* [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
@ 2016-12-27 22:16 Guido Trentalancia
  2016-12-27 22:38 ` Luis Ressel
  0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-27 22:16 UTC (permalink / raw)
  To: refpolicy

The aim of this patch is to start securing the init module so
that it can run in confined mode instead of in the most unsafe
unconfined mode.

At the moment it has been fully tested only with sysvinit.

Testing with other init daemons is needed before this is
released, so a "permissive" statement has been added in
order to log further needed permissions during this testing
phase (with systemd, upstart, and so on).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/devices.if |   18 ++++++++++++++++++
 policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
 policy/modules/system/init.te    |   26 ++++++++++++++++++++++----
 3 files changed, 58 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if	2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
 
 ########################################
 ## <summary>
+##	Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">
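Review bot: the new `dev_mount_sysfs` grants only `mount` on `sysfs_t:filesystem`; `remount` and `unmount` are separate permissions of the `filesystem` class, so a caller that later remounts sysfs with different options will still be denied. Stating "mount only" in the summary, in the same way the neighbouring `dev_mounton_sysfs` covers only the mount point, stops callers assuming the interface covers the whole mount life cycle.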
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if	2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
 
 ########################################
 ## <summary>
+##	Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
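Review bot: `kernel_mount_proc` is placed directly before the existing unmount interface (visible in the trailing context), which is the right spot, but `mount` on `proc_t:filesystem` alone is not enough to mount onto the /proc directory; the caller also needs `mounton` on the mount point, which init.te in this patch obtains through `kernel_mounton_proc_dirs`. A one-line hint in the summary that the two are normally used together saves the next caller an audit round trip.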
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te	2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
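Review bot: the two new calls carry no comment saying which sysvinit operation needs them, whereas the surrounding file annotates its rules (`# Modify utmp.` here, `# Early devtmpfs` in the next hunk). A line such as `# sysvinit mounts /proc itself early in boot` (if that is what was observed) makes clear this is a deliberate grant and not a leftover from a permissive run.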
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
 dev_read_sysfs(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
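Review bot: same remark as for the proc pair: a short comment on why init mounts sysfs itself. Note also that `dev_mounton_sysfs` already existed before this patch (it is the context line of the devices.if hunk) while `dev_mount_sysfs` is new; listing the interfaces the series introduces in the commit message lets reviewers see at a glance which of these four calls rely on new policy.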
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
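Review bot: `fs_getattr_xattr_fs(init_t)` is the least self-explanatory addition: it allows `getattr` (statfs) on every xattr-capable filesystem type, which is broader than a single check of the root filesystem. A comment naming the path that was denied, or a narrower interface if the audit log showed only one filesystem type, would justify the scope.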
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
 selinux_set_all_booleans(init_t)
 
 term_use_all_terms(init_t)
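Review bot: `selinux_load_policy(init_t)` is the highest-impact line in the patch and the commit message does not explain it. A domain allowed `load_policy` can replace the entire loaded policy, so the justification (sysvinit performing the initial load when the kernel boots without a policy already loaded) and the sysvinit code path that needs it belong in the message; the same goes for `selinux_mount_fs`, which lets init mount selinuxfs itself. If both are needed only on that initial-load path, say so in a comment above the two calls.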
@@ -190,6 +197,21 @@ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+# Before moving to an init module which does
+# not call unconfined_domain(), we test
+# to discover possible side-effects, by
+# temporarily using the "permissive"
+# statement which logs further needed
+# permissions...
+#
+# The current module has already been
+# fully tested with sysvinit.
+#
+# The following line should be removed
+# as soon as the module has been tested
+# with the other init daemons.
+permissive init_t;
+
 ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
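Review bot: `permissive init_t;` must not go into the module. It disables enforcement for init_t for every consumer of refpolicy, including those who never load the unconfined module, and unlike the `optional_policy` unconfined block removed further down it cannot be opted out of by leaving a module unloaded; with it in place, removing `unconfined_domain(init_t)` gains nothing. Keep the statement in a local test policy, collect the denials there, and submit only the resulting rules.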
@@ -345,10 +367,6 @@ optional_policy(`
 	sssd_stream_connect(init_t)
 ')
 
-optional_policy(`
-	unconfined_domain(init_t)
-')
-
 ########################################
 #
 # Init script local policy
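Review bot: dropping this `optional_policy` block is a behaviour change for every distribution that ships the unconfined module, not only for sysvinit users, and the block was already optional: anyone wanting a confined init can leave unconfined unloaded. It should travel as a separate patch with its own justification and test coverage (the message says only sysvinit was tested) rather than bundled with the permission additions, which are needed regardless.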


* [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
  2016-12-27 22:16 [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call Guido Trentalancia
@ 2016-12-27 22:38 ` Luis Ressel
  2016-12-27 22:54   ` Guido Trentalancia
  0 siblings, 1 reply; 19+ messages in thread
From: Luis Ressel @ 2016-12-27 22:38 UTC (permalink / raw)
  To: refpolicy

On Tue, 27 Dec 2016 23:16:46 +0100 (CET)
Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:

> The aim of this patch is to start securing the init module so
> that it can run in confined mode instead of in the most unsafe
> unconfined mode.
> 
> At the moment it has been fully tested only with sysvinit.
> 
> Testing with other init daemons is needed before this is
> released, so a "permissive" statement has been added in
> order to log further needed permissions during this testing
> phase (with systemd, upstart, and so on).
> 
> [...]
>
> +permissive init_t;

Please don't add that. Debugging statements such as this one should
only be added to local policies, not to refpol's master branch. This
statement would be a huge step backwards for everyone who isn't using
the 'unconfined' module.

Regards,
Luis
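An added example, not code from this thread or from refpolicy: it shows what the local workflow Luis describes looks like, reading the AVC records a permissive domain logs, unioning them per target type and class into candidate rules, and flagging security-class permissions such as `load_policy` that need an explicit justification rather than an audit log. The audit lines, inode numbers and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample AVC records, shaped like what a permissive init_t domain
# would log during a sysvinit boot. These are not real audit lines from the
# thread; inode numbers and timestamps are made up.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1482878400.101:12): avc:  denied  { mount } for  pid=1 comm="init" '
    'name="/" dev="proc" ino=1 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1',
    'type=AVC msg=audit(1482878400.102:13): avc:  denied  { mounton } for  pid=1 comm="init" '
    'path="/proc" dev="rootfs" ino=2 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1482878400.105:14): avc:  denied  { load_policy } for  pid=1 '
    'comm="init" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1',
    'type=AVC msg=audit(1482878400.105:15): avc:  denied  { read open } for  pid=1 '
    'comm="init" path="/etc/selinux/config" dev="sda1" ino=4242 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1',
    # A denial from another domain, in enforcing mode: must be filtered out.
    'type=AVC msg=audit(1482878400.900:40): avc:  denied  { execute } for  pid=77 '
    'comm="bash" scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
]

# One regex for the fields every AVC denial carries. The "permissive=" field
# is only emitted by kernels that report it, so it is optional.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

# Permissions a reviewer should never accept on the strength of an audit log
# alone: each lets the domain change the policy or the enforcement state.
HIGH_IMPACT = {
    ('security', 'load_policy'),
    ('security', 'setenforce'),
    ('security', 'setbool'),
}


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        'perms': frozenset(m.group('perms').split()),
        'stype': m.group('scon').split(':')[2],
        'ttype': m.group('tcon').split(':')[2],
        'tclass': m.group('tclass'),
        'permissive': m.group('permissive') == '1',
    }


def summarize_denials(lines, domain):
    """Union the permissions denied to one source domain, keyed by (target type, class).

    In permissive mode every check on a code path is logged, so this union is
    the complete set the path needs; in enforcing mode only the first failing
    check is visible, which is why the thread used permissive for discovery.
    """
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['stype'] != domain:
            continue
        needed[(rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(needed)


def render_allow_rules(domain, needed):
    """Render raw allow rules; high-impact ones get a marker for the reviewer.

    The output is a starting point for locating the matching refpolicy
    interface (e.g. selinux_load_policy()), not text to paste into a .te file.
    """
    rules = []
    for (ttype, tclass), perms in sorted(needed.items()):
        rule = 'allow %s %s:%s { %s };' % (domain, ttype, tclass, ' '.join(sorted(perms)))
        if any((tclass, p) in HIGH_IMPACT for p in perms):
            rule += '  # HIGH IMPACT: needs an explicit justification'
        rules.append(rule)
    return rules


if __name__ == '__main__':
    for rule in render_allow_rules('init_t', summarize_denials(SAMPLE_AVC_LINES, 'init_t')):
        print(rule)
```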


* [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
  2016-12-27 22:38 ` Luis Ressel
@ 2016-12-27 22:54   ` Guido Trentalancia
  2016-12-27 23:02     ` Luis Ressel
  0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-27 22:54 UTC (permalink / raw)
  To: refpolicy

Hello.

> On the 27th of December 2016 at 23.38 Luis Ressel <aranea@aixah.de> wrote:
> 
> 
> On Tue, 27 Dec 2016 23:16:46 +0100 (CET)
> Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
> 
> > The aim of this patch is to start securing the init module so
> > that it can run in confined mode instead of in the most unsafe
> > unconfined mode.
> > 
> > At the moment it has been fully tested only with sysvinit.
> > 
> > Testing with other init daemons is needed before this is
> > released, so a "permissive" statement has been added in
> > order to log further needed permissions during this testing
> > phase (with systemd, upstart, and so on).
> > 
> > [...]
> >
> > +permissive init_t;
> 
> Please don't add that. Debugging statements such as this one should
> only be added to local policies, not to refpol's master branch. This
> statement would be a huge step backwards for everyone who isn't using
> the 'unconfined' module.

Ok, that's fine. Consider, I have completed testing it with sysvinit, so I
don't really need to debug anything.

It comes from the following recent advice that has been posted (I was
not even aware of the existence of such a statement):

http://oss.tresys.com/pipermail/refpolicy/2016-December/008835.html

but, if it is more likely to cause problems, then I can create a new patch
which just dumps the dangerous call to unconfined_domain() and that's
the end of the story.

At the end, there must be a way out of it!

Regards,

Guido


* [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call
  2016-12-27 22:54   ` Guido Trentalancia
@ 2016-12-27 23:02     ` Luis Ressel
  2016-12-28 20:45       ` [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") Guido Trentalancia
  0 siblings, 1 reply; 19+ messages in thread
From: Luis Ressel @ 2016-12-27 23:02 UTC (permalink / raw)
  To: refpolicy

On Tue, 27 Dec 2016 23:54:58 +0100 (CET)
Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:

> Ok, that's fine. Consider, I have completed testing it with sysvinit,
> so I don't really need to debug anything.
> 
> It comes from the following recent advice that has been posted (I was
> not even aware of the existence of such statement):
> 
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008835.html
> 

Neither was I; I had to look it up before replying to your mail. :)

> but, if it is more likely to cause problems, then I can create a new
> patch which just dumps the dangerous call to unconfined_domain() and
> that's the end of the story.
> 

Thanks!

> At the end, there must be a way out of it !

Yes. Personally, I never really cared about it because I don't use
'unconfined' anyway, but I definitely appreciate your effort to get rid
of it.

Regards,
Luis Ressel


* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2016-12-27 23:02     ` Luis Ressel
@ 2016-12-28 20:45       ` Guido Trentalancia
  2016-12-30 19:24         ` Chris PeBenito
  2016-12-31 19:52         ` [refpolicy] [PATCH v3] init: support sysvinit Guido Trentalancia
  0 siblings, 2 replies; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-28 20:45 UTC (permalink / raw)
  To: refpolicy

Originally the aim of this patch was to start securing the init
module so that it could run in confined mode instead of in the
most unsafe unconfined mode and therefore the patch was removing
the call to unconfined_domain().

However, the removal of the unconfined_domain() call has been
rejected on the basis of the fact that it can be avoided by not
loading the "unconfined" policy module (which unfortunately at
the moment, still gets added to the configuration file during
"make conf").

Currently, this second version of the patch no longer removes the
call to unconfined_domain() and it only adds permissions needed
by sysvinit (most notably the ability to load the policy during
the system boot).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/devices.if |   18 ++++++++++++++++++
 policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
 policy/modules/system/init.te    |    7 +++++++
 3 files changed, 43 insertions(+)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if	2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
 
 ########################################
 ## <summary>
+##	Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if	2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
 
 ########################################
 ## <summary>
+##	Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te	2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
 dev_read_sysfs(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
 selinux_set_all_booleans(init_t)
 
 term_use_all_terms(init_t)
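Review bot: v2 names "the ability to load the policy during the system boot" as the main point, yet init.te still gains `selinux_load_policy` and `selinux_mount_fs` without any comment in the file. Since this is now the one security-relevant change left in the patch, a note above the two calls stating the condition under which sysvinit performs the load (for example, only when no earlier stage has loaded a policy) lets a later reader tell a deliberate grant of the most powerful permission in the set apart from a leftover of a permissive run.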


* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2016-12-28 20:45       ` [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") Guido Trentalancia
@ 2016-12-30 19:24         ` Chris PeBenito
  2016-12-30 21:10           ` Guido Trentalancia
  2016-12-31 19:52         ` [refpolicy] [PATCH v3] init: support sysvinit Guido Trentalancia
  1 sibling, 1 reply; 19+ messages in thread
From: Chris PeBenito @ 2016-12-30 19:24 UTC (permalink / raw)
  To: refpolicy

On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> Originally the aim of this patch was to start securing the init
> module so that it could run in confined mode instead of in the
> most unsafe unconfined mode and therefore the patch was removing
> the call to unconfined_domain().
>
> However, the removal of the unconfined_domain() call has been
> rejected on the basis of the fact that it can be avoided by not
> loading the "unconfined" policy module (which unfortunately at
> the moment, still gets added to the configuration file during
> "make conf").
>
> Currently, this second version of the patch no longer removes the
> call to unconfined_domain() and it only adds permissions needed
> by sysvinit (most notably the ability to load the policy during
> the system boot).
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>  policy/modules/system/init.te    |    7 +++++++
>  3 files changed, 43 insertions(+)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
> +++ b/policy/modules/kernel/devices.if	2016-12-27 22:50:19.301315139 +0100
> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>
>  ########################################
>  ## <summary>
> +##	Mount a sysfs filesystem.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_mount_sysfs',`
> +	gen_require(`
> +		type sysfs_t;
> +	')
> +
> +	allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
>  ##	Associate a file to a sysfs filesystem.
>  ## </summary>
>  ## <param name="file_type">
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
> +++ b/policy/modules/kernel/kernel.if	2016-12-27 22:51:01.009904157 +0100
> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>
>  ########################################
>  ## <summary>
> +##	Mount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_mount_proc',`
> +	gen_require(`
> +		type proc_t;
> +	')
> +
> +	allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
>  ##	Unmount the proc filesystem.
>  ## </summary>
>  ## <param name="domain">
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te	2016-12-22 23:12:47.784929729 +0100
> +++ b/policy/modules/system/init.te	2016-12-27 23:05:37.731451479 +0100
> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>  # Modify utmp.
>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>
> +kernel_mounton_proc_dirs(init_t)
> +kernel_mount_proc(init_t)
>  kernel_read_system_state(init_t)
>  kernel_share_state(init_t)
>  kernel_dontaudit_search_unlabeled(init_t)
> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>  corecmd_exec_chroot(init_t)
>  corecmd_exec_bin(init_t)
>
> +dev_mounton_sysfs(init_t)
> +dev_mount_sysfs(init_t)
>  dev_read_sysfs(init_t)
>  # Early devtmpfs
>  dev_rw_generic_chr_files(init_t)
> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>  files_dontaudit_rw_root_files(init_t)
>  files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
>  fs_list_inotifyfs(init_t)
>  # cjp: this may be related to /dev/log
>  fs_write_ramfs_sockets(init_t)
> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>  mls_process_write_all_levels(init_t)
>  mls_fd_use_all_levels(init_t)
>
> +selinux_load_policy(init_t)
> +selinux_mount_fs(init_t)
>  selinux_set_all_booleans(init_t)
>
>  term_use_all_terms(init_t)

I'm not clear why this is necessary.  Sysvinit should only be loading 
the policy if it is not loaded yet, so these permissions should be unnecessary.

-- 
Chris PeBenito


* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2016-12-30 19:24         ` Chris PeBenito
@ 2016-12-30 21:10           ` Guido Trentalancia
  2016-12-30 21:13             ` Dominick Grift
  2016-12-31 17:42             ` Guido Trentalancia
  0 siblings, 2 replies; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-30 21:10 UTC (permalink / raw)
  To: refpolicy

On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> > 
> > Originally the aim of this patch was to start securing the init
> > module so that it could run in confined mode instead of in the
> > most unsafe unconfined mode and therefore the patch was removing
> > the call to unconfined_domain().
> > 
> > However, the removal of the unconfined_domain() call has been
> > rejected on the basis of the fact that it can be avoided by not
> > loading the "unconfined" policy module (which unfortunately at
> > the moment, still gets added to the configuration file during
> > "make conf").
> > 
> > Currently, this second version of the patch no longer removes the
> > call to unconfined_domain() and it only adds permissions needed
> > by sysvinit (most notably the ability to load the policy during
> > the system boot).
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
> >  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
> >  policy/modules/system/init.te    |    7 +++++++
> >  3 files changed, 43 insertions(+)
> > 
> > diff -pru a/policy/modules/kernel/devices.if
> > b/policy/modules/kernel/devices.if
> > --- a/policy/modules/kernel/devices.if	2016-12-27
> > 22:41:00.650390161 +0100
> > +++ b/policy/modules/kernel/devices.if	2016-12-27
> > 22:50:19.301315139 +0100
> > @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
> > 
> >  ########################################
> >  ## <summary>
> > +##	Mount a sysfs filesystem.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`dev_mount_sysfs',`
> > +	gen_require(`
> > +		type sysfs_t;
> > +	')
> > +
> > +	allow $1 sysfs_t:filesystem mount;
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##	Associate a file to a sysfs filesystem.
> >  ## </summary>
> >  ## <param name="file_type">
> > diff -pru a/policy/modules/kernel/kernel.if
> > b/policy/modules/kernel/kernel.if
> > --- a/policy/modules/kernel/kernel.if	2016-12-27
> > 22:41:00.652390190 +0100
> > +++ b/policy/modules/kernel/kernel.if	2016-12-27
> > 22:51:01.009904157 +0100
> > @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
> > 
> >  ########################################
> >  ## <summary>
> > +##	Mount the proc filesystem.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`kernel_mount_proc',`
> > +	gen_require(`
> > +		type proc_t;
> > +	')
> > +
> > +	allow $1 proc_t:filesystem mount;
> > +')
> > +
> > +########################################
> > +## <summary>
> >  ##	Unmount the proc filesystem.
> >  ## </summary>
> >  ## <param name="domain">
> > diff -pru a/policy/modules/system/init.te
> > b/policy/modules/system/init.te
> > --- a/policy/modules/system/init.te	2016-12-22
> > 23:12:47.784929729 +0100
> > +++ b/policy/modules/system/init.te	2016-12-27
> > 23:05:37.731451479 +0100
> > @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> >  # Modify utmp.
> >  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
> > 
> > +kernel_mounton_proc_dirs(init_t)
> > +kernel_mount_proc(init_t)
> >  kernel_read_system_state(init_t)
> >  kernel_share_state(init_t)
> >  kernel_dontaudit_search_unlabeled(init_t)
> > @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> >  corecmd_exec_chroot(init_t)
> >  corecmd_exec_bin(init_t)
> > 
> > +dev_mounton_sysfs(init_t)
> > +dev_mount_sysfs(init_t)
> >  dev_read_sysfs(init_t)
> >  # Early devtmpfs
> >  dev_rw_generic_chr_files(init_t)
> > @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> >  files_dontaudit_rw_root_files(init_t)
> >  files_dontaudit_rw_root_chr_files(init_t)
> > 
> > +fs_getattr_xattr_fs(init_t)
> >  fs_list_inotifyfs(init_t)
> >  # cjp: this may be related to /dev/log
> >  fs_write_ramfs_sockets(init_t)
> > @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> >  mls_process_write_all_levels(init_t)
> >  mls_fd_use_all_levels(init_t)
> > 
> > +selinux_load_policy(init_t)
> > +selinux_mount_fs(init_t)
> >  selinux_set_all_booleans(init_t)
> > 
> >  term_use_all_terms(init_t)
> 
> I'm not clear why this is necessary.  Sysvinit should only be
> loading
> the policy if it is not loaded yet, so these permissions should be
> unnecessary.

The init daemon absolutely needs to load the SELinux policy!

Perhaps it is possible to get rid of the other similar permission in
the kernel module, but surely not here, otherwise the system won't boot!

Thanks.

Guido


* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2016-12-30 21:10           ` Guido Trentalancia
@ 2016-12-30 21:13             ` Dominick Grift
  2016-12-31 17:42             ` Guido Trentalancia
  1 sibling, 0 replies; 19+ messages in thread
From: Dominick Grift @ 2016-12-30 21:13 UTC (permalink / raw)
  To: refpolicy

On 12/30/2016 10:10 PM, Guido Trentalancia via refpolicy wrote:
> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>
>>> Originally the aim of this patch was to start securing the init
>>> module so that it could run in confined mode instead of in the
>>> most unsafe unconfined mode and therefore the patch was removing
>>> the call to unconfined_domain().
>>>
>>> However, the removal of the unconfined_domain() call has been
>>> rejected on the basis of the fact that it can be avoided by not
>>> loading the "unconfined" policy module (which unfortunately at
>>> the moment, still gets added to the configuration file during
>>> "make conf").
>>>
>>> Currently, this second version of the patch no longer removes the
>>> call to unconfined_domain() and it only adds permissions needed
>>> by sysvinit (most notably the ability to load the policy during
>>> the system boot).
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>>>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>>>  policy/modules/system/init.te    |    7 +++++++
>>>  3 files changed, 43 insertions(+)
>>>
>>> diff -pru a/policy/modules/kernel/devices.if
>>> b/policy/modules/kernel/devices.if
>>> --- a/policy/modules/kernel/devices.if	2016-12-27
>>> 22:41:00.650390161 +0100
>>> +++ b/policy/modules/kernel/devices.if	2016-12-27
>>> 22:50:19.301315139 +0100
>>> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>>>
>>>  ########################################
>>>  ## <summary>
>>> +##	Mount a sysfs filesystem.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`dev_mount_sysfs',`
>>> +	gen_require(`
>>> +		type sysfs_t;
>>> +	')
>>> +
>>> +	allow $1 sysfs_t:filesystem mount;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>>  ##	Associate a file to a sysfs filesystem.
>>>  ## </summary>
>>>  ## <param name="file_type">
>>> diff -pru a/policy/modules/kernel/kernel.if
>>> b/policy/modules/kernel/kernel.if
>>> --- a/policy/modules/kernel/kernel.if	2016-12-27
>>> 22:41:00.652390190 +0100
>>> +++ b/policy/modules/kernel/kernel.if	2016-12-27
>>> 22:51:01.009904157 +0100
>>> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>>>
>>>  ########################################
>>>  ## <summary>
>>> +##	Mount the proc filesystem.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`kernel_mount_proc',`
>>> +	gen_require(`
>>> +		type proc_t;
>>> +	')
>>> +
>>> +	allow $1 proc_t:filesystem mount;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>>  ##	Unmount the proc filesystem.
>>>  ## </summary>
>>>  ## <param name="domain">
>>> diff -pru a/policy/modules/system/init.te
>>> b/policy/modules/system/init.te
>>> --- a/policy/modules/system/init.te	2016-12-22
>>> 23:12:47.784929729 +0100
>>> +++ b/policy/modules/system/init.te	2016-12-27
>>> 23:05:37.731451479 +0100
>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>  # Modify utmp.
>>>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>
>>> +kernel_mounton_proc_dirs(init_t)
>>> +kernel_mount_proc(init_t)
>>>  kernel_read_system_state(init_t)
>>>  kernel_share_state(init_t)
>>>  kernel_dontaudit_search_unlabeled(init_t)
>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>  corecmd_exec_chroot(init_t)
>>>  corecmd_exec_bin(init_t)
>>>
>>> +dev_mounton_sysfs(init_t)
>>> +dev_mount_sysfs(init_t)
>>>  dev_read_sysfs(init_t)
>>>  # Early devtmpfs
>>>  dev_rw_generic_chr_files(init_t)
>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>  files_dontaudit_rw_root_files(init_t)
>>>  files_dontaudit_rw_root_chr_files(init_t)
>>>
>>> +fs_getattr_xattr_fs(init_t)
>>>  fs_list_inotifyfs(init_t)
>>>  # cjp: this may be related to /dev/log
>>>  fs_write_ramfs_sockets(init_t)
>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>  mls_process_write_all_levels(init_t)
>>>  mls_fd_use_all_levels(init_t)
>>>
>>> +selinux_load_policy(init_t)
>>> +selinux_mount_fs(init_t)
>>>  selinux_set_all_booleans(init_t)
>>>
>>>  term_use_all_terms(init_t)
>>
>> I'm not clear why this is necessary.  Sysvinit should only be
>> loading 
>> the policy if it is not loaded yet, so these permissions should be
>> unnecessary.
> 
> The init daemon absolutely needs to load the SELinux policy !

why?

> 
> Perhaps, it is possible to get rid of the other similar permission in
> the kernel module, but surely not here, otherwise the system won't boot
>  !
> 
> Thanks.
> 
> Guido


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2016-12-30 21:10           ` Guido Trentalancia
  2016-12-30 21:13             ` Dominick Grift
@ 2016-12-31 17:42             ` Guido Trentalancia
  2017-01-02 17:55               ` Chris PeBenito
  1 sibling, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-31 17:42 UTC (permalink / raw)
  To: refpolicy

Hello again.

On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
wrote:
> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
> > 
> > On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
> > > 
> > > 
> > > Originally the aim of this patch was to start securing the init
> > > module so that it could run in confined mode instead of in the
> > > most unsafe unconfined mode and therefore the patch was removing
> > > the call to unconfined_domain().
> > > 
> > > However, the removal of the unconfined_domain() call has been
> > > rejected on the basis of the fact that it can be avoided by not
> > > loading the "unconfined" policy module (which unfortunately at
> > > the moment, still gets added to the configuration file during
> > > "make conf").
> > > 
> > > Currently, this second version of the patch no longer removes the
> > > call to unconfined_domain() and it only adds permissions needed
> > > by sysvinit (most notably the ability to load the policy during
> > > the system boot).
> > > 
> > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > > ---
> > >  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
> > >  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
> > >  policy/modules/system/init.te    |    7 +++++++
> > >  3 files changed, 43 insertions(+)

[...]

> > > diff -pru a/policy/modules/system/init.te
> > > b/policy/modules/system/init.te
> > > --- a/policy/modules/system/init.te	2016-12-22
> > > 23:12:47.784929729 +0100
> > > +++ b/policy/modules/system/init.te	2016-12-27
> > > 23:05:37.731451479 +0100
> > > @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> > > ?# Modify utmp.
> > > ?allow init_t initrc_var_run_t:file { rw_file_perms setattr };
> > > 
> > > +kernel_mounton_proc_dirs(init_t)
> > > +kernel_mount_proc(init_t)
> > > ?kernel_read_system_state(init_t)
> > > ?kernel_share_state(init_t)
> > > ?kernel_dontaudit_search_unlabeled(init_t)
> > > @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> > > ?corecmd_exec_chroot(init_t)
> > > ?corecmd_exec_bin(init_t)
> > > 
> > > +dev_mounton_sysfs(init_t)
> > > +dev_mount_sysfs(init_t)
> > > ?dev_read_sysfs(init_t)
> > > ?# Early devtmpfs
> > > ?dev_rw_generic_chr_files(init_t)
> > > @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> > > ?files_dontaudit_rw_root_files(init_t)
> > > ?files_dontaudit_rw_root_chr_files(init_t)
> > > 
> > > +fs_getattr_xattr_fs(init_t)
> > > ?fs_list_inotifyfs(init_t)
> > > ?# cjp: this may be related to /dev/log
> > > ?fs_write_ramfs_sockets(init_t)
> > > @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> > > ?mls_process_write_all_levels(init_t)
> > > ?mls_fd_use_all_levels(init_t)
> > > 
> > > +selinux_load_policy(init_t)
> > > +selinux_mount_fs(init_t)
> > > ?selinux_set_all_booleans(init_t)
> > > 
> > > ?term_use_all_terms(init_t)
> > 
> > I'm not clear why this is necessary.  Sysvinit should only be
> > loading
> > the policy if it is not loaded yet, so these permissions should be
> > unnecessary.
> 
> The init daemon absolutely needs to load the SELinux policy !
> 
> Perhaps, it is possible to get rid of the other similar permission in
> the kernel module, but surely not here, otherwise the system won't
> boot
>  !

How about this patch ?

The selinux_load_policy() permission is absolutely necessary for the
init_t domain, when using sysvinit.

Regards,

Guido


* [refpolicy] [PATCH v3] init: support sysvinit
  2016-12-28 20:45       ` [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") Guido Trentalancia
  2016-12-30 19:24         ` Chris PeBenito
@ 2016-12-31 19:52         ` Guido Trentalancia
  2017-01-02  0:04           ` [refpolicy] [PATCH v4] " Guido Trentalancia
  1 sibling, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2016-12-31 19:52 UTC (permalink / raw)
  To: refpolicy

Add permissions needed by sysvinit (most notably permissions to
read and load the SELinux policy).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/devices.if |   18 ++++++++++++++++++
 policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
 policy/modules/system/init.te    |    8 ++++++++
 3 files changed, 44 insertions(+)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if	2016-12-31 20:22:50.106586282 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
 
 ########################################
 ## <summary>
+##	Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if	2016-12-31 20:22:50.157588150 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
 
 ########################################
 ## <summary>
+##	Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te	2016-12-31 20:24:06.184371379 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
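Review bot: the commit message ("Add permissions needed by sysvinit") does not say when init_t has to mount proc and sysfs itself; the discussion in this thread ties these rules to sysvinit booting without an initramfs, so that boot configuration should be stated in the message or in a comment next to `kernel_mount_proc(init_t)`, otherwise a reader of init.te cannot tell whether the rule is required on every sysvinit system or only where there is no initramfs to do the early mounts.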
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
 dev_read_sysfs(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
 selinux_set_all_booleans(init_t)
 
 term_use_all_terms(init_t)
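Review bot: `selinux_load_policy(init_t)` and `selinux_mount_fs(init_t)` give init_t the right to replace the loaded policy and to mount selinuxfs after the domain transition has already happened. As Chris PeBenito notes in the quoted exchange, sysvinit loads the policy only if none is loaded yet, and at that moment the process has not transitioned to init_t, so these rules cannot be what makes a no-initramfs boot work. Please quote the AVC denial (scontext, tclass, permission) that motivated them, or drop them: a domain that can load policy at will defeats the confinement this series set out to improve.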
@@ -186,6 +193,7 @@ libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
 logging_rw_generic_logs(init_t)
 
+seutil_read_bin_policy(init_t)
 seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
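Review bot: `seutil_read_bin_policy(init_t)` is only meaningful alongside `selinux_load_policy(init_t)` in the previous hunk: a domain that may not load the policy gains nothing from reading the binary policy file, while a domain allowed to do both can swap the policy under running services. If the load_policy rule is dropped, drop this one with it; if it stays, the commit message should explain why init_t, rather than the pre-transition stage, reads the policy file.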


* [refpolicy] [PATCH v4] init: support sysvinit
  2016-12-31 19:52         ` [refpolicy] [PATCH v3] init: support sysvinit Guido Trentalancia
@ 2017-01-02  0:04           ` Guido Trentalancia
  2017-01-02 21:11             ` [refpolicy] [PATCH v5] " Guido Trentalancia
  0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02  0:04 UTC (permalink / raw)
  To: refpolicy

Add permissions needed by sysvinit (most notably permissions to
read and load the SELinux policy when not using the initramfs).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/devices.if |   18 ++++++++++++++++++
 policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
 policy/modules/system/init.te    |   14 ++++++++++++++
 3 files changed, 50 insertions(+)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if	2017-01-02 00:53:06.394093456 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
 
 ########################################
 ## <summary>
+##	Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if	2017-01-02 00:53:06.411094078 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
 
 ########################################
 ## <summary>
+##	Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te	2017-01-02 01:00:14.377761326 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
+kernel_mount_proc(init_t)
+kernel_mounton_proc_dirs(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
+dev_mount_sysfs(init_t)
+dev_mounton_sysfs(init_t)
 dev_read_sysfs(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,13 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again
+selinux_get_fs_mount(init_t)
+# the following one is needed for sysvinit without initramfs
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
 selinux_set_all_booleans(init_t)
 
 term_use_all_terms(init_t)
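Review bot: the comment on `selinux_get_fs_mount(init_t)` identifies the actual fault: is_selinux_enabled() fails, sysvinit concludes no policy is loaded and tries to load it again. Once that call succeeds the retry no longer happens, so `selinux_load_policy(init_t)` and `selinux_mount_fs(init_t)` should not be exercised at all; drop them and re-test the no-initramfs boot with only the get_fs_mount rule before keeping rules that let init_t replace the policy at any time (the objection Dominick Grift raises in this thread). The comment `# the following one is needed for sysvinit without initramfs` also conflicts with the point made later in the thread that the initial load happens while the process is still kernel_t.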
@@ -186,6 +198,8 @@ libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
 logging_rw_generic_logs(init_t)
 
+# the following one is needed for sysvinit without initramfs
+seutil_read_bin_policy(init_t)
 seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
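Review bot: same dependency as in the previous hunk: `seutil_read_bin_policy(init_t)` is only useful to a domain that is also allowed to load the policy. If the load_policy rule goes after re-testing with `selinux_get_fs_mount(init_t)`, remove this rule and its comment too, so that init_t ends up with the minimal set the is_selinux_enabled() fix actually needs.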


* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2016-12-31 17:42             ` Guido Trentalancia
@ 2017-01-02 17:55               ` Chris PeBenito
  2017-01-02 18:05                 ` Guido Trentalancia
  0 siblings, 1 reply; 19+ messages in thread
From: Chris PeBenito @ 2017-01-02 17:55 UTC (permalink / raw)
  To: refpolicy

On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
> wrote:
>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>
>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>
>>>>
>>>> Originally the aim of this patch was to start securing the init
>>>> module so that it could run in confined mode instead of in the
>>>> most unsafe unconfined mode and therefore the patch was removing
>>>> the call to unconfined_domain().
>>>>
>>>> However, the removal of the unconfined_domain() call has been
>>>> rejected on the basis of the fact that it can be avoided by not
>>>> loading the "unconfined" policy module (which unfortunately at
>>>> the moment, still gets added to the configuration file during
>>>> "make conf").
>>>>
>>>> Currently, this second version of the patch no longer removes the
>>>> call to unconfined_domain() and it only adds permissions needed
>>>> by sysvinit (most notably the ability to load the policy during
>>>> the system boot).
>>>>
>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>> ---
>>>>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>>>>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>>>>  policy/modules/system/init.te    |    7 +++++++
>>>>  3 files changed, 43 insertions(+)
>
> [...]
>
>>>> diff -pru a/policy/modules/system/init.te
>>>> b/policy/modules/system/init.te
>>>> --- a/policy/modules/system/init.te	2016-12-22
>>>> 23:12:47.784929729 +0100
>>>> +++ b/policy/modules/system/init.te	2016-12-27
>>>> 23:05:37.731451479 +0100
>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>  # Modify utmp.
>>>>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>
>>>> +kernel_mounton_proc_dirs(init_t)
>>>> +kernel_mount_proc(init_t)
>>>>  kernel_read_system_state(init_t)
>>>>  kernel_share_state(init_t)
>>>>  kernel_dontaudit_search_unlabeled(init_t)
>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>  corecmd_exec_chroot(init_t)
>>>>  corecmd_exec_bin(init_t)
>>>>
>>>> +dev_mounton_sysfs(init_t)
>>>> +dev_mount_sysfs(init_t)
>>>>  dev_read_sysfs(init_t)
>>>>  # Early devtmpfs
>>>>  dev_rw_generic_chr_files(init_t)
>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>  files_dontaudit_rw_root_files(init_t)
>>>>  files_dontaudit_rw_root_chr_files(init_t)
>>>>
>>>> +fs_getattr_xattr_fs(init_t)
>>>>  fs_list_inotifyfs(init_t)
>>>>  # cjp: this may be related to /dev/log
>>>>  fs_write_ramfs_sockets(init_t)
>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>  mls_process_write_all_levels(init_t)
>>>>  mls_fd_use_all_levels(init_t)
>>>>
>>>> +selinux_load_policy(init_t)
>>>> +selinux_mount_fs(init_t)
>>>>  selinux_set_all_booleans(init_t)
>>>>
>>>>  term_use_all_terms(init_t)
>>>
>>> I'm not clear why this is necessary.  Sysvinit should only be
>>> loading
>>> the policy if it is not loaded yet, so these permissions should be
>>> unnecessary.
>>
>> The init daemon absolutely needs to load the SELinux policy !
>>
>> Perhaps, it is possible to get rid of the other similar permission in
>> the kernel module, but surely not here, otherwise the system won't
>> boot
>>  !
>
> How about this patch ?
>
> The selinux_load_policy() permission is absolutely necessary for the
> init_t domain, when using sysvinit.

I still run sysvinit systems.  It isn't.


-- 
Chris PeBenito


* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2017-01-02 17:55               ` Chris PeBenito
@ 2017-01-02 18:05                 ` Guido Trentalancia
  2017-01-02 18:13                   ` Jason Zaman
  2017-01-02 18:19                   ` Dominick Grift
  0 siblings, 2 replies; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 18:05 UTC (permalink / raw)
  To: refpolicy

On systems using sysvinit and not using initramfs, the init daemon from sysvinit needs to load the policy or it aborts the system initialization!

The call to selinux_init_load_policy is in the latest sysvinit source code at src/init.c.

Regards, 

Guido 

On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>> Hello again.
>>
>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>
>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>>
>>>>> Originally the aim of this patch was to start securing the init
>>>>> module so that it could run in confined mode instead of in the
>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>> the call to unconfined_domain().
>>>>>
>>>>> However, the removal of the unconfined_domain() call has been
>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>> the moment, still gets added to the configuration file during
>>>>> "make conf").
>>>>>
>>>>> Currently, this second version of the patch no longer removes the
>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>> by sysvinit (most notably the ability to load the policy during
>>>>> the system boot).
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>> ---
>>>>>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>>>>>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>>>>>  policy/modules/system/init.te    |    7 +++++++
>>>>>  3 files changed, 43 insertions(+)
>>
>> [...]
>>
>>>>> diff -pru a/policy/modules/system/init.te
>>>>> b/policy/modules/system/init.te
>>>>> --- a/policy/modules/system/init.te	2016-12-22
>>>>> 23:12:47.784929729 +0100
>>>>> +++ b/policy/modules/system/init.te	2016-12-27
>>>>> 23:05:37.731451479 +0100
>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>  # Modify utmp.
>>>>>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>
>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>> +kernel_mount_proc(init_t)
>>>>>  kernel_read_system_state(init_t)
>>>>>  kernel_share_state(init_t)
>>>>>  kernel_dontaudit_search_unlabeled(init_t)
>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>  corecmd_exec_chroot(init_t)
>>>>>  corecmd_exec_bin(init_t)
>>>>>
>>>>> +dev_mounton_sysfs(init_t)
>>>>> +dev_mount_sysfs(init_t)
>>>>>  dev_read_sysfs(init_t)
>>>>>  # Early devtmpfs
>>>>>  dev_rw_generic_chr_files(init_t)
>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>  files_dontaudit_rw_root_files(init_t)
>>>>>  files_dontaudit_rw_root_chr_files(init_t)
>>>>>
>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>  fs_list_inotifyfs(init_t)
>>>>>  # cjp: this may be related to /dev/log
>>>>>  fs_write_ramfs_sockets(init_t)
>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>  mls_process_write_all_levels(init_t)
>>>>>  mls_fd_use_all_levels(init_t)
>>>>>
>>>>> +selinux_load_policy(init_t)
>>>>> +selinux_mount_fs(init_t)
>>>>>  selinux_set_all_booleans(init_t)
>>>>>
>>>>>  term_use_all_terms(init_t)
>>>>
>>>> I'm not clear why this is necessary.  Sysvinit should only be
>>>> loading
>>>> the policy if it is not loaded yet, so these permissions should be
>>>> unnecessary.
>>>
>>> The init daemon absolutely needs to load the SELinux policy !
>>>
>>> Perhaps, it is possible to get rid of the other similar permission
>in
>>> the kernel module, but surely not here, otherwise the system won't
>>> boot
>>>  !
>>
>> How about this patch ?
>>
>> The selinux_load_policy() permission is absolutely necessary for the
>> init_t domain, when using sysvinit.
>
>I still run sysvinit systems.  It isn't.


* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2017-01-02 18:05                 ` Guido Trentalancia
@ 2017-01-02 18:13                   ` Jason Zaman
  2017-01-02 18:19                     ` Guido Trentalancia
  2017-01-02 18:19                   ` Dominick Grift
  1 sibling, 1 reply; 19+ messages in thread
From: Jason Zaman @ 2017-01-02 18:13 UTC (permalink / raw)
  To: refpolicy

On 3 Jan 2017 2:06 am, "Guido Trentalancia via refpolicy" <
refpolicy@oss.tresys.com> wrote:

On systems using sysvinit and not using initramfs, the init daemon from
sysvinit needs to load the policy or it aborts the system initialization!

The call to selinux_init_load_policy is in the latest sysvinit source code
at src/init.c.


All my machines use sysvinit. And none of the initramfs' have anything
SELinux related. Sysvinit loads the policy for me and it all works fine.

If sysvinit is loading the policy because it isn't in the initramfs then by
definition there is no policy yet at all so how can this rule make any
difference at all?

This rule is absolutely not required on sysvinit systems I'm not sure why
you need it but you're gonna have to give us more info if you want help
figuring out why.

-- Jason

Regards,

Guido

On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <pebenito@ieee.org>
wrote:
>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>> Hello again.
>>
>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>
>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>>
>>>>> Originally the aim of this patch was to start securing the init
>>>>> module so that it could run in confined mode instead of in the
>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>> the call to unconfined_domain().
>>>>>
>>>>> However, the removal of the unconfined_domain() call has been
>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>> the moment, still gets added to the configuration file during
>>>>> "make conf").
>>>>>
>>>>> Currently, this second version of the patch no longer removes the
>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>> by sysvinit (most notably the ability to load the policy during
>>>>> the system boot).
>>>>>
>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>> ---
>>>>>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>>>>>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>>>>>  policy/modules/system/init.te    |    7 +++++++
>>>>>  3 files changed, 43 insertions(+)
>>
>> [...]
>>
>>>>> diff -pru a/policy/modules/system/init.te
>>>>> b/policy/modules/system/init.te
>>>>> --- a/policy/modules/system/init.te       2016-12-22
>>>>> 23:12:47.784929729 +0100
>>>>> +++ b/policy/modules/system/init.te       2016-12-27
>>>>> 23:05:37.731451479 +0100
>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>  # Modify utmp.
>>>>>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>
>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>> +kernel_mount_proc(init_t)
>>>>>  kernel_read_system_state(init_t)
>>>>>  kernel_share_state(init_t)
>>>>>  kernel_dontaudit_search_unlabeled(init_t)
>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>  corecmd_exec_chroot(init_t)
>>>>>  corecmd_exec_bin(init_t)
>>>>>
>>>>> +dev_mounton_sysfs(init_t)
>>>>> +dev_mount_sysfs(init_t)
>>>>>  dev_read_sysfs(init_t)
>>>>>  # Early devtmpfs
>>>>>  dev_rw_generic_chr_files(init_t)
>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>  files_dontaudit_rw_root_files(init_t)
>>>>>  files_dontaudit_rw_root_chr_files(init_t)
>>>>>
>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>  fs_list_inotifyfs(init_t)
>>>>>  # cjp: this may be related to /dev/log
>>>>>  fs_write_ramfs_sockets(init_t)
>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>  mls_process_write_all_levels(init_t)
>>>>>  mls_fd_use_all_levels(init_t)
>>>>>
>>>>> +selinux_load_policy(init_t)
>>>>> +selinux_mount_fs(init_t)
>>>>>  selinux_set_all_booleans(init_t)
>>>>>
>>>>>  term_use_all_terms(init_t)
>>>>
>>>> I'm not clear why this is necessary.  Sysvinit should only be
>>>> loading
>>>> the policy if it is not loaded yet, so these permissions should be
>>>> unnecessary.
>>>
>>> The init daemon absolutely needs to load the SELinux policy !
>>>
>>> Perhaps, it is possible to get rid of the other similar permission
>in
>>> the kernel module, but surely not here, otherwise the system won't
>>> boot
>>>  !
>>
>> How about this patch ?
>>
>> The selinux_load_policy() permission is absolutely necessary for the
>> init_t domain, when using sysvinit.
>
>I still run sysvinit systems.  It isn't.



* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2017-01-02 18:05                 ` Guido Trentalancia
  2017-01-02 18:13                   ` Jason Zaman
@ 2017-01-02 18:19                   ` Dominick Grift
  2017-01-02 18:26                     ` Guido Trentalancia
  1 sibling, 1 reply; 19+ messages in thread
From: Dominick Grift @ 2017-01-02 18:19 UTC (permalink / raw)
  To: refpolicy

On 01/02/2017 07:05 PM, Guido Trentalancia via refpolicy wrote:
> On systems using sysvinit and not using initramfs, the init daemon from sysvinit needs to load the policy or it aborts the system initialization!

How does that work? The policy is obviously already loaded because else
you would not need this permission. So it is "re-loading" the policy?

Allowing init to load_policy is not a good idea IMHO

> 
> The call to selinux_init_load_policy is in the latest sysvinit source code at src/init.c.
> 
> Regards, 
> 
> Guido 
> 
> On the 02nd of January 2017 18:55:07 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>> On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>> Hello again.
>>>
>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>> wrote:
>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>
>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>>
>>>>>> Originally the aim of this patch was to start securing the init
>>>>>> module so that it could run in confined mode instead of in the
>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>> the call to unconfined_domain().
>>>>>>
>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>> the moment, still gets added to the configuration file during
>>>>>> "make conf").
>>>>>>
>>>>>> Currently, this second version of the patch no longer removes the
>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>> the system boot).
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>>> ---
>>>>>>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>>>>>>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>>>>>>  policy/modules/system/init.te    |    7 +++++++
>>>>>>  3 files changed, 43 insertions(+)
>>>
>>> [...]
>>>
>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>> b/policy/modules/system/init.te
>>>>>> --- a/policy/modules/system/init.te	2016-12-22
>>>>>> 23:12:47.784929729 +0100
>>>>>> +++ b/policy/modules/system/init.te	2016-12-27
>>>>>> 23:05:37.731451479 +0100
>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>>  # Modify utmp.
>>>>>>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>
>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>> +kernel_mount_proc(init_t)
>>>>>>  kernel_read_system_state(init_t)
>>>>>>  kernel_share_state(init_t)
>>>>>>  kernel_dontaudit_search_unlabeled(init_t)
>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>>  corecmd_exec_chroot(init_t)
>>>>>>  corecmd_exec_bin(init_t)
>>>>>>
>>>>>> +dev_mounton_sysfs(init_t)
>>>>>> +dev_mount_sysfs(init_t)
>>>>>>  dev_read_sysfs(init_t)
>>>>>>  # Early devtmpfs
>>>>>>  dev_rw_generic_chr_files(init_t)
>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>>  files_dontaudit_rw_root_files(init_t)
>>>>>>  files_dontaudit_rw_root_chr_files(init_t)
>>>>>>
>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>>  fs_list_inotifyfs(init_t)
>>>>>>  # cjp: this may be related to /dev/log
>>>>>>  fs_write_ramfs_sockets(init_t)
>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>>  mls_process_write_all_levels(init_t)
>>>>>>  mls_fd_use_all_levels(init_t)
>>>>>>
>>>>>> +selinux_load_policy(init_t)
>>>>>> +selinux_mount_fs(init_t)
>>>>>>  selinux_set_all_booleans(init_t)
>>>>>>
>>>>>>  term_use_all_terms(init_t)
>>>>>
>>>>> I'm not clear why this is necessary.  Sysvinit should only be
>>>>> loading
>>>>> the policy if it is not loaded yet, so these permissions should be
>>>>> unnecessary.
>>>>
>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>
>>>> Perhaps, it is possible to get rid of the other similar permission
>> in
>>>> the kernel module, but surely not here, otherwise the system won't
>>>> boot
>>>>  !
>>>
>>> How about this patch ?
>>>
>>> The selinux_load_policy() permission is absolutely necessary for the
>>> init_t domain, when using sysvinit.
>>
>> I still run sysvinit systems.  It isn't.
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2017-01-02 18:13                   ` Jason Zaman
@ 2017-01-02 18:19                     ` Guido Trentalancia
  0 siblings, 0 replies; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 18:19 UTC (permalink / raw)
  To: refpolicy

Hello! 

I think you and Christopher are right, because on systems not using initramfs, when sysvinit loads the policy it is still running as kernel_t and has not transitioned yet to init_t.
However, in such a scenario I suspect the kernel module needs selinux_get_fs_mount so that sysvinit can check if SELinux is enabled, as in a popular patch that circulated after version 2.88dsf.

Regards, 

Guido 

On the 02nd of January 2017 19:13:17 CET, Jason Zaman <jason@perfinion.com> wrote:
>On 3 Jan 2017 2:06 am, "Guido Trentalancia via refpolicy" <
>refpolicy at oss.tresys.com> wrote:
>
>On systems using sysvinit and not using initramfs, the init daemon from
>sysvinit needs to load the policy or it aborts the system
>initialization!
>
>The call to selinux_init_load_policy is in the latest sysvinit source
>code
>at src/init.c.
>
>
>All my machines use sysvinit. And none of the initramfs' have anything
>SELinux related. Sysvinit loads the policy for me and it all works
>fine.
>
>If sysvinit is loading the policy because it isn't in the initramfs
>then by
>definition there is no policy yet at all so how can this rule make any
>difference at all?
>
>This rule is absolutely not required on sysvinit systems I'm not sure
>why
>you need it but you're gonna have to give us more info if you want help
>figuring out why.
>
>-- Jason
>
>Regards,
>
>Guido
>
>On the 02nd of January 2017 18:55:07 CET, Chris PeBenito
><pebenito@ieee.org>
>wrote:
>>On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>> Hello again.
>>>
>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>> wrote:
>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>
>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>>
>>>>>> Originally the aim of this patch was to start securing the init
>>>>>> module so that it could run in confined mode instead of in the
>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>> the call to unconfined_domain().
>>>>>>
>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>> the moment, still gets added to the configuration file during
>>>>>> "make conf").
>>>>>>
>>>>>> Currently, this second version of the patch no longer removes the
>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>> the system boot).
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>>> ---
>>>>>>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>>>>>>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>>>>>>  policy/modules/system/init.te    |    7 +++++++
>>>>>>  3 files changed, 43 insertions(+)
>>>
>>> [...]
>>>
>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>> b/policy/modules/system/init.te
>>>>>> --- a/policy/modules/system/init.te       2016-12-22
>>>>>> 23:12:47.784929729 +0100
>>>>>> +++ b/policy/modules/system/init.te       2016-12-27
>>>>>> 23:05:37.731451479 +0100
>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>>  # Modify utmp.
>>>>>>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>
>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>> +kernel_mount_proc(init_t)
>>>>>>  kernel_read_system_state(init_t)
>>>>>>  kernel_share_state(init_t)
>>>>>>  kernel_dontaudit_search_unlabeled(init_t)
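Review bot: the two added lines `kernel_mounton_proc_dirs(init_t)` and `kernel_mount_proc(init_t)` carry no comment saying which call in PID 1 mounts /proc, although the block they join is annotated (`# Modify utmp.`); since the thread attributes the early SELinux work to selinux_init_load_policy() in sysvinit's src/init.c, record that above the two lines and state in the commit message whether they are only exercised on the no-initramfs path, where the thread says the load happens.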
>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>>  corecmd_exec_chroot(init_t)
>>>>>>  corecmd_exec_bin(init_t)
>>>>>>
>>>>>> +dev_mounton_sysfs(init_t)
>>>>>> +dev_mount_sysfs(init_t)
>>>>>>  dev_read_sysfs(init_t)
>>>>>>  # Early devtmpfs
>>>>>>  dev_rw_generic_chr_files(init_t)
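Review bot: `dev_mount_sysfs(init_t)` calls an interface this same patch introduces in devices.if (the diffstat shows the +18 lines there) but that hunk is elided from the quote, so the new interface cannot be checked against its only caller; also nothing says why PID 1 mounts sysfs itself rather than leaving it to the initscripts. A one-line comment in the style of the `# Early devtmpfs` note just below would settle both.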
>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>>  files_dontaudit_rw_root_files(init_t)
>>>>>>  files_dontaudit_rw_root_chr_files(init_t)
>>>>>>
>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>>  fs_list_inotifyfs(init_t)
>>>>>>  # cjp: this may be related to /dev/log
>>>>>>  fs_write_ramfs_sockets(init_t)
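Review bot: `fs_getattr_xattr_fs(init_t)` is not mentioned in the commit message, which only explains the policy-load permissions; say what stats the filesystem (a comment above the line would do), otherwise it reads as a leftover from a broader denial sweep rather than a permission sysvinit is known to need.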
>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>>  mls_process_write_all_levels(init_t)
>>>>>>  mls_fd_use_all_levels(init_t)
>>>>>>
>>>>>> +selinux_load_policy(init_t)
>>>>>> +selinux_mount_fs(init_t)
>>>>>>  selinux_set_all_booleans(init_t)
>>>>>>
>>>>>>  term_use_all_terms(init_t)
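Review bot: `selinux_load_policy(init_t)` is the one addition that lets a misbehaving init_t replace the running policy, and the thread's own explanation is that the load is only needed when no initramfs has loaded the policy first; rather than granting it unconditionally, put it and `selinux_mount_fs(init_t)` under a tunable_policy() block (or at least a comment naming the no-initramfs condition) so that initramfs systems do not carry the permission.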
>>>>>
>>>>> I'm not clear why this is necessary.  Sysvinit should only be
>>>>> loading the policy if it is not loaded yet, so these permissions
>>>>> should be unnecessary.
>>>>
>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>
>>>> Perhaps, it is possible to get rid of the other similar permission
>>>> in the kernel module, but surely not here, otherwise the system
>>>> won't boot!
>>>
>>> How about this patch ?
>>>
>>> The selinux_load_policy() permission is absolutely necessary for the
>>> init_t domain, when using sysvinit.
>>
>>I still run sysvinit systems.  It isn't.
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

^ permalink raw reply	[flat|nested] 19+ messages in thread
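The disagreement above about whether init_t really needs these permissions is normally settled by the AVC denials from a permissive boot. The Python below is added here as an example and is not code from refpolicy, sysvinit or any of the thread participants: it turns audit lines into refpolicy-style allow rules the way audit2allow does, merging permissions per (source, target, class), and flags the ones a reviewer should not accept without a second look. The sample log lines are constructed to resemble denials for the permissions under discussion, and the HIGH_RISK table is this example's own judgement, not refpolicy's.

```python
"""Aggregate AVC denials into allow rules and flag the risky ones.

Added example, not code from refpolicy or sysvinit. The audit lines are
constructed; the HIGH_RISK table is this example's own opinion.
"""
import re
from collections import defaultdict

# Constructed sample: the kind of denials an init_t boot might log in
# permissive mode. Not a real capture.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1483380000.001:5): avc:  denied  { getattr } for  pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1483380000.002:6): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="proc" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1483380000.003:7): avc:  denied  { mounton } for  pid=1 comm="init" name="/" dev="proc" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1483380000.004:8): avc:  denied  { load_policy } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
type=AVC msg=audit(1483380000.005:9): avc:  denied  { read } for  pid=1 comm="init" name="config" dev="sda1" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1483380000.005:9): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1483380000.006:10): avc:  denied  { open } for  pid=1 comm="init" path="/etc/selinux/config" dev="sda1" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
"""

# One AVC record: the permission set in braces, then the two contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Type field of a security context (third colon-separated field, MLS range may follow)."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records and anything else are skipped
        perms = frozenset(m.group("perms").split())
        yield type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perms


def aggregate_rules(log_text):
    """Merge denials into one permission set per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def format_rule(src, tgt, cls, perms):
    """Render one allow rule in policy language, braces only when several permissions."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"


# This example's own view of which permissions deserve a second look before
# they are handed to a domain as central as init_t.
HIGH_RISK = {
    ("security", "load_policy"): "replaces the running policy",
    ("security", "setenforce"): "can switch the system to permissive mode",
    ("security", "setbool"): "flips policy booleans",
}


def review(log_text):
    """Return (rules, warnings): sorted rule strings plus one warning per high-risk permission."""
    rules, warnings = [], []
    for (src, tgt, cls), perms in sorted(aggregate_rules(log_text).items()):
        rules.append(format_rule(src, tgt, cls, perms))
        for perm in sorted(perms):
            if (cls, perm) in HIGH_RISK:
                warnings.append(f"{src} -> {tgt}:{cls} {perm}: {HIGH_RISK[(cls, perm)]}")
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = review(SAMPLE_AUDIT_LOG)
    print("\n".join(rules))
    for warning in warnings:
        print("WARNING:", warning)
```

Run it as a script, or feed it the output of `ausearch -m AVC -ts boot` from a permissive boot; a `security:security load_policy` rule showing up under init_t is exactly the permission the thread objects to granting, and the merged rules are what the refpolicy interfaces in the patch must cover.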

* [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call")
  2017-01-02 18:19                   ` Dominick Grift
@ 2017-01-02 18:26                     ` Guido Trentalancia
  0 siblings, 0 replies; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 18:26 UTC (permalink / raw)
  To: refpolicy

On systems using initramfs and sysvinit, that is a bug in refpolicy due to the missing selinux_get_fs_mount(init_t).

Regards, 

Guido 

On the 02nd of January 2017 19:19:22 CET, Dominick Grift via refpolicy <refpolicy@oss.tresys.com> wrote:
>On 01/02/2017 07:05 PM, Guido Trentalancia via refpolicy wrote:
>> On systems using sysvinit and not using initramfs, the init daemon
>> from sysvinit needs to load the policy or it aborts the system
>> initialization!
>
>How does that work? The policy is obviously already loaded because else
>you would not need this permission. So it is "re-loading" the policy?
>
>Allowing init to load_policy is not a good idea IMHO
>
>> 
>> The call to selinux_init_load_policy is in the latest sysvinit source
>> code at src/init.c.
>> 
>> Regards, 
>> 
>> Guido 
>> 
>> On the 02nd of January 2017 18:55:07 CET, Chris PeBenito
><pebenito@ieee.org> wrote:
>>> On 12/31/16 12:42, Guido Trentalancia via refpolicy wrote:
>>>> Hello again.
>>>>
>>>> On Fri, 30/12/2016 at 22.10 +0100, Guido Trentalancia via refpolicy
>>>> wrote:
>>>>> On Fri, 30/12/2016 at 14.24 -0500, Chris PeBenito wrote:
>>>>>>
>>>>>> On 12/28/16 15:45, Guido Trentalancia via refpolicy wrote:
>>>>>>>
>>>>>>>
>>>>>>> Originally the aim of this patch was to start securing the init
>>>>>>> module so that it could run in confined mode instead of in the
>>>>>>> most unsafe unconfined mode and therefore the patch was removing
>>>>>>> the call to unconfined_domain().
>>>>>>>
>>>>>>> However, the removal of the unconfined_domain() call has been
>>>>>>> rejected on the basis of the fact that it can be avoided by not
>>>>>>> loading the "unconfined" policy module (which unfortunately at
>>>>>>> the moment, still gets added to the configuration file during
>>>>>>> "make conf").
>>>>>>>
>>>>>>> Currently, this second version of the patch no longer removes the
>>>>>>> call to unconfined_domain() and it only adds permissions needed
>>>>>>> by sysvinit (most notably the ability to load the policy during
>>>>>>> the system boot).
>>>>>>>
>>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>>>>>> ---
>>>>>>>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>>>>>>>  policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
>>>>>>>  policy/modules/system/init.te    |    7 +++++++
>>>>>>>  3 files changed, 43 insertions(+)
>>>>
>>>> [...]
>>>>
>>>>>>> diff -pru a/policy/modules/system/init.te
>>>>>>> b/policy/modules/system/init.te
>>>>>>> --- a/policy/modules/system/init.te	2016-12-22
>>>>>>> 23:12:47.784929729 +0100
>>>>>>> +++ b/policy/modules/system/init.te	2016-12-27
>>>>>>> 23:05:37.731451479 +0100
>>>>>>> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
>>>>>>>  # Modify utmp.
>>>>>>>  allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>>>>>>>
>>>>>>> +kernel_mounton_proc_dirs(init_t)
>>>>>>> +kernel_mount_proc(init_t)
>>>>>>>  kernel_read_system_state(init_t)
>>>>>>>  kernel_share_state(init_t)
>>>>>>>  kernel_dontaudit_search_unlabeled(init_t)
>>>>>>> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
>>>>>>>  corecmd_exec_chroot(init_t)
>>>>>>>  corecmd_exec_bin(init_t)
>>>>>>>
>>>>>>> +dev_mounton_sysfs(init_t)
>>>>>>> +dev_mount_sysfs(init_t)
>>>>>>>  dev_read_sysfs(init_t)
>>>>>>>  # Early devtmpfs
>>>>>>>  dev_rw_generic_chr_files(init_t)
>>>>>>> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
>>>>>>>  files_dontaudit_rw_root_files(init_t)
>>>>>>>  files_dontaudit_rw_root_chr_files(init_t)
>>>>>>>
>>>>>>> +fs_getattr_xattr_fs(init_t)
>>>>>>>  fs_list_inotifyfs(init_t)
>>>>>>>  # cjp: this may be related to /dev/log
>>>>>>>  fs_write_ramfs_sockets(init_t)
>>>>>>> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
>>>>>>>  mls_process_write_all_levels(init_t)
>>>>>>>  mls_fd_use_all_levels(init_t)
>>>>>>>
>>>>>>> +selinux_load_policy(init_t)
>>>>>>> +selinux_mount_fs(init_t)
>>>>>>>  selinux_set_all_booleans(init_t)
>>>>>>>
>>>>>>>  term_use_all_terms(init_t)
>>>>>>
>>>>>> I'm not clear why this is necessary.  Sysvinit should only be
>>>>>> loading the policy if it is not loaded yet, so these permissions
>>>>>> should be unnecessary.
>>>>>
>>>>> The init daemon absolutely needs to load the SELinux policy !
>>>>>
>>>>> Perhaps, it is possible to get rid of the other similar permission
>>>>> in the kernel module, but surely not here, otherwise the system
>>>>> won't boot!
>>>>
>>>> How about this patch ?
>>>>
>>>> The selinux_load_policy() permission is absolutely necessary for the
>>>> init_t domain, when using sysvinit.
>>>
>>> I still run sysvinit systems.  It isn't.


* [refpolicy] [PATCH v5] init: support sysvinit
  2017-01-02  0:04           ` [refpolicy] [PATCH v4] " Guido Trentalancia
@ 2017-01-02 21:11             ` Guido Trentalancia
  2017-01-04  0:36               ` Chris PeBenito
  0 siblings, 1 reply; 19+ messages in thread
From: Guido Trentalancia @ 2017-01-02 21:11 UTC (permalink / raw)
  To: refpolicy

Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.

Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.
 
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/init.te |    5 +++++
 1 file changed, 5 insertions(+)

diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-29 22:48:16.456818544 +0100
+++ b/policy/modules/system/init.te	2017-01-02 21:08:19.963436591 +0100
@@ -162,6 +162,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
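Review bot: `fs_getattr_xattr_fs(init_t)` still has no comment, and the commit message explains only selinux_get_fs_mount(); either drop it from this patch or add a one-line comment naming the call that stats the filesystem, in the style of the `# cjp:` note two lines below, so the permission stays traceable once the sysvinit test system is gone.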
@@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again when using the initramfs
+selinux_get_fs_mount(init_t)
 selinux_set_all_booleans(init_t)
 
 term_use_all_terms(init_t)
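Review bot: the comment above `selinux_get_fs_mount(init_t)` describes the symptom (is_selinux_enabled() fails, sysvinit loads the policy again) but not the permission being granted, which is what the next reader of init.te needs; suggest a shorter third-person form matching the file's other comments (`# Modify utmp.` in the quoted hunks above), such as `# stat selinuxfs so is_selinux_enabled() sees the policy loaded by the initramfs`.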

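The exchange with Dominick above (is init re-loading a policy that is already loaded?) and the v5 commit message's explanation that is_selinux_enabled() fails without selinux_get_fs_mount() describe one decision taken by PID 1. The Python below is an added model of that decision and is not sysvinit's or libselinux's code: the libselinux calls are replaced by pure functions over a constructed /proc/mounts excerpt and explicit AVC verdicts, and the order of checks (SELINUX_INIT marker, then is_selinux_enabled(), then the initial load) is an assumption about sysvinit's src/init.c taken from the thread's description. It shows why, on an initramfs system, a denied getattr on selinuxfs makes init take the load path that selinux_load_policy(init_t) would have been needed for.

```python
"""Model of an init daemon's SELinux bootstrap decision.

Added example, not sysvinit's or libselinux's code. The check order is an
assumption about sysvinit's src/init.c; the mount tables are constructed.
"""
from dataclasses import dataclass

# Constructed /proc/mounts excerpt: an initramfs already loaded the policy
# and mounted selinuxfs before handing over to init.
MOUNTS_WITH_SELINUXFS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
"""

# Constructed /proc/mounts excerpt: no initramfs, nothing has loaded a policy yet.
MOUNTS_NO_SELINUXFS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""


def selinuxfs_mountpoint(mounts_text):
    """Mount point of the first selinuxfs entry, or None (the scan libselinux does over /proc/mounts)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "selinuxfs":
            return fields[1]
    return None


def is_selinux_enabled(mounts_text, avc_allows_getattr):
    """1 if selinuxfs is mounted and the caller may stat it, else 0.

    avc_allows_getattr stands in for the `security_t:filesystem getattr`
    check that selinux_get_fs_mount() grants: when it is denied, the stat of
    the mount point fails and the policy looks unloaded although it is not.
    """
    if selinuxfs_mountpoint(mounts_text) is None:
        return 0
    return 1 if avc_allows_getattr else 0


@dataclass(frozen=True)
class BootEnv:
    selinux_init_set: bool       # marker init exports before re-exec (assumed name SELINUX_INIT)
    mounts: str                  # /proc/mounts content as seen by PID 1
    avc_allows_getattr: bool     # security_t:filesystem getattr verdict
    avc_allows_load_policy: bool # security_t:security load_policy verdict
    enforcing: bool              # mode requested by /etc/selinux/config


def init_bootstrap(env):
    """Action PID 1 takes at start-up, under the assumed sysvinit check order.

    "skip_load"   : policy already in place (or second pass after re-exec), no load attempted
    "load_policy" : initial load attempted, which needs selinux_load_policy(init_t)
    "halt"        : load attempted but denied while enforcing was requested
    """
    if env.selinux_init_set:
        return "skip_load"
    if is_selinux_enabled(env.mounts, env.avc_allows_getattr):
        return "skip_load"
    # Policy looks unloaded: this is the path an initramfs system must never
    # reach, and the one a denied getattr silently sends it down.
    if env.avc_allows_load_policy:
        return "load_policy"
    return "halt" if env.enforcing else "skip_load"


def missing_interface(env):
    """Name the refpolicy interface whose absence explains a wrong load attempt, if any."""
    if selinuxfs_mountpoint(env.mounts) is not None and not env.avc_allows_getattr:
        return "selinux_get_fs_mount"  # what v5 adds for init_t
    return None


# Named scenarios drawn from the thread: initramfs present or not, getattr
# granted or denied, load_policy granted (the v2 patch) or not.
SCENARIOS = {
    "initramfs, getattr allowed": BootEnv(False, MOUNTS_WITH_SELINUXFS, True, False, True),
    "initramfs, getattr denied": BootEnv(False, MOUNTS_WITH_SELINUXFS, False, False, True),
    "initramfs, getattr denied, load_policy granted": BootEnv(False, MOUNTS_WITH_SELINUXFS, False, True, True),
    "no initramfs, load_policy granted": BootEnv(False, MOUNTS_NO_SELINUXFS, True, True, True),
}


def run_scenarios():
    """Map each scenario name to (action, missing interface or None)."""
    return {name: (init_bootstrap(env), missing_interface(env)) for name, env in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (action, missing) in run_scenarios().items():
        print(f"{name:50s} -> {action:11s} missing: {missing}")
```

The second scenario is the v5 bug: the policy is loaded, but with getattr denied init cannot tell, so it tries the initial load, is refused, and halts in enforcing mode; granting load_policy (third scenario) makes the boot succeed by re-loading a policy that was already there, which is why the getattr permission is the right fix and the load permission is not.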

* [refpolicy] [PATCH v5] init: support sysvinit
  2017-01-02 21:11             ` [refpolicy] [PATCH v5] " Guido Trentalancia
@ 2017-01-04  0:36               ` Chris PeBenito
  0 siblings, 0 replies; 19+ messages in thread
From: Chris PeBenito @ 2017-01-04  0:36 UTC (permalink / raw)
  To: refpolicy

On 01/02/17 16:11, Guido Trentalancia via refpolicy wrote:
> Add a permission needed for the correct functioning of sysvinit
> on systems using the initramfs.
>
> Without the selinux_get_fs_mount() interface call, the call to
> libselinux:is_selinux_enabled() fails and sysvinit tries to do
> the initial policy load again.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/init.te |    5 +++++
>  1 file changed, 5 insertions(+)
>
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te	2016-12-29 22:48:16.456818544 +0100
> +++ b/policy/modules/system/init.te	2017-01-02 21:08:19.963436591 +0100
> @@ -162,6 +162,7 @@ files_exec_etc_files(init_t)
>  files_dontaudit_rw_root_files(init_t)
>  files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
>  fs_list_inotifyfs(init_t)
>  # cjp: this may be related to /dev/log
>  fs_write_ramfs_sockets(init_t)
> @@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t)
>  mls_process_write_all_levels(init_t)
>  mls_fd_use_all_levels(init_t)
>
> +# the following one is needed for libselinux:is_selinux_enabled()
> +# otherwise the call fails and sysvinit tries to load the policy
> +# again when using the initramfs
> +selinux_get_fs_mount(init_t)
>  selinux_set_all_booleans(init_t)
>
>  term_use_all_terms(init_t)

Merged.

-- 
Chris PeBenito


end of thread, other threads:[~2017-01-04  0:36 UTC | newest]

Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-27 22:16 [refpolicy] [PATCH] init: run sysvinit without the dangerous unconfined_domain() call Guido Trentalancia
2016-12-27 22:38 ` Luis Ressel
2016-12-27 22:54   ` Guido Trentalancia
2016-12-27 23:02     ` Luis Ressel
2016-12-28 20:45       ` [refpolicy] [PATCH v2] init: support sysvinit (was "run sysvinit without the dangerous unconfined_domain() call") Guido Trentalancia
2016-12-30 19:24         ` Chris PeBenito
2016-12-30 21:10           ` Guido Trentalancia
2016-12-30 21:13             ` Dominick Grift
2016-12-31 17:42             ` Guido Trentalancia
2017-01-02 17:55               ` Chris PeBenito
2017-01-02 18:05                 ` Guido Trentalancia
2017-01-02 18:13                   ` Jason Zaman
2017-01-02 18:19                     ` Guido Trentalancia
2017-01-02 18:19                   ` Dominick Grift
2017-01-02 18:26                     ` Guido Trentalancia
2016-12-31 19:52         ` [refpolicy] [PATCH v3] init: support sysvinit Guido Trentalancia
2017-01-02  0:04           ` [refpolicy] [PATCH v4] " Guido Trentalancia
2017-01-02 21:11             ` [refpolicy] [PATCH v5] " Guido Trentalancia
2017-01-04  0:36               ` Chris PeBenito
