SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 1/9] systemd: Add elogind support
@ 2019-12-24 10:10 Jason Zaman
  2019-12-24 10:10 ` [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t Jason Zaman
                   ` (8 more replies)
  0 siblings, 9 replies; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

Elogind is based off systemd-logind extracted to stand alone.

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/admin/sudo.if       |  2 ++
 policy/modules/system/authlogin.if |  5 +++++
 policy/modules/system/systemd.fc   |  5 +++++
 policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
 4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index c1459364..4f08af28 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -159,6 +159,8 @@ template(`sudo_role_template',`
 
 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
+		systemd_dbus_chat_logind($1_sudo_t)
+		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
 
 		ifdef(`init_systemd',`
 			init_dbus_chat($1_sudo_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index c16748f2..83837458 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -71,6 +71,11 @@ interface(`auth_use_pam',`
 		optional_policy(`
 			fprintd_dbus_chat($1)
 		')
+
+		optional_policy(`
+			systemd_dbus_chat_logind($1)
+			systemd_write_inherited_logind_sessions_pipes($1)
+		')
 	')
 
 	optional_policy(`
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 607b1d88..e6831465 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -16,6 +16,10 @@
 /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
+/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+
 # Systemd generators
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 
@@ -56,6 +60,7 @@
 /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 
 /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1422d8e2..f13b7252 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
 
 type systemd_logind_t;
 type systemd_logind_exec_t;
+dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
 
@@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
 type systemd_logind_runtime_t alias systemd_logind_var_run_t;
 files_pid_file(systemd_logind_runtime_t)
 init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
+init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
 
 type systemd_logind_var_lib_t;
 files_type(systemd_logind_var_lib_t)
@@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Logind local policy
 #
 
-allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
+files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
+
+create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 
 manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
@@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
 
 kernel_read_kernel_sysctls(systemd_logind_t)
 
+auth_write_login_records(systemd_logind_t)
+
 dev_getattr_dri_dev(systemd_logind_t)
 dev_getattr_generic_usb_dev(systemd_logind_t)
 dev_getattr_kvm_dev(systemd_logind_t)
@@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
+files_purge_tmp(systemd_logind_t)
 files_read_etc_files(systemd_logind_t)
 files_search_pids(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
+fs_manage_cgroup_dirs(systemd_logind_t)
+fs_manage_cgroup_files(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
 fs_getattr_tmpfs_dirs(systemd_logind_t)
 fs_list_tmpfs(systemd_logind_t)
@@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
 fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 
+logging_send_audit_msgs(systemd_logind_t)
+
 selinux_get_enforce_mode(systemd_logind_t)
 
 storage_getattr_removable_dev(systemd_logind_t)
@@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
 
 auth_manage_faillog(systemd_logind_t)
 
+init_create_runtime_dirs(systemd_logind_t)
 init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
 init_get_system_status(systemd_logind_t)
@@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
 userdom_setattr_user_ttys(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+       fs_read_nfs_files(systemd_logind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+       fs_read_cifs_files(systemd_logind_t)
+')
+
 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
 # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
 # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
@@ -568,6 +589,10 @@ optional_policy(`
 	policykit_dbus_chat(systemd_logind_t)
 ')
 
+optional_policy(`
+	shutdown_domtrans(systemd_logind_t)
+')
+
 optional_policy(`
 	xserver_read_state(systemd_logind_t)
 	xserver_dbus_chat(systemd_logind_t)
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
@ 2019-12-24 10:10 ` Jason Zaman
  2019-12-26 17:23   ` Chris PeBenito
  2019-12-24 10:10 ` [PATCH 3/9] xserver: ICEauthority can be in /run/user Jason Zaman
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman, Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/udev.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 31ae8915..faae587f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -397,6 +397,10 @@ delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 
+list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
+read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
+read_lnk_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
+
 dev_rw_sysfs(udevadm_t)
 dev_read_urand(udevadm_t)
 
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 3/9] xserver: ICEauthority can be in /run/user
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
  2019-12-24 10:10 ` [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t Jason Zaman
@ 2019-12-24 10:10 ` Jason Zaman
  2019-12-26 17:24   ` Chris PeBenito
  2019-12-24 10:10 ` [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock Jason Zaman
                   ` (6 subsequent siblings)
  8 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman, Jason Zaman

From: Jason Zaman <perfinion@gentoo.org>

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/xserver.fc | 2 ++
 policy/modules/services/xserver.te | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index fa8db862..df06151e 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -143,6 +143,8 @@ ifndef(`distro_debian',`
 /run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 
+/run/user/%{USERID}/ICEauthority.*	--	gen_context(system_u:object_r:iceauth_home_t,s0)
+
 ifdef(`distro_suse',`
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 ')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f016d429..499f03a6 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -117,6 +117,7 @@ userdom_user_application_domain(iceauth_t, iceauth_exec_t)
 
 type iceauth_home_t;
 userdom_user_home_content(iceauth_home_t)
+userdom_user_runtime_content(iceauth_home_t)
 
 type xauth_t;
 type xauth_exec_t;
@@ -211,6 +212,7 @@ optional_policy(`
 
 allow iceauth_t iceauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+userdom_user_runtime_filetrans(iceauth_t, iceauth_home_t, file)
 
 allow xdm_t iceauth_home_t:file read_file_perms;
 
