From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=sUoU=Z2=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D478BC43603
	for <selinux-refpolicy@archiver.kernel.org>; Wed,  4 Dec 2019 16:56:20 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 9E0A82086D
	for <selinux-refpolicy@archiver.kernel.org>; Wed,  4 Dec 2019 16:56:20 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="RwCPf9BB"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728388AbfLDQ4U (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Wed, 4 Dec 2019 11:56:20 -0500
Received: from mail-wr1-f65.google.com ([209.85.221.65]:36473 "EHLO
        mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726934AbfLDQ4U (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 4 Dec 2019 11:56:20 -0500
Received: by mail-wr1-f65.google.com with SMTP id z3so68600wru.3
        for <selinux-refpolicy@vger.kernel.org>; Wed, 04 Dec 2019 08:56:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mail-followup-to:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=tVXBU076O0bbNvccvP0xjrdaiE7rTXVyNcg1o2cwok4=;
        b=RwCPf9BBeBQpTZKE8x6ViAP6sDpkz84lw04cLCzyw1N2t5A6mJfi+NEFeD8CNCPdoB
         AKWV7PRobPjy3K7/LcMJqFzNScvNB89f7+a1lqhOeKciqzVorF+kwSMPkDxCXyojVnaz
         PM6471irlfVyOke+fH2PHQNq7E++vvthrgWlIzZFjjBcD4RardVsKcdjN0o44Voj6xZF
         8zxvXkAZnj58NjLxXUcyujijnLQyHKAzEuD8AS0jESBo6lUs6ikv9J74Bg1o5gWCjVJ2
         +9umPhyXXB+gCXqK1SQhVlxoU3kQxBUCMpuLbEwh/mwt7oPEc5Zg2dTiXBmqhmmH93xh
         ArpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id
         :mail-followup-to:references:mime-version:content-disposition
         :in-reply-to:user-agent;
        bh=tVXBU076O0bbNvccvP0xjrdaiE7rTXVyNcg1o2cwok4=;
        b=NwNpsIsBIntiDDc2L648oQCbeKY02j4vwRtNYsrjpKDeLDnfaXrVKr6SjOt20dwsq6
         kheiLRlkZu8LK+/HSmsXwa5GcNCXcsuJzvOO40RlWa3N1BjnuvS3fNJUxX1TEQ00JDpc
         DPxgHR7a060067mIGOJvTPfGC0fWbG/WToBuHHFMGmbtLp3xMkd4rmTN4/8WnE6cGFCZ
         mFRiR+mzB3h+Ey0FQRHno/Lv86z5weOPKeFx0IR1HfFCzzUeEsfm5d1jPIpqrlIKZyW+
         Bfnji1IHshaJQE6vwFxE8oEEyDsILpDMbGhp44wTIZ1pNHG6BvLUwUW4/j+iCnOq4XV7
         WvJQ==
X-Gm-Message-State: APjAAAXVpCLS2sPw8q4r8ibe+WgYkcW8FXL1FJ2yu+rY87adP20XDd3l
        hhE/mjGCU/06jY7+caC6oV/aUQNz
X-Google-Smtp-Source: APXvYqzzxaPULlhGZ/JTDctZiwUY8OVj8Zfc5xmLg95co8hBHLSwwKCkzuBl7Nj3uaFEAAnHdiGbGA==
X-Received: by 2002:a5d:5487:: with SMTP id h7mr5047740wrv.18.1575478577375;
        Wed, 04 Dec 2019 08:56:17 -0800 (PST)
Received: from brutus.lan (brutus.defensec.nl. [2001:985:d55d::438])
        by smtp.gmail.com with ESMTPSA id g9sm7599359wro.67.2019.12.04.08.56.16
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 04 Dec 2019 08:56:16 -0800 (PST)
Date:   Wed, 4 Dec 2019 17:56:14 +0100
From:   Dominick Grift <dac.override@gmail.com>
To:     "Sugar, David" <dsugar@tresys.com>
Cc:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] Allow systemd to getattr configfile
Message-ID: <20191204165614.GA1321684@brutus.lan>
Mail-Followup-To: "Sugar, David" <dsugar@tresys.com>,
        "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
References: <20191204163306.16545-1-dsugar@tresys.com>
 <20191204163306.16545-2-dsugar@tresys.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="FCuugMFkClbJLl1L"
Content-Disposition: inline
In-Reply-To: <20191204163306.16545-2-dsugar@tresys.com>
User-Agent: Every email client sucks, this one just sucks less.
X-PGP-Key: https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


