selinux-refpolicy.vger.kernel.org archive mirror
From: Russell Coker <russell@coker.com.au>
To: Chris PeBenito <pebenito@ieee.org>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch
Date: Sat, 9 Oct 2021 21:17:34 +1100
Message-ID: <YWFsPtICHUpvqMCA@xev.coker.com.au>

On Saturday, 6 February 2021 06:44:21 AEDT Chris PeBenito wrote:
> > +interface(`systemd_watch_logind_runtime_dir',`
>
> systemd_watch_logind_runtime_dirs (plural)

Done.

> > +interface(`systemd_watch_logind_sessions_dir',`
>
> systemd_watch_logind_sessions_dirs (plural)

Done.

> > +interface(`systemd_watch_machines_dir',`
>
> systemd_watch_machines_dirs (plural)

Done.

> > -       domtrans_pattern($1, systemd_passwd_agent_exec_t,
> > systemd_passwd_agent_t)
> > +       domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t,
> > systemd_passwd_agent_t)
> domtrans_pattern() is the standard pattern.  This change has no effect.

OK, I'll remove that.

> > -allow systemd_coredump_t self:capability { dac_override dac_read_search
> > setgid setuid setpcap sys_ptrace }; +allow systemd_coredump_t
> > self:unix_stream_socket connectto;
> > +allow systemd_coredump_t self:capability { dac_override dac_read_search
> > setgid setuid setpcap net_admin sys_ptrace };
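Review bot: besides adding `net_admin` to the capability set, this hunk also adds `allow systemd_coredump_t self:unix_stream_socket connectto;`, and nothing in the quoted hunk or the surrounding discussion accounts for either. A core dumper that only wants larger socket buffers does not need the capability, so a `dontaudit` of `net_admin` is the safer form; the self connectto should get a one-line justification (which socket it connects to and why) so the hunk can be merged without widening systemd_coredump_t beyond what core dumping requires.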
> net_admin? That doesn't seem necessary for core dumping.

That's one of the systemd programs that wanted netadmin to set socket buffers.  
I'll dontaudit it.

> > @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
> >
> > seutil_search_default_contexts(systemd_coredump_t)
> >
> > +allow systemd_generator_t self:fifo_file rw_file_perms;
> > +allow systemd_generator_t self:process setfscreate;
> The systemd_generator_t rules need to move to proper places.

Done.

> > @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
> >
> > kernel_read_kernel_sysctls(systemd_logind_t)
> >
> > +auth_read_shadow(systemd_logind_t)
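Review bot: `auth_read_shadow(systemd_logind_t)` grants logind read access to the shadow password database, which is well beyond what session tracking needs, and the hunk gives no reason for it. If it is only required on one distribution, guard it with the refpolicy distro conditional (e.g. `ifdef(`distro_debian',`) or drop it, rather than granting it unconditionally in the common policy.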
>
> If this is necessary, it seems Debian specific.

I'll try removing it.

> > @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
> >
> > term_search_ptys(systemd_nspawn_t)
> > term_setattr_generic_ptys(systemd_nspawn_t)
> > term_use_ptmx(systemd_nspawn_t)
> >
> > +term_use_generic_ptys(systemd_nspawn_t)
>
> Perhaps this should have a pty type?

OK.
 
> > @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
> >
> > # systemd-user-runtime-dir local policy
> > #
> >
> > -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin
> > dac_read_search dac_override }; +allow systemd_user_runtime_dir_t
> > self:capability { chown dac_override dac_read_search dac_override fowner
> > sys_admin mknod };
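Review bot: `dac_override` is listed twice in the new permission set on the `+allow systemd_user_runtime_dir_t self:capability` line; remove the duplicate. The added `mknod` has no matching device-node create rule anywhere in this hunk, and `sys_admin` is added without any rule showing what it is for; either add the rules that need them or leave both capabilities out, since each is a broad grant for a helper that manages a runtime directory.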
> sys_admin and mknod?  What is sys_admin used for; also,  I don't see any
> rules for creating devices.

That's because of something that I hadn't included in that patch.  It has to 
unlink device nodes labelled user_tmp_t.

I just sent another patch for this.
