Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp367066pxb; Tue, 2 Feb 2021 07:14:26 -0800 (PST) X-Google-Smtp-Source: ABdhPJyABvL+gzDPzr5VS45Axj9isaHcZvbiN4IAl+NdBzuNpJCgXpziJdLZDseMSHs4Ol5Iy8Bo X-Received: by 2002:aa7:dbd4:: with SMTP id v20mr2226000edt.330.1612278865727; Tue, 02 Feb 2021 07:14:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612278865; cv=none; d=google.com; s=arc-20160816; b=n/V9np+ZXgeaolKWCbud6pVe8HR9+0+zFzmjfkSavEy/V2J0phqfqilWWQkrpBFZRr uPHgDtxsYZY1HGOPqa/YEzZGghNTGj0LEor5Gu/GKChfGavCooEb19t+qhjKu4sqHhmk b/GJOB7Q0CNJUg2rmzdrfX9wi56L9ddt9A/0VkpOwlalrLJkA+AokT0ANCTM3ugvABW0 oV/ODIpgKnw3P++M79pJvFf+S9QcjjXRg/4UItFJW0ZFeE1s4jlE1e8WKoAgOS6/RPuc BhZX1W3RO6ihhdbUFv0WBrCmkzTQkKYtPSmciOz7Rw521BunvnyaJzcZ5m7tFXJ2xzFN TFXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=2FIRDtnjMuT1br8hz0gIohb3RFd9cmjIXNI6JbH1/P0=; b=1ACT7NSLrWJ2Aqq9dPJXel4uSOUD2ShMQDAnk4Hopt+rs7GROxgF5TQkUXgSIOmw7D VqkweX4X5MhcN6i2yFKPcqw6u3T8bCX1nF2JcJ3Cw0n5Skvco7tbfU7T//tBqEFh0Dwv M5ora9S55AYYKlrtAV/Kclgl7KjPnNqx0rfrAw+eCMVVGPKAyfXcJyvH1t9se8mEVaVk v9BGM3alrvE6AAFR9F9Aj1Xx51Tc5HgmkOHYnZoPGTloYR/+Setfp+6CqslxMOeg+Ax0 kFDHo9mkqLJWFA9vk1xQs/Rx7RdG8XPEChVswvAsGnCseSfEjWGG5okKiAYCPaoWWeom GYWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b="shS/IS16"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[23.128.96.18]) by mx.google.com with ESMTP id g5si437290ejw.275.2021.02.02.07.14.20; Tue, 02 Feb 2021 07:14:25 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b="shS/IS16"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233024AbhBBPKK (ORCPT + 16 others); Tue, 2 Feb 2021 10:10:10 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:45964 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231362AbhBBPIG (ORCPT ); Tue, 2 Feb 2021 10:08:06 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id E5E16F304 for ; Wed, 3 Feb 2021 02:07:16 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1612278437; bh=2FIRDtnjMuT1br8hz0gIohb3RFd9cmjIXNI6JbH1/P0=; l=8327; h=Date:From:To:Subject:From; b=shS/IS16KJABPG557Xz2VZaQ/rszGOXfY2c6FposvV6ghsYMXYvYW/V9K/V5KvcDh yz47OU9Qf1ol/R9sSTkAUTg2Uee5oLdeU9TVA39VaHz/rtvrIiMVv9wb2/Ur8nGzSA 7eVxHqR++IoFwCkTymv9EzQ2qyYFj+aApZbOsBzo= Received: by xev.coker.com.au (Postfix, from userid 1001) id 7B2691353618; Wed, 3 Feb 2021 02:07:12 +1100 (AEDT) Date: Wed, 3 Feb 2021 02:07:12 +1100 
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] machined Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch is for systemd-machined. Some of it will probably need discussion but some is obviously good, so Chris maybe you could take the bits you like for this release? Signed-off-by: Russell Coker Index: refpolicy-2.20210203/policy/modules/services/ssh.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/services/ssh.te +++ refpolicy-2.20210203/policy/modules/services/ssh.te @@ -265,9 +265,10 @@ ifdef(`distro_debian',` ') ifdef(`init_systemd',` + auth_use_pam_systemd(sshd_t) init_dbus_chat(sshd_t) - systemd_dbus_chat_logind(sshd_t) init_rw_stream_sockets(sshd_t) + systemd_write_inherited_logind_sessions_pipes(sshd_t) ') tunable_policy(`ssh_sysadm_login',` @@ -310,11 +311,6 @@ optional_policy(` ') optional_policy(` - systemd_write_inherited_logind_sessions_pipes(sshd_t) - systemd_dbus_chat_logind(sshd_t) -') - -optional_policy(` xserver_domtrans_xauth(sshd_t) xserver_link_xdm_keys(sshd_t) ') Index: refpolicy-2.20210203/policy/modules/system/authlogin.if =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/authlogin.if +++ refpolicy-2.20210203/policy/modules/system/authlogin.if @@ -91,6 +91,7 @@ interface(`auth_use_pam',` # interface(`auth_use_pam_systemd',` dbus_system_bus_client($1) + systemd_connect_machined($1) systemd_dbus_chat_logind($1) ') Index: refpolicy-2.20210203/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te +++ refpolicy-2.20210203/policy/modules/system/systemd.te 
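Review bot: The `systemd_connect_machined($1)` line added to `auth_use_pam_systemd` widens the grant well beyond the two callers this patch touches: every domain that uses the interface gains connectto on systemd_machined_t's stream sockets, whether or not it ever talks to machined. The purpose is not stated in the hunk; a why-comment matching the one used in systemd.te, `# for /run/systemd/userdb/io.systemd.Machine`, would let later readers judge whether that breadth is intended. If only login-type domains need it, placing the call in ssh.te and locallogin.te next to `systemd_dbus_chat_logind` would be the narrower option.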
@@ -151,6 +151,9 @@ type systemd_machined_runtime_t alias sy files_runtime_file(systemd_machined_runtime_t) init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines") +type systemd_machined_devpts_t; +term_login_pty(systemd_machined_devpts_t) + type systemd_modules_load_t; type systemd_modules_load_exec_t; init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t) @@ -562,6 +565,9 @@ allow systemd_logind_t self:fifo_file rw allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms; init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) +# for /run/systemd/userdb/io.systemd.Machine +allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto; + manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t) manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t) allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms; @@ -737,6 +743,8 @@ allow systemd_machined_t systemd_machine kernel_read_kernel_sysctls(systemd_machined_t) kernel_read_system_state(systemd_machined_t) +dev_getattr_fs(systemd_machined_t) + files_read_etc_files(systemd_machined_t) fs_getattr_cgroup(systemd_machined_t) @@ -760,6 +768,10 @@ logging_send_syslog_msg(systemd_machined seutil_search_default_contexts(systemd_machined_t) +term_create_pty(systemd_machined_t, systemd_machined_devpts_t) +allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms; +term_getattr_pty_fs(systemd_machined_t) + optional_policy(` init_dbus_chat(systemd_machined_t) init_dbus_send_script(systemd_machined_t) Index: refpolicy-2.20210203/policy/modules/system/systemd.if =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/systemd.if +++ refpolicy-2.20210203/policy/modules/system/systemd.if 
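Review bot: `dev_getattr_fs(systemd_machined_t)` is added with no comment, unlike the logind rule in the @@ -562 hunk of the same file, so the reason machined needs statfs on the device filesystem is not recorded. A line such as `# getattr on /dev, presumably during pty setup — confirm against the denial` would keep the file's why-comment convention; the triggering access is not visible from here.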
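Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` in the @@ -760 hunk grants create, unlink, link, rename and setattr on the pty slave, which is more than a devpts node can meaningfully use and more than the "machinectl shell" path needs; a least-privilege rule should name only the permissions actually observed. If the denials were for read/write and setattr, `allow systemd_machined_t systemd_machined_devpts_t:chr_file { rw_chr_file_perms setattr };` would cover them, though the exact set needs confirming against the audit log, which is not shown. If `term_create_pty` already includes the devpts filesystem getattr, the separate `term_getattr_pty_fs(systemd_machined_t)` line is redundant.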
@@ -19,12 +19,18 @@ ## The user domain for the role. ## ## +## +## +## The type for the user pty +## +## # template(`systemd_role_template',` gen_require(` attribute systemd_user_session_type, systemd_log_parse_env_type; type systemd_user_runtime_t, systemd_user_runtime_notify_t; - type systemd_run_exec_t, systemd_analyze_exec_t; + type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t; + type systemd_machined_t; ') ################################# @@ -56,9 +62,20 @@ template(`systemd_role_template',` allow $1_systemd_t $3:process { setsched rlimitinh }; corecmd_shell_domtrans($1_systemd_t, $3) corecmd_bin_domtrans($1_systemd_t, $3) + corecmd_shell_entry_type($1_systemd_t) + allow $1_systemd_t self:process signal; + + files_search_home($1_systemd_t) # Allow using file descriptors for user environment generators allow $3 $1_systemd_t:fd use; + allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms; + + # for "machinectl shell" + allow $1_systemd_t systemd_machined_t:fd use; + allow $3 systemd_machined_t:fd use; + allow $3 systemd_machined_t:dbus send_msg; + allow systemd_machined_t $3:dbus send_msg; # systemctl --user stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t) @@ -66,6 +83,14 @@ template(`systemd_role_template',` can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t }) dbus_system_bus_client($1_systemd_t) + + selinux_use_status_page($1_systemd_t) + seutil_read_file_contexts($1_systemd_t) + seutil_search_default_contexts($1_systemd_t) + + # for machinectl shell + term_user_pty($1_systemd_t, user_devpts_t) + allow $1_systemd_t user_devpts_t:chr_file rw_file_perms; ') ###################################### 
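Review bot: The parameter description added to the `systemd_role_template` header, `The type for the user pty`, does not match the template body: no `$4` is introduced, and the pty type is hard-wired through `gen_require` on `user_devpts_t` here and in the @@ -66 hunk (`term_user_pty($1_systemd_t, user_devpts_t)`). Either wire the parameter, `term_user_pty($1_systemd_t, $4)` with a matching `allow $1_systemd_t $4:chr_file ...`, or drop the description so the documentation stays truthful. Passing the type would also avoid systemd.if depending directly on a userdomain type, if that is what the author intended. The `allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;` line uses a file permission set on a chr_file; if `term_user_pty` already grants read/write on the pty it may be redundant, and `rw_chr_file_perms` is the matching set otherwise.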
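Review bot: The `allow $1_systemd_t systemd_machined_t:fd use;` and `allow $3 systemd_machined_t:fd use;` lines under `# for "machinectl shell"` in the @@ -56 hunk duplicate the fd half of the `systemd_use_machined_devpts` interface this same patch introduces; calling `systemd_use_machined_devpts($3)` here would keep the rule in one place, provided $3 is also meant to read and write the machined pty, which the hunk does not show. The three lines `corecmd_shell_entry_type($1_systemd_t)`, `allow $1_systemd_t self:process signal;` and `files_search_home($1_systemd_t)` carry no explanation, and the new `selinux_use_status_page`/`seutil_*` grants in the @@ -66 hunk likewise; a short comment naming what triggered each would help the next reader decide whether they still belong.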
@@ -489,6 +514,24 @@ interface(`systemd_read_machines',` ######################################## ## +## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket +## +## +## +## Domain that can access the socket +## +## +# +interface(`systemd_connect_machined',` + gen_require(` + type systemd_machined_t; + ') + + allow $1 systemd_machined_t:unix_stream_socket connectto; +') + +######################################## +## ## Send and receive messages from ## systemd hostnamed over dbus. ## @@ -1300,3 +1343,23 @@ interface(`systemd_run_sysusers', ` systemd_domtrans_sysusers($1) roleattribute $2 systemd_sysusers_roles; ') + +######################################## +## +## receive and use a systemd_machined_devpts_t file handle +## +## +## +## Domain allowed access. +## +## +## +# +interface(`systemd_use_machined_devpts', ` + gen_require(` + type systemd_machined_t, systemd_machined_devpts_t; + ') + + allow $1 systemd_machined_t:fd use; + allow $1 systemd_machined_devpts_t:chr_file { read write }; +') Index: refpolicy-2.20210203/policy/modules/system/locallogin.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/locallogin.te +++ refpolicy-2.20210203/policy/modules/system/locallogin.te @@ -142,6 +142,7 @@ ifdef(`init_systemd',` auth_manage_faillog(local_login_t) init_dbus_chat(local_login_t) + systemd_connect_machined(local_login_t) systemd_dbus_chat_logind(local_login_t) systemd_use_logind_fds(local_login_t) systemd_manage_logind_runtime_pipes(local_login_t) Index: refpolicy-2.20210203/policy/modules/services/dbus.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/services/dbus.te +++ refpolicy-2.20210203/policy/modules/services/dbus.te 
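Review bot: `systemd_connect_machined` grants only `unix_stream_socket connectto` on systemd_machined_t, but reaching `/run/systemd/userdb/io.systemd.Machine` also needs search on the directory and write on the sock_file, so callers that do not already hold those will still be denied. The usual refpolicy shape is `stream_connect_pattern($1, <SOCK_FILE_TYPE>, <SOCK_FILE_TYPE>, systemd_machined_t)` with the type that labels that socket file (a placeholder here, since the label is not shown in the patch), or a sentence in the interface summary stating that the caller is expected to have the file access already. Which applies depends on how `/run/systemd/userdb` is labelled, which this patch does not show.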
@@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbus seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) +# for machinectl shell +term_use_ptmx(system_dbusd_t) + userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) # read a file in ~/.local/share @@ -184,6 +187,9 @@ optional_policy(` systemd_read_logind_runtime_files(system_dbusd_t) systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t) systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + + # for passing around terminal file handles for machinectl shell + systemd_use_machined_devpts(system_dbusd_t) ') optional_policy(`
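Review bot: `term_use_ptmx(system_dbusd_t)` is placed in the unconditional part of dbus.te, while the matching `systemd_use_machined_devpts(system_dbusd_t)` in the @@ -184 hunk sits inside the systemd `optional_policy` block; both exist only for fd relaying during `machinectl shell`, so keeping them together in that block scopes the ptmx read/write to builds that carry systemd. The comment `# for machinectl shell` would read better stating the mechanism, e.g. `# relays the pty master fd that machined returns over the bus for machinectl shell`, hedged, as the fd flow is inferred from the interface names rather than shown here.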