SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] misc kernel and system patches
@ 2021-01-20 10:07 Russell Coker
  2021-01-20 14:36 ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2021-01-20 10:07 UTC (permalink / raw)
  To: selinux-refpolicy

Lots of little patches that should be good to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20210120/policy/modules/kernel/corecommands.fc
@@ -305,7 +305,6 @@ ifdef(`distro_debian',`
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
-/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm\.py.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb\.py.* --	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
+++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
@@ -662,6 +662,7 @@ interface(`corecmd_read_all_executables'
 
 	corecmd_search_bin($1)
 	read_files_pattern($1, exec_type, exec_type)
+	allow $1 exec_type:file map;
 ')
 
 ########################################
Index: refpolicy-2.20210120/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20210120/policy/modules/kernel/devices.if
@@ -4323,6 +4323,42 @@ interface(`dev_mount_sysfs',`
 
 ########################################
 ## <summary>
+##     remount a sysfs filesystem
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_remount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##     unmount a sysfs filesystem
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_unmount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
 ##	Do not audit getting the attributes of sysfs filesystem
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/kernel/domain.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/domain.if
+++ refpolicy-2.20210120/policy/modules/kernel/domain.if
@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state
 
 ########################################
 ## <summary>
-##	Get the attributes of all domains of all domains.
+##	Get the attributes of all domains
 ## </summary>
 ## <param name="domain">
 ##	<summary>
Index: refpolicy-2.20210120/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20210120/policy/modules/kernel/files.if
@@ -5408,6 +5408,25 @@ interface(`files_delete_kernel_symbol_ta
 
 ########################################
 ## <summary>
+##	Delete a system.map in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir list_dir_perms;
+	allow $1 system_map_t:file mounton;
+')
+
+########################################
+## <summary>
 ##	Search the contents of /var.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/kernel/selinux.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/selinux.if
+++ refpolicy-2.20210120/policy/modules/kernel/selinux.if
@@ -159,6 +159,24 @@ interface(`selinux_unmount_fs',`
 
 ########################################
 ## <summary>
+##	Mount on the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_mounton_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the selinuxfs filesystem
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210120/policy/modules/kernel/terminal.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/kernel/terminal.te
+++ refpolicy-2.20210120/policy/modules/kernel/terminal.te
@@ -31,6 +31,9 @@ fs_associate_tmpfs(devpts_t)
 fs_xattr_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
 
+# for systemd-nspawn
+allow console_device_t devpts_t:filesystem associate;
+
 #
 # devtty_t is the type of /dev/tty.
 #
Index: refpolicy-2.20210120/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20210120/policy/modules/system/authlogin.te
@@ -98,12 +98,13 @@ optional_policy(`
 
 allow chkpwd_t self:capability { dac_override setuid };
 dontaudit chkpwd_t self:capability sys_tty_config;
-allow chkpwd_t self:process { getattr signal };
+allow chkpwd_t self:process { getcap getattr signal };
 
 allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)
 
 kernel_read_crypto_sysctls(chkpwd_t)
+kernel_read_kernel_sysctls(chkpwd_t)
 
 domain_dontaudit_use_interactive_fds(chkpwd_t)
 
@@ -116,6 +117,7 @@ files_read_etc_files(chkpwd_t)
 files_dontaudit_search_var(chkpwd_t)
 
 fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+fs_read_tmpfs_symlinks(chkpwd_t)
 
 selinux_get_enforce_mode(chkpwd_t)
 
Index: refpolicy-2.20210120/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20210120/policy/modules/system/fstools.te
@@ -160,6 +160,8 @@ mount_exec(fsadm_t)
 # for /run/mount/utab
 mount_getattr_runtime_files(fsadm_t)
 
+mount_rw_runtime_files(fsadm_t)
+
 seutil_read_config(fsadm_t)
 
 userdom_use_user_terminals(fsadm_t)
Index: refpolicy-2.20210120/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/init.if
+++ refpolicy-2.20210120/policy/modules/system/init.if
@@ -191,6 +191,24 @@ interface(`init_domain',`
 
 ########################################
 ## <summary>
+##	Allow a domain to be transitioned to from init_t with nnp_transition
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to transition
+##	</summary>
+## </param>
+#
+interface(`init_nnp_domain',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow init_t $1:process2 nnp_transition;
+')
+
+########################################
+## <summary>
 ##	Create a domain which can be started by init,
 ##	with a range transition.
 ## </summary>
@@ -3029,6 +3047,24 @@ interface(`init_relabel_utmp',`
 
 ########################################
 ## <summary>
+##	Watch utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_watch_utmp',`
+	gen_require(`
+		type initrc_runtime_t;
+	')
+
+	allow $1 initrc_runtime_t:file watch;
+')
+
+########################################
+## <summary>
 ##	Create files in /var/run with the
 ##	utmp file type.
 ## </summary>
@@ -3248,6 +3284,24 @@ interface(`init_read_pid_pipes',`
 	init_read_runtime_pipes($1)
 ')
 
+######################################
+## <summary>
+##	restart systemd units, for /run/systemd/transient/*
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_restart_units',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:service { start status stop };
+')
+
 ########################################
 ## <summary>
 ##	Read init unnamed pipes.
@@ -3575,6 +3629,24 @@ interface(`init_manage_all_unit_files',`
 ')
 
 ########################################
+## <summary>
+##	stat systemd unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	allow $1 systemdunit:file getattr;
+')
+
+########################################
 ## <summary>
 ##      Allow unconfined access to send instructions to init
 ## </summary>
Index: refpolicy-2.20210120/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/init.te
+++ refpolicy-2.20210120/policy/modules/system/init.te
@@ -239,7 +239,8 @@ ifdef(`init_systemd',`
 	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
 	allow init_t self:netlink_selinux_socket create_socket_perms;
-	allow init_t self:system { status reboot halt reload };
+	# why does kernel 4.9 make it need start and stop while 4.19 does not?
+	allow init_t self:system { start stop status reboot halt reload };
 	# Until systemd is fixed
 	allow init_t self:udp_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1002,6 +1003,7 @@ ifdef(`enabled_mls',`
 
 ifdef(`init_systemd',`
 	allow initrc_t init_t:system { start status reboot halt reload };
+	allow init_t initrc_t:process2 nnp_transition;
 
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
@@ -1043,6 +1045,7 @@ ifdef(`init_systemd',`
 	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
 	init_rw_stream_sockets(initrc_t)
+	init_stop_system(initrc_t)
 
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
Index: refpolicy-2.20210120/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20210120/policy/modules/system/locallogin.te
@@ -125,7 +125,8 @@ auth_manage_pam_runtime_files(local_logi
 auth_manage_pam_console_data(local_login_t)
 auth_domtrans_pam_console(local_login_t)
 
-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
Index: refpolicy-2.20210120/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210120/policy/modules/system/logging.te
@@ -515,7 +515,8 @@ ifdef(`init_systemd',`
 	# for systemd-journal
 	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
 	allow syslogd_t self:capability2 audit_read;
-	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+	allow syslogd_t self:capability { chown dac_read_search setgid setuid sys_ptrace audit_control };
+	allow syslogd_t self:cap_userns sys_ptrace;
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
 
 	# remove /run/log/journal when switching to permanent storage
@@ -533,6 +534,7 @@ ifdef(`init_systemd',`
 
 	domain_getattr_all_domains(syslogd_t)
 	domain_read_all_domains_state(syslogd_t)
+	domain_signull_all_domains(syslogd_t)
 
 	init_create_runtime_dirs(syslogd_t)
 	init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
Index: refpolicy-2.20210120/policy/modules/system/lvm.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/lvm.if
+++ refpolicy-2.20210120/policy/modules/system/lvm.if
@@ -247,3 +247,21 @@ interface(`lvm_admin',`
 	files_search_tmp($1)
 	admin_pattern($1, lvm_tmp_t)
 ')
+
+######################################
+## <summary>
+##	Allow lvm_t to use a semaphore
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that created the semaphore
+##	</summary>
+## </param>
+#
+interface(`lvm_use_sem',`
+	gen_require(`
+		type lvm_t;
+	')
+
+	allow lvm_t $1:sem all_sem_perms;
+')
Index: refpolicy-2.20210120/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20210120/policy/modules/system/lvm.te
@@ -345,6 +345,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	apt_use_fds(lvm_t)
+
 	dpkg_script_rw_pipes(lvm_t)
 ')
 
Index: refpolicy-2.20210120/policy/modules/system/miscfiles.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/miscfiles.fc
+++ refpolicy-2.20210120/policy/modules/system/miscfiles.fc
@@ -14,6 +14,8 @@ ifdef(`distro_gentoo',`
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private(/.*)?		gen_context(system_u:object_r:tls_privkey_t,s0)
+/etc/letsencrypt(/.*)?		gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
 ifdef(`distro_debian',`
Index: refpolicy-2.20210120/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20210120/policy/modules/system/modutils.te
@@ -33,7 +33,7 @@ ifdef(`init_systemd',`
 # insmod local policy
 #
 
-allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
 allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
@@ -99,6 +99,7 @@ fs_getattr_xattr_fs(kmod_t)
 fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
 fs_search_tracefs(kmod_t)
 
