From: Daniel J Walsh <dwalsh@redhat.com>
To: Chris PeBenito <pebenito@gentoo.org>
Cc: david@hardeman.nu, selinux@tycho.nsa.gov
Subject: Re: [refpolicy-patch 14/23] rhgb policy update
Date: Wed, 23 Jul 2008 20:24:08 -0400	[thread overview]
Message-ID: <4887CBA8.2020801@redhat.com> (raw)
In-Reply-To: <1216758563.4954.35.camel@defiant.pebenito.net>

[-- Attachment #1: Type: text/plain, Size: 1820 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris PeBenito wrote:
> On Sat, 2008-07-19 at 22:50 +0200, david@hardeman.nu wrote:
>> plain text document attachment (policy_modules_services_rhgb.patch)
>> rhgb (RedHat Graphical Boot) is RH specific so this should be uncontroversial...
>>
>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.5.0/policy/modules/services/rhgb.if
>> --- nsaserefpolicy/policy/modules/services/rhgb.if	2008-07-10 11:38:46.000000000 -0400
>> +++ serefpolicy-3.5.0/policy/modules/services/rhgb.if	2008-07-15 14:05:13.000000000 -0400
>> @@ -4,7 +4,7 @@
>>  ## <summary>
>>  ##	RHGB stub interface.  No access allowed.
>>  ## </summary>
>> -## <param name="domain" unused="true">
>> +## <param name="domain">
>>  ##	<summary>
>>  ##	N/A
>>  ##	</summary>
> 
> This reverses an upstream change.
> 
>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.5.0/policy/modules/services/rhgb.te
>> --- nsaserefpolicy/policy/modules/services/rhgb.te	2008-07-10 11:38:46.000000000 -0400
>> +++ serefpolicy-3.5.0/policy/modules/services/rhgb.te	2008-07-15 14:05:13.000000000 -0400
>> @@ -92,6 +92,7 @@
>>  term_getattr_pty_fs(rhgb_t)
>>  
>>  init_write_initctl(rhgb_t)
>> +init_chat(rhgb_t)
>>  
>>  libs_use_ld_so(rhgb_t)
>>  libs_use_shared_libs(rhgb_t)
> 
> This interface doesn't exist.
> 
Here is the patch I sent you a couple of weeks ago with the init_chat
patch.  This patch also includes the critical change to using labeled
initrc scripts.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkiHy6gACgkQrlYvE4MpobNo2gCgnDQuCMROpY8tO5+kJpKjgu2t
0hMAoIEKVK9/jQ8k+PM5sfAOxtNoHgCe
=Jiew
-----END PGP SIGNATURE-----

[-- Attachment #2: system_init.patch --]
[-- Type: text/plain, Size: 13510 bytes --]

--- nsaserefpolicy/policy/modules/system/init.fc	2008-06-12 23:25:07.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/system/init.fc	2008-07-23 20:17:11.000000000 -0400
@@ -4,8 +4,7 @@
 /etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/etc/rc\.d/rc\.sysinit	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/etc/rc\.d/rc\.local	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
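Review bot: The new pattern `/etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)` labels every regular file under /etc/rc.d whose name starts with `rc.` as initrc_exec_t, not just rc.sysinit and rc.local, so stray copies such as editor backups or `.rpmsave`/`.rpmnew` files also become init script entry points for every domain granted init_exec_script_files or one of the domtrans interfaces. If only the known scripts are intended, keep the two explicit entries that the hunk removes. If any `rc.*` helper is meant to be covered, a comment above the entry such as `# any rc.* helper under /etc/rc.d is an initrc entry point` would record that decision for the next reviewer.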
--- nsaserefpolicy/policy/modules/system/init.if	2008-07-16 10:26:25.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/system/init.if	2008-07-23 20:17:11.000000000 -0400
@@ -211,6 +211,19 @@
 			kernel_dontaudit_use_fds($1)
 		')
 	')
+
+	sysadm_dontaudit_search_home_dirs($1)
+
+	tunable_policy(`allow_daemons_use_tty',`
+	   term_use_all_user_ttys($1)
+	   term_use_all_user_ptys($1)
+	', `
+	   term_dontaudit_use_all_user_ttys($1)
+	   term_dontaudit_use_all_user_ptys($1)
+	 ')
+
+	 # these apps are often redirect output to random log files
+	 logging_rw_all_logs($1)
 ')
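Review bot: The unconditional `logging_rw_all_logs($1)` on the last added line gives every domain built through this interface read and write access to all log files, which lets any single daemon alter or truncate the logs of every other service and weakens log integrity for incident response; the same patch gives the `daemon` attribute only `logging_append_all_logs(daemon)` at the end of init.te, so the two grants disagree. Prefer the append-only form here as well, `logging_append_all_logs($1)`, or place the write grant behind a tunable the way the tty access just above it is gated. The enclosing interface begins before this hunk, so which domains receive the grant cannot be confirmed from the hunk alone. The comment on the added line also reads better as `# these daemons often redirect their output to arbitrary log files`.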
 
 ########################################
@@ -550,18 +563,19 @@
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
+	spec_domtrans_pattern($1,initscript,initrc_t)
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 initscript:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 initscript:process s0 - mls_systemhigh;
 	')
 ')
 
@@ -577,19 +591,66 @@
 #
 interface(`init_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute initscript;
+	')
+
+	files_list_etc($1)
+	domtrans_pattern($1,initscript,initrc_t)
+
+	ifdef(`enable_mcs',`
+		range_transition $1 initscript:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 initscript:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
+##	Execute init a specific script with an automatic domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_script_domtrans_spec',`
+	gen_require(`
+		type initrc_t;
 	')
 
 	files_list_etc($1)
-	domtrans_pattern($1,initrc_exec_t,initrc_t)
+	domtrans_pattern($1,$2,initrc_t)
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 $2:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 $2:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
+##	Execute a file in a bin directory
+##	in the initrc_t domain 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+	gen_require(`
+		type initrc_t;
 	')
+
+	corecmd_bin_domtrans($1, initrc_t)
 ')
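Review bot: init_script_domtrans_spec takes a second argument (`domtrans_pattern($1,$2,initrc_t)` and the two range_transition lines) but its header documents only `domain`, so the generated interface documentation will not show what `$2` is; add `## <param name="entrypoint">` / `##	<summary>Entry point type of the script to execute.</summary>` / `## </param>` after the existing param block, and reword the summary to `Execute a specific init script with an automatic domain transition`. In init_bin_domtrans_spec, `corecmd_bin_domtrans($1, initrc_t)` moves every bin directory executable run by the caller into initrc_t, one of the most privileged domains in the policy, rather than a particular script; its summary should say that the transition covers all bin executables so that callers understand the scope they are granting.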
 
 ########################################
@@ -619,11 +680,11 @@
 # cjp: added for gentoo integrated run_init
 interface(`init_script_file_domtrans',`
 	gen_require(`
-		type initrc_exec_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	domain_auto_trans($1,initrc_exec_t,$2)
+	domain_auto_trans($1,initscript,$2)
 ')
 
 ########################################
@@ -694,11 +755,11 @@
 #
 interface(`init_getattr_script_files',`
 	gen_require(`
-		type initrc_exec_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	allow $1 initrc_exec_t:file getattr;
+	allow $1 initscript:file getattr;
 ')
 
 ########################################
@@ -713,11 +774,11 @@
 #
 interface(`init_exec_script_files',`
 	gen_require(`
-		type initrc_exec_t;
+		attribute initscript;
 	')
 
 	files_list_etc($1)
-	can_exec($1,initrc_exec_t)
+	can_exec($1,initscript)
 ')
 
 ########################################
@@ -941,6 +1002,7 @@
 
 	dontaudit $1 initrc_t:unix_stream_socket connectto;
 ')
+
 ########################################
 ## <summary>
 ##	Send messages to init scripts over dbus.
@@ -1040,11 +1102,11 @@
 #
 interface(`init_read_script_files',`
 	gen_require(`
-		type initrc_exec_t;
+		attribute initscript;
 	')
 
 	files_search_etc($1)
-	allow $1 initrc_exec_t:file read_file_perms;
+	allow $1 initscript:file read_file_perms;
 ')
 
 ########################################
@@ -1107,6 +1169,25 @@
 
 ########################################
 ## <summary>
+##	Read init script temporary data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_script_tmp_files',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1,initrc_tmp_t,initrc_tmp_t)
+')
+
+########################################
+## <summary>
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
@@ -1262,7 +1343,7 @@
 		type initrc_var_run_t;
 	')
 
-	dontaudit $1 initrc_var_run_t:file { getattr read write append };
+	dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -1283,3 +1364,113 @@
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file manage_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_init_state',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	allow $1 init_t:dir search_dir_perms;
+	allow $1 init_t:file read_file_perms;
+	allow $1 init_t:lnk_file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Ptrace init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace_init_domain',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	allow $1 init_t:process ptrace;
+')
+
+########################################
+## <summary>
+##	Make the specified type usable for initscripts
+##	in a filesystem.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+#
+interface(`init_script_type',`
+	gen_require(`
+		type initrc_t;
+		attribute initscript;
+	')
+
+	typeattribute $1 initscript;
+	domain_entry_file(initrc_t,$1)
+
+')
+
+########################################
+## <summary>
+##	Transition to system_r when execute an init script
+## </summary>
+## <desc>
+##      <p>
+##	Execute a init script in a specified role
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_role">
+##	<summary>
+##	Role to transition from.
+##	</summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_role_transition',`
+	gen_require(`
+		attribute initscript;
+	')
+
+	role_transition $1 initscript system_r;
+')
+
+########################################
+## <summary>
+##	Send and receive unix_stream_messages with 
+##	init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_chat',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_dgram_socket sendto;
+	allow init_t $1:unix_dgram_socket sendto;
+')
+
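Review bot: init_read_init_state and init_ptrace_init_domain require `attribute init_t;` while init_chat at the bottom of the same hunk requires `type init_t;`; init_t is the domain type of the init process, not an attribute, so the first two require blocks look wrong and would presumably fail when the module is linked — change both to `type init_t;`. init_ptrace_init_domain hands out `allow $1 init_t:process ptrace;`, which is effectively control over PID 1 and far stronger than the /proc read access of the interface above it; the `<rolecap/>` marker makes it an admin capability, but its summary `Ptrace init` should state that consequence so reviewers of callers see the scope. Minor: init_script_type has a stray blank line before its closing `')`.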
--- nsaserefpolicy/policy/modules/system/init.te	2008-07-16 10:33:56.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/system/init.te	2008-07-23 20:17:11.000000000 -0400
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart,false)
 
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty,false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core,false)
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
@@ -26,6 +40,8 @@
 # Mark process types as daemons
 attribute daemon;
 
+attribute initscript;
+
 #
 # init_t is the domain of the init process.
 #
@@ -52,7 +68,7 @@
 mls_trusted_object(initctl_t)
 
 type initrc_t;
-type initrc_exec_t;
+type initrc_exec_t, initscript;
 domain_type(initrc_t)
 domain_entry_file(initrc_t,initrc_exec_t)
 role system_r types initrc_t;
@@ -84,7 +100,7 @@
 #
 
 # Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
 # is ~sys_module really needed? observed: 
 # sys_boot
 # sys_tty_config
@@ -97,7 +113,7 @@
 # Re-exec itself
 can_exec(init_t,init_exec_t)
 
-allow init_t initrc_t:unix_stream_socket connectto;
+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
 # For /var/run/shutdown.pid.
 allow init_t init_var_run_t:file manage_file_perms;
@@ -113,6 +129,8 @@
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 
+fs_list_inotifyfs(init_t)
+
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
@@ -165,6 +183,8 @@
 
 miscfiles_read_localization(init_t)
 
+allow init_t self:process setsched;
+
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
 ')
@@ -187,6 +207,14 @@
 ')
 
 optional_policy(`
+	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+	# the directory. But we do not want to allow this.
+	# The master process of dovecot will manage this file.
+	dovecot_dontaudit_unlink_lib_files(initrc_t)
+')
+
+optional_policy(`
 	nscd_socket_use(init_t)
 ')
 
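Review bot: `dovecot_dontaudit_unlink_lib_files(initrc_t)` is inserted into the init_t rule block (its neighbour is `nscd_socket_use(init_t)`), while the rule's subject is initrc_t; refpolicy groups rules by subject domain, so this optional_policy block belongs with the other per-service blocks in the initrc_t section later in the file. The comment says "init tries to clean up the directory", which does not match the initrc_t subject — confirm which domain actually produces the denial before moving the block.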
@@ -200,7 +228,7 @@
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 
@@ -214,10 +242,10 @@
 allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
 term_create_pty(initrc_t,initrc_devpts_t)
 
-# Going to single user mode
-init_exec(initrc_t)
+init_telinit(initrc_t)
+init_chat(initrc_t)
 
-can_exec(initrc_t,initrc_exec_t)
+can_exec(initrc_t,initscript)
 
 manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
 manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
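Review bot: Replacing `init_exec(initrc_t)` with `init_telinit(initrc_t)` and `init_chat(initrc_t)` drops the comment `# Going to single user mode`, which was the only explanation of why initrc_t needs to talk to init; keep it above the init_telinit line. init_telinit is not defined anywhere in the init.if part of this patch, so it is presumably an existing upstream interface — worth confirming against the refpolicy version targeted, given that the rhgb hunk earlier in this thread depended on an interface that did not exist.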
@@ -270,7 +298,7 @@
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
-dev_read_lvm_control(initrc_t)
+dev_rw_lvm_control(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
@@ -515,6 +543,31 @@
 	')
 ')
 
+domain_dontaudit_use_interactive_fds(daemon)
+
+sysadm_dontaudit_search_home_dirs(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+	term_use_unallocated_ttys(daemon)
+	term_use_generic_ptys(daemon)
+	term_use_all_user_ttys(daemon)
+	term_use_all_user_ptys(daemon)
+', `
+	term_dontaudit_use_unallocated_ttys(daemon)
+	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_user_ttys(daemon)
+	term_dontaudit_use_all_user_ptys(daemon)
+ ')
+ 
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+	files_dump_core(daemon)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(daemon)
+')
+ 
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
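Review bot: The comment `# system-config-services causes avc messages that should be dontaudited` sits directly above the `allow_daemons_dump_core` tunable, whose body `files_dump_core(daemon)` is an allow rule, not a dontaudit; it appears to describe the `unconfined_dontaudit_rw_pipes(daemon)` block below it and should move there. When the tunable is on, every daemon may write core files into /, and a core file of a crashed daemon can carry in-memory secrets, so the tunable description added in the first init.te hunk should mention that exposure rather than only "write corefiles to /". Also the closing `')` of the tty tunable and the blank line after it carry a stray leading space, unlike the rest of the file.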
@@ -573,6 +626,10 @@
 	dbus_read_config(initrc_t)
 
 	optional_policy(`
+		consolekit_dbus_chat(initrc_t)
+	')
+
+	optional_policy(`
 		networkmanager_dbus_chat(initrc_t)
 	')
 ')
@@ -658,12 +715,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
-# cjp: require doesnt work in the else of optionals :\
-# this also would result in a type transition
-# conflict if sendmail is enabled
-#optional_policy(`',`
-#	mta_send_mail(initrc_t)
-#')
 
 optional_policy(`
 	ifdef(`distro_redhat',`
@@ -724,6 +775,9 @@
 
 	# why is this needed:
 	rpm_manage_db(initrc_t)
+	# Allow SELinux aware applications to request rpm_script_t execution
+	rpm_transition_script(initrc_t)
+
 ')
 
 optional_policy(`
@@ -736,9 +790,11 @@
 	squid_manage_logs(initrc_t)
 ')
 
-optional_policy(`
-	# allow init scripts to su
-	su_restricted_domain_template(initrc,initrc_t,system_r)
+ifndef(`targeted_policy',`
+	optional_policy(`
+		# allow init scripts to su
+		su_restricted_domain_template(initrc,initrc_t,system_r)
+	')
 ')
 
 optional_policy(`
@@ -757,6 +813,11 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
 
+# Cron jobs used to start and stop services
+optional_policy(`
+	cron_rw_pipes(daemon)
+')
+
 optional_policy(`
 	unconfined_domain(initrc_t)
 
@@ -771,6 +832,10 @@
 ')
 
 optional_policy(`
+	rpm_dontaudit_rw_pipes(daemon)
+')
+
+optional_policy(`
 	vmware_read_system_config(initrc_t)
 	vmware_append_system_config(initrc_t)
 ')
@@ -793,3 +858,8 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
+
+unprivuser_append_home_content_files(daemon)
+unprivuser_write_tmp_files(daemon)
+logging_append_all_logs(daemon)
+
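Review bot: The three unconditional grants appended at the end of the file — `unprivuser_append_home_content_files(daemon)`, `unprivuser_write_tmp_files(daemon)`, `logging_append_all_logs(daemon)` — give every daemon domain write access into unprivileged users' home content and tmp files, which crosses the system/user boundary the daemon attribute otherwise keeps: a compromised daemon could then append to user-owned configuration files. If only a few services need this, grant it from their own modules; otherwise gate it behind a tunable like the tty and core-dump grants earlier in this patch and add a comment naming the daemons that need it. `logging_append_all_logs(daemon)` also overlaps with the `logging_rw_all_logs($1)` added to the init.if interface in this same patch; one of the two is redundant, and the rw grant is the broader one.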

[-- Attachment #3: system_init.patch.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]
