From: russell@coker.com.au (Russell Coker) Date: Thu, 20 Apr 2017 12:33:21 +1000 Subject: [refpolicy] [PATCH] second strict patch take 2 Message-ID: <20170420023321.mi2ued4gvuipopkr@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Here's a new version of the second strict patch addressing some of the issues raised on the list. Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if +++ refpolicy-2.20170419/policy/modules/contrib/gnome.if @@ -76,6 +76,8 @@ template(`gnome_role_template',` allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; + allow $3 gconfd_t:dbus send_msg; + allow gconfd_t $3:dbus send_msg; userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc +++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc @@ -324,6 +324,7 @@ ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0) ') ifdef(`distro_gentoo', ` Index: refpolicy-2.20170419/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20170419/policy/modules/kernel/devices.if @@ -5249,3 +5249,22 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') + +######################################## +## +## Create subdir of /dev +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_create_subdir',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir { add_entry_dir_perms create }; + allow $1 device_t:dir search_dir_perms; +') Index: refpolicy-2.20170419/policy/modules/kernel/files.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/kernel/files.if +++ refpolicy-2.20170419/policy/modules/kernel/files.if @@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file ######################################## ## +## Relabel files and dirs to etc_runtime_t +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabelto_etc_runtime',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:file relabelto; + allow $1 etc_runtime_t:dir relabelto; +') + +######################################## +## ## Create, etc runtime objects with an automatic ## type transition. ## @@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',` ') ######################################## +## +## Create a /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_pid_dir',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir create_dir_perms; +') + +######################################## ## ## Search the contents of runtime process ## ID directories (/var/run). Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if +++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if @@ -769,6 +769,24 @@ interface(`fs_manage_cgroup_dirs',` ######################################## ## +## Relabel pstore directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_pstore_dirs',` + gen_require(` + type pstore_t; + ') + + relabel_dirs_pattern($1, pstore_t, pstore_t) +') + +######################################## +## ## Relabel cgroup directories. ## ## @@ -828,6 +846,26 @@ interface(`fs_read_cgroup_files',` ######################################## ## +## Create cgroup lnk_files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_cgroup_links',` + gen_require(` + type cgroup_t; + ') + + create_lnk_files_pattern($1, cgroup_t, cgroup_t) + rw_lnk_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + +######################################## +## ## Write cgroup files. ## ## @@ -858,7 +896,6 @@ interface(`fs_write_cgroup_files', ` interface(`fs_rw_cgroup_files',` gen_require(` type cgroup_t; - ') rw_files_pattern($1, cgroup_t, cgroup_t) @@ -4505,6 +4542,24 @@ interface(`fs_read_tmpfs_symlinks',` ') ######################################## +## +## Relabelfrom tmpfs link files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabelfrom_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:lnk_file { getattr relabelfrom }; +') + +######################################## ## ## Read and write character nodes on tmpfs filesystems. ## Index: refpolicy-2.20170419/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/services/ssh.if +++ refpolicy-2.20170419/policy/modules/services/ssh.if @@ -353,6 +353,8 @@ template(`ssh_role_template',` allow $1_ssh_agent_t self:process { setrlimit signal }; allow $1_ssh_agent_t self:capability setgid; + allow $1_ssh_agent_t self:fifo_file rw_file_perms; + allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -436,6 +438,7 @@ template(`ssh_role_template',` optional_policy(` xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) + xdm_sigchld($1_ssh_agent_t) ') ') Index: refpolicy-2.20170419/policy/modules/system/fstools.