+init_nnp_domain(kmod_t)
 init_rw_initctl(kmod_t)
 init_use_fds(kmod_t)
 init_use_script_fds(kmod_t)
@@ -138,6 +139,8 @@ optional_policy(`
 	dpkg_manage_script_tmp_files(kmod_t)
 	dpkg_map_script_tmp_files(kmod_t)
 	dpkg_read_script_tmp_symlinks(kmod_t)
+	apt_use_fds(kmod_t)
+	apt_use_ptys(kmod_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210120/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/mount.te
+++ refpolicy-2.20210120/policy/modules/system/mount.te
@@ -219,6 +219,14 @@ optional_policy(`
 	samba_run_smbmount(mount_t, mount_roles)
 ')
 
+optional_policy(`
+	ssh_rw_pipes(mount_t)
+')
+
+optional_policy(`
+	xen_read_image_files(mount_t)
+')
+
 ########################################
 #
 # Unconfined mount local policy
Index: refpolicy-2.20210120/policy/modules/system/raid.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/raid.fc
+++ refpolicy-2.20210120/policy/modules/system/raid.fc
@@ -11,6 +11,8 @@
 /usr/bin/mdmpd	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/bin/raid-check	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 
+/usr/share/mdadm/checkarray --	gen_context(system_u:object_r:mdadm_exec_t,s0)
+
 # Systemd unit files
 /usr/lib/systemd/system/[^/]*mdadm-.*	--	gen_context(system_u:object_r:mdadm_unit_t,s0)
 /usr/lib/systemd/system/[^/]*mdmon.*	--	gen_context(system_u:object_r:mdadm_unit_t,s0)
Index: refpolicy-2.20210120/policy/modules/system/raid.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/raid.te
+++ refpolicy-2.20210120/policy/modules/system/raid.te
@@ -54,6 +54,7 @@ dev_dontaudit_getattr_all_blk_files(mdad
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 
+domain_dontaudit_search_all_domains_state(mdadm_t)
 domain_use_interactive_fds(mdadm_t)
 
 files_read_etc_files(mdadm_t)
@@ -90,6 +91,7 @@ userdom_dontaudit_use_user_terminals(mda
 
 optional_policy(`
 	cron_system_entry(mdadm_t, mdadm_exec_t)
+	cron_rw_tmp_files(mdadm_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210120/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20210120/policy/modules/system/systemd.fc
@@ -5,7 +5,6 @@
 
 /run/log/journal(/.*)?				gen_context(system_u:object_r:systemd_journal_t,s0)
 
-/usr/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
 /usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
 /usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 /usr/bin/systemd-detect-virt		--	gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
Index: refpolicy-2.20210120/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210120/policy/modules/system/systemd.te
@@ -355,10 +355,11 @@ ifdef(`enable_mls',`
 #
 
 allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
-allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
 
 manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
+allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
 
 kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
 kernel_read_kernel_sysctls(systemd_coredump_t)
@@ -376,6 +377,7 @@ files_read_etc_files(systemd_coredump_t)
 files_search_var_lib(systemd_coredump_t)
 
 fs_getattr_xattr_fs(systemd_coredump_t)
+fs_search_tmpfs(systemd_coredump_t)
 
 selinux_getattr_fs(systemd_coredump_t)
 
@@ -397,6 +399,8 @@ allow systemd_generator_t self:fifo_file
 allow systemd_generator_t self:capability dac_override;
 allow systemd_generator_t self:process setfscreate;
 
+allow systemd_generator_t systemd_unit_t:file getattr;
+
 corecmd_getattr_bin_files(systemd_generator_t)
 
 dev_read_sysfs(systemd_generator_t)
@@ -407,6 +411,7 @@ files_read_etc_files(systemd_generator_t
 files_search_runtime(systemd_generator_t)
 files_list_boot(systemd_generator_t)
 files_read_boot_files(systemd_generator_t)
+files_read_config_files(systemd_generator_t)
 files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
 
@@ -414,6 +419,8 @@ fs_list_efivars(systemd_generator_t)
 fs_getattr_xattr_fs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
+init_read_all_script_files(systemd_generator_t)
+init_getattr_all_unit_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
 init_manage_runtime_symlinks(systemd_generator_t)
 init_read_runtime_files(systemd_generator_t)
@@ -618,12 +625,17 @@ init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
 init_get_system_status(systemd_logind_t)
 init_read_utmp(systemd_logind_t)
+init_restart_units(systemd_logind_t)
 init_service_start(systemd_logind_t)
 init_service_status(systemd_logind_t)
 init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
+init_watch_utmp(systemd_logind_t)
+
+# for /run/systemd/transient/*
+init_restart_units(systemd_logind_t)
 
 locallogin_read_state(systemd_logind_t)
 
@@ -880,6 +892,9 @@ allow systemd_nspawn_t self:capability {
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
 allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
+allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
+allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
+allow systemd_nspawn_t self:udp_socket { create ioctl };
 
 allow systemd_nspawn_t systemd_journal_t:dir search;
 
@@ -916,6 +931,9 @@ dev_getattr_fs(systemd_nspawn_t)
 dev_manage_sysfs_dirs(systemd_nspawn_t)
 dev_mounton_sysfs_dirs(systemd_nspawn_t)
 dev_mount_sysfs(systemd_nspawn_t)
+dev_remount_sysfs(systemd_nspawn_t)
+dev_unmount_sysfs(systemd_nspawn_t)
+dev_read_sysfs(systemd_nspawn_t)
 dev_read_rand(systemd_nspawn_t)
 dev_read_urand(systemd_nspawn_t)
 
@@ -928,6 +946,7 @@ files_mounton_tmp(systemd_nspawn_t)
 files_read_kernel_symbol_table(systemd_nspawn_t)
 files_setattr_runtime_dirs(systemd_nspawn_t)
 
+fs_getattr_cgroup(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
@@ -951,6 +970,7 @@ init_write_runtime_socket(systemd_nspawn
 init_spec_domtrans_script(systemd_nspawn_t)
 
 miscfiles_manage_localization(systemd_nspawn_t)
+udev_read_runtime_files(systemd_nspawn_t)
 
 # for writing inside chroot
 sysnet_manage_config(systemd_nspawn_t)
@@ -967,8 +987,14 @@ tunable_policy(`systemd_nspawn_labeled_n
 	# manage etc symlinks for /etc/localtime
 	files_manage_etc_symlinks(systemd_nspawn_t)
 	files_mounton_runtime_dirs(systemd_nspawn_t)
+	files_mounton_kernel_symbol_table(systemd_nspawn_t)
 	files_search_home(systemd_nspawn_t)
 
+	files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
+	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
+	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
+	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
+
 	fs_getattr_cgroup(systemd_nspawn_t)
 	fs_manage_cgroup_dirs(systemd_nspawn_t)
 	fs_manage_tmpfs_dirs(systemd_nspawn_t)
@@ -986,6 +1012,7 @@ tunable_policy(`systemd_nspawn_labeled_n
 	selinux_getattr_fs(systemd_nspawn_t)
 	selinux_remount_fs(systemd_nspawn_t)
 	selinux_search_fs(systemd_nspawn_t)
+	selinux_mounton_fs(systemd_nspawn_t)
 
 	init_domtrans(systemd_nspawn_t)
 
@@ -1013,7 +1040,7 @@ optional_policy(`
 # systemd_passwd_agent_t local policy
 #
 
-allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override sys_resource };
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
@@ -1024,14 +1051,19 @@ manage_sock_files_pattern(systemd_passwd
 manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
 
+can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
 kernel_read_system_state(systemd_passwd_agent_t)
 kernel_stream_connect(systemd_passwd_agent_t)
 
 dev_create_generic_dirs(systemd_passwd_agent_t)
 dev_read_generic_files(systemd_passwd_agent_t)
+dev_read_sysfs(systemd_passwd_agent_t)
+dev_write_sysfs_dirs(systemd_passwd_agent_t)
 dev_write_generic_sock_files(systemd_passwd_agent_t)
 dev_write_kmsg(systemd_passwd_agent_t)
 
+corecmd_search_bin(systemd_passwd_agent_t)
 files_read_etc_files(systemd_passwd_agent_t)
 
 fs_getattr_xattr_fs(systemd_passwd_agent_t)
@@ -1040,6 +1072,7 @@ selinux_get_enforce_mode(systemd_passwd_
 selinux_getattr_fs(systemd_passwd_agent_t)
 
 term_read_console(systemd_passwd_agent_t)
+term_use_unallocated_ttys(systemd_passwd_agent_t)
 
 auth_use_nsswitch(systemd_passwd_agent_t)
 
@@ -1100,6 +1133,8 @@ logging_send_syslog_msg(systemd_pstore_t
 
 allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
 
+allow systemd_rfkill_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+
 manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
@@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
+allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink;
+
 kernel_getattr_proc(systemd_tmpfiles_t)
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 kernel_read_network_state(systemd_tmpfiles_t)
@@ -1495,6 +1532,8 @@ systemd_dbus_chat_logind(systemd_user_ru
 seutil_read_file_contexts(systemd_user_runtime_dir_t)
 seutil_libselinux_linked(systemd_user_runtime_dir_t)
 
+userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
 userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
 userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
 userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
Index: refpolicy-2.20210120/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/udev.te
+++ refpolicy-2.20210120/policy/modules/system/udev.te
@@ -145,6 +145,7 @@ selinux_compute_access_vector(udev_t)
 selinux_compute_create_context(udev_t)
 selinux_compute_relabel_context(udev_t)
 selinux_compute_user_contexts(udev_t)
+selinux_use_status_page(udev_t)
 
 storage_watch_fixed_disk(udev_t)
 
