From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 87569C33CA2 for ; Sun, 12 Jan 2020 17:48:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5F8F621569 for ; Sun, 12 Jan 2020 17:48:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733121AbgALRsv (ORCPT ); Sun, 12 Jan 2020 12:48:51 -0500 Received: from mx1.polytechnique.org ([129.104.30.34]:39001 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732957AbgALRsv (ORCPT ); Sun, 12 Jan 2020 12:48:51 -0500 X-Greylist: delayed 408 seconds by postgrey-1.27 at vger.kernel.org; Sun, 12 Jan 2020 12:48:51 EST Received: from mail-oi1-f169.google.com (mail-oi1-f169.google.com [209.85.167.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id BB4C15611E1 for ; Sun, 12 Jan 2020 18:42:00 +0100 (CET) Received: by mail-oi1-f169.google.com with SMTP id i1so6257489oie.8 for ; Sun, 12 Jan 2020 09:42:00 -0800 (PST) X-Gm-Message-State: APjAAAW1DoBbTsJTjwGWC1mPTrqP4J7+PjPwQZ4e4P2Vvo+dxmRwZP19 7HHPvcizoScwhgvN+vuBM3ZN7AoPGcW808iHKf4= X-Google-Smtp-Source: APXvYqyhpTcAgRY9p4eBXinniECNPTShv7YaRDQDRW2eG8Z24pTWURthPNh1JJAvL4hv5jICG9c/CF4Z0AkGcv9FNm8= X-Received: by 2002:aca:1103:: with SMTP id 3mr9483404oir.70.1578850919696; Sun, 12 Jan 2020 09:41:59 -0800 (PST) MIME-Version: 1.0 References: <3418ebca-80c0-b10e-c0a2-a80427fdbf71@ieee.org> <20200109214240.GA2283901@brutus.lan> In-Reply-To: <20200109214240.GA2283901@brutus.lan> From: Nicolas Iooss Date: Sun, 12 Jan 2020 18:41:48 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC] refining systemd mountpoints To: Chris PeBenito , refpolicy Content-Type: text/plain; charset="UTF-8" X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sun Jan 12 18:42:01 2020 +0100 (CET)) X-Org-Mail: nicolas.iooss.2010@polytechnique.org Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Thu, Jan 9, 2020 at 10:42 PM Dominick Grift wrote: > > On Thu, Jan 09, 2020 at 04:06:38PM -0500, Chris PeBenito wrote: > > I'd like to refine how the policy handles systemd's mounton so that it works > > similar to how we manage mountpoints for mount_t. Since systemd can be made > > to mount over just about anything, I'm looking at adding a new conditional > > that would allow init_t to mounton non_security_file_type, and then an > > interface like files_mountpoint(). > > > > The question is for the implementation of the interface; I see two options, > > either the interface allows mounton for all file-like classes, or the > > classes are specified as a parameter: > > > > -------- > > init.te: > > attribute init_mountpoint_type; > > allow init_t init_mountpoint_type:dir_file_class_set mounton; > > > > init.if: > > interface(`init_mountpoint',` > > typeattribute $1 init_mountpoint_type; > > ') > > -------- > > > > or > > > > -------- > > init.if: > > interface(`init_mountpoint',` > > allow init_t $1:$2 mounton; > > ') > > -------- > > > > I like the first option because it is clearer since you can see the mounton > > in init.te, but that is excessive access. The second option could be made > > to look like the first option, but it would need several attributes and > > interfaces, e.g. init_dir_mountpoint_type, init_file_mountpoint_type, etc. > > which isn't so desirable. > > > > Any thoughts on this? > > I implemented the former in my policy. ie the dir_file_class_set equiv.. > > 4163 (allow subj bind_path_obj_type_attribute (dirs (create))) > 4164 (allow subj bind_path_obj_type_attribute list_dir_perms) > 4165 (allow subj bind_path_obj_type_attribute (dir (mounton))) > 4166 (allow subj bind_path_obj_type_attribute create_file_perms) > 4167 (allow subj bind_path_obj_type_attribute (file (mounton))) > > As you can see i even allow systemd to create the mountpoint in case it does not exist. For example if /etc/machine-id does not exist and I have a BindReadOnlyPath=/etc/machine-id then systemd will touch /etc/machine-id and mount it ro > > It also generally buggy. Systemd does not (alway's) use setfscreatecon to create the mountpoints. And sometimes it does use setfscreatecon where it shouldnt. > > https://github.com/systemd/systemd/issues/13762 > Using dir_file_class_set in the first option seems excessive. For example systemd mounts /dev/kmsg as chr_file, as explained in https://github.com/SELinuxProject/refpolicy/pull/144, and allowing mounting on kmsg_device_t:dir would not make sense. Nevertheless, as systemd seems to be the only things I know that mounts over /dev/kmsg, it seems that dev_mounton_kmsg(init_t) could be replaced by init_mountpoint(kmsg_device_t, chr_file) or init_chr_mountpoint(kmsg_device_t). That being said, I personally prefer the first option (with an attribute) for types that are regular files and directories, as having files labeled like directories is quite common. In short, what about this? -------- init.te: attribute init_mountpoint_type; allow init_t init_mountpoint_type:{dir, file} mounton; init.if: interface(`init_mountpoint',` typeattribute $1 init_mountpoint_type; ') interface(`init_mounton_chr',` # Or "init_chr_mountpoint"? allow init_t $1:chr_file mounton; # An attribute could also be used here ') -------- Cheers, Nicolas