Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp3771378ybl; Mon, 13 Jan 2020 02:18:34 -0800 (PST) X-Google-Smtp-Source: APXvYqwelOebeqWkMm7utNRNTSpiJ3yglo2xUigNwOmdLUMkAJ7x/wfJKmHxiinyrQCwpXvvHbF6 X-Received: by 2002:a05:6830:160c:: with SMTP id g12mr12062226otr.82.1578910714680; Mon, 13 Jan 2020 02:18:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578910714; cv=none; d=google.com; s=arc-20160816; b=MajFLGhgdLY6q3mZ0zHwx2Jvt70E91IBkEICGV9EgdT88CVwlIF79c90o2MSUKcpk4 bb1qAX/4+2lILQCiikBGVsFNqvE9/8f10Le0+U1UZbTXrQFALo5HG3hsL1A4Ga++paBr Bz/2r8XaK6+B7ZjpcAxdus4gFDBHBDgfb8ATErNGQEiT3vPOrk3lrVNz/gH+cwG1nSpj uMcmbNcSmtsPLbsTggV+4/VvuuuMCXRBgAJn0oDbztHziZvVqWBfu6Q3qIIkbP6vs7Cs jPNqbSealOjmiKlo8hgwOtyCRHSHzDRNKDaFZ3IMMbJEwxsdNUwUHdHRUb+BoWWbCG+6 +iQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:to:from:date:dkim-signature; bh=cBymlZCL9Jjq5iWM9e0kaomHCwOsVbUdUSMcBnwHJO8=; b=xVx+3lh/76vwVT9y8PPsjrc01DP8WWpMiw1m54UBOeTl8UV8VNDh5sFxG/eDHJX0zn bYPaeP0VfB659jUaSARFOZjHQ++ehQbWz3vpONNiRXg2km+hpMRInhEX+zroRyeINdud ErE292mNOwbqnDIc7Kkv4A1Gx8J4MHa19rkjBu2RVlnqe2FhhmnWRz06RKzthAm87WsQ tYJLcxYCQ4lQOv6uaOBUFc+JB4ryy9LtbQiI6g5ghIXInKrRURa9k2SMl1QCBcBljTIw lx4tK2NA+HQ5kFZgdSyIS70BdT48bdEM9Q1roQqCZM4irJqFDkObjPK/wW1uI6ek6sZd cL2A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="j5YMbwZ/"; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q1si6690853oti.234.2020.01.13.02.18.31; Mon, 13 Jan 2020 02:18:34 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="j5YMbwZ/"; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725992AbgAMKSa (ORCPT + 12 others); Mon, 13 Jan 2020 05:18:30 -0500 Received: from mail-wr1-f42.google.com ([209.85.221.42]:43833 "EHLO mail-wr1-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725978AbgAMKSa (ORCPT ); Mon, 13 Jan 2020 05:18:30 -0500 Received: by mail-wr1-f42.google.com with SMTP id d16so7900195wre.10 for ; Mon, 13 Jan 2020 02:18:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to:user-agent; bh=cBymlZCL9Jjq5iWM9e0kaomHCwOsVbUdUSMcBnwHJO8=; b=j5YMbwZ/0iGOIoXDoK6AFd+p2LVEd9Hkx9u/zfw3FkuIosSZ+XsoTxPjVKZPuPKSh5 9geDWWGG2FSTCEw0cv5H0MqoXG+PJ4w1ydIXUysbo4odIpTs+nMVRnwEtKDwDo/kECWf GEdUovQ8SH8ZmIP1rgpoJDgxoovPj0ehWUZSTLxJFcT5OsLCXl8QDX2spRDje7YtpKDc IcKaz/edBf4ZqciSe6tFfN/Ewd2uTVbZjiSC3F0Cal1yg1nmDRjcNUSXiZNPquA9reIX 5iJcQGaGS8OYYKG6DTeMpJbYsgrMBCeWBd0K8L/360iiruDyB3bZbGyNfR+0YJfjiJhi dsDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:mail-followup-to :references:mime-version:content-disposition:in-reply-to:user-agent; bh=cBymlZCL9Jjq5iWM9e0kaomHCwOsVbUdUSMcBnwHJO8=; b=p85gZEXd4L8kR3i7O5zo1hzM46gBsdeVoJ/vJXQrmlDPp/RzVE9MGAq4dPuVs4do+s W/wWVL4kHAxenLhvbOECM8wGQ7C6mK+25o/6ZqQBF+FIGluX1wg6oKEmrSQOmyAfrx01 c3aPxzogL2rAUt5Fn289ajgKhaHNLcA+40/XMuLckULxLMtmT7fJMNniLGpcvH/t7mV4 GgZzuerTfeMYCiYmIHyu6cFbgIwa0QEfzuBMlx+2xFcVxJvGC1esi5UA3c4MNoWffRAs JWPSj+Qt4MbJtwMrfkmKD05NW4LUBDHNX0VOnb1zvk4anVYuXcL8l+mEX45IxIqtRPVz SGHA== X-Gm-Message-State: APjAAAWMXxL158/bG1/4JqvtSNUHxU5W5aOPlNjKCFK6IaI1Fr20Uani qwn3049BUHqrkaNzUjEILzg= X-Received: by 2002:adf:e3c1:: with SMTP id k1mr17040768wrm.151.1578910708095; Mon, 13 Jan 2020 02:18:28 -0800 (PST) Received: from brutus.lan (brutus.defensec.nl. [2001:985:d55d::438]) by smtp.gmail.com with ESMTPSA id m126sm14033165wmf.7.2020.01.13.02.18.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Jan 2020 02:18:27 -0800 (PST) Date: Mon, 13 Jan 2020 11:18:25 +0100 From: Dominick Grift To: Chris PeBenito , refpolicy Subject: Re: [RFC] refining systemd mountpoints Message-ID: <20200113101825.GA892428@brutus.lan> Mail-Followup-To: Chris PeBenito , refpolicy References: <3418ebca-80c0-b10e-c0a2-a80427fdbf71@ieee.org> <20200109214240.GA2283901@brutus.lan> <20200113094210.GB870816@brutus.lan> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="pWyiEgJYm5f9v55/" Content-Disposition: inline In-Reply-To: <20200113094210.GB870816@brutus.lan> User-Agent: Every email client sucks, this one just sucks less. X-PGP-Key: https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org --pWyiEgJYm5f9v55/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jan 13, 2020 at 10:42:10AM +0100, Dominick Grift wrote: > On Thu, Jan 09, 2020 at 10:42:40PM +0100, Dominick Grift wrote: > > On Thu, Jan 09, 2020 at 04:06:38PM -0500, Chris PeBenito wrote: > > > I'd like to refine how the policy handles systemd's mounton so that i= t works > > > similar to how we manage mountpoints for mount_t. Since systemd can b= e made > > > to mount over just about anything, I'm looking at adding a new condit= ional > > > that would allow init_t to mounton non_security_file_type, and then an > > > interface like files_mountpoint(). > > >=20 > > > The question is for the implementation of the interface; I see two op= tions, > > > either the interface allows mounton for all file-like classes, or the > > > classes are specified as a parameter: > > >=20 > > > -------- > > > init.te: > > > attribute init_mountpoint_type; > > > allow init_t init_mountpoint_type:dir_file_class_set mounton; > > >=20 > > > init.if: > > > interface(`init_mountpoint',` > > > typeattribute $1 init_mountpoint_type; > > > ') To be clear: I like this option: 1. You can BindPath/BindReadOnlyPath/BindReadWritePath/InaccessiblePath *an= y* file in theory. So dir_file_class_set seems appropriate. 2. You might wat to extend it just a little though: allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton }; allow init_t init_mountpoint_type:dir search_dir_perms; > > > -------- > > >=20 > > > or > > >=20 > > > -------- > > > init.if: > > > interface(`init_mountpoint',` > > > allow init_t $1:$2 mounton; > > > ') > > > -------- > > >=20 > > > I like the first option because it is clearer since you can see the m= ounton > > > in init.te, but that is excessive access. The second option could be= made > > > to look like the first option, but it would need several attributes a= nd > > > interfaces, e.g. init_dir_mountpoint_type, init_file_mountpoint_type,= etc. > > > which isn't so desirable. > > >=20 > > > Any thoughts on this? > >=20 > > I implemented the former in my policy. ie the dir_file_class_set equiv.. > >=20 > > 4163 (allow subj bind_path_obj_type_attribute (dirs (crea= te))) > > 4164 (allow subj bind_path_obj_type_attribute list_dir_pe= rms) > > 4165 (allow subj bind_path_obj_type_attribute (dir (mount= on))) > > 4166 (allow subj bind_path_obj_type_attribute create_file= _perms) > > 4167 (allow subj bind_path_obj_type_attribute (file (moun= ton))) > >=20 > > As you can see i even allow systemd to create the mountpoint in case it= does not exist. For example if /etc/machine-id does not exist and I have a= BindReadOnlyPath=3D/etc/machine-id then systemd will touch /etc/machine-id= and mount it ro >=20 >=20 > Okay, I think I am wrong. It will not create the bind_path if it does not= exist. Not sure how I got to this... >=20 > >=20 > > It also generally buggy. Systemd does not (alway's) use setfscreatecon = to create the mountpoints. And sometimes it does use setfscreatecon where i= t shouldnt. > >=20 > > https://github.com/systemd/systemd/issues/13762 > >=20 > > >=20 > > > --=20 > > > Chris PeBenito > >=20 > > --=20 > > Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > > https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6= B02 > > Dominick Grift >=20 >=20 >=20 > --=20 > Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02 > Dominick Grift --=20 Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02 Dominick Grift --pWyiEgJYm5f9v55/ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAl4cQ+wACgkQJXSOVTf5 R2nf9Av7BGpQC8WaegcnLzZYxWt4hoUMQkU/7pl18dw+saYVfEA+rZa6u775HGu3 9fAg7/gO+KvLf0i3UFNEUW6RMqLsDP30AO7+KczddWHAk430mo4W7M5MUaLXXzNT koA+BZd3YLogvBVgR/4tQXGqhLt3vusImJr+59cHX/45ngwdrIUqNuDIGQyghNtX e7OkVFVuIxp+5r5ouH1xaFJdLKwab8wJSdxlITM6x6NhFPtfFQLMILInCcwk2jQm EyTe0UnhRTs9/NhrDb0OfZKg8YJyc9UwLavH+JE8209CkI/R4FOdRlS+ThfmgYfn GzFzaEc7nmB91WoaGTpfw43BoifywxRtYo+1KPrjEKNrGNugG54bFbLGOhre+p/H 2BktD0UoPWmzGMfVUFqxxLrLOY5txCBv2brxkdJ4jkFOD7tMSqDAm1mmaaTyX220 FJOYr1yEyzZqiqtz9k4FBXFxC0YxJH3rnBTraa+yMITb7TMc+9XDOw8oGoF2NzR5 VH3qU0/Q =Jkyy -----END PGP SIGNATURE----- --pWyiEgJYm5f9v55/--