SELinux-Refpolicy Archive on lore.kernel.org
 help / Atom feed
* [PATCH] Add interface to create unit files with specified type via filetrans.
@ 2019-01-11 15:30 Sugar, David
  2019-01-11 15:30 ` [PATCH] Add interface to start/stop iptables service Sugar, David
                   ` (4 more replies)
  0 siblings, 5 replies; 12+ messages in thread
From: Sugar, David @ 2019-01-11 15:30 UTC (permalink / raw)
  To: selinux-refpolicy

This is adding an interface to perform a filetrans when creating
systemd unit files (in systemd_unit_t directory).  Something like this
is required if creating new unit files for systemd and you want them
to have something other than the generic systemd_unit_t type.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/init.if | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 5beb21e9..caed4867 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3040,6 +3040,40 @@ interface(`init_reload_all_units',`
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
 
+########################################
+## <summary>
+##	Create systemd_unit_t objects with a private
+##	type using a type_transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object classes to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_unit_filetrans',`
+	gen_require(`
+		type systemd_unit_t;
+	')
+
+	filetrans_pattern($1, systemd_unit_t, $2, $3, $4)
+')
+
 ########################################
 ## <summary>
 ##      Allow unconfined access to send instructions to init
-- 
2.20.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH] Add interface to start/stop iptables service
  2019-01-11 15:30 [PATCH] Add interface to create unit files with specified type via filetrans Sugar, David
@ 2019-01-11 15:30 ` Sugar, David
  2019-01-12 19:32   ` Chris PeBenito
  2019-01-11 15:30 ` [PATCH] Alternate ClamAV temp directory Sugar, David
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 12+ messages in thread
From: Sugar, David @ 2019-01-11 15:30 UTC (permalink / raw)
  To: selinux-refpolicy

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/iptables.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 725a6a3d..a36277a6 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -183,6 +183,25 @@ interface(`iptables_dontaudit_read_pids',`
 	dontaudit $1 iptables_runtime_t:file read;
 ')
 
+########################################
+## <summary>
+##	Allow specified domain to start and stop iptables service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_startstop',`
+	gen_require(`
+		type iptables_unit_t;
+		class service { start stop };
+	')
+
+	allow $1 iptables_unit_t:service { start stop };
+')
+
 ########################################
 ## <summary>
 ##	Allow specified domain to get status of iptables service
-- 
2.20.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH] Alternate ClamAV temp directory
  2019-01-11 15:30 [PATCH] Add interface to create unit files with specified type via filetrans Sugar, David
  2019-01-11 15:30 ` [PATCH] Add interface to start/stop iptables service Sugar, David
@ 2019-01-11 15:30 ` Sugar, David
  2019-01-12 19:34   ` Chris PeBenito
  2019-01-11 15:30 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 12+ messages in thread
From: Sugar, David @ 2019-01-11 15:30 UTC (permalink / raw)
  To: selinux-refpolicy

ClamAV configuration controls where temporary files are stored.
Default is /tmp but the configuration option 'TemporaryDirectory'
allows for this location to be changed.  This change allows for
the type of this directory to be something other than 'tmp_t'
and have files created in this directory still be clamd_tmp_t.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
 policy/modules/services/clamav.te |  2 ++
 2 files changed, 31 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 7b6df49e..a8d1603c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
 	typeattribute $1 clam_scannable_type;
 ')
 
+#######################################
+## <summary>
+##	Denote a particular directory type to
+##	be a temporary working directory for ClamAV
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to be a directory to be
+##	used by ClamAV for temp files.  This is only needed
+##	if the TemporaryDirectory in the clamd.conf is
+##	modified to point to a directory that is not already
+##	labeled tmp_t.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type of directory to hold clamd temp files.
+##	</summary>
+## </param>
+#
+interface(`clamav_temp_dir',`
+	gen_require(`
+		attribute clam_tmp_type;
+	')
+
+	typeattribute $1 clam_tmp_type;
+')
+
+
 ########################################
 ## <summary>
 ##	Allow specified domain to enable clamd units
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 84a0bc76..6fc9cc7e 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
 # Declarations
 #
 attribute clam_scannable_type;
+attribute clam_tmp_type;
 
 type clamd_t;
 type clamd_exec_t;
@@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
 manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
 manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
 files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
 
 manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
 manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname
  2019-01-11 15:30 [PATCH] Add interface to create unit files with specified type via filetrans Sugar, David
  2019-01-11 15:30 ` [PATCH] Add interface to start/stop iptables service Sugar, David
  2019-01-11 15:30 ` [PATCH] Alternate ClamAV temp directory Sugar, David
@ 2019-01-11 15:30 ` Sugar, David
  2019-01-11 15:30 ` [PATCH 2/2] Setup private type for /etc/hostname Sugar, David
  2019-01-12 19:30 ` [PATCH] Add interface to create unit files with specified type via filetrans Chris PeBenito
  4 siblings, 0 replies; 12+ messages in thread
From: Sugar, David @ 2019-01-11 15:30 UTC (permalink / raw)
  To: selinux-refpolicy

type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 9c70afc9..740b3a92 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -268,6 +268,27 @@ interface(`systemd_read_machines',`
 	allow $1 systemd_machined_var_run_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd hostnamed over dbus.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_hostnamed',`
+	gen_require(`
+		type systemd_hostnamed_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_hostnamed_t:dbus send_msg;
+	allow systemd_hostnamed_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##      allow systemd_passwd_agent to inherit fds
-- 
2.20.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 2/2] Setup private type for /etc/hostname.
  2019-01-11 15:30 [PATCH] Add interface to create unit files with specified type via filetrans Sugar, David
                   ` (2 preceding siblings ...)
  2019-01-11 15:30 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
@ 2019-01-11 15:30 ` Sugar, David
  2019-01-12  1:11   ` Russell Coker
  2019-01-12 19:30 ` [PATCH] Add interface to create unit files with specified type via filetrans Chris PeBenito
  4 siblings, 1 reply; 12+ messages in thread
From: Sugar, David @ 2019-01-11 15:30 UTC (permalink / raw)
  To: selinux-refpolicy

hostnamectl updates /etc/hostname.
This change is setting up a private type for the file /etc/hostname (was etc_t)
and granting hostnamectl permission to edit this file.  Note that hostnamectl
is initially creating a new file .#hostname????? which is why the create
permissions are requied.

type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { add_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { create } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc:  denied  { setattr } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc:  denied  { remove_name } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { rename } for  pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc:  denied  { unlink } for  pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.te | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index eefcfaf1..2277fc1e 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -1,3 +1,4 @@
+/etc/hostname				--	gen_context(system_u:object_r:hostname_etc_t,s0)
 /etc/udev/hwdb\.bin			--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
 
 /run/log/journal(/.*)?				gen_context(system_u:object_r:systemd_journal_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5f7dc1b..3704b756 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -77,6 +77,9 @@ type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
 
+type hostname_etc_t;
+files_config_file(hostname_etc_t)
+
 type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
@@ -317,10 +320,13 @@ seutil_search_default_contexts(systemd_coredump_t)
 # Hostnamed policy
 #
 
+allow systemd_hostnamed_t hostname_etc_t:file manage_file_perms;
+
 kernel_read_kernel_sysctls(systemd_hostnamed_t)
 
 dev_read_sysfs(systemd_hostnamed_t)
 
+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
 files_read_etc_files(systemd_hostnamed_t)
 
 seutil_read_file_contexts(systemd_hostnamed_t)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH 2/2] Setup private type for /etc/hostname.
  2019-01-11 15:30 ` [PATCH 2/2] Setup private type for /etc/hostname Sugar, David
@ 2019-01-12  1:11   ` Russell Coker
  2019-01-12  3:49     ` Sugar, David
  0 siblings, 1 reply; 12+ messages in thread
From: Russell Coker @ 2019-01-12  1:11 UTC (permalink / raw)
  To: Sugar, David; +Cc: selinux-refpolicy

Are we really gaining anything from not using net_conf_t?  Yes writing to 
net_conf_t allows doing more things than changing the hostname, but changing 
the hostname is a privileged operation anyway.

Are we getting a benefit to make up for the increase in types?

