* [refpolicy] [PATCH v2] init: run sysvinit without the dangerous unconfined_domain() call
@ 2016-12-27 22:56 Guido Trentalancia
From: Guido Trentalancia @ 2016-12-27 22:56 UTC (permalink / raw)
To: refpolicy
The aim of this patch is to start confining the init module, so that
init_t can run as a confined domain instead of as an unconfined one,
which is the least safe configuration.
At the moment it has been fully tested only with sysvinit.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 11 +++++++----
3 files changed, 43 insertions(+), 4 deletions(-)
diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
+++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
@@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
########################################
## <summary>
+## Mount a sysfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
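Review bot: The interface description should state what `mount` alone does not cover, because the new `dev_mount_sysfs` grants only `sysfs_t:filesystem mount` and a reader may assume it is a complete "mount sysfs" permission. The caller still needs mountpoint access on the target directory (the patch pairs it with `dev_mounton_sysfs`, defined just above this hunk), and unmount and remount stay denied. I would extend the summary to `## Mount a sysfs filesystem. Only the mount permission is granted; the caller also needs mountpoint access on the target (e.g. dev_mounton_sysfs()), and unmount/remount are not included.` The rest of the interface follows the conventions of its neighbours.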
diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
--- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
+++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
@@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
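Review bot: The new `kernel_mount_proc` is inserted directly before the existing `kernel_unmount_proc`, but its summary does not mention that it grants only `proc_t:filesystem mount` and that unmount is a separate interface; since the two now sit side by side, cross-referencing avoids callers assuming one implies the other. I would change the summary to `## Mount the proc filesystem. Only the mount permission is granted; use kernel_unmount_proc() for unmount and kernel_mounton_proc_dirs() for the mount point.` Placement between `kernel_mount_kvmfs` and `kernel_unmount_proc` keeps the file's ordering.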
diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
--- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
+++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
@@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+kernel_mounton_proc_dirs(init_t)
+kernel_mount_proc(init_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_dontaudit_search_unlabeled(init_t)
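Review bot: The two added calls are out of order for this group: the surrounding `kernel_*` calls list the allow-type interfaces alphabetically before the `dontaudit` one, and `kernel_mount_proc` sorts before `kernel_mounton_proc_dirs`, so the pair should be `kernel_mount_proc(init_t)` followed by `kernel_mounton_proc_dirs(init_t)`. More importantly, the commit message does not say which denial from init_t itself motivates mounting /proc; on sysvinit systems /proc is normally mounted by the rc scripts, which run in initrc_t rather than init_t, so this may be granting init_t a mount it never performs. Please cite the AVC denial (or the init code path) in the description, or add a one-line comment above the pair such as `# mount /proc early, before the rc scripts run`, so the rule can be revisited when init changes.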
@@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
+dev_mounton_sysfs(init_t)
+dev_mount_sysfs(init_t)
dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
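Review bot: Same ordering nit as for the proc rules: `dev_mount_sysfs` sorts before `dev_mounton_sysfs`, so the pair should read `dev_mount_sysfs(init_t)` then `dev_mounton_sysfs(init_t)` ahead of `dev_read_sysfs(init_t)`. As with /proc, the description gives no denial showing that init_t, rather than initrc_t, mounts /sys under sysvinit; if this is a denial observed on the tested system, a short comment naming the trigger above the two lines would let later reviewers tell required access from speculative access.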
@@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
+fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
mls_process_write_all_levels(init_t)
mls_fd_use_all_levels(init_t)
+selinux_load_policy(init_t)
+selinux_mount_fs(init_t)
selinux_set_all_booleans(init_t)
term_use_all_terms(init_t)
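Review bot: `selinux_load_policy(init_t)` undermines the confinement this patch is meant to introduce: a domain that may load policy can replace the policy with a permissive one, so with this line init_t is not meaningfully confined regardless of the `unconfined_domain()` removal later in the patch. The same applies, to a lesser degree, to `selinux_mount_fs(init_t)`, which is only useful together with policy loading. If a real boot-time need exists it should be documented with a comment naming the code path, e.g. `# TODO(review): initial policy load only; drop once handled by the initramfs`, and the description's claim that init_t "can run in confined mode" should be qualified accordingly.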
@@ -345,10 +367,6 @@ optional_policy(`
sssd_stream_connect(init_t)
')
-optional_policy(`
- unconfined_domain(init_t)
-')
-
########################################
#
# Init script local policy
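Review bot: This hunk's header does not match the rest of the diff: the earlier init.te hunks add a net 7 lines before this point, yet `@@ -345,10 +367,6 @@` records a shift of 22, which indicates the patch was generated from a tree carrying other local changes and may only apply with fuzz against a clean refpolicy checkout; please regenerate it from an unmodified tree. Separately, the removal is unconditional even though the description says only sysvinit has been tested; if this tree provides the `init_systemd` build option, wrapping the removal as `ifndef(`init_systemd',` ... `')` (or leaving the `optional_policy` block under that ifdef) would avoid breaking systemd boots until equivalent rules exist for them.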
* [refpolicy] [PATCH v2] init: run sysvinit without the dangerous unconfined_domain() call
From: Chris PeBenito @ 2016-12-28 19:02 UTC (permalink / raw)
To: refpolicy
On 12/27/16 17:56, Guido Trentalancia via refpolicy wrote:
> The aim of this patch is to start securing the init module so
> that it can run in confined mode instead of in the most unsafe
> unconfined mode.
>
> At the moment it has been fully tested only with sysvinit.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
> policy/modules/system/init.te | 11 +++++++----
> 3 files changed, 43 insertions(+), 4 deletions(-)
>
> diff -pru a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> --- a/policy/modules/kernel/devices.if 2016-12-27 22:41:00.650390161 +0100
> +++ b/policy/modules/kernel/devices.if 2016-12-27 22:50:19.301315139 +0100
> @@ -3953,6 +3953,24 @@ interface(`dev_mounton_sysfs',`
>
> ########################################
> ## <summary>
> +## Mount a sysfs filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Associate a file to a sysfs filesystem.
> ## </summary>
> ## <param name="file_type">
> diff -pru a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> --- a/policy/modules/kernel/kernel.if 2016-12-27 22:41:00.652390190 +0100
> +++ b/policy/modules/kernel/kernel.if 2016-12-27 22:51:01.009904157 +0100
> @@ -828,6 +828,24 @@ interface(`kernel_mount_kvmfs',`
>
> ########################################
> ## <summary>
> +## Mount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Unmount the proc filesystem.
> ## </summary>
> ## <param name="domain">
> diff -pru a/policy/modules/system/init.te b/policy/modules/system/init.te
> --- a/policy/modules/system/init.te 2016-12-22 23:12:47.784929729 +0100
> +++ b/policy/modules/system/init.te 2016-12-27 23:05:37.731451479 +0100
> @@ -134,6 +134,8 @@ dev_filetrans(init_t, initctl_t, fifo_fi
> # Modify utmp.
> allow init_t initrc_var_run_t:file { rw_file_perms setattr };
>
> +kernel_mounton_proc_dirs(init_t)
> +kernel_mount_proc(init_t)
> kernel_read_system_state(init_t)
> kernel_share_state(init_t)
> kernel_dontaudit_search_unlabeled(init_t)
> @@ -141,6 +143,8 @@ kernel_dontaudit_search_unlabeled(init_t
> corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> +dev_mounton_sysfs(init_t)
> +dev_mount_sysfs(init_t)
> dev_read_sysfs(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
> @@ -162,6 +166,7 @@ files_exec_etc_files(init_t)
> files_dontaudit_rw_root_files(init_t)
> files_dontaudit_rw_root_chr_files(init_t)
>
> +fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
> @@ -174,6 +179,8 @@ mls_file_write_all_levels(init_t)
> mls_process_write_all_levels(init_t)
> mls_fd_use_all_levels(init_t)
>
> +selinux_load_policy(init_t)
> +selinux_mount_fs(init_t)
> selinux_set_all_booleans(init_t)
Sysvinit shouldn't need this access since it only loads the policy if it
hasn't been loaded yet. I still run sysvinit systems and don't have
these rules.
> @@ -345,10 +367,6 @@ optional_policy(`
> sssd_stream_connect(init_t)
> ')
>
> -optional_policy(`
> - unconfined_domain(init_t)
> -')
> -
Don't remove this.
--
Chris PeBenito