* [refpolicy] [PATCH] init: update the initrc_t domain policy
@ 2016-12-29 22:49 Guido Trentalancia
From: Guido Trentalancia @ 2016-12-29 22:49 UTC (permalink / raw)
  To: refpolicy

Update the initrc_t domain policy in the init module with some
missing permissions.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/terminal.if |   21 +++++++++++++++++++++
 policy/modules/system/init.te     |   19 +++++++++++++++++--
 2 files changed, 38 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
--- a/policy/modules/kernel/terminal.if	2016-12-27 22:41:00.664390360 +0100
+++ b/policy/modules/kernel/terminal.if	2016-12-29 23:30:56.342306506 +0100
@@ -1102,6 +1102,27 @@ interface(`term_relabel_all_user_ptys',`
 
 ########################################
 ## <summary>
+##	Unlink BSD-style pty device
+##	nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_unlink_bsd_ptys',`
+	gen_require(`
+		type bsdpty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 bsdpty_device_t:chr_file { unlink };
+')
+
+########################################
+## <summary>
 ##	Get the attributes of all unallocated
 ##	tty device nodes.
 ## </summary>
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te	2016-12-29 23:44:28.212518135 +0100
@@ -415,12 +415,16 @@ kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
 kernel_rw_all_sysctls(initrc_t)
+kernel_use_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
 # cjp: not sure why these are here; should use mount policy
 kernel_list_unlabeled(initrc_t)
 kernel_mounton_unlabeled_dirs(initrc_t)
 
+# plymouth
+kernel_stream_connect(initrc_t)
+
 files_create_lock_dirs(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
 files_read_kernel_symbol_table(initrc_t)
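Review bot: `kernel_use_fds(initrc_t)` is added without a justifying comment, while the other additions in this patch (`kernel_stream_connect`, `dev_read_kmsg`, `files_manage_generic_locks`) each name their consumer; `auth_manage_faillog` in the term/auth hunk and `iptables_read_config` in the last hunk are likewise uncommented. Please add a short `# <consumer>` line above each so the rule can be retired when that consumer changes. For `kernel_stream_connect`, `# plymouth` alone does not say why plymouthd's socket carries the kernel label; if it is because plymouthd is started from the initramfs before policy load (presumably the case), a comment such as `# plymouthd started from initramfs before policy load, so its socket is kernel_t` makes clear the rule is a workaround for unlabeled early boot rather than an intended design.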
@@ -462,6 +466,8 @@ dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(initrc_t)
+# mcelog service
+dev_read_kmsg(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
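Review bot: `dev_read_kmsg(initrc_t)` grants every init script read access to the kernel log, which is broader than the `# mcelog service` comment justifies. If the mcelog module's own daemon domain already reads /dev/kmsg, the init script should reach it through a domain transition rather than reading kmsg itself; if the init script genuinely reads kmsg in its own right, the comment should name the script and what it reads. As written the rule stays in effect for all of initrc_t even when the mcelog module is not loaded, so if it is mcelog-specific it belongs in an `optional_policy(` block for that module.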
@@ -496,6 +502,8 @@ files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
+# manage the restorecond lock file
+files_manage_generic_locks(initrc_t)
 # Mount and unmount file systems.
 # cjp: not sure why these are here; should use mount policy
 files_list_default(initrc_t)
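Review bot: `files_manage_generic_locks(initrc_t)` grants create/write/unlink on every generic lock file for the sake of one file, and the comment ties it to restorecond only. If restorecond has, or can be given, its own lock type with a file transition from the lock directory, that would scope the rule to the intended file; I cannot tell from this hunk whether such a type exists. Failing that, the comment should say why the lock-directory rules visible earlier in init.te (`files_create_lock_dirs`, `files_pid_filetrans_lock_dir`) do not already cover the restorecond case.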
@@ -532,10 +540,12 @@ storage_setattr_removable_dev(initrc_t)
 
 term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
+term_unlink_bsd_ptys(initrc_t)
 
 auth_rw_login_records(initrc_t)
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
+auth_manage_faillog(initrc_t)
 auth_read_pam_pid(initrc_t)
 auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
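Review bot: `auth_manage_faillog(initrc_t)` gives every init script create/rename/unlink on the login failure records, whereas the surrounding auth rules (`auth_rw_login_records`, `auth_rw_lastlog`) stop at read/write. If the init script only needs to truncate or update the file, a read/write faillog interface would be the tighter fit; if it really creates or removes the file, a comment naming the script (as this patch does for plymouth and mcelog) would justify the manage level. `term_unlink_bsd_ptys(initrc_t)` depends on the new interface in terminal.if from this same patch, so the two files must land together.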
@@ -831,12 +841,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dev_getattr_printer_dev(initrc_t)
-
+	cups_domtrans(initrc_t)
 	cups_read_log(initrc_t)
 	cups_read_rw_config(initrc_t)
 #cups init script clears error log
 	cups_write_log(initrc_t)
+
+	dev_getattr_printer_dev(initrc_t)
 ')
 
 optional_policy(`
@@ -900,6 +911,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	iptables_read_config(initrc_t)
+')
+
+optional_policy(`
 	iscsi_stream_connect(initrc_t)
 	iscsi_read_lib_files(initrc_t)
 ')
