Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp353377ybb;
        Fri, 10 Apr 2020 01:11:08 -0700 (PDT)
X-Google-Smtp-Source: APiQypKqF1RDK3CaB2eyKS93AE+8bVKbGBSqAoin4bVWyggNzF22pOsOiQgYdDiMSUCx/zM0A8tP
X-Received: by 2002:aed:37a8:: with SMTP id j37mr3416242qtb.272.1586506267990;
        Fri, 10 Apr 2020 01:11:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586506267; cv=none;
        d=google.com; s=arc-20160816;
        b=I/8qXELcnKXXLLCCI2LS7iz3xbv9ZXabbVahMbfcUf3GXEuW9OkRoN5JqVLp4y06WA
         WNw49EEYVTfIsEmGP7mCqfK1QWyF668f130Bc7Tyfw0ABlYSVGcN9i5fX3avNGbTHmc1
         9JaNTJEKc7z8kNtJk+erkFiUT3uTjVUxICf1hLo00e4iGMj0IvYJZFfqHW3+u26ew0MD
         09knLrT8zuik1OCExJRbxpmPOr8QkCm7nML1GD/PlLPOptt74IAltvakMvQJO6c8Zx6O
         /8uWJPKzw9N+FIP5JPxTzIDY5NRuOmIAaqHRvlzgbs0e6NAxOHuoyjbXAtUMXd3pK/Lu
         rVVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:message-id
         :in-reply-to:date:references:subject:cc:to:from;
        bh=cheKAH+Hn4g9+xPEARHpk+DxPJYrd26yUrI7QtCLRZw=;
        b=VsXulYMcAjHRrz/eB+2yKmFyB7p6DY41dK8FnXBGCR7l8LwJxub4q90uXXddnp4N8b
         2Ao7dMuVGocetex3xJFEosoXsmfM8qHdEAxtJrThhPvy4SONbRRQXqnhBssyD0bxtobX
         GciiO3FSgybxyhx3HwGHj3UQN3ya7mJ08/AiZgpyYeCdVovQQafqmKdAacWtScRCv1+e
         Swhutav68L0N0Md85FaGB9HgoxJpalgvwYzDWMWX+qXbwFOhDeypH0qsjRDdawwkSnnb
         TZeyTCUYPsShZV9PsN+j1VWBNLHH54DPSE5Ib3u2BH+uvjMpSxD9FcyNuIcgM38ffnV/
         fJtw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 2si629596qvb.68.2020.04.10.01.11.05;
        Fri, 10 Apr 2020 01:11:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725912AbgDJILB (ORCPT <rfc822;toiwoton@gmail.com> + 13 others);
        Fri, 10 Apr 2020 04:11:01 -0400
Received: from agnus.defensec.nl ([80.100.19.56]:60896 "EHLO agnus.defensec.nl"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725839AbgDJILB (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 10 Apr 2020 04:11:01 -0400
Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438])
        by agnus.defensec.nl (Postfix) with ESMTPSA id AB7952A0DAC;
        Fri, 10 Apr 2020 10:11:00 +0200 (CEST)
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: another memlockd patch
References: <20200410060317.GB35896@xev>
Date:   Fri, 10 Apr 2020 10:10:57 +0200
In-Reply-To: <20200410060317.GB35896@xev> (Russell Coker's message of "Fri, 10
        Apr 2020 16:03:17 +1000")
Message-ID: <ypjl369bn4ku.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker <russell@coker.com.au> writes:

> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> I think this resolves all issues Chris raised.
>
>
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.fc
> @@ -0,0 +1 @@
> +/usr/sbin/memlockd	--	gen_context(system_u:object_r:memlockd_exec_t,s0)
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.if
> @@ -0,0 +1,2 @@
> +## <summary>memory lock daemon, keeps important files in RAM.</summary>
> +
> Index: refpolicy-2.20200410/policy/modules/services/memlockd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200410/policy/modules/services/memlockd.te
> @@ -0,0 +1,37 @@
> +policy_module(memlockd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type memlockd_t;
> +type memlockd_exec_t;
> +init_daemon_domain(memlockd_t, memlockd_exec_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow memlockd_t self:capability { setgid setuid ipc_lock };
> +allow memlockd_t self:fifo_file rw_file_perms;
> +allow memlockd_t self:unix_dgram_socket { create connect };

the unix dgram socket creating is probably redundant and implied with
logging_send_logs_msg() as journald uses dgram_sendto for logging?

> +
> +# cache /etc/shadow too
> +auth_read_shadow(memlockd_t)

Hmm since /etc/shadow is mode 000, how is memlock able to read this
without cap_dac_read_search access. is that implied?

> +auth_map_shadow(memlockd_t)
> +
> +corecmd_exec_all_executables(memlockd_t)
> +corecmd_exec_bin(memlockd_t)
> +corecmd_exec_shell(memlockd_t)
> +corecmd_read_all_executables(memlockd_t)
> +corecmd_search_bin(memlockd_t)
> +files_read_etc_files(memlockd_t)
> +libs_exec_ld_so(memlockd_t)
> +files_map_etc_files(memlockd_t)
> +
> +logging_send_syslog_msg(memlockd_t)
> +miscfiles_read_localization(memlockd_t)
> +
> +sysnet_mmap_read_config(memlockd_t)
> Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if
> @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
>  
>  #######################################
>  ## <summary>
> +##	map network config files.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to mmap the
> +##	general network configuration files.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_mmap_read_config',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 net_conf_t:file mmap_read_file_perms;
> +')
> +
> +#######################################
> +## <summary>
>  ##	Do not audit attempts to read network config files.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20200410/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20200410/policy/modules/system/authlogin.if
> @@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
>  
>  ########################################
>  ## <summary>
> +##	Map the shadow passwords file (/etc/shadow)
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_map_shadow',`
> +	gen_require(`
> +		type shadow_t;
> +	')
> +	allow $1 shadow_t:file map;
> +')
> +
> +########################################
> +## <summary>
>  ##	Pass shadow assertion for reading.
>  ## </summary>
>  ## <desc>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift