From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 18:56:37 -0400
Subject: [refpolicy] [PATCH] bounds for tor, mysqld, and entropyd
In-Reply-To: <20170911062434.cj2qxhdrcelmnm63@xev>
References: <20170911062434.cj2qxhdrcelmnm63@xev>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/11/2017 02:24 AM, Russell Coker via refpolicy wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874201
>
> The following patch fixes 3 instances of the bounds issue as described in the
> above bug report. There will be more as more maintainers and upstream
> developers make use of systemd access control features.

NAK. This has already been fixed with the upcoming nnp_transition nosuid_transition permissions in refpolicy. I'm afraid distros will have to carry policy patches until they can roll out kernels that support these permissions.

https://marc.info/?l=selinux&m=150151037511601&w=2

> Index: refpolicy-2.20170907/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20170907.orig/policy/modules/system/init.te > +++ refpolicy-2.20170907/policy/modules/system/init.te > @@ -295,6 +295,7 @@ ifdef(`init_systemd',` > fs_manage_hugetlbfs_dirs(init_t) > fs_getattr_tmpfs(init_t) > fs_read_tmpfs_files(init_t) > + fs_read_tmpfs_symlinks(init_t) > fs_read_cgroup_files(init_t) > fs_relabel_pstore_dirs(init_t) > fs_dontaudit_getattr_xattr_fs(init_t) > Index: refpolicy-2.20170907/policy/modules/contrib/entropyd.te > =================================================================== > --- refpolicy-2.20170907.orig/policy/modules/contrib/entropyd.te > +++ refpolicy-2.20170907/policy/modules/contrib/entropyd.te > @@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t) > > fs_getattr_all_fs(entropyd_t) > fs_search_auto_mountpoints(entropyd_t) > +fs_search_tmpfs(entropyd_t) > > domain_use_interactive_fds(entropyd_t) 
> > @@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',` > dev_write_sound(entropyd_t) > ') > > +ifdef(`init_systemd',` > + init_bounded(entropyd_t, entropyd_exec_t) > +') > + > optional_policy(` > tunable_policy(`entropyd_use_audio',` > alsa_read_lib(entropyd_t) > Index: refpolicy-2.20170907/policy/modules/contrib/tor.te > =================================================================== > --- refpolicy-2.20170907.orig/policy/modules/contrib/tor.te > +++ refpolicy-2.20170907/policy/modules/contrib/tor.te > @@ -118,6 +118,10 @@ tunable_policy(`tor_bind_all_unreserved_ > corenet_tcp_bind_all_unreserved_ports(tor_t) > ') > > +ifdef(`init_systemd',` > + init_bounded(tor_t, tor_exec_t) > +') > + > optional_policy(` > seutil_sigchld_newrole(tor_t) > ') > Index: refpolicy-2.20170907/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20170907.orig/policy/modules/system/init.if > +++ refpolicy-2.20170907/policy/modules/system/init.if > @@ -314,6 +314,31 @@ interface(`init_ranged_daemon_domain',` > ') > ') > > +######################################## > +## > +## Make a domain be bounded by init_t > +## NB init_t needs to have all the permissions of the domain in question > +## > +## > +## > +## Bounded domain > +## > +## > +## > +## > +## Type of the program to be used as an entry point to this domain. > +## > +## > +# > +interface(`init_bounded',` > + gen_require(` > + type init_t; > + ') > + > + typebounds init_t $1; > + allow init_t $2:file entrypoint; > +') > + > ######################################### > ## > ## Abstract socket service activation (systemd). > Index: refpolicy-2.20170907/policy/modules/contrib/mysql.te > =================================================================== > --- refpolicy-2.20170907.orig/policy/modules/contrib/mysql.te > +++ refpolicy-2.20170907/policy/modules/contrib/mysql.te 
> @@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t) > > fs_getattr_all_fs(mysqld_t) > fs_search_auto_mountpoints(mysqld_t) > +fs_search_tmpfs(mysqld_t) > fs_rw_hugetlbfs_files(mysqld_t) > > files_read_etc_runtime_files(mysqld_t) > @@ -149,6 +150,10 @@ optional_policy(` > daemontools_service_domain(mysqld_t, mysqld_exec_t) > ') > > +ifdef(`init_systemd',` > + init_bounded(mysqld_t, mysqld_exec_t) > +') > + > optional_policy(` > seutil_sigchld_newrole(mysqld_t) > ')

--
Chris PeBenito
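
Review bot: In the init.te hunk (@@ -295,6 +295,7), fs_read_tmpfs_symlinks(init_t) widens init_t itself, and neither the subject line (bounds for tor, mysqld, and entropyd) nor the description says why init_t needs to read tmpfs symlinks. State in the commit message which of the bounded daemons makes this necessary, or split it into its own patch so the growth of init_t can be reviewed separately.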
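
Review bot: In entropyd.te at @@ -50,6 +50,7, fs_search_tmpfs(entropyd_t) is granted unconditionally, while the bounding it accompanies is wrapped in the init_systemd ifdef at @@ -65,6 +66,10. If the tmpfs search is only needed when systemd starts the daemon, move it into that ifdef block so non-systemd builds do not pick up the extra access; otherwise say in the description why it is needed everywhere. The fs_search_tmpfs(mysqld_t) line in mysql.te at @@ -125,6 +125,7 raises the same question.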
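
Review bot: In init.if (@@ -314,6 +314,31), the init_bounded interface declares "typebounds init_t $1;" but only grants init_t one matching permission, the entrypoint on $2, and leaves everything else to the "NB init_t needs to have all the permissions of the domain in question" line in the summary. Because a bounded type cannot hold more than its bounding type, any permission of tor_t, mysqld_t or entropyd_t that init_t lacks will not be effective, and every caller has to widen init_t to cover it. Expand the summary to say that the caller is responsible for granting init_t each permission the daemon needs, and that each call also lets init_t use the daemon's executable as an entry point, so that the cost to init_t is visible at the three call sites in tor.te, entropyd.te and mysql.te.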