2017-05-14 15:23:59

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 0/4] Miscellaneous fixes for systemd in strict mode

This patch series fixes a number of SELinux denials when booting systemd
in strict mode.

Krzysztof Nowicki (4):
Add policy for systemd GPT generator
Distinguish between systemd-tmpfiles runtime and static config
Add policy for systemd-networkd
Enable /etc directory protection using ProtectSystem

policy/modules/kernel/files.if | 19 +++++++++
policy/modules/system/init.if | 19 +++++++++
policy/modules/system/init.te | 4 ++
policy/modules/system/modutils.te | 4 +-
policy/modules/system/systemd.fc | 11 ++++-
policy/modules/system/systemd.if | 16 ++++----
policy/modules/system/systemd.te | 68 ++++++++++++++++++++++++++++++-
7 files changed, 129 insertions(+), 12 deletions(-)


2017-05-14 15:24:00

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 1/4] Add policy for systemd GPT generator

From: Krzysztof Nowicki <[email protected]>

---
policy/modules/system/systemd.fc | 3 +++
policy/modules/system/systemd.te | 16 ++++++++++++++++
2 files changed, 19 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index b32c006..7fa03ad 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -23,6 +23,9 @@
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)

+# Systemd generators
+/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_generator_gpt_exec_t,s0)
+
# Systemd unit files
/usr/lib/systemd/system/[^/]*halt.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/[^/]*hibernate.* -- gen_context(system_u:object_r:power_unit_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0a0b34b..7782528 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -48,6 +48,10 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
type systemd_binfmt_unit_t;
init_unit_file(systemd_binfmt_unit_t)

+type systemd_generator_gpt_t;
+type systemd_generator_gpt_exec_t;
+init_system_domain(systemd_generator_gpt_t, systemd_generator_gpt_exec_t)
+
type systemd_cgroups_t;
type systemd_cgroups_exec_t;
domain_type(systemd_cgroups_t)
@@ -194,6 +198,18 @@ files_read_etc_files(systemd_binfmt_t)

fs_register_binary_executable_type(systemd_binfmt_t)

+#######################################
+#
+# GPT auto generator local policy
+#
+
+systemd_log_parse_environment(systemd_generator_gpt_t)
+
+storage_raw_read_fixed_disk(systemd_generator_gpt_t)
+dev_read_sysfs(systemd_generator_gpt_t)
+files_read_etc_files(systemd_generator_gpt_t)
+fs_getattr_xattr_fs(systemd_generator_gpt_t)
+
######################################
#
# Cgroups local policy
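Review bot: `storage_raw_read_fixed_disk(systemd_generator_gpt_t)` grants read access to the raw contents of every fixed disk device, which sidesteps file-level labeling entirely, and nothing in the hunk says why a unit generator needs it. Since the reason (reading the GPT partition table off the root disk) is not obvious from the domain name, annotate the line: `# read GPT partition tables from the root disk (libblkid)`. `fs_getattr_xattr_fs` is presumably for the statfs/mountinfo checks the generator does on the root filesystem; a one-line why-comment there would also help, but confirm against the generator's actual behaviour before committing to it.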
--
2.10.2

2017-05-14 15:24:01

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 2/4] Distinguish between systemd-tmpfiles runtime and static config

From: Krzysztof Nowicki <[email protected]>

Label all static tmpfiles configuration under one type. Rename the type
used for runtime configuration to indicate its purpose.
---
policy/modules/system/modutils.te | 4 ++--
policy/modules/system/systemd.fc | 6 +++++-
policy/modules/system/systemd.if | 16 ++++++++--------
policy/modules/system/systemd.te | 6 +++++-
4 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1f7bdcd..28a4e01 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -27,7 +27,7 @@ ifdef(`init_systemd',`
type kmod_tmpfiles_conf_t;
typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t)
- systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
+ systemd_tmpfiles_runtime_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
')

########################################
@@ -118,7 +118,7 @@ ifdef(`init_systemd',`
# for /run/tmpfiles.d/kmod.conf
allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
# kmod needs to create /run/tmpdiles.d
- systemd_tmpfiles_creator(kmod_t)
+ systemd_tmpfiles_runtime_config_creator(kmod_t)

init_rw_stream_sockets(kmod_t)
')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 7fa03ad..82307e3 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -37,6 +37,10 @@
/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)

+# Systemd tmpfiles configuration
+/usr/lib/tmpfiles.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
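Review bot: `/usr/share/factory(/.*)?` is labeled as tmpfiles configuration, but as far as I know that tree holds the factory-default files (etc/, var/) that tmpfiles `C` lines copy into place, not configuration fragments, so the label is a misnomer; if that reading is right, either give it its own type or at least document the choice with `# copy source for tmpfiles.d C lines, not configuration`. Read-only access for systemd_tmpfiles_t is all both trees need, so the rules work either way, but anything later granted manage on `systemd_tmpfiles_conf_type` would also reach the factory defaults. /etc/tmpfiles.d is not touched here and keeps the generic etc_t label; that is presumably intended, but worth a comment next to the new lines.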
@@ -53,7 +57,7 @@
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)

-/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_runtime_conf_t,s0)
/run/tmpfiles\.d/.* <<none>>

/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 10f75de..a750063 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
## </summary>
## </param>
#
- interface(`systemd_tmpfiles_conf_file',`
+interface(`systemd_tmpfiles_conf_file',`
gen_require(`
attribute systemd_tmpfiles_conf_type;
')
@@ -418,13 +418,13 @@ interface(`systemd_start_power_units',`
## </summary>
## </param>
#
-interface(`systemd_tmpfiles_creator',`
+interface(`systemd_tmpfiles_runtime_config_creator',`
gen_require(`
- type systemd_tmpfiles_conf_t;
+ type systemd_tmpfiles_runtime_conf_t;
')

- files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
- allow $1 systemd_tmpfiles_conf_t:dir create;
+ files_pid_filetrans($1, systemd_tmpfiles_runtime_conf_t, dir, "tmpfiles.d")
+ allow $1 systemd_tmpfiles_runtime_conf_t:dir create;
')
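Review bot: `systemd_tmpfiles_creator` and `systemd_tmpfiles_conf_filetrans` are renamed outright, so any out-of-tree module still calling the old names stops building; refpolicy's convention is to keep the old interface as a deprecated wrapper that emits `refpolicywarn(`$0($*) has been deprecated, please use systemd_tmpfiles_runtime_config_creator() instead.')` and then calls the new interface with the same arguments. The new names are also inconsistent with each other (`_runtime_config_creator` versus `_runtime_conf_filetrans`) and with the type name `systemd_tmpfiles_runtime_conf_t`; `systemd_tmpfiles_runtime_conf_creator` would match both.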

########################################
@@ -454,13 +454,13 @@ interface(`systemd_tmpfiles_creator',`
## </summary>
## </param>
#
-interface(`systemd_tmpfiles_conf_filetrans',`
+interface(`systemd_tmpfiles_runtime_conf_filetrans',`
gen_require(`
- type systemd_tmpfiles_conf_t;
+ type systemd_tmpfiles_runtime_conf_t;
')

files_search_pids($1)
- filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
+ filetrans_pattern($1, systemd_tmpfiles_runtime_conf_t, $2, $3, $4)
')

#######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7782528..2cbdba2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -154,8 +154,12 @@ type systemd_tmpfiles_t;
type systemd_tmpfiles_exec_t;
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)

+type systemd_tmpfiles_runtime_conf_t;
+files_config_file(systemd_tmpfiles_runtime_conf_t)
+
type systemd_tmpfiles_conf_t;
files_config_file(systemd_tmpfiles_conf_t)
+typeattribute systemd_tmpfiles_conf_t systemd_tmpfiles_conf_type;

#
# Unit file types
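Review bot: `systemd_tmpfiles_runtime_conf_t` is declared without the `systemd_tmpfiles_conf_type` attribute, yet the later hunk in this file rewrites the only visible list rule for systemd_tmpfiles_t from `systemd_tmpfiles_conf_t:dir` to `systemd_tmpfiles_conf_type:dir`; since /run/tmpfiles.d now carries the runtime type, systemd_tmpfiles_t loses list access to that directory unless a rule outside this patch covers it. Add `typeattribute systemd_tmpfiles_runtime_conf_t systemd_tmpfiles_conf_type;` next to the new declaration, which also keeps the `systemd_tmpfiles_conf_type:file` rule covering fragments created directly in the runtime type. kmod's fragment type already gets the attribute via `systemd_tmpfiles_conf_file()` in modutils.te, so it is only the directory that regresses.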
@@ -783,7 +787,7 @@ manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };

-allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;

kernel_read_kernel_sysctls(systemd_tmpfiles_t)
--
2.10.2

2017-05-14 15:24:02

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 3/4] Add policy for systemd-networkd

From: Krzysztof Nowicki <[email protected]>

This includes policy for socket-activation through the netlink route
socket, which lays some groundwork for a generic API for systemd
socket-activation policies, as suggested by Dominick Grift.
---
policy/modules/system/init.if | 19 +++++++++++++++++
policy/modules/system/init.te | 3 +++
policy/modules/system/systemd.fc | 2 ++
policy/modules/system/systemd.te | 46 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 70 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9428453..af95897 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2940,6 +2940,25 @@ interface(`init_reload_all_units',`

########################################
## <summary>
+## Allow subject domain to be socket-activated by systemd
+## through a netlink route socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Subject domain
+## </summary>
+## </param>
+#
+interface(`init_netlink_route_socket_activated_subj_type',`
+ gen_require(`
+ attribute systemd_netlink_route_socket_activated_subj_type;
+ ')
+
+ typeattribute $1 systemd_netlink_route_socket_activated_subj_type;
+')
+
+########################################
+## <summary>
## Allow unconfined access to send instructions to init
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9a64783..061bb29 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -28,6 +28,7 @@ attribute init_script_file_type;
attribute init_run_all_scripts_domain;
attribute systemdunit;
attribute initrc_transition_domain;
+attribute systemd_netlink_route_socket_activated_subj_type;

# Mark process types as daemons
attribute daemon;
@@ -246,6 +247,8 @@ ifdef(`init_systemd',`
allow systemprocess init_t:unix_dgram_socket sendto;
allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };

+ allow init_t systemd_netlink_route_socket_activated_subj_type:netlink_route_socket create_socket_perms;
+
allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 82307e3..d7fd19b 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -22,6 +22,7 @@
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)

# Systemd generators
/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_generator_gpt_exec_t,s0)
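Review bot: The new `systemd-networkd` entry is appended after `systemd-user-sessions`, breaking the alphabetical order the surrounding block keeps; it belongs between the `systemd-machined` and `systemd-resolved` lines. `systemd-networkd-wait-online`, which ships alongside networkd, is not labeled here; if its unit is enabled it would execute without a domain transition (in init_t's domain, if the default labeling applies), so either give it a type or note in the commit message that it is deliberately left for later.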
@@ -56,6 +57,7 @@
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)

/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_runtime_conf_t,s0)
/run/tmpfiles\.d/.* <<none>>
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2cbdba2..540cd4b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -127,6 +127,13 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
type systemd_resolved_var_run_t;
files_pid_file(systemd_resolved_var_run_t)

+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
type systemd_run_t;
type systemd_run_exec_t;
init_daemon_domain(systemd_run_t, systemd_run_exec_t)
@@ -752,6 +759,45 @@ optional_policy(`

#########################################
#
+# Networkd local policy
+#
+
+allow systemd_networkd_t self:process { getcap setcap };
+allow systemd_networkd_t self:capability { net_admin dac_override setgid setuid chown setpcap net_raw };
+
+allow systemd_networkd_t self:netlink_kobject_uevent_socket { create_socket_perms };
+allow systemd_networkd_t self:netlink_route_socket { rw_netlink_socket_perms };
+allow systemd_networkd_t self:unix_dgram_socket { create_socket_perms };
+allow systemd_networkd_t self:udp_socket { create_socket_perms };
+allow systemd_networkd_t self:packet_socket { create_socket_perms };
+allow systemd_networkd_t self:rawip_socket { create_socket_perms };
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+files_read_etc_files(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_netlink_route_socket_activated_subj_type(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+#udev_search_pids(systemd_networkd_t)
+#udev_read_pid_files(systemd_networkd_t)
+udev_read_db(systemd_networkd_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_networkd_t)
+ dbus_connect_system_bus(systemd_networkd_t)
+')
+
+#########################################
+#
# Sessions local policy
#

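Review bot: The new domain may create `udp_socket`, `packet_socket` and `rawip_socket` objects but gets no corenet_* rules, so if networkd is configured as a DHCP client the bind of the client port will be denied even though socket creation succeeds; `corenet_udp_bind_generic_node(systemd_networkd_t)` and `corenet_udp_bind_dhcpc_port(systemd_networkd_t)` are the likely missing pieces (plus the dhcpd port if the built-in DHCP server is used) — confirm against the denials on a DHCP-configured interface rather than adding them blind. `dac_override` is the broad grant in the capability line; it is usually a sign of a file created as root before the service drops to its own user, so if that is the /run/systemd/netif case the right fix is ownership, otherwise leave a comment saying what needs it. `udev_read_db(systemd_networkd_t)` should be wrapped in `optional_policy()` like the dbus calls, since udev is a separate module.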
--
2.10.2

2017-05-14 15:24:03

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 4/4] Enable /etc directory protection using ProtectSystem

From: Krzysztof Nowicki <[email protected]>

Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.

This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.
---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 8a64031..ac5714f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2851,6 +2851,25 @@ interface(`files_relabelto_etc_dirs',`

########################################
## <summary>
+## Mount a filesystem on the
+## etc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 061bb29..86795a2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -291,6 +291,7 @@ ifdef(`init_systemd',`
files_search_kernel_modules(init_t)
# for privatetmp functions
files_mounton_tmp(init_t)
+ files_mounton_etc_dirs(init_t)

fs_relabel_cgroup_dirs(init_t)
fs_rw_cgroup_files(init_t)
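Review bot: The neighbouring `files_mounton_tmp(init_t)` carries a why-comment (`# for privatetmp functions`) but the new `files_mounton_etc_dirs(init_t)` has none, so a reader cannot tell which systemd feature drives it; add `# for ProtectSystem=full/strict, which bind-mounts /etc read-only` above it. Note that `mounton` on etc_t:dir lets init_t mount over any etc_t directory, not just /etc itself; that is inherent to the type granularity and acceptable for init_t, but worth stating in the interface description so nobody later hands it to a less privileged domain without thinking.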
--
2.10.2

2017-05-15 22:29:13

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/4] Add policy for systemd GPT generator

On 05/14/2017 11:24 AM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki <[email protected]>
>
> ---
> policy/modules/system/systemd.fc | 3 +++
> policy/modules/system/systemd.te | 16 ++++++++++++++++
> 2 files changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index b32c006..7fa03ad 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -23,6 +23,9 @@
> /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
> /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
>
> +# Systemd generators
> +/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_generator_gpt_exec_t,s0)
> +
> # Systemd unit files
> /usr/lib/systemd/system/[^/]*halt.* -- gen_context(system_u:object_r:power_unit_t,s0)
> /usr/lib/systemd/system/[^/]*hibernate.* -- gen_context(system_u:object_r:power_unit_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 0a0b34b..7782528 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -48,6 +48,10 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
> type systemd_binfmt_unit_t;
> init_unit_file(systemd_binfmt_unit_t)
>
> +type systemd_generator_gpt_t;
> +type systemd_generator_gpt_exec_t;
> +init_system_domain(systemd_generator_gpt_t, systemd_generator_gpt_exec_t)

I think a type name like systemd_gpt_generator_t would make more sense.


> type systemd_cgroups_t;
> type systemd_cgroups_exec_t;
> domain_type(systemd_cgroups_t)
> @@ -194,6 +198,18 @@ files_read_etc_files(systemd_binfmt_t)
>
> fs_register_binary_executable_type(systemd_binfmt_t)
>
> +#######################################
> +#
> +# GPT auto generator local policy
> +#
> +
> +systemd_log_parse_environment(systemd_generator_gpt_t)
> +
> +storage_raw_read_fixed_disk(systemd_generator_gpt_t)
> +dev_read_sysfs(systemd_generator_gpt_t)
> +files_read_etc_files(systemd_generator_gpt_t)
> +fs_getattr_xattr_fs(systemd_generator_gpt_t)

Please reorder for style.

--
Chris PeBenito

2017-05-15 22:32:01

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/4] Distinguish between systemd-tmpfiles runtime and static config

On 05/14/2017 11:24 AM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki <[email protected]>
>
> Label all static tmpfiles configuration under one type. Rename the type
> used for runtime configuration to indicate its purpose.
> ---
> policy/modules/system/modutils.te | 4 ++--
> policy/modules/system/systemd.fc | 6 +++++-
> policy/modules/system/systemd.if | 16 ++++++++--------
> policy/modules/system/systemd.te | 6 +++++-
> 4 files changed, 20 insertions(+), 12 deletions(-)
>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index 1f7bdcd..28a4e01 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -27,7 +27,7 @@ ifdef(`init_systemd',`
> type kmod_tmpfiles_conf_t;
> typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
> systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t)
> - systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
> + systemd_tmpfiles_runtime_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
> ')
>
> ########################################
> @@ -118,7 +118,7 @@ ifdef(`init_systemd',`
> # for /run/tmpfiles.d/kmod.conf
> allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
> # kmod needs to create /run/tmpdiles.d
> - systemd_tmpfiles_creator(kmod_t)
> + systemd_tmpfiles_runtime_config_creator(kmod_t)
>
> init_rw_stream_sockets(kmod_t)
> ')
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 7fa03ad..82307e3 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -37,6 +37,10 @@
> /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
> /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
>
> +# Systemd tmpfiles configuration
> +/usr/lib/tmpfiles.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
> +/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
> +
> /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
> /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
> /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
> @@ -53,7 +57,7 @@
> /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
> /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
>
> -/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
> +/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_runtime_conf_t,s0)
> /run/tmpfiles\.d/.* <<none>>
>
> /var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 10f75de..a750063 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
> ## </summary>
> ## </param>
> #
> - interface(`systemd_tmpfiles_conf_file',`
> +interface(`systemd_tmpfiles_conf_file',`
> gen_require(`
> attribute systemd_tmpfiles_conf_type;
> ')
> @@ -418,13 +418,13 @@ interface(`systemd_start_power_units',`
> ## </summary>
> ## </param>
> #
> -interface(`systemd_tmpfiles_creator',`
> +interface(`systemd_tmpfiles_runtime_config_creator',`
> gen_require(`
> - type systemd_tmpfiles_conf_t;
> + type systemd_tmpfiles_runtime_conf_t;
> ')
>
> - files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d")
> - allow $1 systemd_tmpfiles_conf_t:dir create;
> + files_pid_filetrans($1, systemd_tmpfiles_runtime_conf_t, dir, "tmpfiles.d")
> + allow $1 systemd_tmpfiles_runtime_conf_t:dir create;
> ')
>
> ########################################
> @@ -454,13 +454,13 @@ interface(`systemd_tmpfiles_creator',`
> ## </summary>
> ## </param>
> #
> -interface(`systemd_tmpfiles_conf_filetrans',`
> +interface(`systemd_tmpfiles_runtime_conf_filetrans',`
> gen_require(`
> - type systemd_tmpfiles_conf_t;
> + type systemd_tmpfiles_runtime_conf_t;
> ')
>
> files_search_pids($1)
> - filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
> + filetrans_pattern($1, systemd_tmpfiles_runtime_conf_t, $2, $3, $4)
> ')
>
> #######################################
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 7782528..2cbdba2 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -154,8 +154,12 @@ type systemd_tmpfiles_t;
> type systemd_tmpfiles_exec_t;
> init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
>
> +type systemd_tmpfiles_runtime_conf_t;
> +files_config_file(systemd_tmpfiles_runtime_conf_t)
> +
> type systemd_tmpfiles_conf_t;
> files_config_file(systemd_tmpfiles_conf_t)
> +typeattribute systemd_tmpfiles_conf_t systemd_tmpfiles_conf_type;
>
> #
> # Unit file types
> @@ -783,7 +787,7 @@ manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
> allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
>
> -allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> +allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir list_dir_perms;
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)

With only one domain writing these files, I'm not sure this is warranted
at this time.

--
Chris PeBenito

2017-05-15 22:36:25

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/4] Add policy for systemd-networkd

On 05/14/2017 11:24 AM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki <[email protected]>
>
> This includes policy for socket-activation through the netlink route
> socket, which lays some ground for generic API for systemd socket-activation
> policies as suggested by Dominick Grift.
> ---
> policy/modules/system/init.if | 19 +++++++++++++++++
> policy/modules/system/init.te | 3 +++
> policy/modules/system/systemd.fc | 2 ++
> policy/modules/system/systemd.te | 46 ++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 70 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 9428453..af95897 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -2940,6 +2940,25 @@ interface(`init_reload_all_units',`
>
> ########################################
> ## <summary>
> +## Allow subject domain to be socket-activated by systemd
> +## through a netlink route socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Subject domain
> +## </summary>
> +## </param>
> +#
> +interface(`init_netlink_route_socket_activated_subj_type',`
> + gen_require(`
> + attribute systemd_netlink_route_socket_activated_subj_type;
> + ')
> +
> + typeattribute $1 systemd_netlink_route_socket_activated_subj_type;
> +')

This should look like the init_named_socket_activation() interface and
be named init_netlink_socket_activation().


> +########################################
> +## <summary>
> ## Allow unconfined access to send instructions to init
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 9a64783..061bb29 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -28,6 +28,7 @@ attribute init_script_file_type;
> attribute init_run_all_scripts_domain;
> attribute systemdunit;
> attribute initrc_transition_domain;
> +attribute systemd_netlink_route_socket_activated_subj_type;
>
> # Mark process types as daemons
> attribute daemon;
> @@ -246,6 +247,8 @@ ifdef(`init_systemd',`
> allow systemprocess init_t:unix_dgram_socket sendto;
> allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
>
> + allow init_t systemd_netlink_route_socket_activated_subj_type:netlink_route_socket create_socket_perms;
> +
> allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
> manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
> manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 82307e3..d7fd19b 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -22,6 +22,7 @@
> /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
> /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
> /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
> +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
>
> # Systemd generators
> /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_generator_gpt_exec_t,s0)
> @@ -56,6 +57,7 @@
> /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
> /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
> +/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
>
> /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_runtime_conf_t,s0)
> /run/tmpfiles\.d/.* <<none>>
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 2cbdba2..540cd4b 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -127,6 +127,13 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
> type systemd_resolved_var_run_t;
> files_pid_file(systemd_resolved_var_run_t)
>
> +type systemd_networkd_t;
> +type systemd_networkd_exec_t;
> +init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
> +
> +type systemd_networkd_var_run_t;
> +files_pid_file(systemd_networkd_var_run_t)
> +
> type systemd_run_t;
> type systemd_run_exec_t;
> init_daemon_domain(systemd_run_t, systemd_run_exec_t)
> @@ -752,6 +759,45 @@ optional_policy(`
>
> #########################################
> #
> +# Networkd local policy
> +#
> +
> +allow systemd_networkd_t self:process { getcap setcap };
> +allow systemd_networkd_t self:capability { net_admin dac_override setgid setuid chown setpcap net_raw };
> +
> +allow systemd_networkd_t self:netlink_kobject_uevent_socket { create_socket_perms };
> +allow systemd_networkd_t self:netlink_route_socket { rw_netlink_socket_perms };
> +allow systemd_networkd_t self:unix_dgram_socket { create_socket_perms };
> +allow systemd_networkd_t self:udp_socket { create_socket_perms };
> +allow systemd_networkd_t self:packet_socket { create_socket_perms };
> +allow systemd_networkd_t self:rawip_socket { create_socket_perms };

The permission sets don't need the curly braces.


> +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +
> +files_read_etc_files(systemd_networkd_t)
> +kernel_read_system_state(systemd_networkd_t)
> +kernel_read_kernel_sysctls(systemd_networkd_t)
> +kernel_rw_net_sysctls(systemd_networkd_t)
> +
> +init_dgram_send(systemd_networkd_t)
> +init_netlink_route_socket_activated_subj_type(systemd_networkd_t)
> +
> +dev_read_sysfs(systemd_networkd_t)

Please reorder the above calls for style.

> +systemd_log_parse_environment(systemd_networkd_t)
> +
> +#udev_search_pids(systemd_networkd_t)
> +#udev_read_pid_files(systemd_networkd_t)

Please remove these.

> +udev_read_db(systemd_networkd_t)
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_networkd_t)
> + dbus_connect_system_bus(systemd_networkd_t)
> +')
> +
> +#########################################
> +#
> # Sessions local policy
> #
>
>


--
Chris PeBenito

2017-05-15 22:42:45

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/4] Enable /etc directory protection using ProtectSystem

On 05/14/2017 11:24 AM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki <[email protected]>
>
> Setting this service option to 'full' or 'strict' will also remount the
> /etc directory. Allow this in the policy.
>
> This fixes the systemd-networkd service, but will also positively affect
> any other service using the above hardening option.
> ---
> policy/modules/kernel/files.if | 19 +++++++++++++++++++
> policy/modules/system/init.te | 1 +
> 2 files changed, 20 insertions(+)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 8a64031..ac5714f 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -2851,6 +2851,25 @@ interface(`files_relabelto_etc_dirs',`
>
> ########################################
> ## <summary>
> +## Mount a filesystem on the
> +## etc directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_mounton_etc_dirs',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Read generic files in /etc.
> ## </summary>
> ## <desc>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 061bb29..86795a2 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -291,6 +291,7 @@ ifdef(`init_systemd',`
> files_search_kernel_modules(init_t)
> # for privatetmp functions
> files_mounton_tmp(init_t)
> + files_mounton_etc_dirs(init_t)
>
> fs_relabel_cgroup_dirs(init_t)
> fs_rw_cgroup_files(init_t)

Merged.

--
Chris PeBenito

2017-05-18 19:26:22

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 1/3] Add policy for systemd GPT generator

From: Krzysztof Nowicki <[email protected]>

---
policy/modules/system/systemd.fc | 3 +++
policy/modules/system/systemd.te | 16 ++++++++++++++++
2 files changed, 19 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index b32c006..57944e1 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -11,6 +11,9 @@
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)

+# Systemd generators
+/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
+
/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0a0b34b..eb70c77 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -48,6 +48,10 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
type systemd_binfmt_unit_t;
init_unit_file(systemd_binfmt_unit_t)

+type systemd_gpt_generator_t;
+type systemd_gpt_generator_exec_t;
+init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
+
type systemd_cgroups_t;
type systemd_cgroups_exec_t;
domain_type(systemd_cgroups_t)
@@ -194,6 +198,18 @@ files_read_etc_files(systemd_binfmt_t)

fs_register_binary_executable_type(systemd_binfmt_t)

+#######################################
+#
+# GPT auto generator local policy
+#
+
+dev_read_sysfs(systemd_gpt_generator_t)
+files_read_etc_files(systemd_gpt_generator_t)
+fs_getattr_xattr_fs(systemd_gpt_generator_t)
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
+
+systemd_log_parse_environment(systemd_gpt_generator_t)
+
######################################
#
# Cgroups local policy
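Review bot: `storage_raw_read_fixed_disk(systemd_gpt_generator_t)` grants raw read access to fixed disk devices, a broad privilege for a generator, and carries no comment; a line such as `# reads the GPT partition table to generate mount units` (presumably its purpose, given the name) would record why it is needed. The hash rule opening the new section is one character longer than the adjacent `# Cgroups local policy` header, so the width should match the existing headers. Nothing in the hunk lets the domain write generated unit files into the output directory systemd hands to generators; if that is not covered by `init_system_domain` or elsewhere, those writes will be denied, so it is worth confirming. The same hunk appears unchanged in the 19:31 reposting of this patch.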
--
2.10.2

2017-05-18 19:26:23

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfilesd static configuration files

From: Krzysztof Nowicki <[email protected]>

Reuse the label from dynamically created configuration.
---
policy/modules/system/modutils.te | 2 +-
policy/modules/system/systemd.fc | 6 ++++++
policy/modules/system/systemd.if | 4 ++--
policy/modules/system/systemd.te | 1 +
4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1f7bdcd..625129f 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -118,7 +118,7 @@ ifdef(`init_systemd',`
# for /run/tmpfiles.d/kmod.conf
allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
# kmod needs to create /run/tmpdiles.d
- systemd_tmpfiles_creator(kmod_t)
+ systemd_tmpfiles_config_creator(kmod_t)

init_rw_stream_sockets(kmod_t)
')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 57944e1..8bff2fa 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -37,10 +37,16 @@
/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)

+# Systemd tmpfiles configuration
+/usr/lib/tmpfiles.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)

+# Systemd tmpfiles configuration factory
+/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+
/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)

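Review bot: Labelling `/usr/lib/tmpfiles.d(/.*)?` and `/usr/share/factory(/.*)?` with `systemd_tmpfiles_conf_t` reuses the type that `systemd_tmpfiles_config_creator` requires, so any caller such as `kmod_t`, allowed to create the runtime `/run/tmpfiles.d`, would gain the same rights over the packaged configuration and factory tree if that interface grants create or write on the type (its body is outside the hunk). If a private type is kept for the static files, a separate read-only type would preserve the runtime/static distinction this series set out to make. The comment `# Systemd tmpfiles configuration factory` also misdescribes `/usr/share/factory`, which holds the factory copies that tmpfiles.d `C` lines copy from rather than configuration; `# Factory copies used by tmpfiles.d C lines` would be accurate. The same hunk appears unchanged in the 19:31 reposting.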
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 10f75de..4359d74 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
## </summary>
## </param>
#
- interface(`systemd_tmpfiles_conf_file',`
+interface(`systemd_tmpfiles_conf_file',`
gen_require(`
attribute systemd_tmpfiles_conf_type;
')
@@ -418,7 +418,7 @@ interface(`systemd_start_power_units',`
## </summary>
## </param>
#
-interface(`systemd_tmpfiles_creator',`
+interface(`systemd_tmpfiles_config_creator',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index eb70c77..4535182 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -784,6 +784,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };

allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;

kernel_read_kernel_sysctls(systemd_tmpfiles_t)
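Review bot: The added `allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;` looks redundant with the line directly below it if `systemd_tmpfiles_conf_t` carries the `systemd_tmpfiles_conf_type` attribute; the `systemd_tmpfiles_conf_file` interface touched in this patch requires that attribute, which suggests the type is meant to have it. If it does, drop the new line; if it deliberately does not, a short comment saying why the concrete type sits outside the attribute would prevent the next reader from folding it in. The same hunk appears unchanged in the 19:31 reposting.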
--
2.10.2

2017-05-18 19:26:24

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 3/3] Add policy for systemd-networkd

From: Krzysztof Nowicki <[email protected]>

This includes policy for socket-activation through the netlink route
socket.
---
policy/modules/system/init.if | 20 ++++++++++++++++++
policy/modules/system/systemd.fc | 2 ++
policy/modules/system/systemd.te | 45 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 67 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9428453..756c306 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -361,6 +361,26 @@ interface(`init_named_socket_activation',`
')
')

+#########################################
+## <summary>
+## Netlink socket service activation (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain to be started by systemd socket activation.
+## </summary>
+## </param>
+#
+interface(`init_netlink_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:netlink_route_socket create_socket_perms;
+ ')
+')
+
########################################
## <summary>
## Create a domain for short running processes
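Review bot: The interface name `init_netlink_socket_activation` and its summary promise netlink socket activation in general, but the only rule is `allow init_t $1:netlink_route_socket create_socket_perms;`, so a caller expecting another netlink class would be silently unserved. Narrowing the summary to `## Netlink route socket service activation (systemd).` keeps the documentation honest; if other netlink classes are anticipated, the class could instead become a parameter. The hash rule above the new interface is one character longer than the neighbouring headers. The same hunk appears unchanged in the 19:31 reposting.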
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 8bff2fa..dd57def 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -23,6 +23,7 @@
/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)

@@ -58,6 +59,7 @@
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)

/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
/run/tmpfiles\.d/.* <<none>>
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4535182..8756ad2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -109,6 +109,13 @@ type systemd_machined_var_run_t;
files_pid_file(systemd_machined_var_run_t)
init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")

+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
type systemd_notify_t;
type systemd_notify_exec_t;
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
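Review bot: `systemd_networkd_var_run_t` gets `files_pid_file` but, unlike `systemd_machined_var_run_t` a few lines above, no `init_daemon_pid_file(systemd_networkd_var_run_t, dir, "netif")`. The fc hunk labels `/run/systemd/netif(/.*)?` with this type, yet nothing visible in the patch gives init_t (which presumably creates the unit's runtime directory) or networkd itself a file transition to that label, so the directory would likely inherit its parent's type until relabelled. Adding the `init_daemon_pid_file` line matching the machined pattern should close that gap. The same hunk appears unchanged in the 19:31 reposting.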
@@ -509,6 +516,44 @@ optional_policy(`
dbus_system_bus_client(systemd_machined_t)
')

+#########################################
+#
+# Networkd local policy
+#
+
+allow systemd_networkd_t self:capability { chown dac_override net_admin net_raw setgid setpcap setuid };
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow systemd_networkd_t self:packet_socket create_socket_perms;
+allow systemd_networkd_t self:process { getcap setcap };
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_read_network_state(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
+files_read_etc_files(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_netlink_socket_activation(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+udev_read_db(systemd_networkd_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_networkd_t)
+ dbus_system_bus_client(systemd_networkd_t)
+')
+
########################################
#
# systemd_notify local policy
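Review bot: The capability line `allow systemd_networkd_t self:capability { chown dac_override net_admin net_raw setgid setpcap setuid };` bundles `dac_override` with the expected networking and privilege-drop capabilities without a why-comment; since it bypasses DAC permission checks on every file, it deserves a comment naming the access that triggered the denial, or a check whether correct labelling of the runtime directory makes it unnecessary. The raw, packet and netlink socket rules would also read better with a one-line note such as `# DHCP client and link monitoring` above them. The hash rule opening the section is one character longer than the adjacent `# systemd_notify local policy` header. The same hunk appears unchanged in the 19:31 reposting.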
--
2.10.2

2017-05-18 19:31:07

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 0/3 v2] Miscellaneous fixes for systemd in strict mode

This patch series fixes a number of SELinux denials when booting systemd
in strict mode.

v2:
- Fixed policy coding style according to official guidelines
- Renamed GPT generator type
- Refactored systemd-tmpfiles config patch to reuse existing type
- Refactored systemd-networkd socket activation policy

Krzysztof Nowicki (3):
Add policy for systemd GPT generator
Label systemd-tmpfilesd static configuration files
Add policy for systemd-networkd

policy/modules/system/init.if | 20 ++++++++++
policy/modules/system/modutils.te | 2 +-
policy/modules/system/systemd.fc | 11 ++++++
policy/modules/system/systemd.if | 4 +-
policy/modules/system/systemd.te | 62 +++++++++++++++++++++++++++++++
5 files changed, 96 insertions(+), 3 deletions(-)

2017-05-18 19:31:08

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 1/3] Add policy for systemd GPT generator

From: Krzysztof Nowicki <[email protected]>

---
policy/modules/system/systemd.fc | 3 +++
policy/modules/system/systemd.te | 16 ++++++++++++++++
2 files changed, 19 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index b32c006..57944e1 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -11,6 +11,9 @@
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)

+# Systemd generators
+/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
+
/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0a0b34b..eb70c77 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -48,6 +48,10 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
type systemd_binfmt_unit_t;
init_unit_file(systemd_binfmt_unit_t)

+type systemd_gpt_generator_t;
+type systemd_gpt_generator_exec_t;
+init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
+
type systemd_cgroups_t;
type systemd_cgroups_exec_t;
domain_type(systemd_cgroups_t)
@@ -194,6 +198,18 @@ files_read_etc_files(systemd_binfmt_t)

fs_register_binary_executable_type(systemd_binfmt_t)

+#######################################
+#
+# GPT auto generator local policy
+#
+
+dev_read_sysfs(systemd_gpt_generator_t)
+files_read_etc_files(systemd_gpt_generator_t)
+fs_getattr_xattr_fs(systemd_gpt_generator_t)
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
+
+systemd_log_parse_environment(systemd_gpt_generator_t)
+
######################################
#
# Cgroups local policy
--
2.10.2

2017-05-18 19:31:09

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files

From: Krzysztof Nowicki <[email protected]>

Reuse the label from dynamically created configuration.
---
policy/modules/system/modutils.te | 2 +-
policy/modules/system/systemd.fc | 6 ++++++
policy/modules/system/systemd.if | 4 ++--
policy/modules/system/systemd.te | 1 +
4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1f7bdcd..625129f 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -118,7 +118,7 @@ ifdef(`init_systemd',`
# for /run/tmpfiles.d/kmod.conf
allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
# kmod needs to create /run/tmpdiles.d
- systemd_tmpfiles_creator(kmod_t)
+ systemd_tmpfiles_config_creator(kmod_t)

init_rw_stream_sockets(kmod_t)
')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 57944e1..8bff2fa 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -37,10 +37,16 @@
/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)

+# Systemd tmpfiles configuration
+/usr/lib/tmpfiles.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)

+# Systemd tmpfiles configuration factory
+/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
+
/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 10f75de..4359d74 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
## </summary>
## </param>
#
- interface(`systemd_tmpfiles_conf_file',`
+interface(`systemd_tmpfiles_conf_file',`
gen_require(`
attribute systemd_tmpfiles_conf_type;
')
@@ -418,7 +418,7 @@ interface(`systemd_start_power_units',`
## </summary>
## </param>
#
-interface(`systemd_tmpfiles_creator',`
+interface(`systemd_tmpfiles_config_creator',`
gen_require(`
type systemd_tmpfiles_conf_t;
')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index eb70c77..4535182 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -784,6 +784,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };

allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;

kernel_read_kernel_sysctls(systemd_tmpfiles_t)
--
2.10.2

2017-05-18 19:31:10

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 3/3] Add policy for systemd-networkd

From: Krzysztof Nowicki <[email protected]>

This includes policy for socket-activation through the netlink route
socket.
---
policy/modules/system/init.if | 20 ++++++++++++++++++
policy/modules/system/systemd.fc | 2 ++
policy/modules/system/systemd.te | 45 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 67 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9428453..756c306 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -361,6 +361,26 @@ interface(`init_named_socket_activation',`
')
')

+#########################################
+## <summary>
+## Netlink socket service activation (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain to be started by systemd socket activation.
+## </summary>
+## </param>
+#
+interface(`init_netlink_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:netlink_route_socket create_socket_perms;
+ ')
+')
+
########################################
## <summary>
## Create a domain for short running processes
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 8bff2fa..dd57def 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -23,6 +23,7 @@
/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)

@@ -58,6 +59,7 @@
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)

/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
/run/tmpfiles\.d/.* <<none>>
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4535182..8756ad2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -109,6 +109,13 @@ type systemd_machined_var_run_t;
files_pid_file(systemd_machined_var_run_t)
init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")

+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
type systemd_notify_t;
type systemd_notify_exec_t;
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
@@ -509,6 +516,44 @@ optional_policy(`
dbus_system_bus_client(systemd_machined_t)
')

+#########################################
+#
+# Networkd local policy
+#
+
+allow systemd_networkd_t self:capability { chown dac_override net_admin net_raw setgid setpcap setuid };
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow systemd_networkd_t self:packet_socket create_socket_perms;
+allow systemd_networkd_t self:process { getcap setcap };
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_read_network_state(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
+files_read_etc_files(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_netlink_socket_activation(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+udev_read_db(systemd_networkd_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_networkd_t)
+ dbus_system_bus_client(systemd_networkd_t)
+')
+
########################################
#
# systemd_notify local policy
--
2.10.2

2017-05-18 19:52:09

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files

2017-05-18 21:31 GMT+02:00 Krzysztof Nowicki via refpolicy
<[email protected]>:
> From: Krzysztof Nowicki <[email protected]>
>
> Reuse the label from dynamically created configuration.
> ---
> policy/modules/system/modutils.te | 2 +-
> policy/modules/system/systemd.fc | 6 ++++++
> policy/modules/system/systemd.if | 4 ++--
> policy/modules/system/systemd.te | 1 +
> 4 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index 1f7bdcd..625129f 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -118,7 +118,7 @@ ifdef(`init_systemd',`
> # for /run/tmpfiles.d/kmod.conf
> allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
> # kmod needs to create /run/tmpdiles.d
> - systemd_tmpfiles_creator(kmod_t)
> + systemd_tmpfiles_config_creator(kmod_t)
>
> init_rw_stream_sockets(kmod_t)
> ')
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 57944e1..8bff2fa 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -37,10 +37,16 @@
> /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
> /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
>
> +# Systemd tmpfiles configuration
> +/usr/lib/tmpfiles.d(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
> +
> /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
> /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
> /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
>
> +# Systemd tmpfiles configuration factory
> +/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)

What is the benefit of labeling this directory and the
/usr/lib/tmpfiles.d one with a private type?
Shouldn't the read-only-like usr_t type do the job?
Also, AFAIK local changes should be made in /etc/tmpfiles.d.

> +
> /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 10f75de..4359d74 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
> ## </summary>
> ## </param>
> #
> - interface(`systemd_tmpfiles_conf_file',`
> +interface(`systemd_tmpfiles_conf_file',`
> gen_require(`
> attribute systemd_tmpfiles_conf_type;
> ')
> @@ -418,7 +418,7 @@ interface(`systemd_start_power_units',`
> ## </summary>
> ## </param>
> #
> -interface(`systemd_tmpfiles_creator',`
> +interface(`systemd_tmpfiles_config_creator',`
> gen_require(`
> type systemd_tmpfiles_conf_t;
> ')
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index eb70c77..4535182 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -784,6 +784,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
> allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
>
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> +allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> --
> 2.10.2
>

2017-05-18 20:35:29

by krzysztof.a.nowicki

Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files

Dnia czwartek, 18 maja 2017 21:52:09 CEST Christian Göttsche pisze:
> 2017-05-18 21:31 GMT+02:00 Krzysztof Nowicki via refpolicy
>
> <[email protected]>:
> > From: Krzysztof Nowicki <[email protected]>
> >
> > Reuse the label from dynamically created configuration.
> > ---
> >
> > policy/modules/system/modutils.te | 2 +-
> > policy/modules/system/systemd.fc | 6 ++++++
> > policy/modules/system/systemd.if | 4 ++--
> > policy/modules/system/systemd.te | 1 +
> > 4 files changed, 10 insertions(+), 3 deletions(-)
> >
> > diff --git a/policy/modules/system/modutils.te
> > b/policy/modules/system/modutils.te index 1f7bdcd..625129f 100644
> > --- a/policy/modules/system/modutils.te
> > +++ b/policy/modules/system/modutils.te
> > @@ -118,7 +118,7 @@ ifdef(`init_systemd',`
> >
> > # for /run/tmpfiles.d/kmod.conf
> > allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
> > # kmod needs to create /run/tmpdiles.d
> >
> > - systemd_tmpfiles_creator(kmod_t)
> > + systemd_tmpfiles_config_creator(kmod_t)
> >
> > init_rw_stream_sockets(kmod_t)
> >
> > ')
> >
> > diff --git a/policy/modules/system/systemd.fc
> > b/policy/modules/system/systemd.fc index 57944e1..8bff2fa 100644
> > --- a/policy/modules/system/systemd.fc
> > +++ b/policy/modules/system/systemd.fc
> > @@ -37,10 +37,16 @@
> >
> > /usr/lib/systemd/system/systemd-backlight.* --
> > gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
> > /usr/lib/systemd/system/systemd-binfmt.* --
> > gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)>
> > +# Systemd tmpfiles configuration
> > +/usr/lib/tmpfiles.d(/.*)?
> > gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) +
> >
> > /var/lib/systemd/backlight(/.*)?
> > gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
> > /var/lib/systemd/coredump(/.*)?
> > gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
> > /var/lib/systemd/linger(/.*)?
> > gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)>
> > +# Systemd tmpfiles configuration factory
> > +/usr/share/factory(/.*)?
> > gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
> What is the benefit of labeling this directory and the
> /usr/lib/tmpfiles.d one with a private type?
> Shouldn't the read-only like usr_t type do the job?
> Also afaik local changes should be made in /etc/tmpfiles.d

The idea was to avoid just that - giving the systemd-tmpfiles access to a
generic type. I've always felt that types are there to separate access rules.

If you feel that it's not needed then I can go with usr_t instead.

>
> > +
> >
> > /run/\.nologin[^/]* --
> > gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> > /run/nologin --
> > gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)>
> > diff --git a/policy/modules/system/systemd.if
> > b/policy/modules/system/systemd.if index 10f75de..4359d74 100644
> > --- a/policy/modules/system/systemd.if
> > +++ b/policy/modules/system/systemd.if
> > @@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
> >
> > ## </summary>
> > ## </param>
> > #
> >
> > - interface(`systemd_tmpfiles_conf_file',`
> > +interface(`systemd_tmpfiles_conf_file',`
> >
> > gen_require(`
> >
> > attribute systemd_tmpfiles_conf_type;
> >
> > ')
> >
> > @@ -418,7 +418,7 @@ interface(`systemd_start_power_units',`
> >
> > ## </summary>
> > ## </param>
> > #
> >
> > -interface(`systemd_tmpfiles_creator',`
> > +interface(`systemd_tmpfiles_config_creator',`
> >
> > gen_require(`
> >
> > type systemd_tmpfiles_conf_t;
> >
> > ')
> >
> > diff --git a/policy/modules/system/systemd.te
> > b/policy/modules/system/systemd.te index eb70c77..4535182 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -784,6 +784,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir {
> > relabelfrom relabelto };>
> > allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto
> > };
> >
> > allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> >
> > +allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;
> >
> > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
> >
> > kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> >
> > --
> > 2.10.2
> >

2017-05-22 23:06:03

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files

On 05/18/2017 04:35 PM, Krzysztof Nowicki via refpolicy wrote:
> Dnia czwartek, 18 maja 2017 21:52:09 CEST Christian Göttsche pisze:
>> 2017-05-18 21:31 GMT+02:00 Krzysztof Nowicki via refpolicy
>>
>> <[email protected]>:
>>> From: Krzysztof Nowicki <[email protected]>
>>>
>>> Reuse the label from dynamically created configuration.
>>> ---
>>>
>>> policy/modules/system/modutils.te | 2 +-
>>> policy/modules/system/systemd.fc | 6 ++++++
>>> policy/modules/system/systemd.if | 4 ++--
>>> policy/modules/system/systemd.te | 1 +
>>> 4 files changed, 10 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/policy/modules/system/modutils.te
>>> b/policy/modules/system/modutils.te index 1f7bdcd..625129f 100644
>>> --- a/policy/modules/system/modutils.te
>>> +++ b/policy/modules/system/modutils.te
>>> @@ -118,7 +118,7 @@ ifdef(`init_systemd',`
>>>
>>> # for /run/tmpfiles.d/kmod.conf
>>> allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
>>> # kmod needs to create /run/tmpdiles.d
>>>
>>> - systemd_tmpfiles_creator(kmod_t)
>>> + systemd_tmpfiles_config_creator(kmod_t)
>>>
>>> init_rw_stream_sockets(kmod_t)
>>>
>>> ')
>>>
>>> diff --git a/policy/modules/system/systemd.fc
>>> b/policy/modules/system/systemd.fc index 57944e1..8bff2fa 100644
>>> --- a/policy/modules/system/systemd.fc
>>> +++ b/policy/modules/system/systemd.fc
>>> @@ -37,10 +37,16 @@
>>>
>>> /usr/lib/systemd/system/systemd-backlight.* --
>>> gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
>>> /usr/lib/systemd/system/systemd-binfmt.* --
>>> gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)>
>>> +# Systemd tmpfiles configuration
>>> +/usr/lib/tmpfiles.d(/.*)?
>>> gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) +
>>>
>>> /var/lib/systemd/backlight(/.*)?
>>> gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
>>> /var/lib/systemd/coredump(/.*)?
>>> gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
>>> /var/lib/systemd/linger(/.*)?
>>> gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)>
>>> +# Systemd tmpfiles configuration factory
>>> +/usr/share/factory(/.*)?
>>> gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
>> What is the benefit of labeling this directory and the
>> /usr/lib/tmpfiles.d one with a private type?
>> Shouldn't the read-only like usr_t type do the job?
>> Also afaik local changes should be made in /etc/tmpfiles.d
>
> The idea was to avoid just that - giving the systemd-tmpfiles access to a
> generic type. I've always felt that types are there to separate access rules.
>
> If you feel that it's not needed then I can go with usr_t instead.

Generally usr_t is for files that aren't sensitive (generally readable),
and written by the package manager. That seems to fit these files,
unless there's something I'm missing.


--
Chris PeBenito

2017-09-03 21:18:16

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/3] Add policy for systemd GPT generator

On Thu, May 18, 2017 at 9:31 PM, Krzysztof Nowicki via refpolicy
<[email protected]> wrote:
> From: Krzysztof Nowicki <[email protected]>
>
> ---
> policy/modules/system/systemd.fc | 3 +++
> policy/modules/system/systemd.te | 16 ++++++++++++++++
> 2 files changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index b32c006..57944e1 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -11,6 +11,9 @@
> /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
>
> +# Systemd generators
> +/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> +
> /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
> /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
> /usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
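Review bot: The new entry gives only systemd-gpt-auto-generator a private exec type, which is justified because it is the one generator that needs raw block-device read (see the `storage_raw_read_fixed_disk` rule later in this patch), but nothing on the `# Systemd generators` line records that, so a later contributor may assume every generator belongs under this type. Suggest `# Systemd generators; gpt-auto gets its own domain because it reads raw fixed disks`. The AVC records quoted in this thread show `scontext=system_u:system_r:initrc_t` for the generator, which suggests the remaining generators in this directory keep running in that broad domain; that is outside this patch but worth a note in the commit message.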
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 0a0b34b..eb70c77 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -48,6 +48,10 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
> type systemd_binfmt_unit_t;
> init_unit_file(systemd_binfmt_unit_t)
>
> +type systemd_gpt_generator_t;
> +type systemd_gpt_generator_exec_t;
> +init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
> +
> type systemd_cgroups_t;
> type systemd_cgroups_exec_t;
> domain_type(systemd_cgroups_t)
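Review bot: The new type declarations are inserted between the systemd_binfmt and systemd_cgroups blocks, which breaks what looks like alphabetical ordering of the declaration section (binfmt, cgroups, …); "gpt_generator" sorts after "cgroups", so the block belongs further down. The three lines themselves are fine, but a one-line comment such as `# generator run by init to create mount units from GPT partition types` would make the purpose of the domain clear without reading the policy section below.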
> @@ -194,6 +198,18 @@ files_read_etc_files(systemd_binfmt_t)
>
> fs_register_binary_executable_type(systemd_binfmt_t)
>
> +#######################################
> +#
> +# GPT auto generator local policy
> +#
> +
> +dev_read_sysfs(systemd_gpt_generator_t)
> +files_read_etc_files(systemd_gpt_generator_t)
> +fs_getattr_xattr_fs(systemd_gpt_generator_t)
> +storage_raw_read_fixed_disk(systemd_gpt_generator_t)
> +
> +systemd_log_parse_environment(systemd_gpt_generator_t)
> +
> ######################################
> #
> # Cgroups local policy
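Review bot: `storage_raw_read_fixed_disk(systemd_gpt_generator_t)` is the broadest permission in this block: it allows reading the raw block device of every fixed disk, i.e. the full contents of every partition regardless of filesystem labels, so the domain must stay as narrow as it is here and the rule deserves a why-comment, `# reads GPT headers; this is raw read of all fixed disks, keep this domain minimal`. Nothing in the hunk grants the generator write access to its output directory (/run/systemd/generator*), which it needs to emit the mount and swap units it discovers; unless `init_system_domain()` or another interface outside this hunk covers that, I would expect a denial there in enforcing mode, and the AVC records quoted in this thread were collected with `permissive=1`, so they would not have shown it. The generator also reads the kernel command line for its `root=` and `systemd.gpt_auto=` options, which `files_read_etc_files` and `dev_read_sysfs` do not cover; worth verifying with a run in enforcing mode.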
> --
> 2.10.2
>

Hi,

I am testing refpolicy in an Arch Linux virtual machine and this patch
fixes some AVC denials I got:

type=AVC msg=audit(1504472249.237:247): avc: denied { open } for
pid=1224 comm="systemd-gpt-aut" path="/dev/vda" dev="devtmpfs"
ino=7439 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
permissive=1
type=AVC msg=audit(1504472249.237:247): avc: denied { read } for
pid=1224 comm="systemd-gpt-aut" name="vda" dev="devtmpfs" ino=7439
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
permissive=1

Is there something preventing it from being merged?

Thanks,
Nicolas

2017-09-06 14:06:59

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] Add policy for systemd GPT generator

On 09/03/2017 05:18 PM, Nicolas Iooss via refpolicy wrote:
> On Thu, May 18, 2017 at 9:31 PM, Krzysztof Nowicki via refpolicy
> <[email protected]> wrote:
>> From: Krzysztof Nowicki <[email protected]>
>>
>> ---
>> policy/modules/system/systemd.fc | 3 +++
>> policy/modules/system/systemd.te | 16 ++++++++++++++++
>> 2 files changed, 19 insertions(+)
>>
>> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
>> index b32c006..57944e1 100644
>> --- a/policy/modules/system/systemd.fc
>> +++ b/policy/modules/system/systemd.fc
>> @@ -11,6 +11,9 @@
>> /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
>> /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
>>
>> +# Systemd generators
>> +/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
>> +
>> /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
>> /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
>> /usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
>> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
>> index 0a0b34b..eb70c77 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -48,6 +48,10 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
>> type systemd_binfmt_unit_t;
>> init_unit_file(systemd_binfmt_unit_t)
>>
>> +type systemd_gpt_generator_t;
>> +type systemd_gpt_generator_exec_t;
>> +init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
>> +
>> type systemd_cgroups_t;
>> type systemd_cgroups_exec_t;
>> domain_type(systemd_cgroups_t)
>> @@ -194,6 +198,18 @@ files_read_etc_files(systemd_binfmt_t)
>>
>> fs_register_binary_executable_type(systemd_binfmt_t)
>>
>> +#######################################
>> +#
>> +# GPT auto generator local policy
>> +#
>> +
>> +dev_read_sysfs(systemd_gpt_generator_t)
>> +files_read_etc_files(systemd_gpt_generator_t)
>> +fs_getattr_xattr_fs(systemd_gpt_generator_t)
>> +storage_raw_read_fixed_disk(systemd_gpt_generator_t)
>> +
>> +systemd_log_parse_environment(systemd_gpt_generator_t)
>> +
>> ######################################
>> #
>> # Cgroups local policy
>> --
>> 2.10.2
>>
>
> Hi,
>
> I am testing refpolicy in a Arch Linux virtual machine and this patch
> fixes some AVC denials I got:
>
> type=AVC msg=audit(1504472249.237:247): avc: denied { open } for
> pid=1224 comm="systemd-gpt-aut" path="/dev/vda" dev="devtmpfs"
> ino=7439 scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> permissive=1
> type=AVC msg=audit(1504472249.237:247): avc: denied { read } for
> pid=1224 comm="systemd-gpt-aut" name="vda" dev="devtmpfs" ino=7439
> scontext=system_u:system_r:initrc_t
> tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
> permissive=1
>
> Is there something preventing it from being merged?

No.


--
Chris PeBenito

2017-09-06 14:44:27

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] Add policy for systemd GPT generator

On 05/18/2017 03:31 PM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki <[email protected]>
>
> ---
> policy/modules/system/systemd.fc | 3 +++
> policy/modules/system/systemd.te | 16 ++++++++++++++++
> 2 files changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index b32c006..57944e1 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -11,6 +11,9 @@
> /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> /usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
>
> +# Systemd generators
> +/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> +
> /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
> /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
> /usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 0a0b34b..eb70c77 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -48,6 +48,10 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
> type systemd_binfmt_unit_t;
> init_unit_file(systemd_binfmt_unit_t)
>
> +type systemd_gpt_generator_t;
> +type systemd_gpt_generator_exec_t;
> +init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
> +
> type systemd_cgroups_t;
> type systemd_cgroups_exec_t;
> domain_type(systemd_cgroups_t)
> @@ -194,6 +198,18 @@ files_read_etc_files(systemd_binfmt_t)
>
> fs_register_binary_executable_type(systemd_binfmt_t)
>
> +#######################################
> +#
> +# GPT auto generator local policy
> +#
> +
> +dev_read_sysfs(systemd_gpt_generator_t)
> +files_read_etc_files(systemd_gpt_generator_t)
> +fs_getattr_xattr_fs(systemd_gpt_generator_t)
> +storage_raw_read_fixed_disk(systemd_gpt_generator_t)
> +
> +systemd_log_parse_environment(systemd_gpt_generator_t)
> +
> ######################################
> #
> # Cgroups local policy

Merged, though I moved some lines.

--
Chris PeBenito