selinux-refpolicy.vger.kernel.org archive mirror
* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
@ 2017-12-15 21:48 Nicolas Iooss
  2017-12-16 10:00 ` Dominick Grift
  2017-12-17 20:29 ` Chris PeBenito
  0 siblings, 2 replies; 8+ messages in thread
From: Nicolas Iooss @ 2017-12-15 21:48 UTC (permalink / raw)
  To: refpolicy

systemd defines in /usr/lib/systemd several directories which can
contain scripts or executable files:
- system-environment-generators/ and user-environment-generators/
  documented in
  https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
- system-shutdown/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
- system-sleep/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html

Currently the content of these directories is labelled lib_t, which
causes the following AVC on Arch Linux:

    avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
    path="/usr/lib/systemd/system-environment-generators/10-arch"
    dev="vda1" ino=543182 scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:lib_t tclass=file permissive=1

For information /usr/lib/systemd/system-environment-generators/10-arch
only defines $PATH and its content is available on
https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
---
 policy/modules/kernel/corecommands.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index c2b93ecf5039..f2e4f5118d5f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -221,7 +221,11 @@ ifdef(`distro_gentoo',`
 /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/systemd/systemd.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-shutdown(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-sleep(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
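Review bot: the commit message records the denial but not the behavioural change these four entries make. Once the paths are bin_t, PID 1 no longer runs the scripts in init_t (the scontext of the quoted AVC) but, like the neighbouring system-generators and user-generators entries, through a transition into initrc_t; a sentence stating that initrc_t is the intended domain would make that choice reviewable and record why the entries mirror the existing generator lines. Separately, the user-environment-generators entry is added without a corresponding denial in the message; noting that it is labelled for symmetry with the user-generators line right below it would make that intent explicit.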
-- 
2.15.0


* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
  2017-12-15 21:48 [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t Nicolas Iooss
@ 2017-12-16 10:00 ` Dominick Grift
  2017-12-17 20:33   ` Chris PeBenito
  2017-12-17 20:29 ` Chris PeBenito
  1 sibling, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2017-12-16 10:00 UTC (permalink / raw)
  To: refpolicy

On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
> systemd defines in /usr/lib/systemd several directories which can
> contain scripts or executable files:
> - system-environment-generators/ and user-environment-generators/
>   documented in
>   https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
> - system-shutdown/ documented in
>   https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
> - system-sleep/ documented in
>   https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
> 
> Currently the content of these directories is labelled lib_t, which
> causes the following AVC on Arch Linux:
> 
>     avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
>     path="/usr/lib/systemd/system-environment-generators/10-arch"
>     dev="vda1" ino=543182 scontext=system_u:system_r:init_t
>     tcontext=system_u:object_r:lib_t tclass=file permissive=1

Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not, be what you want.

In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.

Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;

It's a matter of taste, subjective.

> 
> For information /usr/lib/systemd/system-environment-generators/10-arch
> only defines $PATH and its content is available on
> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
> ---
>  policy/modules/kernel/corecommands.fc | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index c2b93ecf5039..f2e4f5118d5f 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',`
>  /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/lib/systemd/systemd.*	--	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/systemd/system-shutdown(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/systemd/system-sleep(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
> -- 
> 2.15.0
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
  2017-12-15 21:48 [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t Nicolas Iooss
  2017-12-16 10:00 ` Dominick Grift
@ 2017-12-17 20:29 ` Chris PeBenito
  1 sibling, 0 replies; 8+ messages in thread
From: Chris PeBenito @ 2017-12-17 20:29 UTC (permalink / raw)
  To: refpolicy

On 12/15/2017 04:48 PM, Nicolas Iooss via refpolicy wrote:
> systemd defines in /usr/lib/systemd several directories which can
> contain scripts or executable files:
> - system-environment-generators/ and user-environment-generators/
>    documented in
>    https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
> - system-shutdown/ documented in
>    https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
> - system-sleep/ documented in
>    https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
> 
> Currently the content of these directories is labelled lib_t, which
> causes the following AVC on Arch Linux:
> 
>      avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
>      path="/usr/lib/systemd/system-environment-generators/10-arch"
>      dev="vda1" ino=543182 scontext=system_u:system_r:init_t
>      tcontext=system_u:object_r:lib_t tclass=file permissive=1
> 
> For information /usr/lib/systemd/system-environment-generators/10-arch
> only defines $PATH and its content is available on
> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
> ---
>   policy/modules/kernel/corecommands.fc | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index c2b93ecf5039..f2e4f5118d5f 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',`
>   /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
>   /usr/lib/systemd/systemd.*	--	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/systemd/system-shutdown(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/systemd/system-sleep(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
  2017-12-16 10:00 ` Dominick Grift
@ 2017-12-17 20:33   ` Chris PeBenito
  2017-12-20 16:33     ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2017-12-17 20:33 UTC (permalink / raw)
  To: refpolicy

On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote:
> On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
>> systemd defines in /usr/lib/systemd several directories which can
>> contain scripts or executable files:
>> - system-environment-generators/ and user-environment-generators/
>>    documented in
>>    https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
>> - system-shutdown/ documented in
>>    https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
>> - system-sleep/ documented in
>>    https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
>>
>> Currently the content of these directories is labelled lib_t, which
>> causes the following AVC on Arch Linux:
>>
>>      avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
>>      path="/usr/lib/systemd/system-environment-generators/10-arch"
>>      dev="vda1" ino=543182 scontext=system_u:system_r:init_t
>>      tcontext=system_u:object_r:lib_t tclass=file permissive=1
> 
> Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not, be what you want.
> 
> In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.
> 
> Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
> 
> It's a matter of taste, subjective.

I don't think it's as subjective as you think.  It keeps init_t from 
getting extra permissions over time which PID 1 doesn't need.  initrc_t 
gets big, yes, but those are short-running processes, while init_t is 
long-running.


>> For information /usr/lib/systemd/system-environment-generators/10-arch
>> only defines $PATH and its content is available on
>> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
>> ---
>>   policy/modules/kernel/corecommands.fc | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
>> index c2b93ecf5039..f2e4f5118d5f 100644
>> --- a/policy/modules/kernel/corecommands.fc
>> +++ b/policy/modules/kernel/corecommands.fc
>> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',`
>>   /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>>   /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
>>   /usr/lib/systemd/systemd.*	--	gen_context(system_u:object_r:bin_t,s0)
>> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>>   /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>> +/usr/lib/systemd/system-shutdown(/.*)?	gen_context(system_u:object_r:bin_t,s0)
>> +/usr/lib/systemd/system-sleep(/.*)?	gen_context(system_u:object_r:bin_t,s0)
>> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
>>   /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
>>   /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
>>   /usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)


-- 
Chris PeBenito


* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
  2017-12-17 20:33   ` Chris PeBenito
@ 2017-12-20 16:33     ` Dominick Grift
  2017-12-20 16:41       ` Dominick Grift
  2017-12-20 16:44       ` Chris PeBenito
  0 siblings, 2 replies; 8+ messages in thread
From: Dominick Grift @ 2017-12-20 16:33 UTC (permalink / raw)
  To: refpolicy

On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote:
> On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote:
> > On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
> >> systemd defines in /usr/lib/systemd several directories which can
> >> contain scripts or executable files:
> >> - system-environment-generators/ and user-environment-generators/
> >>    documented in
> >>    https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
> >> - system-shutdown/ documented in
> >>    https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
> >> - system-sleep/ documented in
> >>    https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
> >>
> >> Currently the content of these directories is labelled lib_t, which
> >> causes the following AVC on Arch Linux:
> >>
> >>      avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
> >>      path="/usr/lib/systemd/system-environment-generators/10-arch"
> >>      dev="vda1" ino=543182 scontext=system_u:system_r:init_t
> >>      tcontext=system_u:object_r:lib_t tclass=file permissive=1
> > 
> > Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not, be what you want.
> > 
> > In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.
> > 
> > Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
> > 
> > It's a matter of taste, subjective.
> 
> I don't think it's as subjective as you think.  It keeps init_t from 
> getting extra permissions over time which PID 1 doesn't need.  initrc_t 
> gets big, yes, but those are short-running processes, while init_t is 
> long-running.

Yes, except in practice it does not:

take:

cat /usr/lib/systemd/system-shutdown/mdadm.shutdown
#!/bin/sh
# We need to ensure all md arrays with external metadata
# (e.g. IMSM, DDF) are clean before completing the shutdown.
/usr/sbin/mdadm --wait-clean --scan

If you run the above in initrc_t then mdadm has free rein; if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t.

> 
> 
> >> For information /usr/lib/systemd/system-environment-generators/10-arch
> >> only defines $PATH and its content is available on
> >> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
> >> ---
> >>   policy/modules/kernel/corecommands.fc | 4 ++++
> >>   1 file changed, 4 insertions(+)
> >>
> >> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> >> index c2b93ecf5039..f2e4f5118d5f 100644
> >> --- a/policy/modules/kernel/corecommands.fc
> >> +++ b/policy/modules/kernel/corecommands.fc
> >> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',`
> >>   /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
> >>   /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
> >>   /usr/lib/systemd/systemd.*	--	gen_context(system_u:object_r:bin_t,s0)
> >> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >>   /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >> +/usr/lib/systemd/system-shutdown(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> >> +/usr/lib/systemd/system-sleep(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> >> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >>   /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> >>   /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
> >>   /usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
> 
> 
> -- 
> Chris PeBenito

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
  2017-12-20 16:33     ` Dominick Grift
@ 2017-12-20 16:41       ` Dominick Grift
  2017-12-20 16:44       ` Chris PeBenito
  1 sibling, 0 replies; 8+ messages in thread
From: Dominick Grift @ 2017-12-20 16:41 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 20, 2017 at 05:33:23PM +0100, Dominick Grift wrote:
> On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote:
> > On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote:
> > > On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
> > >> systemd defines in /usr/lib/systemd several directories which can
> > >> contain scripts or executable files:
> > >> - system-environment-generators/ and user-environment-generators/
> > >>    documented in
> > >>    https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
> > >> - system-shutdown/ documented in
> > >>    https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
> > >> - system-sleep/ documented in
> > >>    https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
> > >>
> > >> Currently the content of these directories is labelled lib_t, which
> > >> causes the following AVC on Arch Linux:
> > >>
> > >>      avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
> > >>      path="/usr/lib/systemd/system-environment-generators/10-arch"
> > >>      dev="vda1" ino=543182 scontext=system_u:system_r:init_t
> > >>      tcontext=system_u:object_r:lib_t tclass=file permissive=1
> > > 
> > > Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not, be what you want.
> > > 
> > > In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.
> > > 
> > > Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
> > > 
> > > It's a matter of taste, subjective.
> > 
> > I don't think it's as subjective as you think.  It keeps init_t from 
> > getting extra permissions over time which PID 1 doesn't need.  initrc_t 
> > gets big, yes, but those are short-running processes, while init_t is 
> > long-running.
> 
> Yes, except in practice it does not:
> 
> take:
> 
> cat /usr/lib/systemd/system-shutdown/mdadm.shutdown
> #!/bin/sh
> # We need to ensure all md arrays with external metadata
> # (e.g. IMSM, DDF) are clean before completing the shutdown.
> /usr/sbin/mdadm --wait-clean --scan
> 
> If you run the above in initrc_t then mdadm has free rein; if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t.

Actually 's/systemd/systemd-shutdown/', but in refpolicy's case it does not matter since systemd-shutdown_t runs in init_t.

> 
> > 
> > 
> > >> For information /usr/lib/systemd/system-environment-generators/10-arch
> > >> only defines $PATH and its content is available on
> > >> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
> > >> ---
> > >>   policy/modules/kernel/corecommands.fc | 4 ++++
> > >>   1 file changed, 4 insertions(+)
> > >>
> > >> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> > >> index c2b93ecf5039..f2e4f5118d5f 100644
> > >> --- a/policy/modules/kernel/corecommands.fc
> > >> +++ b/policy/modules/kernel/corecommands.fc
> > >> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',`
> > >>   /usr/lib/ssh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
> > >>   /usr/lib/sudo/sesh		--	gen_context(system_u:object_r:shell_exec_t,s0)
> > >>   /usr/lib/systemd/systemd.*	--	gen_context(system_u:object_r:bin_t,s0)
> > >> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> > >>   /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> > >> +/usr/lib/systemd/system-shutdown(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> > >> +/usr/lib/systemd/system-sleep(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> > >> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> > >>   /usr/lib/systemd/user-generators(/.*)?	gen_context(system_u:object_r:bin_t,s0)
> > >>   /usr/lib/tumbler-1/tumblerd	--	gen_context(system_u:object_r:bin_t,s0)
> > >>   /usr/lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
> > 
> > 
> > -- 
> > Chris PeBenito
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
  2017-12-20 16:33     ` Dominick Grift
  2017-12-20 16:41       ` Dominick Grift
@ 2017-12-20 16:44       ` Chris PeBenito
  2017-12-20 16:56         ` Dominick Grift
  1 sibling, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2017-12-20 16:44 UTC (permalink / raw)
  To: refpolicy

On 12/20/2017 11:33 AM, Dominick Grift via refpolicy wrote:
> On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote:
>> On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote:
>>> On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
>>>> systemd defines in /usr/lib/systemd several directories which can
>>>> contain scripts or executable files:
>>>> - system-environment-generators/ and user-environment-generators/
>>>>     documented in
>>>>     https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
>>>> - system-shutdown/ documented in
>>>>     https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
>>>> - system-sleep/ documented in
>>>>     https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
>>>>
>>>> Currently the content of these directories is labelled lib_t, which
>>>> causes the following AVC on Arch Linux:
>>>>
>>>>       avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
>>>>       path="/usr/lib/systemd/system-environment-generators/10-arch"
>>>>       dev="vda1" ino=543182 scontext=system_u:system_r:init_t
>>>>       tcontext=system_u:object_r:lib_t tclass=file permissive=1
>>>
>>> Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not, be what you want.
>>>
>>> In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.
>>>
>>> Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
>>>
>>> It's a matter of taste, subjective.
>>
>> I don't think it's as subjective as you think.  It keeps init_t from
>> getting extra permissions over time which PID 1 doesn't need.  initrc_t
>> gets big, yes, but those are short-running processes, while init_t is
>> long-running.
> 
> Yes, except in practice it does not:
> 
> take:
> 
> cat /usr/lib/systemd/system-shutdown/mdadm.shutdown
> #!/bin/sh
> # We need to ensure all md arrays with external metadata
> # (e.g. IMSM, DDF) are clean before completing the shutdown.
> /usr/sbin/mdadm --wait-clean --scan
> 
> If you run the above in initrc_t then mdadm has free rein; if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t.

No.  The script transitions to initrc_t, and when the script execs 
mdadm, that process transitions to mdadm_t.

-- 
Chris PeBenito

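As an added worked model of the exchange above (not code from the thread, from systemd or from refpolicy): a minimal file_contexts matcher that decides which type a path gets under the entries in the patch, plus a lookup of the exec-time rules the thread names, used to trace mdadm.shutdown from PID 1 down to mdadm before the patch, with the patch, and with Dominick's helper type. The /usr/lib(/.*)? lib_t fallback, the type name mdadm_exec_t and the fc_sort-style specificity ordering are assumptions, not taken from the page.

```python
"""Added example, not code from the thread or from refpolicy: a small model of
file_contexts labelling plus the exec-time domain rules the thread names, used
to trace PID 1 running mdadm.shutdown and that script in turn running mdadm."""
import re

# The four entries added by the patch, copied from the hunk in the thread.
FC_PATCH = """
/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/systemd/system-shutdown(/.*)?  gen_context(system_u:object_r:bin_t,s0)
/usr/lib/systemd/system-sleep(/.*)?     gen_context(system_u:object_r:bin_t,s0)
/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
"""
# Context lines from the hunk plus an ASSUMED catch-all standing in for whatever
# labelled the rest of /usr/lib lib_t before the patch (that rule is not on the page).
FC_BEFORE = """
/usr/lib(/.*)?                          gen_context(system_u:object_r:lib_t,s0)
/usr/lib/systemd/systemd.*          --  gen_context(system_u:object_r:bin_t,s0)
/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/systemd/user-generators(/.*)?  gen_context(system_u:object_r:bin_t,s0)
"""
# Dominick's alternative: a dedicated type that init_t may execute without a transition.
FC_HELPER = "/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:systemd_helper_exec_t,s0)\n"

# An .fc line is:  regex  [file-type-spec]  gen_context(user:role:type,mls)
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?gen_context\(([^)]+)\)\s*$")
FILE_TYPE_SPEC = {"--": "file", "-d": "dir", "-l": "symlink"}  # the specs used here
REGEX_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def parse_fc(text):
    """Return (anchored regex, required file kind or None, type, literal stem length)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparseable file_contexts line: " + line)
        regex, spec, context = m.groups()
        meta = REGEX_META.search(regex)
        stem_len = meta.start() if meta else len(regex)  # literal prefix before any metachar
        ftype = context.split(",")[0].split(":")[2]      # user:role:TYPE,mls -> TYPE
        entries.append((re.compile("^" + regex + "$"),
                        FILE_TYPE_SPEC[spec] if spec else None, ftype, stem_len))
    return entries


def label(entries, path, kind="file"):
    """Type `path` gets: the most specific matching entry wins, modelled fc_sort-style
    by longest literal stem (a simplification); on a tie the later entry wins."""
    best = None
    for regex, want_kind, ftype, stem_len in entries:
        if want_kind not in (None, kind) or not regex.match(path):
            continue
        if best is None or stem_len >= best[1]:
            best = (ftype, stem_len)
    return best[0] if best else None


# Exec-time rules named in the thread: type_transition as (domain, exec type) -> new
# domain, and the (domain, exec type) pairs allowed to run without a transition.
TYPE_TRANSITION = {
    ("init_t", "bin_t"): "initrc_t",          # bin_t run from init_t lands in initrc_t
    ("initrc_t", "mdadm_exec_t"): "mdadm_t",  # "when the script execs mdadm ... mdadm_t"
    ("init_t", "mdadm_exec_t"): "mdadm_t",    # the transition Dominick expected from init_t
}
EXECUTE_NO_TRANS = {("init_t", "systemd_helper_exec_t")}  # Dominick's allow rule
MDADM_EXEC_TYPE = "mdadm_exec_t"  # ASSUMED type of /usr/sbin/mdadm; not named on the page


def exec_domain(source, exe_type):
    """Domain the new process runs in, or None when this fragment denies the exec
    (for lib_t that is the execute_no_trans AVC quoted in the thread)."""
    new = TYPE_TRANSITION.get((source, exe_type))
    if new is not None:
        return new
    return source if (source, exe_type) in EXECUTE_NO_TRANS else None


def trace_shutdown_script(fc_text, script="/usr/lib/systemd/system-shutdown/mdadm.shutdown"):
    """Chain of domains when PID 1 (init_t) runs the script and the script runs mdadm."""
    entries = parse_fc(fc_text)
    script_type = label(entries, script)
    script_domain = exec_domain("init_t", script_type)
    if script_domain is None:
        return ["init_t", "denied: execute_no_trans on " + str(script_type)]
    mdadm_domain = exec_domain(script_domain, MDADM_EXEC_TYPE)
    return ["init_t", script_domain, mdadm_domain or "denied"]


if __name__ == "__main__":
    for name, fc in (("before", FC_BEFORE), ("patched", FC_BEFORE + FC_PATCH),
                     ("helper", FC_BEFORE + FC_HELPER)):
        print(f"{name:8} {' -> '.join(trace_shutdown_script(fc))}")
```

The "before" trace reproduces the denial from the commit message, "patched" reproduces Chris's correction (init_t, then initrc_t, then mdadm_t), and "helper" shows the script staying in init_t while mdadm still ends up in mdadm_t.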

* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
  2017-12-20 16:44       ` Chris PeBenito
@ 2017-12-20 16:56         ` Dominick Grift
  0 siblings, 0 replies; 8+ messages in thread
From: Dominick Grift @ 2017-12-20 16:56 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 20, 2017 at 11:44:59AM -0500, Chris PeBenito via refpolicy wrote:
> On 12/20/2017 11:33 AM, Dominick Grift via refpolicy wrote:
> > On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote:
> >> On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote:
> >>> On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
> >>>> systemd defines in /usr/lib/systemd several directories which can
> >>>> contain scripts or executable files:
> >>>> - system-environment-generators/ and user-environment-generators/
> >>>>     documented in
> >>>>     https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
> >>>> - system-shutdown/ documented in
> >>>>     https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
> >>>> - system-sleep/ documented in
> >>>>     https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
> >>>>
> >>>> Currently the content of these directories is labelled lib_t, which
> >>>> causes the following AVC on Arch Linux:
> >>>>
> >>>>       avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
> >>>>       path="/usr/lib/systemd/system-environment-generators/10-arch"
> >>>>       dev="vda1" ino=543182 scontext=system_u:system_r:init_t
> >>>>       tcontext=system_u:object_r:lib_t tclass=file permissive=1
> >>>
> >>> Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not, be what you want.
> >>>
> >>> In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.
> >>>
> >>> Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
> >>>
> >>> It's a matter of taste, subjective.
> >>
> >> I don't think it's as subjective as you think.  It keeps init_t from
> >> getting extra permissions over time which PID 1 doesn't need.  initrc_t
> >> gets big, yes, but those are short-running processes, while init_t is
> >> long-running.
> > 
> > Yes, except in practice it does not:
> > 
> > take:
> > 
> > cat /usr/lib/systemd/system-shutdown/mdadm.shutdown
> > #!/bin/sh
> > # We need to ensure all md arrays with external metadata
> > # (e.g. IMSM, DDF) are clean before completing the shutdown.
> > /usr/sbin/mdadm --wait-clean --scan
> > 
> > If you run the above in initrc_t then mdadm has free rein; if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t.
> 
> No.  The script transitions to initrc_t, and when the script execs 
> mdadm, that process transitions to mdadm_t.

Yes, my bad, I overlooked that part.

> 
> -- 
> Chris PeBenito

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

