From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch
Date: Wed, 27 Oct 2021 09:09:07 -0400 [thread overview]
Message-ID: <fe8cdcaa-cfcd-75e5-783a-3fc2a441c8fe@ieee.org> (raw)
In-Reply-To: <YWFphFQ8fZmbEdGL@xev.coker.com.au>
On 10/9/21 06:05, Russell Coker wrote:
> Here's the latest version of this patch with the previous issues addressed.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210908/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20210908/policy/modules/system/systemd.if
> @@ -1911,3 +1971,45 @@ interface(`systemd_use_inherited_machine
> allow $1 systemd_machined_t:fd use;
> allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
> ')
> +
> +########################################
> +## <summary>
> +## run systemd-nspawn in systemd_nspawn_t domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role of the object to create.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_run_nspawn', `
> + gen_require(`
> + type systemd_nspawn_t, systemd_nspawn_exec_t;
> + ')
> +
> + role $2 types systemd_nspawn_t;
> + domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t)
> +')
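Review bot: The `<param name="role">` summary in this interface reads `The role of the object to create.`, which describes a file-creation parameter, but `$2` is consumed by `role $2 types systemd_nspawn_t;` and is the caller's role; the wording used elsewhere in refpolicy for this parameter is `Role allowed access.`. Interfaces that bind a role to the target domain in this way also conventionally mark the role parameter with `<rolecap/>` after its `</param>`, so consider adding that for consistency with the existing run interfaces. The `<summary>` could likewise name the transition rather than only the domain, e.g. `Execute systemd-nspawn with a domain transition to systemd_nspawn_t and allow the specified role that domain.`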
What is the use case? I see it later in the patch run by sysadm_t, but I don't
understand why sysadm would run it directly, instead of using systemctl.
> Index: refpolicy-2.20210908/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210908/policy/modules/system/systemd.te
> @@ -427,6 +445,7 @@ logging_send_syslog_msg(systemd_coredump
>
> seutil_search_default_contexts(systemd_coredump_t)
>
> +
> #######################################
> #
> # Systemd generator local policy
Please remove the extra endline.
> @@ -436,26 +455,44 @@ allow systemd_generator_t self:fifo_file
> allow systemd_generator_t self:capability dac_override;
> allow systemd_generator_t self:process setfscreate;
>
> +allow systemd_generator_t self:tcp_socket create;
> +allow systemd_generator_t self:udp_socket create;
Create sockets but do nothing with them? i.e. read/write/ioctl
> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
> +
> allow systemd_generator_t systemd_unit_t:file getattr;
>
> +kernel_dontaudit_getattr_proc(systemd_generator_t)
> +kernel_read_kernel_sysctls(systemd_generator_t)
> +kernel_read_network_state(systemd_generator_t)
> +kernel_read_system_state(systemd_generator_t)
> +kernel_search_network_sysctl(systemd_generator_t)
> +kernel_use_fds(systemd_generator_t)
> +
> +corecmd_exec_bin(systemd_generator_t)
> corecmd_exec_shell(systemd_generator_t)
> -corecmd_getattr_bin_files(systemd_generator_t)
>
> dev_read_sysfs(systemd_generator_t)
> +dev_read_urand(systemd_generator_t)
> dev_write_kmsg(systemd_generator_t)
> dev_write_sysfs_dirs(systemd_generator_t)
>
> -files_read_etc_files(systemd_generator_t)
> +application_exec(systemd_generator_t)
> +domain_read_all_entry_files(systemd_generator_t)
These last two could use blank lines for separation.
[...]
> @@ -974,14 +1047,29 @@ allow systemd_nspawn_t systemd_nspawn_tm
> # for /run/systemd/nspawn/incoming in chroot
> allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>
> +term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t)
> +allow systemd_nspawn_t systemd_nspawn_devpts_t:chr_file manage_chr_file_perms;
Please move these up after the self block of rules.
> +kernel_getattr_core_if(systemd_nspawn_t)
> +kernel_getattr_proc(systemd_nspawn_t)
> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
> +
> kernel_mount_proc(systemd_nspawn_t)
> kernel_mounton_sysctl_dirs(systemd_nspawn_t)
> kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
> kernel_mounton_message_if(systemd_nspawn_t)
> kernel_mounton_proc(systemd_nspawn_t)
> +kernel_mounton_sysctl_files(systemd_nspawn_t)
> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
> +
> +kernel_read_irq_sysctls(systemd_nspawn_t)
> +kernel_read_network_state(systemd_nspawn_t)
> kernel_read_kernel_sysctls(systemd_nspawn_t)
> +kernel_read_sysctl(systemd_nspawn_t)
> kernel_read_system_state(systemd_nspawn_t)
> kernel_remount_proc(systemd_nspawn_t)
> +kernel_request_load_module(systemd_nspawn_t)
> +kernel_search_network_sysctl(systemd_nspawn_t)
Please remove the extra newlines.
> corecmd_exec_shell(systemd_nspawn_t)
> corecmd_search_bin(systemd_nspawn_t)
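Review bot: `kernel_request_load_module(systemd_nspawn_t)` and the `kernel_getattr_unlabeled_dirs`/`kernel_mounton_unlabeled_dirs` additions carry no why-comment, although this block already annotates its less obvious rules (`# for /run/systemd/nspawn/incoming in chroot`). Module autoload and mounting over unlabeled directories are broader than the neighbouring kernel_ rules, so a reader needs to know which nspawn operation triggers them to judge whether they remain necessary. Suggested comments, with the trigger to be confirmed against the denials that motivated them: `# module autoload during container setup (TODO: confirm which operation triggers it)` above `kernel_request_load_module`, and `# mounts over unlabeled dirs inside the container tree (TODO: confirm where unlabeled_t comes from)` above `kernel_mounton_unlabeled_dirs`. Separately, `kernel_read_network_state` is inserted before `kernel_read_kernel_sysctls`, out of the alphabetical order the surrounding calls keep; the same applies to `term_use_generic_ptys` being placed after `term_use_ptmx` in the later term_ hunk.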
> @@ -998,6 +1086,7 @@ dev_read_sysfs(systemd_nspawn_t)
> dev_read_rand(systemd_nspawn_t)
> dev_read_urand(systemd_nspawn_t)
>
> +files_getattr_default_dirs(systemd_nspawn_t)
> files_getattr_tmp_dirs(systemd_nspawn_t)
> files_manage_etc_files(systemd_nspawn_t)
> files_manage_mnt_dirs(systemd_nspawn_t)
> @@ -1009,11 +1098,17 @@ files_setattr_runtime_dirs(systemd_nspaw
>
> fs_getattr_cgroup(systemd_nspawn_t)
> fs_getattr_tmpfs(systemd_nspawn_t)
> +fs_getattr_xattr_fs(systemd_nspawn_t)
> +fs_manage_cgroup_dirs(systemd_nspawn_t)
> +fs_manage_cgroup_files(systemd_nspawn_t)
> +fs_manage_tmpfs_blk_files(systemd_nspawn_t)
> fs_manage_tmpfs_chr_files(systemd_nspawn_t)
> +fs_mount_cgroup(systemd_nspawn_t)
> fs_mount_tmpfs(systemd_nspawn_t)
> +fs_mounton_cgroup(systemd_nspawn_t)
> +fs_read_nsfs_files(systemd_nspawn_t)
> fs_remount_tmpfs(systemd_nspawn_t)
> fs_remount_xattr_fs(systemd_nspawn_t)
> -fs_read_cgroup_files(systemd_nspawn_t)
>
> term_getattr_generic_ptys(systemd_nspawn_t)
> term_getattr_pty_fs(systemd_nspawn_t)
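Review bot: Replacing `fs_read_cgroup_files` with `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` plus `fs_mount_cgroup`/`fs_mounton_cgroup` widens nspawn's cgroup access from read to full manage, and `fs_manage_tmpfs_blk_files` extends the existing chr_file access to block device nodes, yet neither change gets a why-comment. The cgroup tree is also the mechanism that confines the container, so a one-line note on what nspawn actually writes there would let a later reviewer narrow these rules if a more specific interface becomes available. Suggested: `# manages its container's cgroup subtree (TODO: confirm scope of writes)` above `fs_manage_cgroup_dirs`, and `# block device nodes in the container's tmpfs /dev (TODO: confirm which nodes)` above `fs_manage_tmpfs_blk_files`.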
> @@ -1021,6 +1116,7 @@ term_mount_devpts(systemd_nspawn_t)
> term_search_ptys(systemd_nspawn_t)
> term_setattr_generic_ptys(systemd_nspawn_t)
> term_use_ptmx(systemd_nspawn_t)
> +term_use_generic_ptys(systemd_nspawn_t)
>
> init_domtrans_script(systemd_nspawn_t)
> init_getrlimit(systemd_nspawn_t)
> @@ -1031,8 +1127,12 @@ init_write_runtime_socket(systemd_nspawn
> init_spec_domtrans_script(systemd_nspawn_t)
>
> miscfiles_manage_localization(systemd_nspawn_t)
> +mount_exec(systemd_nspawn_t)
> +
> udev_read_runtime_files(systemd_nspawn_t)
>
> +sysnet_exec_ifconfig(systemd_nspawn_t)
> +
> # for writing inside chroot
> sysnet_manage_config(systemd_nspawn_t)
With all the mountons, it seems to make sense to switch it to mount on
init_mountpoint_type. See init.te:262, which is what we have for systemd.
[...]
> @@ -1491,6 +1599,11 @@ tunable_policy(`systemd_tmpfilesd_factor
> ')
>
> optional_policy(`
> + colord_read_lib_files(systemd_tmpfiles_t)
> + colord_relabel_lib(systemd_tmpfiles_t)
> +')
Instead of new interfaces and calling here, you should add
systemd_tmpfilesd_managed(colord_var_lib_t) in colord.te.
> Index: refpolicy-2.20210908/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210908/policy/modules/services/ssh.te
> @@ -270,6 +270,7 @@ ifdef(`init_systemd',`
> auth_use_pam_systemd(sshd_t)
> init_dbus_chat(sshd_t)
> init_rw_stream_sockets(sshd_t)
> + systemd_dgram_nspawn(sshd_t)
> systemd_write_inherited_logind_sessions_pipes(sshd_t)
> ')
Is this sshd running inside a namespace started by nspawn?
--
Chris PeBenito