From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 12 Feb 2017 14:25:20 -0500
Subject: [refpolicy] [PATCH] little misc patches
In-Reply-To: <20170212113832.h4damrekbuv6d4xn@athena.coker.com.au>
References: <20170212113832.h4damrekbuv6d4xn@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/12/17 06:38, Russell Coker via refpolicy wrote:
> This is a bunch of minor fixes that I split out from another patch which also
> has some of the interfaces needed for the systemd core patch I sent a few
> days ago (which is why that one didn't work).
>
> After we get this one done I'll create a patch set for systemd that should
> make pebenito happy. ;)
>
> Fix some minor labelling issues for init.
>
> Make lots of things optional_policy to allow more modular builds.
>
> Remove the sysadm_shell_domtrans(init_t) line, it causes problems with systemd
> as well as upstart.
>
> Allow kerneloops_t to read /proc/cpuinfo etc
>
> make xserver_create_xdm_tmp_socket() also allow unlinking the socket in
> question
>
>
> Index: refpolicy-2.20170212/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170212/policy/modules/system/init.fc
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
> /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
> ')
>
> +/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
>
> /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
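Review bot: The first added line, `/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)`, labels every regular file directly under /usr/lib/systemd as init_exec_t, and since init_exec_t is the entrypoint type for init_t this makes any helper placed in that directory a valid entrypoint into the init domain, not only the binaries that actually run as init. A pattern restricted to the programs that need it (for example a constructed `/usr/lib/systemd/systemd(-[^/]*)? -- gen_context(system_u:object_r:init_exec_t,s0)`, adjusted to the real file list) would keep the init entrypoint set narrow, and a comment above the system-generators line saying that generators are executed by systemd itself would explain why that directory gets the same type. If other modules already label specific files under /usr/lib/systemd with their own exec types, this catch-all relies on file-context specificity ordering to lose to them, which is worth confirming rather than assuming.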
> @@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
> /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)

This doesn't seem right. Then if you don't have XDM, regular users can't run startx.

> +/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
>
> ifdef(`distro_gentoo', `
> /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
> Index: refpolicy-2.20170212/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170212/policy/modules/system/logging.te
> @@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
>
> init_dontaudit_use_fds(auditctl_t)
>
> -locallogin_dontaudit_use_fds(auditctl_t)
> +optional_policy(`
> + locallogin_dontaudit_use_fds(auditctl_t)
> +')

This new optional should be moved down with the other auditctl_t ones, above the mta_send_mail().

> logging_set_audit_parameters(auditctl_t)
> logging_send_syslog_msg(auditctl_t)
> @@ -565,6 +567,8 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(syslogd_t)
> + # for systemd-journal to read seat data from /run/udev/data
> + udev_read_pid_files(syslogd_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170212/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170212/policy/modules/system/lvm.te
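Review bot: The added `udev_read_pid_files(syslogd_t)` in the second logging.te hunk grants the access to every daemon that runs as syslogd_t, while its own comment says it is needed so that systemd-journal can read seat data; the lvm.te hunk has the same shape with `dev_write_kmsg(lvm_t)` justified only by systemd-cryptsetup. If the access is only required on systemd-based systems, wrapping each rule in `ifdef(`init_systemd',`` … `')`, as init.te already does for its systemd-specific rules, would keep non-systemd syslog and lvm domains from gaining it; if journald and cryptsetup are expected to be the only programs that exercise it regardless of init system, the comments could say so explicitly. Both hunks are complete within the patch, so the placement of such an ifdef is straightforward.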
> @@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
> init_use_script_ptys(lvm_t)
> init_read_script_state(lvm_t)
>
> +# for systemd-cryptsetup
> +dev_write_kmsg(lvm_t)
> +
> logging_send_syslog_msg(lvm_t)
>
> miscfiles_read_localization(lvm_t)
> Index: refpolicy-2.20170212/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170212/policy/modules/system/selinuxutil.te
> @@ -343,7 +343,9 @@ files_relabel_non_auth_files(restorecond
> files_read_non_auth_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> -locallogin_dontaudit_use_fds(restorecond_t)
> +optional_policy(`
> + locallogin_dontaudit_use_fds(restorecond_t)
> +')

This optional should move down to the above the optional with rpm_use_script_fds().

> logging_send_syslog_msg(restorecond_t)
>
> @@ -482,7 +484,9 @@ term_use_all_terms(semanage_t)
> # Running genhomedircon requires this for finding all users
> auth_use_nsswitch(semanage_t)
>
> -locallogin_use_fds(semanage_t)
> +optional_policy(`
> + locallogin_use_fds(semanage_t)
> +')

This new optional should go down after the distro_ubuntu block.

> logging_send_syslog_msg(semanage_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20170212/policy/modules/system/sysnetwork.te
> @@ -145,7 +145,9 @@ logging_send_syslog_msg(dhcpc_t)
>
> miscfiles_read_localization(dhcpc_t)
>
> -modutils_run_insmod(dhcpc_t, dhcpc_roles)
> +optional_policy(`
> + modutils_run_insmod(dhcpc_t, dhcpc_roles)
> +')

This new optional should go down above the netutil_run*(dhcpc_t) optional block.

> sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
>
> @@ -333,7 +335,9 @@ logging_send_syslog_msg(ifconfig_t)
>
> miscfiles_read_localization(ifconfig_t)
>
> -modutils_domtrans_insmod(ifconfig_t)
> +optional_policy(`
> + modutils_domtrans_insmod(ifconfig_t)
> +')

This new optional should go down after the ipsec_*() optional block.

> seutil_use_runinit_fds(ifconfig_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170212/policy/modules/system/init.te
> @@ -304,10 +304,6 @@ ifdef(`init_systemd',`
> ',`
> tunable_policy(`init_upstart',`
> corecmd_shell_domtrans(init_t, initrc_t)
> - ',`
> - # Run the shell in the sysadm role for single-user mode.
> - # causes problems with upstart
> - sysadm_shell_domtrans(init_t)

I don't think we want to remove this, as it will impact sysvinit, which Gentoo still uses.

> ')
> ')
>
> @@ -561,8 +557,10 @@ miscfiles_read_localization(initrc_t)
> # slapd needs to read cert files from its initscript
> miscfiles_read_generic_certs(initrc_t)
>
> -modutils_read_module_config(initrc_t)
> -modutils_domtrans_insmod(initrc_t)
> +optional_policy(`
> + modutils_read_module_config(initrc_t)
> + modutils_domtrans_insmod(initrc_t)
> +')

This new optional should much farther down, between the mailman and mta optional blocks.

> seutil_read_config(initrc_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170212/policy/modules/system/udev.te
> @@ -56,6 +56,7 @@ allow udev_t self:unix_stream_socket con
> allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow udev_t self:netlink_generic_socket create_socket_perms;
> allow udev_t self:rawip_socket create_socket_perms;
> +fs_read_cgroup_files(udev_t)

The should go down with the other fs_* calls.

> allow udev_t udev_exec_t:file write;
> can_exec(udev_t, udev_exec_t)
> @@ -82,6 +83,8 @@ files_pid_filetrans(udev_t, udev_var_run
> kernel_load_module(udev_t)
> kernel_read_system_state(udev_t)
> kernel_request_load_module(udev_t)
> +# systemd-udevd needs kernel_load_module
> +kernel_load_module(udev_t)

This rule is already in, at the top of the hunk actually :)

> kernel_getattr_core_if(udev_t)
> kernel_use_fds(udev_t)
> kernel_read_device_sysctls(udev_t)
> Index: refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/contrib/kerneloops.te
> +++ refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
> @@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
> files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
>
> kernel_read_ring_buffer(kerneloops_t)
> +kernel_read_system_state(kerneloops_t)
>
> domain_use_interactive_fds(kerneloops_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20170212/policy/modules/system/locallogin.te
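Review bot: The added `kernel_read_system_state(kerneloops_t)` in the kerneloops.te hunk carries no comment, unlike the other additions in this series, and the cover letter only says it is for /proc/cpuinfo "etc"; the interface grants read access to the general /proc system state, which is considerably more than one file. A why-comment above the rule, `# for /proc/cpuinfo and related system info`, in the style of `# for systemd-cryptsetup` in the lvm.te hunk, would record the motivation for whoever audits kerneloops_t later, and if cpuinfo really is the only file needed it is worth checking whether a narrower existing interface covers it before granting the broader one.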
> @@ -62,6 +62,8 @@ kernel_link_key(local_login_t)
>
> corecmd_list_bin(local_login_t)
> corecmd_read_bin_symlinks(local_login_t)
> +# for /bin/uname
> +corecmd_exec_bin(local_login_t)

Why would /bin/login run uname?

> # cjp: these are probably not needed:
> corecmd_read_bin_files(local_login_t)
> corecmd_read_bin_pipes(local_login_t)
> Index: refpolicy-2.20170212/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170212/policy/modules/services/xserver.if
> @@ -913,7 +913,7 @@ interface(`xserver_setattr_xdm_tmp_dirs'
>
> ########################################
> ##
> -## Create a named socket in a XDM
> +## Create and unlink a named socket in a XDM
> ## temporary directory.
> ##
>
> @@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
> files_search_tmp($1)
> allow $1 xdm_tmp_t:dir list_dir_perms;
> create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
> + allow $1 xdm_tmp_t:sock_file unlink;

This should be a new interface, as callers won't expect the unlink access from a "create" interface.

--
Chris PeBenito