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
  2019-12-24 10:10 ` [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t Jason Zaman
  2019-12-24 10:10 ` [PATCH 3/9] xserver: ICEauthority can be in /run/user Jason Zaman
@ 2019-12-24 10:10 ` Jason Zaman
  2019-12-26 17:24   ` Chris PeBenito
  2019-12-24 10:10 ` [PATCH 5/9] dirmngr: accept unix stream socket Jason Zaman
                   ` (5 subsequent siblings)
  8 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

type=AVC msg=audit(1563073723.106:232): avc:  denied  { read } for  pid=7850 comm="udisksd" name="utab.lock" dev="tmpfs" ino=18445 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563073723.106:232): arch=c000003e syscall=254 success=no exit=-13 a0=b a1=55841d66c920 a2=10 a3=0 items=1 ppid=7849 pid=7850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563073723.106:232): cwd="/"
type=PATH msg=audit(1563073723.106:232): item=0 name="/run/mount/utab.lock" inode=18445 dev=00:16 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_runtime_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/devicekit.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 3331bd00..0622b6cf 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -192,6 +192,7 @@ optional_policy(`
 
 optional_policy(`
 	mount_domtrans(devicekit_disk_t)
+	mount_rw_runtime_files(devicekit_disk_t)
 ')
 
 optional_policy(`
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 5/9] dirmngr: accept unix stream socket
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
                   ` (2 preceding siblings ...)
  2019-12-24 10:10 ` [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock Jason Zaman
@ 2019-12-24 10:10 ` Jason Zaman
  2019-12-26 17:28   ` Chris PeBenito
  2019-12-24 10:10 ` [PATCH 6/9] fstools: add zfs-auto-snapshot Jason Zaman
                   ` (4 subsequent siblings)
  8 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

dirmngr needs to listen and accept on /run/user/1000/gnupg/S.dirmngr

type=AVC msg=audit(1554175286.968:2720907): avc:  denied  { accept } for  pid=15692 comm="dirmngr" path="/run/user/1000/gnupg/S.dirmngr" scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/dirmngr.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/dirmngr.te b/policy/modules/services/dirmngr.te
index 056cd97b..e34295e7 100644
--- a/policy/modules/services/dirmngr.te
+++ b/policy/modules/services/dirmngr.te
@@ -37,6 +37,7 @@ userdom_user_home_content(dirmngr_home_t)
 #
 
 allow dirmngr_t self:fifo_file rw_file_perms;
+allow dirmngr_t self:unix_stream_socket rw_stream_socket_perms;
 
 allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
 allow dirmngr_t dirmngr_conf_t:file read_file_perms;
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 6/9] fstools: add zfs-auto-snapshot
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
                   ` (3 preceding siblings ...)
  2019-12-24 10:10 ` [PATCH 5/9] dirmngr: accept unix stream socket Jason Zaman
@ 2019-12-24 10:10 ` Jason Zaman
  2019-12-26 17:06   ` Chris PeBenito
  2019-12-24 10:10 ` [PATCH 7/9] chromium: allow dbus chat to inhibit power Jason Zaman
                   ` (3 subsequent siblings)
  8 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.

type=AVC msg=audit(1563084061.269:2472): avc:  denied  { execute } for  pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/system/fstools.fc | 1 +
 policy/modules/system/fstools.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 8fbd5ce4..d871294e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -49,6 +49,7 @@
 /usr/bin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/zfs-auto-snapshot	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 8d37e323..64b61485 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -154,6 +154,7 @@ logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
 
+mount_exec(fsadm_t)
 # for /run/mount/utab
 mount_getattr_runtime_files(fsadm_t)
 # losetup: bind mount_loopback_t files to loop devices
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 7/9] chromium: allow dbus chat to inhibit power
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
                   ` (4 preceding siblings ...)
  2019-12-24 10:10 ` [PATCH 6/9] fstools: add zfs-auto-snapshot Jason Zaman
@ 2019-12-24 10:10 ` Jason Zaman
  2019-12-26 17:28   ` Chris PeBenito
  2019-12-24 10:10 ` [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd Jason Zaman
                   ` (2 subsequent siblings)
  8 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

Chromium will inhibit power saving when playing videos.

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/apps/chromium.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
index 2ded3279..f236171e 100644
--- a/policy/modules/apps/chromium.if
+++ b/policy/modules/apps/chromium.if
@@ -22,6 +22,7 @@ interface(`chromium_role',`
 		type chromium_sandbox_t;
 		type chromium_naclhelper_t;
 		type chromium_exec_t;
+		class dbus send_msg;
 	')
 
 	role $1 types chromium_t;
@@ -42,6 +43,9 @@ interface(`chromium_role',`
 
 	allow chromium_sandbox_t $2:fd use;
 	allow chromium_naclhelper_t $2:fd use;
+
+	allow $2 chromium_t:dbus send_msg;
+	allow chromium_t $2:dbus send_msg;
 ')
 
