From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch
Date: Fri, 5 Feb 2021 14:44:21 -0500	[thread overview]
Message-ID: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org> (raw)
In-Reply-To: <YBoZF4R5Pf4meO19@xev>

On 2/2/21 10:31 PM, Russell Coker wrote:
> Lots of little changes related to systemd.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 

> @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
>   
>   ######################################
>   ## <summary>
> +##     Watch systemd-logind runtime dirs
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`systemd_watch_logind_runtime_dir',`

systemd_watch_logind_runtime_dirs (plural)

> +	gen_require(`
> +		type systemd_logind_runtime_t;
> +	')
> +
> +	allow $1 systemd_logind_runtime_t:dir watch;
> +')
> +
> +######################################
> +## <summary>
>   ##   Use inherited systemd
>   ##   logind file descriptors.
>   ## </summary>
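Review bot: Granting only `dir watch` on systemd_logind_runtime_t is not enough on its own, because setting up the watch opens a path below /run/systemd and that traversal needs search on the parent runtime directories. The neighbouring logind runtime interfaces in this file presumably add that themselves (an `init_search_runtime($1)` call, if that is the helper they use); the new interface should match them rather than relying on the caller to have the search rule already. The same omission applies to systemd_watch_logind_sessions_dir and systemd_watch_machines_dir in the next two hunks.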
> @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
>   
>   ######################################
>   ## <summary>
> +##      Watch logind sessions dirs.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`systemd_watch_logind_sessions_dir',`

systemd_watch_logind_sessions_dirs (plural)

> +	gen_require(`
> +		type systemd_sessions_runtime_t;
> +	')
> +
> +	allow $1 systemd_sessions_runtime_t:dir watch;
> +')
> +
> +######################################
> +## <summary>
>   ##      Write inherited logind inhibit pipes.
>   ## </summary>
>   ## <param name="domain">
> @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
>   
>   ########################################
>   ## <summary>
> +##	Allow watching /run/systemd/machines
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain that can watch the machines files
> +##	</summary>
> +## </param>
> +#
> +interface(`systemd_watch_machines_dir',`

systemd_watch_machines_dirs (plural)

> +	gen_require(`
> +		type systemd_machined_runtime_t;
> +	')
> +
> +	allow $1 systemd_machined_runtime_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
>   ##   Send and receive messages from
>   ##   systemd hostnamed over dbus.
>   ## </summary>
> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',`
>   		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
>   	')
>   
> -	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
> +	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)

domtrans_pattern() is the standard pattern.  This change has no effect.



> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
> @@ -129,6 +129,7 @@ type systemd_logind_t;
>   type systemd_logind_exec_t;
>   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
>   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> +init_stream_connect(systemd_logind_t)
>   
>   type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
>   files_runtime_file(systemd_logind_inhibit_runtime_t)
> @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli
>   init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
>   manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
>   
> +kernel_read_kernel_sysctls(systemd_backlight_t)
> +
>   systemd_log_parse_environment(systemd_backlight_t)
>   
>   # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
> @@ -358,13 +361,15 @@ ifdef(`enable_mls',`
>   #
>   
>   allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
> -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
> +allow systemd_coredump_t self:unix_stream_socket connectto;
> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };

net_admin? That doesn't seem necessary for core dumping.


[...]
> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
>   
>   seutil_search_default_contexts(systemd_coredump_t)
>   
> +allow systemd_generator_t self:fifo_file rw_file_perms;
> +allow systemd_generator_t self:process setfscreate;
> +
> +allow systemd_generator_t self:capability dac_override;
> +allow systemd_generator_t self:tcp_socket create;
> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
> +
> +corecmd_exec_bin(systemd_generator_t)
> +corecmd_exec_shell(systemd_generator_t)
> +files_exec_etc_files(systemd_generator_t)
> +fs_getattr_cgroup(systemd_generator_t)
> +fs_getattr_tmpfs(systemd_generator_t)
> +fs_rw_tmpfs_files(systemd_generator_t)
> +miscfiles_read_localization(systemd_generator_t)
> +
> +optional_policy(`
> +	# for /lib/systemd/system-generators/openvpn-generator
> +	openvpn_read_config(systemd_generator_t)
> +')
> +
> +optional_policy(`
> +	# it runs postconf
> +	# maybe /lib/systemd/system-generators/postfix-instance-generator
> +	postfix_read_config(systemd_generator_t)
> +')

The systemd_generator_t rules need to move to proper places.



> @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
>   
>   kernel_read_kernel_sysctls(systemd_logind_t)
>   
> +auth_read_shadow(systemd_logind_t)

If this is necessary, it seems Debian specific.

[...]
> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>   # for /run/systemd/nspawn/incoming in chroot
>   allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>   
> +kernel_getattr_core_if(systemd_nspawn_t)
> +kernel_getattr_proc(systemd_nspawn_t)
> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
> +
>   kernel_mount_proc(systemd_nspawn_t)
>   kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>   kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>   kernel_mounton_message_if(systemd_nspawn_t)
>   kernel_mounton_proc(systemd_nspawn_t)
> +kernel_mounton_sysctl_files(systemd_nspawn_t)
> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)

With all of the mounting, perhaps we should consider coalescing on allowing it 
to mount on all init_mountpoint_types.

[..]
> @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
>   term_search_ptys(systemd_nspawn_t)
>   term_setattr_generic_ptys(systemd_nspawn_t)
>   term_use_ptmx(systemd_nspawn_t)
> +term_use_generic_ptys(systemd_nspawn_t)

Perhaps this should have a pty type?


> @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
>   # systemd-user-runtime-dir local policy
>   #
>   
> -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
> +allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };

sys_admin and mknod?  What is sys_admin used for; also,  I don't see any rules 
for creating devices.

>   allow systemd_user_runtime_dir_t self:process setfscreate;
>   
>   domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
>   
> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
> +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
> +
>   files_read_etc_files(systemd_user_runtime_dir_t)
>   
>   fs_mount_tmpfs(systemd_user_runtime_dir_t)
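Review bot: `dac_override` is listed twice in the rewritten capability set for systemd_user_runtime_dir_t; the policy compiler most likely tolerates the duplicate, but it reads as a copy/paste slip and makes the line harder to audit for what was actually added. The set should name each capability once, e.g. `allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search fowner mknod sys_admin };`. The three new manage/unlink rules on systemd_user_runtime_t and systemd_user_runtime_notify_t also carry no comment saying which operation needs them; a short comment above them naming the operation (presumably cleanup of the user runtime directory when the session ends — to be confirmed against the daemon) would help the next reviewer.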
> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r
>   seutil_libselinux_linked(systemd_user_runtime_dir_t)
>   
>   userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
> +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
>   userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
> +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
> +userdom_list_user_tmp(systemd_user_runtime_dir_t)
>   userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
>   userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
>   userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
> Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
> @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
>   
>   	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>   ')
> +
> +########################################
> +## <summary>
> +##	send dbus messages to dpkg_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_dbus_chat',`
> +	gen_require(`
> +		type dpkg_t;
> +	')
> +
> +	allow $1 dpkg_t:dbus send_msg;
> +')

I'd prefer that the dbus chat interfaces are provided by the server process' domain.


-- 
Chris PeBenito
