From: Dominick Grift To: Chris PeBenito Cc: Russell Coker , selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] another systemd misc patch References: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org> Date: Fri, 05 Feb 2021 21:18:09 +0100 In-Reply-To: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org> (Chris PeBenito's message of "Fri, 5 Feb 2021 14:44:21 -0500") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Chris PeBenito writes: > On 2/2/21 10:31 PM, Russell Coker wrote: >> Lots of little changes related to systemd. >> Signed-off-by: Russell Coker >> > >> @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_ >> ###################################### >> ## >> +## Watch systemd-logind runtime dirs >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`systemd_watch_logind_runtime_dir',` > > systemd_watch_logind_runtime_dirs (plural) > >> + gen_require(` >> + type systemd_logind_runtime_t; >> + ') >> + >> + allow $1 systemd_logind_runtime_t:dir watch; >> +') >> + >> +###################################### >> +## >> ## Use inherited systemd >> ## logind file descriptors. >> ## >> @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login >> ###################################### >> ## >> +## Watch logind sessions dirs. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`systemd_watch_logind_sessions_dir',` > > systemd_watch_logind_sessions_dirs (plural) > >> + gen_require(` >> + type systemd_sessions_runtime_t; >> + ') >> + >> + allow $1 systemd_sessions_runtime_t:dir watch; >> +') >> + >> +###################################### >> +## >> ## Write inherited logind inhibit pipes. >> ## >> ##
>> @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',` >> ######################################## >> ## >> +## Allow watching /run/systemd/machines >> +## >> +## >> +## >> +## Domain that can watch the machines files >> +## >> +## >> +# >> +interface(`systemd_watch_machines_dir',` > > systemd_watch_machines_dirs (plural) > >> + gen_require(` >> + type systemd_machined_runtime_t; >> + ') >> + >> + allow $1 systemd_machined_runtime_t:dir watch; >> +') >> + >> +######################################## >> +## >> ## Send and receive messages from >> ## systemd hostnamed over dbus. >> ## >> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',` >> type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; >> ') >> - domtrans_pattern($1, systemd_passwd_agent_exec_t, >> systemd_passwd_agent_t) >> + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) > > domtrans_pattern() is the standard pattern. This change has no effect. > > > >> Index: refpolicy-2.20210203/policy/modules/system/systemd.te >> =================================================================== >> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te >> +++ refpolicy-2.20210203/policy/modules/system/systemd.te >> @@ -129,6 +129,7 @@ type systemd_logind_t; >> type systemd_logind_exec_t; >> init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) >> init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t) >> +init_stream_connect(systemd_logind_t) >> type systemd_logind_inhibit_runtime_t alias >> systemd_logind_inhibit_var_run_t; >> files_runtime_file(systemd_logind_inhibit_runtime_t) 
>> @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli >> init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) >> manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) >> +kernel_read_kernel_sysctls(systemd_backlight_t) >> + >> systemd_log_parse_environment(systemd_backlight_t) >> # Allow systemd-backlight to write to >> /sys/class/backlight/*/brightness >> @@ -358,13 +361,15 @@ ifdef(`enable_mls',` >> # >> allow systemd_coredump_t self:unix_dgram_socket { create write >> connect getopt setopt }; >> -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace }; >> +allow systemd_coredump_t self:unix_stream_socket connectto; >> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace }; > > net_admin? That doesn't seem necessary for core dumping. > > > [...] 
>> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump >> seutil_search_default_contexts(systemd_coredump_t) >> +allow systemd_generator_t self:fifo_file rw_file_perms; >> +allow systemd_generator_t self:process setfscreate; >> + >> +allow systemd_generator_t self:capability dac_override; >> +allow systemd_generator_t self:tcp_socket create; >> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read }; >> + >> +corecmd_exec_bin(systemd_generator_t) >> +corecmd_exec_shell(systemd_generator_t) >> +files_exec_etc_files(systemd_generator_t) >> +fs_getattr_cgroup(systemd_generator_t) >> +fs_getattr_tmpfs(systemd_generator_t) >> +fs_rw_tmpfs_files(systemd_generator_t) >> +miscfiles_read_localization(systemd_generator_t) >> + >> +optional_policy(` >> + # for /lib/systemd/system-generators/openvpn-generator >> + openvpn_read_config(systemd_generator_t) >> +') >> + >> +optional_policy(` >> + # it runs postconf >> + # maybe /lib/systemd/system-generators/postfix-instance-generator >> + postfix_read_config(systemd_generator_t) >> +') > > The systemd_generator_t rules need to move to proper places. > > > >> @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_ >> kernel_read_kernel_sysctls(systemd_logind_t) >> +auth_read_shadow(systemd_logind_t) > > If this is necessary, it seems Debian specific. This also happens on fedora (not sure why) > > [...] 
>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm >> # for /run/systemd/nspawn/incoming in chroot >> allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton; >> +kernel_getattr_core_if(systemd_nspawn_t) >> +kernel_getattr_proc(systemd_nspawn_t) >> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t) >> + >> kernel_mount_proc(systemd_nspawn_t) >> kernel_mounton_sysctl_dirs(systemd_nspawn_t) >> kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) >> kernel_mounton_message_if(systemd_nspawn_t) >> kernel_mounton_proc(systemd_nspawn_t) >> +kernel_mounton_sysctl_files(systemd_nspawn_t) >> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t) > > With all of the mounting, perhaps we should consider coalescing on > allowing it to mount an all init_mountpoint_types. mounton unlabeled dirs indicates that something is unlabeled/mislabeled though. Wouldn't allow that. > > [..] >> @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t) >> term_search_ptys(systemd_nspawn_t) >> term_setattr_generic_ptys(systemd_nspawn_t) >> term_use_ptmx(systemd_nspawn_t) >> +term_use_generic_ptys(systemd_nspawn_t) > > Perhaps this should have a pty type? Agree
> > >> @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se >> # systemd-user-runtime-dir local policy >> # >> -allow systemd_user_runtime_dir_t self:capability { fowner chown >> sys_admin dac_read_search dac_override }; >> +allow systemd_user_runtime_dir_t self:capability { chown >> dac_override dac_read_search dac_override fowner sys_admin mknod }; > > sys_admin and mknod? What is sys_admin used for; also, I don't see > any rules for creating devices. It's probably old systemd stuff (fixed in more recent version): i.e. /run/user/UID/inaccessible/blk, should be able to ignore this > >> allow systemd_user_runtime_dir_t self:process setfscreate; >> domain_obj_id_change_exemption(systemd_user_runtime_dir_t) >> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir >> manage_dir_perms; >> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink; >> +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink; >> + >> files_read_etc_files(systemd_user_runtime_dir_t) >> fs_mount_tmpfs(systemd_user_runtime_dir_t) >> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r >> seutil_libselinux_linked(systemd_user_runtime_dir_t) >> userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t) >> +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t) >> userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t) >> +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t) >> +userdom_list_user_tmp(systemd_user_runtime_dir_t) >> userdom_search_user_runtime_root(systemd_user_runtime_dir_t) >> userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir) >> userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t) >> Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if >> =================================================================== >> --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if >> +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
>> @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks >> allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms; >> ') >> + >> +######################################## >> +## >> +## send dbus messages to dpkg_t >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`dpkg_dbus_chat',` >> + gen_require(` >> + type dpkg_t; >> + ') >> + >> + allow $1 dpkg_t:dbus send_msg; >> +') > > I'd prefer that the dbus chat interfaces are provided by the server process' domain. -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
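Review bot: in the systemd_coredump_t hunk (`@@ -358,13 +361,15 @@`), net_admin is added to the `self:capability` set with no comment on what triggers it, and it is a broad capability unrelated to writing core files. If the denial turns out to be a probe that systemd tolerates when it fails, the right fix is `dontaudit systemd_coredump_t self:capability net_admin;` rather than an allow; keep the allow only if a functional failure without it can be shown, and say so in a comment above the rule. The new `self:unix_stream_socket connectto;` line should likewise name the socket it is for.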
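Review bot: the systemd_generator_t block (`@@ -393,6 +403,32 @@`) is wider than a generator should need, on top of sitting in the systemd_coredump_t section (its context lines are `logging_send_syslog_msg(systemd_coredump` and `seutil_search_default_contexts(systemd_coredump_t)`). Once it is moved under its own `# systemd_generator local policy` header: `self:capability dac_override` should be tried as dac_read_search first, per the usual refpolicy rule of granting the narrower capability; `self:tcp_socket create;` with no other tcp_socket permission looks like a probe and is a dontaudit candidate; and the hand-written `netlink_route_socket { create read bind getattr write nlmsg_read }` should use the `create_netlink_socket_perms` permission set so the rule reads like the rest of the policy. Together, `corecmd_exec_bin`, `corecmd_exec_shell` and `files_exec_etc_files` let the generator domain execute essentially anything, which the two `optional_policy` comments show is driven by third-party generators (openvpn, postfix); a note in the block explaining that trade-off would help the next reader.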
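Review bot: `auth_read_shadow(systemd_logind_t)` in the systemd_logind_t hunk (`@@ -583,6 +642,8 @@`) grants read access to the shadow password file, and the thread shows the denial is seen on both Debian and Fedora without anyone knowing why. Before granting a high-value read like this, confirm that logind actually fails without it; if it is only an audit message with no functional impact, `auth_dontaudit_read_shadow(systemd_logind_t)` is the safer resolution, and whichever is chosen should carry a comment recording the reason.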
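Review bot: in the systemd_nspawn_t hunk (`@@ -925,14 +1001,26 @@`), `kernel_getattr_unlabeled_dirs` and `kernel_mounton_unlabeled_dirs` are the same symptom the reply already flags for the mounton rule: an object that should be labeled is not. Rather than allowing nspawn to operate on unlabeled_t, identify the path that produced the denials, give it a file context entry, and drop both rules.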
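Review bot: the rewritten capability line for systemd_user_runtime_dir_t (`@@ -1519,11 +1627,15 @@`) lists dac_override twice: `{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`; drop the duplicate. Comparing with the removed line (`{ fowner chown sys_admin dac_read_search dac_override }`), only mknod is actually new, sys_admin was already there. Since the reply attributes mknod to the legacy /run/user/UID/inaccessible/blk node that newer systemd no longer creates, `dontaudit systemd_user_runtime_dir_t self:capability mknod;` would keep the logs quiet on older systemd without granting device-node creation.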
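Review bot: the new `dpkg_dbus_chat` interface in dpkg.if (`@@ -356,3 +356,40 @@`) is named like a chat interface but only grants one direction, `allow $1 dpkg_t:dbus send_msg;`. Refpolicy `*_dbus_chat` interfaces are bidirectional and also allow the server to reply (`allow dpkg_t $1:dbus send_msg;`), so either add the reverse rule or rename the interface to something like `dpkg_dbus_send` to match what it does. The summary `send dbus messages to dpkg_t` should also be capitalised like the neighbouring interface descriptions.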