From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 26 Apr 2017 06:43:46 -0400 Subject: [refpolicy] [PATCH v2] locallogin: fix the sulogin submodule (emergency shell!) In-Reply-To: <1493160602.4469.0.camel@trentalancia.net> References: <1492802281.4493.1.camel@trentalancia.net> <1493160602.4469.0.camel@trentalancia.net> Message-ID: <149b070a-56a6-507f-b417-2cfafa00c659@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/25/2017 06:50 PM, Guido Trentalancia via refpolicy wrote: > This patch fixes the policy for sulogin. It is very important > because without this patch, sulogin cannot work properly and > it should be considered that it is used as an emergency shell > when there are serious consistency errors in the system, so it > constitutes the only way to recover the system in such > circumstances. > > Nowadays, sulogin never uses PAM (at least not the official one > from util-linux), so obsolete, confusing and buggy policy has > been removed. > > Extensive testing carried out while creating this patch indicates > that there aren't other permissions needed to successfully run > sulogin. > > This second version should apply cleanly to the latest git tree. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/system/locallogin.te | 24 ++++++++++++++---------- > 1 file changed, 14 insertions(+), 10 deletions(-) > > --- a/policy/modules/system/locallogin.te 2017-04-13 22:04:35.111202539 +0200 > +++ b/policy/modules/system/locallogin.te 2017-04-26 00:44:23.028943625 +0200 > @@ -215,7 +215,8 @@ optional_policy(` > # Sulogin local policy > # > > -allow sulogin_t self:capability dac_override; > +allow sulogin_t self:capability { dac_override sys_admin sys_tty_config }; > +allow sulogin_t self:process setexec; > allow sulogin_t self:fd use; > allow sulogin_t self:fifo_file rw_fifo_file_perms; > allow sulogin_t self:unix_dgram_socket create_socket_perms; 
> @@ -228,6 +229,9 @@ allow sulogin_t self:msgq create_msgq_pe > allow sulogin_t self:msg { send receive }; > > kernel_read_system_state(sulogin_t) > +kernel_read_crypto_sysctls(sulogin_t) > +kernel_stream_connect(sulogin_t) > +kernel_use_fds(sulogin_t) > # because file systems are not mounted: > kernel_dontaudit_search_unlabeled(sulogin_t) > > @@ -238,10 +242,13 @@ files_read_etc_files(sulogin_t) > > auth_read_shadow(sulogin_t) > > +init_getpgid(sulogin_t) > init_getpgid_script(sulogin_t) > > logging_send_syslog_msg(sulogin_t) > > +miscfiles_read_localization(sulogin_t) > + > seutil_read_config(sulogin_t) > seutil_read_default_contexts(sulogin_t) > > @@ -252,15 +259,12 @@ userdom_use_user_ptys(sulogin_t) > > sysadm_shell_domtrans(sulogin_t) > > -# suse and debian do not use pam with sulogin... > -ifdef(`distro_suse', `define(`sulogin_no_pam')') > -ifdef(`distro_debian', `define(`sulogin_no_pam')') > - > -ifdef(`sulogin_no_pam', ` > - allow sulogin_t self:capability sys_tty_config; > - init_getpgid(sulogin_t) > -', ` > - allow sulogin_t self:process setexec; > +term_use_console(sulogin_t) > +term_use_unallocated_ttys(sulogin_t) > + > +# by default, sulogin does not use pam... > +# sulogin_pam might need to be defined otherwise > +ifdef(`sulogin_pam', ` > selinux_get_fs_mount(sulogin_t) > selinux_validate_context(sulogin_t) > selinux_compute_access_vector(sulogin_t) Merged, though I moved the terminal lines. -- Chris PeBenito
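Review bot: in the @@ -215,7 +215,8 @@ hunk, `sys_admin` is added to `allow sulogin_t self:capability` with no comment saying which sulogin operation needs it, and the commit message only says that testing found no further permissions were required. sys_admin is a broad capability for a domain that transitions to the sysadm shell, so a one-line comment naming the operation or the denial that prompted it would let a later reader judge whether it can be narrowed. The same hunk makes `allow sulogin_t self:process setexec;` unconditional, while the block removed in the last hunk granted it only in the branch taken when `sulogin_no_pam` was not defined; the commit message should state that the non-PAM sulogin needs setexec as well.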
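Review bot: in the @@ -228,6 +229,9 @@ hunk, `kernel_stream_connect(sulogin_t)` and `kernel_use_fds(sulogin_t)` are added without the kind of justification the following context line carries (`# because file systems are not mounted:`). Neither the hunk nor the commit message says what sulogin connects to or whose descriptors it inherits; a short comment above the three new kernel_ calls would document that.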
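Review bot: in the @@ -238,10 +242,13 @@ hunk, `init_getpgid(sulogin_t)` now sits directly above the existing `init_getpgid_script(sulogin_t)`, and the patch does not say whether the script variant is still exercised. The commit message reports testing for missing permissions only; if the same testing shows init_getpgid_script is unused, dropping it in this hunk would keep the rule set minimal.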
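Review bot: in the @@ -252,15 +259,12 @@ hunk, the new `sulogin_pam` guard depends on a macro that nothing in this patch defines, and the comment `# sulogin_pam might need to be defined otherwise` does not say where or by whom it should be set. Because the distro_suse and distro_debian defines of `sulogin_no_pam` are removed, the default flips: the selinux_get_fs_mount, selinux_validate_context and selinux_compute_access_vector block is now off unless a builder opts in. Suggest either stating in the comment where sulogin_pam is expected to be defined, or, since the commit message calls the PAM policy obsolete, removing the guarded block outright.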