v2 update - rework, creating interface 'init_systemd_conditional'
as suggested. This grants getattr access to the type provided.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/chronyd.te | 2 ++
policy/modules/system/init.if | 26 ++++++++++++++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 5e680d39..7ae8bb5a 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
chronyd_dgram_send_cli(chronyd_t)
chronyd_read_config(chronyd_t)
+init_systemd_conditional(chronyd_conf_t)
+
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 62ab4da8..5a0a78bf 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
allow $1 { init_script_file_type systemdunit }:service reload;
')
+
+########################################
+## <summary>
+## Allow init_t getattr permissions. Generally
+## needed for types that are used in a Condition
+## predicate.
+## </summary>
+## <param name="domain">
+## <summary>
+## type accessible by init_t
+## </summary>
+## </param>
+#
+interface(`init_systemd_conditional',`
+ gen_require(`
+ type init_t;
+ ')
+ allow init_t $1:dir search_dir_perms;
+ allow init_t $1:lnk_file read_lnk_file_perms;
+ allow init_t $1:fifo_file getattr_fifo_file_perms;
+ allow init_t $1:sock_file getattr_sock_file_perms;
+ allow init_t $1:file getattr_file_perms;
+ allow init_t $1:blk_file getattr_blk_file_perms;
+ allow init_t $1:chr_file getattr_chr_file_perms;
+')
+
########################################
## <summary>
## Allow unconfined access to send instructions to init
--
2.24.1
On 1/13/20 1:27 PM, Sugar, David wrote:
> v2 update - rework, creating interface 'init_systemd_conditional'
> as suggested. This grants getattr access to the type provided.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/chronyd.te | 2 ++
> policy/modules/system/init.if | 26 ++++++++++++++++++++++++++
> 2 files changed, 28 insertions(+)
>
> diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
> index 5e680d39..7ae8bb5a 100644
> --- a/policy/modules/services/chronyd.te
> +++ b/policy/modules/services/chronyd.te
> @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
> chronyd_dgram_send_cli(chronyd_t)
> chronyd_read_config(chronyd_t)
>
> +init_systemd_conditional(chronyd_conf_t)
> +
> optional_policy(`
> gpsd_rw_shm(chronyd_t)
> ')
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 62ab4da8..5a0a78bf 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
> allow $1 { init_script_file_type systemdunit }:service reload;
> ')
>
> +
> +########################################
> +## <summary>
> +## Allow init_t getattr permissions. Generally
> +## needed for types that are used in a Condition
> +## predicate.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## type accessible by init_t
> +## </summary>
> +## </param>
> +#
> +interface(`init_systemd_conditional',`
systemd_ConditionPath is a more preferable name.
> + gen_require(`
> + type init_t;
> + ')
> + allow init_t $1:dir search_dir_perms;
> + allow init_t $1:lnk_file read_lnk_file_perms;
> + allow init_t $1:fifo_file getattr_fifo_file_perms;
> + allow init_t $1:sock_file getattr_sock_file_perms;
> + allow init_t $1:file getattr_file_perms;
> + allow init_t $1:blk_file getattr_blk_file_perms;
> + allow init_t $1:chr_file getattr_chr_file_perms;
> +')
> +
> ########################################
> ## <summary>
> ## Allow unconfined access to send instructions to init
>
--
Chris PeBenito
On 1/21/20 8:42 AM, Chris PeBenito wrote:
> On 1/13/20 1:27 PM, Sugar, David wrote:
>> v2 update - rework, creating interface 'init_systemd_conditional'
>> as suggested. This grants getattr access to the type provided.
