* [PATCH] machined
@ 2021-02-02 15:07 Russell Coker
  2021-02-02 19:03 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2021-02-02 15:07 UTC (permalink / raw)
  To: selinux-refpolicy

This patch is for systemd-machined.  Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210203/policy/modules/services/ssh.te
@@ -265,9 +265,10 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`init_systemd',`
+	auth_use_pam_systemd(sshd_t)
 	init_dbus_chat(sshd_t)
-	systemd_dbus_chat_logind(sshd_t)
 	init_rw_stream_sockets(sshd_t)
+	systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
 
 tunable_policy(`ssh_sysadm_login',`
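Review bot: The description says the patch is for systemd-machined, but this hunk changes sshd_t's access in two ways it does not mention: `systemd_dbus_chat_logind(sshd_t)` is replaced by `auth_use_pam_systemd(sshd_t)` (which, after the authlogin.if hunk, also grants connectto on the machined socket), and `systemd_write_inherited_logind_sessions_pipes(sshd_t)` moves from the `optional_policy` block removed in the next hunk into the unconditional `ifdef(`init_systemd')` branch. The description should state why the `optional_policy` wrapper is no longer needed here, i.e. whether the systemd module is guaranteed to be present whenever init_systemd is set; a reader tracing a lost logind grant later will otherwise have only the diff to go on.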
@@ -310,11 +311,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	systemd_write_inherited_logind_sessions_pipes(sshd_t)
-	systemd_dbus_chat_logind(sshd_t)
-')
-
-optional_policy(`
 	xserver_domtrans_xauth(sshd_t)
 	xserver_link_xdm_keys(sshd_t)
 ')
Index: refpolicy-2.20210203/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210203/policy/modules/system/authlogin.if
@@ -91,6 +91,7 @@ interface(`auth_use_pam',`
 #
 interface(`auth_use_pam_systemd',`
 	dbus_system_bus_client($1)
+	systemd_connect_machined($1)
 	systemd_dbus_chat_logind($1)
 ')
 
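Review bot: Adding `systemd_connect_machined($1)` inside `auth_use_pam_systemd` widens every existing caller of that interface, not only the login daemons this patch touches, to connectto on systemd_machined_t's unix stream socket; callers that never consult the machine userdb receive the grant too. If the intent is limited to sshd_t and local_login_t, the narrower option is calling `systemd_connect_machined` from those .te files directly, as locallogin.te already does in this patch. Either way the interface's `<summary>` (above this hunk) should be updated to say that the PAM systemd path now includes the machined userdb socket, so the widening is visible to anyone auditing the interface.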
Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -151,6 +151,9 @@ type systemd_machined_runtime_t alias sy
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
 
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
@@ -562,6 +565,9 @@ allow systemd_logind_t self:fifo_file rw
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -737,6 +743,8 @@ allow systemd_machined_t systemd_machine
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
+dev_getattr_fs(systemd_machined_t)
+
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
@@ -760,6 +768,10 @@ logging_send_syslog_msg(systemd_machined
 
 seutil_search_default_contexts(systemd_machined_t)
 
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+term_getattr_pty_fs(systemd_machined_t)
+
 optional_policy(`
 	init_dbus_chat(systemd_machined_t)
 	init_dbus_send_script(systemd_machined_t)
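Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` grants create, unlink, rename, link and setattr on the pty device nodes, which is broader than a pty owner normally needs; `term_create_pty` on the line above presumably already grants the create-and-use set for the pty type — confirm against terminal.if, then drop the raw allow or reduce it to `rw_chr_file_perms` (adding `setattr` only if chown/chmod of the slave shows up in denials). Keeping a raw allow next to the interface call also hides which rule is actually required, so a one-line comment stating the observed denial would help the next reader.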
Index: refpolicy-2.20210203/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210203/policy/modules/system/systemd.if
@@ -19,12 +19,18 @@
 ##	The user domain for the role.
 ##	</summary>
 ## </param>
+## <param name="pty_type">
+##	<summary>
+##	The type for the user pty
+##	</summary>
+## </param>
 #
 template(`systemd_role_template',`
 	gen_require(`
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
-		type systemd_run_exec_t, systemd_analyze_exec_t;
+		type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t;
+		type systemd_machined_t;
 	')
 
 	#################################
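Review bot: The new `<param name="pty_type">` block documents a parameter that `systemd_role_template` does not take: the hunk's gen_require hard-wires `user_devpts_t` (`type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t;`) and no `$4` is referenced in the visible body. Either add the parameter and use it instead of `user_devpts_t` in the later hunk, so roles with a different pty type are handled, or drop the `<param>` block; as written, the interface documentation generated from it is wrong. The template body continues past this hunk.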
@@ -56,9 +62,20 @@ template(`systemd_role_template',`
 	allow $1_systemd_t $3:process { setsched rlimitinh };
 	corecmd_shell_domtrans($1_systemd_t, $3)
 	corecmd_bin_domtrans($1_systemd_t, $3)
+	corecmd_shell_entry_type($1_systemd_t)
+	allow $1_systemd_t self:process signal;
+
+	files_search_home($1_systemd_t)
 
 	# Allow using file descriptors for user environment generators
 	allow $3 $1_systemd_t:fd use;
+	allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
+
+	# for "machinectl shell"
+	allow $1_systemd_t systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:dbus send_msg;
+	allow systemd_machined_t $3:dbus send_msg;
 
 	# systemctl --user
 	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
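Review bot: The bidirectional pair `allow $3 systemd_machined_t:dbus send_msg;` / `allow systemd_machined_t $3:dbus send_msg;` is written as raw rules inside the template, while the rest of this file exposes such access through `systemd_dbus_chat_*` interfaces (for example `systemd_dbus_chat_logind`); a `systemd_dbus_chat_machined($3)` interface would keep that pattern and make the grant to every user domain visible in audits. `corecmd_shell_entry_type($1_systemd_t)` is a separate, uncommented change: if it behaves like the other `*_entry_type` interfaces it makes shell executables a valid entrypoint for every user's systemd domain, which deserves a why-comment such as `# machinectl shell: the user manager is entered through the login shell` if that is the reason, or its own commit if it is unrelated. The template body extends beyond this hunk.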
@@ -66,6 +83,14 @@ template(`systemd_role_template',`
 	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
 	dbus_system_bus_client($1_systemd_t)
+
+	selinux_use_status_page($1_systemd_t)
+	seutil_read_file_contexts($1_systemd_t)
+	seutil_search_default_contexts($1_systemd_t)
+
+	# for machinectl shell
+	term_user_pty($1_systemd_t, user_devpts_t)
+	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
 ')
 
 ######################################
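Review bot: `allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;` applies the regular-file permission set to a chr_file; the class-matched set is `rw_chr_file_perms`, and if `term_user_pty` on the preceding line already grants read/write on the pty type (it normally does — confirm against its definition in terminal.if) the raw allow is redundant and should go. The three seutil/selinux grants above it are also under no comment; a line such as `# machinectl shell: the user manager computes the shell's context` (if that is the reason) would make the group self-explaining.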
@@ -489,6 +514,24 @@ interface(`systemd_read_machines',`
 
 ########################################
 ## <summary>
+##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain that can access the socket
+##     </summary>
+## </param>
+#
+interface(`systemd_connect_machined',`
+	gen_require(`
+		type systemd_machined_t;
+	')
+
+	allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
 ##   Send and receive messages from
 ##   systemd hostnamed over dbus.
 ## </summary>
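Review bot: `systemd_connect_machined` grants only `unix_stream_socket connectto` on systemd_machined_t; connecting to a path-bound socket such as the `/run/systemd/userdb/io.systemd.Machine` named in the summary also needs search on the containing directories and write on the sock_file, which this interface does not provide. Whether those are already covered for the callers (sshd_t, local_login_t) depends on how /run/systemd/userdb is labelled — confirm with a denial check and, if needed, use the `stream_connect_pattern` form here so callers receive the complete set. The summary would also read better in the file's usual form, e.g. `##	Connect to systemd-machined's unix stream sockets (io.systemd.Machine userdb).`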
@@ -1300,3 +1343,23 @@ interface(`systemd_run_sysusers', `
 	systemd_domtrans_sysusers($1)
 	roleattribute $2 systemd_sysusers_roles;
 ')
+
+########################################
+## <summary>
+##  receive and use a systemd_machined_devpts_t file handle
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_use_machined_devpts', `
+	gen_require(`
+		type systemd_machined_t, systemd_machined_devpts_t;
+	')
+
+	allow $1 systemd_machined_t:fd use;
+	allow $1 systemd_machined_devpts_t:chr_file { read write };
+')
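Review bot: `allow $1 systemd_machined_devpts_t:chr_file { read write };` omits `getattr` and `ioctl`, which a receiver of a terminal handle usually needs (termios and window-size ioctls, fstat); the refpolicy set for a descriptor that arrives already open is `rw_inherited_chr_file_perms`, which also deliberately excludes `open` and so matches the "receive and use" summary. The `<rolecap/>` tag appears to mark a role capability, yet the only caller in this patch is system_dbusd_t, a daemon rather than a role; drop the tag unless a user role is meant to call this interface.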
Index: refpolicy-2.20210203/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20210203/policy/modules/system/locallogin.te
@@ -142,6 +142,7 @@ ifdef(`init_systemd',`
 	auth_manage_faillog(local_login_t)
 
 	init_dbus_chat(local_login_t)
+	systemd_connect_machined(local_login_t)
 	systemd_dbus_chat_logind(local_login_t)
 	systemd_use_logind_fds(local_login_t)
 	systemd_manage_logind_runtime_pipes(local_login_t)
Index: refpolicy-2.20210203/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20210203/policy/modules/services/dbus.te
@@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbus
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
 
+# for machinectl shell
+term_use_ptmx(system_dbusd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 # read a file in ~/.local/share
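Review bot: `term_use_ptmx(system_dbusd_t)` presumably gives the bus daemon read/write on the pty master device, and the `# for machinectl shell` comment does not say why a bus daemon would touch a terminal. If the reason is that the daemon only relays a master-side descriptor between machined and the client, and the kernel checks the receiver's file permissions when the descriptor is passed over the bus (if I recall correctly the file_receive hook does this), say so: `# machinectl shell: pty fds are relayed over the bus; the kernel checks rw on the file when the fd is received`. The companion `systemd_use_machined_devpts(system_dbusd_t)` in the next hunk deserves the same comment, and whether terminal.if offers a narrower inherited-handle interface for ptmx should be checked before landing.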
@@ -184,6 +187,9 @@ optional_policy(`
 	systemd_read_logind_runtime_files(system_dbusd_t)
 	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+
+	# for passing around terminal file handles for machinectl shell
+	systemd_use_machined_devpts(system_dbusd_t)
 ')
 
 optional_policy(`


* Re: [PATCH] machined
  2021-02-02 15:07 [PATCH] machined Russell Coker
@ 2021-02-02 19:03 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2021-02-02 19:03 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 2/2/21 10:07 AM, Russell Coker wrote:
> This patch is for systemd-machined.  Some of it will probably need
> discussion but some is obviously good, so Chris maybe you could take
> the bits you like for this release?
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210203/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210203/policy/modules/services/ssh.te
> @@ -265,9 +265,10 @@ ifdef(`distro_debian',`
>   ')
>   
>   ifdef(`init_systemd',`
> +	auth_use_pam_systemd(sshd_t)
>   	init_dbus_chat(sshd_t)
> -	systemd_dbus_chat_logind(sshd_t)
>   	init_rw_stream_sockets(sshd_t)
> +	systemd_write_inherited_logind_sessions_pipes(sshd_t)
>   ')
>   
>   tunable_policy(`ssh_sysadm_login',`
> @@ -310,11 +311,6 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	systemd_write_inherited_logind_sessions_pipes(sshd_t)
> -	systemd_dbus_chat_logind(sshd_t)
> -')
> -
> -optional_policy(`
>   	xserver_domtrans_xauth(sshd_t)
>   	xserver_link_xdm_keys(sshd_t)
>   ')
> Index: refpolicy-2.20210203/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20210203/policy/modules/system/authlogin.if
> @@ -91,6 +91,7 @@ interface(`auth_use_pam',`
>   #
>   interface(`auth_use_pam_systemd',`
>   	dbus_system_bus_client($1)
> +	systemd_connect_machined($1)
>   	systemd_dbus_chat_logind($1)
>   ')
>   
> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
> @@ -151,6 +151,9 @@ type systemd_machined_runtime_t alias sy
>   files_runtime_file(systemd_machined_runtime_t)
>   init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
>   
> +type systemd_machined_devpts_t;
> +term_login_pty(systemd_machined_devpts_t)
> +
>   type systemd_modules_load_t;
>   type systemd_modules_load_exec_t;
>   init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
> @@ -562,6 +565,9 @@ allow systemd_logind_t self:fifo_file rw
>   allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
>   init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
>   
> +# for /run/systemd/userdb/io.systemd.Machine
> +allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
> +
>   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
>   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
>   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> @@ -737,6 +743,8 @@ allow systemd_machined_t systemd_machine
>   kernel_read_kernel_sysctls(systemd_machined_t)
>   kernel_read_system_state(systemd_machined_t)
>   
> +dev_getattr_fs(systemd_machined_t)
> +
>   files_read_etc_files(systemd_machined_t)
>   
>   fs_getattr_cgroup(systemd_machined_t)
> @@ -760,6 +768,10 @@ logging_send_syslog_msg(systemd_machined
>   
>   seutil_search_default_contexts(systemd_machined_t)
>   
> +term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
> +allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
> +term_getattr_pty_fs(systemd_machined_t)
> +
>   optional_policy(`
>   	init_dbus_chat(systemd_machined_t)
>   	init_dbus_send_script(systemd_machined_t)
> Index: refpolicy-2.20210203/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20210203/policy/modules/system/systemd.if
> @@ -19,12 +19,18 @@
>   ##	The user domain for the role.
>   ##	</summary>
>   ## </param>
> +## <param name="pty_type">
> +##	<summary>
> +##	The type for the user pty
> +##	</summary>
> +## </param>
>   #
>   template(`systemd_role_template',`
>   	gen_require(`
>   		attribute systemd_user_session_type, systemd_log_parse_env_type;
>   		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
> -		type systemd_run_exec_t, systemd_analyze_exec_t;
> +		type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t;
> +		type systemd_machined_t;
>   	')
>   
>   	#################################
> @@ -56,9 +62,20 @@ template(`systemd_role_template',`
>   	allow $1_systemd_t $3:process { setsched rlimitinh };
>   	corecmd_shell_domtrans($1_systemd_t, $3)
>   	corecmd_bin_domtrans($1_systemd_t, $3)
> +	corecmd_shell_entry_type($1_systemd_t)
> +	allow $1_systemd_t self:process signal;
> +
> +	files_search_home($1_systemd_t)
>   
>   	# Allow using file descriptors for user environment generators
>   	allow $3 $1_systemd_t:fd use;
> +	allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
> +
> +	# for "machinectl shell"
> +	allow $1_systemd_t systemd_machined_t:fd use;
> +	allow $3 systemd_machined_t:fd use;
> +	allow $3 systemd_machined_t:dbus send_msg;
> +	allow systemd_machined_t $3:dbus send_msg;

I merged most of this except for this machinectl shell part.

>   	# systemctl --user
>   	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
> @@ -66,6 +83,14 @@ template(`systemd_role_template',`
>   	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
>   
>   	dbus_system_bus_client($1_systemd_t)
> +
> +	selinux_use_status_page($1_systemd_t)
> +	seutil_read_file_contexts($1_systemd_t)
> +	seutil_search_default_contexts($1_systemd_t)
> +
> +	# for machinectl shell
> +	term_user_pty($1_systemd_t, user_devpts_t)
> +	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
>   ')
>   
>   ######################################
> @@ -489,6 +514,24 @@ interface(`systemd_read_machines',`
>   
>   ########################################
>   ## <summary>
> +##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain that can access the socket
> +##     </summary>
> +## </param>
> +#
> +interface(`systemd_connect_machined',`
> +	gen_require(`
> +		type systemd_machined_t;
> +	')
> +
> +	allow $1 systemd_machined_t:unix_stream_socket connectto;
> +')
> +
> +########################################
> +## <summary>
>   ##   Send and receive messages from
>   ##   systemd hostnamed over dbus.
>   ## </summary>
> @@ -1300,3 +1343,23 @@ interface(`systemd_run_sysusers', `
>   	systemd_domtrans_sysusers($1)
>   	roleattribute $2 systemd_sysusers_roles;
>   ')
> +
> +########################################
> +## <summary>
> +##  receive and use a systemd_machined_devpts_t file handle
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`systemd_use_machined_devpts', `
> +	gen_require(`
> +		type systemd_machined_t, systemd_machined_devpts_t;
> +	')
> +
> +	allow $1 systemd_machined_t:fd use;
> +	allow $1 systemd_machined_devpts_t:chr_file { read write };
> +')
> Index: refpolicy-2.20210203/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20210203/policy/modules/system/locallogin.te
> @@ -142,6 +142,7 @@ ifdef(`init_systemd',`
>   	auth_manage_faillog(local_login_t)
>   
>   	init_dbus_chat(local_login_t)
> +	systemd_connect_machined(local_login_t)
>   	systemd_dbus_chat_logind(local_login_t)
>   	systemd_use_logind_fds(local_login_t)
>   	systemd_manage_logind_runtime_pipes(local_login_t)
> Index: refpolicy-2.20210203/policy/modules/services/dbus.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dbus.te
> +++ refpolicy-2.20210203/policy/modules/services/dbus.te
> @@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbus
>   seutil_read_config(system_dbusd_t)
>   seutil_read_default_contexts(system_dbusd_t)
>   
> +# for machinectl shell
> +term_use_ptmx(system_dbusd_t)
> +
>   userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
>   userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>   # read a file in ~/.local/share
> @@ -184,6 +187,9 @@ optional_policy(`
>   	systemd_read_logind_runtime_files(system_dbusd_t)
>   	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
>   	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
> +
> +	# for passing around terminal file handles for machinectl shell
> +	systemd_use_machined_devpts(system_dbusd_t)
>   ')
>   
>   optional_policy(`
> 


-- 
Chris PeBenito
