2019-01-02 08:45:14

by Russell Coker

Subject: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

Lots of little stuff.

Also the sysnet_dns_name_resolve() change the previous patch needed.

Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
@@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)

fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
optional_policy(`
nscd_use($1)
')
+ optional_policy(`
+ # for /etc/resolv.conf symlink
+ networkmanager_read_pid_files($1)
+ ')

ifdef(`init_systemd',`
optional_policy(`
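Review bot: The new `networkmanager_read_pid_files($1)` block grants every caller of `sysnet_dns_name_resolve` read access to all of NetworkManager's runtime files, while the comment above it says the intent is only to follow the /etc/resolv.conf symlink. Because this interface is pulled in by most networked domains, the widening is policy-wide rather than local to one daemon; if NetworkManager exposes a narrower interface for that file, prefer it, and otherwise the comment should state the real scope, e.g. `# /etc/resolv.conf may point into NetworkManager's pid dir; this grants read on all of it`. The interface body continues outside the hunk.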
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
allow dhcpc_t dhcp_state_t:file read_file_perms;
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;

# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)

logging_send_syslog_msg(ifconfig_t)

+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
miscfiles_read_localization(ifconfig_t)

seutil_use_runinit_fds(ifconfig_t)
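Review bot: The added `miscfiles_read_generic_certs(dhcpc_t)` is placed in the ifconfig_t local policy section (every surrounding rule at `@@ -339` is for `ifconfig_t`), so someone auditing what dhcpc_t may read will not find it there. It belongs in the dhcpc_t local policy section that the first hunk of this file (`@@ -68`) edits, with the `# dhclient reads /etc/ssl` comment moved along with it. The comment could also name the dhclient feature that needs certificates, since that is not evident from the rule alone.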
Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
+++ refpolicy-2.20180701/policy/modules/services/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
# Local policy
#

-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
#

allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_fifo_file_perms;
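Review bot: The widened `dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };` silences a net_admin check without recording what triggers it, and a capability dontaudit also hides any future genuine need for that capability from the audit log. A one-line comment naming the source lets later maintainers judge whether it is still a harmless probe, e.g. `# net_admin: spurious check from <caller seen in the denial>, no functional need`. The same applies to the matching useradd_t change at `@@ -446`.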
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)

optional_policy(`
+ dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
@@ -269,6 +273,10 @@ optional_policy(`
rpm_rw_pipes(groupadd_t)
')

+optional_policy(`
+ unconfined_use_fds(groupadd_t)
+')
+
########################################
#
# Passwd local policy
@@ -446,7 +454,7 @@ optional_policy(`
#

allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -538,6 +546,10 @@ optional_policy(`
')

optional_policy(`
+ dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
@@ -560,3 +572,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
+
+optional_policy(`
+ unconfined_use_fds(useradd_t)
+')
Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`

files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- allow $1 apt_var_cache_t:file read_file_perms;
+ allow $1 apt_var_cache_t:file mmap_read_file_perms;
')

########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`

files_search_var($1)
allow $1 apt_var_cache_t:dir manage_dir_perms;
- allow $1 apt_var_cache_t:file manage_file_perms;
+ allow $1 apt_var_cache_t:file { manage_file_perms map };
')

########################################
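Review bot: `{ manage_file_perms map }` in `apt_manage_cache` spells the permission set out by hand, whereas the sibling change to `apt_read_cache` in the hunk above uses the predefined `mmap_read_file_perms` set. If this refpolicy version defines the matching `mmap_manage_file_perms` set, prefer it here for consistency; if not, a short comment on the line naming which apt component maps the cache files would make the added permission reviewable. The interface body begins outside the hunk.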
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
@@ -317,6 +317,10 @@ optional_policy(`
')

optional_policy(`
+ init_dbus_chat(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')

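Review bot: `init_dbus_chat(dpkg_script_t)` allows two-way D-Bus messaging with init for every package maintainer script, yet the hunk carries no comment on what needed it. Since this is a broad grant to a domain that executes third-party script content, a comment recording the observed trigger helps later review, e.g. `# maintainer scripts talk to init over the system bus (presumably systemctl calls) - confirm`.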
Index: refpolicy-2.20180701/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/udev.te
+++ refpolicy-2.20180701/policy/modules/system/udev.te
@@ -306,10 +306,6 @@ optional_policy(`
')

optional_policy(`
- lvm_domtrans(udev_t)
-')
-
-optional_policy(`
fstools_domtrans(udev_t)
')

@@ -328,6 +324,11 @@ optional_policy(`
')

optional_policy(`
+ iptables_domtrans(udev_t)
+ iptables_write_pipe(udev_t)
+')
+
+optional_policy(`
lvm_domtrans(udev_t)
')

Index: refpolicy-2.20180701/policy/modules/system/iptables.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
+++ refpolicy-2.20180701/policy/modules/system/iptables.if
@@ -25,6 +25,24 @@ interface(`iptables_domtrans',`

########################################
## <summary>
+## Allow iptables to write to a pipe
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be written to
+## </summary>
+## </param>
+#
+interface(`iptables_write_pipe',`
+ gen_require(`
+ type iptables_t;
+ ')
+
+ allow iptables_t $1:fifo_file write;
+')
+
+########################################
+## <summary>
## Execute iptables in the iptables domain, and
## allow the specified role the iptables domain.
## </summary>
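Review bot: The `<param name="domain">` summary `Domain to be written to` describes the wrong object: the rule `allow iptables_t $1:fifo_file write;` writes to a fifo labelled with the domain's type, not to the domain itself. Suggest `Domain whose pipe iptables writes to`, and likewise the interface summary should say which pipe is meant rather than the generic `Allow iptables to write to a pipe`.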
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
fs_getattr_tmpfs(logrotate_t)
+# killall reads nsfs files
+fs_read_nsfs_files(logrotate_t)

mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
Index: refpolicy-2.20180701/policy/modules/services/gpm.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
+++ refpolicy-2.20180701/policy/modules/services/gpm.if
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
')

dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')

########################################


2019-01-03 00:27:53

by Chris PeBenito

Subject: Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

On 1/2/19 3:45 AM, Russell Coker wrote:
> Lots of little stuff.
>
> Also the sysnet_dns_name_resolve() change the previous patch needed.
>
[...]

> --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
> # Local policy
> #
>
> -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };

Since you're getting the dac_read_search denial, the dac_override
probably isn't necessary anymore. Can you retest without it?



[...]
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20180701/policy/modules/system/udev.te
[...]

> @@ -328,6 +324,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + iptables_domtrans(udev_t)
> + iptables_write_pipe(udev_t)

I'm not clear why this separate pipe interface is necessary, as that
access should be provided by the domtrans interface already.


> --- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
> +++ refpolicy-2.20180701/policy/modules/system/iptables.if
> @@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
>
> ########################################
> ## <summary>
> +## Allow iptables to write to a pipe
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to be written to
> +## </summary>
> +## </param>
> +#
> +interface(`iptables_write_pipe',`

Should be iptables_write_inherited_pipe().

> + gen_require(`
> + type iptables_t;
> + ')
> +
> + allow iptables_t $1:fifo_file write;
> +')
> +

--
Chris PeBenito

2019-01-03 05:16:18

by Jason Zaman

Subject: Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

On Wed, Jan 02, 2019 at 07:07:19PM -0500, Chris PeBenito wrote:
> On 1/2/19 3:45 AM, Russell Coker wrote:
> > Lots of little stuff.
> >
> > Also the sysnet_dns_name_resolve() change the previous patch needed.
> >
> [...]
>
> > --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> > +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> > @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
> > # Local policy
> > #
> >
> > -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> > +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
>
> Since you're getting the dac_read_search denial, the dac_override
> probably isn't necessary anymore. Can you retest without it?

No, consolekit definitely needs dac_override. It needs to be able to
nuke /run/user/1000/*. It perhaps doesn't need to read, only nuke, but I'd
say granting the perm instead of dontaudit makes things easier if doing
semodule -DB.
>
>
>
> [...]
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> > +++ refpolicy-2.20180701/policy/modules/system/udev.te
> [...]
>
> > @@ -328,6 +324,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + iptables_domtrans(udev_t)
> > + iptables_write_pipe(udev_t)
>
> I'm not clear why this separate pipe interface is necessary, as that
> access should be provided by the domtrans interface already.
>
>
> > --- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
> > +++ refpolicy-2.20180701/policy/modules/system/iptables.if
> > @@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
> >
> > ########################################
> > ## <summary>
> > +## Allow iptables to write to a pipe
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain to be written to
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`iptables_write_pipe',`
>
> Should be iptables_write_inherited_pipe().
>
> > + gen_require(`
> > + type iptables_t;
> > + ')
> > +
> > + allow iptables_t $1:fifo_file write;
> > +')
> > +
>
> --
> Chris PeBenito

2019-01-04 07:06:46

by Russell Coker

Subject: Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

On Thursday, 3 January 2019 4:16:14 PM AEDT Jason Zaman wrote:
> > > -allow consolekit_t self:capability { chown dac_override fowner setgid
> > > setuid sys_admin sys_nice sys_ptrace sys_tty_config }; +allow
> > > consolekit_t self:capability { chown dac_override dac_read_search
> > > fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };>
> > Since you're getting the dac_read_search denial, the dac_override
> > probably isn't necessary anymore. Can you retest without it?
>
> No, consolekit definitely needs dac_override. It needs to be able to
> nuke /run/user/1000/*. it perhaps doesnt need to read only nuke but i'd
> say grant the perm instead of dontaudit makes things easier if doing
> semodule -DB.

Thanks for that comment.

As an aside we might consider a policy of having all capabilities documented
in future. For the existing policy it's going to be an unpleasant task to
comment things. But for greenfields stuff I think it makes sense to require
it.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/