* [refpolicy] [PATCH] more systemd stuff
@ 2017-04-14 15:41 Russell Coker
  2017-04-14 17:38 ` Christian Göttsche
  2017-04-16 23:49 ` Chris PeBenito
  0 siblings, 2 replies; 3+ messages in thread
From: Russell Coker @ 2017-04-14 15:41 UTC (permalink / raw)
  To: refpolicy

This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.

It has a number of changes needed by systemd_logind_t to set permissions for
local logins.

It has some more permissions that systemd_machined_t needs; I don't think it's
everything that systemd_machined_t needs, but it's a start.

It has some changes for udev_t for systemd-udevd.

Index: refpolicy-2.20170410/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170410/policy/modules/system/systemd.if
@@ -467,3 +467,21 @@ interface(`systemd_tmpfilesd_managed',`
 
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
+
+######################################
+## <summary>
+##  Allow to domain to create systemd-passwd symlink
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_manage_lnk_file_passwd_run',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
+')
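Review bot: The summary of the new interface says the domain may "create" the systemd-passwd symlink, but the body grants manage_lnk_file_perms, which covers more than creation, and the wording "Allow to domain to" is garbled. The header should describe the full grant so the generated interface documentation matches the rule, e.g. `##	Create, read, write, and delete systemd-passwd symlinks (systemd_passwd_var_run_t).` The interface name already says manage, so only the summary needs to change.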
Index: refpolicy-2.20170410/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170410/policy/modules/system/systemd.te
@@ -342,20 +342,25 @@ allow systemd_logind_t systemd_sessions_
 kernel_read_kernel_sysctls(systemd_logind_t)
 
 dev_getattr_dri_dev(systemd_logind_t)
+dev_getattr_generic_usb_dev(systemd_logind_t)
 dev_getattr_kvm_dev(systemd_logind_t)
 dev_getattr_sound_dev(systemd_logind_t)
+dev_getattr_video_dev(systemd_logind_t)
 dev_manage_wireless(systemd_logind_t)
 dev_read_urand(systemd_logind_t)
 dev_rw_dri(systemd_logind_t)
 dev_rw_input_dev(systemd_logind_t)
 dev_rw_sysfs(systemd_logind_t)
 dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
 dev_setattr_kvm_dev(systemd_logind_t)
 dev_setattr_sound_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
 files_read_etc_files(systemd_logind_t)
+files_dontaudit_getattr_tmpfs_file(systemd_logind_t)
 files_search_pids(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
@@ -448,7 +453,7 @@ optional_policy(`
 # machined local policy
 #
 
-allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
 allow systemd_machined_t self:process setfscreate;
 allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
 
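Review bot: The capability set for systemd_machined_t grows from sys_ptrace to { setgid sys_chroot sys_ptrace } with no comment recording which machined operation needs each new bit; sys_chroot in particular is a strong capability and reviewers of the .te file later will have no way to tell whether it is still required. A one-line comment above the rule, e.g. `# setgid and sys_chroot: needed for <machined operation — confirm from the denial>`, would keep the grant reviewable. The cover letter only says "more permissions that systemd_machined_t needs", so the reason should live next to the rule itself.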
@@ -462,6 +467,7 @@ files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
 fs_getattr_tmpfs(systemd_machined_t)
+fs_read_nsfs_files(systemd_machined_t)
 
 selinux_getattr_fs(systemd_machined_t)
 
Index: refpolicy-2.20170410/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170410/policy/modules/system/udev.te
@@ -15,6 +15,8 @@ domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
 
+init_domtrans_script(udev_t)
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
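Review bot: `init_domtrans_script(udev_t)` is added without a comment, whereas the other udev_t additions in this patch each carry a `# for ...` line naming the systemd-udevd behaviour they serve. Allowing udev_t to transition into the init script domain is a noticeably wider grant than the device and socket rules around it, so the triggering rule or helper should be recorded, e.g. `# for udev rules that invoke init scripts (confirm which rule triggers this)`. It is also inserted between the socket-activation call and the type declarations; the rest of the udev_t interface calls in this file are grouped further down, so it would be clearer there.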
@@ -27,6 +29,7 @@ files_type(udev_rules_t)
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
 init_daemon_pid_file(udev_var_run_t, dir, "udev")
+files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")
 
 ifdef(`enable_mcs',`
 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
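Review bot: The new `files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")` is unconditional, while the parallel "xen-hotplug" transition later in this file sits under `ifdef(`distro_debian',`; console-setup is, as far as I know, a Debian package, so if that directory only appears on Debian this rule belongs in the same ifdef block. It is also placed in the type-declaration section directly after init_daemon_pid_file, whereas the other udev_t filetrans rules live in the policy body, so moving it there would keep declarations and rules separate.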
@@ -57,6 +60,9 @@ allow udev_t self:netlink_kobject_uevent
 allow udev_t self:netlink_generic_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
 
+# for systemd-udevd to rename interfaces
+allow udev_t self:netlink_route_socket nlmsg_write;
+
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 
@@ -128,6 +134,7 @@ fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
+fs_search_tracefs_dirs(udev_t)
 
 mcs_ptrace_all(udev_t)
 
@@ -183,10 +190,14 @@ sysnet_delete_dhcpc_pid(udev_t)
 sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
+sysnet_var_run_dirtrans_config(udev_t, "network")
 
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_debian',`
+	# for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
+	files_read_default_files(udev_t)
+
 	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
 
 	optional_policy(`
@@ -202,6 +213,11 @@ ifdef(`distro_debian',`
 	')
 ')
 
+optional_policy(`
+	# for systemd-udevd when starting xen domu
+	virt_read_config(udev_t)
+')
+
 ifdef(`distro_gentoo',`
 	# during boot, init scripts use /dev/.rcsysinit
 	# existence to determine if we are in early booting
@@ -344,6 +360,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
+	fs_manage_xenfs_files(udev_t)
 ')
 
 optional_policy(`
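Review bot: `fs_manage_xenfs_files(udev_t)` is appended after the xen_ calls, breaking the alphabetical-by-module ordering the block otherwise follows (kernel_, xen_, xen_); it should be the first line of the block, before `kernel_read_xen_state(udev_t)`. It also carries no comment and grants full manage access where the neighbouring calls are read-only, so a `# for ...` line naming the udev helper that writes to xenfs would make the width of the grant reviewable. The enclosing optional_policy block starts outside the hunk.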
Index: refpolicy-2.20170410/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170410/policy/modules/kernel/files.if
@@ -433,6 +433,24 @@ interface(`files_tmpfs_file',`
 
 ########################################
 ## <summary>
+##	Do not audit getattr of /dev/shm files
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain to not audit
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmpfs_file',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	dontaudit $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of all directories.
 ## </summary>
 ## <param name="domain">
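Review bot: The param block of files_dontaudit_getattr_tmpfs_file names the parameter `type` while its summary reads "Domain to not audit", and the neighbouring interface immediately below uses `<param name="domain">`; change it to `## <param name="domain">` for consistency. The summary also says "/dev/shm files" but the rule targets the tmpfsfile attribute, i.e. every file type registered through files_tmpfs_file, so it should read `##	Do not audit attempts to get the attributes of tmpfs files.` Both strings end up in the generated interface documentation, so they should describe the actual grant.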
Index: refpolicy-2.20170410/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170410/policy/modules/kernel/filesystem.if
@@ -4695,6 +4713,24 @@ interface(`fs_getattr_tracefs',`
 ')
 
 ########################################
+## <summary>
+##      search directories on a tracefs filesystem
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_search_tracefs_dirs',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+        allow $1 tracefs_t:dir search;
+')
+
+########################################
 ## <summary>
 ##      Get the attributes of files
 ##	on a trace filesystem.
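Review bot: The body of fs_search_tracefs_dirs mixes indentation: gen_require is tab-indented while `allow $1 tracefs_t:dir search;` is indented with eight spaces, and the summary starts lower-case unlike the surrounding summaries ("Get the attributes of files"); both should follow the file's style, e.g. `##	Search directories on a tracefs filesystem.` with a tab-indented allow line. The hunk header `@@ -4695,6 +4713,24 @@` shows an 18-line offset with no earlier hunk in this file, which suggests the patch was generated against a tree that already contains other unmerged filesystem.if changes; it should be regenerated against the target revision so it applies without fuzz.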
Index: refpolicy-2.20170410/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170410/policy/modules/system/sysnetwork.if
@@ -461,6 +461,31 @@ interface(`sysnet_etc_filetrans_config',
 
 #######################################
 ## <summary>
+##	Create directories in /var/run with the type used for
+##	the network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`sysnet_var_run_dirtrans_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_pid_filetrans($1, net_conf_t, dir, $2)
+	allow $1 net_conf_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
 ##	Create, read, write, and delete network config files.
 ## </summary>
 ## <param name="domain">


* [refpolicy] [PATCH] more systemd stuff
  2017-04-14 15:41 [refpolicy] [PATCH] more systemd stuff Russell Coker
@ 2017-04-14 17:38 ` Christian Göttsche
  2017-04-16 23:49 ` Chris PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Christian Göttsche @ 2017-04-14 17:38 UTC (permalink / raw)
  To: refpolicy

2017-04-14 17:41 GMT+02:00 Russell Coker via refpolicy
<refpolicy@oss.tresys.com>:
> This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
> I'll add another patch to use shortly.
>
> It has a number of changes needed by systemd_logind_t to set permissions for
> local logins.
>
> It has some more permissions that systemd_machined_t needs, I don't think it's
> everything that systemd_machined_t needs but it's a start.
>
> It has some changes for udev_t for systemd-udevd.
>
> Index: refpolicy-2.20170410/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170410/policy/modules/system/systemd.if
> @@ -467,3 +467,21 @@ interface(`systemd_tmpfilesd_managed',`
>
>         allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
>  ')
> +
> +######################################
> +## <summary>
> +##  Allow to domain to create systemd-passwd symlink
> +## </summary>
> +## <param name="domain">
> +##  <summary>
> +##  Domain allowed access.
> +##  </summary>
> +## </param>
> +#
> +interface(`systemd_manage_lnk_file_passwd_run',`
> +       gen_require(`
> +               type systemd_passwd_var_run_t;
> +       ')
> +
> +       allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
> +')
> Index: refpolicy-2.20170410/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170410/policy/modules/system/systemd.te
> @@ -342,20 +342,25 @@ allow systemd_logind_t systemd_sessions_
>  kernel_read_kernel_sysctls(systemd_logind_t)
>
>  dev_getattr_dri_dev(systemd_logind_t)
> +dev_getattr_generic_usb_dev(systemd_logind_t)
>  dev_getattr_kvm_dev(systemd_logind_t)
>  dev_getattr_sound_dev(systemd_logind_t)
> +dev_getattr_video_dev(systemd_logind_t)
>  dev_manage_wireless(systemd_logind_t)
>  dev_read_urand(systemd_logind_t)
>  dev_rw_dri(systemd_logind_t)
>  dev_rw_input_dev(systemd_logind_t)
>  dev_rw_sysfs(systemd_logind_t)
>  dev_setattr_dri_dev(systemd_logind_t)
> +dev_setattr_generic_usb_dev(systemd_logind_t)
>  dev_setattr_kvm_dev(systemd_logind_t)
>  dev_setattr_sound_dev(systemd_logind_t)
> +dev_setattr_video_dev(systemd_logind_t)
>
>  domain_obj_id_change_exemption(systemd_logind_t)
>
>  files_read_etc_files(systemd_logind_t)
> +files_dontaudit_getattr_tmpfs_file(systemd_logind_t)

do we want to dontaudit this?
i think it is related to
https://www.freedesktop.org/software/systemd/man/logind.conf.html#RemoveIPC=

>  files_search_pids(systemd_logind_t)
>
>  fs_getattr_cgroup(systemd_logind_t)
> @@ -448,7 +453,7 @@ optional_policy(`
>  # machined local policy
>  #
>
> -allow systemd_machined_t self:capability sys_ptrace;
> +allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
>  allow systemd_machined_t self:process setfscreate;
>  allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
>
> @@ -462,6 +467,7 @@ files_read_etc_files(systemd_machined_t)
>
>  fs_getattr_cgroup(systemd_machined_t)
>  fs_getattr_tmpfs(systemd_machined_t)
> +fs_read_nsfs_files(systemd_machined_t)
>
>  selinux_getattr_fs(systemd_machined_t)
>
> Index: refpolicy-2.20170410/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170410/policy/modules/system/udev.te
> @@ -15,6 +15,8 @@ domain_interactive_fd(udev_t)
>  init_daemon_domain(udev_t, udev_exec_t)
>  init_named_socket_activation(udev_t, udev_var_run_t)
>
> +init_domtrans_script(udev_t)
> +
>  type udev_etc_t alias etc_udev_t;
>  files_config_file(udev_etc_t)
>
> @@ -27,6 +29,7 @@ files_type(udev_rules_t)
>  type udev_var_run_t;
>  files_pid_file(udev_var_run_t)
>  init_daemon_pid_file(udev_var_run_t, dir, "udev")
> +files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")
>
>  ifdef(`enable_mcs',`
>         kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
> @@ -57,6 +60,9 @@ allow udev_t self:netlink_kobject_uevent
>  allow udev_t self:netlink_generic_socket create_socket_perms;
>  allow udev_t self:rawip_socket create_socket_perms;
>
> +# for systemd-udevd to rename interfaces
> +allow udev_t self:netlink_route_socket nlmsg_write;
> +
>  allow udev_t udev_exec_t:file write;
>  can_exec(udev_t, udev_exec_t)
>
> @@ -128,6 +134,7 @@ fs_getattr_all_fs(udev_t)
>  fs_list_inotifyfs(udev_t)
>  fs_read_cgroup_files(udev_t)
>  fs_rw_anon_inodefs_files(udev_t)
> +fs_search_tracefs_dirs(udev_t)
>
>  mcs_ptrace_all(udev_t)
>
> @@ -183,10 +190,14 @@ sysnet_delete_dhcpc_pid(udev_t)
>  sysnet_signal_dhcpc(udev_t)
>  sysnet_manage_config(udev_t)
>  sysnet_etc_filetrans_config(udev_t)
> +sysnet_var_run_dirtrans_config(udev_t, "network")
>
>  userdom_dontaudit_search_user_home_content(udev_t)
>
>  ifdef(`distro_debian',`
> +       # for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
> +       files_read_default_files(udev_t)
> +
>         files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
>
>         optional_policy(`
> @@ -202,6 +213,11 @@ ifdef(`distro_debian',`
>         ')
>  ')
>
> +optional_policy(`
> +       # for systemd-udevd when starting xen domu
> +       virt_read_config(udev_t)
> +')
> +
>  ifdef(`distro_gentoo',`
>         # during boot, init scripts use /dev/.rcsysinit
>         # existence to determine if we are in early booting
> @@ -344,6 +360,7 @@ optional_policy(`
>         kernel_read_xen_state(udev_t)
>         xen_manage_log(udev_t)
>         xen_read_image_files(udev_t)
> +       fs_manage_xenfs_files(udev_t)
>  ')
>
>  optional_policy(`
> Index: refpolicy-2.20170410/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170410/policy/modules/kernel/files.if
> @@ -433,6 +433,24 @@ interface(`files_tmpfs_file',`
>
>  ########################################
>  ## <summary>
> +##     Do not audit getattr of /dev/shm files
> +## </summary>
> +## <param name="type">
> +##     <summary>
> +##     Domain to not audit
> +##     </summary>
> +## </param>
> +#
> +interface(`files_dontaudit_getattr_tmpfs_file',`
> +       gen_require(`
> +               attribute tmpfsfile;
> +       ')
> +
> +       dontaudit $1 tmpfsfile:file getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##     Get the attributes of all directories.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20170410/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170410/policy/modules/kernel/filesystem.if
> @@ -4695,6 +4713,24 @@ interface(`fs_getattr_tracefs',`
>  ')
>
>  ########################################
> +## <summary>
> +##      search directories on a tracefs filesystem
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`fs_search_tracefs_dirs',`
> +       gen_require(`
> +               type tracefs_t;
> +       ')
> +
> +        allow $1 tracefs_t:dir search;
> +')
> +
> +########################################
>  ## <summary>
>  ##      Get the attributes of files
>  ##     on a trace filesystem.
> Index: refpolicy-2.20170410/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20170410/policy/modules/system/sysnetwork.if
> @@ -461,6 +461,31 @@ interface(`sysnet_etc_filetrans_config',
>
>  #######################################
>  ## <summary>
> +##     Create directories in /var/run with the type used for
> +##     the network config files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +## <param name="name" optional="true">
> +##     <summary>
> +##     The name of the object being created.
> +##     </summary>
> +## </param>
> +#
> +interface(`sysnet_var_run_dirtrans_config',`
> +       gen_require(`
> +               type net_conf_t;
> +       ')
> +
> +       files_pid_filetrans($1, net_conf_t, dir, $2)
> +       allow $1 net_conf_t:dir create_dir_perms;
> +')
> +
> +#######################################
> +## <summary>
>  ##     Create, read, write, and delete network config files.
>  ## </summary>
>  ## <param name="domain">
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


* [refpolicy] [PATCH] more systemd stuff
  2017-04-14 15:41 [refpolicy] [PATCH] more systemd stuff Russell Coker
  2017-04-14 17:38 ` Christian Göttsche
@ 2017-04-16 23:49 ` Chris PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Chris PeBenito @ 2017-04-16 23:49 UTC (permalink / raw)
  To: refpolicy

On 04/14/2017 11:41 AM, Russell Coker via refpolicy wrote:
> This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
> I'll add another patch to use shortly.
>
> It has a number of changes needed by systemd_logind_t to set permissions for
> local logins.
>
> It has some more permissions that systemd_machined_t needs, I don't think it's
> everything that systemd_machined_t needs but it's a start.
>
> It has some changes for udev_t for systemd-udevd.

I merged this except for the one other question posed and:

> +interface(`sysnet_var_run_dirtrans_config',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_pid_filetrans($1, net_conf_t, dir, $2)
> +	allow $1 net_conf_t:dir create_dir_perms;
> +')

This should be split into two interfaces.

-- 
Chris PeBenito

