Date: Wed, 4 Dec 2019 18:43:43 +0100
From: Dominick Grift
To: "Sugar, David"
Cc: "selinux-refpolicy@vger.kernel.org"
Subject: Re: [PATCH] Allow systemd to getattr configfile
Message-ID: <20191204174343.GC1321684@brutus.lan>
References: <20191204163306.16545-1-dsugar@tresys.com> <20191204163306.16545-2-dsugar@tresys.com> <20191204165614.GA1321684@brutus.lan>

On Wed, Dec 04, 2019 at 05:22:55PM +0000, Sugar, David wrote:
>
>
> On 12/4/19 11:56 AM, Dominick Grift wrote:
> > On Wed, Dec 04, 2019 at 04:33:20PM +0000, Sugar, David wrote:
> >> Systemd has ConditionPathExists which is used to check if a path exists to control starting a service. But this requires getattr permissions on the file. This is generally for configuration files. We are mostly seeing this in our own policy. But this lvm denial also fits the example.
> >>
> >> type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
> >>
> >> This second example is from chronyd, but it is happening because I added the conditional in a drop-in file. Note that chronyd_conf_t is already a 'configfile'.
> >>
> >> type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
> >
> > how about something a little more general?
> >
> > systemd_ConditionPath(`,'
> > allow init_t $1:dir search_dir_perms;
> > allow init_t $1:lnk_file read_lnk_file_perms;
> > allow init_t $1:fifo_file getattr_fifo_file_perms;
> > allow init_t $1:sock_file getattr_sock_file_perms;
> > allow init_t $1:file getattr_file_perms;
> > allow init_t $1:blk_file getattr_blk_file_perms;
> > allow init_t $1:chr_file getattr_chr_file_perms;
> > ')
> >
> I think you are suggesting an interface 'systemd_conditionpath' that would exist in init.if and then need to be used by any module that wants to grant access to a particular type to getattr?
>
> So, for this case, I would need to modify chronyd.te and lvm.te to use this interface?
>
> I think you are also suggesting that ConditionPathExists usage in a unit file could be trying to check for the existence of something other than a configuration file.
>
> Taking it to the extreme, a unit file could be checking for the existence of a file that is in a different SELinux domain. Does it instead make sense to use the 'files_getattr_all_files', 'files_getattr_all_sockets', 'files_getattr_all_pipes', etc... in init.te?
>

$ man systemd.directives | grep -i conditionpath
ConditionPathExists=
ConditionPathExistsGlob=
ConditionPathIsDirectory=
ConditionPathIsMountPoint=
ConditionPathIsReadWrite=
ConditionPathIsSymbolicLink=

>
> >>
> >> Signed-off-by: Dave Sugar
> >> ---
> >>  policy/modules/kernel/files.if | 20 ++++++++++++++++++++
> >>  policy/modules/system/init.te  |  1 +
> >>  policy/modules/system/lvm.te   |  2 +-
> >>  3 files changed, 22 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> >> index f1c94411..87be07ae 100644
> >> --- a/policy/modules/kernel/files.if
> >> +++ b/policy/modules/kernel/files.if
> >> @@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
> >>  	relabel_dirs_pattern($1, configfile, configfile)
> >>  ')
> >>  
> >> +########################################
> >> +##
> >> +##	Getattr config files in /etc.
> >> +##
> >> +##
> >> +##
> >> +##	Domain allowed access.
> >> +##
> >> +##
> >> +#
> >> +interface(`files_getattr_config_files',`
> >> +	gen_require(`
> >> +		attribute configfile;
> >> +	')
> >> +
> >> +	allow $1 configfile:dir list_dir_perms;
> >> +	getattr_files_pattern($1, configfile, configfile)
> >> +	read_lnk_files_pattern($1, configfile, configfile)
> >> +')
> >> +
> >>  ########################################
> >>  ##
> >>  ##	Read config files in /etc.
> >> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> >> index 8973a622..747b696e 100644
> >> --- a/policy/modules/system/init.te
> >> +++ b/policy/modules/system/init.te
> >> @@ -320,6 +320,7 @@ ifdef(`init_systemd',`
> >>  	domain_subj_id_change_exemption(init_t)
> >>  	domain_role_change_exemption(init_t)
> >>  
> >> +	files_getattr_config_files(init_t)
> >>  	files_read_all_pids(init_t)
> >>  	files_list_usr(init_t)
> >>  	files_list_var(init_t)
> >> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> >> index ad4eb579..c05344e0 100644
> >> --- a/policy/modules/system/lvm.te
> >> +++ b/policy/modules/system/lvm.te
> >> @@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
> >>  role system_r types lvm_t;
> >>  
> >>  type lvm_etc_t;
> >> -files_type(lvm_etc_t)
> >> +files_config_file(lvm_etc_t)
> >>  
> >>  type lvm_lock_t;
> >>  files_lock_file(lvm_lock_t)
> >> -- 
> >> 2.21.0
> >>
> >

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
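Review bot: the new `files_getattr_config_files` interface in the files.if hunk grants more than its name says: `allow $1 configfile:dir list_dir_perms;` lets the caller list every config directory, while resolving a path for a ConditionPath* check only needs `search_dir_perms` (the permission used in the per-type interface sketched upthread). Suggest narrowing the dir rule to `search_dir_perms`, or stating the directory listing explicitly in the interface summary.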
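Review bot: `files_getattr_config_files(init_t)` in the init.te hunk only covers types carrying the `configfile` attribute, yet the `man systemd.directives` output in this thread lists six ConditionPath* directives that may name any path, so a unit file checking a non-config path will still produce the same getattr denial. Either adopt the per-type interface discussed above, or state the limitation in the commit message so the next such denial is not read as a regression.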
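Review bot: switching `lvm_etc_t` from `files_type` to `files_config_file` in the lvm.te hunk does more than satisfy the getattr denial: it puts /etc/lvm/lvm.conf under the `configfile` attribute, so every domain already granted the "Read config files in /etc." interface (the one that follows the new interface in the files.if hunk) gains read access to it as well. The commit message should say whether widening read access to lvm.conf is intended.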
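An added example, not code from this thread or from refpolicy: a small Python parser for AVC denial records like the two quoted above, which picks out the ones that look like PID 1 evaluating a ConditionPath* directive and emits, per target type, both a call to the per-type `systemd_ConditionPath()` interface sketched in the reply (a proposed name, not an existing refpolicy interface) and the narrowest raw allow rule for the denied class. The sample records are the thread's two denials, re-spaced as auditd emits them.

```python
import re

# Constructed sample input: the thread's two AVC records, spaced as auditd emits them.
SAMPLE_AVCS = """\
type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
                    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object class -> permission macro, one per line of the systemd_ConditionPath() sketch in the thread.
CLASS_PERMS = {"dir": "search_dir_perms", "lnk_file": "read_lnk_file_perms",
               "fifo_file": "getattr_fifo_file_perms", "sock_file": "getattr_sock_file_perms",
               "file": "getattr_file_perms", "blk_file": "getattr_blk_file_perms",
               "chr_file": "getattr_chr_file_perms"}

def parse_avc(line):
    """Parse one AVC denial record; return its fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {"perms": set(m.group("perms").split()),
            "stype": m.group("sctx").split(":")[2],  # type component of the source context
            "ttype": m.group("tctx").split(":")[2],  # type component of the target context
            "tclass": m.group("tclass"), "pid": kv.get("pid"), "comm": kv.get("comm", ""),
            "path": kv.get("path", ""), "permissive": kv.get("permissive") == "1"}

def is_condition_path_denial(rec):
    """PID 1 evaluating a ConditionPath* directive only needs to look the path up and stat it."""
    if rec is None or rec["tclass"] not in CLASS_PERMS:
        return False
    wanted = {"getattr", "search"} | ({"read"} if rec["tclass"] == "lnk_file" else set())
    return (rec["stype"] == "init_t" and rec["comm"] == "systemd"
            and rec["pid"] == "1" and rec["perms"] <= wanted)

def suggest_rules(avc_text):
    """Per target type, the per-type interface call from the thread (a proposed interface,
    not one that exists in refpolicy) and the narrowest raw allow rule for the denied class."""
    out = {}
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if is_condition_path_denial(rec):
            out[rec["ttype"]] = {
                "interface": f"systemd_ConditionPath({rec['ttype']})",
                "allow": f"allow init_t {rec['ttype']}:{rec['tclass']} {CLASS_PERMS[rec['tclass']]};"}
    return out
```

Denials for anything beyond lookup and stat (a write, an open) are deliberately left out of the output, since those point at something other than a ConditionPath* check.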