Subject: [PATCH] refpolicy: make unconfined_u the default selinux user

For the targeted policy type, define unconfined_u as the default SELinux
user for root and normal users, so that users can log in and run most
commands and services in unconfined domains.

Also add rules for users to run init scripts directly, instead of via
run_init.

Upstream-Status: Inappropriate [configuration]

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 config/appconfig-mcs/seusers        |  4 ++--
 policy/modules/roles/sysadm.te      |  1 +
 policy/modules/system/init.if       | 47 ++++++++++++++++++++++++++++++-------
 policy/modules/system/unconfined.te |  7 ++++++
 policy/users                        | 16 +++++--------
 5 files changed, 55 insertions(+), 20 deletions(-)

--- a/config/appconfig-mcs/seusers
+++ b/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0
+
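Review bot: The `__default__` line maps every Linux account that has no explicit seusers entry to unconfined_u, so after this change no login user is confined by the targeted policy at all; that matches the commit message, but it is a per-image security decision and should be recorded next to the mapping (the recipe or a README), since seusers itself carries no rationale. Note that `__default__` stays at `s0` while root gets `s0-mcs_systemhigh`, so MCS separation presumably still applies to non-root logins — confirm that is intended. The final added line is an empty line at end of file and should be dropped, leaving `+__default__:unconfined_u:s0` as the last line.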
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -37,10 +37,11 @@ ubac_process_exempt(sysadm_t)
 ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
 init_admin(sysadm_t)
+init_script_role_transition(sysadm_r)
 
 selinux_read_policy(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
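Review bot: `init_script_role_transition(sysadm_r)` only installs a role_transition to system_r; a role transition is honoured only if sysadm_r is also allowed into system_r, and that allow is presumably granted by init_run_daemon under direct_sysadm_daemon (outside this hunk), so in a build without that define the new rule is dead. Either wrap the call in the same `direct_sysadm_daemon` ifdef the unconfined.te change uses, or state that it is intentionally unconditional. A short comment such as `# run init scripts directly from sysadm_r instead of via run_init` would tie the line to the commit message.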
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1394,30 +1394,31 @@ interface(`init_script_file_entry_type',
 ##	</summary>
 ## </param>
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute init_script_file_type;
 	')
 
 	files_list_etc($1)
-	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+	spec_domtrans_pattern($1, init_script_file_type, initrc_t)
 
 	ifdef(`distro_gentoo',`
 		gen_require(`
 			type rc_exec_t;
 		')
 
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 init_script_file_type:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
 	')
 ')
 
 ########################################
 ## <summary>
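Review bot: Switching from initrc_exec_t to the init_script_file_type attribute widens init_spec_domtrans_script so a caller may now enter initrc_t by executing any file type carrying the attribute, not just initrc_exec_t, and the interface description above the hunk (outside it) presumably still describes the narrower behaviour; update it, e.g. `## Execute any init script file type in the initrc_t domain (caller sets the context).` The two range_transition rules now name an attribute as well; refpolicy accepts attributes there in current policy versions, but it is worth confirming against the checkpolicy version used by this build. The gentoo branch still uses rc_exec_t and is unaffected.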
@@ -1429,22 +1430,23 @@ interface(`init_spec_domtrans_script',`
 ##	</summary>
 ## </param>
 #
 interface(`init_domtrans_script',`
 	gen_require(`
-		type initrc_t, initrc_exec_t;
+		type initrc_t;
+		attribute init_script_file_type;
 	')
 
 	files_list_etc($1)
-	domtrans_pattern($1, initrc_exec_t, initrc_t)
+	domtrans_pattern($1, init_script_file_type, initrc_t)
 
 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+		range_transition $1 init_script_file_type:process s0;
 	')
 
 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
 	')
 ')
 
 ########################################
 ## <summary>
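Review bot: Unlike the spec variant, `domtrans_pattern($1, init_script_file_type, initrc_t)` adds a type_transition on an attribute; if any caller already has a type_transition from one of the member types to a different domain, checkpolicy will reject the policy as conflicting, and if a caller is meant to reach another domain via a specific init-script type it will now silently land in initrc_t instead. I cannot see other callers from here, so this may be fine for the targeted build, but the interface description (above the hunk) should say that the transition now covers every init_script_file_type, e.g. `## Execute any init script file type in the initrc_t domain.`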
@@ -2972,5 +2974,34 @@ interface(`init_admin',`
 	init_stop_all_units($1)
 	init_stop_generic_units($1)
 	init_stop_system($1)
 	init_telinit($1)
 ')
+
+########################################
+## <summary>
+##	Transition to system_r when execute an init script
+## </summary>
+## <desc>
+##	<p>
+##	Execute a init script in a specified role
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="source_role">
+##	<summary>
+##	Role to transition from.
+##	</summary>
+## </param>
+#
+interface(`init_script_role_transition',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	role_transition $1 init_script_file_type system_r;
+')
+
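Review bot: The new init_script_role_transition interface references system_r but its gen_require only declares the attribute; refpolicy interfaces declare every role they use, so add `role system_r;` to the gen_require block. The interface also installs only the role_transition and not `allow $1 system_r;`, so a caller must obtain the role allow elsewhere — say so in the description, and replace the copied "No interprocess communication…" paragraph, which does not apply to a role rule, with something like `## The caller must separately be allowed into system_r for the transition to take effect.` The summary could read `## Transition to system_r when executing an init script.` The trailing empty line added at end of file should be dropped.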
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -18,10 +18,15 @@ init_system_domain(unconfined_t, unconfi
 
 type unconfined_execmem_t;
 type unconfined_execmem_exec_t;
 init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
+role unconfined_r types unconfined_t;
+role system_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+allow unconfined_r system_r;
 
 ########################################
 #
 # Local policy
 #
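Review bot: The four added role rules are unconditional, while the init-script rules added further down in this file are gated on direct_sysadm_daemon, and `allow unconfined_r system_r;` presumably duplicates what init_run_daemon already grants in that branch; the asymmetry deserves a comment. `role_transition system_r unconfined_exec_t unconfined_r;` together with `role system_r types unconfined_t;` opens both directions between system_r and unconfined_r, so any system_r service that executes unconfined_exec_t lands in the unconfined role — intended for targeted, but worth stating: `# targeted: system_r services that exec unconfined_exec_t enter unconfined_r, and unconfined_t may run under system_r`.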
@@ -48,10 +53,12 @@ unconfined_domain(unconfined_t)
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
 ifdef(`direct_sysadm_daemon',`
         optional_policy(`
                 init_run_daemon(unconfined_t, unconfined_r)
+                init_domtrans_script(unconfined_t)
+                init_script_role_transition(unconfined_r)
         ')
 ',`
         ifdef(`distro_gentoo',`
                 seutil_run_runinit(unconfined_t, unconfined_r)
                 seutil_init_script_run_runinit(unconfined_t, unconfined_r)
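Review bot: The direct init-script path (`init_domtrans_script(unconfined_t)` and `init_script_role_transition(unconfined_r)`) exists only when direct_sysadm_daemon is defined; the else branch that continues past the hunk still routes through run_init, so the commit message's "run init scripts directly" is build-dependent and should be qualified, here or in the message. A comment above the two calls, `# direct_sysadm_daemon: run init scripts directly rather than via run_init`, would make the dependency visible. The enclosing ifdef block ends outside the hunk.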
--- a/policy/users
+++ b/policy/users
@@ -13,37 +13,33 @@
 # system_u is the user identity for system processes and objects.
 # There should be no corresponding Unix user identity for system,
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # user_u is a generic user identity for Linux users who have no
 # SELinux user identity defined.  The modified daemons will use
 # this user identity in the security context if there is no matching
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 # Until order dependence is fixed for users:
 ifdef(`direct_sysadm_daemon',`
-        gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+        gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ',`
-        gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+        gen_user(unconfined_u, user, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ')
 
 #
 # The following users correspond to Unix identities.
 # These identities are typically assigned as the user attribute
 # when login starts the user shell.  Users with access to the sysadm_r
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`direct_sysadm_daemon',`
-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
-	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
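Review bot: The second gen_user argument for staff_u, sysadm_u and root is changed from staff/sysadm to user; as far as I recall that prefix drives the ROLE substitution genhomedircon applies to home-directory file contexts, so those users' home directories would now be labeled with the user_ variants — this is not mentioned in the commit message and should be explained with a comment, e.g. `# targeted: all users share the user_ home-directory prefix`. root now carries system_r unconditionally while the unconfined_u definition just above keeps its direct_sysadm_daemon ifdef, so either collapse both or keep both gated for consistency. staff_u also gains unconfined_r, meaning any account mapped to staff_u can reach the unconfined role via newrole; presumably acceptable under seusers mapping everyone to unconfined_u, but worth calling out.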