From: Chris PeBenito
Subject: Re: [PATCH] strict policy patches
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Date: Wed, 27 Oct 2021 09:09:40 -0400
Message-ID: <6973a9dc-c7e9-e995-6853-6b4bc192dd66@ieee.org>
List-ID: selinux-refpolicy@vger.kernel.org

On 10/9/21 06:05, Russell Coker wrote:
> Allow user domains to read kernel sysctls and crypto sysctls.
>
> Add userdom_write_all_user_runtime_named_sockets interface (for pulseaudio_t).
>
> Give sysadm_t more access.
>
> Give dbus domains a little more access.
>
> Allow ssh agent to write to an inherited log file from the X server.
>
> Make systemd_analyze_exec_t an alias for bin_t and remove systemd_analyze_t
> domain.
>
> Allow system cronjobs to read fs sysctls.
> > Signed-off-by: Russell Coker [...] > Index: refpolicy-2.20210908/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20210908/policy/modules/roles/sysadm.te > @@ -33,11 +33,22 @@ ifndef(`enable_mls',` > # Local policy > # > > +allow sysadm_t self:netlink_generic_socket { create setopt bind write read }; > + > +# for ptrace > +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read }; > + > +allow sysadm_t self:capability audit_write; > +allow sysadm_t self:system status; This seems a bit odd. I would have expected sysadm_systemd_t would be the target. Was the sysadm systemd --user session running in sysadm_t? > corecmd_exec_shell(sysadm_t) > > corenet_ib_access_unlabeled_pkeys(sysadm_t) > corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) > > +domain_getsched_all_domains(sysadm_t) > + > +dev_read_cpuid(sysadm_t) > dev_read_kmsg(sysadm_t) > > logging_watch_all_logs(sysadm_t) > @@ -58,6 +69,9 @@ init_admin(sysadm_t) > userdom_manage_user_home_dirs(sysadm_t) > userdom_home_filetrans_user_home_dir(sysadm_t) > > +# for systemd-analyze > +files_get_etc_unit_status(sysadm_t) > + > ifdef(`direct_sysadm_daemon',` > optional_policy(` > init_run_daemon(sysadm_t, sysadm_r) > @@ -1033,6 +1047,10 @@ optional_policy(` > ') > > optional_policy(` > + systemd_dbus_chat_logind(sysadm_t) > +') > + > +optional_policy(` > tboot_run_txtstat(sysadm_t, sysadm_r) > ') > > @@ -1100,6 +1118,7 @@ optional_policy(` > ') > > optional_policy(` > + dev_rw_generic_usb_dev(sysadm_t) Is this related to usbmodules? > usbmodules_run(sysadm_t, sysadm_r) > ') > > Index: refpolicy-2.20210908/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20210908/policy/modules/services/xserver.if 
> @@ -100,6 +100,7 @@ interface(`xserver_restricted_role',` > xserver_xsession_entry_type($2) > xserver_dontaudit_write_log($2) > xserver_stream_connect_xdm($2) > + xserver_use_user_fonts($2) > # certain apps want to read xdm.pid file > xserver_read_xdm_runtime_files($2) > # gnome-session creates socket under /tmp/.ICE-unix/ > @@ -141,7 +142,7 @@ interface(`xserver_role',` > gen_require(` > type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; > type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; > - type mesa_shader_cache_t; > + type mesa_shader_cache_t, xdm_t; > ') > > xserver_restricted_role($1, $2) > @@ -184,6 +185,8 @@ interface(`xserver_role',` > > xserver_read_xkb_libs($2) > > + allow $2 xdm_t:unix_stream_socket accept; Do you have any context on this? Userdomains don't have read/write xdm_t unix_stream_socket access, so they wouldn't be able to do anything with it. > + > optional_policy(` > xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") > ') > @@ -1224,6 +1227,7 @@ interface(`xserver_read_xkb_libs',` > allow $1 xkb_var_lib_t:dir list_dir_perms; > read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > + allow $1 xkb_var_lib_t:file map; > ') > > ######################################## > Index: refpolicy-2.20210908/policy/modules/services/dbus.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/services/dbus.if > +++ refpolicy-2.20210908/policy/modules/services/dbus.if > @@ -85,6 +85,7 @@ template(`dbus_role_template',` > > allow $3 $1_dbusd_t:unix_stream_socket connectto; > allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; > + allow $1_dbusd_t $3:dbus send_msg; > allow $3 $1_dbusd_t:fd use; > > dontaudit $1_dbusd_t self:process getcap; 
> @@ -103,9 +104,13 @@ template(`dbus_role_template',` > > allow $1_dbusd_t $3:process sigkill; > > + allow $1_dbusd_t self:process getcap; > + > corecmd_bin_domtrans($1_dbusd_t, $3) > corecmd_shell_domtrans($1_dbusd_t, $3) > > + dev_read_sysfs($1_dbusd_t) > + > auth_use_nsswitch($1_dbusd_t) > > ifdef(`hide_broken_symptoms',` > @@ -117,6 +122,15 @@ template(`dbus_role_template',` > systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t) > systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t) > ') > + > + optional_policy(` > + init_dbus_chat($1_dbusd_t) > + dbus_system_bus_client($1_dbusd_t) This opens up bridging the user session busses to the system bus. I don't think we want this. > + ') > + > + optional_policy(` > + xdg_read_data_files($1_dbusd_t) > + ') > ') -- Chris PeBenito
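Review bot: In the first sysadm.te hunk (@@ -33,11 +33,22 @@) the comment "# for ptrace" above `allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read };` does not match the permission: netlink_tcpdiag_socket is the sock_diag family used by socket-listing tools such as ss, not by ptrace, so the comment should name the program that actually produced the denial. The bare `allow sysadm_t self:capability audit_write;` in the same hunk should go through logging_send_audit_msgs(sysadm_t), which is the refpolicy interface that grants audit_write together with the netlink_audit_socket permissions that normally accompany it.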
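Review bot: In the sysadm.te hunk at @@ -1100,6 +1118,7 @@, `dev_rw_generic_usb_dev(sysadm_t)` is placed inside the optional_policy block that wraps `usbmodules_run(sysadm_t, sysadm_r)`, which makes a dev-module rule conditional on the usbmodules module being loaded. If the USB device access is needed independently of usbmodules (for example by a tool that is not part of that module), it belongs in the unconditional section of the sysadm_t policy with a comment naming the tool; if it really is only for usbmodules, the comment should say so.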
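Review bot: In the xserver.if hunk at @@ -184,6 +185,8 @@, `allow $2 xdm_t:unix_stream_socket accept;` grants the listener-side accept permission on a socket owned by xdm_t to the user domain; a user domain can only reach such a socket through a listening file descriptor leaked across the xdm_t to user transition, so the usual fix is a dontaudit (or closing the descriptor in xdm) rather than an allow, and the same xdm_t leak would normally also show read/write denials that this rule does not cover. If the allow is dropped, the `type mesa_shader_cache_t, xdm_t;` addition in the gen_require block at @@ -141,7 +142,7 @@ should be reverted as well, since xdm_t is only required for this rule.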
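Review bot: In the xserver_read_xkb_libs hunk (@@ -1224,6 +1227,7 @@), the new `allow $1 xkb_var_lib_t:file map;` sits next to the existing `read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)`; refpolicy provides mmap_read_files_pattern for exactly this combination, so replacing the read pattern with `mmap_read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)` keeps the interface in the usual pattern style instead of mixing a pattern macro with a raw allow rule.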
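Review bot: In the dbus.if hunk at @@ -85,6 +85,7 @@, `allow $1_dbusd_t $3:dbus send_msg;` adds the reverse direction of an existing rule (the user domain may already send to the session bus daemon) without a comment saying which messages from the daemon itself require it; the bus daemon sends its own signals and error replies to clients, and a one-line comment naming that case would keep the rule from looking like a copy-and-paste mirror of the line above it.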
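Review bot: In the dbus.if hunk at @@ -103,9 +104,13 @@, the new `allow $1_dbusd_t self:process getcap;` duplicates the `dontaudit $1_dbusd_t self:process getcap;` that is still visible as context in the preceding hunk; once the permission is allowed the dontaudit is dead and should be removed in the same patch. The `dev_read_sysfs($1_dbusd_t)` addition in the same hunk also has no comment explaining what the session bus daemon reads under /sys.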
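Review bot: In the final dbus.if hunk (@@ -117,6 +122,15 @@), the block `init_dbus_chat($1_dbusd_t)` plus `dbus_system_bus_client($1_dbusd_t)` makes every per-user session bus daemon a client of the system bus and a D-Bus peer of init, which is the access a compromised session bus daemon would need to talk to systemd, and it widens every role that instantiates dbus_role_template, not just the one that hit a denial. If a user program needs the system bus, the access belongs on the user domain ($3), not on the daemon; as written the hunk should be dropped, or at minimum carry a comment naming the program that triggered it so the narrower rule can be found.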