From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] machined
Date: Tue, 2 Feb 2021 14:03:27 -0500	[thread overview]
Message-ID: <fd6d901a-13fc-3e1d-be24-0248f391ec9c@ieee.org> (raw)
In-Reply-To: <YBlqoEgnMLc5oWAx@xev>

On 2/2/21 10:07 AM, Russell Coker wrote:
> This patch is for systemd-machined.  Some of it will probably need
> discussion but some is obviously good, so Chris maybe you could take
> the bits you like for this release?
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210203/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210203/policy/modules/services/ssh.te
> @@ -265,9 +265,10 @@ ifdef(`distro_debian',`
>   ')
>   
>   ifdef(`init_systemd',`
> +	auth_use_pam_systemd(sshd_t)
>   	init_dbus_chat(sshd_t)
> -	systemd_dbus_chat_logind(sshd_t)
>   	init_rw_stream_sockets(sshd_t)
> +	systemd_write_inherited_logind_sessions_pipes(sshd_t)
>   ')
>   
>   tunable_policy(`ssh_sysadm_login',`
> @@ -310,11 +311,6 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	systemd_write_inherited_logind_sessions_pipes(sshd_t)
> -	systemd_dbus_chat_logind(sshd_t)
> -')
> -
> -optional_policy(`
>   	xserver_domtrans_xauth(sshd_t)
>   	xserver_link_xdm_keys(sshd_t)
>   ')
> Index: refpolicy-2.20210203/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20210203/policy/modules/system/authlogin.if
> @@ -91,6 +91,7 @@ interface(`auth_use_pam',`
>   #
>   interface(`auth_use_pam_systemd',`
>   	dbus_system_bus_client($1)
> +	systemd_connect_machined($1)
>   	systemd_dbus_chat_logind($1)
>   ')
>   
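Review bot: The new `systemd_connect_machined($1)` line in auth_use_pam_systemd has no comment, and because this interface is called from login domains such as sshd_t (see the ssh.te hunks), every PAM-using login domain now gets connectto to machined's socket. The neighbouring logind rule in systemd.te does get a comment; a matching why-comment here would help later audits, e.g. `# userdb lookups via /run/systemd/userdb/io.systemd.Machine` above the call. The interface's header comment sits above this hunk and would be the place to mention it as well.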
> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
> @@ -151,6 +151,9 @@ type systemd_machined_runtime_t alias sy
>   files_runtime_file(systemd_machined_runtime_t)
>   init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
>   
> +type systemd_machined_devpts_t;
> +term_login_pty(systemd_machined_devpts_t)
> +
>   type systemd_modules_load_t;
>   type systemd_modules_load_exec_t;
>   init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
> @@ -562,6 +565,9 @@ allow systemd_logind_t self:fifo_file rw
>   allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
>   init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
>   
> +# for /run/systemd/userdb/io.systemd.Machine
> +allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
> +
>   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
>   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
>   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> @@ -737,6 +743,8 @@ allow systemd_machined_t systemd_machine
>   kernel_read_kernel_sysctls(systemd_machined_t)
>   kernel_read_system_state(systemd_machined_t)
>   
> +dev_getattr_fs(systemd_machined_t)
> +
>   files_read_etc_files(systemd_machined_t)
>   
>   fs_getattr_cgroup(systemd_machined_t)
> @@ -760,6 +768,10 @@ logging_send_syslog_msg(systemd_machined
>   
>   seutil_search_default_contexts(systemd_machined_t)
>   
> +term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
> +allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
> +term_getattr_pty_fs(systemd_machined_t)
> +
>   optional_policy(`
>   	init_dbus_chat(systemd_machined_t)
>   	init_dbus_send_script(systemd_machined_t)
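Review bot: `manage_file_perms` on systemd_machined_devpts_t chr_file grants create, rename, link and unlink on pty slave nodes, which devpts creates and removes on its own, so most of that set cannot be exercised and the rest (open/read/write/ioctl, possibly setattr) is presumably already covered by `term_create_pty` — worth confirming with sesearch on the built policy. I would narrow this to `allow systemd_machined_t systemd_machined_devpts_t:chr_file rw_term_perms;` (adding setattr only if an AVC shows it) and add a comment naming the feature, e.g. `# ptys handed out for machinectl shell/login`.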
> Index: refpolicy-2.20210203/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20210203/policy/modules/system/systemd.if
> @@ -19,12 +19,18 @@
>   ##	The user domain for the role.
>   ##	</summary>
>   ## </param>
> +## <param name="pty_type">
> +##	<summary>
> +##	The type for the user pty
> +##	</summary>
> +## </param>
>   #
>   template(`systemd_role_template',`
>   	gen_require(`
>   		attribute systemd_user_session_type, systemd_log_parse_env_type;
>   		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
> -		type systemd_run_exec_t, systemd_analyze_exec_t;
> +		type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t;
> +		type systemd_machined_t;
>   	')
>   
>   	#################################
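Review bot: The added `<param name="pty_type">` documentation describes a fourth template argument that the template never consumes: no `$4` appears in the template, and the later hunk in this file hard-codes `user_devpts_t`, which is why it is pulled into gen_require here. Either drop the new param block or actually use the parameter in place of `user_devpts_t`, which would also remove the new cross-module type dependency from gen_require. Requiring `user_devpts_t` directly instead of going through a userdomain interface is the second thing I would reconsider. The template body continues past this hunk.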
> @@ -56,9 +62,20 @@ template(`systemd_role_template',`
>   	allow $1_systemd_t $3:process { setsched rlimitinh };
>   	corecmd_shell_domtrans($1_systemd_t, $3)
>   	corecmd_bin_domtrans($1_systemd_t, $3)
> +	corecmd_shell_entry_type($1_systemd_t)
> +	allow $1_systemd_t self:process signal;
> +
> +	files_search_home($1_systemd_t)
>   
>   	# Allow using file descriptors for user environment generators
>   	allow $3 $1_systemd_t:fd use;
> +	allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
> +
> +	# for "machinectl shell"
> +	allow $1_systemd_t systemd_machined_t:fd use;
> +	allow $3 systemd_machined_t:fd use;
> +	allow $3 systemd_machined_t:dbus send_msg;
> +	allow systemd_machined_t $3:dbus send_msg;

I merged most of this except for this machinectl shell part.

>   	# systemctl --user
>   	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
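Review bot: The machinectl-shell rules grant `systemd_machined_t:dbus send_msg` in both directions and `systemd_machined_t:fd use` to `$3`, i.e. to every user domain instantiated through systemd_role_template, not only to administrative roles; asking machined for a shell is, as far as I know, gated only by polkit in userspace, so the policy would now rely entirely on that check. Consider moving these four lines into a separate interface (in the style of `systemd_dbus_chat_logind`) that sysadm-type roles call explicitly, or at least behind a tunable, and say in the comment that polkit is the remaining control, e.g. `# machinectl shell: access to machined is otherwise only polkit-gated`. The reply notes this part was not merged, so it likely needs exactly that discussion.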
> @@ -66,6 +83,14 @@ template(`systemd_role_template',`
>   	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
>   
>   	dbus_system_bus_client($1_systemd_t)
> +
> +	selinux_use_status_page($1_systemd_t)
> +	seutil_read_file_contexts($1_systemd_t)
> +	seutil_search_default_contexts($1_systemd_t)
> +
> +	# for machinectl shell
> +	term_user_pty($1_systemd_t, user_devpts_t)
> +	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
>   ')
>   
>   ######################################
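Review bot: `allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;` directly below `term_user_pty($1_systemd_t, user_devpts_t)` looks redundant: term_user_pty should already grant read/write on the pty type (confirm with sesearch), and if anything extra is needed the terminal permission set `rw_term_perms` is the conventional choice over `rw_file_perms`. The `selinux_use_status_page` and two seutil lines are also uncommented; a short note on why the user's systemd instance needs the status page and file contexts for machinectl shell would help the next reader. The template continues outside the hunk.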
> @@ -489,6 +514,24 @@ interface(`systemd_read_machines',`
>   
>   ########################################
>   ## <summary>
> +##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain that can access the socket
> +##     </summary>
> +## </param>
> +#
> +interface(`systemd_connect_machined',`
> +	gen_require(`
> +		type systemd_machined_t;
> +	')
> +
> +	allow $1 systemd_machined_t:unix_stream_socket connectto;
> +')
> +
> +########################################
> +## <summary>
>   ##   Send and receive messages from
>   ##   systemd hostnamed over dbus.
>   ## </summary>
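Review bot: `systemd_connect_machined` grants only `unix_stream_socket connectto`, but connecting to a named socket such as /run/systemd/userdb/io.systemd.Machine also needs `write` on the sock_file (and search on its directory), which this interface does not give; unless callers already hold that through another rule, the grant is insufficient on its own. The usual refpolicy shape is `stream_connect_pattern($1, <sock_file type>, <sock_file type>, systemd_machined_t)` with whatever type the socket file carries — I cannot tell from this patch which type that is, so it needs checking on a running system (`ls -Z /run/systemd/userdb/`). The summary should also say this is the userdb socket rather than a generic machined socket.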
> @@ -1300,3 +1343,23 @@ interface(`systemd_run_sysusers', `
>   	systemd_domtrans_sysusers($1)
>   	roleattribute $2 systemd_sysusers_roles;
>   ')
> +
> +########################################
> +## <summary>
> +##  receive and use a systemd_machined_devpts_t file handle
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`systemd_use_machined_devpts', `
> +	gen_require(`
> +		type systemd_machined_t, systemd_machined_devpts_t;
> +	')
> +
> +	allow $1 systemd_machined_t:fd use;
> +	allow $1 systemd_machined_devpts_t:chr_file { read write };
> +')
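Review bot: `{ read write }` on systemd_machined_devpts_t chr_file is a hand-written permission set; for an inherited terminal fd refpolicy normally uses the terminal set (`rw_inherited_term_perms` if this tree has it, else `rw_inherited_file_perms`), which also covers the getattr and ioctl a relaying daemon may hit. The `<rolecap/>` tag looks wrong for a plain access interface that is called from system_dbusd_t rather than from a role, so I would drop it. The summary could also be capitalised and aligned with its neighbours, e.g. `Use a systemd_machined_devpts_t terminal fd received from machined`.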
> Index: refpolicy-2.20210203/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20210203/policy/modules/system/locallogin.te
> @@ -142,6 +142,7 @@ ifdef(`init_systemd',`
>   	auth_manage_faillog(local_login_t)
>   
>   	init_dbus_chat(local_login_t)
> +	systemd_connect_machined(local_login_t)
>   	systemd_dbus_chat_logind(local_login_t)
>   	systemd_use_logind_fds(local_login_t)
>   	systemd_manage_logind_runtime_pipes(local_login_t)
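Review bot: local_login_t receives `systemd_connect_machined` as a direct call next to `systemd_dbus_chat_logind`, which is exactly the pair the patch's own `auth_use_pam_systemd` now provides; ssh.te was refactored to call that interface instead, and the same treatment here would keep the two login domains in sync. Replace the two lines with `auth_use_pam_systemd(local_login_t)`, provided local_login_t does not already call it elsewhere in the file (not visible in this hunk).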
> Index: refpolicy-2.20210203/policy/modules/services/dbus.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dbus.te
> +++ refpolicy-2.20210203/policy/modules/services/dbus.te
> @@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbus
>   seutil_read_config(system_dbusd_t)
>   seutil_read_default_contexts(system_dbusd_t)
>   
> +# for machinectl shell
> +term_use_ptmx(system_dbusd_t)
> +
>   userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
>   userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>   # read a file in ~/.local/share
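Review bot: `term_use_ptmx(system_dbusd_t)` is placed unconditionally even though its comment ties it to machinectl shell, while the matching machined rule later in this file sits inside an optional_policy block; keeping both together (in that optional_policy or an `ifdef(`init_systemd',` block) would avoid giving the bus daemon /dev/ptmx access on non-systemd builds. The comment should also state what the access is for — presumably receiving the pty master fd that machined passes across the bus, which carries the /dev/ptmx label, rather than the daemon opening ptys itself; e.g. `# machinectl shell: receive the pty master fd relayed from machined (labeled like /dev/ptmx) — TODO confirm from AVC`.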
> @@ -184,6 +187,9 @@ optional_policy(`
>   	systemd_read_logind_runtime_files(system_dbusd_t)
>   	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
>   	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
> +
> +	# for passing around terminal file handles for machinectl shell
> +	systemd_use_machined_devpts(system_dbusd_t)
>   ')
>   
>   optional_policy(`
> 


-- 
Chris PeBenito