@@ -351,6 +352,7 @@ optional_policy(`
 
 optional_policy(`
 	raid_domtrans_mdadm(udev_t)
+	raid_read_mdadm_runtime_files(udev_t)
 ')
 
 optional_policy(`
@@ -400,6 +402,10 @@ allow udevadm_t udev_runtime_t:dir watch
 dev_rw_sysfs(udevadm_t)
 dev_read_urand(udevadm_t)
 
+fs_getattr_cgroup(udevadm_t)
+fs_getattr_tmpfs(udevadm_t)
+fs_search_cgroup_dirs(udevadm_t)
+
 files_read_etc_files(udevadm_t)
 files_read_usr_files(udevadm_t)
 
Index: refpolicy-2.20210120/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20210120/policy/modules/system/unconfined.if
@@ -38,7 +38,7 @@ interface(`unconfined_domain_noaudit',`
 
 	# Use most Linux capabilities
 	allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
-	allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm };
+	allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
Index: refpolicy-2.20210120/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210120/policy/modules/system/unconfined.te
@@ -83,6 +83,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	certbot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	cron_unconfined_role(unconfined_r, unconfined_t)
 ')
 
@@ -121,6 +125,7 @@ optional_policy(`
 
 optional_policy(`
 	lvm_run(unconfined_t, unconfined_r)
+	lvm_use_sem(unconfined_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210120/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210120/policy/modules/system/userdomain.if
@@ -2167,6 +2167,8 @@ interface(`userdom_read_user_home_conten
 	')
 
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+	allow $1 user_home_t:file map;
+	allow $1 user_home_t:lnk_file read_lnk_file_perms;
 	files_search_home($1)
 ')
 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] misc kernel and system patches
  2021-01-20 10:07 [PATCH] misc kernel and system patches Russell Coker
@ 2021-01-20 14:36 ` Dominick Grift
  2021-01-27  4:05   ` Russell Coker
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2021-01-20 14:36 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Lots of little patches that should be good to merge.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.fc
> @@ -305,7 +305,6 @@ ifdef(`distro_debian',`
>  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
>  
> -/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/ajaxterm\.py.* --	gen_context(system_u:object_r:bin_t,s0)
>  /usr/share/ajaxterm/qweb\.py.* --	gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
> +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
> @@ -662,6 +662,7 @@ interface(`corecmd_read_all_executables'
>  
>  	corecmd_search_bin($1)
>  	read_files_pattern($1, exec_type, exec_type)
> +	allow $1 exec_type:file map;

create a corecmd_map_read_all_executables() instead. This macro name is
"read_all_executables" if you extend it with this rule then you
effectively do several things:

1. you make the name of the interface inaccurate because the rules no
longer reflect the name

2. you give all existing callers of this interface access to map
exec_file files.

3. Youre essentially shutting the door for just read access to exec_type
files because the interface name has already been taken for "read + map"

>  ')
>  
>  ########################################
> Index: refpolicy-2.20210120/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20210120/policy/modules/kernel/devices.if
> @@ -4323,6 +4323,42 @@ interface(`dev_mount_sysfs',`
>  
>  ########################################
>  ## <summary>
> +##     remount a sysfs filesystem
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`dev_remount_sysfs',`
> +	gen_require(`
> +		type sysfs_t;
> +	')
> +
> +	allow $1 sysfs_t:filesystem remount;
> +')
> +
> +########################################
> +## <summary>
> +##     unmount a sysfs filesystem
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`dev_unmount_sysfs',`
> +	gen_require(`
> +		type sysfs_t;
> +	')
> +
> +	allow $1 sysfs_t:filesystem unmount;
> +')
> +
> +########################################
> +## <summary>
>  ##	Do not audit getting the attributes of sysfs filesystem
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210120/policy/modules/kernel/domain.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/domain.if
> +++ refpolicy-2.20210120/policy/modules/kernel/domain.if
> @@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state
>  
>  ########################################
>  ## <summary>
> -##	Get the attributes of all domains of all domains.
> +##	Get the attributes of all domains
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
> Index: refpolicy-2.20210120/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20210120/policy/modules/kernel/files.if
> @@ -5408,6 +5408,25 @@ interface(`files_delete_kernel_symbol_ta
>  
>  ########################################
>  ## <summary>
> +##	Delete a system.map in the /boot directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_mounton_kernel_symbol_table',`
> +	gen_require(`
> +		type boot_t, system_map_t;
> +	')
> +
> +	allow $1 boot_t:dir list_dir_perms;
> +	allow $1 system_map_t:file mounton;

mount != listing boot_t dirs (i know its semi-related but you might want
to mount on symbox table and not list boot_t and this will shut the door
on that)

instead you should probably imply getattr here:

        allow $1 system_map_t:file { getattr mounton };

Would be even better to declare "mounton_file_perms" on a lower level
and use that

define(`mounton_file_perms',`{ getattr mounton }')


> +')
> +
> +########################################
> +## <summary>
>  ##	Search the contents of /var.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210120/policy/modules/kernel/selinux.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/selinux.if
> +++ refpolicy-2.20210120/policy/modules/kernel/selinux.if
> @@ -159,6 +159,24 @@ interface(`selinux_unmount_fs',`
>  
>  ########################################
>  ## <summary>
> +##	Mount on the selinuxfs filesystem.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`selinux_mounton_fs',`
> +	gen_require(`
> +		type security_t;
> +	')
> +
> +	allow $1 security_t:dir mounton;

getattr should probably be implied here

a mounton_dir_perms would be even better:

define(`mounton_dir_perms',`{ getattr mounton }')

> +')
> +
> +########################################
> +## <summary>
>  ##	Get the attributes of the selinuxfs filesystem
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210120/policy/modules/kernel/terminal.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/kernel/terminal.te
> +++ refpolicy-2.20210120/policy/modules/kernel/terminal.te
> @@ -31,6 +31,9 @@ fs_associate_tmpfs(devpts_t)
>  fs_xattr_type(devpts_t)
>  fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
>  
> +# for systemd-nspawn
> +allow console_device_t devpts_t:filesystem associate;

I am a fairly big user of systemd_nspawn and i have never ever
encountered this. only pty devices should ever associate with devpts_t
filesystems AFAIK

> +
>  #
>  # devtty_t is the type of /dev/tty.
>  #
> Index: refpolicy-2.20210120/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20210120/policy/modules/system/authlogin.te
> @@ -98,12 +98,13 @@ optional_policy(`
>  
>  allow chkpwd_t self:capability { dac_override setuid };
>  dontaudit chkpwd_t self:capability sys_tty_config;
> -allow chkpwd_t self:process { getattr signal };
> +allow chkpwd_t self:process { getcap getattr signal };
>  
>  allow chkpwd_t shadow_t:file read_file_perms;
>  files_list_etc(chkpwd_t)
>  
>  kernel_read_crypto_sysctls(chkpwd_t)
> +kernel_read_kernel_sysctls(chkpwd_t)
>  
>  domain_dontaudit_use_interactive_fds(chkpwd_t)
>  
> @@ -116,6 +117,7 @@ files_read_etc_files(chkpwd_t)
>  files_dontaudit_search_var(chkpwd_t)
>  
>  fs_dontaudit_getattr_xattr_fs(chkpwd_t)
> +fs_read_tmpfs_symlinks(chkpwd_t)
>  
>  selinux_get_enforce_mode(chkpwd_t)
>  
> Index: refpolicy-2.20210120/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20210120/policy/modules/system/fstools.te
> @@ -160,6 +160,8 @@ mount_exec(fsadm_t)
>  # for /run/mount/utab
>  mount_getattr_runtime_files(fsadm_t)
>  
> +mount_rw_runtime_files(fsadm_t)
> +
>  seutil_read_config(fsadm_t)
>  
>  userdom_use_user_terminals(fsadm_t)
> Index: refpolicy-2.20210120/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/init.if
> +++ refpolicy-2.20210120/policy/modules/system/init.if
> @@ -191,6 +191,24 @@ interface(`init_domain',`
>  
>  ########################################
>  ## <summary>
> +##	Allow a domain to be transitioned to from init_t with nnp_transition
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to transition
> +##	</summary>
> +## </param>
> +#
> +interface(`init_nnp_domain',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow init_t $1:process2 nnp_transition;
> +')

This is redundant. In systems with systemd (ifdef init_systemd) this access is already allowed.

> +
> +########################################
> +## <summary>
>  ##	Create a domain which can be started by init,
>  ##	with a range transition.
>  ## </summary>
> @@ -3029,6 +3047,24 @@ interface(`init_relabel_utmp',`
>  
>  ########################################
>  ## <summary>
> +##	Watch utmp.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_watch_utmp',`
> +	gen_require(`
> +		type initrc_runtime_t;
> +	')
> +
> +	allow $1 initrc_runtime_t:file watch;
> +')
> +
> +########################################
> +## <summary>
>  ##	Create files in /var/run with the
>  ##	utmp file type.
>  ## </summary>
> @@ -3248,6 +3284,24 @@ interface(`init_read_pid_pipes',`
>  	init_read_runtime_pipes($1)
>  ')
>  
> +######################################
> +## <summary>
> +##	restart systemd units, for /run/systemd/transient/*
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_restart_units',`
> +	gen_require(`
> +		type init_var_run_t;
> +	')
> +
> +	allow $1 init_var_run_t:service { start status stop };
> +')

i would probably create a private type for "runtime units"
but also in another patch you create another "restart_units" interface
and that has different permissions (probably best to associate
consistent permissions with interface names)

not where "restart_units" means something different somewhere else

> +
>  ########################################
>  ## <summary>
>  ##	Read init unnamed pipes.
> @@ -3575,6 +3629,24 @@ interface(`init_manage_all_unit_files',`
>  ')
>  
>  ########################################
> +## <summary>
> +##	stat systemd unit files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getattr_all_unit_files',`
> +	gen_require(`
> +		attribute systemdunit;
> +	')
> +
> +	allow $1 systemdunit:file getattr;
> +')
> +
> +########################################
>  ## <summary>
>  ##      Allow unconfined access to send instructions to init
>  ## </summary>
> Index: refpolicy-2.20210120/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/init.te
> +++ refpolicy-2.20210120/policy/modules/system/init.te
> @@ -239,7 +239,8 @@ ifdef(`init_systemd',`
>  	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
>  	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
>  	allow init_t self:netlink_selinux_socket create_socket_perms;
> -	allow init_t self:system { status reboot halt reload };
> +	# why does kernel 4.9 make it need start and stop while 4.19 does not?
> +	allow init_t self:system { start stop status reboot halt reload
>  };

I would remove the above change. might have been a bug in 4.9, no need
to support bugs besides kernel 4.9 is old.

>  	# Until systemd is fixed
>  	allow init_t self:udp_socket create_socket_perms;
>  	allow init_t self:netlink_route_socket create_netlink_socket_perms;
> @@ -1002,6 +1003,7 @@ ifdef(`enabled_mls',`
>  
>  ifdef(`init_systemd',`
>  	allow initrc_t init_t:system { start status reboot halt reload };
> +	allow init_t initrc_t:process2 nnp_transition;

this is dedundant. Should already be allowed

>  
>  	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
>  	files_lock_filetrans(initrc_t, initrc_lock_t, file)
> @@ -1043,6 +1045,7 @@ ifdef(`init_systemd',`
>  	init_get_all_units_status(initrc_t)
>  	init_manage_var_lib_files(initrc_t)
>  	init_rw_stream_sockets(initrc_t)
> +	init_stop_system(initrc_t)
>  
>  	# Create /etc/audit.rules.prev after firstboot remediation
>  	logging_manage_audit_config(initrc_t)
> Index: refpolicy-2.20210120/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20210120/policy/modules/system/locallogin.te
> @@ -125,7 +125,8 @@ auth_manage_pam_runtime_files(local_logi
>  auth_manage_pam_console_data(local_login_t)
>  auth_domtrans_pam_console(local_login_t)
>  
> -init_dontaudit_use_fds(local_login_t)
> +# if local_login_t can not inherit fd from init it takes ages to login
> +init_use_fds(local_login_t)

Yes i think youre right but i think this applies to all processes forked
by systemd. I believe that addressing rules associated with systemd
forked processes should probably be addressed on a lower level instead

for example:

init_domain is obviously systemd forked in a systemd system (init_domain
is allowed to use init fd via domtrans_pattern(init_t, $1, $2) in
init_domain().

Howver local_login is not a direct fork of systemd (its not an
init_daemon) and instead its a indirect forked process of systemd (it
gets executed by a init domain but not by init itself)

I would create a type attribute "systemd_forked_type" and then associate
the forked related rules to that and then use that

i think these (or somthing like it):

allow $1 systemd_forked_type:fd use;
allow $1 systemd_forked_type:unix_stream_socket rw_socket_perms;

These these can be removed:

https://github.com/SELinuxProject/refpolicy/blob/ea6002ddf9c09a307dccc4bf662ff7efa2395572/policy/modules/system/init.if#L186
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/init.if#L149
etc

otherwise you end up with very decentralized policy which is hard to maintain.

>  
>  miscfiles_read_localization(local_login_t)
>  
> Index: refpolicy-2.20210120/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20210120/policy/modules/system/logging.te
> @@ -515,7 +515,8 @@ ifdef(`init_systemd',`
>  	# for systemd-journal
>  	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
>  	allow syslogd_t self:capability2 audit_read;
> -	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
> +	allow syslogd_t self:capability { chown dac_read_search setgid setuid sys_ptrace audit_control };
> +	allow syslogd_t self:cap_userns sys_ptrace;
>  	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
>  
>  	# remove /run/log/journal when switching to permanent storage
> @@ -533,6 +534,7 @@ ifdef(`init_systemd',`
>  
>  	domain_getattr_all_domains(syslogd_t)
>  	domain_read_all_domains_state(syslogd_t)
> +	domain_signull_all_domains(syslogd_t)
>  
>  	init_create_runtime_dirs(syslogd_t)
>  	init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
> Index: refpolicy-2.20210120/policy/modules/system/lvm.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/lvm.if
> +++ refpolicy-2.20210120/policy/modules/system/lvm.if
> @@ -247,3 +247,21 @@ interface(`lvm_admin',`
>  	files_search_tmp($1)
>  	admin_pattern($1, lvm_tmp_t)
>  ')
> +
> +######################################
> +## <summary>
> +##	Allow lvm_t to use a semaphore
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain that created the semaphore
> +##	</summary>
> +## </param>
> +#
> +interface(`lvm_use_sem',`
> +	gen_require(`
> +		type lvm_t;
> +	')
> +
> +	allow lvm_t $1:sem all_sem_perms;

Thats not allowed like this generally

> +')
> Index: refpolicy-2.20210120/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20210120/policy/modules/system/lvm.te
> @@ -345,6 +345,8 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	apt_use_fds(lvm_t)
> +
>  	dpkg_script_rw_pipes(lvm_t)
>  ')
>  
> Index: refpolicy-2.20210120/policy/modules/system/miscfiles.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/miscfiles.fc
> +++ refpolicy-2.20210120/policy/modules/system/miscfiles.fc
> @@ -14,6 +14,8 @@ ifdef(`distro_gentoo',`
>  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>  /etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:tls_privkey_t,s0)
>  /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> +/etc/ssl/private(/.*)?		gen_context(system_u:object_r:tls_privkey_t,s0)
> +/etc/letsencrypt(/.*)?		gen_context(system_u:object_r:tls_privkey_t,s0)
>  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
>  
>  ifdef(`distro_debian',`
> Index: refpolicy-2.20210120/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20210120/policy/modules/system/modutils.te
> @@ -33,7 +33,7 @@ ifdef(`init_systemd',`
>  # insmod local policy
>  #
>  
> -allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
> +allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
>  allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
>  # for the radeon/amdgpu modules
>  dontaudit kmod_t self:capability sys_admin;
> @@ -99,6 +99,7 @@ fs_getattr_xattr_fs(kmod_t)
>  fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
>  fs_search_tracefs(kmod_t)
>  
> +init_nnp_domain(kmod_t)

shouldnt be needed : kmod is a init_system_domain which is a
init_domain, and systemd can already nnp transition to all init_domain
if ifdef init_systemd is set

