From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: another memlockd patch
References: <20200410060317.GB35896@xev>
Date: Fri, 10 Apr 2020 10:10:57 +0200
In-Reply-To: <20200410060317.GB35896@xev> (Russell Coker's message of "Fri, 10 Apr 2020 16:03:17 +1000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker writes: > Signed-off-by: Russell Coker > > I think this resolves all issues Chris raised. > > > Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc > ===================================================================
> --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.fc > @@ -0,0 +1 @@ > +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0) > Index: refpolicy-2.20200410/policy/modules/services/memlockd.if > =================================================================== > --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.if > @@ -0,0 +1,2 @@ > +## memory lock daemon, keeps important files in RAM. > + > Index: refpolicy-2.20200410/policy/modules/services/memlockd.te > =================================================================== > --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.te 
> @@ -0,0 +1,37 @@ > +policy_module(memlockd, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type memlockd_t; > +type memlockd_exec_t; > +init_daemon_domain(memlockd_t, memlockd_exec_t) > + > +######################################## > +# > +# Local policy > +# > + > +allow memlockd_t self:capability { setgid setuid ipc_lock }; > +allow memlockd_t self:fifo_file rw_file_perms; > +allow memlockd_t self:unix_dgram_socket { create connect }; the unix dgram socket creating is probably redundant and implied with logging_send_logs_msg() as journald uses dgram_sendto for logging? > + > +# cache /etc/shadow too > +auth_read_shadow(memlockd_t) Hmm since /etc/shadow is mode 000, how is memlock able to read this without cap_dac_read_search access. is that implied? > +auth_map_shadow(memlockd_t) > + > +corecmd_exec_all_executables(memlockd_t) > +corecmd_exec_bin(memlockd_t) > +corecmd_exec_shell(memlockd_t) > +corecmd_read_all_executables(memlockd_t) > +corecmd_search_bin(memlockd_t) > +files_read_etc_files(memlockd_t) > +libs_exec_ld_so(memlockd_t) > +files_map_etc_files(memlockd_t) > + > +logging_send_syslog_msg(memlockd_t) > +miscfiles_read_localization(memlockd_t) > + > +sysnet_mmap_read_config(memlockd_t) > Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if > +++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if > @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',` > > ####################################### > ## > +## map network config files. > +## > +## > +##

> +## Allow the specified domain to mmap the > +## general network configuration files. > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`sysnet_mmap_read_config',` > + gen_require(` > + type net_conf_t; > + ') > + > + files_search_etc($1) > + allow $1 net_conf_t:file mmap_read_file_perms; > +') > + > +####################################### > +## > ## Do not audit attempts to read network config files. > ## > ## > Index: refpolicy-2.20200410/policy/modules/system/authlogin.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if > +++ refpolicy-2.20200410/policy/modules/system/authlogin.if > @@ -577,6 +577,23 @@ interface(`auth_read_shadow',` > > ######################################## > ## > +## Map the shadow passwords file (/etc/shadow) > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`auth_map_shadow',` > + gen_require(` > + type shadow_t; > + ') > + allow $1 shadow_t:file map; > +') > + > +######################################## > +## > ## Pass shadow assertion for reading. > ## > ## -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
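Review bot: In the memlockd.te hunk the corecmd_* block is redundant: corecmd_exec_all_executables() already covers bin_t and shell_exec_t (both carry the exec_type attribute) and searches bin directories itself, so corecmd_exec_bin(), corecmd_exec_shell() and corecmd_search_bin() add nothing and should go; likewise `allow memlockd_t self:unix_dgram_socket { create connect };` is carried by logging_send_syslog_msg(), as the reply above already notes. The remaining calls should follow refpolicy's alphabetical order, i.e. `files_map_etc_files(memlockd_t)` next to `files_read_etc_files(memlockd_t)` and `libs_exec_ld_so(memlockd_t)` after the files_* calls. `# cache /etc/shadow too` is the only explanation in the file; the exec rules deserve one as well, since a daemon that locks files in RAM is expected to read and map them, not run them and ld.so. The shadow question raised above also needs an answer in the policy itself: with only { setgid setuid ipc_lock } in the capability set, memlockd can open shadow_t only while the DAC bits allow it; where /etc/shadow is mode 0000, as the reply assumes, the kernel falls back to CAP_DAC_READ_SEARCH, which this policy does not grant, so either add `allow memlockd_t self:capability dac_read_search;` or document why the daemon's DAC identity can read the file without it.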
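Review bot: The sysnetwork.if hunk lands directly after sysnet_mmap_config_files() (see the `@@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`` context line), and the new sysnet_mmap_read_config() grants net_conf_t:file mmap_read_file_perms plus files_search_etc(), which looks like the same access under a second name; check what sysnet_mmap_config_files() already allows and either call it from memlockd.te (with sysnet_read_config() if it grants map only) or fold the missing permissions into it rather than adding a near-duplicate interface. If the new interface stays, its summary should start with a capital letter like the neighbouring ones (`## Map network config files.`).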
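Review bot: auth_map_shadow() in the authlogin.if hunk grants shadow_t:file map on its own, without the read permission or the shadow assertion attribute that auth_read_shadow() attaches (the "Pass shadow assertion for reading." interface that follows in the context); since a domain cannot mmap a file it cannot open, every caller must also call auth_read_shadow(), so either state that dependency in the description or, consistent with sysnet_mmap_read_config() in this same patch, grant mmap_read_file_perms together with the assertion in one interface. Style nits: the summary "Map the shadow passwords file (/etc/shadow)" lacks the trailing period the neighbouring summaries have, and refpolicy puts a blank line between the gen_require block and the first rule, as the sysnetwork.if hunk does.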