Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3470840rwb; Sun, 25 Sep 2022 07:06:20 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4rCaGYojLRPD1hpb/fHXZ0XyhvlW3Og6Aqo4nlOJwdMcZlgG7FkezF309zpcEKMuAckYGA X-Received: by 2002:a17:90a:7006:b0:200:aabc:891 with SMTP id f6-20020a17090a700600b00200aabc0891mr20412954pjk.67.1664114780760; Sun, 25 Sep 2022 07:06:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664114780; cv=none; d=google.com; s=arc-20160816; b=M/9REpniQRP4D0U7SzZol3AkjhMM5LGtl1YSJKxUNXqOqrkrwRGorHn/PeNKHMStJI 7+c/MUMILCaqzbAmss9HT+zpnWu5K5x0ibFx+YEFC3n8BWsaFSDmRDOrulz85YmnqFT0 o37Owbq6c1opi/ZfeGTSetOVbVBeammLyEVnaZ4VGwD9QLIMITT4O52r8+KRDmJ9DKvI owCEubtarbUUu6Lx0tBPAzuWZ5SUIch3DhZEVGEon44k4xWbVYtMHfnqaBpIKTP3qqwI yt7QJrgEOBcKPtqZT0MHwn7NIB6z34vV7aL6YZ/dMq9oAGIUdJqWYlNvK9WxDJJEpzpY SxJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=xET5+HNJL1Qs8gStJXeZt05xJdUNSy0SGMlK1KYC4xw=; b=TWJMIURbBOWd1UbueRZPJpg/yukEIFUXb3CpNrxdz88Rsl0B28Lc++1Znkd9m9R6tS +FKyYHSUZqVvOnVUNzlYlCWM66Xg1n0DX78aLxJaODolfPpbddi7LPAxWXK04FVcsTZQ 4XsW9IpdS5J4t1hYAlWdt5MwSzpIwlQnaBQVosY2xhZKVZFCfvF7EcfSt5OlFNRdjG4L yoxJuRYrI3Qmb2ACeXTiyOCFlp/sJPkzbOZ2cSW35apzUaptGTRQAp6JTo1XBIPTQLiI uB5wqRu9G2wWkYkjtrm2D6MNTMDQSIgFKCktgablU9mmD5WV5Kc/nfS4bZjx/fn6LpIq jKKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=Dq8QRKEK; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f16-20020a170902ce9000b00176d5b20ebesi9701115plg.355.2022.09.25.07.06.18; Sun, 25 Sep 2022 07:06:20 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=Dq8QRKEK; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229674AbiIYODU (ORCPT + 21 others); Sun, 25 Sep 2022 10:03:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34090 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229508AbiIYODU (ORCPT ); Sun, 25 Sep 2022 10:03:20 -0400 Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:201:1e6::dada:cafe]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 10E6D25585 for ; Sun, 25 Sep 2022 07:03:18 -0700 (PDT) Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id B8B801024E for ; Sun, 25 Sep 2022 23:57:09 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1664114230; bh=xET5+HNJL1Qs8gStJXeZt05xJdUNSy0SGMlK1KYC4xw=; l=9920; h=Date:From:To:Subject:From; b=Dq8QRKEKYrPnq8KCk14So5D+tsjMZ0DqIeM4dW72SlRfhCtqcH/UXReuBkGRamuz/ Ui2VCzhukiSmOGrM4mkc/C/qbkjz8S34qVB0tIKLIHllnAbr8hcZL9FwFlyUe6cuc5 NGObaSYv68RjVt1xOnRojyksj8iKEMhgi14FJFjM= Received: by xev.coker.com.au (Postfix, from userid 1001) id E7DE01AB531F; Sun, 25 Sep 2022 23:57:04 +1000 (AEST) Date: Sun, 25 Sep 2022 23:57:04 +1000 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] misc strict patches Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Some misc patches to make things work in a "strict" configuration. Allow base user domains to read crypto and vm overcommit status. Allow pulseaudio to write all user_runtime_content_type named sockets. Allow sysadm_t to read/write netlink_generic_socket, read netlink_tcpdiag_socket, have audit_write capability, get schedulint data, get systemd unit status, talk to logind via dbus, and have direct USB access. Allow the xserver_role domains to accept a unix_stream_socket from xdm_t and map xkb_var_lib_t. Add extra access to the $1_dbusd_t domains. Allow the ssh agent to write to an inherited xsession log. Removed the domain systemd_analyze_t, all it's doing is talking to systemd and formatting the output it gets. Allow system_cronjob_t to read fs sysctls, and allow ntpd_t to get generic units status. I think this is ready to merge. Signed-off-by: Russell Coker Index: refpolicy-2.20220925/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20220925.