On Saturday, 12 January 2019 2:30:54 AM AEDT Sugar, David wrote:
> hostnamectl updates /etc/hostname.
> This change is setting up a private type for the file /etc/hostname (was
> etc_t) and granting hostnamectl permission to edit this file.  Note that
> hostnamectl is initially creating a new file .#hostname????? which is why
> the create permissions are requied.
> 
> type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for 
> pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
> msg=audit(1547039052.041:563): avc:  denied  { add_name } for  pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t"
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
> msg=audit(1547039052.041:563): avc:  denied  { create } for  pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t"
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC
> msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564
> comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL
> msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8
> a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=4294967295 comm="systemd-hostnam"
> exe="/usr/lib/systemd/systemd-hostnamed"
> subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC
> msg=audit(1547039052.041:564): avc:  denied  { setattr } for  pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL
> msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0
> a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed"
> subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC
> msg=audit(1547039052.041:565): avc:  denied  { remove_name } for  pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
> msg=audit(1547039052.041:565): avc:  denied  { rename } for  pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC
> msg=audit(1547039052.041:565): avc:  denied  { unlink } for  pid=7564
> comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/system/systemd.fc | 1 +
>  policy/modules/system/systemd.te | 6 ++++++
>  2 files changed, 7 insertions(+)
> 
> diff --git a/policy/modules/system/systemd.fc
> b/policy/modules/system/systemd.fc index eefcfaf1..2277fc1e 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -1,3 +1,4 @@
> +/etc/hostname				--	gen_context(system_u:object_r:hostname_etc_t,s0)
>  /etc/udev/hwdb\.bin			--	
gen_context(system_u:object_r:systemd_hwdb_t,s0)
> 
>  /run/log/journal(/.*)?				
gen_context(system_u:object_r:systemd_journal_t,s
> 0) diff --git a/policy/modules/system/systemd.te
> b/policy/modules/system/systemd.te index f5f7dc1b..3704b756 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -77,6 +77,9 @@ type systemd_detect_virt_t;
>  type systemd_detect_virt_exec_t;
>  init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
> 
> +type hostname_etc_t;
> +files_config_file(hostname_etc_t)
> +
>  type systemd_hostnamed_t;
>  type systemd_hostnamed_exec_t;
>  init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
> @@ -317,10 +320,13 @@ seutil_search_default_contexts(systemd_coredump_t)
>  # Hostnamed policy
>  #
> 
> +allow systemd_hostnamed_t hostname_etc_t:file manage_file_perms;
> +
>  kernel_read_kernel_sysctls(systemd_hostnamed_t)
> 
>  dev_read_sysfs(systemd_hostnamed_t)
> 
> +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
>  files_read_etc_files(systemd_hostnamed_t)
> 
>  seutil_read_file_contexts(systemd_hostnamed_t)


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH 2/2] Setup private type for /etc/hostname.
  2019-01-12  1:11   ` Russell Coker
@ 2019-01-12  3:49     ` Sugar, David
  0 siblings, 0 replies; 12+ messages in thread
From: Sugar, David @ 2019-01-12  3:49 UTC (permalink / raw)
  To: russell; +Cc: selinux-refpolicy



On 1/11/19 8:11 PM, Russell Coker wrote:
> Are we really gaining anything from not using net_conf_t?  Yes writing to
> net_conf_t allows doing more things than changing the hostname, but changing
> the hostname is a privileged operation anyway.
> 
> Are we getting a benefit to make up for the increase in types?
> 
Only that I didn't think of using net_conf_t in this instance.  And that 
is probably a reasonable type to use for /etc/hostname.  I will resubmit 
this patch with that change.

