SELinux-Refpolicy Archive on lore.kernel.org
From: "Sugar, David" <dsugar@tresys.com>
To: "selinux-refpolicy@vger.kernel.org"  <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] Allow systemd to getattr configfile
Date: Wed, 4 Dec 2019 16:33:20 +0000
Message-ID: <20191204163306.16545-2-dsugar@tresys.com> (raw)
In-Reply-To: <20191204163306.16545-1-dsugar@tresys.com>

Systemd has ConditionalPathExists which is used to check if a path exists to control starting a service.  But this requires getattr permissions on the file.  This is generally for configuration files.  We are mostly seeing this in our own policy.  But this lvm denial also fits the example.

type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0

This second example is from chronyd, but it is happening because I added the conditional in a drop-in file. Note that chronyd_conf_t is already a 'configfile'.

type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/files.if | 20 ++++++++++++++++++++
 policy/modules/system/init.te  |  1 +
 policy/modules/system/lvm.te   |  2 +-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f1c94411..87be07ae 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
 	relabel_dirs_pattern($1, configfile, configfile)
 ')
 
+########################################
+## <summary>
+##	Getattr config files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	allow $1 configfile:dir list_dir_perms;
+	getattr_files_pattern($1, configfile, configfile)
+	read_lnk_files_pattern($1, configfile, configfile)
+')
+
 ########################################
 ## <summary>
 ##	Read config files in /etc.
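Review bot: The `<summary>` for `files_getattr_config_files` understates what the interface grants: besides `getattr_files_pattern($1, configfile, configfile)` it also allows `list_dir_perms` on configfile directories and `read_lnk_files_pattern` on configfile symlinks. That mirrors the sibling `files_read_config_files` interface and is needed so the caller can traverse to the file and resolve symlinked configs, but the doc comment should say so, e.g. "Get the attributes of config files in /etc, list config directories and read config symlinks", in the wording style of the neighbouring refpolicy interfaces.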
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8973a622..747b696e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -320,6 +320,7 @@ ifdef(`init_systemd',`
 	domain_subj_id_change_exemption(init_t)
 	domain_role_change_exemption(init_t)
 
+	files_getattr_config_files(init_t)
 	files_read_all_pids(init_t)
 	files_list_usr(init_t)
 	files_list_var(init_t)
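Review bot: `files_getattr_config_files(init_t)` gives the systemd domain getattr on every type carrying the `configfile` attribute, not only on the files named in the two AVC messages. Since the call sits inside `ifdef(`init_systemd',` and getattr exposes metadata only, that scope is defensible, but the commit message should state that the grant is attribute-wide and that any future `files_config_file()` type becomes stat-able by init_t, so reviewers can weigh it against a narrower per-type grant.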
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index ad4eb579..c05344e0 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
 role system_r types lvm_t;
 
 type lvm_etc_t;
-files_type(lvm_etc_t)
+files_config_file(lvm_etc_t)
 
 type lvm_lock_t;
 files_lock_file(lvm_lock_t)
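Review bot: Switching `lvm_etc_t` from `files_type` to `files_config_file` is a wider change than the commit message describes. Adding the `configfile` attribute does more than let init_t getattr `/etc/lvm/lvm.conf`: every domain that already calls `files_read_config_files`, `files_manage_config_files` or any other configfile-attribute interface now gains that access to lvm_etc_t as well. That is probably the intended classification, but the description should call out the side effect explicitly, and it may be worth splitting this hunk into its own patch so the labelling change can be reviewed separately from the new interface.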
-- 
2.21.0

