Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp643423ybl;
        Wed, 4 Dec 2019 08:34:26 -0800 (PST)
X-Google-Smtp-Source: APXvYqyuVB+cdN/0ZoC4tgCDHtFawvXUXk6dApOThOz5eUSdCeUhIXMxP72wZiKcW2nNOceT63ql
X-Received: by 2002:aca:d502:: with SMTP id m2mr3180682oig.41.1575477266258;
        Wed, 04 Dec 2019 08:34:26 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1575477266; cv=pass;
        d=google.com; s=arc-20160816;
        b=wPDD0exbBZ+gBVVyljCMT1Le4r23BQK5ZW0tPZY4W0giSn0gyPxkflewBJvCebquv8
         rYZBtIWqhZSVwDIc7GniKn+QPcbka4p1IbvSvRtuXZNx8r96oePnCyLtyoUGeXIAjOwU
         aigTzSX6vd1PpkirkM6M4Wlt9pmQMoXfqTqUoFZ4IR++lMm6/BvRnOKOijGd2KbSLc3w
         g9haQhfQ5tc/AKeC0Htbzs6pVK5730Wso2rKHEAnISRveDpT2a+uKgyTXNWx5pNUBaMM
         4WMD0l4+LoRNke6FK83ZMWJtbj1WwEdy675vE3gsikkpJiegwtdNP3/11saIui+lqW0Z
         ezgw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-language:accept-language:in-reply-to:references:message-id
         :date:thread-index:thread-topic:subject:to:from:dkim-signature;
        bh=6CjgdoduB5a1O3Z4B8ZxJ320s5hLy+3XEAgtN03Zpt4=;
        b=nDmZOAlTFtVv3f0D2XCjUOZtnIh6tFdFqglEc41YXpwJ+/UhwjN2ghXT0/8CtvdSDM
         yUetU8QJ+eV3TuwLWP4atMF/duZNOJxgBC8yrfLLfNcKyzMvf7pAnZPf0UBaVhEl00QC
         bwNrOcsyM1vxw2Kv/vkFB8+aa3qvlz3RB2rSpr3Kgxv9MCh0+SCXnP8SaNI+22q1DTc8
         DGeMAktWq1IP717fTUgt1+XroMJ+aZB5oH+XHYHy959Zwyv4oMjriuXvyfgfGGXiNWNV
         /Z5n4ruiG+KgAjIbr4ie3NjQtXb+4g9xMJspLPpS6UxmJlgJ7tc7H0Huc++tji8SH2vt
         mvlw==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=MCBeko+7;
       arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com);
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d68si3458974oib.194.2019.12.04.08.34.22;
        Wed, 04 Dec 2019 08:34:26 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=MCBeko+7;
       arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com);
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727867AbfLDQeG (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Wed, 4 Dec 2019 11:34:06 -0500
Received: from mail-eopbgr750123.outbound.protection.outlook.com ([40.107.75.123]:22084
        "EHLO NAM02-BL2-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1728241AbfLDQeG (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 4 Dec 2019 11:34:06 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Qg8tHSnMxGUt7coD8J/l5BK/KZ7tC9BKEiU9FOf0CcGBhRtbTXg/ahwzXM0kDT+bCaZ6lnVcRyj1akjN4FGRZgjirGstLFQOnrWZ7z+/Ytejg3l4kLd/Xi+O5wC8nRTunVTMHbBoS0rdogT6AROoNGj74twkLmV36qiM0b9zCY9mQQb7GkYRvrRzB2tgpy+lxlj6pSdz0/C5KDNr1U0K6wr4Og+SHiGT649nwXLMUsyIkZgUMad/uccLHfoL0wzyNx3FIWY/PNhotr4ifXpHNhmk6N2rEpSX9250l5YlBqVk1LiYfdpZ4y47TOVMx6LBYRmnuS39W/bdwz8bgX3ELQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=6CjgdoduB5a1O3Z4B8ZxJ320s5hLy+3XEAgtN03Zpt4=;
 b=LGTdMqdbwtuTE4Ynyg84XgYb5RoXD3H1c78QnJA088pciYvT0wdevU8QjESCaWuUWv+PM4OmHYfqM5pXcYOcGAWLkjU61WiUycydNYSj/pIEzUxSeKpjNKDpg32DOQ4X8lslFt93xJ0hiWSWCfbO090ZBd3I1sYJi0lSGf/iXoG8eiiOCwSt6FGNUaF1B1PyYYn09dTSgAytApzV9eWRFYa7wCuUxG8u81Qba2vKVbesZzDNDovr+cJCv48z24nzyr8pnen07Td/EOBNrHuViRtgxhsJMyDAm2bF0tnxv7E2HhuBdl/JYkkbuduoxhvVQZUhuPmSS2RSdF3Za7OtBg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=tresys.com; dmarc=pass action=none header.from=tresys.com;
 dkim=pass header.d=tresys.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector2-tresys-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=6CjgdoduB5a1O3Z4B8ZxJ320s5hLy+3XEAgtN03Zpt4=;
 b=MCBeko+7a0rxLLE433sloHMcQ/3PjQzG3mqjnP/+zzGUPGy+Jq8PfjCnsYjadsX/5Q0AoQgsMEnJJ7jL3O/7lohfbOVFCgiJObcwlT11BrlQJDYD+06Lm3TdphmeM9e9jo0/02SZJ5u4M6s6JE9g2MydyQKxbMkKvLqxGebWDtM=
Received: from MW2PR1501MB1978.namprd15.prod.outlook.com (52.132.149.154) by
 MW2PR1501MB2076.namprd15.prod.outlook.com (52.132.148.18) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.2474.22; Wed, 4 Dec 2019 16:33:22 +0000
Received: from MW2PR1501MB1978.namprd15.prod.outlook.com
 ([fe80::a811:5450:8ff0:ab16]) by MW2PR1501MB1978.namprd15.prod.outlook.com
 ([fe80::a811:5450:8ff0:ab16%4]) with mapi id 15.20.2495.014; Wed, 4 Dec 2019
 16:33:22 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] Allow systemd to getattr configfile
Thread-Topic: [PATCH] Allow systemd to getattr configfile
Thread-Index: AQHVqsCK9y2wMKKqwU6WJMp7oqJPMw==
Date:   Wed, 4 Dec 2019 16:33:20 +0000
Message-ID: <20191204163306.16545-2-dsugar@tresys.com>
References: <20191204163306.16545-1-dsugar@tresys.com>
In-Reply-To: <20191204163306.16545-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [96.234.151.2]
x-clientproxiedby: SN4PR0501CA0055.namprd05.prod.outlook.com
 (2603:10b6:803:41::32) To MW2PR1501MB1978.namprd15.prod.outlook.com
 (2603:10b6:302:b::26)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.21.0
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3d61fa1d-fbaa-4b2e-0aa5-08d778d7ac9a
x-ms-traffictypediagnostic: MW2PR1501MB2076:
x-microsoft-antispam-prvs: <MW2PR1501MB2076D8883C9C2E3EBD3F4C0CB95D0@MW2PR1501MB2076.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-forefront-prvs: 0241D5F98C
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(4636009)(39840400004)(376002)(346002)(396003)(136003)(366004)(189003)(199004)(508600001)(52116002)(25786009)(6506007)(5640700003)(71190400001)(71200400001)(2906002)(3846002)(6512007)(76176011)(6116002)(14444005)(66946007)(6436002)(66476007)(64756008)(66446008)(36756003)(14454004)(6486002)(66556008)(7736002)(2501003)(305945005)(186003)(86362001)(2616005)(5660300002)(81156014)(8676002)(1076003)(8936002)(11346002)(81166006)(50226002)(316002)(6916009)(99286004)(2351001)(26005)(102836004);DIR:OUT;SFP:1102;SCL:1;SRVR:MW2PR1501MB2076;H:MW2PR1501MB1978.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: mGKUl8xoSHipFt9xTOCpJZYJcjHFmcqIEVJJ3clEHJs0CoxRF2ZvSyzXDashtq6CUJgNuzBs/tofWvMJLZeNGiMKaHotoKyo1+kxadUKFIAV83P3CBkCEu6iNDq/TN4cRfBlSIt5J41u0BRAHPDzM9VyZ3s8epYvPsEFd/B/xquwZE3JL0AqgUcih5iuw4EAu6P/2QXRgKeOKRoY2wPWWSRXzsnx4H//9Cj305hAQGd5mdRn/lpVaIFLFspI1BtOWbXIHbDGZFAp6dUfazLp2qLrYwkBkjGJA0ONGq0KSgniSHjp7NFgjNeFVvnPsxUPpHRqCZrGURGNzwYsrxBOR3n4oV7gf4lvON+d/U/t7hdxZRwL8DZhC3eEvTXzlp+ZD56gecbhAR3zC0gvmh9GlSGUO7iImbcaq8e4xWKqwptUBUI8MqNtEwSdrnBOjVQw
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3d61fa1d-fbaa-4b2e-0aa5-08d778d7ac9a
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Dec 2019 16:33:20.8310
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: KiegyrQFsIiPiaqKq+IpHGy8nncoZYKe/UPMf81u4YemfHRgtlgOydXQ02LdVIHqPQDVm7+HX7e0FSkYre5v3A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR1501MB2076
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Systemd has ConditionalPathExists which is used to check if a path exists t=
o control starting a service.  But this requires getattr permissions on the=
 file.  This is generally for configuration files.  We are mostly seeing th=
is is in our own policy.  But this lvm denial also fits the example.

type=3DAVC msg=3Daudit(1575427946.229:1624): avc:  denied  { getattr } for =
 pid=3D1 comm=3D"systemd" path=3D"/etc/lvm/lvm.conf" dev=3D"dm-0" ino=3D517=
99 scontext=3Dsystem_u:system_r:init_t:s0 tcontext=3Dsystem_u:object_r:lvm_=
etc_t:s0 tclass=3Dfile permissive=3D0

This second example is from chronyd, but it is happening becuase I added th=
e conditional in a drop-in file. Note that chronyd_conf_t is already a 'con=
figfile'.

type=3DAVC msg=3Daudit(1575427959.882:1901): avc:  denied  { getattr } for =
 pid=3D1 comm=3D"systemd" path=3D"/etc/chrony.conf" dev=3D"dm-0" ino=3D5382=
4 scontext=3Dsystem_u:system_r:init_t:s0 tcontext=3Dsystem_u:object_r:chron=
yd_conf_t:s0 tclass=3Dfile permissive=3D1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/files.if | 20 ++++++++++++++++++++
 policy/modules/system/init.te  |  1 +
 policy/modules/system/lvm.te   |  2 +-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.i=
f
index f1c94411..87be07ae 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
 	relabel_dirs_pattern($1, configfile, configfile)
 ')
=20
+########################################
+## <summary>
+##	Getattr config files in /etc.
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	allow $1 configfile:dir list_dir_perms;
+	getattr_files_pattern($1, configfile, configfile)
+	read_lnk_files_pattern($1, configfile, configfile)
+')
+
 ########################################
 ## <summary>
 ##	Read config files in /etc.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8973a622..747b696e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -320,6 +320,7 @@ ifdef(`init_systemd',`
 	domain_subj_id_change_exemption(init_t)
 	domain_role_change_exemption(init_t)
=20
+	files_getattr_config_files(init_t)
 	files_read_all_pids(init_t)
 	files_list_usr(init_t)
 	files_list_var(init_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index ad4eb579..c05344e0 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
 role system_r types lvm_t;
=20
 type lvm_etc_t;
-files_type(lvm_etc_t)
+files_config_file(lvm_etc_t)
=20
 type lvm_lock_t;
 files_lock_file(lvm_lock_t)
--=20
2.21.0