[refpolicy] [PATCH] single binary modutils

[refpolicy] [PATCH] single binary modutils

[Russell Coker]

The following patch deals with a single binary for modutils, so depmod_t,
and insmod_t are merged.


diff -ruN /home/rjc/src/pol-git/policy/modules/system/modutils.fc ./policy/modules/system/modutils.fc
--- /home/rjc/src/pol-git/policy/modules/system/modutils.fc	2016-07-28 20:33:39.971961928 +1000
+++ ./policy/modules/system/modutils.fc	2016-07-31 22:31:01.121039414 +1000
@@ -23,3 +23,4 @@
 /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 
 /usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
+/var/run/tmpfiles.d(/.*)?	gen_context(system_u:object_r:kmod_var_run_t,s0)
diff -ruN /home/rjc/src/pol-git/policy/modules/system/modutils.te ./policy/modules/system/modutils.te
--- /home/rjc/src/pol-git/policy/modules/system/modutils.te	2016-07-28 20:33:39.971961928 +1000
+++ ./policy/modules/system/modutils.te	2016-07-31 22:31:01.117039342 +1000
@@ -5,15 +5,12 @@
 # Declarations
 #
 
-attribute_role update_modules_roles;
-
-type depmod_t;
-type depmod_exec_t;
-init_system_domain(depmod_t, depmod_exec_t)
-role system_r types depmod_t;
-
 type insmod_t;
+typealias insmod_t alias { depmod_t update_modules_t };
+
 type insmod_exec_t;
+typealias insmod_exec_t alias { depmod_exec_t update_modules_exec_t };
+
 application_domain(insmod_t, insmod_exec_t)
 mls_file_write_all_levels(insmod_t)
 role system_r types insmod_t;
@@ -26,77 +23,8 @@
 type modules_dep_t;
 files_type(modules_dep_t)
 
-type update_modules_t;
-type update_modules_exec_t;
-init_system_domain(update_modules_t, update_modules_exec_t)
-roleattribute system_r update_modules_roles;
-role update_modules_roles types update_modules_t;
-
-type update_modules_tmp_t;
-files_tmp_file(update_modules_tmp_t)
-
-########################################
-#
-# depmod local policy
-#
-
-can_exec(depmod_t, depmod_exec_t)
-
-# Read conf.modules.
-read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
-
-allow depmod_t modules_dep_t:file manage_file_perms;
-files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
-
-kernel_read_system_state(depmod_t)
-
-corecmd_search_bin(depmod_t)
-
-domain_use_interactive_fds(depmod_t)
-
-files_read_kernel_symbol_table(depmod_t)
-files_read_kernel_modules(depmod_t)
-files_read_etc_runtime_files(depmod_t)
-files_read_etc_files(depmod_t)
-files_read_usr_src_files(depmod_t)
-files_list_usr(depmod_t)
-
-fs_getattr_xattr_fs(depmod_t)
-
-term_use_console(depmod_t)
-
-init_use_fds(depmod_t)
-init_use_script_fds(depmod_t)
-init_use_script_ptys(depmod_t)
-
-userdom_use_user_terminals(depmod_t)
-# Read System.map from home directories.
-files_list_home(depmod_t)
-userdom_read_user_home_content_files(depmod_t)
-
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(depmod_t)
-	')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(depmod_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(depmod_t)
-')
-
-optional_policy(`
-	rpm_rw_pipes(depmod_t)
-	rpm_manage_script_tmp_files(depmod_t)
-')
-
-optional_policy(`
-	# Read System.map from home directories.
-	unconfined_domain(depmod_t)
-')
+type kmod_var_run_t;
+files_pid_file(kmod_var_run_t)
 
 ########################################
 #
@@ -114,6 +42,9 @@
 read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
 read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+filetrans_add_pattern(insmod_t, modules_object_t, modules_dep_t, file)
+create_files_pattern(insmod_t, modules_object_t, modules_dep_t)
+delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)
 
 can_exec(insmod_t, insmod_exec_t)
 
@@ -136,6 +67,11 @@
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
 
+# for /run/tmpfiles.d/kmod.conf
+files_pid_filetrans(insmod_t, kmod_var_run_t, dir)
+allow insmod_t kmod_var_run_t:dir manage_dir_perms;
+allow insmod_t kmod_var_run_t:file manage_file_perms;
+
 dev_rw_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
 dev_rw_mtrr(insmod_t)
@@ -238,6 +174,7 @@
 optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
+	unconfined_domtrans_to(insmod_t, insmod_exec_t)
 ')
 
 optional_policy(`
@@ -247,85 +184,3 @@
 	xserver_getattr_log(insmod_t)
 ')
 
