* [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
@ 2016-12-27 22:16 Guido Trentalancia
2016-12-27 22:38 ` Luis Ressel
0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-27 22:16 UTC (permalink / raw)
To: refpolicy
The aim of this patch is to start securing the init module so
that it can run in confined mode instead of in the most unsafe
unconfined mode.
At the moment it has been fully tested only with sysvinit.
Testing with other init daemons is needed before this is
released, so a "permissive" statement has been added in
order to log further needed permissions during this testing
phase (with systemd, upstart, and so on).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 26 ++++++++++++++++++++++----
3 files changed, 58 insertions(+), 4 deletions(-)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)
term_use_all_terms(init_t)
@@ -190,6 +197,21 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
+# Before moving to an init module which does
+# not call unconfined_domain(), we test
+# to discover possible side-effects, by
+# temporarily using the "permissive"
+# statement which logs further needed
+# permissions...
+#
+# The current module has already been
+# fully tested with sysvinit.
+#
+# The following line should be removed
+# as soon as the module has been tested
+# with the other init daemons.
+permissive init_t;
+
ifdef(`init_systemd',`
# handle instances where an old labeled init script is encountered.
typeattribute init_t init_run_all_scripts_domain;
@@ -345,10 +367,6 @@ optional_policy(`
sssd_stream_connect(init_t)
')
-optional_policy(`
- unconfined_domain(init_t)
-')
-
########################################
#
# Init script local policy
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
2016-12-27 22:16 [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call Guido Trentalancia
@ 2016-12-27 22:38 ` Luis Ressel
2016-12-27 22:54 ` Guido Trentalancia
0 siblings, 1 reply; 19+ messages in thread
From: Luis Ressel @ 2016-12-27 22:38 UTC (permalink / raw)
To: refpolicy
On Tue, 27 Dec 2016 23:16:46 +0100 (CET)
Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
> The aim of this patch is to start securing the init module so
> that it can run in confined mode instead of in the most unsafe
> unconfined mode.
>
> At the moment it has been fully tested only with sysvinit.
>
> Testing with other init daemons is needed before this is
> released, so a "permissive" statement has been added in
> order to log further needed permissions during this testing
> phase (with systemd, upstart, and so on).
>
> [...]
>
> +permissive init_t;
Please don't add that. Debugging statements such as this one should
only be added to local policies, not to refpol's master branch. This
statement would be a huge step backwards for everyone who isn't using
the 'unconfined' module.
Regards,
Luis
^ permalink raw reply [flat|nested] 19+ messages in thread
* [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
2016-12-27 22:38 ` Luis Ressel
@ 2016-12-27 22:54 ` Guido Trentalancia
2016-12-27 23:02 ` Luis Ressel
0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-27 22:54 UTC (permalink / raw)
To: refpolicy
Hello.
> On the 27th of December 2016 at 23.38 Luis Ressel <aranea@aixah.de> wrote:
>
>
> On Tue, 27 Dec 2016 23:16:46 +0100 (CET)
> Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
>
> > The aim of this patch is to start securing the init module so
> > that it can run in confined mode instead of in the most unsafe
> > unconfined mode.
> >
> > At the moment it has been fully tested only with sysvinit.
> >
> > Testing with other init daemons is needed before this is
> > released, so a "permissive" statement has been added in
> > order to log further needed permissions during this testing
> > phase (with systemd, upstart, and so on).
> >
> > [...]
> >
> > +permissive init_t;
>
> Please don't add that. Debugging statements such as this one should
> only be added to local policies, not to refpol's master branch. This
> statement would be a huge step backwards for everyone who isn't using
> the 'unconfined' module.
Ok, that's fine. Consider, I have completed testing it with sysvinit, so I
don't really need to debug anything.
It comes from the following recent advice that has been posted (I was
not even aware of the existence of such statement):
http://oss.tresys.com/pipermail/refpolicy/2016-December/008835.html
but, if it is more likely to cause problems, then I can create a new patch
which just dumps the dangerous call to unconfined_domain() and that's
the end of the story.
At the end, there must be a way out of it !
Regards,
Guido
^ permalink raw reply [flat|nested] 19+ messages in thread
* [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
2016-12-27 22:54 ` Guido Trentalancia
@ 2016-12-27 23:02 ` Luis Ressel
2016-12-28 20:45 ` [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") Guido Trentalancia
0 siblings, 1 reply; 19+ messages in thread
From: Luis Ressel @ 2016-12-27 23:02 UTC (permalink / raw)
To: refpolicy
On Tue, 27 Dec 2016 23:54:58 +0100 (CET)
Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
> Ok, that's fine. Consider, I have completed testing it with sysvinit,
> so I don't really need to debug anything.
>
> It comes from the following recent advice that has been posted (I was
> not even aware of the existence of such statement):
>
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008835.html
>
Neither was I; I had to look it up before answering to your mail. :)
> but, if it is more likely to cause problems, then I can create a new
> patch which just dumps the dangerous call to unconfined_domain() and
> that's the end of the story.
>
Thanks!
> At the end, there must be a way out of it !
Yes. Personally, I never really cared about it because I don't use
'unconfined' anyway, but I definitly appreciate your effort to get rid
of it.
Regards,
Luis Ressel
^ permalink raw reply [flat|nested] 19+ messages in thread
* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2016-12-27 23:02 ` Luis Ressel
@ 2016-12-28 20:45 ` Guido Trentalancia
2016-12-30 19:24 ` Chris PeBenito
2016-12-31 19:52 ` [refpolicy] [PATCH v3] init: support sysvinit Guido Trentalancia
0 siblings, 2 replies; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-28 20:45 UTC (permalink / raw)
To: refpolicy
Originally the aim of this patch was to start securing the init
module so that it could run in confined mode instead of in the
most unsafe unconfined mode and therefore the patch was removing
the call to unconfined_domain().
However, the removal of the unconfined_domain() call has been
rejected on the basis of the fact that it can be avoided by not
loading the "unconfined" policy module (which unfortunately at
the moment, still gets added to the configuration file during
"make conf").
