Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp5563337ybv; Tue, 11 Feb 2020 18:43:49 -0800 (PST) X-Google-Smtp-Source: APXvYqwOHAIyj6FTVXv6dSR9kFIDvWiQUbNJ8xAip15hCRMtBOL5taqTKtGKLyzEgggT8aIt0qEV X-Received: by 2002:a9d:1c96:: with SMTP id l22mr302626ota.322.1581475429825; Tue, 11 Feb 2020 18:43:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581475429; cv=none; d=google.com; s=arc-20160816; b=E3VmjQr7OCjP70K17tVWTT6VcixsjwJ/7Txn13U+OoxGsfRaw4OrTbFWR+AkrCO0lu gOwCTfpf+qRtk5JXqu22EfScBbtDt4/iPlstiscaEolWZD5iQSwLCF9O3fQpp17qFLoh KC0g60Y9uJpuLfh5F/dgej7sQ3gj6dQADEITjfot5HokISvMONLA8SlQkVeBtLCr7WQE WoS8Sgd/KBm2NLHxzotHnOk7focmfiulAh6Qo2I2VjILqqGpxsRFD+2X6YMB86RFP79E 8sOjv9cjcMJJfsoVatQeNbg4Z/8bPGBstRbwv/GjZnLSGhydffkTm2t0pSvncUSoWJqt ZavQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:reply-to:to:from:dkim-signature; bh=/Vhpnvt7T92YDtZdcDTjRBQfsrj90pwhf6mHLNL0tJg=; b=Ghk4L6A341EJc1CSGoWVwdF1QgyAi7Vt1zuEoxbla6TsVAKpR5pZPnFeTPhzlowJAz QdtZIJCEA4y6wMvV35TnINfT3Nq1PKzBfHGjf1MarQn2SRN3CUhuhuP+j3Oz5VVJSHHD dT9J6kliDx/NkhxiYWe/1O0jPmdX8/1ai9QohUuhA9CydOeU/udjznozUZjfCzEJFGiV 1RIkwMUejlHhPSmMwFIhnCRTkHPDyZLYjiZHBDp/PRclSWnEXpGVoVJ0UCLtBctb90Rk tbnz1tPMwehDK2KN2qaOKkZI6a9vp4HbngNoIWXVRi3/lK9LDLV0lht2+hPycUW7DAiB Xmlw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=w8sKQh6t; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z7si2481972oid.150.2020.02.11.18.43.47; Tue, 11 Feb 2020 18:43:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=w8sKQh6t; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727584AbgBLCnr (ORCPT + 13 others); Tue, 11 Feb 2020 21:43:47 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:44328 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727535AbgBLCnr (ORCPT ); Tue, 11 Feb 2020 21:43:47 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id C5631EC4E for ; Wed, 12 Feb 2020 13:43:43 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1581475424; bh=/Vhpnvt7T92YDtZdcDTjRBQfsrj90pwhf6mHLNL0tJg=; l=8354; h=From:To:Reply-To:Subject:Date:From; b=w8sKQh6tCspNTe48GXjpC7563mNFh/Zy62X6jLYhHhK5OxH+yvDW1oH/osZglw4Yf SVUTQb8vdeHLB8y/H7/3A2MCLONXAbtTCP9FzM5QWMNlwJyBKC63y0viMyE6/ADPmL 5GsQgiRDIS/eMggeZhB3yf6ztiKJN9+cBXzv+Yr0= Received: by xev.coker.com.au (Postfix, from userid 1001) id 74699F2C83C; Wed, 12 Feb 2020 13:43:38 +1100 (AEDT) From: Russell Coker To: "selinux-refpolicy@vger.kernel.org" Reply-To: russell@coker.com.au Subject: strict patch Date: Wed, 12 Feb 2020 13:43:38 +1100 Message-ID: <1687678.FLogphAbyu@xev> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="nextPart1911665.paOEr1NIRV" Content-Transfer-Encoding: 7Bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This is a multi-part message in MIME format. --nextPart1911665.paOEr1NIRV Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" The attached patch has a bunch of minor changes which are mostly needed in a "strict" configuration when running with systemd. It also removes the systemd_analyze_t domain which doesn't provide any benefit. This patch is against the git refpolicy from 3 days ago and I think it's ready for merging. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ --nextPart1911665.paOEr1NIRV Content-Disposition: attachment; filename="strict.diff" Content-Transfer-Encoding: 7Bit Content-Type: text/x-patch; charset="UTF-8"; name="strict.diff" Index: refpolicy-2.20200209/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20200209/policy/modules/system/userdomain.if @@ -68,6 +68,8 @@ template(`userdom_base_user_template',` dontaudit $1_t user_tty_device_t:chr_file ioctl; kernel_read_kernel_sysctls($1_t) + kernel_read_crypto_sysctls($1_t) + kernel_read_vm_overcommit_sysctl($1_t) kernel_dontaudit_list_unlabeled($1_t) kernel_dontaudit_getattr_unlabeled_files($1_t) kernel_dontaudit_getattr_unlabeled_symlinks($1_t) @@ -110,11 +112,15 @@ template(`userdom_base_user_template',` libs_exec_ld_so($1_t) + logging_send_syslog_msg($1_t) + miscfiles_read_localization($1_t) miscfiles_read_generic_certs($1_t) sysnet_read_config($1_t) + userdom_write_all_user_runtime_named_sockets($1_t) + # kdeinit wants systemd status init_get_system_status($1_t) @@ -861,6 +867,10 @@ template(`userdom_common_user_template', ') optional_policy(` + udev_read_pid_files($1_t) + ') + + optional_policy(` usernetctl_run($1_t, $1_r) ') @@ -1208,6 +1218,15 @@ template(`userdom_unpriv_user_template', optional_policy(` systemd_dbus_chat_logind($1_t) + systemd_use_logind_fds($1_t) + systemd_dbus_chat_hostnamed($1_t) + systemd_write_inherited_logind_inhibit_pipes($1_t) + + # kwalletd5 inherits a socket from init + init_rw_inherited_stream_socket($1_t) + init_use_fds($1_t) + # for polkit-kde-auth + init_read_state($1_t) ') ') @@ -3519,6 +3538,25 @@ interface(`userdom_delete_all_user_runti ') ######################################## +## +## write user runtime socket files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_all_user_runtime_named_sockets',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + allow $1 user_runtime_content_type:sock_file write; +') + +######################################## ## ## Create objects in the pid directory ## with an automatic type transition to Index: refpolicy-2.20200209/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20200209/policy/modules/roles/sysadm.te @@ -49,6 +49,9 @@ selinux_read_policy(sysadm_t) userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) +# for systemd-analyze +files_get_etc_unit_status(sysadm_t) + ifdef(`direct_sysadm_daemon',` optional_policy(` init_run_daemon(sysadm_t, sysadm_r) @@ -1107,6 +1110,10 @@ optional_policy(` ') optional_policy(` + systemd_dbus_chat_logind(sysadm_t) +') + +optional_policy(` tboot_run_txtstat(sysadm_t, sysadm_r) ') @@ -1174,6 +1181,7 @@ optional_policy(` ') optional_policy(` + dev_rw_generic_usb_dev(sysadm_t) usbmodules_run(sysadm_t, sysadm_r) ') Index: refpolicy-2.20200209/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/xserver.if +++ refpolicy-2.20200209/policy/modules/services/xserver.if @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',` xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) + xserver_use_user_fonts($2) # certain apps want to read xdm.pid file xserver_read_xdm_pid($2) # gnome-session creates socket under /tmp/.ICE-unix/ @@ -140,7 +141,7 @@ interface(`xserver_role',` gen_require(` type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - type mesa_shader_cache_t; + type mesa_shader_cache_t, xdm_t; ') xserver_restricted_role($1, $2) @@ -183,6 +184,8 @@ interface(`xserver_role',` xserver_read_xkb_libs($2) + allow $2 xdm_t:unix_stream_socket accept; + optional_policy(` xdg_manage_all_cache($2) xdg_relabel_all_cache($2) @@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',` allow $1 xkb_var_lib_t:dir list_dir_perms; read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) + allow $1 xkb_var_lib_t:file map; ') ######################################## Index: refpolicy-2.20200209/policy/modules/services/dbus.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/dbus.if +++ refpolicy-2.20200209/policy/modules/services/dbus.if @@ -84,6 +84,7 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:unix_stream_socket connectto; allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; + allow $1_dbusd_t $3:dbus send_msg; allow $3 $1_dbusd_t:fd use; allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; @@ -99,9 +100,14 @@ template(`dbus_role_template',` allow $1_dbusd_t $3:process sigkill; + allow $1_dbusd_t self:process getcap; + corecmd_bin_domtrans($1_dbusd_t, $3) corecmd_shell_domtrans($1_dbusd_t, $3) + dev_read_sysfs($1_dbusd_t) + xdg_read_data_files($1_dbusd_t) + auth_use_nsswitch($1_dbusd_t) ifdef(`hide_broken_symptoms',` @@ -109,6 +115,11 @@ template(`dbus_role_template',` ') optional_policy(` + init_dbus_chat($1_dbusd_t) + dbus_system_bus_client($1_dbusd_t) + ') + + optional_policy(` systemd_read_logind_pids($1_dbusd_t) ') ') Index: refpolicy-2.20200209/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20200209.orig/policy/modules/services/ssh.if +++ refpolicy-2.20200209/policy/modules/services/ssh.if @@ -437,6 +437,7 @@ template(`ssh_role_template',` xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) xserver_sigchld_xdm($1_ssh_agent_t) + xserver_write_inherited_xsession_log($1_ssh_agent_t) ') ') Index: refpolicy-2.20200209/policy/modules/kernel/corecommands.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/kernel/corecommands.te +++ refpolicy-2.20200209/policy/modules/kernel/corecommands.te @@ -13,7 +13,7 @@ attribute exec_type; # # bin_t is the type of files in the system bin/sbin directories. # -type bin_t alias { ls_exec_t sbin_t }; +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t }; corecmd_executable_file(bin_t) dev_associate(bin_t) #For /dev/MAKEDEV Index: refpolicy-2.20200209/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20200209.orig/policy/modules/system/systemd.te +++ refpolicy-2.20200209/policy/modules/system/systemd.te @@ -37,10 +37,6 @@ type systemd_activate_t; type systemd_activate_exec_t; init_system_domain(systemd_activate_t, systemd_activate_exec_t) -type systemd_analyze_t; -type systemd_analyze_exec_t; -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) - type systemd_backlight_t; type systemd_backlight_exec_t; init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) @@ -1168,6 +1164,7 @@ tunable_policy(`systemd_tmpfiles_manage_ ') optional_policy(` + dbus_manage_lib_files(systemd_tmpfiles_t) dbus_read_lib_files(systemd_tmpfiles_t) dbus_relabel_lib_dirs(systemd_tmpfiles_t) ') --nextPart1911665.paOEr1NIRV--