> On Saturday, 12 January 2019 2:30:54 AM AEDT Sugar, David wrote:
>> hostnamectl updates /etc/hostname.
>> This change is setting up a private type for the file /etc/hostname (was
>> etc_t) and granting hostnamectl permission to edit this file.  Note that
>> hostnamectl is initially creating a new file .#hostname????? which is why
>> the create permissions are requied.
>>
>> type=AVC msg=audit(1547039052.041:563): avc:  denied  { write } for
>> pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
>> msg=audit(1547039052.041:563): avc:  denied  { add_name } for  pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t"
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
>> msg=audit(1547039052.041:563): avc:  denied  { create } for  pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t"
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC
>> msg=audit(1547039052.041:563): avc:  denied  { write } for  pid=7564
>> comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL
>> msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8
>> a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> tty=(none) ses=4294967295 comm="systemd-hostnam"
>> exe="/usr/lib/systemd/systemd-hostnamed"
>> subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC
>> msg=audit(1547039052.041:564): avc:  denied  { setattr } for  pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL
>> msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0
>> a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0
>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>> comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed"
>> subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC
>> msg=audit(1547039052.041:565): avc:  denied  { remove_name } for  pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
>> msg=audit(1547039052.041:565): avc:  denied  { rename } for  pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC
>> msg=audit(1547039052.041:565): avc:  denied  { unlink } for  pid=7564
>> comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/system/systemd.fc | 1 +
>>   policy/modules/system/systemd.te | 6 ++++++
>>   2 files changed, 7 insertions(+)
>>
>> diff --git a/policy/modules/system/systemd.fc
>> b/policy/modules/system/systemd.fc index eefcfaf1..2277fc1e 100644
>> --- a/policy/modules/system/systemd.fc
>> +++ b/policy/modules/system/systemd.fc
>> @@ -1,3 +1,4 @@
>> +/etc/hostname				--	gen_context(system_u:object_r:hostname_etc_t,s0)
>>   /etc/udev/hwdb\.bin			--	
> gen_context(system_u:object_r:systemd_hwdb_t,s0)
>>
>>   /run/log/journal(/.*)?				
> gen_context(system_u:object_r:systemd_journal_t,s
>> 0) diff --git a/policy/modules/system/systemd.te
>> b/policy/modules/system/systemd.te index f5f7dc1b..3704b756 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -77,6 +77,9 @@ type systemd_detect_virt_t;
>>   type systemd_detect_virt_exec_t;
>>   init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
>>
>> +type hostname_etc_t;
>> +files_config_file(hostname_etc_t)
>> +
>>   type systemd_hostnamed_t;
>>   type systemd_hostnamed_exec_t;
>>   init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
>> @@ -317,10 +320,13 @@ seutil_search_default_contexts(systemd_coredump_t)
>>   # Hostnamed policy
>>   #
>>
>> +allow systemd_hostnamed_t hostname_etc_t:file manage_file_perms;
>> +
>>   kernel_read_kernel_sysctls(systemd_hostnamed_t)
>>
>>   dev_read_sysfs(systemd_hostnamed_t)
>>
>> +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
>>   files_read_etc_files(systemd_hostnamed_t)
>>
>>   seutil_read_file_contexts(systemd_hostnamed_t)
> 
> 

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] Add interface to create unit files with specified type via filetrans.
  2019-01-11 15:30 [PATCH] Add interface to create unit files with specified type via filetrans Sugar, David
                   ` (3 preceding siblings ...)
  2019-01-11 15:30 ` [PATCH 2/2] Setup private type for /etc/hostname Sugar, David
@ 2019-01-12 19:30 ` Chris PeBenito
  2019-01-15 21:27   ` Sugar, David
  4 siblings, 1 reply; 12+ messages in thread
From: Chris PeBenito @ 2019-01-12 19:30 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 1/11/19 10:30 AM, Sugar, David wrote:
> This is adding an interface to perform a filetrans when creating
> systemd unit files (in systemd_unit_t directory).  Something like this
> is required if creating new unit files for systemd and you want them
> to have something other than the generic systemd_unit_t type.

I'm not against this change, but why wouldn't they be installed by the 
package manager?  It seems less likely that this would be otherwise needed.


> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/init.if | 34 ++++++++++++++++++++++++++++++++++
>   1 file changed, 34 insertions(+)
> 
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 5beb21e9..caed4867 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3040,6 +3040,40 @@ interface(`init_reload_all_units',`
>   	allow $1 { init_script_file_type systemdunit }:service reload;
>   ')
>   
> +########################################
> +## <summary>
> +##	Create systemd_unit_t objects with a private
> +##	type using a type_transition.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="file_type">
> +##	<summary>
> +##	Private file type.
> +##	</summary>
> +## </param>
> +## <param name="class">
> +##	<summary>
> +##	Object classes to be created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_unit_filetrans',`
> +	gen_require(`
> +		type systemd_unit_t;
> +	')
> +
> +	filetrans_pattern($1, systemd_unit_t, $2, $3, $4)
> +')
> +
>   ########################################
>   ## <summary>
>   ##      Allow unconfined access to send instructions to init
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] Add interface to start/stop iptables service
  2019-01-11 15:30 ` [PATCH] Add interface to start/stop iptables service Sugar, David
@ 2019-01-12 19:32   ` Chris PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Chris PeBenito @ 2019-01-12 19:32 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 1/11/19 10:30 AM, Sugar, David wrote:
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/iptables.if | 19 +++++++++++++++++++
>   1 file changed, 19 insertions(+)
> 
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index 725a6a3d..a36277a6 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -183,6 +183,25 @@ interface(`iptables_dontaudit_read_pids',`
>   	dontaudit $1 iptables_runtime_t:file read;
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow specified domain to start and stop iptables service
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`iptables_startstop',`
> +	gen_require(`
> +		type iptables_unit_t;
> +		class service { start stop };
> +	')
> +
> +	allow $1 iptables_unit_t:service { start stop };
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow specified domain to get status of iptables service

