Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3863578ybv;
        Sun, 16 Feb 2020 07:34:54 -0800 (PST)
X-Google-Smtp-Source: APXvYqwuXAAfrNDFddD9JQjJRUZqpNwgF5WTPuANr5GjHmsVzJRKYLuSKICkYvXojb1yLlMvoIYW
X-Received: by 2002:aca:d502:: with SMTP id m2mr7329705oig.41.1581867293924;
        Sun, 16 Feb 2020 07:34:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581867293; cv=none;
        d=google.com; s=arc-20160816;
        b=btHHJ4x8A5qEJiCMX1HDx46B6NlqLzGsR+ARXvHDa+H7CrcT6OhmVTyk0SW9ecpJld
         bYWxEETpT/MKN7tlxX3rteVCT+GZzOSZlpL0Rp2uMXgbF+vrfIqux0buMyz5ki+3cWuv
         MHu1VwCMVHiQ7s8HiE+XTku35eUiYuV0y2LYR256SOSLXkOIG1S5Yy+toXTT0q5hfMjo
         Y3o4JDYTwhJjbbVaebbHlMnPDkgdZ0nLpXurmRcImvs+t5S0IHdDPL3ZJ3oJJL5PVKF+
         ncQZeQl9NZFcLGa1vNYAgqmbiaDS87x7ri1vB7vfR5FCK9ZxCAHV7GoXgA743AdZtwWi
         zMeg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:dkim-signature;
        bh=n8SXj9vuOZfw0BXwgtzSKkCM1kpmCUYTS1EIAZHmLx4=;
        b=DUfD2dOnCpU29ppiR5vPLMpB732Yi6bYan1GETT9jqPze1CMrshHTAQ1naoGAjmBEC
         tvfn/rGlBu4oFPfe+B7l+70GqUv9Tzbv8VMMGutm8mREsMH16Uaz9OBt6xnEWChDb66n
         XGOJ7foCWwzxckzDESZ36GGs4mQtfedAg95PPNlCKLBn7kyqEVATmMUu7RF2D67SDgXJ
         jGKftkzdo5F74yk0GEuDpSd3SB4bdviIvxasUXF3anemp7JYVZM07ZL5R+m33t668SnA
         TaZ+y3+d36vu58X7UUWPWbL7jJcwoDTCGLsvPS8aM8wmyNFgHReju/frU0CC7znZDeHx
         1byA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b="TpJxgda/";
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p14si6008744ota.71.2020.02.16.07.34.49;
        Sun, 16 Feb 2020 07:34:53 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b="TpJxgda/";
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728281AbgBPPeo (ORCPT <rfc822;refpolicysuse@gmail.com>
        + 13 others); Sun, 16 Feb 2020 10:34:44 -0500
Received: from mail-qk1-f193.google.com ([209.85.222.193]:35349 "EHLO
        mail-qk1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726171AbgBPPeo (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sun, 16 Feb 2020 10:34:44 -0500
Received: by mail-qk1-f193.google.com with SMTP id v2so13947842qkj.2
        for <selinux-refpolicy@vger.kernel.org>; Sun, 16 Feb 2020 07:34:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=n8SXj9vuOZfw0BXwgtzSKkCM1kpmCUYTS1EIAZHmLx4=;
        b=TpJxgda/5DZMCRiCqeoH3nYuRmwhMVVSZh/jOz1/eJzsA6woCS0OAi/YqEvcDpNdIZ
         qcXesHxqEYmOvSJdtcHvJ321OM2hC/mnnMSZGIFNxRL4vNpiXMeqUd+s7F4ko4XnUDwf
         wIQKHkS2oPHrCrJddY2F623NOKuvsZ2rbYIxI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=n8SXj9vuOZfw0BXwgtzSKkCM1kpmCUYTS1EIAZHmLx4=;
        b=knTVjeeil/M8cWiLs5TF3d02f7ZvSuLWN/aaKNRIE6vzMkuWvgjfpuwsHLd6Am4/i9
         z8bWweYKWuLEzD7tjqORQS5LA0vTZajYtwilbd42qv8lBLPFsIhCVKMNKvndM2uhKySW
         pnQWUrx/xP7du4xJkSNJL7bveEgpQeKGW5i7gVQhdbrCw0cZcYYf93tafyBJVqnGpYce
         i0kSaAznInsr3QdjGwy8S1dKi93ZKeRAvBxGWmHBV1LmCwETd0FQ6viJWY9iGLjy8q24
         35qXesQAUx+O8b5JezvB9fSyNlQ1mxTk2yI8S7I2CJIN2g1l4KWmZt9UI1DKIpcCqWxc
         1P3w==
X-Gm-Message-State: APjAAAXmqmf4qYoBVvU8N3P93r6DbIUBsZ48cPSPpMGjWthVTOkAE/q3
        ulTmkygWPGUz2GCSJjM05p/aOO9Z8Qc=
X-Received: by 2002:a05:620a:14a2:: with SMTP id x2mr11054761qkj.36.1581867282749;
        Sun, 16 Feb 2020 07:34:42 -0800 (PST)
Received: from fedora.pebenito.net (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id k4sm7201802qtj.74.2020.02.16.07.34.41
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 16 Feb 2020 07:34:42 -0800 (PST)
Subject: Re: strict patch
To:     russell@coker.com.au,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
References: <1687678.FLogphAbyu@xev>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <041061fb-7256-d549-a9a4-1e1e2f2adb38@ieee.org>
Date:   Sun, 16 Feb 2020 10:04:43 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.3.1
MIME-Version: 1.0
In-Reply-To: <1687678.FLogphAbyu@xev>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/11/20 9:43 PM, Russell Coker wrote:
> The attached patch has a bunch of minor changes which are mostly needed in a
> "strict" configuration when running with systemd.
> 
> It also removes the systemd_analyze_t domain which doesn't provide any
> benefit.  This patch is against the git refpolicy from 3 days ago and I think
> it's ready for merging.

Please inline the patch and add signed-off-by.

> Index: refpolicy-2.20200209/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20200209/policy/modules/system/userdomain.if
[...]
> @@ -110,11 +112,15 @@ template(`userdom_base_user_template',`
>  
>  	libs_exec_ld_so($1_t)
>  
> +	logging_send_syslog_msg($1_t)
> +
>  	miscfiles_read_localization($1_t)
>  	miscfiles_read_generic_certs($1_t)
>  
>  	sysnet_read_config($1_t)
>  
> +	userdom_write_all_user_runtime_named_sockets($1_t)
> +
>  	# kdeinit wants systemd status
>  	init_get_system_status($1_t)
>  

I would be ok with these in one of the other templates, but not the base 
template.


> @@ -861,6 +867,10 @@ template(`userdom_common_user_template',
>  	')
>  
>  	optional_policy(`
> +		udev_read_pid_files($1_t)
> +	')
> +
> +	optional_policy(`
>  		usernetctl_run($1_t, $1_r)
>  	')
>  

Why?


> @@ -1208,6 +1218,15 @@ template(`userdom_unpriv_user_template',
>  
>  	optional_policy(`
>  		systemd_dbus_chat_logind($1_t)
> +		systemd_use_logind_fds($1_t)
> +		systemd_dbus_chat_hostnamed($1_t)
> +		systemd_write_inherited_logind_inhibit_pipes($1_t)

What features are these needed for?


> +		# kwalletd5 inherits a socket from init
> +		init_rw_inherited_stream_socket($1_t)
> +		init_use_fds($1_t)
> +		# for polkit-kde-auth
> +		init_read_state($1_t)
>  	')
>  ')
>  
> @@ -3519,6 +3538,25 @@ interface(`userdom_delete_all_user_runti
>  ')
>  
>  ########################################
> +## <summary>
> +##	write user runtime socket files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_write_all_user_runtime_named_sockets',`
> +	gen_require(`
> +		attribute user_runtime_content_type;
> +	')
> +
> +	allow $1 user_runtime_content_type:dir list_dir_perms;
> +	allow $1 user_runtime_content_type:sock_file write;

Which processes is this related to?

