Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,LONGWORDS,MAILING_LIST_MULTI, SPF_PASS,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4DE2C43387 for ; Fri, 4 Jan 2019 07:54:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 88875208E3 for ; Fri, 4 Jan 2019 07:54:33 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="bv/NVvuC" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725984AbfADHyd (ORCPT ); Fri, 4 Jan 2019 02:54:33 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:40268 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725931AbfADHyd (ORCPT ); Fri, 4 Jan 2019 02:54:33 -0500 Received: from liv.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 5DD40EFEB for ; Fri, 4 Jan 2019 18:54:30 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546588471; bh=Wu3m8w9WKnFDOYmkbJHa4sjk13Ok+SjgQtc6QDviKmk=; l=12869; h=Date:From:To:Subject:From; b=bv/NVvuCcSFgsyr6vtgXYq6u/ii5dkXL1ps93cABgc3SvIVgDvRvnrQilHZgU92lk 93oZXkR7dna2IJ/37Jb4/L/rtartc32CxwzI7YAKHXa9Ruhn0y+n0hbe8cAbI4UAHR YVnF0DNKu+CfhIFwytFmba2VSxq3yT/kinz3qnF4= Received: by liv.coker.com.au (Postfix, from userid 1000) id AD0282D1EA6; Fri, 4 Jan 2019 18:54:22 +1100 (AEDT) Date: Fri, 4 Jan 2019 18:54:22 +1100 
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] systemd misc
Message-ID: <20190104075422.GB11721@aaa.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: selinux-refpolicy@vger.kernel.org
This patch has policy changes related to systemd and the systemd versions of system programs. Also has some dbus policy which probably isn't strictly a systemd thing, but it all came at the same time.
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -38,6 +38,8 @@ role system_r types logrotate_mail_t;
 #
 allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# systemctl asks for net_admin
+dontaudit logrotate_t self:capability net_admin;
 allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -378,6 +378,10 @@ optional_policy(`
 ')
 optional_policy(`
+	init_dbus_chat(crond_t)
+')
+
+optional_policy(`
 	unconfined_dbus_send(crond_t)
 ')
 ')
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t)
 domain_use_interactive_fds(NetworkManager_t)
 domain_read_all_domains_state(NetworkManager_t)
+# /etc/resolv.conf is a symlink written by NM
+files_manage_etc_symlinks(NetworkManager_t)
 files_read_etc_runtime_files(NetworkManager_t)
 files_read_usr_files(NetworkManager_t)
 files_read_usr_src_files(NetworkManager_t)
@@ -346,6 +348,7 @@ optional_policy(`
 ')
 optional_policy(`
+	systemd_read_logind_pids(NetworkManager_t)
 	systemd_read_logind_sessions_files(NetworkManager_t)
 	systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
 ')
Index: refpolicy-2.20180701/policy/modules/services/ntp.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc
+++ refpolicy-2.20180701/policy/modules/services/ntp.fc
@@ -13,6 +13,7 @@
 /etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 /run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
+/run/systemd/timesync(/.*)? gen_context(system_u:object_r:ntpd_pid_t,s0)
 /usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
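Review bot: init_dbus_chat(crond_t) is added under a bare optional_policy block, while the same patch guards init_dbus_chat(sshd_t) in ssh.te with an ifdef(`init_systemd', ...) block. The rule gives crond_t D-Bus send_msg to and from init_t, which is only meaningful when PID 1 is systemd; in a sysvinit build the optional block is still compiled in. Wrapping it the same way as ssh.te keeps the grant scoped, and a one-line comment stating which systemd bus call crond actually makes (the AVC that triggered this) would let the next reader judge whether a narrower interface exists. The enclosing optional_policy nest opens before this hunk.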
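Review bot: files_manage_etc_symlinks(NetworkManager_t) is wider than its comment: it lets NetworkManager create, delete and rename any etc_t-labelled symlink anywhere under /etc, not only /etc/resolv.conf. Since /etc/resolv.conf is conventionally net_conf_t and NetworkManager already manages that type elsewhere in this file (sysnet_manage_config, outside the hunk, as far as I recall), the denial is more likely that a freshly created symlink inherits the etc_t default label; a named type transition for the lnk_file class to net_conf_t (for instance extending sysnet_etc_filetrans_config to accept lnk_file, or a direct files_etc_filetrans with name "resolv.conf") fixes the labelling without granting etc_t symlink management. If the broad rule has to stay, the comment should say it is broader than resolv.conf, e.g. `# NM replaces /etc/resolv.conf; note this grants manage on all etc_t symlinks`.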
@@ -31,6 +32,7 @@
 /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/private/systemd/timesync(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
Index: refpolicy-2.20180701/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20180701/policy/modules/services/openvpn.te
@@ -175,3 +175,7 @@ optional_policy(`
 	networkmanager_dbus_chat(openvpn_t)
 ')
 ')
+
+optional_policy(`
+	systemd_use_passwd_agent(openvpn_t)
+')
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -347,6 +347,12 @@ optional_policy(`
 ')
 optional_policy(`
+	dbus_send_system_bus(postfix_master_t)
+	dbus_system_bus_client(postfix_master_t)
+	init_dbus_chat(postfix_master_t)
+')
+
+optional_policy(`
 	sendmail_signal(postfix_master_t)
 ')
@@ -376,6 +382,10 @@ optional_policy(`
 	init_dbus_chat(postfix_bounce_t)
 ')
+optional_policy(`
+	dbus_system_bus_client(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy
@@ -420,6 +430,12 @@ optional_policy(`
 	mailman_read_data_files(postfix_cleanup_t)
 ')
+optional_policy(`
+	dbus_send_system_bus(postfix_cleanup_t)
+	dbus_system_bus_client(postfix_cleanup_t)
+	init_dbus_chat(postfix_cleanup_t)
+')
+
 ########################################
 #
 # Local local policy
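Review bot: The new `/var/lib/private/systemd/timesync(/.*)? -- gen_context(...)` line combines the `--` regular-file qualifier with a pattern that is meant to cover the directory, so the timesync directory itself (and any non-regular entry inside it) keeps the label inherited from /var/lib/private and only regular files get ntp_drift_t. The `/run/systemd/timesync(/.*)?` entry added earlier in this same patch correctly omits the qualifier. Drop it here too: `/var/lib/private/systemd/timesync(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)`.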
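Review bot: The postfix_master_t block grants both dbus_send_system_bus and dbus_system_bus_client; if, as I recall from refpolicy's dbus.if, the client interface already includes send_msg to system_dbusd_t, the first call is redundant and the same pairing recurs for cleanup, qmgr and smtp in the following hunks. More importantly init_dbus_chat lets these postfix daemons exchange D-Bus messages with PID 1 in both directions and the hunk gives no reason; if the denials came from name lookups through nss-resolve, the peer would be systemd-resolved rather than init, and the grant should target that domain instead. A comment recording the triggering AVC, e.g. `# postfix talks to PID 1 over dbus for <call>`, would make the scope reviewable. The enclosing optional_policy nest continues outside the hunk.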
@@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p
 mcs_file_read_all(postfix_pickup_t)
 mcs_file_write_all(postfix_pickup_t)
+optional_policy(`
+	dbus_system_bus_client(postfix_pickup_t)
+	init_dbus_chat(postfix_pickup_t)
+')
+
 ########################################
 #
 # Pipe local policy
@@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po
 corecmd_exec_bin(postfix_qmgr_t)
+optional_policy(`
+	dbus_send_system_bus(postfix_qmgr_t)
+	dbus_system_bus_client(postfix_qmgr_t)
+	init_dbus_chat(postfix_qmgr_t)
+')
+
 ########################################
 #
 # Showq local policy
@@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t)
 mta_map_aliases(postfix_smtpd_t)
 optional_policy(`
+	dbus_send_system_bus(postfix_smtp_t)
+	dbus_system_bus_client(postfix_smtp_t)
+	init_dbus_chat(postfix_smtp_t)
+')
+
+optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
 	dovecot_stream_connect(postfix_smtpd_t)
 ')
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -278,6 +278,7 @@ ifdef(`distro_debian',`
 ')
 ifdef(`init_systemd',`
+	init_dbus_chat(sshd_t)
 	systemd_dbus_chat_logind(sshd_t)
 	init_rw_stream_sockets(sshd_t)
 ')
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
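Review bot: The hunk at -786 inserts rules for postfix_smtp_t into the smtpd local-policy section: every surrounding line (`mta_read_aliases(postfix_smtpd_t)`, `mta_map_aliases(postfix_smtpd_t)`, `dovecot_stream_connect_auth(postfix_smtpd_t)`) targets postfix_smtpd_t, so either the domain name is a typo for postfix_smtpd_t or the block belongs in the Smtp local policy section earlier in the file. Please confirm from the denial which of the two domains needs it and place the block accordingly. Note that postfix_smtp_t is the client that connects to remote MTAs, so an init_dbus_chat grant to it deserves its own justifying comment rather than inheriting the silence of the master/qmgr blocks.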
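Review bot: init_dbus_chat(sshd_t) gives the network-facing sshd_t two-way D-Bus send_msg with init_t, and the hunk does not say which systemd call triggered it. sshd's session setup normally talks to logind, which the existing `systemd_dbus_chat_logind(sshd_t)` on the next line already covers, so please quote the AVC and check whether a narrower interface fits before granting chat with PID 1. If the grant is needed, add a comment such as `# sshd talks to PID 1 over dbus for <call>` and keep the two init_ calls adjacent rather than separated by the logind line.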
@@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t)
 files_read_usr_files(tor_t)
 fs_search_tmpfs(tor_t)
+# for log symlink on a tmpfs filesystem systemd creates for it
+fs_read_tmpfs_symlinks(tor_t)
 auth_use_nsswitch(tor_t)
Index: refpolicy-2.20180701/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20180701/policy/modules/system/systemd.fc
@@ -50,6 +50,8 @@
 /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+mcs_killall(systemd_nspawn_t)
 type systemd_nspawn_var_run_t;
 files_pid_file(systemd_nspawn_var_run_t)
@@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste
 #
 dev_read_sysfs(systemd_gpt_generator_t)
+files_list_usr(systemd_gpt_generator_t)
 files_read_etc_files(systemd_gpt_generator_t)
 fs_getattr_xattr_fs(systemd_gpt_generator_t)
 storage_raw_read_fixed_disk(systemd_gpt_generator_t)
@@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars
 # Logind local policy
 #
-allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti
 # Nspawn local policy
 #
-allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
-allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
@@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va
 allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
-files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
+files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
 allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
 allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
+# for /tmp/.#inaccessible*
+allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
 # for /run/systemd/nspawn/incoming in chroot
 allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
@@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t)
 files_mounton_mnt(systemd_nspawn_t)
 files_mounton_root(systemd_nspawn_t)
 files_mounton_tmp(systemd_nspawn_t)
+files_read_kernel_symbol_table(systemd_nspawn_t)
 files_setattr_pid_dirs(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
@@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t)
 userdom_manage_user_home_dirs(systemd_nspawn_t)
 tunable_policy(`systemd_nspawn_labeled_namespace',`
+	corecmd_exec_bin(systemd_nspawn_t)
 	corecmd_exec_shell(systemd_nspawn_t)
 	dev_mounton(systemd_nspawn_t)
@@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n
 	fs_write_cgroup_files(systemd_nspawn_t)
 	selinux_getattr_fs(systemd_nspawn_t)
+	selinux_remount_fs(systemd_nspawn_t)
 	selinux_search_fs(systemd_nspawn_t)
 	init_domtrans(systemd_nspawn_t)
@@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass
 seutil_search_default_contexts(systemd_passwd_agent_t)
+userdom_use_user_ttys(systemd_passwd_agent_t)
 userdom_use_user_ptys(systemd_passwd_agent_t)
 optional_policy(`
@@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se
 # Tmpfiles local policy
 #
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
+allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
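Review bot: files_read_kernel_symbol_table(systemd_nspawn_t) gives nspawn read access to the kernel symbol map type (system_map_t, /boot/System.map*, as refpolicy defines the interface) and nothing in the hunk explains why a container manager reads it. If this is a side effect of nspawn walking /boot while preparing a container's mounts, a getattr or search grant may be sufficient; if it is a genuine read, record the denial in a comment such as `# nspawn reads /boot/System.map when <operation>` so the grant can be re-evaluated later.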
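Review bot: selinux_remount_fs(systemd_nspawn_t) allows remounting selinuxfs and is added without a comment; presumably this is nspawn remounting /sys/fs/selinux read-only inside the container, but the neighbouring selinux_getattr_fs/selinux_search_fs lines do not make that obvious. Add a why-comment, e.g. `# remount /sys/fs/selinux read-only in the container`, so a remount grant on selinuxfs is not mistaken for a policy-load or enforcement-toggle path. The enclosing tunable_policy block opens before this hunk.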
@@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+kernel_getattr_proc(systemd_tmpfiles_t)
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 kernel_read_network_state(systemd_tmpfiles_t)
+dev_getattr_fs(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
@@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t
 files_manage_var_lib_dirs(systemd_tmpfiles_t)
 files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
+files_read_etc_runtime_files(systemd_tmpfiles_t)
 files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)