Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp846005rwi;
        Mon, 10 Oct 2022 07:59:07 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM7HtNcMrRE0YTcEdFuiAktI6WKnQo/EkjscoxUd6zvtCAwS6f5RlExagxcaegg6Gj0N2S7S
X-Received: by 2002:a05:6402:1394:b0:456:97cd:e9d4 with SMTP id b20-20020a056402139400b0045697cde9d4mr18844879edv.174.1665413947586;
        Mon, 10 Oct 2022 07:59:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1665413947; cv=none;
        d=google.com; s=arc-20160816;
        b=hLmLL83fwMpm9wbtPTEuo68Wu7Tk+nIORhDLo0i3LkM4L6sinzYQkjNu2e+2+7Jiw1
         ecZiIBV38QH75W9J4WXx4FcqWQhE6uVmkBQdR3IT65wR992rMwafwmpQPktARobqoneM
         xXLqZx1P3sNq7ry3QU2Mj6kagRW0M8SBfgj4Bv/yQhv28ICpdHaOC+82FG8o48R5XOX4
         Ec8T9amDs/sqCOOhy0HNM1NO29/qXCS7Imj9Ib6OHEasOvbtiOLpnnAObfEOAOXTSpm8
         9oQ92tzbGAk9T23PeJwGrqSmbhnk+gg143ueiTrMUJXpsnzrfjK94nKbz72MJBxoWKG3
         12Vg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:to:content-language:subject:user-agent:mime-version:date
         :message-id:dkim-signature:dkim-filter;
        bh=EqUHo23k4LlayjkLhv7qeFuU/G/pe+y3LX/Z36w7MRQ=;
        b=A50xaWrk0ov9qN87khYB3AWoXH6Z/MMKI72FLlHPrWwdASSu/rZltdvdEfp6/96avM
         1k8ws4qUEf6n/4K3m83RsuC2T+GIWGEsctHlAdQAFxs/WAtC650YhR4NB05nW6y/tn+H
         +UxOIxToj5Qx68L1uMTnTAULFQ7BF7tBe7qJUSAc2ViD+LWlfk53PbW3L9EvUTbrALys
         AENqacRfJeHiJJPwlGntX7kmyUUWxFpo13uLGy2M0lMVShlygDMOKVazu59qg81eKhvC
         c+0fBTr+ptyMOEZ6AIllp2FYgdWvBpPP5ZTI27SxLtJvYvdZDVztZFpeB4QMb3N84rKa
         D2yQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux.microsoft.com header.s=default header.b=OWqFtQkq;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id r5-20020aa7c145000000b00458b87a0919si9505778edp.114.2022.10.10.07.58.59;
        Mon, 10 Oct 2022 07:59:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.microsoft.com header.s=default header.b=OWqFtQkq;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230003AbiJJOzv (ORCPT <rfc822;axel6043@gmail.com> + 21 others);
        Mon, 10 Oct 2022 10:55:51 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35832 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230007AbiJJOzj (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 10 Oct 2022 10:55:39 -0400
Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 8479B1FCCF
        for <selinux-refpolicy@vger.kernel.org>; Mon, 10 Oct 2022 07:55:11 -0700 (PDT)
Received: from [192.168.254.22] (unknown [68.33.139.110])
        by linux.microsoft.com (Postfix) with ESMTPSA id 5780620EC32C;
        Mon, 10 Oct 2022 07:55:10 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 5780620EC32C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
        s=default; t=1665413710;
        bh=EqUHo23k4LlayjkLhv7qeFuU/G/pe+y3LX/Z36w7MRQ=;
        h=Date:Subject:To:References:From:In-Reply-To:From;
        b=OWqFtQkqYmO2vcRZKmh/tzBGYadGQJs5H+1MTG/mwn3e1qNG/8qN8Npvq0g6J8cS2
         rXQ5O3Ga/MV6pjDVQB42IbZnTti5rUbqH7CYtMRURMhtRQW9iUB0yHUfVwYaoF5ML4
         zRptvkfGX+K0blD3PLrmx2p1Mxu6qJGkT0n/OEIY=
Message-ID: <5e1dd36f-0bbb-53dc-e199-13d51d3b1365@linux.microsoft.com>
Date:   Mon, 10 Oct 2022 10:55:09 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.10.0
Subject: Re: [PATCH] misc strict patches
Content-Language: en-US
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <YzBeMFKezm6Zg6XE@xev.coker.com.au>
From:   Chris PeBenito <chpebeni@linux.microsoft.com>
In-Reply-To: <YzBeMFKezm6Zg6XE@xev.coker.com.au>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-21.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,NICE_REPLY_A,
        RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS,USER_IN_DEF_DKIM_WL,
        USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 9/25/2022 09:57, Russell Coker wrote:
> Some misc patches to make things work in a "strict" configuration.
> 
> Allow base user domains to read crypto and vm overcommit status.
> 
> Allow pulseaudio to write all user_runtime_content_type named sockets.
> 
> Allow sysadm_t to read/write netlink_generic_socket, read
> netlink_tcpdiag_socket, have audit_write capability, get schedulint data,
> get systemd unit status, talk to logind via dbus, and have direct USB access.
> 
> Allow the xserver_role domains to accept a unix_stream_socket from xdm_t and
> map xkb_var_lib_t.
> 
> Add extra access to the $1_dbusd_t domains.
> 
> Allow the ssh agent to write to an inherited xsession log.
> 
> Removed the domain systemd_analyze_t, all it's doing is talking to systemd
> and formatting the output it gets.
> 
> Allow system_cronjob_t to read fs sysctls, and allow ntpd_t to get generic
> units status.
> 
> I think this is ready to merge.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20220925/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20220925/policy/modules/system/userdomain.if
> @@ -69,6 +69,8 @@ template(`userdom_base_user_template',`
>   	dontaudit $1_t user_tty_device_t:chr_file ioctl;
>   
>   	kernel_read_kernel_sysctls($1_t)
> +	kernel_read_crypto_sysctls($1_t)
> +	kernel_read_vm_overcommit_sysctl($1_t)
>   	kernel_dontaudit_list_unlabeled($1_t)
>   	kernel_dontaudit_getattr_unlabeled_files($1_t)
>   	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
> @@ -3664,6 +3666,25 @@ interface(`userdom_relabelfrom_user_runt
>   ')
>   
>   ########################################
> +## <summary>
> +##     write user runtime socket files
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`userdom_write_all_user_runtime_named_sockets',`
> +	gen_require(`
> +		attribute user_runtime_content_type;
> +	')
> +
> +	allow $1 user_runtime_content_type:dir list_dir_perms;
> +	allow $1 user_runtime_content_type:sock_file write;
> +')
> +
> +########################################
>   ## <summary>
>   ##	delete user runtime files
>   ## </summary>
> Index: refpolicy-2.20220925/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20220925/policy/modules/roles/sysadm.te
> @@ -33,11 +33,22 @@ ifndef(`enable_mls',`
>   # Local policy
>   #
>   
> +allow sysadm_t self:netlink_generic_socket { create setopt bind write read };
> +
> +# for ptrace
> +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read };

