From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 3/5] Adding dracut policy
Date: Wed, 4 Jan 2012 21:02:47 +0100	[thread overview]
Message-ID: <20120104200247.GD6512@siphos.be> (raw)
In-Reply-To: <20120104200014.GA6512@siphos.be>

Running dracut out of the sysadm_t domain doesn't (fully) work on a policy without unconfined domains. The calls to depmod,
whose output is then directed to a tmp location, are denied because of this. Instead of granting depmod (and other tools)
"manage" access to user_tmp_t, we create a separate domain for dracut (called dracut_t) and grant these tools management
access to dracut_tmp_t.

This adds in the dracut policy

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dracut.fc |    4 +++
 dracut.if |   69 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 dracut.te |   79 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 152 insertions(+), 0 deletions(-)
 create mode 100644 dracut.fc
 create mode 100644 dracut.if
 create mode 100644 dracut.te

diff --git a/dracut.fc b/dracut.fc
new file mode 100644
index 0000000..8e411eb
--- /dev/null
+++ b/dracut.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)
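Review bot: Only `/usr/sbin/dracut` receives `dracut_exec_t`, so on an installation where the script is located at `/sbin/dracut` and `/sbin` is not merged into `/usr/sbin`, no domain transition would take place and dracut would keep running in the caller's domain, which is the situation the commit message sets out to fix. I cannot tell from the patch which layouts are targeted; if that one is possible, add the parallel entry `/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)` so both paths transition.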
diff --git a/dracut.if b/dracut.if
new file mode 100644
index 0000000..929fffd
--- /dev/null
+++ b/dracut.if
@@ -0,0 +1,69 @@
+## <summary>Dracut initramfs creation tool</summary>
+
+########################################
+## <summary>
+##	Execute the dracut program in the dracut domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dracut_domtrans',`
+	gen_require(`
+		type dracut_t, dracut_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dracut_exec_t, dracut_t)
+')
+
+########################################
+## <summary>
+##	Execute dracut in the dracut domain, and
+##	allow the specified role the dracut domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`dracut_run',`
+	gen_require(`
+		type dracut_t;
+	')
+
+	dracut_domtrans($1)
+	role $2 types dracut_t;
+')
+
+########################################
+## <summary>
+## 	Allow domain to manage dracut temporary files
+## </summary>
+## <param name="domain">
+##	<summary>
+##		Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dracut_manage_tmp_files',`
+	gen_require(`
+		type dracut_tmp_t;
+	')
+
+	files_search_var($1)
+	files_search_tmp($1)
+
+	manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+	manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
+	read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+')
+
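Review bot: `dracut_manage_tmp_files` grants manage access on files and directories under `dracut_tmp_t` but only `read_lnk_files_pattern` on symlinks, while dracut.te in the same series gives `dracut_t` itself `manage_lnk_files_pattern` on that type. The commit message says this interface is meant for the tools dracut delegates to, so a helper that creates a symlink in the dracut tmp tree would be denied even though dracut itself is allowed to; if that asymmetry is not intended, change the last line to `manage_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)`, otherwise state in the interface summary that symlinks are read-only for callers. As a style point, the summary of this third interface uses `## ` followed by a tab and a double-tab before "Domain allowed access.", unlike the single tab used in the two interfaces above; aligning it keeps the generated documentation consistent.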
diff --git a/dracut.te b/dracut.te
new file mode 100644
index 0000000..f83eecd
--- /dev/null
+++ b/dracut.te
@@ -0,0 +1,79 @@
+policy_module(localmod, 1.0)
+
+require {
+  type depmod_t;
+  type sysadm_t;
+  type ldconfig_t;
+  role sysadm_r;
+}
+
+type dracut_t;
+type dracut_exec_t;
+application_domain(dracut_t, dracut_exec_t)
+
+type dracut_var_log_t;
+logging_log_file(dracut_var_log_t)
+
+type dracut_tmp_t;
+files_tmp_file(dracut_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow dracut_t self:process setfscreate;
+allow dracut_t self:fifo_file rw_fifo_file_perms;
+allow dracut_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+
+manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
+logging_log_filetrans(dracut_t, dracut_var_log_t, file)
+
+kernel_read_system_state(dracut_t)
+
+corecmd_exec_bin(dracut_t)
+corecmd_exec_shell(dracut_t)
+corecmd_read_all_executables(dracut_t)
+
+dev_read_sysfs(dracut_t)
+
+domain_use_interactive_fds(dracut_t)
+
+files_create_kernel_img(dracut_t)
+files_read_kernel_modules(dracut_t)
+files_read_etc_files(dracut_t)
+files_read_usr_files(dracut_t)
+files_search_pids(dracut_t)
+
+fstools_domtrans(dracut_t)
+
+libs_domtrans_ldconfig(dracut_t)
+libs_exec_ld_so(dracut_t)
+libs_exec_lib_files(dracut_t)
+
+lvm_domtrans(dracut_t)
+lvm_read_config(dracut_t)
+
+miscfiles_read_localization(dracut_t)
+
+modutils_domtrans_depmod(dracut_t)
+modutils_domtrans_insmod(dracut_t)
+modutils_read_module_config(dracut_t)
+modutils_list_module_config(dracut_t)
+modutils_read_module_deps(dracut_t)
+
+mount_domtrans(dracut_t)
+
+udev_domtrans(dracut_t)
+udev_read_rules_files(dracut_t)
+
+userdom_use_user_terminals(dracut_t)
+
+optional_policy(`
+	dmesg_domtrans(dracut_t)
+')
+
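Review bot: The first line `policy_module(localmod, 1.0)` names the module `localmod` rather than `dracut`; this looks like a leftover from local testing and should read `policy_module(dracut, 1.0)` so the module name matches the dracut.fc/dracut.if/dracut.te triple. The raw `require { type depmod_t; type sysadm_t; type ldconfig_t; role sysadm_r; }` block is not referenced by any rule in the file (the depmod and ldconfig transitions come in through `modutils_domtrans_depmod` and `libs_domtrans_ldconfig`, and the role assignment is done by the `dracut_run` interface), so it can be dropped; refpolicy modules reach other modules' types through interfaces rather than raw require blocks. `dracut_var_log_t` is created via `logging_log_filetrans` but dracut.fc carries no entry for the log file, so a full relabel would lose the label on whatever path dracut writes; add the path to dracut.fc once it is known. Finally, the type declarations would conventionally sit under a `# Declarations` section header matching the `# Local policy` one below.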
-- 
1.7.3.4

2012-01-04 20:00 [refpolicy] [PATCH 0/5] Adding support for dracut Sven Vermeulen
2012-01-04 20:01 ` [refpolicy] [PATCH 1/5] Add read interface for udev rules Sven Vermeulen
2012-01-04 20:01 ` [refpolicy] [PATCH 2/5] Support listing module configuration files Sven Vermeulen
2012-01-04 20:02 ` Sven Vermeulen [this message]
2012-01-05 19:28   ` [refpolicy] [PATCH 3/5] Adding dracut policy Sven Vermeulen
2012-01-04 20:03 ` [refpolicy] [PATCH 4/5] Grant dracut_manage_tmp_files to domains called by dracut Sven Vermeulen
2012-01-04 20:03 ` [refpolicy] [PATCH 5/5] Allow sysadm_t to call dracut and transition to dracut_t Sven Vermeulen
