Re: [PATCH] Allow systemd to getattr configfile

From: Dominick Grift <dac.override@gmail.com>
To: "Sugar, David" <dsugar@tresys.com>
Cc: "selinux-refpolicy@vger.kernel.org"  <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] Allow systemd to getattr configfile
Date: Wed, 4 Dec 2019 18:31:34 +0100	[thread overview]
Message-ID: <20191204173134.GB1321684@brutus.lan> (raw)
In-Reply-To: <e3d4c752-899f-5454-37f5-851378426e8a@tresys.com>

[-- Attachment #1: Type: text/plain, Size: 5163 bytes --]

On Wed, Dec 04, 2019 at 05:22:55PM +0000, Sugar, David wrote:
> 
> 
> On 12/4/19 11:56 AM, Dominick Grift wrote:
> > On Wed, Dec 04, 2019 at 04:33:20PM +0000, Sugar, David wrote:
> >> Systemd has ConditionalPathExists which is used to check if a path exists to control starting a service.  But this requires getattr permissions on the file.  This is generally for configuration files.  We are mostly seeing this is in our own policy.  But this lvm denial also fits the example.
> >>
> >> type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
> >>
> >> This second example is from chronyd, but it is happening becuase I added the conditional in a drop-in file. Note that chronyd_conf_t is already a 'configfile'.
> >>
> >> type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
> > 
> > how about something a little more general?
> > 
> > systemd_ConditionPath(`,'
> > 	allow init_t $1:dir search_dir_perms;
> > 	allow init_t $1:lnk_file read_lnk_file_perms;
> > 	allow init_t $1:fifo_file getattr_fifo_file_perms;
> > 	allow init_t $1:sock_file getattr_sock_file_perms;
> > 	allow init_t $1:file getattr_file_perms;
> > 	allow init_t $1:blk_file getattr_blk_file_perms;
> > 	allow init_t $1:chr_file getattr_chr_file_perms;
> > ')
> > 
> I think you are suggesting an interface 'systemd_conditionpath' that 
> would exist in init.if and then need to be used by any module that wants 
> to grant access to a particular type to getattr?

Yes

> 
> So, for this case, I would need to modify chronyd.te and lvm.te to use 
> this interface?

Yes

> 
> I think you are also suggesting that ConditionPathExists usage in a unit 
> file could be trying to check for the existence of something other than 
> a configuration file.

Yes, and on top of that there are other "conditions" but generally it boils down to systemd "statting" the target

> 
> Taking it to the extreme, a unit file could be checking for the 
> existence of a file that is in a different SELinux domain.  Does it 
> instead make sense to use the 'files_getattr_all_files', 
> 'files_getattr_all_sockets', 'files_getattr_all_pipes', etc... in init.te?

I would argue that this would be too broad/generic, not to mention that it could also apply to a device node (basicallu anything)

> 
> 
> >>
> >> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> >> ---
> >>   policy/modules/kernel/files.if | 20 ++++++++++++++++++++
> >>   policy/modules/system/init.te  |  1 +
> >>   policy/modules/system/lvm.te   |  2 +-
> >>   3 files changed, 22 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> >> index f1c94411..87be07ae 100644
> >> --- a/policy/modules/kernel/files.if
> >> +++ b/policy/modules/kernel/files.if
> >> @@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
> >>   	relabel_dirs_pattern($1, configfile, configfile)
> >>   ')
> >>   
> >> +########################################
> >> +## <summary>
> >> +##	Getattr config files in /etc.
> >> +## </summary>
> >> +## <param name="domain">
> >> +##	<summary>
> >> +##	Domain allowed access.
> >> +##	</summary>
> >> +## </param>
> >> +#
> >> +interface(`files_getattr_config_files',`
> >> +	gen_require(`
> >> +		attribute configfile;
> >> +	')
> >> +
> >> +	allow $1 configfile:dir list_dir_perms;
> >> +	getattr_files_pattern($1, configfile, configfile)
> >> +	read_lnk_files_pattern($1, configfile, configfile)
> >> +')
> >> +
> >>   ########################################
> >>   ## <summary>
> >>   ##	Read config files in /etc.
> >> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> >> index 8973a622..747b696e 100644
> >> --- a/policy/modules/system/init.te
> >> +++ b/policy/modules/system/init.te
> >> @@ -320,6 +320,7 @@ ifdef(`init_systemd',`
> >>   	domain_subj_id_change_exemption(init_t)
> >>   	domain_role_change_exemption(init_t)
> >>   
> >> +	files_getattr_config_files(init_t)
> >>   	files_read_all_pids(init_t)
> >>   	files_list_usr(init_t)
> >>   	files_list_var(init_t)
> >> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> >> index ad4eb579..c05344e0 100644
> >> --- a/policy/modules/system/lvm.te
> >> +++ b/policy/modules/system/lvm.te
> >> @@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
> >>   role system_r types lvm_t;
> >>   
> >>   type lvm_etc_t;
> >> -files_type(lvm_etc_t)
> >> +files_config_file(lvm_etc_t)
> >>   
> >>   type lvm_lock_t;
> >>   files_lock_file(lvm_lock_t)
> >> -- 
> >> 2.21.0
> >>
> > 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]