2017-04-17 12:13:54

by Russell Coker

Subject: [refpolicy] [PATCH] kmod, lvm, brctl patches

Patches for modutils, at least one of which is needed to generate an initramfs
on Debian.

Patch to allow lvm to read and write dpkg_script_t fifos, for postinst scripts
etc.

Patch for brctl to allow it to create sysfs files.

Index: refpolicy-2.20170417/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20170417/policy/modules/system/modutils.te
@@ -89,6 +89,7 @@ files_read_etc_runtime_files(kmod_t)
files_read_etc_files(kmod_t)
files_read_usr_files(kmod_t)
files_exec_etc_files(kmod_t)
+files_search_tmp(kmod_t)
# for nscd:
files_dontaudit_search_pids(kmod_t)
# to manage modules.dep
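Review bot: The unconditional `files_search_tmp(kmod_t)` added in this hunk duplicates the `files_search_tmp($1)` call that the new `dpkg_manage_script_tmp_files` interface (dpkg.if hunk) already performs, and the next hunk of this file calls that interface under optional_policy. If kmod only needs to search tmp for the dpkg case, this line is redundant and grants kmod_t tmp search even on builds without the dpkg module; if it is needed independently, a one-line comment above it naming the use case (`# for initramfs generation on Debian`, if that is the reason) would keep the next reviewer from dropping it as a duplicate.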
@@ -127,6 +128,10 @@ optional_policy(`
')

optional_policy(`
+ dpkg_manage_script_tmp_files(kmod_t)
+')
+
+optional_policy(`
firstboot_dontaudit_rw_pipes(kmod_t)
firstboot_dontaudit_rw_stream_sockets(kmod_t)
')
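Review bot: `dpkg_manage_script_tmp_files(kmod_t)` gives kmod_t the full manage_dir_perms/manage_file_perms sets on dpkg_script_tmp_t (see the interface body in the second dpkg.if hunk), i.e. create, rename, unlink and setattr as well as read and write, while the description only says this is needed to generate an initramfs. If the observed denial was for reading or writing an existing temporary file handed over by the postinst script, a narrower interface (rw on files plus dir search) would cover it with less exposure; if manage really is required, a comment above the call such as `# update-initramfs run from a dpkg postinst script` would record why. The same point applies to the interface definition in dpkg.if, so it is not repeated there.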
@@ -140,6 +145,10 @@ optional_policy(`
')

optional_policy(`
+ iptables_dontaudit_var_run(kmod_t)
+')
+
+optional_policy(`
mount_domtrans(kmod_t)
')

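Review bot: `iptables_dontaudit_var_run(kmod_t)` silences a read denial on iptables_var_run_t without saying where the access attempt comes from. If, as seems likely, kmod_t is executed by an iptables domain with a descriptor on a runtime file still open, the denial is an inherited descriptor rather than something kmod needs, and a comment such as `# fd inherited from iptables calling modprobe` above the call would document that the dontaudit hides a harmless denial rather than a missing permission. Please confirm against the audit log before merging the comment text.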
Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20170417/policy/modules/contrib/dpkg.if
@@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',`

########################################
## <summary>
+## access dpkg_script fifos
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_fifo',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
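Review bot: `allow $1 dpkg_script_t:fifo_file rw_file_perms;` applies the regular-file permission set to the fifo_file class; refpolicy provides `rw_fifo_file_perms` for this, so the line should read `allow $1 dpkg_script_t:fifo_file rw_fifo_file_perms;`. The summary also does not follow the sentence style of its neighbours in this file (compare `## Execute dpkg programs in the dpkg domain.`): `## Read and write dpkg script unnamed pipes.` and `## Domain allowed access.` with a trailing period. The `fd use` grant is what lets the caller keep using the descriptor it inherits, so a short comment above it (`# inherited from the calling dpkg script`) would make the pairing with the fifo rule clear.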
@@ -242,3 +261,23 @@ interface(`dpkg_lock_db',`
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## manage dpkg_script_tmp_t files and dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
+ allow $1 dpkg_script_tmp_t:file manage_file_perms;
+')
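Review bot: The body of `dpkg_manage_script_tmp_files` spells out the `allow $1 dpkg_script_tmp_t:dir manage_dir_perms;` / `:file manage_file_perms;` rules by hand, while the iptables.if hunk in this same patch uses `manage_files_pattern($1, iptables_conf_t, iptables_conf_t)`; for consistency with refpolicy style this should be `manage_dirs_pattern($1, dpkg_script_tmp_t, dpkg_script_tmp_t)` and `manage_files_pattern($1, dpkg_script_tmp_t, dpkg_script_tmp_t)`. The summary should be a sentence in the file's usual form, e.g. `## Create, read, write, and delete dpkg script temporary files and directories.` rather than `## manage dpkg_script_tmp_t files and dirs`.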
Index: refpolicy-2.20170417/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170417/policy/modules/system/lvm.te
@@ -342,6 +342,10 @@ optional_policy(`
')

optional_policy(`
+ dpkg_script_rw_fifo(lvm_t)
+')
+
+optional_policy(`
gpm_dontaudit_getattr_gpmctl(lvm_t)
')

Index: refpolicy-2.20170417/policy/modules/system/iptables.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/iptables.if
+++ refpolicy-2.20170417/policy/modules/system/iptables.if
@@ -165,6 +165,24 @@ interface(`iptables_manage_config',`
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')

+###################################
+## <summary>
+## dontaudit reading iptables_var_run_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`iptables_dontaudit_var_run',`
+ gen_require(`
+ type iptables_var_run_t;
+ ')
+
+ dontaudit $1 iptables_var_run_t:file read;
+')
+
########################################
## <summary>
## All of the rules required to
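Review bot: `dontaudit $1 iptables_var_run_t:file read;` only covers the read permission; if the audit record also shows open or getattr on the same file, those denials will keep appearing, in which case `dontaudit $1 iptables_var_run_t:file read_file_perms;` is the usual refpolicy form. The separator above the new interface is shorter than the file's standard 40-character `########################################` line used immediately below, and the summary should read `## Do not audit attempts to read iptables runtime files.` to match the surrounding interface documentation.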
Index: refpolicy-2.20170417/policy/modules/contrib/brctl.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/brctl.te
+++ refpolicy-2.20170417/policy/modules/contrib/brctl.te
@@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)

corenet_rw_tun_tap_dev(brctl_t)

+dev_create_sysfs_files(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)

Index: refpolicy-2.20170417/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170417/policy/modules/kernel/devices.if
@@ -4100,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',

########################################
## <summary>
+## Add a sysfs file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ create_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
## mounton sysfs directories.
## </summary>
## <param name="domain">
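Review bot: The summary `## Add a sysfs file` undersells what `create_files_pattern($1, sysfs_t, sysfs_t)` grants, which is directory search/add_entry plus the create_file_perms set on sysfs_t files rather than a single create; following the file's convention it should read `## Create sysfs files.`. Since userspace creating sysfs entries is unusual, the brctl.te hunk that calls this interface would also benefit from a one-line comment giving the reason, presumably that the kernel instantiates the new bridge's sysfs entries in brctl's context when the bridge is added — please confirm that against the audit log before wording the comment.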


2017-04-19 01:18:10

by Chris PeBenito

Subject: [refpolicy] [PATCH] kmod, lvm, brctl patches

On 04/17/2017 08:13 AM, Russell Coker via refpolicy wrote:
> Patches for modutils, at least one of which is needed to generate an initramfs
> on Debian.
>
> Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts
> etc.
>
> Patch for brctl to allow it to create sysfs files.

Merged with some renaming.


> Index: refpolicy-2.20170417/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20170417/policy/modules/system/modutils.te
> @@ -89,6 +89,7 @@ files_read_etc_runtime_files(kmod_t)
> files_read_etc_files(kmod_t)
> files_read_usr_files(kmod_t)
> files_exec_etc_files(kmod_t)
> +files_search_tmp(kmod_t)
> # for nscd:
> files_dontaudit_search_pids(kmod_t)
> # to manage modules.dep
> @@ -127,6 +128,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dpkg_manage_script_tmp_files(kmod_t)
> +')
> +
> +optional_policy(`
> firstboot_dontaudit_rw_pipes(kmod_t)
> firstboot_dontaudit_rw_stream_sockets(kmod_t)
> ')
> @@ -140,6 +145,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + iptables_dontaudit_var_run(kmod_t)
> +')
> +
> +optional_policy(`
> mount_domtrans(kmod_t)
> ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.if
> +++ refpolicy-2.20170417/policy/modules/contrib/dpkg.if
> @@ -62,6 +62,25 @@ interface(`dpkg_domtrans_script',`
>
> ########################################
> ## <summary>
> +## access dpkg_script fifos
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`dpkg_script_rw_fifo',`
> + gen_require(`
> + type dpkg_script_t;
> + ')
> +
> + allow $1 dpkg_script_t:fd use;
> + allow $1 dpkg_script_t:fifo_file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Execute dpkg programs in the dpkg domain.
> ## </summary>
> ## <param name="domain">
> @@ -242,3 +261,23 @@ interface(`dpkg_lock_db',`
> allow $1 dpkg_var_lib_t:dir list_dir_perms;
> allow $1 dpkg_lock_t:file manage_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## manage dpkg_script_tmp_t files and dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dpkg_manage_script_tmp_files',`
> + gen_require(`
> + type dpkg_script_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
> + allow $1 dpkg_script_tmp_t:file manage_file_perms;
> +')
> Index: refpolicy-2.20170417/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170417/policy/modules/system/lvm.te
> @@ -342,6 +342,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dpkg_script_rw_fifo(lvm_t)
> +')
> +
> +optional_policy(`
> gpm_dontaudit_getattr_gpmctl(lvm_t)
> ')
>
> Index: refpolicy-2.20170417/policy/modules/system/iptables.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/iptables.if
> +++ refpolicy-2.20170417/policy/modules/system/iptables.if
> @@ -165,6 +165,24 @@ interface(`iptables_manage_config',`
> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> ')
>
> +###################################
> +## <summary>
> +## dontaudit reading iptables_var_run_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit
> +## </summary>
> +## </param>
> +#
> +interface(`iptables_dontaudit_var_run',`
> + gen_require(`
> + type iptables_var_run_t;
> + ')
> +
> + dontaudit $1 iptables_var_run_t:file read;
> +')
> +
> ########################################
> ## <summary>
> ## All of the rules required to
> Index: refpolicy-2.20170417/policy/modules/contrib/brctl.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/brctl.te
> +++ refpolicy-2.20170417/policy/modules/contrib/brctl.te
> @@ -29,6 +29,7 @@ kernel_read_sysctl(brctl_t)
>
> corenet_rw_tun_tap_dev(brctl_t)
>
> +dev_create_sysfs_files(brctl_t)
> dev_rw_sysfs(brctl_t)
> dev_write_sysfs_dirs(brctl_t)
>
> Index: refpolicy-2.20170417/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170417/policy/modules/kernel/devices.if
> @@ -4100,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',
>
> ########################################
> ## <summary>
> +## Add a sysfs file
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_create_sysfs_files',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + create_files_pattern($1, sysfs_t, sysfs_t)
> +')
> +
> +########################################
> +## <summary>
> ## mounton sysfs directories.
> ## </summary>
> ## <param name="domain">


--
Chris PeBenito