* [refpolicy]  [PATCH] systemd-resolvd, sessions, and tmpfiles
@ 2017-02-28 10:30 Russell Coker
  2017-03-04 12:15 ` Chris PeBenito
From: Russell Coker @ 2017-02-28 10:30 UTC (permalink / raw)
  To: refpolicy

This patch goes after my patch for cgroups, hostnamed, and logind.  It will
probably mostly work without it, but I have only tested it applied on top of
the previous patch.


Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-28

Index: refpolicy-2.20170227/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170227/policy/modules/system/systemd.te
@@ -584,15 +670,13 @@ init_pid_filetrans(systemd_resolved_t, s
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
 
+auth_use_nsswitch(systemd_resolved_t)
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
 
-auth_use_nsswitch(systemd_resolved_t)
-
 seutil_read_file_contexts(systemd_resolved_t)
-
 systemd_log_parse_environment(systemd_resolved_t)
 
 optional_policy(`
@@ -604,9 +688,17 @@ optional_policy(`
 # Sessions local policy
 #
 
+allow systemd_sessions_t self:process setfscreate;
+
 allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
 files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
 
+selinux_get_enforce_mode(systemd_sessions_t)
+selinux_get_fs_mount(systemd_sessions_t)
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+seutil_read_file_contexts(systemd_sessions_t)
+
 systemd_log_parse_environment(systemd_sessions_t)
 
 #########################################
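Review bot: The new `allow systemd_sessions_t self:process setfscreate;` at the top of the hunk carries no comment saying which file systemd-sessions needs a chosen creation context for, and it is the one rule in this section that changes labeling behaviour rather than just reading policy state. The grant is bounded by the domain's existing create permissions (a requested context is still checked against the caller's `create` access on that type), so with only systemd_sessions_var_run_t manageable here the exposure looks limited, but the intent belongs in the policy. Suggested: `# setfscreate: label the /run files it creates (presumably those typed systemd_sessions_var_run_t) — confirm` above the rule.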
@@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se
 # Tmpfiles local policy
 #
 
-allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
 manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
 allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
 
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
 
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+create_relabel_var_lib_log(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_list_home(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
 files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
 
-auth_manage_var_auth(systemd_tmpfiles_t)
-auth_manage_login_records(systemd_tmpfiles_t)
-auth_relabel_login_records(systemd_tmpfiles_t)
-auth_setattr_login_records(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+init_manage_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+init_relabel_utmp(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
 
 # for /run/tmpfiles.d/kmod.conf
 modutils_read_var_run_files(systemd_tmpfiles_t)
 
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+seutil_read_config(systemd_tmpfiles_t)
 seutil_read_file_contexts(systemd_tmpfiles_t)
-
+sysnet_create_config(systemd_tmpfiles_t)
 systemd_log_parse_environment(systemd_tmpfiles_t)
 
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
 tunable_policy(`systemd_tmpfiles_manage_all',`
 	# systemd-tmpfiles can be configured to manage anything.
 	# have a last-resort option for users to do this.
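Review bot: The capability line `allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };` adds two broad capabilities with no comment saying which tmpfiles.d entry requires them, and sys_admin in particular is the one refpolicy reviewers usually ask to see justified or replaced by a dontaudit. Separately, `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` are added in sorted position above `dev_relabel_all_sysfs` while the same two calls remain as context lines below it, so the block now lists each twice; the old pair should be dropped. A comment such as `# net_admin/sys_admin: needed by <tmpfiles.d entry — TODO confirm>` above the capability line would let a reviewer decide whether a dontaudit would do instead. The tunable_policy block that opens at the end of this hunk continues outside it.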
@@ -653,3 +785,16 @@ tunable_policy(`systemd_tmpfiles_manage_
 	files_relabel_non_security_dirs(systemd_tmpfiles_t)
 	files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
+
+optional_policy(`
+	dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+	xserver_create_console_pipes(systemd_tmpfiles_t)
+	xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+	xfs_create_dirs(systemd_tmpfiles_t)
+')
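Review bot: The new `xfs_create_dirs(systemd_tmpfiles_t)` call depends on an interface that this same patch adds to policy/modules/contrib/xfs.if; if contrib is still carried as a separate repository or submodule in this tree, the base and contrib parts must land together or the systemd module fails to build on the unknown interface. The xserver.if and files.if interfaces introduced here are in the base tree, so they do not have that problem. Either splitting the contrib change into its own patch or stating the dependency in the description would make the ordering explicit.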
Index: refpolicy-2.20170227/policy/modules/contrib/xfs.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/contrib/xfs.if
+++ refpolicy-2.20170227/policy/modules/contrib/xfs.if
@@ -21,6 +21,25 @@ interface(`xfs_read_sockets',`
 
 ########################################
 ## <summary>
+##	Create xfs temporary dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xfs_create_dirs',`
+	gen_require(`
+		type xfs_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 xfs_tmp_t:dir create;
+')
+
+########################################
+## <summary>
 ##	Connect to xfs with a unix
 ##	domain stream socket.
 ## </summary>
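Review bot: The interface name `xfs_create_dirs` is broader than what it grants: the summary says temporary dirs and the only rule is `allow $1 xfs_tmp_t:dir create;`, so a name such as `xfs_create_tmp_dirs` would match both the body and the naming this patch uses elsewhere (`xserver_create_xdm_tmp_dir`). Renaming means updating the caller added in systemd.te. Note also that `create` does not include `setattr`; if tmpfiles is expected to adjust the mode of that directory afterwards, a denial is likely, which is worth checking from the audit log rather than assuming either way.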
Index: refpolicy-2.20170227/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170227/policy/modules/kernel/files.if
@@ -2760,6 +2760,24 @@ interface(`files_setattr_etc_dirs',`
 
 ########################################
 ## <summary>
+##	relabel directories to etc_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelto_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir relabelto;
+')
+
+########################################
+## <summary>
 ##	List the contents of /etc directories.
 ## </summary>
 ## <param name="domain">
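Review bot: The summary `##	relabel directories to etc_t` is a lowercase fragment, while the neighbouring interfaces in files.if use capitalized sentences (`List the contents of /etc directories.`); the same applies to the summaries added in init.if (`relabel dirs in /var/lib/systemd/.`, `relabel from/to utmp`), logging.if (`setattr for syslogd_tmp_t`), miscfiles.if (`relabel man cache`) and userdomain.if (`relabel to/from user_runtime_root_t`). Suggested wording here: `##	Relabel directories to the etc_t type.`, with the others following the same pattern. The body grants only relabelto, which matches the interface name, so the rule itself reads correctly.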
@@ -3811,6 +3829,24 @@ interface(`files_relabelto_home',`
 
 ########################################
 ## <summary>
+##	Relabel from user home root (/home).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelfrom_home',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
 ##	Create objects in /home.
 ## </summary>
 ## <param name="domain">
@@ -5709,6 +5745,30 @@ interface(`files_search_var_lib',`
 
 ########################################
 ## <summary>
+##	Create and label /var/lib and /var/log
+## </summary>
+## <desc>
+##	<p>
+##	This allows programs to setup directories under /var
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`create_relabel_var_lib_log',`
+	gen_require(`
+		type var_t, var_lib_t, var_log_t;
+	')
+
+	allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto manage_dir_perms };
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to search the
 ##	contents of /var/lib.
 ## </summary>
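Review bot: `create_relabel_var_lib_log` is the only interface in files.if without the `files_` prefix, and the `<infoflow type="read" weight="5"/>` annotation does not describe a body that grants `manage_dir_perms` plus `relabelfrom relabelto` (that is a write flow, so `type="both"` or no annotation). The allow rule also covers var_t itself, not only var_lib_t and var_log_t, so the summary `Create and label /var/lib and /var/log` understates the grant; either remove var_t from the set or say so in the summary and `<desc>`. Suggested: rename to `files_create_relabel_var_lib_log` with the caller in systemd.te updated, and replace the annotation with `## <infoflow type="both" weight="5"/>`.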
@@ -6528,6 +6588,27 @@ interface(`files_dontaudit_ioctl_all_pid
 ')
 
 ########################################
+## <summary>
+##     create and manage all pidfile directories
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_manage_all_pid_dirs',`
+        gen_require(`
+                attribute pidfile;
+                type var_run_t;
+        ')
+
+        create_dirs_pattern($1,var_run_t,pidfile)
+        allow $1 pidfile:dir manage_dir_perms;
+')
+
+########################################
 ## <summary>
 ##     manage all pidfile directories
 ##     in the /var/run directory.
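Review bot: The body of `files_create_manage_all_pid_dirs` (the `gen_require` block and both rules) is indented with spaces while every other interface in this patch and in files.if uses tabs, and the `@@ -806,7 +806,7 @@` hunk in xserver.if is itself a fix for exactly this kind of stray space indentation; the XML comment blocks added to miscfiles.if and xserver.if have the same space indentation. The call `create_dirs_pattern($1,var_run_t,pidfile)` also lacks the spaces after commas used elsewhere, i.e. `create_dirs_pattern($1, var_run_t, pidfile)`. Since `manage_dir_perms` on pidfile already includes create, what the pattern call appears to add over the existing `files_manage_all_pid_dirs` (whose summary follows this hunk) is search on var_run_t; a one-line comment saying so would explain why a new interface was needed rather than the existing one.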
Index: refpolicy-2.20170227/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/init.if
+++ refpolicy-2.20170227/policy/modules/system/init.if
@@ -1120,6 +1161,24 @@ interface(`init_manage_var_lib_files',`
 
 ########################################
 ## <summary>
+##	relabel dirs in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_relabel_var_lib_dirs',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##	Create files in /var/lib/systemd
 ##	with an automatic type transition.
 ## </summary>
@@ -2519,6 +2687,24 @@ interface(`init_manage_utmp',`
 
 ########################################
 ## <summary>
+##	relabel from/to utmp
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_relabel_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##	Create files in /var/run with the
 ##	utmp file type.
 ## </summary>
Index: refpolicy-2.20170227/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170227/policy/modules/system/logging.if
@@ -1138,3 +1138,23 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
+
+########################################
+## <summary>
+##	setattr for syslogd_tmp_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_set_perms_syslogd_tmp',`
+	gen_require(`
+		type syslogd_tmp_t;
+	')
+
+	allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
+')
+
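Review bot: `<rolecap/>` on `logging_set_perms_syslogd_tmp` marks the interface as a role capability meant to be handed to user roles, which does not fit a helper whose only caller in this patch is systemd_tmpfiles_t; that line should be dropped. The name says set_perms, but the body also grants `relabelfrom relabelto` on dir and file, so either the summary should list the relabel permissions or the name should, as the rest of this patch does with `*_relabel_*`. Suggested summary: `##	Set attributes of and relabel syslogd temporary files and dirs.`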
Index: refpolicy-2.20170227/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20170227/policy/modules/system/miscfiles.if
@@ -558,6 +558,25 @@ interface(`miscfiles_delete_man_pages',`
 
 ########################################
 ## <summary>
+##      relabel man cache
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_cache',`
+	gen_require(`
+		type man_cache_t;
+	')
+
+	relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+	relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete man pages
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20170227/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170227/policy/modules/system/userdomain.if
@@ -2902,6 +2902,24 @@ interface(`userdom_manage_user_runtime_r
 
 ########################################
 ## <summary>
+##	relabel to/from user_runtime_root_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete user
 ##	runtime dirs.
 ## </summary>
Index: refpolicy-2.20170227/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170227/policy/modules/services/xserver.if
@@ -806,7 +806,7 @@ interface(`xserver_dbus_chat_xdm',`
 	gen_require(`
 		type xdm_t;
 		class dbus send_msg;
-        ')
+	')
 
 	allow $1 xdm_t:dbus send_msg;
 	allow xdm_t $1:dbus send_msg;
@@ -1525,3 +1525,40 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+
+########################################
+## <summary>
+##      Create the X windows console named pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_create_console_pipes',`
+	gen_require(`
+		type xconsole_device_t;
+	')
+
+	allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+## <summary>
+##      Create xdm_tmp_t directories
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow
+##      </summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_dir',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir create;
+')
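Review bot: The two new interfaces use different parameter summaries, `Domain allowed access.` in xserver_create_console_pipes and `Domain to allow` in xserver_create_xdm_tmp_dir; the file's convention, visible in the surrounding interfaces, is `Domain allowed access.`, so the second should match. There are also two blank lines after the closing `')` of xserver_unconfined where the file otherwise separates interfaces with one. Both bodies grant `create` only; if tmpfiles also sets the mode of the fifo or directory it creates, a `setattr` denial would follow, which is worth confirming from the audit log before merging rather than adding speculatively.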

