Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp698512ybl;
        Wed, 4 Dec 2019 09:25:10 -0800 (PST)
X-Google-Smtp-Source: APXvYqyLi/jg+HeuT4BQrvKuR7auc+ad78NCUeWjDuMUwz1tN+TlE5Mksxcu5B70li9914QhB/C+
X-Received: by 2002:a05:6830:1309:: with SMTP id p9mr3462254otq.328.1575480310064;
        Wed, 04 Dec 2019 09:25:10 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1575480310; cv=pass;
        d=google.com; s=arc-20160816;
        b=PYUB+DTWqO4QzaEVxknStnvHcnT2wzk/xI+LAto3TwJR4kI+QECpUtTYSoLjNlwfl+
         +V0oqH1B8OujE1LpHZkNMkLeqImdwOFcbXlR5ytiRxGM6VR4mu5tGSmKu/HvLjOTr5lr
         cjQ2L8IcShwuLhw4FlenUAbXLxhwRFqE9DYMC9bMtR4qDVyWpZpOQcRiEOTwB8kLjEjJ
         2X0u7GyJpIkk4unH31vuxrEXCeS82cLFGadceMJxPzazV9QWMfCvZ8PCE6VQp4wouqe9
         pVjTrAkCdvKx348bFKYvzY2IV0GW8oRt9Nrix0KqtCEqIJouBWhOvtw7xb+A+WtVnzfw
         wrlg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-id:user-agent:content-language:accept-language:in-reply-to
         :references:message-id:date:thread-index:thread-topic:subject:to
         :from:dkim-signature;
        bh=uERkwjb2cJB2dIKrszTYOLtsvKtm/Ur1rQMT7bY+R/0=;
        b=ipPl4dXvO7lK8uBKgvV6pzsj1ftm8UTyA3LxCrLwONgGxx1Y1+wmZzc7JPmQwFDmS+
         dyY/417ZGkKKj5kjMaH7ifdaIokm8pRSZQsZc7LdQmW+drYrX5D4DaNVyXk0SQY77z/h
         7eRv6YhTClDF9iejIogSNCAcJWcXv6h59gt/g33BpkQWdSFFJYOC0Kh9JClQRj4elwfH
         LMiN5bLiOAHO/lf8JGBxwmYYZMNVkJDLmx1/yQCabk6vIUUCjG5q/N40jRWTunhtyCEY
         VbnwnTxXCVZ1V0RcVY7GoPMQOwTCMuDHo1qws7rJ+Qq0s6j+pogTDKSb79vRnBI0BIqX
         sunw==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=DRT7GFo7;
       arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com);
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l125si3662657oih.223.2019.12.04.09.25.07;
        Wed, 04 Dec 2019 09:25:10 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=DRT7GFo7;
       arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com);
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728059AbfLDRXC (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Wed, 4 Dec 2019 12:23:02 -0500
Received: from mail-dm6nam12on2105.outbound.protection.outlook.com ([40.107.243.105]:52065
        "EHLO NAM12-DM6-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1727033AbfLDRXA (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 4 Dec 2019 12:23:00 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=PHvzmX677agaGUdBMxwdFn/Ws2mcbloLxnkOA494z9iVkJgfaaVyDQVWON8Bp3wl8a8tGEnt+SiSgVVy4KmxORpHyH26pu91YErqRtS/Qi4rZOTWjzlGu9ay9HpYQNkJ+wHvzYXvyfarZ4CXWdjUebqQsx9xCpxD4h72bxHinKXVzaqUJxGCtzQudiIfa7aU1+WJVfRSwW3G7VFC8+GMx3iydfOy3W6AB7lcQGwv5bvx64u3ebl2P8vc4dPksP82wLcxQe5Rm+8aFcxkwi6ghS12CrXna5i1mDap12acQxe5jdOHgN89jRrX/mJqyntBFL3es1Iq+YSWwxE/s2x8fQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=uERkwjb2cJB2dIKrszTYOLtsvKtm/Ur1rQMT7bY+R/0=;
 b=OEVqOpgVCi4snGaxSOloN/l9GYkmX7TZF/DPfa3Wm4tm2dPHqN7dj+i46PRemIuBjUmes+Le5q3LzIviUrFQ5YKXFZDnZ5PkUEFQ8m5wzMsgxBg3EG2PfeLd/hJvFtkGXrzmv9NCsWLc0qq7DzUCOUq2jBGl3DFSYlRJ3izPevdUKulmfe449onpwZfy8r++UHlZyjuz0ccFYYc2h37cg6V7MlIxL2UTucf3pbB3ydC+DFftCEoQX4qWOg9hiI4QoOBeUtED2+/gA62NX7JNLekx8v5oDwmcGrsM+9aCBpt42twd5QTy6P7G/BMqXLT/6uvKiz/tSjsHt5Vv/x0OAA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=tresys.com; dmarc=pass action=none header.from=tresys.com;
 dkim=pass header.d=tresys.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector2-tresys-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=uERkwjb2cJB2dIKrszTYOLtsvKtm/Ur1rQMT7bY+R/0=;
 b=DRT7GFo7CaOWCLHdfjNqwIc4VRVz04l1uGuRyNK7HoPW6vAH8PEzCw1a8Ve3Aq4v8+JJG1KI5XKoOJrVYK5ng7nlPG9lI1+5MTuR+o4ap3d68ekIJyLRC1MTQxedo2+qmJuf1LlpsR2rbzhWiE32Tsak+Fhm2JRw9/Nwn3YcYas=
Received: from MW2PR1501MB1978.namprd15.prod.outlook.com (52.132.149.154) by
 MW2PR1501MB2153.namprd15.prod.outlook.com (52.132.150.149) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.2495.22; Wed, 4 Dec 2019 17:22:55 +0000
Received: from MW2PR1501MB1978.namprd15.prod.outlook.com
 ([fe80::a811:5450:8ff0:ab16]) by MW2PR1501MB1978.namprd15.prod.outlook.com
 ([fe80::a811:5450:8ff0:ab16%4]) with mapi id 15.20.2495.014; Wed, 4 Dec 2019
 17:22:55 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] Allow systemd to getattr configfile
Thread-Topic: [PATCH] Allow systemd to getattr configfile
Thread-Index: AQHVqsCK9y2wMKKqwU6WJMp7oqJPM6eqMfgAgAAHXYA=
Date:   Wed, 4 Dec 2019 17:22:55 +0000
Message-ID: <e3d4c752-899f-5454-37f5-851378426e8a@tresys.com>
References: <20191204163306.16545-1-dsugar@tresys.com>
 <20191204163306.16545-2-dsugar@tresys.com>
 <20191204165614.GA1321684@brutus.lan>
In-Reply-To: <20191204165614.GA1321684@brutus.lan>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [96.234.151.2]
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.1.1
x-clientproxiedby: MN2PR12CA0015.namprd12.prod.outlook.com
 (2603:10b6:208:a8::28) To MW2PR1501MB1978.namprd15.prod.outlook.com
 (2603:10b6:302:b::26)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5d887192-3012-4cfb-9fcb-08d778de999e
x-ms-traffictypediagnostic: MW2PR1501MB2153:
x-microsoft-antispam-prvs: <MW2PR1501MB2153B603F549F591D88480F4B95D0@MW2PR1501MB2153.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-forefront-prvs: 0241D5F98C
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(4636009)(346002)(366004)(189003)(199004)(7736002)(71190400001)(64756008)(6116002)(6506007)(36756003)(14444005)(102836004)(58126008)(229853002)(25786009)(71200400001)(6486002)(6436002)(31696002)(86362001)(6246003)(31686004)(508600001)(2351001)(65956001)(2501003)(14454004)(3846002)(8676002)(53546011)(66476007)(2906002)(99286004)(11346002)(5660300002)(66446008)(5640700003)(52116002)(8936002)(66556008)(81156014)(2616005)(305945005)(81166006)(26005)(186003)(6916009)(76176011)(66946007)(6512007);DIR:OUT;SFP:1102;SCL:1;SRVR:MW2PR1501MB2153;H:MW2PR1501MB1978.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: iuUXI8UYCilqFtNYHDctZb0riboJ3Iy2S9QMFExTaOm7IwxnuWyqBQX1eo8K4nG6lJgbqO2dWGcqLHG3Vn5SniqVW76pIFU0S3NYmGB1XMSqY1JxJ2R0xrqpocQ3/uknPp53XFB2iU266d81AaWtmkr3xnYm7k6uqF6sOGSujIOh0gdY0FNJ79sMnQwyXo8izJAOMgewFvFOpUpTfu3rDn5Q5tVkV386UFt6YNRfCap1aam1cWTBKVYo4M+KpBWnHN+BfTq6mUBDA3z0hEI77RGWyS58S3BKEJ2eFMxDUNH2RwP3pNezLYUXzsVvylKNKKbudorF69x/RI62iNtT4+o9SKcWBB3kXGwIDIhLFdKS51DE8P/8GeHACYuc+c7s1s29VVAK5pNIpbjPAEQticwhHl6byunisO7yGJwv3nyiKkWOhNYLcJg3cIU2ihkL
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <8DB7CB434A51BE4C84A3ED5732C84051@namprd15.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5d887192-3012-4cfb-9fcb-08d778de999e
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Dec 2019 17:22:55.3276
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wFi4TOA96SaR+/juqgHwI1KmFQnOWkzh9qWsRCP8fbCs8aIQDGUM6ULpcxDz9VQZbaFKogPyGZPwLIP/CZ1pGg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR1501MB2153
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org



