From: justinmattock@yahoo.com (Justin Mattock) Date: Fri, 23 Sep 2011 07:54:13 -0700 (PDT) Subject: [refpolicy] [RFC V2 2/2] Rebase systemd for mainline policy. Message-ID: <1316789653.91763.YahooMailNeo@web114302.mail.gq1.yahoo.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com >From 6bc3327eee3ba5070b1f3beb424e2539727a7042 Mon Sep 17 00:00:00 2001 From: "Justin P. Mattock" Date: Fri, 23 Sep 2011 07:03:33 -0700 Subject: [RFC V2 2/2]Rebase systemd for mainline policy CONTRIB NOTE: I pulled this directory, rather than using the regular commands for the contrib files. The patch below is a try at trying to adopt(rebase) systemd from fedoras policy to the mainline policy. I am able to build all the way through this time(NOTE: the first patch I sent out, I was able to build through only once, telling me that I must have done something wrong along the way). NOTE:Keep in mind that this is a _work in progress_ I am able to compile all the way, and install, but am hit with an error while loading the policy: ?libsepol.permission_copy_callback: Module abrt depends on permission all_service_perms in class service, not satisfied (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). /usr/sbin/semodule:? Failed! make: *** [load] Error 1 once I finish other tasks, and have the time I will have a try at this build error. If you are interested, feel free to hack away at this, and add anything that gets this working properly. Signed-off-by: Justin P. Mattock --- ?apache.fc???? |??? 2 ++ ?apache.if???? |?? 27 +++++++++++++++++++++++++++ ?apache.te???? |?? 10 ++++++++++ ?apt.te??????? |??? 6 +++++- ?chronyd.fc??? |??? 2 ++ ?chronyd.if??? |?? 22 ++++++++++++++++++++++ ?chronyd.te??? |??? 3 +++ ?consolekit.te |??? 2 ++ ?cron.if?????? |?? 21 +++++++++++++++++++++ ?cron.te?????? |??? 5 +++++ ?dbus.te?????? |??? 9 +++++++++ ?gnomeclock.te |??? 9 +++++++++ ?logrotate.te? |??? 2 ++ ?nis.fc??????? |??? 5 +++++ ?nis.if??????? |?? 21 +++++++++++++++++++++ ?nis.te??????? |??? 6 ++++++ ?ntp.fc??????? |??? 2 ++ ?ntp.if??????? |?? 40 ++++++++++++++++++++++++++++++++++++++++ ?ntp.te??????? |??? 3 +++ ?prelink.te??? |??? 2 ++ ?readahead.fc? |??? 4 ++++ ?readahead.if? |?? 23 +++++++++++++++++++++++ ?readahead.te? |??? 3 +++ ?shutdown.if?? |??? 5 +++++ ?24 files changed, 233 insertions(+), 1 deletions(-) diff --git a/apache.fc b/apache.fc index 9e39aa5..0a7a941 100644 --- a/apache.fc +++ b/apache.fc @@ -16,6 +16,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u ?/etc/vhosts??? ??? ??? --??? gen_context(system_u:object_r:httpd_config_t,s0) ?/etc/zabbix/web(/.*)???? ??? ??? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ? +/lib/systemd/system/httpd.?\.service? --????????????? gen_context(system_u:object_r:httpd_unit_t,s0) + ?/srv/([^/]*/)?www(/.*)???? ??? ??? gen_context(system_u:object_r:httpd_sys_content_t,s0) ?/srv/gallery2(/.*)???? ??? ??? gen_context(system_u:object_r:httpd_sys_content_t,s0) ? diff --git a/apache.if b/apache.if index 6480167..6cc0792 100644 --- a/apache.if +++ b/apache.if @@ -1216,3 +1216,30 @@ interface(`apache_admin',` ???? admin_pattern($1, httpd_php_tmp_t) ???? admin_pattern($1, httpd_suexec_tmp_t) ?') + +######################################## +## +##??? Allow the specified domain to delete +##??? apache system content rw files. +## +## +##??? +##??? Domain allowed access. +##??? +## +## +# +interface(`apache_delete_sys_content_rw',` +??? gen_require(` +??? ??? type httpd_sys_rw_content_t; +??? ') + +??? files_search_tmp($1) +??? delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +??? delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +??? delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +??? delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +??? delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + + diff --git a/apache.te b/apache.te index 5b02edb..b492d17 100644 --- a/apache.te +++ b/apache.te @@ -177,6 +177,9 @@ role system_r types httpd_helper_t; ?type httpd_initrc_exec_t; ?init_script_file(httpd_initrc_exec_t) ? +type httpd_unit_t; +systemd_unit_file(httpd_unit_t) + ?type httpd_lock_t; ?files_lock_file(httpd_lock_t) ? @@ -899,3 +902,10 @@ tunable_policy(`httpd_enable_homedirs',` ???? userdom_search_user_home_dirs(httpd_suexec_t) ???? userdom_search_user_home_dirs(httpd_user_script_t) ?') + +######################################## +# +# httpd_passwd local policy +# + +systemd_passwd_agent_dev_template(httpd) diff --git a/apt.te b/apt.te index 4044710..4bfdda8 100644 --- a/apt.te +++ b/apt.te @@ -7,7 +7,11 @@ policy_module(apt, 1.6.0) ? ?type apt_t; ?type apt_exec_t; -init_system_domain(apt_t, apt_exec_t) +#init_system_domain(apt_t, apt_exec_t) + +# not sure why I was hitting an error here to make me do the below. +init_daemon_domain(apt_t, apt_exec_t) + ?domain_system_change_exemption(apt_t) ?role system_r types apt_t; ? diff --git a/chronyd.fc b/chronyd.fc index fd8cd0b..68fc39d 100644 --- a/chronyd.fc +++ b/chronyd.fc @@ -2,6 +2,8 @@ ? ?/etc/rc\.d/init\.d/chronyd??? --??? gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) ? +/etc/rc\.d/init\.d/chronyd??? --??? gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) + ?/usr/sbin/chronyd??? ??? --??? gen_context(system_u:object_r:chronyd_exec_t,s0) ? ?/var/lib/chrony(/.*)???? ??? ??? gen_context(system_u:object_r:chronyd_var_lib_t,s0) diff --git a/chronyd.if b/chronyd.if index 9a0da94..95b7f32 100644 --- a/chronyd.if +++ b/chronyd.if @@ -103,3 +103,25 @@ interface(`chronyd_admin',` ???? files_search_tmp($1) ???? admin_pattern($1, chronyd_tmp_t) ?') + +######################################## +## +##??? Execute chronyd server in the chronyd domain. +## +## +##??? +##??? Domain allowed to transition. +##??? +## +# +interface(`chronyd_systemctl',` +??? gen_require(` +??? ??? type chronyd_unit_t; +??? ') + +??? systemd_exec_systemctl($1) +??? systemd_search_unit_dirs($1) +??? allow $1 chronyd_unit_t:file read_file_perms; +??? allow $1 chronyd_unit_t:service all_service_perms; +') + diff --git a/chronyd.te b/chronyd.te index fa82327..d36ad29 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) ?type chronyd_var_lib_t; ?files_type(chronyd_var_lib_t) ? +type chronyd_unit_t; +systemd_unit_file(chronyd_unit_t) + ?type chronyd_var_log_t; ?logging_log_file(chronyd_var_log_t) ? diff --git a/consolekit.te b/consolekit.te index 42ed6a6..046514c 100644 --- a/consolekit.te +++ b/consolekit.te @@ -69,6 +69,8 @@ logging_send_audit_msgs(consolekit_t) ? ?miscfiles_read_localization(consolekit_t) ? +systemd_exec_systemctl(consolekit_t) + ?userdom_dontaudit_read_user_home_content_files(consolekit_t) ?userdom_read_user_tmp_files(consolekit_t) ? diff --git a/cron.if b/cron.if index 35241ed..f73d8c1 100644 --- a/cron.if +++ b/cron.if @@ -377,6 +377,27 @@ interface(`cron_read_pipes',` ? ?######################################## ?## +##??? Send and receive messages from +##??? crond over dbus. +## +## +##??? +##??? Domain allowed access. +##??? +## +# +interface(`cron_dbus_chat_crond',` +??? gen_require(` +??? ??? type crond_t; +??? ??? class dbus send_msg; +??? ') + +??? allow $1 crond_t:dbus send_msg; +??? allow crond_t $1:dbus send_msg; +') + +######################################## +## ?##??? Do not audit attempts to write cron daemon unnamed pipes. ?## ?## diff --git a/cron.te b/cron.te index f22d27c..4733c0a 100644 --- a/cron.te +++ b/cron.te @@ -286,6 +286,11 @@ optional_policy(` ?') ? ?optional_policy(` +??? systemd_use_fds_logind(crond_t) +??? systemd_write_inherited_logind_sessions_pipes(crond_t) +') + +optional_policy(` ???? udev_read_db(crond_t) ?') ? diff --git a/dbus.te b/dbus.te index 7ef5158..e4b3226 100644 --- a/dbus.te +++ b/dbus.te @@ -151,12 +151,21 @@ optional_policy(` ?') ? ?optional_policy(` +??? systemd_use_fds_logind(system_dbusd_t) +??? systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) +') + +optional_policy(` ???? udev_read_db(system_dbusd_t) ?') ? + + ?