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20220925/policy/modules/system/userdomain.if @@ -69,6 +69,8 @@ template(`userdom_base_user_template',` dontaudit $1_t user_tty_device_t:chr_file ioctl; kernel_read_kernel_sysctls($1_t) + kernel_read_crypto_sysctls($1_t) + kernel_read_vm_overcommit_sysctl($1_t) kernel_dontaudit_list_unlabeled($1_t) kernel_dontaudit_getattr_unlabeled_files($1_t) kernel_dontaudit_getattr_unlabeled_symlinks($1_t) @@ -3664,6 +3666,25 @@ interface(`userdom_relabelfrom_user_runt ') ######################################## +## +## write user runtime socket files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_write_all_user_runtime_named_sockets',` + gen_require(` + attribute user_runtime_content_type; + ') + + allow $1 user_runtime_content_type:dir list_dir_perms; + allow $1 user_runtime_content_type:sock_file write; +') + +######################################## ## ## delete user runtime files ## Index: refpolicy-2.20220925/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20220925.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20220925/policy/modules/roles/sysadm.te @@ -33,11 +33,22 @@ ifndef(`enable_mls',` # Local policy # +allow sysadm_t self:netlink_generic_socket { create setopt bind write read }; + +# for ptrace +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read }; + +allow sysadm_t self:capability audit_write; +allow sysadm_t self:system status; + corecmd_exec_shell(sysadm_t) corenet_ib_access_unlabeled_pkeys(sysadm_t) corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) +domain_getsched_all_domains(sysadm_t) + +dev_read_cpuid(sysadm_t) dev_read_kmsg(sysadm_t) dev_rw_ipmi_dev(sysadm_t) @@ -59,6 +70,9 @@ init_admin(sysadm_t) userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) +# for systemd-analyze +files_get_etc_unit_status(sysadm_t) + ifdef(`direct_sysadm_daemon',` optional_policy(` init_run_daemon(sysadm_t, sysadm_r) @@ -1049,6 +1063,10 @@ optional_policy(` ') optional_policy(` + systemd_dbus_chat_logind(sysadm_t) +') + +optional_policy(` tboot_run_txtstat(sysadm_t, sysadm_r) ') @@ -1116,6 +1134,7 @@ optional_policy(` ') optional_policy(` + dev_rw_generic_usb_dev(sysadm_t) usbmodules_run(sysadm_t, sysadm_r) ') Index: refpolicy-2.20220925/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20220925.orig/policy/modules/services/xserver.if +++ refpolicy-2.20220925/policy/modules/services/xserver.if @@ -111,6 +111,7 @@ template(`xserver_restricted_role',` xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) + xserver_use_user_fonts($2) # certain apps want to read xdm.pid file xserver_read_xdm_runtime_files($2) # gnome-session creates socket under /tmp/.ICE-unix/ @@ -169,7 +170,7 @@ template(`xserver_role',` gen_require(` type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - type mesa_shader_cache_t; + type mesa_shader_cache_t, xdm_t; ') xserver_restricted_role($1, $2, $3, $4) @@ -212,6 +213,8 @@ template(`xserver_role',` xserver_read_xkb_libs($2) + allow $2 xdm_t:unix_stream_socket accept; + optional_policy(` systemd_user_app_status($1, xserver_t) ') @@ -1256,6 +1259,7 @@ interface(`xserver_read_xkb_libs',` allow $1 xkb_var_lib_t:dir list_dir_perms; read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) + allow $1 xkb_var_lib_t:file map; ') ######################################## Index: refpolicy-2.20220925/policy/modules/services/dbus.if =================================================================== --- refpolicy-2.20220925.orig/policy/modules/services/dbus.if +++ refpolicy-2.20220925/policy/modules/services/dbus.if @@ -85,6 +85,7 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:unix_stream_socket connectto; allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; + allow $1_dbusd_t $3:dbus send_msg; allow $3 $1_dbusd_t:fd use; dontaudit $1_dbusd_t self:process getcap; @@ -105,9 +106,13 @@ template(`dbus_role_template',` allow $1_dbusd_t $3:process sigkill; + allow $1_dbusd_t self:process