 #######################################
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
                   ` (5 preceding siblings ...)
  2019-12-24 10:10 ` [PATCH 7/9] chromium: allow dbus chat to inhibit power Jason Zaman
@ 2019-12-24 10:10 ` Jason Zaman
  2019-12-26 17:28   ` Chris PeBenito
  2019-12-24 10:10 ` [PATCH 9/9] virt: allow lvm_control access Jason Zaman
  2019-12-26 17:03 ` [PATCH 1/9] systemd: Add elogind support Chris PeBenito
  8 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

avc:  denied  { listen } for  pid=3236 comm="virtlogd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/virt.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 0d5d1b25..d4c5d05a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1323,6 +1323,7 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow virtlockd_t virtd_t:dir list_dir_perms;
 allow virtlockd_t virtd_t:file read_file_perms;
@@ -1362,6 +1363,7 @@ virt_read_config(virtlockd_t)
 #
 
 allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow virtlogd_t virtd_t:dir list_dir_perms;
 allow virtlogd_t virtd_t:file read_file_perms;
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 9/9] virt: allow lvm_control access
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
                   ` (6 preceding siblings ...)
  2019-12-24 10:10 ` [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd Jason Zaman
@ 2019-12-24 10:10 ` Jason Zaman
  2019-12-26 17:28   ` Chris PeBenito
  2019-12-26 17:03 ` [PATCH 1/9] systemd: Add elogind support Chris PeBenito
  8 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-24 10:10 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Jason Zaman

type=AVC msg=audit(1563034372.505:40675): avc:  denied  { read write } for  pid=64033 comm="libvirtd" name="control" dev="devtmpfs" ino=1273 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1563034372.505:40675): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff9a09cd180 a2=2 a3=0 items=1 ppid=1 pid=64033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563034372.505:40675): cwd="/"
type=PATH msg=audit(1563034372.505:40675): item=0 name="/dev/mapper/control" inode=1273 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=0a:ec obj=system_u:object_r:lvm_control_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index d4c5d05a..fb985f12 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -622,6 +622,7 @@ dev_rw_sysfs(virtd_t)
 dev_read_urand(virtd_t)
 dev_read_rand(virtd_t)
 dev_rw_kvm(virtd_t)
+dev_rw_lvm_control(virtd_t)
 dev_getattr_all_chr_files(virtd_t)
 dev_rw_mtrr(virtd_t)
 dev_rw_vhost(virtd_t)
-- 
2.24.1


^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/9] systemd: Add elogind support
  2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
                   ` (7 preceding siblings ...)
  2019-12-24 10:10 ` [PATCH 9/9] virt: allow lvm_control access Jason Zaman
@ 2019-12-26 17:03 ` Chris PeBenito
  2019-12-28  4:35   ` Jason Zaman
  8 siblings, 1 reply; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:03 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 12/24/19 5:10 AM, Jason Zaman wrote:
> Elogind is based off systemd-logind extracted to stand alone.

I'm not a fan of this.  Systemd is already a big mess of permissions by 
itself, and I'm relctant to add even more to it to support something else.


> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/admin/sudo.if       |  2 ++
>   policy/modules/system/authlogin.if |  5 +++++
>   policy/modules/system/systemd.fc   |  5 +++++
>   policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
>   4 files changed, 38 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index c1459364..4f08af28 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -159,6 +159,8 @@ template(`sudo_role_template',`
>   
>   	optional_policy(`
>   		dbus_system_bus_client($1_sudo_t)
> +		systemd_dbus_chat_logind($1_sudo_t)
> +		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
>   
>   		ifdef(`init_systemd',`
>   			init_dbus_chat($1_sudo_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index c16748f2..83837458 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
>   		optional_policy(`
>   			fprintd_dbus_chat($1)
>   		')
> +
> +		optional_policy(`
> +			systemd_dbus_chat_logind($1)
> +			systemd_write_inherited_logind_sessions_pipes($1)
> +		')
>   	')
>   
>   	optional_policy(`
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 607b1d88..e6831465 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -16,6 +16,10 @@
>   /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
>   /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
>   
> +/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +
>   # Systemd generators
>   /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
>   
> @@ -56,6 +60,7 @@
>   /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
>   
>   /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> +/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
>   /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
>   
>   /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 1422d8e2..f13b7252 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
>   
>   type systemd_logind_t;
>   type systemd_logind_exec_t;
> +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
>   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
>   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
>   
> @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
>   type systemd_logind_runtime_t alias systemd_logind_var_run_t;
>   files_pid_file(systemd_logind_runtime_t)
>   init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
>   
>   type systemd_logind_var_lib_t;
>   files_type(systemd_logind_var_lib_t)
> @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
>   # Logind local policy
>   #
>   
> -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
>   allow systemd_logind_t self:process { getcap setfscreate };
>   allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
>   allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
>   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
>   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
>   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> +
> +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
>   
>   manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
>   manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
>   
>   kernel_read_kernel_sysctls(systemd_logind_t)
>   
> +auth_write_login_records(systemd_logind_t)
> +
>   dev_getattr_dri_dev(systemd_logind_t)
>   dev_getattr_generic_usb_dev(systemd_logind_t)
>   dev_getattr_kvm_dev(systemd_logind_t)
> @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
>   
>   domain_obj_id_change_exemption(systemd_logind_t)
>   
> +files_purge_tmp(systemd_logind_t)
>   files_read_etc_files(systemd_logind_t)
>   files_search_pids(systemd_logind_t)
>   
>   fs_getattr_cgroup(systemd_logind_t)
> +fs_manage_cgroup_dirs(systemd_logind_t)
> +fs_manage_cgroup_files(systemd_logind_t)
>   fs_getattr_tmpfs(systemd_logind_t)
>   fs_getattr_tmpfs_dirs(systemd_logind_t)
>   fs_list_tmpfs(systemd_logind_t)
> @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
>   fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
>   fs_unmount_tmpfs(systemd_logind_t)
>   
> +logging_send_audit_msgs(systemd_logind_t)
> +
>   selinux_get_enforce_mode(systemd_logind_t)
>   
>   storage_getattr_removable_dev(systemd_logind_t)
> @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
>   
>   auth_manage_faillog(systemd_logind_t)
>   
> +init_create_runtime_dirs(systemd_logind_t)
>   init_dbus_send_script(systemd_logind_t)
>   init_get_all_units_status(systemd_logind_t)
>   init_get_system_status(systemd_logind_t)
> @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
>   userdom_setattr_user_ttys(systemd_logind_t)
>   userdom_use_user_ttys(systemd_logind_t)
>   
> +tunable_policy(`use_nfs_home_dirs',`
> +       fs_read_nfs_files(systemd_logind_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> +       fs_read_cifs_files(systemd_logind_t)
> +')
> +
>   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
>   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
>   # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
> @@ -568,6 +589,10 @@ optional_policy(`
>   	policykit_dbus_chat(systemd_logind_t)
>   ')
>   
> +optional_policy(`
> +	shutdown_domtrans(systemd_logind_t)
> +')
> +
>   optional_policy(`
>   	xserver_read_state(systemd_logind_t)
>   	xserver_dbus_chat(systemd_logind_t)
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 6/9] fstools: add zfs-auto-snapshot
  2019-12-24 10:10 ` [PATCH 6/9] fstools: add zfs-auto-snapshot Jason Zaman
@ 2019-12-26 17:06   ` Chris PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:06 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 12/24/19 5:10 AM, Jason Zaman wrote:
> Should be in domain fstools_t, and needs to run zpool which is
> mount_exec_t.
> 
> type=AVC msg=audit(1563084061.269:2472): avc:  denied  { execute } for  pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1563084061.269:2472): cwd="/root"
> type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/system/fstools.fc | 1 +
>   policy/modules/system/fstools.te | 1 +
>   2 files changed, 2 insertions(+)
> 
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 8fbd5ce4..d871294e 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -49,6 +49,7 @@
>   /usr/bin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/usr/bin/zfs-auto-snapshot	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>   /usr/bin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 8d37e323..64b61485 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -154,6 +154,7 @@ logging_send_syslog_msg(fsadm_t)
>   
>   miscfiles_read_localization(fsadm_t)
>   
> +mount_exec(fsadm_t)
>   # for /run/mount/utab
>   mount_getattr_runtime_files(fsadm_t)
>   # losetup: bind mount_loopback_t files to loop devices

