SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] strict patches
@ 2021-01-12 10:31 Russell Coker
  2021-01-12 14:15 ` Daniel Burgener
  0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2021-01-12 10:31 UTC (permalink / raw)
  To: selinux-refpolicy

This patch has a number of small patches most of which are needed in a
"strict" configuration.  Also remove the systemd_analyze_t domain which
does no good.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210112/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210112/policy/modules/system/userdomain.if
@@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
 	dontaudit $1_t user_tty_device_t:chr_file ioctl;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_crypto_sysctls($1_t)
+	kernel_read_vm_overcommit_sysctl($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
Index: refpolicy-2.20210112/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210112/policy/modules/roles/sysadm.te
@@ -33,11 +33,22 @@ ifndef(`enable_mls',`
 # Local policy
 #
 
+allow sysadm_t self:netlink_generic_socket { create setopt bind write read };
+
+# for ptrace
+allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read };
+
+allow sysadm_t self:capability audit_write;
+allow sysadm_t self:system status;
+
 corecmd_exec_shell(sysadm_t)
 
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
 corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
 
+domain_getsched_all_domains(sysadm_t)
+
+dev_read_cpuid(sysadm_t)
 dev_read_kmsg(sysadm_t)
 
 mls_process_read_all_levels(sysadm_t)
@@ -55,6 +66,9 @@ init_admin(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
+# for systemd-analyze
+files_get_etc_unit_status(sysadm_t)
+
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
 		init_run_daemon(sysadm_t, sysadm_r)
@@ -1117,6 +1131,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(sysadm_t)
+')
+
+optional_policy(`
 	tboot_run_txtstat(sysadm_t, sysadm_r)
 ')
 
@@ -1184,6 +1202,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dev_rw_generic_usb_dev(sysadm_t)
 	usbmodules_run(sysadm_t, sysadm_r)
 ')
 
Index: refpolicy-2.20210112/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210112/policy/modules/services/xserver.if
@@ -100,6 +100,7 @@ interface(`xserver_restricted_role',`
 	xserver_xsession_entry_type($2)
 	xserver_dontaudit_write_log($2)
 	xserver_stream_connect_xdm($2)
+	xserver_use_user_fonts($2)
 	# certain apps want to read xdm.pid file
 	xserver_read_xdm_runtime_files($2)
 	# gnome-session creates socket under /tmp/.ICE-unix/
@@ -141,7 +142,7 @@ interface(`xserver_role',`
 	gen_require(`
 		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-		type mesa_shader_cache_t;
+		type mesa_shader_cache_t, xdm_t;
 	')
 
 	xserver_restricted_role($1, $2)
@@ -184,6 +185,8 @@ interface(`xserver_role',`
 
 	xserver_read_xkb_libs($2)
 
+	allow $2 xdm_t:unix_stream_socket accept;
+
 	optional_policy(`
 		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
@@ -1239,6 +1242,7 @@ interface(`xserver_read_xkb_libs',`
 	allow $1 xkb_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
 	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+	allow $1 xkb_var_lib_t:file map;
 ')
 
 ########################################
Index: refpolicy-2.20210112/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20210112/policy/modules/services/dbus.if
@@ -84,6 +84,7 @@ template(`dbus_role_template',`
 
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
 	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $1_dbusd_t $3:dbus send_msg;
 	allow $3 $1_dbusd_t:fd use;
 
 	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
@@ -99,9 +100,13 @@ template(`dbus_role_template',`
 
 	allow $1_dbusd_t $3:process sigkill;
 
+	allow $1_dbusd_t self:process getcap;
+
 	corecmd_bin_domtrans($1_dbusd_t, $3)
 	corecmd_shell_domtrans($1_dbusd_t, $3)
 
+	dev_read_sysfs($1_dbusd_t)
+
 	auth_use_nsswitch($1_dbusd_t)
 
 	ifdef(`hide_broken_symptoms',`
@@ -111,6 +116,15 @@ template(`dbus_role_template',`
 	optional_policy(`
 		systemd_read_logind_runtime_files($1_dbusd_t)
 	')
+
+	optional_policy(`
+		init_dbus_chat($1_dbusd_t)
+		dbus_system_bus_client($1_dbusd_t)
+	')
+
+	optional_policy(`
+		xdg_read_data_files($1_dbusd_t)
+	')
 ')
 
