Allow kernel_t to manage and have "execute" access to all files

This is needed to get early overlay mounts to work - see the comment and this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2154428 Allowing to manage all files may not be strictly necessary, but not allowing it may bite us later and there is not much point in confining kernel's file operations beyond the helper execution anyway. Fixes: 1e8688e ("Don't make kernel_t an unconfined domain") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
fedora-selinux · Jan 30, 2023 · f543800 · f543800
1 parent f5ad795
commit f543800
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 6 deletions.
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
@@ -1798,6 +1798,32 @@ interface(`files_manage_all_files',`
 	')
 ')
 
+########################################
+## <summary>
+##	Grant execute access to all files on the filesystem,
+##	except the listed exceptions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_mmap_exec_all_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	mmap_exec_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
 ########################################
 ## <summary>
 ##	Search the contents of all directories on

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
@@ -362,12 +362,14 @@ domain_use_all_fds(kernel_t)
 domain_signal_all_domains(kernel_t)
 domain_search_all_domains_state(kernel_t)
 
-files_list_root(kernel_t)
-files_list_etc(kernel_t)
-files_list_home(kernel_t)
-files_read_usr_files(kernel_t)
-files_manage_mounttab(kernel_t)
-files_manage_generic_spool_dirs(kernel_t)
+files_manage_all_files(kernel_t)
+# The 'execute' permission on lower inodes is checked against the mounter
+# cred by overlayfs, so we need to grant it to allow overlay mounts created
+# during early boot to work.
+# In itself, this doesn't allow the kernel to execute all files - an 
+# execute_no_trans permission or a type transition is also needed to grant
+# that ability (and we are much more strict about those).
+files_mmap_exec_all_files(kernel_t)
 
 mcs_process_set_categories(kernel_t)
 mcs_file_read_all(kernel_t)