Currently, this second version of the patch no longer removes the
call to unconfined_domain() and it only adds permissions needed
by sysvinit (most notably the ability to load the policy during
the system boot).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 7 +++++++
3 files changed, 43 insertions(+)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)
term_use_all_terms(init_t)
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2016-12-28 20:45 ` [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") Guido Trentalancia
@ 2016-12-30 19:24 ` Chris PeBenito
2016-12-30 21:10 ` Guido Trentalancia
2016-12-31 19:52 ` [refpolicy] [PATCH v3] init: support sysvinit Guido Trentalancia
1 sibling, 1 reply; 19+ messages in thread
From: Chris PeBenito @ 2016-12-30 19:24 UTC (permalink / raw)
To: refpolicy
On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> Originally the aim of this patch was to start securing the init
> module so that it could run in confined mode instead of in the
> most unsafe unconfined mode and therefore the patch was removing
> the call to unconfined_domain().
>
> However, the removal of the unconfined_domain() call has been
> rejected on the basis of the fact that it can be avoided by not
> loading the "unconfined" policy module (which unfortunately at
> the moment, still gets added to the configuration file during
> "make conf").
>
> Currently, this second version of the patch no longer removes the
> call to unconfined_domain() and it only adds permissions needed
> by sysvinit (most notably the ability to load the policy during
> the system boot).
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
> policy/modules/system/init.te | 7 +++++++
> 3 files changed, 43 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
> +++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>
> ########################################
> ## <summary>
> +## Mount a sysfs filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Associate a file to a sysfs filesystem.
> ## </summary>
> ## <param name="file_type">
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>
> ########################################
> ## <summary>
> +## Mount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Unmount the proc filesystem.
> ## </summary>
> ## <param name="domain">
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
> +++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> # Modify utmp.
> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>
> +kernel_mounton_proc_dirs(init_t)
> +kernel_mount_proc(init_t)
> kernel_read_system_state(init_t)
> kernel_share_state(init_t)
> kernel_dontaudit_search_unlabeled(init_t)
> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> +dev_mounton_sysfs(init_t)
> +dev_mount_sysfs(init_t)
> dev_read_sysfs(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> files_dontaudit_rw_root_files(init_t)
> files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> mls_process_write_all_levels(init_t)
> mls_fd_use_all_levels(init_t)
>
> +selinux_load_policy(init_t)
> +selinux_mount_fs(init_t)
> selinux_set_all_booleans(init_t)
>
> term_use_all_terms(init_t)
I'm not clear why this is necessary. Sysvinit should only be loading
the policy if is not loaded yet, so these permissions should be unnecessary.
--
Chris PeBenito
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2016-12-30 19:24 ` Chris PeBenito
@ 2016-12-30 21:10 ` Guido Trentalancia
2016-12-30 21:13 ` Dominick Grift
2016-12-31 17:42 ` Guido Trentalancia
0 siblings, 2 replies; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-30 21:10 UTC (permalink / raw)
To: refpolicy
On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> >
> > Originally the aim of this patch was to start securing the init
> > module so that it could run in confined mode instead of in the
> > most unsafe unconfined mode and therefore the patch was removing
> > the call to unconfined_domain().
> >
> > However, the removal of the unconfined_domain() call has been
> > rejected on the basis of the fact that it can be avoided by not
> > loading the "unconfined" policy module (which unfortunately at
> > the moment, still gets added to the configuration file during
> > "make conf").
> >
> > Currently, this second version of the patch no longer removes the
> > call to unconfined_domain() and it only adds permissions needed
> > by sysvinit (most notably the ability to load the policy during
> > the system boot).
> >
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > ?policy/modules/kernel/devices.if |???18 ++++++++++++++++++
> > ?policy/modules/kernel/kernel.if??|???18 ++++++++++++++++++
> > ?policy/modules/system/init.te????|????7 +++++++
> > ?3 files changed, 43 insertions(+)
> >
> > diff -pru a/policy/modules/kernel/devices.if
> > b/policy/modules/kernel/devices.if
> > --- a/policy/modules/kernel/devices.if 2016-12-27
> > 22:41:00.650390161 +0100
> > +++ b/policy/modules/kernel/devices.if 2016-12-27
> > 22:50:19.301315139 +0100
> > @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
> >
> > ?########################################
> > ?## <summary>
> > +## Mount a sysfs filesystem.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dev_mount_sysfs',`
> > + gen_require(`
> > + type sysfs_t;
> > + ')
> > +
> > + allow $1 sysfs_t:filesystem mount;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Associate a file to a sysfs filesystem.
> > ?## </summary>
> > ?## <param name="file_type">
> > diff -pru a/policy/modules/kernel/kernel.if
> > b/policy/modules/kernel/kernel.if
> > --- a/policy/modules/kernel/kernel.if 2016-12-27
> > 22:41:00.652390190 +0100
> > +++ b/policy/modules/kernel/kernel.if 2016-12-27
> > 22:51:01.009904157 +0100
> > @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
> >
> > ?########################################
> > ?## <summary>
> > +## Mount the proc filesystem.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`kernel_mount_proc',`
> > + gen_require(`
> > + type proc_t;
> > + ')
> > +
> > + allow $1 proc_t:filesystem mount;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Unmount the proc filesystem.
> > ?## </summary>
> > ?## <param name="domain">
> > diff -pru a/policy/modules/system/init.te
> > b/policy/modules/system/init.te
> > --- a/policy/modules/system/init.te 2016-12-22
> > 23:12:47.784929729 +0100
> > +++ b/policy/modules/system/init.te 2016-12-27
> > 23:05:37.731451479 +0100
> > @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> > ?# Modify utmp.
> > ?allow init_t initrc_var_run_t:file { rw_file_perms setattr };
> >
> > +kernel_mounton_proc_dirs(init_t)
> > +kernel_mount_proc(init_t)
> > ?kernel_read_system_state(init_t)
> > ?kernel_share_state(init_t)
> > ?kernel_dontaudit_search_unlabeled(init_t)
> > @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> > ?corecmd_exec_chroot(init_t)
> > ?corecmd_exec_bin(init_t)
> >
> > +dev_mounton_sysfs(init_t)
> > +dev_mount_sysfs(init_t)
> > ?dev_read_sysfs(init_t)
> > ?# Early devtmpfs
> > ?dev_rw_generic_chr_files(init_t)
> > @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> > ?files_dontaudit_rw_root_files(init_t)
> > ?files_dontaudit_rw_root_chr_files(init_t)
> >
> > +fs_getattr_xattr_fs(init_t)
> > ?fs_list_inotifyfs(init_t)
> > ?# cjp: this may be related to /dev/log
> > ?fs_write_ramfs_sockets(init_t)
> > @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> > ?mls_process_write_all_levels(init_t)
> > ?mls_fd_use_all_levels(init_t)
> >
> > +selinux_load_policy(init_t)
> > +selinux_mount_fs(init_t)
> > ?selinux_set_all_booleans(init_t)
> >
> > ?term_use_all_terms(init_t)
>
> I'm not clear why this is necessary.??Sysvinit should only be
> loading?
