* [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
As of util-linux-ng 2.18, the mount utility now attempts to write to the root
of newly mounted filesystems. It does this in an attempt to ensure that the
r/w status of a filesystem as shown in mtab is correct. To detect whether
a filesystem is r/w, mount calls access() with the W_OK argument. This
results in an AVC denial with current policy. As a fallback, mount also
attempts to modify the access time of the directory being mounted on if
the call to access() fails. As mount already possesses the necessary
privileges, the modification of the access time succeeds (at least on systems
with the futimens() function, which has existed in Linux since kernel 2.6.22
and glibc since version 2.6, or about July 2007).
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 99482ca..15a7bef 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3704,6 +3704,24 @@ interface(`dev_write_sysfs_dirs',`
########################################
## <summary>
+## Do not audit attempts to write in a sysfs directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:dir write;
+')
+
+########################################
+## <summary>
## Read hardware state information.
## </summary>
## <desc>
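Review bot: the summary wording "write in a sysfs directory" does not match the phrasing the rest of this series uses for the same kind of interface ("Do not audit attempts to write tmpfs directories", "... write kernel debugging filesystem dirs"); "Do not audit attempts to write sysfs directories." keeps the new interface consistent with its siblings and with the dev_write_sysfs_dirs interface it is placed after. The gen_require block and the single dir write dontaudit are otherwise what that placement implies.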
--
1.7.3.2
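The two-step read-write probe the commit message attributes to mount, written out as an added example: this is the editor's own illustration, not mount's source, and the function and constant names (probe_via_access, probe_via_atime, is_readonly, PROBE_*) are assumed. It shows why an SELinux denial of dir:write on access() is not taken as proof of a read-only filesystem, and why the atime fallback still gives mount the right answer.

```c
/* Added example (editor's illustration, not mount's source): the two-step
 * read-write probe described in the commit message. Names are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

enum { PROBE_RW = 0, PROBE_RO = 1, PROBE_UNKNOWN = -1 };

/* Step 1: access(W_OK). A denied SELinux dir:write surfaces as EACCES,
 * not EROFS, so only EROFS is taken as proof that the filesystem is
 * read-only; any other failure leaves the question open. */
int probe_via_access(const char *dir)
{
    if (access(dir, W_OK) == 0)
        return PROBE_RW;
    return errno == EROFS ? PROBE_RO : PROBE_UNKNOWN;
}

/* Step 2: touch only the atime (mtime omitted) with futimens(). A
 * read-only mount answers EROFS; a writable one accepts the update. */
int probe_via_atime(const char *dir)
{
    struct timespec ts[2] = { { 0, UTIME_NOW }, { 0, UTIME_OMIT } };
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return PROBE_UNKNOWN;
    int rc = futimens(fd, ts);
    int err = errno;
    close(fd);
    if (rc == 0)
        return PROBE_RW;
    return err == EROFS ? PROBE_RO : PROBE_UNKNOWN;
}

/* Combined probe: the atime fallback runs only when access() was
 * inconclusive, which is exactly what the AVC denial produces. */
int is_readonly(const char *dir)
{
    int r = probe_via_access(dir);
    return r != PROBE_UNKNOWN ? r : probe_via_atime(dir);
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/";
    int r = is_readonly(dir);
    printf("%s: %s\n", dir, r == PROBE_RO ? "ro" : r == PROBE_RW ? "rw" : "unknown");
    return 0;
}
```

Run it against a mount point on an SELinux-enforcing host with mount's domain lacking dir write to see the first step fail with EACCES and the second step still resolve the r/w status, which is the sequence the dontaudit rules in this series silence.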
* [refpolicy] [PATCH 2/5] dontaudit mount writes to newly mounted filesystems
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/kernel/files.if | 20 +++++++++++++++++++-
1 files changed, 19 insertions(+), 1 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..8f69b85 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1463,7 +1463,25 @@ interface(`files_list_root',`
allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
')
-########################################
+#############################################################
+## <summary>
+## Do not audit attempts to write to / dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:dir write;
+')
+
+###################
## <summary>
## Do not audit attempts to write
## files in the root directory.
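Review bot: the separator lines in this hunk are inconsistent. The existing 40-character `########################################` is deleted and replaced by a 61-character `#############################################################`, and a 19-character `###################` is introduced before the next interface's summary. Leave the original separator line untouched and use the standard 40-character one for the new block, so the diff does not churn unrelated context and files.if keeps a single separator width. The new interface itself mirrors the files_dontaudit_write_root_files style that follows it.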
--
1.7.3.2
* [refpolicy] [PATCH 3/5] dontaudit mount writes to newly mounted filesystems
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 437a42a..b8714e5 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3791,6 +3791,25 @@ interface(`fs_manage_tmpfs_dirs',`
########################################
## <summary>
+## Do not audit attempts to write
+## tmpfs directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:dir write;
+')
+
+########################################
+## <summary>
## Create an object in a tmpfs filesystem, with a private
## type using a type transition.
## </summary>
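Review bot: the `domain` parameter summary reads "Domain allowed access." but this is a dontaudit interface that grants nothing; it should read "Domain to not audit." as the sysfs, root, debugfs and proc interfaces in this series do. The interface summary is also missing its terminating period ("tmpfs directories" should be "tmpfs directories.").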
--
1.7.3.2
* [refpolicy] [PATCH 4/5] dontaudit mount writes to newly mounted filesystems
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/kernel/kernel.if | 37 +++++++++++++++++++++++++++++++++++++
1 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index ed7667a..9d6df6d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -678,6 +678,24 @@ interface(`kernel_dontaudit_search_debugfs',`
########################################
## <summary>
+## Do not audit attempts to write kernel debugging filesystem dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_debugfs_dirs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ dontaudit $1 debugfs_t:dir write;
+')
+
+########################################
+## <summary>
## Read information from the debugging filesystem.
## </summary>
## <param name="domain">
@@ -807,6 +825,25 @@ interface(`kernel_dontaudit_list_proc',`
########################################
## <summary>
+## Do not audit attempts to write the
+## directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:dir write;
+')
+
+########################################
+## <summary>
## Get the attributes of files in /proc.
## </summary>
## <param name="domain">
--
1.7.3.2
* [refpolicy] [PATCH 5/5] dontaudit mount writes to newly mounted filesystems
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/system/mount.te | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..9d83898 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -49,16 +49,21 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
+kernel_dontaudit_write_debugfs_dirs(mount_t)
+kernel_dontaudit_write_proc_dirs(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_read_sysfs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
+dev_dontaudit_write_sysfs_dirs(mount_t)
dev_getattr_sound_dev(mount_t)
+
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)
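Review bot: `dev_read_sysfs(mount_t)` is an allow rule, not a dontaudit, yet the series subject and the commit message only describe silencing the write denials caused by mount's access() probe. A new read permission on sysfs for the mount domain should say which mount operation needs it, or go in its own patch so it can be reviewed on its own merits. The extra blank line added after `dev_getattr_sound_dev(mount_t)` is also unrelated whitespace churn.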
@@ -80,6 +85,7 @@ files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
+files_dontaudit_write_root_dirs(mount_t)
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
@@ -90,6 +96,7 @@ fs_relabelfrom_all_fs(mount_t)
fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
+fs_dontaudit_write_tmpfs_dirs(mount_t)
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
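Review bot: with this hunk the series silences dir write denials on tmpfs, sysfs, debugfs, proc and the root directory only, but the commit message says mount now probes the root of every newly mounted filesystem, so mounting any other filesystem type will still raise the same access() denial. Either state why these five types are sufficient, or consider a dontaudit that covers directories of all filesystem types the mount domain can mount.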
--
1.7.3.2
* [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems
From: Christopher J. PeBenito @ 2010-11-11 14:59 UTC
To: refpolicy
On 11/08/10 20:25, Chris Richards wrote:
> As of util-linux-ng 2.18, the mount utility now attempts to write to the root
> of newly mounted filesystems. It does this in an attempt to ensure that the
> r/w status of a filesystem as shown in mtab is correct. To detect whether
> a filesystem is r/w, mount calls access() with the W_OK argument. This
> results in an AVC denial with current policy. As a fallback, mount also
> attempts to modify the access time of the directory being mounted on if
> the call to access() fails. As mount already possesses the necessary
> privileges, the modification of the access time succeeds (at least on systems
> with the futimens() function, which has existed in Linux since kernel 2.6.22
> and glibc since version 2.6, or about July 2007).
This set is merged, with a few trivial tweaks.
> Signed-off-by: Chris Richards <gizmo@giz-works.com>
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> 1 files changed, 18 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 99482ca..15a7bef 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3704,6 +3704,24 @@ interface(`dev_write_sysfs_dirs',`
>
> ########################################
> ## <summary>
> +## Do not audit attempts to write in a sysfs directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_dontaudit_write_sysfs_dirs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + dontaudit $1 sysfs_t:dir write;
> +')
> +
> +########################################
> +## <summary>
> ## Read hardware state information.
> ## </summary>
> ## <desc>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com