Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp15725pxb; Wed, 27 Jan 2021 00:23:17 -0800 (PST) X-Google-Smtp-Source: ABdhPJxpnEIUgKr14LZmzrUwxWuz2IyUnHGS+wTx7TSYf8ohtEzQaJI/wfq5gDiUSw3722iwbHah X-Received: by 2002:a05:6402:1398:: with SMTP id b24mr7561133edv.108.1611735797079; Wed, 27 Jan 2021 00:23:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611735797; cv=none; d=google.com; s=arc-20160816; b=EyCLZcRA5kSeGtcIu83MzruQTTEySIHykFJVfdSQk9c54WyMG5R0Zw0vNpS3oN3elF XRAIR1LncX3WaVDst65Ld4MJNF7K8KpDukSChbeSeHzOZveCNhNHgqy7IVKh/4FlcWh9 ENDVEAevXarfkz1EBWsHTvtN2mXt2B6EVHWAq8YTCEjtPptaVrTcI6M3yR+lScCEAnQr iXBqL+5PkpOFl1C5gD+FcvrUCD6POyReiJPr4Ywz6TEdM9rDAth5efTpxgMBT2nzgH1r xUqHNjyLzYL/x2W1nvbPI+sgeG/1gXY9F2on7a1VzlaOL8MrcEm0HV4wQoWgbtNogDZX GZig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dkim-signature:dkim-filter; bh=ZmqUn9E4NmuTHLrJeaZHRbMVmkVyQKyGMKwY+yH2CKQ=; b=t1/VD/Hl1wnxVTG70oQpoVXbspo4mnQ17m/Vp8rRt4DKbA00CbgXHOzhxnKA8U9rzU svveL5QsnJPOknE+XP2wwP20h0TN6TmVhs2XVBV8T9zGiAyMmLPg9+7Oi/dAjEZhpvA5 vIRAJDIbsH1xDfSPXfAu3vHKOt68zC3ar8aq9Dd59GUvPRSlu7gg9ivrWPqcF6H8K0KX 62Z4wuHUfQFWcPqV0P6h3EqaasYdV1LCqbh9/AQQ1zrqQXqho4rkuLi63CuyOgIvhbNc heAsECHfxtHbkIRi77AAlQvs22hZkTDXxtzBsntFHjAxIQCd1RJIzI0VvitEd4+VjkdF Cecw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=iGGIBifv; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q14si647378edw.313.2021.01.27.00.23.11; Wed, 27 Jan 2021 00:23:17 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=iGGIBifv; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231417AbhA0GPB (ORCPT + 16 others); Wed, 27 Jan 2021 01:15:01 -0500 Received: from agnus.defensec.nl ([80.100.19.56]:43266 "EHLO agnus.defensec.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235284AbhA0GEB (ORCPT ); Wed, 27 Jan 2021 01:04:01 -0500 Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id F242C2A06F9; Wed, 27 Jan 2021 07:03:09 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl F242C2A06F9 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1611727392; bh=ZmqUn9E4NmuTHLrJeaZHRbMVmkVyQKyGMKwY+yH2CKQ=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=iGGIBifv+DuFDSa13LcUW2yydEq3FV3T27oo7hm/f1v0ayFYMgbcrAweu39pK6DOz 02hveEp78eS/ChgBMjj8VJVOD8fXnzU3+cZUsmPZhooaiqQtNApcQZStqQbyBd8V67 /Z1Yb9J/RQyAyck4yLGHCHvf+AlJTrncOJNVIUW4= From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] misc kernel and system patches References: <43567489.y7f9mAODUD@liv> Date: Wed, 27 Jan 2021 07:03:06 +0100 In-Reply-To: <43567489.y7f9mAODUD@liv> (Russell Coker's message of "Wed, 27 Jan 2021 15:05:31 +1100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Russell Coker writes: > On Thursday, 21 January 2021 1:36:46 AM AEDT Dominick Grift wrote: >> > Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if >> > =================================================================== >> > --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if >> > +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if >> > @@ -662,6 +662,7 @@ interface(`corecmd_read_all_executables' >> > >> > corecmd_search_bin($1) >> > read_files_pattern($1, exec_type, exec_type) >> > >> > + allow $1 exec_type:file map; >> >> create a corecmd_map_read_all_executables() instead. This macro name is >> "read_all_executables" if you extend it with this rule then you >> effectively do several things: > > OK, I'll do that in another patch. > >> > +interface(`files_mounton_kernel_symbol_table',` >> > + gen_require(` >> > + type boot_t, system_map_t; >> > + ') >> > + >> > + allow $1 boot_t:dir list_dir_perms; >> > + allow $1 system_map_t:file mounton; >> >> mount != listing boot_t dirs (i know its semi-related but you might want >> to mount on symbox table and not list boot_t and this will shut the door >> on that) >> >> instead you should probably imply getattr here: >> >> allow $1 system_map_t:file { getattr mounton }; >> >> Would be even better to declare "mounton_file_perms" on a lower level >> and use that >> >> define(`mounton_file_perms',`{ getattr mounton }') > > OK, that will be in the next version. > >> > +## Mount on the selinuxfs filesystem. >> > +## >> > +## >> > +## >> > +## Domain allowed access. >> > +## >> > +## >> > +# >> > +interface(`selinux_mounton_fs',` >> > + gen_require(` >> > + type security_t; >> > + ') >> > + >> > + allow $1 security_t:dir mounton; >> >> getattr should probably be implied here >> >> a mounton_dir_perms would be even better: >> >> define(`mounton_dir_perms',`{ getattr mounton }') > > OK. > >> > Index: