Signed-off-by: Russell Coker <russell@coker.com.au> I think this resolves all issues Chris raised. Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc =================================================================== --- /dev/null +++ refpolicy-2.20200410/policy/modules/services/memlockd.fc @@ -0,0 +1 @@ +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0) Index: refpolicy-2.20200410/policy/modules/services/memlockd.if =================================================================== --- /dev/null +++ refpolicy-2.20200410/policy/modules/services/memlockd.if @@ -0,0 +1,2 @@ +## <summary>memory lock daemon, keeps important files in RAM.</summary> + Index: refpolicy-2.20200410/policy/modules/services/memlockd.te =================================================================== --- /dev/null +++ refpolicy-2.20200410/policy/modules/services/memlockd.te 
@@ -0,0 +1,37 @@ +policy_module(memlockd, 1.0.0) + +######################################## +# +# Declarations +# + +type memlockd_t; +type memlockd_exec_t; +init_daemon_domain(memlockd_t, memlockd_exec_t) + +######################################## +# +# Local policy +# + +allow memlockd_t self:capability { setgid setuid ipc_lock }; +allow memlockd_t self:fifo_file rw_file_perms; +allow memlockd_t self:unix_dgram_socket { create connect }; + +# cache /etc/shadow too +auth_read_shadow(memlockd_t) +auth_map_shadow(memlockd_t) + +corecmd_exec_all_executables(memlockd_t) +corecmd_exec_bin(memlockd_t) +corecmd_exec_shell(memlockd_t) +corecmd_read_all_executables(memlockd_t) +corecmd_search_bin(memlockd_t) +files_read_etc_files(memlockd_t) +libs_exec_ld_so(memlockd_t) +files_map_etc_files(memlockd_t) + +logging_send_syslog_msg(memlockd_t) +miscfiles_read_localization(memlockd_t) + +sysnet_mmap_read_config(memlockd_t) Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if =================================================================== --- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if +++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if 
@@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',` ####################################### ## <summary> +## map network config files. +## </summary> +## <desc> +## <p> +## Allow the specified domain to mmap the +## general network configuration files. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_mmap_read_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file mmap_read_file_perms; +') + +####################################### +## <summary> ## Do not audit attempts to read network config files. ## </summary> ## <param name="domain"> Index: refpolicy-2.20200410/policy/modules/system/authlogin.if =================================================================== --- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if +++ refpolicy-2.20200410/policy/modules/system/authlogin.if @@ -577,6 +577,23 @@ interface(`auth_read_shadow',` ######################################## ## <summary> +## Map the shadow passwords file (/etc/shadow) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_map_shadow',` + gen_require(` + type shadow_t; + ') + allow $1 shadow_t:file map; +') + +######################################## +## <summary> ## Pass shadow assertion for reading. ## </summary> ## <desc>
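Review bot: in the memlockd.te hunk, `auth_read_shadow(memlockd_t)` and `auth_map_shadow(memlockd_t)` only clear the SELinux side of opening /etc/shadow; the capability line `allow memlockd_t self:capability { setgid setuid ipc_lock };` has no dac_read_search, so on a distribution where /etc/shadow is mode 000 the root daemon still fails the DAC check and the `# cache /etc/shadow too` comment is only true for Debian's 640 root:shadow layout. Either add dac_read_search under an ifndef(`distro_debian',` block, or say in the comment that shadow caching requires a group-readable file. Two smaller points in the same hunk: `allow memlockd_t self:unix_dgram_socket { create connect };` duplicates what `logging_send_syslog_msg(memlockd_t)` grants for the syslog socket and can go, and `corecmd_exec_bin(memlockd_t)` / `corecmd_exec_shell(memlockd_t)` look redundant next to `corecmd_exec_all_executables(memlockd_t)`, so check which of the corecmd calls are subsumed, keep the broad one, and add a comment saying why a daemon that locks arbitrary executables into RAM needs it.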
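Review bot: in the sysnetwork.if hunk, the new `sysnet_mmap_read_config` is inserted directly after the existing `sysnet_mmap_config_files` named in the hunk header, and its summary `## map network config files.` describes the existing interface just as well; since the new one also calls files_search_etc($1) and grants mmap_read_file_perms (read plus map), the summary and `<desc>` should say "read and map" and state when to use it instead of the existing map-only interface, or the caller could combine the existing read and map interfaces and this one could be dropped.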
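Review bot: in the authlogin.if hunk, `auth_map_shadow` grants only `allow $1 shadow_t:file map;` with no search on /etc and no read, so it is usable only alongside `auth_read_shadow`; the summary should say so (for example "Map the shadow passwords file; use together with auth_read_shadow"). Style: put a blank line between the closing `')` of the gen_require block and the allow rule, as the sysnetwork.if hunk in this same patch does.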
Russell Coker <russell@coker.com.au> writes: > Signed-off-by: Russell Coker <russell@coker.com.au> > > I think this resolves all issues Chris raised. > > > Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc > =================================================================== > --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.fc > @@ -0,0 +1 @@ > +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0) > Index: refpolicy-2.20200410/policy/modules/services/memlockd.if > =================================================================== > --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.if > @@ -0,0 +1,2 @@ > +## <summary>memory lock daemon, keeps important files in RAM.</summary> > + > Index: refpolicy-2.20200410/policy/modules/services/memlockd.te > =================================================================== > --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.te 
> @@ -0,0 +1,37 @@ > +policy_module(memlockd, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type memlockd_t; > +type memlockd_exec_t; > +init_daemon_domain(memlockd_t, memlockd_exec_t) > + > +######################################## > +# > +# Local policy > +# > + > +allow memlockd_t self:capability { setgid setuid ipc_lock }; > +allow memlockd_t self:fifo_file rw_file_perms; > +allow memlockd_t self:unix_dgram_socket { create connect }; the unix dgram socket creating is probably redundant and implied with logging_send_logs_msg() as journald uses dgram_sendto for logging? > + > +# cache /etc/shadow too > +auth_read_shadow(memlockd_t) Hmm since /etc/shadow is mode 000, how is memlock able to read this without cap_dac_read_search access. is that implied? > +auth_map_shadow(memlockd_t) > + > +corecmd_exec_all_executables(memlockd_t) > +corecmd_exec_bin(memlockd_t) > +corecmd_exec_shell(memlockd_t) > +corecmd_read_all_executables(memlockd_t) > +corecmd_search_bin(memlockd_t) > +files_read_etc_files(memlockd_t) > +libs_exec_ld_so(memlockd_t) > +files_map_etc_files(memlockd_t) > + > +logging_send_syslog_msg(memlockd_t) > +miscfiles_read_localization(memlockd_t) > + > +sysnet_mmap_read_config(memlockd_t) > Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if > +++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if 
> @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',` > > ####################################### > ## <summary> > +## map network config files. > +## </summary> > +## <desc> > +## <p> > +## Allow the specified domain to mmap the > +## general network configuration files. > +## </p> > +## </desc> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`sysnet_mmap_read_config',` > + gen_require(` > + type net_conf_t; > + ') > + > + files_search_etc($1) > + allow $1 net_conf_t:file mmap_read_file_perms; > +') > + > +####################################### > +## <summary> > ## Do not audit attempts to read network config files. > ## </summary> > ## <param name="domain"> > Index: refpolicy-2.20200410/policy/modules/system/authlogin.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if > +++ refpolicy-2.20200410/policy/modules/system/authlogin.if > @@ -577,6 +577,23 @@ interface(`auth_read_shadow',` > > ######################################## > ## <summary> > +## Map the shadow passwords file (/etc/shadow) > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`auth_map_shadow',` > + gen_require(` > + type shadow_t; > + ') > + allow $1 shadow_t:file map; > +') > + > +######################################## > +## <summary> > ## Pass shadow assertion for reading. > ## </summary> > ## <desc> -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
On Friday, 10 April 2020 6:10:57 PM AEST Dominick Grift wrote:
> > +allow memlockd_t self:unix_dgram_socket { create connect };
>
> the unix dgram socket creating is probably redundant and implied with
> logging_send_logs_msg() as journald uses dgram_sendto for logging?

You are correct, that is redundant. Chris, shall I submit the patch again or
would it be easier to just delete that line when you merge?

> > +# cache /etc/shadow too
> > +auth_read_shadow(memlockd_t)
>
> Hmm since /etc/shadow is mode 000, how is memlock able to read this
> without cap_dac_read_search access. is that implied?

/etc/shadow is mode 640 on Debian.

On other distributions the choice is either more permissions for memlockd or a
configuration that doesn't cache /etc/shadow.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On 4/10/20 5:40 AM, Russell Coker wrote:
> On Friday, 10 April 2020 6:10:57 PM AEST Dominick Grift wrote:
>>> +allow memlockd_t self:unix_dgram_socket { create connect };
>>
>> the unix dgram socket creating is probably redundant and implied with
>> logging_send_logs_msg() as journald uses dgram_sendto for logging?
>
> You are correct, that is redundant. Chris shall I submit the patch again or
> would it be easier to just delete that line when you merge?

Please resubmit with the change below too.

>>> +# cache /etc/shadow too
>>> +auth_read_shadow(memlockd_t)
>>
>> Hmm since /etc/shadow is mode 000, how is memlock able to read this
>> without cap_dac_read_search access. is that implied?
>
> /etc/shadow is mode 640 on Debian.
>
> On other distributions the choice is either more permissions for memlockd or a
> configuration that doesn't cache /etc/shadow.

Seems that we need an ifndef(`distro_debian' block with dac_read_search;

-- 
Chris PeBenito
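The capability question Dominick raises (how a root daemon opens a mode-000 /etc/shadow without cap_dac_read_search) and Chris's ifndef(`distro_debian') answer both come down to the kernel's DAC check: CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE is consulted only after the owner/group/other bits have failed, and under SELinux the domain may use a capability only if its policy allows it in the capability class. The Python below is an added example written for this page, not code from refpolicy, memlockd or anyone in the thread. It models that check with the rules of the kernel's generic_permission() reduced to uid, gid and mode inputs, reports the weakest single capability that lets an access through, and renders the matching refpolicy capability rules with the Debian-only difference under ifndef(`distro_debian'). The two layouts are constructed from the thread (Debian: 640 root:shadow; elsewhere: 000 root:root); the shadow gid of 42, the assumption that the daemon starts as uid 0 with only group 0, and all function names are mine.

```python
"""Added example: model the Linux DAC check to find which capability an SELinux
domain needs to open a file, and render the matching refpolicy rules.
Not part of refpolicy or memlockd; the rules follow fs/namei.c generic_permission().
"""

MAY_READ, MAY_WRITE, MAY_EXEC = 4, 2, 1
S_IXUGO = 0o111


def mode_bits_for(mode, f_uid, f_gid, uid, groups):
    """Select the owner, group or other rwx triplet that applies to the caller.
    The owner triplet wins even when the owner is also in the file's group."""
    if uid == f_uid:
        return (mode >> 6) & 7
    if f_gid in groups:
        return (mode >> 3) & 7
    return mode & 7


def dac_allowed(mode, f_uid, f_gid, uid, groups, mask, caps, is_dir=False):
    """Return True if DAC grants `mask` (a bitwise OR of MAY_*).
    `caps` is the set of capability names the SELinux policy lets the domain
    use; a root process whose policy lacks them behaves like an unprivileged one."""
    if mode_bits_for(mode, f_uid, f_gid, uid, groups) & mask == mask:
        return True
    if is_dir:
        # Directories: read/search bypass with DAC_READ_SEARCH, anything with DAC_OVERRIDE.
        if not (mask & MAY_WRITE) and "dac_read_search" in caps:
            return True
        return "dac_override" in caps
    # Regular files: DAC_OVERRIDE bypasses read/write, and exec only if some x bit is set.
    if "dac_override" in caps and (not (mask & MAY_EXEC) or mode & S_IXUGO):
        return True
    # DAC_READ_SEARCH only ever grants a pure read on a regular file.
    return mask == MAY_READ and "dac_read_search" in caps


def least_capability(mode, f_uid, f_gid, uid, groups, mask, is_dir=False):
    """Weakest single capability that lets the access through:
    "none", "dac_read_search", "dac_override", or "denied" if none does."""
    for label, caps in (("none", frozenset()),
                        ("dac_read_search", frozenset({"dac_read_search"})),
                        ("dac_override", frozenset({"dac_override"}))):
        if dac_allowed(mode, f_uid, f_gid, uid, groups, mask, caps, is_dir):
            return label
    return "denied"


def capability_rule(domain, caps):
    """Render a refpolicy allow rule on the domain's own capability class."""
    return "allow %s self:capability { %s };" % (domain, " ".join(sorted(caps)))


def shadow_policy_fragment(domain, base_caps, layouts):
    """Capability rules for a daemon in `domain` that starts as root (uid 0,
    group 0 only) and opens a root-owned /etc/shadow read-only.  `layouts`
    maps a distro name to (mode, gid).  A capability that only non-Debian
    layouts need goes under ifndef(`distro_debian'), as suggested in the thread."""
    need = {d: least_capability(m, 0, g, 0, {0}, MAY_READ) for d, (m, g) in layouts.items()}
    if "denied" in need.values():
        raise ValueError("no single capability lets root open /etc/shadow: %r" % need)
    extra = {c for c in need.values() if c != "none"}
    lines = [capability_rule(domain, base_caps)]
    if extra and need.get("debian") == "none":
        lines += ["", "ifndef(`distro_debian',`", "\t" + capability_rule(domain, extra), "')"]
    elif extra:
        lines[0] = capability_rule(domain, set(base_caps) | extra)
    return "\n".join(lines)


# Constructed from the thread: Debian ships /etc/shadow 640 root:shadow
# (gid 42 assumed here), other distributions 000 root:root.
SHADOW_LAYOUTS = {"debian": (0o640, 42), "other": (0o000, 0)}
MEMLOCKD_BASE_CAPS = {"setgid", "setuid", "ipc_lock"}

if __name__ == "__main__":
    print(shadow_policy_fragment("memlockd_t", MEMLOCKD_BASE_CAPS, SHADOW_LAYOUTS))
```

For the two layouts, shadow_policy_fragment leaves the base rule as it is and adds an ifndef(`distro_debian') block granting dac_read_search, which is the weaker of the two capabilities that satisfies a read-only open; dac_override would also pass the check but additionally bypasses write checks, so it is the wrong choice for a daemon that only needs to read and map the file.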