 #######################################
Index: refpolicy-2.20210112/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20210112/policy/modules/services/ssh.if
@@ -439,6 +439,7 @@ template(`ssh_role_template',`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 		xserver_sigchld_xdm($1_ssh_agent_t)
+		xserver_write_inherited_xsession_log($1_ssh_agent_t)
 	')
 ')
 
Index: refpolicy-2.20210112/policy/modules/kernel/corecommands.te
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/kernel/corecommands.te
+++ refpolicy-2.20210112/policy/modules/kernel/corecommands.te
@@ -13,7 +13,7 @@ attribute exec_type;
 #
 # bin_t is the type of files in the system bin/sbin directories.
 #
-type bin_t alias { ls_exec_t sbin_t };
+type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
 corecmd_executable_file(bin_t)
 dev_associate(bin_t)	#For /dev/MAKEDEV
 
Index: refpolicy-2.20210112/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210112/policy/modules/system/systemd.te
@@ -55,10 +55,6 @@ type systemd_activate_t;
 type systemd_activate_exec_t;
 init_system_domain(systemd_activate_t, systemd_activate_exec_t)
 
-type systemd_analyze_t;
-type systemd_analyze_exec_t;
-init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
-
 type systemd_backlight_t;
 type systemd_backlight_exec_t;
 init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
@@ -1363,6 +1359,7 @@ tunable_policy(`systemd_tmpfiles_manage_
 ')
 
 optional_policy(`
+	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')
Index: refpolicy-2.20210112/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210112/policy/modules/services/cron.te
@@ -493,6 +493,7 @@ kernel_getattr_core_if(system_cronjob_t)
 kernel_getattr_message_if(system_cronjob_t)
 
 kernel_read_crypto_sysctls(system_cronjob_t)
+kernel_read_fs_sysctls(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
Index: refpolicy-2.20210112/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20210112.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20210112/policy/modules/apps/pulseaudio.te
@@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau
 userdom_manage_user_tmp_dirs(pulseaudio_t)
 userdom_manage_user_tmp_files(pulseaudio_t)
 userdom_manage_user_tmp_sockets(pulseaudio_t)
+userdom_write_all_user_runtime_named_sockets(pulseaudio_t)
 
 tunable_policy(`pulseaudio_execmem',`
 	allow pulseaudio_t self:process execmem;

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] strict patches
  2021-01-12 10:31 [PATCH] strict patches Russell Coker
@ 2021-01-12 14:15 ` Daniel Burgener
  2021-01-12 14:18   ` Daniel Burgener
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel Burgener @ 2021-01-12 14:15 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/12/21 5:31 AM, Russell Coker wrote:
> Also remove the systemd_analyze_t domain which
> does no good.

I proposed this same change on github: 
https://github.com/SELinuxProject/refpolicy/pull/321

The consensus there was that having a separate domain for this access 
would add value and the better direction would be to flesh out the 
permissions it needs.  We have a bit of a starting point locally on 
that.  I'm not sure what shape it's in with regard to upstreaming, but 
I'll talk to the developer who worked on it.

-Daniel


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] strict patches
  2021-01-12 14:15 ` Daniel Burgener
@ 2021-01-12 14:18   ` Daniel Burgener
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Burgener @ 2021-01-12 14:18 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/12/21 9:15 AM, Daniel Burgener wrote:
> On 1/12/21 5:31 AM, Russell Coker wrote:
>> Also remove the systemd_analyze_t domain which
>> does no good.
>
> I proposed this same change on github: 
> https://github.com/SELinuxProject/refpolicy/pull/321
>
> The consensus there was that having a separate domain for this access 
> would add value and the better direction would be to flesh out the 
> permissions it needs.  We have a bit of a starting point locally on 
> that.  I'm not sure what shape it's in with regard to upstreaming, but 
> I'll talk to the developer who worked on it.
>
> -Daniel

My mistake - looks like we ended up granting the needed permissions to 
the parent domain in our environment, so I don't have any 
systemd-analyze policy available for upstream.  I still might try 
developing some, but I don't expect that I'm likely to get to it soon.

-Daniel


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-12 10:31 [PATCH] strict patches Russell Coker
2021-01-12 14:15 ` Daniel Burgener
2021-01-12 14:18   ` Daniel Burgener

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git