
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
Date: Sun, 01 Jan 2017 16:37:57
Message-Id: 1483287988.1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c.perfinion@gentoo
1 commit: 1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c
2 Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
3 AuthorDate: Sun Dec 18 20:58:44 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 1 16:26:28 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a61c661
7
8 kernel: missing permissions for confined execution
9
10 This patch adds permissions that were missing from the kernel module
11 and that prevented running it without the unconfined module.
12
13 This second version improves the comment section of new interfaces:
14 "Domain" is replaced by "Domain allowed access".
15
16 Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
17
18 policy/modules/kernel/devices.if | 56 +++++++++++++++
19 policy/modules/kernel/files.if | 131 ++++++++++++++++++++++++++++++++++++
20 policy/modules/kernel/filesystem.if | 18 +++++
21 policy/modules/kernel/kernel.if | 18 +++++
22 policy/modules/kernel/kernel.te | 34 ++++++++++
23 policy/modules/kernel/terminal.if | 20 ++++++
24 6 files changed, 277 insertions(+)
25
26 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
27 index 3f05417..7d99b29 100644
28 --- a/policy/modules/kernel/devices.if
29 +++ b/policy/modules/kernel/devices.if
30 @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',`
31
32 ########################################
33 ## <summary>
34 +## Set the attributes on generic
35 +## block devices.
36 +## </summary>
37 +## <param name="domain">
38 +## <summary>
39 +## Domain allowed access.
40 +## </summary>
41 +## </param>
42 +#
43 +interface(`dev_setattr_generic_blk_files',`
44 + gen_require(`
45 + type device_t;
46 + ')
47 +
48 + allow $1 device_t:blk_file setattr;
49 +')
50 +
51 +########################################
52 +## <summary>
53 ## Dontaudit setattr on generic block devices.
54 ## </summary>
55 ## <param name="domain">
56 @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
57
58 ########################################
59 ## <summary>
60 +## Set the attributes for generic
61 +## character device files.
62 +## </summary>
63 +## <param name="domain">
64 +## <summary>
65 +## Domain allowed access.
66 +## </summary>
67 +## </param>
68 +#
69 +interface(`dev_setattr_generic_chr_files',`
70 + gen_require(`
71 + type device_t;
72 + ')
73 +
74 + allow $1 device_t:chr_file setattr;
75 +')
76 +
77 +########################################
78 +## <summary>
79 ## Dontaudit setattr for generic character device files.
80 ## </summary>
81 ## <param name="domain">
82 @@ -3897,6 +3935,24 @@ interface(`dev_manage_smartcard',`
83
84 ########################################
85 ## <summary>
86 +## Mount a filesystem on sysfs.
87 +## </summary>
88 +## <param name="domain">
89 +## <summary>
90 +## Domain allow access.
91 +## </summary>
92 +## </param>
93 +#
94 +interface(`dev_mounton_sysfs',`
95 + gen_require(`
96 + type device_t;
97 + ')
98 +
99 + allow $1 sysfs_t:dir mounton;
100 +')
101 +
102 +########################################
103 +## <summary>
104 ## Associate a file to a sysfs filesystem.
105 ## </summary>
106 ## <param name="file_type">
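Review bot: The gen_require block of dev_mounton_sysfs declares `type device_t;` while the rule beneath it is `allow $1 sysfs_t:dir mounton;`, so the interface requires a type it never uses and fails to require the one it does; it should read `type sysfs_t;`. The parameter summary in the same hunk reads `Domain allow access.` whereas every other interface added by this commit says `Domain allowed access.`, which the commit message names as the point of the second revision, so that line should be aligned as well. Both problems are on the added lines of this hunk, not in the surrounding context.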
107
108 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
109 index 3fc0487..b5eeaf8 100644
110 --- a/policy/modules/kernel/files.if
111 +++ b/policy/modules/kernel/files.if
112 @@ -1786,6 +1786,25 @@ interface(`files_list_root',`
113
114 ########################################
115 ## <summary>
116 +## Delete symbolic links in the
117 +## root directory.
118 +## </summary>
119 +## <param name="domain">
120 +## <summary>
121 +## Domain allowed access.
122 +## </summary>
123 +## </param>
124 +#
125 +interface(`files_delete_root_symlinks',`
126 + gen_require(`
127 + type root_t;
128 + ')
129 +
130 + allow $1 root_t:lnk_file delete_lnk_file_perms;
131 +')
132 +
133 +########################################
134 +## <summary>
135 ## Do not audit attempts to write to / dirs.
136 ## </summary>
137 ## <param name="domain">
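Review bot: files_delete_root_symlinks grants only `root_t:lnk_file delete_lnk_file_perms`, which by itself does not let a domain unlink a link under /, because removing a directory entry also requires write and remove_name on the containing root_t directory. If the sibling delete interfaces in this file are built on the delete_lnk_files_pattern macro (their bodies are outside this hunk, so I cannot confirm), the consistent body would be `delete_lnk_files_pattern($1, root_t, root_t)`, which bundles the directory permissions and keeps the interface usable on its own. In this commit the kernel_t caller only gets away with the bare rule because it also receives files_manage_root_dir.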
138 @@ -1914,6 +1933,25 @@ interface(`files_dontaudit_rw_root_chr_files',`
139
140 ########################################
141 ## <summary>
142 +## Delete character device nodes in
143 +## the root directory.
144 +## </summary>
145 +## <param name="domain">
146 +## <summary>
147 +## Domain allowed access.
148 +## </summary>
149 +## </param>
150 +#
151 +interface(`files_delete_root_chr_files',`
152 + gen_require(`
153 + type root_t;
154 + ')
155 +
156 + allow $1 root_t:chr_file delete_chr_file_perms;
157 +')
158 +
159 +########################################
160 +## <summary>
161 ## Delete files in the root directory.
162 ## </summary>
163 ## <param name="domain">
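Review bot: files_delete_root_chr_files has the same gap as the symlink interface above it: `root_t:chr_file delete_chr_file_perms` alone does not allow removing the node from /, since the directory entry removal is a separate permission on the root_t directory. If the file's existing delete interfaces use the pattern macros, `delete_chr_files_pattern($1, root_t, root_t)` is the consistent form; otherwise the summary should at least say that callers need write access to the root directory as well.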
164 @@ -1932,6 +1970,24 @@ interface(`files_delete_root_files',`
165
166 ########################################
167 ## <summary>
168 +## Execute files in the root directory.
169 +## </summary>
170 +## <param name="domain">
171 +## <summary>
172 +## Domain allowed access.
173 +## </summary>
174 +## </param>
175 +#
176 +interface(`files_exec_root_files',`
177 + gen_require(`
178 + type root_t;
179 + ')
180 +
181 + allow $1 root_t:file exec_file_perms;
182 +')
183 +
184 +########################################
185 +## <summary>
186 ## Remove entries from the root directory.
187 ## </summary>
188 ## <param name="domain">
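Review bot: files_exec_root_files allows execution of any file carrying the bare root_t label, and as far as I know that label is the fallback for content directly under / that no more specific file context covers, so a caller gains execute on whatever happens to be mislabeled in / rather than on a particular binary. That is acceptable for the early-boot use this commit appears to target, but the summary should make the scope explicit, e.g. `## Execute files in the root directory that carry only the generic root_t label; intended for early boot (initramfs) domains.` The rule also grants exec_file_perms without search on the directory, so a caller needs files_list_root or similar to reach the file; the exec_files_pattern macro would bundle that if the file uses the pattern style elsewhere.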
189 @@ -1950,6 +2006,43 @@ interface(`files_delete_root_dir_entry',`
190
191 ########################################
192 ## <summary>
193 +## Manage the root directory.
194 +## </summary>
195 +## <param name="domain">
196 +## <summary>
197 +## Domain allowed access.
198 +## </summary>
199 +## </param>
200 +#
201 +interface(`files_manage_root_dir',`
202 + gen_require(`
203 + type root_t;
204 + ')
205 +
206 + allow $1 root_t:dir manage_dir_perms;
207 +')
208 +
209 +########################################
210 +## <summary>
211 +## Get the attributes of a rootfs
212 +## file system.
213 +## </summary>
214 +## <param name="domain">
215 +## <summary>
216 +## Domain allowed access.
217 +## </summary>
218 +## </param>
219 +#
220 +interface(`files_getattr_rootfs',`
221 + gen_require(`
222 + type root_t;
223 + ')
224 +
225 + allow $1 root_t:filesystem getattr;
226 +')
227 +
228 +########################################
229 +## <summary>
230 ## Associate to root file system.
231 ## </summary>
232 ## <param name="file_type">
233 @@ -3057,6 +3150,44 @@ interface(`files_delete_boot_flag',`
234
235 ########################################
236 ## <summary>
237 +## Get the attributes of the
238 +## etc_runtime directories.
239 +## </summary>
240 +## <param name="domain">
241 +## <summary>
242 +## Domain allowed access.
243 +## </summary>
244 +## </param>
245 +#
246 +interface(`files_getattr_etc_runtime_dirs',`
247 + gen_require(`
248 + type etc_runtime_t;
249 + ')
250 +
251 + allow $1 etc_runtime_t:dir getattr;
252 +')
253 +
254 +########################################
255 +## <summary>
256 +## Mount a filesystem on the
257 +## etc_runtime directories.
258 +## </summary>
259 +## <param name="domain">
260 +## <summary>
261 +## Domain allowed access.
262 +## </summary>
263 +## </param>
264 +#
265 +interface(`files_mounton_etc_runtime_dirs',`
266 + gen_require(`
267 + type etc_runtime_t;
268 + ')
269 +
270 + allow $1 etc_runtime_t:dir mounton;
271 +')
272 +
273 +########################################
274 +## <summary>
275 ## Do not audit attempts to set the attributes of the etc_runtime files
276 ## </summary>
277 ## <param name="domain">
278
279 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
280 index c85d805..23c7f08 100644
281 --- a/policy/modules/kernel/filesystem.if
282 +++ b/policy/modules/kernel/filesystem.if
283 @@ -4303,6 +4303,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
284
285 ########################################
286 ## <summary>
287 +## Delete tmpfs symbolic links.
288 +## </summary>
289 +## <param name="domain">
290 +## <summary>
291 +## Domain allowed access.
292 +## </summary>
293 +## </param>
294 +#
295 +interface(`fs_delete_tmpfs_symlinks',`
296 + gen_require(`
297 + type tmpfs_t;
298 + ')
299 +
300 + allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
301 +')
302 +
303 +########################################
304 +## <summary>
305 ## Create, read, write, and delete
306 ## auto moutpoints.
307 ## </summary>
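Review bot: fs_delete_tmpfs_symlinks grants `tmpfs_t:lnk_file delete_lnk_file_perms` without any permission on the tmpfs_t directory that holds the link, so on its own it cannot satisfy an unlink; the caller in kernel.te only succeeds because it separately receives fs_manage_tmpfs_dirs. If this file's other delete interfaces are written with delete_lnk_files_pattern, `delete_lnk_files_pattern($1, tmpfs_t, tmpfs_t)` would make this one self-contained and consistent with them.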
308
309 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
310 index 2c7ad0c..6887b00 100644
311 --- a/policy/modules/kernel/kernel.if
312 +++ b/policy/modules/kernel/kernel.if
313 @@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_dirs',`
314
315 ########################################
316 ## <summary>
317 +## Mount the directories in /proc.
318 +## </summary>
319 +## <param name="domain">
320 +## <summary>
321 +## Domain allowed access.
322 +## </summary>
323 +## </param>
324 +#
325 +interface(`kernel_mounton_proc_dirs',`
326 + gen_require(`
327 + type proc_t;
328 + ')
329 +
330 + allow $1 proc_t:dir mounton;
331 +')
332 +
333 +########################################
334 +## <summary>
335 ## Get the attributes of files in /proc.
336 ## </summary>
337 ## <param name="domain">
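Review bot: The summary `Mount the directories in /proc.` describes the wrong operation; the rule grants `proc_t:dir mounton`, which is permission to use a /proc directory as a mount point, not to mount /proc itself. Suggest `## Mount a filesystem on directories in /proc.` so it matches the wording of dev_mounton_sysfs and files_mounton_etc_runtime_dirs added elsewhere in this commit.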
338
339 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
340 index 7334dc9..2a6ab8e 100644
341 --- a/policy/modules/kernel/kernel.te
342 +++ b/policy/modules/kernel/kernel.te
343 @@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
344 # connections with invalidated labels:
345 allow kernel_t unlabeled_t:packet send;
346
347 +kernel_mounton_proc_dirs(kernel_t)
348 kernel_request_load_module(kernel_t)
349
350 # Allow unlabeled network traffic
351 @@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
352 corenet_raw_send_generic_node(kernel_t)
353 corenet_send_all_packets(kernel_t)
354
355 +dev_mounton_sysfs(kernel_t)
356 dev_read_sysfs(kernel_t)
357 dev_search_usbfs(kernel_t)
358 # devtmpfs handling:
359 @@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
360 dev_create_generic_chr_files(kernel_t)
361 dev_delete_generic_chr_files(kernel_t)
362 dev_mounton(kernel_t)
363 +dev_delete_generic_symlinks(kernel_t)
364 +dev_rw_generic_chr_files(kernel_t)
365 +dev_setattr_generic_blk_files(kernel_t)
366 +dev_setattr_generic_chr_files(kernel_t)
367 +dev_getattr_fs(kernel_t)
368 +dev_getattr_sysfs(kernel_t)
369
370 # Mount root file system. Used when loading a policy
371 # from initrd, then mounting the root filesystem
372 fs_mount_all_fs(kernel_t)
373 fs_unmount_all_fs(kernel_t)
374
375 +fs_getattr_tmpfs(kernel_t)
376 +fs_getattr_tmpfs_dirs(kernel_t)
377 +fs_manage_tmpfs_dirs(kernel_t)
378 +fs_manage_tmpfs_files(kernel_t)
379 +fs_manage_tmpfs_sockets(kernel_t)
380 +fs_delete_tmpfs_symlinks(kernel_t)
381 +
382 +selinux_getattr_fs(kernel_t)
383 selinux_load_policy(kernel_t)
384
385 +term_getattr_pty_fs(kernel_t)
386 term_use_console(kernel_t)
387 +term_use_generic_ptys(kernel_t)
388
389 # for kdevtmpfs
390 term_setattr_unlink_unallocated_ttys(kernel_t)
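Review bot: dev_rw_generic_chr_files(kernel_t) grants read and write on every character device node that carries the generic device_t label, which is a much broader grant than the create/delete/setattr lines it is placed among, and nothing in the hunk says which node triggered it. If it was added for a single denial, name the device in a comment so a later reviewer can check whether a dedicated device type exists for it, e.g. `# rw on generic chr devices: needed for <node> during initramfs boot`. The new dev_getattr_fs and dev_getattr_sysfs lines also sit under the existing `# devtmpfs handling:` comment although they are not devtmpfs related, so they would read better next to dev_read_sysfs in the previous hunk. The kernel_t rule set continues outside this hunk.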
391 @@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
392 domain_signal_all_domains(kernel_t)
393 domain_search_all_domains_state(kernel_t)
394
395 +files_getattr_rootfs(kernel_t)
396 +files_manage_root_dir(kernel_t)
397 +files_delete_root_files(kernel_t)
398 +files_exec_root_files(kernel_t)
399 +files_delete_root_symlinks(kernel_t)
400 +files_delete_root_chr_files(kernel_t)
401 files_list_root(kernel_t)
402 files_list_etc(kernel_t)
403 +files_getattr_etc_runtime_dirs(kernel_t)
404 +files_mounton_etc_runtime_dirs(kernel_t)
405 files_list_home(kernel_t)
406 files_read_usr_files(kernel_t)
407
408 @@ -343,6 +369,7 @@ optional_policy(`
409 ')
410
411 optional_policy(`
412 + logging_manage_generic_logs(kernel_t)
413 logging_send_syslog_msg(kernel_t)
414 ')
415
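Review bot: logging_manage_generic_logs(kernel_t) gives the kernel domain create, write and delete access to generic var_log_t log files, which goes far beyond the logging_send_syslog_msg it is placed next to and lets the ancestor of every process truncate or remove logs, an audit-trail exposure that an explicit grant should justify. If the denial behind it involved a single file written before syslog starts, name that file in a comment and prefer the narrowest logging_* interface that covers it (append- or write-only if the logging module provides one). As written the line has no comment explaining the need.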
416 @@ -356,6 +383,12 @@ optional_policy(`
417 ')
418
419 optional_policy(`
420 + plymouthd_read_lib_files(kernel_t)
421 + term_use_ptmx(kernel_t)
422 + term_use_unallocated_ttys(kernel_t)
423 +')
424 +
425 +optional_policy(`
426 # nfs kernel server needs kernel UDP access. It is less risky and painful
427 # to just give it everything.
428 allow kernel_t self:tcp_socket create_stream_socket_perms;
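Review bot: term_use_ptmx and term_use_unallocated_ttys are placed inside an optional_policy block whose only plymouth-specific call is plymouthd_read_lib_files, so these terminal grants silently depend on the plymouth module being present even though the terminal module is part of the base policy. If they are indeed only needed when plymouth runs from the initramfs, state that with a comment at the top of the block, e.g. `# plymouth started from the initramfs by kernel_t needs a pty and a free tty`; if they are needed regardless of plymouth, move them out of the optional block next to the term_use_console line in the earlier hunk.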
429 @@ -405,6 +438,7 @@ optional_policy(`
430 optional_policy(`
431 seutil_read_config(kernel_t)
432 seutil_read_bin_policy(kernel_t)
433 + seutil_domtrans_setfiles(kernel_t)
434 ')
435
436 optional_policy(`
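Review bot: seutil_domtrans_setfiles(kernel_t) adds a domain transition from the initial kernel domain into the setfiles domain, i.e. a relabel tool launched directly by kernel_t, and it is the one added line in this hunk with no explanation next to it. Since kernel_t is also where the policy is loaded (selinux_load_policy in an earlier hunk), a reader will assume this is an initramfs relabel after policy load; please say so explicitly, e.g. `# relabel the initramfs/root after loading policy`, and confirm the transition is intended rather than a denial copied from a boot without the unconfined module.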
437
438 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
439 index 86692b0..05be047 100644
440 --- a/policy/modules/kernel/terminal.if
441 +++ b/policy/modules/kernel/terminal.if
442 @@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
443
444 ########################################
445 ## <summary>
446 +## Get the attributes of the
447 +## /dev/pts directory.
448 +## </summary>
449 +## <param name="domain">
450 +## <summary>
451 +## Domain allowed access.
452 +## </summary>
453 +## </param>
454 +#
455 +interface(`term_getattr_pty_dirs',`
456 + gen_require(`
457 + type devpts_t;
458 + ')
459 +
460 + allow $1 devpts_t:dir getattr;
461 +')
462 +
463 +########################################
464 +## <summary>
465 ## Do not audit attempts to get the
466 ## attributes of the /dev/pts directory.
467 ## </summary>
468 @@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
469
470 allow $1 devpts_t:chr_file getattr;
471 ')
472 +
473 ########################################
474 ## <summary>
475 ## Do not audit attempts to get the attributes