From: Chris PeBenito <pebenito@ieee.org>
To: russell@coker.com.au
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] systemd misc
Date: Sun, 6 Jan 2019 13:18:16 -0500	[thread overview]
Message-ID: <f008dd12-b023-3a02-723f-42466d3c3bbf@ieee.org> (raw)
In-Reply-To: <2908877.gL7Ou1sHps@xev>

On 1/5/19 9:34 PM, Russell Coker wrote:
> I'm not sure.  If this is a problem then skip the Postfix bit and merge the
> rest, I can investigate Postfix more later.

I've merged this, though I'd still prefer to hear more about the Postfix 
change, if possible.


> On Sunday, 6 January 2019 6:29:11 AM AEDT Chris PeBenito wrote:
>> On 1/4/19 2:54 AM, Russell Coker wrote:
>>> This patch has policy changes related to systemd and the systemd versions
>>> of system programs.
>>>
>>> Also has some dbus policy which probably isn't strictly a systemd thing,
>>> but it all came at the same time.
>>
>> Is all the postfix dbus usage due to a postfix change or something else?
>>    I want to look for a pattern if this is not due to postfix code changes.
>>
>> I don't think I have any issues with anything else in the patch, but
>> will wait for the above answer to try to merge in one shot.
>>
>>> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
>>> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
>>> @@ -38,6 +38,8 @@ role system_r types logrotate_mail_t;
>>>
>>>    #
>>>    
>>>    allow logrotate_t self:capability { chown dac_override dac_read_search
>>>    fowner fsetid kill setgid setuid sys_nice sys_resource };>
>>> +# systemctl asks for net_admin
>>> +dontaudit logrotate_t self:capability net_admin;
>>>
>>>    allow logrotate_t self:process { transition signal_perms getsched
>>>    setsched getsession getpgid setpgid getcap setcap share getattr
>>>    setfscreate noatsecure siginh setrlimit rlimitinh dyntransition
>>>    setkeycreate setsockcreate getrlimit };
>>>    allow logrotate_t self:fd use;
>>>    allow logrotate_t self:key manage_key_perms;
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/cron.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
>>> +++ refpolicy-2.20180701/policy/modules/services/cron.te
>>> @@ -378,6 +378,10 @@ optional_policy(`
>>>
>>>    	')
>>>    	
>>>    	optional_policy(`
>>>
>>> +		init_dbus_chat(crond_t)
>>> +	')
>>> +
>>> +	optional_policy(`
>>>
>>>    		unconfined_dbus_send(crond_t)
>>>    	
>>>    	')
>>>    
>>>    ')
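Review bot: `init_dbus_chat(crond_t)` carries no comment saying which cron operation needs a D-Bus conversation with PID 1, while the logrotate hunk in the same series records its trigger (`# systemctl asks for net_admin`). The interface is bidirectional, so init_t also gains send_msg to crond_t, which is worth stating explicitly. Suggest `# presumably for cron jobs that invoke systemctl — confirm against the denial` above the call. The same missing rationale applies to `init_dbus_chat(sshd_t)` in the ssh.te hunk, where logind chat is already covered by the existing `systemd_dbus_chat_logind(sshd_t)`. The outer `optional_policy` block that encloses this hunk starts outside it.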
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
>>> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
>>> @@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t)
>>>
>>>    domain_use_interactive_fds(NetworkManager_t)
>>>    domain_read_all_domains_state(NetworkManager_t)
>>>
>>> +# /etc/resolv.conf is a symlink written by NM
>>> +files_manage_etc_symlinks(NetworkManager_t)
>>>
>>>    files_read_etc_runtime_files(NetworkManager_t)
>>>    files_read_usr_files(NetworkManager_t)
>>>    files_read_usr_src_files(NetworkManager_t)
>>>
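Review bot: `files_manage_etc_symlinks(NetworkManager_t)` grants create, delete and rename on every etc_t symlink under /etc, which is wider than the single /etc/resolv.conf link the comment names. If that link is the only need, labeling it as resolver configuration through the sysnetwork file contexts so the module's existing net_conf_t rules cover it would keep the grant scoped to what the comment describes. If the broader etc_t symlink management is genuinely required, the comment should say so, e.g. `# NM rewrites /etc/resolv.conf as a symlink; label is etc_t, so etc symlink management is needed`.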
>>> @@ -346,6 +348,7 @@ optional_policy(`
>>>
>>>    ')
>>>    
>>>    optional_policy(`
>>>
>>> +	systemd_read_logind_pids(NetworkManager_t)
>>>
>>>    	systemd_read_logind_sessions_files(NetworkManager_t)
>>>    	systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
>>>    
>>>    ')
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/ntp.fc
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc
>>> +++ refpolicy-2.20180701/policy/modules/services/ntp.fc
>>> @@ -13,6 +13,7 @@
>>>
>>>    /etc/rc\.d/init\.d/ntpd?
>>>    		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
>>>    
>>>    /run/ntpd\.pid				--	gen_context(system_u:object_r:ntpd_pid_t,s0)
>>>
>>> +/run/systemd/timesync(/.*)?			
> gen_context(system_u:object_r:ntpd_pid_t,s0
>>> )
>>>
>>>    /usr/bin/ntpd				--	
> gen_context(system_u:object_r:ntpd_exec_t,s0)
>>>    /usr/bin/ntpdate			--	
> gen_context(system_u:object_r:ntpdate_exec_t,s0)
>>>
>>> @@ -31,6 +32,7 @@
>>>
>>>    /var/lib/ntp(/.*)?				
> gen_context(system_u:object_r:ntp_drift_t,s0)
>>>    /var/lib/sntp-kod(/.*)?				
> gen_context(system_u:object_r:ntp_drift_t,s0)
>>>    /var/lib/systemd/clock			--	
> gen_context(system_u:object_r:ntp_drift_t,s0
>>>    )
>>>
>>> +/var/lib/private/systemd/timesync(/.*)?
>>> --	gen_context(system_u:object_r:ntp_drift_t,s0)>
>>>    /var/lock/ntpdate                       --
>>>    gen_context(system_u:object_r:ntpd_lock_t,s0)>
>>> Index: refpolicy-2.20180701/policy/modules/services/openvpn.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te
>>> +++ refpolicy-2.20180701/policy/modules/services/openvpn.te
>>> @@ -175,3 +175,7 @@ optional_policy(`
>>>
>>>    		networkmanager_dbus_chat(openvpn_t)
>>>    	
>>>    	')
>>>    
>>>    ')
>>>
>>> +
>>> +optional_policy(`
>>> +	systemd_use_passwd_agent(openvpn_t)
>>> +')
>>> Index: refpolicy-2.20180701/policy/modules/services/postfix.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
>>> +++ refpolicy-2.20180701/policy/modules/services/postfix.te
>>> @@ -347,6 +347,12 @@ optional_policy(`
>>>
>>>    ')
>>>    
>>>    optional_policy(`
>>>
>>> +	dbus_send_system_bus(postfix_master_t)
>>> +	dbus_system_bus_client(postfix_master_t)
>>> +	init_dbus_chat(postfix_master_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>
>>>    	sendmail_signal(postfix_master_t)
>>>    
>>>    ')
>>>
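Review bot: `dbus_send_system_bus(postfix_master_t)` on the line above `dbus_system_bus_client(postfix_master_t)` is redundant as far as I can tell: the client interface already grants send_msg to system_dbusd_t together with the socket connect and config reads, so the send-only interface adds nothing. Dropping the `dbus_send_system_bus` line here, and in the matching cleanup, qmgr and smtp hunks of this file, leaves the effective policy unchanged and makes it clear each domain is a full bus client. If the send-only interface was kept deliberately, a short comment should explain what it covers that the client interface does not.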
>>> @@ -376,6 +382,10 @@ optional_policy(`
>>>
>>>    	init_dbus_chat(postfix_bounce_t)
>>>    
>>>    ')
>>>
>>> +optional_policy(`
>>> +	dbus_system_bus_client(postfix_bounce_t)
>>> +')
>>> +
>>>
>>>    ########################################
>>>    #
>>>    # Cleanup local policy
>>>
>>> @@ -420,6 +430,12 @@ optional_policy(`
>>>
>>>    	mailman_read_data_files(postfix_cleanup_t)
>>>    
>>>    ')
>>>
>>> +optional_policy(`
>>> +	dbus_send_system_bus(postfix_cleanup_t)
>>> +	dbus_system_bus_client(postfix_cleanup_t)
>>> +	init_dbus_chat(postfix_cleanup_t)
>>> +')
>>> +
>>>
>>>    ########################################
>>>    #
>>>    # Local local policy
>>>
>>> @@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p
>>>
>>>    mcs_file_read_all(postfix_pickup_t)
>>>    mcs_file_write_all(postfix_pickup_t)
>>>
>>> +optional_policy(`
>>> +	dbus_system_bus_client(postfix_pickup_t)
>>> +	init_dbus_chat(postfix_pickup_t)
>>> +')
>>> +
>>>
>>>    ########################################
>>>    #
>>>    # Pipe local policy
>>>
>>> @@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po
>>>
>>>    corecmd_exec_bin(postfix_qmgr_t)
>>>
>>> +optional_policy(`
>>> +	dbus_send_system_bus(postfix_qmgr_t)
>>> +	dbus_system_bus_client(postfix_qmgr_t)
>>> +	init_dbus_chat(postfix_qmgr_t)
>>> +')
>>> +
>>>
>>>    ########################################
>>>    #
>>>    # Showq local policy
>>>
>>> @@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t)
>>>
>>>    mta_map_aliases(postfix_smtpd_t)
>>>    
>>>    optional_policy(`
>>>
>>> +	dbus_send_system_bus(postfix_smtp_t)
>>> +	dbus_system_bus_client(postfix_smtp_t)
>>> +	init_dbus_chat(postfix_smtp_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>
>>>    	dovecot_stream_connect_auth(postfix_smtpd_t)
>>>    	dovecot_stream_connect(postfix_smtpd_t)
>>>    
>>>    ')
>>>
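Review bot: The three rules added in this hunk target `postfix_smtp_t`, but they are inserted in the smtpd section — the surrounding context is `mta_map_aliases(postfix_smtpd_t)` and `dovecot_stream_connect_auth(postfix_smtpd_t)`. Either the intended domain is `postfix_smtpd_t` and the name is a typo, or the block belongs in the smtp local policy section; as written the reader cannot tell which daemon was observed needing the bus, and the file's per-domain sectioning is broken. Please confirm against the denial that motivated it and either rename the domain or move the block.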
>>> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
>>> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
>>> @@ -278,6 +278,7 @@ ifdef(`distro_debian',`
>>>
>>>    ')
>>>    
>>>    ifdef(`init_systemd',`
>>>
>>> +	init_dbus_chat(sshd_t)
>>>
>>>    	systemd_dbus_chat_logind(sshd_t)
>>>    	init_rw_stream_sockets(sshd_t)
>>>    
>>>    ')
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/tor.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/tor.te
>>> +++ refpolicy-2.20180701/policy/modules/services/tor.te
>>> @@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t)
>>>
>>>    files_read_usr_files(tor_t)
>>>    
>>>    fs_search_tmpfs(tor_t)
>>>
>>> +# for log symlink on a tmpfs filesystem systemd creates for it
>>> +fs_read_tmpfs_symlinks(tor_t)
>>>
>>>    auth_use_nsswitch(tor_t)
>>>
>>> Index: refpolicy-2.20180701/policy/modules/system/systemd.fc
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc
>>> +++ refpolicy-2.20180701/policy/modules/system/systemd.fc
>>> @@ -50,6 +50,8 @@
>>>
>>>    /run/\.nologin[^/]*	--	
> gen_context(system_u:object_r:systemd_sessions_va
>>>    r_run_t,s0)
>>>    /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_
>>>    t,s0)>
>>> +/run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_pas
>>> swd_var_run_t,s0)
>>> +/run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:syst
>>> emd_passwd_var_run_t,s0)>
>>>    /run/systemd/resolve(/.*)?
>>>    gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
>>>    /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions
>>>    _var_run_t,s0)
>>>    /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessi
>>>    ons_var_run_t,s0)>
>>> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
>>> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
>>> @@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys
>>>
>>>    type systemd_nspawn_t;
>>>    type systemd_nspawn_exec_t;
>>>    init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
>>>
>>> +mcs_killall(systemd_nspawn_t)
>>>
>>>    type systemd_nspawn_var_run_t;
>>>    files_pid_file(systemd_nspawn_var_run_t)
>>>
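Review bot: `mcs_killall(systemd_nspawn_t)` is an MCS constraint override (signal processes regardless of category) and it is added among the type declarations right after `init_system_domain` with no comment, while the other nspawn additions in this series carry a reason (`# for /tmp/.#inaccessible*`). Suggest `# nspawn signals container processes that may run under other categories — confirm` above it. It is also unconditional, unlike the nspawn rules later in the file gated by `systemd_nspawn_labeled_namespace`; if it is only needed for labeled containers it may belong inside that tunable block.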
>>> @@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste
>>>
>>>    #
>>>    
>>>    dev_read_sysfs(systemd_gpt_generator_t)
>>>
>>> +files_list_usr(systemd_gpt_generator_t)
>>>
>>>    files_read_etc_files(systemd_gpt_generator_t)
>>>    fs_getattr_xattr_fs(systemd_gpt_generator_t)
>>>    storage_raw_read_fixed_disk(systemd_gpt_generator_t)
>>>
>>> @@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars
>>>
>>>    # Logind local policy
>>>    #
>>>
>>> -allow systemd_logind_t self:capability { chown dac_override fowner
>>> sys_admin sys_tty_config };
>>> +allow systemd_logind_t self:capability {
>>> chown dac_override dac_read_search fowner sys_admin sys_tty_config };>
>>>    allow systemd_logind_t self:process { getcap setfscreate };
>>>    allow systemd_logind_t self:netlink_kobject_uevent_socket
>>>    create_socket_perms;
>>>    allow systemd_logind_t self:unix_dgram_socket
>>>    create_socket_perms;>
>>> @@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti
>>>
>>>    # Nspawn local policy
>>>    #
>>>
>>> -allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill
>>> };
>>> -allow systemd_nspawn_t self:capability { dac_override fsetid mknod
>>> net_admin setgid setuid setpcap sys_admin sys_chroot };
>>> +allow
>>> systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit
>>> sigkill };
>>> +allow systemd_nspawn_t self:capability { dac_override
>>> dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin
>>> sys_chroot };>
>>>    allow systemd_nspawn_t self:capability2 wake_alarm;
>>>    allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
>>>
>>> @@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va
>>>
>>>    allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
>>>    init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>>>
>>> -files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
>>> +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
>>>
>>>    allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
>>>    allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
>>>
>>> +# for /tmp/.#inaccessible*
>>> +allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
>>>
>>>    # for /run/systemd/nspawn/incoming in chroot
>>>    allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
>>>
>>> @@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t)
>>>
>>>    files_mounton_mnt(systemd_nspawn_t)
>>>    files_mounton_root(systemd_nspawn_t)
>>>    files_mounton_tmp(systemd_nspawn_t)
>>>
>>> +files_read_kernel_symbol_table(systemd_nspawn_t)
>>>
>>>    files_setattr_pid_dirs(systemd_nspawn_t)
>>>    
>>>    fs_getattr_tmpfs(systemd_nspawn_t)
>>>
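Review bot: `files_read_kernel_symbol_table(systemd_nspawn_t)` gives the container manager read access to system_map_t — System.map and, I believe, /proc/kallsyms via the proc genfscon — that is, kernel symbol addresses, and the hunk does not say what nspawn actually reads. If this is an incidental probe that only produces a denial, a dontaudit rule is the better fit, as the logrotate hunk did for net_admin; if nspawn genuinely consumes the data, a comment naming the access path would justify keeping the allow. Suggest `# TODO confirm: which nspawn code path reads the kernel symbol table` until that is known.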
>>> @@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t)
>>>
>>>    userdom_manage_user_home_dirs(systemd_nspawn_t)
>>>    
>>>    tunable_policy(`systemd_nspawn_labeled_namespace',`
>>>
>>> +	corecmd_exec_bin(systemd_nspawn_t)
>>>
>>>    	corecmd_exec_shell(systemd_nspawn_t)
>>>    	
>>>    	dev_mounton(systemd_nspawn_t)
>>>
>>> @@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n
>>>
>>>    	fs_write_cgroup_files(systemd_nspawn_t)
>>>    	
>>>    	selinux_getattr_fs(systemd_nspawn_t)
>>>
>>> +	selinux_remount_fs(systemd_nspawn_t)
>>>
>>>    	selinux_search_fs(systemd_nspawn_t)
>>>    	
>>>    	init_domtrans(systemd_nspawn_t)
>>>
>>> @@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass
>>>
>>>    seutil_search_default_contexts(systemd_passwd_agent_t)
>>>
>>> +userdom_use_user_ttys(systemd_passwd_agent_t)
>>>
>>>    userdom_use_user_ptys(systemd_passwd_agent_t)
>>>    
>>>    optional_policy(`
>>>
>>> @@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se
>>>
>>>    # Tmpfiles local policy
>>>    #
>>>
>>> -allow systemd_tmpfiles_t self:capability { chown dac_override fowner
>>> fsetid mknod net_admin sys_admin };
>>> +allow systemd_tmpfiles_t
>>> self:capability { chown dac_override dac_read_search fowner fsetid mknod
>>> net_admin sys_admin };>
>>>    allow systemd_tmpfiles_t self:process { setfscreate getcap };
>>>    
>>>    allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom
>>>    relabelto manage_dir_perms };>
>>> @@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal
>>>
>>>    allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
>>>    allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file
>>>    read_file_perms;
>>>
>>> +kernel_getattr_proc(systemd_tmpfiles_t)
>>>
>>>    kernel_read_kernel_sysctls(systemd_tmpfiles_t)
>>>    kernel_read_network_state(systemd_tmpfiles_t)
>>>
>>> +dev_getattr_fs(systemd_tmpfiles_t)
>>>
>>>    dev_manage_all_dev_nodes(systemd_tmpfiles_t)
>>>    dev_read_urand(systemd_tmpfiles_t)
>>>    dev_relabel_all_sysfs(systemd_tmpfiles_t)
>>>
>>> @@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t
>>>
>>>    files_manage_var_lib_dirs(systemd_tmpfiles_t)
>>>    files_purge_tmp(systemd_tmpfiles_t)
>>>    files_read_etc_files(systemd_tmpfiles_t)
>>>
>>> +files_read_etc_runtime_files(systemd_tmpfiles_t)
>>>
>>>    files_relabel_all_lock_dirs(systemd_tmpfiles_t)
>>>    files_relabel_all_pid_dirs(systemd_tmpfiles_t)
>>>    files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
> 
> 


-- 
Chris PeBenito