> the policy if is not loaded yet, so these permissions should be
> unnecessary.
The init daemon absolutely needs to load the SELinux policy !
Perhaps, it is possible to get rid of the other similar permission in
the kernel module, but surely not here, otherwise the system won't boot
!
Thanks.
Guido
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2016-12-30 21:10 ` Guido Trentalancia
@ 2016-12-30 21:13 ` Dominick Grift
2016-12-31 17:42 ` Guido Trentalancia
1 sibling, 0 replies; 19+ messages in thread
From: Dominick Grift @ 2016-12-30 21:13 UTC (permalink / raw)
To: refpolicy
On 12/30/2016 10:10 PM, Guido Trentalancia via refpolicy wrote:
> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>
>>> Originally the aim of this patch was to start securing the init
>>> module so that it could run in confined mode instead of in the
>>> most unsafe unconfined mode and therefore the patch was removing
>>> the call to unconfined_domain().
>>>
>>> However, the removal of the unconfined_domain() call has been
>>> rejected on the basis of the fact that it can be avoided by not
>>> loading the "unconfined" policy module (which unfortunately at
>>> the moment, still gets added to the configuration file during
>>> "make conf").
>>>
>>> Currently, this second version of the patch no longer removes the
>>> call to unconfined_domain() and it only adds permissions needed
>>> by sysvinit (most notably the ability to load the policy during
>>> the system boot).
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>> policy/modules/system/init.te | 7 +++++++
>>> 3 files changed, 43 insertions(+)
>>>
>>> diff -pru a/policy/modules/kernel/devices.if
>>> b/policy/modules/kernel/devices.if
>>> --- a/policy/modules/kernel/devices.if 2016-12-27
>>> 22:41:00.650390161 +0100
>>> +++ b/policy/modules/kernel/devices.if 2016-12-27
>>> 22:50:19.301315139 +0100
>>> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>>>
>>> ########################################
>>> ## <summary>
>>> +## Mount a sysfs filesystem.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`dev_mount_sysfs',`
>>> + gen_require(`
>>> + type sysfs_t;
>>> + ')
>>> +
>>> + allow $1 sysfs_t:filesystem mount;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> ## Associate a file to a sysfs filesystem.
>>> ## </summary>
>>> ## <param name="file_type">
>>> diff -pru a/policy/modules/kernel/kernel.if
>>> b/policy/modules/kernel/kernel.if
>>> --- a/policy/modules/kernel/kernel.if 2016-12-27
>>> 22:41:00.652390190 +0100
>>> +++ b/policy/modules/kernel/kernel.if 2016-12-27
>>> 22:51:01.009904157 +0100
>>> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>>>
>>> ########################################
>>> ## <summary>
>>> +## Mount the proc filesystem.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`kernel_mount_proc',`
>>> + gen_require(`
>>> + type proc_t;
>>> + ')
>>> +
>>> + allow $1 proc_t:filesystem mount;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> ## Unmount the proc filesystem.
>>> ## </summary>
>>> ## <param name="domain">
>>> diff -pru a/policy/modules/system/init.te
>>> b/policy/modules/system/init.te
>>> --- a/policy/modules/system/init.te 2016-12-22
>>> 23:12:47.784929729 +0100
>>> +++ b/policy/modules/system/init.te 2016-12-27
>>> 23:05:37.731451479 +0100
>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>> # Modify utmp.
>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>
>>> +kernel_mounton_proc_dirs(init_t)
>>> +kernel_mount_proc(init_t)
>>> kernel_read_system_state(init_t)
>>> kernel_share_state(init_t)
>>> kernel_dontaudit_search_unlabeled(init_t)
>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>> corecmd_exec_chroot(init_t)
>>> corecmd_exec_bin(init_t)
>>>
>>> +dev_mounton_sysfs(init_t)
>>> +dev_mount_sysfs(init_t)
>>> dev_read_sysfs(init_t)
>>> # Early devtmpfs
>>> dev_rw_generic_chr_files(init_t)
>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>> files_dontaudit_rw_root_files(init_t)
>>> files_dontaudit_rw_root_chr_files(init_t)
>>>
>>> +fs_getattr_xattr_fs(init_t)
>>> fs_list_inotifyfs(init_t)
>>> # cjp: this may be related to /dev/log
>>> fs_write_ramfs_sockets(init_t)
>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>> mls_process_write_all_levels(init_t)
>>> mls_fd_use_all_levels(init_t)
>>>
>>> +selinux_load_policy(init_t)
>>> +selinux_mount_fs(init_t)
>>> selinux_set_all_booleans(init_t)
>>>
>>> term_use_all_terms(init_t)
>>
>> I'm not clear why this is necessary. Sysvinit should only be
>> loading
>> the policy if is not loaded yet, so these permissions should be
>> unnecessary.
>
> The init daemon absolutely needs to load the SELinux policy !
why?
>
> Perhaps, it is possible to get rid of the other similar permission in
> the kernel module, but surely not here, otherwise the system won't boot
> !
>
> Thanks.
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161230/b0709e1c/attachment.bin
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2016-12-30 21:10 ` Guido Trentalancia
2016-12-30 21:13 ` Dominick Grift
@ 2016-12-31 17:42 ` Guido Trentalancia
2017-01-02 17:55 ` Chris PeBenito
1 sibling, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-31 17:42 UTC (permalink / raw)
To: refpolicy
Hello again.
On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
wrote:
> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
> >
> > On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> > >
> > >
> > > Originally the aim of this patch was to start securing the init
> > > module so that it could run in confined mode instead of in the
> > > most unsafe unconfined mode and therefore the patch was removing
> > > the call to unconfined_domain().
