SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v2] Allow systemd to getattr configfile
@ 2020-01-13 18:27 Sugar, David
  2020-01-21 13:42 ` Chris PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Sugar, David @ 2020-01-13 18:27 UTC (permalink / raw)
  To: selinux-refpolicy

v2 update - rework, creating interface 'init_systemd_conditional'
as suggested.  This grants getattr access to the type provided.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/chronyd.te |  2 ++
 policy/modules/system/init.if      | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 5e680d39..7ae8bb5a 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
 chronyd_dgram_send_cli(chronyd_t)
 chronyd_read_config(chronyd_t)
 
+init_systemd_conditional(chronyd_conf_t)
+
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
 ')
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 62ab4da8..5a0a78bf 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
 
+
+########################################
+## <summary>
+##      Allow init_t getattr permissions.  Generally
+##      needed for types that are used in a Condition
+##      predicate.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      type accessible by init_t
+##      </summary>
+## </param>
+#
+interface(`init_systemd_conditional',`
+	gen_require(`
+		type init_t;
+	')
+	allow init_t $1:dir search_dir_perms;
+	allow init_t $1:lnk_file read_lnk_file_perms;
+	allow init_t $1:fifo_file getattr_fifo_file_perms;
+	allow init_t $1:sock_file getattr_sock_file_perms;
+	allow init_t $1:file getattr_file_perms;
+	allow init_t $1:blk_file getattr_blk_file_perms;
+	allow init_t $1:chr_file getattr_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##      Allow unconfined access to send instructions to init
-- 
2.24.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] Allow systemd to getattr configfile
  2020-01-13 18:27 [PATCH v2] Allow systemd to getattr configfile Sugar, David
@ 2020-01-21 13:42 ` Chris PeBenito
  2020-01-21 14:22   ` Sugar, David
  0 siblings, 1 reply; 4+ messages in thread
From: Chris PeBenito @ 2020-01-21 13:42 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 1/13/20 1:27 PM, Sugar, David wrote:
> v2 update - rework, creating interface 'init_systemd_conditional'
> as suggested.  This grants getattr access to the type provided.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/chronyd.te |  2 ++
>   policy/modules/system/init.if      | 26 ++++++++++++++++++++++++++
>   2 files changed, 28 insertions(+)
> 
> diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
> index 5e680d39..7ae8bb5a 100644
> --- a/policy/modules/services/chronyd.te
> +++ b/policy/modules/services/chronyd.te
> @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
>   chronyd_dgram_send_cli(chronyd_t)
>   chronyd_read_config(chronyd_t)
>   
> +init_systemd_conditional(chronyd_conf_t)
> +
>   optional_policy(`
>   	gpsd_rw_shm(chronyd_t)
>   ')
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 62ab4da8..5a0a78bf 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
>   	allow $1 { init_script_file_type systemdunit }:service reload;
>   ')
>   
> +
> +########################################
> +## <summary>
> +##      Allow init_t getattr permissions.  Generally
> +##      needed for types that are used in a Condition
> +##      predicate.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      type accessible by init_t
> +##      </summary>
> +## </param>
> +#
> +interface(`init_systemd_conditional',`

systemd_ConditionPath is a more preferable name.


> +	gen_require(`
> +		type init_t;
> +	')
> +	allow init_t $1:dir search_dir_perms;
> +	allow init_t $1:lnk_file read_lnk_file_perms;
> +	allow init_t $1:fifo_file getattr_fifo_file_perms;
> +	allow init_t $1:sock_file getattr_sock_file_perms;
> +	allow init_t $1:file getattr_file_perms;
> +	allow init_t $1:blk_file getattr_blk_file_perms;
> +	allow init_t $1:chr_file getattr_chr_file_perms;
> +')
> +
>   ########################################
>   ## <summary>
>   ##      Allow unconfined access to send instructions to init
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] Allow systemd to getattr configfile
  2020-01-21 13:42 ` Chris PeBenito
@ 2020-01-21 14:22   ` Sugar, David
  2020-01-22 10:41     ` Chris PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Sugar, David @ 2020-01-21 14:22 UTC (permalink / raw)
  To: Chris PeBenito, selinux-refpolicy



