From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH v3] Allow systemd to getattr all files
Date: Thu, 23 Jan 2020 12:40:49 +0000
Message-ID: <20200123124037.969990-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which are
used to check various paths/files/directories to control starting a
service. But this requires getattr permissions on the types.

Example denials that fit the problem. The first example is from lvm,
where it is accessing a config file.

type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0

This second example is from chronyd, but it is happening because I added
the conditional in a drop-in file.

type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1

v3 - rework to not use interface and allow getattr for all files

Signed-off-by: Dave Sugar
---
 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 281d4fd2..c772ff40 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -335,6 +335,11 @@ ifdef(`init_systemd',`
 	domain_subj_id_change_exemption(init_t)
 	domain_role_change_exemption(init_t)
 
+	files_getattr_all_dirs(init_t)
+	files_getattr_all_files(init_t)
+	files_getattr_all_pipes(init_t)
+	files_getattr_all_sockets(init_t)
+	files_read_all_symlinks(init_t)
 	files_read_all_pids(init_t)
 	files_list_usr(init_t)
 	files_list_var(init_t)
-- 
2.24.1
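Review bot: the hunk grants far more than the subject line states and the commit message does not justify the width of the grant. The subject says "getattr all files", but the added lines also give init_t getattr on all directories, pipes and sockets plus read on all symlinks (files_getattr_all_dirs, files_getattr_all_pipes, files_getattr_all_sockets, files_read_all_symlinks), while the two denials cited are both tclass=file getattr on a single config type each (lvm_etc_t, chronyd_conf_t). Either trim the hunk to what the Condition* checks actually need, or update the subject and body to list each class being opened and why. The v3 note ("rework to not use interface") should also record the reasoning that the checks are evaluated by PID 1 in init_t for any unit, so per-type interfaces would not scale; that is the argument for a system-wide grant and it belongs in the log, not just in the list thread. Note also that the second denial was captured with permissive=1, so it shows the access was attempted, not that it was the only access needed; a permissive=0 reproduction of the chronyd case would make the evidence match the first example.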