Subject: Re: [PATCH v2] Allow systemd to getattr configfile
To: "Sugar, David" , "selinux-refpolicy@vger.kernel.org"
References: <20200113182658.3502291-1-dsugar@tresys.com> <413d1a7d-224f-49eb-6a51-dab0a6227804@ieee.org>
From: Chris PeBenito
Message-ID: <39df5cdf-d7c4-fd23-2c5b-71c7679a55d5@ieee.org>
Date: Wed, 22 Jan 2020 05:41:42 -0500
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/21/20 9:22 AM, Sugar, David wrote:
> On 1/21/20 8:42 AM, Chris PeBenito wrote:
>> On 1/13/20 1:27 PM, Sugar, David wrote:
>>> v2 update - rework, creating interface 'init_systemd_conditional'
>>> as suggested.  This grants getattr access to the type provided.
>>>
>>> Signed-off-by: Dave Sugar
>>> ---
>>>   policy/modules/services/chronyd.te |  2 ++
>>>   policy/modules/system/init.if      | 26 ++++++++++++++++++++++++++
>>>   2 files changed, 28 insertions(+)
>>>
>>> diff --git a/policy/modules/services/chronyd.te
>>> b/policy/modules/services/chronyd.te
>>> index 5e680d39..7ae8bb5a 100644
>>> --- a/policy/modules/services/chronyd.te
>>> +++ b/policy/modules/services/chronyd.te
>>> @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
>>>   chronyd_dgram_send_cli(chronyd_t)
>>>   chronyd_read_config(chronyd_t)
>>> +init_systemd_conditional(chronyd_conf_t)
>>> +
>>>   optional_policy(`
>>>       gpsd_rw_shm(chronyd_t)
>>>   ')
>>> diff --git a/policy/modules/system/init.if
>>> b/policy/modules/system/init.if
>>> index 62ab4da8..5a0a78bf 100644
>>> --- a/policy/modules/system/init.if
>>> +++ b/policy/modules/system/init.if
>>> @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
>>>       allow $1 { init_script_file_type systemdunit }:service reload;
>>>   ')
>>> +
>>> +########################################
>>> +##
>>> +##      Allow init_t getattr permissions.  Generally
>>> +##      needed for types that are used in a Condition
>>> +##      predicate.
>>> +##
>>> +##
>>> +##
>>> +##      type accessible by init_t
>>> +##
>>> +##
>>> +#
>>> +interface(`init_systemd_conditional',`
>>
>> systemd_ConditionPath is a more preferable name.
>>
>
> I'm a little confused about the suggested name. I think this interface
> belongs in init.if due to the requiring of init_t. Due to this, I think
> it should have the init_ prefix. I also don't think there are any camel
> case interface names.
>
> Is the name 'init_systemd_condition_path' acceptable? Or are some of my
> assumptions wrong?

No, you're right, my mistake.

However, this makes me reconsider the previous discussion on this. Is it
really an issue for systemd to be able to getattr all files? Condition*
works in many cases already since systemd already has lots of access all
over the filesystem.

-- 
Chris PeBenito
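Review bot: in the chronyd.te hunk, `+init_systemd_conditional(chronyd_conf_t)` is the only call in the chronyd_t rules block that takes the config file type rather than the domain, and nothing in the hunk records why init_t must see chronyd_conf_t; a short comment above the call naming the chronyd unit's Condition* check that stats the config file would make the intent clear, and a blank line before the call (it is added directly under `chronyd_read_config(chronyd_t)`) would keep init_* calls separated from the chronyd_* group in the usual refpolicy layout.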
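Review bot: in the init.if hunk, the doc block above `+interface(`init_systemd_conditional',`` says only "Allow init_t getattr permissions" and describes the parameter as "type accessible by init_t", so a caller cannot tell which object classes the getattr is granted on (a Condition* path check can point at a directory as well as a file) and "accessible" overstates a getattr-only grant; state the class(es) in the summary, say which systemd Condition* directives the interface is meant to support, and word the parameter as the type that init_t may getattr. The interface body is not in the quoted hunk, so the actual allow rule could not be checked here, and the rename to init_systemd_condition_path agreed below should be carried into this doc block and the chronyd.te call together.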