SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Chris PeBenito <pebenito@ieee.org>
To: Jason Zaman <jason@perfinion.com>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 1/9] systemd: Add elogind support
Date: Thu, 26 Dec 2019 12:03:32 -0500
Message-ID: <c5960eb5-acb6-19b5-2690-f9956dd174a0@ieee.org> (raw)
In-Reply-To: <20191224101043.58122-1-jason@perfinion.com>

On 12/24/19 5:10 AM, Jason Zaman wrote:
> Elogind is based off systemd-logind extracted to stand alone.

I'm not a fan of this.  Systemd is already a big mess of permissions by 
itself, and I'm relctant to add even more to it to support something else.


> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/admin/sudo.if       |  2 ++
>   policy/modules/system/authlogin.if |  5 +++++
>   policy/modules/system/systemd.fc   |  5 +++++
>   policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
>   4 files changed, 38 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index c1459364..4f08af28 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -159,6 +159,8 @@ template(`sudo_role_template',`
>   
>   	optional_policy(`
>   		dbus_system_bus_client($1_sudo_t)
> +		systemd_dbus_chat_logind($1_sudo_t)
> +		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
>   
>   		ifdef(`init_systemd',`
>   			init_dbus_chat($1_sudo_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index c16748f2..83837458 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
>   		optional_policy(`
>   			fprintd_dbus_chat($1)
>   		')
> +
> +		optional_policy(`
> +			systemd_dbus_chat_logind($1)
> +			systemd_write_inherited_logind_sessions_pipes($1)
> +		')
>   	')
>   
>   	optional_policy(`
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 607b1d88..e6831465 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -16,6 +16,10 @@
>   /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
>   /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
>   
> +/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +
>   # Systemd generators
>   /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
>   
> @@ -56,6 +60,7 @@
>   /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
>   
>   /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> +/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
>   /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
>   
>   /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 1422d8e2..f13b7252 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
>   
>   type systemd_logind_t;
>   type systemd_logind_exec_t;
> +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
>   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
>   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
>   
> @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
>   type systemd_logind_runtime_t alias systemd_logind_var_run_t;
>   files_pid_file(systemd_logind_runtime_t)
>   init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
>   
>   type systemd_logind_var_lib_t;
>   files_type(systemd_logind_var_lib_t)
> @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
>   # Logind local policy
>   #
>   
> -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
>   allow systemd_logind_t self:process { getcap setfscreate };
>   allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
>   allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
>   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
>   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
>   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> +
> +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
>   
>   manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
>   manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
>   
>   kernel_read_kernel_sysctls(systemd_logind_t)
>   
> +auth_write_login_records(systemd_logind_t)
> +
>   dev_getattr_dri_dev(systemd_logind_t)
>   dev_getattr_generic_usb_dev(systemd_logind_t)
>   dev_getattr_kvm_dev(systemd_logind_t)
> @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
>   
>   domain_obj_id_change_exemption(systemd_logind_t)
>   
> +files_purge_tmp(systemd_logind_t)
>   files_read_etc_files(systemd_logind_t)
>   files_search_pids(systemd_logind_t)
>   
>   fs_getattr_cgroup(systemd_logind_t)
> +fs_manage_cgroup_dirs(systemd_logind_t)
> +fs_manage_cgroup_files(systemd_logind_t)
>   fs_getattr_tmpfs(systemd_logind_t)
>   fs_getattr_tmpfs_dirs(systemd_logind_t)
>   fs_list_tmpfs(systemd_logind_t)
> @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
>   fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
>   fs_unmount_tmpfs(systemd_logind_t)
>   
> +logging_send_audit_msgs(systemd_logind_t)
> +
>   selinux_get_enforce_mode(systemd_logind_t)
>   
>   storage_getattr_removable_dev(systemd_logind_t)
> @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
>   
>   auth_manage_faillog(systemd_logind_t)
>   
> +init_create_runtime_dirs(systemd_logind_t)
>   init_dbus_send_script(systemd_logind_t)
>   init_get_all_units_status(systemd_logind_t)
>   init_get_system_status(systemd_logind_t)
> @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
>   userdom_setattr_user_ttys(systemd_logind_t)
>   userdom_use_user_ttys(systemd_logind_t)
>   
> +tunable_policy(`use_nfs_home_dirs',`
> +       fs_read_nfs_files(systemd_logind_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> +       fs_read_cifs_files(systemd_logind_t)
> +')
> +
>   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
>   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
>   # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
> @@ -568,6 +589,10 @@ optional_policy(`
>   	policykit_dbus_chat(systemd_logind_t)
>   ')
>   
> +optional_policy(`
> +	shutdown_domtrans(systemd_logind_t)
> +')
> +
>   optional_policy(`
>   	xserver_read_state(systemd_logind_t)
>   	xserver_dbus_chat(systemd_logind_t)
> 


-- 
Chris PeBenito

  parent reply index

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-24 10:10 Jason Zaman
2019-12-24 10:10 ` [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t Jason Zaman
2019-12-26 17:23   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 3/9] xserver: ICEauthority can be in /run/user Jason Zaman
2019-12-26 17:24   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock Jason Zaman
2019-12-26 17:24   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 5/9] dirmngr: accept unix stream socket Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 6/9] fstools: add zfs-auto-snapshot Jason Zaman
2019-12-26 17:06   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 7/9] chromium: allow dbus chat to inhibit power Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 9/9] virt: allow lvm_control access Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-26 17:03 ` Chris PeBenito [this message]
2019-12-28  4:35   ` [PATCH 1/9] systemd: Add elogind support Jason Zaman
2019-12-28 15:59     ` Dominick Grift

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c5960eb5-acb6-19b5-2690-f9956dd174a0@ieee.org \
    --to=pebenito@ieee.org \
    --cc=jason@perfinion.com \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git