-#################################
-#
-# update-modules local policy
-#
-
-allow update_modules_t self:fifo_file rw_fifo_file_perms;
-
-allow update_modules_t modules_dep_t:file rw_file_perms;
-
-can_exec(update_modules_t, insmod_exec_t)
-can_exec(update_modules_t, update_modules_exec_t)
-
-# manage module loading configuration
-manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
-files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
-files_etc_filetrans(update_modules_t, modules_conf_t, file)
-
-# transition to depmod
-domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-allow update_modules_t depmod_t:fd use;
-allow depmod_t update_modules_t:fd use;
-allow depmod_t update_modules_t:fifo_file rw_file_perms;
-allow depmod_t update_modules_t:process sigchld;
-
-manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
-manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
-files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(update_modules_t)
-kernel_read_system_state(update_modules_t)
-
-corecmd_exec_bin(update_modules_t)
-corecmd_exec_shell(update_modules_t)
-
-dev_read_urand(update_modules_t)
-
-domain_use_interactive_fds(update_modules_t)
-
-files_read_etc_runtime_files(update_modules_t)
-files_read_etc_files(update_modules_t)
-files_exec_etc_files(update_modules_t)
-
-fs_getattr_xattr_fs(update_modules_t)
-
-term_use_console(update_modules_t)
-
-init_use_fds(update_modules_t)
-init_use_script_fds(update_modules_t)
-init_use_script_ptys(update_modules_t)
-
-logging_send_syslog_msg(update_modules_t)
-
-miscfiles_read_localization(update_modules_t)
-
-modutils_run_insmod(update_modules_t, update_modules_roles)
-
-userdom_use_user_terminals(update_modules_t)
-userdom_dontaudit_search_user_home_dirs(update_modules_t)
-
-ifdef(`distro_gentoo',`
-	kernel_list_unlabeled(update_modules_t) # /var
-
-	files_search_pids(update_modules_t)
-	files_getattr_usr_src_files(update_modules_t)
-
-	# update-modules on Gentoo throws errors when run because it
-	# sources /etc/init.d/functions.sh, which always scans
-	# /var/lib/init.d to set SOFTLEVEL environment var.
-	# This is never used by update-modules.
-	files_dontaudit_search_var_lib(update_modules_t)
-	init_dontaudit_read_script_status_files(update_modules_t)
-
-	optional_policy(`
-		consoletype_exec(update_modules_t)
-	')
-')
-
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(update_modules_t)
-	')
-')

[refpolicy] [PATCH] single binary modutils

[Chris PeBenito]

On 07/31/16 08:34, Russell Coker wrote:
> The following patch deals with a single binary for modutils, so depmod_t,
> and insmod_t are merged.

Since the main SELinux distros (including RHEL/CentOS 7) all have merged 
modutils these days, I'm open to taking a patch that fully merges these 
domains (in which case renaming to kmod_t, with proper aliasing seems 
the best idea).

However, it's been some time since I used a busybox-based system; does 
busybox still have separated tools?  Yes, this is a bit of an obvious 
question since busybox is also single-binary, but IIRC, the embedded 
guys made some tiny helper scripts or executables so proper 
transitioning could occur.  Separate domains may still make sense.