>  init_rw_initctl(kmod_t)
>  init_use_fds(kmod_t)
>  init_use_script_fds(kmod_t)
> @@ -138,6 +139,8 @@ optional_policy(`
>  	dpkg_manage_script_tmp_files(kmod_t)
>  	dpkg_map_script_tmp_files(kmod_t)
>  	dpkg_read_script_tmp_symlinks(kmod_t)
> +	apt_use_fds(kmod_t)
> +	apt_use_ptys(kmod_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210120/policy/modules/system/mount.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/mount.te
> +++ refpolicy-2.20210120/policy/modules/system/mount.te
> @@ -219,6 +219,14 @@ optional_policy(`
>  	samba_run_smbmount(mount_t, mount_roles)
>  ')
>  
> +optional_policy(`
> +	ssh_rw_pipes(mount_t)
> +')
> +
> +optional_policy(`
> +	xen_read_image_files(mount_t)
> +')
> +
>  ########################################
>  #
>  # Unconfined mount local policy
> Index: refpolicy-2.20210120/policy/modules/system/raid.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/raid.fc
> +++ refpolicy-2.20210120/policy/modules/system/raid.fc
> @@ -11,6 +11,8 @@
>  /usr/bin/mdmpd	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
>  /usr/bin/raid-check	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
>  
> +/usr/share/mdadm/checkarray --	gen_context(system_u:object_r:mdadm_exec_t,s0)
> +
>  # Systemd unit files
>  /usr/lib/systemd/system/[^/]*mdadm-.*	--	gen_context(system_u:object_r:mdadm_unit_t,s0)
>  /usr/lib/systemd/system/[^/]*mdmon.*	--	gen_context(system_u:object_r:mdadm_unit_t,s0)
> Index: refpolicy-2.20210120/policy/modules/system/raid.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/raid.te
> +++ refpolicy-2.20210120/policy/modules/system/raid.te
> @@ -54,6 +54,7 @@ dev_dontaudit_getattr_all_blk_files(mdad
>  dev_dontaudit_getattr_all_chr_files(mdadm_t)
>  dev_read_realtime_clock(mdadm_t)
>  
> +domain_dontaudit_search_all_domains_state(mdadm_t)
>  domain_use_interactive_fds(mdadm_t)
>  
>  files_read_etc_files(mdadm_t)
> @@ -90,6 +91,7 @@ userdom_dontaudit_use_user_terminals(mda
>  
>  optional_policy(`
>  	cron_system_entry(mdadm_t, mdadm_exec_t)
> +	cron_rw_tmp_files(mdadm_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210120/policy/modules/system/systemd.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/systemd.fc
> +++ refpolicy-2.20210120/policy/modules/system/systemd.fc
> @@ -5,7 +5,6 @@
>  
>  /run/log/journal(/.*)?				gen_context(system_u:object_r:systemd_journal_t,s0)
>  
> -/usr/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
>  /usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
>  /usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
>  /usr/bin/systemd-detect-virt		--	gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
> Index: refpolicy-2.20210120/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20210120/policy/modules/system/systemd.te
> @@ -355,10 +355,11 @@ ifdef(`enable_mls',`
>  #
>  
>  allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
> -allow systemd_coredump_t self:capability { setgid setuid setpcap };
> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
>  allow systemd_coredump_t self:process { getcap setcap setfscreate };
>  
>  manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
> +allow systemd_coredump_t systemd_coredump_var_lib_t:file map;
>  
>  kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
>  kernel_read_kernel_sysctls(systemd_coredump_t)
> @@ -376,6 +377,7 @@ files_read_etc_files(systemd_coredump_t)
>  files_search_var_lib(systemd_coredump_t)
>  
>  fs_getattr_xattr_fs(systemd_coredump_t)
> +fs_search_tmpfs(systemd_coredump_t)
>  
>  selinux_getattr_fs(systemd_coredump_t)
>  
> @@ -397,6 +399,8 @@ allow systemd_generator_t self:fifo_file
>  allow systemd_generator_t self:capability dac_override;
>  allow systemd_generator_t self:process setfscreate;
>  
> +allow systemd_generator_t systemd_unit_t:file getattr;
> +
>  corecmd_getattr_bin_files(systemd_generator_t)
>  
>  dev_read_sysfs(systemd_generator_t)
> @@ -407,6 +411,7 @@ files_read_etc_files(systemd_generator_t
>  files_search_runtime(systemd_generator_t)
>  files_list_boot(systemd_generator_t)
>  files_read_boot_files(systemd_generator_t)
> +files_read_config_files(systemd_generator_t)
>  files_search_all_mountpoints(systemd_generator_t)
>  files_list_usr(systemd_generator_t)
>  
> @@ -414,6 +419,8 @@ fs_list_efivars(systemd_generator_t)
>  fs_getattr_xattr_fs(systemd_generator_t)
>  
>  init_create_runtime_files(systemd_generator_t)
> +init_read_all_script_files(systemd_generator_t)
> +init_getattr_all_unit_files(systemd_generator_t)
>  init_manage_runtime_dirs(systemd_generator_t)
>  init_manage_runtime_symlinks(systemd_generator_t)
>  init_read_runtime_files(systemd_generator_t)
> @@ -618,12 +625,17 @@ init_dbus_send_script(systemd_logind_t)
>  init_get_all_units_status(systemd_logind_t)
>  init_get_system_status(systemd_logind_t)
>  init_read_utmp(systemd_logind_t)
> +init_restart_units(systemd_logind_t)
>  init_service_start(systemd_logind_t)
>  init_service_status(systemd_logind_t)
>  init_start_all_units(systemd_logind_t)
>  init_stop_all_units(systemd_logind_t)
>  init_start_system(systemd_logind_t)
>  init_stop_system(systemd_logind_t)
> +init_watch_utmp(systemd_logind_t)
> +
> +# for /run/systemd/transient/*
> +init_restart_units(systemd_logind_t)
>  
>  locallogin_read_state(systemd_logind_t)
>  
> @@ -880,6 +892,9 @@ allow systemd_nspawn_t self:capability {
>  allow systemd_nspawn_t self:capability2 wake_alarm;
>  allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
>  allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
> +allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
> +allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
> +allow systemd_nspawn_t self:udp_socket { create ioctl };

probably just create_socket_perms

>  
>  allow systemd_nspawn_t systemd_journal_t:dir search;
>  
> @@ -916,6 +931,9 @@ dev_getattr_fs(systemd_nspawn_t)
>  dev_manage_sysfs_dirs(systemd_nspawn_t)
>  dev_mounton_sysfs_dirs(systemd_nspawn_t)
>  dev_mount_sysfs(systemd_nspawn_t)
> +dev_remount_sysfs(systemd_nspawn_t)
> +dev_unmount_sysfs(systemd_nspawn_t)
> +dev_read_sysfs(systemd_nspawn_t)
>  dev_read_rand(systemd_nspawn_t)
>  dev_read_urand(systemd_nspawn_t)
>  
> @@ -928,6 +946,7 @@ files_mounton_tmp(systemd_nspawn_t)
>  files_read_kernel_symbol_table(systemd_nspawn_t)
>  files_setattr_runtime_dirs(systemd_nspawn_t)
>  
> +fs_getattr_cgroup(systemd_nspawn_t)
>  fs_getattr_tmpfs(systemd_nspawn_t)
>  fs_manage_tmpfs_chr_files(systemd_nspawn_t)
>  fs_mount_tmpfs(systemd_nspawn_t)
> @@ -951,6 +970,7 @@ init_write_runtime_socket(systemd_nspawn
>  init_spec_domtrans_script(systemd_nspawn_t)
>  
>  miscfiles_manage_localization(systemd_nspawn_t)
> +udev_read_runtime_files(systemd_nspawn_t)
>  
>  # for writing inside chroot
>  sysnet_manage_config(systemd_nspawn_t)
> @@ -967,8 +987,14 @@ tunable_policy(`systemd_nspawn_labeled_n
>  	# manage etc symlinks for /etc/localtime
>  	files_manage_etc_symlinks(systemd_nspawn_t)
>  	files_mounton_runtime_dirs(systemd_nspawn_t)
> +	files_mounton_kernel_symbol_table(systemd_nspawn_t)
>  	files_search_home(systemd_nspawn_t)
>  
> +	files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
> +	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
> +	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
> +	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
> +
>  	fs_getattr_cgroup(systemd_nspawn_t)
>  	fs_manage_cgroup_dirs(systemd_nspawn_t)
>  	fs_manage_tmpfs_dirs(systemd_nspawn_t)
> @@ -986,6 +1012,7 @@ tunable_policy(`systemd_nspawn_labeled_n
>  	selinux_getattr_fs(systemd_nspawn_t)
>  	selinux_remount_fs(systemd_nspawn_t)
>  	selinux_search_fs(systemd_nspawn_t)
> +	selinux_mounton_fs(systemd_nspawn_t)
>  
>  	init_domtrans(systemd_nspawn_t)
>  
> @@ -1013,7 +1040,7 @@ optional_policy(`
>  # systemd_passwd_agent_t local policy
>  #
>  
> -allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
> +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override sys_resource };
>  allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
>  allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
>  
> @@ -1024,14 +1051,19 @@ manage_sock_files_pattern(systemd_passwd
>  manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
>  init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
>  
> +can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
> +
>  kernel_read_system_state(systemd_passwd_agent_t)
>  kernel_stream_connect(systemd_passwd_agent_t)
>  
>  dev_create_generic_dirs(systemd_passwd_agent_t)
>  dev_read_generic_files(systemd_passwd_agent_t)
> +dev_read_sysfs(systemd_passwd_agent_t)
> +dev_write_sysfs_dirs(systemd_passwd_agent_t)
>  dev_write_generic_sock_files(systemd_passwd_agent_t)
>  dev_write_kmsg(systemd_passwd_agent_t)
>  
> +corecmd_search_bin(systemd_passwd_agent_t)
>  files_read_etc_files(systemd_passwd_agent_t)
>  
>  fs_getattr_xattr_fs(systemd_passwd_agent_t)
> @@ -1040,6 +1072,7 @@ selinux_get_enforce_mode(systemd_passwd_
>  selinux_getattr_fs(systemd_passwd_agent_t)
>  
>  term_read_console(systemd_passwd_agent_t)
> +term_use_unallocated_ttys(systemd_passwd_agent_t)
>  
>  auth_use_nsswitch(systemd_passwd_agent_t)
>  
> @@ -1100,6 +1133,8 @@ logging_send_syslog_msg(systemd_pstore_t
>  
>  allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
>  
> +allow systemd_rfkill_t self:netlink_kobject_uevent_socket client_stream_socket_perms;

thats not a stream socket, do this instead:

- allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
+ allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;

> +
>  manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
>  manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
>  init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
> @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal
>  allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
>  allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>  
> +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink;

questionable

> +
>  kernel_getattr_proc(systemd_tmpfiles_t)
>  kernel_read_kernel_sysctls(systemd_tmpfiles_t)
>  kernel_read_network_state(systemd_tmpfiles_t)
> @@ -1495,6 +1532,8 @@ systemd_dbus_chat_logind(systemd_user_ru
>  seutil_read_file_contexts(systemd_user_runtime_dir_t)
>  seutil_libselinux_linked(systemd_user_runtime_dir_t)
>  
> +userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
> +userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
>  userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
>  userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
>  userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
> Index: refpolicy-2.20210120/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20210120/policy/modules/system/udev.te
> @@ -145,6 +145,7 @@ selinux_compute_access_vector(udev_t)
>  selinux_compute_create_context(udev_t)
>  selinux_compute_relabel_context(udev_t)
>  selinux_compute_user_contexts(udev_t)
> +selinux_use_status_page(udev_t)
>  
>  storage_watch_fixed_disk(udev_t)
>  
> @@ -351,6 +352,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	raid_domtrans_mdadm(udev_t)
> +	raid_read_mdadm_runtime_files(udev_t)
>  ')
>  
>  optional_policy(`
> @@ -400,6 +402,10 @@ allow udevadm_t udev_runtime_t:dir watch
>  dev_rw_sysfs(udevadm_t)
>  dev_read_urand(udevadm_t)
>  
> +fs_getattr_cgroup(udevadm_t)
> +fs_getattr_tmpfs(udevadm_t)
> +fs_search_cgroup_dirs(udevadm_t)
> +
>  files_read_etc_files(udevadm_t)
>  files_read_usr_files(udevadm_t)
>  
> Index: refpolicy-2.20210120/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20210120/policy/modules/system/unconfined.if
> @@ -38,7 +38,7 @@ interface(`unconfined_domain_noaudit',`
>  
>  	# Use most Linux capabilities
>  	allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
> -	allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm };
> +	allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
>  	allow $1 self:fifo_file manage_fifo_file_perms;
>  
>  	# Transition to myself, to make get_ordered_context_list happy.
> Index: refpolicy-2.20210120/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20210120/policy/modules/system/unconfined.te
> @@ -83,6 +83,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	certbot_run(unconfined_t, unconfined_r)

unconfined should be unconfined.

