Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2235401pxb; Fri, 5 Feb 2021 12:19:45 -0800 (PST) X-Google-Smtp-Source: ABdhPJw02XQ8zoNavYLpw7nbSVIwDOAvqhyij5LhlBXtpoj2yB7kZFFEvr9QcOpiMb8FsHwubu6N X-Received: by 2002:a05:6402:105a:: with SMTP id e26mr3543674edu.60.1612556385071; Fri, 05 Feb 2021 12:19:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612556385; cv=none; d=google.com; s=arc-20160816; b=EFh1KDJ8/WmwV1hh7bLthTZNOet3otqtZ3vfkUFbro+/DJgdflJZSNqEf3LfK1vnhM J/4j6JKXqlt7eFY4RIz5uyqN108FnX+qIa1+pOrpb/SCCiT8hfcNIu3w9RcGCD7GG0EM 0yfNCkeeNeDPHKexGHpL3JnFc2zwlL7BG4b6XBrwPmMVzCIx56NIIM66C+cu5XPZte0f BQVfSIPBGWHeCv1U2ZaqQf/uZVbz8DB7R6rIawy14ZOk+HD7IjC7KPaaOagsLI3fZufo 6kB01T65TVZTIOSmpuipHqwrtfqL5i+Kh6JHuUINqdy8xR1RTjblwH1e5EF6CCFEinck i/6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dkim-signature:dkim-filter; bh=q6JxCXUjFSwgbDbPIaoVv8cOkx16XdNuGnCM8TvmHgs=; b=ABDA0trd9cqqMKfrwM6e/558e1tpwLTOYKwHYojjw1sADD3xMuu0jU1Bz1CBzvqN5/ ozEqfKHd7SW0t0Dts9Da0E0eGKi6YB2TURYdQQ2NQ5V6Wkik2Ek+6TlW3TegdOV5aA+C +XGtMQxDGm48a8y9FVw8rApfbU6z3DzceHGFPmJHzahg2FEs6jBh85geMxV3y+V3C525 FsccAwwa1RSqrM81hWf5dSg4TcuxdEnMnVP/iX+H5rYDgYUOUvBkX4tFd+OZ/Fu3T3B5 Y0g97Qp2st1v6Jm2KvRJQbga4SQlIQDZTvtbjlRzZlE8y7Pk6u8VP30PV0Kw30fNbShz Jlxg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=PMHIM9d7; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[23.128.96.18]) by mx.google.com with ESMTP id gq1si5721254ejb.675.2021.02.05.12.19.39; Fri, 05 Feb 2021 12:19:45 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=PMHIM9d7; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233184AbhBESgh (ORCPT + 16 others); Fri, 5 Feb 2021 13:36:37 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40732 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233385AbhBESga (ORCPT ); Fri, 5 Feb 2021 13:36:30 -0500 Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 5CF1DC06174A for ; Fri, 5 Feb 2021 12:18:15 -0800 (PST) Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id 7BED02A12B5; Fri, 5 Feb 2021 21:18:11 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 7BED02A12B5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1612556292; bh=q6JxCXUjFSwgbDbPIaoVv8cOkx16XdNuGnCM8TvmHgs=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=PMHIM9d7u5mEV9Hclr2pVAVvhxiOqVeOsQFXFPxQqmIGj3rBbKXpzX23cJN1XhNtO Vm4uU7JYwPT0z4ZHKrFz64OOpMP/MpeDiAND/pTkS+4NARp5J/DGZEyenGDDxZlGAy +3egZurCmx8BTTRUKKNq7E9O01pgClPYSS0l1FLU= 
From: Dominick Grift To: Chris PeBenito Cc: Russell Coker , selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] another systemd misc patch References: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org> Date: Fri, 05 Feb 2021 21:18:09 +0100 In-Reply-To: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org> (Chris PeBenito's message of "Fri, 5 Feb 2021 14:44:21 -0500") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Chris PeBenito writes: > On 2/2/21 10:31 PM, Russell Coker wrote: >> Lots of littls changes related to systemd. >> Signed-off-by: Russell Coker >> > >> @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_ >> ###################################### >> ## >> +## Watch systemd-logind runtime dirs >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`systemd_watch_logind_runtime_dir',` > > systemd_watch_logind_runtime_dirs (plural) > >> + gen_require(` >> + type systemd_logind_runtime_t; >> + ') >> + >> + allow $1 systemd_logind_runtime_t:dir watch; >> +') >> + >> +###################################### >> +## >> ## Use inherited systemd >> ## logind file descriptors. >> ## >> @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login >> ###################################### >> ## >> +## Watch logind sessions dirs. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`systemd_watch_logind_sessions_dir',` > > systemd_watch_logind_sessions_dirs (plural) > >> + gen_require(` >> + type systemd_sessions_runtime_t; >> + ') >> + >> + allow $1 systemd_sessions_runtime_t:dir watch; >> +') >> + >> +###################################### >> +## >> ## Write inherited logind inhibit pipes. >> ## >> ## 
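Review bot: Both `systemd_watch_logind_runtime_dir` and `systemd_watch_logind_sessions_dir` grant only `dir watch` on the target type and nothing on the enclosing runtime directory, so a caller that uses just this interface still cannot reach the directory it is meant to watch. The other logind runtime interfaces in this file appear to call `init_search_runtime($1)` ahead of their allow rule — confirm — and these should follow the same shape: `init_search_runtime($1)` on the line before `allow $1 systemd_logind_runtime_t:dir watch;` (and the sessions equivalent). The same applies to `systemd_watch_machines_dir` in the following hunk. The XML summary/desc/param tags of the new interface headers do not show in this quoted copy, which is presumably mail rendering rather than the patch itself.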
>> @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',` >> ######################################## >> ## >> +## Allow watching /run/systemd/machines >> +## >> +## >> +## >> +## Domain that can watch the machines files >> +## >> +## >> +# >> +interface(`systemd_watch_machines_dir',` > > systemd_watch_machines_dirs (plural) > >> + gen_require(` >> + type systemd_machined_runtime_t; >> + ') >> + >> + allow $1 systemd_machined_runtime_t:dir watch; >> +') >> + >> +######################################## >> +## >> ## Send and receive messages from >> ## systemd hostnamed over dbus. >> ## >> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',` >> type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; >> ') >> - domtrans_pattern($1, systemd_passwd_agent_exec_t, >> systemd_passwd_agent_t) >> + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) > > domtrans_pattern() is the standard pattern. This change has no effect. > > > >> Index: refpolicy-2.20210203/policy/modules/system/systemd.te >> =================================================================== >> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te >> +++ refpolicy-2.20210203/policy/modules/system/systemd.te >> @@ -129,6 +129,7 @@ type systemd_logind_t; >> type systemd_logind_exec_t; >> init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) >> init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t) >> +init_stream_connect(systemd_logind_t) >> type systemd_logind_inhibit_runtime_t alias >> systemd_logind_inhibit_var_run_t; >> files_runtime_file(systemd_logind_inhibit_runtime_t) 
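Review bot: `init_stream_connect(systemd_logind_t)` in the systemd.te hunk is added with no comment, and nothing in the surrounding logind rules makes the reason obvious; a rule that lets logind connect to init's unix stream sockets deserves a one-line why-comment, e.g. `# presumably sd-bus falling back to the private init socket — confirm from the denial`. If the denial was instead on a socket that logind itself owns through the `init_named_socket_activation` line just above, the target would be `systemd_logind_runtime_t` and this interface would not be the right fix. The trailing context of that hunk is trimmed in the quoted copy.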
>> @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli >> init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) >> manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) >> +kernel_read_kernel_sysctls(systemd_backlight_t) >> + >> systemd_log_parse_environment(systemd_backlight_t) >> # Allow systemd-backlight to write to >> /sys/class/backlight/*/brightness >> @@ -358,13 +361,15 @@ ifdef(`enable_mls',` >> # >> allow systemd_coredump_t self:unix_dgram_socket { create write >> connect getopt setopt }; >> -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace }; >> +allow systemd_coredump_t self:unix_stream_socket connectto; >> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace }; > > net_admin? That doesn't seem necessary for core dumping. > > > [...] 
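Review bot: `allow systemd_coredump_t self:unix_stream_socket connectto;` only holds if the socket being connected to was created by a process that is itself systemd_coredump_t; if the kernel-invoked helper is connecting to the socket-activated coredump listener, that socket is created by init and the rule belongs on an init interface (or the socket needs the `init_named_socket_activation` pattern used elsewhere in this file), not on self — worth confirming against the denial's target context. Either way the line should carry a comment naming the socket it is for, since a bare self connectto next to the capability line gives a later reader nothing to check it against.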
>> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump >> seutil_search_default_contexts(systemd_coredump_t) >> +allow systemd_generator_t self:fifo_file rw_file_perms; >> +allow systemd_generator_t self:process setfscreate; >> + >> +allow systemd_generator_t self:capability dac_override; >> +allow systemd_generator_t self:tcp_socket create; >> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read }; >> + >> +corecmd_exec_bin(systemd_generator_t) >> +corecmd_exec_shell(systemd_generator_t) >> +files_exec_etc_files(systemd_generator_t) >> +fs_getattr_cgroup(systemd_generator_t) >> +fs_getattr_tmpfs(systemd_generator_t) >> +fs_rw_tmpfs_files(systemd_generator_t) >> +miscfiles_read_localization(systemd_generator_t) >> + >> +optional_policy(` >> + # for /lib/systemd/system-generators/openvpn-generator >> + openvpn_read_config(systemd_generator_t) >> +') >> + >> +optional_policy(` >> + # it runs postconf >> + # maybe /lib/systemd/system-generators/postfix-instance-generator >> + postfix_read_config(systemd_generator_t) >> +') > > The systemd_generator_t rules need to move to proper places. > > > >> @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_ >> kernel_read_kernel_sysctls(systemd_logind_t) >> +auth_read_shadow(systemd_logind_t) > > If this is necessary, it seems Debian specific. This also happens on fedora (not sure why) > > [...] 
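Review bot: `self:tcp_socket create` and the `netlink_route_socket` permissions on systemd_generator_t are unconditional, yet the only hint in the hunk for why a generator touches the network is the postfix block ("it runs postconf"); if these come from postconf resolving hostnames they belong inside that `optional_policy` block with the comment, and if not they need their own why-comment. `self:capability dac_override` is broader than needed if the generators only read root-owned config (both optional blocks use read-only interfaces), in which case `dac_read_search` is the usual refpolicy choice — confirm from the denial. `fs_rw_tmpfs_files(systemd_generator_t)` grants read/write on every tmpfs_t file; a comment naming the file it is actually for would let a later reviewer narrow it.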
>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm >> # for /run/systemd/nspawn/incoming in chroot >> allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton; >> +kernel_getattr_core_if(systemd_nspawn_t) >> +kernel_getattr_proc(systemd_nspawn_t) >> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t) >> + >> kernel_mount_proc(systemd_nspawn_t) >> kernel_mounton_sysctl_dirs(systemd_nspawn_t) >> kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) >> kernel_mounton_message_if(systemd_nspawn_t) >> kernel_mounton_proc(systemd_nspawn_t) >> +kernel_mounton_sysctl_files(systemd_nspawn_t) >> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t) > > With all of the mounting, perhaps we should consider coalescing on > allowing it to mount an all init_mountpoint_types. mounton unlabeled dirs indicates that something is unlabeled/mislabeled though. Wouldnt allow that. > > [..] >> @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t) >> term_search_ptys(systemd_nspawn_t) >> term_setattr_generic_ptys(systemd_nspawn_t) >> term_use_ptmx(systemd_nspawn_t) >> +term_use_generic_ptys(systemd_nspawn_t) > > Perhaps this should have a pty type? Agree 
> > >> @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se >> # systemd-user-runtime-dir local policy >> # >> -allow systemd_user_runtime_dir_t self:capability { fowner chown >> sys_admin dac_read_search dac_override }; >> +allow systemd_user_runtime_dir_t self:capability { chown >> dac_override dac_read_search dac_override fowner sys_admin mknod }; > > sys_admin and mknod? What is sys_admin used for; also, I don't see > any rules for creating devices. its probably old systemd stuff (fixed in more recent version): ie /run/user/UID/inaccessible/blk should be able to ignore this > >> allow systemd_user_runtime_dir_t self:process setfscreate; >> domain_obj_id_change_exemption(systemd_user_runtime_dir_t) >> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir >> manage_dir_perms; >> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink; >> +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink; >> + >> files_read_etc_files(systemd_user_runtime_dir_t) >> fs_mount_tmpfs(systemd_user_runtime_dir_t) >> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r >> seutil_libselinux_linked(systemd_user_runtime_dir_t) >> userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t) >> +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t) >> userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t) >> +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t) >> +userdom_list_user_tmp(systemd_user_runtime_dir_t) >> userdom_search_user_runtime_root(systemd_user_runtime_dir_t) >> userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir) >> userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t) >> Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if >> =================================================================== >> --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if >> +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if 
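Review bot: `dac_override` is listed twice in the rewritten capability set `{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`; the duplicate is likely tolerated by the compiler but should be written once, so the line reads `allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search fowner sys_admin mknod };` before whatever the sys_admin/mknod discussion above settles on is removed. The line is wrapped by the mail client in this copy, so the duplicate may also be a paste artifact — confirm against the actual patch. The three added rules on systemd_user_runtime_t and systemd_user_runtime_notify_t carry no comment; unlink of notify sockets is not self-explanatory, so a one-line comment naming the cleanup path that triggers it would help.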
>> @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks >> allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms; >> ') >> + >> +######################################## >> +## >> +## send dbus messages to dpkg_t >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`dpkg_dbus_chat',` >> + gen_require(` >> + type dpkg_t; >> + ') >> + >> + allow $1 dpkg_t:dbus send_msg; >> +') > > I'd prefer that the dbus chat interfaces are provided by the server process' domain. -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
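Review bot: `dpkg_dbus_chat` only allows `$1 → dpkg_t` `send_msg`, but the `_dbus_chat` naming in refpolicy denotes bidirectional messaging; as written, replies from dpkg_t back to the caller are not permitted. Either add the reverse rule `allow dpkg_t $1:dbus send_msg;` directly after the existing allow, or rename the interface so the one-way direction is explicit. The summary `send dbus messages to dpkg_t` should also be capitalized to match the other interface summaries in this file. The remainder of this hunk (the header announces 40 new lines) is trimmed in the quoted copy.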