From: russell@coker.com.au (Russell Coker)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] systemd-resolvd, sessions, and tmpfiles
Date: Tue, 28 Feb 2017 21:30:03 +1100 [thread overview]
Message-ID: <20170228103003.xqfjzdzso4tjph6g@athena.coker.com.au> (raw)
This patch goes after my patch for cgroups, hostnamed, and logind. It will
probably mostly work without it but I only ever tested it after the previous
patch.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-28
Index: refpolicy-2.20170227/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170227/policy/modules/system/systemd.te
@@ -584,15 +670,13 @@ init_pid_filetrans(systemd_resolved_t, s
kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
+auth_use_nsswitch(systemd_resolved_t)
corenet_tcp_bind_generic_node(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_generic_node(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
-auth_use_nsswitch(systemd_resolved_t)
-
seutil_read_file_contexts(systemd_resolved_t)
-
systemd_log_parse_environment(systemd_resolved_t)
optional_policy(`
@@ -604,9 +688,17 @@ optional_policy(`
# Sessions local policy
#
+allow systemd_sessions_t self:process setfscreate;
+
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+selinux_get_enforce_mode(systemd_sessions_t)
+selinux_get_fs_mount(systemd_sessions_t)
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+seutil_read_file_contexts(systemd_sessions_t)
+
systemd_log_parse_environment(systemd_sessions_t)
#########################################
@@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se
# Tmpfiles local policy
#
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
allow systemd_tmpfiles_t self:process { setfscreate getcap };
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+create_relabel_var_lib_log(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_list_home(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
files_read_etc_files(systemd_tmpfiles_t)
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-auth_manage_var_auth(systemd_tmpfiles_t)
-auth_manage_login_records(systemd_tmpfiles_t)
-auth_relabel_login_records(systemd_tmpfiles_t)
-auth_setattr_login_records(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+init_manage_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+init_relabel_utmp(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
# for /run/tmpfiles.d/kmod.conf
modutils_read_var_run_files(systemd_tmpfiles_t)
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
-
+sysnet_create_config(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
@@ -653,3 +785,16 @@ tunable_policy(`systemd_tmpfiles_manage_
files_relabel_non_security_dirs(systemd_tmpfiles_t)
files_relabel_non_security_files(systemd_tmpfiles_t)
')
+
+optional_policy(`
+ dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xserver_create_console_pipes(systemd_tmpfiles_t)
+ xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xfs_create_dirs(systemd_tmpfiles_t)
+')
Index: refpolicy-2.20170227/policy/modules/contrib/xfs.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/contrib/xfs.if
+++ refpolicy-2.20170227/policy/modules/contrib/xfs.if
@@ -21,6 +21,25 @@ interface(`xfs_read_sockets',`
########################################
## <summary>
+## Create xfs temporary dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_create_dirs',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xfs_tmp_t:dir create;
+')
+
+########################################
+## <summary>
## Connect to xfs with a unix
## domain stream socket.
## </summary>
Index: refpolicy-2.20170227/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170227/policy/modules/kernel/files.if
@@ -2760,6 +2760,24 @@ interface(`files_setattr_etc_dirs',`
########################################
## <summary>
+## relabel directories to etc_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir relabelto;
+')
+
+########################################
+## <summary>
## List the contents of /etc directories.
## </summary>
## <param name="domain">
@@ -3811,6 +3829,24 @@ interface(`files_relabelto_home',`
########################################
## <summary>
+## Relabel from user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
## Create objects in /home.
## </summary>
## <param name="domain">
@@ -5709,6 +5745,30 @@ interface(`files_search_var_lib',`
########################################
## <summary>
+## Create and label /var/lib and /var/log
+## </summary>
+## <desc>
+## <p>
+## This allows programs to setup directories under /var
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`create_relabel_var_lib_log',`
+ gen_require(`
+ type var_t, var_lib_t, var_log_t;
+ ')
+
+ allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto manage_dir_perms };
+')
+
+########################################
+## <summary>
## Do not audit attempts to search the
## contents of /var/lib.
## </summary>
@@ -6528,6 +6588,27 @@ interface(`files_dontaudit_ioctl_all_pid
')
########################################
+## <summary>
+## create and manage all pidfile directories
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_manage_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ type var_run_t;
+ ')
+
+ create_dirs_pattern($1,var_run_t,pidfile)
+ allow $1 pidfile:dir manage_dir_perms;
+')
+
+########################################
## <summary>
## manage all pidfile directories
## in the /var/run directory.
Index: refpolicy-2.20170227/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/init.if
+++ refpolicy-2.20170227/policy/modules/system/init.if
@@ -1120,6 +1161,24 @@ interface(`init_manage_var_lib_files',`
########################################
## <summary>
+## relabel dirs in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create files in /var/lib/systemd
## with an automatic type transition.
## </summary>
@@ -2519,6 +2687,24 @@ interface(`init_manage_utmp',`
########################################
## <summary>
+## relabel from/to utmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create files in /var/run with the
## utmp file type.
## </summary>
Index: refpolicy-2.20170227/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170227/policy/modules/system/logging.if
@@ -1138,3 +1138,23 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
+
+########################################
+## <summary>
+## setattr for syslogd_tmp_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_set_perms_syslogd_tmp',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
+')
+
Index: refpolicy-2.20170227/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20170227/policy/modules/system/miscfiles.if
@@ -558,6 +558,25 @@ interface(`miscfiles_delete_man_pages',`
########################################
## <summary>
+## relabel man cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_cache',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+ relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete man pages
## </summary>
## <param name="domain">
Index: refpolicy-2.20170227/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170227/policy/modules/system/userdomain.if
@@ -2902,6 +2902,24 @@ interface(`userdom_manage_user_runtime_r
########################################
## <summary>
+## relabel to/from user_runtime_root_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create, read, write, and delete user
## runtime dirs.
## </summary>
Index: refpolicy-2.20170227/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170227/policy/modules/services/xserver.if
@@ -806,7 +806,7 @@ interface(`xserver_dbus_chat_xdm',`
gen_require(`
type xdm_t;
class dbus send_msg;
- ')
+ ')
allow $1 xdm_t:dbus send_msg;
allow xdm_t $1:dbus send_msg;
@@ -1525,3 +1525,40 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+
+########################################
+## <summary>
+## Create the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+## <summary>
+## Create xdm_tmp_t directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_dir',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir create;
+')
next reply other threads:[~2017-02-28 10:30 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-28 10:30 Russell Coker [this message]
2017-03-04 12:15 ` [refpolicy] [PATCH] systemd-resolvd, sessions, and tmpfiles Chris PeBenito
2017-03-26 10:51 ` Russell Coker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170228103003.xqfjzdzso4tjph6g@athena.coker.com.au \
--to=russell@coker.com.au \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.