From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: another memlockd patch
Date: Fri, 10 Apr 2020 10:10:57 +0200
In-Reply-To: <20200410060317.GB35896@xev> (Russell Coker's message of "Fri, 10 Apr 2020 16:03:17 +1000")
List-ID: selinux-refpolicy@vger.kernel.org

Russell Coker writes:
> Signed-off-by: Russell Coker
>
> I think this resolves all issues Chris raised.
>
>
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc > =================================================================== > --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.fc
> @@ -0,0 +1 @@ > +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0) > Index: refpolicy-2.20200410/policy/modules/services/memlockd.if > =================================================================== > --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.if > @@ -0,0 +1,2 @@ > +## memory lock daemon, keeps important files in RAM. > + > Index: refpolicy-2.20200410/policy/modules/services/memlockd.te > =================================================================== > --- /dev/null > +++ refpolicy-2.20200410/policy/modules/services/memlockd.te 
> @@ -0,0 +1,37 @@ > +policy_module(memlockd, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type memlockd_t; > +type memlockd_exec_t; > +init_daemon_domain(memlockd_t, memlockd_exec_t) > + > +######################################## > +# > +# Local policy > +# > + > +allow memlockd_t self:capability { setgid setuid ipc_lock }; > +allow memlockd_t self:fifo_file rw_file_perms; > +allow memlockd_t self:unix_dgram_socket { create connect };

The unix dgram socket creation is probably redundant and implied with logging_send_logs_msg() as journald uses dgram_sendto for logging?

> + > +# cache /etc/shadow too > +auth_read_shadow(memlockd_t)

Hmm, since /etc/shadow is mode 000, how is memlock able to read this without cap_dac_read_search access? Is that implied?

> +auth_map_shadow(memlockd_t) > + > +corecmd_exec_all_executables(memlockd_t) > +corecmd_exec_bin(memlockd_t) > +corecmd_exec_shell(memlockd_t) > +corecmd_read_all_executables(memlockd_t) > +corecmd_search_bin(memlockd_t) > +files_read_etc_files(memlockd_t) > +libs_exec_ld_so(memlockd_t) > +files_map_etc_files(memlockd_t) > + > +logging_send_syslog_msg(memlockd_t) > +miscfiles_read_localization(memlockd_t) > + > +sysnet_mmap_read_config(memlockd_t) > Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if > +++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if > @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',` > > ####################################### > ## > +## map network config files. > +## > +## > +##

> +## Allow the specified domain to mmap the > +## general network configuration files. > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`sysnet_mmap_read_config',` > + gen_require(` > + type net_conf_t; > + ') > + > + files_search_etc($1) > + allow $1 net_conf_t:file mmap_read_file_perms; > +') > + > +####################################### > +## > ## Do not audit attempts to read network config files. > ## > ## > Index: refpolicy-2.20200410/policy/modules/system/authlogin.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if > +++ refpolicy-2.20200410/policy/modules/system/authlogin.if > @@ -577,6 +577,23 @@ interface(`auth_read_shadow',` > > ######################################## > ## > +## Map the shadow passwords file (/etc/shadow) > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`auth_map_shadow',` > + gen_require(` > + type shadow_t; > + ') > + allow $1 shadow_t:file map; > +') > + > +######################################## > +## > ## Pass shadow assertion for reading. > ## > ##

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
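Review bot: in the memlockd.if hunk the file carries only the summary comment and declares no interfaces, so no other domain can be granted a transition to memlockd_t or administrative access over it; that is acceptable for a self-contained daemon, but if an admin interface is intended it belongs here rather than in a later follow-up.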
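Review bot: in the memlockd.te hunk the corecmd block is over-specified: `corecmd_exec_all_executables(memlockd_t)` already grants execute (and with it read and directory search) on every executable type, which appears to make `corecmd_exec_bin`, `corecmd_exec_shell`, `corecmd_read_all_executables` and `corecmd_search_bin` redundant; keep either the single all-executables call or the narrower bin/shell pair, not both. Two smaller points: `files_map_etc_files(memlockd_t)` sits after `libs_exec_ld_so` and breaks the alphabetical order the rest of the block follows, so move it next to `files_read_etc_files`; and since the `# cache /etc/shadow too` lines mean the daemon holds the password hashes in locked memory by default, it is worth saying in the comment why that is wanted, or gating `auth_read_shadow`/`auth_map_shadow` behind a tunable so deployments that do not lock shadow need not grant it.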
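Review bot: in the sysnetwork.if hunk the new interface is inserted right after an existing `sysnet_mmap_config_files` (visible in the hunk header), and `sysnet_mmap_read_config` grants `mmap_read_file_perms` on the same `net_conf_t`, so it is not clear what it adds; either call the existing interface from memlockd.te or state in the summary how the two differ. The summary `map network config files.` also understates the grant, since `mmap_read_file_perms` includes read as well as map; say "read and map" so the documentation matches the allow rule.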
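Review bot: in the authlogin.if hunk `auth_map_shadow` grants `shadow_t:file map` outright, while the context lines show that read access to shadow is backed by an assertion ("Pass shadow assertion for reading" immediately below); a mapped shadow file discloses its contents just as a read does, so either route this through the same assertion mechanism or add a comment explaining why map is exempt. Style-wise, the body runs `')` straight into `allow $1 shadow_t:file map;` with no blank line after `gen_require`, unlike the sysnetwork.if hunk in the same patch; add the blank line for consistency.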