SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* strict patch
@ 2020-02-12  2:43 Russell Coker
  2020-02-16 15:04 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2020-02-12  2:43 UTC (permalink / raw)
  To: selinux-refpolicy


[-- Attachment #1: Type: text/plain, Size: 402 bytes --]

The attached patch has a bunch of minor changes which are mostly needed in a 
"strict" configuration when running with systemd.

It also removes the systemd_analyze_t domain which doesn't provide any 
benefit.  This patch is against the git refpolicy from 3 days ago and I think 
it's ready for merging.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

[-- Attachment #2: strict.diff --]
[-- Type: text/x-patch, Size: 7452 bytes --]

Index: refpolicy-2.20200209/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20200209/policy/modules/system/userdomain.if
@@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
 	dontaudit $1_t user_tty_device_t:chr_file ioctl;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_crypto_sysctls($1_t)
+	kernel_read_vm_overcommit_sysctl($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -110,11 +112,15 @@ template(`userdom_base_user_template',`
 
 	libs_exec_ld_so($1_t)
 
+	logging_send_syslog_msg($1_t)
+
 	miscfiles_read_localization($1_t)
 	miscfiles_read_generic_certs($1_t)
 
 	sysnet_read_config($1_t)
 
+	userdom_write_all_user_runtime_named_sockets($1_t)
+
 	# kdeinit wants systemd status
 	init_get_system_status($1_t)
 
@@ -861,6 +867,10 @@ template(`userdom_common_user_template',
 	')
 
 	optional_policy(`
+		udev_read_pid_files($1_t)
+	')
+
+	optional_policy(`
 		usernetctl_run($1_t, $1_r)
 	')
 
@@ -1208,6 +1218,15 @@ template(`userdom_unpriv_user_template',
 
 	optional_policy(`
 		systemd_dbus_chat_logind($1_t)
+		systemd_use_logind_fds($1_t)
+		systemd_dbus_chat_hostnamed($1_t)
+		systemd_write_inherited_logind_inhibit_pipes($1_t)
+
+		# kwalletd5 inherits a socket from init
+		init_rw_inherited_stream_socket($1_t)
+		init_use_fds($1_t)
+		# for polkit-kde-auth
+		init_read_state($1_t)
 	')
 ')
 
@@ -3519,6 +3538,25 @@ interface(`userdom_delete_all_user_runti
 ')
 
 ########################################
+## <summary>
+##	write user runtime socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
 ## <summary>
 ##	Create objects in the pid directory
 ##	with an automatic type transition to
Index: refpolicy-2.20200209/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20200209/policy/modules/roles/sysadm.te
@@ -49,6 +49,9 @@ selinux_read_policy(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
+# for systemd-analyze
+files_get_etc_unit_status(sysadm_t)
+
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
 		init_run_daemon(sysadm_t, sysadm_r)
@@ -1107,6 +1110,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(sysadm_t)
+')
+
+optional_policy(`
 	tboot_run_txtstat(sysadm_t, sysadm_r)
 ')
 
@@ -1174,6 +1181,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dev_rw_generic_usb_dev(sysadm_t)
 	usbmodules_run(sysadm_t, sysadm_r)
 ')
 
Index: refpolicy-2.20200209/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20200209/policy/modules/services/xserver.if
@@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
 	xserver_xsession_entry_type($2)
 	xserver_dontaudit_write_log($2)
 	xserver_stream_connect_xdm($2)
+	xserver_use_user_fonts($2)
 	# certain apps want to read xdm.pid file
 	xserver_read_xdm_pid($2)
 	# gnome-session creates socket under /tmp/.ICE-unix/
@@ -140,7 +141,7 @@ interface(`xserver_role',`
 	gen_require(`
 		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-		type mesa_shader_cache_t;
+		type mesa_shader_cache_t, xdm_t;
 	')
 
 	xserver_restricted_role($1, $2)
@@ -183,6 +184,8 @@ interface(`xserver_role',`
 
 	xserver_read_xkb_libs($2)
 
+	allow $2 xdm_t:unix_stream_socket accept;
+
 	optional_policy(`
 		xdg_manage_all_cache($2)
 		xdg_relabel_all_cache($2)
@@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',`
 	allow $1 xkb_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
 	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+	allow $1 xkb_var_lib_t:file map;
 ')
 
 ########################################
Index: refpolicy-2.20200209/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20200209/policy/modules/services/dbus.if
@@ -84,6 +84,7 @@ template(`dbus_role_template',`
 
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
 	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $1_dbusd_t $3:dbus send_msg;
 	allow $3 $1_dbusd_t:fd use;
 
 	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
@@ -99,9 +100,14 @@ template(`dbus_role_template',`
 
 	allow $1_dbusd_t $3:process sigkill;
 
+	allow $1_dbusd_t self:process getcap;
+
 	corecmd_bin_domtrans($1_dbusd_t, $3)
 	corecmd_shell_domtrans($1_dbusd_t, $3)
 