> diff -ruN /home/rjc/src/pol-git/policy/modules/system/modutils.fc ./policy/modules/system/modutils.fc
> --- /home/rjc/src/pol-git/policy/modules/system/modutils.fc	2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/modutils.fc	2016-07-31 22:31:01.121039414 +1000
> @@ -23,3 +23,4 @@
>  /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
>
>  /usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
> +/var/run/tmpfiles.d(/.*)?	gen_context(system_u:object_r:kmod_var_run_t,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/modutils.te ./policy/modules/system/modutils.te
> --- /home/rjc/src/pol-git/policy/modules/system/modutils.te	2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/modutils.te	2016-07-31 22:31:01.117039342 +1000
> @@ -5,15 +5,12 @@
>  # Declarations
>  #
>
> -attribute_role update_modules_roles;
> -
> -type depmod_t;
> -type depmod_exec_t;
> -init_system_domain(depmod_t, depmod_exec_t)
> -role system_r types depmod_t;
> -
>  type insmod_t;
> +typealias insmod_t alias { depmod_t update_modules_t };
> +
>  type insmod_exec_t;
> +typealias insmod_exec_t alias { depmod_exec_t update_modules_exec_t };
> +
>  application_domain(insmod_t, insmod_exec_t)
>  mls_file_write_all_levels(insmod_t)
>  role system_r types insmod_t;
> @@ -26,77 +23,8 @@
>  type modules_dep_t;
>  files_type(modules_dep_t)
>
> -type update_modules_t;
> -type update_modules_exec_t;
> -init_system_domain(update_modules_t, update_modules_exec_t)
> -roleattribute system_r update_modules_roles;
> -role update_modules_roles types update_modules_t;
> -
> -type update_modules_tmp_t;
> -files_tmp_file(update_modules_tmp_t)
> -
> -########################################
> -#
> -# depmod local policy
> -#
> -
> -can_exec(depmod_t, depmod_exec_t)
> -
> -# Read conf.modules.
> -read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
> -
> -allow depmod_t modules_dep_t:file manage_file_perms;
> -files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
> -
> -kernel_read_system_state(depmod_t)
> -
> -corecmd_search_bin(depmod_t)
> -
> -domain_use_interactive_fds(depmod_t)
> -
> -files_read_kernel_symbol_table(depmod_t)
> -files_read_kernel_modules(depmod_t)
> -files_read_etc_runtime_files(depmod_t)
> -files_read_etc_files(depmod_t)
> -files_read_usr_src_files(depmod_t)
> -files_list_usr(depmod_t)
> -
> -fs_getattr_xattr_fs(depmod_t)
> -
> -term_use_console(depmod_t)
> -
> -init_use_fds(depmod_t)
> -init_use_script_fds(depmod_t)
> -init_use_script_ptys(depmod_t)
> -
> -userdom_use_user_terminals(depmod_t)
> -# Read System.map from home directories.
> -files_list_home(depmod_t)
> -userdom_read_user_home_content_files(depmod_t)
> -
> -ifdef(`distro_ubuntu',`
> -	optional_policy(`
> -		unconfined_domain(depmod_t)
> -	')
> -')
> -
> -tunable_policy(`use_nfs_home_dirs',`
> -	fs_read_nfs_files(depmod_t)
> -')
> -
> -tunable_policy(`use_samba_home_dirs',`
> -	fs_read_cifs_files(depmod_t)
> -')
> -
> -optional_policy(`
> -	rpm_rw_pipes(depmod_t)
> -	rpm_manage_script_tmp_files(depmod_t)
> -')
> -
> -optional_policy(`
> -	# Read System.map from home directories.
> -	unconfined_domain(depmod_t)
> -')
> +type kmod_var_run_t;
> +files_pid_file(kmod_var_run_t)
>
>  ########################################
>  #
> @@ -114,6 +42,9 @@
>  read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
>  list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
>  read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
> +filetrans_add_pattern(insmod_t, modules_object_t, modules_dep_t, file)
> +create_files_pattern(insmod_t, modules_object_t, modules_dep_t)
> +delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)
>
>  can_exec(insmod_t, insmod_exec_t)
>
> @@ -136,6 +67,11 @@
>  corecmd_exec_bin(insmod_t)
>  corecmd_exec_shell(insmod_t)
>
> +# for /run/tmpfiles.d/kmod.conf
> +files_pid_filetrans(insmod_t, kmod_var_run_t, dir)
> +allow insmod_t kmod_var_run_t:dir manage_dir_perms;
> +allow insmod_t kmod_var_run_t:file manage_file_perms;
> +
>  dev_rw_sysfs(insmod_t)
>  dev_search_usbfs(insmod_t)
>  dev_rw_mtrr(insmod_t)
> @@ -238,6 +174,7 @@
>  optional_policy(`
>  	unconfined_domain(insmod_t)
>  	unconfined_dontaudit_rw_pipes(insmod_t)
> +	unconfined_domtrans_to(insmod_t, insmod_exec_t)
>  ')
>
>  optional_policy(`
> @@ -247,85 +184,3 @@
>  	xserver_getattr_log(insmod_t)
>  ')
>
> -#################################
> -#
> -# update-modules local policy
> -#
> -
> -allow update_modules_t self:fifo_file rw_fifo_file_perms;
> -
> -allow update_modules_t modules_dep_t:file rw_file_perms;
> -
> -can_exec(update_modules_t, insmod_exec_t)
> -can_exec(update_modules_t, update_modules_exec_t)
> -
> -# manage module loading configuration
> -manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
> -files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
> -files_etc_filetrans(update_modules_t, modules_conf_t, file)
> -
> -# transition to depmod
> -domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
> -allow update_modules_t depmod_t:fd use;
> -allow depmod_t update_modules_t:fd use;
> -allow depmod_t update_modules_t:fifo_file rw_file_perms;
> -allow depmod_t update_modules_t:process sigchld;
> -
> -manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
> -manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
> -files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
> -
> -kernel_read_kernel_sysctls(update_modules_t)
> -kernel_read_system_state(update_modules_t)
> -
> -corecmd_exec_bin(update_modules_t)
> -corecmd_exec_shell(update_modules_t)
> -
> -dev_read_urand(update_modules_t)
> -
> -domain_use_interactive_fds(update_modules_t)
> -
> -files_read_etc_runtime_files(update_modules_t)
> -files_read_etc_files(update_modules_t)
> -files_exec_etc_files(update_modules_t)
> -
> -fs_getattr_xattr_fs(update_modules_t)
> -
> -term_use_console(update_modules_t)
> -
> -init_use_fds(update_modules_t)
> -init_use_script_fds(update_modules_t)
> -init_use_script_ptys(update_modules_t)
> -
> -logging_send_syslog_msg(update_modules_t)
> -
> -miscfiles_read_localization(update_modules_t)
> -
> -modutils_run_insmod(update_modules_t, update_modules_roles)
> -
> -userdom_use_user_terminals(update_modules_t)
> -userdom_dontaudit_search_user_home_dirs(update_modules_t)
> -
> -ifdef(`distro_gentoo',`
> -	kernel_list_unlabeled(update_modules_t) # /var
> -
> -	files_search_pids(update_modules_t)
> -	files_getattr_usr_src_files(update_modules_t)
> -
> -	# update-modules on Gentoo throws errors when run because it
> -	# sources /etc/init.d/functions.sh, which always scans
> -	# /var/lib/init.d to set SOFTLEVEL environment var.
> -	# This is never used by update-modules.
> -	files_dontaudit_search_var_lib(update_modules_t)
> -	init_dontaudit_read_script_status_files(update_modules_t)
> -
> -	optional_policy(`
> -		consoletype_exec(update_modules_t)
> -	')
> -')
> -
> -ifdef(`distro_ubuntu',`
> -	optional_policy(`
> -		unconfined_domain(update_modules_t)
> -	')
> -')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito

[refpolicy] [PATCH] single binary modutils

[Russell Coker]

On Wed, 3 Aug 2016 09:59:28 AM Chris PeBenito wrote:
> On 07/31/16 08:34, Russell Coker wrote:
> > The following patch deals with a single binary for modutils, so depmod_t,
> > and insmod_t are merged.
> 
> Since the main SELinux distros (including RHEL/CentOS 7) all have merged 
> modutils these days, I'm open to taking a patch that fully merges these 
> domains (in which case renaming to kmod_t, with proper aliasing seems 
> the best idea).

OK.

