commit: ef14bcd0189098ada222dd638183eb44073de691 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Thu Oct 12 21:42:23 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 29 12:59:08 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef14bcd0 |
|
init: Clean up line placement in init_systemd blocks. |
|
No rule changes. |
|
policy/modules/system/init.te | 196 ++++++++++++++++++++++-------------------- |
1 file changed, 102 insertions(+), 94 deletions(-) |
|
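diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 90291d34..75da7a62 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -216,11 +216,23 @@ ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
 
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap getsched setsched };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+	allow init_t self:netlink_selinux_socket create_socket_perms;
+	allow init_t self:system { status reboot halt reload };
+	# Until systemd is fixed
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+	allow init_t self:capability2 audit_read;
+
 	# for /run/systemd/inaccessible/{chr,blk}
 	allow init_t init_var_run_t:blk_file { create getattr };
 	allow init_t init_var_run_t:chr_file { create getattr };
 
-
 	allow init_t systemprocess:process { dyntransition siginh };
 	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
 	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
@@ -257,18 +269,47 @@ ifdef(`init_systemd',`
 
 	kernel_dyntrans_to(init_t)
 	kernel_read_network_state(init_t)
-	kernel_read_kernel_sysctls(init_t)
-	kernel_read_vm_sysctls(init_t)
 	kernel_dgram_send(init_t)
 	kernel_stream_connect(init_t)
 	kernel_getattr_proc(init_t)
 	kernel_read_fs_sysctls(init_t)
+	kernel_list_unlabeled(init_t)
+	kernel_load_module(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+	kernel_rw_unix_sysctls(init_t)
+
+	# run systemd misc initializations
+	# in the initrc_t domain, as would be
+	# done in traditional sysvinit/upstart.
+	corecmd_bin_domtrans(init_t, initrc_t)
+	corecmd_shell_domtrans(init_t, initrc_t)
 
-	dev_create_generic_dirs(init_t)
 	dev_manage_input_dev(init_t)
 	dev_relabel_all_sysfs(init_t)
 	dev_relabel_generic_symlinks(init_t)
 	dev_read_urand(init_t)
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_manage_null_service(initrc_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+	dev_read_usbfs(initrc_t)
+	# systemd writes to /dev/watchdog on shutdown
+	dev_write_watchdog(init_t)
 
 	domain_read_all_domains_state(init_t)
 
@@ -283,21 +324,47 @@ ifdef(`init_systemd',`
 	files_relabelto_etc_runtime_files(init_t)
 	files_read_all_locks(init_t)
 	files_search_kernel_modules(init_t)
+	files_create_all_pid_pipes(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_create_lock_dirs(init_t)
+	files_delete_all_pids(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_exec_generic_pid_files(init_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_manage_urandom_seed(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_read_boot_files(initrc_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_search_all(init_t)
+	files_unmount_all_file_type_fs(init_t)
 	# for privatetmp functions
 	files_mounton_tmp(init_t)
 	# for ProtectSystem
 	files_mounton_etc_dirs(init_t)
 
 	fs_relabel_cgroup_dirs(init_t)
-	fs_rw_cgroup_files(init_t)
 	fs_list_auto_mountpoints(init_t)
 	fs_mount_autofs(init_t)
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_getattr_tmpfs(init_t)
 	fs_read_tmpfs_files(init_t)
-	fs_read_cgroup_files(init_t)
 	fs_relabel_pstore_dirs(init_t)
 	fs_dontaudit_getattr_xattr_fs(init_t)
+	fs_create_cgroup_links(init_t)
+	fs_getattr_all_fs(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_mount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_relabelfrom_tmpfs_symlinks(init_t)
+	fs_unmount_all_fs(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
@@ -308,20 +375,32 @@ ifdef(`init_systemd',`
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
 
-	# need write to /var/run/systemd/notify
-	init_write_pid_socket(daemon)
+	init_read_script_state(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
 
+	selinux_unmount_fs(init_t)
+	selinux_validate_context(init_t)
 	selinux_compute_create_context(init_t)
 	selinux_compute_access_vector(init_t)
 
+	storage_getattr_removable_dev(init_t)
+
+	term_relabel_pty_dirs(init_t)
+
+	auth_manage_var_auth(init_t)
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
+
 	logging_manage_pid_sockets(init_t)
 	logging_send_audit_msgs(init_t)
 	logging_relabelto_devlog_sock_files(init_t)
 	logging_relabel_generic_log_dirs(init_t)
 
+	# lvm2-activation-generator checks file labels
+	seutil_read_file_contexts(init_t)
+
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
@@ -329,6 +408,7 @@ ifdef(`init_systemd',`
 	systemd_relabelto_tmpfiles_conf_files(init_t)
 	systemd_relabelto_journal_dirs(init_t)
 	systemd_relabelto_journal_files(init_t)
+	systemd_manage_all_units(init_t)
 
 	term_create_devpts_dirs(init_t)
 
@@ -853,21 +933,8 @@ ifdef(`enabled_mls',`
 ')
 
 ifdef(`init_systemd',`
-	allow init_t self:system { status reboot halt reload };
-
-	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow init_t self:process { setsockcreate setfscreate setrlimit };
-	allow init_t self:process { getcap setcap getsched setsched };
-	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
-	allow init_t self:netlink_selinux_socket create_socket_perms;
-	# Until systemd is fixed
-	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
-	allow init_t self:udp_socket create_socket_perms;
-	allow init_t self:netlink_route_socket create_netlink_socket_perms;
-	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
 	allow initrc_t init_t:system { start status reboot halt reload };
-	allow init_t self:capability2 audit_read;
+
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
 
@@ -890,106 +957,37 @@ ifdef(`init_systemd',`
 	allow initrc_t init_script_file_type:service { stop start status reload };
 
 	kernel_dgram_send(initrc_t)
-	kernel_list_unlabeled(init_t)
-	kernel_load_module(init_t)
-	kernel_rw_kernel_sysctl(init_t)
-	kernel_rw_net_sysctls(init_t)
-	kernel_read_all_sysctls(init_t)
-	kernel_read_software_raid_state(init_t)
-	kernel_unmount_debugfs(init_t)
-	kernel_setsched(init_t)
-	kernel_rw_unix_sysctls(init_t)
-
-	auth_manage_var_auth(init_t)
-	auth_relabel_login_records(init_t)
-	auth_relabel_pam_console_data_dirs(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
 	# done in traditional sysvinit/upstart.
 	corecmd_bin_entry_type(initrc_t)
-	corecmd_bin_domtrans(init_t, initrc_t)
-	corecmd_shell_domtrans(init_t, initrc_t)
 
 	dev_create_generic_dirs(initrc_t)
-	dev_write_kmsg(init_t)
-	dev_write_urand(init_t)
-	dev_rw_lvm_control(init_t)
-	dev_rw_autofs(init_t)
-	dev_manage_generic_symlinks(init_t)
-	dev_manage_generic_dirs(init_t)
-	dev_manage_generic_files(init_t)
-	dev_manage_null_service(initrc_t)
-	dev_read_generic_chr_files(init_t)
-	dev_relabel_generic_dev_dirs(init_t)
-	dev_relabel_all_dev_nodes(init_t)
-	dev_relabel_all_dev_files(init_t)
-	dev_manage_sysfs_dirs(init_t)
-	dev_relabel_sysfs_dirs(init_t)
-	dev_read_usbfs(initrc_t)
-	# systemd writes to /dev/watchdog on shutdown
-	dev_write_watchdog(init_t)
 
 	# Allow initrc_t to check /etc/fstab "service." It appears that
 	# systemd is conflating files and services.
-	files_create_all_pid_pipes(init_t)
-	files_create_all_pid_sockets(init_t)
-	files_create_all_spool_sockets(init_t)
-	files_create_lock_dirs(init_t)
-	files_create_pid_dirs(initrc_t)
-	files_delete_all_pids(init_t)
-	files_delete_all_spool_sockets(init_t)
-	files_exec_generic_pid_files(init_t)
 	files_get_etc_unit_status(initrc_t)
-	files_list_locks(init_t)
-	files_list_spool(init_t)
-	files_manage_all_pid_dirs(init_t)
-	files_manage_generic_tmp_dirs(init_t)
-	files_manage_urandom_seed(init_t)
-	files_mounton_all_mountpoints(init_t)
-	files_read_boot_files(initrc_t)
-	files_relabel_all_lock_dirs(init_t)
-	files_relabel_all_pid_dirs(init_t)
-	files_relabel_all_pid_files(init_t)
-	files_search_all(init_t)
+	files_create_pid_dirs(initrc_t)
 	files_setattr_pid_dirs(initrc_t)
-	files_unmount_all_file_type_fs(init_t)
-
-	fs_create_cgroup_links(init_t)
-	fs_getattr_all_fs(init_t)
-	fs_manage_cgroup_dirs(init_t)
-	fs_manage_cgroup_files(init_t)
-	fs_manage_tmpfs_dirs(init_t)
-	fs_mount_all_fs(init_t)
-	fs_remount_all_fs(init_t)
-	fs_relabelfrom_tmpfs_symlinks(init_t)
-	fs_unmount_all_fs(init_t)
-	fs_search_cgroup_dirs(daemon)
 
 	# for logsave in strict configuration
 	fstools_write_log(initrc_t)
 
+	selinux_set_enforce_mode(initrc_t)
+
 	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
-	init_read_script_state(init_t)
 	init_rw_stream_sockets(initrc_t)
 
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
 
-	selinux_set_enforce_mode(initrc_t)
-	selinux_unmount_fs(init_t)
-	selinux_validate_context(init_t)
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
-	seutil_read_file_contexts(init_t)
 
-	storage_getattr_removable_dev(init_t)
-	systemd_manage_all_units(init_t)
 	systemd_start_power_units(initrc_t)
 
-	term_relabel_pty_dirs(init_t)
-
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)
@@ -1416,6 +1414,16 @@ init_dontaudit_use_fds(daemon)
 # when using run_init
 init_use_script_ptys(daemon)
 
+ifdef(`init_systemd',`
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+
+	fs_search_cgroup_dirs(daemon)
+
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+')
+
 tunable_policy(`init_daemons_use_tty',`
 	term_use_unallocated_ttys(daemon)
 	term_use_generic_ptys(daemon)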
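Review bot: Three initrc_t rules are placed among the init_t calls of the first init_systemd block, which reads as the init_t section: `dev_manage_null_service(initrc_t)` and `dev_read_usbfs(initrc_t)` in the second hunk and `files_read_boot_files(initrc_t)` in the third; for a commit whose point is line placement they would sit more naturally beside the remaining initrc_t rules in the later init_systemd block, next to `dev_create_generic_dirs(initrc_t)` and `files_get_etc_unit_status(initrc_t)`. The init_t calls dropped in the second and third hunks (`kernel_read_kernel_sysctls`, `kernel_read_vm_sysctls`, `dev_create_generic_dirs`, `fs_rw_cgroup_files`, `fs_read_cgroup_files`) appear to be covered by the broader `kernel_read_all_sysctls`/`kernel_rw_kernel_sysctl`, `dev_manage_generic_dirs` and `fs_manage_cgroup_files` calls moved in beside them, which fits the "No rule changes" claim, but since the interface bodies are not visible here a compiled-policy comparison (sediff of the built policy before and after) is the way to confirm no access was dropped or widened. The enclosing ifdef blocks open and close outside every hunk except the last, which adds a self-contained block.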