diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index d6ec546..f8fad77 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -1,5 +1,5 @@ ## -## Policy for kernel threads, proc filesystem, +## Policy for kernel threads, proc filesystem, ## and unlabeled processes and objects. ## ## @@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',` type kernel_t; ') - kernel_domtrans_to($1,$2) + kernel_domtrans_to($1, $2) ifdef(`enable_mcs',` range_transition kernel_t $2:process $3; @@ -485,11 +485,30 @@ interface(`kernel_clear_ring_buffer',` ######################################## ## +## Allows caller to request the kernel to load a module +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_request_load_module',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:system module_request; +') + +######################################## +## ## Get information on all System V IPC objects. ## ## ## -## +## Domain allowed access. ## ## # @@ -941,6 +960,28 @@ interface(`kernel_dontaudit_getattr_core_if',` ######################################## ## +## Allows caller to read the core kernel interface. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_read_core_if',` + gen_require(` + type proc_t, proc_kcore_t; + attribute can_dump_kernel; + ') + + read_files_pattern($1, proc_t, proc_kcore_t) + list_dirs_pattern($1, proc_t, proc_t) + + typeattribute $1 can_dump_kernel; +') + +######################################## +## ## Allow caller to read kernel messages ## using the /proc/kmsg interface. ## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index faf39a5..42a4d05 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel, 1.11.0) +policy_module(kernel, 1.11.1) ######################################## # @@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0) # assertion related attributes attribute can_load_kernmodule; attribute can_receive_kernel_messages; +attribute can_dump_kernel; neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; @@ -37,7 +38,7 @@ ifdef(`enable_mls',` # # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. -# +# type kernel_t, can_load_kernmodule; domain_base_type(kernel_t) mls_rangetrans_source(kernel_t) @@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge # /proc kcore: inaccessible type proc_kcore_t, proc_type; -neverallow ~kern_unconfined proc_kcore_t:file ~getattr; +neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr; genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; @@ -248,7 +249,7 @@ corenet_send_all_packets(kernel_t) dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) -# Mount root file system. Used when loading a policy +# Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) fs_unmount_all_fs(kernel_t) @@ -275,7 +276,7 @@ mcs_process_set_categories(kernel_t) mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) -mls_file_read_all_levels(kernel_t) +mls_file_read_all_levels(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 @@ -309,7 +310,7 @@ optional_policy(` allow kernel_t self:tcp_socket create_stream_socket_perms; allow kernel_t self:udp_socket create_socket_perms; - # nfs kernel server needs kernel UDP access. It is less risky and painful + # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. corenet_udp_sendrecv_generic_if(kernel_t) corenet_udp_sendrecv_generic_node(kernel_t) @@ -326,7 +327,7 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) - rpc_udp_rw_nfs_sockets(kernel_t) + rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` fs_getattr_noxattr_fs(kernel_t) @@ -355,7 +356,7 @@ optional_policy(` ') optional_policy(` - unconfined_domain(kernel_t) + unconfined_domain_noaudit(kernel_t) ') ########################################