On 1/21/20 8:42 AM, Chris PeBenito wrote:
> On 1/13/20 1:27 PM, Sugar, David wrote:
>> v2 update - rework, creating interface 'init_systemd_conditional'
>> as suggested.  This grants getattr access to the type provided.
>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/services/chronyd.te |  2 ++
>>   policy/modules/system/init.if      | 26 ++++++++++++++++++++++++++
>>   2 files changed, 28 insertions(+)
>>
>> diff --git a/policy/modules/services/chronyd.te 
>> b/policy/modules/services/chronyd.te
>> index 5e680d39..7ae8bb5a 100644
>> --- a/policy/modules/services/chronyd.te
>> +++ b/policy/modules/services/chronyd.te
>> @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
>>   chronyd_dgram_send_cli(chronyd_t)
>>   chronyd_read_config(chronyd_t)
>> +init_systemd_conditional(chronyd_conf_t)
>> +
>>   optional_policy(`
>>       gpsd_rw_shm(chronyd_t)
>>   ')
>> diff --git a/policy/modules/system/init.if 
>> b/policy/modules/system/init.if
>> index 62ab4da8..5a0a78bf 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
>>       allow $1 { init_script_file_type systemdunit }:service reload;
>>   ')
>> +
>> +########################################
>> +## <summary>
>> +##      Allow init_t getattr permissions.  Generally
>> +##      needed for types that are used in a Condition
>> +##      predicate.
>> +## </summary>
>> +## <param name="domain">
>> +##      <summary>
>> +##      type accessible by init_t
>> +##      </summary>
>> +## </param>
>> +#
>> +interface(`init_systemd_conditional',`
> 
> systemd_ConditionPath is a more preferable name.
> 

I'm a little confused about the suggested name.  I think this interface 
belongs in init.if due to the requiring of init_t.  Due to this, I think 
it should have the init_ prefix.  I also don't think there are any camel 
case interface names.

Is the name 'init_systemd_condition_path' acceptable?  Or are some of my 
assumptions wrong?

> 
>> +    gen_require(`
>> +        type init_t;
>> +    ')
>> +    allow init_t $1:dir search_dir_perms;
>> +    allow init_t $1:lnk_file read_lnk_file_perms;
>> +    allow init_t $1:fifo_file getattr_fifo_file_perms;
>> +    allow init_t $1:sock_file getattr_sock_file_perms;
>> +    allow init_t $1:file getattr_file_perms;
>> +    allow init_t $1:blk_file getattr_blk_file_perms;
>> +    allow init_t $1:chr_file getattr_chr_file_perms;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##      Allow unconfined access to send instructions to init
>>
> 
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] Allow systemd to getattr configfile
  2020-01-21 14:22   ` Sugar, David
@ 2020-01-22 10:41     ` Chris PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Chris PeBenito @ 2020-01-22 10:41 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 1/21/20 9:22 AM, Sugar, David wrote:
> On 1/21/20 8:42 AM, Chris PeBenito wrote:
>> On 1/13/20 1:27 PM, Sugar, David wrote:
>>> v2 update - rework, creating interface 'init_systemd_conditional'
>>> as suggested.  This grants getattr access to the type provided.
>>>
>>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>>> ---
>>>    policy/modules/services/chronyd.te |  2 ++
>>>    policy/modules/system/init.if      | 26 ++++++++++++++++++++++++++
>>>    2 files changed, 28 insertions(+)
>>>
>>> diff --git a/policy/modules/services/chronyd.te
>>> b/policy/modules/services/chronyd.te
>>> index 5e680d39..7ae8bb5a 100644
>>> --- a/policy/modules/services/chronyd.te
>>> +++ b/policy/modules/services/chronyd.te
>>> @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
>>>    chronyd_dgram_send_cli(chronyd_t)
>>>    chronyd_read_config(chronyd_t)
>>> +init_systemd_conditional(chronyd_conf_t)
>>> +
>>>    optional_policy(`
>>>        gpsd_rw_shm(chronyd_t)
>>>    ')
>>> diff --git a/policy/modules/system/init.if
>>> b/policy/modules/system/init.if
>>> index 62ab4da8..5a0a78bf 100644
>>> --- a/policy/modules/system/init.if
>>> +++ b/policy/modules/system/init.if
>>> @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
>>>        allow $1 { init_script_file_type systemdunit }:service reload;
>>>    ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +##      Allow init_t getattr permissions.  Generally
>>> +##      needed for types that are used in a Condition
>>> +##      predicate.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##      <summary>
>>> +##      type accessible by init_t
>>> +##      </summary>
>>> +## </param>
>>> +#
>>> +interface(`init_systemd_conditional',`
>>
>> systemd_ConditionPath is a more preferable name.
>>
> 
> I'm a little confused about the suggested name.  I think this interface
> belongs in init.if due to the requiring of init_t.  Due to this, I think
> it should have the init_ prefix.  I also don't think there are any camel
> case interface names.
> 
> Is the name 'init_systemd_condition_path' acceptable?  Or are some of my
> assumptions wrong?

No, you're right, my mistake.  However, this makes me reconsider the 
previous discussion on this.  Is it really an issue for systemd to be 
able to getattr all files?  Condition* works in many cases already since 
systemd already has lots of access all over the filesystem.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-13 18:27 [PATCH v2] Allow systemd to getattr configfile Sugar, David
2020-01-21 13:42 ` Chris PeBenito
2020-01-21 14:22   ` Sugar, David
2020-01-22 10:41     ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git