> However, it's been some time since I used a busybox-based system; does 
> busybox still have separated tools?  Yes, this is a bit of an obvious 
> question since busybox is also single-binary, but IIRC, the embedded 
> guys made some tiny helper scripts or executables so proper 
> transitioning could occur.  Separate domains may still make sense.

Maybe have an ifdef(`embedded' or something around it then?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

[refpolicy] [PATCH] single binary modutils

[Chris PeBenito]

On 08/02/16 22:33, Russell Coker wrote:
> On Wed, 3 Aug 2016 09:59:28 AM Chris PeBenito wrote:
>> On 07/31/16 08:34, Russell Coker wrote:
>>> The following patch deals with a single binary for modutils, so depmod_t,
>>> and insmod_t are merged.
>>
>> Since the main SELinux distros (including RHEL/CentOS 7) all have merged
>> modutils these days, I'm open to taking a patch that fully merges these
>> domains (in which case renaming to kmod_t, with proper aliasing seems
>> the best idea).
>
> OK.
>
>> However, it's been some time since I used a busybox-based system; does
>> busybox still have separated tools?  Yes, this is a bit of an obvious
>> question since busybox is also single-binary, but IIRC, the embedded
>> guys made some tiny helper scripts or executables so proper
>> transitioning could occur.  Separate domains may still make sense.
>
> Maybe have an ifdef(`embedded' or something around it then?

I'm having a hard time envisioning how that would work.

If anyone is using busybox like this, please speak up.  No sense in us 
trying to handle a use case that no one uses.

-- 
Chris PeBenito

[refpolicy] [PATCH] single binary modutils

[Russell Coker]

On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
> On 07/31/16 08:34, Russell Coker wrote:
> > The following patch deals with a single binary for modutils, so depmod_t,
> > and insmod_t are merged.
> 
> Since the main SELinux distros (including RHEL/CentOS 7) all have merged 
> modutils these days, I'm open to taking a patch that fully merges these 
> domains (in which case renaming to kmod_t, with proper aliasing seems 
> the best idea).
> 
> However, it's been some time since I used a busybox-based system; does 
> busybox still have separated tools?  Yes, this is a bit of an obvious 
> question since busybox is also single-binary, but IIRC, the embedded 
> guys made some tiny helper scripts or executables so proper 
> transitioning could occur.  Separate domains may still make sense.

As we have had no response from Busybox users in the last 3 months and also no 
response to the thread Luis started in 2013 I think it's safe to assume that 
they don't need this.

I've attached a new patch which renames to kmod_t as you suggested.  Please 
consider it for inclusion.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
-------------- next part --------------
Description: Change modutils policy to match the use of a single binary
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-06-25

Index: refpolicy-2.20160928/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20160928/policy/modules/system/modutils.te
@@ -5,18 +5,15 @@ policy_module(modutils, 1.16.0)
 # Declarations
 #
 
-attribute_role update_modules_roles;
+type kmod_t;
+typealias kmod_t alias { insmod_t depmod_t update_modules_t };
 
-type depmod_t;
-type depmod_exec_t;
-init_system_domain(depmod_t, depmod_exec_t)
-role system_r types depmod_t;
-
-type insmod_t;
-type insmod_exec_t;
-application_domain(insmod_t, insmod_exec_t)
-mls_file_write_all_levels(insmod_t)
-role system_r types insmod_t;
+type kmod_exec_t;
+typealias kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
+
+application_domain(kmod_t, kmod_exec_t)
+mls_file_write_all_levels(kmod_t)
+role system_r types kmod_t;
 
 # module loading config
 type modules_conf_t;
@@ -26,306 +23,164 @@ files_type(modules_conf_t)
 type modules_dep_t;
 files_type(modules_dep_t)
 
-type update_modules_t;
-type update_modules_exec_t;
-init_system_domain(update_modules_t, update_modules_exec_t)
-roleattribute system_r update_modules_roles;
-role update_modules_roles types update_modules_t;
-
-type update_modules_tmp_t;
-files_tmp_file(update_modules_tmp_t)
-
-########################################
-#
-# depmod local policy
-#
-
-can_exec(depmod_t, depmod_exec_t)
-
-# Read conf.modules.
-read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
-
-allow depmod_t modules_dep_t:file manage_file_perms;
-files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
-
-kernel_read_system_state(depmod_t)
-
-corecmd_search_bin(depmod_t)
-
-domain_use_interactive_fds(depmod_t)
-
-files_read_kernel_symbol_table(depmod_t)
-files_read_kernel_modules(depmod_t)
-files_read_etc_runtime_files(depmod_t)
-files_read_etc_files(depmod_t)
-files_read_usr_src_files(depmod_t)
-files_list_usr(depmod_t)
-
-fs_getattr_xattr_fs(depmod_t)
-
-term_use_console(depmod_t)
-
-init_use_fds(depmod_t)
-init_use_script_fds(depmod_t)
-init_use_script_ptys(depmod_t)
-
-userdom_use_user_terminals(depmod_t)
-# Read System.map from home directories.
-files_list_home(depmod_t)
-userdom_read_user_home_content_files(depmod_t)
-
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(depmod_t)
-	')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(depmod_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(depmod_t)
-')
-
-optional_policy(`
-	rpm_rw_pipes(depmod_t)
-	rpm_manage_script_tmp_files(depmod_t)
-')
-
-optional_policy(`
-	# Read System.map from home directories.
-	unconfined_domain(depmod_t)
-')
+type kmod_var_run_t;
+files_pid_file(kmod_var_run_t)
 
