2019-12-24 10:11:04

by Jason Zaman

Subject: [PATCH 1/9] systemd: Add elogind support

Elogind is based on systemd-logind, extracted to run stand-alone.

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/admin/sudo.if | 2 ++
policy/modules/system/authlogin.if | 5 +++++
policy/modules/system/systemd.fc | 5 +++++
policy/modules/system/systemd.te | 27 ++++++++++++++++++++++++++-
4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index c1459364..4f08af28 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -159,6 +159,8 @@ template(`sudo_role_template',`

optional_policy(`
dbus_system_bus_client($1_sudo_t)
+ systemd_dbus_chat_logind($1_sudo_t)
+ systemd_write_inherited_logind_sessions_pipes($1_sudo_t)

ifdef(`init_systemd',`
init_dbus_chat($1_sudo_t)
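Review bot: The two new systemd_ calls at the top of the hunk sit inside the optional_policy block that exists for dbus_system_bus_client, so they are compiled in or out together with the dbus module rather than with the systemd module that defines them. The authlogin.if hunk in this same patch gives the same two interfaces their own optional_policy block; doing the same here (a separate block holding `systemd_dbus_chat_logind($1_sudo_t)` and `systemd_write_inherited_logind_sessions_pipes($1_sudo_t)`) keeps the module dependency tracking correct and the two files consistent. The enclosing sudo_role_template starts and ends outside the hunk.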
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index c16748f2..83837458 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -71,6 +71,11 @@ interface(`auth_use_pam',`
optional_policy(`
fprintd_dbus_chat($1)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1)
+ systemd_write_inherited_logind_sessions_pipes($1)
+ ')
')

optional_policy(`
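Review bot: The new block grants logind D-Bus chat and the sessions-pipe write to every domain that calls auth_use_pam, which is a wide set of login and service domains, and nothing in the hunk records which PAM consumer needs it. A one-line comment above the block would let later readers judge the scope, for example `# PAM session module (pam_systemd / pam_elogind) registers the session with logind` if that is indeed the consumer; confirm against the PAM module actually in use. The auth_use_pam interface continues outside the hunk.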
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 607b1d88..e6831465 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -16,6 +16,10 @@
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)

+/usr/lib/elogind/elogind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-cgroups-agent -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-uaccess-command -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+
# Systemd generators
/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
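Review bot: The two helper programs elogind-cgroups-agent and elogind-uaccess-command receive the daemon's systemd_logind_exec_t label, so whichever domain executes them takes the same transition into systemd_logind_t that init_daemon_domain sets up for the daemon itself. If a helper is spawned by something other than init or logind, no transition may exist for that caller and the helper would run in the caller's domain; I cannot tell from the hunk which domain launches each one. A comment naming the launching domain, e.g. `# helpers invoked by elogind itself`, would let reviewers confirm the shared label is intended.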

@@ -56,6 +60,7 @@
/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)

/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/elogind\.pid -- gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)

/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1422d8e2..f13b7252 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)

type systemd_logind_t;
type systemd_logind_exec_t;
+dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
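Review bot: The added dbus_system_domain() on systemd_logind_t has no comment explaining why logind now needs to be bus-activatable, and the commit message only says elogind is a stand-alone logind. Presumably elogind is started by the system bus when there is no systemd pid 1 to socket-activate it; if so, a comment such as `# elogind is started by dbus activation when systemd is not pid 1` on this line would record that. It is also worth confirming that dbus_system_domain() and the init_daemon_domain() on the next line do not both declare the same domain properties for systemd_logind_t.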

@@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
type systemd_logind_runtime_t alias systemd_logind_var_run_t;
files_pid_file(systemd_logind_runtime_t)
init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
+init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")

type systemd_logind_var_lib_t;
files_type(systemd_logind_var_lib_t)
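Review bot: The new init_daemon_pid_file() uses the name "elogind", while the systemd.fc hunk in this same patch labels the file as `/run/elogind\.pid`; the two do not agree, so a pid file created by init as elogind.pid would not get the named transition and would fall back to the generic pid type until relabeled. Unless the runtime file really is /run/elogind with no extension, the line should read `init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind.pid")`.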
@@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
# Logind local policy
#

-allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
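Review bot: The capability line gains fsetid and sys_resource with no comment and no denial in the commit message justifying either; sys_resource in particular lets the domain override resource limits and is not implied by "logind extracted to stand alone". A trailing comment naming the elogind operation behind each, such as `# fsetid, sys_resource: <elogind operation — fill in>`, or the AVC that was hit, would let reviewers check that the grant is no wider than needed.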
@@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
+files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
+
+create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)

manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
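Review bot: The new files_pid_filetrans() carries no name argument, so every file systemd_logind_t creates directly in /run will be labeled systemd_logind_runtime_t, not just the pid file this patch is about. Restricting it to the file named in systemd.fc, `files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file, "elogind.pid")`, keeps the transition narrow. The create_dirs_pattern on systemd_machined_runtime_t two lines below also deserves a comment saying why logind creates machined's runtime directory.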
@@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per

kernel_read_kernel_sysctls(systemd_logind_t)

+auth_write_login_records(systemd_logind_t)
+
dev_getattr_dri_dev(systemd_logind_t)
dev_getattr_generic_usb_dev(systemd_logind_t)
dev_getattr_kvm_dev(systemd_logind_t)
@@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)

domain_obj_id_change_exemption(systemd_logind_t)

+files_purge_tmp(systemd_logind_t)
files_read_etc_files(systemd_logind_t)
files_search_pids(systemd_logind_t)

fs_getattr_cgroup(systemd_logind_t)
+fs_manage_cgroup_dirs(systemd_logind_t)
+fs_manage_cgroup_files(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
fs_getattr_tmpfs_dirs(systemd_logind_t)
fs_list_tmpfs(systemd_logind_t)
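Review bot: files_purge_tmp() lets systemd_logind_t delete tmp content of any type, a grant normally reserved for tmp-cleaning daemons, and nothing in the hunk or the commit message says which logind action needs it. If it is only clearing a user's own runtime data at logout, the userdom user-runtime interfaces applied to this domain later in the file may already be enough; otherwise a comment above the line, `# <elogind operation — fill in>`, would record the reason. The fs_manage_cgroup_dirs/files pair below likewise reads as the no-systemd-pid-1 case where logind creates session cgroups itself; a short comment saying so would help.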
@@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
fs_unmount_tmpfs(systemd_logind_t)

+logging_send_audit_msgs(systemd_logind_t)
+
selinux_get_enforce_mode(systemd_logind_t)

storage_getattr_removable_dev(systemd_logind_t)
@@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)

auth_manage_faillog(systemd_logind_t)

+init_create_runtime_dirs(systemd_logind_t)
init_dbus_send_script(systemd_logind_t)
init_get_all_units_status(systemd_logind_t)
init_get_system_status(systemd_logind_t)
@@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)

+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(systemd_logind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(systemd_logind_t)
+')
+
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
@@ -568,6 +589,10 @@ optional_policy(`
policykit_dbus_chat(systemd_logind_t)
')

+optional_policy(`
+ shutdown_domtrans(systemd_logind_t)
+')
+
optional_policy(`
xserver_read_state(systemd_logind_t)
xserver_dbus_chat(systemd_logind_t)
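Review bot: The new shutdown_domtrans() block is unconditional, yet on a systemd system logind asks pid 1 over D-Bus to power off rather than executing the shutdown binary, so this transition presumably matters only for elogind. Guarding it with an `ifndef` on init_systemd, as sudo.if already uses `ifdef` for the same build flag, or at least commenting it as `# elogind execs shutdown directly; systemd-logind asks pid 1`, would keep the systemd-logind profile unchanged; confirm against what elogind actually does.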
--
2.24.1


2019-12-24 10:11:06

by Jason Zaman

Subject: [PATCH 3/9] xserver: ICEauthority can be in /run/user

From: Jason Zaman <[email protected]>

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/xserver.fc | 2 ++
policy/modules/services/xserver.te | 2 ++
2 files changed, 4 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index fa8db862..df06151e 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -143,6 +143,8 @@ ifndef(`distro_debian',`
/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)

+/run/user/%{USERID}/ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f016d429..499f03a6 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -117,6 +117,7 @@ userdom_user_application_domain(iceauth_t, iceauth_exec_t)

type iceauth_home_t;
userdom_user_home_content(iceauth_home_t)
+userdom_user_runtime_content(iceauth_home_t)

type xauth_t;
type xauth_exec_t;
@@ -211,6 +212,7 @@ optional_policy(`

allow iceauth_t iceauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+userdom_user_runtime_filetrans(iceauth_t, iceauth_home_t, file)

allow xdm_t iceauth_home_t:file read_file_perms;

--
2.24.1

2019-12-24 10:11:09

by Jason Zaman

Subject: [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock

type=AVC msg=audit(1563073723.106:232): avc: denied { read } for pid=7850 comm="udisksd" name="utab.lock" dev="tmpfs" ino=18445 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563073723.106:232): arch=c000003e syscall=254 success=no exit=-13 a0=b a1=55841d66c920 a2=10 a3=0 items=1 ppid=7849 pid=7850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563073723.106:232): cwd="/"
type=PATH msg=audit(1563073723.106:232): item=0 name="/run/mount/utab.lock" inode=18445 dev=00:16 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_runtime_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/devicekit.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 3331bd00..0622b6cf 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -192,6 +192,7 @@ optional_policy(`

optional_policy(`
mount_domtrans(devicekit_disk_t)
+ mount_rw_runtime_files(devicekit_disk_t)
')

optional_policy(`
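Review bot: The denial in the commit message is for syscall 254, which on x86_64 is inotify_add_watch, so udisksd only needs read access to /run/mount/utab.lock, while the added mount_rw_runtime_files() grants write as well. If mount.if provides a read-only interface for its runtime files, that would be the tighter fit; either way a comment `# watches /run/mount/utab.lock` above the line would tie the grant to the denial.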
--
2.24.1

2019-12-24 10:11:13

by Jason Zaman

Subject: [PATCH 5/9] dirmngr: accept unix stream socket

dirmngr needs to listen and accept on /run/user/1000/gnupg/S.dirmngr

type=AVC msg=audit(1554175286.968:2720907): avc: denied { accept } for pid=15692 comm="dirmngr" path="/run/user/1000/gnupg/S.dirmngr" scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/dirmngr.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/dirmngr.te b/policy/modules/services/dirmngr.te
index 056cd97b..e34295e7 100644
--- a/policy/modules/services/dirmngr.te
+++ b/policy/modules/services/dirmngr.te
@@ -37,6 +37,7 @@ userdom_user_home_content(dirmngr_home_t)
#

allow dirmngr_t self:fifo_file rw_file_perms;
+allow dirmngr_t self:unix_stream_socket rw_stream_socket_perms;

allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
--
2.24.1

2019-12-24 10:11:16

by Jason Zaman

Subject: [PATCH 6/9] fstools: add zfs-auto-snapshot

Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.

type=AVC msg=audit(1563084061.269:2472): avc: denied { execute } for pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/system/fstools.fc | 1 +
policy/modules/system/fstools.te | 1 +
2 files changed, 2 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 8fbd5ce4..d871294e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -49,6 +49,7 @@
/usr/bin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 8d37e323..64b61485 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -154,6 +154,7 @@ logging_send_syslog_msg(fsadm_t)

miscfiles_read_localization(fsadm_t)

+mount_exec(fsadm_t)
# for /run/mount/utab
mount_getattr_runtime_files(fsadm_t)
# losetup: bind mount_loopback_t files to loop devices
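Review bot: The commit message says the script should run in domain fstools_t, but the hunk and the fstools.fc entry put it in fsadm_t, which is the domain this module defines; the message should say fsadm_t so the history matches the policy. mount_exec() also lets fsadm_t run every mount_exec_t binary in its own domain, not only zpool, which is wider than the single denial shown; if nothing else needs zpool labeled mount_exec_t, relabeling it as fsadm_exec_t in fstools.fc would be the narrower fix, otherwise a `# zpool is labeled mount_exec_t` note on the line records why the broad interface is used.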
--
2.24.1

2019-12-24 10:11:19

by Jason Zaman

Subject: [PATCH 7/9] chromium: allow dbus chat to inhibit power

Chromium will inhibit power saving when playing videos.

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/apps/chromium.if | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
index 2ded3279..f236171e 100644
--- a/policy/modules/apps/chromium.if
+++ b/policy/modules/apps/chromium.if
@@ -22,6 +22,7 @@ interface(`chromium_role',`
type chromium_sandbox_t;
type chromium_naclhelper_t;
type chromium_exec_t;
+ class dbus send_msg;
')

role $1 types chromium_t;
@@ -42,6 +43,9 @@ interface(`chromium_role',`

allow chromium_sandbox_t $2:fd use;
allow chromium_naclhelper_t $2:fd use;
+
+ allow $2 chromium_t:dbus send_msg;
+ allow chromium_t $2:dbus send_msg;
')

#######################################
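Review bot: The two new dbus send_msg rules between $2 and chromium_t have no comment linking them to the power-inhibit use the commit message describes, and the hunk alone does not show which process in $2 is the peer. A comment above them, `# inhibit power saving while playing video; presumably the session power manager runs in $2`, or a tighter statement once confirmed, keeps the reason next to the rule. The chromium_role interface starts outside the hunk.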
--
2.24.1

2019-12-24 10:11:22

by Jason Zaman

Subject: [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd

avc: denied { listen } for pid=3236 comm="virtlogd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/virt.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 0d5d1b25..d4c5d05a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1323,6 +1323,7 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)

allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t self:unix_stream_socket create_stream_socket_perms;

allow virtlockd_t virtd_t:dir list_dir_perms;
allow virtlockd_t virtd_t:file read_file_perms;
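Review bot: This hunk adds create_stream_socket_perms to virtlockd_t, but the only denial in the commit message is the virtlogd listen; the second hunk is the one backed by evidence, so a sentence in the message noting that virtlockd was changed by symmetry (or its own denial) would make the virtlockd rule traceable. The denial also names /run/libvirt/virtlogd-sock, and neither hunk touches labeling for that socket file, so it is worth confirming it already carries a type virtlogd_t may create and bind.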
@@ -1362,6 +1363,7 @@ virt_read_config(virtlockd_t)
#

allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;

allow virtlogd_t virtd_t:dir list_dir_perms;
allow virtlogd_t virtd_t:file read_file_perms;
--
2.24.1

2019-12-24 10:11:26

by Jason Zaman

Subject: [PATCH 9/9] virt: allow lvm_control access

type=AVC msg=audit(1563034372.505:40675): avc: denied { read write } for pid=64033 comm="libvirtd" name="control" dev="devtmpfs" ino=1273 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1563034372.505:40675): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff9a09cd180 a2=2 a3=0 items=1 ppid=1 pid=64033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563034372.505:40675): cwd="/"
type=PATH msg=audit(1563034372.505:40675): item=0 name="/dev/mapper/control" inode=1273 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=0a:ec obj=system_u:object_r:lvm_control_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <[email protected]>
---
policy/modules/services/virt.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index d4c5d05a..fb985f12 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -622,6 +622,7 @@ dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
dev_rw_kvm(virtd_t)
+dev_rw_lvm_control(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
dev_rw_vhost(virtd_t)
--
2.24.1

2019-12-26 17:30:01

by Chris PeBenito

Subject: Re: [PATCH 1/9] systemd: Add elogind support

On 12/24/19 5:10 AM, Jason Zaman wrote:
> Elogind is based off systemd-logind extracted to stand alone.

I'm not a fan of this. Systemd is already a big mess of permissions by
itself, and I'm reluctant to add even more to it to support something else.


> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/admin/sudo.if | 2 ++
> policy/modules/system/authlogin.if | 5 +++++
> policy/modules/system/systemd.fc | 5 +++++
> policy/modules/system/systemd.te | 27 ++++++++++++++++++++++++++-
> 4 files changed, 38 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index c1459364..4f08af28 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -159,6 +159,8 @@ template(`sudo_role_template',`
>
> optional_policy(`
> dbus_system_bus_client($1_sudo_t)
> + systemd_dbus_chat_logind($1_sudo_t)
> + systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
>
> ifdef(`init_systemd',`
> init_dbus_chat($1_sudo_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index c16748f2..83837458 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
> optional_policy(`
> fprintd_dbus_chat($1)
> ')
> +
> + optional_policy(`
> + systemd_dbus_chat_logind($1)
> + systemd_write_inherited_logind_sessions_pipes($1)
> + ')
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 607b1d88..e6831465 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -16,6 +16,10 @@
> /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
>
> +/usr/lib/elogind/elogind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +/usr/lib/elogind/elogind-cgroups-agent -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +/usr/lib/elogind/elogind-uaccess-command -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> +
> # Systemd generators
> /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
>
> @@ -56,6 +60,7 @@
> /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
>
> /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> +/run/elogind\.pid -- gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
> /run/nologin -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
>
> /run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 1422d8e2..f13b7252 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
>
> type systemd_logind_t;
> type systemd_logind_exec_t;
> +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
> init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
>
> @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
> type systemd_logind_runtime_t alias systemd_logind_var_run_t;
> files_pid_file(systemd_logind_runtime_t)
> init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
>
> type systemd_logind_var_lib_t;
> files_type(systemd_logind_var_lib_t)
> @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
> # Logind local policy
> #
>
> -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
> allow systemd_logind_t self:process { getcap setfscreate };
> allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> +
> +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
>
> manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
>
> kernel_read_kernel_sysctls(systemd_logind_t)
>
> +auth_write_login_records(systemd_logind_t)
> +
> dev_getattr_dri_dev(systemd_logind_t)
> dev_getattr_generic_usb_dev(systemd_logind_t)
> dev_getattr_kvm_dev(systemd_logind_t)
> @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
>
> domain_obj_id_change_exemption(systemd_logind_t)
>
> +files_purge_tmp(systemd_logind_t)
> files_read_etc_files(systemd_logind_t)
> files_search_pids(systemd_logind_t)
>
> fs_getattr_cgroup(systemd_logind_t)
> +fs_manage_cgroup_dirs(systemd_logind_t)
> +fs_manage_cgroup_files(systemd_logind_t)
> fs_getattr_tmpfs(systemd_logind_t)
> fs_getattr_tmpfs_dirs(systemd_logind_t)
> fs_list_tmpfs(systemd_logind_t)
> @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
> fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
> fs_unmount_tmpfs(systemd_logind_t)
>
> +logging_send_audit_msgs(systemd_logind_t)
> +
> selinux_get_enforce_mode(systemd_logind_t)
>
> storage_getattr_removable_dev(systemd_logind_t)
> @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
>
> auth_manage_faillog(systemd_logind_t)
>
> +init_create_runtime_dirs(systemd_logind_t)
> init_dbus_send_script(systemd_logind_t)
> init_get_all_units_status(systemd_logind_t)
> init_get_system_status(systemd_logind_t)
> @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> userdom_setattr_user_ttys(systemd_logind_t)
> userdom_use_user_ttys(systemd_logind_t)
>
> +tunable_policy(`use_nfs_home_dirs',`
> + fs_read_nfs_files(systemd_logind_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_read_cifs_files(systemd_logind_t)
> +')
> +
> # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
> @@ -568,6 +589,10 @@ optional_policy(`
> policykit_dbus_chat(systemd_logind_t)
> ')
>
> +optional_policy(`
> + shutdown_domtrans(systemd_logind_t)
> +')
> +
> optional_policy(`
> xserver_read_state(systemd_logind_t)
> xserver_dbus_chat(systemd_logind_t)
>


--
Chris PeBenito

2019-12-26 17:30:01

by Chris PeBenito

Subject: Re: [PATCH 6/9] fstools: add zfs-auto-snapshot

On 12/24/19 5:10 AM, Jason Zaman wrote:
> Should be in domain fstools_t, and needs to run zpool which is
> mount_exec_t.
>
> type=AVC msg=audit(1563084061.269:2472): avc: denied { execute } for pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1563084061.269:2472): cwd="/root"
> type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/system/fstools.fc | 1 +
> policy/modules/system/fstools.te | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 8fbd5ce4..d871294e 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -49,6 +49,7 @@
> /usr/bin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 8d37e323..64b61485 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -154,6 +154,7 @@ logging_send_syslog_msg(fsadm_t)
>
> miscfiles_read_localization(fsadm_t)
>
> +mount_exec(fsadm_t)
> # for /run/mount/utab
> mount_getattr_runtime_files(fsadm_t)
> # losetup: bind mount_loopback_t files to loop devices

Please add a comment that this is for the zfs command.

--
Chris PeBenito

2019-12-26 17:30:02

by Chris PeBenito

Subject: Re: [PATCH 3/9] xserver: ICEauthority can be in /run/user

On 12/24/19 5:10 AM, Jason Zaman wrote:
> From: Jason Zaman <[email protected]>
>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/xserver.fc | 2 ++
> policy/modules/services/xserver.te | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index fa8db862..df06151e 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -143,6 +143,8 @@ ifndef(`distro_debian',`
> /run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
> /run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
>
> +/run/user/%{USERID}/ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> +
> ifdef(`distro_suse',`
> /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
> ')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index f016d429..499f03a6 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -117,6 +117,7 @@ userdom_user_application_domain(iceauth_t, iceauth_exec_t)
>
> type iceauth_home_t;
> userdom_user_home_content(iceauth_home_t)
> +userdom_user_runtime_content(iceauth_home_t)
>
> type xauth_t;
> type xauth_exec_t;
> @@ -211,6 +212,7 @@ optional_policy(`
>
> allow iceauth_t iceauth_home_t:file manage_file_perms;
> userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
> +userdom_user_runtime_filetrans(iceauth_t, iceauth_home_t, file)
>
> allow xdm_t iceauth_home_t:file read_file_perms;

Merged.

--
Chris PeBenito

2019-12-26 17:30:03

by Chris PeBenito

Subject: Re: [PATCH 4/9] devicekit: udisks needs access to /run/mount/utab.lock

On 12/24/19 5:10 AM, Jason Zaman wrote:
> type=AVC msg=audit(1563073723.106:232): avc: denied { read } for pid=7850 comm="udisksd" name="utab.lock" dev="tmpfs" ino=18445 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1563073723.106:232): arch=c000003e syscall=254 success=no exit=-13 a0=b a1=55841d66c920 a2=10 a3=0 items=1 ppid=7849 pid=7850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1563073723.106:232): cwd="/"
> type=PATH msg=audit(1563073723.106:232): item=0 name="/run/mount/utab.lock" inode=18445 dev=00:16 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_runtime_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/devicekit.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
> index 3331bd00..0622b6cf 100644
> --- a/policy/modules/services/devicekit.te
> +++ b/policy/modules/services/devicekit.te
> @@ -192,6 +192,7 @@ optional_policy(`
>
> optional_policy(`
> mount_domtrans(devicekit_disk_t)
> + mount_rw_runtime_files(devicekit_disk_t)
> ')
>
> optional_policy(`

Merged.

--
Chris PeBenito

2019-12-26 17:30:04

by Chris PeBenito

Subject: Re: [PATCH 5/9] dirmngr: accept unix stream socket

On 12/24/19 5:10 AM, Jason Zaman wrote:
> dirmngr needs to listen and accept on /run/user/1000/gnupg/S.dirmngr
>
> type=AVC msg=audit(1554175286.968:2720907): avc: denied { accept } for pid=15692 comm="dirmngr" path="/run/user/1000/gnupg/S.dirmngr" scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/dirmngr.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/dirmngr.te b/policy/modules/services/dirmngr.te
> index 056cd97b..e34295e7 100644
> --- a/policy/modules/services/dirmngr.te
> +++ b/policy/modules/services/dirmngr.te
> @@ -37,6 +37,7 @@ userdom_user_home_content(dirmngr_home_t)
> #
>
> allow dirmngr_t self:fifo_file rw_file_perms;
> +allow dirmngr_t self:unix_stream_socket rw_stream_socket_perms;
>
> allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
> allow dirmngr_t dirmngr_conf_t:file read_file_perms;

Merged.

--
Chris PeBenito

2019-12-26 17:30:05

by Chris PeBenito

Subject: Re: [PATCH 7/9] chromium: allow dbus chat to inhibit power

On 12/24/19 5:10 AM, Jason Zaman wrote:
> Chromium will inhibit power saving when playing videos.
>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/apps/chromium.if | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
> index 2ded3279..f236171e 100644
> --- a/policy/modules/apps/chromium.if
> +++ b/policy/modules/apps/chromium.if
> @@ -22,6 +22,7 @@ interface(`chromium_role',`
> type chromium_sandbox_t;
> type chromium_naclhelper_t;
> type chromium_exec_t;
> + class dbus send_msg;
> ')
>
> role $1 types chromium_t;
> @@ -42,6 +43,9 @@ interface(`chromium_role',`
>
> allow chromium_sandbox_t $2:fd use;
> allow chromium_naclhelper_t $2:fd use;
> +
> + allow $2 chromium_t:dbus send_msg;
> + allow chromium_t $2:dbus send_msg;
> ')
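Review bot: The two `send_msg` rules make the peer of chromium_t's dbus traffic the role's user domain (`$2`), not logind, so the "inhibit power" in the subject is only indirectly what is being allowed; presumably the inhibit request travels over the session bus to a desktop-session daemon running in `$2`, and a comment such as `# session bus: power-save inhibit while playing video` above the two rules would record that for the next reader. dbus-daemon checks `send_msg` on method returns as well, so the reverse `allow $2 chromium_t:dbus send_msg;` is needed for the call to complete, but it also means any dbus method the user domain exposes is reachable from chromium_t. The documentation block at the top of chromium_role is outside this hunk and should mention the new dbus access.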
>
> #######################################

Merged.

--
Chris PeBenito

2019-12-26 17:30:07

by Chris PeBenito

Subject: Re: [PATCH 8/9] virt: Add unix socket for virtlogd/virtlockd

On 12/24/19 5:10 AM, Jason Zaman wrote:
> avc: denied { listen } for pid=3236 comm="virtlogd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/virt.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index 0d5d1b25..d4c5d05a 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -1323,6 +1323,7 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
>
> allow virtlockd_t self:capability dac_override;
> allow virtlockd_t self:fifo_file rw_fifo_file_perms;
> +allow virtlockd_t self:unix_stream_socket create_stream_socket_perms;
>
> allow virtlockd_t virtd_t:dir list_dir_perms;
> allow virtlockd_t virtd_t:file read_file_perms;
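Review bot: The commit message shows the `{ listen }` denial for virtlogd only, so the identical grant for virtlockd in this hunk is inferred rather than observed; that is fine if virtlockd has the same /run/libvirt socket setup, but the message should say so, e.g. `# virtlockd/virtlogd listen on their admin sockets in /run/libvirt`. `create_stream_socket_perms` also implies the daemons create the socket themselves rather than receiving it from socket activation; the matching `sock_file` rules on the /run/libvirt type are outside this hunk and could not be checked.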
> @@ -1362,6 +1363,7 @@ virt_read_config(virtlockd_t)
> #
>
> allow virtlogd_t self:fifo_file rw_fifo_file_perms;
> +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
>
> allow virtlogd_t virtd_t:dir list_dir_perms;
> allow virtlogd_t virtd_t:file read_file_perms;

Merged.

--
Chris PeBenito

2019-12-26 17:30:09

by Chris PeBenito

Subject: Re: [PATCH 9/9] virt: allow lvm_control access

On 12/24/19 5:10 AM, Jason Zaman wrote:
> type=AVC msg=audit(1563034372.505:40675): avc: denied { read write } for pid=64033 comm="libvirtd" name="control" dev="devtmpfs" ino=1273 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
> type=SYSCALL msg=audit(1563034372.505:40675): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff9a09cd180 a2=2 a3=0 items=1 ppid=1 pid=64033 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
> type=CWD msg=audit(1563034372.505:40675): cwd="/"
> type=PATH msg=audit(1563034372.505:40675): item=0 name="/dev/mapper/control" inode=1273 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=0a:ec obj=system_u:object_r:lvm_control_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
>
> Signed-off-by: Jason Zaman <[email protected]>
> ---
> policy/modules/services/virt.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index d4c5d05a..fb985f12 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -622,6 +622,7 @@ dev_rw_sysfs(virtd_t)
> dev_read_urand(virtd_t)
> dev_read_rand(virtd_t)
> dev_rw_kvm(virtd_t)
> +dev_rw_lvm_control(virtd_t)
> dev_getattr_all_chr_files(virtd_t)
> dev_rw_mtrr(virtd_t)
> dev_rw_vhost(virtd_t)
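Review bot: `dev_rw_lvm_control(virtd_t)` opens the device-mapper control node (the syscall record shows libvirtd itself doing the `openat` with `a2=2`, i.e. O_RDWR), which lets virtd_t issue dm ioctls directly — creating or removing mappings on arbitrary block devices, not just LVM volumes. That is a considerable privilege to add unconditionally to a domain that already has `dev_rw_sysfs`, so a comment stating why libvirtd needs it in-process rather than through a transition to the lvm domain (if virtd_t has one; that part of virt.te is outside this hunk), e.g. `# libvirtd reads device-mapper state directly for the logical storage pool`, would help justify it. If it is only needed for the logical storage backend, it could sit with the rest of that support in an `optional_policy` or tunable.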

Merged.

--
Chris PeBenito

2019-12-28 04:35:13

by Jason Zaman

Subject: Re: [PATCH 1/9] systemd: Add elogind support

On Thu, Dec 26, 2019 at 12:03:32PM -0500, Chris PeBenito wrote:
> On 12/24/19 5:10 AM, Jason Zaman wrote:
> > Elogind is based off systemd-logind extracted to stand alone.
>
> I'm not a fan of this. Systemd is already a big mess of permissions by
> itself, and I'm reluctant to add even more to it to support something else.

I'm not super happy about it either. I tried to make elogind_t
standalone originally. It didn't end up working that well because it really
*is* systemd-logind, just without systemd as pid1. The problem is all
the paths are the same, everything in /run and /var and all that gets
used exactly the same, so the fcontexts would conflict. A lot of the
perms I ended up adding seem like things that systemd-logind should be
able to do anyway too (like purging tmp to clean up /run/user when
people log out, or sending audit logs) -- or do these things end up done by
pid1 instead if it's systemd?

It's a similar issue to how tmpfiles works on gentoo. We made a policy
for opentmpfiles (originally in openrc) then later the systemd policy in
upstream refpol added systemd-tmpfiles. I've had to ifndef init_systemd
around those fcontexts and it kind of works but its pretty awkward and
makes switching between openrc/systemd more annoying than it should be.

I'd be up for modularizing systemd.te if it'd make things easier but I'm
not completely sure how. I see a few different parts that need to be
handled carefully: 1) the paths on disk, these should ideally be the
same for all the implementations of things. 2) the daemons themselves,
these could be the same or different domains makes little difference. 3)
how other programs interact with the daemons. I'm not really sure
duplicating perms in every other policy is the right way to go? like
everything would have to call both systemd_logind_foo() and
elogind_foo()?

If you have better ideas how to approach this, I'm all ears :)

-- Jason


>
>
> > Signed-off-by: Jason Zaman <[email protected]>
> > ---
> > policy/modules/admin/sudo.if | 2 ++
> > policy/modules/system/authlogin.if | 5 +++++
> > policy/modules/system/systemd.fc | 5 +++++
> > policy/modules/system/systemd.te | 27 ++++++++++++++++++++++++++-
> > 4 files changed, 38 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> > index c1459364..4f08af28 100644
> > --- a/policy/modules/admin/sudo.if
> > +++ b/policy/modules/admin/sudo.if
> > @@ -159,6 +159,8 @@ template(`sudo_role_template',`
> >
> > optional_policy(`
> > dbus_system_bus_client($1_sudo_t)
> > + systemd_dbus_chat_logind($1_sudo_t)
> > + systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
> >
> > ifdef(`init_systemd',`
> > init_dbus_chat($1_sudo_t)
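Review bot: The two new `systemd_*` calls sit inside the `optional_policy` block that begins with `dbus_system_bus_client($1_sudo_t)`, so a block that was optional on the dbus module now also requires the systemd module, and if that module is absent the whole block — including the dbus client access — is dropped. Wrapping them in their own `optional_policy(` … ')` keeps the two module dependencies independent; leaving them outside the `ifdef(`init_systemd')` is clearly intentional here, since elogind runs without systemd as pid 1. The body of sudo_role_template continues outside the hunk.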
> > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > index c16748f2..83837458 100644
> > --- a/policy/modules/system/authlogin.if
> > +++ b/policy/modules/system/authlogin.if
> > @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
> > optional_policy(`
> > fprintd_dbus_chat($1)
> > ')
> > +
> > + optional_policy(`
> > + systemd_dbus_chat_logind($1)
> > + systemd_write_inherited_logind_sessions_pipes($1)
> > + ')
> > ')
> >
> > optional_policy(`
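Review bot: `auth_use_pam` is called by essentially every domain that authenticates through PAM, so this hunk grants all of them bidirectional dbus chat with systemd_logind_t plus writes to inherited logind session pipes, unconditionally rather than under `ifdef(`init_systemd')`. That is presumably what pam_systemd/pam_elogind need to register a session, but it is a wide audience for a daemon holding `sys_admin` and `dac_override`; a comment above the block, e.g. `# pam_systemd / pam_elogind register the session with logind`, would record the reason, and it is worth checking that PAM users which never load that module are acceptable recipients. The rest of auth_use_pam is outside the hunk.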
> > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> > index 607b1d88..e6831465 100644
> > --- a/policy/modules/system/systemd.fc
> > +++ b/policy/modules/system/systemd.fc
> > @@ -16,6 +16,10 @@
> > /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> > /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
> >
> > +/usr/lib/elogind/elogind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +/usr/lib/elogind/elogind-cgroups-agent -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +/usr/lib/elogind/elogind-uaccess-command -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +
> > # Systemd generators
> > /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> >
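Review bot: `elogind-cgroups-agent` and `elogind-uaccess-command` are helper programs, yet they receive the daemon's exec type, so whatever executes them either needs a transition into systemd_logind_t (and then runs with its `sys_admin`/`dac_override` capabilities) or needs execute permission on `systemd_logind_exec_t`. If the uaccess helper is launched from a udev rule, as its name suggests, udev_t would have neither; a distinct exec type, or plain `bin_t` for the two helpers, together with a comment such as `# helper binaries run from udev / cgroup release hooks, not the daemon itself`, would avoid quietly widening the logind domain. Only the elogind daemon clearly belongs on `systemd_logind_exec_t`.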
> > @@ -56,6 +60,7 @@
> > /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
> >
> > /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > +/run/elogind\.pid -- gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
> > /run/nologin -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> >
> > /run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > index 1422d8e2..f13b7252 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
> >
> > type systemd_logind_t;
> > type systemd_logind_exec_t;
> > +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
> > init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> > init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> >
> > @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
> > type systemd_logind_runtime_t alias systemd_logind_var_run_t;
> > files_pid_file(systemd_logind_runtime_t)
> > init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> > +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
> >
> > type systemd_logind_var_lib_t;
> > files_type(systemd_logind_var_lib_t)
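Review bot: The named transition `init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")` will not fire for the file this patch labels in systemd.fc, `/run/elogind\.pid`, because a name-based transition matches the complete final path component and `elogind` is not `elogind.pid`. Unless elogind also creates a bare `/run/elogind` entry, the line should read `init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind.pid")`; this mismatch may be why an unnamed `files_pid_filetrans` for the daemon was needed further down in the patch.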
> > @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
> > # Logind local policy
> > #
> >
> > -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> > +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
> > allow systemd_logind_t self:process { getcap setfscreate };
> > allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> > allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
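Review bot: `fsetid` and `sys_resource` are added to the capability set with nothing saying what triggers them. `fsetid` is checked by the kernel on chown/chmod to decide whether setuid/setgid bits are preserved, and refpolicy normally handles that with `dontaudit systemd_logind_t self:capability fsetid;` rather than an allow unless the daemon genuinely needs to keep those bits — logind's chown of device nodes and /run/user directories looks like the harmless case. `sys_resource` is broad (rlimit overrides, reserved-space use and more), so a comment naming the rlimit or syscall that needs it, or the AVC that motivated it, should sit next to the rule.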
> > @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> > manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> > manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> > allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> > +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> > +
> > +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
> >
> > manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> > manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
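Review bot: `files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)` is an unnamed transition, so every regular file the daemon creates directly in /run gets `systemd_logind_runtime_t`, not just the pid file; since the only new object in this patch is `/run/elogind.pid`, the named form `files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file, "elogind.pid")` is just as functional and does not silently relabel anything else logind may drop in /run. The `create_dirs_pattern` on `systemd_machined_runtime_t` has no explanation either; a comment such as `# elogind creates subdirectories under the machined runtime dir` (naming the actual path) would help, since machined itself presumably does not run in the elogind configuration.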
> > @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
> >
> > kernel_read_kernel_sysctls(systemd_logind_t)
> >
> > +auth_write_login_records(systemd_logind_t)
> > +
> > dev_getattr_dri_dev(systemd_logind_t)
> > dev_getattr_generic_usb_dev(systemd_logind_t)
> > dev_getattr_kvm_dev(systemd_logind_t)
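Review bot: `auth_write_login_records(systemd_logind_t)` lets logind write wtmp/utmp-type records; under systemd that job belongs to a separate systemd-update-utmp unit, so this is presumably elogind-only behaviour being granted to the shared domain, which is exactly the objection raised in the thread. Gating it with `ifndef(`init_systemd',` … ')` or at least adding `# elogind updates utmp itself (no systemd-update-utmp)` would keep the systemd configuration unchanged and make the intent visible.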
> > @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
> >
> > domain_obj_id_change_exemption(systemd_logind_t)
> >
> > +files_purge_tmp(systemd_logind_t)
> > files_read_etc_files(systemd_logind_t)
> > files_search_pids(systemd_logind_t)
> >
> > fs_getattr_cgroup(systemd_logind_t)
> > +fs_manage_cgroup_dirs(systemd_logind_t)
> > +fs_manage_cgroup_files(systemd_logind_t)
> > fs_getattr_tmpfs(systemd_logind_t)
> > fs_getattr_tmpfs_dirs(systemd_logind_t)
> > fs_list_tmpfs(systemd_logind_t)
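Review bot: `files_purge_tmp(systemd_logind_t)` grants delete access over every object carrying the `tmpfile` attribute system-wide, which is far wider than cleaning `/run/user/$UID` at logout as described in the thread. The contents of a user runtime directory are user runtime/tmp types, for which the userdom interfaces already used in this block (compare `userdom_relabelto_user_runtime_dirs` just below) are the tighter choice; if a generic purge is truly required, a comment naming the paths it is for should accompany it. `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` likewise give full control of the cgroup hierarchy — defensible when there is no pid 1 systemd to delegate to, but that dependence on the init system suggests wrapping them in `ifndef(`init_systemd')`.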
> > @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
> > fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
> > fs_unmount_tmpfs(systemd_logind_t)
> >
> > +logging_send_audit_msgs(systemd_logind_t)
> > +
> > selinux_get_enforce_mode(systemd_logind_t)
> >
> > storage_getattr_removable_dev(systemd_logind_t)
> > @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
> >
> > auth_manage_faillog(systemd_logind_t)
> >
> > +init_create_runtime_dirs(systemd_logind_t)
> > init_dbus_send_script(systemd_logind_t)
> > init_get_all_units_status(systemd_logind_t)
> > init_get_system_status(systemd_logind_t)
> > @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> > userdom_setattr_user_ttys(systemd_logind_t)
> > userdom_use_user_ttys(systemd_logind_t)
> >
> > +tunable_policy(`use_nfs_home_dirs',`
> > + fs_read_nfs_files(systemd_logind_t)
> > +')
> > +
> > +tunable_policy(`use_samba_home_dirs',`
> > + fs_read_cifs_files(systemd_logind_t)
> > +')
> > +
> > # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> > # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> > # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
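Review bot: Reading users' home files over NFS/CIFS is an unusual need for a session manager and nothing in the hunk says what logind reads there; a one-line comment above the two `tunable_policy` blocks naming the file or check involved would make the grant reviewable. If it is only a search or getattr to validate that the home directory exists, the narrower search/getattr interfaces for nfs_t and cifs_t would suffice instead of `fs_read_nfs_files`/`fs_read_cifs_files`. The corresponding rule for local home directories, if any, is outside this hunk.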
> > @@ -568,6 +589,10 @@ optional_policy(`
> > policykit_dbus_chat(systemd_logind_t)
> > ')
> >
> > +optional_policy(`
> > + shutdown_domtrans(systemd_logind_t)
> > +')
> > +
> > optional_policy(`
> > xserver_read_state(systemd_logind_t)
> > xserver_dbus_chat(systemd_logind_t)
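Review bot: `shutdown_domtrans(systemd_logind_t)` lets logind execute shutdown(8) in its own domain, which is how elogind performs poweroff/reboot without a pid 1 to ask; under systemd, logind requests these actions from pid 1 over dbus, so this transition is dead policy there and, like the other elogind-only grants, would be clearer under `ifndef(`init_systemd',` … ')` with a comment `# elogind runs shutdown(8) directly for poweroff/reboot`. Since the transition target can halt the machine, keeping it scoped to the configuration that needs it also limits what a compromised logind could do on a systemd host.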
> >
>
>
> --
> Chris PeBenito

2019-12-28 15:59:56

by Dominick Grift

Subject: Re: [PATCH 1/9] systemd: Add elogind support

On Sat, Dec 28, 2019 at 12:35:04PM +0800, Jason Zaman wrote:
> On Thu, Dec 26, 2019 at 12:03:32PM -0500, Chris PeBenito wrote:
> > On 12/24/19 5:10 AM, Jason Zaman wrote:
> > > Elogind is based off systemd-logind extracted to stand alone.
> >
> > I'm not a fan of this. Systemd is already a big mess of permissions by
> > itself, and I'm reluctant to add even more to it to support something else.
>
> I'm not super happy about it either. I tried to make elogind_t
> standalone originally. It didn't end up working that well because it really
> *is* systemd-logind, just without systemd as pid1. The problem is all
> the paths are the same, everything in /run and /var and all that gets
> used exactly the same, so the fcontexts would conflict. A lot of the
> perms I ended up adding seem like things that systemd-logind should be
> able to do anyway too (like purging tmp to clean up /run/user when
> people log out, or sending audit logs) -- or do these things end up done by
> pid1 instead if it's systemd?
>
> It's a similar issue to how tmpfiles works on gentoo. We made a policy
> for opentmpfiles (originally in openrc) then later the systemd policy in
> upstream refpol added systemd-tmpfiles. I've had to ifndef init_systemd
> around those fcontexts and it kind of works but its pretty awkward and
> makes switching between openrc/systemd more annoying than it should be.
>
> I'd be up for modularizing systemd.te if it'd make things easier but I'm
> not completely sure how. I see a few different parts that need to be
> handled carefully: 1) the paths on disk, these should ideally be the
> same for all the implementations of things. 2) the daemons themselves,
> these could be the same or different domains makes little difference. 3)
> how other programs interact with the daemons. I'm not really sure
> duplicating perms in every other policy is the right way to go? like
> everything would have to call both systemd_logind_foo() and
> elogind_foo()?
>
> If you have better ideas how to approach this, I'm all ears :)

I guess there are two options here. Either make your elogind module depend on whatever module has the types declared that need to be used by both logind and elogind (less optimal but less intrusive), or strip the "shared" types from the module that currently has them declared and declare them in a separate "shared" module so that both logind and elogind can tap into that (would require some refactoring, but it should be doable and be more optimal, I suspect).

The same would apply to tmpfiles, I gather.

>
> -- Jason
>
>
> >
> >
> > > Signed-off-by: Jason Zaman <[email protected]>
> > > ---
> > > policy/modules/admin/sudo.if | 2 ++
> > > policy/modules/system/authlogin.if | 5 +++++
> > > policy/modules/system/systemd.fc | 5 +++++
> > > policy/modules/system/systemd.te | 27 ++++++++++++++++++++++++++-
> > > 4 files changed, 38 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> > > index c1459364..4f08af28 100644
> > > --- a/policy/modules/admin/sudo.if
> > > +++ b/policy/modules/admin/sudo.if
> > > @@ -159,6 +159,8 @@ template(`sudo_role_template',`
> > >
> > > optional_policy(`
> > > dbus_system_bus_client($1_sudo_t)
> > > + systemd_dbus_chat_logind($1_sudo_t)
> > > + systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
> > >
> > > ifdef(`init_systemd',`
> > > init_dbus_chat($1_sudo_t)
> > > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > > index c16748f2..83837458 100644
> > > --- a/policy/modules/system/authlogin.if
> > > +++ b/policy/modules/system/authlogin.if
> > > @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
> > > optional_policy(`
> > > fprintd_dbus_chat($1)
> > > ')
> > > +
> > > + optional_policy(`
> > > + systemd_dbus_chat_logind($1)
> > > + systemd_write_inherited_logind_sessions_pipes($1)
> > > + ')
> > > ')
> > >
> > > optional_policy(`
> > > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> > > index 607b1d88..e6831465 100644
> > > --- a/policy/modules/system/systemd.fc
> > > +++ b/policy/modules/system/systemd.fc
> > > @@ -16,6 +16,10 @@
> > > /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> > > /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
> > >
> > > +/usr/lib/elogind/elogind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +/usr/lib/elogind/elogind-cgroups-agent -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +/usr/lib/elogind/elogind-uaccess-command -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > > +
> > > # Systemd generators
> > > /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> > >
> > > @@ -56,6 +60,7 @@
> > > /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
> > >
> > > /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > > +/run/elogind\.pid -- gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
> > > /run/nologin -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > >
> > > /run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> > > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > > index 1422d8e2..f13b7252 100644
> > > --- a/policy/modules/system/systemd.te
> > > +++ b/policy/modules/system/systemd.te
> > > @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
> > >
> > > type systemd_logind_t;
> > > type systemd_logind_exec_t;
> > > +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
> > > init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> > > init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> > >
> > > @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
> > > type systemd_logind_runtime_t alias systemd_logind_var_run_t;
> > > files_pid_file(systemd_logind_runtime_t)
> > > init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> > > +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
> > >
> > > type systemd_logind_var_lib_t;
> > > files_type(systemd_logind_var_lib_t)
> > > @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
> > > # Logind local policy
> > > #
> > >
> > > -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> > > +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
> > > allow systemd_logind_t self:process { getcap setfscreate };
> > > allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> > > allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> > > @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> > > manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> > > manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> > > allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> > > +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> > > +
> > > +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
> > >
> > > manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> > > manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> > > @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
> > >
> > > kernel_read_kernel_sysctls(systemd_logind_t)
> > >
> > > +auth_write_login_records(systemd_logind_t)
> > > +
> > > dev_getattr_dri_dev(systemd_logind_t)
> > > dev_getattr_generic_usb_dev(systemd_logind_t)
> > > dev_getattr_kvm_dev(systemd_logind_t)
> > > @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
> > >
> > > domain_obj_id_change_exemption(systemd_logind_t)
> > >
> > > +files_purge_tmp(systemd_logind_t)
> > > files_read_etc_files(systemd_logind_t)
> > > files_search_pids(systemd_logind_t)
> > >
> > > fs_getattr_cgroup(systemd_logind_t)
> > > +fs_manage_cgroup_dirs(systemd_logind_t)
> > > +fs_manage_cgroup_files(systemd_logind_t)
> > > fs_getattr_tmpfs(systemd_logind_t)
> > > fs_getattr_tmpfs_dirs(systemd_logind_t)
> > > fs_list_tmpfs(systemd_logind_t)
> > > @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
> > > fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
> > > fs_unmount_tmpfs(systemd_logind_t)
> > >
> > > +logging_send_audit_msgs(systemd_logind_t)
> > > +
> > > selinux_get_enforce_mode(systemd_logind_t)
> > >
> > > storage_getattr_removable_dev(systemd_logind_t)
> > > @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
> > >
> > > auth_manage_faillog(systemd_logind_t)
> > >
> > > +init_create_runtime_dirs(systemd_logind_t)
> > > init_dbus_send_script(systemd_logind_t)
> > > init_get_all_units_status(systemd_logind_t)
> > > init_get_system_status(systemd_logind_t)
> > > @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> > > userdom_setattr_user_ttys(systemd_logind_t)
> > > userdom_use_user_ttys(systemd_logind_t)
> > >
> > > +tunable_policy(`use_nfs_home_dirs',`
> > > + fs_read_nfs_files(systemd_logind_t)
> > > +')
> > > +
> > > +tunable_policy(`use_samba_home_dirs',`
> > > + fs_read_cifs_files(systemd_logind_t)
> > > +')
> > > +
> > > # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> > > # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> > > # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
> > > @@ -568,6 +589,10 @@ optional_policy(`
> > > policykit_dbus_chat(systemd_logind_t)
> > > ')
> > >
> > > +optional_policy(`
> > > + shutdown_domtrans(systemd_logind_t)
> > > +')
> > > +
> > > optional_policy(`
> > > xserver_read_state(systemd_logind_t)
> > > xserver_dbus_chat(systemd_logind_t)
> > >
> >
> >
> > --
> > Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