Please use socket permission sets.


> +allow sysadm_t self:capability audit_write;
> +allow sysadm_t self:system status;
> +
>   corecmd_exec_shell(sysadm_t)
>   
>   corenet_ib_access_unlabeled_pkeys(sysadm_t)
>   corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
>   
> +domain_getsched_all_domains(sysadm_t)
> +
> +dev_read_cpuid(sysadm_t)
>   dev_read_kmsg(sysadm_t)
>   dev_rw_ipmi_dev(sysadm_t)
>   
> @@ -59,6 +70,9 @@ init_admin(sysadm_t)
>   userdom_manage_user_home_dirs(sysadm_t)
>   userdom_home_filetrans_user_home_dir(sysadm_t)
>   
> +# for systemd-analyze
> +files_get_etc_unit_status(sysadm_t)
> +
>   ifdef(`direct_sysadm_daemon',`
>   	optional_policy(`
>   		init_run_daemon(sysadm_t, sysadm_r)
> @@ -1049,6 +1063,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	systemd_dbus_chat_logind(sysadm_t)
> +')

Is this logind access for a privileged operation, or should this 
potentially be applied to other userdomains?


> +optional_policy(`
>   	tboot_run_txtstat(sysadm_t, sysadm_r)
>   ')
>   
> @@ -1116,6 +1134,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	dev_rw_generic_usb_dev(sysadm_t)
>   	usbmodules_run(sysadm_t, sysadm_r)
>   ')
>   
> Index: refpolicy-2.20220925/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20220925/policy/modules/services/xserver.if
> @@ -111,6 +111,7 @@ template(`xserver_restricted_role',`
>   	xserver_xsession_entry_type($2)
>   	xserver_dontaudit_write_log($2)
>   	xserver_stream_connect_xdm($2)
> +	xserver_use_user_fonts($2)
>   	# certain apps want to read xdm.pid file
>   	xserver_read_xdm_runtime_files($2)
>   	# gnome-session creates socket under /tmp/.ICE-unix/
> @@ -169,7 +170,7 @@ template(`xserver_role',`
>   	gen_require(`
>   		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
>   		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
> -		type mesa_shader_cache_t;
> +		type mesa_shader_cache_t, xdm_t;
>   	')
>   
>   	xserver_restricted_role($1, $2, $3, $4)
> @@ -212,6 +213,8 @@ template(`xserver_role',`
>   
>   	xserver_read_xkb_libs($2)
>   
> +	allow $2 xdm_t:unix_stream_socket accept;

What process is accepting in the user domain?


