Subject: Re: [PATCH v2] Allow systemd to getattr configfile
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
References: <20200113182658.3502291-1-dsugar@tresys.com>
From: Chris PeBenito
Message-ID: <413d1a7d-224f-49eb-6a51-dab0a6227804@ieee.org>
Date: Tue, 21 Jan 2020 08:42:54 -0500
In-Reply-To: <20200113182658.3502291-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/13/20 1:27 PM, Sugar, David wrote:
> v2 update - rework, creating interface 'init_systemd_conditional'
> as suggested. This grants getattr access to the type provided.
>
> Signed-off-by: Dave Sugar
> ---
>  policy/modules/services/chronyd.te |  2 ++
>  policy/modules/system/init.if      | 26 ++++++++++++++++++++++++++
>  2 files changed, 28 insertions(+)
>
> diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
> index 5e680d39..7ae8bb5a 100644
> --- a/policy/modules/services/chronyd.te
> +++ b/policy/modules/services/chronyd.te
> @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
>  chronyd_dgram_send_cli(chronyd_t)
>  chronyd_read_config(chronyd_t)
>
> +init_systemd_conditional(chronyd_conf_t)
> +
>  optional_policy(`
>  	gpsd_rw_shm(chronyd_t)
>  ')
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 62ab4da8..5a0a78bf 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
>  	allow $1 { init_script_file_type systemdunit }:service reload;
>  ')
>
> +
> +########################################
> +##
> +##	Allow init_t getattr permissions.  Generally
> +##	needed for types that are used in a Condition
> +##	predicate.
> +##
> +##
> +##
> +##	type accessible by init_t
> +##
> +##
> +#
> +interface(`init_systemd_conditional',`

systemd_ConditionPath is a more preferable name.

> +	gen_require(`
> +		type init_t;
> +	')
> +	allow init_t $1:dir search_dir_perms;
> +	allow init_t $1:lnk_file read_lnk_file_perms;
> +	allow init_t $1:fifo_file getattr_fifo_file_perms;
> +	allow init_t $1:sock_file getattr_sock_file_perms;
> +	allow init_t $1:file getattr_file_perms;
> +	allow init_t $1:blk_file getattr_blk_file_perms;
> +	allow init_t $1:chr_file getattr_chr_file_perms;
> +')
> +
>  ########################################
>  ##
>  ##	Allow unconfined access to send instructions to init

-- 
Chris PeBenito
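Review bot: the new call `init_systemd_conditional(chronyd_conf_t)` in the chronyd.te hunk carries no comment saying which unit file or which Condition directive makes systemd stat chrony's configuration, so a later reader cannot tell when the rule can be dropped; add a one-line comment above the call naming the unit and the Condition line that needs it. Since the access exists only for systemd's Condition predicates, the call should also sit inside `ifdef(`init_systemd',`...')` so that sysvinit builds of the policy do not carry it.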
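Review bot: in the init.if hunk the summary "Allow init_t getattr permissions" understates what the interface grants: `allow init_t $1:dir search_dir_perms;` also gives search and open on directories of the type, and `allow init_t $1:lnk_file read_lnk_file_perms;` gives read on symlinks, so the description should say that init_t may search directories and follow symlinks labelled with the type as well as getattr objects of it (the search is needed when a Condition path passes through such a directory, so keep it but document it). Two smaller points: the extra `+` blank line added before the `########` banner leaves two blank lines after `init_reload_all_units` where the rest of the file separates interfaces with one, so drop it; and because the interface is only meaningful under systemd, wrapping its body in `ifdef(`init_systemd',`...')` would keep the rules out of non-systemd policies.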