* [refpolicy] [PATCH v4 0/5] Updates on init scripts and udev (mainly /run related)
@ 2012-07-12 17:17 Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 1/5] Support log location for init script logging Sven Vermeulen
                   ` (4 more replies)
  0 siblings, 5 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-07-12 17:17 UTC (permalink / raw)
  To: refpolicy

This is a larger set of structured changes to the system
utilities. The main drivers are supporting the new /run location,
but some smaller changes have been incorporated as well.

Changes since v3
----------------
- Change udev_pid_filetrans_run_dirs to udev_generic_pid_filetrans_run_dirs

Sven Vermeulen (5):
  Support log location for init script logging
  Supporting interfaces for the /run changes
  Allow init scripts to populate /run location
  Prepare udev interfaces for /run usage
  Allow init scripts to create and manage (udev) /run location

 policy/modules/kernel/files.if |   61 +++++++++++++++++++++++++++++++++
 policy/modules/system/init.te  |   14 +++++++
 policy/modules/system/udev.if  |   74 +++++++++++++++++++++++++++++++++++++++-
 3 files changed, 148 insertions(+), 1 deletions(-)

-- 
1.7.8.6


* [refpolicy] [PATCH v4 1/5] Support log location for init script logging
  2012-07-12 17:17 [refpolicy] [PATCH v4 0/5] Updates on init scripts and udev (mainly /run related) Sven Vermeulen
@ 2012-07-12 17:17 ` Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 2/5] Supporting interfaces for the /run changes Sven Vermeulen
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-07-12 17:17 UTC (permalink / raw)
  To: refpolicy

Recent init script packages allow for logging init script progress (service
start/stop state information, sometimes even duration, etc.) so we introduce an
initrc_var_log_t logtype and allow initrc_t to manage this.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5fb9683..953d586 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -74,6 +74,9 @@ files_type(initrc_state_t)
 type initrc_tmp_t;
 files_tmp_file(initrc_tmp_t)
 
+type initrc_var_log_t;
+logging_log_file(initrc_var_log_t)
+
 type initrc_var_run_t;
 files_pid_file(initrc_var_run_t)
 
@@ -255,6 +258,10 @@ manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
 
+manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+logging_log_filetrans(initrc_t, initrc_var_log_t, dir)
+
 init_write_initctl(initrc_t)
 
 kernel_read_system_state(initrc_t)
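
Review bot: logging_log_filetrans(initrc_t, initrc_var_log_t, dir) in the second hunk is an unnamed, dir-only transition, so every directory initrc_t creates in the log location becomes initrc_var_log_t, including directories an init script creates on behalf of a service. The later patches in this series use named transitions ("lock", "openrc", "udev"); if the interface accepts a name, pass the directory name the init system actually uses. The diffstat also shows only init.te changed, so unless init.fc already carries an entry for the new type, a relabel will not preserve it; consider adding a file context in the same patch.
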
-- 
1.7.8.6


* [refpolicy] [PATCH v4 2/5] Supporting interfaces for the /run changes
  2012-07-12 17:17 [refpolicy] [PATCH v4 0/5] Updates on init scripts and udev (mainly /run related) Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 1/5] Support log location for init script logging Sven Vermeulen
@ 2012-07-12 17:17 ` Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 3/5] Allow init scripts to populate /run location Sven Vermeulen
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-07-12 17:17 UTC (permalink / raw)
  To: refpolicy

Since most distributions now support /run (which, thanks to the
file context substitutions, is marked as var_run_t), we need to update the
SELinux policies to support "dynamically" building up /run. Unlike /var/run,
which is most likely statically defined during distribution installation, /run
is a tmpfs which is built up from scratch on each and every boot.

But not only that, many services also use this location for other purposes than
just PID files (which is to be expected as these "other reasons" are why /run
came to be in the first place), so we need to support other types within this
location easily.

For this reason, we introduce support for
- creating the /run/lock location
- supporting named file transitions when init scripts create stuff in /run

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/files.if |   61 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 61 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 41346fb..e951402 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5608,6 +5608,26 @@ interface(`files_list_locks',`
 
 ########################################
 ## <summary>
+## 	Create lock directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`files_create_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+	create_dirs_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
 ##	Add and remove entries in the /var/lock
 ##	directories.
 ## </summary>
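
Review bot: files_create_lock_dirs is documented only as "Create lock directories", but the body also grants var_lock_t:lnk_file read_lnk_file_perms and a search of var_t; say so in the summary, since callers receive more than directory creation. The new doc lines also use "## " followed by a tab and drop the closing period ("Domain allowed access"), unlike the neighbouring interfaces.
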
@@ -5628,6 +5648,24 @@ interface(`files_rw_lock_dirs',`
 
 ########################################
 ## <summary>
+##	Set the attributes of the generic lock directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_setattr_lock_dirs',`
+	gen_require(`
+		type var_t, var_lock_t;
+	')
+
+	setattr_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
 ##	Relabel to and from all lock directory types.
 ## </summary>
 ## <param name="domain">
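
Review bot: files_setattr_lock_dirs only covers the /var/lock path: setattr_dirs_pattern($1, var_t, var_lock_t) searches var_t, while the series is about a lock directory under /run, and files_create_lock_dirs in the previous hunk additionally grants var_lock_t:lnk_file read_lnk_file_perms. If the setattr is meant to work on /run/lock, or through a /var/lock symlink, add the same symlink read and a search of the pid directory, or state in the description that callers must obtain those elsewhere.
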
@@ -6016,6 +6054,29 @@ interface(`files_pid_filetrans',`
 
 ########################################
 ## <summary>
+## 	Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_pid_filetrans_lock_dir',`
+	gen_require(`
+		type var_lock_t;
+	')
+
+	files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
+########################################
+## <summary>
 ##	Read and write generic process ID files.
 ## </summary>
 ## <param name="domain">
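
Review bot: in files_pid_filetrans_lock_dir the name parameter is declared optional="true" and forwarded as $2, so a caller that omits it gets an unnamed transition and every directory it creates in the pid location is labelled var_lock_t. Since the interface exists to label one specific directory, make the name mandatory or document the effect of leaving it out. The summary line also has the "## " plus tab indentation and no closing period.
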
-- 
1.7.8.6


* [refpolicy] [PATCH v4 3/5] Allow init scripts to populate /run location
  2012-07-12 17:17 [refpolicy] [PATCH v4 0/5] Updates on init scripts and udev (mainly /run related) Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 1/5] Support log location for init script logging Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 2/5] Supporting interfaces for the /run changes Sven Vermeulen
@ 2012-07-12 17:17 ` Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 4/5] Prepare udev interfaces for /run usage Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 5/5] Allow init scripts to create and manage (udev) /run location Sven Vermeulen
  4 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-07-12 17:17 UTC (permalink / raw)
  To: refpolicy

At boot up, the /run location is empty, and init scripts are responsible for
creating the necessary structure within to support their services. This means
adding entries such as the lock folder (/run/lock).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 953d586..0dbd708 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -276,7 +276,10 @@ kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
 
+files_create_lock_dirs(initrc_t)
+files_pid_filetrans_lock_dir(initrc_t, "lock")
 files_read_kernel_symbol_table(initrc_t)
+files_setattr_lock_dirs(initrc_t)
 
 corecmd_exec_all_executables(initrc_t)
 
@@ -452,6 +455,7 @@ ifdef(`distro_gentoo',`
 
 	# allow bootmisc to create /var/lock/.keep.
 	files_manage_generic_locks(initrc_t)
+	files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
 
 	# openrc uses tmpfs for its state data
 	fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
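
Review bot: files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc") sits directly under the "allow bootmisc to create /var/lock/.keep." comment, which it is unrelated to. Move it below the "openrc uses tmpfs for its state data" comment next to fs_tmpfs_filetrans, or give it its own comment saying that it labels the openrc directory in the run location.
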
-- 
1.7.8.6


* [refpolicy] [PATCH v4 4/5] Prepare udev interfaces for /run usage
  2012-07-12 17:17 [refpolicy] [PATCH v4 0/5] Updates on init scripts and udev (mainly /run related) Sven Vermeulen
                   ` (2 preceding siblings ...)
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 3/5] Allow init scripts to populate /run location Sven Vermeulen
@ 2012-07-12 17:17 ` Sven Vermeulen
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 5/5] Allow init scripts to create and manage (udev) /run location Sven Vermeulen
  4 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-07-12 17:17 UTC (permalink / raw)
  To: refpolicy

Recent udev implementations now use /run (actually, /run/udev) for storing
database files, rules and more. Hence, we need to extend existing interfaces to
support searching through the udev_var_run_t location (as most of that was
previously only in device_t and/or etc_t or udev_etc_t).

Next to enhancing the interfaces, we provide additional ones that will be used
by the init script (for udev) which needs to create and support the new
/run/udev locations.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/udev.if |   74 ++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 73 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..401d818 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -146,6 +146,10 @@ interface(`udev_manage_rules_files',`
 	')
 
 	manage_files_pattern($1, udev_rules_t, udev_rules_t)
+	
+	files_search_etc($1)
+
+	udev_search_pids($1)
 ')
 
 ########################################
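
Review bot: the added line right after manage_files_pattern contains only a tab, which is trailing whitespace; drop it or make it a truly empty line. udev_manage_rules_files now also grants files_search_etc and udev_search_pids, so its summary should mention that rules are reached through both the etc and the udev run directories.
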
@@ -187,10 +191,16 @@ interface(`udev_read_db',`
 		type udev_tbl_t;
 	')
 
-	dev_list_all_dev_nodes($1)
 	allow $1 udev_tbl_t:dir list_dir_perms;
+	
 	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
 	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+
+	dev_list_all_dev_nodes($1)
+	
+	files_search_etc($1)
+
+	udev_search_pids($1)
 ')
 
 ########################################
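
Review bot: moving dev_list_all_dev_nodes($1) below the read patterns in udev_read_db is a pure reorder mixed into a functional change and makes the hunk harder to read; leave it where it was and only add files_search_etc and udev_search_pids. The two added tab-only lines are trailing whitespace as well.
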
@@ -214,6 +224,68 @@ interface(`udev_rw_db',`
 
 ########################################
 ## <summary>
+##	Search through udev pid content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_search_pids',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	search_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+########################################
+## <summary>
+##	Create directories in the run location with udev_var_run_t type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+## 	<summary>
+##	Name of the directory that is created
+##	</summary>
+## </param>
+#
+interface(`udev_generic_pid_filetrans_run_dirs',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_pid_filetrans($1, udev_var_run_t, dir, $2)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	udev pid directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_manage_pid_dirs',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev pid files.
 ## </summary>
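
Review bot: udev_manage_pid_dirs calls files_search_var($1), while udev_search_pids in the same hunk uses files_search_pids($1) to reach udev_var_run_t. For directories that live in the run location the pid search looks like the intended one; use files_search_pids here too, or explain why var is the parent. In udev_generic_pid_filetrans_run_dirs the name parameter is optional, so a call without a name labels every directory the caller creates in the run location as udev_var_run_t; document that or require the name.
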
-- 
1.7.8.6


* [refpolicy] [PATCH v4 5/5] Allow init scripts to create and manage (udev) /run location
  2012-07-12 17:17 [refpolicy] [PATCH v4 0/5] Updates on init scripts and udev (mainly /run related) Sven Vermeulen
                   ` (3 preceding siblings ...)
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 4/5] Prepare udev interfaces for /run usage Sven Vermeulen
@ 2012-07-12 17:17 ` Sven Vermeulen
  2012-07-12 17:50   ` Dominick Grift
  4 siblings, 1 reply; 10+ messages in thread
From: Sven Vermeulen @ 2012-07-12 17:17 UTC (permalink / raw)
  To: refpolicy

With udev now using /run for its data, the init script responsible for preparing
the environment to start up udev needs to be able to set up this location as
well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0dbd708..e40ae7f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -277,6 +277,7 @@ kernel_rw_all_sysctls(initrc_t)
 kernel_dontaudit_getattr_message_if(initrc_t)
 
 files_create_lock_dirs(initrc_t)
+files_create_pid_dirs(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
 files_read_kernel_symbol_table(initrc_t)
 files_setattr_lock_dirs(initrc_t)
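
Review bot: files_create_pid_dirs(initrc_t) grants creation of generic pid directories, which goes beyond the udev set-up the commit message describes and is not one of the interfaces added to files.if in 2/5. State in the commit message which directories in /run need it, and confirm the interface exists in the tree this series applies to.
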
@@ -829,7 +830,9 @@ optional_policy(`
 
 optional_policy(`
 	udev_rw_db(initrc_t)
+	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
 	udev_manage_pid_files(initrc_t)
+	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
 ')
 
-- 
1.7.8.6


* [refpolicy] [PATCH v4 5/5] Allow init scripts to create and manage (udev) /run location
  2012-07-12 17:17 ` [refpolicy] [PATCH v4 5/5] Allow init scripts to create and manage (udev) /run location Sven Vermeulen
@ 2012-07-12 17:50   ` Dominick Grift
  2012-07-12 18:11     ` Sven Vermeulen
  0 siblings, 1 reply; 10+ messages in thread
From: Dominick Grift @ 2012-07-12 17:50 UTC (permalink / raw)
  To: refpolicy



On Thu, 2012-07-12 at 19:17 +0200, Sven Vermeulen wrote:
> With udev now using /run for its data, the init script responsible for preparing
> the environment to start up udev needs to be able to setup this location as
> well.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/init.te |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 0dbd708..e40ae7f 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -277,6 +277,7 @@ kernel_rw_all_sysctls(initrc_t)
>  kernel_dontaudit_getattr_message_if(initrc_t)
>  
>  files_create_lock_dirs(initrc_t)
> +files_create_pid_dirs(initrc_t)

Does it need to create generic pids as well?

>  files_pid_filetrans_lock_dir(initrc_t, "lock")
>  files_read_kernel_symbol_table(initrc_t)
>  files_setattr_lock_dirs(initrc_t)
> @@ -829,7 +830,9 @@ optional_policy(`
>  
>  optional_policy(`
>  	udev_rw_db(initrc_t)
> +	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
>  	udev_manage_pid_files(initrc_t)
> +	udev_manage_pid_dirs(initrc_t)
>  	udev_manage_rules_files(initrc_t)
>  ')
>  


* [refpolicy] [PATCH v4 5/5] Allow init scripts to create and manage (udev) /run location
  2012-07-12 17:50   ` Dominick Grift
@ 2012-07-12 18:11     ` Sven Vermeulen
  2012-07-12 18:34       ` Dominick Grift
  0 siblings, 1 reply; 10+ messages in thread
From: Sven Vermeulen @ 2012-07-12 18:11 UTC (permalink / raw)
  To: refpolicy

On Thu, Jul 12, 2012 at 07:50:25PM +0200, Dominick Grift wrote:
> > --- a/policy/modules/system/init.te
> > +++ b/policy/modules/system/init.te
> > @@ -277,6 +277,7 @@ kernel_rw_all_sysctls(initrc_t)
> >  kernel_dontaudit_getattr_message_if(initrc_t)
> >  
> >  files_create_lock_dirs(initrc_t)
> > +files_create_pid_dirs(initrc_t)
> 
> Does it need to create generic pids as well?

For the moment I have not seen the need for it. Most applications write
their own pid file, or the pid files are written in a specific pid directory
(so init scripts do not need to write var_run_t files).

Of course, init scripts are quite "open" and I have only tested a very few
ones (those needed to boot and run my systems, namely ;-) so who knows what
other requirements could come out of the boat...

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH v4 5/5] Allow init scripts to create and manage (udev) /run location
  2012-07-12 18:11     ` Sven Vermeulen
@ 2012-07-12 18:34       ` Dominick Grift
  2012-07-12 19:11         ` Sven Vermeulen
  0 siblings, 1 reply; 10+ messages in thread
From: Dominick Grift @ 2012-07-12 18:34 UTC (permalink / raw)
  To: refpolicy



On Thu, 2012-07-12 at 20:11 +0200, Sven Vermeulen wrote:
> On Thu, Jul 12, 2012 at 07:50:25PM +0200, Dominick Grift wrote:
> > > --- a/policy/modules/system/init.te
> > > +++ b/policy/modules/system/init.te
> > > @@ -277,6 +277,7 @@ kernel_rw_all_sysctls(initrc_t)
> > >  kernel_dontaudit_getattr_message_if(initrc_t)
> > >  
> > >  files_create_lock_dirs(initrc_t)
> > > +files_create_pid_dirs(initrc_t)
> > 
> > Does it need to create generic pids as well?
> 
> For the moment I have not seen the need for it. Most applications write
> their own pid file, or the pid files are written in a specific pid directory
> (so init scripts do not need to write var_run_t files).
> 
> Of course, init scripts are quite "open" and I have only tested a very few
> ones (those needed to boot and run my systems, namely ;-) so who knows what
> other requirements could come out of the boat...
> 

Sorry, what I meant to say was: Does it need to create generic pid dirs
as well?

I guess it does or else you would not add a rule to allow that?

> Wkr,
> 	Sven Vermeulen


* [refpolicy] [PATCH v4 5/5] Allow init scripts to create and manage (udev) /run location
  2012-07-12 18:34       ` Dominick Grift
@ 2012-07-12 19:11         ` Sven Vermeulen
  0 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-07-12 19:11 UTC (permalink / raw)
  To: refpolicy

On Thu, Jul 12, 2012 at 08:34:53PM +0200, Dominick Grift wrote:
> On Thu, 2012-07-12 at 20:11 +0200, Sven Vermeulen wrote:
> > On Thu, Jul 12, 2012 at 07:50:25PM +0200, Dominick Grift wrote:
> > > > --- a/policy/modules/system/init.te
> > > > +++ b/policy/modules/system/init.te
> > > > @@ -277,6 +277,7 @@ kernel_rw_all_sysctls(initrc_t)
> > > >  kernel_dontaudit_getattr_message_if(initrc_t)
> > > >  
> > > >  files_create_lock_dirs(initrc_t)
> > > > +files_create_pid_dirs(initrc_t)
> > > 
> > > Does it need to create generic pids as well?
> > 
> > For the moment I have not seen the need for it. Most applications write
> > their own pid file, or the pid files are written in a specific pid directory
> > (so init scripts do not need to write var_run_t files).
> 
> Sorry, what I meant to say was: Does it need to create generic pid dirs
> as well?

It seems to require this, yes. We have reports for /run/udisks2,
/run/pm-utils, /run/openrc, /run/lightdm and /run/ConsoleKit for now. 

I'll see if these don't need to become their own subtype.

Wkr,
	Sven Vermeulen
