From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] systemd related interfaces
Date: Sat, 5 Jan 2019 14:18:51 -0500	[thread overview]
Message-ID: <9821c420-35c9-9901-d666-7e23242f9a6e@ieee.org> (raw)
In-Reply-To: <20190104075118.GA11721@aaa.coker.com.au>

On 1/4/19 2:51 AM, Russell Coker wrote:
> This patch has interface changes related to systemd support as well as policy
> that uses the new interfaces.
> 
> Index: refpolicy-2.20180701/policy/modules/admin/sudo.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/sudo.if
> +++ refpolicy-2.20180701/policy/modules/admin/sudo.if
> @@ -154,6 +154,9 @@ template(`sudo_role_template',`
>   
>   	optional_policy(`
>   		dbus_system_bus_client($1_sudo_t)
> +		ifdef(`init_systemd',`
> +			init_dbus_chat($1_sudo_t)
> +		')
>   	')
>   
>   	optional_policy(`
> Index: refpolicy-2.20180701/policy/modules/services/dbus.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/dbus.if
> +++ refpolicy-2.20180701/policy/modules/services/dbus.if
> @@ -318,6 +318,25 @@ interface(`dbus_read_lib_files',`
>   
>   ########################################
>   ## <summary>
> +##	Relabel system dbus lib directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dbus_relabel_lib_dirs',`
> +	gen_require(`
> +		type system_dbusd_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +	allow $1 system_dbusd_var_lib_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +## <summary>
>   ##	Create, read, write, and delete
>   ##	system dbus lib files.
>   ## </summary>
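Review bot: The allow rule in the new `dbus_relabel_lib_dirs` spells out `{ relabelfrom relabelto }` by hand, so it leaves out the `getattr` that refpolicy's `relabel_dir_perms` set carries. A caller that stats the directory before relabelling it would need that permission from some other interface. I would write the rule as `allow $1 system_dbusd_var_lib_t:dir relabel_dir_perms;`, which also keeps it in line with how other relabel interfaces are written.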
> Index: refpolicy-2.20180701/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/init.if
> +++ refpolicy-2.20180701/policy/modules/system/init.if
> @@ -1134,6 +1134,25 @@ interface(`init_dbus_chat',`
>   
>   ########################################
>   ## <summary>
> +##      read/follow symlinks under /var/lib/systemd/
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`init_read_var_lib_links',`
> +	gen_require(`
> +		type init_var_lib_t;
> +	')
> +
> +	allow $1 init_var_lib_t:dir list_dir_perms;
> +	allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##      List /var/lib/systemd/ dir
>   ## </summary>
>   ## <param name="domain">
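Review bot: `init_read_var_lib_links` grants `list_dir_perms` on `init_var_lib_t` directories, which is more than the summary ("read/follow symlinks") describes, since following a link only needs search on the containing directory. The ntp.te caller in this same patch already calls `init_list_var_lib_dirs(ntpd_t)` separately, so nothing visible here depends on the listing permission. I would narrow the body to `read_lnk_files_pattern($1, init_var_lib_t, init_var_lib_t)`, which gives search plus `read_lnk_file_perms`. The summary text is also indented with spaces where the neighbouring interfaces use a tab.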
> @@ -1304,23 +1323,13 @@ interface(`init_pid_filetrans',`
>   ## </param>
>   #
>   interface(`init_getattr_initctl',`
> -	ifdef(`init_systemd',`
> -		# stat /run/systemd/initctl/fifo
> -		gen_require(`
> -			type init_var_run_t;
> -		')
> -
> -		allow $1 init_var_run_t:fifo_file getattr;
> -		allow $1 init_var_run_t:dir list_dir_perms;
> -	',`
> -		gen_require(`
> -			type initctl_t;
> -		')
> -
> -		dev_list_all_dev_nodes($1)
> -		files_search_pids($1)
> -		allow $1 initctl_t:fifo_file getattr;
> +	gen_require(`
> +		type initctl_t;
>   	')
> +
> +	files_search_pids($1)
> +	dev_list_all_dev_nodes($1)
> +	allow $1 initctl_t:fifo_file getattr;
>   ')
>   
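Review bot: After this change `init_getattr_initctl` no longer grants anything on `init_var_run_t` directories, although the removed comment says the systemd fifo is at /run/systemd/initctl/fifo. If the directories on that path are labelled `init_var_run_t` (not visible in this hunk), callers on systemd builds can no longer reach the fifo with `files_search_pids($1)` alone. The change also assumes the fifo itself is labelled `initctl_t` under systemd, which should be confirmed against the file contexts. If the directory access is still needed, a search-only rule kept under `ifdef(`init_systemd', ...)`, such as `allow $1 init_var_run_t:dir search_dir_perms;` with the matching `gen_require`, would restore it without the old `list_dir_perms`.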
>   ########################################
> @@ -1859,6 +1868,25 @@ interface(`init_ptrace',`
>   
>   ########################################
>   ## <summary>
> +##	get init process stats
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_getattr',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:process getattr;
> +')
> +
> +########################################
> +## <summary>
>   ##	Write an init script unnamed pipe.
>   ## </summary>
>   ## <param name="domain">
> @@ -2822,6 +2850,25 @@ interface(`init_search_units',`
>   	fs_search_tmpfs($1)
>   ')
>   
> +######################################
> +## <summary>
> +##	read systemd unit lnk files (usually under /run/systemd/units/)
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_unit_links',`
> +	gen_require(`
> +		type init_var_run_t, systemd_unit_t;
> +	')
> +
> +	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
> +	allow $1 init_var_run_t:lnk_file read_lnk_file_perms;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Get status of generic systemd units.
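Review bot: The rule `allow $1 init_var_run_t:lnk_file read_lnk_file_perms;` in `init_read_unit_links` covers every symlink labelled `init_var_run_t`, not only those under /run/systemd/units/, and the summary does not make that scope clear. I would state it in the summary, for example `Read init_var_run_t symlinks, such as the unit links under /run/systemd/units/.`, so that callers know what they are being granted. The `search_dirs_pattern` line repeats what the preceding `init_search_units` appears to do (its body starts outside this hunk), so calling `init_search_units($1)` may be the simpler form.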
> @@ -3030,3 +3077,21 @@ interface(`init_admin',`
>   	init_stop_system($1)
>   	init_telinit($1)
>   ')
> +
> +########################################
> +## <summary>
> +##      Allow getting init_t rlimit
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Source domain
> +##      </summary>
> +## </param>
> +#
> +interface(`init_getrlimit',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:process getrlimit;
> +')
> Index: refpolicy-2.20180701/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20180701/policy/modules/system/systemd.if
> @@ -307,6 +307,8 @@ interface(`systemd_use_passwd_agent',`
>   	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
>   
>   	allow systemd_passwd_agent_t $1:process signull;
> +	allow systemd_passwd_agent_t $1:dir search;
> +	allow systemd_passwd_agent_t $1:file read_file_perms;

I'd rather see something like ps_process_pattern().

Otherwise merged.


>   	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
>   ')
>   
> @@ -828,3 +830,22 @@ interface(`systemd_getattr_updated_runti
>   
>   	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
>   ')
> +
> +#######################################
> +## <summary>
> +##  Allow domain to list dirs under /run/systemd/netif
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##  domain permitted the access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_list_netif',`
> +	gen_require(`
> +		type systemd_networkd_var_run_t;
> +	')
> +
> +	init_list_pids($1)
> +	allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
> +')
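Review bot: `systemd_list_netif` calls `init_list_pids($1)` to reach /run/systemd/netif, which, going by its name, grants listing of the parent init runtime directory when only search is needed to traverse it. The ntp.te hunk replaces `init_list_pids(ntpd_t)` with this interface, so ntpd keeps the broad permission instead of losing it. A search-only interface would be the narrower choice, for instance `init_search_run($1)` as used in the systemd.te hunk of this patch, assuming it grants search on the same directory type. The summary and param text could also follow the capitalisation and tab indentation used elsewhere in systemd.if.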
> Index: refpolicy-2.20180701/policy/modules/services/ntp.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
> +++ refpolicy-2.20180701/policy/modules/services/ntp.te
> @@ -142,6 +142,8 @@ ifdef(`init_systemd',`
>   	dbus_connect_system_bus(ntpd_t)
>   	init_dbus_chat(ntpd_t)
>   	init_get_system_status(ntpd_t)
> +	# for /var/lib/systemd/timesync
> +	init_read_var_lib_links(ntpd_t)
>   	allow ntpd_t self:capability { fowner setpcap };
>   	init_read_state(ntpd_t)
>   	init_reload(ntpd_t)
> @@ -150,7 +152,7 @@ ifdef(`init_systemd',`
>   	init_list_var_lib_dirs(ntpd_t)
>   
>   	# for /run/systemd/netif/links
> -	init_list_pids(ntpd_t)
> +	systemd_list_netif(ntpd_t)
>   
>   	optional_policy(`
>   		unconfined_dbus_send(ntpd_t)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -736,6 +736,7 @@ term_setattr_generic_ptys(systemd_nspawn
>   term_use_ptmx(systemd_nspawn_t)
>   
>   init_domtrans_script(systemd_nspawn_t)
> +init_getrlimit(systemd_nspawn_t)
>   init_kill_scripts(systemd_nspawn_t)
>   init_read_state(systemd_nspawn_t)
>   init_search_run(systemd_nspawn_t)
> @@ -1027,6 +1028,7 @@ tunable_policy(`systemd_tmpfiles_manage_
>   
>   optional_policy(`
>   	dbus_read_lib_files(systemd_tmpfiles_t)
> +	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
>   ')
>   
>   optional_policy(`
> Index: refpolicy-2.20180701/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20180701/policy/modules/system/logging.te
> @@ -541,15 +541,19 @@ ifdef(`init_systemd',`
>   	dev_read_urand(syslogd_t)
>   	dev_write_kmsg(syslogd_t)
>   
> +	domain_getattr_all_domains(syslogd_t)
>   	domain_read_all_domains_state(syslogd_t)
>   
>   	init_create_pid_dirs(syslogd_t)
>   	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
> +	init_getattr(syslogd_t)
>   	init_rename_pid_files(syslogd_t)
>   	init_delete_pid_files(syslogd_t)
>   	init_dgram_send(syslogd_t)
>   	init_read_pid_pipes(syslogd_t)
>   	init_read_state(syslogd_t)
> +	# for /run/systemd/units/invocation:* links
> +	init_read_unit_links(syslogd_t)
>   
>   	systemd_manage_journal_files(syslogd_t)
>   
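Review bot: `domain_getattr_all_domains(syslogd_t)` and `init_getattr(syslogd_t)` are added without a comment, while the `init_read_unit_links` line added just below explains what it is for. Process `getattr` across every domain is a broad grant for a logging daemon, so the reason should be recorded next to it. I would add a line such as `# journald queries attributes of the processes that log to it` above the first call, adjusted to whatever denial prompted the change.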
> 


-- 
Chris PeBenito
