2017-05-07 17:43:38

by Jason Zaman

Subject: [refpolicy] [PATCH 1/6] dirmngr: add to roles and allow gpg to domtrans

---
dirmngr.if | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
gpg.te | 4 ++++
2 files changed, 73 insertions(+)

diff --git a/dirmngr.if b/dirmngr.if
index 4cd2810..2f6875a 100644
--- a/dirmngr.if
+++ b/dirmngr.if
@@ -1,5 +1,74 @@
## <summary>Server for managing and downloading certificate revocation lists.</summary>

+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
########################################
## <summary>
## All of the rules required to
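Review bot: The banner above dirmngr_role is a 60-character run of `#` while every other interface header in this file, including the two added right below it, uses the 40-character `########################################` bar; shorten it to match. dirmngr_role also open-codes `domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)` instead of calling `dirmngr_domtrans($2)`, so the role path does not get the `corecmd_search_bin` that the domtrans interface adds and the two paths can drift apart later. The dirmngr_exec summary `Execute the dirmngr in the caller domain.` reads better as `Execute dirmngr in the caller domain.`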
diff --git a/gpg.te b/gpg.te
index 5e87028..d6239c5 100644
--- a/gpg.te
+++ b/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
')

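Review bot: The subject says dirmngr is added to roles, but this patch only defines dirmngr_role; nothing in the diffstat calls it, so `role $1 types dirmngr_t` is never instantiated and a transition from gpg_t to dirmngr_t under a user role would presumably be refused by the role check. If the role wiring is intended to come from a separate patch, a sentence in the commit message saying so would help; otherwise the role templates that already call gpg_role should also call `dirmngr_role($1, $2)`.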
--
2.10.2


2017-05-07 17:43:39

by Jason Zaman

Subject: [refpolicy] [PATCH 2/6] gpg dirmngr: create and connect to socket

---
dirmngr.fc | 2 ++
dirmngr.if | 25 +++++++++++++++++++++++++
dirmngr.te | 13 +++++++++++++
gpg.if | 38 ++++++++++++++++++++++++++++++++++++++
gpg.te | 1 +
5 files changed, 79 insertions(+)

diff --git a/dirmngr.fc b/dirmngr.fc
index a0f261c..a9cf15a 100644
--- a/dirmngr.fc
+++ b/dirmngr.fc
@@ -12,3 +12,5 @@
/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)

/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
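Review bot: The dot in `S.dirmngr` is unescaped and therefore matches any character, unlike `/run/dirmngr\.pid` a few lines above; write `/run/user/%{USERID}/gnupg/S\.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)`. Naming a socket that lives under the per-user runtime directory dirmngr_tmp_t is also a little misleading given the path; if the type name stays, a short comment on its declaration in dirmngr.te saying it is the per-user socket type would avoid confusion.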
diff --git a/dirmngr.if b/dirmngr.if
index 2f6875a..07af506 100644
--- a/dirmngr.if
+++ b/dirmngr.if
@@ -18,6 +18,7 @@
interface(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
+ type dirmngr_tmp_t;
')

role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`

allow dirmngr_t $2:fd use;
allow dirmngr_t $2:fifo_file { read write };
+
+ allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
')

########################################
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`

########################################
## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dirmngr environment.
## </summary>
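Review bot: dirmngr_stream_connect hand-writes the sock_file and connectto rules rather than using `stream_connect_pattern($1, dirmngr_tmp_t, dirmngr_tmp_t, dirmngr_t)`, which is the form the cgmanager interface later in this series uses and which also grants the directory search. The call to `gpg_search_agent_tmp_dirs($1)` makes the dirmngr module depend unconditionally on a gpg interface while gpg.te only reaches dirmngr inside optional_policy; a build without the gpg module would presumably fail to expand this interface, so that call belongs inside an `optional_policy` block or the summary should state the dependency. The summary line `Connect to dirmngr socket` is also missing its trailing period, unlike the other summaries in the file.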
diff --git a/dirmngr.te b/dirmngr.te
index 23f4045..8e4a1a8 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
type dirmngr_log_t;
logging_log_file(dirmngr_log_t)

+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)

@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)

+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)

miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')
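Review bot: `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` carries no name filter, so any directory dirmngr_t creates directly under the user runtime directory becomes dirmngr_tmp_t, including `gnupg` itself if the agent has not created it yet, which would then not carry the gpg_agent_tmp_t label that dirmngr_stream_connect searches through. The file context added in this patch only labels the `S.dirmngr` socket, so it is unclear which directory this transition is for; either pass the directory name or add a comment saying what is created here, since the `gpg_agent_tmp_filetrans` call below already covers the socket. The `userdom_user_tmp_file(dirmngr_tmp_t)` declaration earlier in this patch also describes the type as tmp content although the only labelled object lives under `/run/user`; confirm that is the intended attribute.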
diff --git a/gpg.if b/gpg.if
index efffff8..4480f9c 100644
--- a/gpg.if
+++ b/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`

########################################
## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
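Review bot: gpg_agent_tmp_filetrans requires `type gpg_agent_t, gpg_agent_tmp_t;` and `type gpg_secret_t;` but only gpg_agent_tmp_t appears in the body; the two unused types should be dropped from gen_require. The interface takes four arguments (domain, private type, object class and an optional name) but only `domain` is documented; add `<param>` entries for `private_type`, `object_class` and `name` with `optional="true"` on the last, as other filetrans interfaces in refpolicy do. The summary `filetrans in gpg_agent_tmp_t dirs` should be a sentence, e.g. `Create objects in gpg agent temporary directories with an automatic type transition.`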
diff --git a/gpg.te b/gpg.te
index d6239c5..0ddbc18 100644
--- a/gpg.te
+++ b/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`

optional_policy(`
dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
')

optional_policy(`
--
2.10.2

2017-05-07 17:43:40

by Jason Zaman

Subject: [refpolicy] [PATCH 3/6] dirmngr: fcontext for ~/.gnupg/crls.d/

---
dirmngr.fc | 2 ++
dirmngr.te | 7 +++++++
gpg.if | 20 ++++++++++++++++++++
3 files changed, 29 insertions(+)

diff --git a/dirmngr.fc b/dirmngr.fc
index a9cf15a..60f19f4 100644
--- a/dirmngr.fc
+++ b/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
+
/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)

/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
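Review bot: The new pattern ends in `(/.+)?` while every other entry in this file uses `(/.*)?`; the two behave the same for real paths, but the inconsistency invites a later "fix", so `HOME_DIR/\.gnupg/crls\.d(/.*)? gen_context(system_u:object_r:dirmngr_home_t,s0)` keeps the file uniform. The entry sits inside `~/.gnupg`, which the gpg module labels gpg_secret_t, and wins on specificity, which looks intended.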
diff --git a/dirmngr.te b/dirmngr.te
index 8e4a1a8..17cce56 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
type dirmngr_var_run_t;
files_pid_file(dirmngr_var_run_t)

+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
########################################
#
# Local policy
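Review bot: The declaration of dirmngr_home_t is appended after dirmngr_var_run_t, while the existing types in this file are ordered alphabetically (log, tmp, var_lib, var_run); move the block ahead of `type dirmngr_log_t;` to keep that order.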
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;

manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
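Review bot: dirmngr_t only gets `list_dir_perms` and `read_file_perms` on dirmngr_home_t here, yet the `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)` call later in this patch implies dirmngr creates `~/.gnupg/crls.d` itself, and a CRL cache directory is presumably written as well as read. If that is the case these two lines should be `manage_dirs_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` and `manage_files_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)`; if dirmngr really only reads the directory, the filetrans is unnecessary and a comment saying which component populates the cache would help.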
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)

miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)

userdom_search_user_home_dirs(dirmngr_t)
userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)

optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
')
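Review bot: `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)` passes no name, so every directory dirmngr_t creates under gpg_secret_t becomes dirmngr_home_t, while the file context in this patch only covers `crls.d`; pass the name so the transition matches the fc entry, `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir, "crls.d")`.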
diff --git a/gpg.if b/gpg.if
index 4480f9c..e5a1275 100644
--- a/gpg.if
+++ b/gpg.if
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`

########################################
## <summary>
+## filetrans in gpg_secret_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_secret_filetrans',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
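Review bot: `allow $1 gpg_secret_t:dir search_dir_perms;` in gpg_secret_filetrans looks redundant, since filetrans_pattern already grants rw_dir_perms on the containing directory type, which include search; drop the line or, if the intent is to document the search, turn it into a comment. As with gpg_agent_tmp_filetrans above, only `domain` is documented although the interface takes `private_type`, `object_class` and an optional `name`; add the missing `<param>` entries and make the summary a sentence such as `Create objects in gpg secret directories with an automatic type transition.`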
--
2.10.2

2017-05-07 17:43:41

by Jason Zaman

Subject: [refpolicy] [PATCH 4/6] dirmngr: Network rules to connect to keyserver

type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
---
dirmngr.te | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/dirmngr.te b/dirmngr.te
index 17cce56..b64fc61 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })

kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
+corenet_udp_bind_all_unreserved_ports(dirmngr_t)

files_read_etc_files(dirmngr_t)

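Review bot: `corenet_tcp_connect_pgpkeyserver_port` only covers the hkp keyserver port, yet the module summary describes dirmngr as downloading certificate revocation lists and keyservers are commonly reached over hkps/https; if CRL, OCSP or hkps fetches are expected, `corenet_tcp_connect_http_port(dirmngr_t)` will presumably be needed too. A comment on each network line naming the protocol it serves (`# hkp keyserver lookups`, `# DNS resolution`) would make later tightening easier and would carry the reason for the bind rules, once confirmed, into the file rather than leaving it in the mailing-list thread.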
--
2.10.2

2017-05-07 17:43:42

by Jason Zaman

Subject: [refpolicy] [PATCH 5/6] cgmanager: add policy from gentoo

---
cgmanager.fc | 9 +++++++++
cgmanager.if | 22 ++++++++++++++++++++
cgmanager.te | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 97 insertions(+)
create mode 100644 cgmanager.fc
create mode 100644 cgmanager.if
create mode 100644 cgmanager.te

diff --git a/cgmanager.fc b/cgmanager.fc
new file mode 100644
index 0000000..d53e92f
--- /dev/null
+++ b/cgmanager.fc
@@ -0,0 +1,9 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)? <<none>>
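Review bot: The dot in `/run/cgmanager.pid` is unescaped and so matches any character, and the entry has no file-type field while the binaries above use `--`; write `/run/cgmanager\.pid -- gen_context(system_u:object_r:cgmanager_run_t,s0)`. The `<<none>>` entry for `/run/cgmanager/fs(/.*)?` would also benefit from a comment saying that the subtree is a mount namespace of cgroup mounts, which is why it must not be relabelled.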
diff --git a/cgmanager.if b/cgmanager.if
new file mode 100644
index 0000000..ad459a6
--- /dev/null
+++ b/cgmanager.if
@@ -0,0 +1,22 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Connect to cgmanager with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
diff --git a/cgmanager.te b/cgmanager.te
new file mode 100644
index 0000000..5c32295
--- /dev/null
+++ b/cgmanager.te
@@ -0,0 +1,66 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
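Review bot: The pid-file type is named cgmanager_run_t while the other modules touched by this series (dirmngr_var_run_t, consolekit_var_run_t) follow the refpolicy `_var_run_t` convention; rename it in the .te, the .fc and the `files_pid_file` call so it matches. `allow cgmanager_t self:capability { sys_admin dac_override };` grants dac_override without dac_read_search; refpolicy commonly pairs them, so confirm which one the daemon actually trips and grant only dac_read_search if that suffices. The mount and unmount rules are explained by the comment above them, but `domain_read_all_domains_state` is not; a one-line comment such as `# reads process state to map pids to cgroups (assumption, confirm)` would carry that rationale into the file.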
--
2.10.2

2017-05-07 17:43:43

by Jason Zaman

Subject: [refpolicy] [PATCH 6/6] consolekit: Add support for consolekit2

setattr on chr_files is for setting dev nodes on login
rw sysfs and devicekit are for suspend
fifo_files are for inhibit
connect to cgmanager to track sessions with cgroups
---
consolekit.te | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/consolekit.te b/consolekit.te
index c99a6cb..d51634e 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)

manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })

kernel_read_system_state(consolekit_t)
@@ -53,7 +54,8 @@ corecmd_exec_bin(consolekit_t)
corecmd_exec_shell(consolekit_t)

dev_read_urand(consolekit_t)
-dev_read_sysfs(consolekit_t)
+dev_rw_sysfs(consolekit_t)
+dev_setattr_all_chr_files(consolekit_t)

domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
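Review bot: `dev_setattr_all_chr_files` and the widening of `dev_read_sysfs` to `dev_rw_sysfs` are the broadest grants in this change and the reason for them lives only in the commit message; put it in the file, e.g. `# consolekit2 changes ownership of device nodes on login` above the setattr line and `# suspend/hibernate writes to sysfs (assumption, confirm the exact files)` above the sysfs line. If the device nodes touched at login are a known set, a per-device-class `dev_setattr_*` interface (for example the sound or video device ones) would be preferable to all character devices; the AVC denials that prompted the change should show which classes are involved.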
@@ -104,6 +106,10 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
+ cgmanager_stream_connect(consolekit_t)
+')
+
+optional_policy(`
dbus_read_lib_files(consolekit_t)
dbus_system_domain(consolekit_t, consolekit_exec_t)

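Review bot: `cgmanager_stream_connect(consolekit_t)` depends on the cgmanager module introduced in patch 5/6 of this series, which its author has since asked not to be merged; optional_policy only guards against the module being absent at load time, not against the interface being undefined at build time, so this hunk presumably needs to be held back or reordered together with that patch. The commit message line `connect to cgmanager to track sessions with cgroups` is worth repeating as a comment above the call.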
@@ -125,6 +131,10 @@ optional_policy(`
')

optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+')
+
+optional_policy(`
hal_ptrace(consolekit_t)
')

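Review bot: `devicekit_manage_log_files(consolekit_t)` grants create, write and delete on devicekit log files, while the commit message only describes read/write access for suspend; confirm whether consolekit actually creates or removes those logs, and if it only reads or appends, a read/write or append interface for the same type, if the devicekit module provides one, would be the narrower choice.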
@@ -156,6 +166,7 @@ optional_policy(`
optional_policy(`
udev_domtrans(consolekit_t)
udev_read_db(consolekit_t)
+ udev_read_pid_files(consolekit_t)
udev_signal(consolekit_t)
')

--
2.10.2

2017-05-11 23:29:07

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/6] dirmngr: add to roles and allow gpg to domtrans

On 05/07/2017 01:43 PM, Jason Zaman wrote:
> ---
> dirmngr.if | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> gpg.te | 4 ++++
> 2 files changed, 73 insertions(+)
>
> diff --git a/dirmngr.if b/dirmngr.if
> index 4cd2810..2f6875a 100644
> --- a/dirmngr.if
> +++ b/dirmngr.if
> @@ -1,5 +1,74 @@
> ## <summary>Server for managing and downloading certificate revocation lists.</summary>
>
> +############################################################
> +## <summary>
> +## Role access for dirmngr.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_role',`
> + gen_require(`
> + type dirmngr_t, dirmngr_exec_t;
> + ')
> +
> + role $1 types dirmngr_t;
> +
> + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
> +
> + allow $2 dirmngr_t:process { ptrace signal_perms };
> + ps_process_pattern($2, dirmngr_t)
> +
> + allow dirmngr_t $2:fd use;
> + allow dirmngr_t $2:fifo_file { read write };

Why are these here explicitly? They should be in domtrans_pattern.

> +')
> +
> +########################################
> +## <summary>
> +## Execute dirmngr in the dirmngr domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_domtrans',`
> + gen_require(`
> + type dirmngr_t, dirmngr_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute the dirmngr in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_exec',`
> + gen_require(`
> + type dirmngr_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, dirmngr_exec_t)
> +')
> +
> ########################################
> ## <summary>
> ## All of the rules required to
> diff --git a/gpg.te b/gpg.te
> index 5e87028..d6239c5 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + dirmngr_domtrans(gpg_t)
> +')
> +
> +optional_policy(`
> evolution_read_orbit_tmp_files(gpg_t)
> ')
>
>


--
Chris PeBenito

2017-05-11 23:32:02

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/6] dirmngr: Network rules to connect to keyserver

On 05/07/2017 01:43 PM, Jason Zaman wrote:
> type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
> ---
> dirmngr.te | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/dirmngr.te b/dirmngr.te
> index 17cce56..b64fc61 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
>
> kernel_read_crypto_sysctls(dirmngr_t)
> +dev_read_rand(dirmngr_t)
> +sysnet_dns_name_resolve(dirmngr_t)
> +
> +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
> +corenet_udp_bind_generic_node(dirmngr_t)
> +corenet_udp_bind_all_unreserved_ports(dirmngr_t)
>
> files_read_etc_files(dirmngr_t)

I'm confused. If this is for connecting, why are there binding rules?

--
Chris PeBenito

2017-05-11 23:34:11

by Chris PeBenito

Subject: [refpolicy] [PATCH 5/6] cgmanager: add policy from gentoo

On 05/07/2017 01:43 PM, Jason Zaman wrote:
> ---
> cgmanager.fc | 9 +++++++++
> cgmanager.if | 22 ++++++++++++++++++++
> cgmanager.te | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 97 insertions(+)
> create mode 100644 cgmanager.fc
> create mode 100644 cgmanager.if
> create mode 100644 cgmanager.te
>
> diff --git a/cgmanager.fc b/cgmanager.fc
> new file mode 100644
> index 0000000..d53e92f
> --- /dev/null
> +++ b/cgmanager.fc
> @@ -0,0 +1,9 @@
> +/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +
> +/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
> +
> +/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager/fs(/.*)? <<none>>
> diff --git a/cgmanager.if b/cgmanager.if
> new file mode 100644
> index 0000000..ad459a6
> --- /dev/null
> +++ b/cgmanager.if
> @@ -0,0 +1,22 @@
> +## <summary>Control Group manager daemon.</summary>
> +
> +########################################
> +## <summary>
> +## Connect to cgmanager with a unix
> +## domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cgmanager_stream_connect',`
> + gen_require(`
> + type cgmanager_t, cgmanager_cgroup_t;
> + ')
> +
> + fs_search_cgroup_dirs($1)
> + list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
> + stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
> +')
> diff --git a/cgmanager.te b/cgmanager.te
> new file mode 100644
> index 0000000..5c32295
> --- /dev/null
> +++ b/cgmanager.te
> @@ -0,0 +1,66 @@
> +policy_module(cgmanager, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type cgmanager_t;
> +type cgmanager_exec_t;
> +init_daemon_domain(cgmanager_t, cgmanager_exec_t)
> +
> +type cgmanager_run_t;
> +files_pid_file(cgmanager_run_t)
> +
> +type cgmanager_cgroup_t;
> +files_type(cgmanager_cgroup_t)
> +
> +########################################
> +#
> +# CGManager local policy
> +#
> +
> +allow cgmanager_t self:capability { sys_admin dac_override };
> +allow cgmanager_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
> +allow cgmanager_t cgmanager_run_t:dir mounton;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
> +
> +kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)

This is started from the kernel?


> +kernel_read_system_state(cgmanager_t)
> +
> +corecmd_exec_bin(cgmanager_t)
> +can_exec(cgmanager_t, cgmanager_exec_t)
> +
> +domain_read_all_domains_state(cgmanager_t)
> +
> +files_read_etc_files(cgmanager_t)
> +
> +# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
> +files_mounton_all_mountpoints(cgmanager_t)
> +files_unmount_all_file_type_fs(cgmanager_t)
> +fs_unmount_xattr_fs(cgmanager_t)
> +
> +fs_manage_cgroup_dirs(cgmanager_t)
> +fs_manage_cgroup_files(cgmanager_t)
> +
> +fs_getattr_tmpfs(cgmanager_t)
> +
> +fs_manage_tmpfs_dirs(cgmanager_t)
> +fs_manage_tmpfs_files(cgmanager_t)
> +
> +fs_mount_cgroup(cgmanager_t)
> +fs_mount_tmpfs(cgmanager_t)
> +fs_mounton_tmpfs(cgmanager_t)
> +fs_remount_cgroup(cgmanager_t)
> +fs_remount_tmpfs(cgmanager_t)
> +fs_unmount_cgroup(cgmanager_t)
> +fs_unmount_tmpfs(cgmanager_t)
>


--
Chris PeBenito

2017-05-16 16:56:49

by Jason Zaman

Subject: [refpolicy] [PATCH 5/6] cgmanager: add policy from gentoo

On Thu, May 11, 2017 at 07:34:11PM -0400, Chris PeBenito wrote:
> On 05/07/2017 01:43 PM, Jason Zaman wrote:
> > ---
> > cgmanager.fc | 9 +++++++++
> > cgmanager.if | 22 ++++++++++++++++++++
> > cgmanager.te | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > 3 files changed, 97 insertions(+)
> > create mode 100644 cgmanager.fc
> > create mode 100644 cgmanager.if
> > create mode 100644 cgmanager.te
> >
> > diff --git a/cgmanager.fc b/cgmanager.fc
> > new file mode 100644
> > index 0000000..d53e92f
> > --- /dev/null
> > +++ b/cgmanager.fc
> > @@ -0,0 +1,9 @@
> > +/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> > +/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> > +/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> > +
> > +/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
> > +
> > +/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
> > +/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
> > +/run/cgmanager/fs(/.*)? <<none>>
> > diff --git a/cgmanager.if b/cgmanager.if
> > new file mode 100644
> > index 0000000..ad459a6
> > --- /dev/null
> > +++ b/cgmanager.if
> > @@ -0,0 +1,22 @@
> > +## <summary>Control Group manager daemon.</summary>
> > +
> > +########################################
> > +## <summary>
> > +## Connect to cgmanager with a unix
> > +## domain stream socket.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`cgmanager_stream_connect',`
> > + gen_require(`
> > + type cgmanager_t, cgmanager_cgroup_t;
> > + ')
> > +
> > + fs_search_cgroup_dirs($1)
> > + list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
> > + stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
> > +')
> > diff --git a/cgmanager.te b/cgmanager.te
> > new file mode 100644
> > index 0000000..5c32295
> > --- /dev/null
> > +++ b/cgmanager.te
> > @@ -0,0 +1,66 @@
> > +policy_module(cgmanager, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +type cgmanager_t;
> > +type cgmanager_exec_t;
> > +init_daemon_domain(cgmanager_t, cgmanager_exec_t)
> > +
> > +type cgmanager_run_t;
> > +files_pid_file(cgmanager_run_t)
> > +
> > +type cgmanager_cgroup_t;
> > +files_type(cgmanager_cgroup_t)
> > +
> > +########################################
> > +#
> > +# CGManager local policy
> > +#
> > +
> > +allow cgmanager_t self:capability { sys_admin dac_override };
> > +allow cgmanager_t self:fifo_file rw_fifo_file_perms;
> > +
> > +manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> > +manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> > +manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> > +files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
> > +allow cgmanager_t cgmanager_run_t:dir mounton;
> > +
> > +manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> > +manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> > +manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> > +fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
> > +
> > +kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
>
> This is started from the kernel?

Yeah, cgmanager sets this:
# grep release_agent /proc/6060/mounts
none,name=openrc /run/cgmanager/fs/none,name=openrc cgroup rw,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0
pids /run/cgmanager/fs/pids cgroup rw,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids 0 0
none,name=systemd /run/cgmanager/fs/none,name=systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0

which are symlinks to cgm-release-agent so it can handle when things exit.

Don't merge this patch, I just realized an update of cgmanager must have
moved the path for that binary so I'll send an update.

-- Jason
>
>
> > +kernel_read_system_state(cgmanager_t)
> > +
> > +corecmd_exec_bin(cgmanager_t)
> > +can_exec(cgmanager_t, cgmanager_exec_t)
> > +
> > +domain_read_all_domains_state(cgmanager_t)
> > +
> > +files_read_etc_files(cgmanager_t)
> > +
> > +# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
> > +files_mounton_all_mountpoints(cgmanager_t)
> > +files_unmount_all_file_type_fs(cgmanager_t)
> > +fs_unmount_xattr_fs(cgmanager_t)
> > +
> > +fs_manage_cgroup_dirs(cgmanager_t)
> > +fs_manage_cgroup_files(cgmanager_t)
> > +
> > +fs_getattr_tmpfs(cgmanager_t)
> > +
> > +fs_manage_tmpfs_dirs(cgmanager_t)
> > +fs_manage_tmpfs_files(cgmanager_t)
> > +
> > +fs_mount_cgroup(cgmanager_t)
> > +fs_mount_tmpfs(cgmanager_t)
> > +fs_mounton_tmpfs(cgmanager_t)
> > +fs_remount_cgroup(cgmanager_t)
> > +fs_remount_tmpfs(cgmanager_t)
> > +fs_unmount_cgroup(cgmanager_t)
> > +fs_unmount_tmpfs(cgmanager_t)
> >
>
>
> --
> Chris PeBenito

2017-05-16 17:00:45

by Jason Zaman

Subject: [refpolicy] [PATCH 4/6] dirmngr: Network rules to connect to keyserver

On Thu, May 11, 2017 at 07:32:02PM -0400, Chris PeBenito wrote:
> On 05/07/2017 01:43 PM, Jason Zaman wrote:
> > type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
> > ---
> > dirmngr.te | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/dirmngr.te b/dirmngr.te
> > index 17cce56..b64fc61 100644
> > --- a/dirmngr.te
> > +++ b/dirmngr.te
> > @@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> > files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
> >
> > kernel_read_crypto_sysctls(dirmngr_t)
> > +dev_read_rand(dirmngr_t)
> > +sysnet_dns_name_resolve(dirmngr_t)
> > +
> > +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
> > +corenet_udp_bind_generic_node(dirmngr_t)
> > +corenet_udp_bind_all_unreserved_ports(dirmngr_t)
> >
> > files_read_etc_files(dirmngr_t)
>
> I'm confused. If this is for connecting, why are there binding rules?

I don't really know why it needs to bind to random udp ports. It failed
hard for me without them tho :(. I could poke around in the source for
an exact answer if you want tho.

I was testing it with gpg --refresh-keys

-- Jason

>
> --
> Chris PeBenito

2017-05-16 17:23:32

by Dac Override

Subject: [refpolicy] [PATCH 4/6] dirmngr: Network rules to connect to keyserver

On Wed, May 17, 2017 at 01:00:45AM +0800, Jason Zaman via refpolicy wrote:
> On Thu, May 11, 2017 at 07:32:02PM -0400, Chris PeBenito wrote:
> > On 05/07/2017 01:43 PM, Jason Zaman wrote:
> > > type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
> > > ---
> > > dirmngr.te | 6 ++++++
> > > 1 file changed, 6 insertions(+)
> > >
> > > diff --git a/dirmngr.te b/dirmngr.te
> > > index 17cce56..b64fc61 100644
> > > --- a/dirmngr.te
> > > +++ b/dirmngr.te
> > > @@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> > > files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
> > >
> > > kernel_read_crypto_sysctls(dirmngr_t)
> > > +dev_read_rand(dirmngr_t)
> > > +sysnet_dns_name_resolve(dirmngr_t)
> > > +
> > > +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
> > > +corenet_udp_bind_generic_node(dirmngr_t)
> > > +corenet_udp_bind_all_unreserved_ports(dirmngr_t)
> > >
> > > files_read_etc_files(dirmngr_t)
> >
> > I'm confused. If this is for connecting, why are there binding rules?
>
> I dont really know why it needs to bind to random udp ports. It failed
> hard for me without them tho :(. I could poke around in the source for
> an exact answer if you want tho.

dns AFAIK

>
> I was testing it with gpg --refresh-keys
>
> -- Jason
>
> >
> > --
> > Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-17 21:57:19

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/6] dirmngr: Network rules to connect to keyserver

On 05/16/2017 01:23 PM, Dominick Grift via refpolicy wrote:
> On Wed, May 17, 2017 at 01:00:45AM +0800, Jason Zaman via refpolicy wrote:
>> On Thu, May 11, 2017 at 07:32:02PM -0400, Chris PeBenito wrote:
>>> On 05/07/2017 01:43 PM, Jason Zaman wrote:
>>>> type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
>>>> ---
>>>> dirmngr.te | 6 ++++++
>>>> 1 file changed, 6 insertions(+)
>>>>
>>>> diff --git a/dirmngr.te b/dirmngr.te
>>>> index 17cce56..b64fc61 100644
>>>> --- a/dirmngr.te
>>>> +++ b/dirmngr.te
>>>> @@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
>>>> files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
>>>>
>>>> kernel_read_crypto_sysctls(dirmngr_t)
>>>> +dev_read_rand(dirmngr_t)
>>>> +sysnet_dns_name_resolve(dirmngr_t)
>>>> +
>>>> +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
>>>> +corenet_udp_bind_generic_node(dirmngr_t)
>>>> +corenet_udp_bind_all_unreserved_ports(dirmngr_t)
>>>>
>>>> files_read_etc_files(dirmngr_t)
>>>
>>> I'm confused. If this is for connecting, why are there binding rules?
>>
>> I dont really know why it needs to bind to random udp ports. It failed
>> hard for me without them tho :(. I could poke around in the source for
>> an exact answer if you want tho.
>
> dns AFAIK

If that can be confirmed (makes sense to me, especially due to the UDP),
then the sysnet DNS interface makes more sense to cover the binds.

--
Chris PeBenito