Subject: Re: [PATCH] another systemd misc patch
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Message-ID: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org>
Date: Fri, 5 Feb 2021 14:44:21 -0500
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/2/21 10:31 PM, Russell Coker wrote:
> Lots of little changes related to systemd.
>
> Signed-off-by: Russell Coker
> > @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_ > > ###################################### > ## > +## Watch systemd-logind runtime dirs > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_watch_logind_runtime_dir',` systemd_watch_logind_runtime_dirs (plural) > + gen_require(` > + type systemd_logind_runtime_t; > + ') > + > + allow $1 systemd_logind_runtime_t:dir watch; > +') > + > +###################################### > +## > ## Use inherited systemd > ## logind file descriptors. > ## > @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login > > ###################################### > ## > +## Watch logind sessions dirs. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_watch_logind_sessions_dir',` systemd_watch_logind_sessions_dirs (plural) > + gen_require(` > + type systemd_sessions_runtime_t; > + ') > + > + allow $1 systemd_sessions_runtime_t:dir watch; > +') > + > +###################################### > +## > ## Write inherited logind inhibit pipes. > ## > ## > @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',` > > ######################################## > ## > +## Allow watching /run/systemd/machines > +## > +## > +## > +## Domain that can watch the machines files > +## > +## > +# > +interface(`systemd_watch_machines_dir',` systemd_watch_machines_dirs (plural) > + gen_require(` > + type systemd_machined_runtime_t; > + ') > + > + allow $1 systemd_machined_runtime_t:dir watch; > +') > + > +######################################## > +## > ## Send and receive messages from > ## systemd hostnamed over dbus. > ## 
> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',` > type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; > ') > > - domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) > + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) domtrans_pattern() is the standard pattern. This change has no effect. > Index: refpolicy-2.20210203/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20210203/policy/modules/system/systemd.te > @@ -129,6 +129,7 @@ type systemd_logind_t; > type systemd_logind_exec_t; > init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) > init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t) > +init_stream_connect(systemd_logind_t) > > type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t; > files_runtime_file(systemd_logind_inhibit_runtime_t) > @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli > init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) > manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) > > +kernel_read_kernel_sysctls(systemd_backlight_t) > + > systemd_log_parse_environment(systemd_backlight_t) > > # Allow systemd-backlight to write to /sys/class/backlight/*/brightness > @@ -358,13 +361,15 @@ ifdef(`enable_mls',` > # > > allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt }; > -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace }; > +allow systemd_coredump_t self:unix_stream_socket connectto; > +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace }; net_admin? That doesn't seem necessary for core dumping. [...] 
> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump > > seutil_search_default_contexts(systemd_coredump_t) > > +allow systemd_generator_t self:fifo_file rw_file_perms; > +allow systemd_generator_t self:process setfscreate; > + > +allow systemd_generator_t self:capability dac_override; > +allow systemd_generator_t self:tcp_socket create; > +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read }; > + > +corecmd_exec_bin(systemd_generator_t) > +corecmd_exec_shell(systemd_generator_t) > +files_exec_etc_files(systemd_generator_t) > +fs_getattr_cgroup(systemd_generator_t) > +fs_getattr_tmpfs(systemd_generator_t) > +fs_rw_tmpfs_files(systemd_generator_t) > +miscfiles_read_localization(systemd_generator_t) > + > +optional_policy(` > + # for /lib/systemd/system-generators/openvpn-generator > + openvpn_read_config(systemd_generator_t) > +') > + > +optional_policy(` > + # it runs postconf > + # maybe /lib/systemd/system-generators/postfix-instance-generator > + postfix_read_config(systemd_generator_t) > +') The systemd_generator_t rules need to move to proper places. > @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_ > > kernel_read_kernel_sysctls(systemd_logind_t) > > +auth_read_shadow(systemd_logind_t) If this is necessary, it seems Debian specific. [...] 
> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm > # for /run/systemd/nspawn/incoming in chroot > allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton; > > +kernel_getattr_core_if(systemd_nspawn_t) > +kernel_getattr_proc(systemd_nspawn_t) > +kernel_getattr_unlabeled_dirs(systemd_nspawn_t) > + > kernel_mount_proc(systemd_nspawn_t) > kernel_mounton_sysctl_dirs(systemd_nspawn_t) > kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) > kernel_mounton_message_if(systemd_nspawn_t) > kernel_mounton_proc(systemd_nspawn_t) > +kernel_mounton_sysctl_files(systemd_nspawn_t) > +kernel_mounton_unlabeled_dirs(systemd_nspawn_t) With all of the mounting, perhaps we should consider coalescing on allowing it to mount an all init_mountpoint_types. [..] > @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t) > term_search_ptys(systemd_nspawn_t) > term_setattr_generic_ptys(systemd_nspawn_t) > term_use_ptmx(systemd_nspawn_t) > +term_use_generic_ptys(systemd_nspawn_t) Perhaps this should have a pty type? > @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se > # systemd-user-runtime-dir local policy > # > > -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override }; > +allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod }; sys_admin and mknod? What is sys_admin used for; also, I don't see any rules for creating devices. > allow systemd_user_runtime_dir_t self:process setfscreate; > > domain_obj_id_change_exemption(systemd_user_runtime_dir_t) > > +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms; > +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink; > +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink; > + > files_read_etc_files(systemd_user_runtime_dir_t) > > fs_mount_tmpfs(systemd_user_runtime_dir_t) 
> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r > seutil_libselinux_linked(systemd_user_runtime_dir_t) > > userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t) > +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t) > userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t) > +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t) > +userdom_list_user_tmp(systemd_user_runtime_dir_t) > userdom_search_user_runtime_root(systemd_user_runtime_dir_t) > userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir) > userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t) > Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if > +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if > @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks > > allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms; > ') > + > +######################################## > +## > +## send dbus messages to dpkg_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dpkg_dbus_chat',` > + gen_require(` > + type dpkg_t; > + ') > + > + allow $1 dpkg_t:dbus send_msg; > +') I'd prefer that the dbus chat interfaces are provided by the server process' domain. -- Chris PeBenito
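Review bot: in the systemd.if hunk at @@ -296 (`systemd_watch_logind_runtime_dir`), the only rule is `allow $1 systemd_logind_runtime_t:dir watch;`, so a caller that also expects inotify events for the files inside that directory will still be denied on the `file` class; either state in the summary that the interface covers the directory only or add the matching file watch rule. The name should also be `systemd_watch_logind_runtime_dirs`, as the reply already points out, and the same applies to the @@ -356 hunk (`systemd_watch_logind_sessions_dirs`).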
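Review bot: the systemd.if hunk at @@ -528 documents the parameter as "Domain that can watch the machines files", but the rule it adds is `allow $1 systemd_machined_runtime_t:dir watch;`, which covers the directory and not the files in /run/systemd/machines. Either the description should say directory (and the interface be named `systemd_watch_machines_dirs`, as noted in the reply) or a `file watch` rule is missing.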
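Review bot: the systemd.if hunk at @@ -585 swaps `domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)` for `domain_auto_transition_pattern(...)` with identical arguments and no explanation in the commit message; since the reply confirms `domtrans_pattern()` is the standard pattern and the change has no effect, this hunk should be dropped so the interface stays consistent with the rest of the file.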
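Review bot: in the systemd.te hunk at @@ -358, `net_admin` is added to the `systemd_coredump_t` capability set and `self:unix_stream_socket connectto` is added, with no comment saying which operation of the coredump handler needs them. A capability grant to a domain that handles arbitrary process memory deserves a one-line comment naming the triggering call; if the denial comes from a probe that does not affect functionality, a `dontaudit` rule is the better fix than `allow`.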
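Review bot: the systemd.te hunk at @@ -393 inserts the `systemd_generator_t` rules directly after `seutil_search_default_contexts(systemd_coredump_t)`, inside the coredump section, which is why the reply asks for them to be moved to their proper place. Beyond placement, `self:tcp_socket create` and the `netlink_route_socket` rules are unusual for a generator and, unlike the `openvpn_read_config` and `postfix_read_config` blocks, carry no comment naming the generator that needs them; `fs_rw_tmpfs_files` is also broad for this domain and should be justified or narrowed.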
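Review bot: the systemd.te hunk at @@ -583 adds `auth_read_shadow(systemd_logind_t)`, which gives logind read access to the password hashes in /etc/shadow, and the commit message does not say why logind needs it. If, as the reply suggests, this is Debian-specific, it belongs in an `ifdef(`distro_debian',` ... `')` block at most, and the underlying cause (what in logind reads shadow) should be identified before the access is granted in the base policy.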
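Review bot: in the systemd.te hunk at @@ -925, `kernel_mounton_unlabeled_dirs(systemd_nspawn_t)` and `kernel_getattr_unlabeled_dirs(systemd_nspawn_t)` allow nspawn to operate on unlabeled directories; rules on the unlabeled type usually hide a labeling gap rather than express a real requirement, so the commit should say which directory shows up unlabeled and whether a file context entry fixes it. The reply's suggestion of coalescing the growing list of `kernel_mounton_*` calls onto `init_mountpoint_types` would also keep this section from growing one mount target at a time.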
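Review bot: the systemd.te hunk at @@ -1519 lists `dac_override` twice in the new `systemd_user_runtime_dir_t` capability set (`{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`); the duplicate should be removed. The only capability actually new relative to the `-` line is `mknod`, and, as the reply notes, nothing else in the hunk creates device nodes, so either the rule that needs `mknod` is missing from the patch or the capability should be dropped.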
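Review bot: the dpkg.if hunk at @@ -356 names the new interface `dpkg_dbus_chat` but only grants `allow $1 dpkg_t:dbus send_msg;`, a single direction; a `*_dbus_chat` interface is expected to allow messages both ways, so either add `allow dpkg_t $1:dbus send_msg;` or rename it to reflect the one-way grant. The summary line should also be capitalized ("Send dbus messages to dpkg_t") to match the surrounding interface docs, and, per the reply, the interface belongs with the domain that acts as the dbus server.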
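The two capability hunks discussed above (the `systemd_coredump_t` change at @@ -358 and the `systemd_user_runtime_dir_t` change at @@ -1519) raise the same review question: which of the added capabilities are actually exercised, and did anything slip in unnoticed? The helper below is an added example for that check and is not refpolicy code or anything from this thread. It parses raw auditd AVC denial records, diffs a before/after `self:capability` rule pair, and reports capabilities that were added without a matching denial plus any duplicated entries. The audit lines are constructed samples; the four allow rules are the `-`/`+` lines quoted from the patch. A denial only proves the process attempted the operation, not that `allow` is the right answer (a `dontaudit` may be), so the output is a list of questions for the submitter, not a verdict.

```python
"""Cross-check capability additions in a refpolicy patch against AVC denials.

Added review helper, not refpolicy code. The audit lines are constructed
samples; the allow rules are the before/after lines quoted from the
systemd.te hunks in the patch under review.
"""
import re
from collections import defaultdict

# Constructed auditd records (pids, inodes and timestamps are made up). The
# USER_AVC line is included to show that non-denial records are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1612554000.001:101): avc:  denied  { sys_admin } for  pid=1201 comm="systemd-user-ru" capability=21  scontext=system_u:system_r:systemd_user_runtime_dir_t:s0 tcontext=system_u:system_r:systemd_user_runtime_dir_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1612554000.002:102): avc:  denied  { chown } for  pid=1201 comm="systemd-user-ru" capability=0  scontext=system_u:system_r:systemd_user_runtime_dir_t:s0 tcontext=system_u:system_r:systemd_user_runtime_dir_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1612554000.003:103): avc:  denied  { unlink } for  pid=1201 comm="systemd-user-ru" name="notify" dev="tmpfs" ino=42 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0 tcontext=system_u:object_r:systemd_user_runtime_notify_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1612554000.004:104): avc:  denied  { net_admin } for  pid=1333 comm="systemd-coredum" capability=12  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
type=USER_AVC msg=audit(1612554000.005:105): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)'
"""

# Before/after capability rules exactly as quoted in the patch.
OLD_RUNTIME_DIR_RULE = "allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };"
NEW_RUNTIME_DIR_RULE = "allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };"
OLD_COREDUMP_RULE = "allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };"
NEW_COREDUMP_RULE = "allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };"

# Only the fields the review needs: permission set, source type, target type, class.
# Contexts are user:role:type[:level]; the level, if any, is skipped by \S*.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+)\S*\s+tcontext=\w+:\w+:(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)"
)
# Accepts both "{ a b c }" sets and a single bare permission.
CAP_RULE_RE = re.compile(
    r"^allow\s+(?P<dom>\w+)\s+self:capability\s+(?:\{\s*(?P<many>[^}]*?)\s*\}|(?P<one>\w+))\s*;"
)


def parse_avc(lines):
    """Map (source type, target type, object class) -> set of denied permissions."""
    observed = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        observed[(m["sdom"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(observed)


def parse_capability_rule(rule):
    """Return (domain, [capabilities]) for an 'allow dom self:capability ...;' rule.

    The list keeps duplicates so the caller can flag them.
    """
    m = CAP_RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError(f"not a self:capability allow rule: {rule!r}")
    caps = m["many"].split() if m["many"] is not None else [m["one"]]
    return m["dom"], caps


def review_capability_change(old_rule, new_rule, observed):
    """Diff a before/after rule pair and check each added capability against the
    denials seen for that domain (for the capability class, tcontext == scontext)."""
    old_dom, old_caps = parse_capability_rule(old_rule)
    new_dom, new_caps = parse_capability_rule(new_rule)
    if old_dom != new_dom:
        raise ValueError("rules are for different domains")
    added = set(new_caps) - set(old_caps)
    seen = observed.get((new_dom, new_dom, "capability"), set())
    return {
        "domain": new_dom,
        "added": sorted(added),
        "removed": sorted(set(old_caps) - set(new_caps)),
        "duplicates": sorted({c for c in new_caps if new_caps.count(c) > 1}),
        # Added but never denied in the log: ask the submitter what triggers it.
        "added_without_denial": sorted(added - seen),
    }


if __name__ == "__main__":
    observed = parse_avc(SAMPLE_AUDIT.splitlines())
    for old, new in ((OLD_RUNTIME_DIR_RULE, NEW_RUNTIME_DIR_RULE),
                     (OLD_COREDUMP_RULE, NEW_COREDUMP_RULE)):
        print(review_capability_change(old, new, observed))
```

On the constructed log the `systemd_user_runtime_dir_t` rule reports `mknod` as added without any denial and `dac_override` as a duplicate, while the `systemd_coredump_t` rule's `net_admin` matches a recorded denial; in a real review the audit input would come from `ausearch -m avc` on the machine where the patch author saw the denials.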