From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches
Date: Fri, 22 Jan 2021 08:02:13 +0100
Message-ID: <5a0604c0-edc3-5fff-d02c-547c59382a2f@defensec.nl>
In-Reply-To: <3798733.Xe6EjoDzsm@liv>
References: <1730727.gRP4Mpsj7r@liv> <60db511b-f9a3-5489-182b-88a0b727b9c2@defensec.nl> <3798733.Xe6EjoDzsm@liv>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/22/21 3:24 AM, Russell Coker wrote:
> On Friday, 22 January 2021 12:35:42 AM AEDT Dominick Grift wrote:
>>>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>>>
>>>>> init_dbus_chat(sshd_t)
>>>>> systemd_dbus_chat_logind(sshd_t)
>>>>> init_rw_stream_sockets(sshd_t)
>>>>>
>>>>> + systemd_read_logind_sessions_files(sshd_t)
>>>>
>>>> This should probably be addressed on the lower authlogin level instead
>>>
>>> auth_login_pgm_domain()?
>>
>> I would consider adding it to auth_use_pam(). But it's a good question.
>>
>>> In another patch I have systemd_connect_machined(sshd_t) which I guess
>>> should go in the same one too.
>>
>> Which patch was that?
>
> A patch I haven't sent to the list yet.
>
>> That does not look right, if only because the name of
>> the interface isn't very descriptive (there is no way to unix stream connect
>> or unix dgram sendto machined).
>>
>> So this is either about systemd's nss mymachines (in which case it
>> belongs in auth_use_nsswitch()) or about reading systemd
>> /var/run/machines, in which case the interface name is wrong.
>
> I don't have the libnss-systemd or libnss-mymachines packages installed on the
> machines that are giving this, /etc/nsswitch.conf hasn't been changed since
> 2018.
>
> When I comment out the pam_systemd.so line from /etc/pam.d/common-session that
> access isn't required. So it's a PAM thing.
>
> +interface(`systemd_connect_machined',`
> + gen_require(`
> + type systemd_machined_t;
> + ')
> +
> + allow $1 systemd_machined_t:unix_stream_socket connectto;
> +')
>
> Should I put this access in systemd_stream_connect_userdb()? The socket file
> is /run/systemd/userdb/io.systemd.Machine and is labelled as
> systemd_userdb_runtime_t.
>

I forgot about this functionality. From systemd-machined.service:

For each container registered with systemd-machined.service that employs user namespacing, users/groups are synthesized for the used UIDs/GIDs. These are made available to the system using the User/Group Record Lookup API via Varlink[4], and thus may be resolved with userdbctl(1) or the usual glibc NSS calls.

So this is "nss password/group", similar to DynamicUser, I guess.

What I did in my personal policy is create a machined_unix_stream_connect_userdb (roughly):

https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/systemd/systemd_machine.cil;h=9ea214e7d124e2be4254e57c7bf78e09914db7bf;hb=HEAD#l72

and then call that in auth_use_nsswitch() optionally (because if you don't have machined then you don't need this).
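Review bot: The `+ systemd_read_logind_sessions_files(sshd_t)` line in the ssh.te hunk grants the access at the wrong layer. The thread establishes that the need comes from pam_systemd.so in /etc/pam.d/common-session, not from anything sshd-specific, so it belongs in the shared PAM interface (auth_use_pam() in the authlogin module was suggested) where every login program that loads pam_systemd picks it up, rather than being added to sshd_t alone and then rediscovered for each other PAM-using domain.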
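Review bot: In the quoted `systemd_connect_machined` interface, `allow $1 systemd_machined_t:unix_stream_socket connectto;` is only half of a stream connect. The socket being connected to is /run/systemd/userdb/io.systemd.Machine, labelled systemd_userdb_runtime_t, so the caller also needs write on that sock_file and search on its directory, which is exactly the ground systemd_stream_connect_userdb() already covers; adding the connectto to that interface, as proposed in the reply, is the cleaner fit. If it is kept separate, the name should state what it grants (the systemd_stream_connect_* form used elsewhere in the module) and the interface needs the `## <summary>` / `<param name="domain">` doc comment block that refpolicy interfaces carry.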
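The design Dominick describes (a machined userdb stream-connect interface, called optionally from auth_use_nsswitch()), written out here in refpolicy m4 form as an added illustration; it is neither the patch under review nor refpolicy's or dssp3's own code. The interface name systemd_stream_connect_machined_userdb, and the assumption that the /run/systemd/userdb directory carries the same systemd_userdb_runtime_t label as the socket inside it, are mine; stream_connect_pattern and optional_policy are refpolicy's existing support macros.

```m4
########################################
## <summary>
##	Connect to the systemd-machined user/group record (userdb)
##	Varlink socket, /run/systemd/userdb/io.systemd.Machine, so
##	NSS lookups can resolve users synthesized for containers.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_stream_connect_machined_userdb',`
	gen_require(`
		type systemd_machined_t, systemd_userdb_runtime_t;
	')

	# stream_connect_pattern(domain, dir, sock_file, peer) grants
	# search on the directory, write on the sock_file and
	# unix_stream_socket connectto on the listening peer domain.
	# Assumption: the /run/systemd/userdb directory is labelled
	# systemd_userdb_runtime_t like the io.systemd.Machine socket.
	stream_connect_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t, systemd_machined_t)
')

# Caller side: added inside the body of auth_use_nsswitch() in
# authlogin.if, next to its other optional_policy blocks. The
# optional_policy wrapper keeps the policy building on systems
# without the systemd module (or without machined), which is
# why the thread proposes calling it optionally.
	optional_policy(`
		systemd_stream_connect_machined_userdb($1)
	')
```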