+	dev_read_sysfs($1_dbusd_t)
+	xdg_read_data_files($1_dbusd_t)
+
 	auth_use_nsswitch($1_dbusd_t)
 
 	ifdef(`hide_broken_symptoms',`
@@ -109,6 +115,11 @@ template(`dbus_role_template',`
 	')
 
 	optional_policy(`
+		init_dbus_chat($1_dbusd_t)
+		dbus_system_bus_client($1_dbusd_t)
+	')
+
+	optional_policy(`
 		systemd_read_logind_pids($1_dbusd_t)
 	')
 ')
Index: refpolicy-2.20200209/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20200209/policy/modules/services/ssh.if
@@ -437,6 +437,7 @@ template(`ssh_role_template',`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 		xserver_sigchld_xdm($1_ssh_agent_t)
+		xserver_write_inherited_xsession_log($1_ssh_agent_t)
 	')
 ')
 
Index: refpolicy-2.20200209/policy/modules/kernel/corecommands.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/kernel/corecommands.te
+++ refpolicy-2.20200209/policy/modules/kernel/corecommands.te
@@ -13,7 +13,7 @@ attribute exec_type;
 #
 # bin_t is the type of files in the system bin/sbin directories.
 #
-type bin_t alias { ls_exec_t sbin_t };
+type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
 corecmd_executable_file(bin_t)
 dev_associate(bin_t)	#For /dev/MAKEDEV
 
Index: refpolicy-2.20200209/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20200209.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20200209/policy/modules/system/systemd.te
@@ -37,10 +37,6 @@ type systemd_activate_t;
 type systemd_activate_exec_t;
 init_system_domain(systemd_activate_t, systemd_activate_exec_t)
 
-type systemd_analyze_t;
-type systemd_analyze_exec_t;
-init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
-
 type systemd_backlight_t;
 type systemd_backlight_exec_t;
 init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
@@ -1168,6 +1164,7 @@ tunable_policy(`systemd_tmpfiles_manage_
 ')
 
 optional_policy(`
+	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: strict patch
  2020-02-12  2:43 strict patch Russell Coker
@ 2020-02-16 15:04 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2020-02-16 15:04 UTC (permalink / raw)
  To: russell, selinux-refpolicy

On 2/11/20 9:43 PM, Russell Coker wrote:
> The attached patch has a bunch of minor changes which are mostly needed in a
> "strict" configuration when running with systemd.
> 
> It also removes the systemd_analyze_t domain which doesn't provide any
> benefit.  This patch is against the git refpolicy from 3 days ago and I think
> it's ready for merging.

Please inline the patch and add signed-off-by.

> Index: refpolicy-2.20200209/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20200209/policy/modules/system/userdomain.if
[...]
> @@ -110,11 +112,15 @@ template(`userdom_base_user_template',`
>  
>  	libs_exec_ld_so($1_t)
>  
> +	logging_send_syslog_msg($1_t)
> +
>  	miscfiles_read_localization($1_t)
>  	miscfiles_read_generic_certs($1_t)
>  
>  	sysnet_read_config($1_t)
>  
> +	userdom_write_all_user_runtime_named_sockets($1_t)
> +
>  	# kdeinit wants systemd status
>  	init_get_system_status($1_t)
>  

I would be ok with these in one of the other templates, but not the base 
template.


> @@ -861,6 +867,10 @@ template(`userdom_common_user_template',
>  	')
>  
>  	optional_policy(`
> +		udev_read_pid_files($1_t)
> +	')
> +
> +	optional_policy(`
>  		usernetctl_run($1_t, $1_r)
>  	')
>  

Why?


> @@ -1208,6 +1218,15 @@ template(`userdom_unpriv_user_template',
>  
>  	optional_policy(`
>  		systemd_dbus_chat_logind($1_t)
> +		systemd_use_logind_fds($1_t)
> +		systemd_dbus_chat_hostnamed($1_t)
> +		systemd_write_inherited_logind_inhibit_pipes($1_t)

What features are these needed for?


> +		# kwalletd5 inherits a socket from init
> +		init_rw_inherited_stream_socket($1_t)
> +		init_use_fds($1_t)
> +		# for polkit-kde-auth
> +		init_read_state($1_t)
>  	')
>  ')
>  
> @@ -3519,6 +3538,25 @@ interface(`userdom_delete_all_user_runti
>  ')
>  
>  ########################################
> +## <summary>
> +##	write user runtime socket files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_write_all_user_runtime_named_sockets',`
> +	gen_require(`
> +		attribute user_runtime_content_type;
> +	')
> +
> +	allow $1 user_runtime_content_type:dir list_dir_perms;
> +	allow $1 user_runtime_content_type:sock_file write;

Which processes is this related to?

> +')
> +
> +########################################
>  ## <summary>
>  ##	Create objects in the pid directory
>  ##	with an automatic type transition to
> Index: refpolicy-2.20200209/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20200209/policy/modules/roles/sysadm.te
> @@ -49,6 +49,9 @@ selinux_read_policy(sysadm_t)
>  userdom_manage_user_home_dirs(sysadm_t)
>  userdom_home_filetrans_user_home_dir(sysadm_t)
>  
> +# for systemd-analyze
> +files_get_etc_unit_status(sysadm_t)
> +
>  ifdef(`direct_sysadm_daemon',`
>  	optional_policy(`
>  		init_run_daemon(sysadm_t, sysadm_r)
> @@ -1107,6 +1110,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	systemd_dbus_chat_logind(sysadm_t)
> +')
> +
> +optional_policy(`
>  	tboot_run_txtstat(sysadm_t, sysadm_r)
>  ')
>  
> @@ -1174,6 +1181,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dev_rw_generic_usb_dev(sysadm_t)
>  	usbmodules_run(sysadm_t, sysadm_r)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20200209/policy/modules/services/xserver.if
> @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
>  	xserver_xsession_entry_type($2)
>  	xserver_dontaudit_write_log($2)
>  	xserver_stream_connect_xdm($2)
> +	xserver_use_user_fonts($2)
>  	# certain apps want to read xdm.pid file
>  	xserver_read_xdm_pid($2)
>  	# gnome-session creates socket under /tmp/.ICE-unix/
> @@ -140,7 +141,7 @@ interface(`xserver_role',`
>  	gen_require(`
>  		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
>  		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
> -		type mesa_shader_cache_t;
> +		type mesa_shader_cache_t, xdm_t;
>  	')
>  
>  	xserver_restricted_role($1, $2)
> @@ -183,6 +184,8 @@ interface(`xserver_role',`
>  
>  	xserver_read_xkb_libs($2)
>  
> +	allow $2 xdm_t:unix_stream_socket accept;
> +
>  	optional_policy(`
>  		xdg_manage_all_cache($2)
>  		xdg_relabel_all_cache($2)
> @@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',`
>  	allow $1 xkb_var_lib_t:dir list_dir_perms;
>  	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
>  	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
> +	allow $1 xkb_var_lib_t:file map;
>  ')
>  
>  ########################################
> Index: refpolicy-2.20200209/policy/modules/services/dbus.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/dbus.if
> +++ refpolicy-2.20200209/policy/modules/services/dbus.if
> @@ -84,6 +84,7 @@ template(`dbus_role_template',`
>  
>  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
>  	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
> +	allow $1_dbusd_t $3:dbus send_msg;
>  	allow $3 $1_dbusd_t:fd use;
>  
>  	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
> @@ -99,9 +100,14 @@ template(`dbus_role_template',`
>  
>  	allow $1_dbusd_t $3:process sigkill;
>  
> +	allow $1_dbusd_t self:process getcap;
> +
>  	corecmd_bin_domtrans($1_dbusd_t, $3)
>  	corecmd_shell_domtrans($1_dbusd_t, $3)
>  
> +	dev_read_sysfs($1_dbusd_t)
> +	xdg_read_data_files($1_dbusd_t)

This xdg access needs to be optional.

> +
>  	auth_use_nsswitch($1_dbusd_t)
>  
>  	ifdef(`hide_broken_symptoms',`
> @@ -109,6 +115,11 @@ template(`dbus_role_template',`
>  	')
>  
>  	optional_policy(`
> +		init_dbus_chat($1_dbusd_t)
> +		dbus_system_bus_client($1_dbusd_t)
> +	')
> +
> +	optional_policy(`
>  		systemd_read_logind_pids($1_dbusd_t)
>  	')
>  ')
> Index: refpolicy-2.20200209/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20200209/policy/modules/services/ssh.if
> @@ -437,6 +437,7 @@ template(`ssh_role_template',`
>  		xserver_use_xdm_fds($1_ssh_agent_t)
>  		xserver_rw_xdm_pipes($1_ssh_agent_t)
>  		xserver_sigchld_xdm($1_ssh_agent_t)
> +		xserver_write_inherited_xsession_log($1_ssh_agent_t)
>  	')
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/kernel/corecommands.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/kernel/corecommands.te
> +++ refpolicy-2.20200209/policy/modules/kernel/corecommands.te
> @@ -13,7 +13,7 @@ attribute exec_type;
>  #
>  # bin_t is the type of files in the system bin/sbin directories.
>  #
> -type bin_t alias { ls_exec_t sbin_t };
> +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
>  corecmd_executable_file(bin_t)
>  dev_associate(bin_t)	#For /dev/MAKEDEV
>  
> Index: refpolicy-2.20200209/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20200209/policy/modules/system/systemd.te
> @@ -37,10 +37,6 @@ type systemd_activate_t;
>  type systemd_activate_exec_t;
>  init_system_domain(systemd_activate_t, systemd_activate_exec_t)
>  
> -type systemd_analyze_t;
> -type systemd_analyze_exec_t;
> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
> -
>  type systemd_backlight_t;
>  type systemd_backlight_exec_t;
>  init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
> @@ -1168,6 +1164,7 @@ tunable_policy(`systemd_tmpfiles_manage_
>  ')
>  
>  optional_policy(`
> +	dbus_manage_lib_files(systemd_tmpfiles_t)
>  	dbus_read_lib_files(systemd_tmpfiles_t)
>  	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
>  ')




-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-12  2:43 strict patch Russell Coker
2020-02-16 15:04 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git