From: "Sugar, David" <dsugar@tresys.com>
To: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] Allow systemd to getattr configfile
Date: Thu, 5 Dec 2019 13:19:06 +0000
Message-ID: <394bf12e-7833-d4b9-1554-4f2755794152@tresys.com>
References: <20191204163306.16545-1-dsugar@tresys.com>
 <20191204163306.16545-2-dsugar@tresys.com>
 <20191204165614.GA1321684@brutus.lan>
 <20191204174343.GC1321684@brutus.lan>
 <20191205074628.GA1734091@brutus.lan>
In-Reply-To: <20191205074628.GA1734091@brutus.lan>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 12/5/19 2:46 AM, Dominick Grift wrote:
> On Wed, Dec 04, 2019 at 06:43:43PM +0100, Dominick Grift wrote:
>> On Wed, Dec 04, 2019 at 05:22:55PM +0000, Sugar, David wrote:
>>>
>>>
>>> On 12/4/19 11:56 AM, Dominick Grift wrote:
>>>> On Wed, Dec 04, 2019 at 04:33:20PM +0000, Sugar, David wrote:
>>>>> Systemd has ConditionalPathExists which is used to check if a path exists to control starting a service. But this requires getattr permissions on the file. This is generally for configuration files. We are mostly seeing this in our own policy. But this lvm denial also fits the example.
>>>>>
>>>>> type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
>>>>>
>>>>> This second example is from chronyd, but it is happening because I added the conditional in a drop-in file. Note that chronyd_conf_t is already a 'configfile'.
>>>>>
>>>>> type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
>>>>
>>>> how about something a little more general?
>>>>
>>>> systemd_ConditionPath(`,'
>>>> allow init_t $1:dir search_dir_perms;
>>>> allow init_t $1:lnk_file read_lnk_file_perms;
>>>> allow init_t $1:fifo_file getattr_fifo_file_perms;
>>>> allow init_t $1:sock_file getattr_sock_file_perms;
>>>> allow init_t $1:file getattr_file_perms;
>>>> allow init_t $1:blk_file getattr_blk_file_perms;
>>>> allow init_t $1:chr_file getattr_chr_file_perms;
>>>> ')
>>>>
>>> I think you are suggesting an interface 'systemd_conditionpath' that
>>> would exist in init.if and then need to be used by any module that wants
>>> to grant access to a particular type to getattr?
>>>
>>> So, for this case, I would need to modify chronyd.te and lvm.te to use
>>> this interface?
>>>
>>> I think you are also suggesting that ConditionPathExists usage in a unit
>>> file could be trying to check for the existence of something other than
>>> a configuration file.
>>>
>>> Taking it to the extreme, a unit file could be checking for the
>>> existence of a file that is in a different SELinux domain. Does it
>>> instead make sense to use the 'files_getattr_all_files',
>>> 'files_getattr_all_sockets', 'files_getattr_all_pipes', etc... in init.te?
>>>
>>
>> $ man systemd.directives | grep -i conditionpath
>> ConditionPathExists=
>> ConditionPathExistsGlob=
>> ConditionPathIsDirectory=
>> ConditionPathIsMountPoint=
>> ConditionPathIsReadWrite=
>> ConditionPathIsSymbolicLink=
>
> Don't get me wrong though. In DSSP2 standard I allow systemd to read all config, which is also a less-than-optimal compromise.
> I basically do this because systemd often needs to be able to read environment config files in /etc/sysconfig (EnvironmentFile=)
> Ideally I would also narrow this down and maybe one day I will (or maybe not)
>
> The point I am trying to make wrt to this patch though, is that ConditionPath* is not limited to config files
>

I agree with you, and I'm very much in favor of a more generic solution that will cover as much of this type of stuff as possible. I just don't have any other ideas yet.

Looking at current refpolicy, it looks like most (but not all) of the files in /etc/sysconfig are labeled etc_t (at least on my system) and init_t can read etc_t files already.

Maybe we need a mix of solutions here. Something added to init.te to grant most of the obvious access needed to deal with many of these cases and then an interface in init.if to give an ability to grant additional access when the generic case isn't enough for some reason. Maybe grant getattr access to all 'non_security_file_type'.
Then an interface like the following (which is just an idea) where $1 is the type that init_t needs to getattr for a Conditional* and $2 is one (or more) object classes.

interface(`init_systemd_conditional',`
	gen_require(`
		type init_t;
	')

	# $1: type named by a ConditionPath* directive
	# $2: object class(es) of that path, e.g. file or "file sock_file"
	allow init_t $1:dir list_dir_perms;
	allow init_t $1:{ $2 } { getattr };
	read_lnk_files_pattern(init_t, $1, $1)
')

Alternatively add a new attribute in init.te called 'systemd_conditional' which init.te has getattr permission on and then types can be added to that attribute that need to be used in a Condition*. Granted that is very similar to what you initially proposed, just using an attribute instead.

I'm also hoping that Chris will chime in with some opinion on this topic.

>>
>>>
>>>>>
>>>>> Signed-off-by: Dave Sugar
>>>>> ---
>>>>>  policy/modules/kernel/files.if | 20 ++++++++++++++++++++
>>>>>  policy/modules/system/init.te  |  1 +
>>>>>  policy/modules/system/lvm.te   |  2 +-
>>>>>  3 files changed, 22 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
>>>>> index f1c94411..87be07ae 100644
>>>>> --- a/policy/modules/kernel/files.if
>>>>> +++ b/policy/modules/kernel/files.if
>>>>> @@ -1562,6 +1562,26 @@ interface(`files_relabel_config_dirs',`
>>>>>  	relabel_dirs_pattern($1, configfile, configfile)
>>>>>  ')
>>>>>  
>>>>> +########################################
>>>>> +## <summary>
>>>>> +##	Getattr config files in /etc.
>>>>> +## </summary>
>>>>> +## <param name="domain">
>>>>> +##	<summary>
>>>>> +##	Domain allowed access.
>>>>> +##	</summary>
>>>>> +## </param>
>>>>> +#
>>>>> +interface(`files_getattr_config_files',`
>>>>> +	gen_require(`
>>>>> +		attribute configfile;
>>>>> +	')
>>>>> +
>>>>> +	allow $1 configfile:dir list_dir_perms;
>>>>> +	getattr_files_pattern($1, configfile, configfile)
>>>>> +	read_lnk_files_pattern($1, configfile, configfile)
>>>>> +')
>>>>> +
>>>>>  ########################################
>>>>>  ## <summary>
>>>>>  ##	Read config files in /etc.
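Review bot: `allow $1 configfile:dir list_dir_perms;` in the new files_getattr_config_files() grants more than a getattr interface needs; getattr_files_pattern() and read_lnk_files_pattern() only require search on the containing directory, so `allow $1 configfile:dir search_dir_perms;` would keep the interface to the access its summary describes. The summary should also say that it covers only types carrying the configfile attribute, since the thread points out that ConditionPath* can name paths that are not config files.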
>>>>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>>>>> index 8973a622..747b696e 100644
>>>>> --- a/policy/modules/system/init.te
>>>>> +++ b/policy/modules/system/init.te
>>>>> @@ -320,6 +320,7 @@ ifdef(`init_systemd',`
>>>>>  	domain_subj_id_change_exemption(init_t)
>>>>>  	domain_role_change_exemption(init_t)
>>>>>  
>>>>> +	files_getattr_config_files(init_t)
>>>>>  	files_read_all_pids(init_t)
>>>>>  	files_list_usr(init_t)
>>>>>  	files_list_var(init_t)
>>>>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>>>>> index ad4eb579..c05344e0 100644
>>>>> --- a/policy/modules/system/lvm.te
>>>>> +++ b/policy/modules/system/lvm.te
>>>>> @@ -25,7 +25,7 @@ domain_obj_id_change_exemption(lvm_t)
>>>>>  role system_r types lvm_t;
>>>>>  
>>>>>  type lvm_etc_t;
>>>>> -files_type(lvm_etc_t)
>>>>> +files_config_file(lvm_etc_t)
>>>>>  
>>>>>  type lvm_lock_t;
>>>>>  files_lock_file(lvm_lock_t)
>>>>> --
>>>>> 2.21.0
>>>>>
>>>>
>>
>> --
>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>> Dominick Grift
>
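Review bot: the init.te hunk adds `files_getattr_config_files(init_t)` inside the `ifdef(`init_systemd',`` block with nothing recording why init_t needs it; a one-line comment naming the systemd ConditionPath* directives (or the lvm.conf/chrony.conf denials from the commit message) would stop the next reader from treating it as surplus access, and would make clear that targets labeled with a non-configfile type will still be denied.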
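Review bot: in the lvm.te hunk, replacing `files_type(lvm_etc_t)` with `files_config_file(lvm_etc_t)` does more than fix the init_t denial: it adds the configfile attribute, so every caller of the configfile-based interfaces in files.if (files_read_config_files(), files_relabel_config_dirs(), and the new getattr one) gains that access to /etc/lvm as well. The commit message does not mention this widening; either state it there or, if only init_t should be affected, grant the access through an lvm-specific interface in lvm.if instead.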
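As an added example (not part of the thread or of the refpolicy patch), the script below triages AVC records like the two quoted above: it parses each denial, keeps only getattr-only denials from systemd running as init_t, groups the object classes per target type, and prints the init_systemd_conditional() call sketched in this mail together with the rules its body would expand to. The audit lines are reconstructed from the thread; the expansion of read_lnk_files_pattern() to read_lnk_file_perms follows refpolicy's pattern macros.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread (lvm and chronyd).
SAMPLE_AVCS = """\
type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for  pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
"""

GETATTR_ONLY = frozenset({"getattr"})


def parse_avc(line):
    """Return (perms, source type, target type, tclass, comm) for an AVC record, else None."""
    m = re.search(r"avc:\s+denied\s+\{ ([^}]*)\}", line)
    if not m:
        return None
    # key=value tokens; quoted values (comm, path) keep their quotes until stripped
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = frozenset(m.group(1).split())
    stype = fields["scontext"].split(":")[2]  # user:role:type[:level]
    ttype = fields["tcontext"].split(":")[2]
    return perms, stype, ttype, fields["tclass"], fields.get("comm", "").strip('"')


def conditional_path_denials(log):
    """Group object classes per target type for denials matching the ConditionPath*
    pattern: systemd (init_t) asking for getattr and nothing else."""
    wanted = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, stype, ttype, tclass, comm = parsed
        if stype == "init_t" and comm == "systemd" and perms <= GETATTR_ONLY:
            wanted[ttype].add(tclass)
    return {t: sorted(c) for t, c in wanted.items()}


def render_interface_calls(grouped):
    """Emit one init_systemd_conditional($1, $2) call per target type and, as comments,
    the rules its body (list dir, getattr on $2, read_lnk_files_pattern) expands to."""
    out = []
    for ttype, classes in sorted(grouped.items()):
        cls = " ".join(classes)
        out.append(f"init_systemd_conditional({ttype}, {cls})")
        out.append(f"# allow init_t {ttype}:dir list_dir_perms;")
        out.append(f"# allow init_t {ttype}:{{ {cls} }} getattr;")
        out.append(f"# allow init_t {ttype}:lnk_file read_lnk_file_perms;")
    return "\n".join(out)
```

Feed it `ausearch -m AVC` output instead of SAMPLE_AVCS to triage a real system; anything it drops (non-getattr permissions, other source domains) is not a ConditionPath* case and needs its own look.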