From: Russell Coker
To: Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: machinectl shell policy
Date: Fri, 25 Dec 2020 16:12:24 +1100
Message-ID: <1723812.Y751QtlBzf@liv>
In-Reply-To:
References: <8322849.62pqQp6Oog@liv>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thursday, 24 December 2020 7:37:50 PM AEDT Dominick Grift wrote:
> > To enable "machinectl shell" on recent versions of systemd we need
> > something like the above policy (which is not complete or ideal, still
> > doesn't work so no point polishing it) and something for the below. What
> > is the below about?
>
> this should be thoroughly addressed. machined creates a login pty that
> gets relabeled on login as per type_change rules.

Currently it's not being relabeled on Debian, but that's a separate issue.

> > type=USER_AVC msg=audit(1608759091.934:1799): pid=324 uid=108
> > auid=4294967295 ses=4294967295
> > subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {
> > 0x2 } for msgtype=error
> > error_name=org.freedesktop.DBus.Error.FileNotFound dest=:1.18 spid=2642
> > tpid=2706 scontext=system_u:system_r:systemd_machined_t:s0
> > tcontext=bofh:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=(null) permissive=0
> > exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=?
> > terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
>
> Yes, I noticed the above as well on Debian with dbus-daemon; I don't see
> any of these on Fedora with dbus-broker.
>
> By the way, we probably shouldn't use the same dbus policy for both
> dbus-daemon and dbus-broker because they're pretty different.
>
> * dbus-broker does not check method returns (dbus-daemon does)
> * dbus-broker is systemd specific (dbus activation works via systemd)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892001

We have work in progress on dbus-broker in Debian. Would it make sense to
only support dbus-broker in SE Linux policy?

Being forced to use only 1 of the 2 dbus programs (and the newer and faster
1 of the 2) is a very small trade-off, smaller than some of the other
trade-offs for running SE Linux.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
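The USER_AVC record quoted in the thread is awkward to read because dbus-daemon reports the denied permission as a raw bit (`{ 0x2 }`) with `tclass=(null)`, and because the avc text is nested inside the outer audit record. The following parser decodes that record into fields, names the permission, states the allow rule that would be needed, and encodes the thread's point about dbus-broker not checking method returns. This is an added example and not code from the thread, from refpolicy or from systemd; the bit-to-name mapping for the `dbus` class (acquire_svc, send_msg in access-vector order) and the reading of "method returns" as covering both method_return and error replies are assumptions, marked as such in the code.

```python
"""Decode the dbus USER_AVC denial quoted in the thread (added example)."""
import re

# Constructed sample: the record quoted in the thread, with the mail
# line-wrapping removed so it is one audit line.  The trailing UID=/AUID=/
# SAUID= fields sit outside the quoted avc message, as in the original.
SAMPLE = (
    "type=USER_AVC msg=audit(1608759091.934:1799): pid=324 uid=108 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { "
    "0x2 } for msgtype=error "
    "error_name=org.freedesktop.DBus.Error.FileNotFound dest=:1.18 spid=2642 "
    "tpid=2706 scontext=system_u:system_r:systemd_machined_t:s0 "
    "tcontext=bofh:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=(null) permissive=0 "
    'exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=? '
    "terminal=?'UID=\"messagebus\" AUID=\"unset\" SAUID=\"messagebus\""
)

# Permission bits of the SELinux `dbus` object class in access-vector order
# (class dbus { acquire_svc send_msg } in refpolicy).  dbus-daemon logs the
# raw bit rather than the name, which is also why tclass shows as (null).
# Assumed mapping for this example.
DBUS_PERMS = {0x1: "acquire_svc", 0x2: "send_msg"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+")


def _kv(text):
    """key=value tokens -> dict, with surrounding double quotes stripped."""
    out = {}
    for key, val in _KV.findall(text):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def decode_perms(token):
    """Turn one entry of the `{ ... }` set into permission names: hex bits are
    decoded via DBUS_PERMS, unknown bits are kept as hex, names pass through."""
    if not token.startswith("0x"):
        return [token]
    bits = int(token, 16)
    names = [name for bit, name in sorted(DBUS_PERMS.items()) if bits & bit]
    unknown = bits & ~sum(DBUS_PERMS)
    if unknown:
        names.append(hex(unknown))
    return names


def parse_user_avc(line):
    """Split a USER_AVC record into the outer fields, the fields of the embedded
    avc message, and the trailing fields after the closing quote.  Raises
    ValueError if the record carries no 'avc: denied' message."""
    head, sep, rest = line.partition("msg='")
    if not sep:
        raise ValueError("no embedded msg='...' in record")
    inner, _, tail = rest.rpartition("'")
    m = _DENIED.search(inner)
    if not m:
        raise ValueError("record is not an avc denial")
    fields = _kv(head)
    fields.update(_kv(inner[m.end():]))
    fields.update(_kv(tail))
    perms = []
    for token in m.group(1).split():
        perms.extend(decode_perms(token))
    fields["permissions"] = perms
    return fields


def type_of(context):
    """The type component of a user:role:type[:range] context string."""
    return context.split(":")[2]


def suggested_rule(fields):
    """The allow rule that would permit exactly this denied access.  A starting
    point for policy work, to be reviewed against the intended policy design."""
    return "allow %s %s:dbus { %s };" % (
        type_of(fields["scontext"]),
        type_of(fields["tcontext"]),
        " ".join(fields["permissions"]),
    )


def checked_by_bus(bus, msgtype):
    """Whether the given bus implementation would consult SELinux for a message
    of this type.  Encodes the thread's claim that dbus-broker does not check
    method returns (assumed here to mean both method_return and error replies);
    dbus-daemon is taken to check every message type."""
    if bus == "dbus-daemon":
        return True
    if bus == "dbus-broker":
        return msgtype not in ("method_return", "error")
    raise ValueError("unknown bus implementation: %s" % bus)


def summarize(line):
    """One-line description of the denial, for triage output."""
    f = parse_user_avc(line)
    return "%s -> %s: dbus %s (msgtype=%s, via %s, checked by dbus-broker: %s)" % (
        type_of(f["scontext"]), type_of(f["tcontext"]),
        " ".join(f["permissions"]), f["msgtype"], f["exe"],
        checked_by_bus("dbus-broker", f["msgtype"]),
    )


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(suggested_rule(parse_user_avc(SAMPLE)))
```

For the quoted record the parser yields source type `systemd_machined_t`, target type `sysadm_t`, permission `send_msg` on an error reply relayed by `/usr/bin/dbus-daemon`, which matches the thread's observation that the same setup shows no denial under dbus-broker: the message type in question is one dbus-broker does not check at all.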