This patch goes after my patch for cgroups, hostnamed, and logind. It will
probably mostly work without it but I only ever tested it after the previous
patch.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <[email protected]>
Last-Update: 2017-02-28
Index: refpolicy-2.20170227/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170227/policy/modules/system/systemd.te
@@ -584,15 +670,13 @@ init_pid_filetrans(systemd_resolved_t, s
kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
+auth_use_nsswitch(systemd_resolved_t)
corenet_tcp_bind_generic_node(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_generic_node(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
-auth_use_nsswitch(systemd_resolved_t)
-
seutil_read_file_contexts(systemd_resolved_t)
-
systemd_log_parse_environment(systemd_resolved_t)
optional_policy(`
@@ -604,9 +688,17 @@ optional_policy(`
# Sessions local policy
#
+allow systemd_sessions_t self:process setfscreate;
+
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+selinux_get_enforce_mode(systemd_sessions_t)
+selinux_get_fs_mount(systemd_sessions_t)
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+seutil_read_file_contexts(systemd_sessions_t)
+
systemd_log_parse_environment(systemd_sessions_t)
#########################################
@@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se
# Tmpfiles local policy
#
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
allow systemd_tmpfiles_t self:process { setfscreate getcap };
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+create_relabel_var_lib_log(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_list_home(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
files_read_etc_files(systemd_tmpfiles_t)
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-auth_manage_var_auth(systemd_tmpfiles_t)
-auth_manage_login_records(systemd_tmpfiles_t)
-auth_relabel_login_records(systemd_tmpfiles_t)
-auth_setattr_login_records(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+init_manage_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+init_relabel_utmp(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
# for /run/tmpfiles.d/kmod.conf
modutils_read_var_run_files(systemd_tmpfiles_t)
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
-
+sysnet_create_config(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
@@ -653,3 +785,16 @@ tunable_policy(`systemd_tmpfiles_manage_
files_relabel_non_security_dirs(systemd_tmpfiles_t)
files_relabel_non_security_files(systemd_tmpfiles_t)
')
+
+optional_policy(`
+ dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xserver_create_console_pipes(systemd_tmpfiles_t)
+ xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xfs_create_dirs(systemd_tmpfiles_t)
+')
Index: refpolicy-2.20170227/policy/modules/contrib/xfs.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/contrib/xfs.if
+++ refpolicy-2.20170227/policy/modules/contrib/xfs.if
@@ -21,6 +21,25 @@ interface(`xfs_read_sockets',`
########################################
## <summary>
+## Create xfs temporary dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xfs_create_dirs',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xfs_tmp_t:dir create;
+')
+
+########################################
+## <summary>
## Connect to xfs with a unix
## domain stream socket.
## </summary>
Index: refpolicy-2.20170227/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170227/policy/modules/kernel/files.if
@@ -2760,6 +2760,24 @@ interface(`files_setattr_etc_dirs',`
########################################
## <summary>
+## relabel directories to etc_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir relabelto;
+')
+
+########################################
+## <summary>
## List the contents of /etc directories.
## </summary>
## <param name="domain">
@@ -3811,6 +3829,24 @@ interface(`files_relabelto_home',`
########################################
## <summary>
+## Relabel from user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
## Create objects in /home.
## </summary>
## <param name="domain">
@@ -5709,6 +5745,30 @@ interface(`files_search_var_lib',`
########################################
## <summary>
+## Create and label /var/lib and /var/log
+## </summary>
+## <desc>
+## <p>
+## This allows programs to setup directories under /var
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`create_relabel_var_lib_log',`
+ gen_require(`
+ type var_t, var_lib_t, var_log_t;
+ ')
+
+ allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto manage_dir_perms };
+')
+
+########################################
+## <summary>
## Do not audit attempts to search the
## contents of /var/lib.
## </summary>
@@ -6528,6 +6588,27 @@ interface(`files_dontaudit_ioctl_all_pid
')
########################################
+## <summary>
+## create and manage all pidfile directories
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_manage_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ type var_run_t;
+ ')
+
+ create_dirs_pattern($1,var_run_t,pidfile)
+ allow $1 pidfile:dir manage_dir_perms;
+')
+
+########################################
## <summary>
## manage all pidfile directories
## in the /var/run directory.
Index: refpolicy-2.20170227/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/init.if
+++ refpolicy-2.20170227/policy/modules/system/init.if
@@ -1120,6 +1161,24 @@ interface(`init_manage_var_lib_files',`
########################################
## <summary>
+## relabel dirs in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create files in /var/lib/systemd
## with an automatic type transition.
## </summary>
@@ -2519,6 +2687,24 @@ interface(`init_manage_utmp',`
########################################
## <summary>
+## relabel from/to utmp
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create files in /var/run with the
## utmp file type.
## </summary>
Index: refpolicy-2.20170227/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170227/policy/modules/system/logging.if
@@ -1138,3 +1138,23 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
+
+########################################
+## <summary>
+## setattr for syslogd_tmp_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_set_perms_syslogd_tmp',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
+')
+
Index: refpolicy-2.20170227/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20170227/policy/modules/system/miscfiles.if
@@ -558,6 +558,25 @@ interface(`miscfiles_delete_man_pages',`
########################################
## <summary>
+## relabel man cache
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_cache',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+ relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete man pages
## </summary>
## <param name="domain">
Index: refpolicy-2.20170227/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170227/policy/modules/system/userdomain.if
@@ -2902,6 +2902,24 @@ interface(`userdom_manage_user_runtime_r
########################################
## <summary>
+## relabel to/from user_runtime_root_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create, read, write, and delete user
## runtime dirs.
## </summary>
Index: refpolicy-2.20170227/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170227/policy/modules/services/xserver.if
@@ -806,7 +806,7 @@ interface(`xserver_dbus_chat_xdm',`
gen_require(`
type xdm_t;
class dbus send_msg;
- ')
+ ')
allow $1 xdm_t:dbus send_msg;
allow xdm_t $1:dbus send_msg;
@@ -1525,3 +1525,40 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+
+########################################
+## <summary>
+## Create the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+## <summary>
+## Create xdm_tmp_t directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_dir',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir create;
+')
On 02/28/17 05:30, Russell Coker via refpolicy wrote:
> This patch goes after my patch for cgroups, hostnamed, and logind. It will
> probably mostly work without it but I only ever tested it after the previous
> patch.
A few trivial things.
> Description: systemd-resolved, sessions, and tmpfiles patches
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-02-28
>
> Index: refpolicy-2.20170227/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170227/policy/modules/system/systemd.te
> @@ -584,15 +670,13 @@ init_pid_filetrans(systemd_resolved_t, s
> kernel_read_crypto_sysctls(systemd_resolved_t)
> kernel_read_kernel_sysctls(systemd_resolved_t)
>
> +auth_use_nsswitch(systemd_resolved_t)
> corenet_tcp_bind_generic_node(systemd_resolved_t)
> corenet_tcp_bind_llmnr_port(systemd_resolved_t)
> corenet_udp_bind_generic_node(systemd_resolved_t)
> corenet_udp_bind_llmnr_port(systemd_resolved_t)
>
> -auth_use_nsswitch(systemd_resolved_t)
> -
> seutil_read_file_contexts(systemd_resolved_t)
> -
> systemd_log_parse_environment(systemd_resolved_t)
>
> optional_policy(`
> @@ -604,9 +688,17 @@ optional_policy(`
> # Sessions local policy
> #
>
> +allow systemd_sessions_t self:process setfscreate;
> +
> allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> +selinux_get_enforce_mode(systemd_sessions_t)
> +selinux_get_fs_mount(systemd_sessions_t)
> +seutil_read_config(systemd_sessions_t)
> +seutil_read_default_contexts(systemd_sessions_t)
> +seutil_read_file_contexts(systemd_sessions_t)
> +
> systemd_log_parse_environment(systemd_sessions_t)
>
> #########################################
> @@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se
> # Tmpfiles local policy
> #
>
> -allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
> +allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
> allow systemd_tmpfiles_t self:process { setfscreate getcap };
>
> +allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
> +
> +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
> +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
> +
> manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
> allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
>
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> +kernel_read_network_state(systemd_tmpfiles_t)
>
> +auth_manage_faillog(systemd_tmpfiles_t)
> +auth_manage_login_records(systemd_tmpfiles_t)
> +auth_manage_var_auth(systemd_tmpfiles_t)
> +auth_relabel_login_records(systemd_tmpfiles_t)
> +auth_setattr_login_records(systemd_tmpfiles_t)
> +create_relabel_var_lib_log(systemd_tmpfiles_t)
> +dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> +dev_read_urand(systemd_tmpfiles_t)
> dev_relabel_all_sysfs(systemd_tmpfiles_t)
> dev_read_urand(systemd_tmpfiles_t)
> dev_manage_all_dev_nodes(systemd_tmpfiles_t)
>
> +files_create_lock_dirs(systemd_tmpfiles_t)
> +files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
> +files_delete_usr_files(systemd_tmpfiles_t)
> +files_list_home(systemd_tmpfiles_t)
> +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
> +files_purge_tmp(systemd_tmpfiles_t)
> files_read_etc_files(systemd_tmpfiles_t)
> files_relabel_all_lock_dirs(systemd_tmpfiles_t)
> files_relabel_all_pid_dirs(systemd_tmpfiles_t)
> files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
>
> -auth_manage_var_auth(systemd_tmpfiles_t)
> -auth_manage_login_records(systemd_tmpfiles_t)
> -auth_relabel_login_records(systemd_tmpfiles_t)
> -auth_setattr_login_records(systemd_tmpfiles_t)
> +files_relabelfrom_home(systemd_tmpfiles_t)
> +files_relabelto_home(systemd_tmpfiles_t)
> +files_relabelto_etc_dirs(systemd_tmpfiles_t)
> +# for /etc/mtab
> +files_manage_etc_symlinks(systemd_tmpfiles_t)
> +fs_getattr_xattr_fs(systemd_tmpfiles_t)
> +
> +init_manage_utmp(systemd_tmpfiles_t)
> +init_manage_var_lib_files(systemd_tmpfiles_t)
> +# for /proc/1/environ
> +init_read_state(systemd_tmpfiles_t)
> +
> +init_relabel_utmp(systemd_tmpfiles_t)
> +init_relabel_var_lib_dirs(systemd_tmpfiles_t)
> +logging_manage_generic_logs(systemd_tmpfiles_t)
> +logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
> +miscfiles_manage_man_pages(systemd_tmpfiles_t)
> +miscfiles_relabel_man_cache(systemd_tmpfiles_t)
>
> # for /run/tmpfiles.d/kmod.conf
> modutils_read_var_run_files(systemd_tmpfiles_t)
>
> +selinux_get_fs_mount(systemd_tmpfiles_t)
> +selinux_search_fs(systemd_tmpfiles_t)
> +seutil_read_config(systemd_tmpfiles_t)
> seutil_read_file_contexts(systemd_tmpfiles_t)
Several of the block above could use more blank lines.
> +sysnet_create_config(systemd_tmpfiles_t)
> systemd_log_parse_environment(systemd_tmpfiles_t)
>
> +userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
> +userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
> +
> tunable_policy(`systemd_tmpfiles_manage_all',`
> # systemd-tmpfiles can be configured to manage anything.
> # have a last-resort option for users to do this.
> @@ -653,3 +785,16 @@ tunable_policy(`systemd_tmpfiles_manage_
> files_relabel_non_security_dirs(systemd_tmpfiles_t)
> files_relabel_non_security_files(systemd_tmpfiles_t)
> ')
> +
> +optional_policy(`
> + dbus_read_lib_files(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
> + xserver_create_console_pipes(systemd_tmpfiles_t)
> + xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
> + xfs_create_dirs(systemd_tmpfiles_t)
> +')
This block is out of order
> Index: refpolicy-2.20170227/policy/modules/contrib/xfs.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/contrib/xfs.if
> +++ refpolicy-2.20170227/policy/modules/contrib/xfs.if
> @@ -21,6 +21,25 @@ interface(`xfs_read_sockets',`
>
> ########################################
> ## <summary>
> +## Create xfs temporary dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xfs_create_dirs',`
> + gen_require(`
> + type xfs_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + allow $1 xfs_tmp_t:dir create;
> +')
> +
> +########################################
> +## <summary>
> ## Connect to xfs with a unix
> ## domain stream socket.
> ## </summary>
> Index: refpolicy-2.20170227/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170227/policy/modules/kernel/files.if
> @@ -2760,6 +2760,24 @@ interface(`files_setattr_etc_dirs',`
>
> ########################################
> ## <summary>
> +## relabel directories to etc_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_relabelto_etc_dirs',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:dir relabelto;
> +')
> +
> +########################################
> +## <summary>
> ## List the contents of /etc directories.
> ## </summary>
> ## <param name="domain">
> @@ -3811,6 +3829,24 @@ interface(`files_relabelto_home',`
>
> ########################################
> ## <summary>
> +## Relabel from user home root (/home).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_relabelfrom_home',`
> + gen_require(`
> + type home_root_t;
> + ')
> +
> + allow $1 home_root_t:dir relabelfrom;
> +')
> +
> +########################################
> +## <summary>
> ## Create objects in /home.
> ## </summary>
> ## <param name="domain">
> @@ -5709,6 +5745,30 @@ interface(`files_search_var_lib',`
>
> ########################################
> ## <summary>
> +## Create and label /var/lib and /var/log
> +## </summary>
> +## <desc>
> +## <p>
> +## This allows programs to setup directories under /var
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`create_relabel_var_lib_log',`
> + gen_require(`
> + type var_t, var_lib_t, var_log_t;
> + ')
> +
> + allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto manage_dir_perms };
> +')
This needs to be broken up by type and also relabelto/from vs.
manage_dir_perms.
> +########################################
> +## <summary>
> ## Do not audit attempts to search the
> ## contents of /var/lib.
> ## </summary>
> @@ -6528,6 +6588,27 @@ interface(`files_dontaudit_ioctl_all_pid
> ')
>
> ########################################
> +## <summary>
> +## create and manage all pidfile directories
> +## in the /var/run directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_manage_all_pid_dirs',`
> + gen_require(`
> + attribute pidfile;
> + type var_run_t;
> + ')
> +
> + create_dirs_pattern($1,var_run_t,pidfile)
> + allow $1 pidfile:dir manage_dir_perms;
> +')
I'm confused about what this interface is intending. Create is a subset
of manage.
> +########################################
> ## <summary>
> ## manage all pidfile directories
> ## in the /var/run directory.
> Index: refpolicy-2.20170227/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170227/policy/modules/system/init.if
> @@ -1120,6 +1161,24 @@ interface(`init_manage_var_lib_files',`
>
> ########################################
> ## <summary>
> +## relabel dirs in /var/lib/systemd/.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_relabel_var_lib_dirs',`
> + gen_require(`
> + type init_var_lib_t;
> + ')
> +
> + allow $1 init_var_lib_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +## <summary>
> ## Create files in /var/lib/systemd
> ## with an automatic type transition.
> ## </summary>
> @@ -2519,6 +2687,24 @@ interface(`init_manage_utmp',`
>
> ########################################
> ## <summary>
> +## relabel from/to utmp
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_relabel_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + allow $1 initrc_var_run_t:file { relabelfrom relabelto };
> +')
> +
> +########################################
> +## <summary>
> ## Create files in /var/run with the
> ## utmp file type.
> ## </summary>
> Index: refpolicy-2.20170227/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170227/policy/modules/system/logging.if
> @@ -1138,3 +1138,23 @@ interface(`logging_admin',`
> logging_admin_audit($1, $2)
> logging_admin_syslog($1, $2)
> ')
> +
> +########################################
> +## <summary>
> +## setattr for syslogd_tmp_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`logging_set_perms_syslogd_tmp',`
> + gen_require(`
> + type syslogd_tmp_t;
> + ')
> +
> + allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
> +')
Please split out the setattr and separate dir/file.
> Index: refpolicy-2.20170227/policy/modules/system/miscfiles.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/miscfiles.if
> +++ refpolicy-2.20170227/policy/modules/system/miscfiles.if
> @@ -558,6 +558,25 @@ interface(`miscfiles_delete_man_pages',`
>
> ########################################
> ## <summary>
> +## relabel man cache
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`miscfiles_relabel_man_cache',`
> + gen_require(`
> + type man_cache_t;
> + ')
> +
> + relabel_dirs_pattern($1, man_cache_t, man_cache_t)
> + relabel_files_pattern($1, man_cache_t, man_cache_t)
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete man pages
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170227/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170227/policy/modules/system/userdomain.if
> @@ -2902,6 +2902,24 @@ interface(`userdom_manage_user_runtime_r
>
> ########################################
> ## <summary>
> +## relabel to/from user_runtime_root_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_relabel_user_runtime_root_dirs',`
> + gen_require(`
> + type user_runtime_root_t;
> + ')
> +
> + allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete user
> ## runtime dirs.
> ## </summary>
> Index: refpolicy-2.20170227/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170227/policy/modules/services/xserver.if
> @@ -806,7 +806,7 @@ interface(`xserver_dbus_chat_xdm',`
> gen_require(`
> type xdm_t;
> class dbus send_msg;
> - ')
> + ')
>
> allow $1 xdm_t:dbus send_msg;
> allow xdm_t $1:dbus send_msg;
> @@ -1525,3 +1525,40 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +
> +########################################
> +## <summary>
> +## Create the X windows console named pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_create_console_pipes',`
> + gen_require(`
> + type xconsole_device_t;
> + ')
> +
> + allow $1 xconsole_device_t:fifo_file create;
> +')
> +
> +########################################
> +## <summary>
> +## Create xdm_tmp_t directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to allow
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_create_xdm_tmp_dir',`
> + gen_require(`
> + type xdm_tmp_t;
> + ')
> +
> + allow $1 xdm_tmp_t:dir create;
> +')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
On Saturday, 4 March 2017 7:15:08 AM AEDT Chris PeBenito via refpolicy wrote:
> > @@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se
> >
> > # Tmpfiles local policy
> > #
> >
> > -allow systemd_tmpfiles_t self:capability { chown dac_override fowner
> > fsetid mknod }; +allow systemd_tmpfiles_t self:capability { chown
> > dac_override fowner fsetid mknod net_admin sys_admin };>
> > allow systemd_tmpfiles_t self:process { setfscreate getcap };
> >
> > +allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom
> > relabelto manage_file_perms }; +
> > +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom
> > relabelto manage_dir_perms }; +allow systemd_tmpfiles_t
> > systemd_coredump_var_lib_t:file manage_file_perms; +
> >
> > manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t,
> > systemd_journal_t) manage_files_pattern(systemd_tmpfiles_t,
> > systemd_journal_t, systemd_journal_t) allow systemd_tmpfiles_t
> > systemd_journal_t:dir { relabelfrom relabelto }; allow
> > systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
> >
> > kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> >
> > +kernel_read_network_state(systemd_tmpfiles_t)
> >
> > +auth_manage_faillog(systemd_tmpfiles_t)
> > +auth_manage_login_records(systemd_tmpfiles_t)
> > +auth_manage_var_auth(systemd_tmpfiles_t)
> > +auth_relabel_login_records(systemd_tmpfiles_t)
> > +auth_setattr_login_records(systemd_tmpfiles_t)
> > +create_relabel_var_lib_log(systemd_tmpfiles_t)
> > +dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> > +dev_read_urand(systemd_tmpfiles_t)
> >
> > dev_relabel_all_sysfs(systemd_tmpfiles_t)
> > dev_read_urand(systemd_tmpfiles_t)
> > dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> >
> > +files_create_lock_dirs(systemd_tmpfiles_t)
> > +files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
> > +files_delete_usr_files(systemd_tmpfiles_t)
> > +files_list_home(systemd_tmpfiles_t)
> > +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
> > +files_purge_tmp(systemd_tmpfiles_t)
> >
> > files_read_etc_files(systemd_tmpfiles_t)
> > files_relabel_all_lock_dirs(systemd_tmpfiles_t)
> > files_relabel_all_pid_dirs(systemd_tmpfiles_t)
> > files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
> >
> > -auth_manage_var_auth(systemd_tmpfiles_t)
> > -auth_manage_login_records(systemd_tmpfiles_t)
> > -auth_relabel_login_records(systemd_tmpfiles_t)
> > -auth_setattr_login_records(systemd_tmpfiles_t)
> > +files_relabelfrom_home(systemd_tmpfiles_t)
> > +files_relabelto_home(systemd_tmpfiles_t)
> > +files_relabelto_etc_dirs(systemd_tmpfiles_t)
> > +# for /etc/mtab
> > +files_manage_etc_symlinks(systemd_tmpfiles_t)
> > +fs_getattr_xattr_fs(systemd_tmpfiles_t)
> > +
> > +init_manage_utmp(systemd_tmpfiles_t)
> > +init_manage_var_lib_files(systemd_tmpfiles_t)
> > +# for /proc/1/environ
> > +init_read_state(systemd_tmpfiles_t)
> > +
> > +init_relabel_utmp(systemd_tmpfiles_t)
> > +init_relabel_var_lib_dirs(systemd_tmpfiles_t)
> > +logging_manage_generic_logs(systemd_tmpfiles_t)
> > +logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
> > +miscfiles_manage_man_pages(systemd_tmpfiles_t)
> > +miscfiles_relabel_man_cache(systemd_tmpfiles_t)
> >
> > # for /run/tmpfiles.d/kmod.conf
> > modutils_read_var_run_files(systemd_tmpfiles_t)
> >
> > +selinux_get_fs_mount(systemd_tmpfiles_t)
> > +selinux_search_fs(systemd_tmpfiles_t)
> > +seutil_read_config(systemd_tmpfiles_t)
> >
> > seutil_read_file_contexts(systemd_tmpfiles_t)
>
> Several of the block above could use more blank lines.
Which ones?
> > +
> > +optional_policy(`
> > + dbus_read_lib_files(systemd_tmpfiles_t)
> > +')
> > +
> > +optional_policy(`
> > + xserver_create_console_pipes(systemd_tmpfiles_t)
> > + xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
> > +')
> > +
> > +optional_policy(`
> > + xfs_create_dirs(systemd_tmpfiles_t)
> > +')
>
> This block is out of order
OK.
> > +interface(`create_relabel_var_lib_log',`
> > + gen_require(`
> > + type var_t, var_lib_t, var_log_t;
> > + ')
> > +
> > + allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto
> > manage_dir_perms }; +')
>
> This needs to be broken up by type and also relabelto/from vs.
> manage_dir_perms.
OK.
> > +## <summary>
> > +## create and manage all pidfile directories
> > +## in the /var/run directory.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_create_manage_all_pid_dirs',`
> > + gen_require(`
> > + attribute pidfile;
> > + type var_run_t;
> > + ')
> > +
> > + create_dirs_pattern($1,var_run_t,pidfile)
> > + allow $1 pidfile:dir manage_dir_perms;
> > +')
>
> I'm confused about what this interface is intending. Create is a subset
> of manage.
OK, renamed.
> > +########################################
> > +## <summary>
> > +## setattr for syslogd_tmp_t
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`logging_set_perms_syslogd_tmp',`
> > + gen_require(`
> > + type syslogd_tmp_t;
> > + ')
> > +
> > + allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
> > +')
>
> Please split out the setattr and separate dir/file.
OK.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/