From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 19:45:59 -0400
Subject: [refpolicy] [PATCH v2 2/2] init: allow systemd to relabel /dev and /run
In-Reply-To: <20170910182222.11150-2-nicolas.iooss@m4x.org>
References: <20170910182222.11150-1-nicolas.iooss@m4x.org> <20170910182222.11150-2-nicolas.iooss@m4x.org>
Message-ID: <97789c86-06e1-7c0f-226a-26e21cc1880a@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/10/2017 02:22 PM, Nicolas Iooss via refpolicy wrote:
> systemd relabels everything in /dev and /run after loading the policy.
> In these directories there is a socket file for udev, /run/udev/control,
> which is not allowed to be relabelled from tmpfs_t:
>
> avc: denied { relabelfrom } for pid=1 comm="systemd"
> name="control" dev="tmpfs" ino=7027
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t
> tclass=sock_file permissive=1
>
> avc: denied { relabelto } for pid=1 comm="systemd" name="control"
> dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
> permissive=1
>
> /run/tmpfiles.d directory (used by systemd-tmpfiles service) is also
> relabelled.
> ---
> policy/modules/kernel/filesystem.if | 18 +++++++++++++
> policy/modules/system/init.te | 6 +++++
> policy/modules/system/systemd.if | 54 +++++++++++++++++++++++++++++++++++++
> policy/modules/system/udev.if | 18 +++++++++++++
> 4 files changed, 96 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index c39ae0c4363a..e2e3a041d9a9 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -4553,6 +4553,24 @@ interface(`fs_read_tmpfs_symlinks',`
> read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
> ')
>
> +########################################
> +##
> +## Relabelfrom socket files on tmpfs filesystems.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_relabelfrom_tmpfs_sockets',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:sock_file relabelfrom_sock_file_perms;
> +')
> +
> ########################################
> ##
> ## Relabelfrom tmpfs link files.
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index c6d2304569c9..9bc5ee4b0858 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -301,6 +301,7 @@ ifdef(`init_systemd',`
> # for privatetmp functions
> fs_relabel_tmpfs_dirs(init_t)
> fs_relabel_tmpfs_files(init_t)
> + fs_relabelfrom_tmpfs_sockets(init_t)
> # mount-setup
> fs_unmount_autofs(init_t)
> fs_getattr_pstore_dirs(init_t)
> @@ -322,6 +323,9 @@ ifdef(`init_systemd',`
>
> systemd_manage_passwd_runtime_symlinks(init_t)
> systemd_use_passwd_agent(init_t)
> + systemd_list_tmpfiles_conf(init_t)
> + systemd_relabelto_tmpfiles_conf_dirs(init_t)
> + systemd_relabelto_tmpfiles_conf_files(init_t)
>
> term_create_devpts(init_t)
>
> @@ -331,6 +335,8 @@ ifdef(`init_systemd',`
> # for systemd to read udev status
> udev_read_pid_files(init_t)
>
> + udev_relabelto_db_sockets(init_t)
> +
> optional_policy(`
> clock_read_adjtime(init_t)
> ')
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index fa1c6568c0fe..766f33fb6cc9 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
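Review bot: The new `fs_relabelfrom_tmpfs_sockets` interface in filesystem.if is deliberately one-directional, unlike the neighbouring `fs_relabel_tmpfs_dirs`/`fs_relabel_tmpfs_files` callers in init.te that grant both relabelfrom and relabelto, and the description does not say so. A reader will otherwise assume a matching `fs_relabelto_tmpfs_sockets` is missing rather than intentionally withheld. I would extend the summary to `## Relabelfrom socket files on tmpfs filesystems. The relabelto permission on the destination type must be granted separately (e.g. udev_relabelto_db_sockets()).` so the least-privilege split is visible at the interface.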
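Review bot: In the init.te hunk at @@ -301, `fs_relabelfrom_tmpfs_sockets(init_t)` is added under the existing `# for privatetmp functions` comment, but the commit message ties it to relabelling `/run/udev/control` after policy load, so the comment now mislabels the grant. I would move the line next to `udev_relabelto_db_sockets(init_t)` in the hunk at @@ -331 and give that pair its own comment, `# relabel /run/udev/control from tmpfs_t to udev_var_run_t after policy load`, so the two halves of the relabel are read together. The `systemd_list_tmpfiles_conf(init_t)` line in the hunk at @@ -322 is not explained by the commit message either; if it is required so systemd can walk `/run/tmpfiles.d` before relabelling it, a short inline comment to that effect would help the next reviewer. All three hunks sit inside the `ifdef(`init_systemd',` block, whose start and end are outside the hunks.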
> @@ -463,6 +463,60 @@ interface(`systemd_tmpfiles_conf_filetrans',`
> filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
> ')
>
> +########################################
> +##
> +## Allow domain to list systemd tmpfiles config directory
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`systemd_list_tmpfiles_conf',`
> + gen_require(`
> + type systemd_tmpfiles_conf_t;
> + ')
> +
> + allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
> +')
> +
> +########################################
> +##
> +## Allow domain to relabel to systemd tmpfiles config directory
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`systemd_relabelto_tmpfiles_conf_dirs',`
> + gen_require(`
> + type systemd_tmpfiles_conf_t;
> + ')
> +
> + allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
> +')
> +
> +########################################
> +##
> +## Allow domain to relabel to systemd tmpfiles config files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`systemd_relabelto_tmpfiles_conf_files',`
> + gen_require(`
> + attribute systemd_tmpfiles_conf_type;
> + ')
> +
> + allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
> +')
> +
> #######################################
> ##
> ## Allow systemd_tmpfiles_t to manage filesystem objects
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 9d5473e063e3..a2067895b6c4 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
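Review bot: The three new interfaces are inconsistent about what they cover: `systemd_relabelto_tmpfiles_conf_files` grants on the `systemd_tmpfiles_conf_type` attribute, while `systemd_list_tmpfiles_conf` and `systemd_relabelto_tmpfiles_conf_dirs` grant only on the single type `systemd_tmpfiles_conf_t`. The attribute's definition is outside this hunk, so I cannot tell whether other types carrying it can label directories; if they can, the dir interfaces will leave those directories unrelabelled at boot, and if they cannot, the asymmetry deserves a one-line comment so nobody "fixes" it later. I would either switch the dir interfaces to the attribute as well, or add `## Directories are only ever labelled systemd_tmpfiles_conf_t; per-application types carry only files.` to their descriptions, whichever matches the attribute's actual use.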
> @@ -261,6 +261,24 @@ interface(`udev_relabelto_db',`
> allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
> ')
>
> +########################################
> +##
> +## Allow process to relabelto sockets in /run/udev
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`udev_relabelto_db_sockets',`
> + gen_require(`
> + type udev_var_run_t;
> + ')
> +
> + allow $1 udev_var_run_t:sock_file relabelto_sock_file_perms;
> +')
> +
> ########################################
> ##
> ## Search through udev pid content
Merged.
-- 
Chris PeBenito
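Review bot: The description of `udev_relabelto_db_sockets` does not say that this grant is only half of a relabel: the existing `udev_relabelto_db` just above it (its body is partly outside the hunk, the visible context grants lnk_file relabelto) follows the same pattern, and a caller that takes only this interface will still hit a relabelfrom denial on the socket's current type. I would add to the summary `## Callers also need relabelfrom on the socket's current type, e.g. fs_relabelfrom_tmpfs_sockets() for /run/udev/control on tmpfs.` so the pairing that the init.te hunks rely on is documented where the next caller will look.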