> > >
> > > However, the removal of the unconfined_domain() call has been
> > > rejected on the basis of the fact that it can be avoided by not
> > > loading the "unconfined" policy module (which unfortunately at
> > > the moment, still gets added to the configuration file during
> > > "make conf").
> > >
> > > Currently, this second version of the patch no longer removes the
> > > call to unconfined_domain() and it only adds permissions needed
> > > by sysvinit (most notably the ability to load the policy during
> > > the system boot).
> > >
> > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > > ---
> > > ?policy/modules/kernel/devices.if |???18 ++++++++++++++++++
> > > ?policy/modules/kernel/kernel.if??|???18 ++++++++++++++++++
> > > ?policy/modules/system/init.te????|????7 +++++++
> > > ?3 files changed, 43 insertions(+)
[...]
> > > diff -pru a/policy/modules/system/init.te
> > > b/policy/modules/system/init.te
> > > --- a/policy/modules/system/init.te 2016-12-22
> > > 23:12:47.784929729 +0100
> > > +++ b/policy/modules/system/init.te 2016-12-27
> > > 23:05:37.731451479 +0100
> > > @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> > > ?# Modify utmp.
> > > ?allow init_t initrc_var_run_t:file { rw_file_perms setattr };
> > >
> > > +kernel_mounton_proc_dirs(init_t)
> > > +kernel_mount_proc(init_t)
> > > ?kernel_read_system_state(init_t)
> > > ?kernel_share_state(init_t)
> > > ?kernel_dontaudit_search_unlabeled(init_t)
> > > @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> > > ?corecmd_exec_chroot(init_t)
> > > ?corecmd_exec_bin(init_t)
> > >
> > > +dev_mounton_sysfs(init_t)
> > > +dev_mount_sysfs(init_t)
> > > ?dev_read_sysfs(init_t)
> > > ?# Early devtmpfs
> > > ?dev_rw_generic_chr_files(init_t)
> > > @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> > > ?files_dontaudit_rw_root_files(init_t)
> > > ?files_dontaudit_rw_root_chr_files(init_t)
> > >
> > > +fs_getattr_xattr_fs(init_t)
> > > ?fs_list_inotifyfs(init_t)
> > > ?# cjp: this may be related to /dev/log
> > > ?fs_write_ramfs_sockets(init_t)
> > > @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> > > ?mls_process_write_all_levels(init_t)
> > > ?mls_fd_use_all_levels(init_t)
> > >
> > > +selinux_load_policy(init_t)
> > > +selinux_mount_fs(init_t)
> > > ?selinux_set_all_booleans(init_t)
> > >
> > > ?term_use_all_terms(init_t)
> >
> > I'm not clear why this is necessary.??Sysvinit should only be
> > loading?
> > the policy if is not loaded yet, so these permissions should be
> > unnecessary.
>
> The init daemon absolutely needs to load the SELinux policy !
>
> Perhaps, it is possible to get rid of the other similar permission in
> the kernel module, but surely not here, otherwise the system won't
> boot
> ?!
How about this patch ?
The selinux_load_policy() permission is absolutely necessary for the
init_t domain, when using sysvinit.
Regards,
Guido
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2016-12-31 17:42 ` Guido Trentalancia
@ 2017-01-02 17:55 ` Chris PeBenito
2017-01-02 18:05 ` Guido Trentalancia
0 siblings, 1 reply; 19+ messages in thread
From: Chris PeBenito @ 2017-01-02 17:55 UTC (permalink / raw)
To: refpolicy
On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
> wrote:
>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>
>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>
>>>>
>>>> Originally the aim of this patch was to start securing the init
>>>> module so that it could run in confined mode instead of in the
>>>> most unsafe unconfined mode and therefore the patch was removing
>>>> the call to unconfined_domain().
>>>>
>>>> However, the removal of the unconfined_domain() call has been
>>>> rejected on the basis of the fact that it can be avoided by not
>>>> loading the "unconfined" policy module (which unfortunately at
>>>> the moment, still gets added to the configuration file during
>>>> "make conf").
>>>>
>>>> Currently, this second version of the patch no longer removes the
>>>> call to unconfined_domain() and it only adds permissions needed
>>>> by sysvinit (most notably the ability to load the policy during
>>>> the system boot).
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>> ---
>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>> policy/modules/system/init.te | 7 +++++++
>>>> 3 files changed, 43 insertions(+)
>
> [...]
>
>>>> diff -pru a/policy/modules/system/init.te
>>>> b/policy/modules/system/init.te
>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>> 23:12:47.784929729 +0100
>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>> 23:05:37.731451479 +0100
>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>> # Modify utmp.
>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>
>>>> +kernel_mounton_proc_dirs(init_t)
>>>> +kernel_mount_proc(init_t)
>>>> kernel_read_system_state(init_t)
>>>> kernel_share_state(init_t)
>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>> corecmd_exec_chroot(init_t)
>>>> corecmd_exec_bin(init_t)
>>>>
>>>> +dev_mounton_sysfs(init_t)
>>>> +dev_mount_sysfs(init_t)
>>>> dev_read_sysfs(init_t)
>>>> # Early devtmpfs
>>>> dev_rw_generic_chr_files(init_t)
>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>> files_dontaudit_rw_root_files(init_t)
>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>
>>>> +fs_getattr_xattr_fs(init_t)
>>>> fs_list_inotifyfs(init_t)
>>>> # cjp: this may be related to /dev/log
>>>> fs_write_ramfs_sockets(init_t)
>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>> mls_process_write_all_levels(init_t)
>>>> mls_fd_use_all_levels(init_t)
>>>>
>>>> +selinux_load_policy(init_t)
>>>> +selinux_mount_fs(init_t)
>>>> selinux_set_all_booleans(init_t)
>>>>
>>>> term_use_all_terms(init_t)
>>>
>>> I'm not clear why this is necessary. Sysvinit should only be
>>> loading
>>> the policy if is not loaded yet, so these permissions should be
>>> unnecessary.
>>
>> The init daemon absolutely needs to load the SELinux policy !
>>
>> Perhaps, it is possible to get rid of the other similar permission in
>> the kernel module, but surely not here, otherwise the system won't
>> boot
>> !
