Date: Sat, 9 Oct 2021 21:17:34 +1100
From: Russell Coker
To: Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Saturday, 6 February 2021 06:44:21 AEDT Chris PeBenito wrote:
> > +interface(`systemd_watch_logind_runtime_dir',`
>
> systemd_watch_logind_runtime_dirs (plural)

Done.

> > +interface(`systemd_watch_logind_sessions_dir',`
>
> systemd_watch_logind_sessions_dirs (plural)

Done.

> > +interface(`systemd_watch_machines_dir',`
>
> systemd_watch_machines_dirs (plural)

Done.

> > - domtrans_pattern($1, systemd_passwd_agent_exec_t,
> > systemd_passwd_agent_t)
> > + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t,
> > systemd_passwd_agent_t)
>
> domtrans_pattern() is the standard pattern. This change has no effect.

OK, I'll remove that.

> > -allow systemd_coredump_t self:capability { dac_override dac_read_search
> > setgid setuid setpcap sys_ptrace }; +allow systemd_coredump_t
> > self:unix_stream_socket connectto;
> > +allow systemd_coredump_t self:capability { dac_override dac_read_search
> > setgid setuid setpcap net_admin sys_ptrace };
>
> net_admin? That doesn't seem necessary for core dumping.

That's one of the systemd programs that wanted netadmin to set socket
buffers. I'll dontaudit it.

> > @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
> >
> > seutil_search_default_contexts(systemd_coredump_t)
> >
> > +allow systemd_generator_t self:fifo_file rw_file_perms;
> > +allow systemd_generator_t self:process setfscreate;
>
> The systemd_generator_t rules need to move to proper places.

Done.

> > @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
> >
> > kernel_read_kernel_sysctls(systemd_logind_t)
> >
> > +auth_read_shadow(systemd_logind_t)
>
> If this is necessary, it seems Debian specific.

I'll try removing it.
> > @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
> >
> > term_search_ptys(systemd_nspawn_t)
> > term_setattr_generic_ptys(systemd_nspawn_t)
> > term_use_ptmx(systemd_nspawn_t)
> >
> > +term_use_generic_ptys(systemd_nspawn_t)
>
> Perhaps this should have a pty type?

OK.

> > @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
> >
> > # systemd-user-runtime-dir local policy
> > #
> >
> > -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin
> > dac_read_search dac_override }; +allow systemd_user_runtime_dir_t
> > self:capability { chown dac_override dac_read_search dac_override fowner
> > sys_admin mknod };
>
> sys_admin and mknod? What is sys_admin used for; also, I don't see any
> rules for creating devices.

That's because of something that I hadn't included in that patch. It has to
unlink device nodes labelled user_tmp_t. I just sent another patch for this.
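Review bot: in the systemd_coredump_t capability hunk, the new `+allow systemd_coredump_t self:unix_stream_socket connectto;` line is wedged between the removed and the re-added `self:capability` rule, which hides that the only capability actually being added is `net_admin`; keep the capability rule where it was and put the socket rule on its own line after it. Since net_admin is wanted only for setting socket buffer sizes, the reply's plan to dontaudit it is the right one: a `dontaudit systemd_coredump_t self:capability net_admin;` beside the allow rule silences the denial without giving a core-dump handler a network administration capability.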
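Review bot: in the `@@ -393,6 +403,32 @@` hunk, `allow systemd_generator_t self:fifo_file rw_file_perms;` applies the file permission set to the fifo_file class; refpolicy defines `rw_fifo_file_perms` for that class and the existing patterns use it, so the rule should read `allow systemd_generator_t self:fifo_file rw_fifo_file_perms;`. Both systemd_generator_t rules also sit under the systemd_coredump_t context lines (`logging_send_syslog_msg(systemd_coredump` ... `seutil_search_default_contexts(systemd_coredump_t)`) and belong in the generator's own local-policy block, and `process setfscreate` deserves a comment naming what the generator labels, since it lets the domain choose the context of the files it creates.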
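Review bot: `+auth_read_shadow(systemd_logind_t)` in the `@@ -583,6 +642,8 @@` hunk hands a long-running system daemon read access to the password hashes, which is a material widening of the domain and should not be in the unconditional rules. If it survives the check the reply proposes, wrap it in an `ifdef(`distro_debian',` block with a comment naming the code path that reads /etc/shadow, and confirm from the audit denial that it is logind itself, not a child domain that should be transitioned instead, that needs it.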
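Review bot: `+term_use_generic_ptys(systemd_nspawn_t)` in the `@@ -972,6 +1067,7 @@` hunk grants read/write on every generic pty on the system, while the context lines directly above already give the domain `term_use_ptmx` and `term_setattr_generic_ptys`. nspawn allocates the ptys it hands to containers, so a dedicated pty type declared with `term_pty()` and granted through `term_create_pty()` confines the access to the ptys it creates, which is what the review is asking for.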
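Review bot: the `+allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };` line in the `@@ -1519,11 +1627,15 @@` hunk lists `dac_override` twice; drop the duplicate. `mknod` is only checked when a device node is created; removing one needs `unlink` on the chr_file or blk_file and `remove_name` on the directory, not CAP_MKNOD, so if the follow-up patch only unlinks user_tmp_t device nodes the capability can be left out. `sys_admin` is the broadest capability in the set and should carry a comment stating which operation on the runtime dir triggers it, or be dontaudited if it is merely probed.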