Date: Mon, 13 Jan 2020 10:42:10 +0100
From: Dominick Grift
To: Chris PeBenito, refpolicy
Subject: Re: [RFC] refining systemd mountpoints
Message-ID: <20200113094210.GB870816@brutus.lan>

On Thu, Jan 09, 2020 at 10:42:40PM +0100, Dominick Grift wrote:
> On Thu, Jan 09, 2020 at 04:06:38PM -0500, Chris PeBenito wrote:
> > I'd like to refine how the policy handles systemd's mounton so that it works
> > similar to how we manage mountpoints for mount_t. Since systemd can be made
> > to mount over just about anything, I'm looking at adding a new conditional
> > that would allow init_t to mounton non_security_file_type, and then an
> > interface like files_mountpoint().
> >
> > The question is for the implementation of the interface; I see two options,
> > either the interface allows mounton for all file-like classes, or the
> > classes are specified as a parameter:
> >
> > --------
> > init.te:
> > attribute init_mountpoint_type;
> > allow init_t init_mountpoint_type:dir_file_class_set mounton;
> >
> > init.if:
> > interface(`init_mountpoint',`
> > 	typeattribute $1 init_mountpoint_type;
> > ')
> > --------
> >
> > or
> >
> > --------
> > init.if:
> > interface(`init_mountpoint',`
> > 	allow init_t $1:$2 mounton;
> > ')
> > --------
> >
> > I like the first option because it is clearer since you can see the mounton
> > in init.te, but that is excessive access. The second option could be made
> > to look like the first option, but it would need several attributes and
> > interfaces, e.g. init_dir_mountpoint_type, init_file_mountpoint_type, etc.
> > which isn't so desirable.
> >
> > Any thoughts on this?
>
> I implemented the former in my policy, i.e. the dir_file_class_set equiv.
>
> (allow subj bind_path_obj_type_attribute (dirs (create)))
> (allow subj bind_path_obj_type_attribute list_dir_perms)
> (allow subj bind_path_obj_type_attribute (dir (mounton)))
> (allow subj bind_path_obj_type_attribute create_file_perms)
> (allow subj bind_path_obj_type_attribute (file (mounton)))
>
> As you can see I even allow systemd to create the mountpoint in case it does
> not exist. For example if /etc/machine-id does not exist and I have a
> BindReadOnlyPath=/etc/machine-id then systemd will touch /etc/machine-id and
> mount it ro

Okay, I think I am wrong. It will not create the bind_path if it does not exist. Not sure how I got to this...

>
> It is also generally buggy. Systemd does not (always) use setfscreatecon to
> create the mountpoints. And sometimes it does use setfscreatecon where it
> shouldn't.
>
> https://github.com/systemd/systemd/issues/13762
>
> >
> > --
> > Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
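
The per-class layout mentioned in the quoted proposal (one attribute and one interface per object class, so the mounton rules stay visible in init.te without granting every file-like class), sketched as an added example that is not code from this thread or from refpolicy. The boolean name init_mounton_non_security_example, the interfaces init_dir_mountpoint and init_file_mountpoint, and the type example_runtime_t are hypothetical; files_mounton_non_security() is assumed to be provided by files.if.

```m4
########################################
# init.te (sketch)

## <desc>
## <p>
## Allow init_t to mount over any non-security file type.
## Hypothetical boolean name, used only in this example.
## </p>
## </desc>
gen_tunable(init_mounton_non_security_example, false)

# One attribute per object class, so a type is only mountable
# as the class its module asked for.
attribute init_dir_mountpoint_type;
attribute init_file_mountpoint_type;

allow init_t init_dir_mountpoint_type:dir mounton;
allow init_t init_file_mountpoint_type:file mounton;

tunable_policy(`init_mounton_non_security_example',`
	# Broad grant, off by default (assumes this files.if interface).
	files_mounton_non_security(init_t)
')

########################################
# init.if (sketch)

interface(`init_dir_mountpoint',`
	gen_require(`
		attribute init_dir_mountpoint_type;
	')

	typeattribute $1 init_dir_mountpoint_type;
')

interface(`init_file_mountpoint',`
	gen_require(`
		attribute init_file_mountpoint_type;
	')

	typeattribute $1 init_file_mountpoint_type;
')

########################################
# caller module (sketch): example_runtime_t is a hypothetical type
init_dir_mountpoint(example_runtime_t)
```

After building, `sesearch -A -s init_t -p mounton` lists the resulting rules, which makes the granted classes easy to compare against the dir_file_class_set variant.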