Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4439755pxb; Tue, 26 Jan 2021 23:47:53 -0800 (PST) X-Google-Smtp-Source: ABdhPJxcz++WgL2ZNAeubWKKJhhtJ4aiqMl2D9InzWN9XZbbASON6DyMylahjE/Zc4DDWy+dGTIp X-Received: by 2002:a17:906:1719:: with SMTP id c25mr6128043eje.251.1611733673219; Tue, 26 Jan 2021 23:47:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611733673; cv=none; d=google.com; s=arc-20160816; b=nCX4lF21S9ZqeGnBusTFKT2JePpRvr2Zl5ucFlENAQi0H0w9GvEStjoci+g19JYy7L BjONivVVyXUru4mG6JOrANdy+2kNYYj0Fiq4VEJoC01wWI4fcbM3o8wZrMejrYhCqILp L0Weicr77bmMdNwLtBzD9dGCxtAuknkUm9hRv47kDwMbkQlVBTRko/zqSzRscC5lRzlC 2F1Rbphxk12UgKunicA8GSXwmF9GnNG7pMSiCZH/hVf1A3OBykukVLkL3MjnYjIW/caQ lLA0ArMOu6oEPwPE6faJq/S3AsGvyq3/Il8rN+fjKmf203C4+eohYehOehGGBYT7Ecz8 Xg5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=FOAv9dXuorMturcKY6azxp76fyGB96ckxUVHzyC3UOI=; b=W2ikRXAWgB9zAPFG1SzcbSPi+Dwxe/9RpWtNBQAOAwN5MaZMqxl/lEWXx04MPGMG+2 qxrH/fzca1or00hYsxJx5+NCIQmOF9LghcNUabVp85HdBSZrjXKkc7kxsHHL19JuGBZ1 /IifBrh5TVgIa2l8UoIjHFuwEu/QIuZmoJgK3IkIDecys3JdzX0BcQr+rU62/KJpcx6n K8L+7s+U89oBuL5c6kNV56dcq3zbUpdhrx2zYh0OQ77cHEk2GQIqdn9ZSWsc1ZWHWc5R lymabHKZU1G2C//IRyH8RdZtD/rVOVpQAQ0BI2nczZZMKSv4capy4u/WaUWs9Eh6wfLh D/XQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=E8j1e5EI; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n2si548508ejl.444.2021.01.26.23.47.48; Tue, 26 Jan 2021 23:47:53 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=E8j1e5EI; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231200AbhA0FFN (ORCPT + 16 others); Wed, 27 Jan 2021 00:05:13 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:57216 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238111AbhA0EG2 (ORCPT ); Tue, 26 Jan 2021 23:06:28 -0500 Received: from liv.coker.com.au (unknown [103.75.204.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 07469F816; Wed, 27 Jan 2021 15:05:35 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1611720336; bh=FOAv9dXuorMturcKY6azxp76fyGB96ckxUVHzyC3UOI=; l=10795; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=E8j1e5EI0ERXnob80TokYr+idBXxIJYdPxOsn7aKmvFTggBCr3nThCkbwJx1w5b3k FXVr+JPju3Xmh2CWYV9ZZcUU/4gacHjvWFPfA1QGPQvmvW+6WaLynJyy9bsbCkyrx+ 4Yek6/JonQ4zKbuL7KyOuy1ErIA0w9ClNavoUm7E= From: Russell Coker To: Dominick Grift Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] misc kernel and system patches Date: Wed, 27 Jan 2021 15:05:31 +1100 Message-ID: <43567489.y7f9mAODUD@liv> In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Thursday, 21 January 2021 1:36:46 AM AEDT Dominick Grift wrote: > > Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if > > =================================================================== > > --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if > > +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if > > @@ -662,6 +662,7 @@ interface(`corecmd_read_all_executables' > > > > corecmd_search_bin($1) > > read_files_pattern($1, exec_type, exec_type) > > > > + allow $1 exec_type:file map; > > create a corecmd_map_read_all_executables() instead. This macro name is > "read_all_executables" if you extend it with this rule then you > effectively do several things: OK, I'll do that in another patch. > > +interface(`files_mounton_kernel_symbol_table',` > > + gen_require(` > > + type boot_t, system_map_t; > > + ') > > + > > + allow $1 boot_t:dir list_dir_perms; > > + allow $1 system_map_t:file mounton; > > mount != listing boot_t dirs (i know its semi-related but you might want > to mount on symbox table and not list boot_t and this will shut the door > on that) > > instead you should probably imply getattr here: > > allow $1 system_map_t:file { getattr mounton }; > > Would be even better to declare "mounton_file_perms" on a lower level > and use that > > define(`mounton_file_perms',`{ getattr mounton }') OK, that will be in the next version. > > +## Mount on the selinuxfs filesystem. