From: mgrepl@redhat.com (Miroslav Grepl)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
Date: Mon, 25 Jun 2012 10:24:24 +0200
Message-ID: <4FE82038.7070707@redhat.com>
In-Reply-To: <1340566929.8671.10.camel@x220.mydomain.internal>

On 06/24/2012 09:42 PM, Dominick Grift wrote:
> On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote:
>> Running dracut out of the sysadm_t domain doesn't (fully) work on a policy
>> without unconfined domains. The calls to depmod, whose output is then
>> directed to a tmp location, are denied through this. Instead of granting
>> depmod (and other tools) "manage" access to user_tmp_t, we create a separate
>> domain for dracut (called dracut_t) and grant these tools management
>> access to dracut_tmp_t.
>>
>> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
>> ---
>>   dracut.fc |    4 +++
>>   dracut.if |   69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>   dracut.te |   76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>   3 files changed, 149 insertions(+), 0 deletions(-)
>>   create mode 100644 dracut.fc
>>   create mode 100644 dracut.if
>>   create mode 100644 dracut.te
>>
>> diff --git a/dracut.fc b/dracut.fc
>> new file mode 100644
>> index 0000000..fca0d67
>> --- /dev/null
>> +++ b/dracut.fc
>> @@ -0,0 +1,4 @@
>> +#
>> +# /usr
>> +#
>> +/usr/(s)?bin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)
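
Review bot: The only file-context entry, "/usr/(s)?bin/dracut", matches
/usr/bin and /usr/sbin but nothing outside /usr, so a dracut binary
installed as /sbin/dracut would not get dracut_exec_t and
dracut_domtrans() would never trigger for it. If any supported layout
installs it there, add a matching /sbin entry. The capture group is also
unnecessary; "/usr/s?bin/dracut" matches the same two paths. Separately,
dracut.te declares dracut_var_log_t but this file carries no context for
the log file, so the type is only ever applied through the filetrans and
a relabel would reset it; an entry for the log path belongs here.
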
>> diff --git a/dracut.if b/dracut.if
>> new file mode 100644
>> index 0000000..929fffd
>> --- /dev/null
>> +++ b/dracut.if
>> @@ -0,0 +1,69 @@
>> +##<summary>Dracut initramfs creation tool</summary>
>> +
>> +########################################
>> +##<summary>
>> +##	Execute the dracut program in the dracut domain.
>> +##</summary>
>> +##<param name="domain">
>> +##	<summary>
>> +##	Domain allowed to transition.
>> +##	</summary>
>> +##</param>
>> +#
>> +interface(`dracut_domtrans',`
>> +	gen_require(`
>> +		type dracut_t, dracut_exec_t;
>> +	')
>> +
>> +	corecmd_search_bin($1)
>> +	domtrans_pattern($1, dracut_exec_t, dracut_t)
>> +')
>> +
>> +########################################
>> +##<summary>
>> +##	Execute dracut in the dracut domain, and
>> +##	allow the specified role the dracut domain.
>> +##</summary>
>> +##<param name="domain">
>> +##	<summary>
>> +##	Domain allowed to transition.
>> +##	</summary>
>> +##</param>
>> +##<param name="role">
>> +##	<summary>
>> +##	Role allowed access.
>> +##	</summary>
>> +##</param>
>> +#
>> +interface(`dracut_run',`
>> +	gen_require(`
>> +		type dracut_t;
>> +	')
>> +
>> +	dracut_domtrans($1)
>> +	role $2 types dracut_t;
>> +')
>> +
>> +########################################
>> +##<summary>
>> +## 	Allow domain to manage dracut temporary files
>> +##</summary>
>> +##<param name="domain">
>> +##	<summary>
>> +##		Domain allowed access.
>> +##	</summary>
>> +##</param>
>> +#
>> +interface(`dracut_manage_tmp_files',`
>> +	gen_require(`
>> +		type dracut_tmp_t;
>> +	')
>> +
>> +	files_search_var($1)
>> +	files_search_tmp($1)
>> +
>> +	manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
>> +	manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
>> +	read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
>> +')
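
Review bot: In dracut_manage_tmp_files() the name and the summary
promise access to files only, while the body also manages directories
(manage_dirs_pattern) and reads symlinks (read_lnk_files_pattern).
Either rename the interface and reword the summary so callers can see
the full grant, or split the directory and symlink access out. The doc
block for this interface also differs from the two above it: the summary
line starts with "## " followed by a tab, the param summary is indented
with two tabs, and the summary sentence has no trailing period.
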
> This isn't what it says it is. I would probably make it
> dracut_manage_tmp()
>
> Allow, and dracut in description is obvious, I would make it "Manage
> temporary content"
>
>> diff --git a/dracut.te b/dracut.te
>> new file mode 100644
>> index 0000000..4bd6cb3
>> --- /dev/null
>> +++ b/dracut.te
>> @@ -0,0 +1,76 @@
>> +policy_module(dracut, 1.0)
>> +
>> +type dracut_t;
>> +type dracut_exec_t;
>> +application_domain(dracut_t, dracut_exec_t)
>> +
>> +type dracut_var_log_t;
>> +logging_log_file(dracut_var_log_t)
>> +
>> +type dracut_tmp_t;
>> +files_tmp_file(dracut_tmp_t)
>> +
>> +########################################
>> +#
>> +# Local policy
>> +#
>> +allow dracut_t self:process setfscreate;
>> +allow dracut_t self:fifo_file rw_fifo_file_perms;
>> +allow dracut_t self:unix_stream_socket create_stream_socket_perms;
>> +
>> +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
>> +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
>> +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
>> +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
> I suspect not all these type transitions are needed.
>
>> +
>> +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
>> +logging_log_filetrans(dracut_t, dracut_var_log_t, file)
>> +
>> +kernel_read_system_state(dracut_t)
>> +
>> +corecmd_exec_bin(dracut_t)
>> +corecmd_exec_shell(dracut_t)
>> +corecmd_read_all_executables(dracut_t)
>> +
>> +dev_read_sysfs(dracut_t)
>> +
>> +domain_use_interactive_fds(dracut_t)
>> +
>> +files_create_kernel_img(dracut_t)
>> +files_read_etc_files(dracut_t)
>> +files_read_kernel_modules(dracut_t)
>> +files_read_usr_files(dracut_t)
>> +files_search_pids(dracut_t)
>> +
>> +fstools_exec(dracut_t)
>> +
>> +libs_domtrans_ldconfig(dracut_t)
>> +libs_exec_ld_so(dracut_t)
>> +libs_exec_lib_files(dracut_t)
>> +
>> +miscfiles_read_localization(dracut_t)
>> +
>> +modutils_exec_depmod(dracut_t)
>> +modutils_exec_insmod(dracut_t)
>> +modutils_list_module_config(dracut_t)
> Redundant; this is already allowed with modutils_read_module_config()
>
>> +modutils_read_module_config(dracut_t)
>> +modutils_read_module_deps(dracut_t)
>> +
>> +mount_exec(dracut_t)
>> +
>> +seutil_exec_setfiles(dracut_t)
> So you allow it to run setfiles in the dracut domain, but you don't allow
> the dracut domain to relabelfrom and -to anything?
I believe dracut should stay as an unconfined domain. Also you probably
will see other domains which want to execute dracut. And I would
think transitions will be needed rather than just executing apps in the
dracut domain.
>
>> +
>> +udev_exec(dracut_t)
>> +udev_read_rules_files(dracut_t)
>> +
>> +userdom_use_user_terminals(dracut_t)
>> +
>> +optional_policy(`
>> +	dmesg_exec(dracut_t)
>> +')
>> +
>> +optional_policy(`
>> +	lvm_exec(dracut_t)
>> +	lvm_read_config(dracut_t)
>> +')
>> +
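
Review bot: The helper calls in the second half of dracut.te
(fstools_exec, modutils_exec_depmod, modutils_exec_insmod, mount_exec,
seutil_exec_setfiles, udev_exec, lvm_exec) all run the tool inside
dracut_t rather than transitioning, yet the "Local policy" block grants
dracut_t nothing on self beyond setfscreate, fifo_file and
unix_stream_socket: there is no self:capability rule and no relabel
permission. Any helper step that needs a capability or a relabel will
therefore be denied in dracut_t. Please either add the specific
permissions with the AVC denials that justify them, or use the
corresponding domtrans interfaces so each helper runs in its own domain,
as is already done for ldconfig with libs_domtrans_ldconfig(). The
commit message also says depmod is granted access to dracut_tmp_t, which
only makes sense if depmod leaves dracut_t; with modutils_exec_depmod()
it does not. corecmd_read_all_executables(dracut_t) is broad as well; a
short comment on why dracut needs to read every executable type would
help.
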