######################################## ?# ?# Unconfined access to this module ?# ? ?allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; + + diff --git a/gnomeclock.te b/gnomeclock.te index 4fde46b..db21911 100644 --- a/gnomeclock.te +++ b/gnomeclock.te @@ -9,6 +9,8 @@ type gnomeclock_t; ?type gnomeclock_exec_t; ?dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ? +systemd_systemctl_domain(gnomeclock) + ?######################################## ?# ?# gnomeclock local policy @@ -44,3 +46,10 @@ optional_policy(` ???? policykit_read_lib(gnomeclock_t) ???? policykit_read_reload(gnomeclock_t) ?') + +####################################### +# +# gnomeclock systemctl local policy +# + +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t) diff --git a/logrotate.te b/logrotate.te index 7090dae..eb62def 100644 --- a/logrotate.te +++ b/logrotate.te @@ -116,6 +116,8 @@ miscfiles_read_localization(logrotate_t) ? ?seutil_dontaudit_read_config(logrotate_t) ? +systemd_exec_systemctl(logrotate_t) + ?userdom_use_user_terminals(logrotate_t) ?userdom_list_user_home_dirs(logrotate_t) ?userdom_use_unpriv_users_fds(logrotate_t) diff --git a/nis.fc b/nis.fc index 15448d5..7b1b312 100644 --- a/nis.fc +++ b/nis.fc @@ -19,3 +19,8 @@ ?/var/run/ypbind.*??? --??? gen_context(system_u:object_r:ypbind_var_run_t,s0) ?/var/run/ypserv.*??? --??? gen_context(system_u:object_r:ypserv_var_run_t,s0) ?/var/run/yppass.*??? --??? gen_context(system_u:object_r:yppasswdd_var_run_t,s0) + +/lib/systemd/system/ypbind\.service??? --??? gen_context(system_u:object_r:ypbind_unit_t,s0) +/lib/systemd/system/ypserv\.service??? --??? gen_context(system_u:object_r:nis_unit_t,s0) +/lib/systemd/system/yppasswdd\.service??? --??? gen_context(system_u:object_r:nis_unit_t,s0) +/lib/systemd/system/ypxfrd\.service??? --??? gen_context(system_u:object_r:nis_unit_t,s0) diff --git a/nis.if b/nis.if index abe3f7f..493b74e 100644 --- a/nis.if +++ b/nis.if @@ -337,6 +337,27 @@ interface(`nis_initrc_domtrans_ypbind',` ? ?######################################## ?## +##??? Execute ypbind server in the ypbind domain. +## +## +##??? +##??? Domain allowed to transition. +##??? +## +# +interface(`nis_systemctl_ypbind',` +??? gen_require(` +??? ??? type ypbind_unit_t; +??? ') + +??? systemd_exec_systemctl($1) +??? systemd_search_unit_dirs($1) +??? allow $1 ypbind_unit_t:file read_file_perms; +??? allow $1 ypbind_unit_t:service all_service_perms; +') + +######################################## +## ?##??? All of the rules required to administrate ?##??? an nis environment ?## diff --git a/nis.te b/nis.te index 4876cae..d56cccf 100644 --- a/nis.te +++ b/nis.te @@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t) ?type ypbind_var_run_t; ?files_pid_file(ypbind_var_run_t) ? +type ypbind_unit_t; +systemd_unit_file(ypbind_unit_t) + ?type yppasswdd_t; ?type yppasswdd_exec_t; ?init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) @@ -52,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) ?type ypxfr_var_run_t; ?files_pid_file(ypxfr_var_run_t) ? +type nis_unit_t; +systemd_unit_file(nis_unit_t) + ?######################################## ?# ?# ypbind local policy diff --git a/ntp.fc b/ntp.fc index e79dccc..50202ef 100644 --- a/ntp.fc +++ b/ntp.fc @@ -10,6 +10,8 @@ ? ?/etc/rc\.d/init\.d/ntpd??? ??? --??? gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) ? +/lib/systemd/system/ntpd\.service?????????????? --????? gen_context(system_u:object_r:ntpd_unit_file_t,s0) + ?/usr/sbin/ntpd??? ??? ??? --??? gen_context(system_u:object_r:ntpd_exec_t,s0) ?