SELinux-Refpolicy Archive on lore.kernel.org
* [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
From: Henrik Grindal Bakken @ 2020-01-17 23:15 UTC (permalink / raw)
  To: selinux-refpolicy

From: Henrik Grindal Bakken <henribak@cisco.com>

This is the same behaviour as files_*_non_auth_types have.
---
 policy/modules/kernel/files.if | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f1c9441..255d8a9 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -652,7 +652,11 @@ interface(`files_manage_non_security_files',`
 		attribute non_security_file_type;
 	')
 
+	manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
 	manage_files_pattern($1, non_security_file_type, non_security_file_type)
+	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+	manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+	manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
 ')
 
 ########################################
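Review bot: the four added pattern calls change what files_manage_non_security_files() grants for every existing caller, from the file class alone to dir, lnk_file, fifo_file and sock_file as well, so a domain that only needs file access would silently gain the rest. Refpolicy keeps one object class per interface, so this belongs in separate per-class interfaces (a lnk_file-specific one, for example) that callers opt into; if it is kept as-is, the interface's doc block above the hunk (not shown in the context) would also need to list the added classes.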
@@ -671,7 +675,11 @@ interface(`files_relabel_non_security_files',`
 		attribute non_security_file_type;
 	')
 
+	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
 	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+	relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+	relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+	relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
 ')
 
 ########################################
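Review bot: same concern as the manage hunk: adding relabel_dirs/lnk/fifo/sock patterns widens files_relabel_non_security_files() for all current callers, and relabelling directories across every non_security_file_type type is a noticeably broader grant than relabelling files. A per-class interface keeps the existing file-only semantics intact. The commit message should also state the actual motivation (the systemd-tmpfiles denials mentioned later in the thread) rather than only "same as the non_auth_types interfaces".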
-- 
2.10.2



* Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
From: Henrik Grindal Bakken @ 2020-01-18  7:11 UTC (permalink / raw)
  To: selinux-refpolicy

Henrik Grindal Bakken <hgb@ifi.uio.no> writes:

> From: Henrik Grindal Bakken <henribak@cisco.com>
>
> This is the same behaviour as files_*_non_auth_types have.

The rationale for changing this is that the systemd-tmpfiles rules use
files_manage_non_security_files() (and ..._relabel_...), which doesn't
work well if you use tmpfiles for somewhat more exotic paths than the
standard setup.

An alternative to this approach is to change the rules in systemd.te for
systemd_tmpfiles_t, but it seems to me like this change would be more in
line with what's done for the similar interfaces.

-- 
Henrik Grindal Bakken <hgb@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52


* Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
From: Chris PeBenito @ 2020-01-21 13:36 UTC (permalink / raw)
  To: Henrik Grindal Bakken, selinux-refpolicy

On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
> From: Henrik Grindal Bakken <henribak@cisco.com>
> 
> This is the same behaviour as files_*_non_auth_types have.
> ---
>   policy/modules/kernel/files.if | 8 ++++++++
>   1 file changed, 8 insertions(+)
> 
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index f1c9441..255d8a9 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -652,7 +652,11 @@ interface(`files_manage_non_security_files',`
>   		attribute non_security_file_type;
>   	')
>   
> +	manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
>   	manage_files_pattern($1, non_security_file_type, non_security_file_type)
> +	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> +	manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> +	manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
>   ')
>   
>   ########################################
> @@ -671,7 +675,11 @@ interface(`files_relabel_non_security_files',`
>   		attribute non_security_file_type;
>   	')
>   
> +	relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
>   	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> +	relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
>   ')
>   
>   ########################################

NAK.  Access per object class is already split up across separate 
interfaces, so doing this would be confusing and prevent someone from 
getting file-only access.

-- 
Chris PeBenito


* Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
From: Henrik Grindal Bakken @ 2020-01-21 14:06 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

Chris PeBenito <pebenito@ieee.org> writes:

> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>> From: Henrik Grindal Bakken <henribak@cisco.com>
>>
>> This is the same behaviour as files_*_non_auth_types have.

[...]

> NAK.  Access per object class is already split up across separate
> interfaces, so doing this would be confusing and prevent someone from
> getting file-only access.

Ok.  Then I would recommend rewriting the systemd_tmpfiles_t rules a
bit, because today it has a serious amount of AVC violations for pretty
standard usage.

There are no matching interfaces for lnk_files, at least.  Any
suggestions as to how to set up the tmpfiles rules?

A new interface like this:

interface(`manage_non_security_somethingsomething',`
	gen_require(`
		attribute non_security_file_type;
	')

	manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
	manage_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')

or

interface(`manage_stuff',`
	manage_dirs_pattern($1, $2, $2)
	manage_files_pattern($1, $2, $2)
	manage_lnk_files_pattern($1, $2, $2)
	manage_fifo_files_pattern($1, $2, $2)
	manage_sock_files_pattern($1, $2, $2)
')

or call the manage_*_pattern() stuff directly from systemd.te?

(I guess one should add stuff for chr_file, etc)

-- 
Henrik Grindal Bakken <hgb@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52


* Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
From: Chris PeBenito @ 2020-01-22 10:03 UTC (permalink / raw)
  To: Henrik Grindal Bakken; +Cc: selinux-refpolicy

On 1/21/20 9:06 AM, Henrik Grindal Bakken wrote:
> Chris PeBenito <pebenito@ieee.org> writes:
> 
>> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>>> From: Henrik Grindal Bakken <henribak@cisco.com>
>>>
>>> This is the same behaviour as files_*_non_auth_types have.
> 
> [...]
> 
>> NAK.  Access per object class is already split up across separate
>> interfaces, so doing this would be confusing and prevent someone from
>> getting file-only access.
> 
> Ok.  Then I would recommend rewriting the systemd_tmpfiles_t rules a
> bit, because today it has a serious amount of AVC violations for pretty
> standard usage.

Perhaps.  However, it depends on what you consider standard usage.


> There are no matching interfaces for lnk_files, at least.  Any
> suggestions as to how to set up the tmpfiles rules?

By adding new interfaces that are like the existing 
files_manage_non_security_files() interface, but for lnk_file.


-- 
Chris PeBenito


* Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
From: Henrik Grindal Bakken @ 2020-01-22 20:24 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

Chris PeBenito <pebenito@ieee.org> writes:

> On 1/21/20 9:06 AM, Henrik Grindal Bakken wrote:
>
>> Ok.  Then I would recommend rewriting the systemd_tmpfiles_t rules a
>> bit, because today it has a serious amount of AVC violations for pretty
>> standard usage.
>
> Perhaps.  However, it depends on what you consider standard usage.

I suppose.  It might not be standard out-of-the-distro-box, but it
supports managing all of these classes of files, and I would've
preferred my policy to support that.

>> There are no matching interfaces for lnk_files, at least.  Any
>> suggestions as to how to set up the tmpfiles rules?
>
> By adding new interfaces that are like the existing
> files_manage_non_security_files() interface, but for lnk_file.

Ok.  Is there interest in a patch for that, or should I just conjure up
something locally that works for me?

-- 
Henrik Grindal Bakken <hgb@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52


* Re: [RFC] files: Make files_{relabel,manage}_non_security_types work on all file types
From: Chris PeBenito @ 2020-02-08 14:49 UTC (permalink / raw)
  To: Henrik Grindal Bakken; +Cc: selinux-refpolicy

On 1/22/20 3:24 PM, Henrik Grindal Bakken wrote:
> Chris PeBenito <pebenito@ieee.org> writes:
>> On 1/21/20 9:06 AM, Henrik Grindal Bakken wrote:
>>> There are no matching interfaces for lnk_files, at least.  Any
>>> suggestions as to how to set up the tmpfiles rules?
>>
>> By adding new interfaces that are like the existing
>> files_manage_non_security_files() interface, but for lnk_file.
> 
> Ok.  Is there interest in a patch for that, or should I just conjure up
> something locally that works for me?

I'd take a patch that adds that and calls it in the 
systemd_tmpfiles_manage_all tunable block.

-- 
Chris PeBenito
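
The shape the thread converges on, written out as an added example (not part of the posted patch or of refpolicy at the time of this thread): a pair of lnk_file-only interfaces in the style of files_manage_non_security_files(), plus the call Chris asks for inside the systemd_tmpfiles_manage_all tunable block. The interface names and the exact tunable_policy block are assumptions; the pattern macros and the non_security_file_type attribute are the ones used in the patch.

```m4
########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	of non-security file types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Assumed interface name (not from the thread's patch).
interface(`files_manage_non_security_lnk_files',`
	gen_require(`
		attribute non_security_file_type;
	')

	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')

########################################
## <summary>
##	Relabel symbolic links of non-security file types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Assumed interface name (not from the thread's patch).
interface(`files_relabel_non_security_lnk_files',`
	gen_require(`
		attribute non_security_file_type;
	')

	relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')

# In systemd.te: opt systemd_tmpfiles_t into lnk_file access only when
# the systemd_tmpfiles_manage_all tunable is enabled (block shape assumed).
tunable_policy(`systemd_tmpfiles_manage_all',`
	files_manage_non_security_lnk_files(systemd_tmpfiles_t)
	files_relabel_non_security_lnk_files(systemd_tmpfiles_t)
')
```

Keeping each object class in its own interface preserves the file-only grant that existing callers of files_manage_non_security_files() rely on, which is the reason the original RFC was rejected.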

