SELinux-Refpolicy Archive on lore.kernel.org
From: Dominick Grift <dac.override@gmail.com>
To: Jason Zaman <jason@perfinion.com>
Cc: Chris PeBenito <pebenito@ieee.org>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 1/9] systemd: Add elogind support
Date: Sat, 28 Dec 2019 16:59:21 +0100
Message-ID: <20191228155921.GA2360617@brutus.lan>
In-Reply-To: <20191228043504.GA38088@baraddur.perfinion.com>

On Sat, Dec 28, 2019 at 12:35:04PM +0800, Jason Zaman wrote:
> On Thu, Dec 26, 2019 at 12:03:32PM -0500, Chris PeBenito wrote:
> > On 12/24/19 5:10 AM, Jason Zaman wrote:
> > > Elogind is based off systemd-logind extracted to stand alone.
> > 
> > I'm not a fan of this.  Systemd is already a big mess of permissions by 
> > itself, and I'm reluctant to add even more to it to support something else.
> 
> I'm not super happy about it either. I tried to make elogind_t
> standalone originally. It didn't end up working that well cuz it really
> *is* systemd-logind, just without systemd as pid1. The problem is all
> the paths are the same, everything in /run and /var and all that gets
> used exactly the same, so the fcontexts would conflict. A lot of the
> perms I ended up adding seem like things that systemd-logind should be
> able to do anyway too (like purging tmp to clean up /run/user when
> people logout, or sending audit logs) or do these things end up done by
> pid1 instead if it's systemd?
> 
> It's a similar issue to how tmpfiles works on gentoo. We made a policy
> for opentmpfiles (originally in openrc) then later the systemd policy in
> upstream refpol added systemd-tmpfiles. I've had to ifndef init_systemd
> around those fcontexts and it kind of works but it's pretty awkward and
> makes switching between openrc/systemd more annoying than it should be.
> 
> I'd be up for modularizing systemd.te if it'd make things easier but I'm
> not completely sure how. I see a few different parts that need to be
> handled carefully: 1) the paths on disk, these should ideally be the
> same for all the implementations of things. 2) the daemons themselves,
> these could be the same or different domains, makes little difference. 3)
> how other programs interact with the daemons. I'm not really sure
> duplicating perms in every other policy is the right way to go? Like
> everything would have to call both systemd_logind_foo() and
> elogind_foo()?
> 
> If you have better ideas how to approach this, I'm all ears :)

I guess there are two options here. Either make your elogind module depend on whatever module has the types declared that need to be used by both logind and elogind (less optimal but less intrusive), or strip the "shared" types from the module that currently has them declared and declare them in a separate "shared" module so that both logind and elogind can tap into that (would require some refactoring but should be doable and be more optimal I suspect).

The same would apply to tmpfiles I gather.

> 
> -- Jason
> 
> 
> > 
> > 
> > > Signed-off-by: Jason Zaman <jason@perfinion.com>
> > > ---
> > >   policy/modules/admin/sudo.if       |  2 ++
> > >   policy/modules/system/authlogin.if |  5 +++++
> > >   policy/modules/system/systemd.fc   |  5 +++++
> > >   policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
> > >   4 files changed, 38 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> > > index c1459364..4f08af28 100644
> > > --- a/policy/modules/admin/sudo.if
> > > +++ b/policy/modules/admin/sudo.if
> > > @@ -159,6 +159,8 @@ template(`sudo_role_template',`
> > >   
> > >   	optional_policy(`
> > >   		dbus_system_bus_client($1_sudo_t)
> > > +		systemd_dbus_chat_logind($1_sudo_t)
> > > +		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
> > >   
> > >   		ifdef(`init_systemd',`
> > >   			init_dbus_chat($1_sudo_t)
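
Review bot: The two systemd_* calls are added to the same optional_policy block as dbus_system_bus_client($1_sudo_t), so that existing D-Bus client rule now also depends on the systemd module being available; when it is not, the whole block is dropped. Give the new calls their own nested optional_policy inside this block, as the authlogin.if change in this patch does.
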
> > > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > > index c16748f2..83837458 100644
> > > --- a/policy/modules/system/authlogin.if
> > > +++ b/policy/modules/system/authlogin.if
> > > @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
> > >   		optional_policy(`
> > >   			fprintd_dbus_chat($1)
> > >   		')
> > > +
> > > +		optional_policy(`
> > > +			systemd_dbus_chat_logind($1)
> > > +			systemd_write_inherited_logind_sessions_pipes($1)
> > > +		')
> > >   	')
> > >   
> > >   	optional_policy(`
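
Review bot: Because this block sits inside auth_use_pam, every domain that calls the interface gains D-Bus chat with logind and write access to inherited logind session pipes. Add a comment above the optional_policy saying which PAM step needs the access, so the scope of the grant is documented. The same pair is also added for $1_sudo_t in sudo.if, which looks redundant if that domain already calls auth_use_pam.
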
> > > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> > > index 607b1d88..e6831465 100644
> > > --- a/policy/modules/system/systemd.fc
> > > +++ b/policy/modules/system/systemd.fc
> > > @@ -16,6 +16,10 @@
> > >   /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> > >   /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
> > >   
> > > +/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +
> > >   # Systemd generators
> > >   /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> > >   
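
Review bot: All three elogind paths receive systemd_logind_exec_t, so elogind-cgroups-agent and elogind-uaccess-command become entry points of the logind domain alongside the daemon itself. With init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) in systemd.te, init would transition into systemd_logind_t when executing either helper. If they are only run by the daemon, a non-entrypoint label is the narrower choice; otherwise add a comment stating that they are meant to run as systemd_logind_t.
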
> > > @@ -56,6 +60,7 @@
> > >   /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
> > >   
> > >   /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > > +/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
> > >   /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > >   
> > >   /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> > > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > > index 1422d8e2..f13b7252 100644
> > > --- a/policy/modules/system/systemd.te
> > > +++ b/policy/modules/system/systemd.te
> > > @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
> > >   
> > >   type systemd_logind_t;
> > >   type systemd_logind_exec_t;
> > > +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
> > >   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> > >   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> > >   
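
Review bot: dbus_system_domain(systemd_logind_t, systemd_logind_exec_t) is called at top level rather than inside optional_policy, and it applies to systemd-logind as well as elogind. If bus activation is only needed when elogind is started by the system bus, wrap the call in optional_policy and say so in a comment; the commit message does not explain it.
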
> > > @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
> > >   type systemd_logind_runtime_t alias systemd_logind_var_run_t;
> > >   files_pid_file(systemd_logind_runtime_t)
> > >   init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> > > +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
> > >   
> > >   type systemd_logind_var_lib_t;
> > >   files_type(systemd_logind_var_lib_t)
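
Review bot: The name argument in init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind") does not match the file context added in systemd.fc, which labels /run/elogind\.pid. A named transition matches the exact file name, so this should probably read "elogind.pid".
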
> > > @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
> > >   # Logind local policy
> > >   #
> > >   
> > > -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> > > +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
> > >   allow systemd_logind_t self:process { getcap setfscreate };
> > >   allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> > >   allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
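
Review bot: fsetid and sys_resource are added to the capability set of systemd_logind_t with no indication of which operation needs them, and the rule is shared with systemd-logind. Please record the denial or code path behind each capability in the commit message, and if only elogind needs them, put them in a separate allow rule with a comment instead of widening the existing one.
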
> > > @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> > >   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> > >   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> > >   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> > > +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> > > +
> > > +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
> > >   
> > >   manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> > >   manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
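
Review bot: files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file) has no name argument, so every regular file logind creates directly in the pid directory gets systemd_logind_runtime_t. The only new file in systemd.fc is /run/elogind\.pid, so pass that file name to keep the transition narrow. The create_dirs_pattern on systemd_machined_runtime_t also needs a comment explaining why logind creates directories of machined's type.
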
> > > @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
> > >   
> > >   kernel_read_kernel_sysctls(systemd_logind_t)
> > >   
> > > +auth_write_login_records(systemd_logind_t)
> > > +
> > >   dev_getattr_dri_dev(systemd_logind_t)
> > >   dev_getattr_generic_usb_dev(systemd_logind_t)
> > >   dev_getattr_kvm_dev(systemd_logind_t)
> > > @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
> > >   
> > >   domain_obj_id_change_exemption(systemd_logind_t)
> > >   
> > > +files_purge_tmp(systemd_logind_t)
> > >   files_read_etc_files(systemd_logind_t)
> > >   files_search_pids(systemd_logind_t)
> > >   
> > >   fs_getattr_cgroup(systemd_logind_t)
> > > +fs_manage_cgroup_dirs(systemd_logind_t)
> > > +fs_manage_cgroup_files(systemd_logind_t)
> > >   fs_getattr_tmpfs(systemd_logind_t)
> > >   fs_getattr_tmpfs_dirs(systemd_logind_t)
> > >   fs_list_tmpfs(systemd_logind_t)
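
Review bot: files_purge_tmp(systemd_logind_t) is wider than the need described in the thread, which is cleaning up /run/user when people log out; it is not scoped to user runtime directories. Prefer an interface limited to the user runtime types if one fits. Separately, fs_manage_cgroup_dirs and fs_manage_cgroup_files are inserted between fs_getattr_cgroup and fs_getattr_tmpfs, which breaks the sorted order of this list.
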
> > > @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
> > >   fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
> > >   fs_unmount_tmpfs(systemd_logind_t)
> > >   
> > > +logging_send_audit_msgs(systemd_logind_t)
> > > +
> > >   selinux_get_enforce_mode(systemd_logind_t)
> > >   
> > >   storage_getattr_removable_dev(systemd_logind_t)
> > > @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
> > >   
> > >   auth_manage_faillog(systemd_logind_t)
> > >   
> > > +init_create_runtime_dirs(systemd_logind_t)
> > >   init_dbus_send_script(systemd_logind_t)
> > >   init_get_all_units_status(systemd_logind_t)
> > >   init_get_system_status(systemd_logind_t)
> > > @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> > >   userdom_setattr_user_ttys(systemd_logind_t)
> > >   userdom_use_user_ttys(systemd_logind_t)
> > >   
> > > +tunable_policy(`use_nfs_home_dirs',`
> > > +       fs_read_nfs_files(systemd_logind_t)
> > > +')
> > > +
> > > +tunable_policy(`use_samba_home_dirs',`
> > > +       fs_read_cifs_files(systemd_logind_t)
> > > +')
> > > +
> > >   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> > >   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> > >   # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
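
Review bot: The bodies of both tunable_policy blocks are indented with spaces, while the other additions in this patch (for example shutdown_domtrans inside its optional_policy) are indented with a tab; please switch to tabs. It is also worth stating why logind reads files on NFS and CIFS home directories, since the commit message does not cover it.
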
> > > @@ -568,6 +589,10 @@ optional_policy(`
> > >   	policykit_dbus_chat(systemd_logind_t)
> > >   ')
> > >   
> > > +optional_policy(`
> > > +	shutdown_domtrans(systemd_logind_t)
> > > +')
> > > +
> > >   optional_policy(`
> > >   	xserver_read_state(systemd_logind_t)
> > >   	xserver_dbus_chat(systemd_logind_t)
> > > 
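
Review bot: shutdown_domtrans(systemd_logind_t) is granted wherever this module and the shutdown module are both present, including systems where systemd is pid 1. If the transition is only needed because elogind performs poweroff and reboot itself (an assumption; the commit message does not say), guard it with ifndef(`init_systemd', ...) and add a one-line comment.
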
> > 
> > 
> > -- 
> > Chris PeBenito

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
