From: Dominick Grift
To: Russell Coker
Cc: Chris PeBenito, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] some little stuff
Date: Tue, 15 Jan 2019 09:36:53 +0100
Message-ID: <8736pu9v16.fsf@gmail.com>

Russell Coker writes:

> On Sunday, 13 January 2019 6:28:35 AM AEDT Chris PeBenito wrote:
>> > Index: refpolicy-2.20180701/policy/modules/system/systemd.te >> > =================================================================== >> > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te >> > +++ refpolicy-2.20180701/policy/modules/system/systemd.te
>> > @@ -337,6 +337,10 @@ optional_policy(` >> > networkmanager_dbus_chat(systemd_hostnamed_t) >> > ') >> > >> > +optional_policy(` >> > + unconfined_dbus_send(systemd_hostnamed_t) >> > +')
>>
>> This comment:
>>
>> https://github.com/SELinuxProject/refpolicy/issues/18#issuecomment-452316615
>>
>> makes me rethink all dbus sends to unconfined domains, especially
>> unconfined_t. This here isn't all confined domains, but I want more
>> consideration for the perm.
>
> That comment is about allowing all domains to send to unconfined_t. Allowing
> specific domains like systemd_hostnamed_t to send to unconfined_t doesn't seem
> like a problem. It doesn't seem likely that an attack via dbus would start
> with a systemd domain, especially not one like systemd_hostnamed_t.

Not completely accurate. The comment is not about "all" domains, it's about
"all" domains that already have access to dbus.

However I kind of agree here that it's probably not worth it to go down this
rabbit hole. Even the normal dbus_chat interfaces are too broad (and that is
inevitable), and potentially allow for at least some form of priv escalation
more often than not. It's just a dbus design issue IMHO.

This is also why I added that commit in the first place. I knew that it was a
(big) compromise but I just chose to add it anyway (without any discussion,
which was wrong). I still allow this access in DSSP2, I just made a note about
it in the README.

There are just weak spots in the policy such as DBUS and unconfined. As long
as you are aware of them you can to some extent anticipate that.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
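
Review bot: The added optional_policy block calling unconfined_dbus_send(systemd_hostnamed_t) in systemd.te carries no comment or visible rationale for why systemd_hostnamed_t needs to send D-Bus messages to the unconfined domain. The block directly above it grants networkmanager_dbus_chat, so a reader cannot tell from the hunk whether the new access is a deliberate send-only grant or a leftover from a denial seen in testing. Please add a one-line comment above the new block naming the message flow or denial that motivated it, so the permission can be re-evaluated if the policy on D-Bus sends to unconfined domains changes.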