2014-08-07 18:05:33

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/5] Supporting tmpfiles

In this patchset a first attempt for tmpfiles is provided.

Dominick, we did look at your implementation in your CIL repo but didn't include
that approach (with opt-in/opt-out object support) for now, and instead opted for a
"basic" set of permissions, and an optional wider set (through a boolean).

Sven Vermeulen (5):
Introduce interface allowing relabeling from/to non-security file types
Introduce interface to relabel from/to pidfile associated types
Introduce interface to manage all non-security-sensitive resource types
Introduce the tmpfiles_t domain
Give kmod access to tmpfiles

policy/modules/kernel/files.if | 73 +++++++++++++++++
policy/modules/system/modutils.te | 5 ++
policy/modules/system/tmpfiles.fc | 7 ++
policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
policy/modules/system/tmpfiles.te | 99 +++++++++++++++++++++++
5 files changed, 345 insertions(+)
create mode 100644 policy/modules/system/tmpfiles.fc
create mode 100644 policy/modules/system/tmpfiles.if
create mode 100644 policy/modules/system/tmpfiles.te

--
1.8.5.5


2014-08-07 18:05:34

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types

This interface can be used by domains that have a need for broad
privileges towards the system, but should not need any privileges
towards security-sensitive types.

Signed-off-by: Jason Zaman <[email protected]>
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/files.if | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 692db45..f2da032 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -543,6 +543,35 @@ interface(`files_write_non_security_dirs',`
allow $1 non_security_file_type:dir write;
')

+#########################################
+## <summary>
+## Allow relabel from and to non-security types
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_non_security_file_types',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ allow $1 non_security_file_type:dir list_dir_perms;
+
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
+
+ # This is only relabelfrom as there should be no device nodes marked with a type
+ # associated with the non_security_file_type attribute
+ relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
########################################
## <summary>
## Allow attempts to manage non-security directories
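Review bot: the comment above relabelfrom_blk_files_pattern / relabelfrom_chr_files_pattern undercuts the two rules it introduces: if no device node should ever carry a type with the non_security_file_type attribute, granting relabelfrom on blk_file and chr_file is dead weight at best and an unexplained escape hatch at worst, so either drop those two lines or name the concrete case that needs them. The interface summary "Allow relabel from and to non-security types" should also spell out that this covers every file class (dir, file, lnk_file, fifo_file, sock_file) on every non-security type, so callers understand how broad it is. Style nit: the header line of the new block uses 41 '#' characters where the neighbouring interfaces use 40.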
--
1.8.5.5

2014-08-07 18:05:35

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/5] Introduce interface to relabel from/to pidfile associated types

This interface can be used by domains needing wide relabel privileges
towards the *_var_run_t and var_run_t types.

Signed-off-by: Jason Zaman <[email protected]>
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/files.if | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f2da032..fd56414 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6304,6 +6304,28 @@ interface(`files_delete_all_pid_dirs',`
delete_dirs_pattern($1, pidfile, pidfile)
')

+#########################################
+## <summary>
+## Allow relabeling from and to any pidfile associated type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:dir list_dir_perms;
+
+ relabel_dirs_pattern($1, pidfile, pidfile)
+ relabel_files_pattern($1, pidfile, pidfile)
+ relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
+
########################################
## <summary>
## Create, read, write and delete all
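Review bot: files_relabel_all_pids covers only dir, file and lnk_file, whereas the non-security counterpart in patch 1 also covers fifo_file and sock_file; since pidfile-typed locations under /run hold daemon sockets and fifos as well, either add relabel_fifo_files_pattern and relabel_sock_files_pattern here or state in the summary that those classes are deliberately left out, so the two interfaces are consistent. Same style nit as patch 1: the new header has 41 '#' characters against 40 for the surrounding ones.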
--
1.8.5.5

2014-08-07 18:05:36

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/5] Introduce interface to manage all non-security-sensitive resource types

This interface can be used by domains that need wide management
privileges on the various file-related types (directories, symbolic
links and the like) but should not need this for security-sensitive
resources.

Signed-off-by: Jason Zaman <[email protected]>
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/files.if | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fd56414..b75d03a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -590,6 +590,28 @@ interface(`files_manage_non_security_dirs',`
allow $1 non_security_file_type:dir manage_dir_perms;
')

+#########################################
+## <summary>
+## Manage non-security-sensitive resource types
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_all_non_security_file_types',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
########################################
## <summary>
## Get the attributes of all files.
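Review bot: the manage_dirs_pattern line duplicates the existing files_manage_non_security_dirs interface shown as context directly above this block; either have the new interface call that one, or drop the dir line and document that callers combine the two (patch 4 calls both inside its tunable, so the dir permissions would currently be granted twice). The summary "Manage non-security-sensitive resource types" should list the classes covered (dir, file, lnk_file, fifo_file, sock_file), and the header again has 41 '#' characters versus 40 for its neighbours.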
--
1.8.5.5

2014-08-07 18:05:37

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain

The tmpfiles application, as documented in [1], is used to prepare directory
structures in runtime, volatile locations (such as /var/run, /run and
perhaps even /tmp and /var/tmp).

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

The need for the tmpfiles application seems to have come forward as systemd
service files ("unit files") are not the flexible shell scripts that are
used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts
usually did the preparation of runtime directories, the systemd service
scripts do not (well, beyond the RuntimeDirectory= directive, that is).

Instead, services are required to create a tmpfiles configuration file
inside one of the following locations, informing the tmpfiles application to
create directories and files as needed:

(a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings)
(b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.)
(c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides of (a.) and (b.)

These files declare what action to perform on a specific location (such as
create a directory) and which ownership to apply (similar to the install(1)
application it seems).

In both systemd and OpenRC, the tmpfiles application is SELinux-aware,
(re)setting the context of the target.

Signed-off-by: Jason Zaman <[email protected]>
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/tmpfiles.fc | 7 ++
policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
policy/modules/system/tmpfiles.te | 99 +++++++++++++++++++++++
3 files changed, 267 insertions(+)
create mode 100644 policy/modules/system/tmpfiles.fc
create mode 100644 policy/modules/system/tmpfiles.if
create mode 100644 policy/modules/system/tmpfiles.te

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath -- gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh -- gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+
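Review bot: /lib/rc/bin/checkpath is labelled tmpfiles_exec_t, and together with init_daemon_domain(tmpfiles_t, tmpfiles_exec_t) in the .te file that makes every init-driven execution of checkpath transition into tmpfiles_t; if checkpath is also run by ordinary OpenRC init scripts rather than only by tmpfiles.sh, those calls would now run with the full tmpfiles_t permission set, so confirm this is intended or give checkpath its own type. The commit message says the domain serves both systemd and OpenRC, yet only OpenRC paths are labelled here and the systemd-tmpfiles binary gets no entry; either add one or narrow the message. Minor: the new file begins and ends with an empty line, drop both.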
diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..09897fc
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,161 @@
+## <summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
+
+########################################
+## <summary>
+## Read resources in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+ allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run_files',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+ tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+## Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run_files',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+ tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+## Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run_files',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ tmpfiles_read_var_run($1)
+
+ manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+## Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 tmpfiles_conf_t:dir list_dir_perms;
+ allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_create_conf_files',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+ tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+## Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_write_conf_files',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+ tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+## Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf_files',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+ tmpfiles_read_conf($1)
+')
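Review bot: the <param> summaries of tmpfiles_read_var_run and tmpfiles_read_conf read "Domain allowed to transition." although both interfaces only grant search, list and read access; change them to "Domain allowed access." like the other six interfaces in this file. Also, the summaries refer to /run/tmpfiles.d/ while the .fc file labels /var/run/tmpfiles.d; pick one spelling of the path for the module so the interface documentation and the file contexts agree.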
diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..56a5379
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,99 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether tmpfiles can manage
+## all non-security sensitive resources.
+## Without this, it is only allowed rights towards
+## /run, /tmp, /dev and /var/lock.
+## </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;
+
+list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+
+manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+corecmd_exec_bin(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+
+dev_create_all_chr_files(tmpfiles_t)
+dev_create_generic_chr_files(tmpfiles_t)
+dev_create_generic_dirs(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_relabel_all_dev_nodes(tmpfiles_t)
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_generic_dirs(tmpfiles_t)
+
+files_getattr_generic_locks(tmpfiles_t)
+files_getattr_tmp_dirs(tmpfiles_t)
+files_manage_all_pids(tmpfiles_t)
+files_manage_cgroup_files(tmpfiles_t)
+files_manage_generic_locks(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pids(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+fs_getattr_all_fs(tmpfiles_t)
+fs_getattr_tmpfs_dirs(tmpfiles_t)
+
+selinux_get_enforce_mode(tmpfiles_t)
+
+auth_use_nsswitch(tmpfiles_t)
+
+init_exec_rc(tmpfiles_t)
+
+miscfiles_read_localization(tmpfiles_t)
+
+seutil_exec_setfiles(tmpfiles_t)
+seutil_libselinux_linked(tmpfiles_t)
+seutil_read_file_contexts(tmpfiles_t)
+
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+ files_manage_non_security_dirs(tmpfiles_t)
+ files_manage_all_non_security_file_types(tmpfiles_t)
+ files_relabel_all_non_security_file_types(tmpfiles_t)
+')
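Review bot: the tunable description claims that without tmpfiles_manage_all_non_security the domain is "only allowed rights towards /run, /tmp, /dev and /var/lock", but the unconditional block already grants files_manage_var_dirs and files_manage_var_files (generic /var content) and files_manage_cgroup_files, plus dev_create_all_chr_files and dev_relabel_all_dev_nodes on the device side; update the <desc> so an administrator can judge what the boolean really adds. Inside the tunable, files_manage_non_security_dirs is subsumed by files_manage_all_non_security_file_types as written in patch 3, so one of the two calls can go. Style: there are double blank lines after files_pid_file(tmpfiles_var_run_t) and after seutil_read_file_contexts(tmpfiles_t).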
--
1.8.5.5

2014-08-07 18:05:38

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/5] Give kmod access to tmpfiles

Upon boot, the kmod application (running as insmod_t) can generate a
tmpfiles configuration file to allow tmpfiles to relabel and set the
required static device nodes for the kernel:

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

This requires the insmod_t domain to have create/write privileges
towards the /run/tmpfiles.d location.

Signed-off-by: Jason Zaman <[email protected]>
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/modutils.te | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 59ecb2b..dde3f02 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -228,6 +228,11 @@ optional_policy(`
')

optional_policy(`
+ tmpfiles_create_var_run_files(insmod_t)
+ tmpfiles_write_var_run_files(insmod_t)
+')
+
+optional_policy(`
unconfined_domain(insmod_t)
unconfined_dontaudit_rw_pipes(insmod_t)
')
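Review bot: the new optional_policy block lets insmod_t create and write files of type tmpfiles_var_run_t, but nothing in the series gives /run/tmpfiles.d that label at creation time: the .fc entry only applies when the tree is relabelled, and /run is a freshly mounted tmpfs at boot, so whichever domain runs the mkdir beforehand will produce a generic pid directory and the kmod command in the commit message would be denied unless insmod_t already has generic pid-file permissions. Either add a files_pid_filetrans(insmod_t, tmpfiles_var_run_t, dir, "tmpfiles.d") with the matching directory create permission, or state which domain is expected to create the directory with the right context. The read side is already covered because tmpfiles_create_var_run_files calls tmpfiles_read_var_run, so no further change is needed there.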
--
1.8.5.5
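
An added example, not part of Sven's series or of refpolicy: a small Python audit helper that applies the (a.)/(b.)/(c.) search order from the PATCH 4/5 message and reports which packaged fragments are shadowed by a copy in the runtime-writable /run/tmpfiles.d that PATCH 5/5 opens to insmod_t. The seven-field line layout and the rule that a fragment with the same basename replaces a lower-precedence one are taken from tmpfiles.d(5), not from the patches, and the sample layout is constructed.

```python
"""Resolve which tmpfiles.d fragment is effective and flag runtime overrides."""
from typing import Dict, List, Tuple

# Lowest to highest precedence, as listed in the PATCH 4/5 commit message:
# packaged defaults, then dynamically generated overrides, then local ones.
SEARCH_DIRS = ("/usr/lib/tmpfiles.d", "/run/tmpfiles.d", "/etc/tmpfiles.d")

Layout = Dict[str, Dict[str, str]]  # search dir -> {basename: file contents}


def effective_fragments(layout: Layout) -> Dict[str, Tuple[str, str]]:
    """Return basename -> (directory whose copy wins, its contents).

    Per tmpfiles.d(5) a fragment with the same basename in a higher-precedence
    directory replaces the lower-precedence one entirely; only *.conf counts.
    """
    winners: Dict[str, Tuple[str, str]] = {}
    for directory in SEARCH_DIRS:  # later directories overwrite earlier ones
        for name, contents in layout.get(directory, {}).items():
            if name.endswith(".conf"):
                winners[name] = (directory, contents)
    return winners


def parse_fragment(contents: str) -> List[Tuple[str, ...]]:
    """Split a fragment into 7-field entries (type path mode uid gid age arg).

    Blank lines and comments are skipped; missing trailing fields are padded
    with "-", the manpage's marker for an unset field.
    """
    entries: List[Tuple[str, ...]] = []
    for raw in contents.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        fields += ["-"] * (7 - len(fields))
        entries.append(tuple(fields))
    return entries


def shadowed_by_runtime(layout: Layout) -> List[str]:
    """Basenames whose packaged copy is replaced by one in /run/tmpfiles.d.

    These are the entries to audit: whatever may write /run/tmpfiles.d decides
    what tmpfiles creates there, with which mode and which owner.
    """
    packaged = layout.get("/usr/lib/tmpfiles.d", {})
    winners = effective_fragments(layout)
    return sorted(name for name, (where, _) in winners.items()
                  if where == "/run/tmpfiles.d" and name in packaged)


# Constructed sample layout; paths and device numbers are made up.
SAMPLE_LAYOUT: Layout = {
    "/usr/lib/tmpfiles.d": {
        "kmod.conf": "d /run/example 0755 root root -\n",
        "README": "not a fragment, ignored\n",
    },
    "/run/tmpfiles.d": {
        # Shape of a generated kmod.conf: a character device node entry.
        "kmod.conf": "# generated\nc /dev/example 0600 root root - 1:2\n",
    },
    "/etc/tmpfiles.d": {
        "local.conf": "d /run/local 0750 root root -\n",
    },
}

if __name__ == "__main__":
    for name, (where, contents) in sorted(effective_fragments(SAMPLE_LAYOUT).items()):
        print(f"{name}: effective copy from {where}")
        for entry in parse_fragment(contents):
            print("   ", entry)
    print("shadowed by /run/tmpfiles.d:", shadowed_by_runtime(SAMPLE_LAYOUT))
```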

2014-08-14 19:35:47

by cpebenito

Subject: [refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types

On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> This interface can be used by domains that have a need for broad
> privileges towards the system, but should not need any privileges
> towards security-sensitive types.
[..]
> +interface(`files_relabel_all_non_security_file_types',`
> + gen_require(`
> + attribute non_security_file_type;
> + ')
> +
> + allow $1 non_security_file_type:dir list_dir_perms;
> +
> + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> +
> + # This is only relabelfrom as there should be no device nodes marked with a type
> + # associated with the non_security_file_type attribute
> + relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
> + relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
> +')

While there are a few interfaces that are like this with broad object
class usage, I'd rather not have them. I'd prefer that they are broken
up into individual interfaces. #3 patch is like this too.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-08-14 19:40:08

by cpebenito

Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain

On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> +policy_module(tmpfiles, 1.0.0)
[...]
> +type tmpfiles_var_run_t;
> +files_pid_file(tmpfiles_var_run_t)

Nothing really jumped out at me as being a problem, but since most
(all?) distributions have moved towards these files being in /run, I'd
prefer to get away from having "var_run" in the type names. Why don't
we go with something like tmpfiles_run_t or tmpfiles_pid_t?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-08-14 19:53:32

by dominick.grift

Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain

On Thu, 2014-08-14 at 15:40 -0400, Christopher J. PeBenito wrote:
> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> > +policy_module(tmpfiles, 1.0.0)
> [...]
> > +type tmpfiles_var_run_t;
> > +files_pid_file(tmpfiles_var_run_t)
>
> Nothing really jumped out at me as being a problem, but since most
> (all?) distributions have moved towards these files being in /run, I'd
> prefer to get away from having "var_run" in the type names. Why don't
> we go with something like tmpfiles_run_t or tmpfiles_pid_t?
>

In that policy tmpfiles is allowed to create chars with type device_t

Also this is not tmpfiles, this is a shell script that mimics tmpfiles

tmpfiles does not run setfiles, it uses libselinux

2014-08-15 09:31:46

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types

On Thu, Aug 14, 2014 at 03:35:47PM -0400, Christopher J. PeBenito wrote:
> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> > This interface can be used by domains that have a need for broad
> > privileges towards the system, but should not need any privileges
> > towards security-sensitive types.
> [..]
> > +interface(`files_relabel_all_non_security_file_types',`
> > + gen_require(`
> > + attribute non_security_file_type;
> > + ')
> > +
> > + allow $1 non_security_file_type:dir list_dir_perms;
> > +
> > + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
> > + relabel_files_pattern($1, non_security_file_type, non_security_file_type)
> > + relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
> > + relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
> > + relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
> > +
> > + # This is only relabelfrom as there should be no device nodes marked with a type
> > + # associated with the non_security_file_type attribute
> > + relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
> > + relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
> > +')
>
> While there are a few interfaces that are like this with broad object
> class usage, I'd rather not have them. I'd prefer that they are broken
> up into individual interfaces. #3 patch is like this too.

As in, iterate over all the various types that would be matched?

Although I can do that, that might result in many, many more interfaces
being necessary and having updates on the domain as users configure
tmpfiles.

Or we can go the other route and not include the broad privileges to start
with (only the basic resource types such as the pidfiles) until users
start complaining about tmpfiles not creating the directory, socket or file,
and adapt the policy as things go along.

Wkr,
Sven Vermeulen

2014-08-15 09:35:23

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain

On Thu, Aug 14, 2014 at 03:40:08PM -0400, Christopher J. PeBenito wrote:
> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> > +policy_module(tmpfiles, 1.0.0)
> [...]
> > +type tmpfiles_var_run_t;
> > +files_pid_file(tmpfiles_var_run_t)
>
> Nothing really jumped out at me as being a problem, but since most
> (all?) distributions have moved towards these files being in /run, I'd
> prefer to get away from having "var_run" in the type names. Why don't
> we go with something like tmpfiles_run_t or tmpfiles_pid_t?

I prefer the _run_t suffix, even though this would mean that there will be
interfaces ending with "_run" which aren't the standard _run interfaces (as
in, assign role and perform a domain transition).

But unless some developer starts naming an application "read" or "manage", I
think we can deal with that through the name: tmpfiles_read_run versus
tmpfiles_run.

I'm okay with _pid_t too, but I prefer _run_t because _pid_t "sounds" like
it is specific to pid files (*.pid) whereas /run resources are used for
much, much more than that.

Wkr,
Sven Vermeulen

2014-08-15 09:39:31

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain

On Thu, Aug 14, 2014 at 09:53:32PM +0200, Dominick Grift wrote:
> On Thu, 2014-08-14 at 15:40 -0400, Christopher J. PeBenito wrote:
> > On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
> > > +policy_module(tmpfiles, 1.0.0)
> > [...]
> > > +type tmpfiles_var_run_t;
> > > +files_pid_file(tmpfiles_var_run_t)
> >
> > Nothing really jumped out at me as being a problem, but since most
> > (all?) distributions have moved towards these files being in /run, I'd
> > prefer to get away from having "var_run" in the type names. Why don't
> > we go with something like tmpfiles_run_t or tmpfiles_pid_t?
> >
>
> In that policy tmpfiles is allowed to create chars with type device_t
>
> Also this is not tmpfiles, this is a shell script that mimics tmpfiles

I think that's a matter of looking at things. I see "tmpfiles" as the API
and functionality as described by freedesktop.org, and the main
implementation of it is systemd-tmpfiles, but other implementations exist as
well.

The reference policy has many examples of domains that are providing the
rules for multiple implementations.

> tmpfiles does not run setfiles, it uses libselinux

I'll happily put the Gentoo specifics inside an ifdef(`distro_gentoo',...)
block once I know which ones that would be.

Wkr,
Sven Vermeulen

2014-08-15 15:30:23

by Daniel Walsh

Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain


On 08/15/2014 05:35 AM, Sven Vermeulen wrote:
> On Thu, Aug 14, 2014 at 03:40:08PM -0400, Christopher J. PeBenito wrote:
>> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
>>> +policy_module(tmpfiles, 1.0.0)
>> [...]
>>> +type tmpfiles_var_run_t;
>>> +files_pid_file(tmpfiles_var_run_t)
>> Nothing really jumped out at me as being a problem, but since most
>> (all?) distributions have moved towards these files being in /run, I'd
>> prefer to get away from having "var_run" in the type names. Why don't
>> we go with something like tmpfiles_run_t or tmpfiles_pid_t?
> I prefer the _run_t suffix, even though this would mean that there will be
> interfaces ending with "_run" which aren't the standard _run interfaces (as
> in, assign role and perform a domain transition).
>
> But unless some developer starts naming an application "read" or "manage", I
> think we can deal with that through the name: tmpfiles_read_run versus
> tmpfiles_run.
>
> I'm okay with _pid_t too, but I prefer _run_t because _pid_t "sounds" like
> it is specific to pid files (*.pid) whereas /run resources are used for
> much, more more than that.
>
> Wkr,
> Sven Vermeulen
I like _run also.

2014-08-18 14:57:10

by cpebenito

Subject: [refpolicy] [PATCH 1/5] Introduce interface allowing relabeling from/to non-security file types

On 8/15/2014 5:31 AM, Sven Vermeulen wrote:
> On Thu, Aug 14, 2014 at 03:35:47PM -0400, Christopher J. PeBenito wrote:
>> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
>>> This interface can be used by domains that have a need for broad
>>> privileges towards the system, but should not need any privileges
>>> towards security-sensitive types.
>> [..]
>>> +interface(`files_relabel_all_non_security_file_types',`
>>> + gen_require(`
>>> + attribute non_security_file_type;
>>> + ')
>>> +
>>> + allow $1 non_security_file_type:dir list_dir_perms;
>>> +
>>> + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabel_files_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +
>>> + # This is only relabelfrom as there should be no device nodes marked with a type
>>> + # associated with the non_security_file_type attribute
>>> + relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type)
>>> + relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type)
>>> +')
>>
>> While there are a few interfaces that are like this with broad object
>> class usage, I'd rather not have them. I'd prefer that they are broken
>> up into individual interfaces. #3 patch is like this too.
>
> As in, iterate over all the various types that would be matched?

Yes.

> Although I can do that, that might result in many, many more interfaces
> being necessary and having updates on the domain as users configure
> tmpfiles.
>
> Or we can go the other route and not include the broad privileges to start
> with (only the basic resource types such as the pidfiles) until users
> start complaining about tmpfiles not creating the directory, socket or file,
> and adapt the policy as things go along.

I'm fine with that too.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-08-18 16:51:18

by cpebenito

Subject: [refpolicy] [PATCH 4/5] Introduce the tmpfiles_t domain

On 8/15/2014 5:35 AM, Sven Vermeulen wrote:
> On Thu, Aug 14, 2014 at 03:40:08PM -0400, Christopher J. PeBenito wrote:
>> On 8/7/2014 2:05 PM, Sven Vermeulen wrote:
>>> +policy_module(tmpfiles, 1.0.0)
>> [...]
>>> +type tmpfiles_var_run_t;
>>> +files_pid_file(tmpfiles_var_run_t)
>>
>> Nothing really jumped out at me as being a problem, but since most
>> (all?) distributions have moved towards these files being in /run, I'd
>> prefer to get away from having "var_run" in the type names. Why don't
>> we go with something like tmpfiles_run_t or tmpfiles_pid_t?
>
> I prefer the _run_t suffix, even though this would mean that there will be
> interfaces ending with "_run" which aren't the standard _run interfaces (as
> in, assign role and perform a domain transition).
>
> But unless some developer starts naming an application "read" or "manage", I
> think we can deal with that through the name: tmpfiles_read_run versus
> tmpfiles_run.
>
> I'm okay with _pid_t too, but I prefer _run_t because _pid_t "sounds" like
> it is specific to pid files (*.pid) whereas /run resources are used for
> much, more more than that.

How about _runtime? There already are a couple types with that naming.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com