Description: Change modutils policy to match the use of a single binary
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-06-25

Index: refpolicy/policy/modules/system/modutils.te
===================================================================
--- refpolicy.orig/policy/modules/system/modutils.te
+++ refpolicy/policy/modules/system/modutils.te
@@ -5,15 +5,12 @@ policy_module(modutils, 1.16.0)
 # Declarations
 #
 
-attribute_role update_modules_roles;
-
-type depmod_t;
-type depmod_exec_t;
-init_system_domain(depmod_t, depmod_exec_t)
-role system_r types depmod_t;
-
 type insmod_t;
+typealias insmod_t alias { depmod_t update_modules_t };
+
 type insmod_exec_t;
+typealias insmod_exec_t alias { depmod_exec_t update_modules_exec_t };
+
 application_domain(insmod_t, insmod_exec_t)
 mls_file_write_all_levels(insmod_t)
 role system_r types insmod_t;
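Review bot: Aliasing depmod_t and update_modules_t onto insmod_t widens what every existing caller of the depmod/update-modules entry points receives: a domain that could previously only reach module loading via modutils_run_insmod (see the update-modules rules removed later in this patch) now lands directly in insmod_t with its kernel-module privileges. The dropped `attribute_role update_modules_roles;` also leaves `role system_r types insmod_t;` as the only role statement, so any interface in modutils.if that still references update_modules_roles or grants user roles for update_modules_t would need to be reworked (not visible in this diff). A why-comment above the alias would help the next reader, e.g. `# depmod/modprobe/insmod/update-modules are one binary, so one domain`.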
@@ -26,77 +23,8 @@ files_type(modules_conf_t)
 type modules_dep_t;
 files_type(modules_dep_t)
 
-type update_modules_t;
-type update_modules_exec_t;
-init_system_domain(update_modules_t, update_modules_exec_t)
-roleattribute system_r update_modules_roles;
-role update_modules_roles types update_modules_t;
-
-type update_modules_tmp_t;
-files_tmp_file(update_modules_tmp_t)
-
-########################################
-#
-# depmod local policy
-#
-
-can_exec(depmod_t, depmod_exec_t)
-
-# Read conf.modules.
-read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
-
-allow depmod_t modules_dep_t:file manage_file_perms;
-files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
-
-kernel_read_system_state(depmod_t)
-
-corecmd_search_bin(depmod_t)
-
-domain_use_interactive_fds(depmod_t)
-
-files_read_kernel_symbol_table(depmod_t)
-files_read_kernel_modules(depmod_t)
-files_read_etc_runtime_files(depmod_t)
-files_read_etc_files(depmod_t)
-files_read_usr_src_files(depmod_t)
-files_list_usr(depmod_t)
-
-fs_getattr_xattr_fs(depmod_t)
-
-term_use_console(depmod_t)
-
-init_use_fds(depmod_t)
-init_use_script_fds(depmod_t)
-init_use_script_ptys(depmod_t)
-
-userdom_use_user_terminals(depmod_t)
-# Read System.map from home directories.
-files_list_home(depmod_t)
-userdom_read_user_home_content_files(depmod_t)
-
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(depmod_t)
-	')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
-	fs_read_nfs_files(depmod_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
-	fs_read_cifs_files(depmod_t)
-')
-
-optional_policy(`
-	rpm_rw_pipes(depmod_t)
-	rpm_manage_script_tmp_files(depmod_t)
-')
-
-optional_policy(`
-	# Read System.map from home directories.
-	unconfined_domain(depmod_t)
-')
+type kmod_var_run_t;
+files_pid_file(kmod_var_run_t)
 
 ########################################
 #
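Review bot: The removed depmod rules included reads that the surviving insmod_t policy may not carry — `files_read_kernel_symbol_table`, `files_read_usr_src_files`, `files_list_home`/`userdom_read_user_home_content_files` for System.map, and the use_nfs_home_dirs/use_samba_home_dirs tunables; since depmod_t is now an alias of insmod_t, depmod will be denied those unless insmod_t's local policy (mostly outside these hunks) already grants them, which should be confirmed. update_modules_tmp_t is also deleted without an alias, so any remaining reference elsewhere in the tree will fail to build. The new type should say what it labels, e.g. `# kmod runtime files under /run/tmpfiles.d (see modutils.fc)` above `type kmod_var_run_t;`.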
@@ -113,7 +41,10 @@ allow insmod_t self:rawip_socket create_
 list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
 read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
-read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+manage_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+filetrans_add_pattern(insmod_t, modules_object_t, modules_dep_t, file)
+create_files_pattern(insmod_t, modules_object_t, modules_dep_t)
+delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)
 
 can_exec(insmod_t, insmod_exec_t)
 
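Review bot: The three new lines after manage_files_pattern reference modules_object_t directly from modutils.te, bypassing the files module interface that the removed depmod policy used for exactly this purpose. `files_kernel_modules_filetrans(insmod_t, modules_dep_t, file)` appears to grant the same directory write access and type transition while keeping modutils.te layered on interfaces rather than on another module's private type; with manage_file_perms on modules_dep_t already granted on the line above, the separate create/delete patterns look redundant. If the filetrans_add_pattern form was chosen deliberately (for example because files_kernel_modules_filetrans grants more than wanted), a one-line comment stating that would avoid the question on the next read.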
@@ -136,6 +67,11 @@ kernel_dontaudit_search_unlabeled(insmod
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
 
+# for /run/tmpfiles.d/kmod.conf
+files_pid_filetrans(insmod_t, kmod_var_run_t, dir)
+allow insmod_t kmod_var_run_t:dir manage_dir_perms;
+allow insmod_t kmod_var_run_t:file manage_file_perms;
+
 dev_rw_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
 dev_rw_mtrr(insmod_t)
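Review bot: The unnamed `files_pid_filetrans(insmod_t, kmod_var_run_t, dir)` makes every directory insmod_t creates under /run become kmod_var_run_t, not just tmpfiles.d, which can mislabel unrelated runtime directories if kmod ever creates another one. If this tree's files_pid_filetrans accepts the optional filename argument, `files_pid_filetrans(insmod_t, kmod_var_run_t, dir, "tmpfiles.d")` pins the transition to the directory the comment names. The comment on the first added line could also say who consumes the file, e.g. `# /run/tmpfiles.d/kmod.conf, read by systemd-tmpfiles (see systemd.te)`.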
@@ -238,6 +174,7 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
+	unconfined_domtrans_to(insmod_t, insmod_exec_t)
 ')
 
 optional_policy(`
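Review bot: The added `unconfined_domtrans_to(insmod_t, insmod_exec_t)` carries no explanation, and its purpose is not obvious next to unconfined_domain(insmod_t). Presumably it exists so that kmod run from unconfined_t still enters insmod_t and picks up the kmod_var_run_t transitions added in this patch; if that is the reason, a comment such as `# keep unconfined kmod in insmod_t so /run/tmpfiles.d gets kmod_var_run_t` would record it, and if it is not, the actual reason belongs there instead.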
@@ -247,85 +184,3 @@ optional_policy(`
 	xserver_getattr_log(insmod_t)
 ')
 
-#################################
-#
-# update-modules local policy
-#
-
-allow update_modules_t self:fifo_file rw_fifo_file_perms;
-
-allow update_modules_t modules_dep_t:file rw_file_perms;
-
-can_exec(update_modules_t, insmod_exec_t)
-can_exec(update_modules_t, update_modules_exec_t)
-
-# manage module loading configuration
-manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
-files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
-files_etc_filetrans(update_modules_t, modules_conf_t, file)
-
-# transition to depmod
-domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-allow update_modules_t depmod_t:fd use;
-allow depmod_t update_modules_t:fd use;
-allow depmod_t update_modules_t:fifo_file rw_file_perms;
-allow depmod_t update_modules_t:process sigchld;
-
-manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
-manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
-files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(update_modules_t)
-kernel_read_system_state(update_modules_t)
-
-corecmd_exec_bin(update_modules_t)
-corecmd_exec_shell(update_modules_t)
-
-dev_read_urand(update_modules_t)
-
-domain_use_interactive_fds(update_modules_t)
-
-files_read_etc_runtime_files(update_modules_t)
-files_read_etc_files(update_modules_t)
-files_exec_etc_files(update_modules_t)
-
-fs_getattr_xattr_fs(update_modules_t)
-
-term_use_console(update_modules_t)
-
-init_use_fds(update_modules_t)
-init_use_script_fds(update_modules_t)
-init_use_script_ptys(update_modules_t)
-
-logging_send_syslog_msg(update_modules_t)
-
-miscfiles_read_localization(update_modules_t)
-
-modutils_run_insmod(update_modules_t, update_modules_roles)
-
-userdom_use_user_terminals(update_modules_t)
-userdom_dontaudit_search_user_home_dirs(update_modules_t)
-
-ifdef(`distro_gentoo',`
-	kernel_list_unlabeled(update_modules_t) # /var
-
-	files_search_pids(update_modules_t)
-	files_getattr_usr_src_files(update_modules_t)
-
-	# update-modules on Gentoo throws errors when run because it
-	# sources /etc/init.d/functions.sh, which always scans
-	# /var/lib/init.d to set SOFTLEVEL environment var.
-	# This is never used by update-modules.
-	files_dontaudit_search_var_lib(update_modules_t)
-	init_dontaudit_read_script_status_files(update_modules_t)
-
-	optional_policy(`
-		consoletype_exec(update_modules_t)
-	')
-')
-
-ifdef(`distro_ubuntu',`
-	optional_policy(`
-		unconfined_domain(update_modules_t)
-	')
-')
Index: refpolicy/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy.orig/policy/modules/kernel/kernel.te
+++ refpolicy/policy/modules/kernel/kernel.te
@@ -278,6 +278,9 @@ selinux_load_policy(kernel_t)
 
 term_use_console(kernel_t)
 
+# for kdevtmpfs
+term_setattr_unlink_unallocated_ttys(kernel_t)
+
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
Index: refpolicy/policy/modules/kernel/terminal.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/terminal.if
+++ refpolicy/policy/modules/kernel/terminal.if
@@ -1121,6 +1121,26 @@ interface(`term_getattr_unallocated_ttys
 
 ########################################
 ## <summary>
+##	Setattr and unlink unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_unlink_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tty_device_t:chr_file { getattr setattr unlink };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the attributes
 ##	of all unallocated tty device nodes.
 ## </summary>
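Review bot: The new interface is tagged `<rolecap/>` while granting `unlink` on tty_device_t, which is a destructive permission on device nodes; rolecap marks it as suitable for exposure to user roles, and the only caller in this patch is kernel_t for kdevtmpfs. Unless exposing it as a role capability is intended, dropping the `## <rolecap/>` line keeps the interface limited to explicit system callers. The summary could also name the use case the caller comment gives, e.g. `##	Setattr and unlink unallocated tty device nodes (e.g. kdevtmpfs cleanup).`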
Index: refpolicy/policy/modules/system/modutils.fc
===================================================================
--- refpolicy.orig/policy/modules/system/modutils.fc
+++ refpolicy/policy/modules/system/modutils.fc
@@ -23,3 +23,4 @@ ifdef(`distro_gentoo',`
 /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 
 /usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
+/var/run/tmpfiles.d(/.*)?	gen_context(system_u:object_r:kmod_var_run_t,s0)
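Review bot: Labeling all of /var/run/tmpfiles.d as kmod_var_run_t ties a shared directory to one writer: the accompanying comments describe only kmod.conf, and any other service that drops a tmpfiles fragment there will now need a modutils interface to create or read its own file. If the directory is meant to be kmod-specific in practice, a comment above the entry saying so would make that explicit; otherwise a less module-specific type, or a name-based transition on kmod.conf only, would avoid coupling unrelated domains to modutils. The entry uses /var/run while the .te comments say /run; whether the tree has an equivalence for /run is not visible here and worth confirming.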
Index: refpolicy/policy/modules/system/modutils.if
===================================================================
--- refpolicy.orig/policy/modules/system/modutils.if
+++ refpolicy/policy/modules/system/modutils.if
@@ -333,3 +333,21 @@ interface(`modutils_exec_update_mods',`
 	corecmd_search_bin($1)
 	can_exec($1, update_modules_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read kmod_var_run_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_var_run_files',`
+	gen_require(`
+		type kmod_var_run_t;
+	')
+
+	allow $1 kmod_var_run_t:file read_file_perms;
+')
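Review bot: The interface grants read on kmod_var_run_t files but nothing on the kmod_var_run_t directory or the /run path leading to it, so a caller that does not already hold search on those directories cannot reach /run/tmpfiles.d/kmod.conf; `files_search_pids($1)` followed by `read_files_pattern($1, kmod_var_run_t, kmod_var_run_t)` in place of the bare allow would cover the directory search as well. The name modutils_var_run_files does not say what access it grants; refpolicy interfaces of this shape are usually named for the permission, e.g. modutils_read_var_run_files, with the matching call in systemd.te updated. The summary `##	Read kmod_var_run_t` names the type rather than the contents; `##	Read kmod runtime files under /run/tmpfiles.d.` would tell callers what they get.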
Index: refpolicy/policy/modules/system/systemd.te
===================================================================
--- refpolicy.orig/policy/modules/system/systemd.te
+++ refpolicy/policy/modules/system/systemd.te
@@ -661,6 +661,9 @@ userdom_relabel_user_runtime_root_dirs(s
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 kernel_read_network_state(systemd_tmpfiles_t)
 
+# for /run/tmpfiles.d/kmod.conf
+modutils_var_run_files(systemd_tmpfiles_t)
+
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
