From: "Sugar, David" <dsugar@tresys.com>
To: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] Allow systemd to getattr configfile
Date: Wed, 4 Dec 2019 17:22:55 +0000
References: <20191204163306.16545-1-dsugar@tresys.com> <20191204163306.16545-2-dsugar@tresys.com> <20191204165614.GA1321684@brutus.lan>
In-Reply-To: <20191204165614.GA1321684@brutus.lan>
On 12/4/19 11:56 AM, Dominick Grift wrote:
> On Wed, Dec 04, 2019 at 04:33:20PM +0000, Sugar, David wrote:
>> Systemd has ConditionalPathExists which is used to check if a path exists to control starting a service. But this requires getattr permissions on the file. This is generally for configuration files. We are mostly seeing this in our own policy. But this lvm denial also fits the example.
>>
>> type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
>>
>> This second example is from chronyd, but it is happening because I added the conditional in a drop-in file. Note that chronyd_conf_t is already a 'configfile'.
>>
>> type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
>
> how about something a little more general?
>
> systemd_ConditionPath(`,'
> allow init_t $1:dir search_dir_perms;
> allow init_t $1:lnk_file read_lnk_file_perms;
> allow init_t $1:fifo_file getattr_fifo_file_perms;
> allow init_t $1:sock_file getattr_sock_file_perms;
> allow init_t $1:file getattr_file_perms;
> allow init_t $1:blk_file getattr_blk_file_perms;
> allow init_t $1:chr_file getattr_chr_file_perms;
> ')
>

I think you are suggesting an interface 'systemd_conditionpath' that would exist in init.if and then need to be used by any module that wants to grant access to a particular type to getattr?  So, for this case, I would need to modify chronyd.te and lvm.te to use this interface?

I think you are also suggesting that ConditionPathExists usage in a unit file could be trying to check for the existence of something other than a configuration file.

Taking it to the extreme, a unit file could be checking for the existence of a file that is in a different SELinux domain.  Does it instead make sense to use the 'files_getattr_all_files', 'files_getattr_all_sockets', 'files_getattr_all_pipes', etc... in init.te?
>> >> Signed-off-by: Dave Sugar >> --- >> policy/modules/kernel/files.if | 20 ++++++++++++++++++++ >> policy/modules/system/init.te | 1 + >> policy/modules/system/lvm.te | 2 +- >> 3 files changed, 22 insertions(+), 1 deletion(-) >> >> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/file= s.if >> index f1c94411..87be07ae 100644 >> --- a/policy/modules/kernel/files.if >> +++ b/policy/modules/kernel/files.if >> @@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',` >> relabel_dirs_pattern($1, configfile, configfile) >> ') >> =20 >> +######################################## >> +## >> +## Getattr config files in /etc. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`files_getattr_config_files',` >> + gen_require(` >> + attribute configfile; >> + ') >> + >> + allow $1 configfile:dir list_dir_perms; >> + getattr_files_pattern($1, configfile, configfile) >> + read_lnk_files_pattern($1, configfile, configfile) >> +') >> + >> ######################################## >> ## >> ## Read config files in /etc. >> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.= te >> index 8973a622..747b696e 100644 >> --- a/policy/modules/system/init.te >> +++ b/policy/modules/system/init.te >> @@ -320,6 +320,7 @@ ifdef(`init_systemd',` >> domain_subj_id_change_exemption(init_t) >> domain_role_change_exemption(init_t) >> =20 >> + files_getattr_config_files(init_t) >> files_read_all_pids(init_t) >> files_list_usr(init_t) >> files_list_var(init_t) >> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te >> index ad4eb579..c05344e0 100644 >> --- a/policy/modules/system/lvm.te >> +++ b/policy/modules/system/lvm.te >> @@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t) >> role system_r types lvm_t; >> =20 >> type lvm_etc_t; >> -files_type(lvm_etc_t) >> +files_config_file(lvm_etc_t) >> =20 >> type lvm_lock_t; >> files_lock_file(lvm_lock_t) >> --=20 >> 2.21.0 >> >=20
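Review bot: in the files.if hunk, the new files_getattr_config_files() interface grants more than its summary says. The explicit `allow $1 configfile:dir list_dir_perms;` lets the caller list every configfile-labelled directory, while `getattr_files_pattern($1, configfile, configfile)` already supplies the search_dir_perms that a stat() of a file under /etc needs. For a getattr-only interface, drop the list_dir_perms line (or use search_dir_perms if a directory rule is kept) so init_t stays at the least privilege the quoted denials call for; the read_lnk_files_pattern line is reasonable, since the checked path may traverse a symlink.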
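Review bot: in the init.te hunk, files_getattr_config_files(init_t) only resolves denials whose target type carries the configfile attribute, so on its own it fixes the chronyd_conf_t case but fixes the lvm_etc_t case only together with the lvm.te hunk; the commit message should say so, and should note that a unit whose ConditionPathExists= points at a non-configfile type (the concern raised in the thread) will still be denied. A one-line comment above the call saying it exists for ConditionPathExists= would also help the next reader understand why init_t needs it.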
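Review bot: in the lvm.te hunk, switching lvm_etc_t from files_type() to files_config_file() has an effect well beyond the getattr denial: the type joins the configfile attribute, so every domain already granted the configfile-wide interfaces in files.if (the relabel and "Read config files in /etc." interfaces visible in the first hunk's context, among others) now reaches /etc/lvm/lvm.conf too. That is probably acceptable for an /etc configuration file, but it is a separate behavioural change and deserves its own sentence in the commit message, or its own commit.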
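The two AVC records quoted in this thread are the raw material for deciding which rule to write, and the thread's disagreement is really about how wide that rule should be. The following is an added example, not code from the refpolicy project or from either participant: it parses audit-style AVC records into (source type, target type, class, permissions) tuples, groups them into the allow rules a policy writer would need, and checks each denial against the per-class permission sets of the systemd_ConditionPath() interface proposed above. The permission-set memberships (getattr_file_perms, search_dir_perms, read_lnk_file_perms and the other getattr_*_perms sets) are assumed to be refpolicy's usual definitions; the third input record is constructed for this example to show a request the getattr-only interface deliberately does not cover.

```python
"""Triage SELinux AVC denials against a proposed set of allow rules.

Added example, not refpolicy code. Permission-set contents below are
assumed to match refpolicy's obj_perm_sets.spt.
"""
import re
from collections import defaultdict

# Sample input. The first two records are the ones quoted in the thread;
# the third is CONSTRUCTED for this example (a directory listing by
# init_t on lvm_etc_t) and is not from the thread.
AVC_LINES = [
    'type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for  '
    'pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for  '
    'pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 '
    'tclass=file permissive=1',
    'type=AVC msg=audit(1575428000.000:1999): avc:  denied  { read } for  '
    'pid=1 comm="systemd" name="lvm" dev="dm-0" ino=51700 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 '
    'tclass=dir permissive=0',
]

# Assumed refpolicy permission sets (obj_perm_sets.spt).
PERM_SETS = {
    "getattr_file_perms": {"getattr"},
    "search_dir_perms": {"getattr", "search", "open"},
    "read_lnk_file_perms": {"getattr", "read"},
    "getattr_fifo_file_perms": {"getattr"},
    "getattr_sock_file_perms": {"getattr"},
    "getattr_blk_file_perms": {"getattr"},
    "getattr_chr_file_perms": {"getattr"},
}

# The rules of the systemd_ConditionPath() interface proposed in the
# thread, keyed by object class; $1 is the target type the caller passes.
CONDITION_PATH_RULES = {
    "dir": "search_dir_perms",
    "lnk_file": "read_lnk_file_perms",
    "fifo_file": "getattr_fifo_file_perms",
    "sock_file": "getattr_sock_file_perms",
    "file": "getattr_file_perms",
    "blk_file": "getattr_blk_file_perms",
    "chr_file": "getattr_chr_file_perms",
}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "sdomain": context_type(kv["scontext"]),
        "ttype": context_type(kv["tcontext"]),
        "tclass": kv["tclass"],
        "path": kv.get("path") or kv.get("name"),
        # permissive=1 means the access was logged but not blocked.
        "permissive": kv.get("permissive") == "1",
    }


def needed_rules(lines):
    """Collapse denials into {(source, target, class): perms} to allow."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d and d["result"] == "denied":
            needed[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(needed)


def covered_by_condition_path(denial):
    """True if systemd_ConditionPath(<target type>) would satisfy the denial."""
    if denial["sdomain"] != "init_t":
        return False  # the proposed interface hard-codes init_t as subject
    perm_set = CONDITION_PATH_RULES.get(denial["tclass"])
    return perm_set is not None and denial["perms"] <= PERM_SETS[perm_set]


def triage(lines):
    """One summary tuple per denial: (target, class, perms, covered, enforced)."""
    rows = []
    for line in lines:
        d = parse_avc(line)
        if d and d["result"] == "denied":
            rows.append((d["ttype"], d["tclass"], sorted(d["perms"]),
                         covered_by_condition_path(d), not d["permissive"]))
    return rows


if __name__ == "__main__":
    for row in triage(AVC_LINES):
        print(row)
```

Running the block prints one row per denial; the two quoted getattr denials are covered by the proposed interface (applied to lvm_etc_t and chronyd_conf_t respectively), and only the first was actually enforced, which matches the permissive=1 on the chronyd record. The constructed directory `read` is reported as not covered, which is the point of a getattr-only interface: it answers ConditionPathExists= without granting init_t a listing of the directory.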