Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,LONGWORDS,MAILING_LIST_MULTI, SPF_PASS,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32A44C37121 for ; Mon, 21 Jan 2019 22:59:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F32A220861 for ; Mon, 21 Jan 2019 22:59:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="1M/5J+Df" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727007AbfAUW7g (ORCPT ); Mon, 21 Jan 2019 17:59:36 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:60104 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726244AbfAUW7g (ORCPT ); Mon, 21 Jan 2019 17:59:36 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 8863EF443 for ; Tue, 22 Jan 2019 09:59:34 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1548111574; bh=WUqGrjEmYT5E+fzekBTiSuq+dEIyefe30YozZIFL82I=; l=5270; h=Date:From:To:Subject:From; b=1M/5J+Dfp9VTmpXYzopFhtcZMHktUlO+goKCrw2EMh8XKtoBwlUWh2rda7YXs/MHW d5D39IE/1OFiBRhPy57OedAf2vVIHTNeD2SoiRiolICO4JuXeISNy0wQjDuNrUSs0x 1eJyzix53MrrISLZHnCgfSu4ZSpnkYS6hETUvUEA= Received: by xev.coker.com.au (Postfix, from userid 1001) id B149CC629BE; Tue, 22 Jan 2019 09:59:28 +1100 (AEDT) Date: Tue, 22 Jan 2019 09:59:28 +1100 
From: Russell Coker To: "selinux-refpolicy@vger.kernel.org" Subject: [PATCH] yet more tiny stuff Message-ID: <20190121225928.GA2428@xev> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org I think this should be self-explanatory. I've added an audit trace for the sys_ptrace access that was previously rejected. Here is the audit log for sys_ptrace: type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/ type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null) type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc: denied { sys_ptrace } for pid=12750 comm=systemctl capability=sys_ptrace scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
Index: refpolicy-2.20180701/policy/modules/apps/gpg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/gpg.te
+++ refpolicy-2.20180701/policy/modules/apps/gpg.te
@@ -184,11 +184,6 @@ optional_policy(`
 ')
 optional_policy(`
- cron_system_entry(gpg_t, gpg_exec_t)
- cron_read_system_job_tmp_files(gpg_t)
-')
-
-optional_policy(`
 xserver_use_xdm_fds(gpg_t)
 xserver_rw_xdm_pipes(gpg_t)
 ')
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -520,6 +520,7 @@ corenet_udp_sendrecv_all_ports(system_cr
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_getattr_mtrr_dev(system_cronjob_t)
+dev_read_rand(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
 dev_read_sysfs(system_cronjob_t)
 # for checkarray to write to sync_action
@@ -551,6 +552,7 @@ files_read_var_lib_symlinks(system_cronj
 mls_file_read_to_clearance(system_cronjob_t)
 init_domtrans_script(system_cronjob_t)
+init_read_generic_units_links(system_cronjob_t)
 init_read_utmp(system_cronjob_t)
 init_use_script_fds(system_cronjob_t)
@@ -623,6 +625,10 @@ optional_policy(`
 ')
 optional_policy(`
+ gpg_exec(system_cronjob_t)
+')
+
+optional_policy(`
 inn_manage_log(system_cronjob_t)
 inn_manage_pid(system_cronjob_t)
 inn_read_config(system_cronjob_t)
Index: refpolicy-2.20180701/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/init.if
+++ refpolicy-2.20180701/policy/modules/system/init.if
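Review bot: The `gpg_exec(system_cronjob_t)` block added in the last cron.te hunk (-623) carries no comment saying which system cron job runs gpg or why it should run without a domain transition. Together with the removal of `cron_system_entry(gpg_t, gpg_exec_t)` in the gpg.te hunk, gpg started from a system cron job would now stay in system_cronjob_t rather than entering gpg_t, so it inherits everything the cron job domain is allowed. I would record the reason above the call, for example `# <job name> runs gpg in the caller's domain; gpg_t transition dropped because <reason>`. The first cron.te hunk likewise adds `dev_read_rand` beside the existing `dev_read_urand` without naming the program that needs the blocking device.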
@@ -2962,6 +2962,25 @@ interface(`init_search_units',`
 ########################################
 ##
+## Read systemd unit links
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_generic_units_links',`
+ gen_require(`
+ type systemd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
 ## Get status of generic systemd units.
 ##
 ##
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
@@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket creat
 allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
 manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
-files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
+manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
+files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
 kernel_read_network_state(irqbalance_t)
 kernel_read_system_state(irqbalance_t)
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
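Review bot: The `gen_require` block of the new `init_read_generic_units_links` interface declares `class service status;`, but the only rule it emits is on `lnk_file`, so that requirement is unused and looks carried over from the unit-status interface that follows it. Dropping the line leaves `type systemd_unit_t;` as the sole requirement, which matches what the interface actually grants. The summary would also read more precisely as `## Read systemd unit symbolic links.`, with the trailing period the neighbouring summary uses.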
@@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
 # Local policy
 #
-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# sys_ptrace is for systemctl
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
 # systemctl asks for net_admin
 dontaudit logrotate_t self:capability net_admin;
 allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
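Review bot: Adding `sys_ptrace` to the `allow logrotate_t self:capability` set is justified only by `# sys_ptrace is for systemctl`, while the audit trace in the description shows a single denied `newfstatat` on `/proc/1/root` by systemctl. The trace does not say whether `systemctl restart` actually failed; if it still completes with the denial in place, the least-privilege change is to silence it the way the next line already treats net_admin, `dontaudit logrotate_t self:capability { net_admin sys_ptrace };`. If the capability really is required, the comment should record the evidence, for example `# sys_ptrace: systemctl stats /proc/1/root (newfstatat denied in logrotate_t)`.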