On 12/4/19 11:56 AM, Dominick Grift wrote:
> On Wed, Dec 04, 2019 at 04:33:20PM +0000, Sugar, David wrote:
>> Systemd has ConditionalPathExists which is used to check if a path exist=
s to control starting a service.  But this requires getattr permissions on =
the file.  This is generally for configuration files.  We are mostly seeing=
 this is in our own policy.  But this lvm denial also fits the example.
>>
>> type=3DAVC msg=3Daudit(1575427946.229:1624): avc:  denied  { getattr } f=
or  pid=3D1 comm=3D"systemd" path=3D"/etc/lvm/lvm.conf" dev=3D"dm-0" ino=3D=
51799 scontext=3Dsystem_u:system_r:init_t:s0 tcontext=3Dsystem_u:object_r:l=
vm_etc_t:s0 tclass=3Dfile permissive=3D0
>>
>> This second example is from chronyd, but it is happening becuase I added=
 the conditional in a drop-in file. Note that chronyd_conf_t is already a '=
configfile'.
>>
>> type=3DAVC msg=3Daudit(1575427959.882:1901): avc:  denied  { getattr } f=
or  pid=3D1 comm=3D"systemd" path=3D"/etc/chrony.conf" dev=3D"dm-0" ino=3D5=
3824 scontext=3Dsystem_u:system_r:init_t:s0 tcontext=3Dsystem_u:object_r:ch=
ronyd_conf_t:s0 tclass=3Dfile permissive=3D1
>=20
> how about something a little more general?
>=20
> systemd_ConditionPath(`,'
> 	allow init_t $1:dir search_dir_perms;
> 	allow init_t $1:lnk_file read_lnk_file_perms;
> 	allow init_t $1:fifo_file getattr_fifo_file_perms;
> 	allow init_t $1:sock_file getattr_sock_file_perms;
> 	allow init_t $1:file getattr_file_perms;
> 	allow init_t $1:blk_file getattr_blk_file_perms;
> 	allow init_t $1:chr_file getattr_chr_file_perms;
> ')
>=20
I think you are suggesting an interface 'systemd_conditionpath' that=20
would exist in init.if and then need to be used by any module that wants=20
to grant access to a particular type to getattr?

So, for this case, I would need to modify chronyd.te and lvm.te to use=20
this interface?

I think you are also suggesting that ConditionPathExists usage in a unit=20
file could be trying to check for the existence of something other than=20
a configuration file.

Taking it to the extreme, a unit file could be checking for the=20
existence of a file that is in a different SELinux domain.  Does it=20
instead make sense to use the 'files_getattr_all_files',=20
'files_getattr_all_sockets', 'files_getattr_all_pipes', etc... in init.te?


>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/kernel/files.if | 20 ++++++++++++++++++++
>>   policy/modules/system/init.te  |  1 +
>>   policy/modules/system/lvm.te   |  2 +-
>>   3 files changed, 22 insertions(+), 1 deletion(-)
>>
>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/file=
s.if
>> index f1c94411..87be07ae 100644
>> --- a/policy/modules/kernel/files.if
>> +++ b/policy/modules/kernel/files.if
>> @@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
>>   	relabel_dirs_pattern($1, configfile, configfile)
>>   ')
>>  =20
>> +########################################
>> +## <summary>
>> +##	Getattr config files in /etc.
>> +## </summary>
>> +## <param name=3D"domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`files_getattr_config_files',`
>> +	gen_require(`
>> +		attribute configfile;
>> +	')
>> +
>> +	allow $1 configfile:dir list_dir_perms;
>> +	getattr_files_pattern($1, configfile, configfile)
>> +	read_lnk_files_pattern($1, configfile, configfile)
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##	Read config files in /etc.
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.=
te
>> index 8973a622..747b696e 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -320,6 +320,7 @@ ifdef(`init_systemd',`
>>   	domain_subj_id_change_exemption(init_t)
>>   	domain_role_change_exemption(init_t)
>>  =20
>> +	files_getattr_config_files(init_t)
>>   	files_read_all_pids(init_t)
>>   	files_list_usr(init_t)
>>   	files_list_var(init_t)
>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>> index ad4eb579..c05344e0 100644
>> --- a/policy/modules/system/lvm.te
>> +++ b/policy/modules/system/lvm.te
>> @@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
>>   role system_r types lvm_t;
>>  =20
>>   type lvm_etc_t;
>> -files_type(lvm_etc_t)
>> +files_config_file(lvm_etc_t)
>>  =20
>>   type lvm_lock_t;
>>   files_lock_file(lvm_lock_t)
>> --=20
>> 2.21.0
>>
>=20