From: krzysztof.a.nowicki@gmail.com (krzysztof.a.nowicki at gmail.com) Date: Sun, 14 May 2017 17:24:03 +0200 Subject: [refpolicy] [PATCH 4/4] Enable /etc directory protection using ProtectSystem In-Reply-To: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> Message-ID: <20170514152403.369-5-krzysztof.a.nowicki@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Krzysztof Nowicki Setting this service option to 'full' or 'strict' will also remount the /etc directory. Allow this in the policy. This fixes the systemd-networkd service, but will also positively affect any other service using the above hardening option. --- policy/modules/kernel/files.if | 19 +++++++++++++++++++ policy/modules/system/init.te | 1 + 2 files changed, 20 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 8a64031..ac5714f 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2851,6 +2851,25 @@ interface(`files_relabelto_etc_dirs',` ######################################## ## +## Mount a filesystem on the +## etc directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_etc_dirs',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir mounton; +') + +######################################## +## ## Read generic files in /etc. ## ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 061bb29..86795a2 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -291,6 +291,7 @@ ifdef(`init_systemd',` files_search_kernel_modules(init_t) # for privatetmp functions files_mounton_tmp(init_t) + files_mounton_etc_dirs(init_t) fs_relabel_cgroup_dirs(init_t) fs_rw_cgroup_files(init_t) -- 2.10.2
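Review bot: in the files.if hunk, the new files_mounton_etc_dirs interface is correctly scoped to `allow $1 etc_t:dir mounton;`, which is the single permission a remount of /etc needs and avoids granting the caller any read, write or relabel access to etc_t; the description block only says "Mount a filesystem on the etc directories", so consider noting in it that the intended caller is a service manager implementing ProtectSystem=full/strict, as the commit message explains, otherwise a later reader of the interface has no hint of why an init domain should be allowed to mount over /etc. Placement next to files_relabelto_etc_dirs and the "dirs" naming match the neighbouring etc_t interfaces, so no change needed there.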
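Review bot: in the init.te hunk, `files_mounton_etc_dirs(init_t)` is added directly under the `# for privatetmp functions` comment that belongs to `files_mounton_tmp(init_t)`, so it reads as if it were also part of PrivateTmp handling; suggest giving it its own one-line comment, for example `# for ProtectSystem=full/strict`, so the reason for letting init_t mount on etc_t is recorded in the policy the same way the tmp case is. The call sits inside the existing ifdef(`init_systemd') block, which is the right scope since only systemd performs these per-service remounts.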