This is adding an interface to perform a filetrans when creating
systemd unit files (in systemd_unit_t directory). Something like this
is required if creating new unit files for systemd and you want them
to have something other than the generic systemd_unit_t type.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/init.if | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 5beb21e9..caed4867 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3040,6 +3040,40 @@ interface(`init_reload_all_units',`
allow $1 { init_script_file_type systemdunit }:service reload;
')
+########################################
+## <summary>
+## Create systemd_unit_t objects with a private
+## type using a type_transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object classes to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_unit_filetrans',`
+ gen_require(`
+ type systemd_unit_t;
+ ')
+
+ filetrans_pattern($1, systemd_unit_t, $2, $3, $4)
+')
+
########################################
## <summary>
## Allow unconfined access to send instructions to init
--
2.20.1
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/iptables.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 725a6a3d..a36277a6 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -183,6 +183,25 @@ interface(`iptables_dontaudit_read_pids',`
dontaudit $1 iptables_runtime_t:file read;
')
+########################################
+## <summary>
+## Allow specified domain to start and stop iptables service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iptables_startstop',`
+ gen_require(`
+ type iptables_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 iptables_unit_t:service { start stop };
+')
+
########################################
## <summary>
## Allow specified domain to get status of iptables service
--
2.20.1
ClamAV configuration controls where temporary files are stored.
Default is /tmp but the configuration option 'TemporaryDirectory'
allows for this location to be changed. This change allows for
the type of this directory to be something other than 'tmp_t'
and have files created in this directory still be clamd_tmp_t.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
policy/modules/services/clamav.te | 2 ++
2 files changed, 31 insertions(+)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 7b6df49e..a8d1603c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
typeattribute $1 clam_scannable_type;
')
+#######################################
+## <summary>
+## Denote a particular directory type to
+## be a temporary working directory for ClamAV
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to be a directory to be
+## used by ClamAV for temp files. This is only needed
+## if the TemporaryDirectory in the clamd.conf is
+## modified to point to a directory that is not already
+## labeled tmp_t.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type of directory to hold clamd temp files.
+## </summary>
+## </param>
+#
+interface(`clamav_temp_dir',`
+ gen_require(`
+ attribute clam_tmp_type;
+ ')
+
+ typeattribute $1 clam_tmp_type;
+')
+
+
########################################
## <summary>
## Allow specified domain to enable clamd units
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 84a0bc76..6fc9cc7e 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
# Declarations
#
attribute clam_scannable_type;
+attribute clam_tmp_type;
type clamd_t;
type clamd_exec_t;
@@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
--
2.20.1
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 9c70afc9..740b3a92 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -268,6 +268,27 @@ interface(`systemd_read_machines',`
allow $1 systemd_machined_var_run_t:file read_file_perms;
')
+########################################
+## <summary>
+## Send and receive messages from
+## systemd hostnamed over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_hostnamed',`
+ gen_require(`
+ type systemd_hostnamed_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_hostnamed_t:dbus send_msg;
+ allow systemd_hostnamed_t $1:dbus send_msg;
+')
+
########################################
## <summary>
## allow systemd_passwd_agent to inherit fds
--
2.20.1
hostnamectl updates /etc/hostname.
This change is setting up a private type for the file /etc/hostname (was etc_t)
and granting hostnamectl permission to edit this file. Note that hostnamectl
is initially creating a new file .#hostname????? which is why the create
permissions are requied.
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.fc | 1 +
policy/modules/system/systemd.te | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index eefcfaf1..2277fc1e 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -1,3 +1,4 @@
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
/etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0)
/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5f7dc1b..3704b756 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -77,6 +77,9 @@ type systemd_detect_virt_t;
type systemd_detect_virt_exec_t;
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+type hostname_etc_t;
+files_config_file(hostname_etc_t)
+
type systemd_hostnamed_t;
type systemd_hostnamed_exec_t;
init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
@@ -317,10 +320,13 @@ seutil_search_default_contexts(systemd_coredump_t)
# Hostnamed policy
#
+allow systemd_hostnamed_t hostname_etc_t:file manage_file_perms;
+
kernel_read_kernel_sysctls(systemd_hostnamed_t)
dev_read_sysfs(systemd_hostnamed_t)
+files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
files_read_etc_files(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
--
2.20.1
Are we really gaining anything from not using net_conf_t? Yes writing to
net_conf_t allows doing more things than changing the hostname, but changing
the hostname is a privileged operation anyway.
Are we getting a benefit to make up for the increase in types?
On Saturday, 12 January 2019 2:30:54 AM AEDT Sugar, David wrote:
> hostnamectl updates /etc/hostname.