Please add a comment that this is for the zfs command.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t
  2019-12-24 10:10 ` [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t Jason Zaman
@ 2019-12-26 17:23   ` Chris PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:23 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jason Zaman

On 12/24/19 5:10 AM, Jason Zaman wrote:
> From: Jason Zaman <perfinion@gentoo.org>
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/system/udev.te | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 31ae8915..faae587f 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -397,6 +397,10 @@ delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
>   list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
>   read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
>   
> +list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
> +read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
> +read_lnk_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)
> +
>   dev_rw_sysfs(udevadm_t)
>   dev_read_urand(udevadm_t)

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 3/9] xserver: ICEauthority can be in /run/user
  2019-12-24 10:10 ` [PATCH 3/9] xserver: ICEauthority can be in /run/user Jason Zaman
@ 2019-12-26 17:24   ` Chris PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:24 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy; +Cc: Jason Zaman

On 12/24/19 5:10 AM, Jason Zaman wrote:
> From: Jason Zaman <perfinion@gentoo.org>
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/xserver.fc | 2 ++
>   policy/modules/services/xserver.te | 2 ++
>   2 files changed, 4 insertions(+)
> 
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index fa8db862..df06151e 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -143,6 +143,8 @@ ifndef(`distro_debian',`
>   /run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
>   /run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
>   
> +/run/user/%{USERID}/ICEauthority.*	--	gen_context(system_u:object_r:iceauth_home_t,s0)
> +
>   ifdef(`distro_suse',`
>   /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
>   ')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index f016d429..499f03a6 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -117,6 +117,7 @@ userdom_user_application_domain(iceauth_t, iceauth_exec_t)
>   
>   type iceauth_home_t;
>   userdom_user_home_content(iceauth_home_t)
> +userdom_user_runtime_content(iceauth_home_t)
>   
>   type xauth_t;
>   type xauth_exec_t;
> @@ -211,6 +212,7 @@ optional_policy(`
>   
>   allow iceauth_t iceauth_home_t:file manage_file_perms;
>   userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
> +userdom_user_runtime_filetrans(iceauth_t, iceauth_home_t, file)
>   
>   allow xdm_t iceauth_home_t:file read_file_perms;

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock
  2019-12-24 10:10 ` [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock Jason Zaman
@ 2019-12-26 17:24   ` Chris PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:24 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 12/24/19 5:10 AM, Jason Zaman wrote:
> type=AVC msg=audit(1563073723.106:232): avc:  denied  { read } for  pid=7850 comm="udisksd" name="utab.lock" dev="tmpfs" ino=18445 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1563073723.106:232): arch=c000003e syscall=254 success=no exit=-13 a0=b a1=55841d66c920 a2=10 a3=0 items=1 ppid=7849 pid=7850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1563073723.106:232): cwd="/"
> type=PATH msg=audit(1563073723.106:232): item=0 name="/run/mount/utab.lock" inode=18445 dev=00:16 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_runtime_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/devicekit.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
> index 3331bd00..0622b6cf 100644
> --- a/policy/modules/services/devicekit.te
> +++ b/policy/modules/services/devicekit.te
> @@ -192,6 +192,7 @@ optional_policy(`
>   
>   optional_policy(`
>   	mount_domtrans(devicekit_disk_t)
> +	mount_rw_runtime_files(devicekit_disk_t)
>   ')
>   
>   optional_policy(`

