* [refpolicy]  [PATCH] strict mode policy
@ 2016-08-03  6:38 Russell Coker
  2016-08-06 21:14 ` Chris PeBenito
From: Russell Coker @ 2016-08-03  6:38 UTC (permalink / raw)
  To: refpolicy

The following patch contains the changes that I needed to get a Debian system
running correctly in a "strict" configuration, i.e. the unconfined module is not
loaded.



diff -ru /home/rjc/src/pol-git/policy/modules/admin/usermanage.te ./policy/modules/admin/usermanage.te
--- /home/rjc/src/pol-git/policy/modules/admin/usermanage.te	2016-07-28 20:33:39.959961616 +1000
+++ ./policy/modules/admin/usermanage.te	2016-08-03 16:11:44.366831728 +1000
@@ -189,7 +189,7 @@
 # Groupadd local policy
 #
 
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { dac_override fsetid chown kill setuid sys_resource audit_write };
 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
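Review bot: The fsetid capability added to the allow line is still listed in the dontaudit rule directly below it, `dontaudit groupadd_t self:capability { fsetid sys_tty_config };`, so the same permission is now both granted and dontaudited. The dontaudit should shrink to `dontaudit groupadd_t self:capability sys_tty_config;` so the grant is not hidden behind a suppression rule. A short comment naming the groupadd operation that needed fsetid would also help, since the commit message does not say.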
diff -ru /home/rjc/src/pol-git/policy/modules/contrib/apt.te ./policy/modules/contrib/apt.te
--- /home/rjc/src/pol-git/policy/modules/contrib/apt.te	2016-07-30 08:14:41.073649232 +1000
+++ ./policy/modules/contrib/apt.te	2016-08-03 16:11:44.362831615 +1000
@@ -69,6 +69,7 @@
 fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
 manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
 files_var_filetrans(apt_t, apt_var_cache_t, dir)
 
 manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
@@ -76,6 +77,7 @@
 
 allow apt_t apt_var_log_t:file manage_file_perms;
 logging_log_filetrans(apt_t, apt_var_log_t, file)
+allow apt_t apt_var_log_t:dir list_dir_perms;
 
 can_exec(apt_t, apt_exec_t)
 
diff -ru /home/rjc/src/pol-git/policy/modules/contrib/cron.te ./policy/modules/contrib/cron.te
--- /home/rjc/src/pol-git/policy/modules/contrib/cron.te	2016-07-30 08:14:41.089649654 +1000
+++ ./policy/modules/contrib/cron.te	2016-08-03 16:11:44.362831615 +1000
@@ -709,6 +709,7 @@
 type unconfined_cronjob_t;
 domain_type(unconfined_cronjob_t)
 domain_cron_exemption_target(unconfined_cronjob_t)
+role system_r types unconfined_cronjob_t;
 
 dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
 
diff -ru /home/rjc/src/pol-git/policy/modules/contrib/dpkg.te ./policy/modules/contrib/dpkg.te
--- /home/rjc/src/pol-git/policy/modules/contrib/dpkg.te	2016-07-30 08:14:41.097649866 +1000
+++ ./policy/modules/contrib/dpkg.te	2016-08-03 16:16:31.978933663 +1000
@@ -69,6 +69,7 @@
 manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
 manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
 files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+can_exec(dpkg_t, dpkg_tmp_t)
 
 manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
 manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
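Review bot: `can_exec(dpkg_t, dpkg_tmp_t)` lets dpkg_t execute files in a type it can also create and write (the manage_files_pattern on the line above), which widens the domain more than the other additions to this file, and unlike the `kernel_request_load_module` addition in the next hunk it carries no why-comment. A comment such as `# dpkg executes helpers it unpacks into dpkg_tmp_t — TODO confirm which step` would let a reader judge whether the grant is still required later. If only a specific helper needs to run, a dedicated type with a filetrans would keep the rest of the tmp content non-executable.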
@@ -84,6 +85,9 @@
 kernel_read_system_state(dpkg_t)
 kernel_read_kernel_sysctls(dpkg_t)
 
+# for dpkg-preconfigure
+kernel_request_load_module(dpkg_t)
+
 corecmd_exec_all_executables(dpkg_t)
 
 corenet_all_recvfrom_unlabeled(dpkg_t)
@@ -202,8 +206,8 @@
 # Script Local policy
 #
 
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid net_admin ipc_lock sys_ptrace sys_chroot sys_nice mknod audit_write setfcap };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
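Review bot: The capability line now adds net_admin, sys_ptrace, audit_write and setfcap to dpkg_script_t in one go, and the process rule drops setfscreate from the exclusion set, with no comment naming which maintainer script needed each; net_admin and sys_ptrace in particular go well beyond package file management. The convention this file already follows (`# for dpkg-preconfigure` in the previous hunk) of one why-comment per grant would help, e.g. `# net_admin/sys_ptrace: needed by <package> postinst — TODO name it`. audit_write pairs with the netlink_audit_socket rule added in the next hunk, so `logging_send_audit_msgs(dpkg_script_t)` would express both in one interface call and keep the two rules from drifting apart; the udp_socket grant in that hunk is likewise uncommented.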
@@ -214,6 +218,8 @@
 allow dpkg_script_t self:sem create_sem_perms;
 allow dpkg_script_t self:msgq create_msgq_perms;
 allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;
 
 allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
 
@@ -228,8 +234,11 @@
 allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
 fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+usermanage_domtrans_passwd(dpkg_script_t)
+
 kernel_read_kernel_sysctls(dpkg_script_t)
 kernel_read_system_state(dpkg_script_t)
+auth_manage_shadow(dpkg_script_t)
 
 corecmd_exec_all_executables(dpkg_script_t)
 
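Review bot: `auth_manage_shadow(dpkg_script_t)` grants direct write access to the shadow file, while `usermanage_domtrans_passwd(dpkg_script_t)` added a few lines earlier already routes password changes through passwd_t; with the domain transition in place the direct grant should only be needed by a script that edits shadow without going through passwd, and the commit does not say which one. If such a script exists, a comment naming it (`# <package> postinst edits /etc/shadow directly — TODO confirm`) should sit above the call; otherwise the domtrans alone is the least-privilege option. Because maintainer scripts are arbitrary code, this widening applies to everything dpkg runs, and the removal of `auth_dontaudit_getattr_shadow` in the next hunk is a consequence of it.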
@@ -267,13 +276,13 @@
 selinux_compute_create_context(dpkg_script_t)
 selinux_compute_relabel_context(dpkg_script_t)
 selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)
 
 storage_raw_read_fixed_disk(dpkg_script_t)
 storage_raw_write_fixed_disk(dpkg_script_t)
 
 term_use_all_terms(dpkg_script_t)
 
-auth_dontaudit_getattr_shadow(dpkg_script_t)
 files_manage_non_auth_files(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
diff -ru /home/rjc/src/pol-git/policy/modules/contrib/gnome.if ./policy/modules/contrib/gnome.if
--- /home/rjc/src/pol-git/policy/modules/contrib/gnome.if	2016-07-30 08:14:41.105650077 +1000
+++ ./policy/modules/contrib/gnome.if	2016-08-03 16:11:44.362831615 +1000
@@ -76,6 +76,8 @@
 
 	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+	allow $3 gconfd_t:dbus send_msg;
+	allow gconfd_t $3:dbus send_msg;
 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
 
diff -ru /home/rjc/src/pol-git/policy/modules/contrib/mta.if ./policy/modules/contrib/mta.if
--- /home/rjc/src/pol-git/policy/modules/contrib/mta.if	2016-07-30 08:14:41.121650499 +1000
+++ ./policy/modules/contrib/mta.if	2016-08-03 16:11:44.358831503 +1000
@@ -121,6 +121,23 @@
 
 ########################################
 ## <summary>
+##	Enable system_mail_t to run in the specified role
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`system_mail_role',`
+	gen_require(`
+		type system_mail_t;
+	')
+	role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
 ##	Make the specified domain usable for a mail server.
 ## </summary>
 ## <param name="type">
diff -ru /home/rjc/src/pol-git/policy/modules/kernel/corecommands.fc ./policy/modules/kernel/corecommands.fc
--- /home/rjc/src/pol-git/policy/modules/kernel/corecommands.fc	2016-07-28 20:33:39.959961616 +1000
+++ ./policy/modules/kernel/corecommands.fc	2016-08-03 16:11:44.366831728 +1000
@@ -335,6 +335,7 @@
 /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/bug/.*		--	gen_context(system_u:object_r:bin_t,s0)
 ')
 
 ifdef(`distro_gentoo', `
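Review bot: The pattern `/usr/share/bug/.*` labels every regular file under that tree as bin_t, including the non-script `presubj` and `control` entries that Debian's reportbug layout places next to the per-package bug scripts, so plain data files become executable-labelled. If only the scripts need to run, a narrower expression such as `/usr/share/bug/[^/]+/script -- ...` (plus `/usr/share/bug/[^/]+` for packages that ship a single script file) would limit bin_t to what actually executes; the exact layout should be confirmed against the packages that triggered the denial. The enclosing `ifdef` block that the `')` in the context closes starts outside the hunk.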
diff -ru /home/rjc/src/pol-git/policy/modules/kernel/devices.if ./policy/modules/kernel/devices.if
--- /home/rjc/src/pol-git/policy/modules/kernel/devices.if	2016-07-28 20:33:39.959961616 +1000
+++ ./policy/modules/kernel/devices.if	2016-08-03 16:11:44.366831728 +1000
@@ -5046,3 +5046,21 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+########################################
+## <summary>
+##      Create subdir of /dev
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_create_subdir',`
+        gen_require(`
+                type device_t;
+        ')
+       allow $1 device_t:dir { add_entry_dir_perms create };
+       allow $1 device_t:dir search_dir_perms;
+')
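Review bot: The new interface body is indented with spaces (eight inside `gen_require`, seven on the two `allow` lines) while devices.if, including the `typeattribute` line in this hunk's context, uses tabs, and the summary block uses spaces after `##` where the file's other interfaces use a tab. The two `allow` rules target the same type and class and can be one line, `allow $1 device_t:dir { add_entry_dir_perms create search_dir_perms };`, which also makes it obvious at a glance that create on device_t:dir is being granted.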
diff -ru /home/rjc/src/pol-git/policy/modules/kernel/files.if ./policy/modules/kernel/files.if
--- /home/rjc/src/pol-git/policy/modules/kernel/files.if	2016-07-28 20:33:39.963961720 +1000
+++ ./policy/modules/kernel/files.if	2016-08-03 16:11:44.366831728 +1000
@@ -3194,6 +3194,26 @@
 
 ########################################
 ## <summary>
+##	Relabel files and dirs to etc_runtime_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabelto_etc_runtime',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	allow $1 etc_runtime_t:file relabelto;
+	allow $1 etc_runtime_t:dir relabelto;
+')
+
+########################################
+## <summary>
 ##	Create, etc runtime objects with an automatic
 ##	type transition.
 ## </summary>
@@ -6095,6 +6115,24 @@
 ')
 
 ########################################
+## <summary>
+##	Create a /var/run directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_pid_dir',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	allow $1 var_run_t:dir create_dir_perms;
+')
+
+########################################
 ## <summary>
 ##	Search the contents of runtime process
 ##	ID directories (/var/run).
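Review bot: `allow $1 var_run_t:dir create_dir_perms;` covers creating the new directory but, as far as I recall create_dir_perms, not adding its name to the parent var_run_t directory, so a caller that does not already hold add_name on var_run_t will still be denied at the parent (initrc_t receives this interface in init.te). `create_dirs_pattern($1, var_run_t, var_run_t)` is the refpolicy shape for this — add_entry_dir_perms on the parent plus create on the child, the same two-rule layout `create_chr_files_pattern` shows at the end of this patch — and it keeps the interface self-contained.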
diff -ru /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if ./policy/modules/kernel/filesystem.if
--- /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if	2016-07-28 20:33:39.963961720 +1000
+++ ./policy/modules/kernel/filesystem.if	2016-08-03 16:19:16.127550295 +1000
@@ -767,6 +767,42 @@
 
 ########################################
 ## <summary>
+##     Relabel pstore directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_relabel_pstore_dirs',`
+	gen_require(`
+		type pstore_t;
+	')
+
+	relabel_dirs_pattern($1, pstore_t, pstore_t)
+')
+
+########################################
+## <summary>
+##      Get the attributes of a pstore filesystem.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`getattr_pstorefs',`
+	gen_require(`
+		type pstore_t;
+	')
+
+allow $1 pstore_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##	Relabel cgroup directories.
 ## </summary>
 ## <param name="domain">
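Review bot: `getattr_pstorefs` is the only interface in this hunk (and, as far as the context shows, in this file) without the `fs_` module prefix, and its rule `allow $1 pstore_t:filesystem getattr;` sits at column 0 instead of the tab indent used by `fs_relabel_pstore_dirs` directly above it. Renaming it `fs_getattr_pstorefs` would match the file's convention; the two callers added in selinuxutil.te would need the same rename. The summary blocks of both new interfaces use spaces after `##` where the `## <summary>` lines in the context use a tab.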
@@ -806,6 +842,26 @@
 
 ########################################
 ## <summary>
+##     Create cgroup lnk_files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_create_cgroup_links',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
@@ -836,7 +892,6 @@
 interface(`fs_rw_cgroup_files',`
 	gen_require(`
 		type cgroup_t;
-
 	')
 
 	rw_files_pattern($1, cgroup_t, cgroup_t)
@@ -4351,6 +4406,24 @@
 ')
 
 ########################################
+## <summary>
+##	Relabelfrom tmpfs link files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
+')
+
+########################################
 ## <summary>
 ##	Read and write character nodes on tmpfs filesystems.
 ## </summary>
diff -ru /home/rjc/src/pol-git/policy/modules/kernel/kernel.te ./policy/modules/kernel/kernel.te
--- /home/rjc/src/pol-git/policy/modules/kernel/kernel.te	2016-07-28 20:33:39.963961720 +1000
+++ ./policy/modules/kernel/kernel.te	2016-08-03 16:11:44.354831390 +1000
@@ -269,6 +269,15 @@
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 
+ifdef(`distro_debian',`
+	# for systemd access to /run before transition
+	fs_search_tmpfs(kernel_t)
+	# also for systemd before transition
+	selinux_compute_create_context(kernel_t)
+	kernel_read_unlabeled_state(kernel_t)
+')
+
+
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
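Review bot: The three rules are gated on `distro_debian`, but both comments say they exist for systemd before the transition out of kernel_t, so the condition being expressed is the init system rather than the distribution; init.te in this same patch uses `ifdef(`init_systemd',` for exactly that case, and using it here would keep the rules off Debian systems booting without systemd and on non-Debian systemd systems that hit the same denials. `kernel_read_unlabeled_state(kernel_t)` has no comment of its own, so it is unclear whether it belongs to the same systemd case. The block is also followed by two blank lines where the file uses one.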
diff -ru /home/rjc/src/pol-git/policy/modules/roles/sysadm.te ./policy/modules/roles/sysadm.te
--- /home/rjc/src/pol-git/policy/modules/roles/sysadm.te	2016-07-28 20:33:39.963961720 +1000
+++ ./policy/modules/roles/sysadm.te	2016-08-03 16:11:44.354831390 +1000
@@ -44,6 +44,8 @@
 init_stop_generic_units(sysadm_t)
 init_reload_generic_units(sysadm_t)
 
+selinux_read_policy(sysadm_t)
+
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
@@ -103,6 +105,10 @@
 ')
 
 optional_policy(`
+	system_mail_role(sysadm_r)
+')
+
+optional_policy(`
 	amanda_run_recover(sysadm_t, sysadm_r)
 ')
 
diff -ru /home/rjc/src/pol-git/policy/modules/services/ssh.if ./policy/modules/services/ssh.if
--- /home/rjc/src/pol-git/policy/modules/services/ssh.if	2016-07-28 20:33:39.967961825 +1000
+++ ./policy/modules/services/ssh.if	2016-08-03 16:11:44.362831615 +1000
@@ -349,6 +349,8 @@
 	allow $1_ssh_agent_t self:process { setrlimit signal };
 	allow $1_ssh_agent_t self:capability setgid;
 
+	allow $1_ssh_agent_t self:fifo_file rw_file_perms;
+
 	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
 
 	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
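Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies the file permission set to a fifo_file; refpolicy has the class-specific `rw_fifo_file_perms` (dpkg.te in this patch uses it for the same purpose on dpkg_script_t), so the line should read `allow $1_ssh_agent_t self:fifo_file rw_fifo_file_perms;`. In the next hunk, `xdm_sigchld($1_ssh_agent_t)` lacks the `xserver_` prefix of the two calls around it; unless an interface of that name exists in xserver.if (not shown in this patch), the build will not resolve it and the xserver_-prefixed interface should be used. The enclosing template starts outside the hunk.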
@@ -432,6 +434,7 @@
 	optional_policy(`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
+		xdm_sigchld($1_ssh_agent_t)
 	')
 ')
 
diff -ru /home/rjc/src/pol-git/policy/modules/services/xserver.te ./policy/modules/services/xserver.te
--- /home/rjc/src/pol-git/policy/modules/services/xserver.te	2016-07-28 20:33:39.967961825 +1000
+++ ./policy/modules/services/xserver.te	2016-08-03 16:11:44.362831615 +1000
@@ -260,6 +260,7 @@
 
 allow xdm_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")
 
 kernel_request_load_module(xauth_t)
 
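Review bot: `userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")` names user_home_t, a type owned by the userdomain module, directly from xserver.te; unless the file already pulls it in with a `gen_require` outside this hunk, the module convention would be a userdom_ interface that supplies the type itself. A one-line comment on why xdm_t rather than the session domain creates this file in the user's home would also make the rule self-explaining; the reason is not visible here and should be stated by the author.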
diff -ru /home/rjc/src/pol-git/policy/modules/system/fstools.if ./policy/modules/system/fstools.if
--- /home/rjc/src/pol-git/policy/modules/system/fstools.if	2016-07-28 20:33:39.967961825 +1000
+++ ./policy/modules/system/fstools.if	2016-08-03 16:11:44.366831728 +1000
@@ -172,3 +172,21 @@
 
 	allow $1 swapfile_t:file getattr;
 ')
+
+########################################
+## <summary>
+##	Write to fsadm_log_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_write_log',`
+	gen_require(`
+		type fsadm_log_t;
+	')
+
+	allow $1 fsadm_log_t:file write_file_perms;
+')
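Review bot: The summary `Write to fsadm_log_t` names the type rather than the object, where the file's other summaries describe what the caller may do; `Write to the fsadm log files.` would match. For a log file, `append_file_perms` is the narrower set if the caller (initrc_t via logsave, per the comment in init.te) only appends, since `write_file_perms` also allows overwriting existing content; choose whichever the observed denial actually needed and say so in the summary.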
diff -ru /home/rjc/src/pol-git/policy/modules/system/init.te ./policy/modules/system/init.te
--- /home/rjc/src/pol-git/policy/modules/system/init.te	2016-07-28 20:33:39.967961825 +1000
+++ ./policy/modules/system/init.te	2016-08-03 16:31:49.272457522 +1000
@@ -125,9 +125,15 @@
 allow init_t initrc_t:unix_stream_socket connectto;
 
 # For /var/run/shutdown.pid.
+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
 allow init_t init_var_run_t:file manage_file_perms;
 files_pid_filetrans(init_t, init_var_run_t, file)
 
+# for /run/initctl
+allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
+
+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
+
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
 
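Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` appears twice in this hunk, once under the `# For /var/run/shutdown.pid.` comment (where a symlink rule does not fit the comment) and again on its own a few lines down; the duplicate is harmless to the compiler but misleading to readers. Keep a single copy with its own comment, e.g. `# for <symlink under /run> — TODO name it`, placed with the other init_var_run_t rules.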
@@ -138,12 +144,18 @@
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)
 
+domain_read_all_domains_state(init_t)
+
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+fs_relabel_pstore_dirs(init_t)
+dev_read_urand(init_t)
+
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
+dev_relabel_generic_symlinks(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
@@ -156,6 +168,9 @@
 files_rw_generic_pids(init_t)
 files_manage_etc_runtime_files(init_t)
 files_etc_filetrans_etc_runtime(init_t, file)
+files_relabelto_etc_runtime(init_t)
+files_list_usr(init_t)
+
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 # file descriptors inherited from the rootfs:
@@ -282,6 +297,9 @@
 
 	# udevd is a "systemd kobject uevent socket activated daemon"
 	udev_create_kobject_uevent_sockets(init_t)
+	# for systemd to read udev status
+	udev_read_pid_files(init_t)
+
 
 	optional_policy(`
 		systemd_relabelto_kmod_files(init_t)
@@ -306,11 +324,21 @@
 	')
 ')
 
+fs_relabelfrom_tmpfs_symlinks(init_t)
+
 ifdef(`distro_debian',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
 
 	allow init_t initrc_var_run_t:file manage_file_perms;
 	fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+	fs_manage_tmpfs_files(initrc_t)
+	sysnet_write_config(initrc_t)
+	sysnet_create_config(initrc_t)
+	sysnet_manage_config(initrc_t)
+
+	optional_policy(`
+		postfix_read_config(initrc_t)
+	')
 ')
 
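Review bot: Inside the `distro_debian` block, `sysnet_manage_config(initrc_t)` as far as I can tell already includes the write and create permissions that `sysnet_write_config(initrc_t)` and `sysnet_create_config(initrc_t)` grant on the lines above, so those two calls are redundant and can be dropped. `fs_manage_tmpfs_files(initrc_t)` gives the init scripts full control of every tmpfs-labelled file rather than the specific files under /run they touch, a broad grant in a block that otherwise lists named objects; a comment naming the script that needed it would help decide whether a named filetrans would do instead. `fs_relabelfrom_tmpfs_symlinks(init_t)` at the top of the hunk is unconditional and placed between two conditional blocks, so it is hard to tell which boot path it belongs to.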
 ifdef(`distro_gentoo',`
@@ -326,6 +354,12 @@
 ')
 
 optional_policy(`
+	modutils_read_module_config(init_t)
+	modutils_read_module_deps(init_t)
+	modutils_read_module_objects(init_t)
+')
+
+optional_policy(`
 	auth_rw_login_records(init_t)
 ')
 
@@ -374,6 +408,9 @@
 # Going to single user mode
 init_telinit(initrc_t)
 
+# for logsave in strict configuration
+fstools_write_log(initrc_t)
+
 can_exec(initrc_t, init_script_file_type)
 
 create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
@@ -393,6 +430,8 @@
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
+files_create_pid_dir(initrc_t)
+files_setattr_pid_dirs(initrc_t)
 
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -439,6 +478,7 @@
 corenet_tcp_connect_all_ports(initrc_t)
 corenet_sendrecv_all_client_packets(initrc_t)
 
+dev_create_subdir(initrc_t)
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
 dev_write_kmsg(initrc_t)
@@ -726,6 +766,7 @@
 ')
 
 ifdef(`init_systemd',`
+	kernel_load_module(init_t)
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
 
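Review bot: `kernel_load_module(init_t)` grants pid 1 the sys_module capability, and together with the `modutils_read_module_*` calls added earlier in this file it lets init_t load arbitrary module objects; the line has no comment explaining which systemd behaviour needs it. If the denial was only a kernel autoload request, `kernel_request_load_module(init_t)` (already used for dpkg_t and xauth_t elsewhere in this patch) is the narrower grant, since the actual loading then happens in kernel_t. The `init_systemd` block continues outside the hunk.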
diff -ru /home/rjc/src/pol-git/policy/modules/system/libraries.fc ./policy/modules/system/libraries.fc
--- /home/rjc/src/pol-git/policy/modules/system/libraries.fc	2016-08-03 10:37:38.716348544 +1000
+++ ./policy/modules/system/libraries.fc	2016-08-03 16:11:44.362831615 +1000
@@ -91,7 +91,11 @@
 #
 # /sbin
 #
+ifdef(`distro_debian',`
+/sbin/ldconfig.real				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
+',`
 /sbin/ldconfig				--	gen_context(system_u:object_r:ldconfig_exec_t,s0)
+')
 
 #
 # /usr
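Review bot: On Debian the new entry labels `/sbin/ldconfig.real` and leaves `/sbin/ldconfig` at the directory default, which is the intent if the Debian package ships `/sbin/ldconfig` as a wrapper around `ldconfig.real`, but nothing in the hunk says so. A comment such as `# Debian: /sbin/ldconfig is a wrapper, the real binary is ldconfig.real` would record the reason, and it is worth confirming that callers relying on a domain transition to ldconfig_t still transition when they invoke the wrapper rather than the real binary.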
diff -ru /home/rjc/src/pol-git/policy/modules/system/modutils.if ./policy/modules/system/modutils.if
--- /home/rjc/src/pol-git/policy/modules/system/modutils.if	2016-07-28 20:33:39.971961928 +1000
+++ ./policy/modules/system/modutils.if	2016-08-03 16:11:44.358831503 +1000
@@ -39,6 +39,25 @@
 
 ########################################
 ## <summary>
+##	Read the kernel modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_read_module_objects',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	files_list_kernel_modules($1)
+	allow $1 modules_object_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the configuration options used when
 ##	loading modules.
 ## </summary>
diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.fc ./policy/modules/system/selinuxutil.fc
--- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.fc	2016-07-28 20:33:39.971961928 +1000
+++ ./policy/modules/system/selinuxutil.fc	2016-08-03 16:11:44.366831728 +1000
@@ -25,6 +25,7 @@
 /sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
 /sbin/restorecon		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
 /sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/bin/dpkg-statoverride	--	gen_context(system_u:object_r:setfiles_exec_t,s0)
 
 #
 # /usr
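Review bot: Labelling `/usr/bin/dpkg-statoverride` as setfiles_exec_t makes it run as setfiles_t, a domain that in selinuxutil.te holds `dev_relabel_all_dev_nodes` and `fs_relabelfrom_noxattr_fs` among others, so a tool whose job is recording ownership and mode overrides inherits the full relabel privilege of setfiles. The `dpkg_read_db(setfiles_t)` added in the last hunk of selinuxutil.te exists only to support this mapping, which shows the two roles are being merged. A dedicated domain for dpkg-statoverride, or keeping it in the dpkg domain with the specific relabel permission it needs, would follow least privilege; at minimum a comment here (`# dpkg-statoverride needs relabel access — TODO confirm which`) should state why setfiles_t was chosen.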
diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te ./policy/modules/system/selinuxutil.te
--- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te	2016-07-28 20:33:39.971961928 +1000
+++ ./policy/modules/system/selinuxutil.te	2016-08-03 16:11:44.362831615 +1000
@@ -192,6 +192,7 @@
 
 userdom_use_user_terminals(load_policy_t)
 userdom_use_all_users_fds(load_policy_t)
+dev_read_urand(load_policy_t)
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
@@ -324,6 +325,8 @@
 kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_read_system_state(restorecond_t)
+kernel_getattr_debugfs(restorecond_t)
+getattr_pstorefs(restorecond_t)
 
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_dontaudit_list_nfs(restorecond_t)
@@ -455,6 +458,7 @@
 kernel_read_kernel_sysctls(semanage_t)
 
 corecmd_exec_bin(semanage_t)
+corecmd_exec_shell(semanage_t)
 
 dev_read_urand(semanage_t)
 
@@ -537,6 +541,8 @@
 kernel_rw_unix_dgram_sockets(setfiles_t)
 kernel_dontaudit_list_all_proc(setfiles_t)
 kernel_dontaudit_list_all_sysctls(setfiles_t)
+kernel_getattr_debugfs(setfiles_t)
+getattr_pstorefs(setfiles_t)
 
 dev_relabel_all_dev_nodes(setfiles_t)
 # to handle when /dev/console needs to be relabeled
@@ -598,6 +604,11 @@
 	fs_rw_tmpfs_chr_files(setfiles_t)
 ')
 
+# for dpkg-statoverride running as setfiles_t
+optional_policy(`
+	dpkg_read_db(setfiles_t)
+')
+
 ifdef(`distro_redhat', `
 	fs_rw_tmpfs_chr_files(setfiles_t)
 	fs_rw_tmpfs_blk_files(setfiles_t)
diff -ru /home/rjc/src/pol-git/policy/modules/system/userdomain.if ./policy/modules/system/userdomain.if
--- /home/rjc/src/pol-git/policy/modules/system/userdomain.if	2016-08-03 10:37:38.724348763 +1000
+++ ./policy/modules/system/userdomain.if	2016-08-03 16:11:44.362831615 +1000
@@ -67,6 +67,7 @@
 	dontaudit $1_t user_tty_device_t:chr_file ioctl;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_vm_sysctls($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -78,6 +79,12 @@
 	dev_dontaudit_getattr_all_blk_files($1_t)
 	dev_dontaudit_getattr_all_chr_files($1_t)
 
+	# for X session unlock
+	allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+
+	# for KDE
+	allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
+
 	# When the user domain runs ps, there will be a number of access
 	# denials when ps tries to search /proc. Do not audit these denials.
 	domain_dontaudit_read_all_domains_state($1_t)
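Review bot: `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` gives every user domain built from this template the right to relay audit messages, but sending them also needs the audit_write capability, which this hunk does not add; `logging_send_audit_msgs($1_t)` bundles both, and is what dpkg.te in this patch open-codes with `create_netlink_socket_perms` (a different permission set from the one used here). Using the interface would make the two consistent and keep the grant reviewable as one unit. The comment `# for X session unlock` could name the screen locker that needed it, since the rule now applies to all user domains, not only desktop ones; the enclosing template starts outside the hunk.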
@@ -108,6 +115,14 @@
 
 	sysnet_read_config($1_t)
 
+	# kdeinit wants systemd status
+	init_status($1_t)
+
+	optional_policy(`
+		apt_read_cache($1_t)
+		apt_read_db($1_t)
+	')
+
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
diff -ru /home/rjc/src/pol-git/policy/modules/system/userdomain.te ./policy/modules/system/userdomain.te
--- /home/rjc/src/pol-git/policy/modules/system/userdomain.te	2016-08-03 10:37:38.724348763 +1000
+++ ./policy/modules/system/userdomain.te	2016-08-03 16:11:44.362831615 +1000
@@ -53,6 +53,10 @@
 # all user domains
 attribute userdomain;
 
+ifdef(`distro_debian', `
+        dpkg_read_db(userdomain)
+')
+
 # unprivileged user domains
 attribute unpriv_userdomain;
 
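Review bot: `dpkg_read_db(userdomain)` is called from the base userdomain module without an `optional_policy` wrapper, so on `distro_debian` the base policy now hard-depends on the contrib dpkg module; the same call in selinuxutil.te in this patch is wrapped in `optional_policy(` `)`, and this one should be too. The block also indents with eight spaces where the file uses tabs, and it sits between two attribute declarations rather than with the other rule calls, which makes it easy to miss.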
diff -ru /home/rjc/src/pol-git/policy/support/file_patterns.spt ./policy/support/file_patterns.spt
--- /home/rjc/src/pol-git/policy/support/file_patterns.spt	2016-07-28 20:33:39.971961928 +1000
+++ ./policy/support/file_patterns.spt	2016-08-03 16:11:44.366831728 +1000
@@ -489,7 +489,7 @@
 define(`create_chr_files_pattern',`
 	allow $1 self:capability mknod;
 	allow $1 $2:dir add_entry_dir_perms;
-	allow $1 $3:chr_file create_chr_file_perms;
+	allow $1 $3:chr_file { create_chr_file_perms setattr };
 ')
 
 define(`delete_chr_files_pattern',`
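Review bot: Adding setattr to `create_chr_files_pattern` changes a support macro used by every caller in the policy, so all of them silently gain setattr on the character nodes they create rather than only the caller that hit the denial; that is a policy-wide widening hidden in a helper, and the `create` name no longer describes the pattern. Grant setattr at the caller that needs it (`allow <domain> <type>:chr_file setattr;` next to its create_chr_files_pattern call) and leave the macro alone, or, if a combined pattern is wanted, add a new one whose name says so.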


* [refpolicy] [PATCH] strict mode policy
  2016-08-03  6:38 [refpolicy] [PATCH] strict mode policy Russell Coker
@ 2016-08-06 21:14 ` Chris PeBenito
From: Chris PeBenito @ 2016-08-06 21:14 UTC (permalink / raw)
  To: refpolicy

On 08/03/16 02:38, Russell Coker wrote:
> The following patch contains the changes that I needed to get a Debian system
> running correctly in a "strict" configuration, IE the unconfined module is not
> loaded.



> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/mta.if ./policy/modules/contrib/mta.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mta.if	2016-07-30 08:14:41.121650499 +1000
> +++ ./policy/modules/contrib/mta.if	2016-08-03 16:11:44.358831503 +1000
> @@ -121,6 +121,23 @@
>
>  ########################################
>  ## <summary>
> +##	Enable system_mail_t to run in the specified role
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`system_mail_role',`
> +	gen_require(`
> +		type system_mail_t;
> +	')
> +	role $1 types system_mail_t;
> +')

Why is this needed?  I see it below, but why wouldn't roles be using 
user_mail_t instead?




> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/devices.if ./policy/modules/kernel/devices.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/devices.if	2016-07-28 20:33:39.959961616 +1000
> +++ ./policy/modules/kernel/devices.if	2016-08-03 16:11:44.366831728 +1000
> @@ -5046,3 +5046,21 @@
>
>  	typeattribute $1 devices_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##      Create subdir of /dev
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`dev_create_subdir',`

dev_create_generic_dirs() already exists, though it has read on 
device_t:dir.


> +        gen_require(`
> +                type device_t;
> +        ')
> +       allow $1 device_t:dir { add_entry_dir_perms create };
> +       allow $1 device_t:dir search_dir_perms;
> +')
> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/files.if ./policy/modules/kernel/files.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/files.if	2016-07-28 20:33:39.963961720 +1000
> +++ ./policy/modules/kernel/files.if	2016-08-03 16:11:44.366831728 +1000
> @@ -3194,6 +3194,26 @@
>
>  ########################################
>  ## <summary>
> +##	Relabel files and dirs to etc_runtime_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_relabelto_etc_runtime',`
> +	gen_require(`
> +		type etc_runtime_t;
> +	')
> +
> +	allow $1 etc_runtime_t:file relabelto;
> +	allow $1 etc_runtime_t:dir relabelto;
> +')

This should be broken up into two interfaces.



> @@ -6095,6 +6115,24 @@
>  ')
>
>  ########################################
> +## <summary>
> +##	Create a /var/run directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_create_pid_dir',`

Should be named files_create_generic_pid_dirs().


> +	gen_require(`
> +		type var_run_t;
> +	')
> +
> +	allow $1 var_run_t:dir create_dir_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Search the contents of runtime process
>  ##	ID directories (/var/run).
> diff -ru /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if ./policy/modules/kernel/filesystem.if
> --- /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if	2016-07-28 20:33:39.963961720 +1000
> +++ ./policy/modules/kernel/filesystem.if	2016-08-03 16:19:16.127550295 +1000
> @@ -767,6 +767,42 @@
>
>  ########################################
>  ## <summary>
> +##     Relabel pstore directories.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`fs_relabel_pstore_dirs',`
> +	gen_require(`
> +		type pstore_t;
> +	')
> +
> +	relabel_dirs_pattern($1, pstore_t, pstore_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Get the attributes of a pstore filesystem.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`getattr_pstorefs',`
> +	gen_require(`
> +		type pstore_t;
> +	')
> +
> +allow $1 pstore_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Relabel cgroup directories.
>  ## </summary>
>  ## <param name="domain">
> @@ -806,6 +842,26 @@
>
>  ########################################
>  ## <summary>
> +##     Create cgroup lnk_files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`fs_create_cgroup_links',`
> +	gen_require(`
> +		type cgroup_t;
> +	')
> +
> +	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
> +	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
> +	dev_search_sysfs($1)

This interface is "create", but I don't think that the rw perms are 
necessary.



> diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te ./policy/modules/system/selinuxutil.te
> --- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te	2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/selinuxutil.te	2016-08-03 16:11:44.362831615 +1000
> @@ -192,6 +192,7 @@
>
>  userdom_use_user_terminals(load_policy_t)
>  userdom_use_all_users_fds(load_policy_t)
> +dev_read_urand(load_policy_t)

Is this related to SSP?


-- 
Chris PeBenito

