Subject: Re: [PATCH] misc strict patches
From: Chris PeBenito
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Date: Mon, 10 Oct 2022 10:55:09 -0400
Message-ID: <5e1dd36f-0bbb-53dc-e199-13d51d3b1365@linux.microsoft.com>
List: selinux-refpolicy@vger.kernel.org

On 9/25/2022 09:57, Russell Coker wrote:
> Some misc patches to make things work in a "strict" configuration.
>
> Allow base user domains to read crypto and vm overcommit status.
>
> Allow pulseaudio to write all user_runtime_content_type named sockets.
>
> Allow sysadm_t to read/write netlink_generic_socket, read
> netlink_tcpdiag_socket, have audit_write capability, get scheduling data,
> get systemd unit status, talk to logind via dbus, and have direct USB access.
>
> Allow the xserver_role domains to accept a unix_stream_socket from xdm_t and
> map xkb_var_lib_t.
>
> Add extra access to the $1_dbusd_t domains.
>
> Allow the ssh agent to write to an inherited xsession log.
>
> Removed the domain systemd_analyze_t; all it's doing is talking to systemd
> and formatting the output it gets.
>
> Allow system_cronjob_t to read fs sysctls, and allow ntpd_t to get generic
> units status.
>
> I think this is ready to merge.
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20220925/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20220925/policy/modules/system/userdomain.if
> @@ -69,6 +69,8 @@ template(`userdom_base_user_template',` > dontaudit $1_t user_tty_device_t:chr_file ioctl; > > kernel_read_kernel_sysctls($1_t) > + kernel_read_crypto_sysctls($1_t) > + kernel_read_vm_overcommit_sysctl($1_t) > kernel_dontaudit_list_unlabeled($1_t) > kernel_dontaudit_getattr_unlabeled_files($1_t) > kernel_dontaudit_getattr_unlabeled_symlinks($1_t) > @@ -3664,6 +3666,25 @@ interface(`userdom_relabelfrom_user_runt > ') > > ######################################## > +## > +## write user runtime socket files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_write_all_user_runtime_named_sockets',` > + gen_require(` > + attribute user_runtime_content_type; > + ') > + > + allow $1 user_runtime_content_type:dir list_dir_perms; > + allow $1 user_runtime_content_type:sock_file write; > +') > + > +######################################## > ## > ## delete user runtime files > ## > Index: refpolicy-2.20220925/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20220925/policy/modules/roles/sysadm.te > @@ -33,11 +33,22 @@ ifndef(`enable_mls',` > # Local policy > # > > +allow sysadm_t self:netlink_generic_socket { create setopt bind write read }; > + > +# for ptrace > +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read }; Please use socket permission sets. > +allow sysadm_t self:capability audit_write; > +allow sysadm_t self:system status; > + > corecmd_exec_shell(sysadm_t) > > corenet_ib_access_unlabeled_pkeys(sysadm_t) > corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) > > +domain_getsched_all_domains(sysadm_t) > + > +dev_read_cpuid(sysadm_t) > dev_read_kmsg(sysadm_t) > dev_rw_ipmi_dev(sysadm_t) 
> > @@ -59,6 +70,9 @@ init_admin(sysadm_t) > userdom_manage_user_home_dirs(sysadm_t) > userdom_home_filetrans_user_home_dir(sysadm_t) > > +# for systemd-analyze > +files_get_etc_unit_status(sysadm_t) > + > ifdef(`direct_sysadm_daemon',` > optional_policy(` > init_run_daemon(sysadm_t, sysadm_r) > @@ -1049,6 +1063,10 @@ optional_policy(` > ') > > optional_policy(` > + systemd_dbus_chat_logind(sysadm_t) > +') Is this logind access for a privileged operation, or should this potentially be applied to other userdomains? > +optional_policy(` > tboot_run_txtstat(sysadm_t, sysadm_r) > ') > > @@ -1116,6 +1134,7 @@ optional_policy(` > ') > > optional_policy(` > + dev_rw_generic_usb_dev(sysadm_t) > usbmodules_run(sysadm_t, sysadm_r) > ') > > Index: refpolicy-2.20220925/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20220925/policy/modules/services/xserver.if > @@ -111,6 +111,7 @@ template(`xserver_restricted_role',` > xserver_xsession_entry_type($2) > xserver_dontaudit_write_log($2) > xserver_stream_connect_xdm($2) > + xserver_use_user_fonts($2) > # certain apps want to read xdm.pid file > xserver_read_xdm_runtime_files($2) > # gnome-session creates socket under /tmp/.ICE-unix/ > @@ -169,7 +170,7 @@ template(`xserver_role',` > gen_require(` > type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; > type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; > - type mesa_shader_cache_t; > + type mesa_shader_cache_t, xdm_t; > ') > > xserver_restricted_role($1, $2, $3, $4) > @@ -212,6 +213,8 @@ template(`xserver_role',` > > xserver_read_xkb_libs($2) > > + allow $2 xdm_t:unix_stream_socket accept; What process is accepting in the user domain? > optional_policy(` > systemd_user_app_status($1, xserver_t) > ') 
> @@ -1256,6 +1259,7 @@ interface(`xserver_read_xkb_libs',` > allow $1 xkb_var_lib_t:dir list_dir_perms; > read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > + allow $1 xkb_var_lib_t:file map; > ') > > ######################################## > Index: refpolicy-2.20220925/policy/modules/services/dbus.if > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/services/dbus.if > +++ refpolicy-2.20220925/policy/modules/services/dbus.if > @@ -85,6 +85,7 @@ template(`dbus_role_template',` > > allow $3 $1_dbusd_t:unix_stream_socket connectto; > allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; > + allow $1_dbusd_t $3:dbus send_msg; > allow $3 $1_dbusd_t:fd use; > > dontaudit $1_dbusd_t self:process getcap; > @@ -105,9 +106,13 @@ template(`dbus_role_template',` > > allow $1_dbusd_t $3:process sigkill; > > + allow $1_dbusd_t self:process getcap; > + > corecmd_bin_domtrans($1_dbusd_t, $3) > corecmd_shell_domtrans($1_dbusd_t, $3) > > + dev_read_sysfs($1_dbusd_t) > + > auth_use_nsswitch($1_dbusd_t) > > optional_policy(` > @@ -115,6 +120,15 @@ template(`dbus_role_template',` > systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t) > systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t) > ') > + > + optional_policy(` > + init_dbus_chat($1_dbusd_t) > + dbus_system_bus_client($1_dbusd_t) > + ') > + > + optional_policy(` > + xdg_read_data_files($1_dbusd_t) > + ') > ') > > ####################################### > Index: refpolicy-2.20220925/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20220925/policy/modules/services/ssh.if 
> @@ -470,6 +470,7 @@ template(`ssh_role_template',` > xserver_use_xdm_fds($1_ssh_agent_t) > xserver_rw_xdm_pipes($1_ssh_agent_t) > xserver_sigchld_xdm($1_ssh_agent_t) > + xserver_write_inherited_xsession_log($1_ssh_agent_t) > ') > ') > > Index: refpolicy-2.20220925/policy/modules/kernel/corecommands.te > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/kernel/corecommands.te > +++ refpolicy-2.20220925/policy/modules/kernel/corecommands.te > @@ -13,7 +13,7 @@ attribute exec_type; > # > # bin_t is the type of files in the system bin/sbin directories. > # > -type bin_t alias { ls_exec_t sbin_t }; > +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t }; > typealias bin_t alias { systemd_detect_virt_t systemd_run_exec_t }; > corecmd_executable_file(bin_t) > dev_associate(bin_t) #For /dev/MAKEDEV > Index: refpolicy-2.20220925/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20220925/policy/modules/system/systemd.te > @@ -64,10 +64,6 @@ type systemd_activate_t; > type systemd_activate_exec_t; > init_system_domain(systemd_activate_t, systemd_activate_exec_t) > > -type systemd_analyze_t; > -type systemd_analyze_exec_t; > -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) > - > type systemd_backlight_t; > type systemd_backlight_exec_t; > init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) 
> @@ -1695,6 +1691,7 @@ tunable_policy(`systemd_tmpfiles_manage_ > ') > > optional_policy(` > + dbus_manage_lib_files(systemd_tmpfiles_t) > dbus_read_lib_files(systemd_tmpfiles_t) > dbus_relabel_lib_dirs(systemd_tmpfiles_t) > ') > Index: refpolicy-2.20220925/policy/modules/services/cron.te > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/services/cron.te > +++ refpolicy-2.20220925/policy/modules/services/cron.te > @@ -483,6 +483,7 @@ allow system_cronjob_t crond_tmp_t:file > kernel_getattr_core_if(system_cronjob_t) > kernel_getattr_message_if(system_cronjob_t) > > +kernel_read_fs_sysctls(system_cronjob_t) > kernel_read_irq_sysctls(system_cronjob_t) > kernel_read_kernel_sysctls(system_cronjob_t) > kernel_read_network_state(system_cronjob_t) > Index: refpolicy-2.20220925/policy/modules/apps/pulseaudio.te > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/apps/pulseaudio.te > +++ refpolicy-2.20220925/policy/modules/apps/pulseaudio.te > @@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau > userdom_manage_user_tmp_dirs(pulseaudio_t) > userdom_manage_user_tmp_files(pulseaudio_t) > userdom_manage_user_tmp_sockets(pulseaudio_t) > +userdom_write_all_user_runtime_named_sockets(pulseaudio_t) This seems overspecified. Why is this access beyond only user_runtime_t? > tunable_policy(`pulseaudio_execmem',` > allow pulseaudio_t self:process execmem; > Index: refpolicy-2.20220925/policy/modules/services/ntp.te > =================================================================== > --- refpolicy-2.20220925.orig/policy/modules/services/ntp.te > +++ refpolicy-2.20220925/policy/modules/services/ntp.te > @@ -131,6 +131,7 @@ term_use_ptmx(ntpd_t) > auth_use_nsswitch(ntpd_t) > > init_exec_script_files(ntpd_t) > +init_get_generic_units_status(ntpd_t) > > logging_send_syslog_msg(ntpd_t) > > -- Chris PeBenito
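Review bot: The doc summary "write user runtime socket files" on the new userdom_write_all_user_runtime_named_sockets interface in the userdomain.if hunk understates what it grants: `allow $1 user_runtime_content_type:dir list_dir_perms;` gives directory listing on every user runtime content directory, not just the socket write, and the sock_file rule is a bare `write` with no getattr. Consider write_sock_files_pattern($1, user_runtime_content_type, user_runtime_content_type), which uses the standard perm sets and only searches the directory, and make the summary say the access applies to all user_runtime_content_type so callers see the attribute-wide scope.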
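Review bot: The `# for ptrace` comment above the netlink_tcpdiag_socket rule in the first sysadm.te hunk does not name the program that opens a sock_diag socket, and `allow sysadm_t self:capability audit_write;`, `allow sysadm_t self:system status;` and `dev_read_cpuid(sysadm_t)` have no comment at all (cpuid is also absent from the commit message). Beyond the permission-set point already raised, please add a one-line comment per rule naming the tool that produced the denial, so a later reader can tell whether the access is still required.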
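Review bot: dev_rw_generic_usb_dev(sysadm_t) in the last sysadm.te hunk is placed inside the optional_policy block for usbmodules_run, so the "direct USB access" from the commit message only exists when the usbmodules module is loaded. dev is a base kernel-layer module and does not need optional_policy; move the call up next to dev_read_kmsg(sysadm_t) and dev_rw_ipmi_dev(sysadm_t), unless the access really is only for usbmodules, in which case say so in a comment.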
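Review bot: xserver_use_user_fonts($2) in the xserver_restricted_role hunk is not mentioned in the commit message, and xserver_role, which calls xserver_restricted_role, already requires user_fonts_t, user_fonts_cache_t and user_fonts_config_t in its gen_require, which suggests it grants font access with direct rules. Either drop the new call or, if the restricted role needs fonts on its own, add a line to the commit message and check that the direct rules in xserver_role do not now duplicate it.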
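Review bot: `allow $2 xdm_t:unix_stream_socket accept;` in the xserver_role hunk is a raw allow dropped into the template, with `xdm_t` added to the gen_require only to support it. Besides the open question of which process is accepting, this belongs in an xserver_ interface alongside the existing xserver_stream_connect_xdm, with a comment naming that process, so the template's gen_require can stay as it was.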
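Review bot: Rather than appending `allow $1 xkb_var_lib_t:file map;` after the pattern calls in the xserver_read_xkb_libs hunk, change the existing read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) to mmap_read_files_pattern, which is the refpolicy idiom for read plus map and keeps the interface on pattern macros instead of mixing them with raw allows.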
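Review bot: `allow $1_dbusd_t self:process getcap;` in the second dbus.if hunk is added while the context line `dontaudit $1_dbusd_t self:process getcap;` from the first hunk is left in place; that dontaudit is now dead and should be removed in the same patch. dev_read_sysfs($1_dbusd_t) in the same hunk also carries no comment saying what the user session bus reads from sysfs.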
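Review bot: The optional_policy block wrapping init_dbus_chat($1_dbusd_t) and dbus_system_bus_client($1_dbusd_t) in the third dbus.if hunk is unnecessary: dbus_system_bus_client is this module's own interface and init is a base module, so neither can be absent. Make them unconditional calls, or, if they are really meant for the systemd user-daemon case, fold them into the existing optional_policy block just above that already calls systemd_user_daemon_domain.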
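Review bot: systemd_analyze_exec_t is appended to `type bin_t alias { ls_exec_t sbin_t ... };` in the corecommands.te hunk, while the line directly below it, `typealias bin_t alias { systemd_detect_virt_t systemd_run_exec_t };`, is where the previously collapsed systemd types already live. Put the new alias there so the historical aliases stay in one place.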
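Review bot: Only the three declaration lines for systemd_analyze_t and systemd_analyze_exec_t are removed in the first systemd.te hunk. Any remaining rules for systemd_analyze_t further down in systemd.te, interfaces in systemd.if that reference it, and optional_policy blocks in other modules that call them are not in this diff; if any exist the policy will no longer build. Please confirm with a grep for systemd_analyze_t across policy/ that nothing else references the removed types, or add those removals to the patch.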
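Review bot: dbus_manage_lib_files(systemd_tmpfiles_t) in the systemd_tmpfiles_t hunk is added directly above dbus_read_lib_files(systemd_tmpfiles_t); manage subsumes read, so drop the read call. This change is also absent from the commit message; a sentence on which tmpfiles.d entry needs to create or remove dbus lib files would help justify the step up from read to manage.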