>>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/services/chronyd.te | 2 ++
>> policy/modules/system/init.if | 26 ++++++++++++++++++++++++++
>> 2 files changed, 28 insertions(+)
>>
>> diff --git a/policy/modules/services/chronyd.te
>> b/policy/modules/services/chronyd.te
>> index 5e680d39..7ae8bb5a 100644
>> --- a/policy/modules/services/chronyd.te
>> +++ b/policy/modules/services/chronyd.te
>> @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
>> chronyd_dgram_send_cli(chronyd_t)
>> chronyd_read_config(chronyd_t)
>> +init_systemd_conditional(chronyd_conf_t)
>> +
>> optional_policy(`
>> gpsd_rw_shm(chronyd_t)
>> ')
>> diff --git a/policy/modules/system/init.if
>> b/policy/modules/system/init.if
>> index 62ab4da8..5a0a78bf 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
>> allow $1 { init_script_file_type systemdunit }:service reload;
>> ')
>> +
>> +########################################
>> +## <summary>
>> +## Allow init_t getattr permissions. Generally
>> +## needed for types that are used in a Condition
>> +## predicate.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## type accessible by init_t
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`init_systemd_conditional',`
>
> systemd_ConditionPath is a more preferable name.
>
I'm a little confused about the suggested name. I think this interface
belongs in init.if due to the requiring of init_t. Due to this, I think
it should have the init_ prefix. I also don't think there are any camel
case interface names.
Is the name 'init_systemd_condition_path' acceptable? Or are some of my
assumptions wrong?
>
>> + gen_require(`
>> + type init_t;
>> + ')
>> + allow init_t $1:dir search_dir_perms;
>> + allow init_t $1:lnk_file read_lnk_file_perms;
>> + allow init_t $1:fifo_file getattr_fifo_file_perms;
>> + allow init_t $1:sock_file getattr_sock_file_perms;
>> + allow init_t $1:file getattr_file_perms;
>> + allow init_t $1:blk_file getattr_blk_file_perms;
>> + allow init_t $1:chr_file getattr_chr_file_perms;
>> +')
>> +
>> ########################################
>> ## <summary>
>> ## Allow unconfined access to send instructions to init
>>
>
>
On 1/21/20 9:22 AM, Sugar, David wrote:
> On 1/21/20 8:42 AM, Chris PeBenito wrote:
>> On 1/13/20 1:27 PM, Sugar, David wrote:
>>> v2 update - rework, creating interface 'init_systemd_conditional'
>>> as suggested. This grants getattr access to the type provided.
>>>
>>> Signed-off-by: Dave Sugar <[email protected]>
>>> ---
>>> policy/modules/services/chronyd.te | 2 ++
>>> policy/modules/system/init.if | 26 ++++++++++++++++++++++++++
>>> 2 files changed, 28 insertions(+)
>>>
>>> diff --git a/policy/modules/services/chronyd.te
>>> b/policy/modules/services/chronyd.te
>>> index 5e680d39..7ae8bb5a 100644
>>> --- a/policy/modules/services/chronyd.te
>>> +++ b/policy/modules/services/chronyd.te
>>> @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
>>> chronyd_dgram_send_cli(chronyd_t)
>>> chronyd_read_config(chronyd_t)
>>> +init_systemd_conditional(chronyd_conf_t)
>>> +
>>> optional_policy(`
>>> gpsd_rw_shm(chronyd_t)
>>> ')
>>> diff --git a/policy/modules/system/init.if
>>> b/policy/modules/system/init.if
>>> index 62ab4da8..5a0a78bf 100644
>>> --- a/policy/modules/system/init.if
>>> +++ b/policy/modules/system/init.if
>>> @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
>>> allow $1 { init_script_file_type systemdunit }:service reload;
>>> ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Allow init_t getattr permissions. Generally
>>> +## needed for types that are used in a Condition
>>> +## predicate.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## type accessible by init_t
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`init_systemd_conditional',`
>>
>> systemd_ConditionPath is a more preferable name.
>>
>
> I'm a little confused about the suggested name. I think this interface
> belongs in init.if due to the requiring of init_t. Due to this, I think
> it should have the init_ prefix. I also don't think there are any camel
> case interface names.
>
> Is the name 'init_systemd_condition_path' acceptable? Or are some of my
> assumptions wrong?
No, you're right, my mistake. However, this makes me reconsider the
previous discussion on this. Is it really an issue for systemd to be
able to getattr all files? Condition* works in many cases already since
systemd already has lots of access all over the filesystem.
--
Chris PeBenito