--FCuugMFkClbJLl1L
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 04, 2019 at 04:33:20PM +0000, Sugar, David wrote:
> Systemd has ConditionalPathExists which is used to check if a path exists=
 to control starting a service.  But this requires getattr permissions on t=
he file.  This is generally for configuration files.  We are mostly seeing =
this is in our own policy.  But this lvm denial also fits the example.
>=20
> type=3DAVC msg=3Daudit(1575427946.229:1624): avc:  denied  { getattr } fo=
r  pid=3D1 comm=3D"systemd" path=3D"/etc/lvm/lvm.conf" dev=3D"dm-0" ino=3D5=
1799 scontext=3Dsystem_u:system_r:init_t:s0 tcontext=3Dsystem_u:object_r:lv=
m_etc_t:s0 tclass=3Dfile permissive=3D0
>=20
> This second example is from chronyd, but it is happening becuase I added =
the conditional in a drop-in file. Note that chronyd_conf_t is already a 'c=
onfigfile'.
>=20
> type=3DAVC msg=3Daudit(1575427959.882:1901): avc:  denied  { getattr } fo=
r  pid=3D1 comm=3D"systemd" path=3D"/etc/chrony.conf" dev=3D"dm-0" ino=3D53=
824 scontext=3Dsystem_u:system_r:init_t:s0 tcontext=3Dsystem_u:object_r:chr=
onyd_conf_t:s0 tclass=3Dfile permissive=3D1

how about something a little more general?

systemd_ConditionPath(`,'
	allow init_t $1:dir search_dir_perms;
	allow init_t $1:lnk_file read_lnk_file_perms;
	allow init_t $1:fifo_file getattr_fifo_file_perms;
	allow init_t $1:sock_file getattr_sock_file_perms;
	allow init_t $1:file getattr_file_perms;
	allow init_t $1:blk_file getattr_blk_file_perms;
	allow init_t $1:chr_file getattr_chr_file_perms;
')

>=20
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/kernel/files.if | 20 ++++++++++++++++++++
>  policy/modules/system/init.te  |  1 +
>  policy/modules/system/lvm.te   |  2 +-
>  3 files changed, 22 insertions(+), 1 deletion(-)
>=20
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files=
=2Eif
> index f1c94411..87be07ae 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
>  	relabel_dirs_pattern($1, configfile, configfile)
>  ')
> =20
> +########################################
> +## <summary>
> +##	Getattr config files in /etc.
> +## </summary>
> +## <param name=3D"domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_getattr_config_files',`
> +	gen_require(`
> +		attribute configfile;
> +	')
> +
> +	allow $1 configfile:dir list_dir_perms;
> +	getattr_files_pattern($1, configfile, configfile)
> +	read_lnk_files_pattern($1, configfile, configfile)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Read config files in /etc.
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 8973a622..747b696e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -320,6 +320,7 @@ ifdef(`init_systemd',`
>  	domain_subj_id_change_exemption(init_t)
>  	domain_role_change_exemption(init_t)
> =20
> +	files_getattr_config_files(init_t)
>  	files_read_all_pids(init_t)
>  	files_list_usr(init_t)
>  	files_list_var(init_t)
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index ad4eb579..c05344e0 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
>  role system_r types lvm_t;
> =20
>  type lvm_etc_t;
> -files_type(lvm_etc_t)
> +files_config_file(lvm_etc_t)
> =20
>  type lvm_lock_t;
>  files_lock_file(lvm_lock_t)
> --=20
> 2.21.0
>=20

--=20
Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02
Dominick Grift

--FCuugMFkClbJLl1L
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAl3n5SoACgkQJXSOVTf5
R2k/DAwAiEPU530KLVbbnGRbycDffTZSvsI7ouoxKw3IG5Y4yoQ9LGhV0KUXbyD1
30SRCr5vyvXGhTf7ORiEUGbKCGk8wNZm6r886gI2cM9BkKFz7VOYvFSfvD1tPiOU
sHH46pQPyJruE7TJjGRKTx/UFdCD+sndSNdCWnMZFMnxHUZOHAoYyqMoCzSxRHR+
K/uuP/yPZ2fgHGI7qY98SE7eXeawbipzuvLPd211+h3OoAgruD96HZgpDpdKm1n1
PZbUMhezoSB7NsvNSzCkjzB/7ySltvtqCxVWC4mJIQJWB81OTvNaD4vayT+w6IXC
6XWd/JLeRmaNfllibWadOvp6xVwYnEk5sEICoTp2/mMuU7uk2rkLT8fcaEKMgONn
t5VCiakX6VLpbenZqOLuHQgERzeV44wYRayDjPQ9MDdzAxuU6UsbyPNZiaCISVkz
IyZb8WQZzq7PQEuGVElworTfGnLvucu7P7fXH0ynfQ9Bv65QhL4/1f23n9GiL1+z
r4rWNUsc
=I4sN
-----END PGP SIGNATURE-----

--FCuugMFkClbJLl1L--