Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4440C43387 for ; Sun, 6 Jan 2019 02:34:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 53020222A9 for ; Sun, 6 Jan 2019 02:34:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="TNbFEgEo" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726380AbfAFCeX (ORCPT ); Sat, 5 Jan 2019 21:34:23 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:39540 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726368AbfAFCeX (ORCPT ); Sat, 5 Jan 2019 21:34:23 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 9BB96ECBC; Sun, 6 Jan 2019 13:34:20 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546742061; bh=bYALy++UmJdpN+KF6CK75G3N0pkgm0sUIBTu97I058Q=; l=15174; h=From:To:Reply-To:Cc:Subject:Date:In-Reply-To:References:From; b=TNbFEgEoNLznl0uz6wgBllPtlpXR0JE2qU1uIxU3zzYB2veXNTuYkYnGu+mRi6uQF DUVBrFKufT4Rzh206uhylBF2m8eIs5xFMNgBQcaIVkcAks1JqJd/IFxNgPS91R4sTd K/XlxeOUnApISCBb7snaZgp/WAkQk4QkerxQuLjI= Received: by xev.coker.com.au (Postfix, from userid 1001) id 92BB4C3CEED; Sun, 6 Jan 2019 13:34:15 +1100 (AEDT) 
From: Russell Coker To: Chris PeBenito Reply-To: russell@coker.com.au Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] systemd misc Date: Sun, 06 Jan 2019 13:34:15 +1100 Message-ID: <2908877.gL7Ou1sHps@xev> In-Reply-To: <1b08133a-611c-e670-d2cc-9438c0b33def@ieee.org> References: <20190104075422.GB11721@aaa.coker.com.au> <1b08133a-611c-e670-d2cc-9438c0b33def@ieee.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org I'm not sure. If this is a problem then skip the Postfix bit and merge the rest, I can investigate Postfix more later. On Sunday, 6 January 2019 6:29:11 AM AEDT Chris PeBenito wrote: > On 1/4/19 2:54 AM, Russell Coker wrote: > > This patch has policy changes related to systemd and the systemd versions > > of system programs. > > > > Also has some dbus policy which probably isn't strictly a systemd thing, > > but it all came at the same time. > > Is all the postfix dbus usage due to a postfix change or something else? > I want to look for a pattern if this is not due to postfix code changes. > > I don't think I have any issues with anything else in the patch, but > will wait for the above answer to try to merge in one shot. > > > Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te > > +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te 
> > @@ -38,6 +38,8 @@ role system_r types logrotate_mail_t; > > > > # > > > > allow logrotate_t self:capability { chown dac_override dac_read_search > > fowner fsetid kill setgid setuid sys_nice sys_resource };> > > +# systemctl asks for net_admin > > +dontaudit logrotate_t self:capability net_admin; > > > > allow logrotate_t self:process { transition signal_perms getsched > > setsched getsession getpgid setpgid getcap setcap share getattr > > setfscreate noatsecure siginh setrlimit rlimitinh dyntransition > > setkeycreate setsockcreate getrlimit }; allow logrotate_t self:fd use; > > allow logrotate_t self:key manage_key_perms; > > > > Index: refpolicy-2.20180701/policy/modules/services/cron.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/services/cron.te > > +++ refpolicy-2.20180701/policy/modules/services/cron.te > > @@ -378,6 +378,10 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + init_dbus_chat(crond_t) > > + ') > > + > > + optional_policy(` > > > > unconfined_dbus_send(crond_t) > > > > ') > > > > ') > > > > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te > > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te > > @@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t) > > > > domain_use_interactive_fds(NetworkManager_t) > > domain_read_all_domains_state(NetworkManager_t) > > > > +# /etc/resolv.conf is a symlink written by NM > > +files_manage_etc_symlinks(NetworkManager_t) > > > > files_read_etc_runtime_files(NetworkManager_t) > > files_read_usr_files(NetworkManager_t) > > files_read_usr_src_files(NetworkManager_t) 
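Review bot: `files_manage_etc_symlinks(NetworkManager_t)` in the networkmanager.te hunk grants create/delete/rename on every symlink labeled etc_t, which is considerably broader than the single /etc/resolv.conf link the comment describes; a compromised NetworkManager could then repoint any other etc_t symlink. If resolv.conf carries net_conf_t on the affected systems, check whether the sysnet interfaces NetworkManager already uses (e.g. `sysnet_manage_config`) plus a lnk_file transition into net_conf_t would cover the case instead of the etc_t-wide rule. If the broad rule really is needed, the comment should say why the symlink ends up etc_t: `# /etc/resolv.conf is a symlink written by NM; it is labeled etc_t, not net_conf_t`.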
> > > > @@ -346,6 +348,7 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + systemd_read_logind_pids(NetworkManager_t) > > > > systemd_read_logind_sessions_files(NetworkManager_t) > > systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t) > > > > ') > > > > Index: refpolicy-2.20180701/policy/modules/services/ntp.fc > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc > > +++ refpolicy-2.20180701/policy/modules/services/ntp.fc > > @@ -13,6 +13,7 @@ > > > > /etc/rc\.d/init\.d/ntpd? > > -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) > > > > /run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0) > > > > +/run/systemd/timesync(/.*)? gen_context(system_u:object_r:ntpd_pid_t,s0 > > ) > > > > /usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) > > /usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) > > > > @@ -31,6 +32,7 @@ > > > > /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) > > /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) > > /var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0 > > ) > > > > +/var/lib/private/systemd/timesync(/.*)? > > -- gen_context(system_u:object_r:ntp_drift_t,s0)> > > /var/lock/ntpdate -- > > gen_context(system_u:object_r:ntpd_lock_t,s0)> > > Index: refpolicy-2.20180701/policy/modules/services/openvpn.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te > > +++ refpolicy-2.20180701/policy/modules/services/openvpn.te 
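Review bot: The new `/var/lib/private/systemd/timesync(/.*)?` entry in the second ntp.fc hunk appears to carry the `--` (regular-file) specifier after the line wrap, which would make the entry label only regular files and leave the timesync directory itself unlabeled by it; the companion `/run/systemd/timesync(/.*)?` entry added in the first hunk has no specifier. If the `--` is not a mail-wrapping artifact, drop it so the pattern matches the directory as well: `/var/lib/private/systemd/timesync(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)`.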
> > @@ -175,3 +175,7 @@ optional_policy(` > > > > networkmanager_dbus_chat(openvpn_t) > > > > ') > > > > ') > > > > + > > +optional_policy(` > > + systemd_use_passwd_agent(openvpn_t) > > +') > > Index: refpolicy-2.20180701/policy/modules/services/postfix.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te > > +++ refpolicy-2.20180701/policy/modules/services/postfix.te > > @@ -347,6 +347,12 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + dbus_send_system_bus(postfix_master_t) > > + dbus_system_bus_client(postfix_master_t) > > + init_dbus_chat(postfix_master_t) > > +') > > + > > +optional_policy(` > > > > sendmail_signal(postfix_master_t) > > > > ') > > > > @@ -376,6 +382,10 @@ optional_policy(` > > > > init_dbus_chat(postfix_bounce_t) > > > > ') > > > > +optional_policy(` > > + dbus_system_bus_client(postfix_bounce_t) > > +') > > + > > > > ######################################## > > # > > # Cleanup local policy > > > > @@ -420,6 +430,12 @@ optional_policy(` > > > > mailman_read_data_files(postfix_cleanup_t) > > > > ') > > > > +optional_policy(` > > + dbus_send_system_bus(postfix_cleanup_t) > > + dbus_system_bus_client(postfix_cleanup_t) > > + init_dbus_chat(postfix_cleanup_t) > > +') > > + > > > > ######################################## > > # > > # Local local policy > > > > @@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p > > > > mcs_file_read_all(postfix_pickup_t) > > mcs_file_write_all(postfix_pickup_t) > > > > +optional_policy(` > > + dbus_system_bus_client(postfix_pickup_t) > > + init_dbus_chat(postfix_pickup_t) > > +') > > + > > > > ######################################## > > # > > # Pipe local policy 
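Review bot: `dbus_send_system_bus(postfix_master_t)` looks redundant next to `dbus_system_bus_client(postfix_master_t)`, since in refpolicy the client interface already grants dbus send_msg to system_dbusd_t (worth confirming against dbus.if), and the same pairing recurs in the cleanup, qmgr and smtp hunks below. The bounce and pickup blocks, by contrast, get only the client rule, so the per-domain permission sets are inconsistent with no comment explaining the difference. If the sets are meant to be uniform, a single block keyed on a shared postfix attribute (if postfix.te defines one) would be easier to audit than six near-identical optional_policy blocks; either way a comment naming the bus service each daemon contacts would document the new surface.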
> > > > @@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po > > > > corecmd_exec_bin(postfix_qmgr_t) > > > > +optional_policy(` > > + dbus_send_system_bus(postfix_qmgr_t) > > + dbus_system_bus_client(postfix_qmgr_t) > > + init_dbus_chat(postfix_qmgr_t) > > +') > > + > > > > ######################################## > > # > > # Showq local policy > > > > @@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t) > > > > mta_map_aliases(postfix_smtpd_t) > > > > optional_policy(` > > > > + dbus_send_system_bus(postfix_smtp_t) > > + dbus_system_bus_client(postfix_smtp_t) > > + init_dbus_chat(postfix_smtp_t) > > +') > > + > > +optional_policy(` > > > > dovecot_stream_connect_auth(postfix_smtpd_t) > > dovecot_stream_connect(postfix_smtpd_t) > > > > ') > > > > Index: refpolicy-2.20180701/policy/modules/services/ssh.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te > > +++ refpolicy-2.20180701/policy/modules/services/ssh.te > > @@ -278,6 +278,7 @@ ifdef(`distro_debian',` > > > > ') > > > > ifdef(`init_systemd',` > > > > + init_dbus_chat(sshd_t) > > > > systemd_dbus_chat_logind(sshd_t) > > init_rw_stream_sockets(sshd_t) > > > > ') > > > > Index: refpolicy-2.20180701/policy/modules/services/tor.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/services/tor.te > > +++ refpolicy-2.20180701/policy/modules/services/tor.te 
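Review bot: The new optional_policy block in the postfix.te hunk at @@ -786 grants `postfix_smtp_t` but is inserted in the smtpd local policy section (the hunk context `mta_map_aliases(postfix_smtpd_t)` and the adjacent `dovecot_stream_connect_auth(postfix_smtpd_t)` block are all postfix_smtpd_t), so either the domain is a typo for `postfix_smtpd_t` or the block belongs in the smtp client section. As written, the smtpd domain gets nothing and the smtp domain's bus rules sit away from the rest of its policy; please confirm from the denials which domain was actually hitting the bus.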
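Review bot: `init_dbus_chat(sshd_t)` in the ssh.te hunk is bidirectional (dbus send_msg in both directions between sshd_t and init_t) and the hunk gives no indication which side needs it or which sshd code path triggers the denial, which makes it hard to judge whether a one-way send rule would suffice. A short comment above the line naming the trigger would help, e.g. `# sshd_t <-> init_t dbus messages for <cause> (TODO: confirm direction)`, and if init.if offers a send-only interface that would be the least-privilege choice. The `ifdef(`init_systemd',` block this sits in starts before the hunk.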
> > @@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t) > > > > files_read_usr_files(tor_t) > > > > fs_search_tmpfs(tor_t) > > > > +# for log symlink on a tmpfs filesystem systemd creates for it > > +fs_read_tmpfs_symlinks(tor_t) > > > > auth_use_nsswitch(tor_t) > > > > Index: refpolicy-2.20180701/policy/modules/system/systemd.fc > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc > > +++ refpolicy-2.20180701/policy/modules/system/systemd.fc > > @@ -50,6 +50,8 @@ > > > > /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_va > > r_run_t,s0) > > /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_ > > t,s0)> > > +/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_pas > > swd_var_run_t,s0) > > +/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:syst > > emd_passwd_var_run_t,s0)> > > /run/systemd/resolve(/.*)? > > gen_context(system_u:object_r:systemd_resolved_var_run_t,s0) > > /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions > > _var_run_t,s0) > > /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessi > > ons_var_run_t,s0)> > > Index: refpolicy-2.20180701/policy/modules/system/systemd.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te > > +++ refpolicy-2.20180701/policy/modules/system/systemd.te > > @@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys > > > > type systemd_nspawn_t; > > type systemd_nspawn_exec_t; > > init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) > > > > +mcs_killall(systemd_nspawn_t) > > > > type systemd_nspawn_var_run_t; > > files_pid_file(systemd_nspawn_var_run_t) 
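Review bot: `mcs_killall(systemd_nspawn_t)` in the systemd.te hunk at @@ -136 lets nspawn signal processes regardless of their MCS categories, i.e. it overrides the category isolation that keeps containers apart from each other and from host processes, and unlike the other nspawn additions in this patch it has no comment. If it is only needed to stop the container's own process tree (which may run at a different MCS level) on shutdown, say so: `# nspawn signals container processes running at other MCS levels on shutdown`. Whether this could instead live under the `systemd_nspawn_labeled_namespace` tunable is not visible from this hunk, since that tunable block starts elsewhere in the file.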
> > > > @@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste > > > > # > > > > dev_read_sysfs(systemd_gpt_generator_t) > > > > +files_list_usr(systemd_gpt_generator_t) > > > > files_read_etc_files(systemd_gpt_generator_t) > > fs_getattr_xattr_fs(systemd_gpt_generator_t) > > storage_raw_read_fixed_disk(systemd_gpt_generator_t) > > > > @@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars > > > > # Logind local policy > > # > > > > -allow systemd_logind_t self:capability { chown dac_override fowner > > sys_admin sys_tty_config }; +allow systemd_logind_t self:capability { > > chown dac_override dac_read_search fowner sys_admin sys_tty_config };> > > allow systemd_logind_t self:process { getcap setfscreate }; > > allow systemd_logind_t self:netlink_kobject_uevent_socket > > create_socket_perms; allow systemd_logind_t self:unix_dgram_socket > > create_socket_perms;> > > @@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti > > > > # Nspawn local policy > > # > > > > -allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill > > }; > > -allow systemd_nspawn_t self:capability { dac_override fsetid mknod > > net_admin setgid setuid setpcap sys_admin sys_chroot }; +allow > > systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit > > sigkill }; +allow systemd_nspawn_t self:capability { dac_override > > dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin > > sys_chroot };> > > allow systemd_nspawn_t self:capability2 wake_alarm; > > allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; 
> > > > @@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va > > > > allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms; > > init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) > > > > -files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir }) > > +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file }) > > > > allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms; > > allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton; > > > > +# for /tmp/.#inaccessible* > > +allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms; > > > > # for /run/systemd/nspawn/incoming in chroot > > allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton; > > > > @@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t) > > > > files_mounton_mnt(systemd_nspawn_t) > > files_mounton_root(systemd_nspawn_t) > > files_mounton_tmp(systemd_nspawn_t) > > > > +files_read_kernel_symbol_table(systemd_nspawn_t) > > > > files_setattr_pid_dirs(systemd_nspawn_t) > > > > fs_getattr_tmpfs(systemd_nspawn_t) > > > > @@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t) > > > > userdom_manage_user_home_dirs(systemd_nspawn_t) > > > > tunable_policy(`systemd_nspawn_labeled_namespace',` > > > > + corecmd_exec_bin(systemd_nspawn_t) > > > > corecmd_exec_shell(systemd_nspawn_t) > > > > dev_mounton(systemd_nspawn_t) > > > > @@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n > > > > fs_write_cgroup_files(systemd_nspawn_t) > > > > selinux_getattr_fs(systemd_nspawn_t) > > > > + selinux_remount_fs(systemd_nspawn_t) > > > > selinux_search_fs(systemd_nspawn_t) > > > > init_domtrans(systemd_nspawn_t) > > > > @@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass > > > > seutil_search_default_contexts(systemd_passwd_agent_t) > > > > +userdom_use_user_ttys(systemd_passwd_agent_t) > > > > userdom_use_user_ptys(systemd_passwd_agent_t) > > > > optional_policy(` 
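Review bot: `files_read_kernel_symbol_table(systemd_nspawn_t)` in the hunk at @@ -720 grants read access to the kernel symbol table files (presumably /boot/System.map style objects), which expose kernel addresses and are normally something to dontaudit unless the program actually parses them; the hunk gives no reason why nspawn would. If the denial came from scanning files inside a container image that were labeled with the host's file contexts, a dontaudit or a relabel of the image is the safer fix; otherwise please add a comment with the path nspawn reads, e.g. `# nspawn reads <path> for <reason>`.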
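Review bot: `selinux_remount_fs(systemd_nspawn_t)` in the hunk at @@ -776 allows remounting selinuxfs and has no comment, while the surrounding tunable block documents nothing about what nspawn does with the filesystem. If this is for nspawn presenting a read-only selinuxfs inside the container, a one-line comment such as `# nspawn remounts selinuxfs read-only for the container` would let later reviewers see that the remount is a hardening step rather than a way to change the host's mount options.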
> > > > @@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se > > > > # Tmpfiles local policy > > # > > > > -allow systemd_tmpfiles_t self:capability { chown dac_override fowner > > fsetid mknod net_admin sys_admin }; +allow systemd_tmpfiles_t > > self:capability { chown dac_override dac_read_search fowner fsetid mknod > > net_admin sys_admin };> > > allow systemd_tmpfiles_t self:process { setfscreate getcap }; > > > > allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom > > relabelto manage_dir_perms };> > > @@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal > > > > allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; > > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file > > read_file_perms; > > > > +kernel_getattr_proc(systemd_tmpfiles_t) > > > > kernel_read_kernel_sysctls(systemd_tmpfiles_t) > > kernel_read_network_state(systemd_tmpfiles_t) > > > > +dev_getattr_fs(systemd_tmpfiles_t) > > > > dev_manage_all_dev_nodes(systemd_tmpfiles_t) > > dev_read_urand(systemd_tmpfiles_t) > > dev_relabel_all_sysfs(systemd_tmpfiles_t) > > > > @@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t > > > > files_manage_var_lib_dirs(systemd_tmpfiles_t) > > files_purge_tmp(systemd_tmpfiles_t) > > files_read_etc_files(systemd_tmpfiles_t) > > > > +files_read_etc_runtime_files(systemd_tmpfiles_t) > > > > files_relabel_all_lock_dirs(systemd_tmpfiles_t) > > files_relabel_all_pid_dirs(systemd_tmpfiles_t) > > files_relabel_all_tmp_dirs(systemd_tmpfiles_t) -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/