>
> How about this patch ?
>
> The selinux_load_policy() permission is absolutely necessary for the
> init_t domain, when using sysvinit.
I still run sysvinit systems. It isn't.
--
Chris PeBenito
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2017-01-02 17:55 ` Chris PeBenito
@ 2017-01-02 18:05 ` Guido Trentalancia
2017-01-02 18:13 ` Jason Zaman
2017-01-02 18:19 ` Dominick Grift
0 siblings, 2 replies; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 18:05 UTC (permalink / raw)
To: refpolicy
On systems using sysvinit and not using initramfs, the init daemon from sysvinit needs to load the policy or it aborts the system initalization!
The call to selinux_init_load_policy is in the latest sysvinit source code at src/init.c.
Regards,
Guido
On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>> Hello again.
>>
>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>
>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>>
>>>>> Originally the aim of this patch was to start securing the init
>>>>> module so that it could run in confined mode instead of in the
>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>> the call to unconfined_domain().
>>>>>
>>>>> However, the removal of the unconfined_domain() call has been
>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>> the moment, still gets added to the configuration file during
>>>>> "make conf").
>>>>>
>>>>> Currently, this second version of the patch no longer removes the
>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>> by sysvinit (most notably the ability to load the policy during
>>>>> the system boot).
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>> ---
>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>> policy/modules/system/init.te | 7 +++++++
>>>>> 3 files changed, 43 insertions(+)
>>
>> [...]
>>
>>>>> diff -pru a/policy/modules/system/init.te
>>>>> b/policy/modules/system/init.te
>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>> 23:12:47.784929729 +0100
>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>> 23:05:37.731451479 +0100
>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>> # Modify utmp.
>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>
>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>> +kernel_mount_proc(init_t)
>>>>> kernel_read_system_state(init_t)
>>>>> kernel_share_state(init_t)
>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>> corecmd_exec_chroot(init_t)
>>>>> corecmd_exec_bin(init_t)
>>>>>
>>>>> +dev_mounton_sysfs(init_t)
>>>>> +dev_mount_sysfs(init_t)
>>>>> dev_read_sysfs(init_t)
>>>>> # Early devtmpfs
>>>>> dev_rw_generic_chr_files(init_t)
>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>> files_dontaudit_rw_root_files(init_t)
>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>
>>>>> +fs_getattr_xattr_fs(init_t)
>>>>> fs_list_inotifyfs(init_t)
>>>>> # cjp: this may be related to /dev/log
>>>>> fs_write_ramfs_sockets(init_t)
>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>> mls_process_write_all_levels(init_t)
>>>>> mls_fd_use_all_levels(init_t)
>>>>>
>>>>> +selinux_load_policy(init_t)
>>>>> +selinux_mount_fs(init_t)
>>>>> selinux_set_all_booleans(init_t)
>>>>>
>>>>> term_use_all_terms(init_t)
>>>>
>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>> loading
>>>> the policy if is not loaded yet, so these permissions should be
>>>> unnecessary.
>>>
>>> The init daemon absolutely needs to load the SELinux policy !
>>>
>>> Perhaps, it is possible to get rid of the other similar permission
>in
>>> the kernel module, but surely not here, otherwise the system won't
>>> boot
>>> !
>>
>> How about this patch ?
>>
>> The selinux_load_policy() permission is absolutely necessary for the
>> init_t domain, when using sysvinit.
>
>I still run sysvinit systems. It isn't.
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2017-01-02 18:05 ` Guido Trentalancia
@ 2017-01-02 18:13 ` Jason Zaman
2017-01-02 18:19 ` Guido Trentalancia
2017-01-02 18:19 ` Dominick Grift
1 sibling, 1 reply; 19+ messages in thread
From: Jason Zaman @ 2017-01-02 18:13 UTC (permalink / raw)
To: refpolicy
On 3 Jan 2017 2:06 am, "Guido Trentalancia via refpolicy" <
refpolicy@oss.tresys.com> wrote:
On systems using sysvinit and not using initramfs, the init daemon from
sysvinit needs to load the policy or it aborts the system initalization!
The call to selinux_init_load_policy is in the latest sysvinit source code
at src/init.c.
All my machines use sysvinit. And none of the initramfs' have anything
SELinux related. Sysvinit loads the policy for me and it all works fine.
If sysvinit is loading the policy because it isn't in the initramfs then by
definition there is no policy yet at all so how can this rule make any
difference at all?
This rule is absolutely not required on sysvinit systems I'm not sure why
you need it but you're gonna have to give us more info if you want help
figuring out why.
-- Jason
Regards,
Guido
On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <pebenito@ieee.org>
wrote:
>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>> Hello again.
>>
>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>
>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>>
>>>>> Originally the aim of this patch was to start securing the init
>>>>> module so that it could run in confined mode instead of in the
>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>> the call to unconfined_domain().
>>>>>
>>>>> However, the removal of the unconfined_domain() call has been
>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>> the moment, still gets added to the configuration file during
>>>>> "make conf").
>>>>>
>>>>> Currently, this second version of the patch no longer removes the
>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>> by sysvinit (most notably the ability to load the policy during
>>>>> the system boot).
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>> ---
>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>> policy/modules/system/init.te | 7 +++++++
>>>>> 3 files changed, 43 insertions(+)
>>
>> [...]
>>
>>>>> diff -pru a/policy/modules/system/init.te
>>>>> b/policy/modules/system/init.te
>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>> 23:12:47.784929729 +0100
>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>> 23:05:37.731451479 +0100
>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>> # Modify utmp.
>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>
>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>> +kernel_mount_proc(init_t)
>>>>> kernel_read_system_state(init_t)
>>>>> kernel_share_state(init_t)
>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>> corecmd_exec_chroot(init_t)
>>>>> corecmd_exec_bin(init_t)
>>>>>
>>>>> +dev_mounton_sysfs(init_t)
>>>>> +dev_mount_sysfs(init_t)
>>>>> dev_read_sysfs(init_t)
>>>>> # Early devtmpfs
>>>>> dev_rw_generic_chr_files(init_t)
>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>> files_dontaudit_rw_root_files(init_t)
>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>
>>>>> +fs_getattr_xattr_fs(init_t)
>>>>> fs_list_inotifyfs(init_t)
>>>>> # cjp: this may be related to /dev/log
>>>>> fs_write_ramfs_sockets(init_t)
>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>> mls_process_write_all_levels(init_t)
>>>>> mls_fd_use_all_levels(init_t)
>>>>>
>>>>> +selinux_load_policy(init_t)
>>>>> +selinux_mount_fs(init_t)
>>>>> selinux_set_all_booleans(init_t)
>>>>>
>>>>> term_use_all_terms(init_t)
>>>>
>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>> loading
>>>> the policy if is not loaded yet, so these permissions should be
>>>> unnecessary.
