SELinux-Refpolicy Archive on lore.kernel.org
From: Jason Zaman <jason@perfinion.com>
To: Chris PeBenito <pebenito@ieee.org>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 1/9] systemd: Add elogind support
Date: Sat, 28 Dec 2019 12:35:04 +0800
Message-ID: <20191228043504.GA38088@baraddur.perfinion.com> (raw)
In-Reply-To: <c5960eb5-acb6-19b5-2690-f9956dd174a0@ieee.org>

On Thu, Dec 26, 2019 at 12:03:32PM -0500, Chris PeBenito wrote:
> On 12/24/19 5:10 AM, Jason Zaman wrote:
> > Elogind is based off systemd-logind extracted to stand alone.
> 
> I'm not a fan of this.  Systemd is already a big mess of permissions by 
> itself, and I'm reluctant to add even more to it to support something else.

I'm not super happy about it either. I tried to make elogind_t
standalone originally. It didn't end up working that well because it really
*is* systemd-logind, just without systemd as pid1. The problem is that all
the paths are the same; everything in /run and /var and all that gets
used exactly the same, so the fcontexts would conflict. A lot of the
perms I ended up adding seem like things that systemd-logind should be
able to do anyway too (like purging tmp to clean up /run/user when
people log out, or sending audit logs), or do these things end up done by
pid1 instead if it's systemd?

It's a similar issue to how tmpfiles works on Gentoo. We made a policy
for opentmpfiles (originally in OpenRC); then later the systemd policy in
upstream refpol added systemd-tmpfiles. I've had to ifndef init_systemd
around those fcontexts and it kind of works, but it's pretty awkward and
makes switching between OpenRC/systemd more annoying than it should be.

I'd be up for modularizing systemd.te if it'd make things easier, but I'm
not completely sure how. I see a few different parts that need to be
handled carefully: 1) the paths on disk; these should ideally be the
same for all the implementations of things. 2) the daemons themselves;
these could be the same or different domains, it makes little difference. 3)
how other programs interact with the daemons. I'm not really sure
duplicating perms in every other policy is the right way to go. Like,
would everything have to call both systemd_logind_foo() and
elogind_foo()?

If you have better ideas how to approach this, I'm all ears :)

-- Jason


> 
> 
> > Signed-off-by: Jason Zaman <jason@perfinion.com>
> > ---
> >   policy/modules/admin/sudo.if       |  2 ++
> >   policy/modules/system/authlogin.if |  5 +++++
> >   policy/modules/system/systemd.fc   |  5 +++++
> >   policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
> >   4 files changed, 38 insertions(+), 1 deletion(-)
> > 
> > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> > index c1459364..4f08af28 100644
> > --- a/policy/modules/admin/sudo.if
> > +++ b/policy/modules/admin/sudo.if
> > @@ -159,6 +159,8 @@ template(`sudo_role_template',`
> >   
> >   	optional_policy(`
> >   		dbus_system_bus_client($1_sudo_t)
> > +		systemd_dbus_chat_logind($1_sudo_t)
> > +		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
> >   
> >   		ifdef(`init_systemd',`
> >   			init_dbus_chat($1_sudo_t)
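Review bot: the two logind calls added to sudo_role_template duplicate what the authlogin.if hunk below adds to auth_use_pam, so if $1_sudo_t already reaches auth_use_pam these lines are redundant; if it does not, the commit message should say why a sudo domain needs to chat with logind over D-Bus (the usual reason is pam_systemd/pam_elogind in sudo's PAM stack). Either way they sit outside the ifdef(`init_systemd') block on purpose, and a one-line comment saying they are needed for elogind on non-systemd inits would stop a later cleanup from moving them inside it.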
> > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > index c16748f2..83837458 100644
> > --- a/policy/modules/system/authlogin.if
> > +++ b/policy/modules/system/authlogin.if
> > @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
> >   		optional_policy(`
> >   			fprintd_dbus_chat($1)
> >   		')
> > +
> > +		optional_policy(`
> > +			systemd_dbus_chat_logind($1)
> > +			systemd_write_inherited_logind_sessions_pipes($1)
> > +		')
> >   	')
> >   
> >   	optional_policy(`
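Review bot: the new optional_policy block is nested two levels deep, inside whatever enclosing conditional also wraps the fprintd_dbus_chat call, and the hunk header does not show that outer condition; verify it is not init_systemd-specific, otherwise elogind on OpenRC never gets these rules. Also, systemd_write_inherited_logind_sessions_pipes grants write on inherited pipes to every auth_use_pam caller; that is the normal pam_systemd/pam_elogind pattern, but a short comment above the block naming the PAM module that needs it would make the intent clear.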
> > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> > index 607b1d88..e6831465 100644
> > --- a/policy/modules/system/systemd.fc
> > +++ b/policy/modules/system/systemd.fc
> > @@ -16,6 +16,10 @@
> >   /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> >   /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
> >   
> > +/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +
> >   # Systemd generators
> >   /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> >   
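Review bot: all three elogind binaries get systemd_logind_exec_t, so any domain that executes them and has a transition from that type lands in systemd_logind_t. That is right for /usr/lib/elogind/elogind, which init_daemon_domain transitions from init. For elogind-uaccess-command, which as its name suggests is run from udev rules rather than by the daemon, udev's domain would need execute and transition rules for systemd_logind_exec_t (or the helper needs its own, narrower type), and elogind-cgroups-agent is the cgroup release agent, i.e. started by the kernel as a usermode helper rather than by elogind. Neither caller is addressed in this patch, so please say in the commit message which callers were tested and add a comment to these entries.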
> > @@ -56,6 +60,7 @@
> >   /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
> >   
> >   /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > +/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
> >   /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> >   
> >   /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > index 1422d8e2..f13b7252 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
> >   
> >   type systemd_logind_t;
> >   type systemd_logind_exec_t;
> > +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
> >   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> >   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> >   
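Review bot: dbus_system_domain(systemd_logind_t, systemd_logind_exec_t) adds a second entry path, a domain transition from the system bus daemon, next to the existing init_daemon_domain one; presumably because without systemd as pid1 elogind is started by D-Bus activation of org.freedesktop.login1. The commit message should say so, and since this is only needed on non-systemd inits it is a candidate for ifndef(`init_systemd'). The interface also makes the domain a system bus client, so if there is an existing dbus_system_bus_client(systemd_logind_t) call elsewhere in the file it becomes redundant.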
> > @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
> >   type systemd_logind_runtime_t alias systemd_logind_var_run_t;
> >   files_pid_file(systemd_logind_runtime_t)
> >   init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> > +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
> >   
> >   type systemd_logind_var_lib_t;
> >   files_type(systemd_logind_var_lib_t)
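Review bot: the name in init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind") does not match the file context added in systemd.fc, /run/elogind\.pid. Name-based transitions match the exact final path component, so a file created as elogind.pid would not hit this rule and would keep the parent's type until relabeled. Either the name should be "elogind.pid" or the fc entry should be /run/elogind. Also, if the pid file is written by elogind itself rather than by init (the files_pid_filetrans in a later hunk suggests it is), this init_t transition may not be needed at all.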
> > @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
> >   # Logind local policy
> >   #
> >   
> > -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> > +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
> >   allow systemd_logind_t self:process { getcap setfscreate };
> >   allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> >   allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
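Review bot: fsetid and sys_resource are added to the capability set without explanation; both widen a daemon that already holds dac_override and sys_admin. fsetid is normally triggered by chown/chmod on set-id files (plausibly while fixing up /run/user/$UID) and sys_resource by raising resource limits when spawning sessions; if either was only observed as a probe in the audit log, prefer a dontaudit. A short comment on the line, or a sentence in the commit message, would let a later reader tell which it is.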
> > @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> >   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> >   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> >   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> > +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> > +
> > +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
> >   
> >   manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> >   manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
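Review bot: files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file) with no name argument makes every file elogind creates directly under /run default to systemd_logind_runtime_t, which would also catch a freshly created /run/nologin unless a named transition to systemd_sessions_runtime_t already exists for it. If the only target is the pid file, a named rule, files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file, "elogind.pid"), is tighter and self-documenting. The create_dirs_pattern on systemd_machined_runtime_t also deserves a comment: on a system without machined it is not obvious what elogind is creating there, and if it is only a probe a dontaudit would be preferable.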
> > @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
> >   
> >   kernel_read_kernel_sysctls(systemd_logind_t)
> >   
> > +auth_write_login_records(systemd_logind_t)
> > +
> >   dev_getattr_dri_dev(systemd_logind_t)
> >   dev_getattr_generic_usb_dev(systemd_logind_t)
> >   dev_getattr_kvm_dev(systemd_logind_t)
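Review bot: auth_write_login_records grants write access to the utmp/wtmp login accounting files, which systemd-logind itself does not write (on systemd systems that is done by systemd-update-utmp and the PAM stack). If elogind takes over that job when there is no pid1 to do it, say so in the commit message and consider gating the call under ifndef(`init_systemd'), so the systemd-logind domain on systemd hosts does not carry write access to records it never touches.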
> > @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
> >   
> >   domain_obj_id_change_exemption(systemd_logind_t)
> >   
> > +files_purge_tmp(systemd_logind_t)
> >   files_read_etc_files(systemd_logind_t)
> >   files_search_pids(systemd_logind_t)
> >   
> >   fs_getattr_cgroup(systemd_logind_t)
> > +fs_manage_cgroup_dirs(systemd_logind_t)
> > +fs_manage_cgroup_files(systemd_logind_t)
> >   fs_getattr_tmpfs(systemd_logind_t)
> >   fs_getattr_tmpfs_dirs(systemd_logind_t)
> >   fs_list_tmpfs(systemd_logind_t)
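Review bot: fs_manage_cgroup_dirs and fs_manage_cgroup_files let systemd_logind_t create, write and delete anywhere in the cgroup filesystem, not only under its own session scopes, and files_purge_tmp lets it unlink anything of a tmp type. On systemd systems pid1 does the cgroup work, so these are elogind-only needs; wrap them in ifndef(`init_systemd') or at least comment them, so the systemd-logind domain on systemd hosts does not pick up full cgroup tree management. If the tmp purge is specifically for /run/user/$UID cleanup, a rule scoped to the user runtime directory types would be tighter than files_purge_tmp.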
> > @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
> >   fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
> >   fs_unmount_tmpfs(systemd_logind_t)
> >   
> > +logging_send_audit_msgs(systemd_logind_t)
> > +
> >   selinux_get_enforce_mode(systemd_logind_t)
> >   
> >   storage_getattr_removable_dev(systemd_logind_t)
> > @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
> >   
> >   auth_manage_faillog(systemd_logind_t)
> >   
> > +init_create_runtime_dirs(systemd_logind_t)
> >   init_dbus_send_script(systemd_logind_t)
> >   init_get_all_units_status(systemd_logind_t)
> >   init_get_system_status(systemd_logind_t)
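Review bot: init_create_runtime_dirs lets logind create directories inside init's runtime directory, which elogind needs because no pid1 creates the /run/systemd layout for it. Without a matching file transition, directories it creates there keep init's runtime type, so check that the subdirectories elogind makes are covered by existing systemd.fc entries or an explicit filetrans; otherwise they end up labeled as init runtime dirs and the existing systemd_logind_runtime_t and systemd_logind_inhibit_runtime_t rules will not apply to them.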
> > @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> >   userdom_setattr_user_ttys(systemd_logind_t)
> >   userdom_use_user_ttys(systemd_logind_t)
> >   
> > +tunable_policy(`use_nfs_home_dirs',`
> > +       fs_read_nfs_files(systemd_logind_t)
> > +')
> > +
> > +tunable_policy(`use_samba_home_dirs',`
> > +       fs_read_cifs_files(systemd_logind_t)
> > +')
> > +
> >   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> >   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> >   # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
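Review bot: the bodies of the two tunable_policy blocks are indented with spaces where the rest of systemd.te uses tabs; please match the file. Beyond style, it is not obvious why a login manager needs to read files on NFS or CIFS home directories at all; if this comes from elogind following a user-owned path under $HOME, a comment saying so would help, and if the access is only a probe a dontaudit inside the tunable is the safer choice.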
> > @@ -568,6 +589,10 @@ optional_policy(`
> >   	policykit_dbus_chat(systemd_logind_t)
> >   ')
> >   
> > +optional_policy(`
> > +	shutdown_domtrans(systemd_logind_t)
> > +')
> > +
> >   optional_policy(`
> >   	xserver_read_state(systemd_logind_t)
> >   	xserver_dbus_chat(systemd_logind_t)
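Review bot: shutdown_domtrans(systemd_logind_t) gives logind a direct path into the shutdown domain, which systemd-logind never takes (it asks pid1 over D-Bus), so this is an elogind-only rule for non-systemd inits and should be under ifndef(`init_systemd') or carry a comment. Worth keeping in mind for the rest of the series: every domain that gets systemd_dbus_chat_logind via auth_use_pam can now reach poweroff/reboot through elogind, with elogind's polkit check as the gate, so the policykit_dbus_chat in the context above is doing real work here.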
> > 
> 
> 
> -- 
> Chris PeBenito

Thread overview: 20+ messages
2019-12-24 10:10 Jason Zaman
2019-12-24 10:10 ` [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t Jason Zaman
2019-12-26 17:23   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 3/9] xserver: ICEauthority can be in /run/user Jason Zaman
2019-12-26 17:24   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock Jason Zaman
2019-12-26 17:24   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 5/9] dirmngr: accept unix stream socket Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 6/9] fstools: add zfs-auto-snapshot Jason Zaman
2019-12-26 17:06   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 7/9] chromium: allow dbus chat to inhibit power Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 9/9] virt: allow lvm_control access Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-26 17:03 ` [PATCH 1/9] systemd: Add elogind support Chris PeBenito
2019-12-28  4:35   ` Jason Zaman [this message]
2019-12-28 15:59     ` Dominick Grift
