2018-03-30 22:07:54

by Luis Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH] system/init: Add a filetrans for /run/initctl

sysvinit 2.89 moved /dev/initctl to /run/initctl.

Reported-by: revel
---
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4fd9745b..64c61377 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;

allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
+files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")

# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
--
2.16.3


2018-04-03 10:07:13

by Dominick Grift

[permalink] [raw]
Subject: [refpolicy] [PATCH] system/init: Add a filetrans for /run/initctl

On Sat, Mar 31, 2018 at 12:07:54AM +0200, Luis Ressel via refpolicy wrote:
> sysvinit 2.89 moved /dev/initctl to /run/initctl.

Might this be missing an file context specification?

Also, should existing interfaces providing access to initctl, be extended to allow traversal of /run?

>
> Reported-by: revel
> ---
> policy/modules/system/init.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 4fd9745b..64c61377 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
>
> allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> dev_filetrans(init_t, initctl_t, fifo_file)
> +files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")
>
> # Modify utmp.
> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
> --
> 2.16.3
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180403/cbe55edf/attachment.bin

2018-04-27 06:32:59

by Jason Zaman

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] init: Add filetrans for /run/initctl

sysvinit 2.89 moved /dev/initctl to /run/initctl.

There is already a filecontext so this only adds the filetrans and
updates interfaces.

Reported-by: revel
---
policy/modules/system/init.if | 5 +++++
policy/modules/system/init.te | 1 +
2 files changed, 6 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 326581ec..bd5fe207 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',`
type initctl_t;
')

+ dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file getattr;
')
')
@@ -1353,6 +1355,7 @@ interface(`init_write_initctl',`
')

dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file write;
')

@@ -1385,6 +1388,7 @@ interface(`init_telinit',`
corecmd_exec_bin($1)

dev_list_all_dev_nodes($1)
+ files_search_pids($1)

init_exec($1)
')
@@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',`
')

dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8fabb0ea..aa5506ca 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;

allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
+files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")

# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
--
2.16.1

2018-04-28 22:05:59

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] init: Add filetrans for /run/initctl

On 04/27/2018 02:32 AM, Jason Zaman via refpolicy wrote:

> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 8fabb0ea..aa5506ca 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
>
> allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> dev_filetrans(init_t, initctl_t, fifo_file)
> +files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")

Is the name really needed? I don't see any type_transition conflicts.

--
Chris PeBenito

2018-04-30 03:55:24

by Jason Zaman

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] init: Add filetrans for /run/initctl

On Sat, Apr 28, 2018 at 06:05:59PM -0400, Chris PeBenito wrote:
> On 04/27/2018 02:32 AM, Jason Zaman via refpolicy wrote:
>
> > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> > index 8fabb0ea..aa5506ca 100644
> > --- a/policy/modules/system/init.te
> > +++ b/policy/modules/system/init.te
> > @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
> >
> > allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> > dev_filetrans(init_t, initctl_t, fifo_file)
> > +files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")
>
> Is the name really needed? I don't see any type_transition conflicts.
>
Indeed, there is a filetrans for file but nothing for fifo_file. I'll
re-send the patch

-- Jason

2018-04-30 06:32:23

by Jason Zaman

[permalink] [raw]
Subject: [refpolicy] [PATCH v3] init: Add filetrans for /run/initctl

sysvinit 2.89 moved /dev/initctl to /run/initctl.

Reported-by: revel
---
policy/modules/system/init.if | 5 +++++
policy/modules/system/init.te | 1 +
2 files changed, 6 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 326581ec..bd5fe207 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',`
type initctl_t;
')

+ dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file getattr;
')
')
@@ -1353,6 +1355,7 @@ interface(`init_write_initctl',`
')

dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file write;
')

@@ -1385,6 +1388,7 @@ interface(`init_telinit',`
corecmd_exec_bin($1)

dev_list_all_dev_nodes($1)
+ files_search_pids($1)

init_exec($1)
')
@@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',`
')

dev_list_all_dev_nodes($1)
+ files_search_pids($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8fabb0ea..02538ac7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;

allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
+files_pid_filetrans(init_t, initctl_t, fifo_file)

# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
--
2.16.1

2018-05-02 21:23:12

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v3] init: Add filetrans for /run/initctl

On 04/30/2018 02:32 AM, Jason Zaman via refpolicy wrote:
> sysvinit 2.89 moved /dev/initctl to /run/initctl.
>
> Reported-by: revel
> ---
> policy/modules/system/init.if | 5 +++++
> policy/modules/system/init.te | 1 +
> 2 files changed, 6 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 326581ec..bd5fe207 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',`
> type initctl_t;
> ')
>
> + dev_list_all_dev_nodes($1)
> + files_search_pids($1)
> allow $1 initctl_t:fifo_file getattr;
> ')
> ')
> @@ -1353,6 +1355,7 @@ interface(`init_write_initctl',`
> ')
>
> dev_list_all_dev_nodes($1)
> + files_search_pids($1)
> allow $1 initctl_t:fifo_file write;
> ')
>
> @@ -1385,6 +1388,7 @@ interface(`init_telinit',`
> corecmd_exec_bin($1)
>
> dev_list_all_dev_nodes($1)
> + files_search_pids($1)
>
> init_exec($1)
> ')
> @@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',`
> ')
>
> dev_list_all_dev_nodes($1)
> + files_search_pids($1)
> allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> ')
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 8fabb0ea..02538ac7 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
>
> allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> dev_filetrans(init_t, initctl_t, fifo_file)
> +files_pid_filetrans(init_t, initctl_t, fifo_file)
>
> # Modify utmp.
> allow init_t initrc_var_run_t:file { rw_file_perms setattr };

Merged.

--
Chris PeBenito