Subject: Re: strict patch
To: russell@coker.com.au, "selinux-refpolicy@vger.kernel.org"
References: <1687678.FLogphAbyu@xev>
From: Chris PeBenito
Message-ID: <041061fb-7256-d549-a9a4-1e1e2f2adb38@ieee.org>
Date: Sun, 16 Feb 2020 10:04:43 -0500
In-Reply-To: <1687678.FLogphAbyu@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/11/20 9:43 PM, Russell Coker wrote:
> The attached patch has a bunch of minor changes which are mostly needed in a
> "strict" configuration when running with systemd.
>
> It also removes the systemd_analyze_t domain which doesn't provide any
> benefit. This patch is against the git refpolicy from 3 days ago and I think
> it's ready for merging.

Please inline the patch and add signed-off-by.

> Index: refpolicy-2.20200209/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20200209/policy/modules/system/userdomain.if [...] > @@ -110,11 +112,15 @@ template(`userdom_base_user_template',` > > libs_exec_ld_so($1_t) > > + logging_send_syslog_msg($1_t) > + > miscfiles_read_localization($1_t) > miscfiles_read_generic_certs($1_t) > > sysnet_read_config($1_t) > > + userdom_write_all_user_runtime_named_sockets($1_t) > + > # kdeinit wants systemd status > init_get_system_status($1_t) > I would be ok with these in one of the other templates, but not the base template. > @@ -861,6 +867,10 @@ template(`userdom_common_user_template', > ') > > optional_policy(` > + udev_read_pid_files($1_t) > + ') > + > + optional_policy(` > usernetctl_run($1_t, $1_r) > ') > Why? 
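Review bot: userdom_write_all_user_runtime_named_sockets($1_t) in the userdom_base_user_template hunk (@@ -110) is much broader than its position suggests: user_runtime_content_type is an attribute spanning every user's runtime content, so every domain built from the base template, restricted ones included, gets write on the runtime sock_files of all other users, not only its own. It belongs in the template of the role that actually needs it, with a "# for <program>" comment like the kdeinit line just below it; logging_send_syslog_msg($1_t) in the same hunk should likewise name what a base user domain logs to syslog.

Review bot: udev_read_pid_files($1_t) in the userdom_common_user_template hunk (@@ -861) has no comment saying which user program reads udev's runtime data, while the additions elsewhere in the patch that touch a daemon's state do name the consumer (kwalletd5, polkit-kde-auth, systemd-analyze). Add a "# for <program>" line above it so the rule can be revisited when that program changes.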
> @@ -1208,6 +1218,15 @@ template(`userdom_unpriv_user_template', > > optional_policy(` > systemd_dbus_chat_logind($1_t) > + systemd_use_logind_fds($1_t) > + systemd_dbus_chat_hostnamed($1_t) > + systemd_write_inherited_logind_inhibit_pipes($1_t) What features are these needed for? > + # kwalletd5 inherits a socket from init > + init_rw_inherited_stream_socket($1_t) > + init_use_fds($1_t) > + # for polkit-kde-auth > + init_read_state($1_t) > ') > ') > > @@ -3519,6 +3538,25 @@ interface(`userdom_delete_all_user_runti > ') > > ######################################## > +## > +## write user runtime socket files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_write_all_user_runtime_named_sockets',` > + gen_require(` > + attribute user_runtime_content_type; > + ') > + > + allow $1 user_runtime_content_type:dir list_dir_perms; > + allow $1 user_runtime_content_type:sock_file write; Which processes is this related to? > +') > + > +######################################## > ## > ## Create objects in the pid directory > ## with an automatic type transition to > Index: refpolicy-2.20200209/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20200209/policy/modules/roles/sysadm.te > @@ -49,6 +49,9 @@ selinux_read_policy(sysadm_t) > userdom_manage_user_home_dirs(sysadm_t) > userdom_home_filetrans_user_home_dir(sysadm_t) > > +# for systemd-analyze > +files_get_etc_unit_status(sysadm_t) > + > ifdef(`direct_sysadm_daemon',` > optional_policy(` > init_run_daemon(sysadm_t, sysadm_r) > @@ -1107,6 +1110,10 @@ optional_policy(` > ') > > optional_policy(` > + systemd_dbus_chat_logind(sysadm_t) > +') > + > +optional_policy(` > tboot_run_txtstat(sysadm_t, sysadm_r) > ') 
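Review bot: in the userdom_unpriv_user_template hunk (@@ -1208) the init_* calls (init_rw_inherited_stream_socket, init_use_fds, init_read_state) are interfaces of the init module, not the systemd module, so they should not sit inside the optional_policy block that guards systemd_dbus_chat_logind; keep them outside it under their own "# kwalletd5 inherits a socket from init" / "# for polkit-kde-auth" comments. The three new systemd_* lines have no comment at all; systemd_write_inherited_logind_inhibit_pipes in particular should say which desktop component takes inhibitor locks.

Review bot: the new userdom_write_all_user_runtime_named_sockets interface (@@ -3519) grants only `allow $1 user_runtime_content_type:sock_file write;` plus directory listing, which is the file-side half of connecting to a named Unix socket: the caller still needs connectto on the listening domain's unix_stream_socket, and nothing in the interface says which listener that is. The summary "write user runtime socket files" should state that the attribute covers all users' runtime content, not just the caller's, and name the intended peer; and list_dir_perms is only warranted if callers really enumerate the runtime dirs, otherwise search_dir_perms is the minimum.

Review bot: files_get_etc_unit_status(sysadm_t) with its "# for systemd-analyze" comment in the sysadm.te hunk (@@ -49) is only meaningful together with the removal of systemd_analyze_t later in this patch, because systemd-analyze then runs in the caller's domain; record that dependency in the comment (e.g. "# systemd-analyze now runs in the caller's domain") so the two changes are not separated later.

Review bot: systemd_dbus_chat_logind(sysadm_t) in the second sysadm.te hunk (@@ -1107) needs a comment naming the admin tool that talks to logind over D-Bus; the other new optional_policy blocks in this file carry none either, but an unexplained chat rule to logind from the admin role is the kind of line that gets cargo-culted.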
> > @@ -1174,6 +1181,7 @@ optional_policy(` > ') > > optional_policy(` > + dev_rw_generic_usb_dev(sysadm_t) > usbmodules_run(sysadm_t, sysadm_r) > ') > > Index: refpolicy-2.20200209/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20200209/policy/modules/services/xserver.if > @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',` > xserver_xsession_entry_type($2) > xserver_dontaudit_write_log($2) > xserver_stream_connect_xdm($2) > + xserver_use_user_fonts($2) > # certain apps want to read xdm.pid file > xserver_read_xdm_pid($2) > # gnome-session creates socket under /tmp/.ICE-unix/ > @@ -140,7 +141,7 @@ interface(`xserver_role',` > gen_require(` > type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; > type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; > - type mesa_shader_cache_t; > + type mesa_shader_cache_t, xdm_t; > ') > > xserver_restricted_role($1, $2) > @@ -183,6 +184,8 @@ interface(`xserver_role',` > > xserver_read_xkb_libs($2) > > + allow $2 xdm_t:unix_stream_socket accept; > + > optional_policy(` > xdg_manage_all_cache($2) > xdg_relabel_all_cache($2) > @@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',` > allow $1 xkb_var_lib_t:dir list_dir_perms; > read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > + allow $1 xkb_var_lib_t:file map; > ') > > ######################################## > Index: refpolicy-2.20200209/policy/modules/services/dbus.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/services/dbus.if > +++ refpolicy-2.20200209/policy/modules/services/dbus.if 
> @@ -84,6 +84,7 @@ template(`dbus_role_template',` > > allow $3 $1_dbusd_t:unix_stream_socket connectto; > allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; > + allow $1_dbusd_t $3:dbus send_msg; > allow $3 $1_dbusd_t:fd use; > > allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; > @@ -99,9 +100,14 @@ template(`dbus_role_template',` > > allow $1_dbusd_t $3:process sigkill; > > + allow $1_dbusd_t self:process getcap; > + > corecmd_bin_domtrans($1_dbusd_t, $3) > corecmd_shell_domtrans($1_dbusd_t, $3) > > + dev_read_sysfs($1_dbusd_t) > + xdg_read_data_files($1_dbusd_t) This xdg access needs to be optional. > + > auth_use_nsswitch($1_dbusd_t) > > ifdef(`hide_broken_symptoms',` > @@ -109,6 +115,11 @@ template(`dbus_role_template',` > ') > > optional_policy(` > + init_dbus_chat($1_dbusd_t) > + dbus_system_bus_client($1_dbusd_t) > + ') > + > + optional_policy(` > systemd_read_logind_pids($1_dbusd_t) > ') > ') > Index: refpolicy-2.20200209/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20200209/policy/modules/services/ssh.if > @@ -437,6 +437,7 @@ template(`ssh_role_template',` > xserver_use_xdm_fds($1_ssh_agent_t) > xserver_rw_xdm_pipes($1_ssh_agent_t) > xserver_sigchld_xdm($1_ssh_agent_t) > + xserver_write_inherited_xsession_log($1_ssh_agent_t) > ') > ') > > Index: refpolicy-2.20200209/policy/modules/kernel/corecommands.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/kernel/corecommands.te > +++ refpolicy-2.20200209/policy/modules/kernel/corecommands.te 
> @@ -13,7 +13,7 @@ attribute exec_type; > # > # bin_t is the type of files in the system bin/sbin directories. > # > -type bin_t alias { ls_exec_t sbin_t }; > +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t }; > corecmd_executable_file(bin_t) > dev_associate(bin_t) #For /dev/MAKEDEV > > Index: refpolicy-2.20200209/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20200209.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20200209/policy/modules/system/systemd.te > @@ -37,10 +37,6 @@ type systemd_activate_t; > type systemd_activate_exec_t; > init_system_domain(systemd_activate_t, systemd_activate_exec_t) > > -type systemd_analyze_t; > -type systemd_analyze_exec_t; > -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) > - > type systemd_backlight_t; > type systemd_backlight_exec_t; > init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) > @@ -1168,6 +1164,7 @@ tunable_policy(`systemd_tmpfiles_manage_ > ') > > optional_policy(` > + dbus_manage_lib_files(systemd_tmpfiles_t) > dbus_read_lib_files(systemd_tmpfiles_t) > dbus_relabel_lib_dirs(systemd_tmpfiles_t) > ') -- Chris PeBenito
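Review bot: dev_rw_generic_usb_dev(sysadm_t) in the sysadm.te hunk (@@ -1174) is a kernel-layer dev interface, not a usbmodules one, so it should not sit inside the optional_policy block for usbmodules_run: if the usbmodules module is absent sysadm loses the access for no reason, and if it is present the rule reads as though usbmodules required it. Move it out of the block and add a comment naming the tool that opens the generic USB device nodes.

Review bot: `allow $2 xdm_t:unix_stream_socket accept;` in the xserver_role hunk (@@ -183) is a raw rule on a foreign type inside a role interface, which is why xdm_t had to be added to the gen_require block (@@ -140); refpolicy keeps such access behind a named xserver_* interface next to xserver_stream_connect_xdm so the role template does not need to know about xdm_t. It also needs a comment: accept on a socket owned by xdm_t means the user session accepts incoming connections on a listening socket created by the display manager, which is unusual enough to state which program does it.

Review bot: the added `allow $1 xkb_var_lib_t:file map;` in xserver_read_xkb_libs (@@ -1251) restates part of the read_files_pattern line above it as a raw rule; the idiomatic change is to replace `read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)` with `mmap_read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)`, which grants read and map together.

Review bot: in the dbus_role_template hunk (@@ -99) xdg_read_data_files($1_dbusd_t) must go into an optional_policy block, since xdg is an optional module and dbus.if has to build without it; dev_read_sysfs($1_dbusd_t) and `allow $1_dbusd_t self:process getcap;` each need a comment saying what the session bus does that requires them.

Review bot: dbus_system_bus_client($1_dbusd_t) in the next dbus_role_template hunk (@@ -109) is the dbus module's own interface being called from inside dbus.if, so it needs no optional_policy wrapper; only init_dbus_chat($1_dbusd_t) does, and putting both under one guard hides that one of the calls is always available. Add a comment for why a per-user session bus is a client of the system bus and chats with init.

Review bot: the new systemd_analyze_exec_t alias on bin_t in corecommands.te keeps existing labels loadable but carries no comment; note that it is retained for compatibility after the systemd_analyze_t removal, and drop any remaining file context entry for systemd_analyze_exec_t in the same patch instead of relying on the alias to keep it valid.

Review bot: removing only the type declarations of systemd_analyze_t in the systemd.te hunk (@@ -37) is complete only if nothing else in the tree references systemd_analyze_t: any remaining rule or interface for that type must go in the same patch or the build breaks (systemd_analyze_exec_t survives through the alias, systemd_analyze_t does not). The commit message should also justify "doesn't provide any benefit", i.e. that systemd-analyze ends up running in the caller's domain and what that caller gains, which is what the files_get_etc_unit_status(sysadm_t) hunk is for.

Review bot: dbus_manage_lib_files(systemd_tmpfiles_t) in the last systemd.te hunk (@@ -1168) subsumes the dbus_read_lib_files(systemd_tmpfiles_t) on the following line, so replace the read call rather than adding above it, and say in a comment which tmpfiles.d entry makes systemd-tmpfiles create or delete files under the dbus lib directory; the hunk context shows a tunable_policy(`systemd_tmpfiles_manage_... block just above, so consider whether write access to another daemon's state belongs under that tunable rather than unconditionally.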