2017-04-20 14:51:12

by Russell Coker

Subject: [refpolicy] [PATCH] second strict patch take 3

Changed some of the things that Guido didn't like.

Also removed a lot of duplicate rules from init.te.

As an aside we need to merge the 2 ifdef systemd_init sections. That will be
a separate patch.

Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
@@ -324,6 +324,7 @@ ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
')

ifdef(`distro_gentoo', `
Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170419/policy/modules/kernel/devices.if
@@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`

typeattribute $1 devices_unconfined_type;
')
+
+########################################
+## <summary>
+## Create subdir of /dev
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_create_subdir',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir { add_entry_dir_perms create };
+ allow $1 device_t:dir search_dir_perms;
+')
Index: refpolicy-2.20170419/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170419/policy/modules/kernel/files.if
@@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file

########################################
## <summary>
+## Relabel files and dirs to etc_runtime_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabelto_etc_runtime',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:file relabelto;
+ allow $1 etc_runtime_t:dir relabelto;
+')
+
+########################################
+## <summary>
## Create, etc runtime objects with an automatic
## type transition.
## </summary>
@@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
')

########################################
+## <summary>
+## Create a /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_pid_dir',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
+########################################
## <summary>
## Search the contents of runtime process
## ID directories (/var/run).
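Review bot: `allow $1 var_run_t:dir create_dir_perms;` in files_create_pid_dir covers only the new directory object; creating an entry in /var/run also needs add_name/write on the parent var_run_t directory, which the caller must already hold from elsewhere for the interface to work on its own. The idiomatic refpolicy form is `create_dirs_pattern($1, var_run_t, var_run_t)`, which grants both halves in one line. The summary would also be more accurate as `Create directories in /var/run.` since nothing restricts it to a single directory. If create_dir_perms is a larger set than getattr/create in this tree, the first point does not apply.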
Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
@@ -769,6 +769,24 @@ interface(`fs_manage_cgroup_dirs',`

########################################
## <summary>
+## Relabel pstore directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_pstore_dirs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ relabel_dirs_pattern($1, pstore_t, pstore_t)
+')
+
+########################################
+## <summary>
## Relabel cgroup directories.
## </summary>
## <param name="domain">
@@ -828,6 +846,26 @@ interface(`fs_read_cgroup_files',`

########################################
## <summary>
+## Create cgroup lnk_files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_create_cgroup_links',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ create_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Write cgroup files.
## </summary>
## <param name="domain">
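Review bot: The summary of fs_create_cgroup_links understates what the interface grants: besides create_lnk_files_pattern it also grants rw_lnk_files_pattern on cgroup_t and dev_search_sysfs, so a caller asking only to create links gets read/write on every existing cgroup symlink as well. Either the summary should say `Create, read and write cgroup symbolic links.` or the rw pattern should move to its own interface so that callers can take the narrower grant. The dev_search_sysfs call deserves a one-line comment noting that /sys/fs/cgroup sits under sysfs, since that is why a filesystem interface reaches into the devices module.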
@@ -858,7 +896,6 @@ interface(`fs_write_cgroup_files', `
interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;
-
')

rw_files_pattern($1, cgroup_t, cgroup_t)
@@ -4505,6 +4542,24 @@ interface(`fs_read_tmpfs_symlinks',`
')

########################################
+## <summary>
+## Relabelfrom tmpfs link files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
## <summary>
## Read and write character nodes on tmpfs filesystems.
## </summary>
Index: refpolicy-2.20170419/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20170419/policy/modules/services/ssh.if
@@ -353,6 +353,8 @@ template(`ssh_role_template',`
allow $1_ssh_agent_t self:process { setrlimit signal };
allow $1_ssh_agent_t self:capability setgid;

+ allow $1_ssh_agent_t self:fifo_file rw_file_perms;
+
allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;

allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
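Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies a file-class permission set to the fifo_file class; refpolicy has a class-specific set for this, and the line should read `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;`. Using the matching set keeps the rule consistent with the other self rules in the template and avoids carrying file-only permissions into the fifo class. ssh_role_template begins and ends outside the hunk.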
@@ -436,6 +438,7 @@ template(`ssh_role_template',`
optional_policy(`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
+ xdm_sigchld($1_ssh_agent_t)
')
')
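Review bot: `xdm_sigchld($1_ssh_agent_t)` does not carry the `xserver_` prefix used by the neighbouring calls and by refpolicy's module-naming convention, so unless a module named xdm exists in this tree the macro is undefined and the build fails on the unexpanded text. If the intended interface is the xserver module's sigchld-to-xdm interface, use that name here; otherwise one needs to be added to xserver.if alongside xserver_rw_xdm_pipes. ssh_role_template begins and ends outside the hunk.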

Index: refpolicy-2.20170419/policy/modules/system/fstools.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
+++ refpolicy-2.20170419/policy/modules/system/fstools.if
@@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`

allow $1 swapfile_t:file getattr;
')
+
+########################################
+## <summary>
+## Write to fsadm_log_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_write_log',`
+ gen_require(`
+ type fsadm_log_t;
+ ')
+
+ allow $1 fsadm_log_t:file write_file_perms;
+')
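Review bot: The summary `Write to fsadm_log_t` names the type rather than the object; refpolicy summaries describe the file, so `Write fsadm log files.` reads better. The only caller in this patch is commented "for logsave", and if logsave only appends to its output file then `allow $1 fsadm_log_t:file append_file_perms;` is the tighter grant; confirm before widening to write_file_perms. The interface also gives no search on the /var/log parent directory, which sibling log interfaces normally supply via `logging_search_logs($1)`, so a caller that does not already search /var/log will still be denied. fstools_getattr_swap_files above is untouched; the note concerns only the new interface.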
Index: refpolicy-2.20170419/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/init.if
+++ refpolicy-2.20170419/policy/modules/system/init.if
@@ -2966,6 +2966,7 @@ interface(`init_admin',`
init_reload($1)
init_reload_all_units($1)
init_shutdown_system($1)
+ init_start_system($1)
init_start_all_units($1)
init_start_generic_units($1)
init_stop_all_units($1)
Index: refpolicy-2.20170419/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/init.te
+++ refpolicy-2.20170419/policy/modules/system/init.te
@@ -138,6 +138,11 @@ allow init_t initrc_t:unix_stream_socket
allow init_t init_var_run_t:file manage_file_perms;
files_pid_filetrans(init_t, init_var_run_t, file)

+# for /run/initctl
+allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
+
+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
+
# for systemd to manage service file symlinks
allow init_t init_var_run_t:file manage_lnk_file_perms;

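Review bot: The new `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` makes the existing line two below it, `allow init_t init_var_run_t:file manage_lnk_file_perms;`, look like the mislabelled version of the same rule: it applies a lnk_file permission set to the file class under the comment "for systemd to manage service file symlinks". Since this commit adds the correctly classed rule, it should also drop that line (or move its comment onto the new rule) rather than leave a file-class rule that carries lnk_file permissions. The new lnk_file rule itself has no comment; `# for systemd to manage service file symlinks` belongs on it.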
@@ -170,6 +175,7 @@ files_read_etc_files(init_t)
files_rw_generic_pids(init_t)
files_manage_etc_runtime_files(init_t)
files_etc_filetrans_etc_runtime(init_t, file)
+
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
# file descriptors inherited from the rootfs:
@@ -214,6 +220,11 @@ ifdef(`init_systemd',`
# handle instances where an old labeled init script is encountered.
typeattribute init_t init_run_all_scripts_domain;

+ # for /run/systemd/inaccessible/{chr,blk}
+ allow init_t init_var_run_t:blk_file { create getattr };
+ allow init_t init_var_run_t:chr_file { create getattr };
+
+
allow init_t systemprocess:process { dyntransition siginh };
allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
allow init_t systemprocess:unix_dgram_socket create_socket_perms;
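Review bot: Two consecutive blank lines are added after the new chr_file rule; refpolicy separates rule groups with a single blank line, so one of them should be dropped. The enclosing `ifdef(`init_systemd'` block begins and ends outside the hunk.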
@@ -221,10 +232,10 @@ ifdef(`init_systemd',`
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
allow init_t self:capability2 { audit_read block_suspend };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow init_t self:netlink_route_socket create_netlink_socket_perms;
- allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;

+ allow init_t init_var_run_t:sock_file manage_sock_file_perms;
+
allow init_t daemon:unix_stream_socket create_stream_socket_perms;
allow init_t daemon:unix_dgram_socket create_socket_perms;
allow init_t daemon:tcp_socket create_stream_socket_perms;
@@ -257,13 +268,11 @@ ifdef(`init_systemd',`
kernel_getattr_proc(init_t)
kernel_read_fs_sysctls(init_t)

- dev_rw_autofs(init_t)
dev_create_generic_dirs(init_t)
dev_manage_input_dev(init_t)
- dev_relabel_all_dev_nodes(init_t)
dev_relabel_all_sysfs(init_t)
+ dev_relabel_generic_symlinks(init_t)
dev_read_urand(init_t)
- dev_write_kmsg(init_t)

domain_read_all_domains_state(init_t)

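Review bot: The removal of `dev_rw_autofs(init_t)` and `dev_relabel_all_dev_nodes(init_t)` has no visible counterpart elsewhere in this patch, unlike `dev_write_kmsg(init_t)`, which is clearly duplicated in the second init_systemd section; the same holds for files_relabel_all_lock_dirs, term_relabel_pty_dirs and seutil_read_file_contexts in the next two init_t hunks and for fs_manage_hugetlbfs_dirs, init_stop_all_units(initrc_t) and init_stream_connect(initrc_t) in the later hunk. The description presents all removals as duplicates; if some are instead being dropped as no longer needed, a line in the description saying which would let a reviewer check them against the other section, which is only partly in view here. The init_stop_all_units(initrc_t) removal in particular reads oddly next to the same patch adding `allow initrc_t init_var_run_t:service { start status };`. The enclosing `ifdef(`init_systemd'` block begins and ends outside the hunk.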
@@ -271,17 +280,15 @@ ifdef(`init_systemd',`
files_list_usr(init_t)
files_list_var(init_t)
files_list_var_lib(init_t)
- files_relabel_all_lock_dirs(init_t)
files_mounton_root(init_t)
files_search_pids(init_t)
files_relabel_all_pids(init_t)
+ files_relabelto_etc_runtime(init_t)
files_read_all_locks(init_t)
files_search_kernel_modules(init_t)
# for privatetmp functions
- files_manage_generic_tmp_dirs(init_t)
files_mounton_tmp(init_t)

- fs_manage_cgroup_dirs(init_t)
fs_relabel_cgroup_dirs(init_t)
fs_rw_cgroup_files(init_t)
fs_list_auto_mountpoints(init_t)
@@ -290,6 +297,7 @@ ifdef(`init_systemd',`
fs_getattr_tmpfs(init_t)
fs_read_tmpfs_files(init_t)
fs_read_cgroup_files(init_t)
+ fs_relabel_pstore_dirs(init_t)
fs_dontaudit_getattr_xattr_fs(init_t)
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
@@ -309,19 +317,19 @@ ifdef(`init_systemd',`
selinux_compute_create_context(init_t)
selinux_compute_access_vector(init_t)

- term_relabel_pty_dirs(init_t)
-
logging_manage_pid_sockets(init_t)
logging_send_audit_msgs(init_t)
logging_relabelto_devlog_sock_files(init_t)

- seutil_read_file_contexts(init_t)
-
systemd_manage_passwd_runtime_symlinks(init_t)
+ systemd_use_passwd_agent(init_t)

# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)

+ # for systemd to read udev status
+ udev_read_pid_files(init_t)
+
optional_policy(`
clock_read_adjtime(init_t)
')
@@ -331,7 +339,6 @@ ifdef(`init_systemd',`
')

optional_policy(`
- dbus_system_bus_client(init_t)
dbus_connect_system_bus(init_t)
')

@@ -355,6 +362,12 @@ ifdef(`distro_debian',`

allow init_t initrc_var_run_t:file manage_file_perms;
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+ fs_manage_tmpfs_files(initrc_t)
+ sysnet_manage_config(initrc_t)
+
+ optional_policy(`
+ postfix_read_config(initrc_t)
+ ')
')
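Review bot: `fs_manage_tmpfs_files(initrc_t)` and `sysnet_manage_config(initrc_t)` are broad grants (every tmpfs_t file, and the network configuration files) dropped into a distro_debian block whose neighbouring rules are for init_t, with no comment naming the init script that needs them. A comment such as `# for <script> to rewrite resolv.conf` (placeholder, name the actual script) would let the next maintainer judge whether a narrower interface suffices, and the initrc_t rules should be grouped apart from the init_t rules. The postfix_read_config block is fine as an optional_policy. The enclosing `ifdef(`distro_debian'` block begins outside the hunk.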

ifdef(`distro_gentoo',`
@@ -370,6 +383,12 @@ ifdef(`distro_redhat',`
')

optional_policy(`
+ modutils_read_module_config(init_t)
+ modutils_read_module_deps(init_t)
+ modutils_read_module_objects(init_t)
+')
+
+optional_policy(`
auth_rw_login_records(init_t)
')

@@ -521,7 +540,6 @@ domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
-domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -639,7 +657,6 @@ ifdef(`distro_debian',`
kernel_getattr_core_if(initrc_t)

dev_getattr_generic_blk_files(initrc_t)
- dev_setattr_generic_dirs(initrc_t)

fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)

@@ -670,7 +687,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
- dev_create_generic_dirs(initrc_t)
term_create_console_dev(initrc_t)

# unfortunately /sbin/rc does stupid tricks
@@ -693,8 +709,6 @@ ifdef(`distro_gentoo',`
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)

- logging_send_audit_msgs(initrc_t)
-
# for integrated run_init to read run_init_type.
# happens during boot (/sbin/rc execs init scripts)
seutil_read_default_contexts(initrc_t)
@@ -830,21 +844,24 @@ ifdef(`init_systemd',`

allow init_t self:unix_dgram_socket { create_socket_perms sendto };
allow init_t self:process { setsockcreate setfscreate setrlimit };
- allow init_t self:process { getcap setcap };
+ allow init_t self:process { getcap setcap getsched setsched };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+ allow init_t self:netlink_selinux_socket create_socket_perms;
# Until systemd is fixed
allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
allow init_t self:udp_socket create_socket_perms;
allow init_t self:netlink_route_socket create_netlink_socket_perms;
allow init_t initrc_t:unix_dgram_socket create_socket_perms;
- allow initrc_t init_t:system { status reboot halt reload };
+ allow initrc_t init_t:system { start status reboot halt reload };
allow init_t self:capability2 audit_read;
manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
files_lock_filetrans(initrc_t, initrc_lock_t, file)

manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
+ allow initrc_t init_var_run_t:file create_file_perms;
+ allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
+ allow initrc_t init_var_run_t:service { start status };

manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
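Review bot: `allow init_t self:process { getcap setcap getsched setsched };` adds getsched/setsched here while the first init_systemd section, visible as context earlier in this patch, already grants `getcap getsched setsched setpgid ...` on init_t self:process, so this hunk introduces a duplicate of exactly the kind the commit sets out to remove; keep the original `{ getcap setcap }`. The new `allow initrc_t init_var_run_t:service { start status };` and the added `start` in `allow initrc_t init_t:system { start status reboot halt reload };` hand init scripts the ability to start units and the system, which deserves a one-line comment naming the script or tool that needs it. The netlink_selinux_socket line is a move from the first section and is fine. The enclosing `ifdef(`init_systemd'` block begins and ends outside the hunk.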
@@ -861,14 +878,16 @@ ifdef(`init_systemd',`

kernel_dgram_send(initrc_t)
kernel_list_unlabeled(init_t)
- kernel_read_network_state(init_t)
+ kernel_load_module(init_t)
kernel_rw_kernel_sysctl(init_t)
kernel_rw_net_sysctls(init_t)
kernel_read_all_sysctls(init_t)
kernel_read_software_raid_state(init_t)
kernel_unmount_debugfs(init_t)
kernel_setsched(init_t)
+ kernel_rw_unix_sysctls(init_t)

+ auth_manage_var_auth(init_t)
auth_relabel_login_records(init_t)
auth_relabel_pam_console_data_dirs(init_t)

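Review bot: `kernel_load_module(init_t)` gives PID 1 the ability to load kernel modules, which is a much larger privilege than the `kernel_read_network_state(init_t)` it replaces on the same line, and it arrives with no comment; a line such as `# systemd autoloads modules it depends on at boot` (confirm which ones) should accompany it, and the removed read_network_state call should be confirmed as duplicated elsewhere since it is not visible in this patch. `auth_manage_var_auth(init_t)` is likewise broad and uncommented. The enclosing `ifdef(`init_systemd'` block begins and ends outside the hunk.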
@@ -876,10 +895,10 @@ ifdef(`init_systemd',`
# in the initrc_t domain, as would be
# done in traditional sysvinit/upstart.
corecmd_bin_entry_type(initrc_t)
- corecmd_shell_entry_type(initrc_t)
corecmd_bin_domtrans(init_t, initrc_t)
corecmd_shell_domtrans(init_t, initrc_t)

+ dev_create_subdir(initrc_t)
dev_write_kmsg(init_t)
dev_write_urand(init_t)
dev_rw_lvm_control(init_t)
@@ -903,13 +922,13 @@ ifdef(`init_systemd',`
files_create_all_pid_sockets(init_t)
files_create_all_spool_sockets(init_t)
files_create_lock_dirs(init_t)
+ files_create_pid_dir(initrc_t)
files_delete_all_pids(init_t)
files_delete_all_spool_sockets(init_t)
files_exec_generic_pid_files(init_t)
files_get_etc_unit_status(initrc_t)
files_list_locks(init_t)
files_list_spool(init_t)
- files_list_var(init_t)
files_manage_all_pid_dirs(init_t)
files_manage_generic_tmp_dirs(init_t)
files_manage_urandom_seed(init_t)
@@ -922,28 +941,28 @@ ifdef(`init_systemd',`
files_setattr_pid_dirs(initrc_t)
files_unmount_all_file_type_fs(init_t)

+ fs_create_cgroup_links(init_t)
fs_getattr_all_fs(init_t)
- fs_list_auto_mountpoints(init_t)
fs_manage_cgroup_dirs(init_t)
fs_manage_cgroup_files(init_t)
- fs_manage_hugetlbfs_dirs(init_t)
fs_manage_tmpfs_dirs(init_t)
fs_mount_all_fs(init_t)
fs_remount_all_fs(init_t)
+ fs_relabelfrom_tmpfs_symlinks(init_t)
fs_unmount_all_fs(init_t)
fs_search_cgroup_dirs(daemon)

+ # for logsave in strict configuration
+ fstools_write_log(initrc_t)
+
init_get_all_units_status(initrc_t)
init_manage_var_lib_files(initrc_t)
init_read_script_state(init_t)
init_rw_stream_sockets(initrc_t)
- init_stop_all_units(initrc_t)
- init_stream_connect(initrc_t)

# Create /etc/audit.rules.prev after firstboot remediation
logging_manage_audit_config(initrc_t)

- selinux_compute_create_context(init_t)
selinux_set_enforce_mode(initrc_t)
selinux_unmount_fs(init_t)
selinux_validate_context(init_t)
@@ -993,6 +1012,9 @@ optional_policy(`

optional_policy(`
dev_read_usbfs(initrc_t)
+')
+
+optional_policy(`
bluetooth_read_config(initrc_t)
')

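Review bot: After the split the first optional_policy block contains only `dev_read_usbfs(initrc_t)`; devices is a kernel-layer module that is always present, so wrapping that single call in optional_policy has no effect and the call can stand unconditionally, with only `bluetooth_read_config(initrc_t)` left inside an optional block. The hunk at the hotplug block later in this file removes the other copy of dev_read_usbfs(initrc_t), so this is the sole remaining grant.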
@@ -1076,8 +1098,6 @@ optional_policy(`
')

optional_policy(`
- dev_read_usbfs(initrc_t)
-
# init scripts run /etc/hotplug/usb.rc
hotplug_read_config(initrc_t)

@@ -1266,17 +1286,8 @@ optional_policy(`
optional_policy(`
domain_role_change_exemption(initrc_t)

- mcs_file_read_all(initrc_t)
- mcs_file_write_all(initrc_t)
- mcs_killall(initrc_t)
-
unconfined_domain(initrc_t)

- ifdef(`distro_redhat',`
- # system-config-services causes avc messages that should be dontaudited
- unconfined_dontaudit_rw_pipes(daemon)
- ')
-
optional_policy(`
mono_domtrans(initrc_t)
')
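Review bot: Dropping `unconfined_dontaudit_rw_pipes(daemon)` under distro_redhat is not a duplicate removal as far as this patch shows; the comment it carried says it exists to silence AVCs from system-config-services, so removing it reintroduces that audit noise on Red Hat unless the dontaudit now lives elsewhere, and the description should say which. The mcs_file_read_all/mcs_file_write_all/mcs_killall removals are presumably redundant with `unconfined_domain(initrc_t)` just below them; if so, a short line in the description noting that is enough. The enclosing optional_policy block begins outside the hunk.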
Index: refpolicy-2.20170419/policy/modules/system/modutils.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
+++ refpolicy-2.20170419/policy/modules/system/modutils.if
@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`

########################################
## <summary>
+## Read the kernel modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_read_module_objects',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ files_list_kernel_modules($1)
+ allow $1 modules_object_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read the configuration options used when
## loading modules.
## </summary>
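Review bot: modutils_read_module_objects gen_requires `modules_object_t`, which is declared by the files module rather than by modutils, so the interface reaches across module boundaries in a way refpolicy's interface convention discourages. The files module already exposes reading of kernel module objects (in the trees I know, as files_read_kernel_modules); if that interface exists here, the new optional_policy in init.te that calls modutils_read_module_objects(init_t) can call it directly and this interface can be dropped. If it does not exist, the interface belongs in files.if next to files_list_kernel_modules.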
Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170419/policy/modules/system/userdomain.if
@@ -78,6 +78,12 @@ template(`userdom_base_user_template',`
dev_dontaudit_getattr_all_blk_files($1_t)
dev_dontaudit_getattr_all_chr_files($1_t)

+ # for X session unlock
+ allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+ # for KDE
+ allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
+
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state($1_t)
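Review bot: `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` is a raw rule in the base user template, so every user domain, including unprivileged ones, gains the ability to submit user-space audit records; elsewhere in this same patch that grant goes through `logging_send_audit_msgs(init_t)`, and the template should use `logging_send_audit_msgs($1_t)` too so that audit-message permissions stay auditable in one interface. The comment "for X session unlock" suggests the real consumer is the PAM helper run at unlock; if that helper has its own domain, the grant belongs there rather than on the user domain. The "for KDE" comment on the uevent socket rule should name the program that opens the socket. userdom_base_user_template begins and ends outside the hunk.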
@@ -108,6 +114,14 @@ template(`userdom_base_user_template',`

sysnet_read_config($1_t)

+ # kdeinit wants systemd status
+ init_get_system_status($1_t)
+
+ optional_policy(`
+ apt_read_cache($1_t)
+ apt_read_db($1_t)
+ ')
+
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
allow $1_t self:process execmem;
Index: refpolicy-2.20170419/policy/support/file_patterns.spt
===================================================================
--- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
+++ refpolicy-2.20170419/policy/support/file_patterns.spt
@@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
define(`create_chr_files_pattern',`
allow $1 self:capability mknod;
allow $1 $2:dir add_entry_dir_perms;
- allow $1 $3:chr_file create_chr_file_perms;
+ allow $1 $3:chr_file { create_chr_file_perms setattr };
')

define(`delete_chr_files_pattern',`
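Review bot: Adding `setattr` to create_chr_files_pattern widens every caller of the pattern across the whole policy, not only the domain this patch is fixing, and setattr on device nodes (chmod/chown of /dev entries) is a separate privilege from creating them. The least-privilege option is to grant setattr at the one call site that needs it, or to add a distinct pattern, and leave the shared support macro unchanged. If the change is kept, the blk_file counterpart should be reviewed for symmetry and the description should say which domain needed setattr.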


2017-04-21 00:00:40

by Chris PeBenito

Subject: [refpolicy] [PATCH] second strict patch take 3

On 04/20/2017 10:51 AM, Russell Coker via refpolicy wrote:
> Changed some of the things that Guido didn't like.
>
> Also removed a lot of duplicate rules from init.te.
>
> As an aside we need to merge the 2 ifdef systemd_init sections. That will be
> a separate patch.

Merged with some renaming and line moving, plus a few comments:


> Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
> @@ -324,6 +324,7 @@ ifdef(`distro_debian',`
> /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0)
> ')
>
> ifdef(`distro_gentoo', `
> Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170419/policy/modules/kernel/devices.if
> @@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`
>
> typeattribute $1 devices_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Create subdir of /dev
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_create_subdir',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + allow $1 device_t:dir { add_entry_dir_perms create };
> + allow $1 device_t:dir search_dir_perms;
> +')

Dropped this and fixed the call below to use the existing
dev_create_generic_dirs() which should be equivalent.


> Index: refpolicy-2.20170419/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170419/policy/modules/kernel/files.if
> @@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file
>
> ########################################
> ## <summary>
> +## Relabel files and dirs to etc_runtime_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_relabelto_etc_runtime',`
> + gen_require(`
> + type etc_runtime_t;
> + ')
> +
> + allow $1 etc_runtime_t:file relabelto;
> + allow $1 etc_runtime_t:dir relabelto;
> +')

Split interface in two.

> +########################################
> +## <summary>
> ## Create, etc runtime objects with an automatic
> ## type transition.
> ## </summary>
> @@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
> ')
>
> ########################################
> +## <summary>
> +## Create a /var/run directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_pid_dir',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + allow $1 var_run_t:dir create_dir_perms;
> +')
> +
> +########################################
> ## <summary>
> ## Search the contents of runtime process
> ## ID directories (/var/run).
> Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
> @@ -769,6 +769,24 @@ interface(`fs_manage_cgroup_dirs',`
>
> ########################################
> ## <summary>
> +## Relabel pstore directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_relabel_pstore_dirs',`
> + gen_require(`
> + type pstore_t;
> + ')
> +
> + relabel_dirs_pattern($1, pstore_t, pstore_t)
> +')
> +
> +########################################
> +## <summary>
> ## Relabel cgroup directories.
> ## </summary>
> ## <param name="domain">
> @@ -828,6 +846,26 @@ interface(`fs_read_cgroup_files',`
>
> ########################################
> ## <summary>
> +## Create cgroup lnk_files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_create_cgroup_links',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + create_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Write cgroup files.
> ## </summary>
> ## <param name="domain">
> @@ -858,7 +896,6 @@ interface(`fs_write_cgroup_files', `
> interface(`fs_rw_cgroup_files',`
> gen_require(`
> type cgroup_t;
> -
> ')
>
> rw_files_pattern($1, cgroup_t, cgroup_t)
> @@ -4505,6 +4542,24 @@ interface(`fs_read_tmpfs_symlinks',`
> ')
>
> ########################################
> +## <summary>
> +## Relabelfrom tmpfs link files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_relabelfrom_tmpfs_symlinks',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
> +')
> +
> +########################################
> ## <summary>
> ## Read and write character nodes on tmpfs filesystems.
> ## </summary>
> Index: refpolicy-2.20170419/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20170419/policy/modules/services/ssh.if
> @@ -353,6 +353,8 @@ template(`ssh_role_template',`
> allow $1_ssh_agent_t self:process { setrlimit signal };
> allow $1_ssh_agent_t self:capability setgid;
>
> + allow $1_ssh_agent_t self:fifo_file rw_file_perms;
> +
> allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
>
> allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -436,6 +438,7 @@ template(`ssh_role_template',`
> optional_policy(`
> xserver_use_xdm_fds($1_ssh_agent_t)
> xserver_rw_xdm_pipes($1_ssh_agent_t)
> + xdm_sigchld($1_ssh_agent_t)
> ')
> ')
>
> Index: refpolicy-2.20170419/policy/modules/system/fstools.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
> +++ refpolicy-2.20170419/policy/modules/system/fstools.if
> @@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`
>
> allow $1 swapfile_t:file getattr;
> ')
> +
> +########################################
> +## <summary>
> +## Write to fsadm_log_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fstools_write_log',`
> + gen_require(`
> + type fsadm_log_t;
> + ')
> +
> + allow $1 fsadm_log_t:file write_file_perms;
> +')
> Index: refpolicy-2.20170419/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170419/policy/modules/system/init.if
> @@ -2966,6 +2966,7 @@ interface(`init_admin',`
> init_reload($1)
> init_reload_all_units($1)
> init_shutdown_system($1)
> + init_start_system($1)
> init_start_all_units($1)
> init_start_generic_units($1)
> init_stop_all_units($1)
> Index: refpolicy-2.20170419/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170419/policy/modules/system/init.te
> @@ -138,6 +138,11 @@ allow init_t initrc_t:unix_stream_socket
> allow init_t init_var_run_t:file manage_file_perms;
> files_pid_filetrans(init_t, init_var_run_t, file)
>
> +# for /run/initctl
> +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
> +
> +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
> +
> # for systemd to manage service file symlinks
> allow init_t init_var_run_t:file manage_lnk_file_perms;
>
> @@ -170,6 +175,7 @@ files_read_etc_files(init_t)
> files_rw_generic_pids(init_t)
> files_manage_etc_runtime_files(init_t)
> files_etc_filetrans_etc_runtime(init_t, file)
> +
> # Run /etc/X11/prefdm:
> files_exec_etc_files(init_t)
> # file descriptors inherited from the rootfs:
> @@ -214,6 +220,11 @@ ifdef(`init_systemd',`
> # handle instances where an old labeled init script is encountered.
> typeattribute init_t init_run_all_scripts_domain;
>
> + # for /run/systemd/inaccessible/{chr,blk}
> + allow init_t init_var_run_t:blk_file { create getattr };
> + allow init_t init_var_run_t:chr_file { create getattr };
> +
> +
> allow init_t systemprocess:process { dyntransition siginh };
> allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
> allow init_t systemprocess:unix_dgram_socket create_socket_perms;
> @@ -221,10 +232,10 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
> allow init_t self:capability2 { audit_read block_suspend };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> - allow init_t self:netlink_route_socket create_netlink_socket_perms;
> - allow init_t self:netlink_selinux_socket create_socket_perms;
> allow init_t self:unix_dgram_socket lock;
>
> + allow init_t init_var_run_t:sock_file manage_sock_file_perms;
> +
> allow init_t daemon:unix_stream_socket create_stream_socket_perms;
> allow init_t daemon:unix_dgram_socket create_socket_perms;
> allow init_t daemon:tcp_socket create_stream_socket_perms;
> @@ -257,13 +268,11 @@ ifdef(`init_systemd',`
> kernel_getattr_proc(init_t)
> kernel_read_fs_sysctls(init_t)
>
> - dev_rw_autofs(init_t)
> dev_create_generic_dirs(init_t)
> dev_manage_input_dev(init_t)
> - dev_relabel_all_dev_nodes(init_t)
> dev_relabel_all_sysfs(init_t)
> + dev_relabel_generic_symlinks(init_t)
> dev_read_urand(init_t)
> - dev_write_kmsg(init_t)
>
> domain_read_all_domains_state(init_t)
>
> @@ -271,17 +280,15 @@ ifdef(`init_systemd',`
> files_list_usr(init_t)
> files_list_var(init_t)
> files_list_var_lib(init_t)
> - files_relabel_all_lock_dirs(init_t)
> files_mounton_root(init_t)
> files_search_pids(init_t)
> files_relabel_all_pids(init_t)
> + files_relabelto_etc_runtime(init_t)
> files_read_all_locks(init_t)
> files_search_kernel_modules(init_t)
> # for privatetmp functions
> - files_manage_generic_tmp_dirs(init_t)
> files_mounton_tmp(init_t)
>
> - fs_manage_cgroup_dirs(init_t)
> fs_relabel_cgroup_dirs(init_t)
> fs_rw_cgroup_files(init_t)
> fs_list_auto_mountpoints(init_t)
> @@ -290,6 +297,7 @@ ifdef(`init_systemd',`
> fs_getattr_tmpfs(init_t)
> fs_read_tmpfs_files(init_t)
> fs_read_cgroup_files(init_t)
> + fs_relabel_pstore_dirs(init_t)
> fs_dontaudit_getattr_xattr_fs(init_t)
> # for privatetmp functions
> fs_relabel_tmpfs_dirs(init_t)
> @@ -309,19 +317,19 @@ ifdef(`init_systemd',`
> selinux_compute_create_context(init_t)
> selinux_compute_access_vector(init_t)
>
> - term_relabel_pty_dirs(init_t)
> -
> logging_manage_pid_sockets(init_t)
> logging_send_audit_msgs(init_t)
> logging_relabelto_devlog_sock_files(init_t)
>
> - seutil_read_file_contexts(init_t)
> -
> systemd_manage_passwd_runtime_symlinks(init_t)
> + systemd_use_passwd_agent(init_t)
>
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> + # for systemd to read udev status
> + udev_read_pid_files(init_t)
> +
> optional_policy(`
> clock_read_adjtime(init_t)
> ')
> @@ -331,7 +339,6 @@ ifdef(`init_systemd',`
> ')
>
> optional_policy(`
> - dbus_system_bus_client(init_t)
> dbus_connect_system_bus(init_t)
> ')
>
> @@ -355,6 +362,12 @@ ifdef(`distro_debian',`
>
> allow init_t initrc_var_run_t:file manage_file_perms;
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> + fs_manage_tmpfs_files(initrc_t)
> + sysnet_manage_config(initrc_t)
> +
> + optional_policy(`
> + postfix_read_config(initrc_t)
> + ')
> ')
>
> ifdef(`distro_gentoo',`
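Review bot: `fs_manage_tmpfs_files(initrc_t)` grants create, write and delete on every generic tmpfs_t file, far more than the utmp handling the surrounding lines deal with, and nothing records which Debian init script needs it; the enclosing `ifdef(`distro_debian'` block starts outside the hunk. A rationale such as `# for <script> writing <file> under /run -- TODO confirm` would let a later reviewer judge whether a named file transition to a specific type can replace the generic permission. `sysnet_manage_config(initrc_t)` likewise lets init scripts rewrite network configuration under /etc and deserves the same one-line justification.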
> @@ -370,6 +383,12 @@ ifdef(`distro_redhat',`
> ')
>
> optional_policy(`
> + modutils_read_module_config(init_t)
> + modutils_read_module_deps(init_t)
> + modutils_read_module_objects(init_t)
> +')
> +
> +optional_policy(`
> auth_rw_login_records(init_t)
> ')
>
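Review bot: Granting `modutils_read_module_objects(init_t)` here, together with `kernel_load_module(init_t)` in the @@ -861,14 +878,16 @@ hunk, has PID 1 load kernel modules itself instead of transitioning to the modutils domain, which as far as I recall means CAP_SYS_MODULE for init_t and gives up the isolation that domain exists to provide. If systemd genuinely loads modules in-process this should be stated on the line, e.g. `# systemd loads modules directly rather than via the modutils domain`, and otherwise a domain transition on the module loader would be the tighter fix. This `optional_policy` also appears to sit outside any `ifdef(`init_systemd'` guard, so sysvinit-based builds would get the module-read rules for init_t too; if that is unintended, wrap it in `ifdef(`init_systemd'`.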
> @@ -521,7 +540,6 @@ domain_kill_all_domains(initrc_t)
> domain_signal_all_domains(initrc_t)
> domain_signull_all_domains(initrc_t)
> domain_sigstop_all_domains(initrc_t)
> -domain_sigstop_all_domains(initrc_t)
> domain_sigchld_all_domains(initrc_t)
> domain_read_all_domains_state(initrc_t)
> domain_getattr_all_domains(initrc_t)
> @@ -639,7 +657,6 @@ ifdef(`distro_debian',`
> kernel_getattr_core_if(initrc_t)
>
> dev_getattr_generic_blk_files(initrc_t)
> - dev_setattr_generic_dirs(initrc_t)
>
> fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
>
> @@ -670,7 +687,6 @@ ifdef(`distro_gentoo',`
> allow initrc_t self:process setfscreate;
> dev_create_null_dev(initrc_t)
> dev_create_zero_dev(initrc_t)
> - dev_create_generic_dirs(initrc_t)
> term_create_console_dev(initrc_t)
>
> # unfortunately /sbin/rc does stupid tricks
> @@ -693,8 +709,6 @@ ifdef(`distro_gentoo',`
> # init scripts touch this
> clock_dontaudit_write_adjtime(initrc_t)
>
> - logging_send_audit_msgs(initrc_t)
> -
> # for integrated run_init to read run_init_type.
> # happens during boot (/sbin/rc execs init scripts)
> seutil_read_default_contexts(initrc_t)
> @@ -830,21 +844,24 @@ ifdef(`init_systemd',`
>
> allow init_t self:unix_dgram_socket { create_socket_perms sendto };
> allow init_t self:process { setsockcreate setfscreate setrlimit };
> - allow init_t self:process { getcap setcap };
> + allow init_t self:process { getcap setcap getsched setsched };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> - allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> + allow init_t self:netlink_selinux_socket create_socket_perms;
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> allow init_t self:netlink_route_socket create_netlink_socket_perms;
> allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> - allow initrc_t init_t:system { status reboot halt reload };
> + allow initrc_t init_t:system { start status reboot halt reload };
> allow init_t self:capability2 audit_read;
> manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> files_lock_filetrans(initrc_t, initrc_lock_t, file)
>
> manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
> + allow initrc_t init_var_run_t:file create_file_perms;
> + allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
> + allow initrc_t init_var_run_t:service { start status };
>
> manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
> manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
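Review bot: `allow initrc_t init_var_run_t:service { start status };` lets any init script start every unit whose unit file lives under /run/systemd (runtime and transient units), and the added `start` on `init_t:system` widens that further, yet no comment says which script needs it. A line such as `# <script> starts transient units under /run/systemd -- TODO name it` would document the intent, and if only one unit is involved, a dedicated unit type with a named file transition would keep the grant narrow. The `getsched setsched` addition on `init_t self:process` is reasonable for systemd but is also worth a short why-comment.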
> @@ -861,14 +878,16 @@ ifdef(`init_systemd',`
>
> kernel_dgram_send(initrc_t)
> kernel_list_unlabeled(init_t)
> - kernel_read_network_state(init_t)
> + kernel_load_module(init_t)
> kernel_rw_kernel_sysctl(init_t)
> kernel_rw_net_sysctls(init_t)
> kernel_read_all_sysctls(init_t)
> kernel_read_software_raid_state(init_t)
> kernel_unmount_debugfs(init_t)
> kernel_setsched(init_t)
> + kernel_rw_unix_sysctls(init_t)
>
> + auth_manage_var_auth(init_t)
> auth_relabel_login_records(init_t)
> auth_relabel_pam_console_data_dirs(init_t)
>
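Review bot: `auth_manage_var_auth(init_t)` gives PID 1 full management of the var_auth_t tree without a comment, and `kernel_rw_unix_sysctls(init_t)` likewise arrives unexplained. Adding `# for <systemd feature> -- TODO confirm` on each would help; if systemd only needs to create or relabel a directory there at boot, a create-dir or relabel interface would be narrower than manage. The `kernel_load_module(init_t)` line is discussed on the @@ -370,6 +383,12 @@ hunk.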
> @@ -876,10 +895,10 @@ ifdef(`init_systemd',`
> # in the initrc_t domain, as would be
> # done in traditional sysvinit/upstart.
> corecmd_bin_entry_type(initrc_t)
> - corecmd_shell_entry_type(initrc_t)
> corecmd_bin_domtrans(init_t, initrc_t)
> corecmd_shell_domtrans(init_t, initrc_t)
>
> + dev_create_subdir(initrc_t)
> dev_write_kmsg(init_t)
> dev_write_urand(init_t)
> dev_rw_lvm_control(init_t)
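Review bot: `dev_create_subdir(initrc_t)` presumably lets init scripts create directories directly in /dev, and unless a file transition is also set up any such directory is left with the generic device_t label, so nothing later can distinguish it from the rest of /dev. If the directory is known, pair this with a named file transition via `dev_filetrans` to its proper type and note it: `# for <script> creating /dev/<subdir> -- TODO confirm`. Otherwise please say in a comment which script creates what, so the rule can be tightened later.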
> @@ -903,13 +922,13 @@ ifdef(`init_systemd',`
> files_create_all_pid_sockets(init_t)
> files_create_all_spool_sockets(init_t)
> files_create_lock_dirs(init_t)
> + files_create_pid_dir(initrc_t)
> files_delete_all_pids(init_t)
> files_delete_all_spool_sockets(init_t)
> files_exec_generic_pid_files(init_t)
> files_get_etc_unit_status(initrc_t)
> files_list_locks(init_t)
> files_list_spool(init_t)
> - files_list_var(init_t)
> files_manage_all_pid_dirs(init_t)
> files_manage_generic_tmp_dirs(init_t)
> files_manage_urandom_seed(init_t)
> @@ -922,28 +941,28 @@ ifdef(`init_systemd',`
> files_setattr_pid_dirs(initrc_t)
> files_unmount_all_file_type_fs(init_t)
>
> + fs_create_cgroup_links(init_t)
> fs_getattr_all_fs(init_t)
> - fs_list_auto_mountpoints(init_t)
> fs_manage_cgroup_dirs(init_t)
> fs_manage_cgroup_files(init_t)
> - fs_manage_hugetlbfs_dirs(init_t)
> fs_manage_tmpfs_dirs(init_t)
> fs_mount_all_fs(init_t)
> fs_remount_all_fs(init_t)
> + fs_relabelfrom_tmpfs_symlinks(init_t)
> fs_unmount_all_fs(init_t)
> fs_search_cgroup_dirs(daemon)
>
> + # for logsave in strict configuration
> + fstools_write_log(initrc_t)
> +
> init_get_all_units_status(initrc_t)
> init_manage_var_lib_files(initrc_t)
> init_read_script_state(init_t)
> init_rw_stream_sockets(initrc_t)
> - init_stop_all_units(initrc_t)
> - init_stream_connect(initrc_t)
>
> # Create /etc/audit.rules.prev after firstboot remediation
> logging_manage_audit_config(initrc_t)
>
> - selinux_compute_create_context(init_t)
> selinux_set_enforce_mode(initrc_t)
> selinux_unmount_fs(init_t)
> selinux_validate_context(init_t)
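Review bot: `init_stream_connect(initrc_t)` and `init_stop_all_units(initrc_t)` are removed in this hunk without a visible replacement; if they are not re-granted elsewhere, init scripts that talk to systemd's private socket would presumably lose that connection, which is a silent regression rather than a tightening. A line in the description naming where the duplicate lives would settle it. `fs_relabelfrom_tmpfs_symlinks(init_t)` and `fs_create_cgroup_links(init_t)` are new and unexplained; the hunk already shows the convention with `# for logsave in strict configuration`, so a similar one-liner on each would match.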
> @@ -993,6 +1012,9 @@ optional_policy(`
>
> optional_policy(`
> dev_read_usbfs(initrc_t)
> +')
> +
> +optional_policy(`
> bluetooth_read_config(initrc_t)
> ')
>
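Review bot: `dev_read_usbfs(initrc_t)` now sits in an `optional_policy` of its own, but it is a devices-module interface from the kernel layer, which is not an optional module, so the wrapper only obscures that the rule is unconditional. Moving the call out of `optional_policy` next to the other `dev_*` rules for initrc_t is the cleaner form, with the bluetooth block keeping its wrapper. The @@ -1076,8 +1098,6 @@ hunk dropping the duplicate from the hotplug block is fine.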
> @@ -1076,8 +1098,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - dev_read_usbfs(initrc_t)
> -
> # init scripts run /etc/hotplug/usb.rc
> hotplug_read_config(initrc_t)
>
> @@ -1266,17 +1286,8 @@ optional_policy(`
> optional_policy(`
> domain_role_change_exemption(initrc_t)
>
> - mcs_file_read_all(initrc_t)
> - mcs_file_write_all(initrc_t)
> - mcs_killall(initrc_t)
> -
> unconfined_domain(initrc_t)
>
> - ifdef(`distro_redhat',`
> - # system-config-services causes avc messages that should be dontaudited
> - unconfined_dontaudit_rw_pipes(daemon)
> - ')
> -
> optional_policy(`
> mono_domtrans(initrc_t)
> ')
> Index: refpolicy-2.20170419/policy/modules/system/modutils.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
> +++ refpolicy-2.20170419/policy/modules/system/modutils.if
> @@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
>
> ########################################
> ## <summary>
> +## Read the kernel modules.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`modutils_read_module_objects',`
> + gen_require(`
> + type modules_object_t;
> + ')
> +
> + files_list_kernel_modules($1)
> + allow $1 modules_object_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read the configuration options used when
> ## loading modules.
> ## </summary>
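Review bot: `modutils_read_module_objects` may be missing symlink access: it grants `read_file_perms` on modules_object_t files plus a directory listing, but module trees routinely contain symlinks (merged-/usr layouts, `build` and `source` links), and if the caller follows any of them a `read_lnk_file_perms` allow on modules_object_t:lnk_file would be needed — confirm against a denial log rather than adding it speculatively. The summary `Read the kernel modules.` could also state the limit explicitly, e.g. `## Read kernel module object files (does not permit loading them).`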
> Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170419/policy/modules/system/userdomain.if
> @@ -78,6 +78,12 @@ template(`userdom_base_user_template',`
> dev_dontaudit_getattr_all_blk_files($1_t)
> dev_dontaudit_getattr_all_chr_files($1_t)
>
> + # for X session unlock
> + allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
> +
> + # for KDE
> + allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
> +
> # When the user domain runs ps, there will be a number of access
> # denials when ps tries to search /proc. Do not audit these denials.
> domain_dontaudit_read_all_domains_state($1_t)
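Review bot: The raw `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` in the base user template gives every user domain, unprivileged ones included, the ability to relay user-space records into the audit trail, which weakens the log's integrity as evidence; the comment `# for X session unlock` suggests only the screen-locker or PAM helper path needs it. If it must stay, use the existing interface, `logging_send_audit_msgs($1_t)`, as the init rules in this patch do, so the grant stays consistent and carries whatever capability that interface includes (audit_write, as far as I recall). Better still, confine the rule to the domain that actually performs the unlock.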
> @@ -108,6 +114,14 @@ template(`userdom_base_user_template',`
>
> sysnet_read_config($1_t)
>
> + # kdeinit wants systemd status
> + init_get_system_status($1_t)
> +
> + optional_policy(`
> + apt_read_cache($1_t)
> + apt_read_db($1_t)
> + ')
> +
> tunable_policy(`allow_execmem',`
> # Allow loading DSOs that require executable stack.
> allow $1_t self:process execmem;
> Index: refpolicy-2.20170419/policy/support/file_patterns.spt
> ===================================================================
> --- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
> +++ refpolicy-2.20170419/policy/support/file_patterns.spt
> @@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
> define(`create_chr_files_pattern',`
> allow $1 self:capability mknod;
> allow $1 $2:dir add_entry_dir_perms;
> - allow $1 $3:chr_file create_chr_file_perms;
> + allow $1 $3:chr_file { create_chr_file_perms setattr };
> ')

Dropped. Too broad.

--
Chris PeBenito