>>>
>>> The init daemon absolutely needs to load the SELinux policy !
>>>
>>> Perhaps, it is possible to get rid of the other similar permission
>in
>>> the kernel module, but surely not here, otherwise the system won't
>>> boot
>>> !
>>
>> How about this patch ?
>>
>> The selinux_load_policy() permission is absolutely necessary for the
>> init_t domain, when using sysvinit.
>
>I still run sysvinit systems. It isn't.
_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170103/3d64c4c4/attachment-0001.html
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2017-01-02 18:13 ` Jason Zaman
@ 2017-01-02 18:19 ` Guido Trentalancia
0 siblings, 0 replies; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 18:19 UTC (permalink / raw)
To: refpolicy
Hello!
I think you and Christopher are right, because on systems not using initramfs, when sysvinit loads the policy it is still running as kernel_t and has not transitioned yet to init_t.
However, in such scenario I suspect the kernel module needs selinux_get_fs_mount so that sysvinit can check if selinux is enabled as in a popular patch that circulated after version 2.88dsf.
Regards,
Guido
On the 02nd of January 2017 19:13:17 CET, Jason Zaman <jason@perfinion.com> wrote:
>On 3 Jan 2017 2:06 am, "Guido Trentalancia via refpolicy" <
>refpolicy at oss.tresys.com> wrote:
>
>On systems using sysvinit and not using initramfs, the init daemon from
>sysvinit needs to load the policy or it aborts the system
>initalization!
>
>The call to selinux_init_load_policy is in the latest sysvinit source
>code
>at src/init.c.
>
>
>All my machines use sysvinit. And none of the initramfs' have anything
>SELinux related. Sysvinit loads the policy for me and it all works
>fine.
>
>If sysvinit is loading the policy because it isn't in the initramfs
>then by
>definition there is no policy yet at all so how can this rule make any
>difference at all?
>
>This rule is absolutely not required on sysvinit systems I'm not sure
>why
>you need it but you're gonna have to give us more info if you want help
>figuring out why.
>
>-- Jason
>
>Regards,
>
>Guido
>
>On the 02nd of January 2017 18:55:07 CET, Chris PeBenito
><pebenito@ieee.org>
>wrote:
>>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>> Hello again.
>>>
>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>> wrote:
>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>
>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>>
>>>>>> Originally the aim of this patch was to start securing the init
>>>>>> module so that it could run in confined mode instead of in the
>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>> the call to unconfined_domain().
>>>>>>
>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>> the moment, still gets added to the configuration file during
>>>>>> "make conf").
>>>>>>
>>>>>> Currently, this second version of the patch no longer removes the
>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>> the system boot).
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>>> ---
>>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>>> policy/modules/system/init.te | 7 +++++++
>>>>>> 3 files changed, 43 insertions(+)
>>>
>>> [...]
>>>
>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>> b/policy/modules/system/init.te
>>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>>> 23:12:47.784929729 +0100
>>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>>> 23:05:37.731451479 +0100
>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>> # Modify utmp.
>>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>
>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>> +kernel_mount_proc(init_t)
>>>>>> kernel_read_system_state(init_t)
>>>>>> kernel_share_state(init_t)
>>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>> corecmd_exec_chroot(init_t)
>>>>>> corecmd_exec_bin(init_t)
>>>>>>
>>>>>> +dev_mounton_sysfs(init_t)
>>>>>> +dev_mount_sysfs(init_t)
>>>>>> dev_read_sysfs(init_t)
>>>>>> # Early devtmpfs
>>>>>> dev_rw_generic_chr_files(init_t)
>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>> files_dontaudit_rw_root_files(init_t)
>>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>>
>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>> fs_list_inotifyfs(init_t)
>>>>>> # cjp: this may be related to /dev/log
>>>>>> fs_write_ramfs_sockets(init_t)
>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>> mls_process_write_all_levels(init_t)
>>>>>> mls_fd_use_all_levels(init_t)
>>>>>>
>>>>>> +selinux_load_policy(init_t)
>>>>>> +selinux_mount_fs(init_t)
>>>>>> selinux_set_all_booleans(init_t)
>>>>>>
>>>>>> term_use_all_terms(init_t)
>>>>>
>>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>>> loading
>>>>> the policy if is not loaded yet, so these permissions should be
>>>>> unnecessary.
>>>>
>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>
>>>> Perhaps, it is possible to get rid of the other similar permission
>>in
>>>> the kernel module, but surely not here, otherwise the system won't
>>>> boot
>>>> !
>>>
>>> How about this patch ?
>>>
>>> The selinux_load_policy() permission is absolutely necessary for the
>>> init_t domain, when using sysvinit.
>>
>>I still run sysvinit systems. It isn't.
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
^ permalink raw reply [flat|nested] 19+ messages in thread
* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2017-01-02 18:05 ` Guido Trentalancia
2017-01-02 18:13 ` Jason Zaman
@ 2017-01-02 18:19 ` Dominick Grift
2017-01-02 18:26 ` Guido Trentalancia
1 sibling, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2017-01-02 18:19 UTC (permalink / raw)
To: refpolicy
On 01/02/2017 07:05 PM, Guido Trentalancia via refpolicy wrote:
> On systems using sysvinit and not using initramfs, the init daemon from sysvinit needs to load the policy or it aborts the system initalization!
How does that work? The policy is obviously already loaded because else
you would not need this permission. So it is "re-loading" the policy?
Allowing init to load_policy is not a good idea IMHO
>
> The call to selinux_init_load_policy is in the latest sysvinit source code at src/init.c.
>
> Regards,
>
> Guido
>
> On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>> On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>> Hello again.
