From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 15 May 2017 18:42:45 -0400
Subject: [refpolicy] [PATCH 4/4] Enable /etc directory protection using ProtectSystem
In-Reply-To: <20170514152403.369-5-krzysztof.a.nowicki@gmail.com>
References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> <20170514152403.369-5-krzysztof.a.nowicki@gmail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/14/2017 11:24 AM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki
>
> Setting this service option to 'full' or 'strict' will also remount the
> /etc directory. Allow this in the policy.
>
> This fixes the systemd-networkd service, but will also positively affect
> any other service using the above hardening option.
> ---
> policy/modules/kernel/files.if | 19 +++++++++++++++++++
> policy/modules/system/init.te | 1 +
> 2 files changed, 20 insertions(+)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 8a64031..ac5714f 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -2851,6 +2851,25 @@ interface(`files_relabelto_etc_dirs',`
>
> ########################################
> ##
> +## Mount a filesystem on the
> +## etc directories.
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_mounton_etc_dirs',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:dir mounton;
> +')
> +
> +########################################
> +##
> ## Read generic files in /etc.
> ##
> ##
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 061bb29..86795a2 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -291,6 +291,7 @@ ifdef(`init_systemd',`
> files_search_kernel_modules(init_t)
> # for privatetmp functions
> files_mounton_tmp(init_t)
> + files_mounton_etc_dirs(init_t)
>
> fs_relabel_cgroup_dirs(init_t)
> fs_rw_cgroup_files(init_t)

Merged.

-- 
Chris PeBenito
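Review bot: In the files.if hunk, the summary for `files_mounton_etc_dirs` undersells the scope of the permission: `allow $1 etc_t:dir mounton;` lets the caller bind-mount over any directory labelled etc_t, not just /etc itself, and the "## Domain allowed access." parameter block is surrounded by empty `##` lines where the summary and param markup belongs. Suggest wording the summary as "Mount a filesystem on /etc and other etc_t directories" and checking that the interface's XML doc tags are intact so it appears in the generated interface documentation; since this permission shadows configuration, it should stay reserved for init-like domains rather than being handed to individual service domains.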
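Review bot: In the init.te hunk, `files_mounton_etc_dirs(init_t)` is dropped directly under the `# for privatetmp functions` comment next to `files_mounton_tmp(init_t)`, so the comment now mislabels the new rule. Give it its own comment, e.g. `# for ProtectSystem=full/strict`, so the next reader knows which unit option drives the /etc remount and why the grant sits on init_t (PID 1 performs the remount on the service's behalf) rather than on the service's own domain.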
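The commit message above explains the symptom (systemd remounting /etc under ProtectSystem=full/strict) but not how one gets from the denial to the interface call the patch adds. The following is an added example, not part of the patch or of the mailing-list thread: a small POSIX shell/awk function that turns raw AVC denials into the minimal `allow` rules they call for, the same reduction audit2allow performs. The audit lines it runs on are constructed for this example (the pid, comm, inode and timestamps are invented); the first rule it produces is exactly what `files_mounton_etc_dirs(init_t)` expands to.

```shell
#!/bin/sh
# Added example (not refpolicy code): reduce AVC denials to refpolicy allow rules.
# Assumptions: standard kernel/auditd AVC line format, and contexts laid out as
# user:role:type[:level], so the third colon-separated field is the type.

# Constructed sample of what the kernel logs when systemd (init_t) applies
# ProtectSystem=full/strict to a service and bind-mounts over /etc before
# the policy grants mounton on etc_t. The tmp_t line shows the already
# permitted PrivateTmp case for comparison; all specifics are made up.
SAMPLE_AVC='type=AVC msg=audit(1494774243.112:301): avc:  denied  { mounton } for  pid=1 comm="(networkd)" path="/etc" dev="sda1" ino=131073 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1494774243.113:302): avc:  denied  { mounton } for  pid=1 comm="(networkd)" path="/tmp" dev="sda1" ino=262145 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1494774243.112:301): arch=c000003e syscall=165 success=no exit=-13'

# avc_to_allow: read audit lines on stdin, print one deduplicated
# "allow SRC_TYPE TGT_TYPE:CLASS PERM;" line per distinct tuple, in input order.
# Non-AVC lines (SYSCALL, PATH, ...) are ignored.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # the denied permissions sit between the first "{" and "}"
        perm_start = index($0, "{"); perm_end = index($0, "}")
        perms = substr($0, perm_start + 1, perm_end - perm_start - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = $i
            else if ($i ~ /^tcontext=/) tgt = $i
            else if ($i ~ /^tclass=/) cls = $i
        }
        sub(/^scontext=/, "", src); sub(/^tcontext=/, "", tgt); sub(/^tclass=/, "", cls)
        split(src, s, ":"); split(tgt, t, ":")
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            rule = "allow " s[3] " " t[3] ":" cls " " p[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# Stand-alone run: first line is the rule files_mounton_etc_dirs(init_t)
# expands to, second is the existing files_mounton_tmp(init_t).
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

On a real system the input would come from `ausearch -m avc -ts recent`; the point of reducing denials this way is that the type pair and permission (`init_t`, `etc_t:dir mounton`) tell you which refpolicy module owns the target type (files.if for etc_t) and therefore where the interface belongs, rather than pasting the raw rule into a local module.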