From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 14:26:57 +0200 (CEST) Subject: [refpolicy] [PATCH] second strict patch take 2 In-Reply-To: <20170420023321.mi2ued4gvuipopkr@athena.coker.com.au> References: <20170420023321.mi2ued4gvuipopkr@athena.coker.com.au> Message-ID: <1034371419.181844.1492691217821@pim.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello again.
> On the 20th of April 2017 at 4.33 Russell Coker via refpolicy wrote:
> > > Here's a new version of the second strict patch addressing some of the issues
> raised on the list.
> 
> Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if
> +++ refpolicy-2.20170419/policy/modules/contrib/gnome.if
> @@ -76,6 +76,8 @@ template(`gnome_role_template',`
> 
> allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
> allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
> + allow $3 gconfd_t:dbus send_msg;
> + allow gconfd_t $3:dbus send_msg;
As already explained the above two permissions have been already included with an appropriate gnome interface in a patch that specifically tackles dbus messaging. This patch has been posted before you posted this patch, here is the link to the latest version: http://oss.tresys.com/pipermail/refpolicy/2017-April/009318.html
> userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
> userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
> 
> Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
> @@ -324,6 +324,7 @@ ifdef(`distro_debian',`
> /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
> ')
> 
> ifdef(`distro_gentoo', `
> Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170419/policy/modules/kernel/devices.if
> @@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`
> 
> typeattribute $1 devices_unconfined_type;
> ')
> +
> +########################################
> +##
> +## Create subdir of /dev
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_create_subdir',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:dir { add_entry_dir_perms create };
> + allow $1 device_t:dir search_dir_perms;
> +')
> Index: refpolicy-2.20170419/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170419/policy/modules/kernel/files.if
> @@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file
> 
> ########################################
> ##
> +## Relabel files and dirs to etc_runtime_t
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`files_relabelto_etc_runtime',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:file relabelto;
> + allow $1 etc_runtime_t:dir relabelto;
> +')
> +
> +########################################
> +##
> ## Create, etc runtime objects with an automatic
> ## type transition.
> ##
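Review bot: `/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)` labels every file under that tree bin_t, not only the executable bug scripts; on Debian a package's entry there can be a directory that also holds plain-text files beside the script, and those would be labelled as executables too. If only the scripts are meant, a narrower pattern that matches just the executable entries keeps the labelling precise; if the whole tree is intended, a one-line comment above the entry saying so would settle it for the next reviewer.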
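Review bot: The second rule in `dev_create_subdir`, `allow $1 device_t:dir search_dir_perms;`, is redundant, because `add_entry_dir_perms` on the line above already contains the getattr, search and open permissions that make up `search_dir_perms`. The two rules can be collapsed into the conventional `create_dirs_pattern($1, device_t, device_t)`, which grants add_entry on the parent and `create_dir_perms` on the new directory; if devices.if already provides an interface with that grant, reusing it avoids a near-duplicate. The summary `Create subdir of /dev` should also note that, with no filetrans in the interface, the new directory will by default carry the device_t label of its parent.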
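Review bot: `files_relabelto_etc_runtime` grants only the relabelto half of a relabel, so a caller still needs relabelfrom on the object's current type before any relabel succeeds; the summary should state that, e.g. `Relabel files and directories to the etc_runtime_t type (relabelto only; the caller needs relabelfrom on the source type).` A comment at the caller added later in this patch (`files_relabelto_etc_runtime(init_t)`) naming which runtime file systemd relabels into etc_runtime_t would let a reviewer confirm that this narrower grant is sufficient rather than a full relabel interface.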
> @@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
> ')
> 
> ########################################
> +##
> +## Create a /var/run directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_create_pid_dir',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + allow $1 var_run_t:dir create_dir_perms;
> +')
> +
> +########################################
> ##
> ## Search the contents of runtime process
> ## ID directories (/var/run).
> Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
> @@ -769,6 +769,24 @@ interface(`fs_manage_cgroup_dirs',`
> 
> ########################################
> ##
> +## Relabel pstore directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_relabel_pstore_dirs',`
> + gen_require(`
> + type pstore_t;
> + ')
> +
> + relabel_dirs_pattern($1, pstore_t, pstore_t)
> +')
> +
> +########################################
> +##
> ## Relabel cgroup directories.
> ##
> ##
> @@ -828,6 +846,26 @@ interface(`fs_read_cgroup_files',`
> 
> ########################################
> ##
> +## Create cgroup lnk_files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_create_cgroup_links',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + create_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +##
> ## Write cgroup files.
> ##
> ##
> @@ -858,7 +896,6 @@ interface(`fs_write_cgroup_files', `
> interface(`fs_rw_cgroup_files',`
> gen_require(`
> type cgroup_t;
> -
> ')
> 
> rw_files_pattern($1, cgroup_t, cgroup_t)
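Review bot: `allow $1 var_run_t:dir create_dir_perms;` in `files_create_pid_dir` grants create and getattr on the new directory but nothing on the parent: making a subdirectory of /var/run also needs add_name (with search and write) on the var_run_t directory it is created in, so this interface only works for callers that already hold that from another rule. The conventional form `create_dirs_pattern($1, var_run_t, var_run_t)` grants both sides and keeps the interface self-contained for the initrc_t caller added later in this patch. The summary could also mention that, without a filetrans at the caller, the created directory inherits var_run_t.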
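Review bot: `fs_create_cgroup_links` grants more than its name says: besides `create_lnk_files_pattern` it adds `rw_lnk_files_pattern($1, cgroup_t, cgroup_t)`, so every caller also receives read and write on existing cgroup symlinks, plus `dev_search_sysfs($1)`. If the caller only needs creation, drop the rw line; if both are needed, change the summary `Create cgroup lnk_files.` to `Create, read and write cgroup symbolic links.` so the wider grant is visible to anyone calling it. The neighbouring cgroup interfaces shown in this hunk each grant one kind of access, which is the convention worth keeping.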
> @@ -4505,6 +4542,24 @@ interface(`fs_read_tmpfs_symlinks',`
> ')
> 
> ########################################
> +##
> +## Relabelfrom tmpfs link files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_relabelfrom_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
> +')
> +
> +########################################
> ##
> ## Read and write character nodes on tmpfs filesystems.
> ##
> Index: refpolicy-2.20170419/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20170419/policy/modules/services/ssh.if
> @@ -353,6 +353,8 @@ template(`ssh_role_template',`
> allow $1_ssh_agent_t self:process { setrlimit signal };
> allow $1_ssh_agent_t self:capability setgid;
> 
> + allow $1_ssh_agent_t self:fifo_file rw_file_perms;
> +
> allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
> 
> allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -436,6 +438,7 @@ template(`ssh_role_template',`
> optional_policy(`
> xserver_use_xdm_fds($1_ssh_agent_t)
> xserver_rw_xdm_pipes($1_ssh_agent_t)
> + xdm_sigchld($1_ssh_agent_t)
> ')
> ')
> 
> Index: refpolicy-2.20170419/policy/modules/system/fstools.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
> +++ refpolicy-2.20170419/policy/modules/system/fstools.if
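Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies the plain-file permission set to the fifo_file class; the set defined for that class is `rw_fifo_file_perms`, which the rest of the policy uses for pipes, so the line should read `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;`. A short comment on why the agent needs a pipe to itself would also help, since the surrounding lines in the hunk carry none. ssh_role_template begins before this hunk.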
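Review bot: `xdm_sigchld($1_ssh_agent_t)` is placed in an `optional_policy` block whose other two calls use the `xserver_` module prefix, and the commit does not say where an interface with an `xdm_` prefix is defined. If it belongs to the xserver module it should carry that module's prefix like the lines above it; if it comes from another pending patch, the description should name that patch so the dependency and build order are clear. The enclosing ssh_role_template starts outside this hunk.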
> @@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`
> 
> allow $1 swapfile_t:file getattr;
> ')
> +
> +########################################
> +##
> +## Write to fsadm_log_t
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fstools_write_log',`
> + gen_require(`
> + type fsadm_log_t;
> + ')
> +
> + allow $1 fsadm_log_t:file write_file_perms;
> +')
> Index: refpolicy-2.20170419/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170419/policy/modules/system/init.if
> @@ -2966,6 +2966,7 @@ interface(`init_admin',`
> init_reload($1)
> init_reload_all_units($1)
> init_shutdown_system($1)
> + init_start_system($1)
I have already mentioned this too. Please enclose systemd-related permissions in an appropriate ifdef (init_systemd) statement ! The above permission only applies to systemd.
> init_start_all_units($1)
> init_start_generic_units($1)
> init_stop_all_units($1)
> Index: refpolicy-2.20170419/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170419/policy/modules/system/init.te
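Review bot: `fstools_write_log` allows `write_file_perms` on fsadm_log_t files but nothing on the directory that holds them (presumably under the log tree), so a caller without search access there still cannot open the log; write interfaces for log types normally pair the file rule with `logging_search_logs($1)`. Adding that call, and replacing the type-name summary `Write to fsadm_log_t` with `Write to the filesystem administration tool log files.`, makes the interface usable on its own. The initrc_t caller added later in this patch may already have the search access, but the interface should not rely on it.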
> @@ -135,9 +135,15 @@ can_exec(init_t, init_exec_t)
> allow init_t initrc_t:unix_stream_socket connectto;
> 
> # For /var/run/shutdown.pid.
> +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
I have already mentioned this too. Please enclose systemd-related permissions in an appropriate ifdef (init_systemd) statement ! The above permission only applies to systemd.
> allow init_t init_var_run_t:file manage_file_perms;
> files_pid_filetrans(init_t, init_var_run_t, file)
> 
> +# for /run/initctl
> +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
> +
> +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
I have already mentioned this too. Please enclose systemd-related permissions in an appropriate ifdef (init_systemd) statement ! The above permission only applies to systemd.
> +
> # for systemd to manage service file symlinks
> allow init_t init_var_run_t:file manage_lnk_file_perms;
> 
> @@ -170,6 +176,8 @@ files_read_etc_files(init_t)
> files_rw_generic_pids(init_t)
> files_manage_etc_runtime_files(init_t)
> files_etc_filetrans_etc_runtime(init_t, file)
> +files_list_usr(init_t)
> +
I have already mentioned this too. Please enclose systemd-related permissions in an appropriate ifdef (init_systemd) statement ! The above permission only applies to systemd.
> # Run /etc/X11/prefdm:
> files_exec_etc_files(init_t)
> # file descriptors inherited from the rootfs:
> @@ -214,6 +222,11 @@ ifdef(`init_systemd',`
> # handle instances where an old labeled init script is encountered.
> typeattribute init_t init_run_all_scripts_domain;
> 
> + # for /run/systemd/inaccessible/{chr,blk}
> + allow init_t init_var_run_t:blk_file { create getattr };
> + allow init_t init_var_run_t:chr_file { create getattr };
> +
> +
> allow init_t systemprocess:process { dyntransition siginh };
> allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
> allow init_t systemprocess:unix_dgram_socket create_socket_perms;
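Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in this hunk, once under the `# For /var/run/shutdown.pid.` comment and again after the `/run/initctl` block; one copy is enough, and it should not sit under a comment that describes a pid file. The existing context line `allow init_t init_var_run_t:file manage_lnk_file_perms;`, commented as being for service file symlinks, looks like the rule the new lnk_file line was meant to correct (link permissions on the file class); if that is the intent, the patch should replace that line rather than leave all three in place.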
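Review bot: Two consecutive blank lines are added after the `/run/systemd/inaccessible/{chr,blk}` rules in the `@@ -214` hunk; a single blank line is the separator used throughout this block. Creating block and character nodes is also gated by the mknod capability — the `create_chr_files_pattern` at the end of this patch pairs chr_file create with `allow $1 self:capability mknod;` — and this hunk does not show init_t holding it; if it is not granted elsewhere in init.te, these two rules cannot take effect on their own and the hunk should add it.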
> @@ -225,6 +238,8 @@ ifdef(`init_systemd',`
> allow init_t self:netlink_selinux_socket create_socket_perms;
> allow init_t self:unix_dgram_socket lock;
> 
> + allow init_t init_var_run_t:sock_file manage_sock_file_perms;
> +
> allow init_t daemon:unix_stream_socket create_stream_socket_perms;
> allow init_t daemon:unix_dgram_socket create_socket_perms;
> allow init_t daemon:tcp_socket create_stream_socket_perms;
> @@ -262,6 +277,7 @@ ifdef(`init_systemd',`
> dev_manage_input_dev(init_t)
> dev_relabel_all_dev_nodes(init_t)
> dev_relabel_all_sysfs(init_t)
> + dev_relabel_generic_symlinks(init_t)
> dev_read_urand(init_t)
> dev_write_kmsg(init_t)
> 
> @@ -275,6 +291,7 @@ ifdef(`init_systemd',`
> files_mounton_root(init_t)
> files_search_pids(init_t)
> files_relabel_all_pids(init_t)
> + files_relabelto_etc_runtime(init_t)
> files_read_all_locks(init_t)
> files_search_kernel_modules(init_t)
> # for privatetmp functions
> @@ -290,6 +307,7 @@ ifdef(`init_systemd',`
> fs_getattr_tmpfs(init_t)
> fs_read_tmpfs_files(init_t)
> fs_read_cgroup_files(init_t)
> + fs_relabel_pstore_dirs(init_t)
> fs_dontaudit_getattr_xattr_fs(init_t)
> # for privatetmp functions
> fs_relabel_tmpfs_dirs(init_t)
> @@ -318,10 +336,14 @@ ifdef(`init_systemd',`
> seutil_read_file_contexts(init_t)
> 
> systemd_manage_passwd_runtime_symlinks(init_t)
> + systemd_use_passwd_agent(init_t)
> 
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
> 
> + # for systemd to read udev status
> + udev_read_pid_files(init_t)
> +
> optional_policy(`
> clock_read_adjtime(init_t)
> ')
> @@ -355,6 +377,12 @@ ifdef(`distro_debian',`
> 
> allow init_t initrc_var_run_t:file manage_file_perms;
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> + fs_manage_tmpfs_files(initrc_t)
> + sysnet_manage_config(initrc_t)
> +
> + optional_policy(`
> + postfix_read_config(initrc_t)
> + ')
> ')
> 
> ifdef(`distro_gentoo',`
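Review bot: `fs_manage_tmpfs_files(initrc_t)` and `sysnet_manage_config(initrc_t)` in the `@@ -355` Debian hunk are broad grants (every tmpfs_t file, and write access to the network configuration) added with no comment on which init script needs them, while the utmp rule two lines above documents its purpose. A comment per rule with the real script named, e.g. `# <script name> rewrites the network configuration at boot`, would justify the width; if only one file on tmpfs is written, a filetrans to a dedicated type, as done for utmp, is narrower than manage on all tmpfs files. The postfix call is fine inside optional_policy but deserves the same one-line reason.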
> @@ -370,6 +398,12 @@ ifdef(`distro_redhat',`
> ')
> 
> optional_policy(`
> + modutils_read_module_config(init_t)
> + modutils_read_module_deps(init_t)
> + modutils_read_module_objects(init_t)
> +')
> +
> +optional_policy(`
> auth_rw_login_records(init_t)
> ')
> 
> @@ -830,21 +864,25 @@ ifdef(`init_systemd',`
> 
> allow init_t self:unix_dgram_socket { create_socket_perms sendto };
> allow init_t self:process { setsockcreate setfscreate setrlimit };
> - allow init_t self:process { getcap setcap };
> + allow init_t self:process { getcap setcap getsched setsched };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> + allow init_t self:netlink_selinux_socket create_socket_perms;
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> allow init_t self:netlink_route_socket create_netlink_socket_perms;
> allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> - allow initrc_t init_t:system { status reboot halt reload };
> + allow initrc_t init_t:system { start status reboot halt reload };
> allow init_t self:capability2 audit_read;
> manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> files_lock_filetrans(initrc_t, initrc_lock_t, file)
> 
> manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
> + allow initrc_t init_var_run_t:file create_file_perms;
> + allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
> + allow initrc_t init_var_run_t:service { start status };
> 
> manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
> manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
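Review bot: The new `optional_policy` block granting `modutils_read_module_config`, `modutils_read_module_deps` and `modutils_read_module_objects` to init_t is unconditional, while the companion `kernel_load_module(init_t)` added later in this patch sits inside `ifdef(`init_systemd',`. Reading module objects and dependency files only serves an init that loads modules itself, so this block belongs under the same ifdef, or the description should state which non-systemd init needs it.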
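Review bot: `allow init_t self:netlink_selinux_socket create_socket_perms;` added in the `@@ -830` hunk duplicates the same rule that appears as context in the earlier `@@ -225` init_systemd hunk, both under `ifdef(`init_systemd',`; the duplicate compiles but should be dropped. Separately, `allow initrc_t init_var_run_t:service { start status };` appears to let any init script start any unit whose file carries init_var_run_t, which is the widest new grant in the hunk; if only particular transient units are meant, the description should say which, and a comment above the line should record it.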
> @@ -861,6 +899,7 @@ ifdef(`init_systemd',`
> 
> kernel_dgram_send(initrc_t)
> kernel_list_unlabeled(init_t)
> + kernel_load_module(init_t)
> kernel_read_network_state(init_t)
> kernel_rw_kernel_sysctl(init_t)
> kernel_rw_net_sysctls(init_t)
> @@ -868,7 +907,9 @@ ifdef(`init_systemd',`
> kernel_read_software_raid_state(init_t)
> kernel_unmount_debugfs(init_t)
> kernel_setsched(init_t)
> + kernel_rw_unix_sysctls(init_t)
> 
> + auth_manage_var_auth(init_t)
> auth_relabel_login_records(init_t)
> auth_relabel_pam_console_data_dirs(init_t)
> 
> @@ -880,6 +921,7 @@ ifdef(`init_systemd',`
> corecmd_bin_domtrans(init_t, initrc_t)
> corecmd_shell_domtrans(init_t, initrc_t)
> 
> + dev_create_subdir(initrc_t)
> dev_write_kmsg(init_t)
> dev_write_urand(init_t)
> dev_rw_lvm_control(init_t)
> @@ -903,6 +945,7 @@ ifdef(`init_systemd',`
> files_create_all_pid_sockets(init_t)
> files_create_all_spool_sockets(init_t)
> files_create_lock_dirs(init_t)
> + files_create_pid_dir(initrc_t)
> files_delete_all_pids(init_t)
> files_delete_all_spool_sockets(init_t)
> files_exec_generic_pid_files(init_t)
> @@ -922,6 +965,7 @@ ifdef(`init_systemd',`
> files_setattr_pid_dirs(initrc_t)
> files_unmount_all_file_type_fs(init_t)
> 
> + fs_create_cgroup_links(init_t)
> fs_getattr_all_fs(init_t)
> fs_list_auto_mountpoints(init_t)
> fs_manage_cgroup_dirs(init_t)
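Review bot: `kernel_load_module(init_t)` in the `@@ -861` hunk and `auth_manage_var_auth(init_t)` in the `@@ -868` hunk are the two widest grants in this part of the patch and neither carries a comment, whereas the same block annotates comparable rules (`# for systemd to read udev status`). A one-line reason on each — the systemd feature that loads modules at boot, and the file under the auth state directory that is actually managed — would make them reviewable; without the second, it is hard to tell whether read access or a filetrans would do instead of manage.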
> @@ -930,9 +974,13 @@ ifdef(`init_systemd',`
> fs_manage_tmpfs_dirs(init_t)
> fs_mount_all_fs(init_t)
> fs_remount_all_fs(init_t)
> + fs_relabelfrom_tmpfs_symlinks(init_t)
> fs_unmount_all_fs(init_t)
> fs_search_cgroup_dirs(daemon)
> 
> + # for logsave in strict configuration
> + fstools_write_log(initrc_t)
> +
> init_get_all_units_status(initrc_t)
> init_manage_var_lib_files(initrc_t)
> init_read_script_state(init_t)
> Index: refpolicy-2.20170419/policy/modules/system/modutils.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
> +++ refpolicy-2.20170419/policy/modules/system/modutils.if
> @@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
> 
> ########################################
> ##
> +## Read the kernel modules.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`modutils_read_module_objects',`
> + gen_require(`
> + type modules_object_t;
> + ')
> +
> + files_list_kernel_modules($1)
> + allow $1 modules_object_t:file read_file_perms;
> +')
> +
> +########################################
> +##
> ## Read the configuration options used when
> ## loading modules.
> ##
> Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170419/policy/modules/system/userdomain.if
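Review bot: `modutils_read_module_objects` requires `modules_object_t` inside modutils.if while calling `files_list_kernel_modules($1)`, which suggests the type is declared by the files module; refpolicy interfaces normally require only their own module's types, so the read rule belongs in files.if next to the list interface, and if files.if already provides a read interface for kernel modules this one duplicates it. If it stays here, `read_files_pattern($1, modules_object_t, modules_object_t)` is the conventional form for the bare `read_file_perms` line.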
> @@ -78,6 +78,12 @@ template(`userdom_base_user_template',`
> dev_dontaudit_getattr_all_blk_files($1_t)
> dev_dontaudit_getattr_all_chr_files($1_t)
> 
> + # for X session unlock
> + allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
> +
> + # for KDE
> + allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
> +
> # When the user domain runs ps, there will be a number of access
> # denials when ps tries to search /proc. Do not audit these denials.
> domain_dontaudit_read_all_domains_state($1_t)
> @@ -108,6 +114,14 @@ template(`userdom_base_user_template',`
> 
> sysnet_read_config($1_t)
> 
> + # kdeinit wants systemd status
> + init_get_system_status($1_t)
> +
> + optional_policy(`
> + apt_read_cache($1_t)
> + apt_read_db($1_t)
> + ')
> +
> tunable_policy(`allow_execmem',`
> # Allow loading DSOs that require executable stack.
> allow $1_t self:process execmem;
> Index: refpolicy-2.20170419/policy/support/file_patterns.spt
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
> +++ refpolicy-2.20170419/policy/support/file_patterns.spt
> @@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
> define(`create_chr_files_pattern',`
> allow $1 self:capability mknod;
> allow $1 $2:dir add_entry_dir_perms;
> - allow $1 $3:chr_file create_chr_file_perms;
> + allow $1 $3:chr_file { create_chr_file_perms setattr };
> ')
> 
> define(`delete_chr_files_pattern',`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
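Review bot: The two new self rules in the `@@ -78` hunk are added to `userdom_base_user_template`, the template every user domain is built on, although their comments (`# for X session unlock`, `# for KDE`) describe graphical-session needs; `nlmsg_relay` on a netlink_audit_socket lets every such domain submit audit user messages, which non-graphical and restricted users do not need. Moving both rules to the X-window client template keeps the base template minimal; and if the unlock helper runs in its own domain, the audit rule belongs there rather than in any user template. The `init_get_system_status($1_t)` and apt rules in the `@@ -108` hunk raise the same placement question.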
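Review bot: Adding `setattr` to `create_chr_files_pattern` in the `@@ -489` hunk widens every existing caller of the macro across the policy, not only the domain this patch needs it for, and leaves the blk_file counterpart of the pattern with a different permission set than its sibling. If one domain needs setattr on the nodes it creates, an explicit `allow` at that caller is narrower; if the pattern change is intended, the description should say so and the blk_file variant should be changed in the same commit.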