Subject: Re: [PATCH] machined
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Date: Tue, 2 Feb 2021 14:03:27 -0500
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/2/21 10:07 AM, Russell Coker wrote:
> This patch is for systemd-machined. Some of it will probably need
> discussion but some is obviously good, so Chris maybe you could take
> the bits you like for this release?
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20210203/policy/modules/services/ssh.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/services/ssh.te > +++ refpolicy-2.20210203/policy/modules/services/ssh.te
> @@ -265,9 +265,10 @@ ifdef(`distro_debian',` > ') > > ifdef(`init_systemd',` > + auth_use_pam_systemd(sshd_t) > init_dbus_chat(sshd_t) > - systemd_dbus_chat_logind(sshd_t) > init_rw_stream_sockets(sshd_t) > + systemd_write_inherited_logind_sessions_pipes(sshd_t) > ') > > tunable_policy(`ssh_sysadm_login',` > @@ -310,11 +311,6 @@ optional_policy(` > ') > > optional_policy(` > - systemd_write_inherited_logind_sessions_pipes(sshd_t) > - systemd_dbus_chat_logind(sshd_t) > -') > - > -optional_policy(` > xserver_domtrans_xauth(sshd_t) > xserver_link_xdm_keys(sshd_t) > ') > Index: refpolicy-2.20210203/policy/modules/system/authlogin.if > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/system/authlogin.if > +++ refpolicy-2.20210203/policy/modules/system/authlogin.if > @@ -91,6 +91,7 @@ interface(`auth_use_pam',` > # > interface(`auth_use_pam_systemd',` > dbus_system_bus_client($1) > + systemd_connect_machined($1) > systemd_dbus_chat_logind($1) > ') > > Index: refpolicy-2.20210203/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20210203/policy/modules/system/systemd.te > @@ -151,6 +151,9 @@ type systemd_machined_runtime_t alias sy > files_runtime_file(systemd_machined_runtime_t) > init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines") > > +type systemd_machined_devpts_t; > +term_login_pty(systemd_machined_devpts_t) > + > type systemd_modules_load_t; > type systemd_modules_load_exec_t; > init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t) 
> @@ -562,6 +565,9 @@ allow systemd_logind_t self:fifo_file rw > allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms; > init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) > > +# for /run/systemd/userdb/io.systemd.Machine > +allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto; > + > manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t) > manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t) > allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms; > @@ -737,6 +743,8 @@ allow systemd_machined_t systemd_machine > kernel_read_kernel_sysctls(systemd_machined_t) > kernel_read_system_state(systemd_machined_t) > > +dev_getattr_fs(systemd_machined_t) > + > files_read_etc_files(systemd_machined_t) > > fs_getattr_cgroup(systemd_machined_t) > @@ -760,6 +768,10 @@ logging_send_syslog_msg(systemd_machined > > seutil_search_default_contexts(systemd_machined_t) > > +term_create_pty(systemd_machined_t, systemd_machined_devpts_t) > +allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms; > +term_getattr_pty_fs(systemd_machined_t) > + > optional_policy(` > init_dbus_chat(systemd_machined_t) > init_dbus_send_script(systemd_machined_t) > Index: refpolicy-2.20210203/policy/modules/system/systemd.if > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/system/systemd.if > +++ refpolicy-2.20210203/policy/modules/system/systemd.if 
> @@ -19,12 +19,18 @@ > ## The user domain for the role. > ## > ## > +## > +## > +## The type for the user pty > +## > +## > # > template(`systemd_role_template',` > gen_require(` > attribute systemd_user_session_type, systemd_log_parse_env_type; > type systemd_user_runtime_t, systemd_user_runtime_notify_t; > - type systemd_run_exec_t, systemd_analyze_exec_t; > + type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t; > + type systemd_machined_t; > ') > > ################################# > @@ -56,9 +62,20 @@ template(`systemd_role_template',` > allow $1_systemd_t $3:process { setsched rlimitinh }; > corecmd_shell_domtrans($1_systemd_t, $3) > corecmd_bin_domtrans($1_systemd_t, $3) > + corecmd_shell_entry_type($1_systemd_t) > + allow $1_systemd_t self:process signal; > + > + files_search_home($1_systemd_t) > > # Allow using file descriptors for user environment generators > allow $3 $1_systemd_t:fd use; > + allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms; > + > + # for "machinectl shell" > + allow $1_systemd_t systemd_machined_t:fd use; > + allow $3 systemd_machined_t:fd use; > + allow $3 systemd_machined_t:dbus send_msg; > + allow systemd_machined_t $3:dbus send_msg; I merged most of this except for this machinectl shell part. > # systemctl --user > stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t) > @@ -66,6 +83,14 @@ template(`systemd_role_template',` > can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t }) > > dbus_system_bus_client($1_systemd_t) > + > + selinux_use_status_page($1_systemd_t) > + seutil_read_file_contexts($1_systemd_t) > + seutil_search_default_contexts($1_systemd_t) > + > + # for machinectl shell > + term_user_pty($1_systemd_t, user_devpts_t) > + allow $1_systemd_t user_devpts_t:chr_file rw_file_perms; > ') > > ###################################### 
> @@ -489,6 +514,24 @@ interface(`systemd_read_machines',` > > ######################################## > ## > +## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket > +## > +## > +## > +## Domain that can access the socket > +## > +## > +# > +interface(`systemd_connect_machined',` > + gen_require(` > + type systemd_machined_t; > + ') > + > + allow $1 systemd_machined_t:unix_stream_socket connectto; > +') > + > +######################################## > +## > ## Send and receive messages from > ## systemd hostnamed over dbus. > ## > @@ -1300,3 +1343,23 @@ interface(`systemd_run_sysusers', ` > systemd_domtrans_sysusers($1) > roleattribute $2 systemd_sysusers_roles; > ') > + > +######################################## > +## > +## receive and use a systemd_machined_devpts_t file handle > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`systemd_use_machined_devpts', ` > + gen_require(` > + type systemd_machined_t, systemd_machined_devpts_t; > + ') > + > + allow $1 systemd_machined_t:fd use; > + allow $1 systemd_machined_devpts_t:chr_file { read write }; > +') > Index: refpolicy-2.20210203/policy/modules/system/locallogin.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/system/locallogin.te > +++ refpolicy-2.20210203/policy/modules/system/locallogin.te > @@ -142,6 +142,7 @@ ifdef(`init_systemd',` > auth_manage_faillog(local_login_t) > > init_dbus_chat(local_login_t) > + systemd_connect_machined(local_login_t) > systemd_dbus_chat_logind(local_login_t) > systemd_use_logind_fds(local_login_t) > systemd_manage_logind_runtime_pipes(local_login_t) > Index: refpolicy-2.20210203/policy/modules/services/dbus.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/services/dbus.te > +++ refpolicy-2.20210203/policy/modules/services/dbus.te 
> @@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbus > seutil_read_config(system_dbusd_t) > seutil_read_default_contexts(system_dbusd_t) > > +# for machinectl shell > +term_use_ptmx(system_dbusd_t) > + > userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) > userdom_dontaudit_search_user_home_dirs(system_dbusd_t) > # read a file in ~/.local/share > @@ -184,6 +187,9 @@ optional_policy(` > systemd_read_logind_runtime_files(system_dbusd_t) > systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t) > systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) > + > + # for passing around terminal file handles for machinectl shell > + systemd_use_machined_devpts(system_dbusd_t) > ') > > optional_policy(` > -- Chris PeBenito
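Review bot: Missing rationale in the ssh.te hunk at @@ -265: the new auth_use_pam_systemd(sshd_t) call also grants sshd_t dbus_system_bus_client() and the new systemd_connect_machined() (see the authlogin.if hunk), and the only explanation anywhere in the patch is the "# for /run/systemd/userdb/io.systemd.Machine" comment in the logind hunk. Since the cover text says parts of this need discussion, the description should state that pam_systemd now resolves users through machined's userdb socket and that this is why a login daemon needs connectto on it. Dropping the explicit systemd_dbus_chat_logind(sshd_t) in the same hunk and in the @@ -310 hunk is consistent, because auth_use_pam_systemd() already calls it.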
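Review bot: The systemd_connect_machined($1) added to auth_use_pam_systemd() in authlogin.if at @@ -91 widens every PAM-using caller of that interface, not only the login domains touched by this patch, so the interface's summary documentation above the hunk should say that callers are allowed to connect to machined's userdb socket. Reviewers of other modules will otherwise not see that this permission arrives through the PAM interface.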
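Review bot: manage_file_perms on a chr_file looks too broad in the systemd.te hunk at @@ -760: "allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;" grants create, unlink, link and rename on pty slave nodes, which the kernel instantiates and removes itself when the master is opened and closed. Please check the denials that prompted it; rw_chr_file_perms (plus setattr if shown) is the usual set for a domain that allocates ptys, and the term_create_pty(systemd_machined_t, systemd_machined_devpts_t) call on the line above may already cover what is needed, as may term_getattr_pty_fs() for the filesystem getattr.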
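Review bot: The documentation added to systemd_role_template() in systemd.if at @@ -19 ("The type for the user pty") describes a parameter the template does not take: the gen_require() in the same hunk hard-codes user_devpts_t, and the @@ -66 hunk calls term_user_pty($1_systemd_t, user_devpts_t) with that fixed type. Either add the parameter and use it in those calls, or drop the new doc block. Requiring user_devpts_t, a userdomain type, directly inside systemd.if also bypasses that module's interfaces; going through a userdomain interface would keep the cross-module dependency explicit.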
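Review bot: corecmd_shell_entry_type($1_systemd_t) in the systemd_role_template() hunk at @@ -56 makes every shell an entrypoint for the user's systemd instance domain, which is a strong rule with no comment saying which operation needs it; the adjacent "allow $1_systemd_t self:process signal;" and files_search_home($1_systemd_t) are equally unexplained and unrelated to the "# for machinectl shell" block, so they should come with the motivating denials or be split into their own patch. The four raw rules under that comment (fd use on systemd_machined_t for $1_systemd_t and $3, and dbus send_msg in both directions between $3 and systemd_machined_t) are written inline in a template; refpolicy style is to put cross-module fd and dbus chat rules behind a named interface, as this same patch does with systemd_use_machined_devpts().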
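Review bot: rw_file_perms is the wrong permission set for a chr_file in the systemd.if hunk at @@ -66: "allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;" should use rw_chr_file_perms (or rw_term_perms), and term_user_pty($1_systemd_t, user_devpts_t) on the preceding line may already grant it, in which case the raw allow can go. The selinux_use_status_page(), seutil_read_file_contexts() and seutil_search_default_contexts() lines in the same hunk also lack a comment saying which step of the user instance (presumably computing the context for the spawned shell) needs them.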
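Review bot: connectto alone does not let a domain reach a named socket; in the new systemd_connect_machined() interface in systemd.if at @@ -489 the caller also needs search on the /run/systemd/userdb directory and write on the io.systemd.Machine sock_file, with whatever types label them. The usual form is stream_connect_pattern($1, <dir type>, <sock_file type>, systemd_machined_t); as written, "allow $1 systemd_machined_t:unix_stream_socket connectto;" will only work where some other rule already grants the sock_file write, which would make the interface misleading for new callers.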
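Review bot: { read write } on an inherited terminal is likely too narrow in the new systemd_use_machined_devpts() interface in systemd.if at @@ -1300: a domain using a passed pty normally also needs ioctl and getattr (termios handling and isatty), so an inherited terminal permission set fits better, following the same inherited-perms convention this patch uses for the fifo_file rule (rw_inherited_file_perms). The summary line "receive and use a systemd_machined_devpts_t file handle" should also be capitalized like the other interface summaries in the file.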
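Review bot: The locallogin.te hunk at @@ -142 adds systemd_connect_machined(local_login_t) beside an explicit systemd_dbus_chat_logind(local_login_t), which is exactly the pair the ssh.te hunk replaces with a single auth_use_pam_systemd(sshd_t) call; doing the same here would keep the two login domains consistent and avoid duplicate rules if local_login_t already calls auth_use_pam_systemd() elsewhere in the file.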
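Review bot: term_use_ptmx(system_dbusd_t) in the dbus.te hunk at @@ -157 lets the system bus daemon open /dev/ptmx itself, which relaying a file descriptor for machinectl shell should not require; if the denial came from the bus daemon handling the ptmx descriptor that machined opened, the check is on the inherited fd, not on opening ptmx. Please attach the AVC message; if it is only getattr from the daemon inspecting the passed fd, a getattr-only rule or a dontaudit is preferable to granting the bus open/read/write on ptmx.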
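Review bot: systemd_use_machined_devpts(system_dbusd_t) in the dbus.te hunk at @@ -184 gives the system bus daemon read and write on every machinectl shell pty while it relays the descriptor, so a compromised bus daemon could read from or inject into those login terminals. The bus only needs to receive and forward the fd (fd use, and at most getattr if it inspects it); read/write on the chr_file should stay with the two endpoints, and if the denials show only getattr, a dontaudit or getattr-only rule is the least-privilege fix.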