getcap; + corecmd_bin_domtrans($1_dbusd_t, $3) corecmd_shell_domtrans($1_dbusd_t, $3) + dev_read_sysfs($1_dbusd_t) + auth_use_nsswitch($1_dbusd_t) optional_policy(` @@ -115,6 +120,15 @@ template(`dbus_role_template',` systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t) systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t) ') + + optional_policy(` + init_dbus_chat($1_dbusd_t) + dbus_system_bus_client($1_dbusd_t) + ') + + optional_policy(` + xdg_read_data_files($1_dbusd_t) + ') ') ####################################### Index: refpolicy-2.20220925/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20220925.orig/policy/modules/services/ssh.if +++ refpolicy-2.20220925/policy/modules/services/ssh.if @@ -470,6 +470,7 @@ template(`ssh_role_template',` xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) xserver_sigchld_xdm($1_ssh_agent_t) + xserver_write_inherited_xsession_log($1_ssh_agent_t) ') ') Index: refpolicy-2.20220925/policy/modules/kernel/corecommands.te =================================================================== --- refpolicy-2.20220925.orig/policy/modules/kernel/corecommands.te +++ refpolicy-2.20220925/policy/modules/kernel/corecommands.te @@ -13,7 +13,7 @@ attribute exec_type; # # bin_t is the type of files in the system bin/sbin directories. # -type bin_t alias { ls_exec_t sbin_t }; +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t }; typealias bin_t alias { systemd_detect_virt_t systemd_run_exec_t }; corecmd_executable_file(bin_t) dev_associate(bin_t) #For /dev/MAKEDEV Index: refpolicy-2.20220925/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20220925.orig/policy/modules/system/systemd.te +++ refpolicy-2.20220925/policy/modules/system/systemd.te @@ -64,10 +64,6 @@ type systemd_activate_t; type systemd_activate_exec_t; init_system_domain(systemd_activate_t, systemd_activate_exec_t) -type systemd_analyze_t; -type systemd_analyze_exec_t; -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) - type systemd_backlight_t; type systemd_backlight_exec_t; init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) @@ -1695,6 +1691,7 @@ tunable_policy(`systemd_tmpfiles_manage_ ') optional_policy(` + dbus_manage_lib_files(systemd_tmpfiles_t) dbus_read_lib_files(systemd_tmpfiles_t) dbus_relabel_lib_dirs(systemd_tmpfiles_t) ') Index: refpolicy-2.20220925/policy/modules/services/cron.te =================================================================== --- refpolicy-2.20220925.orig/policy/modules/services/cron.te +++ refpolicy-2.20220925/policy/modules/services/cron.te @@ -483,6 +483,7 @@ allow system_cronjob_t crond_tmp_t:file kernel_getattr_core_if(system_cronjob_t) kernel_getattr_message_if(system_cronjob_t) +kernel_read_fs_sysctls(system_cronjob_t) kernel_read_irq_sysctls(system_cronjob_t) kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) Index: refpolicy-2.20220925/policy/modules/apps/pulseaudio.te =================================================================== --- refpolicy-2.20220925.orig/policy/modules/apps/pulseaudio.te +++ refpolicy-2.20220925/policy/modules/apps/pulseaudio.te @@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau userdom_manage_user_tmp_dirs(pulseaudio_t) userdom_manage_user_tmp_files(pulseaudio_t) userdom_manage_user_tmp_sockets(pulseaudio_t) +userdom_write_all_user_runtime_named_sockets(pulseaudio_t) tunable_policy(`pulseaudio_execmem',` allow pulseaudio_t self:process execmem; Index: refpolicy-2.20220925/policy/modules/services/ntp.te =================================================================== --- refpolicy-2.20220925.orig/policy/modules/services/ntp.te +++ refpolicy-2.20220925/policy/modules/services/ntp.te @@ -131,6 +131,7 @@ term_use_ptmx(ntpd_t) auth_use_nsswitch(ntpd_t) init_exec_script_files(ntpd_t) +init_get_generic_units_status(ntpd_t) logging_send_syslog_msg(ntpd_t)