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 5/9] dirmngr: accept unix stream socket
  2019-12-24 10:10 ` [PATCH 5/9] dirmngr: accept unix stream socket Jason Zaman
@ 2019-12-26 17:28   ` Chris PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:28 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 12/24/19 5:10 AM, Jason Zaman wrote:
> dirmngr needs to listen and accept on /run/user/1000/gnupg/S.dirmngr
> 
> type=AVC msg=audit(1554175286.968:2720907): avc:  denied  { accept } for  pid=15692 comm="dirmngr" path="/run/user/1000/gnupg/S.dirmngr" scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/dirmngr.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/services/dirmngr.te b/policy/modules/services/dirmngr.te
> index 056cd97b..e34295e7 100644
> --- a/policy/modules/services/dirmngr.te
> +++ b/policy/modules/services/dirmngr.te
> @@ -37,6 +37,7 @@ userdom_user_home_content(dirmngr_home_t)
>   #
>   
>   allow dirmngr_t self:fifo_file rw_file_perms;
> +allow dirmngr_t self:unix_stream_socket rw_stream_socket_perms;
>   
>   allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
>   allow dirmngr_t dirmngr_conf_t:file read_file_perms;

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 7/9] chromium: allow dbus chat to inhibit power
  2019-12-24 10:10 ` [PATCH 7/9] chromium: allow dbus chat to inhibit power Jason Zaman
@ 2019-12-26 17:28   ` Chris PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:28 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 12/24/19 5:10 AM, Jason Zaman wrote:
> Chromium will inhibit power saving when playing videos.
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/apps/chromium.if | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
> index 2ded3279..f236171e 100644
> --- a/policy/modules/apps/chromium.if
> +++ b/policy/modules/apps/chromium.if
> @@ -22,6 +22,7 @@ interface(`chromium_role',`
>   		type chromium_sandbox_t;
>   		type chromium_naclhelper_t;
>   		type chromium_exec_t;
> +		class dbus send_msg;
>   	')
>   
>   	role $1 types chromium_t;
> @@ -42,6 +43,9 @@ interface(`chromium_role',`
>   
>   	allow chromium_sandbox_t $2:fd use;
>   	allow chromium_naclhelper_t $2:fd use;
> +
> +	allow $2 chromium_t:dbus send_msg;
> +	allow chromium_t $2:dbus send_msg;
>   ')
>   
>   #######################################

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd
  2019-12-24 10:10 ` [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd Jason Zaman
@ 2019-12-26 17:28   ` Chris PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:28 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 12/24/19 5:10 AM, Jason Zaman wrote:
> avc:  denied  { listen } for  pid=3236 comm="virtlogd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/virt.te | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index 0d5d1b25..d4c5d05a 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -1323,6 +1323,7 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
>   
>   allow virtlockd_t self:capability dac_override;
>   allow virtlockd_t self:fifo_file rw_fifo_file_perms;
> +allow virtlockd_t self:unix_stream_socket create_stream_socket_perms;
>   
>   allow virtlockd_t virtd_t:dir list_dir_perms;
>   allow virtlockd_t virtd_t:file read_file_perms;
> @@ -1362,6 +1363,7 @@ virt_read_config(virtlockd_t)
>   #
>   
>   allow virtlogd_t self:fifo_file rw_fifo_file_perms;
> +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
>   
>   allow virtlogd_t virtd_t:dir list_dir_perms;
>   allow virtlogd_t virtd_t:file read_file_perms;

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 9/9] virt: allow lvm_control access
  2019-12-24 10:10 ` [PATCH 9/9] virt: allow lvm_control access Jason Zaman
@ 2019-12-26 17:28   ` Chris PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Chris PeBenito @ 2019-12-26 17:28 UTC (permalink / raw)
  To: Jason Zaman, selinux-refpolicy

On 12/24/19 5:10 AM, Jason Zaman wrote:
> type=AVC msg=audit(1563034372.505:40675): avc:  denied  { read write } for  pid=64033 comm="libvirtd" name="control" dev="devtmpfs" ino=1273 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
> type=SYSCALL msg=audit(1563034372.505:40675): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff9a09cd180 a2=2 a3=0 items=1 ppid=1 pid=64033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1563034372.505:40675): cwd="/"
> type=PATH msg=audit(1563034372.505:40675): item=0 name="/dev/mapper/control" inode=1273 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=0a:ec obj=system_u:object_r:lvm_control_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>   policy/modules/services/virt.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index d4c5d05a..fb985f12 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -622,6 +622,7 @@ dev_rw_sysfs(virtd_t)
>   dev_read_urand(virtd_t)
>   dev_read_rand(virtd_t)
>   dev_rw_kvm(virtd_t)
> +dev_rw_lvm_control(virtd_t)
>   dev_getattr_all_chr_files(virtd_t)
>   dev_rw_mtrr(virtd_t)
>   dev_rw_vhost(virtd_t)

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/9] systemd: Add elogind support
  2019-12-26 17:03 ` [PATCH 1/9] systemd: Add elogind support Chris PeBenito
@ 2019-12-28  4:35   ` Jason Zaman
  2019-12-28 15:59     ` Dominick Grift
  0 siblings, 1 reply; 20+ messages in thread
From: Jason Zaman @ 2019-12-28  4:35 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

On Thu, Dec 26, 2019 at 12:03:32PM -0500, Chris PeBenito wrote:
> On 12/24/19 5:10 AM, Jason Zaman wrote:
> > Elogind is based off systemd-logind extracted to stand alone.
> 
> I'm not a fan of this.  Systemd is already a big mess of permissions by 
> itself, and I'm relctant to add even more to it to support something else.

