2019-04-04 12:29:18

by Sugar, David

Subject: [PATCH] Add interface xdm_run_domain

This interface is needed when using the various script options in
lightdm (others?) configuration file. I'm using it with 'display-setup-script'
and 'greeter-setup-script', but I suspect the same would be useful for
'display-stopped-script', 'session-cleanup-script' and others. In these
cases lightdm will be executing a configured script to perform some action
during the specified phase of the greeter/session. But without this interface
there is no way to transition into a new domain to execute the action.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/xserver.if | 31 ++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 854f3b90..2faef71d 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -734,6 +734,37 @@ interface(`xserver_relabel_console_pipes',`
allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
')

+########################################
+## <summary>
+## Allow display manager to execute the specified program in
+## the specified domain.
+## </summary>
+## <desc>
+## <p>
+## This is a interface to support the lightdm *-setup-script
+## options. This will allow the command run by lightdm to
+## be run in a domain other than xdm_t.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`xdm_run_domain',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ domtrans_pattern(xdm_t,$2,$1)
+')
+
########################################
## <summary>
## Use file descriptors for xdm.
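Review bot: the new interface is named xdm_run_domain but lives in xserver.if, where the surrounding interfaces (xserver_relabel_console_pipes in the hunk header, the "Use file descriptors for xdm" interface that follows it) carry the xserver_ prefix; an xserver_-prefixed name would keep the module's naming consistent. Two smaller points in the same hunk: the <desc> text reads "This is a interface" (should be "an interface"), and `domtrans_pattern(xdm_t,$2,$1)` should space its arguments as `domtrans_pattern(xdm_t, $2, $1)` as the rest of refpolicy does. The <desc> should also state what the caller takes on: any module calling this makes xdm_t transition into the caller's own domain, so the set of domains the display manager can enter is no longer visible from the xserver module, and the caller must still make sure the target domain is authorized for the role xdm_t runs in, since domtrans_pattern grants the type transition and exec access but no role access.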
--
2.20.1


2019-04-04 12:29:19

by Sugar, David

Subject: [PATCH] Resolve some denials related to sending journal messages

type=AVC msg=audit(1554324562.840:159): avc: denied { sendto } for pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_backlight_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1554324271.863:245): avc: denied { sendto } for pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sessions_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1554324635.844:313): avc: denied { sendto } for pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/lvm.te | 1 +
policy/modules/system/systemd.te | 4 ++++
2 files changed, 5 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index ec3b4a18..aea199d4 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t)

+kernel_dgram_send(lvm_t)
kernel_request_load_module(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
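Review bot: the denial this line answers comes from comm="systemd-cryptse" sending to /run/systemd/journal/socket, i.e. journal logging, not a general need to send datagrams to the kernel domain; a per-domain kernel_dgram_send(lvm_t) fixes the symptom, but every other domain that logs through the journal will need the same line, which is the consolidation into logging_send_syslog_msg() raised in the replies. If the line stays, a comment naming the socket (as the systemd.te hunks do for their neighbouring rules) would tell the next reader why lvm_t needs it.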
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f6455f6f..541117a9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
# for udev.conf
files_read_etc_files(systemd_backlight_t)

+kernel_dgram_send(systemd_backlight_t)
+
# for /run/udev/data/+backlight*
udev_read_pid_files(systemd_backlight_t)
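Review bot: the neighbouring rules in this hunk each carry a "# for ..." comment ("# for udev.conf", "# for /run/udev/data/+backlight*") but the added kernel_dgram_send(systemd_backlight_t) has none; add "# for /run/systemd/journal/socket" so the purpose is recorded. Note also that the matching denial was logged with permissive=1, which only records that the access was allowed and audited in a permissive domain; it does not show that systemd-backlight fails without it, so it is worth confirming the failure in enforcing mode before widening the domain.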

@@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)

+kernel_dgram_send(systemd_sessions_t)
+
selinux_get_enforce_mode(systemd_sessions_t)
selinux_get_fs_mount(systemd_sessions_t)
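Review bot: this is the one denial of the three recorded with permissive=0, i.e. an enforcing-mode failure of systemd-user-sessions (comm="systemd-user-se"), so it is the most urgent fix in the series and the commit message could say so. As with the other hunks, the target is /run/systemd/journal/socket, so logging_send_syslog_msg(), or a systemd interface that already implies it (the replies name systemd_log_parse_environment()), is the purpose-specific fit rather than a bare kernel_dgram_send() that has to be repeated per domain.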

--
2.20.1

2019-04-08 00:53:03

by Chris PeBenito

Subject: Re: [PATCH] Resolve some denials related to sending journal messages

On 4/4/19 8:29 AM, Sugar, David wrote:
> type=AVC msg=audit(1554324562.840:159): avc: denied { sendto } for pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_backlight_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
> type=AVC msg=audit(1554324271.863:245): avc: denied { sendto } for pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sessions_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
> type=AVC msg=audit(1554324635.844:313): avc: denied { sendto } for pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

I think we've reached the limit of the explicit kernel_dgram_send() and
it's time to reevaluate putting this in logging_send_syslog_msg().


> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/lvm.te | 1 +
> policy/modules/system/systemd.te | 4 ++++
> 2 files changed, 5 insertions(+)
>
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index ec3b4a18..aea199d4 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
> files_etc_filetrans(lvm_t, lvm_metadata_t, file)
> files_search_mnt(lvm_t)
>
> +kernel_dgram_send(lvm_t)
> kernel_request_load_module(lvm_t)
> kernel_get_sysvipc_info(lvm_t)
> kernel_read_system_state(lvm_t)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index f6455f6f..541117a9 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
> # for udev.conf
> files_read_etc_files(systemd_backlight_t)
>
> +kernel_dgram_send(systemd_backlight_t)
> +
> # for /run/udev/data/+backlight*
> udev_read_pid_files(systemd_backlight_t)
>
> @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
> allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> +kernel_dgram_send(systemd_sessions_t)
> +
> selinux_get_enforce_mode(systemd_sessions_t)
> selinux_get_fs_mount(systemd_sessions_t)
>
>


--
Chris PeBenito
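Chris's argument rests on the three denials sharing one target (kernel_t, unix_dgram_socket, sendto on the journal socket) while differing only in source domain. The triage below is an added example, not code from the thread or from refpolicy: it parses the three AVC records as quoted in the patch (constructed copies), groups them by what was accessed, flags the one that was denied while enforcing, and maps the group to one of the two interfaces named in the thread using an assumed heuristic (journal-socket sends are logging; other dgram sends to kernel_t keep the explicit interface).

```python
import re
from collections import defaultdict

# Constructed copies of the three AVC records quoted in the patch description.
AVC_LINES = [
    'type=AVC msg=audit(1554324562.840:159): avc: denied { sendto } for pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_backlight_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1554324271.863:245): avc: denied { sendto } for pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sessions_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0',
    'type=AVC msg=audit(1554324635.844:313): avc: denied { sendto } for pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1',
]

# scontext/tcontext are user:role:type[:range]; only the type field is kept.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=[^:\s]+:[^:\s]+:(?P<stype>\w+)\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+)\S*\s+'
    r'tclass=(?P<tclass>\w+)(?:\s+permissive=(?P<permissive>[01]))?'
)
PATH_RE = re.compile(r'\bpath="([^"]*)"')

def parse_avc(line):
    """Return the fields that decide which policy rule a denial needs, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    p = PATH_RE.search(line)
    perm = m.group("permissive")
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "stype": m.group("stype"), "ttype": m.group("ttype"),
        "tclass": m.group("tclass"), "path": p.group(1) if p else None,
        "enforcing": None if perm is None else perm == "0",  # None: no permissive= field
    }

def group_by_access(lines):
    """Group denials by target type/class/perms/path, collecting the source
    domains that hit each and whether any was denied while enforcing."""
    groups = defaultdict(lambda: {"sources": set(), "blocked_in_enforcing": False})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["ttype"], d["tclass"], d["perms"], d["path"])]
        g["sources"].add(d["stype"])
        if d["enforcing"]:
            g["blocked_in_enforcing"] = True
    return dict(groups)

def suggest_interface(key):
    """Map an access group to one of the two refpolicy interfaces named in the
    thread. Assumed heuristic: a send to the journal socket is logging and
    belongs under logging_send_syslog_msg(); other dgram sends to kernel_t
    keep the explicit kernel_dgram_send()."""
    ttype, tclass, perms, path = key
    if ttype == "kernel_t" and tclass == "unix_dgram_socket" and perms == ("sendto",):
        return "logging_send_syslog_msg()" if path == "/run/systemd/journal/socket" else "kernel_dgram_send()"
    return None

if __name__ == "__main__":
    for key, g in group_by_access(AVC_LINES).items():
        print(key, sorted(g["sources"]), g["blocked_in_enforcing"], suggest_interface(key))
```

Run against the three records it yields a single group with three source domains, marked as blocked in enforcing mode because of the systemd_sessions_t record.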

2019-04-08 00:53:05

by Chris PeBenito

Subject: Re: [PATCH] Add interface xdm_run_domain

On 4/4/19 8:29 AM, Sugar, David wrote:
> This interface is needed when using the various script options in
> lightdm (others?) configuration file. I'm using it with 'display-setup-script'
> and 'greeter-setup-script', but I suspect the same would be useful for
> 'display-stopped-script', 'session-cleanup-script' and others. In these
> cases lightdm will be executing a configured script to perform some action
> during the specified phase of the greeter/session. But without this interface
> there is no way to transition into a new domain to execute the action.

I'm reluctant to add this "reversed" interface. In other cases, the
domain (init, cron, inetd, etc.) is legitimately transitioning to many
domains. I don't see that here.



> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/xserver.if | 31 ++++++++++++++++++++++++++++++
> 1 file changed, 31 insertions(+)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index 854f3b90..2faef71d 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -734,6 +734,37 @@ interface(`xserver_relabel_console_pipes',`
> allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
> ')
>
> +########################################
> +## <summary>
> +## Allow display manager to execute the specified program in
> +## the specified domain.
> +## </summary>
> +## <desc>
> +## <p>
> +## This is a interface to support the lightdm *-setup-script
> +## options. This will allow the command run by lightdm to
> +## be run in a domain other than xdm_t.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain to execute in.
> +## </summary>
> +## </param>
> +## <param name="entry_file">
> +## <summary>
> +## Domain entry point file.
> +## </summary>
> +## </param>
> +#
> +interface(`xdm_run_domain',`
> + gen_require(`
> + type xdm_t;
> + ')
> +
> + domtrans_pattern(xdm_t,$2,$1)
> +')
> +
> ########################################
> ## <summary>
> ## Use file descriptors for xdm.
>


--
Chris PeBenito

2019-04-08 13:33:48

by Sugar, David

Subject: Re: [PATCH] Resolve some denials related to sending journal messages


On 4/7/19 8:52 PM, Chris PeBenito wrote:
> On 4/4/19 8:29 AM, Sugar, David wrote:
>> type=AVC msg=audit(1554324562.840:159): avc: denied { sendto } for
>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket"
>> scontext=system_u:system_r:systemd_backlight_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=1
>> type=AVC msg=audit(1554324271.863:245): avc: denied { sendto } for
>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket"
>> scontext=system_u:system_r:systemd_sessions_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=0
>> type=AVC msg=audit(1554324635.844:313): avc: denied { sendto } for
>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket"
>> scontext=system_u:system_r:lvm_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=1
>
> I think we've reached the limit of the explicit kernel_dgram_send()
> and it's time to reevaluate putting this in logging_send_syslog_msg().
>
That makes sense. I will submit a patch after I test a bit. But it
looks like everywhere (except the systemd module) that uses
kernel_dgram_send() already has logging_send_syslog_msg(), so once
kernel_dgram_send() is added to logging_send_syslog_msg(),
kernel_dgram_send() can be removed from those domains.

The exceptions are:

1) In the systemd module there isn't much use of
logging_send_syslog_msg(). For this case I will add
logging_send_syslog_msg() as required.

2) The interface init_daemon_domain() uses kernel_dgram_send()
directly; there it probably doesn't need to use
logging_send_syslog_msg(). This may be able to go away as modules might
already use logging now; I will try removing it and see what breaks.

>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/system/lvm.te     | 1 +
>> policy/modules/system/systemd.te | 4 ++++
>> 2 files changed, 5 insertions(+)
>>
>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>> index ec3b4a18..aea199d4 100644
>> --- a/policy/modules/system/lvm.te
>> +++ b/policy/modules/system/lvm.te
>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t,
>> lvm_metadata_t, file)
>> ? files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>> ? files_search_mnt(lvm_t)
>> ? +kernel_dgram_send(lvm_t)
>> ? kernel_request_load_module(lvm_t)
>> ? kernel_get_sysvipc_info(lvm_t)
>> ? kernel_read_system_state(lvm_t)
>> diff --git a/policy/modules/system/systemd.te
>> b/policy/modules/system/systemd.te
>> index f6455f6f..541117a9 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>> ? # for udev.conf
>> ? files_read_etc_files(systemd_backlight_t)
>> ? +kernel_dgram_send(systemd_backlight_t)
>> +
>> ? # for /run/udev/data/+backlight*
>> ? udev_read_pid_files(systemd_backlight_t)
>> ? @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>> ? allow systemd_sessions_t systemd_sessions_var_run_t:file
>> manage_file_perms;
>> ? files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t,
>> file)
>> ? +kernel_dgram_send(systemd_sessions_t)
>> +
>> ? selinux_get_enforce_mode(systemd_sessions_t)
>> ? selinux_get_fs_mount(systemd_sessions_t)
>>
>
>

2019-04-08 13:41:58

by Dominick Grift

Subject: Re: [PATCH] Resolve some denials related to sending journal messages

"Sugar, David" <[email protected]> writes:


> On 4/7/19 8:52 PM, Chris PeBenito wrote:
>> On 4/4/19 8:29 AM, Sugar, David wrote:
>>> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for 
>>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket"
>>> scontext=system_u:system_r:systemd_backlight_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=1
>>> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for 
>>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket"
>>> scontext=system_u:system_r:systemd_sessions_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=0
>>> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for 
>>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket"
>>> scontext=system_u:system_r:lvm_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=1
>>
>> I think we've reached the limit of the explicit kernel_dgram_send()
>> and it's time to reevaluate putting this in logging_send_syslog_msg().
>>
> That makes sense.  I will submit a patch after I test a bit.  But it
> looks like everywhere (except the systemd module) that uses
> kernel_dgram_send() already has logging_send_syslog_msg() so once
> kernel_dgram_send() is added to logging_send_syslog_msg(),
> kernel_dgram_send() can be removed from those domains.
>
> The exceptions are:
>
> 1) In the systemd module there isn't much use of
> logging_send_syslog_msg().  For this case I will add
> logging_send_syslog_msg() as required.

see:

https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/systemd.te#L410

So "systemd_log_parse_environment()" implies "logging_send_syslog_msg()"

>
> 2) In the interface init_daemon_domain(), it uses kernel_dgram_send()
> directly, there it probably doesn't need to use
> logging_send_syslog_msg(). This may be able to go away as modules might
> already use logging now, I will try removing and see what breaks.
>
>>
>>> Signed-off-by: Dave Sugar <[email protected]>
>>> ---
>>>   policy/modules/system/lvm.te     | 1 +
>>>   policy/modules/system/systemd.te | 4 ++++
>>>   2 files changed, 5 insertions(+)
>>>
>>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>>> index ec3b4a18..aea199d4 100644
>>> --- a/policy/modules/system/lvm.te
>>> +++ b/policy/modules/system/lvm.te
>>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t,
>>> lvm_metadata_t, file)
>>>   files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>>   files_search_mnt(lvm_t)
>>>   +kernel_dgram_send(lvm_t)
>>>   kernel_request_load_module(lvm_t)
>>>   kernel_get_sysvipc_info(lvm_t)
>>>   kernel_read_system_state(lvm_t)
>>> diff --git a/policy/modules/system/systemd.te
>>> b/policy/modules/system/systemd.te
>>> index f6455f6f..541117a9 100644
>>> --- a/policy/modules/system/systemd.te
>>> +++ b/policy/modules/system/systemd.te
>>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>>   # for udev.conf
>>>   files_read_etc_files(systemd_backlight_t)
>>>   +kernel_dgram_send(systemd_backlight_t)
>>> +
>>>   # for /run/udev/data/+backlight*
>>>   udev_read_pid_files(systemd_backlight_t)
>>>   @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>>   allow systemd_sessions_t systemd_sessions_var_run_t:file
>>> manage_file_perms;
>>>   files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t,
>>> file)
>>>   +kernel_dgram_send(systemd_sessions_t)
>>> +
>>>   selinux_get_enforce_mode(systemd_sessions_t)
>>>   selinux_get_fs_mount(systemd_sessions_t)
>>>
>>
>>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
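Dave's plan (add kernel_dgram_send() to logging_send_syslog_msg(), then drop the explicit call from domains that already use the logging interface) together with Dominick's point that systemd_log_parse_environment() already implies logging_send_syslog_msg() can be checked mechanically before the follow-up patch is written. The script below is an added example, not Dave's patch or refpolicy code; it assumes the simplified one-argument call syntax used in the hunks and an implication table whose only entry is the relationship Dominick names, and it runs on a constructed excerpt rather than the real .te files.

```python
import re
from collections import defaultdict

# A one-argument interface call such as kernel_dgram_send(lvm_t); also matches
# $1-style arguments inside .if files.
CALL_RE = re.compile(r'^\s*([a-z][a-z0-9_]*)\(\s*([A-Za-z0-9_$]+)\s*\)')

# Interfaces known to pull in logging_send_syslog_msg() themselves. Assumed
# table: the only entry is the one Dominick points out for systemd.te.
IMPLIES = {"systemd_log_parse_environment": {"logging_send_syslog_msg"}}

def calls_by_domain(te_text):
    """Map each domain argument to the set of interfaces called on it, expanding
    the IMPLIES table; comment lines are skipped."""
    calls = defaultdict(set)
    for line in te_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CALL_RE.match(line)
        if m:
            iface, dom = m.groups()
            calls[dom].add(iface)
            calls[dom] |= IMPLIES.get(iface, set())
    return calls

def consolidation_plan(te_text):
    """Sort kernel_dgram_send() callers for the move into logging_send_syslog_msg():
    'redundant' domains can drop the explicit call once the move lands,
    'missing_logging' domains need logging_send_syslog_msg() added first."""
    calls = calls_by_domain(te_text)
    plan = {"redundant": [], "missing_logging": []}
    for dom in sorted(calls):
        if "kernel_dgram_send" not in calls[dom]:
            continue
        bucket = "redundant" if "logging_send_syslog_msg" in calls[dom] else "missing_logging"
        plan[bucket].append(dom)
    return plan

# Constructed excerpt modelled on the patch; not the real refpolicy files.
SAMPLE_TE = """\
# lvm.te: already logs via the logging interface
kernel_dgram_send(lvm_t)
kernel_request_load_module(lvm_t)
logging_send_syslog_msg(lvm_t)

# systemd.te: no logging interface at all
kernel_dgram_send(systemd_backlight_t)
udev_read_pid_files(systemd_backlight_t)

# systemd.te: logging implied through systemd_log_parse_environment()
kernel_dgram_send(systemd_sessions_t)
systemd_log_parse_environment(systemd_sessions_t)
"""

if __name__ == "__main__":
    print(consolidation_plan(SAMPLE_TE))
```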

2019-04-08 13:56:36

by Sugar, David

Subject: Re: [PATCH] Resolve some denials related to sending journal messages



On 4/8/19 9:41 AM, Dominick Grift wrote:
> "Sugar, David" <[email protected]> writes:
>
>
>> On 4/7/19 8:52 PM, Chris PeBenito wrote:
>>> On 4/4/19 8:29 AM, Sugar, David wrote:
>>>> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for
>>>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:systemd_backlight_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=1
>>>> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for
>>>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:systemd_sessions_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=0
>>>> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for
>>>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:lvm_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=1
>>>
>>> I think we've reached the limit of the explicit kernel_dgram_send()
>>> and it's time to reevaluate putting this in logging_send_syslog_msg().
>>>
>> That makes sense.  I will submit a patch after I test a bit.  But it
>> looks like everywhere (except the systemd module) that uses
>> kernel_dgram_send() already has logging_send_syslog_msg() so once
>> kernel_dgram_send() is added to logging_send_syslog_msg(),
>> kernel_dgram_send() can be removed from those domains.
>>
>> The exceptions are:
>>
>> 1) In the systemd module there isn't much use of
>> logging_send_syslog_msg().  For this case I will add
>> logging_send_syslog_msg() as required.
>
> see:
>
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/systemd.te#L410
>
> So "systemd_log_parse_environment()" implies "logging_send_syslog_msg()"
>

Thanks for that, I hadn't noticed.

>>
>> 2) In the interface init_daemon_domain(), it uses kernel_dgram_send()
>> directly, there it probably doesn't need to use
>> logging_send_syslog_msg(). This may be able to go away as modules might
>> already use logging now, I will try removing and see what breaks.
>>

Initial testing is showing this can be removed with no negative side
effect (at least for the domains I'm using). I will continue testing
before submitting a patch.

>>>
>>>> Signed-off-by: Dave Sugar <[email protected]>
>>>> ---
>>>>   policy/modules/system/lvm.te     | 1 +
>>>>   policy/modules/system/systemd.te | 4 ++++
>>>>   2 files changed, 5 insertions(+)
>>>>
>>>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>>>> index ec3b4a18..aea199d4 100644
>>>> --- a/policy/modules/system/lvm.te
>>>> +++ b/policy/modules/system/lvm.te
>>>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t,
>>>> lvm_metadata_t, file)
>>>>   files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>>>   files_search_mnt(lvm_t)
>>>>   +kernel_dgram_send(lvm_t)
>>>>   kernel_request_load_module(lvm_t)
>>>>   kernel_get_sysvipc_info(lvm_t)
>>>>   kernel_read_system_state(lvm_t)
>>>> diff --git a/policy/modules/system/systemd.te
>>>> b/policy/modules/system/systemd.te
>>>> index f6455f6f..541117a9 100644
>>>> --- a/policy/modules/system/systemd.te
>>>> +++ b/policy/modules/system/systemd.te
>>>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>>>   # for udev.conf
>>>>   files_read_etc_files(systemd_backlight_t)
>>>>   +kernel_dgram_send(systemd_backlight_t)
>>>> +
>>>>   # for /run/udev/data/+backlight*
>>>>   udev_read_pid_files(systemd_backlight_t)
>>>>   @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>>>   allow systemd_sessions_t systemd_sessions_var_run_t:file
>>>> manage_file_perms;
>>>>   files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t,
>>>> file)
>>>>   +kernel_dgram_send(systemd_sessions_t)
>>>> +
>>>>   selinux_get_enforce_mode(systemd_sessions_t)
>>>>   selinux_get_fs_mount(systemd_sessions_t)
>>>>
>>>
>>>
>