refpolicy-2.20210120/policy/modules/kernel/terminal.te >> > =================================================================== >> > --- refpolicy-2.20210120.orig/policy/modules/kernel/terminal.te >> > +++ refpolicy-2.20210120/policy/modules/kernel/terminal.te >> > @@ -31,6 +31,9 @@ fs_associate_tmpfs(devpts_t) >> > >> > fs_xattr_type(devpts_t) >> > fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); >> > >> > +# for systemd-nspawn >> > +allow console_device_t devpts_t:filesystem associate; >> >> I am a fairly big user of systemd_nspawn and i have never ever >> encountered this. only pty devices should ever associate with devpts_t >> filesystems AFAIK > > OK, I'll remove that and investigate other solutions. > >> > +## Allow a domain to be transitioned to from init_t with nnp_transition >> > +## >> > +## >> > +## >> > +## Domain to transition >> > +## >> > +## >> > +# >> > +interface(`init_nnp_domain',` >> > + gen_require(` >> > + type init_t; >> > + ') >> > + >> > + allow init_t $1:process2 nnp_transition; >> > +') >> >> This is redundant. In systems with systemd (ifdef init_systemd) this access >> is already allowed. > > OK, I'll remove it. > >> > +###################################### >> > +## >> > +## restart systemd units, for /run/systemd/transient/* >> > +## >> > +## >> > +## >> > +## Domain allowed access. >> > +## >> > +## >> > +# >> > +interface(`init_restart_units',` >> > + gen_require(` >> > + type init_var_run_t; >> > + ') >> > + >> > + allow $1 init_var_run_t:service { start status stop }; >> > +') >> >> i would probably create a private type for "runtime units" >> but also in another patch you create another "restart_units" interface >> and that has different permissions (probably best to associate >> consistent permissions with interface names) >> >> not where "restart_units" means something different somewhere else > > I'll move this to another patch. > >> > Index: refpolicy-2.20210120/policy/modules/system/init.te >> > =================================================================== >> > --- refpolicy-2.20210120.orig/policy/modules/system/init.te >> > +++ refpolicy-2.20210120/policy/modules/system/init.te >> > @@ -239,7 +239,8 @@ ifdef(`init_systemd',` >> > >> > allow init_t self:unix_stream_socket { create_stream_socket_perms >> > connectto }; allow init_t self:netlink_audit_socket { nlmsg_relay >> > create_socket_perms }; allow init_t self:netlink_selinux_socket >> > create_socket_perms; >> > >> > - allow init_t self:system { status reboot halt reload }; >> > + # why does kernel 4.9 make it need start and stop while 4.19 does not? >> > + allow init_t self:system { start stop status reboot halt reload >> > >> > }; >> >> I would remove the above change. might have been a bug in 4.9, no need >> to support bugs besides kernel 4.9 is old. > > OK, I've removed that. > >> > @@ -1002,6 +1003,7 @@ ifdef(`enabled_mls',` >> > >> > ifdef(`init_systemd',` >> > >> > allow initrc_t init_t:system { start status reboot halt reload }; >> > >> > + allow init_t initrc_t:process2 nnp_transition; >> >> this is dedundant. Should already be allowed > > OK. > >> > Index: refpolicy-2.20210120/policy/modules/system/locallogin.te >> > =================================================================== >> > --- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te >> > +++ refpolicy-2.20210120/policy/modules/system/locallogin.te >> > @@ -125,7 +125,8 @@ auth_manage_pam_runtime_files(local_logi >> > >> > auth_manage_pam_console_data(local_login_t) >> > auth_domtrans_pam_console(local_login_t) >> > >> > -init_dontaudit_use_fds(local_login_t) >> > +# if local_login_t can not inherit fd from init it takes ages to login >> > +init_use_fds(local_login_t) >> >> Yes i think youre right but i think this applies to all processes forked >> by systemd. I believe that addressing rules associated with systemd >> forked processes should probably be addressed on a lower level instead >> >> for example: >> >> init_domain is obviously systemd forked in a systemd system (init_domain >> is allowed to use init fd via domtrans_pattern(init_t, $1, $2) in >> init_domain(). >> >> Howver local_login is not a direct fork of systemd (its not an >> init_daemon) and instead its a indirect forked process of systemd (it >> gets executed by a init domain but not by init itself) >> >> I would create a type attribute "systemd_forked_type" and then associate >> the forked related rules to that and then use that >> >> i think these (or somthing like it): >> >> allow $1 systemd_forked_type:fd use; >> allow $1 systemd_forked_type:unix_stream_socket rw_socket_perms; >> >> These these can be removed: > > I'll move this to another patch and another discussion. > >> https://github.com/SELinuxProject/refpolicy/blob/ea6002ddf9c09a307dccc4bf662 >> ff7efa2395572/policy/modules/system/init.if#L186 >> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/syst >> em/init.if#L149 etc >> >> otherwise you end up with very decentralized policy which is hard to >> maintain. > >> > +###################################### >> > +## >> > +## Allow lvm_t to use a semaphore >> > +## >> > +## >> > +## >> > +## Domain that created the semaphore >> > +## >> > +## >> > +# >> > +interface(`lvm_use_sem',` >> > + gen_require(` >> > + type lvm_t; >> > + ') >> > + >> > + allow lvm_t $1:sem all_sem_perms; >> >> Thats not allowed like this generally > > OK, I'll do it differently. > >> > @@ -99,6 +99,7 @@ fs_getattr_xattr_fs(kmod_t) >> > >> > fs_dontaudit_use_tmpfs_chr_dev(kmod_t) >> > fs_search_tracefs(kmod_t) >> > >> > +init_nnp_domain(kmod_t) >> >> shouldnt be needed : kmod is a init_system_domain which is a >> init_domain, and systemd can already nnp transition to all init_domain >> if ifdef init_systemd is set > > OK, I'll test that out. > >> > +term_use_unallocated_ttys(systemd_passwd_agent_t) >> > >> > auth_use_nsswitch(systemd_passwd_agent_t) >> > >> > @@ -1100,6 +1133,8 @@ logging_send_syslog_msg(systemd_pstore_t >> > >> > allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create >> > getattr read setopt };> >> > +allow systemd_rfkill_t self:netlink_kobject_uevent_socket >> > client_stream_socket_perms; >> thats not a stream socket, do this instead: >> >> - allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create >> getattr read setopt }; + allow systemd_rfkill_t >> self:netlink_kobject_uevent_socket create_socket_perms; > > OK. > >> > @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal >> > >> > allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; >> > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; >> > >> > +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink; >> >> questionable > > Why? > Not sure yet. other than that is looks incomplete and that i am wondering why one would be bothering with this. Can you tell me a bit more about this event? >> > Index: refpolicy-2.20210120/policy/modules/system/unconfined.te >> > =================================================================== >> > --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.te >> > +++ refpolicy-2.20210120/policy/modules/system/unconfined.te >> > @@ -83,6 +83,10 @@ optional_policy(` >> > >> > ') >> > >> > optional_policy(` >> > >> > + certbot_run(unconfined_t, unconfined_r) >> >> unconfined should be unconfined. > > certbot needs execmem, we generally don't want to give that to unconfined, so > running certbot in a different domain seems better. Those day's are long gone. Nowaday's even `grep` does execmem. > >> > optional_policy(` >> > >> > lvm_run(unconfined_t, unconfined_r) >> > >> > + lvm_use_sem(unconfined_t) >> >> that lvm_use_sem should probably just be part of lvm_run() >> >> ie "allow $1 lvm_t:semd rw_sem_perms;" > > OK, I'll do that. > >> But in my personal view unconfined_t shouldnt run lvm with a domain >> transition in the first place (defeats the purpose of the unconfined domain) > > I think the problem is the type transition rules. Run lvm etc as unconfined_t > and then lvm run from init etc won't be able to access it's temporary files > etc. > why would lvm run for init have any busyness with temporary files? Seems unlikely to me and nowaday's we have a lot more flexibility with type-trans rules. But yes, its a bit late in the game now to change this. It breaks the model though IMHO. >> > Index: refpolicy-2.20210120/policy/modules/system/userdomain.if >> > =================================================================== >> > --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if >> > +++ refpolicy-2.20210120/policy/modules/system/userdomain.if >> > @@ -2167,6 +2167,8 @@ interface(`userdom_read_user_home_conten >> > >> > ') >> > >> > read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) >> > >> > + allow $1 user_home_t:file map; >> >> read != map >> and file != lnk_file >> >> by generalizing interfaces you shut doors for fine grained access control > > OK, I'll remove that. -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift