Date:   Fri, 4 Jan 2019 18:51:18 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] systemd related interfaces
Message-ID: <20190104075118.GA11721@aaa.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk

This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.

Index: refpolicy-2.20180701/policy/modules/admin/sudo.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/sudo.if
+++ refpolicy-2.20180701/policy/modules/admin/sudo.if
@@ -154,6 +154,9 @@ template(`sudo_role_template',`
 
 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
+		ifdef(`init_systemd',`
+			init_dbus_chat($1_sudo_t)
+		')
 	')
 
 	optional_policy(`
Index: refpolicy-2.20180701/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20180701/policy/modules/services/dbus.if
@@ -318,6 +318,25 @@ interface(`dbus_read_lib_files',`
 
 ########################################
 ## <summary>
+##	Relabel system dbus lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_relabel_lib_dirs',`
+	gen_require(`
+		type system_dbusd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 system_dbusd_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	system dbus lib files.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/init.if
+++ refpolicy-2.20180701/policy/modules/system/init.if
@@ -1134,6 +1134,25 @@ interface(`init_dbus_chat',`
 
 ########################################
 ## <summary>
+##      read/follow symlinks under /var/lib/systemd/
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_read_var_lib_links',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	allow $1 init_var_lib_t:dir list_dir_perms;
+	allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##      List /var/lib/systemd/ dir
 ## </summary>
 ## <param name="domain">
@@ -1304,23 +1323,13 @@ interface(`init_pid_filetrans',`
 ## </param>
 #
 interface(`init_getattr_initctl',`
-	ifdef(`init_systemd',`
-		# stat /run/systemd/initctl/fifo
-		gen_require(`
-			type init_var_run_t;
-		')
-
-		allow $1 init_var_run_t:fifo_file getattr;
-		allow $1 init_var_run_t:dir list_dir_perms;
-	',`
-		gen_require(`
-			type initctl_t;
-		')
-
-		dev_list_all_dev_nodes($1)
-		files_search_pids($1)
-		allow $1 initctl_t:fifo_file getattr;
+	gen_require(`
+		type initctl_t;
 	')
+
+	files_search_pids($1)
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file getattr;
 ')
 
 ########################################
@@ -1859,6 +1868,25 @@ interface(`init_ptrace',`
 
 ########################################
 ## <summary>
+##	get init process stats
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_getattr',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process getattr;
+')
+
+########################################
+## <summary>
 ##	Write an init script unnamed pipe.
 ## </summary>
 ## <param name="domain">
@@ -2822,6 +2850,25 @@ interface(`init_search_units',`
 	fs_search_tmpfs($1)
 ')
 
+######################################
+## <summary>
+##	read systemd unit lnk files (usually under /run/systemd/units/)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_unit_links',`
+	gen_require(`
+		type init_var_run_t, systemd_unit_t;
+	')
+
+	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+	allow $1 init_var_run_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get status of generic systemd units.
@@ -3030,3 +3077,21 @@ interface(`init_admin',`
 	init_stop_system($1)
 	init_telinit($1)
 ')
+
+########################################
+## <summary>
+##      Allow getting init_t rlimit
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Source domain
+##      </summary>
+## </param>
+#
+interface(`init_getrlimit',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process getrlimit;
+')
Index: refpolicy-2.20180701/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20180701/policy/modules/system/systemd.if
@@ -307,6 +307,8 @@ interface(`systemd_use_passwd_agent',`
 	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
 
 	allow systemd_passwd_agent_t $1:process signull;
+	allow systemd_passwd_agent_t $1:dir search;
+	allow systemd_passwd_agent_t $1:file read_file_perms;
 	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
 ')
 
@@ -828,3 +830,22 @@ interface(`systemd_getattr_updated_runti
 
 	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
 ')
+
+#######################################
+## <summary>
+##  Allow domain to list dirs under /run/systemd/netif
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain permitted the access
+## </summary>
+## </param>
+#
+interface(`systemd_list_netif',`
+	gen_require(`
+		type systemd_networkd_var_run_t;
+	')
+
+	init_list_pids($1)
+	allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
+')
Index: refpolicy-2.20180701/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
+++ refpolicy-2.20180701/policy/modules/services/ntp.te
@@ -142,6 +142,8 @@ ifdef(`init_systemd',`
 	dbus_connect_system_bus(ntpd_t)
 	init_dbus_chat(ntpd_t)
 	init_get_system_status(ntpd_t)
+	# for /var/lib/systemd/timesync
+	init_read_var_lib_links(ntpd_t)
 	allow ntpd_t self:capability { fowner setpcap };
 	init_read_state(ntpd_t)
 	init_reload(ntpd_t)
@@ -150,7 +152,7 @@ ifdef(`init_systemd',`
 	init_list_var_lib_dirs(ntpd_t)
 
 	# for /run/systemd/netif/links
-	init_list_pids(ntpd_t)
+	systemd_list_netif(ntpd_t)
 
 	optional_policy(`
 		unconfined_dbus_send(ntpd_t)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -736,6 +736,7 @@ term_setattr_generic_ptys(systemd_nspawn
 term_use_ptmx(systemd_nspawn_t)
 
 init_domtrans_script(systemd_nspawn_t)
+init_getrlimit(systemd_nspawn_t)
 init_kill_scripts(systemd_nspawn_t)
 init_read_state(systemd_nspawn_t)
 init_search_run(systemd_nspawn_t)
@@ -1027,6 +1028,7 @@ tunable_policy(`systemd_tmpfiles_manage_
 
 optional_policy(`
 	dbus_read_lib_files(systemd_tmpfiles_t)
+	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/logging.te
+++ refpolicy-2.20180701/policy/modules/system/logging.te
@@ -541,15 +541,19 @@ ifdef(`init_systemd',`
 	dev_read_urand(syslogd_t)
 	dev_write_kmsg(syslogd_t)
 
+	domain_getattr_all_domains(syslogd_t)
 	domain_read_all_domains_state(syslogd_t)
 
 	init_create_pid_dirs(syslogd_t)
 	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+	init_getattr(syslogd_t)
 	init_rename_pid_files(syslogd_t)
 	init_delete_pid_files(syslogd_t)
 	init_dgram_send(syslogd_t)
 	init_read_pid_pipes(syslogd_t)
 	init_read_state(syslogd_t)
+	# for /run/systemd/units/invocation:* links
+	init_read_unit_links(syslogd_t)
 
 	systemd_manage_journal_files(syslogd_t)