 ########################################
 #
 # insmod local policy
 #
 
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
-allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 
-allow insmod_t self:udp_socket create_socket_perms;
-allow insmod_t self:rawip_socket create_socket_perms;
+allow kmod_t self:udp_socket create_socket_perms;
+allow kmod_t self:rawip_socket create_socket_perms;
 
 # Read module config and dependency information
-list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
-list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
-read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
-
-can_exec(insmod_t, insmod_exec_t)
-
-kernel_load_module(insmod_t)
-kernel_request_load_module(insmod_t)
-kernel_read_system_state(insmod_t)
-kernel_read_network_state(insmod_t)
-kernel_write_proc_files(insmod_t)
-kernel_mount_debugfs(insmod_t)
-kernel_mount_kvmfs(insmod_t)
-kernel_read_debugfs(insmod_t)
+list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
+read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
+list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
+manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
+filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
+create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+
+can_exec(kmod_t, kmod_exec_t)
+
+kernel_load_module(kmod_t)
+kernel_request_load_module(kmod_t)
+kernel_read_system_state(kmod_t)
+kernel_read_network_state(kmod_t)
+kernel_write_proc_files(kmod_t)
+kernel_mount_debugfs(kmod_t)
+kernel_mount_kvmfs(kmod_t)
+kernel_read_debugfs(kmod_t)
 # Rules for /proc/sys/kernel/tainted
-kernel_read_kernel_sysctls(insmod_t)
-kernel_rw_kernel_sysctl(insmod_t)
-kernel_read_hotplug_sysctls(insmod_t)
-kernel_setsched(insmod_t)
+kernel_read_kernel_sysctls(kmod_t)
+kernel_rw_kernel_sysctl(kmod_t)
+kernel_read_hotplug_sysctls(kmod_t)
+kernel_setsched(kmod_t)
 # for when /var is not mounted early in the boot:
-kernel_dontaudit_search_unlabeled(insmod_t)
+kernel_dontaudit_search_unlabeled(kmod_t)
 
-corecmd_exec_bin(insmod_t)
-corecmd_exec_shell(insmod_t)
+corecmd_exec_bin(kmod_t)
+corecmd_exec_shell(kmod_t)
 
-dev_rw_sysfs(insmod_t)
-dev_search_usbfs(insmod_t)
-dev_rw_mtrr(insmod_t)
-dev_read_urand(insmod_t)
-dev_rw_agp(insmod_t)
-dev_read_sound(insmod_t)
-dev_write_sound(insmod_t)
-dev_rw_apm_bios(insmod_t)
-
-domain_signal_all_domains(insmod_t)
-domain_use_interactive_fds(insmod_t)
-
-files_read_kernel_modules(insmod_t)
-files_read_etc_runtime_files(insmod_t)
-files_read_etc_files(insmod_t)
-files_read_usr_files(insmod_t)
-files_exec_etc_files(insmod_t)
+# for /run/tmpfiles.d/kmod.conf
+files_pid_filetrans(kmod_t, kmod_var_run_t, dir)
+allow kmod_t kmod_var_run_t:dir manage_dir_perms;
+allow kmod_t kmod_var_run_t:file manage_file_perms;
+
+dev_rw_sysfs(kmod_t)
+dev_search_usbfs(kmod_t)
+dev_rw_mtrr(kmod_t)
+dev_read_urand(kmod_t)
+dev_rw_agp(kmod_t)
+dev_read_sound(kmod_t)
+dev_write_sound(kmod_t)
+dev_rw_apm_bios(kmod_t)
+
+domain_signal_all_domains(kmod_t)
+domain_use_interactive_fds(kmod_t)
+
+files_read_kernel_modules(kmod_t)
+files_read_etc_runtime_files(kmod_t)
+files_read_etc_files(kmod_t)
+files_read_usr_files(kmod_t)
+files_exec_etc_files(kmod_t)
 # for nscd:
-files_dontaudit_search_pids(insmod_t)
+files_dontaudit_search_pids(kmod_t)
 # for locking: (cjp: ????)
-files_write_kernel_modules(insmod_t)
+files_write_kernel_modules(kmod_t)
 
-fs_getattr_xattr_fs(insmod_t)
-fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+fs_getattr_xattr_fs(kmod_t)
+fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
 
-init_rw_initctl(insmod_t)
-init_use_fds(insmod_t)
-init_use_script_fds(insmod_t)
-init_use_script_ptys(insmod_t)
+init_rw_initctl(kmod_t)
+init_use_fds(kmod_t)
+init_use_script_fds(kmod_t)
+init_use_script_ptys(kmod_t)
 
-logging_send_syslog_msg(insmod_t)
-logging_search_logs(insmod_t)
+logging_send_syslog_msg(kmod_t)
+logging_search_logs(kmod_t)
 
-miscfiles_read_localization(insmod_t)
+miscfiles_read_localization(kmod_t)
 
-seutil_read_file_contexts(insmod_t)
+seutil_read_file_contexts(kmod_t)
 
-userdom_use_user_terminals(insmod_t)
+userdom_use_user_terminals(kmod_t)
 
-userdom_dontaudit_search_user_home_dirs(insmod_t)
+userdom_dontaudit_search_user_home_dirs(kmod_t)
 
-kernel_domtrans_to(insmod_t, insmod_exec_t)
+kernel_domtrans_to(kmod_t, kmod_exec_t)
 
 ifdef(`init_systemd',`
-	kernel_search_key(insmod_t)
+	kernel_search_key(kmod_t)
 