>>>
>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>> wrote:
>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>
>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>>
>>>>>> Originally the aim of this patch was to start securing the init
>>>>>> module so that it could run in confined mode instead of in the
>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>> the call to unconfined_domain().
>>>>>>
>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>> the moment, still gets added to the configuration file during
>>>>>> "make conf").
>>>>>>
>>>>>> Currently, this second version of the patch no longer removes the
>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>> the system boot).
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>>> ---
>>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>>> policy/modules/system/init.te | 7 +++++++
>>>>>> 3 files changed, 43 insertions(+)
>>>
>>> [...]
>>>
>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>> b/policy/modules/system/init.te
>>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>>> 23:12:47.784929729 +0100
>>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>>> 23:05:37.731451479 +0100
>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>> # Modify utmp.
>>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>
>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>> +kernel_mount_proc(init_t)
>>>>>> kernel_read_system_state(init_t)
>>>>>> kernel_share_state(init_t)
>>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>> corecmd_exec_chroot(init_t)
>>>>>> corecmd_exec_bin(init_t)
>>>>>>
>>>>>> +dev_mounton_sysfs(init_t)
>>>>>> +dev_mount_sysfs(init_t)
>>>>>> dev_read_sysfs(init_t)
>>>>>> # Early devtmpfs
>>>>>> dev_rw_generic_chr_files(init_t)
>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>> files_dontaudit_rw_root_files(init_t)
>>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>>
>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>> fs_list_inotifyfs(init_t)
>>>>>> # cjp: this may be related to /dev/log
>>>>>> fs_write_ramfs_sockets(init_t)
>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>> mls_process_write_all_levels(init_t)
>>>>>> mls_fd_use_all_levels(init_t)
>>>>>>
>>>>>> +selinux_load_policy(init_t)
>>>>>> +selinux_mount_fs(init_t)
>>>>>> selinux_set_all_booleans(init_t)
>>>>>>
>>>>>> term_use_all_terms(init_t)
>>>>>
>>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>>> loading
>>>>> the policy if is not loaded yet, so these permissions should be
>>>>> unnecessary.
>>>>
>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>
>>>> Perhaps, it is possible to get rid of the other similar permission
>> in
>>>> the kernel module, but surely not here, otherwise the system won't
>>>> boot
>>>> !
>>>
>>> How about this patch ?
>>>
>>> The selinux_load_policy() permission is absolutely necessary for the
>>> init_t domain, when using sysvinit.
>>
>> I still run sysvinit systems. It isn't.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170102/7fdd76fd/attachment.bin
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
2017-01-02 18:19 ` Dominick Grift
@ 2017-01-02 18:26 ` Guido Trentalancia
0 siblings, 0 replies; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 18:26 UTC (permalink / raw)
To: refpolicy
On systems using initramfs and sysvinit that is a bug in refpolicy due to the missing selinux_get_fs_mount(init_t).
Regards,
Guido
On the 02nd of January 2017 19:19:22 CET, Dominick Grift via refpolicy <refpolicy@oss.tresys.com> wrote:
>On 01/02/2017 07:05 PM, Guido Trentalancia via refpolicy wrote:
>> On systems using sysvinit and not using initramfs, the init daemon
>from sysvinit needs to load the policy or it aborts the system
>initalization!
>
>How does that work? The policy is obviously already loaded because else
>you would not need this permission. So it is "re-loading" the policy?
>
>Allowing init to load_policy is not a good idea IMHO
>
>>
>> The call to selinux_init_load_policy is in the latest sysvinit source
>code at src/init.c.
>>
>> Regards,
>>
>> Guido
>>
>> On the 02nd of January 2017 18:55:07 CET, Chris PeBenito
><pebenito@ieee.org> wrote:
>>> On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>>> Hello again.
>>>>
>>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>>> wrote:
>>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>>
>>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>>
>>>>>>>
>>>>>>> Originally the aim of this patch was to start securing the init
>>>>>>> module so that it could run in confined mode instead of in the
>>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>>> the call to unconfined_domain().
>>>>>>>
>>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>>> the moment, still gets added to the configuration file during
>>>>>>> "make conf").
>>>>>>>
>>>>>>> Currently, this second version of the patch no longer removes
>the
>>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>>> the system boot).
>>>>>>>
>>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>>>> ---
>>>>>>> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>>>>>>> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
>>>>>>> policy/modules/system/init.te | 7 +++++++
>>>>>>> 3 files changed, 43 insertions(+)
>>>>
>>>> [...]
>>>>
>>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>>> b/policy/modules/system/init.te
>>>>>>> --- a/policy/modules/system/init.te 2016-12-22
>>>>>>> 23:12:47.784929729 +0100
>>>>>>> +++ b/policy/modules/system/init.te 2016-12-27
>>>>>>> 23:05:37.731451479 +0100
>>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>>> # Modify utmp.
>>>>>>> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>>
>>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>>> +kernel_mount_proc(init_t)
>>>>>>> kernel_read_system_state(init_t)
>>>>>>> kernel_share_state(init_t)
>>>>>>> kernel_dontaudit_search_unlabeled(init_t)
>>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>>> corecmd_exec_chroot(init_t)
>>>>>>> corecmd_exec_bin(init_t)
>>>>>>>
>>>>>>> +dev_mounton_sysfs(init_t)
>>>>>>> +dev_mount_sysfs(init_t)
>>>>>>> dev_read_sysfs(init_t)
>>>>>>> # Early devtmpfs
>>>>>>> dev_rw_generic_chr_files(init_t)
>>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>>> files_dontaudit_rw_root_files(init_t)
>>>>>>> files_dontaudit_rw_root_chr_files(init_t)
>>>>>>>
>>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>>> fs_list_inotifyfs(init_t)
>>>>>>> # cjp: this may be related to /dev/log
>>>>>>> fs_write_ramfs_sockets(init_t)
>>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>>> mls_process_write_all_levels(init_t)
>>>>>>> mls_fd_use_all_levels(init_t)
>>>>>>>
>>>>>>> +selinux_load_policy(init_t)
>>>>>>> +selinux_mount_fs(init_t)
>>>>>>> selinux_set_all_booleans(init_t)
>>>>>>>
>>>>>>> term_use_all_terms(init_t)
>>>>>>
>>>>>> I'm not clear why this is necessary. Sysvinit should only be
>>>>>> loading
>>>>>> the policy if is not loaded yet, so these permissions should be
>>>>>> unnecessary.
