2017-11-08 03:04:15

by Sugar, David

Subject: [refpolicy] Refpolicy and gdm/gnome?

I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy and trying to start GDM/Gnome. While in permissive I'm seeing a bunch of denials related to xdm_t (enforcing the greeter never starts). I'm happy to go through and fix these things to get stuff working. I just want to make sure that before I begin adding additional rules to allow the items I'm seeing that I'm not just missing something (a boolean set incorrectly or a missing module or something else?). I was kind of assuming that this would just work but maybe that isn't the case.

Here are the denials I'm seeing. Any thoughts?

#============= colord_t ==============
allow colord_t systemd_sessions_var_run_t:file { getattr open read };
allow colord_t xdm_t:dir search;
allow colord_t xdm_t:file { getattr open read };

#============= init_t ==============
allow init_t xdm_t:dbus send_msg;

#============= initrc_t ==============
allow initrc_t xdm_t:dbus send_msg;
allow initrc_t xdm_t:process getsched;

#============= systemd_locale_t ==============
allow systemd_locale_t xdm_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t crond_t:dbus send_msg;
allow systemd_logind_t crond_t:dir search;
allow systemd_logind_t crond_t:file { getattr open read };
allow systemd_logind_t init_t:service stop;
allow systemd_logind_t init_var_run_t:service { start status };
allow systemd_logind_t tmpfs_t:dir { remove_name write };

#!!!! The file '/run/user/42' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/user/42
allow systemd_logind_t user_runtime_root_t:dir mounton;
allow systemd_logind_t user_tmpfs_t:dir { remove_name rmdir write };
allow systemd_logind_t user_tmpfs_t:file unlink;
allow systemd_logind_t xdm_tmpfs_t:dir { getattr open read remove_name rmdir write };
allow systemd_logind_t xdm_tmpfs_t:file unlink;
allow systemd_logind_t xdm_tmpfs_t:sock_file unlink;

#============= systemd_sessions_t ==============

#!!!! The file '/run/systemd/journal/socket' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/systemd/journal/socket
allow systemd_sessions_t kernel_t:unix_dgram_socket sendto;

#============= xdm_t ==============
allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
allow xdm_t init_t:dbus send_msg;
allow xdm_t init_t:system status;
allow xdm_t initrc_t:dbus send_msg;

#!!!! The file '/run/systemd/journal/stdout' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/systemd/journal/stdout
allow xdm_t kernel_t:unix_stream_socket connectto;
allow xdm_t self:capability net_admin;
allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
allow xdm_t self:netlink_selinux_socket { bind create };
allow xdm_t self:process setcap;
allow xdm_t sound_device_t:chr_file { ioctl open read write };
allow xdm_t staff_t:key { link search write };
allow xdm_t sysctl_crypto_t:dir search;
allow xdm_t sysctl_crypto_t:file { getattr open read };
allow xdm_t sysctl_vm_overcommit_t:file { open read };
allow xdm_t sysctl_vm_t:dir search;
allow xdm_t systemd_locale_t:dbus send_msg;
allow xdm_t systemd_logind_var_run_t:dir read;
allow xdm_t systemd_logind_var_run_t:fifo_file write;
allow xdm_t systemd_machined_var_run_t:dir read;
allow xdm_t systemd_sessions_var_run_t:dir { open read };
allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
allow xdm_t udev_var_run_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow xdm_t user_home_dir_t:dir create;
allow xdm_t user_home_dir_t:file { append create open read setattr write };
allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read };
allow xdm_t xdm_tmp_t:file execute;
allow xdm_t xkb_var_lib_t:dir search;
allow xdm_t xkb_var_lib_t:file { getattr open read };

#============= xserver_t ==============
allow xserver_t self:capability sys_ptrace;
allow xserver_t staff_t:file { open read };
allow xserver_t staff_t:lnk_file read;
allow xserver_t xdm_t:file { open read };
allow xserver_t xdm_t:lnk_file read;


Thanks,
Dave Sugar
dsugar at tresys.com


2017-11-08 14:28:51

by Guido Trentalancia

Subject: [refpolicy] Refpolicy and gdm/gnome?

Hello!

I am running gnome-shell (wm module) with both the original xdm from Xorg and with gdm from Gnome, but *without systemd*, and I have not experienced problems since long ago, when I submitted patches for the wm module.

Why don't you start trying out X without systemd and with the simpler xdm?

In my opinion systemd just adds unneeded complexity and requires non-trivial security permissions!

Regards,

Guido


2017-11-08 14:36:09

by Guido Trentalancia

Subject: [refpolicy] Refpolicy and gdm/gnome?

I forgot to add something... See below.

On the 8th of November 2017 04:04:15 CET, David Sugar via refpolicy <[email protected]> wrote:
>I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy and
>trying to start GDM/Gnome. While in permissive I'm seeing a bunch of
>denials related to xdm_t (enforcing the greeter never starts). I'm
>happy to go through and fix these things to get stuff working. I just
>want to make sure that before I begin adding additional rules to allow
>the items I'm seeing that I'm not just missing something (a boolean set
>incorrectly or a missing module or something else?). I was kind of
>assuming that this would just work but maybe that isn't the case.
>
>Here are the denials I'm seeing. Any thoughts?
>
>#============= colord_t ==============
>allow colord_t systemd_sessions_var_run_t:file { getattr open read };
>allow colord_t xdm_t:dir search;
>allow colord_t xdm_t:file { getattr open read };
>
>#============= init_t ==============
>allow init_t xdm_t:dbus send_msg;
>
>#============= initrc_t ==============
>allow initrc_t xdm_t:dbus send_msg;
>allow initrc_t xdm_t:process getsched;
>
>#============= systemd_locale_t ==============
>allow systemd_locale_t xdm_t:dbus send_msg;
>
>#============= systemd_logind_t ==============
>allow systemd_logind_t crond_t:dbus send_msg;
>allow systemd_logind_t crond_t:dir search;
>allow systemd_logind_t crond_t:file { getattr open read };
>allow systemd_logind_t init_t:service stop;
>allow systemd_logind_t init_var_run_t:service { start status };
>allow systemd_logind_t tmpfs_t:dir { remove_name write };
>
>#!!!! The file '/run/user/42' is mislabeled on your system.
>#!!!! Fix with $ restorecon -R -v /run/user/42

You should fix the above labels. As far as I know, systemd is supposed to relabel /run/user/, but eventually something didn't work on your system, so you should find another way to relabel, especially if as suggested you are going to run without systemd.


Regards,

Guido

2017-11-08 16:32:37

by Sugar, David

Subject: [refpolicy] Refpolicy and gdm/gnome?

It doesn't appear that anyone has the ability to remove systemd from CentOS (or RHEL/Fedora). So I think that is a non-starter. As much as I agree with you that systemd adds a lot of complexity, I'm in an environment where I am stuck with it. What distribution are you running?

I will begin working on policy for these denials and submit patches back to the list as I get things working.

Thanks,
Dave


2017-11-08 17:02:23

by Guido Trentalancia

Subject: [refpolicy] Refpolicy and gdm/gnome?

Hello again.

After looking a bit more closely at the permissions that you report (apart from those related to systemd, which I don't use), most of them don't look too suspicious.

So that is the good news; I just can't explain why xserver_t needs to read staff_t files, which might leak privileged data.

Considering that you are reporting more than one labeling error, although it's probably just a sort of systemd or distribution bug, I would recommend a full filesystem relabel before doing anything else...

The following ones are a bit odd:

allow xdm_t self:capability net_admin;

allow xdm_t staff_t:key { link search write };
allow xdm_t sysctl_crypto_t:dir search;
allow xdm_t sysctl_crypto_t:file { getattr open read };

allow xdm_t xdm_tmp_t:file execute;

You might want to try running the system without the above risky permissions (especially the last one). In the end, if I am running the system without them, there is a good chance you are able to do the same.



Regards,

Guido
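Before turning a list like the one above into policy, it helps to sort it mechanically the way this reply does by hand. The following is an added Python example, not code from the thread or from refpolicy: it parses audit2allow-style output (a constructed subset of the rules posted earlier, with the `#!!!!` hint lines audit2allow prints) and separates denials that call for a relabel or a boolean from grants that deserve review (capabilities, execute from a temp type, access to a user domain's objects). The risk heuristics and the USER_DOMAINS set are assumptions of this example.

```python
import re

# Constructed sample: a subset of the audit2allow output posted in the thread,
# kept with the "#!!!!" hint lines that audit2allow prints before a rule.
SAMPLE = """\
#============= systemd_logind_t ==============
allow systemd_logind_t tmpfs_t:dir { remove_name write };

#!!!! The file '/run/user/42' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/user/42
allow systemd_logind_t user_runtime_root_t:dir mounton;

#============= xdm_t ==============
allow xdm_t self:capability net_admin;
allow xdm_t staff_t:key { link search write };
allow xdm_t sysctl_crypto_t:file { getattr open read };
allow xdm_t xdm_tmp_t:file execute;
allow xdm_t xkb_var_lib_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow xdm_t user_home_dir_t:dir create;

#============= xserver_t ==============
allow xserver_t self:capability sys_ptrace;
allow xserver_t staff_t:file { open read };
"""

# allow <src> <tgt>:<class> { p1 p2 };   or   allow <src> <tgt>:<class> p;
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;$"
)
MISLABEL_RE = re.compile(r"^#!!!! The file '(?P<path>[^']+)' is mislabeled")
BOOL_RE = re.compile(r"^#!!!! .*boolean\s+'(?P<name>[^']+)'")

# Assumed set of refpolicy login-user domains whose objects a system daemon
# normally has no business touching (example assumption, not from the thread).
USER_DOMAINS = {"staff_t", "user_t", "sysadm_t"}


def parse_rules(text):
    """Parse allow rules; hint lines are attached to the rule that follows them."""
    rules = []
    pending = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISLABEL_RE.match(line)
        if m:
            pending["mislabel"] = m.group("path")
            continue
        m = BOOL_RE.match(line)
        if m:
            pending["boolean"] = m.group("name")
            continue
        if line.startswith("#"):
            continue  # section header or the "Fix with $ restorecon" line
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed line: " + line)
        perms = m.group("perms")
        perms = set(perms.split()) if perms is not None else {m.group("perm")}
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": perms, "text": line,
                      "mislabel": pending.get("mislabel"),
                      "boolean": pending.get("boolean")})
        pending = {}
    return rules


def classify(rule):
    """Review notes for one rule (assumed heuristics); empty means nothing stood out."""
    notes = []
    if rule["mislabel"]:
        notes.append("relabel first: restorecon -R -v %s (a rule would paper over "
                     "the mislabel)" % rule["mislabel"])
    if rule["boolean"]:
        notes.append("already covered by boolean '%s'; consider toggling it instead"
                     % rule["boolean"])
    if rule["cls"] in ("capability", "capability2"):
        notes.append("grants %s capability %s"
                     % (rule["src"], " ".join(sorted(rule["perms"]))))
    if "execute" in rule["perms"] and re.search(r"_tmp(fs)?_t$", rule["tgt"]):
        notes.append("lets %s execute files in a temporary location (%s)"
                     % (rule["src"], rule["tgt"]))
    if rule["tgt"] in USER_DOMAINS and rule["cls"] != "dbus":
        notes.append("%s reaches into a user domain's %s objects (%s)"
                     % (rule["src"], rule["cls"], " ".join(sorted(rule["perms"]))))
    return notes


def triage(text):
    """Return (flagged rules -> notes, rules with nothing flagged)."""
    flagged, plain = {}, []
    for rule in parse_rules(text):
        notes = classify(rule)
        if notes:
            flagged[rule["text"]] = notes
        else:
            plain.append(rule["text"])
    return flagged, plain


if __name__ == "__main__":
    flagged, plain = triage(SAMPLE)
    for text, notes in flagged.items():
        print(text)
        for note in notes:
            print("    -> " + note)
    print("%d rule(s) with nothing flagged" % len(plain))
```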

2017-11-08 17:12:20

by Guido Trentalancia

Subject: [refpolicy] Refpolicy and gdm/gnome?

However, if you really want to run without systemd, where there is a will there is a way: it's a matter of installing another init daemon such as sysvinit or upstart and rebuilding 4 or 5 other system packages such as udev, util-linux and gdm.

I don't have a full list of the packages, but for example you can figure out by trying to remove systemd (without --force) and rpm should tell, or otherwise you could search the whole system to see (ldd and grep) what packages are linked against systemd libraries.

I am not saying it is something which can be done in half an hour and without any pain, but surely, if I am writing, it can be done.

I hope it helps.

Regards,

Guido

Il 08 novembre 2017 17:32:37 CET, David Sugar via refpolicy <[email protected]> ha scritto:
>It doesn't appear that anyone has the ability to remove systemd form
>CentOS (or RHEL/Fedora). So I think that is a non-starter. As much as
>I agree with you that systemd adds a lot of complexity, I'm in an
>environment where I am stuck with it. What distribution are you
>running?
>
>I will begin working on policy for these denials and submit patches
>back to the list as I get things working.
>
>Thanks,
>Dave
>
>> -----Original Message-----
>> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
>> bounces at oss.tresys.com] On Behalf Of Guido Trentalancia via refpolicy
>> Sent: Wednesday, November 08, 2017 9:36 AM
>> To: refpolicy at oss.tresys.com
>> Subject: Re: [refpolicy] Refpolicy and gdm/gnome?
>>
>> I forgot to add something... See below.
>>
>> On the 8th of November 2017 04:04:15 CET, David Sugar via refpolicy
>> <[email protected]> wrote:
>> >I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy
>and
>> >trying to start GDM/Gnome. While in permissive I'm seeing a bunch
>of
>> >denials related to xdm_t (enforcing the greeter never starts). I'm
>> >happy to go through and fix these things to get stuff working. I
>just
>> >want to make sure that before I begin adding additional rules to
>allow
>> >the items I'm seeing that I'm not just missing something (a boolean
>set
>> >incorrectly or a missing module or something else?). I was kind of
>> >assuming that this would just work but maybe that isn't the case.
>> >
>> >Here are the denials I'm seeing. Any thoughts?
>> >
>> >#============= colord_t ==============
>> >allow colord_t systemd_sessions_var_run_t:file { getattr open read
>};
>> >allow colord_t xdm_t:dir search; allow colord_t xdm_t:file { getattr
>> >open read };
>> >
>> >#============= init_t ==============
>> >allow init_t xdm_t:dbus send_msg;
>> >
>> >#============= initrc_t ==============
>> >allow initrc_t xdm_t:dbus send_msg;
>> >allow initrc_t xdm_t:process getsched;
>> >
>> >#============= systemd_locale_t ============== allow
>systemd_locale_t
>> >xdm_t:dbus send_msg;
>> >
>> >#============= systemd_logind_t ============== allow
>systemd_logind_t
>> >crond_t:dbus send_msg; allow systemd_logind_t crond_t:dir search;
>allow
>> >systemd_logind_t crond_t:file { getattr open read }; allow
>> >systemd_logind_t init_t:service stop; allow systemd_logind_t
>> >init_var_run_t:service { start status }; allow systemd_logind_t
>> >tmpfs_t:dir { remove_name write };
>> >
>> >#!!!! The file '/run/user/42' is mislabeled on your system.
>> >#!!!! Fix with $ restorecon -R -v /run/user/42
>>
>> You should fix the above labels. As far as I know, systemd is
>supposed
>> to relabel /run/user/, but eventually something didn't work on your
>> system, so you should find another way to relabel, especially if as
>> suggested you are going to run without systemd.
>>
>> Regards,
>>
>> Guido
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy

2017-11-08 18:22:23

by Dac Override

Subject: [refpolicy] Refpolicy and gdm/gnome?

On Wed, Nov 08, 2017 at 06:02:23PM +0100, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> After looking a bit more closely to the permissions that you report (apart from those related to systemd that I don't use), most of them don't look too suspicious.
>
> So that is the good news, just I can't explain why xserver_t needs to read staff_t files, which might leak privileged data.

Probably an Xserver client (i.e. an application that uses Xserver) running in the staff_t domain. Xserver needs to read the state of Xserver clients.

>
> Considering that you are reporting more than one labeling error, although it's probably just a sort of systemd or distribution bug, I would recommend a full filesystem relabel before doing anything else...
>
> The following ones are a bit odd:
>
> allow xdm_t self:capability net_admin;
>
> allow xdm_t staff_t:key { link search write };
> allow xdm_t sysctl_crypto_t:dir search;
> allow xdm_t sysctl_crypto_t:file { getattr open read };
>
> allow xdm_t xdm_tmp_t:file execute;
>
> You might want to try running the system without the above risky permissions (especially the last one). At the end, if I am running the system without them, then there are good chances you are able to do the same.
>
>
> On the 8th of November 2017 17:32:37 CET, David Sugar via refpolicy <[email protected]> wrote:
> >It doesn't appear that anyone has the ability to remove systemd form
> >CentOS (or RHEL/Fedora). So I think that is a non-starter. As much as
> >I agree with you that systemd adds a lot of complexity, I'm in an
> >environment where I am stuck with it. What distribution are you
> >running?
> >
> >I will begin working on policy for these denials and submit patches
> >back to the list as I get things working.
> >
> >Thanks,
> >Dave
>
> Regards,
>
> Guido

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-11-08 20:33:52

by Guido Trentalancia

Subject: [refpolicy] Refpolicy and gdm/gnome?

In order of importance (and, to some degree, decreasing safety), the permissions are probably as follows:

#============= init_t ==============
allow init_t xdm_t:dbus send_msg;

#============= initrc_t ==============
allow initrc_t xdm_t:dbus send_msg;
allow initrc_t xdm_t:process getsched;

plus the systemd ones, plus the following ones:

#============= xdm_t ==============
allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read };
allow xdm_t xkb_var_lib_t:dir search;
allow xdm_t xkb_var_lib_t:file { getattr open read };
allow xdm_t init_t:dbus send_msg;
allow xdm_t init_t:system status;
allow xdm_t initrc_t:dbus send_msg;

allow xdm_t self:process setcap;
allow xdm_t sound_device_t:chr_file { ioctl open read write };

allow xdm_t systemd_locale_t:dbus send_msg;
allow xdm_t systemd_logind_var_run_t:dir read;
allow xdm_t systemd_logind_var_run_t:fifo_file write;
allow xdm_t systemd_machined_var_run_t:dir read;
allow xdm_t systemd_sessions_var_run_t:dir { open read };
allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
allow xdm_t udev_var_run_t:file { getattr open read };

#============= xserver_t ==============
allow xserver_t xdm_t:file { open read };
allow xserver_t xdm_t:lnk_file read;

Then, at the second position, we probably have:

#============= xdm_t ==============
allow xdm_t kernel_t:unix_stream_socket connectto;
allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
allow xdm_t self:netlink_selinux_socket { bind create };

Then, at the third position:

#============= colord_t ==============
allow colord_t systemd_sessions_var_run_t:file { getattr open read };
allow colord_t xdm_t:dir search;
allow colord_t xdm_t:file { getattr open read };

#============= xdm_t ==============
allow xdm_t sysctl_vm_overcommit_t:file { open read };
allow xdm_t sysctl_vm_t:dir search;

At the fourth position, we probably have the following permissions (if it hasn't started yet):

#============= xdm_t ==============
allow xdm_t sysctl_crypto_t:dir search;
allow xdm_t sysctl_crypto_t:file { getattr open read };

At the fifth position, we probably have (increasingly dangerous):

#============= xdm_t ==============
allow xdm_t staff_t:key { link search write };

#============= xserver_t ==============
allow xserver_t self:capability sys_ptrace;
allow xserver_t staff_t:file { open read };
allow xserver_t staff_t:lnk_file read;

The remaining ones are probably just dangerous and risky (commented out), in particular the following two:

#============= xdm_t ==============
#allow xdm_t xdm_tmp_t:file execute;
#allow xdm_t self:capability net_admin;
#allow xdm_t user_home_dir_t:dir create;
#allow xdm_t user_home_dir_t:file { append create open read setattr write };

#============= xserver_t ==============
#allow xserver_t staff_t:file { open read };
#allow xserver_t staff_t:lnk_file read;

So, after relabeling, I suggest you start implementing supplemental policy from the top of the list and stop as soon as you achieve the desired (or minimum) level of functionality.

I hope it helps.

Regards,

Guido

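Guido's ranking above sorts the pasted rules by how dangerous each one is and puts the relabeling first. The following is an added example, not code from this thread or from refpolicy, of doing that triage mechanically: it parses audit2allow output, including rules a mail client has re-wrapped across lines and the `#!!!!` hints about mislabeled files and booleans, and sorts the rules into risk buckets so that `restorecon` runs first and the execute, capability and cross-domain rules are reviewed last. The bucket names, the classification heuristics and the sample excerpt are this example's own choices; it assumes each `#!!!!` hint sits on a single line.

```python
"""Triage audit2allow output before any of it becomes policy (added example)."""
import re
from dataclasses import dataclass

# One 'allow' statement with its trailing ';' already removed.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))$"
)
MISLABEL_RE = re.compile(r"#!!!!\s+The file '([^']+)' is mislabeled")
BOOLEAN_RE = re.compile(r"#!!!!\s+This avc can be allowed using the boolean '([^']+)'")

# Heuristic tables: this example's own choices, not anything refpolicy defines.
DANGEROUS_CAPS = {"net_admin", "sys_admin", "sys_ptrace", "sys_module",
                  "dac_override", "dac_read_search", "setuid", "setgid", "sys_rawio"}
USER_DOMAINS = {"staff_t", "user_t", "sysadm_t", "unconfined_t"}   # interactive users
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "link", "remove_name", "add_name"}
BUCKETS = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    tclass: str
    perms: frozenset

    def text(self):
        return f"allow {self.source} {self.target}:{self.tclass} {{ {' '.join(sorted(self.perms))} }};"


@dataclass
class Triage:
    rules: list
    mislabeled: list   # paths audit2allow says to restorecon before anything else
    booleans: list     # booleans that would already cover some of the denials


def parse_audit2allow(text):
    """Parse audit2allow output; rules wrapped across lines by a mail client are rejoined."""
    mislabeled, booleans, code = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if (m := MISLABEL_RE.search(line)):
                mislabeled.append(m.group(1))
            elif (m := BOOLEAN_RE.search(line)):
                booleans.append(m.group(1))
            continue   # section banners such as '#===== xdm_t =====' carry no rule
        code.append(line)
    rules = []
    for stmt in " ".join(code).split(";"):   # every rule ends in ';'
        stmt = " ".join(stmt.split())        # collapse the wrapping whitespace
        if not stmt:
            continue
        m = RULE_RE.match(stmt)
        if not m:
            raise ValueError(f"unrecognised statement: {stmt!r}")
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        rules.append(Rule(m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return Triage(rules, mislabeled, booleans)


def risk(rule):
    """Heuristic bucket: what a reviewer would refuse first if the rule were merged."""
    tgt, cls, perms = rule.target, rule.tclass, rule.perms
    if cls == "capability" and perms & DANGEROUS_CAPS:
        return "critical"            # escapes the domain's own confinement
    if cls == "file" and "execute" in perms and re.search(r"_tmp(fs)?_t$", tgt):
        return "critical"            # running code out of a writable temp directory
    if tgt in USER_DOMAINS:          # a service touching a user's keyring/files
        return "critical" if perms & WRITE_PERMS else "high"
    if tgt.startswith("user_home"):
        return "high" if perms & WRITE_PERMS else "medium"
    if tgt == "kernel_t" or cls.startswith("netlink_") or tgt.startswith("sysctl_"):
        return "medium"
    return "low"                     # dbus chatter, reading run-time state, etc.


def bucket_rules(rules):
    out = {b: [] for b in BUCKETS}
    for r in rules:
        out[risk(r)].append(r)
    return out


def plan(triage):
    """Ordered to-do list: fix labels, check booleans, then review rules by bucket."""
    steps = [f"restorecon -R -v {p}" for p in triage.mislabeled]
    steps += [f"check boolean {b} before writing a rule" for b in triage.booleans]
    buckets = bucket_rules(triage.rules)
    for b in reversed(BUCKETS):      # least risky first, as the thread recommends
        steps += [f"[{b}] {r.text()}" for r in buckets[b]]
    return steps


# Constructed excerpt of the denials pasted in the thread (one rule deliberately wrapped).
SAMPLE = """\
#============= systemd_logind_t ==============
#!!!! The file '/run/user/42' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/user/42
allow systemd_logind_t user_runtime_root_t:dir mounton;
allow systemd_logind_t xdm_tmpfs_t:dir { getattr open read remove_name
rmdir write };

#============= xdm_t ==============
allow xdm_t init_t:dbus send_msg; allow xdm_t self:capability net_admin;
allow xdm_t kernel_t:unix_stream_socket connectto;
allow xdm_t staff_t:key { link search write };
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow xdm_t user_home_dir_t:file { append create open read setattr write };
allow xdm_t xdm_tmp_t:file execute;

#============= xserver_t ==============
allow xserver_t self:capability sys_ptrace;
allow xserver_t staff_t:file { open read };
"""

if __name__ == "__main__":
    for step in plan(parse_audit2allow(SAMPLE)):
        print(step)
```

Feed it the real `audit2allow -a` output instead of `SAMPLE`; the buckets are only a starting point for the review, and anything in the critical bucket should be treated as a bug in the labeling or the application rather than as a rule to add.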

2017-11-10 15:04:56

by Sugar, David

Subject: [refpolicy] Refpolicy and gdm/gnome?

I'm slowly working my way through this stuff. For the transitions for wm_exec_t and dbusd_exec_t I used the wm_role_template and dbus_role_template which deal with the transitions but lead to other denials (due to the newly created types).

One of the issues with files not being labeled properly is /run/user/<userid> which is created by systemd-logind. systemd-logind is mounting a tmpfs for each user as they login (and removing at logout). But this is getting the type tmpfs_t rather than user_runtime_t (thus the complaint about running restorecon). Anyway, the following seems to work, but is this the correct way? Is there something else that controls the label of this mount point?

I will submit this as a formal patch. I'm sure the name of the new interface 'userdom_user_run_filetrans_user_runtime' needs to be changed. I'm open to suggestions of what might be correct.

The complaint I'm getting is this:
!!!! The file '/run/user/42' is mislabeled on your system.
!!!! Fix with $ restorecon -R -v /run/user/42
allow systemd_logind_t user_runtime_root_t:dir mounton;

The patch to resolve is this:
---
policy/modules/system/systemd.te | 1 +
policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2d0393a3..1498ca32 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -448,6 +448,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
userdom_delete_user_runtime_files(systemd_logind_t)
+userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
userdom_use_user_ttys(systemd_logind_t)

optional_policy(`
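Review bot: the added `+userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)` call passes no name argument, so through the second hunk's `fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)` every directory systemd_logind_t creates on any tmpfs_t filesystem becomes user_runtime_t, not only the per-user mount under /run/user; the root of a freshly mounted tmpfs has no name component, so a name-based transition cannot narrow this, and the commit message should say that the breadth is intended and why the `userdom_relabelfrom_user_runtime_dirs`/`userdom_relabelto_user_runtime_dirs` permissions visible in the context lines are not sufficient on their own. Style: the block is kept alphabetically sorted and `userdom_use_user_ttys` sorts before `userdom_user_...`, so the new line belongs after it rather than before.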
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 49eff3a6..e5fa98fa 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3231,6 +3231,36 @@ interface(`userdom_user_runtime_root_filetrans_user_runtime',`

########################################
## <summary>
+## Create objects in the user runtime root
+## directory with an automatic type transition
+## to the user runtime dir type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_run_filetrans_user_runtime',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read and write user tmpfs files.
## </summary>
## <param name="domain">
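Review bot: the summary on the `+## Create objects in the user runtime root` and `+## directory with an automatic type transition` lines documents a transition inside the user runtime root directory, but the body calls `fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)`, which applies to objects created on any tmpfs_t filesystem, while the runtime-root case is already covered by `userdom_user_runtime_root_filetrans_user_runtime` named in the hunk header. Both the summary and the interface name should say tmpfs (something like `userdom_tmpfs_filetrans_user_runtime`, following the `userdom_*_filetrans_user_runtime` pattern of its neighbour) so that callers picking an interface by name do not confuse the two; the author already flags the name as provisional.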
--
2.13.6



2017-11-10 15:27:19

by Dac Override

Subject: [refpolicy] Refpolicy and gdm/gnome?

On Fri, Nov 10, 2017 at 03:04:56PM +0000, David Sugar via refpolicy wrote:
> I'm slowly working my way through this stuff. For the transitions for wm_exec_t and dbusd_exec_t I used the wm_role_template and dbus_role_template which deal with the transitions but lead to other denials (due to the newly created types).
>
> One of the issues with files not being labeled properly is /run/user/<userid> which is created by systemd-logind. systemd-logind is mounting a tmpfs for each user as they login (and removing at logout). But this is getting the type tmpfs_t rather than user_runtime_t (thus the complaint about running restorecon). Anyway, the following seems to work, but is this the correct way? Is there something else that controls the label of this mount point?

If I recall correctly, Nicolas Iooss indicated that he fixed that logind labeling issue in systemd (I might be wrong, and/or you might still be using a systemd/logind without that fix), but to effectively use this you still probably want to use the %{USERID} libsemanage functionality to specify contexts for user runtime dirs, and that might also not be available.

Example:
/run/user/%{USERID} -d system_u:object_r:user_runtime_t:s0

Point is that logind should create these user runtime dirs with the context that is generated by genhomedircon for that particular user's runtime dir, I believe.

>
> I will submit this as a formal patch. I'm sure the name of the new interface 'userdom_user_run_filetrans_user_runtime' needs to be changed. I'm open to suggestions of what might be correct.
>
> The complaint I'm getting is this:
> !!!! The file '/run/user/42' is mislabeled on your system.
> !!!! Fix with $ restorecon -R -v /run/user/42
> allow systemd_logind_t user_runtime_root_t:dir mounton;
>
> The patch to resolve is this:
> ---
> policy/modules/system/systemd.te | 1 +
> policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++
> 2 files changed, 31 insertions(+)
>
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 2d0393a3..1498ca32 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -448,6 +448,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
> userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> userdom_setattr_user_ttys(systemd_logind_t)
> userdom_delete_user_runtime_files(systemd_logind_t)
> +userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
> userdom_use_user_ttys(systemd_logind_t)
>
> optional_policy(`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 49eff3a6..e5fa98fa 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -3231,6 +3231,36 @@ interface(`userdom_user_runtime_root_filetrans_user_runtime',`
>
> ########################################
> ## <summary>
> +## Create objects in the user runtime root
> +## directory with an automatic type transition
> +## to the user runtime dir type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The class of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_user_run_filetrans_user_runtime',`
> + gen_require(`
> + type user_runtime_t;
> + ')
> +
> + fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Read and write user tmpfs files.
> ## </summary>
> ## <param name="domain">
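Review bot: the summary "Create objects in the user runtime root directory with an automatic type transition" does not match the body, `fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)`, whose parent type is tmpfs_t (the root of the tmpfs that logind mounts), not user_runtime_root_t; as written it also repeats the description of `userdom_user_runtime_root_filetrans_user_runtime` directly above, so reword it along the lines of "Create objects in a tmpfs with an automatic type transition to the user runtime dir type." A smaller point: the hunk inserts after the existing `########` and `## <summary>` context lines, so those two lines now head the new interface and the added `+########` / `+## <summary>` pair heads "Read and write user tmpfs files"; the net text is identical, but inserting the whole new block, header included, before the original `########` line keeps each interface with its own header in the diff.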
> --
> 2.13.6
>
>
> ________________________________________
> From: refpolicy-bounces at oss.tresys.com <[email protected]> on behalf of Guido Trentalancia via refpolicy <[email protected]>
> Sent: Wednesday, November 8, 2017 3:33:52 PM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Refpolicy and gdm/gnome?
>
> In order of importance (and, to some degree, decreasing safety), the permissions are probably as follows:
>
> #============= init_t ==============
> allow init_t xdm_t:dbus send_msg;
>
> #============= initrc_t ==============
> allow initrc_t xdm_t:dbus send_msg;
> allow initrc_t xdm_t:process getsched;
>
> plus the systemd ones, plus the following ones:
>
> #============= xdm_t ==============
> allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
> allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read };
> allow xdm_t xkb_var_lib_t:dir search;
> allow xdm_t xkb_var_lib_t:file { getattr open read };
> allow xdm_t init_t:dbus send_msg;
> allow xdm_t init_t:system status;
> allow xdm_t initrc_t:dbus send_msg;
>
> allow xdm_t self:process setcap;
> allow xdm_t sound_device_t:chr_file { ioctl open read write };
>
> allow xdm_t systemd_locale_t:dbus send_msg;
> allow xdm_t systemd_logind_var_run_t:dir read;
> allow xdm_t systemd_logind_var_run_t:fifo_file write;
> allow xdm_t systemd_machined_var_run_t:dir read;
> allow xdm_t systemd_sessions_var_run_t:dir { open read };
> allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
> allow xdm_t udev_var_run_t:file { getattr open read };
>
> #============= xserver_t ==============
> allow xserver_t xdm_t:file { open read };
> allow xserver_t xdm_t:lnk_file read;
>
> Then, at the second position, we probably have:
>
> #============= xdm_t ==============
> allow xdm_t kernel_t:unix_stream_socket connectto;
> allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
> allow xdm_t self:netlink_selinux_socket { bind create };
>
> Then, at the third position:
>
> #============= colord_t ==============
> allow colord_t systemd_sessions_var_run_t:file { getattr open read };
> allow colord_t xdm_t:dir search;
> allow colord_t xdm_t:file { getattr open read };
>
> #============= xdm_t ==============
> allow xdm_t sysctl_vm_overcommit_t:file { open read };
> allow xdm_t sysctl_vm_t:dir search;
>
> At the fourth position, we probably have the following permissions (if it hasn't started yet):
>
> #============= xdm_t ==============
> allow xdm_t sysctl_crypto_t:dir search;
> allow xdm_t sysctl_crypto_t:file { getattr open read };
>
> At the fifth position, we probably have (increasingly dangerous):
>
> #============= xdm_t ==============
> allow xdm_t staff_t:key { link search write };
>
> #============= xserver_t ==============
> allow xserver_t self:capability sys_ptrace;
> allow xserver_t staff_t:file { open read };
> allow xserver_t staff_t:lnk_file read;
>
> The remaining ones are probably just dangerous and risky (commented out), in particular the following two:
>
> #============= xdm_t ==============
> #allow xdm_t xdm_tmp_t:file execute;
> #allow xdm_t self:capability net_admin;
> #allow xdm_t user_home_dir_t:dir create;
> #allow xdm_t user_home_dir_t:file { append create open read setattr write };
>
> #============= xserver_t ==============
> #allow xserver_t staff_t:file { open read };
> #allow xserver_t staff_t:lnk_file read;
>
> So, after relabeling, I suggest you start implementing supplemental policy from the top of the list and stop as soon as you achieve the desired (or minimum) level of functionality.
>
> I hope it helps.
>
> Regards,
>
> Guido
>
> On the 8th of November 2017 04:04:15 CET, David Sugar via refpolicy <[email protected]> wrote:
> >I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy and
> >trying to start GDM/Gnome. While in permissive I'm seeing a bunch of
> >denials related to xdm_t (enforcing the greeter never starts). I'm
> >happy to go through and fix these things to get stuff working. I just
> >want to make sure that before I begin adding additional rules to allow
> >the items I'm seeing that I'm not just missing something (a boolean set
> >incorrectly or a missing module or something else?). I was kind of
> >assuming that this would just work but maybe that isn't the case.
> >
> >Here are the denials I'm seeing. Any thoughts?
> >
> >#============= colord_t ==============
> >allow colord_t systemd_sessions_var_run_t:file { getattr open read };
> >allow colord_t xdm_t:dir search;
> >allow colord_t xdm_t:file { getattr open read };
> >
> >#============= init_t ==============
> >allow init_t xdm_t:dbus send_msg;
> >
> >#============= initrc_t ==============
> >allow initrc_t xdm_t:dbus send_msg;
> >allow initrc_t xdm_t:process getsched;
> >
> >#============= systemd_locale_t ==============
> >allow systemd_locale_t xdm_t:dbus send_msg;
> >
> >#============= systemd_logind_t ==============
> >allow systemd_logind_t crond_t:dbus send_msg;
> >allow systemd_logind_t crond_t:dir search;
> >allow systemd_logind_t crond_t:file { getattr open read };
> >allow systemd_logind_t init_t:service stop;
> >allow systemd_logind_t init_var_run_t:service { start status };
> >allow systemd_logind_t tmpfs_t:dir { remove_name write };
> >
> >#!!!! The file '/run/user/42' is mislabeled on your system.
> >#!!!! Fix with $ restorecon -R -v /run/user/42
> >allow systemd_logind_t user_runtime_root_t:dir mounton;
> >allow systemd_logind_t user_tmpfs_t:dir { remove_name rmdir write };
> >allow systemd_logind_t user_tmpfs_t:file unlink;
> >allow systemd_logind_t xdm_tmpfs_t:dir { getattr open read remove_name
> >rmdir write };
> >allow systemd_logind_t xdm_tmpfs_t:file unlink;
> >allow systemd_logind_t xdm_tmpfs_t:sock_file unlink;
> >
> >#============= systemd_sessions_t ==============
> >
> >#!!!! The file '/run/systemd/journal/socket' is mislabeled on your
> >system.
> >#!!!! Fix with $ restorecon -R -v /run/systemd/journal/socket
> >allow systemd_sessions_t kernel_t:unix_dgram_socket sendto;
> >
> >#============= xdm_t ==============
> >allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
> >allow xdm_t init_t:dbus send_msg;
> >allow xdm_t init_t:system status;
> >allow xdm_t initrc_t:dbus send_msg;
> >
> >#!!!! The file '/run/systemd/journal/stdout' is mislabeled on your
> >system.
> >#!!!! Fix with $ restorecon -R -v /run/systemd/journal/stdout
> >allow xdm_t kernel_t:unix_stream_socket connectto;
> >allow xdm_t self:capability net_admin;
> >allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr
> >read setopt };
> >allow xdm_t self:netlink_selinux_socket { bind create };
> >allow xdm_t self:process setcap;
> >allow xdm_t sound_device_t:chr_file { ioctl open read write };
> >allow xdm_t staff_t:key { link search write };
> >allow xdm_t sysctl_crypto_t:dir search;
> >allow xdm_t sysctl_crypto_t:file { getattr open read };
> >allow xdm_t sysctl_vm_overcommit_t:file { open read };
> >allow xdm_t sysctl_vm_t:dir search;
> >allow xdm_t systemd_locale_t:dbus send_msg;
> >allow xdm_t systemd_logind_var_run_t:dir read;
> >allow xdm_t systemd_logind_var_run_t:fifo_file write;
> >allow xdm_t systemd_machined_var_run_t:dir read;
> >allow xdm_t systemd_sessions_var_run_t:dir { open read };
> >allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
> >allow xdm_t udev_var_run_t:file { getattr open read };
> >
> >#!!!! This avc can be allowed using the boolean
> >'allow_polyinstantiation'
> >allow xdm_t user_home_dir_t:dir create;
> >allow xdm_t user_home_dir_t:file { append create open read setattr
> >write };
> >allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read
> >};
> >allow xdm_t xdm_tmp_t:file execute;
> >allow xdm_t xkb_var_lib_t:dir search;
> >allow xdm_t xkb_var_lib_t:file { getattr open read };
> >
> >#============= xserver_t ==============
> >allow xserver_t self:capability sys_ptrace;
> >allow xserver_t staff_t:file { open read };
> >allow xserver_t staff_t:lnk_file read;
> >allow xserver_t xdm_t:file { open read };
> >allow xserver_t xdm_t:lnk_file read;
> >
> >
> >Thanks,
> >Dave Sugar
> >dsugar at tresys.com
> >_______________________________________________
> >refpolicy mailing list
> >refpolicy at oss.tresys.com
> >http://oss.tresys.com/mailman/listinfo/refpolicy
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-11-10 15:57:46

by Sugar, David

[permalink] [raw]
Subject: [refpolicy] Refpolicy and gdm/gnome?



> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
> bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Friday, November 10, 2017 10:27 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Refpolicy and gdm/gnome?
>
> On Fri, Nov 10, 2017 at 03:04:56PM +0000, David Sugar via refpolicy
> wrote:
> > I'm slowly working my way through this stuff. For the transitions for
> wm_exec_t and dbusd_exec_t I used the wm_role_template and
> dbus_role_template which deal with the transitions but lead to other
> denials (due to the newly created types).
> >
> > One of the issues with files not being labeled properly is
> /run/user/<userid> which is created by systemd-logind. systemd-logind
> is mounting a tmpfs for each user as they login (and removing at
> logout). But this is getting the type tmpfs_t rather than
> user_runtime_t (thus the complaint about running restorecon). Anyway,
> the following seems to work, but is this the correct way? Is there
> something else that controls the label of this mount point?
>
> If I recall correctly, Nicolas Iooss indicated that he fixed that logind
> labeling issue in systemd (I might be wrong and/or you might still be
> using a systemd/logind without that fix), but to effectively use this
> you still probably want to use the %{USERID} libsemanage functionality
> to specify contexts for user runtime dirs, and that might also not be
> available.
>
> Example:
> /run/user/%{USERID} -d system_u:object_r:user_runtime_t:s0
>
> Point is that logind should create these user runtime dirs with the
> context that is generated by genhomedircon for that particular user's
> runtime dir, I believe.

You have a good memory. I looked through the systemd git repo and indeed Nicolas Iooss made a change that claims to fix this problem (in February 2016). It appears to be in systemd v229. Unfortunately RHEL/CentOS is still distributing systemd v219 and, even though they are backporting some patches, this doesn't appear to be one of them (though I have not actually reviewed the source, just the changelog).


> > I will submit this as a formal patch. I'm sure the name of the new
> interface 'userdom_user_run_filetrans_user_runtime' needs to be changed.
> I'm open to suggestions of what might be correct.
> >
> > The complaint I'm getting is this:
> > !!!! The file '/run/user/42' is mislabeled on your system.
> > !!!! Fix with $ restorecon -R -v /run/user/42
> > allow systemd_logind_t user_runtime_root_t:dir mounton;
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
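As an added example that is not part of the thread, refpolicy or libsemanage, the Python below models the `%{USERID}` mechanism Dominick refers to and the mislabeled `/run/user/42` David reports: a file_contexts template line such as `/run/user/%{USERID} -d system_u:object_r:user_runtime_t:s0` is expanded into one concrete entry per account, the way genhomedircon produces per-user entries, and a path lookup then shows which context `/run/user/42` resolves to depending on whether uid 42 was expanded and on the object type. The base entries, the second template line, the set of uids and the longest-literal-prefix matching rule are assumptions made for the illustration; they approximate the ordering fc_sort imposes on compiled file_contexts rather than reproduce libselinux.

```python
"""Model of %{USERID} file_contexts expansion and path lookup.

Added example for illustration; it is not refpolicy, libsemanage or
libselinux code. Entries, uids and the matching rule are assumptions.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional


class FcEntry(NamedTuple):
    regex: str            # anchored path regex, as written in file_contexts
    ftype: Optional[str]  # "-d", "--", "-s", ... or None for any object type
    context: str          # user:role:type:level


# Constructed base fragment for the illustration (assumed, not copied from refpolicy).
BASE_FC = """
/run(/.*)?        system_u:object_r:var_run_t:s0
/run/user   -d    system_u:object_r:user_runtime_root_t:s0
"""

# Template: the first line is the one quoted in the reply; the second is an
# assumed companion line for objects created beneath the per-user directory.
USERID_TEMPLATE = """
/run/user/%{USERID}      -d    system_u:object_r:user_runtime_t:s0
/run/user/%{USERID}/.*         system_u:object_r:user_runtime_t:s0
"""

FTYPES = {"-d", "--", "-l", "-s", "-p", "-c", "-b"}
_LITERAL_PREFIX = re.compile(r"[^.*?+()\[\]|\\^$]*")  # text before first regex metachar


def parse_fc(text: str) -> list[FcEntry]:
    """Parse 'regex [ftype] context' lines; blank lines and '#' comments are skipped."""
    entries: list[FcEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3 and parts[1] in FTYPES:
            entries.append(FcEntry(parts[0], parts[1], parts[2]))
        elif len(parts) == 2:
            entries.append(FcEntry(parts[0], None, parts[1]))
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
    return entries


def expand_userid(template: list[FcEntry], uids: list[int]) -> list[FcEntry]:
    """genhomedircon-style expansion: one concrete entry per template line per uid.

    Assumption: the real tool also substitutes HOME_DIR/ROLE/USER and decides
    which accounts qualify; only the %{USERID} substitution is modelled here.
    """
    return [e._replace(regex=e.regex.replace("%{USERID}", str(uid)))
            for uid in uids for e in template]


def lookup(entries: list[FcEntry], path: str, ftype: Optional[str] = None) -> Optional[str]:
    """Return the context of the most specific matching entry, or None.

    Assumption: 'most specific' means the longest literal prefix before the first
    regex metacharacter, a later entry winning ties. This approximates the order
    fc_sort imposes on compiled file_contexts; it does not reproduce libselinux.
    """
    best: Optional[FcEntry] = None
    best_stem = -1
    for e in entries:
        if e.ftype is not None and ftype is not None and e.ftype != ftype:
            continue                      # object-type field excludes this entry
        if re.fullmatch(e.regex, path) is None:
            continue                      # file_contexts regexes are anchored
        stem = len(_LITERAL_PREFIX.match(e.regex).group(0))
        if stem >= best_stem:
            best, best_stem = e, stem
    return best.context if best else None


def resolve(path: str, ftype: Optional[str], expanded_uids: list[int]) -> Optional[str]:
    """Context a path receives given which uids genhomedircon expanded."""
    entries = parse_fc(BASE_FC) + expand_userid(parse_fc(USERID_TEMPLATE), expanded_uids)
    return lookup(entries, path, ftype)


if __name__ == "__main__":
    # uid 42 is the gdm account from the denial in the thread; 1000 is an assumed user.
    probes = (("/run/user", "-d"), ("/run/user/42", "-d"), ("/run/user/42", "--"),
              ("/run/user/42/bus", "-s"), ("/run/user/1000", "-d"))
    for uids in ([42, 1000], [1000]):
        print(f"expanded uids {uids}:")
        for path, ftype in probes:
            print(f"  {path:18} {ftype}  -> {resolve(path, ftype, uids)}")
```

Run it directly to print the lookups for both uid sets. With uid 42 in the expanded set, `/run/user/42` as a directory resolves to `user_runtime_t` and objects beneath it follow; without it, the same directory falls through to the generic `var_run_t` entry, which is the situation Dominick's caveat about `%{USERID}` support "might also not be available" describes. The `--` probe for the same path shows why the object-type field matters: a `-d` entry never labels a regular file.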