b=hCJMjqF5V570GwbV1t77q7cqBllIiVjLV5wprVNAMua5O/R0Ym1HIzcBCVDjbrcmmb bcmkdE4ffOnpnO/hhcm5FQJHkncHF9xjXHNFlMK8dZIsrBd0gLPdCZzM0zFgnrQl+FQl Xy228uRYYpWhYLOgv4u/lrciONpGls3q6CPPyXx2qMfCFLtRvzoVXiAU+8AaKtkJYvSq lhKQo/OgZCE62QQRdT02DgbKd+LxjmHa2GxndZqH3S3uu6J0ZZibKxtgGNM2BsEFGpyq NnPg86TzmYvcw1h/QMN4FuzBeuuRXvFHf0TY+1kxZTmTZ/Ix+CQqQml5xSYPuJqa7gry 5HGg== X-Gm-Message-State: AJcUukf0pH48qgvKPn27Io1Utr0lqD80PO1GltGnQdTdHL8Oe6KsaFBH 31FJgM7haSIUhyBJihceRBeo0AR17us= X-Google-Smtp-Source: ALg8bN7OaPHlNMqlfmRFek4XFj2Rb0xIlpj7Xe46ZxssPyaHFDYTgaE+ImXMS/vnguOEaRC6fv2GTg== X-Received: by 2002:a0c:9d81:: with SMTP id s1mr57811065qvd.82.1546802074331; Sun, 06 Jan 2019 11:14:34 -0800 (PST) Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id r18sm37807512qta.83.2019.01.06.11.14.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 06 Jan 2019 11:14:33 -0800 (PST) Subject: Re: [PATCH] systemd misc To: russell@coker.com.au Cc: selinux-refpolicy@vger.kernel.org References: <20190104075422.GB11721@aaa.coker.com.au> <1b08133a-611c-e670-d2cc-9438c0b33def@ieee.org> <2908877.gL7Ou1sHps@xev> 
From: Chris PeBenito Message-ID: Date: Sun, 6 Jan 2019 13:18:16 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <2908877.gL7Ou1sHps@xev> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 1/5/19 9:34 PM, Russell Coker wrote: > I'm not sure. If this is a problem then skip the Postfix bit and merge the > rest, I can investigate Postfix more later. I've merged this, though I'd still prefer to hear more about the Postfix change, if possible. > On Sunday, 6 January 2019 6:29:11 AM AEDT Chris PeBenito wrote: >> On 1/4/19 2:54 AM, Russell Coker wrote: >>> This patch has policy changes related to systemd and the systemd versions >>> of system programs. >>> >>> Also has some dbus policy which probably isn't strictly a systemd thing, >>> but it all came at the same time. >> >> Is all the postfix dbus usage due to a postfix change or something else? >> I want to look for a pattern if this is not due to postfix code changes. >> >> I don't think I have any issues with anything else in the patch, but >> will wait for the above answer to try to merge in one shot. >> >>> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te >>> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te 
>>> @@ -38,6 +38,8 @@ role system_r types logrotate_mail_t; >>> >>> # >>> >>> allow logrotate_t self:capability { chown dac_override dac_read_search >>> fowner fsetid kill setgid setuid sys_nice sys_resource };> >>> +# systemctl asks for net_admin >>> +dontaudit logrotate_t self:capability net_admin; >>> >>> allow logrotate_t self:process { transition signal_perms getsched >>> setsched getsession getpgid setpgid getcap setcap share getattr >>> setfscreate noatsecure siginh setrlimit rlimitinh dyntransition >>> setkeycreate setsockcreate getrlimit }; allow logrotate_t self:fd use; >>> allow logrotate_t self:key manage_key_perms; >>> >>> Index: refpolicy-2.20180701/policy/modules/services/cron.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te >>> +++ refpolicy-2.20180701/policy/modules/services/cron.te >>> @@ -378,6 +378,10 @@ optional_policy(` >>> >>> ') >>> >>> optional_policy(` >>> >>> + init_dbus_chat(crond_t) >>> + ') >>> + >>> + optional_policy(` >>> >>> unconfined_dbus_send(crond_t) >>> >>> ') >>> >>> ') >>> >>> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te >>> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te >>> @@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t) >>> >>> domain_use_interactive_fds(NetworkManager_t) >>> domain_read_all_domains_state(NetworkManager_t) >>> >>> +# /etc/resolv.conf is a symlink written by NM >>> +files_manage_etc_symlinks(NetworkManager_t) >>> >>> files_read_etc_runtime_files(NetworkManager_t) >>> files_read_usr_files(NetworkManager_t) >>> files_read_usr_src_files(NetworkManager_t) 
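Review bot: `files_manage_etc_symlinks(NetworkManager_t)` in the networkmanager.te hunk grants create, write and delete on every etc_t symlink, while the comment above it only justifies /etc/resolv.conf. If the reason the symlink ends up as etc_t is that the resolv.conf file-context entry matches regular files only, the narrower fix is to label the symlink with the network-config type and keep the write inside the sysnet interfaces the domain presumably already uses; that way a compromised NetworkManager cannot repoint arbitrary /etc symlinks. At minimum the comment should state the breadth of the grant, e.g. `# /etc/resolv.conf is a symlink written by NM (labeled etc_t, so this covers all etc_t symlinks)`.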
>>> >>> @@ -346,6 +348,7 @@ optional_policy(` >>> >>> ') >>> >>> optional_policy(` >>> >>> + systemd_read_logind_pids(NetworkManager_t) >>> >>> systemd_read_logind_sessions_files(NetworkManager_t) >>> systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t) >>> >>> ') >>> >>> Index: refpolicy-2.20180701/policy/modules/services/ntp.fc >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc >>> +++ refpolicy-2.20180701/policy/modules/services/ntp.fc >>> @@ -13,6 +13,7 @@ >>> >>> /etc/rc\.d/init\.d/ntpd? >>> -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) >>> >>> /run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0) >>> >>> +/run/systemd/timesync(/.*)? > gen_context(system_u:object_r:ntpd_pid_t,s0 >>> ) >>> >>> /usr/bin/ntpd -- > gen_context(system_u:object_r:ntpd_exec_t,s0) >>> /usr/bin/ntpdate -- > gen_context(system_u:object_r:ntpdate_exec_t,s0) >>> >>> @@ -31,6 +32,7 @@ >>> >>> /var/lib/ntp(/.*)? > gen_context(system_u:object_r:ntp_drift_t,s0) >>> /var/lib/sntp-kod(/.*)? > gen_context(system_u:object_r:ntp_drift_t,s0) >>> /var/lib/systemd/clock -- > gen_context(system_u:object_r:ntp_drift_t,s0 >>> ) >>> >>> +/var/lib/private/systemd/timesync(/.*)? >>> -- gen_context(system_u:object_r:ntp_drift_t,s0)> >>> /var/lock/ntpdate -- >>> gen_context(system_u:object_r:ntpd_lock_t,s0)> >>> Index: refpolicy-2.20180701/policy/modules/services/openvpn.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te >>> +++ refpolicy-2.20180701/policy/modules/services/openvpn.te 
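Review bot: The new `/var/lib/private/systemd/timesync(/.*)?` entry in the second ntp.fc hunk carries the `--` specifier, so only regular files under it are labeled ntp_drift_t and the timesync directory itself (and any subdirectory) keeps the parent's default label, whereas the matching `/run/systemd/timesync(/.*)?` entry in the previous hunk has no specifier. Unless the directory is meant to stay at the default label, the specifier should be dropped: `/var/lib/private/systemd/timesync(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)`. The existing `/var/lib/systemd/clock --` entry names a single file and is unaffected.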
>>> @@ -175,3 +175,7 @@ optional_policy(` >>> >>> networkmanager_dbus_chat(openvpn_t) >>> >>> ') >>> >>> ') >>> >>> + >>> +optional_policy(` >>> + systemd_use_passwd_agent(openvpn_t) >>> +') >>> Index: refpolicy-2.20180701/policy/modules/services/postfix.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te >>> +++ refpolicy-2.20180701/policy/modules/services/postfix.te >>> @@ -347,6 +347,12 @@ optional_policy(` >>> >>> ') >>> >>> optional_policy(` >>> >>> + dbus_send_system_bus(postfix_master_t) >>> + dbus_system_bus_client(postfix_master_t) >>> + init_dbus_chat(postfix_master_t) >>> +') >>> + >>> +optional_policy(` >>> >>> sendmail_signal(postfix_master_t) >>> >>> ') >>> >>> @@ -376,6 +382,10 @@ optional_policy(` >>> >>> init_dbus_chat(postfix_bounce_t) >>> >>> ') >>> >>> +optional_policy(` >>> + dbus_system_bus_client(postfix_bounce_t) >>> +') >>> + >>> >>> ######################################## >>> # >>> # Cleanup local policy >>> >>> @@ -420,6 +430,12 @@ optional_policy(` >>> >>> mailman_read_data_files(postfix_cleanup_t) >>> >>> ') >>> >>> +optional_policy(` >>> + dbus_send_system_bus(postfix_cleanup_t) >>> + dbus_system_bus_client(postfix_cleanup_t) >>> + init_dbus_chat(postfix_cleanup_t) >>> +') >>> + >>> >>> ######################################## >>> # >>> # Local local policy >>> >>> @@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p >>> >>> mcs_file_read_all(postfix_pickup_t) >>> mcs_file_write_all(postfix_pickup_t) >>> >>> +optional_policy(` >>> + dbus_system_bus_client(postfix_pickup_t) >>> + init_dbus_chat(postfix_pickup_t) >>> +') >>> + >>> >>> ######################################## >>> # >>> # Pipe local policy 
>>> >>> @@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po >>> >>> corecmd_exec_bin(postfix_qmgr_t) >>> >>> +optional_policy(` >>> + dbus_send_system_bus(postfix_qmgr_t) >>> + dbus_system_bus_client(postfix_qmgr_t) >>> + init_dbus_chat(postfix_qmgr_t) >>> +') >>> + >>> >>> ######################################## >>> # >>> # Showq local policy >>> >>> @@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t) >>> >>> mta_map_aliases(postfix_smtpd_t) >>> >>> optional_policy(` >>> >>> + dbus_send_system_bus(postfix_smtp_t) >>> + dbus_system_bus_client(postfix_smtp_t) >>> + init_dbus_chat(postfix_smtp_t) >>> +') >>> + >>> +optional_policy(` >>> >>> dovecot_stream_connect_auth(postfix_smtpd_t) >>> dovecot_stream_connect(postfix_smtpd_t) >>> >>> ') >>> >>> Index: refpolicy-2.20180701/policy/modules/services/ssh.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te >>> +++ refpolicy-2.20180701/policy/modules/services/ssh.te >>> @@ -278,6 +278,7 @@ ifdef(`distro_debian',` >>> >>> ') >>> >>> ifdef(`init_systemd',` >>> >>> + init_dbus_chat(sshd_t) >>> >>> systemd_dbus_chat_logind(sshd_t) >>> init_rw_stream_sockets(sshd_t) >>> >>> ') >>> >>> Index: refpolicy-2.20180701/policy/modules/services/tor.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/services/tor.te >>> +++ refpolicy-2.20180701/policy/modules/services/tor.te 
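Review bot: The block added in the postfix.te `@@ -786,6 +813,12 @@` hunk names `postfix_smtp_t` (the SMTP client) but is placed in the smtpd section, between `mta_map_aliases(postfix_smtpd_t)` and `dovecot_stream_connect_auth(postfix_smtpd_t)`, so either the domain is a typo for `postfix_smtpd_t` or the block belongs in the smtp local policy section. Whichever was intended should match the denial that motivated it; granting `init_dbus_chat` and `dbus_send_system_bus` to the network-facing smtpd domain by accident would be wider than needed. The other postfix hunks keep domain and section consistent, so this one stands out.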
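Review bot: `init_dbus_chat(sshd_t)` in the ssh.te hunk has no comment saying which sshd operation needs a bidirectional D-Bus channel to init; the `systemd_dbus_chat_logind(sshd_t)` call on the next line already covers logind session handling, so the new grant presumably addresses something else. Because sshd_t is network-exposed, a one-line why-comment such as `# <operation> talks to systemd over the system bus` (with the operation filled in) would help later audits judge whether the grant is still required, and if only one direction of the chat is needed a narrower interface may suffice.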
>>> @@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t) >>> >>> files_read_usr_files(tor_t) >>> >>> fs_search_tmpfs(tor_t) >>> >>> +# for log symlink on a tmpfs filesystem systemd creates for it >>> +fs_read_tmpfs_symlinks(tor_t) >>> >>> auth_use_nsswitch(tor_t) >>> >>> Index: refpolicy-2.20180701/policy/modules/system/systemd.fc >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc >>> +++ refpolicy-2.20180701/policy/modules/system/systemd.fc >>> @@ -50,6 +50,8 @@ >>> >>> /run/\.nologin[^/]* -- > gen_context(system_u:object_r:systemd_sessions_va >>> r_run_t,s0) >>> /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_ >>> t,s0)> >>> +/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_pas >>> swd_var_run_t,s0) >>> +/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:syst >>> emd_passwd_var_run_t,s0)> >>> /run/systemd/resolve(/.*)? >>> gen_context(system_u:object_r:systemd_resolved_var_run_t,s0) >>> /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions >>> _var_run_t,s0) >>> /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessi >>> ons_var_run_t,s0)> >>> Index: refpolicy-2.20180701/policy/modules/system/systemd.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te >>> +++ refpolicy-2.20180701/policy/modules/system/systemd.te >>> @@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys >>> >>> type systemd_nspawn_t; >>> type systemd_nspawn_exec_t; >>> init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) >>> >>> +mcs_killall(systemd_nspawn_t) >>> >>> type systemd_nspawn_var_run_t; >>> files_pid_file(systemd_nspawn_var_run_t) 
>>> >>> @@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste >>> >>> # >>> >>> dev_read_sysfs(systemd_gpt_generator_t) >>> >>> +files_list_usr(systemd_gpt_generator_t) >>> >>> files_read_etc_files(systemd_gpt_generator_t) >>> fs_getattr_xattr_fs(systemd_gpt_generator_t) >>> storage_raw_read_fixed_disk(systemd_gpt_generator_t) >>> >>> @@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars >>> >>> # Logind local policy >>> # >>> >>> -allow systemd_logind_t self:capability { chown dac_override fowner >>> sys_admin sys_tty_config }; +allow systemd_logind_t self:capability { >>> chown dac_override dac_read_search fowner sys_admin sys_tty_config };> >>> allow systemd_logind_t self:process { getcap setfscreate }; >>> allow systemd_logind_t self:netlink_kobject_uevent_socket >>> create_socket_perms; allow systemd_logind_t self:unix_dgram_socket >>> create_socket_perms;> >>> @@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti >>> >>> # Nspawn local policy >>> # >>> >>> -allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill >>> }; >>> -allow systemd_nspawn_t self:capability { dac_override fsetid mknod >>> net_admin setgid setuid setpcap sys_admin sys_chroot }; +allow >>> systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit >>> sigkill }; +allow systemd_nspawn_t self:capability { dac_override >>> dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin >>> sys_chroot };> >>> allow systemd_nspawn_t self:capability2 wake_alarm; >>> allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; 
>>> >>> @@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va >>> >>> allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms; >>> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) >>> >>> -files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir }) >>> +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file }) >>> >>> allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms; >>> allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton; >>> >>> +# for /tmp/.#inaccessible* >>> +allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms; >>> >>> # for /run/systemd/nspawn/incoming in chroot >>> allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton; >>> >>> @@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t) >>> >>> files_mounton_mnt(systemd_nspawn_t) >>> files_mounton_root(systemd_nspawn_t) >>> files_mounton_tmp(systemd_nspawn_t) >>> >>> +files_read_kernel_symbol_table(systemd_nspawn_t) >>> >>> files_setattr_pid_dirs(systemd_nspawn_t) >>> >>> fs_getattr_tmpfs(systemd_nspawn_t) >>> >>> @@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t) >>> >>> userdom_manage_user_home_dirs(systemd_nspawn_t) >>> >>> tunable_policy(`systemd_nspawn_labeled_namespace',` >>> >>> + corecmd_exec_bin(systemd_nspawn_t) >>> >>> corecmd_exec_shell(systemd_nspawn_t) >>> >>> dev_mounton(systemd_nspawn_t) >>> >>> @@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n >>> >>> fs_write_cgroup_files(systemd_nspawn_t) >>> >>> selinux_getattr_fs(systemd_nspawn_t) >>> >>> + selinux_remount_fs(systemd_nspawn_t) >>> >>> selinux_search_fs(systemd_nspawn_t) >>> >>> init_domtrans(systemd_nspawn_t) >>> >>> @@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass >>> >>> seutil_search_default_contexts(systemd_passwd_agent_t) >>> >>> +userdom_use_user_ttys(systemd_passwd_agent_t) >>> >>> userdom_use_user_ptys(systemd_passwd_agent_t) >>> >>> optional_policy(` 
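Review bot: `files_read_kernel_symbol_table(systemd_nspawn_t)` in the `@@ -720` hunk has no comment explaining which nspawn operation reads the kernel symbol table, unlike the neighbouring `# for /tmp/.#inaccessible*` addition. Kernel symbol addresses are sensitive and a container manager does not obviously need them, so if the access was only a probe that surfaced in the audit log a dontaudit is the safer choice; otherwise a why-comment such as `# nspawn reads <what> from the kernel symbol table` would document the grant for future audits.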
>>> >>> @@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se >>> >>> # Tmpfiles local policy >>> # >>> >>> -allow systemd_tmpfiles_t self:capability { chown dac_override fowner >>> fsetid mknod net_admin sys_admin }; +allow systemd_tmpfiles_t >>> self:capability { chown dac_override dac_read_search fowner fsetid mknod >>> net_admin sys_admin };> >>> allow systemd_tmpfiles_t self:process { setfscreate getcap }; >>> >>> allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom >>> relabelto manage_dir_perms };> >>> @@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal >>> >>> allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; >>> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file >>> read_file_perms; >>> >>> +kernel_getattr_proc(systemd_tmpfiles_t) >>> >>> kernel_read_kernel_sysctls(systemd_tmpfiles_t) >>> kernel_read_network_state(systemd_tmpfiles_t) >>> >>> +dev_getattr_fs(systemd_tmpfiles_t) >>> >>> dev_manage_all_dev_nodes(systemd_tmpfiles_t) >>> dev_read_urand(systemd_tmpfiles_t) >>> dev_relabel_all_sysfs(systemd_tmpfiles_t) >>> >>> @@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t >>> >>> files_manage_var_lib_dirs(systemd_tmpfiles_t) >>> files_purge_tmp(systemd_tmpfiles_t) >>> files_read_etc_files(systemd_tmpfiles_t) >>> >>> +files_read_etc_runtime_files(systemd_tmpfiles_t) >>> >>> files_relabel_all_lock_dirs(systemd_tmpfiles_t) >>> files_relabel_all_pid_dirs(systemd_tmpfiles_t) >>> files_relabel_all_tmp_dirs(systemd_tmpfiles_t) > > -- Chris PeBenito