-	init_rw_stream_sockets(insmod_t)
+	init_rw_stream_sockets(kmod_t)
 
-	systemd_write_kmod_files(insmod_t)
+	systemd_write_kmod_files(kmod_t)
 ')
 
 optional_policy(`
-	alsa_domtrans(insmod_t)
+	alsa_domtrans(kmod_t)
 ')
 
 optional_policy(`
-	firstboot_dontaudit_rw_pipes(insmod_t)
-	firstboot_dontaudit_rw_stream_sockets(insmod_t)
+	firstboot_dontaudit_rw_pipes(kmod_t)
+	firstboot_dontaudit_rw_stream_sockets(kmod_t)
 ')
 
 optional_policy(`
-	hal_write_log(insmod_t)
+	hal_write_log(kmod_t)
 ')
 
 optional_policy(`
-	hotplug_search_config(insmod_t)
+	hotplug_search_config(kmod_t)
 ')
 
 optional_policy(`
-	mount_domtrans(insmod_t)
+	mount_domtrans(kmod_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(insmod_t)
+	nis_use_ypbind(kmod_t)
 ')
 
 optional_policy(`
-	nscd_use(insmod_t)
+	nscd_use(kmod_t)
 ')
 
 optional_policy(`
-	fs_manage_ramfs_files(insmod_t)
+	fs_manage_ramfs_files(kmod_t)
 
-	rhgb_use_fds(insmod_t)
-	rhgb_dontaudit_use_ptys(insmod_t)
+	rhgb_use_fds(kmod_t)
+	rhgb_dontaudit_use_ptys(kmod_t)
 
-	xserver_dontaudit_write_log(insmod_t)
-	xserver_stream_connect(insmod_t)
-	xserver_dontaudit_rw_stream_sockets(insmod_t)
+	xserver_dontaudit_write_log(kmod_t)
+	xserver_stream_connect(kmod_t)
+	xserver_dontaudit_rw_stream_sockets(kmod_t)
 
 	ifdef(`hide_broken_symptoms',`
-		xserver_dontaudit_rw_tcp_sockets(insmod_t)
+		xserver_dontaudit_rw_tcp_sockets(kmod_t)
 	')
 ')
 
 optional_policy(`
-	rpm_rw_pipes(insmod_t)
+	rpm_rw_pipes(kmod_t)
 ')
 
 optional_policy(`
-	unconfined_domain(insmod_t)
-	unconfined_dontaudit_rw_pipes(insmod_t)
+	unconfined_domain(kmod_t)
+	unconfined_dontaudit_rw_pipes(kmod_t)
+	unconfined_domtrans_to(kmod_t, kmod_exec_t)
 ')
 
 optional_policy(`
 	# cjp: why is this needed:
-	dev_rw_xserver_misc(insmod_t)
+	dev_rw_xserver_misc(kmod_t)
 
-	xserver_getattr_log(insmod_t)
+	xserver_getattr_log(kmod_t)
 ')
 
-#################################
-#
-# update-modules local policy
-#
-
-allow update_modules_t self:fifo_file rw_fifo_file_perms;
-
-allow update_modules_t modules_dep_t:file rw_file_perms;
-
-can_exec(update_modules_t, insmod_exec_t)
-can_exec(update_modules_t, update_modules_exec_t)
-
-# manage module loading configuration
-manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
-files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
-files_etc_filetrans(update_modules_t, modules_conf_t, file)
-
-# transition to depmod
-domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-allow update_modules_t depmod_t:fd use;
-allow depmod_t update_modules_t:fd use;
-allow depmod_t update_modules_t:fifo_file rw_file_perms;
-allow depmod_t update_modules_t:process sigchld;
-
-manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
-manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
-files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(update_modules_t)
-kernel_read_system_state(update_modules_t)
-
-corecmd_exec_bin(update_modules_t)
-corecmd_exec_shell(update_modules_t)
-
-dev_read_urand(update_modules_t)
-
-domain_use_interactive_fds(update_modules_t)
-
-files_read_etc_runtime_files(update_modules_t)
-files_read_etc_files(update_modules_t)
-files_exec_etc_files(update_modules_t)
-
-fs_getattr_xattr_fs(update_modules_t)
-
-term_use_console(update_modules_t)
-
-init_use_fds(update_modules_t)
-init_use_script_fds(update_modules_t)
-init_use_script_ptys(update_modules_t)
-
-logging_send_syslog_msg(update_modules_t)
-
-miscfiles_read_localization(update_modules_t)
-
-modutils_run_insmod(update_modules_t, update_modules_roles)
-
-userdom_use_user_terminals(update_modules_t)
-userdom_dontaudit_search_user_home_dirs(update_modules_t)
-
-ifdef(`distro_gentoo',`
-	kernel_list_unlabeled(update_modules_t) # /var
-
-	files_search_pids(update_modules_t)
-	files_getattr_usr_src_files(update_modules_t)
-
-	# update-modules on Gentoo throws errors when run because it
-	# sources /etc/init.d/functions.sh, which always scans
-	# /var/lib/init.d to set SOFTLEVEL environment var.
-	# This is never used by update-modules.
-	files_dontaudit_search_var_lib(update_modules_t)
-	init_dontaudit_read_script_status_files(update_modules_t)
-
-	optional_policy(`
-		consoletype_exec(update_modules_t)
-	')
-')
-
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(update_modules_t)
-	')
-')
Index: refpolicy-2.20160928/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20160928/policy/modules/kernel/kernel.te
@@ -278,6 +278,9 @@ selinux_load_policy(kernel_t)
 
 term_use_console(kernel_t)
 