/usr/sbin/ntpdate??? ??? --??? gen_context(system_u:object_r:ntpdate_exec_t,s0) ? diff --git a/ntp.if b/ntp.if index e80f8c0..1bfce3d 100644 --- a/ntp.if +++ b/ntp.if @@ -163,3 +163,43 @@ interface(`ntp_admin',` ???? files_list_pids($1) ???? admin_pattern($1, ntpd_var_run_t) ?') + +##################################### +## +##????? Allow domain to read ntpd systemd unit files. +## +## +##????? +##????? Domain allowed access. +##????? +## +# +interface(`ntp_read_unit_file',` +??????? gen_require(` +??????????????? type ntpd_unit_file_t; +??????? ') + +??????? files_search_var_lib($1) +??????? allow $1 ntpd_unit_file_t:file read_file_perms; +') + +######################################## +## +##??? Execute ntpd server in the ntpd domain. +## +## +##??? +##??? Domain allowed to transition. +##??? +## +# +interface(`ntp_systemctl',` +??? gen_require(` +??? ??? type ntpd_unit_t; +??? ') + +??? systemd_exec_systemctl($1) +??? systemd_search_unit_dirs($1) +??? allow $1 ntpd_unit_t:file read_file_perms; +??? allow $1 ntpd_unit_t:service all_service_perms; +') diff --git a/ntp.te b/ntp.te index c61adc8..7ba1783 100644 --- a/ntp.te +++ b/ntp.te @@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t) ?type ntpd_initrc_exec_t; ?init_script_file(ntpd_initrc_exec_t) ? +type ntpd_unit_file_t; +systemd_unit_file(ntpd_unit_file_t) + ?type ntpd_key_t; ?files_type(ntpd_key_t) ? diff --git a/prelink.te b/prelink.te index af55369..1e2a468 100644 --- a/prelink.te +++ b/prelink.te @@ -98,6 +98,8 @@ libs_delete_lib_symlinks(prelink_t) ? ?miscfiles_read_localization(prelink_t) ? +systemd_read_unit_files(prelink_t) + ?userdom_use_user_terminals(prelink_t) ? ?optional_policy(` diff --git a/readahead.fc b/readahead.fc index 7077413..6bc0fa8 100644 --- a/readahead.fc +++ b/readahead.fc @@ -1,3 +1,7 @@ ?/usr/sbin/readahead.*??? --??? gen_context(system_u:object_r:readahead_exec_t,s0) ?/sbin/readahead.*??? --??? gen_context(system_u:object_r:readahead_exec_t,s0) ?/var/lib/readahead(/.*)???? gen_context(system_u:object_r:readahead_var_lib_t,s0) +/lib/systemd/systemd-readahead.*??? --??? gen_context(system_u:object_r:readahead_exec_t,s0) + +/dev/\.systemd/readahead(/.*)???? gen_context(system_u:object_r:readahead_var_run_t,s0) +/var/run/systemd/readahead(/.*)?? gen_context(system_u:object_r:readahead_var_run_t,s0) diff --git a/readahead.if b/readahead.if index 47c4723..9a0b9d1 100644 --- a/readahead.if +++ b/readahead.if @@ -1 +1,24 @@ ?## Readahead, read files into page cache for improved performance +######################################## +## +##??? Manage readahead var_run files. +## +## +##??? +##??? Domain allowed access. +##??? +## +# +interface(`readahead_manage_pid_files',` +??? gen_require(` +??? ??? type readahead_var_run_t; +??? ') + +??? manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t) +??? manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t) +??? dev_filetrans($1, readahead_var_run_t, { dir? file }) +??? init_pid_filetrans($1, readahead_var_run_t, { dir file }) +??? files_search_pids($1)??? +??? init_search_pid_dirs($1) +') + diff --git a/readahead.te b/readahead.te index b4ac57e..0adb060 100644 --- a/readahead.te +++ b/readahead.te @@ -82,11 +82,14 @@ auth_dontaudit_read_shadow(readahead_t) ?init_use_fds(readahead_t) ?init_use_script_ptys(readahead_t) ?init_getattr_initctl(readahead_t) +# needs to write to /run/systemd/notify +init_write_pid_socket(readahead_t) ? ?logging_send_syslog_msg(readahead_t) ?logging_set_audit_parameters(readahead_t) ?logging_dontaudit_search_audit_config(readahead_t) ? + ?miscfiles_read_localization(readahead_t) ? ?userdom_dontaudit_use_unpriv_user_fds(readahead_t) diff --git a/shutdown.if b/shutdown.if index d0604cf..329a7f1 100644 --- a/shutdown.if +++ b/shutdown.if @@ -18,6 +18,11 @@ interface(`shutdown_domtrans',` ???? corecmd_search_bin($1) ???? domtrans_pattern($1, shutdown_exec_t, shutdown_t) ? +??? optional_policy(` +??? ??? systemd_exec_systemctl($1) +??? ??? init_stream_connect($1) +??? ') + ???? ifdef(`hide_broken_symptoms', ` ???? ??? dontaudit shutdown_t $1:socket_class_set { read write }; ???? ??? dontaudit shutdown_t $1:fifo_file { read write }; -- 1.7.6.2