2017-04-17 11:54:53

by Russell Coker

Subject: [refpolicy] [PATCH] bootloader

This patch adds a lot of policy that is needed to set up an initramfs and grub
on Debian nowadays.

Also changed a comment about ia64 to correctly mention EFI.

--- refpolicy-2.20170417.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20170417/policy/modules/admin/bootloader.te
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
# bootloader local policy
#

-allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio };
+allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;

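Review bot: The new `setgid` capability in the `allow bootloader_t self:capability` rule carries no comment naming the tool that needs it, whereas the patch does annotate `kernel_request_load_module` with `# for grub-probe`; on a domain that already holds sys_admin and sys_rawio, each additional capability is a line a later auditor will want to be able to re-check. Suggest a comment above the rule such as `# setgid for <tool> (TODO: confirm which binary triggers it)`. The same missing-justification point applies to the uncommented `kernel_search_debugfs`, `kernel_setsched` and `storage_rw_fuse` additions in the hunk at `@@ -65,10 +66,17 @@` and to the fs_*_fusefs / fs_*_xattr_fs block in the hunk at `@@ -111,6 +120,16 @@`.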
@@ -56,6 +56,7 @@ manage_lnk_files_pattern(bootloader_t, b
manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
+allow bootloader_t bootloader_tmp_t:dir mounton;
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t, bootloader_tmp_t, file)

@@ -65,10 +66,17 @@ kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)

+# for grub-probe
+kernel_request_load_module(bootloader_t)
+
+kernel_search_debugfs(bootloader_t)
+kernel_setsched(bootloader_t)
+
storage_raw_read_fixed_disk(bootloader_t)
storage_raw_write_fixed_disk(bootloader_t)
storage_raw_read_removable_device(bootloader_t)
storage_raw_write_removable_device(bootloader_t)
+storage_rw_fuse(bootloader_t)

dev_getattr_all_chr_files(bootloader_t)
dev_getattr_all_blk_files(bootloader_t)
@@ -82,7 +90,7 @@ dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
-#Needed for ia64
+#Needed for EFI
fs_manage_dos_files(bootloader_t)

mls_file_read_all_levels(bootloader_t)
@@ -104,6 +112,7 @@ files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
files_read_kernel_modules(bootloader_t)
+files_search_mnt(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
@@ -111,6 +120,16 @@ files_manage_etc_runtime_files(bootloade
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)

+fs_mount_fusefs(bootloader_t)
+fs_mount_xattr_fs(bootloader_t)
+fs_mounton_fusefs(bootloader_t)
+fs_read_fusefs_symlinks(bootloader_t)
+fs_read_fusefs_files(bootloader_t)
+fs_stat_fusefs(bootloader_t)
+fs_unmount_fusefs(bootloader_t)
+fs_unmount_xattr_fs(bootloader_t)
+fstools_manage_run_files(bootloader_t)
+
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
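Review bot: `fs_mount_xattr_fs` and `fs_unmount_xattr_fs` are, if I read refpolicy's filesystem.if correctly, grants on `fs_t`, i.e. mount/unmount of any xattr-labelled persistent filesystem, which is far wider than the FUSE-specific interfaces surrounding them. If the requirement is only the FUSE mount used while generating the initramfs, the fusefs lines alone may be enough; if a particular other filesystem type must be mounted, a narrower `fs_mount_*` interface exists for most of them. At minimum a comment such as `# fs_t mount/unmount needed by <tool> -- TODO confirm` would record why the broad grant was accepted.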
@@ -123,11 +142,14 @@ logging_send_syslog_msg(bootloader_t)
logging_rw_generic_logs(bootloader_t)

miscfiles_read_localization(bootloader_t)
+mount_runtime_rw(bootloader_t)

seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)

+udev_read_pid_files(bootloader_t)
+
userdom_use_user_terminals(bootloader_t)
userdom_dontaudit_search_user_home_dirs(bootloader_t)

@@ -153,6 +175,7 @@ ifdef(`distro_debian',`
apt_read_cache(bootloader_t)

dpkg_read_db(bootloader_t)
+ dpkg_rw_pipes(bootloader_t)
')

ifdef(`distro_redhat',`
--- refpolicy-2.20170417.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170417/policy/modules/kernel/filesystem.if
@@ -1954,6 +1954,24 @@ interface(`fs_read_eventpollfs',`

########################################
## <summary>
+## stat a FUSE filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_stat_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Mount a FUSE filesystem.
## </summary>
## <param name="domain">
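Review bot: The summary of the new `fs_stat_fusefs` interface, `stat a FUSE filesystem`, does not follow the sentence style of its neighbour `Mount a FUSE filesystem.` (capitalised, with a period); suggest `## Get the attributes of a FUSE filesystem.`. The permission it grants, `fusefs_t:filesystem getattr`, is the same shape as what `fs_getattr_xattr_fs` and `fs_getattr_tmpfs` — both already called by bootloader.te in this patch — grant on their types, so the wording of those interfaces' summaries is the template to copy.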
--- refpolicy-2.20170417.orig/policy/modules/system/fstools.if
+++ refpolicy-2.20170417/policy/modules/system/fstools.if
@@ -172,3 +172,22 @@ interface(`fstools_getattr_swap_files',`

allow $1 swapfile_t:file getattr;
')
+
+########################################
+## <summary>
+## manage fsadm_run_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_manage_run_files',`
+ gen_require(`
+ type fsadm_run_t;
+ ')
+
+ allow $1 fsadm_run_t:dir rw_dir_perms;
+ allow $1 fsadm_run_t:file manage_file_perms;
+')
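Review bot: The two `allow` rules in `fstools_manage_run_files` (`fsadm_run_t:dir rw_dir_perms` plus `fsadm_run_t:file manage_file_perms`) are exactly what the `manage_files_pattern` support macro expands to, so refpolicy convention is to write `manage_files_pattern($1, fsadm_run_t, fsadm_run_t)` and let the permission set track the macro. The summary `manage fsadm_run_t files` should describe the access as a sentence, e.g. `## Create, read, write, and delete fstools runtime files.`. Since fsadm_run_t presumably lives under /run, the interface should probably also call `files_search_pids($1)`, as refpolicy's other runtime-file interfaces do; bootloader.te only has `files_dontaudit_search_pids(bootloader_t)`, which suggests the caller cannot currently traverse /run on its own, and the same applies to `mount_runtime_rw` in the mount.if hunk.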
--- refpolicy-2.20170417.orig/policy/modules/system/mount.if
+++ refpolicy-2.20170417/policy/modules/system/mount.if
@@ -209,3 +209,40 @@ interface(`mount_rw_loopback_files',`

allow $1 mount_loopback_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Getattr on mount_runtime_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`stat_mount_var_run',`
+ gen_require(`
+ type mount_runtime_t;
+ ')
+
+ allow $1 mount_runtime_t:file getattr;
+')
+
+########################################
+## <summary>
+## rw mount_runtime_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_runtime_rw',`
+ gen_require(`
+ type mount_runtime_t;
+ ')
+
+ allow $1 mount_runtime_t:dir search;
+ allow $1 mount_runtime_t:file rw_file_perms;
+')
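Review bot: `stat_mount_var_run` is added but nothing in this patch calls it, and it is the only new interface lacking its module's `mount_` prefix, so it would not be found by anyone searching for mount_* interfaces; unless another change needs it, drop it, or at least prefix it and name it after mount_runtime_t rather than var_run. In `mount_runtime_rw` the hand-written `dir search` / `file rw_file_perms` pair is what `rw_files_pattern($1, mount_runtime_t, mount_runtime_t)` provides (with search_dir_perms on the directory), which is the form refpolicy generally uses for file access in interfaces. Both summaries (`Getattr on mount_runtime_t`, `rw mount_runtime_t files`) should be sentences describing the access, e.g. `## Read and write mount runtime files.`.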


2017-04-19 00:57:32

by Chris PeBenito

Subject: [refpolicy] [PATCH] bootloader

On 04/17/2017 07:54 AM, Russell Coker via refpolicy wrote:
> This patch adds a lot of policy that is needed to setup an initramfs and grub
> on Debian nowadays.
>
> Also changed a comment about ia64 to correctly mention EFI.

Merged with line moving and renaming.


> --- refpolicy-2.20170417.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20170417/policy/modules/admin/bootloader.te
> @@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
> # bootloader local policy
> #
>
> -allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio };
> +allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
> allow bootloader_t self:process { signal_perms execmem };
> allow bootloader_t self:fifo_file rw_fifo_file_perms;
>
> @@ -56,6 +56,7 @@ manage_lnk_files_pattern(bootloader_t, b
> manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
> manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t)
> files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file })
> +allow bootloader_t bootloader_tmp_t:dir mounton;
> # for tune2fs (cjp: ?)
> files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
>
> @@ -65,10 +66,17 @@ kernel_read_system_state(bootloader_t)
> kernel_read_software_raid_state(bootloader_t)
> kernel_read_kernel_sysctls(bootloader_t)
>
> +# for grub-probe
> +kernel_request_load_module(bootloader_t)
> +
> +kernel_search_debugfs(bootloader_t)
> +kernel_setsched(bootloader_t)
> +
> storage_raw_read_fixed_disk(bootloader_t)
> storage_raw_write_fixed_disk(bootloader_t)
> storage_raw_read_removable_device(bootloader_t)
> storage_raw_write_removable_device(bootloader_t)
> +storage_rw_fuse(bootloader_t)
>
> dev_getattr_all_chr_files(bootloader_t)
> dev_getattr_all_blk_files(bootloader_t)
> @@ -82,7 +90,7 @@ dev_rw_nvram(bootloader_t)
> fs_getattr_xattr_fs(bootloader_t)
> fs_getattr_tmpfs(bootloader_t)
> fs_read_tmpfs_symlinks(bootloader_t)
> -#Needed for ia64
> +#Needed for EFI
> fs_manage_dos_files(bootloader_t)
>
> mls_file_read_all_levels(bootloader_t)
> @@ -104,6 +112,7 @@ files_read_usr_src_files(bootloader_t)
> files_read_usr_files(bootloader_t)
> files_read_var_files(bootloader_t)
> files_read_kernel_modules(bootloader_t)
> +files_search_mnt(bootloader_t)
> # for nscd
> files_dontaudit_search_pids(bootloader_t)
> # for blkid.tab
> @@ -111,6 +120,16 @@ files_manage_etc_runtime_files(bootloade
> files_etc_filetrans_etc_runtime(bootloader_t, file)
> files_dontaudit_search_home(bootloader_t)
>
> +fs_mount_fusefs(bootloader_t)
> +fs_mount_xattr_fs(bootloader_t)
> +fs_mounton_fusefs(bootloader_t)
> +fs_read_fusefs_symlinks(bootloader_t)
> +fs_read_fusefs_files(bootloader_t)
> +fs_stat_fusefs(bootloader_t)
> +fs_unmount_fusefs(bootloader_t)
> +fs_unmount_xattr_fs(bootloader_t)
> +fstools_manage_run_files(bootloader_t)
> +
> init_getattr_initctl(bootloader_t)
> init_use_script_ptys(bootloader_t)
> init_use_script_fds(bootloader_t)
> @@ -123,11 +142,14 @@ logging_send_syslog_msg(bootloader_t)
> logging_rw_generic_logs(bootloader_t)
>
> miscfiles_read_localization(bootloader_t)
> +mount_runtime_rw(bootloader_t)
>
> seutil_read_bin_policy(bootloader_t)
> seutil_read_loadpolicy(bootloader_t)
> seutil_dontaudit_search_config(bootloader_t)
>
> +udev_read_pid_files(bootloader_t)
> +
> userdom_use_user_terminals(bootloader_t)
> userdom_dontaudit_search_user_home_dirs(bootloader_t)
>
> @@ -153,6 +175,7 @@ ifdef(`distro_debian',`
> apt_read_cache(bootloader_t)
>
> dpkg_read_db(bootloader_t)
> + dpkg_rw_pipes(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> --- refpolicy-2.20170417.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170417/policy/modules/kernel/filesystem.if
> @@ -1954,6 +1954,24 @@ interface(`fs_read_eventpollfs',`
>
> ########################################
> ## <summary>
> +## stat a FUSE filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_stat_fusefs',`
> + gen_require(`
> + type fusefs_t;
> + ')
> +
> + allow $1 fusefs_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Mount a FUSE filesystem.
> ## </summary>
> ## <param name="domain">
> --- refpolicy-2.20170417.orig/policy/modules/system/fstools.if
> +++ refpolicy-2.20170417/policy/modules/system/fstools.if
> @@ -172,3 +172,22 @@ interface(`fstools_getattr_swap_files',`
>
> allow $1 swapfile_t:file getattr;
> ')
> +
> +########################################
> +## <summary>
> +## manage fsadm_run_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fstools_manage_run_files',`
> + gen_require(`
> + type fsadm_run_t;
> + ')
> +
> + allow $1 fsadm_run_t:dir rw_dir_perms;
> + allow $1 fsadm_run_t:file manage_file_perms;
> +')
> --- refpolicy-2.20170417.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20170417/policy/modules/system/mount.if
> @@ -209,3 +209,40 @@ interface(`mount_rw_loopback_files',`
>
> allow $1 mount_loopback_t:file rw_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Getattr on mount_runtime_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`stat_mount_var_run',`
> + gen_require(`
> + type mount_runtime_t;
> + ')
> +
> + allow $1 mount_runtime_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
> +## rw mount_runtime_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mount_runtime_rw',`
> + gen_require(`
> + type mount_runtime_t;
> + ')
> +
> + allow $1 mount_runtime_t:dir search;
> + allow $1 mount_runtime_t:file rw_file_perms;
> +')


--
Chris PeBenito