From: Russell Coker
To: Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches
Date: Fri, 22 Jan 2021 13:24:53 +1100
Message-ID: <3798733.Xe6EjoDzsm@liv>
In-Reply-To: <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
References: <1730727.gRP4Mpsj7r@liv> <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Friday, 22 January 2021 12:35:42 AM AEDT Dominick Grift wrote:
> >>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> >>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> >>>
> >>>  init_dbus_chat(sshd_t)
> >>>  systemd_dbus_chat_logind(sshd_t)
> >>>  init_rw_stream_sockets(sshd_t)
> >>>
> >>> + systemd_read_logind_sessions_files(sshd_t)
> >>
> >> This should probably be addressed on the lower authlogin level instead
> >
> > auth_login_pgm_domain()?
>
> I would consider adding it to auth_use_pam(). But it's a good question.
>
> > In another patch I have systemd_connect_machined(sshd_t) which I guess
> > should go in the same one too.
>
> Which patch was that?

A patch I haven't sent to the list yet.

> That does not look right, if only that the name of
> the interface isn't very descriptive (there is no way unix stream connect
> or unix dgram sendto machined).
>
> So this is either about systemd's nss mymachines (in which case it
> belongs in auth_use_nsswitch()) or about reading systemd
> /var/run/machines, in which case the interface name is wrong.

I don't have the libnss-systemd or libnss-mymachines packages installed on the
machines that are giving this; /etc/nsswitch.conf hasn't been changed since
2018.  When I comment out the pam_systemd.so line from
/etc/pam.d/common-session that access isn't required.  So it's a PAM thing.

+interface(`systemd_connect_machined',`
+	gen_require(`
+		type systemd_machined_t;
+	')
+
+	allow $1 systemd_machined_t:unix_stream_socket connectto;
+')

Should I put this access in systemd_stream_connect_userdb()?  The socket file
is /run/systemd/userdb/io.systemd.Machine and is labelled as
systemd_userdb_runtime_t.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
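Review bot: the `+ systemd_read_logind_sessions_files(sshd_t)` line in the ssh.te hunk is placed in the `ifdef(`init_systemd',`` block of the sshd module with no comment saying which component needs it, while the discussion traces the access to pam_systemd.so in /etc/pam.d/common-session rather than to sshd itself. Any login program that runs that PAM stack will hit the same denial, so the call belongs in a shared authlogin interface (auth_use_pam() or auth_login_pgm_domain(), as raised in the quoted replies) and the ssh.te hunk should be dropped in favour of that; if it stays here, add a one-line comment naming pam_systemd as the reason.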
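Review bot: in the `systemd_connect_machined` interface, `allow $1 systemd_machined_t:unix_stream_socket connectto;` on its own does not let a domain reach a named socket: the caller also needs write access to the sock_file (and search on its directory), which the reply says is /run/systemd/userdb/io.systemd.Machine labelled systemd_userdb_runtime_t. refpolicy's `stream_connect_pattern()` grants all three together, so the bare allow should become `stream_connect_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t, systemd_machined_t)` (assuming the directory carries the same label as the socket file). Since the socket lives in the userdb directory, folding this into the existing systemd_stream_connect_userdb(), as the reply itself proposes, is preferable to a new interface whose name says "machined" and no longer describes what is being accessed. The interface is also missing the `## <summary>` and `## <param>` documentation block that refpolicy .if files carry for every interface.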