From: russell@coker.com.au (Russell Coker)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] systemd-resolvd, sessions, and tmpfiles
Date: Sun, 26 Mar 2017 21:51:18 +1100	[thread overview]
Message-ID: <35491590.mkBOhF3hQv@russell.coker.com.au> (raw)
In-Reply-To: <a878fd65-89b7-b2b2-fe5f-b35df4dd3926@ieee.org>

On Saturday, 4 March 2017 7:15:08 AM AEDT Chris PeBenito via refpolicy wrote:
> > @@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se
> > 
> >  # Tmpfiles local policy
> >  #
> > 
> > -allow systemd_tmpfiles_t self:capability  { chown dac_override fowner
> > fsetid mknod }; +allow systemd_tmpfiles_t self:capability { chown
> > dac_override fowner fsetid mknod net_admin sys_admin };> 
> >  allow systemd_tmpfiles_t self:process { setfscreate getcap };
> > 
> > +allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom
> > relabelto manage_file_perms }; +
> > +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom
> > relabelto manage_dir_perms }; +allow systemd_tmpfiles_t
> > systemd_coredump_var_lib_t:file manage_file_perms; +
> > 
> >  manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t,
> >  systemd_journal_t) manage_files_pattern(systemd_tmpfiles_t,
> >  systemd_journal_t, systemd_journal_t) allow systemd_tmpfiles_t
> >  systemd_journal_t:dir { relabelfrom relabelto }; allow
> >  systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
> >  
> >  kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> > 
> > +kernel_read_network_state(systemd_tmpfiles_t)
> > 
> > +auth_manage_faillog(systemd_tmpfiles_t)
> > +auth_manage_login_records(systemd_tmpfiles_t)
> > +auth_manage_var_auth(systemd_tmpfiles_t)
> > +auth_relabel_login_records(systemd_tmpfiles_t)
> > +auth_setattr_login_records(systemd_tmpfiles_t)
> > +create_relabel_var_lib_log(systemd_tmpfiles_t)
> > +dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> > +dev_read_urand(systemd_tmpfiles_t)
> > 
> >  dev_relabel_all_sysfs(systemd_tmpfiles_t)
> >  dev_read_urand(systemd_tmpfiles_t)
> >  dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> > 
> > +files_create_lock_dirs(systemd_tmpfiles_t)
> > +files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
> > +files_delete_usr_files(systemd_tmpfiles_t)
> > +files_list_home(systemd_tmpfiles_t)
> > +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
> > +files_purge_tmp(systemd_tmpfiles_t)
> > 
> >  files_read_etc_files(systemd_tmpfiles_t)
> >  files_relabel_all_lock_dirs(systemd_tmpfiles_t)
> >  files_relabel_all_pid_dirs(systemd_tmpfiles_t)
> >  files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
> > 
> > -auth_manage_var_auth(systemd_tmpfiles_t)
> > -auth_manage_login_records(systemd_tmpfiles_t)
> > -auth_relabel_login_records(systemd_tmpfiles_t)
> > -auth_setattr_login_records(systemd_tmpfiles_t)
> > +files_relabelfrom_home(systemd_tmpfiles_t)
> > +files_relabelto_home(systemd_tmpfiles_t)
> > +files_relabelto_etc_dirs(systemd_tmpfiles_t)
> > +# for /etc/mtab
> > +files_manage_etc_symlinks(systemd_tmpfiles_t)
> > +fs_getattr_xattr_fs(systemd_tmpfiles_t)
> > +
> > +init_manage_utmp(systemd_tmpfiles_t)
> > +init_manage_var_lib_files(systemd_tmpfiles_t)
> > +# for /proc/1/environ
> > +init_read_state(systemd_tmpfiles_t)
> > +
> > +init_relabel_utmp(systemd_tmpfiles_t)
> > +init_relabel_var_lib_dirs(systemd_tmpfiles_t)
> > +logging_manage_generic_logs(systemd_tmpfiles_t)
> > +logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
> > +miscfiles_manage_man_pages(systemd_tmpfiles_t)
> > +miscfiles_relabel_man_cache(systemd_tmpfiles_t)
> > 
> >  # for /run/tmpfiles.d/kmod.conf
> >  modutils_read_var_run_files(systemd_tmpfiles_t)
> > 
> > +selinux_get_fs_mount(systemd_tmpfiles_t)
> > +selinux_search_fs(systemd_tmpfiles_t)
> > +seutil_read_config(systemd_tmpfiles_t)
> > 
> >  seutil_read_file_contexts(systemd_tmpfiles_t)
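Review bot: `dev_read_urand(systemd_tmpfiles_t)` and `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` are added near the top of the dev_* group while the same two calls survive as context lines just below them, so the new side of the hunk carries each call twice; drop the two added lines (the auth_* group is moved correctly, by pairing the additions with the removals further down, and the dev_* lines should follow that form if a reorder is intended). The widening of the `self:capability` rule to `net_admin sys_admin` is the most security-relevant line in the hunk and carries no justification; sys_admin in particular grants far more than a tmpfiles run plausibly needs, so the tmpfiles.d entry or operation behind each denial should be named in a comment in the `# for /etc/mtab` style already used here, e.g. `# net_admin/sys_admin: needed for <operation> -- confirm`, and if the denial is harmless a dontaudit rule is preferable to granting the capability. `files_delete_usr_files(systemd_tmpfiles_t)` deserves the same kind of comment, since deleting under /usr is unusual for this domain. `create_relabel_var_lib_log` has no module prefix (`files_` or `logging_`), unlike every other interface called in this block. The tmpfiles local policy block continues outside the quoted hunk.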
> 
> Several of the blocks above could use more blank lines.

Which ones?

> > +
> > +optional_policy(`
> > +	dbus_read_lib_files(systemd_tmpfiles_t)
> > +')
> > +
> > +optional_policy(`
> > +	xserver_create_console_pipes(systemd_tmpfiles_t)
> > +	xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
> > +')
> > +
> > +optional_policy(`
> > +	xfs_create_dirs(systemd_tmpfiles_t)
> > +')
> 
> This block is out of order.

OK.

> > +interface(`create_relabel_var_lib_log',`
> > +	gen_require(`
> > +		type var_t, var_lib_t, var_log_t;
> > +	')
> > +
> > +	allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto
> > manage_dir_perms }; +')
> 
> This needs to be broken up by type and also relabelto/from vs.
> manage_dir_perms.

OK.
 
> > +## <summary>
> > +##     create and manage all pidfile directories
> > +##     in the /var/run directory.
> > +## </summary>
> > +## <param name="domain">
> > +##     <summary>
> > +##     Domain allowed access.
> > +##     </summary>
> > +## </param>
> > +#
> > +interface(`files_create_manage_all_pid_dirs',`
> > +        gen_require(`
> > +                attribute pidfile;
> > +                type var_run_t;
> > +        ')
> > +
> > +        create_dirs_pattern($1,var_run_t,pidfile)
> > +        allow $1 pidfile:dir manage_dir_perms;
> > +')
> 
> I'm confused about what this interface is intending.  Create is a subset
> of manage.

OK, renamed.

> > +########################################
> > +## <summary>
> > +##	setattr for syslogd_tmp_t
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`logging_set_perms_syslogd_tmp',`
> > +	gen_require(`
> > +		type syslogd_tmp_t;
> > +	')
> > +
> > +	allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
> > +')
> 
> Please split out the setattr and separate dir/file.

OK.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
