h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=4Mxh0WyVQFoINNx03qLcuSK4ZDkvon0IWaR6yLMGzK4=; b=YHIr9GP9BDcxxkfMiLhJxft5zQ/8MAI3n9GW0ncVA7SBLkaeNZfnQbhhTlZEgPq/l2 QeCj9kwrKp6uEAC+zC+1NhsbCwPXdl2Cq0yinxKxfPz0S4424qQnLWRljVXc61FdWvaJ k1C0HWD4HlvARoEPpQAhI5r832BtVpXavQcOX/QSUgShwOVmnaDOzadSdBiAWhfyg1Cw IIkNP3rbYEsUCD6qIiSmKwvN7s0l6kemaCqcedr9w55Cciwiqp1m5p7s+ry3BtDLcVFG Smiv2L9d1QULIWNRBUEXbhXXzUTCbp5BDCkKas7d/1IrjsK5IGe0phOgxxnx+RszqfRo kwKg== X-Gm-Message-State: AOAM532pEBzUpD+xRPBj0Tl7DydXp1QlBkk9nQkzqFRMEMJlPfd8XrVN RUloMHBgZ6e0E+nP2gD9dmhbWJyWMMOfGA== X-Google-Smtp-Source: ABdhPJyb5FRt40u4w24GjayQ6sUsVqfAVLCUEzSQQPO3lSwvuElQjVP6i6N32SPJLVIG7UpYlF56qw== X-Received: by 2002:a05:622a:4d3:: with SMTP id q19mr5719287qtx.316.1612554264488; Fri, 05 Feb 2021 11:44:24 -0800 (PST) Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17]) by smtp.gmail.com with ESMTPSA id h63sm9095452qtd.14.2021.02.05.11.44.23 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 05 Feb 2021 11:44:23 -0800 (PST) Subject: Re: [PATCH] another systemd misc patch To: Russell Coker , selinux-refpolicy@vger.kernel.org References: From: Chris PeBenito Message-ID: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org> Date: Fri, 5 Feb 2021 14:44:21 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 2/2/21 10:31 PM, Russell Coker wrote: > Lots of littls changes related to systemd. > > Signed-off-by: Russell Coker 
> > @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_ > > ###################################### > ## > +## Watch systemd-logind runtime dirs > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_watch_logind_runtime_dir',` systemd_watch_logind_runtime_dirs (plural) > + gen_require(` > + type systemd_logind_runtime_t; > + ') > + > + allow $1 systemd_logind_runtime_t:dir watch; > +') > + > +###################################### > +## > ## Use inherited systemd > ## logind file descriptors. > ## > @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login > > ###################################### > ## > +## Watch logind sessions dirs. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_watch_logind_sessions_dir',` systemd_watch_logind_sessions_dirs (plural) > + gen_require(` > + type systemd_sessions_runtime_t; > + ') > + > + allow $1 systemd_sessions_runtime_t:dir watch; > +') > + > +###################################### > +## > ## Write inherited logind inhibit pipes. > ## > ## > @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',` > > ######################################## > ## > +## Allow watching /run/systemd/machines > +## > +## > +## > +## Domain that can watch the machines files > +## > +## > +# > +interface(`systemd_watch_machines_dir',` systemd_watch_machines_dirs (plural) > + gen_require(` > + type systemd_machined_runtime_t; > + ') > + > + allow $1 systemd_machined_runtime_t:dir watch; > +') > + > +######################################## > +## > ## Send and receive messages from > ## systemd hostnamed over dbus. > ## 
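Review bot: The new `systemd_watch_logind_runtime_dir` interface grants only `allow $1 systemd_logind_runtime_t:dir watch;`, so a caller that does not already have search access on `/run/systemd` cannot reach the directory to place the watch at all. If the convention in systemd.if is that runtime-directory interfaces pair the rule with a search of the runtime root, this one should do the same, e.g. `init_search_runtime($1)` before the allow rule; otherwise a one-line comment stating that callers are expected to bring their own search access would save the next reader the question. The same observation applies to the sessions and machines watch interfaces added by the following two hunks on this line.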
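Review bot: The parameter description in the `systemd_watch_machines_dir` block says `Domain that can watch the machines files`, but the rule it grants is `allow $1 systemd_machined_runtime_t:dir watch;`, a watch on the directory only; a watch placed on the individual machine files would additionally need `file watch`. Either the description should read `Domain allowed access.` like the two watch interfaces above it, or, if the per-machine files are what is being watched, the interface should also grant `allow $1 systemd_machined_runtime_t:file watch;` and its summary should say so. As written the documentation promises more than the rule delivers.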
> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',` > type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; > ') > > - domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) > + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) domtrans_pattern() is the standard pattern. This change has no effect. > Index: refpolicy-2.20210203/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20210203/policy/modules/system/systemd.te > @@ -129,6 +129,7 @@ type systemd_logind_t; > type systemd_logind_exec_t; > init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) > init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t) > +init_stream_connect(systemd_logind_t) > > type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t; > files_runtime_file(systemd_logind_inhibit_runtime_t) > @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli > init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) > manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) > > +kernel_read_kernel_sysctls(systemd_backlight_t) > + > systemd_log_parse_environment(systemd_backlight_t) > > # Allow systemd-backlight to write to /sys/class/backlight/*/brightness > @@ -358,13 +361,15 @@ ifdef(`enable_mls',` > # > > allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt }; > -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace }; > +allow systemd_coredump_t self:unix_stream_socket connectto; > +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace }; net_admin? That doesn't seem necessary for core dumping. [...] 
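Review bot: `init_stream_connect(systemd_logind_t)` is added in the declarations section of systemd.te, directly after `init_daemon_domain` and `init_named_socket_activation`, rather than in the systemd_logind_t local policy section where the domain's other access rules live (the `kernel_read_kernel_sysctls(systemd_logind_t)` context in a later hunk of this patch shows that section); refpolicy keeps access rules out of the declarations block, so the line should move there. A short comment naming the socket logind connects to would also make the grant reviewable, since connecting to init's control socket is a privileged path — `# for /run/systemd/private` if that is indeed the target, please confirm.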
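Review bot: `kernel_read_kernel_sysctls(systemd_backlight_t)` grants read of every `sysctl_kernel_t` file without saying which one systemd-backlight needs, while the neighbouring rule in the same domain carries a justification (`# Allow systemd-backlight to write to /sys/class/backlight/*/brightness`). Please add the same kind of note above the new line, for example `# for /proc/sys/kernel/random/boot_id` if that is the file being read — that is a guess from how other systemd helpers behave and should be confirmed from the denial. Recording the concrete file lets a narrower interface be substituted later if one is added.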
> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump > > seutil_search_default_contexts(systemd_coredump_t) > > +allow systemd_generator_t self:fifo_file rw_file_perms; > +allow systemd_generator_t self:process setfscreate; > + > +allow systemd_generator_t self:capability dac_override; > +allow systemd_generator_t self:tcp_socket create; > +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read }; > + > +corecmd_exec_bin(systemd_generator_t) > +corecmd_exec_shell(systemd_generator_t) > +files_exec_etc_files(systemd_generator_t) > +fs_getattr_cgroup(systemd_generator_t) > +fs_getattr_tmpfs(systemd_generator_t) > +fs_rw_tmpfs_files(systemd_generator_t) > +miscfiles_read_localization(systemd_generator_t) > + > +optional_policy(` > + # for /lib/systemd/system-generators/openvpn-generator > + openvpn_read_config(systemd_generator_t) > +') > + > +optional_policy(` > + # it runs postconf > + # maybe /lib/systemd/system-generators/postfix-instance-generator > + postfix_read_config(systemd_generator_t) > +') The systemd_generator_t rules need to move to proper places. > @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_ > > kernel_read_kernel_sysctls(systemd_logind_t) > > +auth_read_shadow(systemd_logind_t) If this is necessary, it seems Debian specific. [...] 
> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm > # for /run/systemd/nspawn/incoming in chroot > allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton; > > +kernel_getattr_core_if(systemd_nspawn_t) > +kernel_getattr_proc(systemd_nspawn_t) > +kernel_getattr_unlabeled_dirs(systemd_nspawn_t) > + > kernel_mount_proc(systemd_nspawn_t) > kernel_mounton_sysctl_dirs(systemd_nspawn_t) > kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) > kernel_mounton_message_if(systemd_nspawn_t) > kernel_mounton_proc(systemd_nspawn_t) > +kernel_mounton_sysctl_files(systemd_nspawn_t) > +kernel_mounton_unlabeled_dirs(systemd_nspawn_t) With all of the mounting, perhaps we should consider coalescing on allowing it to mount an all init_mountpoint_types. [..] > @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t) > term_search_ptys(systemd_nspawn_t) > term_setattr_generic_ptys(systemd_nspawn_t) > term_use_ptmx(systemd_nspawn_t) > +term_use_generic_ptys(systemd_nspawn_t) Perhaps this should have a pty type? > @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se > # systemd-user-runtime-dir local policy > # > > -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override }; > +allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod }; sys_admin and mknod? What is sys_admin used for; also, I don't see any rules for creating devices. > allow systemd_user_runtime_dir_t self:process setfscreate; > > domain_obj_id_change_exemption(systemd_user_runtime_dir_t) > > +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms; > +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink; > +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink; > + > files_read_etc_files(systemd_user_runtime_dir_t) > > fs_mount_tmpfs(systemd_user_runtime_dir_t) 
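Review bot: The rewritten capability line in the systemd_user_runtime_dir_t hunk lists `dac_override` twice, `{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`; the duplicate is harmless to the compiler but hides that the only real addition versus the removed line is `mknod`, so it should read `allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search fowner sys_admin mknod };`. The three raw `allow` rules on `systemd_user_runtime_t` and `systemd_user_runtime_notify_t` that follow are also uncommented, and the directory one would conventionally be written as `manage_dirs_pattern(systemd_user_runtime_dir_t, systemd_user_runtime_t, systemd_user_runtime_t)` rather than a bare allow. A comment such as `# remove leftover service sockets when tearing down XDG_RUNTIME_DIR` above them, if that is the path being exercised (please confirm), would record why the unlinks are needed.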
> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r > seutil_libselinux_linked(systemd_user_runtime_dir_t) > > userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t) > +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t) > userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t) > +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t) > +userdom_list_user_tmp(systemd_user_runtime_dir_t) > userdom_search_user_runtime_root(systemd_user_runtime_dir_t) > userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir) > userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t) > Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if > +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if > @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks > > allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms; > ') > + > +######################################## > +## > +## send dbus messages to dpkg_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dpkg_dbus_chat',` > + gen_require(` > + type dpkg_t; > + ') > + > + allow $1 dpkg_t:dbus send_msg; > +') I'd prefer that the dbus chat interfaces are provided by the server process' domain. -- Chris PeBenito
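Review bot: The new `userdom_delete_user_tmp_files`, `userdom_delete_user_tmp_named_sockets` and `userdom_list_user_tmp` calls let a service whose job is `$XDG_RUNTIME_DIR` remove `user_tmp_t` content, but nothing in the hunk explains why runtime-directory teardown touches user tmp at all. If this is because objects created under the runtime tmpfs end up labelled `user_tmp_t` instead of the user runtime type, that is a labelling issue for the filetrans rules in this same block to fix, not something to paper over with deletion access; if it is a genuine cleanup path, a comment such as `# removes stale user_tmp_t sockets/files on session teardown — confirm labelling` above the three lines would record the reasoning either way. The enclosing systemd_user_runtime_dir_t local policy section starts outside this hunk.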