Date: Thu, 9 Jan 2020 22:42:40 +0100
From: Dominick Grift
To: Chris PeBenito
Cc: refpolicy
Subject: Re: [RFC] refining systemd mountpoints
Message-ID: <20200109214240.GA2283901@brutus.lan>
In-Reply-To: <3418ebca-80c0-b10e-c0a2-a80427fdbf71@ieee.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thu, Jan 09, 2020 at 04:06:38PM -0500, Chris PeBenito wrote:
> I'd like to refine how the policy handles systemd's mounton so that it works
> similar to how we manage mountpoints for mount_t.
> Since systemd can be made
> to mount over just about anything, I'm looking at adding a new conditional
> that would allow init_t to mounton non_security_file_type, and then an
> interface like files_mountpoint().
>
> The question is for the implementation of the interface; I see two options,
> either the interface allows mounton for all file-like classes, or the
> classes are specified as a parameter:
>
> --------
> init.te:
> attribute init_mountpoint_type;
> allow init_t init_mountpoint_type:dir_file_class_set mounton;
>
> init.if:
> interface(`init_mountpoint',`
>     typeattribute $1 init_mountpoint_type;
> ')
> --------
>
> or
>
> --------
> init.if:
> interface(`init_mountpoint',`
>     allow init_t $1:$2 mounton;
> ')
> --------
>
> I like the first option because it is clearer since you can see the mounton
> in init.te, but that is excessive access. The second option could be made
> to look like the first option, but it would need several attributes and
> interfaces, e.g. init_dir_mountpoint_type, init_file_mountpoint_type, etc.
> which isn't so desirable.
>
> Any thoughts on this?

I implemented the former in my policy, i.e. the dir_file_class_set equivalent:

    (allow subj bind_path_obj_type_attribute (dirs (create)))
    (allow subj bind_path_obj_type_attribute list_dir_perms)
    (allow subj bind_path_obj_type_attribute (dir (mounton)))
    (allow subj bind_path_obj_type_attribute create_file_perms)
    (allow subj bind_path_obj_type_attribute (file (mounton)))

As you can see I even allow systemd to create the mountpoint in case it does
not exist. For example if /etc/machine-id does not exist and I have a
BindReadOnlyPath=/etc/machine-id then systemd will touch /etc/machine-id and
mount it ro.

It is also generally buggy. Systemd does not (always) use setfscreatecon to
create the mountpoints. And sometimes it does use setfscreatecon where it
shouldn't.
https://github.com/systemd/systemd/issues/13762

>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
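As an added sketch in refpolicy's own syntax (not code from the RFC, the reply, or refpolicy itself), this shows how the second option could be consumed so that each mountpoint grants only the classes it needs, with the broad non_security_file_type grant placed behind a tunable the way mount_t's is; the tunable name init_mount_anyfile, the use of gen_tunable/tunable_policy for the conditional, and etc_t being in scope for the caller are assumptions.

```m4
# init.if: option 2 from the RFC, the caller names the classes it needs
interface(`init_mountpoint',`
	gen_require(`
		type init_t;
	')

	allow init_t $1:$2 mounton;
')

# init.te: the broad grant exists only when an admin turns it on
# (tunable name is hypothetical; non_security_file_type is written
# inline here, refpolicy convention would reach it through an
# interface in files.if)
## <desc>
## <p>
## Allow systemd to mount over any non-security file or directory.
## </p>
## </desc>
gen_tunable(init_mount_anyfile, false)

tunable_policy(`init_mount_anyfile',`
	allow init_t non_security_file_type:dir_file_class_set mounton;
')

# Caller module: the /etc/machine-id case from the thread. A read-only
# bind mount of a single file needs file mounton on etc_t, nothing more.
init_mountpoint(etc_t, file)

# A directory bind mount under the same type asks for dir as well;
# the class set stays visible at the call site instead of expanding
# to every class in dir_file_class_set.
init_mountpoint(etc_t, { dir file })
```

On a built policy, `sesearch -A -s init_t -p mounton` then lists exactly which types and classes systemd may mount over, which is the footprint the RFC's "excessive access" concern is about.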