From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.4 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A7F0C2D0DC for ; Thu, 26 Dec 2019 16:56:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5D84C20838 for ; Thu, 26 Dec 2019 16:56:45 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="K78+gZIF" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726513AbfLZQ4o (ORCPT ); Thu, 26 Dec 2019 11:56:44 -0500 Received: from mail-qk1-f196.google.com ([209.85.222.196]:40131 "EHLO mail-qk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726480AbfLZQ4o (ORCPT ); Thu, 26 Dec 2019 11:56:44 -0500 Received: by mail-qk1-f196.google.com with SMTP id c17so19787958qkg.7 for ; Thu, 26 Dec 2019 08:56:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=yDyHzjzWTApMo8LaE3nqPnnXsFCLuIHzQWkExejQIBg=; b=K78+gZIFXXXSpIcyMj4LLYO9vQvRqBk1XWvOzy+neGGNxGE/v3NGDaI7i4iPZW7hU7 B0OzGTUHKG0TDGsWmoCM1fjtzP9v8jwb9vfclSHQyVTqpuVndeZ6OwQjsB4P63R6LMfT crP7VThPeXfBJ7uuN7U8MTC9X+2R5XeHWWitM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=yDyHzjzWTApMo8LaE3nqPnnXsFCLuIHzQWkExejQIBg=; b=c/l7GR5GQhv5NAR9duCLnMG+wXCskyqAyeW2FUBcXHAelrXgn8utqplUrq2Q5N8qul z/VMISjO96/d09TlpkynlmqV6lcJQBK4VCbpWpn4PD5G/SmFgaOgmxKPOZVnYArDNglG ttfyYuysBBap5Bi0PckIuHDPedagfr61Sd+5qDGaipLXfINv+Lo8RTk9kyxfUhuE5UUU VfqDPbyXOOskAC5+/B+H0v6iAEdiTBH+b4agNwEcPg1jVp0uGJVP0OeFgcr9adcJKiql Wh72EuZIQsRFq19ldvolNaINxum3UfLwyRmqoUMx0qBwUz9AUFqmr6bKgYtg7k+XG3VO ptlQ== X-Gm-Message-State: APjAAAUwY3F6EOlioRwC+FMB4tAvgpol1mBUUh9aKPvjXt31XjC8kO9E JGxi8XrdjDq1vpZZAcIzRTPC650BD5g= X-Google-Smtp-Source: APXvYqxtrGNmYysk7BHHx24o6QhaMniPDEgMELUHeI+9W3NLDkK0BvT52oxQiBVAOGYbOYfOPFqSdg== X-Received: by 2002:a37:a70b:: with SMTP id q11mr39202451qke.393.1577379402562; Thu, 26 Dec 2019 08:56:42 -0800 (PST) Received: from fedora.pebenito.net (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id u7sm6929132qtg.13.2019.12.26.08.56.41 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 26 Dec 2019 08:56:42 -0800 (PST) Subject: Re: [PATCH] Allow systemd to getattr configfile To: "Sugar, David" , "selinux-refpolicy@vger.kernel.org" References: <20191204163306.16545-1-dsugar@tresys.com> <20191204163306.16545-2-dsugar@tresys.com> <20191204165614.GA1321684@brutus.lan> <20191204174343.GC1321684@brutus.lan> <20191205074628.GA1734091@brutus.lan> <394bf12e-7833-d4b9-1554-4f2755794152@tresys.com> From: Chris PeBenito Message-ID: <97b4ba82-53d8-d286-ae60-28a8f6c93f46@ieee.org> Date: Thu, 26 Dec 2019 11:56:41 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 MIME-Version: 1.0 In-Reply-To: <394bf12e-7833-d4b9-1554-4f2755794152@tresys.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 12/5/19 8:19 AM, Sugar, David wrote: > > > On 12/5/19 2:46 AM, Dominick Grift wrote: >> On Wed, Dec 04, 2019 at 06:43:43PM +0100, Dominick Grift wrote: >>> On Wed, Dec 04, 2019 at 05:22:55PM +0000, Sugar, David wrote: >>>> >>>> >>>> On 12/4/19 11:56 AM, Dominick Grift wrote: >>>>> On Wed, Dec 04, 2019 at 04:33:20PM +0000, Sugar, David wrote: >>>>>> Systemd has ConditionalPathExists which is used to check if a path exists to control starting a service. But this requires getattr permissions on the file. This is generally for configuration files. We are mostly seeing this is in our own policy. But this lvm denial also fits the example. >>>>>> >>>>>> type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0 >>>>>> >>>>>> This second example is from chronyd, but it is happening becuase I added the conditional in a drop-in file. Note that chronyd_conf_t is already a 'configfile'. >>>>>> >>>>>> type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1 >>>>> >>>>> how about something a little more general? >>>>> >>>>> systemd_ConditionPath(`,' >>>>> allow init_t $1:dir search_dir_perms; >>>>> allow init_t $1:lnk_file read_lnk_file_perms; >>>>> allow init_t $1:fifo_file getattr_fifo_file_perms; >>>>> allow init_t $1:sock_file getattr_sock_file_perms; >>>>> allow init_t $1:file getattr_file_perms; >>>>> allow init_t $1:blk_file getattr_blk_file_perms; >>>>> allow init_t $1:chr_file getattr_chr_file_perms; >>>>> ') >>>>> >>>> I think you are suggesting an interface 'systemd_conditionpath' that >>>> would exist in init.if and then need to be used by any module that wants >>>> to grant access to a particular type to getattr? >>>> >>>> So, for this case, I would need to modify chronyd.te and lvm.te to use >>>> this interface? >>>> >>>> I think you are also suggesting that ConditionPathExists usage in a unit >>>> file could be trying to check for the existence of something other than >>>> a configuration file. >>>> >>>> Taking it to the extreme, a unit file could be checking for the >>>> existence of a file that is in a different SELinux domain. Does it >>>> instead make sense to use the 'files_getattr_all_files', >>>> 'files_getattr_all_sockets', 'files_getattr_all_pipes', etc... in init.te? >>>> >>> >>> $ man systemd.directives | grep -i conditionpath >>> ConditionPathExists= >>> ConditionPathExistsGlob= >>> ConditionPathIsDirectory= >>> ConditionPathIsMountPoint= >>> ConditionPathIsReadWrite= >>> ConditionPathIsSymbolicLink= >> >> Don't get me wrong though. In DSSP2 standard I allow systemd to read all config, which is also a less-than-optimal compromise. >> I basically do this because systemd often needs to be able to read environment config files in /etc/sysconfig (EnvironmentFile=) >> Ideally I would also narrow this down and maybe one day i will (or maybe not) >> >> The point i am trying to make wrt to this patch though, is that ConditionPath* is not limited to config files >> > > I agree with you, and I'm very much in favor of a more generic solution > that will cover as much of this type of stuff as possible. I just don't > have any other ideas yet. > > Looking at current refpolicy, it looks like most (but not all) of the > files in /etc/sysconfig are labeled etc_t (at least on my system) and > init_t can read etc_t files already. > > Maybe we need a mix of solutions here. Something added to init.te to > grant most of the obvious access needed to deal with many of these cases > and then an interface in init.if to give an ability to grant additional > access when the generic case isn't enough for some reason. Maybe grant > getattr access to all 'non_security_file_type'. > > Then an interface like the following (which is just an idea) where $1 is > the type that init_t needs to getattr for a Conditional* and $2 is one > (or more) object classes. > > interface(`init_systemd_conditional',' > gen_require(` > type init_t; > ') > > allow init_t $1:dir list_dir_perms; > allow init_t $1:{ $2 } { getattr }; > read_lnk_files_pattern(init_t, $1, $1) > ') > > Alternatively add a new attribute in init.te called > 'systemd_conditional' which init.te has getattr permission on and then > types can be added to that attribute that need to be used in a > Condition*. Granted that is very similar to what you initial proposed > just using an attribute instead. > > I'm also hoping that Chris will chime in with some opinion on this topic. My interface preference is what Dominick is suggesting though it should be an init interface. -- Chris PeBenito