I'm not super happy about it either. I tried to make elogind_t
standalone originally. it didnt end up working that well cuz it really
*is* systemd-logind, just without systemd as pid1. The problem is all
the paths are the same, everything in /run and /var and all that gets
used exactly the same, so the fcontexts would conflict. A lot of the
perms I ended up adding seem like things that systemd-logind should be
able to do anyway too (like purging tmp to clean up /run/user when
people logout, or sending audit logs) or do these things end up done by
pid1 instead if its systemd?

It's a similar issue to how tmpfiles works on gentoo. We made a policy
for opentmpfiles (originally in openrc) then later the systemd policy in
upstream refpol added systemd-tmpfiles. I've had to ifndef init_systemd
around those fcontexts and it kind of works but its pretty awkward and
makes switching between openrc/systemd more annoying than it should be.

I'd be up for modularizing systemd.te if it'd make things easier but I'm
not completely sure how. I see a few different parts that need to be
handled carefully: 1) the paths on disk, these should ideally be the
same for all the implementations of things. 2) the daemons themselves,
these could be the same or different domains makes little difference. 3)
how other programs interact with the daemons. I'm not really sure
duplicating perms in every other policy is the right way to go? like
everything would have to call both systemd_logind_foo() and
elogind_foo()?

If you have better ideas how to approach this, I'm all ears :)

-- Jason


> 
> 
> > Signed-off-by: Jason Zaman <jason@perfinion.com>
> > ---
> >   policy/modules/admin/sudo.if       |  2 ++
> >   policy/modules/system/authlogin.if |  5 +++++
> >   policy/modules/system/systemd.fc   |  5 +++++
> >   policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
> >   4 files changed, 38 insertions(+), 1 deletion(-)
> > 
> > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> > index c1459364..4f08af28 100644
> > --- a/policy/modules/admin/sudo.if
> > +++ b/policy/modules/admin/sudo.if
> > @@ -159,6 +159,8 @@ template(`sudo_role_template',`
> >   
> >   	optional_policy(`
> >   		dbus_system_bus_client($1_sudo_t)
> > +		systemd_dbus_chat_logind($1_sudo_t)
> > +		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
> >   
> >   		ifdef(`init_systemd',`
> >   			init_dbus_chat($1_sudo_t)
> > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > index c16748f2..83837458 100644
> > --- a/policy/modules/system/authlogin.if
> > +++ b/policy/modules/system/authlogin.if
> > @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
> >   		optional_policy(`
> >   			fprintd_dbus_chat($1)
> >   		')
> > +
> > +		optional_policy(`
> > +			systemd_dbus_chat_logind($1)
> > +			systemd_write_inherited_logind_sessions_pipes($1)
> > +		')
> >   	')
> >   
> >   	optional_policy(`
> > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> > index 607b1d88..e6831465 100644
> > --- a/policy/modules/system/systemd.fc
> > +++ b/policy/modules/system/systemd.fc
> > @@ -16,6 +16,10 @@
> >   /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> >   /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
> >   
> > +/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +
> >   # Systemd generators
> >   /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> >   
> > @@ -56,6 +60,7 @@
> >   /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
> >   
> >   /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > +/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
> >   /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> >   
> >   /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > index 1422d8e2..f13b7252 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
> >   
> >   type systemd_logind_t;
> >   type systemd_logind_exec_t;
> > +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
> >   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> >   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> >   
> > @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
> >   type systemd_logind_runtime_t alias systemd_logind_var_run_t;
> >   files_pid_file(systemd_logind_runtime_t)
> >   init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> > +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
> >   
> >   type systemd_logind_var_lib_t;
> >   files_type(systemd_logind_var_lib_t)
> > @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
> >   # Logind local policy
> >   #
> >   
> > -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> > +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
> >   allow systemd_logind_t self:process { getcap setfscreate };
> >   allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> >   allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> > @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> >   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> >   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> >   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> > +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> > +
> > +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
> >   
> >   manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> >   manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> > @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
> >   
> >   kernel_read_kernel_sysctls(systemd_logind_t)
> >   
> > +auth_write_login_records(systemd_logind_t)
> > +
> >   dev_getattr_dri_dev(systemd_logind_t)
> >   dev_getattr_generic_usb_dev(systemd_logind_t)
> >   dev_getattr_kvm_dev(systemd_logind_t)
> > @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
> >   
> >   domain_obj_id_change_exemption(systemd_logind_t)
> >   
> > +files_purge_tmp(systemd_logind_t)
> >   files_read_etc_files(systemd_logind_t)
> >   files_search_pids(systemd_logind_t)
> >   
> >   fs_getattr_cgroup(systemd_logind_t)
> > +fs_manage_cgroup_dirs(systemd_logind_t)
> > +fs_manage_cgroup_files(systemd_logind_t)
> >   fs_getattr_tmpfs(systemd_logind_t)
> >   fs_getattr_tmpfs_dirs(systemd_logind_t)
> >   fs_list_tmpfs(systemd_logind_t)
> > @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
> >   fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
> >   fs_unmount_tmpfs(systemd_logind_t)
> >   
> > +logging_send_audit_msgs(systemd_logind_t)
> > +
> >   selinux_get_enforce_mode(systemd_logind_t)
> >   
> >   storage_getattr_removable_dev(systemd_logind_t)
> > @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
> >   
> >   auth_manage_faillog(systemd_logind_t)
> >   
> > +init_create_runtime_dirs(systemd_logind_t)
> >   init_dbus_send_script(systemd_logind_t)
> >   init_get_all_units_status(systemd_logind_t)
> >   init_get_system_status(systemd_logind_t)
> > @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> >   userdom_setattr_user_ttys(systemd_logind_t)
> >   userdom_use_user_ttys(systemd_logind_t)
> >   
> > +tunable_policy(`use_nfs_home_dirs',`
> > +       fs_read_nfs_files(systemd_logind_t)
> > +')
> > +
> > +tunable_policy(`use_samba_home_dirs',`
> > +       fs_read_cifs_files(systemd_logind_t)
> > +')
> > +
> >   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> >   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> >   # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
> > @@ -568,6 +589,10 @@ optional_policy(`
> >   	policykit_dbus_chat(systemd_logind_t)
> >   ')
> >   
> > +optional_policy(`
> > +	shutdown_domtrans(systemd_logind_t)
> > +')
> > +
> >   optional_policy(`
> >   	xserver_read_state(systemd_logind_t)
> >   	xserver_dbus_chat(systemd_logind_t)
> > 
> 
> 
> -- 
> Chris PeBenito

