* Changes to init for policy
@ 2007-02-20 17:00 Daniel J Walsh
  2007-02-26 19:16 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Daniel J Walsh @ 2007-02-20 17:00 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 271 bytes --]

Added init_exec to init_telinit interface

Added daemon attribute so we can add general rules around daemons, such as
allowing or disallowing daemons to talk to terminals.

ricci_modservice needs to be able to manipulate initrc_exec_t scripts.

Remove strict policy ifdef.



[-- Attachment #2: nsaserefpolicy_policy_modules_system_init.patch --]
[-- Type: text/x-patch, Size: 3267 bytes --]

--- nsaserefpolicy/policy/modules/system/init.if	2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.4/policy/modules/system/init.if	2007-02-20 10:24:13.000000000 -0500
@@ -202,11 +202,14 @@
 	gen_require(`
 		type initrc_t;
 		role system_r;
+		attribute daemon;
 	')
 
 	domain_type($1)
 	domain_entry_file($1,$2)
 
+	typeattribute $1 daemon;
+
 	role system_r types $1;
 
 	domtrans_pattern(initrc_t,$2,$1)
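Review bot: The interface's header comment is not updated for the new `typeattribute $1 daemon;` side effect, so a caller cannot tell that every domain passed here now picks up whatever rules are written against `daemon`. The interface starts and ends outside this hunk, so its current summary is not visible; I would add a sentence such as `##	The domain is also assigned the daemon attribute.` to its description block. This matters because the init.te hunks later in the patch attach terminal, pipe and core-dump rules to that attribute.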
@@ -489,6 +492,7 @@
 
 	dev_list_all_dev_nodes($1)
 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+	can_exec($1,init_exec_t)
 ')
 
 ########################################
@@ -1275,3 +1279,62 @@
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file manage_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_create_script_files',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_etc_filetrans($1, initrc_exec_t, file)
+	allow $1 initrc_exec_t:file create_file_perms;
+	allow $1 initrc_exec_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_init_state',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	allow $1 init_t:dir search_dir_perms;
+	read_files_pattern($1,init_t, init_t)
+	read_lnk_files_pattern($1,init_t, init_t)
+')
+
+########################################
+## <summary>
+##	Ptrace init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace_init_domain',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	allow $1 init_t:process ptrace;
+')
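Review bot: Both `init_read_init_state` and `init_ptrace_init_domain` require `attribute init_t;`, yet the rules below them use init_t as a type (`allow $1 init_t:process ptrace;`) and, as far as I know, init.te declares it with `type`, so both requires should read `type init_t;`. The summary on `init_create_script_files` says "Read init scripts." while the body grants `files_etc_filetrans` and `create_file_perms`; it should say something like `Create init script files in /etc with the init script type.`. The ptrace interface hands the caller control over PID 1, so its two-word summary deserves a sentence stating that, so it is not granted casually.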
--- nsaserefpolicy/policy/modules/system/init.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.4/policy/modules/system/init.te	2007-02-20 10:27:56.000000000 -0500
@@ -205,8 +205,7 @@
 allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
 term_create_pty(initrc_t,initrc_devpts_t)
 
-# Going to single user mode
-init_exec(initrc_t)
+init_telinit(initrc_t)
 
 can_exec(initrc_t,initrc_exec_t)
 
@@ -500,6 +502,12 @@
 	')
 ')
 
+optional_policy(`
+	rhgb_use_ptys(daemon)
+')
+
+domain_dontaudit_use_interactive_fds(daemon)
+
 ifdef(`targeted_policy',`
 	domain_subj_id_change_exemption(initrc_t)
 	unconfined_domain(initrc_t)
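Review bot: `domain_dontaudit_use_interactive_fds(daemon)` sits outside every conditional, so it silences these denials for all daemon domains in every policy build, and nothing in the file says why. A dontaudit on an attribute this wide removes AVC records that can be the first sign of a daemon holding a descriptor it should not have. I would add a comment giving the reason, for example `# daemons inherit fds from the session that started them; the denials are noise` if that is the intent, or narrow the rule to the domains that need it. The `rhgb_use_ptys(daemon)` block above it has no comment either.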
@@ -512,11 +520,21 @@
 	tunable_policy(`allow_daemons_use_tty',`
 		term_use_unallocated_ttys(daemon)
 		term_use_generic_ptys(daemon)
-	')
-
+ 		unconfined_rw_pipes(daemon)
+ 	', `
+ 		# system-config-services causes avc messages that should be dontaudited
+ 		unconfined_dontaudit_rw_pipes(daemon)
+ 
+ 	')
+ 
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
+
+ 	tunable_policy(`allow_daemons_dump_core',`
+ 		files_dump_core(daemon)
+  	')
+
 ',`
 	# cjp: require doesnt work in the else of optionals :\
 	# this also would result in a type transition
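Review bot: `unconfined_rw_pipes(daemon)` is placed under the `allow_daemons_use_tty` tunable, so an administrator who enables the boolean for terminal access also gives every daemon read/write on unconfined pipes, which the boolean's name does not suggest. I would move the pipe rule to its own tunable, or at least comment it, e.g. `# also covers pipes inherited from unconfined_t (system-config-services)`. `allow_daemons_dump_core` is used here but no `gen_tunable` for it appears in the visible hunks, so confirm it is declared. The added lines also begin with a space before the tabs, unlike the surrounding code. The `ifdef` else-branch continues outside the hunk.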
@@ -727,6 +745,9 @@
 
 	# why is this needed:
 	rpm_manage_db(initrc_t)
+	# Allow SELinux aware applications to request rpm_script_t execution
+	rpm_transition_script(initrc_t)
+
 ')
 
 optional_policy(`
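Review bot: The added comment restates what `rpm_transition_script` does in general but not why initrc_t needs it, and it lands directly under an existing `# why is this needed:`, so the block now carries two unexplained rpm grants. Going by the comment, this appears to let init scripts request execution in rpm_script_t, which is a wide grant. The comment should name the init script or service that requires it, e.g. `# <service name> runs rpm scriptlets from its init script` with the real name filled in. The `optional_policy` block opens outside the hunk.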


* Re: Changes to init for policy
  2007-02-20 17:00 Changes to init for policy Daniel J Walsh
@ 2007-02-26 19:16 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2007-02-26 19:16 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Tue, 2007-02-20 at 12:00 -0500, Daniel J Walsh wrote:
> Added init_exec to init_telinit interface

I added init_exec(); the patch had can_exec($1,init_exec_t).

> Added daemon attribute so we can add general rules around daemons.  Like 
> allowing/disallowing
> daemons to talk to terminals.

I think we want a slightly broader one that can cover services from
inetd too.  I suspect this and the application concept could potentially
be put in the same module.

> ricci_modservice needs to be able to manipulate initrc_exec_t scripts.

These interfaces should be grouped with that change.

> Remove strict policy ifdef.

Not sure what this refers to.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