> +')
> +
> +optional_policy(`
>  	cron_unconfined_role(unconfined_r, unconfined_t)
>  ')
>  
> @@ -121,6 +125,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	lvm_run(unconfined_t, unconfined_r)
> +	lvm_use_sem(unconfined_t)

that lvm_use_sem should probably just be part of lvm_run()

ie "allow $1 lvm_t:semd rw_sem_perms;"

But in my personal view unconfined_t shouldnt run lvm with a domain
transition in the first place (defeats the purpose of the unconfined domain)

>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210120/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20210120/policy/modules/system/userdomain.if
> @@ -2167,6 +2167,8 @@ interface(`userdom_read_user_home_conten
>  	')
>  
>  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
> +	allow $1 user_home_t:file map;

read != map
and file != lnk_file

by generalizing interfaces you shut doors for fine grained access control

> +	allow $1 user_home_t:lnk_file read_lnk_file_perms;
>  	files_search_home($1)
>  ')
>  
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] misc kernel and system patches
  2021-01-20 14:36 ` Dominick Grift
@ 2021-01-27  4:05   ` Russell Coker
  2021-01-27  6:03     ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2021-01-27  4:05 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Thursday, 21 January 2021 1:36:46 AM AEDT Dominick Grift wrote:
> > Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
> > +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
> > @@ -662,6 +662,7 @@ interface(`corecmd_read_all_executables'
> > 
> >  	corecmd_search_bin($1)
> >  	read_files_pattern($1, exec_type, exec_type)
> > 
> > +	allow $1 exec_type:file map;
> 
> create a corecmd_map_read_all_executables() instead. This macro name is
> "read_all_executables" if you extend it with this rule then you
> effectively do several things:

OK, I'll do that in another patch.

> > +interface(`files_mounton_kernel_symbol_table',`
> > +	gen_require(`
> > +		type boot_t, system_map_t;
> > +	')
> > +
> > +	allow $1 boot_t:dir list_dir_perms;
> > +	allow $1 system_map_t:file mounton;
> 
> mount != listing boot_t dirs (i know its semi-related but you might want
> to mount on symbox table and not list boot_t and this will shut the door
> on that)
> 
> instead you should probably imply getattr here:
> 
>         allow $1 system_map_t:file { getattr mounton };
> 
> Would be even better to declare "mounton_file_perms" on a lower level
> and use that
> 
> define(`mounton_file_perms',`{ getattr mounton }')

OK, that will be in the next version.

> > +##	Mount on the selinuxfs filesystem.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`selinux_mounton_fs',`
> > +	gen_require(`
> > +		type security_t;
> > +	')
> > +
> > +	allow $1 security_t:dir mounton;
> 
> getattr should probably be implied here
> 
> a mounton_dir_perms would be even better:
> 
> define(`mounton_dir_perms',`{ getattr mounton }')

OK.

> > Index: refpolicy-2.20210120/policy/modules/kernel/terminal.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/kernel/terminal.te
> > +++ refpolicy-2.20210120/policy/modules/kernel/terminal.te
> > @@ -31,6 +31,9 @@ fs_associate_tmpfs(devpts_t)
> > 
> >  fs_xattr_type(devpts_t)
> >  fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
> > 
> > +# for systemd-nspawn
> > +allow console_device_t devpts_t:filesystem associate;
> 
> I am a fairly big user of systemd_nspawn and i have never ever
> encountered this. only pty devices should ever associate with devpts_t
> filesystems AFAIK

OK, I'll remove that and investigate other solutions.

> > +##	Allow a domain to be transitioned to from init_t with nnp_transition
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain to transition
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`init_nnp_domain',`
> > +	gen_require(`
> > +		type init_t;
> > +	')
> > +
> > +	allow init_t $1:process2 nnp_transition;
> > +')
> 
> This is redundant. In systems with systemd (ifdef init_systemd) this access
> is already allowed.

OK, I'll remove it.

> > +######################################
> > +## <summary>
> > +##	restart systemd units, for /run/systemd/transient/*
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`init_restart_units',`
> > +	gen_require(`
> > +		type init_var_run_t;
> > +	')
> > +
> > +	allow $1 init_var_run_t:service { start status stop };
> > +')
> 
> i would probably create a private type for "runtime units"
> but also in another patch you create another "restart_units" interface
> and that has different permissions (probably best to associate
> consistent permissions with interface names)
> 
> not where "restart_units" means something different somewhere else

I'll move this to another patch.

> > Index: refpolicy-2.20210120/policy/modules/system/init.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/system/init.te
> > +++ refpolicy-2.20210120/policy/modules/system/init.te
> > @@ -239,7 +239,8 @@ ifdef(`init_systemd',`
> > 
> >  	allow init_t self:unix_stream_socket { create_stream_socket_perms
> >  	connectto }; allow init_t self:netlink_audit_socket { nlmsg_relay
> >  	create_socket_perms }; allow init_t self:netlink_selinux_socket
> >  	create_socket_perms;
> > 
> > -	allow init_t self:system { status reboot halt reload };
> > +	# why does kernel 4.9 make it need start and stop while 4.19 does not?
> > +	allow init_t self:system { start stop status reboot halt reload
> > 
> >  };
> 
> I would remove the above change. might have been a bug in 4.9, no need
> to support bugs besides kernel 4.9 is old.

OK, I've removed that.

> > @@ -1002,6 +1003,7 @@ ifdef(`enabled_mls',`
> > 
> >  ifdef(`init_systemd',`
> >  
> >  	allow initrc_t init_t:system { start status reboot halt reload };
> > 
> > +	allow init_t initrc_t:process2 nnp_transition;
> 
> this is dedundant. Should already be allowed

OK.

> > Index: refpolicy-2.20210120/policy/modules/system/locallogin.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te
> > +++ refpolicy-2.20210120/policy/modules/system/locallogin.te
> > @@ -125,7 +125,8 @@ auth_manage_pam_runtime_files(local_logi
> > 
> >  auth_manage_pam_console_data(local_login_t)
> >  auth_domtrans_pam_console(local_login_t)
> > 
> > -init_dontaudit_use_fds(local_login_t)
> > +# if local_login_t can not inherit fd from init it takes ages to login
> > +init_use_fds(local_login_t)
> 
> Yes i think youre right but i think this applies to all processes forked
> by systemd. I believe that addressing rules associated with systemd
> forked processes should probably be addressed on a lower level instead
> 
> for example:
> 
> init_domain is obviously systemd forked in a systemd system (init_domain
> is allowed to use init fd via domtrans_pattern(init_t, $1, $2) in
> init_domain().
> 
> Howver local_login is not a direct fork of systemd (its not an
> init_daemon) and instead its a indirect forked process of systemd (it
> gets executed by a init domain but not by init itself)
> 
> I would create a type attribute "systemd_forked_type" and then associate
> the forked related rules to that and then use that
> 
> i think these (or somthing like it):
> 
> allow $1 systemd_forked_type:fd use;
> allow $1 systemd_forked_type:unix_stream_socket rw_socket_perms;
> 
> These these can be removed:

I'll move this to another patch and another discussion.

> https://github.com/SELinuxProject/refpolicy/blob/ea6002ddf9c09a307dccc4bf662
> ff7efa2395572/policy/modules/system/init.if#L186
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/syst
> em/init.if#L149 etc
> 
> otherwise you end up with very decentralized policy which is hard to
> maintain.

> > +######################################
> > +## <summary>
> > +##	Allow lvm_t to use a semaphore
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain that created the semaphore
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`lvm_use_sem',`
> > +	gen_require(`
> > +		type lvm_t;
> > +	')
> > +
> > +	allow lvm_t $1:sem all_sem_perms;
> 
> Thats not allowed like this generally

OK, I'll do it differently.

> > @@ -99,6 +99,7 @@ fs_getattr_xattr_fs(kmod_t)
> > 
> >  fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> >  fs_search_tracefs(kmod_t)
> > 
> > +init_nnp_domain(kmod_t)
> 
> shouldnt be needed : kmod is a init_system_domain which is a
> init_domain, and systemd can already nnp transition to all init_domain
> if ifdef init_systemd is set

OK, I'll test that out.

