From: pebenito@ieee.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] systemd-resolvd, sessions, and tmpfiles
Date: Sat, 4 Mar 2017 07:15:08 -0500	[thread overview]
Message-ID: <a878fd65-89b7-b2b2-fe5f-b35df4dd3926@ieee.org> (raw)
In-Reply-To: <20170228103003.xqfjzdzso4tjph6g@athena.coker.com.au>

On 02/28/17 05:30, Russell Coker via refpolicy wrote:
> This patch goes after my patch for cgroups, hostnamed, and logind.  It will
> probably mostly work without it but I only ever tested it after the previous
> patch.

A few trivial things.

> Description: systemd-resolved, sessions, and tmpfiles patches
> Author: Russell Coker <russell@coker.com.au>
> Last-Update: 2017-02-28
>
> Index: refpolicy-2.20170227/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170227/policy/modules/system/systemd.te
> @@ -584,15 +670,13 @@ init_pid_filetrans(systemd_resolved_t, s
>  kernel_read_crypto_sysctls(systemd_resolved_t)
>  kernel_read_kernel_sysctls(systemd_resolved_t)
>
> +auth_use_nsswitch(systemd_resolved_t)
>  corenet_tcp_bind_generic_node(systemd_resolved_t)
>  corenet_tcp_bind_llmnr_port(systemd_resolved_t)
>  corenet_udp_bind_generic_node(systemd_resolved_t)
>  corenet_udp_bind_llmnr_port(systemd_resolved_t)
>
> -auth_use_nsswitch(systemd_resolved_t)
> -
>  seutil_read_file_contexts(systemd_resolved_t)
> -
>  systemd_log_parse_environment(systemd_resolved_t)
>
>  optional_policy(`
> @@ -604,9 +688,17 @@ optional_policy(`
>  # Sessions local policy
>  #
>
> +allow systemd_sessions_t self:process setfscreate;
> +
>  allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
>  files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> +selinux_get_enforce_mode(systemd_sessions_t)
> +selinux_get_fs_mount(systemd_sessions_t)
> +seutil_read_config(systemd_sessions_t)
> +seutil_read_default_contexts(systemd_sessions_t)
> +seutil_read_file_contexts(systemd_sessions_t)
> +
>  systemd_log_parse_environment(systemd_sessions_t)
>
>  #########################################
> @@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se
>  # Tmpfiles local policy
>  #
>
> -allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid mknod };
> +allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
>  allow systemd_tmpfiles_t self:process { setfscreate getcap };
>
> +allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
> +
> +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
> +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
> +
>  manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
>  manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
>  allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
>  allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
>
>  kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> +kernel_read_network_state(systemd_tmpfiles_t)
>
> +auth_manage_faillog(systemd_tmpfiles_t)
> +auth_manage_login_records(systemd_tmpfiles_t)
> +auth_manage_var_auth(systemd_tmpfiles_t)
> +auth_relabel_login_records(systemd_tmpfiles_t)
> +auth_setattr_login_records(systemd_tmpfiles_t)
> +create_relabel_var_lib_log(systemd_tmpfiles_t)
> +dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> +dev_read_urand(systemd_tmpfiles_t)
>  dev_relabel_all_sysfs(systemd_tmpfiles_t)
>  dev_read_urand(systemd_tmpfiles_t)
>  dev_manage_all_dev_nodes(systemd_tmpfiles_t)
>
> +files_create_lock_dirs(systemd_tmpfiles_t)
> +files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
> +files_delete_usr_files(systemd_tmpfiles_t)
> +files_list_home(systemd_tmpfiles_t)
> +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
> +files_purge_tmp(systemd_tmpfiles_t)
>  files_read_etc_files(systemd_tmpfiles_t)
>  files_relabel_all_lock_dirs(systemd_tmpfiles_t)
>  files_relabel_all_pid_dirs(systemd_tmpfiles_t)
>  files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
>
> -auth_manage_var_auth(systemd_tmpfiles_t)
> -auth_manage_login_records(systemd_tmpfiles_t)
> -auth_relabel_login_records(systemd_tmpfiles_t)
> -auth_setattr_login_records(systemd_tmpfiles_t)
> +files_relabelfrom_home(systemd_tmpfiles_t)
> +files_relabelto_home(systemd_tmpfiles_t)
> +files_relabelto_etc_dirs(systemd_tmpfiles_t)
> +# for /etc/mtab
> +files_manage_etc_symlinks(systemd_tmpfiles_t)
> +fs_getattr_xattr_fs(systemd_tmpfiles_t)
> +
> +init_manage_utmp(systemd_tmpfiles_t)
> +init_manage_var_lib_files(systemd_tmpfiles_t)
> +# for /proc/1/environ
> +init_read_state(systemd_tmpfiles_t)
> +
> +init_relabel_utmp(systemd_tmpfiles_t)
> +init_relabel_var_lib_dirs(systemd_tmpfiles_t)
> +logging_manage_generic_logs(systemd_tmpfiles_t)
> +logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
> +miscfiles_manage_man_pages(systemd_tmpfiles_t)
> +miscfiles_relabel_man_cache(systemd_tmpfiles_t)
>
>  # for /run/tmpfiles.d/kmod.conf
>  modutils_read_var_run_files(systemd_tmpfiles_t)
>
> +selinux_get_fs_mount(systemd_tmpfiles_t)
> +selinux_search_fs(systemd_tmpfiles_t)
> +seutil_read_config(systemd_tmpfiles_t)
>  seutil_read_file_contexts(systemd_tmpfiles_t)

Several of the blocks above could use more blank lines.

> +sysnet_create_config(systemd_tmpfiles_t)
>  systemd_log_parse_environment(systemd_tmpfiles_t)
>
> +userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
> +userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
> +
>  tunable_policy(`systemd_tmpfiles_manage_all',`
>  	# systemd-tmpfiles can be configured to manage anything.
>  	# have a last-resort option for users to do this.
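Review bot: The added `dev_read_urand(systemd_tmpfiles_t)` and `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` lines duplicate the two existing calls that remain as context immediately after `dev_relabel_all_sysfs`, so one pair should be dropped (the auth_manage_* block was moved, but these two were copied). The widened `allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };` gains two broad capabilities with no comment naming the tmpfiles operation that needs them; sys_admin in particular covers far more than file management, so a `# for ...` comment like the ones given for /etc/mtab and /proc/1/environ, or a dontaudit if the capability is only probed, is needed before this can be reviewed. The tunable_policy block that starts at the end of this hunk continues outside it.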
> @@ -653,3 +785,16 @@ tunable_policy(`systemd_tmpfiles_manage_
>  	files_relabel_non_security_dirs(systemd_tmpfiles_t)
>  	files_relabel_non_security_files(systemd_tmpfiles_t)
>  ')
> +
> +optional_policy(`
> +	dbus_read_lib_files(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
> +	xserver_create_console_pipes(systemd_tmpfiles_t)
> +	xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
> +	xfs_create_dirs(systemd_tmpfiles_t)
> +')

This block is out of order

> Index: refpolicy-2.20170227/policy/modules/contrib/xfs.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/contrib/xfs.if
> +++ refpolicy-2.20170227/policy/modules/contrib/xfs.if
> @@ -21,6 +21,25 @@ interface(`xfs_read_sockets',`
>
>  ########################################
>  ## <summary>
> +##	Create xfs temporary dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xfs_create_dirs',`
> +	gen_require(`
> +		type xfs_tmp_t;
> +	')
> +
> +	files_search_tmp($1)
> +	allow $1 xfs_tmp_t:dir create;
> +')
> +
> +########################################
> +## <summary>
>  ##	Connect to xfs with a unix
>  ##	domain stream socket.
>  ## </summary>
> Index: refpolicy-2.20170227/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170227/policy/modules/kernel/files.if
> @@ -2760,6 +2760,24 @@ interface(`files_setattr_etc_dirs',`
>
>  ########################################
>  ## <summary>
> +##	relabel directories to etc_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_relabelto_etc_dirs',`
> +	gen_require(`
> +		type etc_t;
> +	')
> +
> +	allow $1 etc_t:dir relabelto;
> +')
> +
> +########################################
> +## <summary>
>  ##	List the contents of /etc directories.
>  ## </summary>
>  ## <param name="domain">
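Review bot: The summary `##	relabel directories to etc_t` is lowercase and names the type rather than the path, unlike the neighbouring `List the contents of /etc directories.`; `##	Relabel directories to the /etc directory type.` would match the file's convention. The rule deliberately grants only relabelto and not relabelfrom, which is worth a short comment so a later reader does not "complete" it.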
> @@ -3811,6 +3829,24 @@ interface(`files_relabelto_home',`
>
>  ########################################
>  ## <summary>
> +##	Relabel from user home root (/home).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_relabelfrom_home',`
> +	gen_require(`
> +		type home_root_t;
> +	')
> +
> +	allow $1 home_root_t:dir relabelfrom;
> +')
> +
> +########################################
> +## <summary>
>  ##	Create objects in /home.
>  ## </summary>
>  ## <param name="domain">
> @@ -5709,6 +5745,30 @@ interface(`files_search_var_lib',`
>
>  ########################################
>  ## <summary>
> +##	Create and label /var/lib and /var/log
> +## </summary>
> +## <desc>
> +##	<p>
> +##	This allows programs to setup directories under /var
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`create_relabel_var_lib_log',`
> +	gen_require(`
> +		type var_t, var_lib_t, var_log_t;
> +	')
> +
> +	allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto manage_dir_perms };
> +')

This needs to be broken up by type and also relabelto/from vs. 
manage_dir_perms.

> +########################################
> +## <summary>
>  ##	Do not audit attempts to search the
>  ##	contents of /var/lib.
>  ## </summary>
> @@ -6528,6 +6588,27 @@ interface(`files_dontaudit_ioctl_all_pid
>  ')
>
>  ########################################
> +## <summary>
> +##     create and manage all pidfile directories
> +##     in the /var/run directory.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`files_create_manage_all_pid_dirs',`
> +        gen_require(`
> +                attribute pidfile;
> +                type var_run_t;
> +        ')
> +
> +        create_dirs_pattern($1,var_run_t,pidfile)
> +        allow $1 pidfile:dir manage_dir_perms;
> +')

I'm confused about what this interface is intending.  Create is a subset 
of manage.


> +########################################
>  ## <summary>
>  ##     manage all pidfile directories
>  ##     in the /var/run directory.
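Review bot: The body of `files_create_manage_all_pid_dirs` is indented with spaces while every other interface in this patch and the surrounding files.if use tabs, and `create_dirs_pattern($1,var_run_t,pidfile)` omits the spaces after commas used elsewhere in the patch (`relabel_dirs_pattern($1, man_cache_t, man_cache_t)` in miscfiles.if); the block should be reformatted to tabs with `	create_dirs_pattern($1, var_run_t, pidfile)`. The lowercase summary `create and manage all pidfile directories` should likewise be a capitalised sentence to match its neighbours.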
> Index: refpolicy-2.20170227/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170227/policy/modules/system/init.if
> @@ -1120,6 +1161,24 @@ interface(`init_manage_var_lib_files',`
>
>  ########################################
>  ## <summary>
> +##	relabel dirs in /var/lib/systemd/.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_relabel_var_lib_dirs',`
> +	gen_require(`
> +		type init_var_lib_t;
> +	')
> +
> +	allow $1 init_var_lib_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +## <summary>
>  ##	Create files in /var/lib/systemd
>  ##	with an automatic type transition.
>  ## </summary>
> @@ -2519,6 +2687,24 @@ interface(`init_manage_utmp',`
>
>  ########################################
>  ## <summary>
> +##	relabel from/to utmp
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_relabel_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	allow $1 initrc_var_run_t:file { relabelfrom relabelto };
> +')
> +
> +########################################
> +## <summary>
>  ##	Create files in /var/run with the
>  ##	utmp file type.
>  ## </summary>
> Index: refpolicy-2.20170227/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170227/policy/modules/system/logging.if
> @@ -1138,3 +1138,23 @@ interface(`logging_admin',`
>  	logging_admin_audit($1, $2)
>  	logging_admin_syslog($1, $2)
>  ')
> +
> +########################################
> +## <summary>
> +##	setattr for syslogd_tmp_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`logging_set_perms_syslogd_tmp',`
> +	gen_require(`
> +		type syslogd_tmp_t;
> +	')
> +
> +	allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
> +')
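Review bot: `<rolecap/>` on `logging_set_perms_syslogd_tmp` marks the interface for exposure through role/admin interfaces, but its only caller in this patch is systemd_tmpfiles_t, so the tag should be dropped or justified in the description. The name says only `set_perms` while the rule also grants relabelfrom/relabelto, and the summary `setattr for syslogd_tmp_t` says even less; once the relabel part is its own interface it should be named `logging_relabel_syslogd_tmp` (or similar) with a summary that names the permissions granted.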

Please split out the setattr and separate dir/file.

> Index: refpolicy-2.20170227/policy/modules/system/miscfiles.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/miscfiles.if
> +++ refpolicy-2.20170227/policy/modules/system/miscfiles.if
> @@ -558,6 +558,25 @@ interface(`miscfiles_delete_man_pages',`
>
>  ########################################
>  ## <summary>
> +##      relabel man cache
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`miscfiles_relabel_man_cache',`
> +	gen_require(`
> +		type man_cache_t;
> +	')
> +
> +	relabel_dirs_pattern($1, man_cache_t, man_cache_t)
> +	relabel_files_pattern($1, man_cache_t, man_cache_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Create, read, write, and delete man pages
>  ## </summary>
>  ## <param name="domain">
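Review bot: The XML doc lines of `miscfiles_relabel_man_cache` (from `##      relabel man cache` through `##      </summary>`) are indented with spaces where the neighbouring interface (`##	Create, read, write, and delete man pages`) uses a tab, and the summary is lowercase; `##	Relabel man page cache directories and files.` would match the file and describe both pattern calls.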
> Index: refpolicy-2.20170227/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170227/policy/modules/system/userdomain.if
> @@ -2902,6 +2902,24 @@ interface(`userdom_manage_user_runtime_r
>
>  ########################################
>  ## <summary>
> +##	relabel to/from user_runtime_root_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_relabel_user_runtime_root_dirs',`
> +	gen_require(`
> +		type user_runtime_root_t;
> +	')
> +
> +	allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +## <summary>
>  ##	Create, read, write, and delete user
>  ##	runtime dirs.
>  ## </summary>
> Index: refpolicy-2.20170227/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170227/policy/modules/services/xserver.if
> @@ -806,7 +806,7 @@ interface(`xserver_dbus_chat_xdm',`
>  	gen_require(`
>  		type xdm_t;
>  		class dbus send_msg;
> -        ')
> +	')
>
>  	allow $1 xdm_t:dbus send_msg;
>  	allow xdm_t $1:dbus send_msg;
> @@ -1525,3 +1525,40 @@ interface(`xserver_unconfined',`
>  	typeattribute $1 x_domain;
>  	typeattribute $1 xserver_unconfined_type;
>  ')
> +
> +
> +########################################
> +## <summary>
> +##      Create the X windows console named pipes.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`xserver_create_console_pipes',`
> +	gen_require(`
> +		type xconsole_device_t;
> +	')
> +
> +	allow $1 xconsole_device_t:fifo_file create;
> +')
> +
> +########################################
> +## <summary>
> +##      Create xdm_tmp_t directories
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain to allow
> +##      </summary>
> +## </param>
> +#
> +interface(`xserver_create_xdm_tmp_dir',`
> +	gen_require(`
> +		type xdm_tmp_t;
> +	')
> +
> +	allow $1 xdm_tmp_t:dir create;
> +')
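Review bot: `xserver_create_xdm_tmp_dir` grants `create` on xdm_tmp_t:dir but, unlike the parallel `xfs_create_dirs` in this patch, does not call `files_search_tmp($1)`, so a caller that does not already search tmp_t would be denied before reaching the create; add `	files_search_tmp($1)` before the allow line for consistency between the two new interfaces. The param summary `Domain to allow` differs from the `Domain allowed access.` wording every other interface here uses, the doc lines are indented with spaces rather than the file's tabs, and the two blank lines after `xserver_unconfined` should be one.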
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito
