Subject: Re: [PATCH v3] Allow systemd to getattr all files
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
References: <20200123124037.969990-1-dsugar@tresys.com>
From: Chris PeBenito
Message-ID: <76882587-a7a3-a210-49fd-b3234441620e@ieee.org>
Date: Sat, 8 Feb 2020 09:41:56 -0500
In-Reply-To: <20200123124037.969990-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/23/20 7:40 AM, Sugar, David wrote:
> Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which
> are used to check various path/file/directory to control starting a
> service. But this requires getattr permissions on the types.
> Example denials that fit the problem.
>
> The first example is from lvm when accessing a config file.
>
> type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for
> pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
>
> This second example is from chronyd, but it is happening because I added
> the conditional in a drop-in file.
>
> type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for
> pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
>
> v3 - rework to not use interface and allow getattr for all files
>
> Signed-off-by: Dave Sugar
> ---
>  policy/modules/system/init.te | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 281d4fd2..c772ff40 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -335,6 +335,11 @@ ifdef(`init_systemd',`
>  	domain_subj_id_change_exemption(init_t)
>  	domain_role_change_exemption(init_t)
> 
> +	files_getattr_all_dirs(init_t)
> +	files_getattr_all_files(init_t)
> +	files_getattr_all_pipes(init_t)
> +	files_getattr_all_sockets(init_t)
> +	files_read_all_symlinks(init_t)
>  	files_read_all_pids(init_t)
>  	files_list_usr(init_t)
>  	files_list_var(init_t)

Sorry for the delay. Merged.

-- 
Chris PeBenito
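Review bot: the hunk grants more than the commit message justifies. The description motivates getattr on files and directories for systemd's ConditionPath.*/ConditionFile.*/ConditionDir* checks, and the v3 note says "allow getattr for all files", yet besides files_getattr_all_dirs(init_t) and files_getattr_all_files(init_t) the hunk also adds files_getattr_all_pipes(init_t), files_getattr_all_sockets(init_t) and files_read_all_symlinks(init_t). Both quoted denials are tclass=file getattr, so there is no denial on the list backing the pipe, socket or symlink-read additions. Either drop those three calls until a denial shows they are needed, or extend the commit message with the reason for each (for example, that a condition path that passes through a symlink needs lnk_file read for init_t to resolve it), so the record of why init_t gets attribute visibility over the whole filesystem is preserved in the log.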
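Added example, not part of the thread and not refpolicy code: a small Python parser for AVC denial lines like the two quoted in the patch description. It extracts the permissions, the source and target types and the object class, groups the denials by (source type, target type, class), and renders the minimal raw allow rules they imply, which is the usual first step before deciding which refpolicy interface (as in the patch) should carry the access. The sample log lines below are constructed from the two denials quoted above; the function and regex names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the patch description,
# each on a single line as the audit log actually writes them.
SAMPLE_DENIALS = """\
type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    fields['perms'] = m.group('perms').split()
    # permissive=1 means the access was audited but not actually blocked
    fields['enforced'] = fields.get('permissive') == '0'
    return fields


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(':')[2]


def summarize(lines):
    """Group denials into (source type, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d['scontext']), context_type(d['tcontext']), d['tclass'])
        summary[key].update(d['perms'])
    return summary


def allow_rules(summary):
    """Render each group as a raw SELinux allow rule, sorted for stable output."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in summary.items()
    )


if __name__ == '__main__':
    groups = summarize(SAMPLE_DENIALS.splitlines())
    for rule in allow_rules(groups):
        print(rule)
```

The output is two rules, one per target type, each asking only for getattr on the file class; that is the access the patch supplies for every file type at once through files_getattr_all_files(init_t). Note that the chronyd line carries permissive=1, so it records an audit-only event rather than a blocked access; grouping both kinds together is fine for deriving policy, but the enforced flag lets a triage script report them separately.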