From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH v2] Allow systemd to getattr configfile
Date: Mon, 13 Jan 2020 18:27:11 +0000
Message-ID: <20200113182658.3502291-1-dsugar@tresys.com>
x-mailer: git-send-email 2.24.1
v2 update - rework, creating interface 'init_systemd_conditional' as suggested. This grants getattr access to the type provided.

Signed-off-by: Dave Sugar
--- policy/modules/services/chronyd.te | 2 ++ policy/modules/system/init.if | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/c= hronyd.te index 5e680d39..7ae8bb5a 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t) chronyd_dgram_send_cli(chronyd_t) chronyd_read_config(chronyd_t) =20 +init_systemd_conditional(chronyd_conf_t) + optional_policy(` gpsd_rw_shm(chronyd_t) ') 
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 62ab4da8..5a0a78bf 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',` allow $1 { init_script_file_type systemdunit }:service reload; ') =20 + +######################################## +## +## Allow init_t getattr permissions. Generally +## needed for types that are used in a Condition +## predicate. +## +## +## +## type accessible by init_t +## +## +# +interface(`init_systemd_conditional',` + gen_require(` + type init_t; + ') + allow init_t $1:dir search_dir_perms; + allow init_t $1:lnk_file read_lnk_file_perms; + allow init_t $1:fifo_file getattr_fifo_file_perms; + allow init_t $1:sock_file getattr_sock_file_perms; + allow init_t $1:file getattr_file_perms; + allow init_t $1:blk_file getattr_blk_file_perms; + allow init_t $1:chr_file getattr_chr_file_perms; +') + ######################################## ## ## Allow unconfined access to send instructions to init --=20 2.24.1
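Review bot: the new `init_systemd_conditional(chronyd_conf_t)` call in chronyd.te, placed between `chronyd_read_config(chronyd_t)` and the gpsd `optional_policy` block, has no comment saying why init_t must stat chronyd's configuration type. A one-line comment naming the unit-file Condition* predicate that triggers the access, and the corresponding AVC denial in the commit message (which currently only says "as suggested"), would let a later reader judge whether the rule is still needed when the unit file changes.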
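Review bot: the interface summary ("Allow init_t getattr permissions") and the commit message ("grants getattr access") understate what `init_systemd_conditional` grants: besides `getattr_*_perms` on file, fifo_file, sock_file, blk_file and chr_file, the hunk adds `allow init_t $1:dir search_dir_perms;` and `allow init_t $1:lnk_file read_lnk_file_perms;`, which is directory search and symlink read on the type. Either say so in the summary (search and symlink read are needed for path resolution, which is reasonable for a Condition check on a path) or drop the two broader rules if the caller only ever passes file types. Separately, the `##` doc-comment lines in the interface header are bare where refpolicy's `<summary>` and `<param name="type">`/`</param>` XML normally sits; if that is not just how the mail was rendered, the interface will be missing from the generated documentation, so it is worth confirming the tags are present in the actual patch.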