From: russell@coker.com.au (Russell Coker) Date: Tue, 14 Feb 2017 17:41:40 +1100 Subject: [refpolicy] [PATCH] dpkg related patches Message-ID: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch has all the latest dpkg.te policy taken from several patch files in the Debian package so there's more rules than the previous patch I sent. It also has init.if, unconfined.if, and dirmngr.if changes for dpkg systemd support and changing password support, the interfaces in question are also used by other modules in my tree, I'll send patches for that later. It removes the TODO block discussed previously as well as some other access that dpkg_t no longer needs. It allows bootloader_t to read dpkg and apt configuration due to Debian scripts for configuring kernels running as bootloader_t and needing access to the package configuration. There is a change to usermanage.te to support dpkg creating users and setting passwords etc (passwd -L etc). There is a change to userdomain.te to allow regular users to list the packages installed. This is mainly for dpkg-buildpackage but there's lots of other reasons to allow this. Finally I made some adjtime references optional, as I needed to do that to make the policy even build for me. Please apply this to git. Index: refpolicy-2.20170214/policy/modules/contrib/dpkg.te =================================================================== --- refpolicy-2.20170214.orig/policy/modules/contrib/dpkg.te +++ refpolicy-2.20170214/policy/modules/contrib/dpkg.te @@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri domain_interactive_fd(dpkg_script_t) role dpkg_roles types dpkg_script_t; +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) +domain_entry_file(dpkg_script_t, dpkg_var_lib_t) + type dpkg_script_tmp_t; files_tmp_file(dpkg_script_tmp_t) 
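Review bot: `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)` turns every file labelled dpkg_var_lib_t into an entrypoint for dpkg_script_t, yet that type also covers the dpkg database that dpkg_t writes and that `dpkg_read_db` consumers read, not only the maintainer scripts under info/. Since `dpkg_domtrans_script(dpkg_t)` in the next hunk already transitions on a dedicated executable type, the narrower fix is to label the maintainer scripts with that type in dpkg.fc and drop this pair; if that is impossible because dpkg unpacks them into the database directory, record it in a comment above the rule, e.g. `# maintainer scripts live in /var/lib/dpkg/info and share the db label`. Note also that `spec_domtrans_pattern` only takes effect when dpkg itself requests the transition (setexeccon), which presumes a `setexec` permission for dpkg_t that this hunk does not show — worth confirming.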
@@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var kernel_read_system_state(dpkg_t) kernel_read_kernel_sysctls(dpkg_t) -corecmd_exec_all_executables(dpkg_t) - corenet_all_recvfrom_unlabeled(dpkg_t) corenet_all_recvfrom_netlabel(dpkg_t) corenet_tcp_sendrecv_generic_if(dpkg_t) @@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t) userdom_use_user_terminals(dpkg_t) userdom_use_unpriv_users_fds(dpkg_t) +userdom_use_all_users_fds(dpkg_t) dpkg_domtrans_script(dpkg_t) @@ -176,18 +178,10 @@ optional_policy(` unconfined_domain(dpkg_t) ') -# TODO: the following was copied from dpkg_script_t, and could probably -# be removed again when dpkg_script_t is actually used... -domain_signal_all_domains(dpkg_t) -domain_signull_all_domains(dpkg_t) -files_read_etc_runtime_files(dpkg_t) -files_exec_usr_files(dpkg_t) -miscfiles_read_localization(dpkg_t) -modutils_run_depmod(dpkg_t, dpkg_roles) -modutils_run_insmod(dpkg_t, dpkg_roles) -seutil_run_loadpolicy(dpkg_t, dpkg_roles) -seutil_run_setfiles(dpkg_t, dpkg_roles) -userdom_use_all_users_fds(dpkg_t) +optional_policy(` + modutils_run_depmod(dpkg_t, dpkg_roles) + modutils_run_insmod(dpkg_t, dpkg_roles) +') optional_policy(` mta_send_mail(dpkg_t) @@ -202,8 +196,8 @@ optional_policy(` # Script Local policy # -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setfcap setgid setuid net_admin ipc_lock sys_ptrace sys_chroot sys_nice mknod setfcap }; +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; allow dpkg_script_t self:fd use; allow dpkg_script_t self:fifo_file rw_fifo_file_perms; allow dpkg_script_t self:unix_dgram_socket create_socket_perms; 
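Review bot: The new capability set for dpkg_script_t lists `setfcap` twice and adds `sys_ptrace`, `net_admin` and `audit_write` with nothing recording which maintainer-script operation needs them, while removing `setfscreate` from the `~{ … }` negation silently grants that permission as well. Drop the second `setfcap` and put a why-comment above the rule, e.g. `# audit_write + netlink_audit_socket: PAM/shadow tools emit audit records; sys_ptrace, net_admin, setfscreate: <script that triggered the AVC>`, filled in from the denial that motivated each one. Anything that was added speculatively rather than from a denial is better left out: dpkg_script_t already carries `files_manage_non_auth_files`, so every extra capability widens what a malicious or compromised package script can reach.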
@@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_ allow dpkg_script_t self:sem create_sem_perms; allow dpkg_script_t self:msgq create_msgq_perms; allow dpkg_script_t self:msg { send receive }; +allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow dpkg_script_t self:udp_socket create_socket_perms; allow dpkg_script_t dpkg_tmp_t:file read_file_perms; @@ -231,8 +227,10 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s kernel_read_kernel_sysctls(dpkg_script_t) kernel_read_system_state(dpkg_script_t) +auth_manage_shadow(dpkg_script_t) corecmd_exec_all_executables(dpkg_script_t) +dev_null_manage_service(dpkg_script_t) dev_list_sysfs(dpkg_script_t) # Use named file transition to fix this # dev_manage_generic_blk_files(dpkg_script_t) @@ -267,17 +265,26 @@ selinux_compute_access_vector(dpkg_scrip selinux_compute_create_context(dpkg_script_t) selinux_compute_relabel_context(dpkg_script_t) selinux_compute_user_contexts(dpkg_script_t) +selinux_read_policy(dpkg_script_t) storage_raw_read_fixed_disk(dpkg_script_t) storage_raw_write_fixed_disk(dpkg_script_t) term_use_all_terms(dpkg_script_t) -auth_dontaudit_getattr_shadow(dpkg_script_t) files_manage_non_auth_files(dpkg_script_t) init_all_labeled_script_domtrans(dpkg_script_t) +init_get_generic_units_status(dpkg_script_t) init_use_script_fds(dpkg_script_t) +init_status(dpkg_script_t) +init_start_generic_units(dpkg_script_t) +init_stop_generic_units(dpkg_script_t) +init_reload(dpkg_script_t) +init_system_stop(dpkg_script_t) +init_telinit(dpkg_script_t) +initrc_manage_service(dpkg_script_t) +init_script_service_restart(dpkg_script_t) libs_exec_ld_so(dpkg_script_t) libs_exec_lib_files(dpkg_script_t) 
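Review bot: `auth_manage_shadow(dpkg_script_t)` replaces a dontaudit-getattr on shadow with create/write/delete access to /etc/shadow for every package maintainer script, which bypasses the passwd_t transition this same patch adds with `usermanage_domtrans_passwd`. If the need is adduser/useradd/chpasswd in postinst scripts, the refpolicy way is the matching `usermanage_*` domtrans so the shadow write happens in the tool's own domain; if some script edits shadow directly, name it in a comment above the rule, `# <pkg> postinst rewrites /etc/shadow directly`, so the grant can be revisited. The dpkg_script_t local policy section continues beyond this hunk.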
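Review bot: `init_telinit(dpkg_script_t)` together with `init_system_stop` lets any maintainer script change runlevel or stop the init system, which is much wider than the per-unit start/stop/status/reload that `init_start_generic_units`, `init_stop_generic_units`, `initrc_manage_service` and `init_script_service_restart` in the same hunk already provide for invoke-rc.d/systemctl. If telinit is only needed for something like `telinit u` after an init upgrade, a comment above the rule saying so justifies it; otherwise consider dropping both and letting the unit-level interfaces carry the load. The unit-level interfaces also appear to overlap: if initrc_exec_t carries init_script_file_type (as `init_script_file()` would give it), `initrc_manage_service` is a strict subset of `init_script_service_restart` and one of the two can go.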
@@ -287,13 +294,20 @@ logging_send_syslog_msg(dpkg_script_t) miscfiles_read_localization(dpkg_script_t) -modutils_run_depmod(dpkg_script_t, dpkg_roles) -modutils_run_insmod(dpkg_script_t, dpkg_roles) +optional_policy(` + dirmngr_service_manage(dpkg_script_t) +') + +optional_policy(` + modutils_run_depmod(dpkg_script_t, dpkg_roles) + modutils_run_insmod(dpkg_script_t, dpkg_roles) +') seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) seutil_run_setfiles(dpkg_script_t, dpkg_roles) userdom_use_all_users_fds(dpkg_script_t) +usermanage_domtrans_passwd(dpkg_script_t) tunable_policy(`allow_execmem',` allow dpkg_script_t self:process execmem; @@ -317,6 +331,11 @@ optional_policy(` ') optional_policy(` + systemd_logind_read_process_state(dpkg_script_t) + systemd_dbus_chat_logind(dpkg_script_t) +') + +optional_policy(` unconfined_domain(dpkg_script_t) ') Index: refpolicy-2.20170214/policy/modules/admin/bootloader.te =================================================================== --- refpolicy-2.20170214.orig/policy/modules/admin/bootloader.te +++ refpolicy-2.20170214/policy/modules/admin/bootloader.te @@ -149,6 +149,11 @@ ifdef(`distro_debian',` fstools_relabelto_entry_files(bootloader_t) libs_relabelto_lib_files(bootloader_t) + + # for apt-cache + dpkg_read_db(bootloader_t) + apt_read_db(bootloader_t) + apt_read_cache(bootloader_t) ') ifdef(`distro_redhat',` Index: refpolicy-2.20170214/policy/modules/admin/usermanage.te =================================================================== --- refpolicy-2.20170214.orig/policy/modules/admin/usermanage.te +++ refpolicy-2.20170214/policy/modules/admin/usermanage.te 
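Review bot: `usermanage_domtrans_passwd(dpkg_script_t)` sets up the transition into passwd_t but not the role allow for dpkg_roles, which is why this same patch has to add passwd_t to unconfined_r over in usermanage.te. Refpolicy already has `usermanage_run_passwd(dpkg_script_t, dpkg_roles)` for exactly this case: it does the domtrans plus the role allow for the caller's roles, so maintainer scripts can run passwd from whichever role dpkg was invoked in, and the hard-coded unconfined_r change becomes unnecessary. The new `dirmngr_service_manage` block is fine but would read better with a one-line trigger comment, e.g. `# dirmngr postinst restarts its service`.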
@@ -360,6 +360,12 @@ optional_policy(` nscd_run(passwd_t, passwd_roles) ') +optional_policy(` + # for dpkg to create users + permit_in_unconfined_r(passwd_t) + unconfined_use_fds(passwd_t) +') + ######################################## # # Password admin local policy Index: refpolicy-2.20170214/policy/modules/system/init.if =================================================================== --- refpolicy-2.20170214.orig/policy/modules/system/init.if +++ refpolicy-2.20170214/policy/modules/system/init.if @@ -809,6 +809,42 @@ interface(`init_udp_send',` ######################################## ## +## start service (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_system_start',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system start; +') + +######################################## +## +## stop service (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_system_stop',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system stop; +') + +######################################## +## ## Get all service status (systemd). ## ## 
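Review bot: The summary on `init_system_stop` reads "stop service (systemd)", but the rule is `allow $1 init_t:system stop;` on PID 1's own `system` class, not a `service` permission on a unit type — stopping a unit is what `init_stop_generic_units`, used earlier in this patch, grants. Reword both new summaries to what the permission actually targets, e.g. `## Send a start/stop request to the init daemon itself (systemd system class).`, and note which systemctl verb maps to it if that is known from testing rather than assumed. `init_system_start` is added symmetrically but nothing in this patch calls it; if it is reserved for a later dpkg change, say so in the commit message or hold it back until it has a caller.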
@@ -2514,3 +2550,57 @@ interface(`init_reload_all_units',` allow $1 systemdunit:service reload; ') + +######################################## +## +## Start and stop init_script_file_type services +## +## +## +## domain that can start and stop the services +## +## +# +interface(`init_script_service_restart',` + gen_require(` + attribute init_script_file_type; + ') + + allow $1 init_script_file_type:service { start status stop }; +') + +######################################## +## +## Get the system status information from init +## +## +## +## Domain allowed access. +## +## +# +interface(`init_status',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system status; +') + +######################################## +## +## Allow manage service for initrc_exec_t scripts +## +## +## +## Target domain +## +## +# +interface(`initrc_manage_service',` + gen_require(` + type initrc_exec_t; + ') + + allow $1 initrc_exec_t:service { start stop status }; +') Index: refpolicy-2.20170214/policy/modules/system/userdomain.te =================================================================== --- refpolicy-2.20170214.orig/policy/modules/system/userdomain.te +++ refpolicy-2.20170214/policy/modules/system/userdomain.te @@ -70,6 +70,10 @@ attribute admindomain; # all user domains attribute userdomain; +ifdef(`distro_debian', ` + dpkg_read_db(userdomain) +') + # unprivileged user domains attribute unpriv_userdomain; Index: refpolicy-2.20170214/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20170214.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20170214/policy/modules/kernel/devices.if 
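Review bot: `initrc_manage_service` breaks the refpolicy convention that an interface name starts with its module's prefix (everything else in init.if is `init_…`), so a reader cannot tell which module provides it and the naming checks will flag it. Rename it to something like `init_manage_initrc_service` and update the single call site in dpkg.te; the body can stay as is. The summary on `init_script_service_restart` says "Start and stop" while the rule also grants `status`, so either drop `status` from the permission set or mention it in the summary.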
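Review bot: `dpkg_read_db(userdomain)` is called from a base module with no `optional_policy` wrapper, so a build with `distro_debian` set but the dpkg contrib module disabled fails on an undefined interface. Wrap the call in an `optional_policy` block inside the existing `distro_debian` ifdef, the same pattern this file uses for other contrib interfaces, and add a one-line comment such as `# let users list installed packages (dpkg -l, dpkg-buildpackage)` since the justification is otherwise only in the mail. The space after the comma in the new `ifdef` call is also inconsistent with the surrounding m4 style.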
@@ -3260,6 +3260,25 @@ interface(`dev_create_null_dev',` ######################################## ## +## Manage services with script type null_device_t for when +## /lib/systemd/system/something.service is a link to /dev/null +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_null_manage_service',` + gen_require(` + type null_device_t; + ') + + allow $1 null_device_t:service { status start stop reload }; +') + +######################################## +## ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## Index: refpolicy-2.20170214/policy/modules/contrib/dirmngr.if =================================================================== --- refpolicy-2.20170214.orig/policy/modules/contrib/dirmngr.if +++ refpolicy-2.20170214/policy/modules/contrib/dirmngr.if @@ -2,6 +2,25 @@ ######################################## ## +## Allow a domain to restart dirmngr +## +## +## +## Domain allowed access. +## +## +## +# +interface(`dirmngr_service_manage',` + gen_require(` + type dirmngr_initrc_exec_t; + ') + + allow $1 dirmngr_initrc_exec_t:service { status start stop }; +') + +######################################## +## ## All of the rules required to ## administrate an dirmngr environment. ## Index: refpolicy-2.20170214/policy/modules/system/systemd.if =================================================================== --- refpolicy-2.20170214.orig/policy/modules/system/systemd.if +++ refpolicy-2.20170214/policy/modules/system/systemd.if 
@@ -190,3 +190,22 @@ interface(`systemd_start_power_units',` allow $1 power_unit_t:service start; ') + +######################################## +## +## Allow systemd_logind_t to read process state for cgroup file +## +## +## +## Domain systemd_logind_t may access. +## +## +# +interface(`systemd_logind_read_process_state',` + gen_require(` + type systemd_logind_t; + ') + + allow systemd_logind_t $1:dir list_dir_perms; + allow systemd_logind_t $1:file read_file_perms; +') Index: refpolicy-2.20170214/policy/modules/system/unconfined.if =================================================================== --- refpolicy-2.20170214.orig/policy/modules/system/unconfined.if +++ refpolicy-2.20170214/policy/modules/system/unconfined.if @@ -319,6 +319,23 @@ interface(`unconfined_run_to',` ######################################## ## +## Allow the specified domain to be in the unconfined role +## +## +## +## Domain to permit in unconfined_r +## +## +# +interface(`permit_in_unconfined_r',` + gen_require(` + role unconfined_r; + ') + role unconfined_r types $1; +') + +######################################## +## ## Inherit file descriptors from the unconfined domain. ## ## Index: refpolicy-2.20170214/policy/modules/system/init.te =================================================================== --- refpolicy-2.20170214.orig/policy/modules/system/init.te +++ refpolicy-2.20170214/policy/modules/system/init.te @@ -277,7 +277,9 @@ ifdef(`init_systemd',` term_relabel_pty_dirs(init_t) - clock_read_adjtime(init_t) + optional_policy(` + clock_read_adjtime(init_t) + ') logging_manage_pid_sockets(init_t) logging_send_audit_msgs(init_t) @@ -628,7 +630,9 @@ ifdef(`distro_gentoo',` files_mountpoint(initrc_state_t) # init scripts touch this - clock_dontaudit_write_adjtime(initrc_t) + optional_policy(` + clock_dontaudit_write_adjtime(initrc_t) + ') logging_send_audit_msgs(initrc_t)
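Review bot: `systemd_logind_read_process_state` hand-writes `dir list_dir_perms` and `file read_file_perms` for systemd_logind_t on `$1`, which is the refpolicy `ps_process_pattern` minus its lnk_file read and process getattr; `ps_process_pattern(systemd_logind_t, $1)` is the idiom, is what the rest of refpolicy uses for reading /proc/<pid>, and also covers the lnk_file reads under /proc/<pid> should they appear in a later denial. The interface also inverts the usual direction (the caller's domain is the target, systemd_logind_t the subject), so the summary should state that plainly, e.g. `## Allow systemd_logind_t to read the /proc/pid state (e.g. the cgroup file) of the specified domain.`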
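Review bot: `permit_in_unconfined_r` does not follow the module-prefix convention used by every other interface in unconfined.if (`unconfined_…`), and it takes no role parameter, so it can only ever add a domain to unconfined_r — the underlying need, a domain entered from dpkg_script_t being valid in the caller's role, is what the `*_run_*` interfaces with a role argument already solve. If a standalone interface is still wanted, give it the module prefix, for instance `unconfined_role_types`, so naming checks and readers can place it. The body itself is fine.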