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`selinux_mounton_fs',` > > + gen_require(` > > + type security_t; > > + ') > > + > > + allow $1 security_t:dir mounton; > > getattr should probably be implied here > > a mounton_dir_perms would be even better: > > define(`mounton_dir_perms',`{ getattr mounton }') OK. > > Index: refpolicy-2.20210120/policy/modules/kernel/terminal.te > > =================================================================== > > --- refpolicy-2.20210120.orig/policy/modules/kernel/terminal.te > > +++ refpolicy-2.20210120/policy/modules/kernel/terminal.te > > @@ -31,6 +31,9 @@ fs_associate_tmpfs(devpts_t) > > > > fs_xattr_type(devpts_t) > > fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); > > > > +# for systemd-nspawn > > +allow console_device_t devpts_t:filesystem associate; > > I am a fairly big user of systemd_nspawn and i have never ever > encountered this. only pty devices should ever associate with devpts_t > filesystems AFAIK OK, I'll remove that and investigate other solutions. > > +## Allow a domain to be transitioned to from init_t with nnp_transition > > +## > > +## > > +## > > +## Domain to transition > > +## > > +## > > +# > > +interface(`init_nnp_domain',` > > + gen_require(` > > + type init_t; > > + ') > > + > > + allow init_t $1:process2 nnp_transition; > > +') > > This is redundant. In systems with systemd (ifdef init_systemd) this access > is already allowed. OK, I'll remove it. > > +###################################### > > +## > > +## restart systemd units, for /run/systemd/transient/* > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`init_restart_units',` > > + gen_require(` > > + type init_var_run_t; > > + ') > > + > > + allow $1 init_var_run_t:service { start status stop }; > > +') > > i would probably create a private type for "runtime units" > but also in another patch you create another "restart_units" interface > and that has different permissions (probably best to associate > consistent permissions with interface names) > > not where "restart_units" means something different somewhere else I'll move this to another patch. > > Index: refpolicy-2.20210120/policy/modules/system/init.te > > =================================================================== > > --- refpolicy-2.20210120.orig/policy/modules/system/init.te > > +++ refpolicy-2.20210120/policy/modules/system/init.te > > @@ -239,7 +239,8 @@ ifdef(`init_systemd',` > > > > allow init_t self:unix_stream_socket { create_stream_socket_perms > > connectto }; allow init_t self:netlink_audit_socket { nlmsg_relay > > create_socket_perms }; allow init_t self:netlink_selinux_socket > > create_socket_perms; > > > > - allow init_t self:system { status reboot halt reload }; > > + # why does kernel 4.9 make it need start and stop while 4.19 does not? > > + allow init_t self:system { start stop status reboot halt reload > > > > }; > > I would remove the above change. might have been a bug in 4.9, no need > to support bugs besides kernel 4.9 is old. OK, I've removed that. > > @@ -1002,6 +1003,7 @@ ifdef(`enabled_mls',` > > > > ifdef(`init_systemd',` > > > > allow initrc_t init_t:system { start status reboot halt reload }; > > > > + allow init_t initrc_t:process2 nnp_transition; > > this is dedundant. Should already be allowed OK. > > Index: refpolicy-2.20210120/policy/modules/system/locallogin.te > > =================================================================== > > --- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te > > +++ refpolicy-2.20210120/policy/modules/system/locallogin.te > > @@ -125,7 +125,8 @@ auth_manage_pam_runtime_files(local_logi > > > > auth_manage_pam_console_data(local_login_t) > > auth_domtrans_pam_console(local_login_t) > > > > -init_dontaudit_use_fds(local_login_t) > > +# if local_login_t can not inherit fd from init it takes ages to login > > +init_use_fds(local_login_t) > > Yes i think youre right but i think this applies to all processes forked > by systemd. I believe that addressing rules associated with systemd > forked processes should probably be addressed on a lower level instead > > for example: > > init_domain is obviously systemd forked in a systemd system (init_domain > is allowed to use init fd via domtrans_pattern(init_t, $1, $2) in > init_domain(). > > Howver local_login is not a direct fork of systemd (its not an > init_daemon) and