From 0366c6e71fa7b7f70ad1c372c60ba97e78dc574f Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek
Date: Fri, 6 Oct 2023 14:39:11 +0200
Subject: [PATCH 1/2] Add missing optional_policy() to files_relabel_all_files()

The calls to interfaces from other modules must be enclosed in optional_policy(), otherwise the usage of this interface may lead to build errors.

Signed-off-by: Ondrej Mosnacek
---
 policy/modules/kernel/files.if | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2e2af528be..008b6ec719 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1765,8 +1765,12 @@ interface(`files_relabel_all_files',`
 relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
 
 # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
- auth_relabelto_shadow($1)
+ optional_policy(`
+ seutil_relabelto_bin_policy($1)
+ ')
+ optional_policy(`
+ auth_relabelto_shadow($1)
+ ')
 ')
 
 ########################################

From 2f172413e104c7ff5ad9799c2030464e29422d53 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek
Date: Fri, 6 Oct 2023 11:10:48 +0200
Subject: [PATCH 2/2] Allow kernel_t to manage and relabel all files

Extend the abitlity to manage all files also to character & block device files and also allow relabeling any file. This is required for early boot overlay mounts to fully work, but may be needed for other legitimate oprations as well.

See also: https://github.com/ostreedev/ostree/pull/3062

Signed-off-by: Ondrej Mosnacek
---
 policy/modules/kernel/files.if | 38 +++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te | 3 +++
 2 files changed, 41 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 008b6ec719..d8bb82e7aa 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1839,6 +1839,44 @@ interface(`files_manage_all_files',`
 ')
 ')
 
+########################################
+##
+## Manage all block device files on the filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_all_blk_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_blk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+##
+## Manage all character device files on the filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_all_chr_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_chr_files_pattern($1, file_type, file_type)
+')
+
 ########################################
 ##
 ## Grant execute access to all files on the filesystem,
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ccb914f4a4..9bb09e25f1 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -385,6 +385,9 @@ domain_rw_all_sockets(kernel_t)
 domain_obj_id_change_exemption(kernel_t)
 
 files_manage_all_files(kernel_t)
+files_manage_all_blk_files(kernel_t)
+files_manage_all_chr_files(kernel_t)
+files_relabel_all_files(kernel_t)
 # The 'execute' permission on lower inodes is checked against the mounter
 # cred by overlayfs, so we need to grant it to allow overlay mounts created
 # during early boot to work.
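Review bot: The summaries of the two new interfaces say only "Manage all block/character device files on the filesystem", but `manage_blk_files_pattern($1, file_type, file_type)` and its chr counterpart grant the full manage permission set on every type carrying the `file_type` attribute, with that same attribute as the directory type, so the documentation should state the attribute-wide scope and that this is a privileged grant in the same class as `files_manage_all_files`, e.g. `## Manage all block device files of any file_type type on the filesystem. Highly privileged; counterpart of files_manage_all_files.` The ` ')` ` ')` context lines at the top suggest `files_manage_all_files` ends with an optional_policy() block (its body starts outside the hunk); if that block exists to satisfy assertions the way the `# satisfy the assertions:` calls in `files_relabel_all_files` do in patch 1, it is worth confirming whether any assertion covers blk_file/chr_file on `file_type` types so the new interfaces are complete without an equivalent.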
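Review bot: The three added lines in kernel.te widen kernel_t to create/delete/rename device nodes of every `file_type` type and to relabel any file to and from any of those types, yet unlike the execute grant documented by the `# The 'execute' permission on lower inodes ...` comment directly below them, they carry no comment saying why; the commit message's early-boot overlay rationale belongs in the policy so a later reviewer can judge whether the grant is still required, e.g. `# Early-boot overlay mounts need the kernel to create device nodes on the` / `# upper layer and to relabel files; see ostreedev/ostree pull 3062.` Note also that `files_relabel_all_files` calls `seutil_relabelto_bin_policy` and `auth_relabelto_shadow` (placed under optional_policy() by patch 1), so kernel_t additionally gains relabelto on the policy-store and shadow types; if the overlay case does not need those, a narrower interface without the assertion-satisfying calls would keep the kernel domain's footprint, and any audit of relabel events on those types, cleaner.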