2011-02-16 06:02:41

by Guido Trentalancia

Subject: [refpolicy] [PATCH 6/34]: patch to update mount permissions

This patch adds a new interface for mount. It then uses the new
interface and adds some permissions needed to use mount. It also
adds a conditional block for redhat systems that use a mount script
called /sbin/mount.tmpfs. Finally the patch adds a permission
needed for example by ntfs-3g (storage_rw_fuse).

diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/kernel/corecommands.if refpolicy-git-15022011-new-modified/policy/modules/kernel/corecommands.if
--- refpolicy-git-15022011-new-before-modification/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/kernel/corecommands.if 2011-02-15 22:50:02.386800459 +0100
@@ -808,6 +808,25 @@ interface(`corecmd_check_exec_shell',`

########################################
## <summary>
+## Allow mmap_file_perms on a shell
+## executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_mmap_file_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ mmap_files_pattern($1, bin_t, shell_exec_t)
+')
+
+########################################
+## <summary>
## Execute shells in the caller domain.
## </summary>
## <desc>
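Review bot: the summary of the new corecmd_mmap_file_exec_shell interface ("Allow mmap_file_perms on a shell executable") names the permission set instead of describing the access being granted. mmap_files_pattern() grants the mmap_file_perms set, which in refpolicy includes execute on shell_exec_t, so the summary should say that the caller may read and map the shell executable with execute permission. It should also say why neither the neighbouring corecmd_check_exec_shell nor the "Execute shells in the caller domain" interface that follows fits the mount use case. Without that, callers cannot tell the three shell interfaces apart and are likely to pick the broadest one.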
diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.te refpolicy-git-15022011-new-modified/policy/modules/system/mount.te
--- refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/system/mount.te 2011-02-15 22:52:27.570043460 +0100
@@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };

+ifdef(`distro_redhat',`
+ # needed by /sbin/mount.tmpfs bash script
+ allow mount_t self:fifo_file rw_fifo_file_perms;
+')
+
allow mount_t mount_loopback_t:file read_file_perms;

allow mount_t mount_tmp_t:file manage_file_perms;
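Review bot: the comment on the new distro_redhat block ("needed by /sbin/mount.tmpfs bash script") names the script but not the operation that needs a pipe, and the rule grants rw_fifo_file_perms to every process in mount_t on Red Hat builds, not only to that script. Please record the denial that motivated it (which command in the script opens the fifo). If mount.te already carries a distro_redhat conditional elsewhere, add the rule there instead of opening a second block between the self:capability rule and the file rules.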
@@ -51,15 +56,23 @@ kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
+
# To load binfmt_misc kernel module
kernel_request_load_module(mount_t)

+kernel_setsched(mount_t)
+
# required for mount.smbfs
corecmd_exec_bin(mount_t)

+# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
+# from initscripts
+corecmd_mmap_file_exec_shell(mount_t)
+
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_read_sysfs(mount_t)
+dev_read_usbfs(mount_t)
dev_dontaudit_write_sysfs_dirs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
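Review bot: kernel_setsched(mount_t) and dev_read_usbfs(mount_t) are added in this hunk with no justification, while the calls around them each carry a comment saying which mount helper needs them. Please add a comment naming the caller and the denied access for both, or drop them if they were only seen in permissive mode. The comment above corecmd_mmap_file_exec_shell(mount_t) lists "nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2", which reads like a mount type list copied from the initscripts. It would be clearer to state which initscripts invocation leads mount_t to map the shell. The blank line inserted before "# To load binfmt_misc kernel module" is an unrelated whitespace change and should go in a separate cleanup.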
@@ -108,6 +121,8 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
+# needed for example by ntfs-3g
+storage_rw_fuse(mount_t)

term_use_all_terms(mount_t)

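Review bot: storage_rw_fuse(mount_t) is added unconditionally with the comment "needed for example by ntfs-3g", which does not say what else needs it or what is being accessed. mount_t already has raw read and write access to fixed and removable disks in the lines just above, so each further device grant to this domain deserves a precise reason. Please state that this is read/write access to the FUSE device for helpers that run in mount_t, and list the helpers you tested. A blank line between the storage_raw_* group and the new comment would keep the grouping readable.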


2011-02-19 05:08:06

by Guido Trentalancia

Subject: [refpolicy] [PATCH 6/34]: patch to update mount permissions

Hello!

A quick note about a minor issue with this patch.

Apparently, the mount.tmpfs script will be obsoleted with Fedora 15, so
the conditional block for that script on redhat systems will probably
be better removed (from the mount.te patch).

Regards,

Guido

On Wed, 16/02/2011 at 07.02 +0100, Guido Trentalancia wrote:
> This patch adds a new interface for mount. It then uses the new
> interface and adds some permissions needed to use mount. It also
> adds a conditional block for redhat systems that use a mount script
> called /sbin/mount.tmpfs. Finally the patch adds a permission
> needed for example by ntfs-3g (storage_rw_fuse).
>
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/kernel/corecommands.if refpolicy-git-15022011-new-modified/policy/modules/kernel/corecommands.if
> --- refpolicy-git-15022011-new-before-modification/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/kernel/corecommands.if 2011-02-15 22:50:02.386800459 +0100
> @@ -808,6 +808,25 @@ interface(`corecmd_check_exec_shell',`
>
> ########################################
> ## <summary>
> +## Allow mmap_file_perms on a shell
> +## executable.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`corecmd_mmap_file_exec_shell',`
> + gen_require(`
> + type bin_t, shell_exec_t;
> + ')
> +
> + mmap_files_pattern($1, bin_t, shell_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## Execute shells in the caller domain.
> ## </summary>
> ## <desc>
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.te refpolicy-git-15022011-new-modified/policy/modules/system/mount.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/system/mount.te 2011-02-15 22:52:27.570043460 +0100
> @@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m
> # setuid/setgid needed to mount cifs
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
>
> +ifdef(`distro_redhat',`
> + # needed by /sbin/mount.tmpfs bash script
> + allow mount_t self:fifo_file rw_fifo_file_perms;
> +')
> +
> allow mount_t mount_loopback_t:file read_file_perms;
>
> allow mount_t mount_tmp_t:file manage_file_perms;
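Review bot: the distro_redhat block is the only change in this quoted hunk, so following the note above about mount.tmpfs being obsoleted with Fedora 15 means dropping the whole "@@ -37,6 +37,11 @@" hunk from the resend, not just editing it. If older Red Hat releases that still ship the script are meant to stay supported, say so in the comment and keep the rule. Otherwise the self:fifo_file grant remains in mount_t with nothing left that uses it.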
> @@ -51,15 +56,23 @@ kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
> kernel_dontaudit_write_debugfs_dirs(mount_t)
> kernel_dontaudit_write_proc_dirs(mount_t)
> +
> # To load binfmt_misc kernel module
> kernel_request_load_module(mount_t)
>
> +kernel_setsched(mount_t)
> +
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)
>
> +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
> +# from initscripts
> +corecmd_mmap_file_exec_shell(mount_t)
> +
> dev_getattr_all_blk_files(mount_t)
> dev_list_all_dev_nodes(mount_t)
> dev_read_sysfs(mount_t)
> +dev_read_usbfs(mount_t)
> dev_dontaudit_write_sysfs_dirs(mount_t)
> dev_rw_lvm_control(mount_t)
> dev_dontaudit_getattr_all_chr_files(mount_t)
> @@ -108,6 +121,8 @@ storage_raw_read_fixed_disk(mount_t)
> storage_raw_write_fixed_disk(mount_t)
> storage_raw_read_removable_device(mount_t)
> storage_raw_write_removable_device(mount_t)
> +# needed for example by ntfs-3g
> +storage_rw_fuse(mount_t)
>
> term_use_all_terms(mount_t)
>
>
>