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/fstools.if +++ refpolicy-2.20170419/policy/modules/system/fstools.if @@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',` allow $1 swapfile_t:file getattr; ') + +######################################## +## +## Write to fsadm_log_t +## +## +## +## Domain allowed access. +## +## +# +interface(`fstools_write_log',` + gen_require(` + type fsadm_log_t; + ') + + allow $1 fsadm_log_t:file write_file_perms; +') Index: refpolicy-2.20170419/policy/modules/system/init.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/init.if +++ refpolicy-2.20170419/policy/modules/system/init.if @@ -2966,6 +2966,7 @@ interface(`init_admin',` init_reload($1) init_reload_all_units($1) init_shutdown_system($1) + init_start_system($1) init_start_all_units($1) init_start_generic_units($1) init_stop_all_units($1) Index: refpolicy-2.20170419/policy/modules/system/init.te =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/init.te +++ refpolicy-2.20170419/policy/modules/system/init.te @@ -135,9 +135,15 @@ can_exec(init_t, init_exec_t) allow init_t initrc_t:unix_stream_socket connectto; # For /var/run/shutdown.pid. +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; allow init_t init_var_run_t:file manage_file_perms; files_pid_filetrans(init_t, init_var_run_t, file) +# for /run/initctl +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms; + +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; + # for systemd to manage service file symlinks allow init_t init_var_run_t:file manage_lnk_file_perms; @@ -170,6 +176,8 @@ files_read_etc_files(init_t) files_rw_generic_pids(init_t) files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) +files_list_usr(init_t) + # Run /etc/X11/prefdm: files_exec_etc_files(init_t) # file descriptors inherited from the rootfs: @@ -214,6 +222,11 @@ ifdef(`init_systemd',` # handle instances where an old labeled init script is encountered. typeattribute init_t init_run_all_scripts_domain; + # for /run/systemd/inaccessible/{chr,blk} + allow init_t init_var_run_t:blk_file { create getattr }; + allow init_t init_var_run_t:chr_file { create getattr }; + + allow init_t systemprocess:process { dyntransition siginh }; allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; allow init_t systemprocess:unix_dgram_socket create_socket_perms; @@ -225,6 +238,8 @@ ifdef(`init_systemd',` allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; + allow init_t init_var_run_t:sock_file manage_sock_file_perms; + allow init_t daemon:unix_stream_socket create_stream_socket_perms; allow init_t daemon:unix_dgram_socket create_socket_perms; allow init_t daemon:tcp_socket create_stream_socket_perms; @@ -262,6 +277,7 @@ ifdef(`init_systemd',` dev_manage_input_dev(init_t) dev_relabel_all_dev_nodes(init_t) dev_relabel_all_sysfs(init_t) + dev_relabel_generic_symlinks(init_t) dev_read_urand(init_t) dev_write_kmsg(init_t) @@ -275,6 +291,7 @@ ifdef(`init_systemd',` files_mounton_root(init_t) files_search_pids(init_t) files_relabel_all_pids(init_t) + files_relabelto_etc_runtime(init_t) files_read_all_locks(init_t) files_search_kernel_modules(init_t) # for privatetmp functions @@ -290,6 +307,7 @@ ifdef(`init_systemd',` fs_getattr_tmpfs(init_t) fs_read_tmpfs_files(init_t) fs_read_cgroup_files(init_t) + fs_relabel_pstore_dirs(init_t) fs_dontaudit_getattr_xattr_fs(init_t) # for privatetmp functions fs_relabel_tmpfs_dirs(init_t) @@ -318,10 +336,14 @@ ifdef(`init_systemd',` seutil_read_file_contexts(init_t) systemd_manage_passwd_runtime_symlinks(init_t) + systemd_use_passwd_agent(init_t) # udevd is a "systemd kobject uevent socket activated daemon" udev_create_kobject_uevent_sockets(init_t) + # for systemd to read udev status + udev_read_pid_files(init_t) + optional_policy(` clock_read_adjtime(init_t) ') @@ -355,6 +377,12 @@ ifdef(`distro_debian',` allow init_t initrc_var_run_t:file manage_file_perms; fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp") + fs_manage_tmpfs_files(initrc_t) + sysnet_manage_config(initrc_t) + + optional_policy(` + postfix_read_config(initrc_t) + ') ') ifdef(`distro_gentoo',` @@ -370,6 +398,12 @@ ifdef(`distro_redhat',` ') optional_policy(` + modutils_read_module_config(init_t) + modutils_read_module_deps(init_t) + modutils_read_module_objects(init_t) +') + +optional_policy(` auth_rw_login_records(init_t) ') @@ -830,21 +864,25 @@ ifdef(`init_systemd',` allow init_t self:unix_dgram_socket { create_socket_perms sendto }; allow init_t self:process { setsockcreate setfscreate setrlimit }; - allow init_t self:process { getcap setcap }; + allow init_t self:process { getcap setcap getsched setsched }; allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow init_t self:netlink_kobject_uevent_socket