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/9] systemd: Add elogind support
  2019-12-28  4:35   ` Jason Zaman
@ 2019-12-28 15:59     ` Dominick Grift
  0 siblings, 0 replies; 20+ messages in thread
From: Dominick Grift @ 2019-12-28 15:59 UTC (permalink / raw)
  To: Jason Zaman; +Cc: Chris PeBenito, selinux-refpolicy

[-- Attachment #1: Type: text/plain, Size: 11001 bytes --]

On Sat, Dec 28, 2019 at 12:35:04PM +0800, Jason Zaman wrote:
> On Thu, Dec 26, 2019 at 12:03:32PM -0500, Chris PeBenito wrote:
> > On 12/24/19 5:10 AM, Jason Zaman wrote:
> > > Elogind is based off systemd-logind extracted to stand alone.
> > 
> > I'm not a fan of this.  Systemd is already a big mess of permissions by 
> > itself, and I'm relctant to add even more to it to support something else.
> 
> I'm not super happy about it either. I tried to make elogind_t
> standalone originally. it didnt end up working that well cuz it really
> *is* systemd-logind, just without systemd as pid1. The problem is all
> the paths are the same, everything in /run and /var and all that gets
> used exactly the same, so the fcontexts would conflict. A lot of the
> perms I ended up adding seem like things that systemd-logind should be
> able to do anyway too (like purging tmp to clean up /run/user when
> people logout, or sending audit logs) or do these things end up done by
> pid1 instead if its systemd?
> 
> It's a similar issue to how tmpfiles works on gentoo. We made a policy
> for opentmpfiles (originally in openrc) then later the systemd policy in
> upstream refpol added systemd-tmpfiles. I've had to ifndef init_systemd
> around those fcontexts and it kind of works but its pretty awkward and
> makes switching between openrc/systemd more annoying than it should be.
> 
> I'd be up for modularizing systemd.te if it'd make things easier but I'm
> not completely sure how. I see a few different parts that need to be
> handled carefully: 1) the paths on disk, these should ideally be the
> same for all the implementations of things. 2) the daemons themselves,
> these could be the same or different domains makes little difference. 3)
> how other programs interact with the daemons. I'm not really sure
> duplicating perms in every other policy is the right way to go? like
> everything would have to call both systemd_logind_foo() and
> elogind_foo()?
> 
> If you have better ideas how to approach this, I'm all ears :)

I guess there are two options here. Either make your elogind module depend on whatever module has the types declared that need to be used by both logind and elogind (less optimal but less intrusive), or strip the "shared" types from the module that currently has it declared and declare it in a separate "shared" module so that both logind and elogind can tap into that (would require some refactoring but should be doable and be more optimal i suspect i suspect).

The same would apply to tmpfiles i gather.

