From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Allow systemd to getattr configfile
Date: Wed, 4 Dec 2019 16:33:20 +0000
Message-ID: <20191204163306.16545-2-dsugar@tresys.com>
References: <20191204163306.16545-1-dsugar@tresys.com>
In-Reply-To: <20191204163306.16545-1-dsugar@tresys.com>
X-Mailer: git-send-email 2.21.0
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Systemd has ConditionalPathExists which is used to check if a path exists to control starting a service. But this requires getattr permissions on the file. This is generally for configuration files. We are mostly seeing this in our own policy. But this lvm denial also fits the example.

type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0

This second example is from chronyd, but it is happening because I added the conditional in a drop-in file. Note that chronyd_conf_t is already a 'configfile'.
type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar
---
 policy/modules/kernel/files.if | 20 ++++++++++++++++++++
 policy/modules/system/init.te  |  1 +
 policy/modules/system/lvm.te   |  2 +-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f1c94411..87be07ae 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
 	relabel_dirs_pattern($1, configfile, configfile)
 ')
 
+########################################
+##
+##	Getattr config files in /etc.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`files_getattr_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	allow $1 configfile:dir list_dir_perms;
+	getattr_files_pattern($1, configfile, configfile)
+	read_lnk_files_pattern($1, configfile, configfile)
+')
+
 ########################################
 ##
 ##	Read config files in /etc.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8973a622..747b696e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -320,6 +320,7 @@ ifdef(`init_systemd',`
 	domain_subj_id_change_exemption(init_t)
 	domain_role_change_exemption(init_t)
 
+	files_getattr_config_files(init_t)
 	files_read_all_pids(init_t)
 	files_list_usr(init_t)
 	files_list_var(init_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index ad4eb579..c05344e0 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
 role system_r types lvm_t;
 
 type lvm_etc_t;
-files_type(lvm_etc_t)
+files_config_file(lvm_etc_t)
 
 type lvm_lock_t;
 files_lock_file(lvm_lock_t)
-- 
2.21.0
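Review bot: in the files.if hunk, `allow $1 configfile:dir list_dir_perms;` is wider than a getattr-only interface needs. The next line, `getattr_files_pattern($1, configfile, configfile)`, already grants search on the configfile directories, which is all that stat()ing a path such as /etc/lvm/lvm.conf requires, so the explicit dir rule can be dropped or reduced to `search_dir_perms` unless listing /etc config directories is intended for every caller of `files_getattr_config_files`. The summary line "Getattr config files in /etc." should also mention that symlinks are readable (`read_lnk_files_pattern`), since the interface name suggests getattr only.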
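Review bot: in the init.te hunk, `files_getattr_config_files(init_t)` grants init_t getattr on every type that carries the `configfile` attribute, not only the two files in the examples; that fits the `ConditionPathExists=` use case (the description spells it `ConditionalPathExists`; the systemd.unit directive is `ConditionPathExists=`), but the commit message should say the grant is attribute-wide. Placing the call before `files_read_all_pids(init_t)` keeps the `files_*` calls in alphabetical order, which is the right spot.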
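Review bot: in the lvm.te hunk, replacing `files_type(lvm_etc_t)` with `files_config_file(lvm_etc_t)` does more than let init_t stat lvm.conf: it attaches the `configfile` attribute, so every domain that already calls `files_read_config_files()` (or any broader configfile interface) now gains read access to everything labelled lvm_etc_t. That widening is the real policy change in this patch and should be stated in the commit message, together with a check of the lvm.fc entries for what else is labelled lvm_etc_t and whether any of it should stay private to lvm_t.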
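The two AVC records quoted in the post are the raw material a policy writer works from before choosing an interface: what matters is the (source type, target type, class) tuple, the permission set, and whether the denial was actually enforced or only logged in permissive mode (the chronyd record has permissive=1). The parser below is an added example for this list post, not part of the patch or of refpolicy; it groups AVC denial records by that tuple. The two AVC lines are the ones quoted in the post, the SYSCALL line is a constructed filler record, and nothing else is assumed.

```python
"""Summarize SELinux AVC denial records by the tuple a policy writer
needs when deciding which refpolicy interface to call:
(source type, target type, object class) -> permissions, paths, enforced?

Added example for this list post, not part of the patch or of refpolicy.
The two AVC records below are the ones quoted in the post; the SYSCALL
line is a constructed filler record to show non-AVC input being skipped.
"""
import re

SAMPLE_LINES = [
    'type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for  '
    'pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for  '
    'pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 '
    'tclass=file permissive=1',
    # constructed, not from the post: a non-AVC record that must be ignored
    'type=SYSCALL msg=audit(1575427946.229:1624): arch=c000003e syscall=4 success=no exit=-13',
]

# key=value tokens; values are either double-quoted or a run of non-space characters
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# the permission set between the braces after "denied"
_PERMS = re.compile(r'denied\s*\{\s*([^}]*)\}')


def _ctx_type(context):
    """Third field of user:role:type[:level] is the type."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    if 'avc:' not in line or 'denied' not in line:
        return None
    m = _PERMS.search(line)
    rec = {'perms': m.group(1).split() if m else []}
    for key, raw, quoted in _KV.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    rec['stype'] = _ctx_type(rec.get('scontext', ''))
    rec['ttype'] = _ctx_type(rec.get('tcontext', ''))
    return rec


def summarize(lines):
    """Group denials: {(stype, ttype, tclass): {'perms', 'paths', 'enforced'}}.

    'enforced' is True when at least one record had permissive=0, i.e. the
    kernel actually refused the access rather than only logging it.
    """
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec.get('tclass', '?'))
        g = groups.setdefault(key, {'perms': set(), 'paths': set(), 'enforced': False})
        g['perms'].update(rec['perms'])
        if 'path' in rec:
            g['paths'].add(rec['path'])
        if rec.get('permissive') == '0':
            g['enforced'] = True
    return groups


if __name__ == '__main__':
    for (stype, ttype, tclass), g in summarize(SAMPLE_LINES).items():
        mode = 'enforced' if g['enforced'] else 'permissive only'
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(sorted(g['perms']))} }} "
              f"({mode}) paths: {', '.join(sorted(g['paths']))}")
```

Run against a real audit.log the grouping shows at a glance whether a denial is a one-off against one type (a candidate for a type-specific rule) or the same permission against many types sharing an attribute, which is the situation the post describes and the reason the patch reaches for the `configfile` attribute rather than lvm_etc_t alone.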