+# for kdevtmpfs
+term_setattr_unlink_unallocated_ttys(kernel_t)
+
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
Index: refpolicy-2.20160928/policy/modules/kernel/terminal.if
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/kernel/terminal.if
+++ refpolicy-2.20160928/policy/modules/kernel/terminal.if
@@ -1121,6 +1121,26 @@ interface(`term_getattr_unallocated_ttys
 
 ########################################
 ## <summary>
+##	Setattr and unlink unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_unlink_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr setattr unlink };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of all unallocated tty device nodes.
 ## </summary>
Index: refpolicy-2.20160928/policy/modules/system/modutils.fc
===================================================================
--- refpolicy-2.20160928.orig/policy/modules/system/modutils.fc
+++ refpolicy-2.20160928/policy/modules/system/modutils.fc
@@ -1,4 +1,4 @@
-/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
+/bin/kmod		--	gen_context(system_u:object_r:kmod_exec_t,s0)
 
 /etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 /etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
@@ -14,12 +14,13 @@ ifdef(`distro_gentoo',`
 
 /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
 
-/sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
-/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-/sbin/insmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/modprobe.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/modules-update	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
-/sbin/rmmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
+/sbin/depmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/insmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/modprobe.*	--	gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/modules-update	--	gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/rmmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/update-modules	--	gen_context(system_u:object_r:kmod_exec_t,s0)
 
-/usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
+/usr/bin/kmod		--	gen_context(system_u:object_r:kmod_exec_t,s0)
+/var/run/tmpfiles.d(/.*)?	gen_context(system_u:object_r:kmod_var_run_t,s0)

[refpolicy] [PATCH] single binary modutils

[Chris PeBenito]

On 10/21/16 04:35, Russell Coker wrote:
> On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
>> On 07/31/16 08:34, Russell Coker wrote:
>>> The following patch deals with a single binary for modutils, so depmod_t,
>>> and insmod_t are merged.
>>
>> Since the main SELinux distros (including RHEL/CentOS 7) all have merged
>> modutils these days, I'm open to taking a patch that fully merges these
>> domains (in which case renaming to kmod_t, with proper aliasing seems
>> the best idea).
>>
>> However, it's been some time since I used a busybox-based system; does
>> busybox still have separated tools?  Yes, this is a bit of an obvious
>> question since busybox is also single-binary, but IIRC, the embedded
>> guys made some tiny helper scripts or executables so proper
>> transitioning could occur.  Separate domains may still make sense.
>
> As we have had no response from Busybox users in the last 3 months and also no
> response to the thread Luis started in 2013 I think it's safe to assume that
> they don't need this.
>
> I've attached a new patch which renames to kmod_t as you suggested.  Please
> consider it for inclusion.
>
> Description: Change modutils policy to match the use of a single binary
> Author: Russell Coker <russell@coker.com.au>
> Last-Update: 2014-06-25
>
> Index: refpolicy-2.20160928/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20160928/policy/modules/system/modutils.te
> @@ -5,18 +5,15 @@ policy_module(modutils, 1.16.0)
>  # Declarations
>  #
>
> -attribute_role update_modules_roles;
> +type kmod_t;
> +typealias kmod_t alias { insmod_t depmod_t update_modules_t };

Nitpicky, but I'd prefer to have the aliases on the type declaration 
line here (and below)

> -type depmod_t;
> -type depmod_exec_t;
> -init_system_domain(depmod_t, depmod_exec_t)
> -role system_r types depmod_t;
> -
> -type insmod_t;
> -type insmod_exec_t;
> -application_domain(insmod_t, insmod_exec_t)
> -mls_file_write_all_levels(insmod_t)
> -role system_r types insmod_t;
> +type kmod_exec_t;
> +typealias kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
> +
> +application_domain(kmod_t, kmod_exec_t)
> +mls_file_write_all_levels(kmod_t)
> +role system_r types kmod_t;
>
>  # module loading config
>  type modules_conf_t;
> @@ -26,306 +23,164 @@ files_type(modules_conf_t)
>  type modules_dep_t;
>  files_type(modules_dep_t)
>
> -type update_modules_t;
> -type update_modules_exec_t;
> -init_system_domain(update_modules_t, update_modules_exec_t)

It looks like the init_system_domain() was lost.

> -roleattribute system_r update_modules_roles;
> -role update_modules_roles types update_modules_t;

This removal appears to break modutils_run_update_mods() at least.


