2017-04-14 15:41:20

by Russell Coker

Subject: [refpolicy] [PATCH] more systemd stuff

This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.

It has a number of changes needed by systemd_logind_t to set permissions for
local logins.

It has some more permissions that systemd_machined_t needs; I don't think it's
everything that systemd_machined_t needs, but it's a start.

It has some changes for udev_t for systemd-udevd.

Index: refpolicy-2.20170410/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170410/policy/modules/system/systemd.if
@@ -467,3 +467,21 @@ interface(`systemd_tmpfilesd_managed',`

allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
+
+######################################
+## <summary>
+## Allow to domain to create systemd-passwd symlink
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_lnk_file_passwd_run',`
+ gen_require(`
+ type systemd_passwd_var_run_t;
+ ')
+
+ allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
+')
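Review bot: The summary of `systemd_manage_lnk_file_passwd_run` says the domain may "create" the systemd-passwd symlink, but `manage_lnk_file_perms` also grants read, write, rename, setattr and unlink, so the documentation understates what the interface hands out; suggest `## Manage (create, read, rename and delete) systemd-passwd symlinks in /run.`, which also fixes the "Allow to domain" typo. The name also looks out of step with how other modules name symlink interfaces (object then location, e.g. a `systemd_manage_passwd_run_symlinks` form); worth aligning before callers appear. A caller will presumably also need search on the pid directory to reach the link; confirm whether the interface should include that, as similar /run interfaces do.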
Index: refpolicy-2.20170410/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170410/policy/modules/system/systemd.te
@@ -342,20 +342,25 @@ allow systemd_logind_t systemd_sessions_
kernel_read_kernel_sysctls(systemd_logind_t)

dev_getattr_dri_dev(systemd_logind_t)
+dev_getattr_generic_usb_dev(systemd_logind_t)
dev_getattr_kvm_dev(systemd_logind_t)
dev_getattr_sound_dev(systemd_logind_t)
+dev_getattr_video_dev(systemd_logind_t)
dev_manage_wireless(systemd_logind_t)
dev_read_urand(systemd_logind_t)
dev_rw_dri(systemd_logind_t)
dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)

domain_obj_id_change_exemption(systemd_logind_t)

files_read_etc_files(systemd_logind_t)
+files_dontaudit_getattr_tmpfs_file(systemd_logind_t)
files_search_pids(systemd_logind_t)

fs_getattr_cgroup(systemd_logind_t)
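Review bot: The four new `dev_getattr_*`/`dev_setattr_*` lines for generic USB and video devices carry no comment on which logind operation needs them, whereas every udev addition in this patch states its trigger. The cover letter says these are for setting permissions on local logins, so a comment such as `# set ACLs on seat devices (uaccess) for local sessions` next to the setattr lines would record that; confirm the wording against what logind actually does here. Note that `dev_setattr_generic_usb_dev` covers every USB device node, not only the ones tagged for the seat, so the comment is also the place to record that the breadth was considered.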
@@ -448,7 +453,7 @@ optional_policy(`
# machined local policy
#

-allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
allow systemd_machined_t self:process setfscreate;
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };

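Review bot: `setgid` and `sys_chroot` are added to systemd_machined_t's capability set without a comment on which machined operation requires them, and both are considerably broader than the original `sys_ptrace` grant (sys_chroot lets the daemon change root into another filesystem tree). The cover letter only says machined "needs" more permissions; a one-line comment in the style used elsewhere in the patch, e.g. `# sys_chroot/setgid: entering a container's filesystem and groups for machinectl — confirm`, would let a later reader judge whether the grant is still needed. It is also worth confirming the denials came from a real machined action rather than capability probing, since capability dontaudits are the usual answer to the latter.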
@@ -462,6 +467,7 @@ files_read_etc_files(systemd_machined_t)

fs_getattr_cgroup(systemd_machined_t)
fs_getattr_tmpfs(systemd_machined_t)
+fs_read_nsfs_files(systemd_machined_t)

selinux_getattr_fs(systemd_machined_t)

Index: refpolicy-2.20170410/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170410/policy/modules/system/udev.te
@@ -15,6 +15,8 @@ domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
init_named_socket_activation(udev_t, udev_var_run_t)

+init_domtrans_script(udev_t)
+
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)

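Review bot: `init_domtrans_script(udev_t)` lets udev transition into the init script domain, which is a much larger grant than anything else in this hunk, and the line has no comment on which udev rule or helper runs an init script. Every other udev addition in this patch explains its trigger (interface renames, xen domu start, the Debian bug), so this one should too, e.g. `# udev rule that RUN=s an init script (name it here)`. If the rule in question ships with one distribution only, the call belongs inside the matching `ifdef(`distro_...')` block like the Debian-specific lines later in this file.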
@@ -27,6 +29,7 @@ files_type(udev_rules_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
init_daemon_pid_file(udev_var_run_t, dir, "udev")
+files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")

ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
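Review bot: The `files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")` line sits in the distro-independent part of udev.te, while the comparable `xen-hotplug` transition later in this patch is under `ifdef(`distro_debian')`. console-setup appears to be a Debian package, so consider moving this line next to the xen-hotplug one so other distributions do not carry an unused name transition. A short comment naming the udev rule that creates /run/console-setup would also help, in the style of the other udev additions here.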
@@ -57,6 +60,9 @@ allow udev_t self:netlink_kobject_uevent
allow udev_t self:netlink_generic_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;

+# for systemd-udevd to rename interfaces
+allow udev_t self:netlink_route_socket nlmsg_write;
+
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)

@@ -128,6 +134,7 @@ fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
fs_read_cgroup_files(udev_t)
fs_rw_anon_inodefs_files(udev_t)
+fs_search_tracefs_dirs(udev_t)

mcs_ptrace_all(udev_t)

@@ -183,10 +190,14 @@ sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
+sysnet_var_run_dirtrans_config(udev_t, "network")

userdom_dontaudit_search_user_home_content(udev_t)

ifdef(`distro_debian',`
+ # for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
+ files_read_default_files(udev_t)
+
files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")

optional_policy(`
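Review bot: `files_read_default_files(udev_t)` grants udev read access to every file labelled default_t, and default_t is what a path gets when no file context matches it, so the grant usually papers over a missing fcontext entry rather than a permission udev genuinely needs. The Debian bug referenced in the comment is the place to confirm which path is mislabelled; if it is known, a file context entry for it would be narrower and this allow could be dropped. The `ifdef(`distro_debian')` block containing these lines continues beyond the end of the hunk.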
@@ -202,6 +213,11 @@ ifdef(`distro_debian',`
')
')

+optional_policy(`
+ # for systemd-udevd when starting xen domu
+ virt_read_config(udev_t)
+')
+
ifdef(`distro_gentoo',`
# during boot, init scripts use /dev/.rcsysinit
# existence to determine if we are in early booting
@@ -344,6 +360,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
+ fs_manage_xenfs_files(udev_t)
')

optional_policy(`
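Review bot: `fs_manage_xenfs_files(udev_t)` grants create, write, rename and unlink on xenfs files, while the neighbouring xen lines only read state and image files; if udev only needs to read and write existing xenfs entries when a domu starts, a read/write interface (if the filesystem module provides one) would be the narrower choice, so confirm what the observed denial was. The line also has no comment, unlike the other xen-related addition in this patch (`# for systemd-udevd when starting xen domu`), and the same comment would fit here. The optional_policy block that encloses this line begins before the hunk.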
Index: refpolicy-2.20170410/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170410/policy/modules/kernel/files.if
@@ -433,6 +433,24 @@ interface(`files_tmpfs_file',`

########################################
## <summary>
+## Do not audit getattr of /dev/shm files
+## </summary>
+## <param name="type">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmpfs_file',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ dontaudit $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
## Get the attributes of all directories.
## </summary>
## <param name="domain">
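Review bot: The summary of `files_dontaudit_getattr_tmpfs_file` says "/dev/shm files", but the rule is written against the `tmpfsfile` attribute, i.e. every type declared through `files_tmpfs_file`, so the documentation is narrower than the rule; `## Do not audit attempts to get the attributes of all tmpfs file types.` describes what it does. The parameter is named `type` with the summary "Domain to not audit", whereas the neighbouring interface in this hunk uses `<param name="domain">`; the parameter should be renamed and the summary terminated with a period to match the file's style.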
Index: refpolicy-2.20170410/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170410/policy/modules/kernel/filesystem.if
@@ -4695,6 +4713,24 @@ interface(`fs_getattr_tracefs',`
')

########################################
+## <summary>
+## search directories on a tracefs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_tracefs_dirs',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ allow $1 tracefs_t:dir search;
+')
+
+########################################
## <summary>
## Get the attributes of files
## on a trace filesystem.
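Review bot: The hunk header `@@ -4695,6 +4713,24 @@` shows an 18-line offset between old and new sides before any line of this hunk, while every other first hunk in the patch starts with identical offsets, which suggests this filesystem.if change was generated on top of an earlier, unsubmitted edit to the same file and may not apply cleanly against refpolicy-2.20170410. The summary `search directories on a tracefs filesystem` is also lowercase and unterminated, unlike the surrounding summaries; `## Search directories on a tracefs filesystem.` matches the file's style.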
Index: refpolicy-2.20170410/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170410/policy/modules/system/sysnetwork.if
@@ -461,6 +461,31 @@ interface(`sysnet_etc_filetrans_config',

#######################################
## <summary>
+## Create directories in /var/run with the type used for
+## the network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`sysnet_var_run_dirtrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_pid_filetrans($1, net_conf_t, dir, $2)
+ allow $1 net_conf_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
## Create, read, write, and delete network config files.
## </summary>
## <param name="domain">
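Review bot: The summary of `sysnet_var_run_dirtrans_config` only mentions creating directories in /var/run, but `allow $1 net_conf_t:dir create_dir_perms` grants the create_dir_perms set on every net_conf_t directory wherever it lives, not only the one produced by the name transition; the summary should state that, e.g. `## Create a net_conf_t directory in /var/run; also allows creating net_conf_t directories.`. `name` is declared optional yet `$2` is passed unconditionally to `files_pid_filetrans`, so confirm that interface accepts an empty fourth argument (its definition is not in this patch).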


2017-04-14 17:38:06

by Christian Göttsche

Subject: [refpolicy] [PATCH] more systemd stuff

2017-04-14 17:41 GMT+02:00 Russell Coker via refpolicy
<[email protected]>:
> This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
> I'll add another patch to use shortly.
>
> It has a number of changes needed by systemd_logind_t to set permissions for
> local logins.
>
> It has some more permissions that systemd_machined_t needs, I don't think it's
> everything that systemd_machined_t needs but it's a start.
>
> It has some changes for udev_t for systemd-udevd.
>
> Index: refpolicy-2.20170410/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170410/policy/modules/system/systemd.if
> @@ -467,3 +467,21 @@ interface(`systemd_tmpfilesd_managed',`
>
> allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
> ')
> +
> +######################################
> +## <summary>
> +## Allow to domain to create systemd-passwd symlink
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_manage_lnk_file_passwd_run',`
> + gen_require(`
> + type systemd_passwd_var_run_t;
> + ')
> +
> + allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
> +')
> Index: refpolicy-2.20170410/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170410/policy/modules/system/systemd.te
> @@ -342,20 +342,25 @@ allow systemd_logind_t systemd_sessions_
> kernel_read_kernel_sysctls(systemd_logind_t)
>
> dev_getattr_dri_dev(systemd_logind_t)
> +dev_getattr_generic_usb_dev(systemd_logind_t)
> dev_getattr_kvm_dev(systemd_logind_t)
> dev_getattr_sound_dev(systemd_logind_t)
> +dev_getattr_video_dev(systemd_logind_t)
> dev_manage_wireless(systemd_logind_t)
> dev_read_urand(systemd_logind_t)
> dev_rw_dri(systemd_logind_t)
> dev_rw_input_dev(systemd_logind_t)
> dev_rw_sysfs(systemd_logind_t)
> dev_setattr_dri_dev(systemd_logind_t)
> +dev_setattr_generic_usb_dev(systemd_logind_t)
> dev_setattr_kvm_dev(systemd_logind_t)
> dev_setattr_sound_dev(systemd_logind_t)
> +dev_setattr_video_dev(systemd_logind_t)
>
> domain_obj_id_change_exemption(systemd_logind_t)
>
> files_read_etc_files(systemd_logind_t)
> +files_dontaudit_getattr_tmpfs_file(systemd_logind_t)

Do we want to dontaudit this?
I think it is related to
https://www.freedesktop.org/software/systemd/man/logind.conf.html#RemoveIPC=

> files_search_pids(systemd_logind_t)
>
> fs_getattr_cgroup(systemd_logind_t)
> @@ -448,7 +453,7 @@ optional_policy(`
> # machined local policy
> #
>
> -allow systemd_machined_t self:capability sys_ptrace;
> +allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
> allow systemd_machined_t self:process setfscreate;
> allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
>
> @@ -462,6 +467,7 @@ files_read_etc_files(systemd_machined_t)
>
> fs_getattr_cgroup(systemd_machined_t)
> fs_getattr_tmpfs(systemd_machined_t)
> +fs_read_nsfs_files(systemd_machined_t)
>
> selinux_getattr_fs(systemd_machined_t)
>
> Index: refpolicy-2.20170410/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170410/policy/modules/system/udev.te
> @@ -15,6 +15,8 @@ domain_interactive_fd(udev_t)
> init_daemon_domain(udev_t, udev_exec_t)
> init_named_socket_activation(udev_t, udev_var_run_t)
>
> +init_domtrans_script(udev_t)
> +
> type udev_etc_t alias etc_udev_t;
> files_config_file(udev_etc_t)
>
> @@ -27,6 +29,7 @@ files_type(udev_rules_t)
> type udev_var_run_t;
> files_pid_file(udev_var_run_t)
> init_daemon_pid_file(udev_var_run_t, dir, "udev")
> +files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")
>
> ifdef(`enable_mcs',`
> kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
> @@ -57,6 +60,9 @@ allow udev_t self:netlink_kobject_uevent
> allow udev_t self:netlink_generic_socket create_socket_perms;
> allow udev_t self:rawip_socket create_socket_perms;
>
> +# for systemd-udevd to rename interfaces
> +allow udev_t self:netlink_route_socket nlmsg_write;
> +
> allow udev_t udev_exec_t:file write;
> can_exec(udev_t, udev_exec_t)
>
> @@ -128,6 +134,7 @@ fs_getattr_all_fs(udev_t)
> fs_list_inotifyfs(udev_t)
> fs_read_cgroup_files(udev_t)
> fs_rw_anon_inodefs_files(udev_t)
> +fs_search_tracefs_dirs(udev_t)
>
> mcs_ptrace_all(udev_t)
>
> @@ -183,10 +190,14 @@ sysnet_delete_dhcpc_pid(udev_t)
> sysnet_signal_dhcpc(udev_t)
> sysnet_manage_config(udev_t)
> sysnet_etc_filetrans_config(udev_t)
> +sysnet_var_run_dirtrans_config(udev_t, "network")
>
> userdom_dontaudit_search_user_home_content(udev_t)
>
> ifdef(`distro_debian',`
> + # for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
> + files_read_default_files(udev_t)
> +
> files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
>
> optional_policy(`
> @@ -202,6 +213,11 @@ ifdef(`distro_debian',`
> ')
> ')
>
> +optional_policy(`
> + # for systemd-udevd when starting xen domu
> + virt_read_config(udev_t)
> +')
> +
> ifdef(`distro_gentoo',`
> # during boot, init scripts use /dev/.rcsysinit
> # existence to determine if we are in early booting
> @@ -344,6 +360,7 @@ optional_policy(`
> kernel_read_xen_state(udev_t)
> xen_manage_log(udev_t)
> xen_read_image_files(udev_t)
> + fs_manage_xenfs_files(udev_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170410/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170410/policy/modules/kernel/files.if
> @@ -433,6 +433,24 @@ interface(`files_tmpfs_file',`
>
> ########################################
> ## <summary>
> +## Do not audit getattr of /dev/shm files
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Domain to not audit
> +## </summary>
> +## </param>
> +#
> +interface(`files_dontaudit_getattr_tmpfs_file',`
> + gen_require(`
> + attribute tmpfsfile;
> + ')
> +
> + dontaudit $1 tmpfsfile:file getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of all directories.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170410/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170410/policy/modules/kernel/filesystem.if
> @@ -4695,6 +4713,24 @@ interface(`fs_getattr_tracefs',`
> ')
>
> ########################################
> +## <summary>
> +## search directories on a tracefs filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_search_tracefs_dirs',`
> + gen_require(`
> + type tracefs_t;
> + ')
> +
> + allow $1 tracefs_t:dir search;
> +')
> +
> +########################################
> ## <summary>
> ## Get the attributes of files
> ## on a trace filesystem.
> Index: refpolicy-2.20170410/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20170410/policy/modules/system/sysnetwork.if
> @@ -461,6 +461,31 @@ interface(`sysnet_etc_filetrans_config',
>
> #######################################
> ## <summary>
> +## Create directories in /var/run with the type used for
> +## the network config files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_var_run_dirtrans_config',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_pid_filetrans($1, net_conf_t, dir, $2)
> + allow $1 net_conf_t:dir create_dir_perms;
> +')
> +
> +#######################################
> +## <summary>
> ## Create, read, write, and delete network config files.
> ## </summary>
> ## <param name="domain">

2017-04-16 23:49:05

by Chris PeBenito

Subject: [refpolicy] [PATCH] more systemd stuff

On 04/14/2017 11:41 AM, Russell Coker via refpolicy wrote:
> This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
> I'll add another patch to use shortly.
>
> It has a number of changes needed by systemd_logind_t to set permissions for
> local logins.
>
> It has some more permissions that systemd_machined_t needs, I don't think it's
> everything that systemd_machined_t needs but it's a start.
>
> It has some changes for udev_t for systemd-udevd.

I merged this except for the one other question posed and:

> +interface(`sysnet_var_run_dirtrans_config',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_pid_filetrans($1, net_conf_t, dir, $2)
> + allow $1 net_conf_t:dir create_dir_perms;
> +')

This should be split into two interfaces.

--
Chris PeBenito