From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] machined
Date: Wed, 3 Feb 2021 02:07:12 +1100	[thread overview]
Message-ID: <YBlqoEgnMLc5oWAx@xev> (raw)

This patch is for systemd-machined.  Some of it will probably need
discussion, but some of it is obviously good, so Chris, maybe you could
take the bits you like for this release?

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210203/policy/modules/services/ssh.te
@@ -265,9 +265,10 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`init_systemd',`
+	auth_use_pam_systemd(sshd_t)
 	init_dbus_chat(sshd_t)
-	systemd_dbus_chat_logind(sshd_t)
 	init_rw_stream_sockets(sshd_t)
+	systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
 
 tunable_policy(`ssh_sysadm_login',`
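Review bot: The added `auth_use_pam_systemd(sshd_t)` on the first new line now also grants sshd_t `connectto` on systemd_machined_t's unix stream sockets, through the `systemd_connect_machined($1)` call this patch adds to that interface in the authlogin.if hunk, but nothing in ssh.te records why a network-facing login daemon needs to reach machined. A one-line comment above it, `# pam_systemd: userdb lookups via /run/systemd/userdb/io.systemd.Machine (see systemd.te)`, would keep the next reviewer from tightening it back. Moving `systemd_write_inherited_logind_sessions_pipes(sshd_t)` out of the optional_policy block deleted in the next hunk is presumably safe because `init_systemd` already implies the systemd module is built, but the commit message should say so.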
@@ -310,11 +311,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	systemd_write_inherited_logind_sessions_pipes(sshd_t)
-	systemd_dbus_chat_logind(sshd_t)
-')
-
-optional_policy(`
 	xserver_domtrans_xauth(sshd_t)
 	xserver_link_xdm_keys(sshd_t)
 ')
Index: refpolicy-2.20210203/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210203/policy/modules/system/authlogin.if
@@ -91,6 +91,7 @@ interface(`auth_use_pam',`
 #
 interface(`auth_use_pam_systemd',`
 	dbus_system_bus_client($1)
+	systemd_connect_machined($1)
 	systemd_dbus_chat_logind($1)
 ')
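Review bot: Adding `systemd_connect_machined($1)` to auth_use_pam_systemd widens every PAM-using domain's reach to all of systemd_machined_t's unix stream sockets, because the new interface in the systemd.if hunk is a plain `connectto` on the daemon's type and no separate type exists for the userdb socket. If only the `/run/systemd/userdb/io.systemd.Machine` lookup is needed, say so here, `# userdb lookups via /run/systemd/userdb/io.systemd.Machine`, so the grant's intent is visible to callers of this interface. If the lookup is in fact made by nss-systemd rather than pam_systemd, it would belong in a broader interface than a PAM one; worth confirming which code path produced the denial.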
 
Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -151,6 +151,9 @@ type systemd_machined_runtime_t alias sy
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
 
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
@@ -562,6 +565,9 @@ allow systemd_logind_t self:fifo_file rw
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -737,6 +743,8 @@ allow systemd_machined_t systemd_machine
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
+dev_getattr_fs(systemd_machined_t)
+
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
@@ -760,6 +768,10 @@ logging_send_syslog_msg(systemd_machined
 
 seutil_search_default_contexts(systemd_machined_t)
 
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+term_getattr_pty_fs(systemd_machined_t)
+
 optional_policy(`
 	init_dbus_chat(systemd_machined_t)
 	init_dbus_send_script(systemd_machined_t)
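Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` on the second new line grants create, unlink, link and rename on the pty nodes, which the pty owner does not normally need once `term_create_pty` provides the type transition; the usual refpolicy pattern for a daemon's own pty type is `allow systemd_machined_t systemd_machined_devpts_t:chr_file { rw_chr_file_perms setattr };`. Refpolicy names its permission sets per object class, so the chr_file variants belong here and also for the `rw_file_perms` on user_devpts_t in the later systemd_role_template hunk. Tighten only after checking an audit log from a `machinectl shell` session, in case machined really does unlink the node itself.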
Index: refpolicy-2.20210203/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210203/policy/modules/system/systemd.if
@@ -19,12 +19,18 @@
 ##	The user domain for the role.
 ##	</summary>
 ## </param>
+## <param name="pty_type">
+##	<summary>
+##	The type for the user pty
+##	</summary>
+## </param>
 #
 template(`systemd_role_template',`
 	gen_require(`
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
-		type systemd_run_exec_t, systemd_analyze_exec_t;
+		type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t;
+		type systemd_machined_t;
 	')
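Review bot: The new `<param name="pty_type">` documentation describes a parameter that systemd_role_template never takes: the template keeps three positional arguments, and the later hunks hard-code `user_devpts_t` (required on the changed gen_require line and used in `term_user_pty($1_systemd_t, user_devpts_t)` in the next-but-one hunk) instead of referencing a `$4`. Either drop the param block or add the parameter and replace `user_devpts_t` with `$4` in the gen_require and the two rules that use it. Requiring the userdom type `user_devpts_t` inside a systemd template also creates a dependency on the userdomain module, which the parameter form would avoid. The template body continues beyond this hunk.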
 
 	#################################
@@ -56,9 +62,20 @@ template(`systemd_role_template',`
 	allow $1_systemd_t $3:process { setsched rlimitinh };
 	corecmd_shell_domtrans($1_systemd_t, $3)
 	corecmd_bin_domtrans($1_systemd_t, $3)
+	corecmd_shell_entry_type($1_systemd_t)
+	allow $1_systemd_t self:process signal;
+
+	files_search_home($1_systemd_t)
 
 	# Allow using file descriptors for user environment generators
 	allow $3 $1_systemd_t:fd use;
+	allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
+
+	# for "machinectl shell"
+	allow $1_systemd_t systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:dbus send_msg;
+	allow systemd_machined_t $3:dbus send_msg;
 
 	# systemctl --user
 	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
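Review bot: `corecmd_shell_entry_type($1_systemd_t)` on the first new line makes shell executables a valid entry point into the per-user systemd domain, and `allow $1_systemd_t self:process signal;` and `files_search_home($1_systemd_t)` follow with no comment, while only the later additions are annotated `# for "machinectl shell"`. If all of these serve the same feature, move that comment above the first new line so the entrypoint widening is explained; if not, a one-line comment per group naming the triggering denial is the refpolicy norm. The two-way `dbus send_msg` rules between `$3` and systemd_machined_t form a dbus chat; if systemd.if already provides a machined chat interface it should be used so the pattern matches `systemd_dbus_chat_logind`, otherwise the raw rules are acceptable within the module. The template body starts and ends outside this hunk.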
@@ -66,6 +83,14 @@ template(`systemd_role_template',`
 	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
 	dbus_system_bus_client($1_systemd_t)
+
+	selinux_use_status_page($1_systemd_t)
+	seutil_read_file_contexts($1_systemd_t)
+	seutil_search_default_contexts($1_systemd_t)
+
+	# for machinectl shell
+	term_user_pty($1_systemd_t, user_devpts_t)
+	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
 ')
 
 ######################################
@@ -489,6 +514,24 @@ interface(`systemd_read_machines',`
 
 ########################################
 ## <summary>
+##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain that can access the socket
+##     </summary>
+## </param>
+#
+interface(`systemd_connect_machined',`
+	gen_require(`
+		type systemd_machined_t;
+	')
+
+	allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
 ##   Send and receive messages from
 ##   systemd hostnamed over dbus.
 ## </summary>
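Review bot: The summary of the new `systemd_connect_machined` interface names a single socket, but `allow $1 systemd_machined_t:unix_stream_socket connectto;` reaches every unix stream socket systemd_machined_t listens on, since those sockets carry the daemon's type rather than a dedicated one. Rephrase the summary as `Connect to the unix stream sockets of systemd-machined (e.g. /run/systemd/userdb/io.systemd.Machine).` so callers see the real grant. The documentation block also indents with spaces after `##` where the surrounding file, including the other interface added by this patch, uses a tab.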
@@ -1300,3 +1343,23 @@ interface(`systemd_run_sysusers', `
 	systemd_domtrans_sysusers($1)
 	roleattribute $2 systemd_sysusers_roles;
 ')
+
+########################################
+## <summary>
+##  receive and use a systemd_machined_devpts_t file handle
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_use_machined_devpts', `
+	gen_require(`
+		type systemd_machined_t, systemd_machined_devpts_t;
+	')
+
+	allow $1 systemd_machined_t:fd use;
+	allow $1 systemd_machined_devpts_t:chr_file { read write };
+')
Index: refpolicy-2.20210203/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20210203/policy/modules/system/locallogin.te
@@ -142,6 +142,7 @@ ifdef(`init_systemd',`
 	auth_manage_faillog(local_login_t)
 
 	init_dbus_chat(local_login_t)
+	systemd_connect_machined(local_login_t)
 	systemd_dbus_chat_logind(local_login_t)
 	systemd_use_logind_fds(local_login_t)
 	systemd_manage_logind_runtime_pipes(local_login_t)
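Review bot: `systemd_connect_machined(local_login_t)` is called directly here, whereas the ssh.te hunk obtains the same access through `auth_use_pam_systemd(sshd_t)`, to which this patch adds systemd_connect_machined. If local_login_t already calls auth_use_pam_systemd elsewhere in locallogin.te (outside this hunk) the new line is redundant; if it does not, `auth_use_pam_systemd(local_login_t)` here instead would keep both login daemons on the same path. The enclosing `ifdef(`init_systemd',`` block starts before this hunk.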
Index: refpolicy-2.20210203/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20210203/policy/modules/services/dbus.te
@@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbus
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
 
+# for machinectl shell
+term_use_ptmx(system_dbusd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 # read a file in ~/.local/share
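Review bot: `term_use_ptmx(system_dbusd_t)` is added with only `# for machinectl shell` to justify it, and the companion `systemd_use_machined_devpts(system_dbusd_t)` in the next hunk carries a similar comment. Neither says that dbus-daemon presumably does not open the terminal itself but only relays descriptors received over the bus, which is what a later reader needs in order to judge whether read/write on ptmx is still required; `# machinectl shell: dbus-daemon relays the pty fds it receives over the bus, which needs rw on their open files` above the first new line would capture that, and the same wording fits the comment in the next hunk. Confirm against an audit log that the denial is on an inherited descriptor rather than an open of /dev/ptmx by dbus-daemon.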
@@ -184,6 +187,9 @@ optional_policy(`
 	systemd_read_logind_runtime_files(system_dbusd_t)
 	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+
+	# for passing around terminal file handles for machinectl shell
+	systemd_use_machined_devpts(system_dbusd_t)
 ')
 
 optional_policy(`