> > +term_use_unallocated_ttys(systemd_passwd_agent_t)
> > 
> >  auth_use_nsswitch(systemd_passwd_agent_t)
> > 
> > @@ -1100,6 +1133,8 @@ logging_send_syslog_msg(systemd_pstore_t
> > 
> >  allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create
> >  getattr read setopt };> 
> > +allow systemd_rfkill_t self:netlink_kobject_uevent_socket
> > client_stream_socket_perms;
> thats not a stream socket, do this instead:
> 
> - allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create
> getattr read setopt }; + allow systemd_rfkill_t
> self:netlink_kobject_uevent_socket create_socket_perms;

OK.

> > @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal
> > 
> >  allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> >  allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
> > 
> > +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink;
> 
> questionable

Why?

> > Index: refpolicy-2.20210120/policy/modules/system/unconfined.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.te
> > +++ refpolicy-2.20210120/policy/modules/system/unconfined.te
> > @@ -83,6 +83,10 @@ optional_policy(`
> > 
> >  ')
> >  
> >  optional_policy(`
> > 
> > +	certbot_run(unconfined_t, unconfined_r)
> 
> unconfined should be unconfined.

certbot needs execmem, we generally don't want to give that to unconfined, so 
running certbot in a different domain seems better.

> >  optional_policy(`
> >  
> >  	lvm_run(unconfined_t, unconfined_r)
> > 
> > +	lvm_use_sem(unconfined_t)
> 
> that lvm_use_sem should probably just be part of lvm_run()
> 
> ie "allow $1 lvm_t:semd rw_sem_perms;"

OK, I'll do that.

> But in my personal view unconfined_t shouldnt run lvm with a domain
> transition in the first place (defeats the purpose of the unconfined domain)

I think the problem is the type transition rules.  Run lvm etc as unconfined_t 
and then lvm run from init etc won't be able to access it's temporary files 
etc.

> > Index: refpolicy-2.20210120/policy/modules/system/userdomain.if
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if
> > +++ refpolicy-2.20210120/policy/modules/system/userdomain.if
> > @@ -2167,6 +2167,8 @@ interface(`userdom_read_user_home_conten
> > 
> >  	')
> >  	
> >  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
> > 
> > +	allow $1 user_home_t:file map;
> 
> read != map
> and file != lnk_file
> 
> by generalizing interfaces you shut doors for fine grained access control

OK, I'll remove that.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] misc kernel and system patches
  2021-01-27  4:05   ` Russell Coker
@ 2021-01-27  6:03     ` Dominick Grift
  2021-01-27  8:53       ` Russell Coker
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2021-01-27  6:03 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> On Thursday, 21 January 2021 1:36:46 AM AEDT Dominick Grift wrote:
>> > Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if
>> > ===================================================================
>> > --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if
>> > +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if
>> > @@ -662,6 +662,7 @@ interface(`corecmd_read_all_executables'
>> > 
>> >  	corecmd_search_bin($1)
>> >  	read_files_pattern($1, exec_type, exec_type)
>> > 
>> > +	allow $1 exec_type:file map;
>> 
>> create a corecmd_map_read_all_executables() instead. This macro name is
>> "read_all_executables" if you extend it with this rule then you
>> effectively do several things:
>
> OK, I'll do that in another patch.
>
>> > +interface(`files_mounton_kernel_symbol_table',`
>> > +	gen_require(`
>> > +		type boot_t, system_map_t;
>> > +	')
>> > +
>> > +	allow $1 boot_t:dir list_dir_perms;
>> > +	allow $1 system_map_t:file mounton;
>> 
>> mount != listing boot_t dirs (i know its semi-related but you might want
>> to mount on symbox table and not list boot_t and this will shut the door
>> on that)
>> 
>> instead you should probably imply getattr here:
>> 
>>         allow $1 system_map_t:file { getattr mounton };
>> 
>> Would be even better to declare "mounton_file_perms" on a lower level
>> and use that
>> 
>> define(`mounton_file_perms',`{ getattr mounton }')
>
> OK, that will be in the next version.
>
>> > +##	Mount on the selinuxfs filesystem.
>> > +## </summary>
>> > +## <param name="domain">
>> > +##	<summary>
>> > +##	Domain allowed access.
>> > +##	</summary>
>> > +## </param>
>> > +#
>> > +interface(`selinux_mounton_fs',`
>> > +	gen_require(`
>> > +		type security_t;
>> > +	')
>> > +
>> > +	allow $1 security_t:dir mounton;
>> 
>> getattr should probably be implied here
>> 
>> a mounton_dir_perms would be even better:
>> 
>> define(`mounton_dir_perms',`{ getattr mounton }')
>
> OK.
>
>> > Index: refpolicy-2.20210120/policy/modules/kernel/terminal.te
>> > ===================================================================
>> > --- refpolicy-2.20210120.orig/policy/modules/kernel/terminal.te
>> > +++ refpolicy-2.20210120/policy/modules/kernel/terminal.te
>> > @@ -31,6 +31,9 @@ fs_associate_tmpfs(devpts_t)
>> > 
>> >  fs_xattr_type(devpts_t)
>> >  fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
>> > 
>> > +# for systemd-nspawn
>> > +allow console_device_t devpts_t:filesystem associate;
>> 
>> I am a fairly big user of systemd_nspawn and i have never ever
>> encountered this. only pty devices should ever associate with devpts_t
>> filesystems AFAIK
>
> OK, I'll remove that and investigate other solutions.
>
>> > +##	Allow a domain to be transitioned to from init_t with nnp_transition
>> > +## </summary>
>> > +## <param name="domain">
>> > +##	<summary>
>> > +##	Domain to transition
>> > +##	</summary>
>> > +## </param>
>> > +#
>> > +interface(`init_nnp_domain',`
>> > +	gen_require(`
>> > +		type init_t;
>> > +	')
>> > +
>> > +	allow init_t $1:process2 nnp_transition;
>> > +')
>> 
>> This is redundant. In systems with systemd (ifdef init_systemd) this access
>> is already allowed.
>
> OK, I'll remove it.
>
>> > +######################################
>> > +## <summary>
>> > +##	restart systemd units, for /run/systemd/transient/*
>> > +## </summary>
>> > +## <param name="domain">
>> > +##	<summary>
>> > +##	Domain allowed access.
>> > +##	</summary>
>> > +## </param>
>> > +#
>> > +interface(`init_restart_units',`
>> > +	gen_require(`
>> > +		type init_var_run_t;
>> > +	')
>> > +
>> > +	allow $1 init_var_run_t:service { start status stop };
>> > +')
>> 
>> i would probably create a private type for "runtime units"
>> but also in another patch you create another "restart_units" interface
>> and that has different permissions (probably best to associate
>> consistent permissions with interface names)
>> 
>> not where "restart_units" means something different somewhere else
>
> I'll move this to another patch.
>
>> > Index: refpolicy-2.20210120/policy/modules/system/init.te
>> > ===================================================================
>> > --- refpolicy-2.20210120.orig/policy/modules/system/init.te
>> > +++ refpolicy-2.20210120/policy/modules/system/init.te
>> > @@ -239,7 +239,8 @@ ifdef(`init_systemd',`
>> > 
>> >  	allow init_t self:unix_stream_socket { create_stream_socket_perms
>> >  	connectto }; allow init_t self:netlink_audit_socket { nlmsg_relay
>> >  	create_socket_perms }; allow init_t self:netlink_selinux_socket
>> >  	create_socket_perms;
>> > 
>> > -	allow init_t self:system { status reboot halt reload };
>> > +	# why does kernel 4.9 make it need start and stop while 4.19 does not?
>> > +	allow init_t self:system { start stop status reboot halt reload
>> > 
>> >  };
>> 
>> I would remove the above change. might have been a bug in 4.9, no need
>> to support bugs besides kernel 4.9 is old.
>
> OK, I've removed that.
>
>> > @@ -1002,6 +1003,7 @@ ifdef(`enabled_mls',`
>> > 
>> >  ifdef(`init_systemd',`
>> >  
>> >  	allow initrc_t init_t:system { start status reboot halt reload };
>> > 
>> > +	allow init_t initrc_t:process2 nnp_transition;
>> 
>> this is dedundant. Should already be allowed
>
> OK.
>
>> > Index: refpolicy-2.20210120/policy/modules/system/locallogin.te
>> > ===================================================================
>> > --- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te
>> > +++ refpolicy-2.20210120/policy/modules/system/locallogin.te
>> > @@ -125,7 +125,8 @@ auth_manage_pam_runtime_files(local_logi
>> > 
>> >  auth_manage_pam_console_data(local_login_t)
>> >  auth_domtrans_pam_console(local_login_t)
>> > 
>> > -init_dontaudit_use_fds(local_login_t)
>> > +# if local_login_t can not inherit fd from init it takes ages to login
>> > +init_use_fds(local_login_t)
>> 
>> Yes i think youre right but i think this applies to all processes forked
>> by systemd. I believe that addressing rules associated with systemd
>> forked processes should probably be addressed on a lower level instead
>> 
>> for example:
>> 
>> init_domain is obviously systemd forked in a systemd system (init_domain
>> is allowed to use init fd via domtrans_pattern(init_t, $1, $2) in
>> init_domain().
>> 
>> Howver local_login is not a direct fork of systemd (its not an
>> init_daemon) and instead its a indirect forked process of systemd (it
>> gets executed by a init domain but not by init itself)
>> 
>> I would create a type attribute "systemd_forked_type" and then associate
>> the forked related rules to that and then use that
>> 
>> i think these (or somthing like it):
>> 
>> allow $1 systemd_forked_type:fd use;
>> allow $1 systemd_forked_type:unix_stream_socket rw_socket_perms;
>> 
>> These these can be removed:
>
> I'll move this to another patch and another discussion.
>
>> https://github.com/SELinuxProject/refpolicy/blob/ea6002ddf9c09a307dccc4bf662
>> ff7efa2395572/policy/modules/system/init.if#L186
>> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/syst
>> em/init.if#L149 etc
>> 
>> otherwise you end up with very decentralized policy which is hard to
>> maintain.
>
>> > +######################################
>> > +## <summary>
>> > +##	Allow lvm_t to use a semaphore
>> > +## </summary>
>> > +## <param name="domain">
>> > +##	<summary>
>> > +##	Domain that created the semaphore
>> > +##	</summary>
>> > +## </param>
>> > +#
>> > +interface(`lvm_use_sem',`
>> > +	gen_require(`
>> > +		type lvm_t;
>> > +	')
>> > +
>> > +	allow lvm_t $1:sem all_sem_perms;
>> 
>> Thats not allowed like this generally
>
> OK, I'll do it differently.
>
>> > @@ -99,6 +99,7 @@ fs_getattr_xattr_fs(kmod_t)
>> > 
>> >  fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
>> >  fs_search_tracefs(kmod_t)
>> > 
>> > +init_nnp_domain(kmod_t)
>> 
>> shouldnt be needed : kmod is a init_system_domain which is a
>> init_domain, and systemd can already nnp transition to all init_domain
>> if ifdef init_systemd is set
>
> OK, I'll test that out.
>
>> > +term_use_unallocated_ttys(systemd_passwd_agent_t)
>> > 
>> >  auth_use_nsswitch(systemd_passwd_agent_t)
>> > 
>> > @@ -1100,6 +1133,8 @@ logging_send_syslog_msg(systemd_pstore_t
>> > 
>> >  allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create
>> >  getattr read setopt };> 
>> > +allow systemd_rfkill_t self:netlink_kobject_uevent_socket
>> > client_stream_socket_perms;
>> thats not a stream socket, do this instead:
>> 
>> - allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create
>> getattr read setopt }; + allow systemd_rfkill_t
>> self:netlink_kobject_uevent_socket create_socket_perms;
>
> OK.
>
>> > @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal
>> > 
>> >  allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
>> >  allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>> > 
>> > +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink;
>> 
>> questionable
>
> Why?
>

