Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp7089810pxu;
        Fri, 25 Dec 2020 01:19:59 -0800 (PST)
X-Google-Smtp-Source: ABdhPJy1CENH1W6FCoJ5d9d4taQKJExk+JSCLgwhfn5XdJ/V134Bw40Y7w3zpO4F5PmSoT1kYFNZ
X-Received: by 2002:aa7:d846:: with SMTP id f6mr31289668eds.55.1608887998999;
        Fri, 25 Dec 2020 01:19:58 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1608887998; cv=none;
        d=google.com; s=arc-20160816;
        b=BxoQmCPRzDTWW1E8MF1De0bg1DJsp9SqEE1ibUtV3MU6OC1VlEaPtxGqzRJYJTOthm
         X9ePZL5WouQtfVLxUsV2okZDO3UiSuVobC8gSWR+AGYLS0odajL0bvZIKLE1hhPHlt3A
         X9RizoM66m4EyW5avEgVUxbpyF84sfdn5jN05WuB4w1WhpP+J/hRAsrha32J8VTmm460
         zWDtzHICH2v0wiXEtN7sbhxb9IBaoDOrbaPMqTSoRE2cGGvxn9kI35oQr+dM0V3PsMFb
         AE24Tnze6JsAhCeM+0K7BUn1Wpnbbb09k2/uEmcHm9MnC2/Cw130ep1zRoUbFdJaKyvj
         +GoA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=YNztAzEXzfFiecsNHcMxhaxmz+bF0OhadjJmb5PAsM4=;
        b=dEmcRG5XdE8+RrRkUvW8JFIginpHUjZonUmZS1mJiToJsyAu+w4Tz/XSvf4pjjrqhw
         4m85Zyhqra6zKf9uOWBONIbRSPTMIJlwYhs8kYtEXgmFwakpp/Z+xLQyIKYUpXAO6lPg
         9kRjDAKULSBVfBEhnrcY+CjIYgD6lmIj5O/TyYCGSmd/vXdEi4eAP9yd1U2v7EtLVSXl
         THIvDr5muHluqIw+pT5dL5l+DGTQQ1xUBYNXJ1dcq2OhWycsTZnK3JVBc3VH7Z+VLBm4
         ZE6yJzbPzGGFKwR09wGKfOxSrgkfuAX8PDRdMtUhxURkAxESg6mBJLRWsRGpTXfuUW3A
         ePhQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=aBuzu5Ug;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i8si16323058edr.271.2020.12.25.01.19.51;
        Fri, 25 Dec 2020 01:19:58 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=aBuzu5Ug;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728964AbgLYJRC (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 18 others); Fri, 25 Dec 2020 04:17:02 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60340 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728843AbgLYJRB (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 25 Dec 2020 04:17:01 -0500
Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:140:71f5::dada:cafe])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2441AC061573
        for <selinux-refpolicy@vger.kernel.org>; Fri, 25 Dec 2020 01:16:21 -0800 (PST)
Received: from liv.coker.com.au (unknown [103.75.204.226])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: russell@coker.com.au)
        by smtp.sws.net.au (Postfix) with ESMTPSA id 44E0CEC7A;
        Fri, 25 Dec 2020 20:16:15 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1608887777;
        bh=YNztAzEXzfFiecsNHcMxhaxmz+bF0OhadjJmb5PAsM4=; l=2730;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=aBuzu5Ug43TECdyUx087YAcODm5C6Q9EdRcdfntYlHnavkha95JMXnjeE8eZ1SYv+
         f/JR23euUX2Qc0yvXzOeKiLtCVnuDjFRRPAQNUK1+gontWCPm8/5tz9mrJPhZCqMy+
         XktxvtqgvEA3HO2MdZGq3nDf0QE+3ZWt8dmpIoRE=
From:   Russell Coker <russell@coker.com.au>
To:     Dominick Grift <dominick.grift@defensec.nl>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: machinectl shell policy
Date:   Fri, 25 Dec 2020 20:16:07 +1100
Message-ID: <5735537.jZnottUgFY@liv>
In-Reply-To: <ypjl8s9m5nbi.fsf@defensec.nl>
References: <8322849.62pqQp6Oog@liv> <1723812.Y751QtlBzf@liv> <ypjl8s9m5nbi.fsf@defensec.nl>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Friday, 25 December 2020 6:58:41 PM AEDT Dominick Grift wrote:
> Russell Coker <russell@coker.com.au> writes:
> > On Thursday, 24 December 2020 7:37:50 PM AEDT Dominick Grift wrote:
> >> > To enable "machinectl shell" on recent versions of systemd we need
> >> > something like the above policy (which is not complete or ideal, still
> >> > doesn't work so no point polishing it) and something for the below. 
> >> > What
> >> > is the below about?
> >> 
> >> this should be thoroughly addressed. machined creates a login pty that
> >> gets relabeled on login as per type_change rules.
> > 
> > Currently it's not being relabeled on Debian, but that's a separate issue.
> 
> Maybe the required type_change rules arent present?

Here is all the policy to make it work.  Maybe we should have a type like 
system_dbusd_devpts_t for this.  This is not policy for inclusion, this is 
policy to discuss before writing that policy.

term_user_pty(user_systemd_t, user_devpts_t)
term_login_pty(devpts_t)
allow user_systemd_t user_devpts_t:chr_file rw_file_perms;

# for machinectl shell
allow sysadm_t systemd_machined_t:dbus send_msg;
systemd_manage_userdb_runtime_dirs(systemd_machined_t)
systemd_manage_userdb_runtime_sock_files(systemd_machined_t)
term_use_ptmx(systemd_machined_t)
dev_getattr_fs(systemd_machined_t)
term_getattr_pty_fs(systemd_machined_t)
allow systemd_machined_t sysadm_t:dbus send_msg;
allow systemd_machined_t devpts_t:chr_file rw_file_perms;
allow system_dbusd_t systemd_machined_t:fd use;
allow system_dbusd_t devpts_t:chr_file { read write };
allow system_dbusd_t ptmx_t:chr_file { read write };
allow sysadm_t systemd_machined_t:fd use;
allow user_systemd_t shell_exec_t:file entrypoint;
allow user_systemd_t systemd_machined_t:fd use;
allow user_systemd_t self:process signal; 
allow user_t systemd_machined_t:fd use;
allow user_t user_systemd_t:fifo_file { getattr write };
allow user_t init_t:process signal;

> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892001
> > 
> > We have work in progress on dbus-broker in Debian.  Would it make sense to
> > only support dbus-broker in SE Linux policy?  Being forced to use only 1
> > of
> > the 2 dbus programs (and the newer and faster 1 of the 2) is a very small
> > trade-off, smaller than some of the other trade-offs for running SE Linux.
> 
> should probably be able to support both (conditionally) but could get messy

Currently we have a heap of ifdef systemd in the policy, as probably the only 
people not wanting dbus-broker will be the ones not wanting systemd we could 
include it in the same ifdef rules.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/