> This change is setting up a private type for the file /etc/hostname (was
> etc_t) and granting hostnamectl permission to edit this file. Note that
> hostnamectl is initially creating a new file .#hostname????? which is why
> the create permissions are requied.
>
> type=AVC msg=audit(1547039052.041:563): avc: denied { write } for
> pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
> msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t"
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
> msg=audit(1547039052.041:563): avc: denied { create } for pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t"
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC
> msg=audit(1547039052.041:563): avc: denied { write } for pid=7564
> comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL
> msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8
> a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=4294967295 comm="systemd-hostnam"
> exe="/usr/lib/systemd/systemd-hostnamed"
> subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC
> msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL
> msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0
> a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed"
> subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC
> msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
> msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564
> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC
> msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564
> comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712
> scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/systemd.fc | 1 +
> policy/modules/system/systemd.te | 6 ++++++
> 2 files changed, 7 insertions(+)
>
> diff --git a/policy/modules/system/systemd.fc
> b/policy/modules/system/systemd.fc index eefcfaf1..2277fc1e 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -1,3 +1,4 @@
> +/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
> /etc/udev/hwdb\.bin --
gen_context(system_u:object_r:systemd_hwdb_t,s0)
>
> /run/log/journal(/.*)?
gen_context(system_u:object_r:systemd_journal_t,s
> 0) diff --git a/policy/modules/system/systemd.te
> b/policy/modules/system/systemd.te index f5f7dc1b..3704b756 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -77,6 +77,9 @@ type systemd_detect_virt_t;
> type systemd_detect_virt_exec_t;
> init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
>
> +type hostname_etc_t;
> +files_config_file(hostname_etc_t)
> +
> type systemd_hostnamed_t;
> type systemd_hostnamed_exec_t;
> init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
> @@ -317,10 +320,13 @@ seutil_search_default_contexts(systemd_coredump_t)
> # Hostnamed policy
> #
>
> +allow systemd_hostnamed_t hostname_etc_t:file manage_file_perms;
> +
> kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> dev_read_sysfs(systemd_hostnamed_t)
>
> +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
> files_read_etc_files(systemd_hostnamed_t)
>
> seutil_read_file_contexts(systemd_hostnamed_t)
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On 1/11/19 8:11 PM, Russell Coker wrote:
> Are we really gaining anything from not using net_conf_t? Yes writing to
> net_conf_t allows doing more things than changing the hostname, but changing
> the hostname is a privileged operation anyway.
>
> Are we getting a benefit to make up for the increase in types?
>
Only that I didn't think of using net_conf_t in this instance. And that
is probably a reasonable type to use for /etc/hostname. I will resubmit
this patch with that change.
> On Saturday, 12 January 2019 2:30:54 AM AEDT Sugar, David wrote:
>> hostnamectl updates /etc/hostname.
>> This change is setting up a private type for the file /etc/hostname (was
>> etc_t) and granting hostnamectl permission to edit this file. Note that
>> hostnamectl is initially creating a new file .#hostname????? which is why
>> the create permissions are requied.
>>
>> type=AVC msg=audit(1547039052.041:563): avc: denied { write } for
>> pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
>> msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t"
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
>> msg=audit(1547039052.041:563): avc: denied { create } for pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t"
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC
>> msg=audit(1547039052.041:563): avc: denied { write } for pid=7564
>> comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL
>> msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8
>> a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> tty=(none) ses=4294967295 comm="systemd-hostnam"
>> exe="/usr/lib/systemd/systemd-hostnamed"
>> subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC
>> msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL
>> msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0
>> a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0
>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>> comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed"
>> subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC
>> msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC
>> msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564
>> comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC
>> msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564
>> comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712
>> scontext=system_u:system_r:systemd_hostnamed_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
>>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/system/systemd.fc | 1 +
>> policy/modules/system/systemd.te | 6 ++++++
>> 2 files changed, 7 insertions(+)
>>
>> diff --git a/policy/modules/system/systemd.fc
>> b/policy/modules/system/systemd.fc index eefcfaf1..2277fc1e 100644
>> --- a/policy/modules/system/systemd.fc
>> +++ b/policy/modules/system/systemd.fc
>> @@ -1,3 +1,4 @@
>> +/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
>> /etc/udev/hwdb\.bin --
> gen_context(system_u:object_r:systemd_hwdb_t,s0)
>>
>> /run/log/journal(/.*)?
> gen_context(system_u:object_r:systemd_journal_t,s
>> 0) diff --git a/policy/modules/system/systemd.te
>> b/policy/modules/system/systemd.te index f5f7dc1b..3704b756 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -77,6 +77,9 @@ type systemd_detect_virt_t;
>> type systemd_detect_virt_exec_t;
>> init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
>>
>> +type hostname_etc_t;
>> +files_config_file(hostname_etc_t)
>> +
>> type systemd_hostnamed_t;
>> type systemd_hostnamed_exec_t;
>> init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
>> @@ -317,10 +320,13 @@ seutil_search_default_contexts(systemd_coredump_t)
>> # Hostnamed policy
>> #
>>
>> +allow systemd_hostnamed_t hostname_etc_t:file manage_file_perms;
>> +
>> kernel_read_kernel_sysctls(systemd_hostnamed_t)
>>
>> dev_read_sysfs(systemd_hostnamed_t)
>>
>> +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
>> files_read_etc_files(systemd_hostnamed_t)
>>
>> seutil_read_file_contexts(systemd_hostnamed_t)
>
>
On 1/11/19 10:30 AM, Sugar, David wrote:
> This is adding an interface to perform a filetrans when creating
> systemd unit files (in systemd_unit_t directory). Something like this
> is required if creating new unit files for systemd and you want them
> to have something other than the generic systemd_unit_t type.
I'm not against this change, but why wouldn't they be installed by the
package manager? It seems less likely that this would be otherwise needed.
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/init.if | 34 ++++++++++++++++++++++++++++++++++
> 1 file changed, 34 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 5beb21e9..caed4867 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3040,6 +3040,40 @@ interface(`init_reload_all_units',`
> allow $1 { init_script_file_type systemdunit }:service reload;
> ')
>
> +########################################
> +## <summary>
> +## Create systemd_unit_t objects with a private
> +## type using a type_transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="file_type">
> +## <summary>
> +## Private file type.
> +## </summary>
> +## </param>
> +## <param name="class">
> +## <summary>
> +## Object classes to be created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`init_unit_filetrans',`
> + gen_require(`
> + type systemd_unit_t;
> + ')
> +
> + filetrans_pattern($1, systemd_unit_t, $2, $3, $4)
> +')
> +
> ########################################
> ## <summary>
> ## Allow unconfined access to send instructions to init
>
--
Chris PeBenito
On 1/11/19 10:30 AM, Sugar, David wrote:
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/iptables.if | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index 725a6a3d..a36277a6 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -183,6 +183,25 @@ interface(`iptables_dontaudit_read_pids',`
> dontaudit $1 iptables_runtime_t:file read;
> ')
>
> +########################################
> +## <summary>
> +## Allow specified domain to start and stop iptables service
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`iptables_startstop',`
> + gen_require(`
> + type iptables_unit_t;
> + class service { start stop };
> + ')
> +
> + allow $1 iptables_unit_t:service { start stop };
> +')
> +
> ########################################
> ## <summary>
> ## Allow specified domain to get status of iptables service
Merged.
--
Chris PeBenito
On 1/11/19 10:30 AM, Sugar, David wrote:
> ClamAV configuration controls where temporary files are stored.
> Default is /tmp but the configuration option 'TemporaryDirectory'
> allows for this location to be changed. This change allows for
> the type of this directory to be something other than 'tmp_t'
> and have files created in this directory still be clamd_tmp_t.
In this case, it would seem to be more appropriate to simply label this
alternative tmp directory as clamd_tmp_t.
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
> policy/modules/services/clamav.te | 2 ++
> 2 files changed, 31 insertions(+)
>
> diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
> index 7b6df49e..a8d1603c 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
> typeattribute $1 clam_scannable_type;
> ')
>
> +#######################################
> +## <summary>
> +## Denote a particular directory type to
> +## be a temporary working directory for ClamAV
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to be a directory to be
> +## used by ClamAV for temp files. This is only needed
> +## if the TemporaryDirectory in the clamd.conf is
> +## modified to point to a directory that is not already
> +## labeled tmp_t.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type of directory to hold clamd temp files.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_temp_dir',`
> + gen_require(`
> + attribute clam_tmp_type;
> + ')
> +
> + typeattribute $1 clam_tmp_type;
> +')
> +
> +
> ########################################
> ## <summary>
> ## Allow specified domain to enable clamd units
> diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
> index 84a0bc76..6fc9cc7e 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
> # Declarations
> #
> attribute clam_scannable_type;
> +attribute clam_tmp_type;
>
> type clamd_t;
> type clamd_exec_t;
> @@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
> manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
> manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
> files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
> +filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
>
> manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
> manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
>
--
Chris PeBenito
On 1/12/19 2:30 PM, Chris PeBenito wrote:
> On 1/11/19 10:30 AM, Sugar, David wrote:
>> This is adding an interface to perform a filetrans when creating
>> systemd unit files (in systemd_unit_t directory). Something like this
>> is required if creating new unit files for systemd and you want them
>> to have something other than the generic systemd_unit_t type.
>
> I'm not against this change, but why wouldn't they be installed by the
> package manager? It seems less likely that this would be otherwise needed.
>
>
In this case the service files were being created by a system
configuration program. I have updated the way this works to have
default service files installed by the package manager and the service
disabled. Then the configuration program just updates as needed and
enables the service. This will work without this change in reference
policy.
This patch can be discarded.
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/system/init.if | 34 ++++++++++++++++++++++++++++++++++
>> 1 file changed, 34 insertions(+)
>>
>> diff --git a/policy/modules/system/init.if
>> b/policy/modules/system/init.if
>> index 5beb21e9..caed4867 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -3040,6 +3040,40 @@ interface(`init_reload_all_units',`
>> allow $1 { init_script_file_type systemdunit }:service reload;
>> ')
>> +########################################
>> +## <summary>
>> +## Create systemd_unit_t objects with a private
>> +## type using a type_transition.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +## <param name="file_type">
>> +## <summary>
>> +## Private file type.
>> +## </summary>
>> +## </param>
>> +## <param name="class">
>> +## <summary>
>> +## Object classes to be created.
>> +## </summary>
>> +## </param>
>> +## <param name="name" optional="true">
>> +## <summary>
>> +## The name of the object being created.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`init_unit_filetrans',`
>> + gen_require(`
>> + type systemd_unit_t;
>> + ')
>> +
>> + filetrans_pattern($1, systemd_unit_t, $2, $3, $4)
>> +')
>> +
>> ########################################
>> ## <summary>
>> ## Allow unconfined access to send instructions to init
>>
>
>
On 1/12/19 2:34 PM, Chris PeBenito wrote:
> On 1/11/19 10:30 AM, Sugar, David wrote:
>> ClamAV configuration controls where temporary files are stored.
>> Default is /tmp but the configuration option 'TemporaryDirectory'
>> allows for this location to be changed. This change allows for
>> the type of this directory to be something other than 'tmp_t'
>> and have files created in this directory still be clamd_tmp_t.
>
> In this case, it would seem to be more appropriate to simply label this
> alternative tmp directory as clamd_tmp_t.
>
In this case the directory wasn't labeled clamd_tmp_t and was labeled
for primary access by program controlling files sent to clamd. I was
just adding this as a directory for clam to use as temp files also. I
have altered the configuration a bit more to make the temp directory for
clam elsewhere (on the same partition) and labeled it clamd_tmp_t. This
should work for our use case at this point without this patch. And this
patch can be ignored.
>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/services/clamav.if | 29 +++++++++++++++++++++++++++++
>> policy/modules/services/clamav.te | 2 ++
>> 2 files changed, 31 insertions(+)
>>
>> diff --git a/policy/modules/services/clamav.if
>> b/policy/modules/services/clamav.if
>> index 7b6df49e..a8d1603c 100644
>> --- a/policy/modules/services/clamav.if
>> +++ b/policy/modules/services/clamav.if
>> @@ -225,6 +225,35 @@ interface(`clamav_scannable_files',`
>> typeattribute $1 clam_scannable_type;
>> ')
>> +#######################################
>> +## <summary>
>> +## Denote a particular directory type to
>> +## be a temporary working directory for ClamAV
>> +## </summary>
>> +## <desc>
>> +## <p>
>> +## Allow the specified domain to be a directory to be
>> +## used by ClamAV for temp files. This is only needed
>> +## if the TemporaryDirectory in the clamd.conf is
>> +## modified to point to a directory that is not already
>> +## labeled tmp_t.
>> +## </p>
>> +## </desc>
>> +## <param name="domain">
>> +## <summary>
>> +## Type of directory to hold clamd temp files.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`clamav_temp_dir',`
>> + gen_require(`
>> + attribute clam_tmp_type;
>> + ')
>> +
>> + typeattribute $1 clam_tmp_type;
>> +')
>> +
>> +
>> ########################################
>> ## <summary>
>> ## Allow specified domain to enable clamd units
>> diff --git a/policy/modules/services/clamav.te
>> b/policy/modules/services/clamav.te
>> index 84a0bc76..6fc9cc7e 100644
>> --- a/policy/modules/services/clamav.te
>> +++ b/policy/modules/services/clamav.te
>> @@ -28,6 +28,7 @@ gen_tunable(clamd_use_jit, false)
>> # Declarations
>> #
>> attribute clam_scannable_type;
>> +attribute clam_tmp_type;
>> type clamd_t;
>> type clamd_exec_t;
>> @@ -88,6 +89,7 @@ read_lnk_files_pattern(clamd_t, clamd_etc_t,
>> clamd_etc_t)
>> manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
>> manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
>> files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
>> +filetrans_pattern(clamd_t, clam_tmp_type, clamd_tmp_t, { file dir })
>> manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
>> manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
>>
>
>