From: Chris PeBenito
Subject: Re: [PATCH] another systemd misc patch
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Date: Wed, 27 Oct 2021 09:09:07 -0400
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 10/9/21 06:05, Russell Coker wrote:
> Here's the latest version of this patch with the previous issues addressed.
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20210908/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20210908/policy/modules/system/systemd.if
> @@ -1911,3 +1971,45 @@ interface(`systemd_use_inherited_machine > allow $1 systemd_machined_t:fd use; > allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms; > ') > + > +######################################## > +## > +## run systemd-nspawn in systemd_nspawn_t domain > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The role of the object to create. > +## > +## > +# > +interface(`systemd_run_nspawn', ` > + gen_require(` > + type systemd_nspawn_t, systemd_nspawn_exec_t; > + ') > + > + role $2 types systemd_nspawn_t; > + domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t) > +') What is the use case? I see it later in the patch run by sysadm_t, but I don't understand why sysadm would run it directly, instead of using the systemctl. > Index: refpolicy-2.20210908/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20210908/policy/modules/system/systemd.te > @@ -427,6 +445,7 @@ logging_send_syslog_msg(systemd_coredump > > seutil_search_default_contexts(systemd_coredump_t) > > + > ####################################### > # > # Systemd generator local policy Please remove the extra endline. 
> @@ -436,26 +455,44 @@ allow systemd_generator_t self:fifo_file > allow systemd_generator_t self:capability dac_override; > allow systemd_generator_t self:process setfscreate; > > +allow systemd_generator_t self:tcp_socket create; > +allow systemd_generator_t self:udp_socket create; Create sockets but do nothing with them? i.e. read/write/ioctl > +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read }; > + > allow systemd_generator_t systemd_unit_t:file getattr; > > +kernel_dontaudit_getattr_proc(systemd_generator_t) > +kernel_read_kernel_sysctls(systemd_generator_t) > +kernel_read_network_state(systemd_generator_t) > +kernel_read_system_state(systemd_generator_t) > +kernel_search_network_sysctl(systemd_generator_t) > +kernel_use_fds(systemd_generator_t) > + > +corecmd_exec_bin(systemd_generator_t) > corecmd_exec_shell(systemd_generator_t) > -corecmd_getattr_bin_files(systemd_generator_t) > > dev_read_sysfs(systemd_generator_t) > +dev_read_urand(systemd_generator_t) > dev_write_kmsg(systemd_generator_t) > dev_write_sysfs_dirs(systemd_generator_t) > > -files_read_etc_files(systemd_generator_t) > +application_exec(systemd_generator_t) > +domain_read_all_entry_files(systemd_generator_t) These last two could use blank lines for separation. [...] 
> @@ -974,14 +1047,29 @@ allow systemd_nspawn_t systemd_nspawn_tm > # for /run/systemd/nspawn/incoming in chroot > allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton; > > +term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t) > +allow systemd_nspawn_t systemd_nspawn_devpts_t:chr_file manage_chr_file_perms; Please move these up after the self block of rules. > +kernel_getattr_core_if(systemd_nspawn_t) > +kernel_getattr_proc(systemd_nspawn_t) > +kernel_getattr_unlabeled_dirs(systemd_nspawn_t) > + > kernel_mount_proc(systemd_nspawn_t) > kernel_mounton_sysctl_dirs(systemd_nspawn_t) > kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) > kernel_mounton_message_if(systemd_nspawn_t) > kernel_mounton_proc(systemd_nspawn_t) > +kernel_mounton_sysctl_files(systemd_nspawn_t) > +kernel_mounton_unlabeled_dirs(systemd_nspawn_t) > + > +kernel_read_irq_sysctls(systemd_nspawn_t) > +kernel_read_network_state(systemd_nspawn_t) > kernel_read_kernel_sysctls(systemd_nspawn_t) > +kernel_read_sysctl(systemd_nspawn_t) > kernel_read_system_state(systemd_nspawn_t) > kernel_remount_proc(systemd_nspawn_t) > +kernel_request_load_module(systemd_nspawn_t) > +kernel_search_network_sysctl(systemd_nspawn_t) Please remove the extra newlines. > corecmd_exec_shell(systemd_nspawn_t) > corecmd_search_bin(systemd_nspawn_t) > @@ -998,6 +1086,7 @@ dev_read_sysfs(systemd_nspawn_t) > dev_read_rand(systemd_nspawn_t) > dev_read_urand(systemd_nspawn_t) > > +files_getattr_default_dirs(systemd_nspawn_t) > files_getattr_tmp_dirs(systemd_nspawn_t) > files_manage_etc_files(systemd_nspawn_t) > files_manage_mnt_dirs(systemd_nspawn_t) 
> @@ -1009,11 +1098,17 @@ files_setattr_runtime_dirs(systemd_nspaw > > fs_getattr_cgroup(systemd_nspawn_t) > fs_getattr_tmpfs(systemd_nspawn_t) > +fs_getattr_xattr_fs(systemd_nspawn_t) > +fs_manage_cgroup_dirs(systemd_nspawn_t) > +fs_manage_cgroup_files(systemd_nspawn_t) > +fs_manage_tmpfs_blk_files(systemd_nspawn_t) > fs_manage_tmpfs_chr_files(systemd_nspawn_t) > +fs_mount_cgroup(systemd_nspawn_t) > fs_mount_tmpfs(systemd_nspawn_t) > +fs_mounton_cgroup(systemd_nspawn_t) > +fs_read_nsfs_files(systemd_nspawn_t) > fs_remount_tmpfs(systemd_nspawn_t) > fs_remount_xattr_fs(systemd_nspawn_t) > -fs_read_cgroup_files(systemd_nspawn_t) > > term_getattr_generic_ptys(systemd_nspawn_t) > term_getattr_pty_fs(systemd_nspawn_t) > @@ -1021,6 +1116,7 @@ term_mount_devpts(systemd_nspawn_t) > term_search_ptys(systemd_nspawn_t) > term_setattr_generic_ptys(systemd_nspawn_t) > term_use_ptmx(systemd_nspawn_t) > +term_use_generic_ptys(systemd_nspawn_t) > > init_domtrans_script(systemd_nspawn_t) > init_getrlimit(systemd_nspawn_t) > @@ -1031,8 +1127,12 @@ init_write_runtime_socket(systemd_nspawn > init_spec_domtrans_script(systemd_nspawn_t) > > miscfiles_manage_localization(systemd_nspawn_t) > +mount_exec(systemd_nspawn_t) > + > udev_read_runtime_files(systemd_nspawn_t) > > +sysnet_exec_ifconfig(systemd_nspawn_t) > + > # for writing inside chroot > sysnet_manage_config(systemd_nspawn_t) With all the mountons, it seems to make sense to switch it to mount on init_mountpoint_type. See init.te:262, which is what we have for systemd. [...] 
> @@ -1491,6 +1599,11 @@ tunable_policy(`systemd_tmpfilesd_factor > ') > > optional_policy(` > + colord_read_lib_files(systemd_tmpfiles_t) > + colord_relabel_lib(systemd_tmpfiles_t) > +') Instead of new interfaces and calling here, you should add systemd_tmpfilesd_managed(colord_var_lib_t) in colord.te. > Index: refpolicy-2.20210908/policy/modules/services/ssh.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/services/ssh.te > +++ refpolicy-2.20210908/policy/modules/services/ssh.te > @@ -270,6 +270,7 @@ ifdef(`init_systemd',` > auth_use_pam_systemd(sshd_t) > init_dbus_chat(sshd_t) > init_rw_stream_sockets(sshd_t) > + systemd_dgram_nspawn(sshd_t) > systemd_write_inherited_logind_sessions_pipes(sshd_t) > ') Is this sshd running inside a namespace started by nspawn? -- Chris PeBenito
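Review bot: in the systemd_run_nspawn documentation block (systemd.if hunk) the role parameter is described as "The role of the object to create.", which does not match what the interface does: `role $2 types systemd_nspawn_t;` lets the role run the domain, so the refpolicy wording for run-style interfaces, "Role allowed access.", is the right one. The summary should also state the intended caller and why a direct systemd-nspawn invocation is wanted, since the only caller in this patch is sysadm_t and that is exactly the use-case question raised in the review.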
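Review bot: in the systemd_generator_t hunk, `domain_read_all_entry_files(systemd_generator_t)`, `application_exec(systemd_generator_t)` and `corecmd_exec_bin(systemd_generator_t)` together let a generator read and execute essentially any program on the system, where the existing policy only allowed `corecmd_exec_shell` and `corecmd_getattr_bin_files`; the commit message should name the generator that needs this. Dropping `corecmd_getattr_bin_files` is fine because exec implies getattr, but the removal of `files_read_etc_files` is not explained and should be. The `self:tcp_socket create` and `self:udp_socket create` rules grant only create, which usually indicates a partially captured AVC: either add the permissions the generator really uses or drop the two lines; and the netlink_route_socket rule can be written with the `r_netlink_socket_perms` macro, which is the refpolicy spelling of create/bind/getattr/read/write plus nlmsg_read.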
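Review bot: in the systemd_nspawn_t kernel_* hunk, `kernel_getattr_unlabeled_dirs` and `kernel_mounton_unlabeled_dirs` grant operations on unlabeled_t, which in practice means part of the container tree carries no label; the cleaner fix is to label the image root (a file context entry or a restorecon on the tree) rather than permit access to unlabeled_t, because that rule applies to every unlabeled directory on the host, not just the container's. `kernel_request_load_module(systemd_nspawn_t)` lets the domain trigger kernel module autoloading and deserves a comment naming what nspawn does that needs it. The newly added mounton rules also support the suggestion in the review to mount on init_mountpoint_type instead of enumerating kernel types one by one.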
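Review bot: in the fs_* hunk, `fs_manage_tmpfs_blk_files(systemd_nspawn_t)` lets nspawn create and remove block device nodes on tmpfs (the container's /dev), while the existing rule next to it, `fs_manage_tmpfs_chr_files`, is character-device only; a comment should say which block nodes are needed, since a block node gives whatever runs in the container a path to host storage unless a device cgroup denies it. Dropping `fs_read_cgroup_files` is fine because the added `fs_manage_cgroup_files` subsumes it.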
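Review bot: in the miscfiles/udev/sysnet hunk, `mount_exec(systemd_nspawn_t)` and `sysnet_exec_ifconfig(systemd_nspawn_t)` run the mount and ifconfig/ip binaries in systemd_nspawn_t itself instead of transitioning to mount_t and ifconfig_t. If that is deliberate (for example because they run inside the new namespace where a transition is unwanted), say so in a comment like the existing `# for writing inside chroot` note; if not, `mount_domtrans` and `sysnet_domtrans_ifconfig` are the usual forms.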
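Review bot: the colord block in the systemd_tmpfiles_t hunk adds two new colord interfaces (`colord_read_lib_files`, `colord_relabel_lib`) solely so that tmpfiles can read and relabel colord_var_lib_t, which creates a colord dependency inside systemd.te; as the review says, the refpolicy way is for the owning module, colord.te, to declare the type tmpfiles-managed with `systemd_tmpfilesd_managed()`, which keeps the rule next to the type declaration and needs no new interfaces.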
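Review bot: in the ssh.te hunk, `systemd_dgram_nspawn(sshd_t)` lets sshd send datagrams to nspawn's socket, which only makes sense when sshd itself runs inside (or is started by) an nspawn container; the surrounding calls in that `ifdef(\`init_systemd\`` block are host-side logind and dbus integration, so the line needs a comment stating that scenario, otherwise it reads as a stray AVC from a test system.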