From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch
Date: Fri, 5 Feb 2021 14:44:21 -0500
Message-ID: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org>
In-Reply-To: <YBoZF4R5Pf4meO19@xev>
On 2/2/21 10:31 PM, Russell Coker wrote:
> Lots of little changes related to systemd.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
>
> ######################################
> ## <summary>
> +## Watch systemd-logind runtime dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_watch_logind_runtime_dir',`
systemd_watch_logind_runtime_dirs (plural)
> + gen_require(`
> + type systemd_logind_runtime_t;
> + ')
> +
> + allow $1 systemd_logind_runtime_t:dir watch;
> +')
> +
> +######################################
> +## <summary>
> ## Use inherited systemd
> ## logind file descriptors.
> ## </summary>
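Review bot: the summary line "## Watch systemd-logind runtime dirs" lacks the trailing period that the neighbouring summaries in this file carry ("## Use inherited systemd logind file descriptors."), and, as noted above, the refpolicy convention is the plural systemd_watch_logind_runtime_dirs. It is also worth stating in the interface doc that "allow $1 systemd_logind_runtime_t:dir watch;" is all this grants: a caller setting up an inotify watch still needs search and getattr on that directory from a separate interface.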
> @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
>
> ######################################
> ## <summary>
> +## Watch logind sessions dirs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_watch_logind_sessions_dir',`
systemd_watch_logind_sessions_dirs (plural)
> + gen_require(`
> + type systemd_sessions_runtime_t;
> + ')
> +
> + allow $1 systemd_sessions_runtime_t:dir watch;
> +')
> +
> +######################################
> +## <summary>
> ## Write inherited logind inhibit pipes.
> ## </summary>
> ## <param name="domain">
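Review bot: the name in "interface(`systemd_watch_logind_sessions_dir',`" should follow the same plural form as the other watch interfaces, and the summary reads better as "Watch systemd-logind session runtime dirs." so that it matches the systemd_sessions_runtime_t type it grants watch on; a short <desc> naming the directory that type labels would also help callers pick between this and the logind runtime interface.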
> @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
>
> ########################################
> ## <summary>
> +## Allow watching /run/systemd/machines
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain that can watch the machines files
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_watch_machines_dir',`
systemd_watch_machines_dirs (plural)
> + gen_require(`
> + type systemd_machined_runtime_t;
> + ')
> +
> + allow $1 systemd_machined_runtime_t:dir watch;
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive messages from
> ## systemd hostnamed over dbus.
> ## </summary>
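Review bot: the <param> summary "Domain that can watch the machines files" departs from the standard "Domain allowed access." used by the two new watch interfaces earlier in this patch, and it says "files" while the rule "allow $1 systemd_machined_runtime_t:dir watch;" grants watch on the directory only. Suggest "## Watch systemd-machined runtime dirs." for the summary, "Domain allowed access." for the parameter, and the plural interface name the comment above asks for.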
> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',`
> type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
> ')
>
> - domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
> + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
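Review bot: the commit message gives no reason for replacing domtrans_pattern with domain_auto_transition_pattern in systemd_run_passwd_agent, and the two are not interchangeable in refpolicy: domtrans_pattern expands to domain_auto_transition_pattern plus "allow $3 $1:fd use;", "allow $3 $1:fifo_file rw_fifo_file_perms;" and "allow $3 $1:process sigchld;", so this quietly withdraws those rules from systemd_passwd_agent_t. Either drop the change or say in the commit message why the agent should no longer inherit the caller's descriptors and pipes.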
domtrans_pattern() is the standard pattern. This change has no effect.
> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
> @@ -129,6 +129,7 @@ type systemd_logind_t;
> type systemd_logind_exec_t;
> init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> +init_stream_connect(systemd_logind_t)
>
> type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
> files_runtime_file(systemd_logind_inhibit_runtime_t)
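Review bot: "init_stream_connect(systemd_logind_t)" arrives without a comment saying which init-owned stream socket logind connects to, unlike later hunks in this patch that justify new access with a "# for ..." comment ("# for /run/systemd/nspawn/incoming in chroot"); please add the socket path or the denial it fixes so the rule can be revisited if that socket ever gets its own type.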
> @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli
> init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
> manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
>
> +kernel_read_kernel_sysctls(systemd_backlight_t)
> +
> systemd_log_parse_environment(systemd_backlight_t)
>
> # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
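Review bot: "kernel_read_kernel_sysctls(systemd_backlight_t)" is a broad grant for a helper whose documented job is writing /sys/class/backlight/*/brightness (see the comment right after it); please note which sysctl it actually reads, and if the read is an incidental probe that does not affect operation, a dontaudit is preferable to the allow.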
> @@ -358,13 +361,15 @@ ifdef(`enable_mls',`
> #
>
> allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
> -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
> +allow systemd_coredump_t self:unix_stream_socket connectto;
> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };
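Review bot: besides the net_admin question raised below, the new line "allow systemd_coredump_t self:unix_stream_socket connectto;" needs a comment on what systemd-coredump connects to in its own domain. If net_admin turns out to come from systemd's usual SO_SNDBUFFORCE attempt on its socket, the code falls back to plain SO_SNDBUF when that fails, so a dontaudit rather than an allow is the typical refpolicy treatment for it.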
net_admin? That doesn't seem necessary for core dumping.
[...]
> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
>
> seutil_search_default_contexts(systemd_coredump_t)
>
> +allow systemd_generator_t self:fifo_file rw_file_perms;
> +allow systemd_generator_t self:process setfscreate;
> +
> +allow systemd_generator_t self:capability dac_override;
> +allow systemd_generator_t self:tcp_socket create;
> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
> +
> +corecmd_exec_bin(systemd_generator_t)
> +corecmd_exec_shell(systemd_generator_t)
> +files_exec_etc_files(systemd_generator_t)
> +fs_getattr_cgroup(systemd_generator_t)
> +fs_getattr_tmpfs(systemd_generator_t)
> +fs_rw_tmpfs_files(systemd_generator_t)
> +miscfiles_read_localization(systemd_generator_t)
> +
> +optional_policy(`
> + # for /lib/systemd/system-generators/openvpn-generator
> + openvpn_read_config(systemd_generator_t)
> +')
> +
> +optional_policy(`
> + # it runs postconf
> + # maybe /lib/systemd/system-generators/postfix-instance-generator
> + postfix_read_config(systemd_generator_t)
> +')
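Review bot: these systemd_generator_t rules sit in the middle of the systemd-coredump block (the preceding context line is "seutil_search_default_contexts(systemd_coredump_t)"), so they need to move to the generator section, and several want a justification: corecmd_exec_shell, files_exec_etc_files and fs_rw_tmpfs_files widen a domain whose job is emitting unit files, and "self:tcp_socket create" plus the netlink_route_socket rule have no comment naming the generator that triggers them, unlike the openvpn and postfix blocks below them. If they come from one specific generator, a comment in the style of "# for /lib/systemd/system-generators/openvpn-generator" would let them be tightened later.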
The systemd_generator_t rules need to move to proper places.
> @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
>
> kernel_read_kernel_sysctls(systemd_logind_t)
>
> +auth_read_shadow(systemd_logind_t)
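Review bot: "auth_read_shadow(systemd_logind_t)" hands the login manager read access to the password hash file, which is a significant widening for a rule added with no comment or denial attached; please document what in logind reads /etc/shadow, and if it is an incidental lookup that succeeds without the data, a dontaudit on the shadow type is the safer choice.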
If this is necessary, it seems Debian specific.
[...]
> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
> # for /run/systemd/nspawn/incoming in chroot
> allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>
> +kernel_getattr_core_if(systemd_nspawn_t)
> +kernel_getattr_proc(systemd_nspawn_t)
> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
> +
> kernel_mount_proc(systemd_nspawn_t)
> kernel_mounton_sysctl_dirs(systemd_nspawn_t)
> kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
> kernel_mounton_message_if(systemd_nspawn_t)
> kernel_mounton_proc(systemd_nspawn_t)
> +kernel_mounton_sysctl_files(systemd_nspawn_t)
> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
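Review bot: "kernel_getattr_unlabeled_dirs" and "kernel_mounton_unlabeled_dirs" let nspawn operate on directories carrying no label at all, which usually means a container image or mountpoint is unlabeled rather than that the permission is legitimately needed; before granting this, check whether the paths involved should get a type so the rules can stay away from unlabeled_t, and add a "# for ..." comment giving the path either way.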
With all of the mounting, perhaps we should consider coalescing on allowing it
to mount on all init_mountpoint_types.
[..]
> @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
> term_search_ptys(systemd_nspawn_t)
> term_setattr_generic_ptys(systemd_nspawn_t)
> term_use_ptmx(systemd_nspawn_t)
> +term_use_generic_ptys(systemd_nspawn_t)
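Review bot: "term_use_generic_ptys(systemd_nspawn_t)" sitting next to the existing "term_use_ptmx(systemd_nspawn_t)" suggests the pty nspawn allocates through /dev/ptmx is not getting a type of its own; rather than opening up the generic pty type, give nspawn a dedicated pty type with the pty creation interface so the type_transition on ptmx lands on it, then this line can be dropped.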
Perhaps this should have a pty type?
> @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
> # systemd-user-runtime-dir local policy
> #
>
> -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
> +allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };
sys_admin and mknod? What is sys_admin used for; also, I don't see any rules
for creating devices.
> allow systemd_user_runtime_dir_t self:process setfscreate;
>
> domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
>
> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
> +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
> +
> files_read_etc_files(systemd_user_runtime_dir_t)
>
> fs_mount_tmpfs(systemd_user_runtime_dir_t)
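Review bot: dac_override is listed twice in "{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }"; drop the duplicate. The new mknod has no device-creation rule anywhere in this hunk (see the question above), and the unlink rules on "systemd_user_runtime_t:sock_file" and "systemd_user_runtime_notify_t:sock_file" would read better with a comment saying these are stale sockets removed when the user runtime dir is torn down, if that is the case.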
> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r
> seutil_libselinux_linked(systemd_user_runtime_dir_t)
>
> userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
> +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
> userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
> +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
> +userdom_list_user_tmp(systemd_user_runtime_dir_t)
> userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
> userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
> userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
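Review bot: "userdom_delete_user_tmp_files", "userdom_delete_user_tmp_named_sockets" and "userdom_list_user_tmp" have systemd-user-runtime-dir cleaning user tmp content, while the rest of this hunk (userdom_manage_user_runtime_dirs, userdom_user_runtime_root_filetrans_user_runtime) deals with the user runtime type; if files under the user runtime directory are ending up with the user tmp label, that points at a missing file transition elsewhere rather than at this domain needing tmp access, so please record the path that produced these denials.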
> Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
> @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
>
> allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## send dbus messages to dpkg_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dpkg_dbus_chat',`
> + gen_require(`
> + type dpkg_t;
> + ')
> +
> + allow $1 dpkg_t:dbus send_msg;
> +')
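Review bot: "dpkg_dbus_chat" grants only "allow $1 dpkg_t:dbus send_msg;", but a refpolicy _dbus_chat interface is bidirectional and also carries "allow dpkg_t $1:dbus send_msg;" plus "class dbus send_msg;" in its gen_require; as written this is a one-way send interface and should be named accordingly or completed. The summary should also be capitalised like the others in the file ("## Send dbus messages to dpkg_t.").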
I'd prefer that the dbus chat interfaces are provided by the server process' domain.
--
Chris PeBenito
Thread overview (8+ messages):
2021-02-03 3:31 [PATCH] another systemd misc patch Russell Coker
2021-02-05 19:44 ` Chris PeBenito [this message]
2021-02-05 20:18 ` Dominick Grift
2021-02-05 20:31 ` Chris PeBenito
2021-02-05 20:45 ` Dominick Grift
2021-10-09 10:05 Russell Coker
2021-10-27 13:09 ` Chris PeBenito
2021-10-09 10:17 Russell Coker