> -type update_modules_tmp_t;
> -files_tmp_file(update_modules_tmp_t)
> -
> -########################################
> -#
> -# depmod local policy
> -#
> -
> -can_exec(depmod_t, depmod_exec_t)
> -
> -# Read conf.modules.
> -read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
> -
> -allow depmod_t modules_dep_t:file manage_file_perms;
> -files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
> -
> -kernel_read_system_state(depmod_t)
> -
> -corecmd_search_bin(depmod_t)
> -
> -domain_use_interactive_fds(depmod_t)
> -
> -files_read_kernel_symbol_table(depmod_t)
> -files_read_kernel_modules(depmod_t)
> -files_read_etc_runtime_files(depmod_t)
> -files_read_etc_files(depmod_t)
> -files_read_usr_src_files(depmod_t)
> -files_list_usr(depmod_t)
> -
> -fs_getattr_xattr_fs(depmod_t)
> -
> -term_use_console(depmod_t)
> -
> -init_use_fds(depmod_t)
> -init_use_script_fds(depmod_t)
> -init_use_script_ptys(depmod_t)
> -
> -userdom_use_user_terminals(depmod_t)
> -# Read System.map from home directories.
> -files_list_home(depmod_t)
> -userdom_read_user_home_content_files(depmod_t)
> -
> -ifdef(`distro_ubuntu',`
> -	optional_policy(`
> -		unconfined_domain(depmod_t)
> -	')
> -')
> -
> -tunable_policy(`use_nfs_home_dirs',`
> -	fs_read_nfs_files(depmod_t)
> -')
> -
> -tunable_policy(`use_samba_home_dirs',`
> -	fs_read_cifs_files(depmod_t)
> -')
> -
> -optional_policy(`
> -	rpm_rw_pipes(depmod_t)
> -	rpm_manage_script_tmp_files(depmod_t)
> -')
> -
> -optional_policy(`
> -	# Read System.map from home directories.
> -	unconfined_domain(depmod_t)
> -')
> +type kmod_var_run_t;
> +files_pid_file(kmod_var_run_t)

Please move these above the modules_*_t declarations.


>  ########################################
>  #
>  # insmod local policy
>  #
>
> -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> -allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
> +allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> +allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
>
> -allow insmod_t self:udp_socket create_socket_perms;
> -allow insmod_t self:rawip_socket create_socket_perms;
> +allow kmod_t self:udp_socket create_socket_perms;
> +allow kmod_t self:rawip_socket create_socket_perms;
>
>  # Read module config and dependency information
> -list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
> -read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
> -list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
> -read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
> -
> -can_exec(insmod_t, insmod_exec_t)
> -
> -kernel_load_module(insmod_t)
> -kernel_request_load_module(insmod_t)
> -kernel_read_system_state(insmod_t)
> -kernel_read_network_state(insmod_t)
> -kernel_write_proc_files(insmod_t)
> -kernel_mount_debugfs(insmod_t)
> -kernel_mount_kvmfs(insmod_t)
> -kernel_read_debugfs(insmod_t)
> +list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
> +read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
> +list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
> +create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +
> +can_exec(kmod_t, kmod_exec_t)
> +
> +kernel_load_module(kmod_t)
> +kernel_request_load_module(kmod_t)
> +kernel_read_system_state(kmod_t)
> +kernel_read_network_state(kmod_t)
> +kernel_write_proc_files(kmod_t)
> +kernel_mount_debugfs(kmod_t)
> +kernel_mount_kvmfs(kmod_t)
> +kernel_read_debugfs(kmod_t)
>  # Rules for /proc/sys/kernel/tainted
> -kernel_read_kernel_sysctls(insmod_t)
> -kernel_rw_kernel_sysctl(insmod_t)
> -kernel_read_hotplug_sysctls(insmod_t)
> -kernel_setsched(insmod_t)
> +kernel_read_kernel_sysctls(kmod_t)
> +kernel_rw_kernel_sysctl(kmod_t)
> +kernel_read_hotplug_sysctls(kmod_t)
> +kernel_setsched(kmod_t)
>  # for when /var is not mounted early in the boot:
> -kernel_dontaudit_search_unlabeled(insmod_t)
> +kernel_dontaudit_search_unlabeled(kmod_t)
>
> -corecmd_exec_bin(insmod_t)
> -corecmd_exec_shell(insmod_t)
> +corecmd_exec_bin(kmod_t)
> +corecmd_exec_shell(kmod_t)
>
> -dev_rw_sysfs(insmod_t)
> -dev_search_usbfs(insmod_t)
> -dev_rw_mtrr(insmod_t)
> -dev_read_urand(insmod_t)
> -dev_rw_agp(insmod_t)
> -dev_read_sound(insmod_t)
> -dev_write_sound(insmod_t)
> -dev_rw_apm_bios(insmod_t)
> -
> -domain_signal_all_domains(insmod_t)
> -domain_use_interactive_fds(insmod_t)
> -
> -files_read_kernel_modules(insmod_t)
> -files_read_etc_runtime_files(insmod_t)
> -files_read_etc_files(insmod_t)
> -files_read_usr_files(insmod_t)
> -files_exec_etc_files(insmod_t)
> +# for /run/tmpfiles.d/kmod.conf
> +files_pid_filetrans(kmod_t, kmod_var_run_t, dir)
> +allow kmod_t kmod_var_run_t:dir manage_dir_perms;
> +allow kmod_t kmod_var_run_t:file manage_file_perms;

Please move these three kmod_var_run_t lines above the modules_conf_t 
group of lines (line 35 from what I see).

[...]

>  # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
> Index: refpolicy-2.20160928/policy/modules/kernel/terminal.if
> ===================================================================
> --- refpolicy-2.20160928.orig/policy/modules/kernel/terminal.if
> +++ refpolicy-2.20160928/policy/modules/kernel/terminal.if
> @@ -1121,6 +1121,26 @@ interface(`term_getattr_unallocated_ttys
>
>  ########################################
>  ## <summary>
> +##	Setattr and unlink unallocated tty device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`term_setattr_unlink_unallocated_ttys',`

There already are term_(get|set)attr_unallocated_ttys, so I'd prefer to 
add a delete one for the unlink perm.


> +	gen_require(`
> +		type tty_device_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 tty_device_t:chr_file { getattr setattr unlink };
> +')
> +


-- 
Chris PeBenito