2022-04-06 17:13:19

by Russell Coker

Subject: [PATCH] machinectl shell and login fixes

This patch fixes a delay in login and allows machinectl shell to work.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20220325/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/init.if
+++ refpolicy-2.20220325/policy/modules/system/init.if
@@ -3301,6 +3301,24 @@ interface(`init_tcp_recvfrom_all_daemons
corenet_tcp_recvfrom_labeled($1, daemon)
')

+######################################
+## <summary>
+## restart systemd units, for /run/systemd/transient/*
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_restart_units',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:service { start status stop };
+')
+
########################################
## <summary>
## Allow the specified domain to connect to daemon with a udp socket
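Review bot: The interface name `init_restart_units` and its summary say "restart", but the rule `allow $1 init_var_run_t:service { start status stop };` grants start, status and stop — the SELinux service class has no restart permission — so the summary should state what is actually granted, e.g. `## Allow the specified domain to start, stop, and get the status of units labeled init_var_run_t.`. That wording also matches the neighbouring interfaces' "Allow the specified domain to ..." phrasing (see the interface that follows), and the header rule of `#` is shorter than the surrounding ones. With start/stop on a type as broad as init_var_run_t, the summary is the only place a policy reader learns the intended scope, so it is worth being precise.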
Index: refpolicy-2.20220325/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20220325/policy/modules/system/locallogin.te
@@ -129,7 +129,8 @@ auth_manage_pam_runtime_files(local_logi
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)

-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)

miscfiles_read_localization(local_login_t)

Index: refpolicy-2.20220325/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20220325/policy/modules/system/systemd.te
@@ -851,6 +851,9 @@ init_start_system(systemd_logind_t)
init_stop_system(systemd_logind_t)
init_watch_utmp(systemd_logind_t)

+# for /run/systemd/transient/*
+init_restart_units(systemd_logind_t)
+
locallogin_read_state(systemd_logind_t)

seutil_libselinux_linked(systemd_logind_t)
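Review bot: The comment `# for /run/systemd/transient/*` names a path rather than the logind operation that needs service start/status/stop, so it only restates the interface summary; something like `# logind starts and stops its transient session units` would explain the grant (I infer the session units from logind's role — confirm against the denial that motivated this). Since the interface is added in init.if by the same patch, the comment is also the only place this file says why logind, of all domains, needs the permission.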
Index: refpolicy-2.20220325/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20220325/policy/modules/system/systemd.if
@@ -19,11 +19,6 @@
## The user domain for the role.
## </summary>
## </param>
-## <param name="pty_type">
-## <summary>
-## The type for the user pty
-## </summary>
-## </param>
#
template(`systemd_role_template',`
gen_require(`
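Review bot: Removing the `pty_type` parameter documentation while the hunk at `@@ -114,6 +111,10 @@` hard-codes `user_devpts_t` changes the template's contract: every role built with systemd_role_template now gets the same pty type instead of its own, and any caller still passing that argument has it silently ignored by m4. If the parameter was previously unused, say so in the commit message; otherwise keeping it and writing `term_user_pty($1_systemd_t, $4)` preserves per-role pty labelling. I infer that pty_type was the fourth parameter from the order of the doc blocks — confirm against the template definition, whose body continues outside this hunk.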
@@ -33,6 +28,7 @@ template(`systemd_role_template',`
type systemd_conf_home_t, systemd_data_home_t;
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
type systemd_user_unit_t, systemd_user_runtime_unit_t;
+ type systemd_machined_t, user_devpts_t;
')

#################################
@@ -60,6 +56,7 @@ template(`systemd_role_template',`
allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
corecmd_shell_domtrans($1_systemd_t, $3)
corecmd_bin_domtrans($1_systemd_t, $3)
+ corecmd_shell_entry_type($1_systemd_t)

# systemctl --user rules
allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
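Review bot: `corecmd_shell_entry_type($1_systemd_t)` makes shell executables an entry point into the per-role systemd domain, which widens the set of binaries that may enter that domain, yet unlike the other machinectl additions in this patch it carries no comment. Add `# for machinectl shell: the shell is executed in $1_systemd_t` above it (I infer the reason from the rest of the patch — confirm it), and consider whether a dedicated domain for the spawned shell would be narrower than reusing the systemd --user domain. The template body continues outside the hunk.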
@@ -114,6 +111,10 @@ template(`systemd_role_template',`
seutil_search_default_contexts($1_systemd_t)
seutil_read_file_contexts($1_systemd_t)

+ # for machinectl shell
+ term_user_pty($1_systemd_t, user_devpts_t)
+ allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
+
systemd_manage_conf_home_content($1_systemd_t)
systemd_manage_data_home_content($1_systemd_t)

@@ -144,6 +145,12 @@ template(`systemd_role_template',`
allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

+ # for "machinectl shell"
+ allow $1_systemd_t systemd_machined_t:fd use;
+ allow $3 systemd_machined_t:fd use;
+ allow $3 systemd_machined_t:dbus send_msg;
+ allow systemd_machined_t $3:dbus send_msg;
+
allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

allow $3 systemd_user_unit_t:service { reload start status stop };
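Review bot: The four rules under `# for "machinectl shell"` are granted unconditionally to every role built with systemd_role_template, so each user domain ($3) gains D-Bus send_msg to and from systemd_machined_t plus fd inheritance from it, whether or not that role is meant to use machinectl. Gating them with a tunable or a separate interface (a constructed name such as `systemd_machined_shell_user($3)`) would leave unprivileged roles at their current exposure; at minimum the comment should say which roles are expected to run machinectl. The comment style also differs from the hunk at `@@ -114,6 +111,10 @@` (`# for machinectl shell`, no quotes). The template body ends outside the hunk.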


2022-04-25 18:47:12

by Chris PeBenito

Subject: Re: [PATCH] machinectl shell and login fixes

On 4/6/22 10:52, Russell Coker wrote:
> This patch fixes a delay in login and allows machinectl shell to work.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20220325/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20220325.orig/policy/modules/system/init.if
> +++ refpolicy-2.20220325/policy/modules/system/init.if
> @@ -3301,6 +3301,24 @@ interface(`init_tcp_recvfrom_all_daemons
> corenet_tcp_recvfrom_labeled($1, daemon)
> ')
>
> +######################################
> +## <summary>
> +## restart systemd units, for /run/systemd/transient/*

There is a new type for these transient units.


> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_restart_units',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:service { start status stop };
> +')
> +
> ########################################
> ## <summary>
> ## Allow the specified domain to connect to daemon with a udp socket
> Index: refpolicy-2.20220325/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20220325.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20220325/policy/modules/system/locallogin.te
> @@ -129,7 +129,8 @@ auth_manage_pam_runtime_files(local_logi
> auth_manage_pam_console_data(local_login_t)
> auth_domtrans_pam_console(local_login_t)
>
> -init_dontaudit_use_fds(local_login_t)
> +# if local_login_t can not inherit fd from init it takes ages to login
> +init_use_fds(local_login_t)
>
> miscfiles_read_localization(local_login_t)
>
> Index: refpolicy-2.20220325/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20220325.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20220325/policy/modules/system/systemd.te
> @@ -851,6 +851,9 @@ init_start_system(systemd_logind_t)
> init_stop_system(systemd_logind_t)
> init_watch_utmp(systemd_logind_t)
>
> +# for /run/systemd/transient/*
> +init_restart_units(systemd_logind_t)
> +
> locallogin_read_state(systemd_logind_t)
>
> seutil_libselinux_linked(systemd_logind_t)
> Index: refpolicy-2.20220325/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20220325.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20220325/policy/modules/system/systemd.if
> @@ -19,11 +19,6 @@
> ## The user domain for the role.
> ## </summary>
> ## </param>
> -## <param name="pty_type">
> -## <summary>
> -## The type for the user pty
> -## </summary>
> -## </param>
> #
> template(`systemd_role_template',`
> gen_require(`
> @@ -33,6 +28,7 @@ template(`systemd_role_template',`
> type systemd_conf_home_t, systemd_data_home_t;
> type systemd_user_runtime_t, systemd_user_runtime_notify_t;
> type systemd_user_unit_t, systemd_user_runtime_unit_t;
> + type systemd_machined_t, user_devpts_t;
> ')
>
> #################################
> @@ -60,6 +56,7 @@ template(`systemd_role_template',`
> allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
> corecmd_shell_domtrans($1_systemd_t, $3)
> corecmd_bin_domtrans($1_systemd_t, $3)
> + corecmd_shell_entry_type($1_systemd_t)
>
> # systemctl --user rules
> allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
> @@ -114,6 +111,10 @@ template(`systemd_role_template',`
> seutil_search_default_contexts($1_systemd_t)
> seutil_read_file_contexts($1_systemd_t)
>
> + # for machinectl shell
> + term_user_pty($1_systemd_t, user_devpts_t)
> + allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
> +
> systemd_manage_conf_home_content($1_systemd_t)
> systemd_manage_data_home_content($1_systemd_t)
>
> @@ -144,6 +145,12 @@ template(`systemd_role_template',`
> allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
> allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
>
> + # for "machinectl shell"
> + allow $1_systemd_t systemd_machined_t:fd use;
> + allow $3 systemd_machined_t:fd use;
> + allow $3 systemd_machined_t:dbus send_msg;
> + allow systemd_machined_t $3:dbus send_msg;
> +
> allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
>
> allow $3 systemd_user_unit_t:service { reload start status stop };


--
Chris PeBenito