Not sure yet. other than that is looks incomplete and that i am
wondering why one would be bothering with this.

Can you tell me a bit more about this event?

>> > Index: refpolicy-2.20210120/policy/modules/system/unconfined.te
>> > ===================================================================
>> > --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.te
>> > +++ refpolicy-2.20210120/policy/modules/system/unconfined.te
>> > @@ -83,6 +83,10 @@ optional_policy(`
>> > 
>> >  ')
>> >  
>> >  optional_policy(`
>> > 
>> > +	certbot_run(unconfined_t, unconfined_r)
>> 
>> unconfined should be unconfined.
>
> certbot needs execmem, we generally don't want to give that to unconfined, so 
> running certbot in a different domain seems better.

Those day's are long gone. Nowaday's even `grep` does execmem.

>
>> >  optional_policy(`
>> >  
>> >  	lvm_run(unconfined_t, unconfined_r)
>> > 
>> > +	lvm_use_sem(unconfined_t)
>> 
>> that lvm_use_sem should probably just be part of lvm_run()
>> 
>> ie "allow $1 lvm_t:semd rw_sem_perms;"
>
> OK, I'll do that.
>
>> But in my personal view unconfined_t shouldnt run lvm with a domain
>> transition in the first place (defeats the purpose of the unconfined domain)
>
> I think the problem is the type transition rules.  Run lvm etc as unconfined_t 
> and then lvm run from init etc won't be able to access it's temporary files 
> etc.
>

why would lvm run for init have any busyness with temporary files? Seems
unlikely to me and nowaday's we have a lot more flexibility with
type-trans rules. But yes, its a bit late in the game now to change
this. It breaks the model though IMHO.

>> > Index: refpolicy-2.20210120/policy/modules/system/userdomain.if
>> > ===================================================================
>> > --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if
>> > +++ refpolicy-2.20210120/policy/modules/system/userdomain.if
>> > @@ -2167,6 +2167,8 @@ interface(`userdom_read_user_home_conten
>> > 
>> >  	')
>> >  	
>> >  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
>> > 
>> > +	allow $1 user_home_t:file map;
>> 
>> read != map
>> and file != lnk_file
>> 
>> by generalizing interfaces you shut doors for fine grained access control
>
> OK, I'll remove that.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] misc kernel and system patches
  2021-01-27  6:03     ` Dominick Grift
@ 2021-01-27  8:53       ` Russell Coker
  2021-01-27 11:45         ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2021-01-27  8:53 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Wednesday, 27 January 2021 5:03:06 PM AEDT Dominick Grift wrote:
> >> > @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal
> >> > 
> >> >  allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> >> >  allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file
> >> >  read_file_perms;
> >> > 
> >> > +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink;
> >> 
> >> questionable
> > 
> > Why?
> 
> Not sure yet. other than that is looks incomplete and that i am
> wondering why one would be bothering with this.
> 
> Can you tell me a bit more about this event?

It's just a fifo that systemd-nspawn left lying around and tmpfiles cleaned 
up.  My way of not bothering is to just allow it.  It doesn't seem to do any 
harm.

> >> unconfined should be unconfined.
> > 
> > certbot needs execmem, we generally don't want to give that to unconfined,
> > so running certbot in a different domain seems better.
> 
> Those day's are long gone. Nowaday's even `grep` does execmem.

grep asks for execmem but seems to work fine without it.  certbot won't 
function without it.

> >> But in my personal view unconfined_t shouldnt run lvm with a domain
> >> transition in the first place (defeats the purpose of the unconfined
> >> domain)> 
> > I think the problem is the type transition rules.  Run lvm etc as
> > unconfined_t and then lvm run from init etc won't be able to access it's
> > temporary files etc.
> 
> why would lvm run for init have any busyness with temporary files? Seems
> unlikely to me and nowaday's we have a lot more flexibility with
> type-trans rules. But yes, its a bit late in the game now to change
> this. It breaks the model though IMHO.

type_transition lvm_t device_t:blk_file fixed_disk_device_t;
type_transition lvm_t etc_t:file lvm_metadata_t;

Here's a couple of the type_transition rules in the current policy that 
indicate problems if you removed the transition to lvm_t.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] misc kernel and system patches
  2021-01-27  8:53       ` Russell Coker
@ 2021-01-27 11:45         ` Dominick Grift
  0 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2021-01-27 11:45 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> On Wednesday, 27 January 2021 5:03:06 PM AEDT Dominick Grift wrote:
>> >> > @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal
>> >> > 
>> >> >  allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
>> >> >  allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file
>> >> >  read_file_perms;
>> >> > 
>> >> > +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink;
>> >> 
>> >> questionable
>> > 
>> > Why?
>> 
>> Not sure yet. other than that is looks incomplete and that i am
>> wondering why one would be bothering with this.
>> 
>> Can you tell me a bit more about this event?
>
> It's just a fifo that systemd-nspawn left lying around and tmpfiles cleaned 
> up.  My way of not bothering is to just allow it.  It doesn't seem to do any 
> harm.
>
>> >> unconfined should be unconfined.
>> > 
>> > certbot needs execmem, we generally don't want to give that to unconfined,
>> > so running certbot in a different domain seems better.
>> 
>> Those day's are long gone. Nowaday's even `grep` does execmem.
>
> grep asks for execmem but seems to work fine without it.  certbot won't 
> function without it.
>

git also wants execmem and without it some functionality does not work
(although dont ask me what exactly as i dont fully recall, i just know
that the search box in my gitweb didnt work correctly without it and
that is using git under the hood.

But aside , modern wayland compositors also need execmem (gnome,sway
etc). Execmem is just way too common these day's

>> >> But in my personal view unconfined_t shouldnt run lvm with a domain
>> >> transition in the first place (defeats the purpose of the unconfined
>> >> domain)> 
>> > I think the problem is the type transition rules.  Run lvm etc as
>> > unconfined_t and then lvm run from init etc won't be able to access it's
>> > temporary files etc.
>> 
>> why would lvm run for init have any busyness with temporary files? Seems
>> unlikely to me and nowaday's we have a lot more flexibility with
>> type-trans rules. But yes, its a bit late in the game now to change
>> this. It breaks the model though IMHO.
>
> type_transition lvm_t device_t:blk_file fixed_disk_device_t;
> type_transition lvm_t etc_t:file lvm_metadata_t;
>
> Here's a couple of the type_transition rules in the current policy that 
> indicate problems if you removed the transition to lvm_t.

k, well those could be addressed with name-based type transitions

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-20 10:07 [PATCH] misc kernel and system patches Russell Coker
2021-01-20 14:36 ` Dominick Grift
2021-01-27  4:05   ` Russell Coker
2021-01-27  6:03     ` Dominick Grift
2021-01-27  8:53       ` Russell Coker
2021-01-27 11:45         ` Dominick Grift

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git