1_t) > ? kernel_dontaudit_getattr_unlabeled_files($1_t) > ? kernel_dontaudit_getattr_unlabeled_symlinks($1_t) [...] Regards, Guido