> 
> -- Jason
> 
> 
> > 
> > 
> > > Signed-off-by: Jason Zaman <jason@perfinion.com>
> > > ---
> > >   policy/modules/admin/sudo.if       |  2 ++
> > >   policy/modules/system/authlogin.if |  5 +++++
> > >   policy/modules/system/systemd.fc   |  5 +++++
> > >   policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
> > >   4 files changed, 38 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> > > index c1459364..4f08af28 100644
> > > --- a/policy/modules/admin/sudo.if
> > > +++ b/policy/modules/admin/sudo.if
> > > @@ -159,6 +159,8 @@ template(`sudo_role_template',`
> > >   
> > >   	optional_policy(`
> > >   		dbus_system_bus_client($1_sudo_t)
> > > +		systemd_dbus_chat_logind($1_sudo_t)
> > > +		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
> > >   
> > >   		ifdef(`init_systemd',`
> > >   			init_dbus_chat($1_sudo_t)
> > > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > > index c16748f2..83837458 100644
> > > --- a/policy/modules/system/authlogin.if
> > > +++ b/policy/modules/system/authlogin.if
> > > @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
> > >   		optional_policy(`
> > >   			fprintd_dbus_chat($1)
> > >   		')
> > > +
> > > +		optional_policy(`
> > > +			systemd_dbus_chat_logind($1)
> > > +			systemd_write_inherited_logind_sessions_pipes($1)
> > > +		')
> > >   	')
> > >   
> > >   	optional_policy(`
> > > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> > > index 607b1d88..e6831465 100644
> > > --- a/policy/modules/system/systemd.fc
> > > +++ b/policy/modules/system/systemd.fc
> > > @@ -16,6 +16,10 @@
> > >   /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> > >   /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
> > >   
> > > +/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +
> > >   # Systemd generators
> > >   /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> > >   
> > > @@ -56,6 +60,7 @@
> > >   /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
> > >   
> > >   /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > > +/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
> > >   /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > >   
> > >   /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> > > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > > index 1422d8e2..f13b7252 100644
> > > --- a/policy/modules/system/systemd.te
> > > +++ b/policy/modules/system/systemd.te
> > > @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
> > >   
> > >   type systemd_logind_t;
> > >   type systemd_logind_exec_t;
> > > +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
> > >   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> > >   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> > >   
> > > @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
> > >   type systemd_logind_runtime_t alias systemd_logind_var_run_t;
> > >   files_pid_file(systemd_logind_runtime_t)
> > >   init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> > > +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
> > >   
> > >   type systemd_logind_var_lib_t;
> > >   files_type(systemd_logind_var_lib_t)
> > > @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
> > >   # Logind local policy
> > >   #
> > >   
> > > -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> > > +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
> > >   allow systemd_logind_t self:process { getcap setfscreate };
> > >   allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> > >   allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> > > @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> > >   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> > >   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> > >   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> > > +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> > > +
> > > +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
> > >   
> > >   manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> > >   manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> > > @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
> > >   
> > >   kernel_read_kernel_sysctls(systemd_logind_t)
> > >   
> > > +auth_write_login_records(systemd_logind_t)
> > > +
> > >   dev_getattr_dri_dev(systemd_logind_t)
> > >   dev_getattr_generic_usb_dev(systemd_logind_t)
> > >   dev_getattr_kvm_dev(systemd_logind_t)
> > > @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
> > >   
> > >   domain_obj_id_change_exemption(systemd_logind_t)
> > >   
> > > +files_purge_tmp(systemd_logind_t)
> > >   files_read_etc_files(systemd_logind_t)
> > >   files_search_pids(systemd_logind_t)
> > >   
> > >   fs_getattr_cgroup(systemd_logind_t)
> > > +fs_manage_cgroup_dirs(systemd_logind_t)
> > > +fs_manage_cgroup_files(systemd_logind_t)
> > >   fs_getattr_tmpfs(systemd_logind_t)
> > >   fs_getattr_tmpfs_dirs(systemd_logind_t)
> > >   fs_list_tmpfs(systemd_logind_t)
> > > @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
> > >   fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
> > >   fs_unmount_tmpfs(systemd_logind_t)
> > >   
> > > +logging_send_audit_msgs(systemd_logind_t)
> > > +
> > >   selinux_get_enforce_mode(systemd_logind_t)
> > >   
> > >   storage_getattr_removable_dev(systemd_logind_t)
> > > @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
> > >   
> > >   auth_manage_faillog(systemd_logind_t)
> > >   
> > > +init_create_runtime_dirs(systemd_logind_t)
> > >   init_dbus_send_script(systemd_logind_t)
> > >   init_get_all_units_status(systemd_logind_t)
> > >   init_get_system_status(systemd_logind_t)
> > > @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> > >   userdom_setattr_user_ttys(systemd_logind_t)
> > >   userdom_use_user_ttys(systemd_logind_t)
> > >   
> > > +tunable_policy(`use_nfs_home_dirs',`
> > > +       fs_read_nfs_files(systemd_logind_t)
> > > +')
> > > +
> > > +tunable_policy(`use_samba_home_dirs',`
> > > +       fs_read_cifs_files(systemd_logind_t)
> > > +')
> > > +
> > >   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> > >   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> > >   # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
> > > @@ -568,6 +589,10 @@ optional_policy(`
> > >   	policykit_dbus_chat(systemd_logind_t)
> > >   ')
> > >   
> > > +optional_policy(`
> > > +	shutdown_domtrans(systemd_logind_t)
> > > +')
> > > +
> > >   optional_policy(`
> > >   	xserver_read_state(systemd_logind_t)
> > >   	xserver_dbus_chat(systemd_logind_t)
> > > 
> > 
> > 
> > -- 
> > Chris PeBenito

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 20+ messages in thread

end of thread, back to index

Thread overview: 20+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-24 10:10 [PATCH 1/9] systemd: Add elogind support Jason Zaman
2019-12-24 10:10 ` [PATCH 2/9] udev: Allow udevadm access to udev_tbl_t Jason Zaman
2019-12-26 17:23   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 3/9] xserver: ICEauthority can be in /run/user Jason Zaman
2019-12-26 17:24   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock Jason Zaman
2019-12-26 17:24   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 5/9] dirmngr: accept unix stream socket Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 6/9] fstools: add zfs-auto-snapshot Jason Zaman
2019-12-26 17:06   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 7/9] chromium: allow dbus chat to inhibit power Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-24 10:10 ` [PATCH 9/9] virt: allow lvm_control access Jason Zaman
2019-12-26 17:28   ` Chris PeBenito
2019-12-26 17:03 ` [PATCH 1/9] systemd: Add elogind support Chris PeBenito
2019-12-28  4:35   ` Jason Zaman
2019-12-28 15:59     ` Dominick Grift

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git