create_socket_perms; allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; + allow init_t self:netlink_selinux_socket create_socket_perms; # Until systemd is fixed allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; allow init_t self:udp_socket create_socket_perms; allow init_t self:netlink_route_socket create_netlink_socket_perms; allow init_t initrc_t:unix_dgram_socket create_socket_perms; - allow initrc_t init_t:system { status reboot halt reload }; + allow initrc_t init_t:system { start status reboot halt reload }; allow init_t self:capability2 audit_read; manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) files_lock_filetrans(initrc_t, initrc_lock_t, file) manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t) + allow initrc_t init_var_run_t:file create_file_perms; + allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms; + allow initrc_t init_var_run_t:service { start status }; manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) @@ -861,6 +899,7 @@ ifdef(`init_systemd',` kernel_dgram_send(initrc_t) kernel_list_unlabeled(init_t) + kernel_load_module(init_t) kernel_read_network_state(init_t) kernel_rw_kernel_sysctl(init_t) kernel_rw_net_sysctls(init_t) @@ -868,7 +907,9 @@ ifdef(`init_systemd',` kernel_read_software_raid_state(init_t) kernel_unmount_debugfs(init_t) kernel_setsched(init_t) + kernel_rw_unix_sysctls(init_t) + auth_manage_var_auth(init_t) auth_relabel_login_records(init_t) auth_relabel_pam_console_data_dirs(init_t) @@ -880,6 +921,7 @@ ifdef(`init_systemd',` corecmd_bin_domtrans(init_t, initrc_t) corecmd_shell_domtrans(init_t, initrc_t) + dev_create_subdir(initrc_t) dev_write_kmsg(init_t) dev_write_urand(init_t) dev_rw_lvm_control(init_t) @@ -903,6 +945,7 @@ ifdef(`init_systemd',` files_create_all_pid_sockets(init_t) files_create_all_spool_sockets(init_t) files_create_lock_dirs(init_t) + files_create_pid_dir(initrc_t) files_delete_all_pids(init_t) files_delete_all_spool_sockets(init_t) files_exec_generic_pid_files(init_t) @@ -922,6 +965,7 @@ ifdef(`init_systemd',` files_setattr_pid_dirs(initrc_t) files_unmount_all_file_type_fs(init_t) + fs_create_cgroup_links(init_t) fs_getattr_all_fs(init_t) fs_list_auto_mountpoints(init_t) fs_manage_cgroup_dirs(init_t) @@ -930,9 +974,13 @@ ifdef(`init_systemd',` fs_manage_tmpfs_dirs(init_t) fs_mount_all_fs(init_t) fs_remount_all_fs(init_t) + fs_relabelfrom_tmpfs_symlinks(init_t) fs_unmount_all_fs(init_t) fs_search_cgroup_dirs(daemon) + # for logsave in strict configuration + fstools_write_log(initrc_t) + init_get_all_units_status(initrc_t) init_manage_var_lib_files(initrc_t) init_read_script_state(init_t) Index: refpolicy-2.20170419/policy/modules/system/modutils.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/modutils.if +++ refpolicy-2.20170419/policy/modules/system/modutils.if @@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',` ######################################## ## +## Read the kernel modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_read_module_objects',` + gen_require(` + type modules_object_t; + ') + + files_list_kernel_modules($1) + allow $1 modules_object_t:file read_file_perms; +') + +######################################## +## ## Read the configuration options used when ## loading modules. ## Index: refpolicy-2.20170419/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20170419/policy/modules/system/userdomain.if @@ -78,6 +78,12 @@ template(`userdom_base_user_template',` dev_dontaudit_getattr_all_blk_files($1_t) dev_dontaudit_getattr_all_chr_files($1_t) + # for X session unlock + allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; + + # for KDE + allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms; + # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_read_all_domains_state($1_t) @@ -108,6 +114,14 @@ template(`userdom_base_user_template',` sysnet_read_config($1_t) + # kdeinit wants systemd status + init_get_system_status($1_t) + + optional_policy(` + apt_read_cache($1_t) + apt_read_db($1_t) + ') + tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; Index: refpolicy-2.20170419/policy/support/file_patterns.spt =================================================================== --- refpolicy-2.20170419.orig/policy/support/file_patterns.spt +++ refpolicy-2.20170419/policy/support/file_patterns.spt @@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',` define(`create_chr_files_pattern',` allow $1 self:capability mknod; allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:chr_file create_chr_file_perms; + allow $1 $3:chr_file { create_chr_file_perms setattr }; ') define(`delete_chr_files_pattern',`