> +')
> +
> +########################################
>  ## <summary>
>  ##	Create objects in the pid directory
>  ##	with an automatic type transition to
> Index: refpolicy-2.20200209/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20200209/policy/modules/roles/sysadm.te
> @@ -49,6 +49,9 @@ selinux_read_policy(sysadm_t)
>  userdom_manage_user_home_dirs(sysadm_t)
>  userdom_home_filetrans_user_home_dir(sysadm_t)
>  
> +# for systemd-analyze
> +files_get_etc_unit_status(sysadm_t)
> +
>  ifdef(`direct_sysadm_daemon',`
>  	optional_policy(`
>  		init_run_daemon(sysadm_t, sysadm_r)
> @@ -1107,6 +1110,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	systemd_dbus_chat_logind(sysadm_t)
> +')
> +
> +optional_policy(`
>  	tboot_run_txtstat(sysadm_t, sysadm_r)
>  ')
>  
> @@ -1174,6 +1181,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dev_rw_generic_usb_dev(sysadm_t)
>  	usbmodules_run(sysadm_t, sysadm_r)
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20200209/policy/modules/services/xserver.if
> @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
>  	xserver_xsession_entry_type($2)
>  	xserver_dontaudit_write_log($2)
>  	xserver_stream_connect_xdm($2)
> +	xserver_use_user_fonts($2)
>  	# certain apps want to read xdm.pid file
>  	xserver_read_xdm_pid($2)
>  	# gnome-session creates socket under /tmp/.ICE-unix/
> @@ -140,7 +141,7 @@ interface(`xserver_role',`
>  	gen_require(`
>  		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
>  		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
> -		type mesa_shader_cache_t;
> +		type mesa_shader_cache_t, xdm_t;
>  	')
>  
>  	xserver_restricted_role($1, $2)
> @@ -183,6 +184,8 @@ interface(`xserver_role',`
>  
>  	xserver_read_xkb_libs($2)
>  
> +	allow $2 xdm_t:unix_stream_socket accept;
> +
>  	optional_policy(`
>  		xdg_manage_all_cache($2)
>  		xdg_relabel_all_cache($2)
> @@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',`
>  	allow $1 xkb_var_lib_t:dir list_dir_perms;
>  	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
>  	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
> +	allow $1 xkb_var_lib_t:file map;
>  ')
>  
>  ########################################
> Index: refpolicy-2.20200209/policy/modules/services/dbus.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/dbus.if
> +++ refpolicy-2.20200209/policy/modules/services/dbus.if
> @@ -84,6 +84,7 @@ template(`dbus_role_template',`
>  
>  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
>  	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
> +	allow $1_dbusd_t $3:dbus send_msg;
>  	allow $3 $1_dbusd_t:fd use;
>  
>  	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
> @@ -99,9 +100,14 @@ template(`dbus_role_template',`
>  
>  	allow $1_dbusd_t $3:process sigkill;
>  
> +	allow $1_dbusd_t self:process getcap;
> +
>  	corecmd_bin_domtrans($1_dbusd_t, $3)
>  	corecmd_shell_domtrans($1_dbusd_t, $3)
>  
> +	dev_read_sysfs($1_dbusd_t)
> +	xdg_read_data_files($1_dbusd_t)

This xdg access needs to be optional.

> +
>  	auth_use_nsswitch($1_dbusd_t)
>  
>  	ifdef(`hide_broken_symptoms',`
> @@ -109,6 +115,11 @@ template(`dbus_role_template',`
>  	')
>  
>  	optional_policy(`
> +		init_dbus_chat($1_dbusd_t)
> +		dbus_system_bus_client($1_dbusd_t)
> +	')
> +
> +	optional_policy(`
>  		systemd_read_logind_pids($1_dbusd_t)
>  	')
>  ')
> Index: refpolicy-2.20200209/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20200209/policy/modules/services/ssh.if
> @@ -437,6 +437,7 @@ template(`ssh_role_template',`
>  		xserver_use_xdm_fds($1_ssh_agent_t)
>  		xserver_rw_xdm_pipes($1_ssh_agent_t)
>  		xserver_sigchld_xdm($1_ssh_agent_t)
> +		xserver_write_inherited_xsession_log($1_ssh_agent_t)
>  	')
>  ')
>  
> Index: refpolicy-2.20200209/policy/modules/kernel/corecommands.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/kernel/corecommands.te
> +++ refpolicy-2.20200209/policy/modules/kernel/corecommands.te
> @@ -13,7 +13,7 @@ attribute exec_type;
>  #
>  # bin_t is the type of files in the system bin/sbin directories.
>  #
> -type bin_t alias { ls_exec_t sbin_t };
> +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
>  corecmd_executable_file(bin_t)
>  dev_associate(bin_t)	#For /dev/MAKEDEV
>  
> Index: refpolicy-2.20200209/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20200209.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20200209/policy/modules/system/systemd.te
> @@ -37,10 +37,6 @@ type systemd_activate_t;
>  type systemd_activate_exec_t;
>  init_system_domain(systemd_activate_t, systemd_activate_exec_t)
>  
> -type systemd_analyze_t;
> -type systemd_analyze_exec_t;
> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
> -
>  type systemd_backlight_t;
>  type systemd_backlight_exec_t;
>  init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
> @@ -1168,6 +1164,7 @@ tunable_policy(`systemd_tmpfiles_manage_
>  ')
>  
>  optional_policy(`
> +	dbus_manage_lib_files(systemd_tmpfiles_t)
>  	dbus_read_lib_files(systemd_tmpfiles_t)
>  	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
>  ')




-- 
Chris PeBenito