From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 18:56:37 -0400
Subject: [refpolicy] [PATCH] bounds for tor, mysqld, and entropyd
In-Reply-To: <20170911062434.cj2qxhdrcelmnm63@xev>
References: <20170911062434.cj2qxhdrcelmnm63@xev>
Message-ID: <af0d0108-6435-128a-eaee-fc0c8866c291@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/11/2017 02:24 AM, Russell Coker via refpolicy wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874201
>
> The following patch fixes 3 instances of the bounds issue as described in the
> above bug report.  There will be more as more maintainers and upstream
> developers make use of systemd access control features.

NAK.  This has already been fixed with the upcoming nnp_transition
nosuid_transition permissions in refpolicy.  I'm afraid distros will
have to carry policy patches until they can roll out kernels that
support these permissions.

https://marc.info/?l=selinux&m=150151037511601&w=2


> Index: refpolicy-2.20170907/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170907/policy/modules/system/init.te
> @@ -295,6 +295,7 @@ ifdef(`init_systemd',`
>   fs_manage_hugetlbfs_dirs(init_t)
>   fs_getattr_tmpfs(init_t)
>   fs_read_tmpfs_files(init_t)
> + fs_read_tmpfs_symlinks(init_t)
>   fs_read_cgroup_files(init_t)
>   fs_relabel_pstore_dirs(init_t)
>   fs_dontaudit_getattr_xattr_fs(init_t)
> Index: refpolicy-2.20170907/policy/modules/contrib/entropyd.te
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/contrib/entropyd.te
> +++ refpolicy-2.20170907/policy/modules/contrib/entropyd.te
> @@ -50,6 +50,7 @@ files_read_usr_files(entropyd_t)
>  
>   fs_getattr_all_fs(entropyd_t)
>   fs_search_auto_mountpoints(entropyd_t)
> +fs_search_tmpfs(entropyd_t)
>  
>   domain_use_interactive_fds(entropyd_t)
>  
> @@ -65,6 +66,10 @@ tunable_policy(`entropyd_use_audio',`
>   dev_write_sound(entropyd_t)
>   ')
>  
> +ifdef(`init_systemd',`
> + init_bounded(entropyd_t, entropyd_exec_t)
> +')
> +
>   optional_policy(`
>   tunable_policy(`entropyd_use_audio',`
>   alsa_read_lib(entropyd_t)
> Index: refpolicy-2.20170907/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/contrib/tor.te
> +++ refpolicy-2.20170907/policy/modules/contrib/tor.te
> @@ -118,6 +118,10 @@ tunable_policy(`tor_bind_all_unreserved_
>   corenet_tcp_bind_all_unreserved_ports(tor_t)
>   ')
>  
> +ifdef(`init_systemd',`
> + init_bounded(tor_t, tor_exec_t)
> +')
> +
>   optional_policy(`
>   seutil_sigchld_newrole(tor_t)
>   ')
> Index: refpolicy-2.20170907/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170907/policy/modules/system/init.if
> @@ -314,6 +314,31 @@ interface(`init_ranged_daemon_domain',`
>   ')
>   ')
>  
> +########################################
> +## <summary>
> +##     Make a domain be bounded by init_t
> +##     NB init_t needs to have all the permissions of the domain in question
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Bounded domain
> +##     </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +#
> +interface(`init_bounded',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + typebounds init_t $1;
> + allow init_t $2:file entrypoint;
> +')
> +
>   #########################################
>   ## <summary>
>   ## Abstract socket service activation (systemd).
> Index: refpolicy-2.20170907/policy/modules/contrib/mysql.te
> ===================================================================
> --- refpolicy-2.20170907.orig/policy/modules/contrib/mysql.te
> +++ refpolicy-2.20170907/policy/modules/contrib/mysql.te
> @@ -125,6 +125,7 @@ domain_use_interactive_fds(mysqld_t)
>  
>   fs_getattr_all_fs(mysqld_t)
>   fs_search_auto_mountpoints(mysqld_t)
> +fs_search_tmpfs(mysqld_t)
>   fs_rw_hugetlbfs_files(mysqld_t)
>  
>   files_read_etc_runtime_files(mysqld_t)
> @@ -149,6 +150,10 @@ optional_policy(`
>   daemontools_service_domain(mysqld_t, mysqld_exec_t)
>   ')
>  
> +ifdef(`init_systemd',`
> + init_bounded(mysqld_t, mysqld_exec_t)
> +')
> +
>   optional_policy(`
>   seutil_sigchld_newrole(mysqld_t)
>   ')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito