2017-10-31 05:37:03

by Jason Zaman

Subject: [refpolicy] [PATCH 1/5] mls mcs: Add constraints for key class

Taken from Fedora's policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
---
policy/mcs | 3 +++
policy/mls | 8 ++++++++
2 files changed, 11 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index 4d030112..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

+mlsconstrain key { create link read search setattr view write }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
#
# MCS policy for SELinux-enabled databases
#
diff --git a/policy/mls b/policy/mls
index 69ca7263..c9be3125 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
# { ipc sem msgq shm } associate


+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+ (( l1 eq l2 ) or
+ (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsprocwrite ));


#
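Review bot: The read-side permissions `read search view` share the `l1 eq l2` constraint with the write-side ones at lines 42–45, so a subject at a higher sensitivity level cannot view, search or read a key at a lower level; that is stricter than the read-down rule MLS normally applies to object reads and will show up as denials for higher-level processes inspecting lower-level keyrings. If that strictness is not intended, split the constraint into a read rule using `l1 dom l2` and a write rule that keeps the `eq` form with the existing `mlsprocwrite`/`mlsprocwritetoclr` exemptions, as sketched below. The exemption attribute for the read rule is left as a placeholder because the hunk does not show which read-side attribute this file uses. Whether the rest of the file applies read-down to other classes is inferred; only the `msg send` hunk header is visible here.
```selinux
#
# MLS policy for the key class
#

# read-down: a subject may view, search or read keys at or below its level
mlsconstrain key { read search view }
	(( l1 dom l2 ) or
	 ( t1 == MLS_KEY_READ_EXEMPT_ATTR ));   # placeholder: the file's read-side exemption attribute

# write-equal, keeping the existing write-to-clearance and unrestricted-write exemptions
mlsconstrain key { create link setattr write }
	# … unchanged: the three-clause ( l1 eq l2 ) / mlsprocwritetoclr / mlsprocwrite body …
```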
--
2.13.6


2017-10-31 05:37:04

by Jason Zaman

Subject: [refpolicy] [PATCH 2/5] Add key interfaces and perms

Mostly taken from the Fedora rawhide policy
---
policy/modules/kernel/kernel.if | 36 ++++++++++++++++++
policy/modules/services/ssh.if | 2 +
policy/modules/services/ssh.te | 1 +
policy/modules/services/xserver.if | 18 +++++++++
policy/modules/services/xserver.te | 1 +
policy/modules/system/authlogin.te | 4 ++
policy/modules/system/locallogin.te | 1 +
policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
8 files changed, 136 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 25467d0a..843b26e3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`

########################################
## <summary>
+## Allow view the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_view_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
+## dontaudit view the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_view_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
## Allows caller to read the ring buffer.
## </summary>
## <param name="domain">
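Review bot: The summaries at lines 80 and 98 (`## Allow view the kernel key ring.` and `## dontaudit view the kernel key ring.`) are not grammatical and do not follow the verb-phrase style of the neighbouring headers (`## Allows caller to read the ring buffer.` at line 116). Use `## Allow viewing the kernel keyring.` for `kernel_view_key` and `## Do not audit attempts to view the kernel keyring.` for `kernel_dontaudit_view_key`; the parameter blocks can stay as they are. The rules themselves mirror the existing link pair named in the hunk header, which is outside the hunk.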
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index aa906680..26c90838 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -338,6 +338,8 @@ template(`ssh_role_template',`
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
+ allow ssh_t $3:key manage_key_perms;
+ allow $3 ssh_t:key { write search read view };

# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
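Review bot: The two key rules at lines 127–128 are placed directly under the `# for rsync` comment, so a reader will take the keyring access as part of the rsync workaround; a comment of its own, stating why `ssh_t` needs keyring access on the caller's keyring, should precede line 127 (the commit message only says the rules come from Fedora). `manage_key_perms`, if it is the full permission set its name suggests, also includes `setattr` and `link`, which is more than a client usually needs on another domain's keyring; if the real need is narrower, list the specific permissions instead. `ssh_role_template` begins before and ends after the hunk.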
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5b939d0c..eaabdcd7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:key manage_key_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e0c5be82..e70046db 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Manage keys for xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_keys',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:key { read write setattr };
+')
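Review bot: The summary at line 155 says `## Manage keys for xdm.` while the interface is named `xserver_rw_xdm_keys` and the rule at line 168 grants only `{ read write setattr }`; the three disagree, and a caller going by the summary will expect the full manage set. Either document what is actually granted, `## Read, write, and set attributes on xdm keys.`, or rename the interface to `xserver_manage_xdm_keys` and grant `manage_key_perms`. Note also that `userdom_rw_all_users_keys` in this same series grants `{ read view write }` for its rw interface, so the two rw interfaces disagree on whether rw includes `view` or `setattr`.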
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 758292be..ef56563c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
kernel_read_network_state(xdm_t)
+kernel_view_key(xdm_t)

corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 11a8ec1c..9b3f3520 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -419,6 +419,8 @@ optional_policy(`
# nsswitch_domain local policy
#

+allow nsswitch_domain self:key manage_key_perms;
+
files_list_var_lib(nsswitch_domain)

# read /etc/nsswitch.conf
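Review bot: `allow nsswitch_domain self:key manage_key_perms;` at line 190 applies to every domain that carries the `nsswitch_domain` attribute, not to one service, so full self-keyring management lands on all name-service consumers at once and the commit message does not say which consumer needs it. If the need is tied to a specific resolver back end (the `authlogin_nsswitch_use_ldap` tunable is the only hint visible in this file section), a comment on the rule naming it, or moving the rule next to that consumer, would make the grant reviewable.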
@@ -426,6 +428,8 @@ files_read_etc_files(nsswitch_domain)

sysnet_dns_name_resolve(nsswitch_domain)

+userdom_manage_all_users_keys(nsswitch_domain)
+
tunable_policy(`authlogin_nsswitch_use_ldap',`
miscfiles_read_generic_certs(nsswitch_domain)
sysnet_use_ldap(nsswitch_domain)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5a0c508f..269a61e0 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
+ xserver_rw_xdm_keys(local_login_t)
')

#################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9d817e32..50035674 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -47,6 +47,7 @@ template(`userdom_base_user_template',`

allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
allow $1_t self:fd use;
+ allow $1_t self:key manage_key_perms;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -4018,6 +4019,60 @@ interface(`userdom_sigchld_all_users',`

########################################
## <summary>
+## Read keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key read;
+')
+
+########################################
+## <summary>
+## Write keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key write;
+')
+
+########################################
+## <summary>
+## Read and write keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key { read view write };
+')
+
+########################################
+## <summary>
## Create keys for all user domains.
## </summary>
## <param name="domain">
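Review bot: `userdom_read_all_users_keys` at line 245 grants only `read` and `userdom_write_all_users_keys` at line 263 only `write`, yet `userdom_rw_all_users_keys` at line 281 grants `{ read view write }`, so the rw interface is not the union of the read and write ones and the extra `view` is unexplained. If reading a key in practice also requires describing it, change the read interface to `allow $1 userdomain:key { read view };` so the three stay consistent; otherwise drop `view` from the rw rule. The last header in the hunk belongs to `userdom_create_all_users_keys`, whose body lies outside the hunk.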
@@ -4036,6 +4091,24 @@ interface(`userdom_create_all_users_keys',`

########################################
## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
--
2.13.6

2017-10-31 05:37:05

by Jason Zaman

Subject: [refpolicy] [PATCH 3/5] gssproxy: Allow others to stream connect

kernel AVC:
* Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
* start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
---
policy/modules/kernel/kernel.te | 4 ++++
policy/modules/system/userdomain.if | 4 ++++
2 files changed, 8 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 0fc74648..22d1ebaf 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)

+ optional_policy(`
+ gssproxy_stream_connect(kernel_t)
+ ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)
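Review bot: The new `optional_policy` block at lines 343–345 is nested inside an outer `optional_policy` that opens before the hunk (the hunk header shows only `optional_policy(``, and the surrounding `rpc_*` calls suggest it is the rpc block), so the rule is only compiled when both the rpc and gssproxy modules are present. If that coupling is intended, say so on the rule, e.g. `# use-gss-proxy: the kernel rpc code connects to the gssproxy socket`, which ties it to the denial quoted in the commit message. The `gssproxy_stream_connect` interface is not shown in this series, so its existence is assumed.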
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 50035674..20b2391e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
')

optional_policy(`
+ gssproxy_stream_connect($1_t)
+ ')
+
+ optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')
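Review bot: `gssproxy_stream_connect($1_t)` at line 358 grants every common user domain connect access to the gssproxy socket, but the only denial in the commit message is for `kernel_t`, so this half of the change is not justified by the description. Either add the user-domain denial that motivates it to the commit message or drop this hunk and keep the kernel.te change alone. `userdom_common_user_template` starts and ends outside the hunk.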
--
2.13.6

2017-10-31 05:37:06

by Jason Zaman

Subject: [refpolicy] [PATCH 4/5] userdomain: allow admin to rw tape storage

---
policy/modules/system/userdomain.if | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 20b2391e..49eff3a6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1230,6 +1230,8 @@ template(`userdom_admin_user_template',`
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)

+ storage_read_tape($1_t)
+ storage_write_tape($1_t)
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)

--
2.13.6

2017-10-31 05:37:07

by Jason Zaman

Subject: [refpolicy] [PATCH 5/5] files: fcontext for /etc/zfs/zpool.cache

---
policy/modules/kernel/files.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 3c93ddde..5223af27 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -72,6 +72,8 @@ ifdef(`distro_suse',`
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)

+/etc/zfs/zpool.cache -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
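Review bot: The new entry at line 414 leaves the dot unescaped, `/etc/zfs/zpool.cache`, while the neighbouring entries (`iptables\.save`, `profile\.env`, `csh\.env`) escape it; file context paths are regular expressions, so the unescaped form also matches any other single character in that position. Use `/etc/zfs/zpool\.cache -- gen_context(system_u:object_r:etc_runtime_t,s0)`. Whether the new line sits inside the `distro_suse` block named in the hunk header or after its close cannot be told from the hunk alone.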
--
2.13.6

2017-11-01 22:49:23

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/5] mls mcs: Add constraints for key class

On 10/31/2017 01:37 AM, Jason Zaman wrote:
> Taken from fedoras policy
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
> ---
> policy/mcs | 3 +++
> policy/mls | 8 ++++++++
> 2 files changed, 11 insertions(+)
>
> diff --git a/policy/mcs b/policy/mcs
> index 4d030112..94319570 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -123,6 +123,9 @@ mlsconstrain process { signal }
> mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
>
> +mlsconstrain key { create link read search setattr view write }
> + (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
> #
> # MCS policy for SELinux-enabled databases
> #
> diff --git a/policy/mls b/policy/mls
> index 69ca7263..c9be3125 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -281,6 +281,14 @@ mlsconstrain msg send
> # { ipc sem msgq shm } associate
>
>
> +#
> +# MLS policy for the key class
> +#
> +
> +mlsconstrain key { create link read search setattr view write }
> + (( l1 eq l2 ) or
> + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> + ( t1 == mlsprocwrite ));

Why doesn't this have a new set of attributes for exemption, e.g.
mlskeywritetoclr?

--
Chris PeBenito

2017-11-01 22:50:12

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/5] Add key interfaces and perms

On 10/31/2017 01:37 AM, Jason Zaman wrote:
> Mostly taken from the fedora rawhide policy
> ---
> policy/modules/kernel/kernel.if | 36 ++++++++++++++++++
> policy/modules/services/ssh.if | 2 +
> policy/modules/services/ssh.te | 1 +
> policy/modules/services/xserver.if | 18 +++++++++
> policy/modules/services/xserver.te | 1 +
> policy/modules/system/authlogin.te | 4 ++
> policy/modules/system/locallogin.te | 1 +
> policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
> 8 files changed, 136 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 25467d0a..843b26e3 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
>
> ########################################
> ## <summary>
> +## Allow view the kernel key ring.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_view_key',`
> + gen_require(`
> + type kernel_t;
> + ')
> +
> + allow $1 kernel_t:key view;
> +')
> +
> +########################################
> +## <summary>
> +## dontaudit view the kernel key ring.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_view_key',`
> + gen_require(`
> + type kernel_t;
> + ')
> +
> + dontaudit $1 kernel_t:key view;
> +')
> +
> +########################################
> +## <summary>
> ## Allows caller to read the ring buffer.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index aa906680..26c90838 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -338,6 +338,8 @@ template(`ssh_role_template',`
> # for rsync
> allow ssh_t $3:unix_stream_socket rw_socket_perms;
> allow ssh_t $3:unix_stream_socket connectto;
> + allow ssh_t $3:key manage_key_perms;
> + allow $3 ssh_t:key { write search read view };

Is this second rule really needed? It doesn't seem like there should be
reverse access.

> # user can manage the keys and config
> manage_files_pattern($3, ssh_home_t, ssh_home_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 5b939d0c..eaabdcd7 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
> allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow ssh_t self:fd use;
> allow ssh_t self:fifo_file rw_fifo_file_perms;
> +allow ssh_t self:key manage_key_perms;
> allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
> allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow ssh_t self:shm create_shm_perms;
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e0c5be82..e70046db 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Manage keys for xdm.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_rw_xdm_keys',`
> + gen_require(`
> + type xdm_t;
> + ')
> +
> + allow $1 xdm_t:key { read write setattr };
> +')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 758292be..ef56563c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
> kernel_read_kernel_sysctls(xdm_t)
> kernel_read_net_sysctls(xdm_t)
> kernel_read_network_state(xdm_t)
> +kernel_view_key(xdm_t)
>
> corecmd_exec_shell(xdm_t)
> corecmd_exec_bin(xdm_t)
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 11a8ec1c..9b3f3520 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -419,6 +419,8 @@ optional_policy(`
> # nsswitch_domain local policy
> #
>
> +allow nsswitch_domain self:key manage_key_perms;
> +
> files_list_var_lib(nsswitch_domain)
>
> # read /etc/nsswitch.conf
> @@ -426,6 +428,8 @@ files_read_etc_files(nsswitch_domain)
>
> sysnet_dns_name_resolve(nsswitch_domain)
>
> +userdom_manage_all_users_keys(nsswitch_domain)

This needs explanation.


> tunable_policy(`authlogin_nsswitch_use_ldap',`
> miscfiles_read_generic_certs(nsswitch_domain)
> sysnet_use_ldap(nsswitch_domain)
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 5a0c508f..269a61e0 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -209,6 +209,7 @@ optional_policy(`
> optional_policy(`
> xserver_read_xdm_tmp_files(local_login_t)
> xserver_rw_xdm_tmp_files(local_login_t)
> + xserver_rw_xdm_keys(local_login_t)
> ')
>
> #################################
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 9d817e32..50035674 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
>
> allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
> allow $1_t self:fd use;
> + allow $1_t self:key manage_key_perms;
> allow $1_t self:fifo_file rw_fifo_file_perms;
> allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
> allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -4018,6 +4019,60 @@ interface(`userdom_sigchld_all_users',`
>
> ########################################
> ## <summary>
> +## Read keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_read_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key read;
> +')
> +
> +########################################
> +## <summary>
> +## Write keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_write_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key write;
> +')
> +
> +########################################
> +## <summary>
> +## Read and write keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_rw_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key { read view write };
> +')
> +
> +########################################
> +## <summary>
> ## Create keys for all user domains.
> ## </summary>
> ## <param name="domain">
> @@ -4036,6 +4091,24 @@ interface(`userdom_create_all_users_keys',`
>
> ########################################
> ## <summary>
> +## Manage keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_manage_all_users_keys',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + allow $1 userdomain:key manage_key_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Send a dbus message to all user domains.
> ## </summary>
> ## <param name="domain">
>


--
Chris PeBenito

2017-11-01 22:50:21

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/5] userdomain: allow admin to rw tape storage

On 10/31/2017 01:37 AM, Jason Zaman wrote:
> ---
> policy/modules/system/userdomain.if | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 20b2391e..49eff3a6 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1230,6 +1230,8 @@ template(`userdom_admin_user_template',`
> fs_set_all_quotas($1_t)
> fs_exec_noxattr($1_t)
>
> + storage_read_tape($1_t)
> + storage_write_tape($1_t)
> storage_raw_read_removable_device($1_t)
> storage_raw_write_removable_device($1_t)

Merged.

--
Chris PeBenito

2017-11-01 22:50:26

by Chris PeBenito

Subject: [refpolicy] [PATCH 5/5] files: fcontext for /etc/zfs/zpool.cache

On 10/31/2017 01:37 AM, Jason Zaman wrote:
> ---
> policy/modules/kernel/files.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index 3c93ddde..5223af27 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -72,6 +72,8 @@ ifdef(`distro_suse',`
> /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
>
> +/etc/zfs/zpool.cache -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +
> ifdef(`distro_gentoo', `
> /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)

Merged.

--
Chris PeBenito

2017-11-02 11:11:26

by Jason Zaman

Subject: [refpolicy] [PATCH 1/5] mls mcs: Add constraints for key class

On Wed, Nov 01, 2017 at 06:49:23PM -0400, Chris PeBenito wrote:
> On 10/31/2017 01:37 AM, Jason Zaman wrote:
> > Taken from fedoras policy
> > https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
> > https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
> > ---
> > policy/mcs | 3 +++
> > policy/mls | 8 ++++++++
> > 2 files changed, 11 insertions(+)
> >
> > diff --git a/policy/mcs b/policy/mcs
> > index 4d030112..94319570 100644
> > --- a/policy/mcs
> > +++ b/policy/mcs
> > @@ -123,6 +123,9 @@ mlsconstrain process { signal }
> > mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> > (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> >
> > +mlsconstrain key { create link read search setattr view write }
> > + (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> > +
> > #
> > # MCS policy for SELinux-enabled databases
> > #
> > diff --git a/policy/mls b/policy/mls
> > index 69ca7263..c9be3125 100644
> > --- a/policy/mls
> > +++ b/policy/mls
> > @@ -281,6 +281,14 @@ mlsconstrain msg send
> > # { ipc sem msgq shm } associate
> >
> >
> > +#
> > +# MLS policy for the key class
> > +#
> > +
> > +mlsconstrain key { create link read search setattr view write }
> > + (( l1 eq l2 ) or
> > + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> > + ( t1 == mlsprocwrite ));
>
> Why doesn't this have a new set of attributes for exemption, e.g.
> mlskeywritetoclr?

Oops. I'll fix that and add the interfaces for it.
>
> --
> Chris PeBenito

2017-11-02 14:24:11

by Jason Zaman

Subject: [refpolicy] [PATCH 2/5] Add key interfaces and perms

On Wed, Nov 01, 2017 at 06:50:12PM -0400, Chris PeBenito wrote:
> On 10/31/2017 01:37 AM, Jason Zaman wrote:
> > diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> > index aa906680..26c90838 100644
> > --- a/policy/modules/services/ssh.if
> > +++ b/policy/modules/services/ssh.if
> > @@ -338,6 +338,8 @@ template(`ssh_role_template',`
> > # for rsync
> > allow ssh_t $3:unix_stream_socket rw_socket_perms;
> > allow ssh_t $3:unix_stream_socket connectto;
> > + allow ssh_t $3:key manage_key_perms;
> > + allow $3 ssh_t:key { write search read view };
>
> Is this second rule really needed? It doesn't seem like there should be
> reverse access.

I dug through fedora's repo git blame and got:

commit e194215de82481660c25adb8715d007f3a59c05f
Author: Dan Walsh <dwalsh@>
Date: Sat Feb 15 02:10:34 2014

Allow domains that transition to ssh_t to manipulate its keyring
---
policy/modules/services/ssh.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index c0413e804..e8dcfa7ff 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -364,7 +364,7 @@ template(`ssh_role_template',`
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
allow ssh_t $3:key manage_key_perms;
- allow $3 ssh_t:key read;
+ allow $3 ssh_t:key { write search read view };


No more info so I guess I'll drop it for now and add it later if
something comes up.

> > diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> > index 11a8ec1c..9b3f3520 100644
> > --- a/policy/modules/system/authlogin.te
> > +++ b/policy/modules/system/authlogin.te
> > @@ -419,6 +419,8 @@ optional_policy(`
> > # nsswitch_domain local policy
> > #
> >
> > +allow nsswitch_domain self:key manage_key_perms;
> > +
> > files_list_var_lib(nsswitch_domain)
> >
> > # read /etc/nsswitch.conf
> > @@ -426,6 +428,8 @@ files_read_etc_files(nsswitch_domain)
> >
> > sysnet_dns_name_resolve(nsswitch_domain)
> >
> > +userdom_manage_all_users_keys(nsswitch_domain)
>
> This needs explanation.

Going through their git logs, it seems to have been a stopgap fix that was
supposed to be removed; I'll drop it too.