2017-02-14 06:41:40

by Russell Coker

Subject: [refpolicy] [PATCH] dpkg related patches

The following patch has all the latest dpkg.te policy taken from several
patch files in the Debian package, so there are more rules than in the previous
patch I sent. It also has init.if, unconfined.if, and dirmngr.if changes for
dpkg systemd support and changing password support; the interfaces in question
are also used by other modules in my tree, and I'll send patches for that later.

It removes the TODO block discussed previously as well as some other access
that dpkg_t no longer needs.

It allows bootloader_t to read dpkg and apt configuration due to Debian
scripts for configuring kernels running as bootloader_t and needing access
to the package configuration.

There is a change to usermanage.te to support dpkg creating users and setting
passwords etc (passwd -L etc).

There is a change to userdomain.te to allow regular users to list the packages
installed. This is mainly for dpkg-buildpackage but there's lots of other
reasons to allow this.

Finally I made some adjtime references optional, as I needed to do that to
make the policy even build for me.

Please apply this to git.


Index: refpolicy-2.20170214/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170214/policy/modules/contrib/dpkg.te
@@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
domain_interactive_fd(dpkg_script_t)
role dpkg_roles types dpkg_script_t;

+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)

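Review bot: the two added rules need a comment saying which files they are for, and domain_entry_file(dpkg_script_t, dpkg_var_lib_t) makes every file labelled dpkg_var_lib_t an entrypoint for dpkg_script_t, not only the per-package maintainer scripts; a dedicated type for the scripts under /var/lib/dpkg/info would keep the entrypoint narrow.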
@@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)

-corecmd_exec_all_executables(dpkg_t)
-
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
@@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)

userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)

dpkg_domtrans_script(dpkg_t)

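Review bot: userdom_use_all_users_fds(dpkg_t) subsumes userdom_use_unpriv_users_fds(dpkg_t) on the line above it; drop the narrower call or say why both are kept.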
@@ -176,18 +178,10 @@ optional_policy(`
unconfined_domain(dpkg_t)
')

-# TODO: the following was copied from dpkg_script_t, and could probably
-# be removed again when dpkg_script_t is actually used...
-domain_signal_all_domains(dpkg_t)
-domain_signull_all_domains(dpkg_t)
-files_read_etc_runtime_files(dpkg_t)
-files_exec_usr_files(dpkg_t)
-miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-seutil_run_setfiles(dpkg_t, dpkg_roles)
-userdom_use_all_users_fds(dpkg_t)
+optional_policy(`
+ modutils_run_depmod(dpkg_t, dpkg_roles)
+ modutils_run_insmod(dpkg_t, dpkg_roles)
+')

optional_policy(`
mta_send_mail(dpkg_t)
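Review bot: the TODO block goes, but modutils_run_depmod()/modutils_run_insmod() for dpkg_t survive in a new optional_policy block. The commit message should say whether dpkg_t itself runs depmod/insmod, since dpkg_script_t gets the same calls later in this patch; if only the maintainer scripts need them, this block can go as well.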
@@ -202,8 +196,8 @@ optional_policy(`
# Script Local policy
#

-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setfcap setgid setuid net_admin ipc_lock sys_ptrace sys_chroot sys_nice mknod setfcap };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
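Review bot: setfcap is listed twice in the new capability set; drop the duplicate. The set also gains audit_write, net_admin, setfcap and sys_ptrace, and removing setfscreate from the negated process set silently grants it; each of those is a real privilege increase for maintainer scripts and needs a line in the commit message (audit_write belongs with logging_send_audit_msgs() rather than a bare capability rule).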
@@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;

allow dpkg_script_t dpkg_tmp_t:file read_file_perms;

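Review bot: the netlink_audit_socket rule ({ create_netlink_socket_perms nlmsg_relay }) together with the audit_write capability from the previous hunk is exactly what logging_send_audit_msgs() grants, and this patch already calls that interface for init_t in init.te; use it here instead of open-coding the rules. The udp_socket rule needs a comment saying which maintainer script needs a UDP socket.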
@@ -231,8 +227,10 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s
kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)

+auth_manage_shadow(dpkg_script_t)
corecmd_exec_all_executables(dpkg_script_t)

+dev_null_manage_service(dpkg_script_t)
dev_list_sysfs(dpkg_script_t)
# Use named file transition to fix this
# dev_manage_generic_blk_files(dpkg_script_t)
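Review bot: auth_manage_shadow(dpkg_script_t) gives every maintainer script write access to /etc/shadow, while the same patch adds usermanage_domtrans_passwd(dpkg_script_t) so that password changes go through passwd_t. If the transition covers the "passwd -L" cases from the cover letter, the direct shadow access should not be needed; if it is needed, say which script writes shadow directly.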
@@ -267,17 +265,26 @@ selinux_compute_access_vector(dpkg_scrip
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)

storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)

term_use_all_terms(dpkg_script_t)

-auth_dontaudit_getattr_shadow(dpkg_script_t)
files_manage_non_auth_files(dpkg_script_t)

init_all_labeled_script_domtrans(dpkg_script_t)
+init_get_generic_units_status(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
+init_status(dpkg_script_t)
+init_start_generic_units(dpkg_script_t)
+init_stop_generic_units(dpkg_script_t)
+init_reload(dpkg_script_t)
+init_system_stop(dpkg_script_t)
+init_telinit(dpkg_script_t)
+initrc_manage_service(dpkg_script_t)
+init_script_service_restart(dpkg_script_t)

libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
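Review bot: init_system_stop() and init_telinit() let maintainer scripts stop the system or change runlevel, which is far broader than restarting the package's own service and needs a justification in the commit message. init_script_service_restart() (start/status/stop on every init_script_file_type) subsumes initrc_manage_service() (the same permissions on initrc_exec_t alone) if initrc_exec_t carries that attribute, so one of the two can go; and init_system_start() is added to init.if by this patch but never called.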
@@ -287,13 +294,20 @@ logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
+optional_policy(`
+ dirmngr_service_manage(dpkg_script_t)
+')
+
+optional_policy(`
+ modutils_run_depmod(dpkg_script_t, dpkg_roles)
+ modutils_run_insmod(dpkg_script_t, dpkg_roles)
+')

seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
seutil_run_setfiles(dpkg_script_t, dpkg_roles)

userdom_use_all_users_fds(dpkg_script_t)
+usermanage_domtrans_passwd(dpkg_script_t)

tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem;
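Review bot: usermanage_domtrans_passwd(dpkg_script_t) transitions to passwd_t without associating it with dpkg_roles; usermanage_run_passwd(dpkg_script_t, dpkg_roles) does both, and makes the permit_in_unconfined_r(passwd_t) workaround in usermanage.te unnecessary. The two new optional_policy blocks (dirmngr, modutils) are also inserted in the middle of the unconditional rules; refpolicy keeps a domain's optional_policy blocks together at the end of its section, sorted by module.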
@@ -317,6 +331,11 @@ optional_policy(`
')

optional_policy(`
+ systemd_logind_read_process_state(dpkg_script_t)
+ systemd_dbus_chat_logind(dpkg_script_t)
+')
+
+optional_policy(`
unconfined_domain(dpkg_script_t)
')

Index: refpolicy-2.20170214/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20170214/policy/modules/admin/bootloader.te
@@ -149,6 +149,11 @@ ifdef(`distro_debian',`
fstools_relabelto_entry_files(bootloader_t)

libs_relabelto_lib_files(bootloader_t)
+
+ # for apt-cache
+ dpkg_read_db(bootloader_t)
+ apt_read_db(bootloader_t)
+ apt_read_cache(bootloader_t)
')

ifdef(`distro_redhat',`
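Review bot: dpkg_read_db(), apt_read_db() and apt_read_cache() come from the dpkg and apt contrib modules, so inside bootloader.te they must be wrapped in optional_policy(); the distro_debian ifdef alone does not guarantee those modules are built, and without the wrapper the build fails when either module is absent.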
Index: refpolicy-2.20170214/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20170214/policy/modules/admin/usermanage.te
@@ -360,6 +360,12 @@ optional_policy(`
nscd_run(passwd_t, passwd_roles)
')

+optional_policy(`
+ # for dpkg to create users
+ permit_in_unconfined_r(passwd_t)
+ unconfined_use_fds(passwd_t)
+')
+
########################################
#
# Password admin local policy
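Review bot: permit_in_unconfined_r(passwd_t) and unconfined_use_fds(passwd_t) fix the role problem from the wrong side: passwd_t should be associated with the caller's roles by having dpkg call usermanage_run_passwd(dpkg_script_t, dpkg_roles), after which neither of these calls is needed and passwd_t does not have to be added to unconfined_r.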
Index: refpolicy-2.20170214/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/system/init.if
+++ refpolicy-2.20170214/policy/modules/system/init.if
@@ -809,6 +809,42 @@ interface(`init_udp_send',`

########################################
## <summary>
+## start service (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_system_start',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system start;
+')
+
+########################################
+## <summary>
+## stop service (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_system_stop',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system stop;
+')
+
+########################################
+## <summary>
## Get all service status (systemd).
## </summary>
## <param name="domain">
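Review bot: the summaries "start service (systemd)" and "stop service (systemd)" are misleading: the rules grant start and stop on init_t's system object class, which is not a per-service permission, so describe what the permission actually controls. Since start and stop on the system class are userspace permissions, consider listing them in gen_require() (class system { start stop }) as for the service class. init_system_start() is also not used anywhere in this patch.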
@@ -2514,3 +2550,57 @@ interface(`init_reload_all_units',`

allow $1 systemdunit:service reload;
')
+
+########################################
+## <summary>
+## Start and stop init_script_file_type services
+## </summary>
+## <param name="domain">
+## <summary>
+## domain that can start and stop the services
+## </summary>
+## </param>
+#
+interface(`init_script_service_restart',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ allow $1 init_script_file_type:service { start status stop };
+')
+
+########################################
+## <summary>
+## Get the system status information from init
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_status',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+## Allow manage service for initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+## <summary>
+## Target domain
+## </summary>
+## </param>
+#
+interface(`initrc_manage_service',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ allow $1 initrc_exec_t:service { start stop status };
+')
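Review bot: interface names should follow <module>_<verb>_<object> (for example init_restart_script_service()), and initrc_manage_service() lacks the init_ module prefix altogether. Its "manage" summary also overstates what is granted (start, stop, status; no reload). Both service-class interfaces need class service { start status stop } in gen_require(), because service is a userspace class.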
Index: refpolicy-2.20170214/policy/modules/system/userdomain.te
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/system/userdomain.te
+++ refpolicy-2.20170214/policy/modules/system/userdomain.te
@@ -70,6 +70,10 @@ attribute admindomain;
# all user domains
attribute userdomain;

+ifdef(`distro_debian', `
+ dpkg_read_db(userdomain)
+')
+
# unprivileged user domains
attribute unpriv_userdomain;

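Review bot: dpkg_read_db() comes from the dpkg contrib module, so this call needs optional_policy() in addition to the distro_debian ifdef, or the build breaks when the dpkg module is not enabled. Granting it on the userdomain attribute also reaches admin and system user domains; the cover letter's use case (regular users running dpkg-buildpackage) fits the user templates, such as userdom_common_user_template(), better than the bare attribute.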
Index: refpolicy-2.20170214/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170214/policy/modules/kernel/devices.if
@@ -3260,6 +3260,25 @@ interface(`dev_create_null_dev',`

########################################
## <summary>
+## Manage services with script type null_device_t for when
+## /lib/systemd/system/something.service is a link to /dev/null
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_null_manage_service',`
+ gen_require(`
+ type null_device_t;
+ ')
+
+ allow $1 null_device_t:service { status start stop reload };
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
## </summary>
Index: refpolicy-2.20170214/policy/modules/contrib/dirmngr.if
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/contrib/dirmngr.if
+++ refpolicy-2.20170214/policy/modules/contrib/dirmngr.if
@@ -2,6 +2,25 @@

########################################
## <summary>
+## Allow a domain to restart dirmngr
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dirmngr_service_manage',`
+ gen_require(`
+ type dirmngr_initrc_exec_t;
+ ')
+
+ allow $1 dirmngr_initrc_exec_t:service { status start stop };
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dirmngr environment.
## </summary>
Index: refpolicy-2.20170214/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170214/policy/modules/system/systemd.if
@@ -190,3 +190,22 @@ interface(`systemd_start_power_units',`

allow $1 power_unit_t:service start;
')
+
+########################################
+## <summary>
+## Allow systemd_logind_t to read process state for cgroup file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain systemd_logind_t may access.
+## </summary>
+## </param>
+#
+interface(`systemd_logind_read_process_state',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow systemd_logind_t $1:dir list_dir_perms;
+ allow systemd_logind_t $1:file read_file_perms;
+')
Index: refpolicy-2.20170214/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170214/policy/modules/system/unconfined.if
@@ -319,6 +319,23 @@ interface(`unconfined_run_to',`

########################################
## <summary>
+## Allow the specified domain to be in the unconfined role
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to permit in unconfined_r
+## </summary>
+## </param>
+#
+interface(`permit_in_unconfined_r',`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types $1;
+')
+
+########################################
+## <summary>
## Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
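Review bot: permit_in_unconfined_r() lacks the unconfined_ module prefix required of interfaces in unconfined.if, and it adds any caller to unconfined_r, which is the wrong fix for a role association: the domain that transitions to $1 should use a *_run_* interface with its own roles. If the interface stays, the summary should warn that it widens unconfined_r.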
Index: refpolicy-2.20170214/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170214.orig/policy/modules/system/init.te
+++ refpolicy-2.20170214/policy/modules/system/init.te
@@ -277,7 +277,9 @@ ifdef(`init_systemd',`

term_relabel_pty_dirs(init_t)

- clock_read_adjtime(init_t)
+ optional_policy(`
+ clock_read_adjtime(init_t)
+ ')

logging_manage_pid_sockets(init_t)
logging_send_audit_msgs(init_t)
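Review bot: wrapping clock_read_adjtime(init_t) in optional_policy() in the middle of the unconditional rules leaves it orphaned; move the block down to the other init_t optional_policy blocks inside the ifdef. The cover letter says this was needed to build at all, which suggests the clock module is missing from modules.conf rather than that the rule should be optional; worth confirming before making it conditional.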
@@ -628,7 +630,9 @@ ifdef(`distro_gentoo',`
files_mountpoint(initrc_state_t)

# init scripts touch this
- clock_dontaudit_write_adjtime(initrc_t)
+ optional_policy(`
+ clock_dontaudit_write_adjtime(initrc_t)
+ ')

logging_send_audit_msgs(initrc_t)

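Review bot: this hunk is inside ifdef(`distro_gentoo') (see the hunk header), so the change only affects Gentoo builds and cannot be what fixed the Debian build; confirm it is intended, and if it is kept, move the optional_policy block with the other initrc_t optionals rather than leaving it among the unconditional rules.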


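An added example, not code from the thread or from refpolicy: a small Python checker that re-derives what the dpkg_script_t capability and process rule changes in the dpkg.te hunk above actually grant, handling the negated ~{ } form (where removing a permission is a grant) and flagging permissions listed twice. The four rule lines are copied from the patch; the parser and its findings format are constructed here.

```python
"""Permission-set checker for bracketed SELinux 'allow' rules changed in a patch.

Added example, not part of the thread or of refpolicy.  Given the removed and
added forms of an allow rule, it reports what the change really grants or
revokes, taking the '~{ ... }' (everything-except) form into account, and
flags permissions listed twice.
"""
import re
from dataclasses import dataclass

# allow <src> <tgt>:<class> [~]{ perm ... };
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<neg>~?)\{(?P<perms>[^}]*)\}\s*;$"
)


@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    tclass: str
    negated: bool   # True for ~{ ... }: listed perms are the ones NOT granted
    perms: tuple    # as written, duplicates preserved

    @property
    def key(self):
        return (self.source, self.target, self.tclass)


def parse_allow(line):
    """Parse one bracketed allow rule; a leading '+'/'-' diff marker is tolerated."""
    text = line.strip()
    if text and text[0] in "+-":
        text = text[1:].strip()
    m = ALLOW_RE.match(text)
    if m is None:
        raise ValueError(f"not a bracketed allow rule: {line!r}")
    return Rule(m["src"], m["tgt"], m["cls"], m["neg"] == "~",
                tuple(m["perms"].split()))


def duplicates(rule):
    """Permissions listed more than once, in first-seen order."""
    seen, dups = set(), []
    for p in rule.perms:
        if p in seen and p not in dups:
            dups.append(p)
        seen.add(p)
    return dups


def granted_delta(old, new):
    """Return (newly_granted, newly_revoked) between two rules on the same key.

    A plain set lists what is granted, so perms added to it are grants.
    A negated set lists what is withheld, so a perm removed from ~{...} is a
    grant and a perm added to it is a revocation.  Comparing a plain set with
    a negated one needs the class's full permission list, so it is rejected.
    """
    if old.key != new.key:
        raise ValueError("rules do not share source/target/class")
    if old.negated != new.negated:
        raise ValueError("cannot compare a plain set with a negated set")
    o, n = set(old.perms), set(new.perms)
    if old.negated:
        return o - n, n - o
    return n - o, o - n


def review(removed_lines, added_lines):
    """Pair '-' and '+' rules by (source, target, class) and list findings."""
    old = {r.key: r for r in map(parse_allow, removed_lines)}
    new = {r.key: r for r in map(parse_allow, added_lines)}
    findings = []
    for key, rule in new.items():
        label = f"{key[0]} {key[1]}:{key[2]}"
        for p in duplicates(rule):
            findings.append(f"{label}: '{p}' listed twice")
        if key in old:
            granted, revoked = granted_delta(old[key], rule)
            for p in sorted(granted):
                findings.append(f"{label}: now grants '{p}'")
            for p in sorted(revoked):
                findings.append(f"{label}: no longer grants '{p}'")
    return findings


# The four rule lines of the dpkg_script_t hunk, copied from the patch above.
REMOVED = [
    "-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };",
    "-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };",
]
ADDED = [
    "+allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setfcap setgid setuid net_admin ipc_lock sys_ptrace sys_chroot sys_nice mknod setfcap };",
    "+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };",
]

if __name__ == "__main__":
    for finding in review(REMOVED, ADDED):
        print(finding)
```

Run against the hunk it reports the duplicated setfcap, the four new capabilities, and the setfscreate grant hidden in the shortened negated set.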
2017-02-16 00:08:13

by Chris PeBenito

Subject: [refpolicy] [PATCH] dpkg related patches

On 02/14/17 01:41, Russell Coker via refpolicy wrote:
> The following patch has all the latest dpkg.te policy taken from several
> patch files in the Debian package, so there are more rules than in the previous
> patch I sent. It also has init.if, unconfined.if, and dirmngr.if changes for
> dpkg systemd support and changing password support; the interfaces in question
> are also used by other modules in my tree, and I'll send patches for that later.
>
> It removes the TODO block discussed previously as well as some other access
> that dpkg_t no longer needs.
>
> It allows bootloader_t to read dpkg and apt configuration due to Debian
> scripts for configuring kernels running as bootloader_t and needing access
> to the package configuration.
>
> There is a change to usermanage.te to support dpkg creating users and setting
> passwords etc (passwd -L etc).
>
> There is a change to userdomain.te to allow regular users to list the packages
> installed. This is mainly for dpkg-buildpackage but there's lots of other
> reasons to allow this.
>
> Finally I made some adjtime references optional, as I needed to do that to
> make the policy even build for me.
>
> Please apply this to git.
>
>
> Index: refpolicy-2.20170214/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170214/policy/modules/contrib/dpkg.te
> @@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
> domain_interactive_fd(dpkg_script_t)
> role dpkg_roles types dpkg_script_t;
>
> +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
> +domain_entry_file(dpkg_script_t, dpkg_var_lib_t)

What are these files? I don't know dpkg, but this seems odd.

> type dpkg_script_tmp_t;
> files_tmp_file(dpkg_script_tmp_t)
>
> @@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
> kernel_read_system_state(dpkg_t)
> kernel_read_kernel_sysctls(dpkg_t)
>
> -corecmd_exec_all_executables(dpkg_t)
> -
> corenet_all_recvfrom_unlabeled(dpkg_t)
> corenet_all_recvfrom_netlabel(dpkg_t)
> corenet_tcp_sendrecv_generic_if(dpkg_t)
> @@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)
>
> userdom_use_user_terminals(dpkg_t)
> userdom_use_unpriv_users_fds(dpkg_t)
> +userdom_use_all_users_fds(dpkg_t)
>
> dpkg_domtrans_script(dpkg_t)
>
> @@ -176,18 +178,10 @@ optional_policy(`
> unconfined_domain(dpkg_t)
> ')
>
> -# TODO: the following was copied from dpkg_script_t, and could probably
> -# be removed again when dpkg_script_t is actually used...
> -domain_signal_all_domains(dpkg_t)
> -domain_signull_all_domains(dpkg_t)
> -files_read_etc_runtime_files(dpkg_t)
> -files_exec_usr_files(dpkg_t)
> -miscfiles_read_localization(dpkg_t)
> -modutils_run_depmod(dpkg_t, dpkg_roles)
> -modutils_run_insmod(dpkg_t, dpkg_roles)
> -seutil_run_loadpolicy(dpkg_t, dpkg_roles)
> -seutil_run_setfiles(dpkg_t, dpkg_roles)
> -userdom_use_all_users_fds(dpkg_t)
> +optional_policy(`
> + modutils_run_depmod(dpkg_t, dpkg_roles)
> + modutils_run_insmod(dpkg_t, dpkg_roles)
> +')
>
> optional_policy(`
> mta_send_mail(dpkg_t)
> @@ -202,8 +196,8 @@ optional_policy(`
> # Script Local policy
> #
>
> -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
> -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> +allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setfcap setgid setuid net_admin ipc_lock sys_ptrace sys_chroot sys_nice mknod setfcap };
> +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
> allow dpkg_script_t self:fd use;
> allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
> allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
> @@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_
> allow dpkg_script_t self:sem create_sem_perms;
> allow dpkg_script_t self:msgq create_msgq_perms;
> allow dpkg_script_t self:msg { send receive };
> +allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
> +allow dpkg_script_t self:udp_socket create_socket_perms;
>
> allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
>
> @@ -231,8 +227,10 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s
> kernel_read_kernel_sysctls(dpkg_script_t)
> kernel_read_system_state(dpkg_script_t)
>
> +auth_manage_shadow(dpkg_script_t)
> corecmd_exec_all_executables(dpkg_script_t)
>
> +dev_null_manage_service(dpkg_script_t)
> dev_list_sysfs(dpkg_script_t)
> # Use named file transition to fix this
> # dev_manage_generic_blk_files(dpkg_script_t)
> @@ -267,17 +265,26 @@ selinux_compute_access_vector(dpkg_scrip
> selinux_compute_create_context(dpkg_script_t)
> selinux_compute_relabel_context(dpkg_script_t)
> selinux_compute_user_contexts(dpkg_script_t)
> +selinux_read_policy(dpkg_script_t)
>
> storage_raw_read_fixed_disk(dpkg_script_t)
> storage_raw_write_fixed_disk(dpkg_script_t)
>
> term_use_all_terms(dpkg_script_t)
>
> -auth_dontaudit_getattr_shadow(dpkg_script_t)
> files_manage_non_auth_files(dpkg_script_t)
>
> init_all_labeled_script_domtrans(dpkg_script_t)
> +init_get_generic_units_status(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> +init_status(dpkg_script_t)
> +init_start_generic_units(dpkg_script_t)
> +init_stop_generic_units(dpkg_script_t)
> +init_reload(dpkg_script_t)
> +init_system_stop(dpkg_script_t)
> +init_telinit(dpkg_script_t)
> +initrc_manage_service(dpkg_script_t)
> +init_script_service_restart(dpkg_script_t)
>
> libs_exec_ld_so(dpkg_script_t)
> libs_exec_lib_files(dpkg_script_t)
> @@ -287,13 +294,20 @@ logging_send_syslog_msg(dpkg_script_t)
>
> miscfiles_read_localization(dpkg_script_t)
>
> -modutils_run_depmod(dpkg_script_t, dpkg_roles)
> -modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +optional_policy(`
> + dirmngr_service_manage(dpkg_script_t)
> +')
> +
> +optional_policy(`
> + modutils_run_depmod(dpkg_script_t, dpkg_roles)
> + modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +')

Please move down with the other dpkg_script_t optionals.


> seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
> seutil_run_setfiles(dpkg_script_t, dpkg_roles)
>
> userdom_use_all_users_fds(dpkg_script_t)
> +usermanage_domtrans_passwd(dpkg_script_t)
>
> tunable_policy(`allow_execmem',`
> allow dpkg_script_t self:process execmem;
> @@ -317,6 +331,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_logind_read_process_state(dpkg_script_t)
> + systemd_dbus_chat_logind(dpkg_script_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(dpkg_script_t)
> ')
>
> Index: refpolicy-2.20170214/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20170214/policy/modules/admin/bootloader.te
> @@ -149,6 +149,11 @@ ifdef(`distro_debian',`
> fstools_relabelto_entry_files(bootloader_t)
>
> libs_relabelto_lib_files(bootloader_t)
> +
> + # for apt-cache
> + dpkg_read_db(bootloader_t)
> + apt_read_db(bootloader_t)
> + apt_read_cache(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> Index: refpolicy-2.20170214/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20170214/policy/modules/admin/usermanage.te
> @@ -360,6 +360,12 @@ optional_policy(`
> nscd_run(passwd_t, passwd_roles)
> ')
>
> +optional_policy(`
> + # for dpkg to create users
> + permit_in_unconfined_r(passwd_t)
> + unconfined_use_fds(passwd_t)
> +')

I think what you're looking for is to replace the
usermanage_domtrans_passwd() with usermanage_run_passwd() with
dpkg_roles. That would fix the role association.


> ########################################
> #
> # Password admin local policy
> Index: refpolicy-2.20170214/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170214/policy/modules/system/init.if
> @@ -809,6 +809,42 @@ interface(`init_udp_send',`
>
> ########################################
> ## <summary>
> +## start service (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_system_start',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system start;
> +')
> +
> +########################################
> +## <summary>
> +## stop service (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_system_stop',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system stop;
> +')
> +
> +########################################
> +## <summary>
> ## Get all service status (systemd).
> ## </summary>
> ## <param name="domain">
> @@ -2514,3 +2550,57 @@ interface(`init_reload_all_units',`
>
> allow $1 systemdunit:service reload;
> ')
> +
> +########################################
> +## <summary>
> +## Start and stop init_script_file_type services
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain that can start and stop the services
> +## </summary>
> +## </param>
> +#
> +interface(`init_script_service_restart',`

init_restart_script_service()

> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + allow $1 init_script_file_type:service { start status stop };
> +')
> +
> +########################################
> +## <summary>
> +## Get the system status information from init
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_status',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system status;
> +')
> +
> +########################################
> +## <summary>
> +## Allow manage service for initrc_exec_t scripts
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Target domain
> +## </summary>
> +## </param>
> +#
> +interface(`initrc_manage_service',`
> + gen_require(`
> + type initrc_exec_t;

require class service { status start stop }; since that is a userspace
class.

> + ')
> +
> + allow $1 initrc_exec_t:service { start stop status };
> +')
> Index: refpolicy-2.20170214/policy/modules/system/userdomain.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/userdomain.te
> +++ refpolicy-2.20170214/policy/modules/system/userdomain.te
> @@ -70,6 +70,10 @@ attribute admindomain;
> # all user domains
> attribute userdomain;
>
> +ifdef(`distro_debian', `
> + dpkg_read_db(userdomain)
> +')

I think that putting this in the userdom_common_user_template() is
better, so that the base user template is kept thin.


> # unprivileged user domains
> attribute unpriv_userdomain;
>
> Index: refpolicy-2.20170214/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170214/policy/modules/kernel/devices.if
> @@ -3260,6 +3260,25 @@ interface(`dev_create_null_dev',`
>
> ########################################
> ## <summary>
> +## Manage services with script type null_device_t for when
> +## /lib/systemd/system/something.service is a link to /dev/null
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_null_manage_service',`

Yuck. More systemd mess. Should be named dev_manage_null_service().

> + gen_require(`
> + type null_device_t;

also require class service { status start stop reload }; since that is a
userspace class.

> + ')
> +
> + allow $1 null_device_t:service { status start stop reload };
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to get the attributes
> ## of the BIOS non-volatile RAM device.
> ## </summary>
> Index: refpolicy-2.20170214/policy/modules/contrib/dirmngr.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/contrib/dirmngr.if
> +++ refpolicy-2.20170214/policy/modules/contrib/dirmngr.if
> @@ -2,6 +2,25 @@
>
> ########################################
> ## <summary>
> +## Allow a domain to restart dirmngr
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`dirmngr_service_manage',`
> + gen_require(`
> + type dirmngr_initrc_exec_t;
> + ')
> +
> + allow $1 dirmngr_initrc_exec_t:service { status start stop };

Please leverage the init_startstop_service() interface to handle most of
this, which is intended to be init-agnostic.


> +')
> +
> +########################################
> +## <summary>
> ## All of the rules required to
> ## administrate an dirmngr environment.
> ## </summary>
> Index: refpolicy-2.20170214/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170214/policy/modules/system/systemd.if
> @@ -190,3 +190,22 @@ interface(`systemd_start_power_units',`
>
> allow $1 power_unit_t:service start;
> ')
> +
> +########################################
> +## <summary>
> +## Allow systemd_logind_t to read process state for cgroup file
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain systemd_logind_t may access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_logind_read_process_state',`

Should be named systemd_read_logind_state().


> + gen_require(`
> + type systemd_logind_t;
> + ')
> +
> + allow systemd_logind_t $1:dir list_dir_perms;
> + allow systemd_logind_t $1:file read_file_perms;
> +')
> Index: refpolicy-2.20170214/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170214/policy/modules/system/unconfined.if
> @@ -319,6 +319,23 @@ interface(`unconfined_run_to',`
>
> ########################################
> ## <summary>
> +## Allow the specified domain to be in the unconfined role
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to permit in unconfined_r
> +## </summary>
> +## </param>
> +#
> +interface(`permit_in_unconfined_r',`
> + gen_require(`
> + role unconfined_r;
> + ')
> + role unconfined_r types $1;
> +')
> +
> +########################################
> +## <summary>
> ## Inherit file descriptors from the unconfined domain.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170214/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170214/policy/modules/system/init.te
> @@ -277,7 +277,9 @@ ifdef(`init_systemd',`
>
> term_relabel_pty_dirs(init_t)
>
> - clock_read_adjtime(init_t)
> + optional_policy(`
> + clock_read_adjtime(init_t)
> + ')

This should be moved down in the ifdef block with the other init_t
optionals.

> logging_manage_pid_sockets(init_t)
> logging_send_audit_msgs(init_t)
> @@ -628,7 +630,9 @@ ifdef(`distro_gentoo',`
> files_mountpoint(initrc_state_t)
>
> # init scripts touch this
> - clock_dontaudit_write_adjtime(initrc_t)
> + optional_policy(`
> + clock_dontaudit_write_adjtime(initrc_t)
> + ')

Did you really intend to modify a Gentoo block?

--
Chris PeBenito

2017-02-16 02:34:47

by Russell Coker

Subject: [refpolicy] [PATCH] dpkg related patches

On Thu, 16 Feb 2017 11:08:13 AM Chris PeBenito wrote:
> > +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
> > +domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
>
> What are these files? I don't know dpkg, but this seems odd.

# ls -l /var/lib/dpkg/info/|grep rwx|head
-rwxr-xr-x. 1 root root 614 Nov 27 08:28 accountsservice.postrm
-rwxr-xr-x. 1 root root 184 Feb 7 2016 acl.postinst
-rwxr-xr-x. 1 root root 165 Feb 7 2016 acl.postrm
-rwxr-xr-x. 1 root root 2718 Sep 20 20:14 acpid.postinst
-rwxr-xr-x. 1 root root 1614 Sep 20 20:14 acpid.postrm
-rwxr-xr-x. 1 root root 1338 Sep 20 20:14 acpid.preinst
-rwxr-xr-x. 1 root root 382 Sep 20 20:14 acpid.prerm
-rwxr-xr-x. 1 root root 956 Sep 25 2015 acpi-fakekey.postinst
-rwxr-xr-x. 1 root root 781 Sep 25 2015 acpi-fakekey.postrm
-rwxr-xr-x. 1 root root 179 Sep 25 2015 acpi-fakekey.prerm

Most Debian packages ship with scripts that are run before or after
installation or removal. They are to run as dpkg_script_t.

> > -modutils_run_depmod(dpkg_script_t, dpkg_roles)
> > -modutils_run_insmod(dpkg_script_t, dpkg_roles)
> > +optional_policy(`
> > + dirmngr_service_manage(dpkg_script_t)
> > +')
> > +
> > +optional_policy(`
> > + modutils_run_depmod(dpkg_script_t, dpkg_roles)
> > + modutils_run_insmod(dpkg_script_t, dpkg_roles)
> > +')
>
> Please move down with the other dpkg_script_t optionals.

OK.

> > +optional_policy(`
> > + # for dpkg to create users
> > + permit_in_unconfined_r(passwd_t)
> > + unconfined_use_fds(passwd_t)
> > +')
>
> I think what you're looking for is to replace the
> usermanage_domtrans_passwd() with usermanage_run_passwd() with
> dpkg_roles. That would fix the role association.

OK.

> > +interface(`init_script_service_restart',`
>
> init_restart_script_service()

OK, but that means start and stop scripts won't necessarily be grouped when
sorting alphabetically.

> > +interface(`initrc_manage_service',`
> > + gen_require(`
> > + type initrc_exec_t;
>
> require class service { status start stop }; since that is a userspace
> class.

OK.

> > --- refpolicy-2.20170214.orig/policy/modules/system/userdomain.te
> > +++ refpolicy-2.20170214/policy/modules/system/userdomain.te
> > @@ -70,6 +70,10 @@ attribute admindomain;
> >
> > # all user domains
> > attribute userdomain;
> >
> > +ifdef(`distro_debian', `
> > + dpkg_read_db(userdomain)
> > +')
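Review bot: dpkg_read_db(userdomain) is called directly inside the ifdef(`distro_debian') block, with no optional_policy() around it; dpkg is a contrib module that may not be built, so the call should be wrapped the same way the patch wraps its modutils and dirmngr calls, e.g. `optional_policy(` dpkg_read_db(userdomain) ')`, wherever the rule ends up living.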
>
> I think that putting this in the userdom_common_user_template() is
> better, so that the base user template is kept thin.

OK.

> > +interface(`dev_null_manage_service',`
>
> Yuck. More systemd mess. Should be named dev_manage_null_service().

OK.

> > + gen_require(`
> > + type null_device_t;
>
> also require class service { status start stop reload }; since that is a
> userspace class.

OK.

> > +interface(`dirmngr_service_manage',`
> > + gen_require(`
> > + type dirmngr_initrc_exec_t;
> > + ')
> > +
> > + allow $1 dirmngr_initrc_exec_t:service { status start stop };
>
> Please leverage the init_startstop_service() interface to handle most of
> this which is intended to be init-agnostic.

I'll just drop that bit for now so we can get the rest merged.

> > +interface(`systemd_logind_read_process_state',`
>
> Should be named systemd_read_logind_state().

OK.

> >
> > - clock_read_adjtime(init_t)
> > + optional_policy(`
> > + clock_read_adjtime(init_t)
> > + ')
>
> This should be moved down in the ifdef block with the other init_t
> optionals.

OK.

> > # init scripts touch this
> >
> > - clock_dontaudit_write_adjtime(initrc_t)
> > + optional_policy(`
> > + clock_dontaudit_write_adjtime(initrc_t)
> > + ')
>
> Did you really intend to modify a Gentoo block?

OK, I'll revert that.

I'll send you a new patch soon.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
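As an added example, not part of the thread and not refpolicy's own code, this is what the fixes requested in the review above could look like gathered in one place; dirmngr_startstop_service is a hypothetical name, and the block assumes the passwd transition originates in dpkg_script_t, the init_startstop_service() parameter order (domain, role, service type, init script type), and $1_t as the template's domain.

```m4
# Added sketch of the changes requested in the review above; it is not the
# submitted patch and not refpolicy's own code. Assumptions: the passwd
# transition originates in dpkg_script_t (the maintainer-script domain),
# init_startstop_service() takes (domain, role, service type, init script
# type) as in refpolicy's init.if, and $1_t is the template's domain.

# policy/modules/contrib/dpkg.te: the run variant carries the role
# association, replacing permit_in_unconfined_r()/unconfined_use_fds().
optional_policy(`
	usermanage_run_passwd(dpkg_script_t, dpkg_roles)
')

# Grouped with the other dpkg_script_t optionals.
optional_policy(`
	modutils_run_depmod(dpkg_script_t, dpkg_roles)
	modutils_run_insmod(dpkg_script_t, dpkg_roles)
')

# policy/modules/contrib/dirmngr.if: init-agnostic form (hypothetical name)
# of the dropped dirmngr_service_manage(); the userspace class is required.
interface(`dirmngr_startstop_service',`
	gen_require(`
		type dirmngr_initrc_exec_t;
		class service { status start stop };
	')

	init_startstop_service($1, $2, dirmngr_initrc_exec_t, dirmngr_initrc_exec_t)
')

# policy/modules/kernel/devices.if: renamed per review, with the userspace
# class required; the allow rule is the assumed body of the interface.
interface(`dev_manage_null_service',`
	gen_require(`
		type null_device_t;
		class service { status start stop reload };
	')

	allow $1 null_device_t:service { status start stop reload };
')

# policy/modules/system/userdomain.if, inside userdom_common_user_template()
# instead of userdomain.te; dpkg is a contrib module, so the call is also
# wrapped in optional_policy().
ifdef(`distro_debian',`
	optional_policy(`
		dpkg_read_db($1_t)
	')
')
```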

2017-02-18 13:10:50

by Chris PeBenito

Subject: [refpolicy] [PATCH] dpkg related patches

On 02/15/17 21:34, Russell Coker wrote:
> On Thu, 16 Feb 2017 11:08:13 AM Chris PeBenito wrote:
>>> +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>>> +domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
>>
>> What are these files? I don't know dpkg, but this seems odd.
>
> # ls -l /var/lib/dpkg/info/|grep rwx|head
> -rwxr-xr-x. 1 root root 614 Nov 27 08:28 accountsservice.postrm
> -rwxr-xr-x. 1 root root 184 Feb 7 2016 acl.postinst
> -rwxr-xr-x. 1 root root 165 Feb 7 2016 acl.postrm
> -rwxr-xr-x. 1 root root 2718 Sep 20 20:14 acpid.postinst
> -rwxr-xr-x. 1 root root 1614 Sep 20 20:14 acpid.postrm
> -rwxr-xr-x. 1 root root 1338 Sep 20 20:14 acpid.preinst
> -rwxr-xr-x. 1 root root 382 Sep 20 20:14 acpid.prerm
> -rwxr-xr-x. 1 root root 956 Sep 25 2015 acpi-fakekey.postinst
> -rwxr-xr-x. 1 root root 781 Sep 25 2015 acpi-fakekey.postrm
> -rwxr-xr-x. 1 root root 179 Sep 25 2015 acpi-fakekey.prerm
>
> Most Debian packages ship with scripts that are run before or after
> installation or removal. They are to run as dpkg_script_t.

Wouldn't dpkg_script_exec_t or dpkg_helper_exec_t make more sense?

--
Chris PeBenito

2017-02-19 02:18:20

by Russell Coker

Subject: [refpolicy] [PATCH] dpkg related patches

On Sun, 19 Feb 2017 12:10:50 AM Chris PeBenito wrote:
> > Most Debian packages ship with scripts that are run before or after
> > installation or removal. They are to run as dpkg_script_t.
>
> Wouldn't dpkg_script_exec_t or dpkg_helper_exec_t make more sense?

The same directory also contains non-executable data files that are read by
other domains (such as user_t).

We could have labelling based on file extensions (like .postinst), but do we
really benefit from having yet another type?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-02-19 19:44:23

by Chris PeBenito

Subject: [refpolicy] [PATCH] dpkg related patches

On 02/18/17 21:18, Russell Coker wrote:
> On Sun, 19 Feb 2017 12:10:50 AM Chris PeBenito wrote:
>>> Most Debian packages ship with scripts that are run before or after
>>> installation or removal. They are to run as dpkg_script_t.
>>
>> Wouldn't dpkg_script_exec_t or dpkg_helper_exec_t make more sense?
>
> The same directory also contains non-executable data files that are read by
> other domains (such as user_t).
>
> We could have labelling based on file extensions (like .postinst), but do we
> really benefit from having yet another type?

If that's the case, then no.

--
Chris PeBenito