instead its a indirect forked process of systemd (it > gets executed by a init domain but not by init itself) > > I would create a type attribute "systemd_forked_type" and then associate > the forked related rules to that and then use that > > i think these (or somthing like it): > > allow $1 systemd_forked_type:fd use; > allow $1 systemd_forked_type:unix_stream_socket rw_socket_perms; > > These these can be removed: I'll move this to another patch and another discussion. > https://github.com/SELinuxProject/refpolicy/blob/ea6002ddf9c09a307dccc4bf662 > ff7efa2395572/policy/modules/system/init.if#L186 > https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/syst > em/init.if#L149 etc > > otherwise you end up with very decentralized policy which is hard to > maintain. > > +###################################### > > +## > > +## Allow lvm_t to use a semaphore > > +## > > +## > > +## > > +## Domain that created the semaphore > > +## > > +## > > +# > > +interface(`lvm_use_sem',` > > + gen_require(` > > + type lvm_t; > > + ') > > + > > + allow lvm_t $1:sem all_sem_perms; > > Thats not allowed like this generally OK, I'll do it differently. > > @@ -99,6 +99,7 @@ fs_getattr_xattr_fs(kmod_t) > > > > fs_dontaudit_use_tmpfs_chr_dev(kmod_t) > > fs_search_tracefs(kmod_t) > > > > +init_nnp_domain(kmod_t) > > shouldnt be needed : kmod is a init_system_domain which is a > init_domain, and systemd can already nnp transition to all init_domain > if ifdef init_systemd is set OK, I'll test that out. > > +term_use_unallocated_ttys(systemd_passwd_agent_t) > > > > auth_use_nsswitch(systemd_passwd_agent_t) > > > > @@ -1100,6 +1133,8 @@ logging_send_syslog_msg(systemd_pstore_t > > > > allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create > > getattr read setopt };> > > +allow systemd_rfkill_t self:netlink_kobject_uevent_socket > > client_stream_socket_perms; > thats not a stream socket, do this instead: > > - allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create > getattr read setopt }; + allow systemd_rfkill_t > self:netlink_kobject_uevent_socket create_socket_perms; OK. > > @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal > > > > allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; > > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; > > > > +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink; > > questionable Why? > > Index: refpolicy-2.20210120/policy/modules/system/unconfined.te > > =================================================================== > > --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.te > > +++ refpolicy-2.20210120/policy/modules/system/unconfined.te > > @@ -83,6 +83,10 @@ optional_policy(` > > > > ') > > > > optional_policy(` > > > > + certbot_run(unconfined_t, unconfined_r) > > unconfined should be unconfined. certbot needs execmem, we generally don't want to give that to unconfined, so running certbot in a different domain seems better. > > optional_policy(` > > > > lvm_run(unconfined_t, unconfined_r) > > > > + lvm_use_sem(unconfined_t) > > that lvm_use_sem should probably just be part of lvm_run() > > ie "allow $1 lvm_t:semd rw_sem_perms;" OK, I'll do that. > But in my personal view unconfined_t shouldnt run lvm with a domain > transition in the first place (defeats the purpose of the unconfined domain) I think the problem is the type transition rules. Run lvm etc as unconfined_t and then lvm run from init etc won't be able to access it's temporary files etc. > > Index: refpolicy-2.20210120/policy/modules/system/userdomain.if > > =================================================================== > > --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if > > +++ refpolicy-2.20210120/policy/modules/system/userdomain.if > > @@ -2167,6 +2167,8 @@ interface(`userdom_read_user_home_conten > > > > ') > > > > read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) > > > > + allow $1 user_home_t:file map; > > read != map > and file != lnk_file > > by generalizing interfaces you shut doors for fine grained access control OK, I'll remove that. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/