Subject: Re: machinectl shell policy
To: Russell Coker, Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Date: Mon, 4 Jan 2021 09:48:42 -0500
In-Reply-To: <5735537.jZnottUgFY@liv>
References: <8322849.62pqQp6Oog@liv> <1723812.Y751QtlBzf@liv> <5735537.jZnottUgFY@liv>
List-ID: selinux-refpolicy@vger.kernel.org

On 12/25/20 4:16 AM, Russell Coker wrote:
> On Friday, 25 December 2020 6:58:41 PM AEDT Dominick Grift wrote:
>> Russell Coker writes:
>>> On Thursday, 24 December 2020 7:37:50 PM AEDT Dominick Grift wrote:
>>>>> To enable "machinectl shell" on recent versions of systemd we need
>>>>> something like the above policy (which is not complete or ideal, still
>>>>> doesn't work so no point polishing it) and something for the below.
>>>>> What is the below about?
>>>>
>>>> this should be thoroughly addressed. machined creates a login pty that
>>>> gets relabeled on login as per type_change rules.
>>>
>>> Currently it's not being relabeled on Debian, but that's a separate issue.
>>
>> Maybe the required type_change rules aren't present?
>
> Here is all the policy to make it work. Maybe we should have a type like
> system_dbusd_devpts_t for this. This is not policy for inclusion, this is
> policy to discuss before writing that policy.
>
> term_user_pty(user_systemd_t, user_devpts_t)
> term_login_pty(devpts_t)
> allow user_systemd_t user_devpts_t:chr_file rw_file_perms;
>
> # for machinectl shell
> allow sysadm_t systemd_machined_t:dbus send_msg;
> systemd_manage_userdb_runtime_dirs(systemd_machined_t)
> systemd_manage_userdb_runtime_sock_files(systemd_machined_t)
> term_use_ptmx(systemd_machined_t)
> dev_getattr_fs(systemd_machined_t)
> term_getattr_pty_fs(systemd_machined_t)
> allow systemd_machined_t sysadm_t:dbus send_msg;
> allow systemd_machined_t devpts_t:chr_file rw_file_perms;
> allow system_dbusd_t systemd_machined_t:fd use;
> allow system_dbusd_t devpts_t:chr_file { read write };
> allow system_dbusd_t ptmx_t:chr_file { read write };
> allow sysadm_t systemd_machined_t:fd use;
> allow user_systemd_t shell_exec_t:file entrypoint;

The pty stuff seems to make sense, but I'm curious why there is a
transition into user_systemd_t for the shell.

> allow user_systemd_t systemd_machined_t:fd use;
> allow user_systemd_t self:process signal;
> allow user_t systemd_machined_t:fd use;
> allow user_t user_systemd_t:fifo_file { getattr write };
> allow user_t init_t:process signal;

>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892001
>>>
>>> We have work in progress on dbus-broker in Debian. Would it make sense to
>>> only support dbus-broker in SE Linux policy? Being forced to use only 1 of
>>> the 2 dbus programs (and the newer and faster 1 of the 2) is a very small
>>> trade-off, smaller than some of the other trade-offs for running SE Linux.

I'd prefer to keep both unless it becomes onerous.

>> should probably be able to support both (conditionally) but could get messy
>
> Currently we have a heap of ifdef systemd in the policy, as probably the only
> people not wanting dbus-broker will be the ones not wanting systemd we could
> include it in the same ifdef rules.

The "else" of the ifdef can work.

-- 
Chris PeBenito
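The rules Russell posted are the kind of fragment one assembles from audit.log denials while getting "machinectl shell" to work. As an added example (not code from the refpolicy project or from anyone in this thread), here is a small Python checker that matches AVC records against a candidate set of allow rules and reports which permissions each denial still lacks. It assumes refpolicy's definition of rw_file_perms, deliberately skips interface calls such as term_use_ptmx() because it does not know their expansion (so a denial only an interface would satisfy is reported as uncovered), and the AVC records embedded below are constructed for illustration, not taken from a real machine.

```python
"""Match audit.log AVC denials against candidate SELinux allow rules.

Added example, not refpolicy code. Interface calls (term_use_ptmx(...) etc.)
are ignored; only bare 'allow' statements are parsed.
"""
import re

# Assumption: refpolicy's rw_file_perms from policy/support/obj_perm_sets.spt.
PERM_SETS = {
    "rw_file_perms": {"open", "getattr", "read", "write", "append", "ioctl", "lock"},
}

# allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

# Perms, source type, target type and class from an 'avc: denied' record.
# Contexts look like user:role:type[:range]; the third field is the type.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?"
    r"scontext=\w+:\w+:(\w+).*?tcontext=\w+:\w+:(\w+).*?tclass=(\w+)"
)


def expand_perms(token):
    """'{ read write }', 'rw_file_perms' or 'signal' -> set of permission names."""
    token = token.strip()
    if token.startswith("{"):
        return set(token.strip("{}").split())
    return set(PERM_SETS.get(token, {token}))


def parse_allow_rules(policy_text):
    """Return [(source, target, class, perms)]; a 'self' target becomes the source type."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        rules.append((src, src if tgt == "self" else tgt, cls, expand_perms(perms)))
    return rules


def parse_avc(line):
    """Return (perms, source_type, target_type, class), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, stype, ttype, cls = m.groups()
    return set(perms.split()), stype, ttype, cls


def uncovered_denials(policy_text, audit_lines):
    """List (source, target, class, missing_perms) for every denial the rules do not fully cover."""
    rules = parse_allow_rules(policy_text)
    report = []
    for line in audit_lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        wanted, stype, ttype, cls = parsed
        granted = set()
        for src, tgt, rcls, perms in rules:
            if (src, tgt, rcls) == (stype, ttype, cls):
                granted |= perms
        missing = wanted - granted
        if missing:
            report.append((stype, ttype, cls, sorted(missing)))
    return report


# The bare allow rules from Russell's fragment (interface calls left out on purpose).
CANDIDATE_POLICY = """
allow user_systemd_t user_devpts_t:chr_file rw_file_perms;
allow sysadm_t systemd_machined_t:dbus send_msg;
allow systemd_machined_t sysadm_t:dbus send_msg;
allow systemd_machined_t devpts_t:chr_file rw_file_perms;
allow system_dbusd_t systemd_machined_t:fd use;
allow system_dbusd_t devpts_t:chr_file { read write };
allow system_dbusd_t ptmx_t:chr_file { read write };
allow sysadm_t systemd_machined_t:fd use;
allow user_systemd_t shell_exec_t:file entrypoint;
allow user_systemd_t systemd_machined_t:fd use;
allow user_systemd_t self:process signal;
allow user_t systemd_machined_t:fd use;
allow user_t user_systemd_t:fifo_file { getattr write };
allow user_t init_t:process signal;
"""

# Constructed audit.log records for illustration; not a real capture.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1609771700.001:101): avc:  denied  { read write } for  pid=801 comm="systemd-machine" path="/dev/pts/3" dev="devpts" ino=6 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1609771700.002:102): avc:  denied  { send_msg } for  pid=2210 comm="machinectl" scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=dbus permissive=0',
    'type=AVC msg=audit(1609771700.003:103): avc:  denied  { getattr } for  pid=801 comm="systemd-machine" name="/" dev="devpts" ino=1 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem permissive=0',
    'type=AVC msg=audit(1609771700.004:104): avc:  denied  { read write open } for  pid=650 comm="dbus-daemon" path="/dev/pts/3" dev="devpts" ino=6 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0',
    "type=USER_AVC msg=audit(1609771700.005:105): pid=650 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call scontext=system_u:system_r:systemd_machined_t:s0 tcontext=staff_u:sysadm_r:sysadm_t:s0 tclass=dbus permissive=0'",
    'type=SYSCALL msg=audit(1609771700.001:101): arch=c000003e syscall=257 success=no exit=-13',
]

if __name__ == "__main__":
    for stype, ttype, cls, missing in uncovered_denials(CANDIDATE_POLICY, SAMPLE_AUDIT):
        print(f"{stype} -> {ttype}:{cls} still needs {{ {' '.join(missing)} }}")
```

Run against the constructed records, the two uncovered items are exactly the ones a reviewer would expect: the devpts filesystem getattr that only term_getattr_pty_fs() would grant (the checker does not expand interfaces), and the open permission that "allow system_dbusd_t devpts_t:chr_file { read write }" leaves out, which is why a real denial of { read write open } would persist with that rule alone.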