>   	optional_policy(`
>   		systemd_user_app_status($1, xserver_t)
>   	')
> @@ -1256,6 +1259,7 @@ interface(`xserver_read_xkb_libs',`
>   	allow $1 xkb_var_lib_t:dir list_dir_perms;
>   	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
>   	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
> +	allow $1 xkb_var_lib_t:file map;
>   ')
>   
>   ########################################
> Index: refpolicy-2.20220925/policy/modules/services/dbus.if
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/services/dbus.if
> +++ refpolicy-2.20220925/policy/modules/services/dbus.if
> @@ -85,6 +85,7 @@ template(`dbus_role_template',`
>   
>   	allow $3 $1_dbusd_t:unix_stream_socket connectto;
>   	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
> +	allow $1_dbusd_t $3:dbus send_msg;
>   	allow $3 $1_dbusd_t:fd use;
>   
>   	dontaudit $1_dbusd_t self:process getcap;
> @@ -105,9 +106,13 @@ template(`dbus_role_template',`
>   
>   	allow $1_dbusd_t $3:process sigkill;
>   
> +	allow $1_dbusd_t self:process getcap;
> +
>   	corecmd_bin_domtrans($1_dbusd_t, $3)
>   	corecmd_shell_domtrans($1_dbusd_t, $3)
>   
> +	dev_read_sysfs($1_dbusd_t)
> +
>   	auth_use_nsswitch($1_dbusd_t)
>   
>   	optional_policy(`
> @@ -115,6 +120,15 @@ template(`dbus_role_template',`
>   		systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
>   		systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
>   	')
> +
> +	optional_policy(`
> +		init_dbus_chat($1_dbusd_t)
> +		dbus_system_bus_client($1_dbusd_t)
> +	')
> +
> +	optional_policy(`
> +		xdg_read_data_files($1_dbusd_t)
> +	')
>   ')
>   
>   #######################################
> Index: refpolicy-2.20220925/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20220925/policy/modules/services/ssh.if
> @@ -470,6 +470,7 @@ template(`ssh_role_template',`
>   		xserver_use_xdm_fds($1_ssh_agent_t)
>   		xserver_rw_xdm_pipes($1_ssh_agent_t)
>   		xserver_sigchld_xdm($1_ssh_agent_t)
> +		xserver_write_inherited_xsession_log($1_ssh_agent_t)
>   	')
>   ')
>   
> Index: refpolicy-2.20220925/policy/modules/kernel/corecommands.te
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/kernel/corecommands.te
> +++ refpolicy-2.20220925/policy/modules/kernel/corecommands.te
> @@ -13,7 +13,7 @@ attribute exec_type;
>   #
>   # bin_t is the type of files in the system bin/sbin directories.
>   #
> -type bin_t alias { ls_exec_t sbin_t };
> +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
>   typealias bin_t alias { systemd_detect_virt_t systemd_run_exec_t };
>   corecmd_executable_file(bin_t)
>   dev_associate(bin_t)	#For /dev/MAKEDEV
> Index: refpolicy-2.20220925/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20220925/policy/modules/system/systemd.te
> @@ -64,10 +64,6 @@ type systemd_activate_t;
>   type systemd_activate_exec_t;
>   init_system_domain(systemd_activate_t, systemd_activate_exec_t)
>   
> -type systemd_analyze_t;
> -type systemd_analyze_exec_t;
> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
> -
>   type systemd_backlight_t;
>   type systemd_backlight_exec_t;
>   init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
> @@ -1695,6 +1691,7 @@ tunable_policy(`systemd_tmpfiles_manage_
>   ')
>   
>   optional_policy(`
> +	dbus_manage_lib_files(systemd_tmpfiles_t)
>   	dbus_read_lib_files(systemd_tmpfiles_t)
>   	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
>   ')
> Index: refpolicy-2.20220925/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20220925/policy/modules/services/cron.te
> @@ -483,6 +483,7 @@ allow system_cronjob_t crond_tmp_t:file
>   kernel_getattr_core_if(system_cronjob_t)
>   kernel_getattr_message_if(system_cronjob_t)
>   
> +kernel_read_fs_sysctls(system_cronjob_t)
>   kernel_read_irq_sysctls(system_cronjob_t)
>   kernel_read_kernel_sysctls(system_cronjob_t)
>   kernel_read_network_state(system_cronjob_t)
> Index: refpolicy-2.20220925/policy/modules/apps/pulseaudio.te
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/apps/pulseaudio.te
> +++ refpolicy-2.20220925/policy/modules/apps/pulseaudio.te
> @@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau
>   userdom_manage_user_tmp_dirs(pulseaudio_t)
>   userdom_manage_user_tmp_files(pulseaudio_t)
>   userdom_manage_user_tmp_sockets(pulseaudio_t)
> +userdom_write_all_user_runtime_named_sockets(pulseaudio_t)

This seems overspecified. Why is this access beyond only user_runtime_t?


>   tunable_policy(`pulseaudio_execmem',`
>   	allow pulseaudio_t self:process execmem;
> Index: refpolicy-2.20220925/policy/modules/services/ntp.te
> ===================================================================
> --- refpolicy-2.20220925.orig/policy/modules/services/ntp.te
> +++ refpolicy-2.20220925/policy/modules/services/ntp.te
> @@ -131,6 +131,7 @@ term_use_ptmx(ntpd_t)
>   auth_use_nsswitch(ntpd_t)
>   
>   init_exec_script_files(ntpd_t)
> +init_get_generic_units_status(ntpd_t)
>   
>   logging_send_syslog_msg(ntpd_t)
>   
> 


-- 
Chris PeBenito