Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1164152pxb; Wed, 6 Apr 2022 10:13:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwJW1cCwBMO/pGcd3fCCvOcvZFuKk3jqhBLcSRd+PI+tauELMUSeDoJhTRNFs+ZYVk5E29r X-Received: by 2002:a65:5941:0:b0:375:9bfd:473d with SMTP id g1-20020a655941000000b003759bfd473dmr7896066pgu.348.1649265198962; Wed, 06 Apr 2022 10:13:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649265198; cv=none; d=google.com; s=arc-20160816; b=l3h33mxqw8b6XtaLCj9O9qbt3pMTRAX7grSWqsqYcfu7LhlyJi3uHB85+YaaAsFcyY 3b2oDfcrCY6OO9aAvhxi+i40VmOlcotMfO4lf/BMEe9vglHSuLHJ6tLrNkIpRri5s5C3 XDcxd5SM/nXOUE19Bas18yXCNQ5MSDgXCN3y8zmO/d8Eh83LzJM3FDV3692Dr3pjseFi +e+jA7obDI8+0XryXpqyxYC1kXcVdf2fskJnc8OAWjbJoAe6/SkO/ydojUIIuUliCxre gDUX8EESPK/T/pRg8F9fn3HAfE6PTVHmH0zXzCS7qTskp89WGjbWE2kHlWMeJi/z65mM 2C2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=Tz2w/20TEyaH9mvYBdVFduZWZXR4ONljCGVi8nKJIWs=; b=PpDsy9ONRxuotEJkgxM1Np8AY/zfkj8W5YHocjOa3iNlxY+39xqA8zzNWUyCsyJ1u8 1dpF5w9jzkRUMyAjhCAzilMjnqnDueLzmx0i/YCqHAnLhjLTO6leQVIWy/N97yoDLWeq HO6a4LK8YqLIN9oYDjgdU5SrW2moWF0g5uj2wnBiIqoYZ8OMTUVRL+ZStbxjiJDB1IH8 F8L1Gjc0E8/krSrCXeJhjEmlGMniZaJmJ++URNkt5P6FuZceW5RRGTCniGVpvzTMHM3F AlezGUKYsYx58oUyzUCLZ79oklTHaDkmYIEBbZ8ejno8/kNAYvMVwWzu4fjG5NuhnBle 6iRg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=AnFv0aZq; spf=softfail (google.com: domain of transitioning selinux-refpolicy-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. 
[23.128.96.19]) by mx.google.com with ESMTPS id c23-20020a63da17000000b003816043f0bdsi16810547pgh.690.2022.04.06.10.13.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 10:13:18 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning selinux-refpolicy-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=AnFv0aZq; spf=softfail (google.com: domain of transitioning selinux-refpolicy-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D2390C6F02; Wed, 6 Apr 2022 09:57:56 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238475AbiDFQ7z (ORCPT + 22 others); Wed, 6 Apr 2022 12:59:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38834 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238333AbiDFQ7t (ORCPT ); Wed, 6 Apr 2022 12:59:49 -0400 Received: from smtp.sws.net.au (smtp.sws.net.au [144.76.241.179]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C2271346E7F for ; Wed, 6 Apr 2022 07:52:38 -0700 (PDT) Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id E3B21F65E for ; Thu, 7 Apr 2022 00:52:35 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1649256756; bh=Tz2w/20TEyaH9mvYBdVFduZWZXR4ONljCGVi8nKJIWs=; l=4382; h=Date:From:To:Subject:From; b=AnFv0aZqxEGV8gTpzPNitcZXpEq4NT2griZ+DsxNW74twM51TxNE6KycNAuo/ausg JuC8sxIXCmzldYa0cvoKOcdoDkpZ1cG1rRCOb4MS20oyIcgh3qvAD5l88QpDcWhBph 6RIXRp26vfYykJdIruuFQlEmqvi0ixymN+k97ntI= Received: by xev.coker.com.au 
(Postfix, from userid 1001) id 7105317CA90D; Thu, 7 Apr 2022 00:52:31 +1000 (AEST) Date: Thu, 7 Apr 2022 00:52:31 +1000 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] machinectl shell and login fixes Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch fixes a delay in login and allows machinectl shell to work. Signed-off-by: Russell Coker Index: refpolicy-2.20220325/policy/modules/system/init.if =================================================================== --- refpolicy-2.20220325.orig/policy/modules/system/init.if +++ refpolicy-2.20220325/policy/modules/system/init.if @@ -3301,6 +3301,24 @@ interface(`init_tcp_recvfrom_all_daemons corenet_tcp_recvfrom_labeled($1, daemon) ') +###################################### +## +## restart systemd units, for /run/systemd/transient/* +## +## +## +## Domain allowed access. +## +## +# +interface(`init_restart_units',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:service { start status stop }; +') + ######################################## ## ## Allow the specified domain to connect to daemon with a udp socket Index: refpolicy-2.20220325/policy/modules/system/locallogin.te =================================================================== --- refpolicy-2.20220325.orig/policy/modules/system/locallogin.te +++ refpolicy-2.20220325/policy/modules/system/locallogin.te 
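Review bot: The name `init_restart_units` does not match the grant it wraps: `allow $1 init_var_run_t:service { start status stop };` gives start, stop and status only, there is no `reload`, and the `service` class has no `restart` permission, so a caller expecting restart semantics will be misled. The comment names /run/systemd/transient/*, but the rule targets the whole of `init_var_run_t`, which, if that type labels the entire init runtime directory, covers every unit systemd keeps there and not only transient ones; that scope should be stated or a dedicated type used. I would rename the interface to something like `init_start_stop_units` and make the summary precise: `## Start, stop and query the status of systemd units kept under the init runtime directory, e.g. /run/systemd/transient/*.`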
@@ -129,7 +129,8 @@ auth_manage_pam_runtime_files(local_logi
 auth_manage_pam_console_data(local_login_t)
 auth_domtrans_pam_console(local_login_t)
-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)
 miscfiles_read_localization(local_login_t)
Index: refpolicy-2.20220325/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20220325/policy/modules/system/systemd.te
@@ -851,6 +851,9 @@ init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
 init_watch_utmp(systemd_logind_t)
+# for /run/systemd/transient/*
+init_restart_units(systemd_logind_t)
+
 locallogin_read_state(systemd_logind_t)
 seutil_libselinux_linked(systemd_logind_t)
Index: refpolicy-2.20220325/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20220325/policy/modules/system/systemd.if
@@ -19,11 +19,6 @@
 ## The user domain for the role.
 ##
 ##
-##
-##
-## The type for the user pty
-##
-##
 #
 template(`systemd_role_template',`
 gen_require(`
@@ -33,6 +28,7 @@ template(`systemd_role_template',`
 type systemd_conf_home_t, systemd_data_home_t;
 type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 type systemd_user_unit_t, systemd_user_runtime_unit_t;
+type systemd_machined_t, user_devpts_t;
 ')
 #################################
@@ -60,6 +56,7 @@ template(`systemd_role_template',`
 allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
 corecmd_shell_domtrans($1_systemd_t, $3)
 corecmd_bin_domtrans($1_systemd_t, $3)
+corecmd_shell_entry_type($1_systemd_t)
 # systemctl --user rules
 allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
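Review bot: The comment on the new `init_use_fds(local_login_t)` line records the symptom ("takes ages to login") but not the cause, and it turns a deliberate `dontaudit` into a grant without saying which inherited descriptor is involved or why denying its use is no longer merely harmless. I cannot see from the hunk what local_login_t blocks on; presumably a retry or timeout on an fd inherited from systemd, but that is an inference. I would reword it to something like `# local_login_t inherits fds from init (systemd); denying fd:use makes login stall for a long time, so allow it` so the next maintainer knows what was observed before considering a return to dontaudit.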
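Review bot: `corecmd_shell_entry_type($1_systemd_t)` makes every shell executable a valid entry point into the user's systemd manager domain, a widening of that domain's entry points that neither the hunk nor the commit message explains, and it sits directly under `corecmd_shell_domtrans($1_systemd_t, $3)`, which sends shells run by the manager to `$3` instead. Which process is expected to enter `$1_systemd_t` through a shell for `machinectl shell` is not visible here, so I would name it in a comment, e.g. `# machinectl shell: the spawned shell is entered in the user manager domain`, or, if this was only added to clear a denial, check whether the intended transition target is `$3` rather than the manager domain. The enclosing `systemd_role_template` body starts before and continues after this hunk.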
@@ -114,6 +111,10 @@ template(`systemd_role_template',`
 seutil_search_default_contexts($1_systemd_t)
 seutil_read_file_contexts($1_systemd_t)
+# for machinectl shell
+term_user_pty($1_systemd_t, user_devpts_t)
+allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
+
 systemd_manage_conf_home_content($1_systemd_t)
 systemd_manage_data_home_content($1_systemd_t)
@@ -144,6 +145,12 @@ template(`systemd_role_template',`
 allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+# for "machinectl shell"
+allow $1_systemd_t systemd_machined_t:fd use;
+allow $3 systemd_machined_t:fd use;
+allow $3 systemd_machined_t:dbus send_msg;
+allow systemd_machined_t $3:dbus send_msg;
+
 allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 allow $3 systemd_user_unit_t:service { reload start status stop };
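Review bot: `allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;` applies the regular-file permission set to a chr_file class and is probably redundant: refpolicy spells this `rw_chr_file_perms`, and `term_user_pty($1_systemd_t, user_devpts_t)` on the line above, if it matches the usual refpolicy definition, already grants read/write on the pty type, so the explicit allow can be dropped or at least changed to `rw_chr_file_perms`. Hard-coding `user_devpts_t` also means every role instantiated from this template gets the same pty type, which sits oddly with the removal, earlier in this patch, of the documentation for a per-role pty type parameter; if callers still pass that argument it is now silently ignored, so either use the parameter here or add a comment saying why one type serves all roles. The enclosing template body continues past this hunk.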