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] Alternate ClamAV temp directory
  2019-01-11 15:30 ` [PATCH] Alternate ClamAV temp directory Sugar, David
@ 2019-01-12 19:34   ` Chris PeBenito
  2019-01-15 21:31     ` Sugar, David
  0 siblings, 1 reply; 12+ messages in thread
From: Chris PeBenito @ 2019-01-12 19:34 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 1/11/19 10:30 AM, Sugar, David wrote:
> ClamAV configuration controls where temporary files are stored.
> Default is /tmp but the configuration option 'TemporaryDirectory'
> allows for this location to be changed.  This change allows for
> the type of this directory to be something other than 'tmp_t'
> and have files created in this directory still be clamd_tmp_t.

In this case, it would seem to be more appropriate to simply label this 
alternative tmp directory as clamd_tmp_t.


> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
>   policy/modules/services/clamav.te |  2 ++
>   2 files changed, 31 insertions(+)
> 
> diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
> index 7b6df49e..a8d1603c 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
>   	typeattribute $1 clam_scannable_type;
>   ')
>   
> +#######################################
> +## <summary>
> +##	Denote a particular directory type to
> +##	be a temporary working directory for ClamAV
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to be a directory to be
> +##	used by ClamAV for temp files.  This is only needed
> +##	if the TemporaryDirectory in the clamd.conf is
> +##	modified to point to a directory that is not already
> +##	labeled tmp_t.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type of directory to hold clamd temp files.
> +##	</summary>
> +## </param>
> +#
> +interface(`clamav_temp_dir',`
> +	gen_require(`
> +		attribute clam_tmp_type;
> +	')
> +
> +	typeattribute $1 clam_tmp_type;
> +')
> +
> +
>   ########################################
>   ## <summary>
>   ##	Allow specified domain to enable clamd units
> diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
> index 84a0bc76..6fc9cc7e 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
>   # Declarations
>   #
>   attribute clam_scannable_type;
> +attribute clam_tmp_type;
>   
>   type clamd_t;
>   type clamd_exec_t;
> @@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
>   manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
>   manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
>   files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
> +filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
>   
>   manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
>   manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] Add interface to create unit files with specified type via filetrans.
  2019-01-12 19:30 ` [PATCH] Add interface to create unit files with specified type via filetrans Chris PeBenito
@ 2019-01-15 21:27   ` Sugar, David
  0 siblings, 0 replies; 12+ messages in thread
From: Sugar, David @ 2019-01-15 21:27 UTC (permalink / raw)
  To: selinux-refpolicy



On 1/12/19 2:30 PM, Chris PeBenito wrote:
> On 1/11/19 10:30 AM, Sugar, David wrote:
>> This is adding an interface to perform a filetrans when creating
>> systemd unit files (in systemd_unit_t directory).  Something like this
>> is required if creating new unit files for systemd and you want them
>> to have something other than the generic systemd_unit_t type.
> 
> I'm not against this change, but why wouldn't they be installed by the 
> package manager?  It seems less likely that this would be otherwise needed.
> 
> 
In this case the service files were being created by a system 
configuration program.  I have updated the way this works to have 
default service files installed by the package manager and the service 
disabled.  Then the configuration program just updates as needed and 
enables the service.  This will work without this change in reference 
policy.

This patch can be discarded.

>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/system/init.if | 34 ++++++++++++++++++++++++++++++++++
>>   1 file changed, 34 insertions(+)
>>
>> diff --git a/policy/modules/system/init.if 
>> b/policy/modules/system/init.if
>> index 5beb21e9..caed4867 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -3040,6 +3040,40 @@ interface(`init_reload_all_units',`
>>       allow $1 { init_script_file_type systemdunit }:service reload;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Create systemd_unit_t objects with a private
>> +##    type using a type_transition.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +## <param name="file_type">
>> +##    <summary>
>> +##    Private file type.
>> +##    </summary>
>> +## </param>
>> +## <param name="class">
>> +##    <summary>
>> +##    Object classes to be created.
>> +##    </summary>
>> +## </param>
>> +## <param name="name" optional="true">
>> +##    <summary>
>> +##    The name of the object being created.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`init_unit_filetrans',`
>> +    gen_require(`
>> +        type systemd_unit_t;
>> +    ')
>> +
>> +    filetrans_pattern($1, systemd_unit_t, $2, $3, $4)
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##      Allow unconfined access to send instructions to init
>>
> 
> 

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] Alternate ClamAV temp directory
  2019-01-12 19:34   ` Chris PeBenito
@ 2019-01-15 21:31     ` Sugar, David
  0 siblings, 0 replies; 12+ messages in thread
From: Sugar, David @ 2019-01-15 21:31 UTC (permalink / raw)
  To: selinux-refpolicy



On 1/12/19 2:34 PM, Chris PeBenito wrote:
> On 1/11/19 10:30 AM, Sugar, David wrote:
>> ClamAV configuration controls where temporary files are stored.
>> Default is /tmp but the configuration option 'TemporaryDirectory'
>> allows for this location to be changed.  This change allows for
>> the type of this directory to be something other than 'tmp_t'
>> and have files created in this directory still be clamd_tmp_t.
> 
> In this case, it would seem to be more appropriate to simply label this 
> alternative tmp directory as clamd_tmp_t.
> 
In this case the directory wasn't labeled clamd_tmp_t and was labeled 
for primary access by program controlling files sent to clamd.  I was 
just adding this as a directory for clam to use as temp files also.  I 
have altered the configuration a bit more to make the temp directory for 
clam elsewhere (on the same partition) and labeled it clamd_tmp_t.  This 
should work for our use case at this point without this patch.  And this 
patch can be ignored.

> 
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
>>   policy/modules/services/clamav.te |  2 ++
>>   2 files changed, 31 insertions(+)
>>
>> diff --git a/policy/modules/services/clamav.if 
>> b/policy/modules/services/clamav.if
>> index 7b6df49e..a8d1603c 100644
>> --- a/policy/modules/services/clamav.if
>> +++ b/policy/modules/services/clamav.if
>> @@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
>>       typeattribute $1 clam_scannable_type;
>>   ')
>> +#######################################
>> +## <summary>
>> +##    Denote a particular directory type to
>> +##    be a temporary working directory for ClamAV
>> +## </summary>
>> +## <desc>
>> +##    <p>
>> +##    Allow the specified domain to be a directory to be
>> +##    used by ClamAV for temp files.  This is only needed
>> +##    if the TemporaryDirectory in the clamd.conf is
>> +##    modified to point to a directory that is not already
>> +##    labeled tmp_t.
>> +##    </p>
>> +## </desc>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Type of directory to hold clamd temp files.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`clamav_temp_dir',`
>> +    gen_require(`
>> +        attribute clam_tmp_type;
>> +    ')
>> +
>> +    typeattribute $1 clam_tmp_type;
>> +')
>> +
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow specified domain to enable clamd units
>> diff --git a/policy/modules/services/clamav.te 
>> b/policy/modules/services/clamav.te
>> index 84a0bc76..6fc9cc7e 100644
>> --- a/policy/modules/services/clamav.te
>> +++ b/policy/modules/services/clamav.te
>> @@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
>>   # Declarations
>>   #
>>   attribute clam_scannable_type;
>> +attribute clam_tmp_type;
>>   type clamd_t;
>>   type clamd_exec_t;
>> @@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t, 
>> clamd_etc_t)
>>   manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
>>   manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
>>   files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
>> +filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
>>   manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
>>   manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
>>
> 
> 

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, back to index

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-11 15:30 [PATCH] Add interface to create unit files with specified type via filetrans Sugar, David
2019-01-11 15:30 ` [PATCH] Add interface to start/stop iptables service Sugar, David
2019-01-12 19:32   ` Chris PeBenito
2019-01-11 15:30 ` [PATCH] Alternate ClamAV temp directory Sugar, David
2019-01-12 19:34   ` Chris PeBenito
2019-01-15 21:31     ` Sugar, David
2019-01-11 15:30 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
2019-01-11 15:30 ` [PATCH 2/2] Setup private type for /etc/hostname Sugar, David
2019-01-12  1:11   ` Russell Coker
2019-01-12  3:49     ` Sugar, David
2019-01-12 19:30 ` [PATCH] Add interface to create unit files with specified type via filetrans Chris PeBenito
2019-01-15 21:27   ` Sugar, David

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable: git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox