Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1371896ybl;
        Wed, 4 Dec 2019 23:46:39 -0800 (PST)
X-Google-Smtp-Source: APXvYqwQOPs+grllyodpfclpSSOYqmijlhONUGD6dBZih2+FrLe/SFjQdsAhY5qlJV/WJGVOV6L/
X-Received: by 2002:a9d:37cb:: with SMTP id x69mr5380177otb.90.1575531999635;
        Wed, 04 Dec 2019 23:46:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1575531999; cv=none;
        d=google.com; s=arc-20160816;
        b=wpYgJrLoaMQqk3tZcZrE4k4gNfpp/bWuTEDEKhjfMylTWX8vwq/L+ckJ6mJya5rnv0
         uCwBiStQB17XE9emUzuWlJiriHe4MugGqS/ZMBKXch1eXw9uVAjDxyJgLZXWD6PJlrpZ
         9x1ssp7CRY6/Fyx9M2PF+8FTcm8yqsIHCw+AnJVjd6hN65MKckN1OBezPAE9bYq1Beue
         QpUfuem686/KaTTQ4DVFBB/yGIMaYDStm+v8bG9Uy0rS7jOnTGNYJSjjHw2ohcn5Dtw7
         +HJYVwF6g1XOKB6UeIJPQ+c/ZSb6iEgWxafMJ6l14qDaMCzC9bIzhM+PU3wWBLnmZmBR
         JQ6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:to:from:date:dkim-signature;
        bh=LABwMd0P43aiv2yyMEaoh2E6YfLKyBUGukB4v3Jxulo=;
        b=r1mRMZt4UQhscnAr3fuiEJx1pi4ikuPwlMPHHIeQE10fq90ihp0vBRH7jsTnaZFVqu
         K2pYPMPr8sMEKT/4qVRwYB0dj/ekrdI3teQQ7AplMiC7rXFm0tPqclTS29wvTMkCJYuh
         9MWjWpWz5+qvjul4/Fqr2cLNNX/hYi5hqLA3FyUmP1YlbMxYKSGcXU445Xjy+KjeHq8C
         UgPDt608Znniayo9iii7RlE4y4ALaQbtjtOjw4qQUyYi89Y5GbyDQuxBi3xXhUAyufFr
         CdO+S6274HyhjuDsMt1szY7z9YyRD1RztpfJdBdVUdvTSTXJxUOwwBoMawLdJGfHpdPY
         SKbw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ichr9beW;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 7si4790126otv.26.2019.12.04.23.46.36;
        Wed, 04 Dec 2019 23:46:39 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ichr9beW;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725963AbfLEHqe (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Thu, 5 Dec 2019 02:46:34 -0500
Received: from mail-wm1-f67.google.com ([209.85.128.67]:50966 "EHLO
        mail-wm1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725909AbfLEHqe (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 5 Dec 2019 02:46:34 -0500
Received: by mail-wm1-f67.google.com with SMTP id p9so2511280wmg.0
        for <selinux-refpolicy@vger.kernel.org>; Wed, 04 Dec 2019 23:46:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:subject:message-id:mail-followup-to:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=LABwMd0P43aiv2yyMEaoh2E6YfLKyBUGukB4v3Jxulo=;
        b=ichr9beWXEiBLxsYu2X43GjnQfNYcFaBXu60449iW7LD0S9qF36y9n+Ws1vIwrV9s3
         Jle+tmWHCLp6YR5d3dYirrU+mRVefDn8UgsLAWZc0LL+LtGNptHwzrflEkcDfMQlEKAo
         ASKeiHPRgQlpyWMAJ4ReZ/KWdQZ43AC0TXaXh8rKkudyaGqL5yByAjQ9RzBe+3cQr6/2
         7FSijr4xDvaeipsM3p4lczaFpZe2T3HQCCJaDsShpoQgkHa5mNU7Aap2inmZMexvOBdU
         f8Q96ypLlAANdoYrfTH7+HKYc65DOyP0+3Zj1aqzCcJpucZWynVurNh4Q6fk/Ug8QYvS
         hZYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:subject:message-id:mail-followup-to
         :references:mime-version:content-disposition:in-reply-to:user-agent;
        bh=LABwMd0P43aiv2yyMEaoh2E6YfLKyBUGukB4v3Jxulo=;
        b=PkHtqaE8zBOrusxsK/f7h9Rn4gLPV8q74WtsOP1BH7ChJ1tzLkwXHbCDDy7GFl5Ewk
         Xvq4esuACCbQOYhLGVr9lfgLlwq+XJYPcWjV4zSfP5Qlb6bQbei+aExDWBqAYiFAxWzH
         Ap697u8oZ7DwQQldkOyXnffhRHZL1qG1gtBF7wRorxdwqZxS8fw9va0xgaCn6XBRKkO0
         TI1Sgj4745CG6MzLiM8wKpCN7nExoaL2QCCSp7B3oMMWnxZj6ZKWlFCYictdCOQoU96j
         iUeS6XVs9+NEdrE/l8Hxy4h5KRMoXfEc1QoZyks6nWrr5ytou9RiQPpvxKBdAd1Whdpz
         G2Hg==
X-Gm-Message-State: APjAAAXCbN3l0a8X/9MRvPsB3kCgQ03/H71KtNpgX4RkExQEJn1wfBDh
        j6mdfzvaOJn+MYkf2tOIcCY=
X-Received: by 2002:a05:600c:2112:: with SMTP id u18mr3685262wml.100.1575531991036;
        Wed, 04 Dec 2019 23:46:31 -0800 (PST)
Received: from brutus.lan (brutus.defensec.nl. [2001:985:d55d::438])
        by smtp.gmail.com with ESMTPSA id a20sm9671595wmd.19.2019.12.04.23.46.29
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 04 Dec 2019 23:46:30 -0800 (PST)
Date:   Thu, 5 Dec 2019 08:46:28 +0100
From:   Dominick Grift <dac.override@gmail.com>
To:     "Sugar, David" <dsugar@tresys.com>,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] Allow systemd to getattr configfile
Message-ID: <20191205074628.GA1734091@brutus.lan>
Mail-Followup-To: "Sugar, David" <dsugar@tresys.com>,
        "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
References: <20191204163306.16545-1-dsugar@tresys.com>
 <20191204163306.16545-2-dsugar@tresys.com>
 <20191204165614.GA1321684@brutus.lan>
 <e3d4c752-899f-5454-37f5-851378426e8a@tresys.com>
 <20191204174343.GC1321684@brutus.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="ZPt4rx8FFjLCG7dd"
Content-Disposition: inline
In-Reply-To: <20191204174343.GC1321684@brutus.lan>
User-Agent: Every email client sucks, this one just sucks less.
X-PGP-Key: https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


--ZPt4rx8FFjLCG7dd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 04, 2019 at 06:43:43PM +0100, Dominick Grift wrote:
> On Wed, Dec 04, 2019 at 05:22:55PM +0000, Sugar, David wrote:
> >=20
> >=20
> > On 12/4/19 11:56 AM, Dominick Grift wrote:
> > > On Wed, Dec 04, 2019 at 04:33:20PM +0000, Sugar, David wrote:
> > >> Systemd has ConditionalPathExists which is used to check if a path e=
xists to control starting a service.  But this requires getattr permissions=
 on the file.  This is generally for configuration files.  We are mostly se=
eing this is in our own policy.  But this lvm denial also fits the example.
> > >>
> > >> type=3DAVC msg=3Daudit(1575427946.229:1624): avc:  denied  { getattr=
 } for  pid=3D1 comm=3D"systemd" path=3D"/etc/lvm/lvm.conf" dev=3D"dm-0" in=
o=3D51799 scontext=3Dsystem_u:system_r:init_t:s0 tcontext=3Dsystem_u:object=
_r:lvm_etc_t:s0 tclass=3Dfile permissive=3D0
> > >>
> > >> This second example is from chronyd, but it is happening becuase I a=
dded the conditional in a drop-in file. Note that chronyd_conf_t is already=
 a 'configfile'.
> > >>
> > >> type=3DAVC msg=3Daudit(1575427959.882:1901): avc:  denied  { getattr=
 } for  pid=3D1 comm=3D"systemd" path=3D"/etc/chrony.conf" dev=3D"dm-0" ino=
=3D53824 scontext=3Dsystem_u:system_r:init_t:s0 tcontext=3Dsystem_u:object_=
r:chronyd_conf_t:s0 tclass=3Dfile permissive=3D1
> > >=20
> > > how about something a little more general?
> > >=20
> > > systemd_ConditionPath(`,'
> > > 	allow init_t $1:dir search_dir_perms;
> > > 	allow init_t $1:lnk_file read_lnk_file_perms;
> > > 	allow init_t $1:fifo_file getattr_fifo_file_perms;
> > > 	allow init_t $1:sock_file getattr_sock_file_perms;
> > > 	allow init_t $1:file getattr_file_perms;
> > > 	allow init_t $1:blk_file getattr_blk_file_perms;
> > > 	allow init_t $1:chr_file getattr_chr_file_perms;
> > > ')
> > >=20
> > I think you are suggesting an interface 'systemd_conditionpath' that=20
> > would exist in init.if and then need to be used by any module that want=
s=20
> > to grant access to a particular type to getattr?
> >=20
> > So, for this case, I would need to modify chronyd.te and lvm.te to use=
=20
> > this interface?
> >=20
> > I think you are also suggesting that ConditionPathExists usage in a uni=
t=20
> > file could be trying to check for the existence of something other than=
=20
> > a configuration file.
> >=20
> > Taking it to the extreme, a unit file could be checking for the=20
> > existence of a file that is in a different SELinux domain.  Does it=20
> > instead make sense to use the 'files_getattr_all_files',=20
> > 'files_getattr_all_sockets', 'files_getattr_all_pipes', etc... in init.=
te?
> >=20
>=20
> $ man systemd.directives | grep -i conditionpath
>        ConditionPathExists=3D
>        ConditionPathExistsGlob=3D
>        ConditionPathIsDirectory=3D
>        ConditionPathIsMountPoint=3D
>        ConditionPathIsReadWrite=3D
>        ConditionPathIsSymbolicLink=3D

Don't get me wrong though. In DSSP2 standard I allow systemd to read all co=
nfig, which is also a less-than-optimal compromise.
I basically do this because systemd often needs to be able to read environm=
ent config files in /etc/sysconfig (EnvironmentFile=3D)
Ideally I would also narrow this down and maybe one day i will (or maybe no=
t)

The point i am trying to make wrt to this patch though, is that ConditionPa=
th* is not limited to config files

>=20
> >=20
> > >>
> > >> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> > >> ---
> > >>   policy/modules/kernel/files.if | 20 ++++++++++++++++++++
> > >>   policy/modules/system/init.te  |  1 +
> > >>   policy/modules/system/lvm.te   |  2 +-
> > >>   3 files changed, 22 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/=
files.if
> > >> index f1c94411..87be07ae 100644
> > >> --- a/policy/modules/kernel/files.if
> > >> +++ b/policy/modules/kernel/files.if
> > >> @@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
> > >>   	relabel_dirs_pattern($1, configfile, configfile)
> > >>   ')
> > >>  =20
> > >> +########################################
> > >> +## <summary>
> > >> +##	Getattr config files in /etc.
> > >> +## </summary>
> > >> +## <param name=3D"domain">
> > >> +##	<summary>
> > >> +##	Domain allowed access.
> > >> +##	</summary>
> > >> +## </param>
> > >> +#
> > >> +interface(`files_getattr_config_files',`
> > >> +	gen_require(`
> > >> +		attribute configfile;
> > >> +	')
> > >> +
> > >> +	allow $1 configfile:dir list_dir_perms;
> > >> +	getattr_files_pattern($1, configfile, configfile)
> > >> +	read_lnk_files_pattern($1, configfile, configfile)
> > >> +')
> > >> +
> > >>   ########################################
> > >>   ## <summary>
> > >>   ##	Read config files in /etc.
> > >> diff --git a/policy/modules/system/init.te b/policy/modules/system/i=
nit.te
> > >> index 8973a622..747b696e 100644
> > >> --- a/policy/modules/system/init.te
> > >> +++ b/policy/modules/system/init.te
> > >> @@ -320,6 +320,7 @@ ifdef(`init_systemd',`
> > >>   	domain_subj_id_change_exemption(init_t)
> > >>   	domain_role_change_exemption(init_t)
> > >>  =20
> > >> +	files_getattr_config_files(init_t)
> > >>   	files_read_all_pids(init_t)
> > >>   	files_list_usr(init_t)
> > >>   	files_list_var(init_t)
> > >> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lv=
m.te
> > >> index ad4eb579..c05344e0 100644
> > >> --- a/policy/modules/system/lvm.te
> > >> +++ b/policy/modules/system/lvm.te
> > >> @@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
> > >>   role system_r types lvm_t;
> > >>  =20
> > >>   type lvm_etc_t;
> > >> -files_type(lvm_etc_t)
> > >> +files_config_file(lvm_etc_t)
> > >>  =20
> > >>   type lvm_lock_t;
> > >>   files_lock_file(lvm_lock_t)
> > >> --=20
> > >> 2.21.0
> > >>
> > >=20
>=20
> --=20
> Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02
> Dominick Grift



--=20
Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02
Dominick Grift

--ZPt4rx8FFjLCG7dd
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAl3otdAACgkQJXSOVTf5
R2nq+Av/fMd8GwC1S9nDVrHNGhaUA600svNe0jageSMRsnv9zhAorvg7bNN/j7F4
ENI0oLag1J4PbmuHjA6ErTsvDTo04/N628TbmezqATBNsg+UhjdCLmhYyUwvc5J2
Whheu04SjYKUpTEVo6Sswgb8fGm6/lm36DjW8GeqaJO1wbIRcU/5BGNLKeSaj9U9
gdW/InlUnC6khTjWRiBFkRi390Hnzq9hvN93ouyMjjHoFaI9PzZ7Wczg1BOm0dYg
lINhYkeGpMYup8PIz8LuoaAYXoKYXbVoYgUWcRPuVgQSzYsESeQwWpcj5HY4gJZw
2vxKMi8g3wGKHzUOhYk1u3jOvep1t0i5Tu5kFIfWDfk1Sklz5H4diM0Tn093DCaS
/yB2fEdWl3EqHbLd5PW1B6QCEOJowYvrKrc+J3HOEpnrIO2bFtr0KqdaLPxELr2J
sqty2Lr6JGW6YM08rX3FXkNGlYVnm6IsdcsVVqIkclUaCqdlzz0V/R3+69V3JhCJ
PYUD4/0H
=TdDQ
-----END PGP SIGNATURE-----

--ZPt4rx8FFjLCG7dd--