[refpolicy] [PATCH v2] init: run sysvinit without the dangerous unconfined_domain() call

* [refpolicy] [PATCH v2] init: run sysvinit without the dangerous unconfined_domain() call
@ 2016-12-27 22:56 Guido Trentalancia
  2016-12-28 19:02 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Guido Trentalancia @ 2016-12-27 22:56 UTC (permalink / raw)
  To: refpolicy

The aim of this patch is to start securing the init module so
that it can run in confined mode instead of in the most unsafe
unconfined mode.

At the moment it has been fully tested only with sysvinit.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/devices.if |   18 ++++++++++++++++++
 policy/modules/kernel/kernel.if  |   18 ++++++++++++++++++
 policy/modules/system/init.te    |   11 +++++++----
 3 files changed, 43 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if

--- a/policy/modules/kernel/devices.if	2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if	2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
 
 ########################################
 ## <summary>
+##	Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if	2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if	2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
 
 ########################################
 ## <summary>
+##	Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
 ##	Unmount the proc filesystem.
 ## </summary>
 ## <param name="domain">
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te	2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te	2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
 dev_read_sysfs(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
 selinux_set_all_booleans(init_t)
 
 term_use_all_terms(init_t)
@@ -345,10 +367,6 @@ optional_policy(`
 	sssd_stream_connect(init_t)
 ')
 
-optional_policy(`
-	unconfined_domain(init_t)
-')
-
 ########################################
 #
 # Init script local policy

^ permalink raw reply	[flat|nested] 2+ messages in thread