From: Russell Coker <russell@coker.com.au>
To: "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
Subject: strict patch
Date: Wed, 12 Feb 2020 13:43:38 +1100 [thread overview]
Message-ID: <1687678.FLogphAbyu@xev> (raw)
[-- Attachment #1: Type: text/plain, Size: 402 bytes --]
The attached patch has a bunch of minor changes which are mostly needed in a
"strict" configuration when running with systemd.
It also removes the systemd_analyze_t domain which doesn't provide any
benefit. This patch is against the git refpolicy from 3 days ago and I think
it's ready for merging.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
[-- Attachment #2: strict.diff --]
[-- Type: text/x-patch, Size: 7452 bytes --]
Index: refpolicy-2.20200209/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20200209/policy/modules/system/userdomain.if
@@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
dontaudit $1_t user_tty_device_t:chr_file ioctl;
kernel_read_kernel_sysctls($1_t)
+ kernel_read_crypto_sysctls($1_t)
+ kernel_read_vm_overcommit_sysctl($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -110,11 +112,15 @@ template(`userdom_base_user_template',`
libs_exec_ld_so($1_t)
+ logging_send_syslog_msg($1_t)
+
miscfiles_read_localization($1_t)
miscfiles_read_generic_certs($1_t)
sysnet_read_config($1_t)
+ userdom_write_all_user_runtime_named_sockets($1_t)
+
# kdeinit wants systemd status
init_get_system_status($1_t)
@@ -861,6 +867,10 @@ template(`userdom_common_user_template',
')
optional_policy(`
+ udev_read_pid_files($1_t)
+ ')
+
+ optional_policy(`
usernetctl_run($1_t, $1_r)
')
@@ -1208,6 +1218,15 @@ template(`userdom_unpriv_user_template',
optional_policy(`
systemd_dbus_chat_logind($1_t)
+ systemd_use_logind_fds($1_t)
+ systemd_dbus_chat_hostnamed($1_t)
+ systemd_write_inherited_logind_inhibit_pipes($1_t)
+
+ # kwalletd5 inherits a socket from init
+ init_rw_inherited_stream_socket($1_t)
+ init_use_fds($1_t)
+ # for polkit-kde-auth
+ init_read_state($1_t)
')
')
@@ -3519,6 +3538,25 @@ interface(`userdom_delete_all_user_runti
')
########################################
+## <summary>
+## write user runtime socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
## <summary>
## Create objects in the pid directory
## with an automatic type transition to
Index: refpolicy-2.20200209/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20200209/policy/modules/roles/sysadm.te
@@ -49,6 +49,9 @@ selinux_read_policy(sysadm_t)
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
+# for systemd-analyze
+files_get_etc_unit_status(sysadm_t)
+
ifdef(`direct_sysadm_daemon',`
optional_policy(`
init_run_daemon(sysadm_t, sysadm_r)
@@ -1107,6 +1110,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_dbus_chat_logind(sysadm_t)
+')
+
+optional_policy(`
tboot_run_txtstat(sysadm_t, sysadm_r)
')
@@ -1174,6 +1181,7 @@ optional_policy(`
')
optional_policy(`
+ dev_rw_generic_usb_dev(sysadm_t)
usbmodules_run(sysadm_t, sysadm_r)
')
Index: refpolicy-2.20200209/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20200209/policy/modules/services/xserver.if
@@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
+ xserver_use_user_fonts($2)
# certain apps want to read xdm.pid file
xserver_read_xdm_pid($2)
# gnome-session creates socket under /tmp/.ICE-unix/
@@ -140,7 +141,7 @@ interface(`xserver_role',`
gen_require(`
type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
- type mesa_shader_cache_t;
+ type mesa_shader_cache_t, xdm_t;
')
xserver_restricted_role($1, $2)
@@ -183,6 +184,8 @@ interface(`xserver_role',`
xserver_read_xkb_libs($2)
+ allow $2 xdm_t:unix_stream_socket accept;
+
optional_policy(`
xdg_manage_all_cache($2)
xdg_relabel_all_cache($2)
@@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',`
allow $1 xkb_var_lib_t:dir list_dir_perms;
read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+ allow $1 xkb_var_lib_t:file map;
')
########################################
Index: refpolicy-2.20200209/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20200209/policy/modules/services/dbus.if
@@ -84,6 +84,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:unix_stream_socket connectto;
allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t $3:dbus send_msg;
allow $3 $1_dbusd_t:fd use;
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
@@ -99,9 +100,14 @@ template(`dbus_role_template',`
allow $1_dbusd_t $3:process sigkill;
+ allow $1_dbusd_t self:process getcap;
+
corecmd_bin_domtrans($1_dbusd_t, $3)
corecmd_shell_domtrans($1_dbusd_t, $3)
+ dev_read_sysfs($1_dbusd_t)
+ xdg_read_data_files($1_dbusd_t)
+
auth_use_nsswitch($1_dbusd_t)
ifdef(`hide_broken_symptoms',`
@@ -109,6 +115,11 @@ template(`dbus_role_template',`
')
optional_policy(`
+ init_dbus_chat($1_dbusd_t)
+ dbus_system_bus_client($1_dbusd_t)
+ ')
+
+ optional_policy(`
systemd_read_logind_pids($1_dbusd_t)
')
')
Index: refpolicy-2.20200209/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20200209/policy/modules/services/ssh.if
@@ -437,6 +437,7 @@ template(`ssh_role_template',`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
xserver_sigchld_xdm($1_ssh_agent_t)
+ xserver_write_inherited_xsession_log($1_ssh_agent_t)
')
')
Index: refpolicy-2.20200209/policy/modules/kernel/corecommands.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/kernel/corecommands.te
+++ refpolicy-2.20200209/policy/modules/kernel/corecommands.te
@@ -13,7 +13,7 @@ attribute exec_type;
#
# bin_t is the type of files in the system bin/sbin directories.
#
-type bin_t alias { ls_exec_t sbin_t };
+type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
corecmd_executable_file(bin_t)
dev_associate(bin_t) #For /dev/MAKEDEV
Index: refpolicy-2.20200209/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20200209/policy/modules/system/systemd.te
@@ -37,10 +37,6 @@ type systemd_activate_t;
type systemd_activate_exec_t;
init_system_domain(systemd_activate_t, systemd_activate_exec_t)
-type systemd_analyze_t;
-type systemd_analyze_exec_t;
-init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
-
type systemd_backlight_t;
type systemd_backlight_exec_t;
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
@@ -1168,6 +1164,7 @@ tunable_policy(`systemd_tmpfiles_manage_
')
optional_policy(`
+ dbus_manage_lib_files(systemd_tmpfiles_t)
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
')
next reply other threads:[~2020-02-12 2:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-12 2:43 Russell Coker [this message]
2020-02-16 15:04 ` strict patch Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1687678.FLogphAbyu@xev \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).