>>>>>
>>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>>
>>>>> Perhaps, it is possible to get rid of the other similar permission
>>> in
>>>>> the kernel module, but surely not here, otherwise the system won't
>>>>> boot
>>>>> !
>>>>
>>>> How about this patch ?
>>>>
>>>> The selinux_load_policy() permission is absolutely necessary for
>the
>>>> init_t domain, when using sysvinit.
>>>
>>> I still run sysvinit systems. It isn't.
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
^ permalink raw reply [flat|nested] 19+ messages in thread
* [refpolicy] [PATCH v3] init: support sysvinit
2016-12-28 20:45 ` [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") Guido Trentalancia
2016-12-30 19:24 ` Chris PeBenito
@ 2016-12-31 19:52 ` Guido Trentalancia
2017-01-02 0:04 ` [refpolicy] [PATCH v4] " Guido Trentalancia
1 sibling, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-31 19:52 UTC (permalink / raw)
To: refpolicy
Add permissions needed by sysvinit (most notably permissions to
read and load the SELinux policy).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 8 ++++++++
3 files changed, 44 insertions(+)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-31 20:22:50.106586282 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-31 20:22:50.157588150 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te 2016-12-31 20:24:06.184371379 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)
term_use_all_terms(init_t)
@@ -186,6 +193,7 @@ libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)
+seutil_read_bin_policy(init_t)
seutil_read_config(init_t)
miscfiles_read_localization(init_t)
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v4] init: support sysvinit
2016-12-31 19:52 ` [refpolicy] [PATCH v3] init: support sysvinit Guido Trentalancia
@ 2017-01-02 0:04 ` Guido Trentalancia
2017-01-02 21:11 ` [refpolicy] [PATCH v5] " Guido Trentalancia
0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 0:04 UTC (permalink / raw)
To: refpolicy
Add permissions needed by sysvinit (most notably permissions to
read and load the SELinux policy when not using the initramfs).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 14 ++++++++++++++
3 files changed, 50 insertions(+)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2017-01-02 00:53:06.394093456 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2017-01-02 00:53:06.411094078 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te 2017-01-02 01:00:14.377761326 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+kernel_mount_proc(init_t)
+kernel_mounton_proc_dirs(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
+dev_mount_sysfs(init_t)
+dev_mounton_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,13 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again
+selinux_get_fs_mount(init_t)
+# the following one is needed for sysvinit without initramfs
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)
term_use_all_terms(init_t)
@@ -186,6 +198,8 @@ libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)
+# the following one is needed for sysvinit without initramfs
+seutil_read_bin_policy(init_t)
seutil_read_config(init_t)
miscfiles_read_localization(init_t)
^ permalink raw reply [flat|nested] 19+ messages in thread* [refpolicy] [PATCH v5] init: support sysvinit
2017-01-02 0:04 ` [refpolicy] [PATCH v4] " Guido Trentalancia
@ 2017-01-02 21:11 ` Guido Trentalancia
2017-01-04 0:36 ` Chris PeBenito
0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 21:11 UTC (permalink / raw)
To: refpolicy
Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.
Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te 2017-01-02 21:08:19.963436591 +0100
@@ -162,6 +162,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again when using the initramfs
+selinux_get_fs_mount(init_t)
selinux_set_all_booleans(init_t)
term_use_all_terms(init_t)
^ permalink raw reply [flat|nested] 19+ messages in thread
* [refpolicy] [PATCH v5] init: support sysvinit
2017-01-02 21:11 ` [refpolicy] [PATCH v5] " Guido Trentalancia
@ 2017-01-04 0:36 ` Chris PeBenito
0 siblings, 0 replies; 19+ messages in thread
From: Chris PeBenito @ 2017-01-04 0:36 UTC (permalink / raw)
To: refpolicy
On 01/02/17 16:11, Guido Trentalancia via refpolicy wrote:
> Add a permission needed for the correct functioning of sysvinit
> on systems using the initramfs.
>
> Without the selinux_get_fs_mount() interface call, the call to
> libselinux:is_selinux_enabled() fails and sysvinit tries to do
> the initial policy load again.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
> policy/modules/system/init.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te 2016-12-29 22:48:16.456818544 +0100
> +++ b/policy/modules/system/init.te 2017-01-02 21:08:19.963436591 +0100
> @@ -162,6 +162,7 @@ files_exec_etc_files(init_t)
> files_dontaudit_rw_root_files(init_t)
> files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
> @@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t)
> mls_process_write_all_levels(init_t)
> mls_fd_use_all_levels(init_t)
>
> +# the following one is needed for libselinux:is_selinux_enabled()
> +# otherwise the call fails and sysvinit tries to load the policy
> +# again when using the initramfs
> +selinux_get_fs_mount(init_t)
> selinux_set_all_booleans(init_t)
>
> term_use_all_terms(init_t)
Merged.
--
Chris PeBenito
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2017-01-04 0:36 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-12-27 22:16 [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call Guido Trentalancia
2016-12-27 22:38 ` Luis Ressel
2016-12-27 22:54 ` Guido Trentalancia
2016-12-27 23:02 ` Luis Ressel
2016-12-28 20:45 ` [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") Guido Trentalancia
2016-12-30 19:24 ` Chris PeBenito
2016-12-30 21:10 ` Guido Trentalancia
2016-12-30 21:13 ` Dominick Grift
2016-12-31 17:42 ` Guido Trentalancia
2017-01-02 17:55 ` Chris PeBenito
2017-01-02 18:05 ` Guido Trentalancia
2017-01-02 18:13 ` Jason Zaman
2017-01-02 18:19 ` Guido Trentalancia
2017-01-02 18:19 ` Dominick Grift
2017-01-02 18:26 ` Guido Trentalancia
2016-12-31 19:52 ` [refpolicy] [PATCH v3] init: support sysvinit Guido Trentalancia
2017-01-02 0:04 ` [refpolicy] [PATCH v4] " Guido Trentalancia
2017-01-02 21:11 ` [refpolicy] [PATCH v5] " Guido Trentalancia
2017-01-04 0:36 ` Chris PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.