From: Henrik Grindal Bakken <[email protected]>
This is the same behavious as files_*_non_auth_types have.
---
policy/modules/kernel/files.if | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f1c9441..255d8a9 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -652,7 +652,11 @@ interface(`files_manage_non_security_files',`
attribute non_security_file_type;
')
+ manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
@@ -671,7 +675,11 @@ interface(`files_relabel_non_security_files',`
attribute non_security_file_type;
')
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
--
2.10.2
Henrik Grindal Bakken <[email protected]> writes:
> From: Henrik Grindal Bakken <[email protected]>
>
> This is the same behavious as files_*_non_auth_types have.
The rationale for changing this is that the systemd-tmpfiles rules use
files_manage_non_security_files() (and ..._relabel_...), which doesn't
work well if you use tmpfiles for somewhat more exotic paths that the
standard setup.
An alternative to this approach is to change the rules in systemd.te for
systemd_tmpfiles_t, but it seems to me like this change would be more in
line with what's done for the similar interfaces.
--
Henrik Grindal Bakken <[email protected]>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52
On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
> From: Henrik Grindal Bakken <[email protected]>
>
> This is the same behavious as files_*_non_auth_types have.
> ---
> policy/modules/kernel/files.if | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index f1c9441..255d8a9 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -652,7 +652,11 @@ interface(`files_manage_non_security_files',`
> attribute non_security_file_type;
> ')
>
> + manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
> manage_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> + manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> ')
>
> ########################################
> @@ -671,7 +675,11 @@ interface(`files_relabel_non_security_files',`
> attribute non_security_file_type;
> ')
>
> + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
> relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> ')
>
> ########################################
NAK. Access per object class is already split up across separate
interfaces, so doing this would be confusing and prevent someone from
getting file-only access.
--
Chris PeBenito
Chris PeBenito <[email protected]> writes:
> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>> From: Henrik Grindal Bakken <[email protected]>
>>
>> This is the same behavious as files_*_non_auth_types have.
[...]
> NAK. Access per object class is already split up across separate
> interfaces, so doing this would be confusing and prevent someone from
> getting file-only access.
Ok. Then I would recomment rewriting the systemd_tmpfiles_t rules a
bit, because today it has a serious amount of AVC violations for pretty
standard usage.
There are no matching interfaces for lnk_files, at least. Any
suggestions as to how to set up the tmpfiles rules?
A new interface like this:
interface(`manage_non_security_somethingsomething',`
gen_require(`
attribute non_security_file_type;
')
manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
manage_files_pattern($1, non_security_file_type, non_security_file_type)
manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
or
interface(`manage_stuff',`
manage_dirs_pattern($1, $2, $2)
manage_files_pattern($1, $2, $2)
manage_lnk_files_pattern($1, $2, $2)
manage_fifo_files_pattern($1, $2, $2)
manage_sock_files_pattern($1, $2, $2)
')
or call the manage_*_pattern() stuff directly from systemd.te?
(I guess one should add stuff for chr_file, etc)
--
Henrik Grindal Bakken <[email protected]>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52
On 1/21/20 9:06 AM, Henrik Grindal Bakken wrote:
> Chris PeBenito <[email protected]> writes:
>
>> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>>> From: Henrik Grindal Bakken <[email protected]>
>>>
>>> This is the same behavious as files_*_non_auth_types have.
>
> [...]
>
>> NAK. Access per object class is already split up across separate
>> interfaces, so doing this would be confusing and prevent someone from
>> getting file-only access.
>
> Ok. Then I would recomment rewriting the systemd_tmpfiles_t rules a
> bit, because today it has a serious amount of AVC violations for pretty
> standard usage.
Perhaps. However, it depends on what you consider standard usage.
> There are no matching interfaces for lnk_files, at least. Any
> suggestions as to how to set up the tmpfiles rules?
By adding new interfaces that are like the existing
files_manage_non_security_files() interface, but for lnk_file.
--
Chris PeBenito
Chris PeBenito <[email protected]> writes:
> On 1/21/20 9:06 AM, Henrik Grindal Bakken wrote:
>
>> Ok. Then I would recomment rewriting the systemd_tmpfiles_t rules a
>> bit, because today it has a serious amount of AVC violations for pretty
>> standard usage.
>
> Perhaps. However, it depends on what you consider standard usage.
I suppose. It might not be standard out-of-the-distro-box, but it
supports managing all of these classes of files, and I would've
preferred my policy to support that.
>> There are no matching interfaces for lnk_files, at least. Any
>> suggestions as to how to set up the tmpfiles rules?
>
> By adding new interfaces that are like the existing
> files_manage_non_security_files() interface, but for lnk_file.
Ok. Is there interest in a patch for that, or should I just conjure up
something locally that works for me?
--
Henrik Grindal Bakken <[email protected]>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52
On 1/22/20 3:24 PM, Henrik Grindal Bakken wrote:
> Chris PeBenito <[email protected]> writes:
>> On 1/21/20 9:06 AM, Henrik Grindal Bakken wrote:
>>> There are no matching interfaces for lnk_files, at least. Any
>>> suggestions as to how to set up the tmpfiles rules?
>>
>> By adding new interfaces that are like the existing
>> files_manage_non_security_files() interface, but for lnk_file.
>
> Ok. Is there interest in a patch for that, or should I just conjure up
> something locally that works for me?
I'd take a patch that adds that and calls it in the
systemd_tmpfiles_manage_all tunable block.
--
Chris PeBenito