From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 15 Feb 2017 19:08:13 -0500
Subject: [refpolicy] [PATCH] dpkg related patches
In-Reply-To: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au>
References: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au>
Message-ID: <6c6cbb82-985e-6e0a-d6e1-e28ea82886b7@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 02/14/17 01:41, Russell Coker via refpolicy wrote:
> The following patch has all the latest dpkg.te policy taken from several
> patch files in the Debian package so there's more rules than the previous
> patch I sent. It also has init.if, unconfined.if, and dirmngr.if changes for
> dpkg systemd support and changing password support, the interfaces in question
> are also used by other modules in my tree, I'll send patches for that later.
>
> It removes the TODO block discussed previously as well as some other access
> that dpkg_t no longer needs.
>
> It allows bootloader_t to read dpkg and apt configuration due to Debian
> scripts for configuring kernels running as bootloader_t and needing access
> to the package configuration.
>
> There is a change to usermanage.te to support dpkg creating users and setting
> passwords etc (passwd -L etc).
>
> There is a change to userdomain.te to allow regular users to list the packages
> installed. This is mainly for dpkg-buildpackage but there's lots of other
> reasons to allow this.
>
> Finally I made some adjtime references optional, as I needed to do that to
> make the policy even build for me.
>
> Please apply this to git.
>
>
> Index: refpolicy-2.20170214/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170214/policy/modules/contrib/dpkg.te
> @@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
> domain_interactive_fd(dpkg_script_t)
> role dpkg_roles types dpkg_script_t;
>
> +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
> +domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
What are these files? I don't know dpkg, but this seems odd.
> type dpkg_script_tmp_t;
> files_tmp_file(dpkg_script_tmp_t)
>
> @@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
> kernel_read_system_state(dpkg_t)
> kernel_read_kernel_sysctls(dpkg_t)
>
> -corecmd_exec_all_executables(dpkg_t)
> -
> corenet_all_recvfrom_unlabeled(dpkg_t)
> corenet_all_recvfrom_netlabel(dpkg_t)
> corenet_tcp_sendrecv_generic_if(dpkg_t)
> @@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)
>
> userdom_use_user_terminals(dpkg_t)
> userdom_use_unpriv_users_fds(dpkg_t)
> +userdom_use_all_users_fds(dpkg_t)
>
> dpkg_domtrans_script(dpkg_t)
>
> @@ -176,18 +178,10 @@ optional_policy(`
> unconfined_domain(dpkg_t)
> ')
>
> -# TODO: the following was copied from dpkg_script_t, and could probably
> -# be removed again when dpkg_script_t is actually used...
> -domain_signal_all_domains(dpkg_t)
> -domain_signull_all_domains(dpkg_t)
> -files_read_etc_runtime_files(dpkg_t)
> -files_exec_usr_files(dpkg_t)
> -miscfiles_read_localization(dpkg_t)
> -modutils_run_depmod(dpkg_t, dpkg_roles)
> -modutils_run_insmod(dpkg_t, dpkg_roles)
> -seutil_run_loadpolicy(dpkg_t, dpkg_roles)
> -seutil_run_setfiles(dpkg_t, dpkg_roles)
> -userdom_use_all_users_fds(dpkg_t)
> +optional_policy(`
> + modutils_run_depmod(dpkg_t, dpkg_roles)
> + modutils_run_insmod(dpkg_t, dpkg_roles)
> +')
>
> optional_policy(`
> mta_send_mail(dpkg_t)
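Review bot: The new `spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)` and `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)` turn the whole `dpkg_var_lib_t` type into an entrypoint for dpkg_script_t, and the header of the following hunk (`files_var_lib_filetrans(dpkg_t, dpkg_var`) suggests dpkg_t itself creates content of that type, so the domain doing the transition can also write the entrypoint it transitions to. If the intent is the package maintainer scripts, a dedicated script type set by a named file transition would keep the entrypoint separate from the package database; at minimum a comment above these two lines should say which files they cover, e.g. `# maintainer scripts are labeled dpkg_var_lib_t; entrypoint for dpkg_script_t — TODO confirm`. `dpkg_domtrans_script(dpkg_t)` already appears in the @@ -153 hunk, so the comment should also say how the new pattern relates to the transition that interface provides.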
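Review bot: The replacement `optional_policy` block keeps `modutils_run_depmod(dpkg_t, dpkg_roles)` and `modutils_run_insmod(dpkg_t, dpkg_roles)` for dpkg_t even though the removed TODO said those rules were copied from dpkg_script_t, and the same two calls are granted to dpkg_script_t in the @@ -287 hunk. If dpkg itself, rather than a maintainer script, has been observed running depmod or insmod, a one-line comment above the block saying so would stop the next cleanup from removing it again; otherwise it reads as a leftover of the block it replaces.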
> @@ -202,8 +196,8 @@ optional_policy(`
> # Script Local policy
> #
>
> -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
> -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> +allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setfcap setgid setuid net_admin ipc_lock sys_ptrace sys_chroot sys_nice mknod setfcap };
> +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
> allow dpkg_script_t self:fd use;
> allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
> allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
> @@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_
> allow dpkg_script_t self:sem create_sem_perms;
> allow dpkg_script_t self:msgq create_msgq_perms;
> allow dpkg_script_t self:msg { send receive };
> +allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
> +allow dpkg_script_t self:udp_socket create_socket_perms;
>
> allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
>
> @@ -231,8 +227,10 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s
> kernel_read_kernel_sysctls(dpkg_script_t)
> kernel_read_system_state(dpkg_script_t)
>
> +auth_manage_shadow(dpkg_script_t)
> corecmd_exec_all_executables(dpkg_script_t)
>
> +dev_null_manage_service(dpkg_script_t)
> dev_list_sysfs(dpkg_script_t)
> # Use named file transition to fix this
> # dev_manage_generic_blk_files(dpkg_script_t)
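Review bot: In the new `self:capability` rule `setfcap` is listed twice, and the rule adds `audit_write`, `setfcap`, `net_admin` and `sys_ptrace` with no comment saying which maintainer script needs them; `net_admin` and `sys_ptrace` are broad, and if they are only triggered by tools probing other processes a `dontaudit` would be the better answer. The second rule also drops `setfscreate` from the excluded process permissions, so dpkg_script_t may now set its file-creation context, which the description does not mention. I would remove the duplicate token and put a why-comment above the rule such as `# net_admin, sys_ptrace: needed by <maintainer script> — TODO confirm`.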
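Review bot: The added `allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };`, together with the `audit_write` capability added in the previous hunk, is the access the `logging_send_audit_msgs()` interface exists to grant (it is already used in this series, see `logging_send_audit_msgs(init_t)` in the init.te hunk), so calling `logging_send_audit_msgs(dpkg_script_t)` instead of the raw rules keeps audit access defined in one place. The new `udp_socket` rule likewise has no comment saying what in a maintainer script needs a datagram socket.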
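Review bot: `auth_manage_shadow(dpkg_script_t)` gives every package maintainer script direct write access to the shadow file, while the same series adds `usermanage_domtrans_passwd(dpkg_script_t)` in the @@ -287 hunk so that password changes run in passwd_t. If the transition covers the cases the description names (`passwd -L`, user creation), the direct shadow access should not be needed and the `auth_dontaudit_getattr_shadow(dpkg_script_t)` removed in the @@ -267 hunk could stay; if a script really edits shadow itself, a comment naming that script above this line would justify the rule.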
> @@ -267,17 +265,26 @@ selinux_compute_access_vector(dpkg_scrip
> selinux_compute_create_context(dpkg_script_t)
> selinux_compute_relabel_context(dpkg_script_t)
> selinux_compute_user_contexts(dpkg_script_t)
> +selinux_read_policy(dpkg_script_t)
>
> storage_raw_read_fixed_disk(dpkg_script_t)
> storage_raw_write_fixed_disk(dpkg_script_t)
>
> term_use_all_terms(dpkg_script_t)
>
> -auth_dontaudit_getattr_shadow(dpkg_script_t)
> files_manage_non_auth_files(dpkg_script_t)
>
> init_all_labeled_script_domtrans(dpkg_script_t)
> +init_get_generic_units_status(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> +init_status(dpkg_script_t)
> +init_start_generic_units(dpkg_script_t)
> +init_stop_generic_units(dpkg_script_t)
> +init_reload(dpkg_script_t)
> +init_system_stop(dpkg_script_t)
> +init_telinit(dpkg_script_t)
> +initrc_manage_service(dpkg_script_t)
> +init_script_service_restart(dpkg_script_t)
>
> libs_exec_ld_so(dpkg_script_t)
> libs_exec_lib_files(dpkg_script_t)
> @@ -287,13 +294,20 @@ logging_send_syslog_msg(dpkg_script_t)
>
> miscfiles_read_localization(dpkg_script_t)
>
> -modutils_run_depmod(dpkg_script_t, dpkg_roles)
> -modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +optional_policy(`
> + dirmngr_service_manage(dpkg_script_t)
> +')
> +
> +optional_policy(`
> + modutils_run_depmod(dpkg_script_t, dpkg_roles)
> + modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +')
Please move down with the other dpkg_script_t optionals.
> seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
> seutil_run_setfiles(dpkg_script_t, dpkg_roles)
>
> userdom_use_all_users_fds(dpkg_script_t)
> +usermanage_domtrans_passwd(dpkg_script_t)
>
> tunable_policy(`allow_execmem',`
> allow dpkg_script_t self:process execmem;
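Review bot: `init_system_stop(dpkg_script_t)` and `init_telinit(dpkg_script_t)` let any package maintainer script stop init or change runlevel, which is considerably more than the unit start/stop/status calls around them, and nothing in the hunk says which package triggers it. If the scripts only restart services, the `init_*_generic_units` and `init_script_service_restart` calls in the same block already cover that; otherwise a comment such as `# init_system_stop/init_telinit: needed by <package> — TODO confirm` above the block would let a reviewer check the need.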
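Review bot: `usermanage_domtrans_passwd(dpkg_script_t)` is added unwrapped, while the dirmngr and modutils calls a few lines above are placed inside `optional_policy`; usermanage is an admin module that is commonly built as a loadable module, so a build without it would fail on this line. Wrap it in its own `optional_policy` block alongside the other dpkg_script_t optionals.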
> @@ -317,6 +331,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_logind_read_process_state(dpkg_script_t)
> + systemd_dbus_chat_logind(dpkg_script_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(dpkg_script_t)
> ')
>
> Index: refpolicy-2.20170214/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20170214/policy/modules/admin/bootloader.te
> @@ -149,6 +149,11 @@ ifdef(`distro_debian',`
> fstools_relabelto_entry_files(bootloader_t)
>
> libs_relabelto_lib_files(bootloader_t)
> +
> + # for apt-cache
> + dpkg_read_db(bootloader_t)
> + apt_read_db(bootloader_t)
> + apt_read_cache(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> Index: refpolicy-2.20170214/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20170214/policy/modules/admin/usermanage.te
> @@ -360,6 +360,12 @@ optional_policy(`
> nscd_run(passwd_t, passwd_roles)
> ')
>
> +optional_policy(`
> + # for dpkg to create users
> + permit_in_unconfined_r(passwd_t)
> + unconfined_use_fds(passwd_t)
> +')
I think what you're looking for is to replace the usermanage_domtrans_passwd() with usermanage_run_passwd() with dpkg_roles. That would fix the role association.
> ########################################
> #
> # Password admin local policy
> Index: refpolicy-2.20170214/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170214/policy/modules/system/init.if
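Review bot: `dpkg_read_db(bootloader_t)`, `apt_read_db(bootloader_t)` and `apt_read_cache(bootloader_t)` are contrib-module interfaces called directly inside the `ifdef(distro_debian)` block of bootloader.te, so a Debian build with the dpkg or apt module not selected fails at these lines; the existing calls in that block (`fstools_relabelto_entry_files`, `libs_relabelto_lib_files`) are base interfaces and do not have this problem. Each module's calls should sit in their own `optional_policy` block inside the ifdef, keeping the `# for apt-cache` comment with them. The `dpkg_read_db(userdomain)` line added to userdomain.te has the same defect.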
> @@ -809,6 +809,42 @@ interface(`init_udp_send',`
>
> ########################################
> ##
> +## start service (systemd).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_system_start',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system start;
> +')
> +
> +########################################
> +##
> +## stop service (systemd).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_system_stop',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system stop;
> +')
> +
> +########################################
> +##
> ## Get all service status (systemd).
> ##
> ##
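Review bot: `init_system_start` is added here but nothing in this series calls it (the dpkg.te hunks use `init_system_stop`, `init_status`, `init_reload` and `init_telinit`), so it lands as an unused interface; either drop it or mention the intended caller in the summary. Both new summaries, `start service (systemd).` and `stop service (systemd).`, describe a unit operation, while the rules are on `init_t:system`, i.e. on the init process itself rather than on a service, so the summary should say which manager-level operation is being authorized, in the form the existing entries use (`Get all service status (systemd).`).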
> @@ -2514,3 +2550,57 @@ interface(`init_reload_all_units',`
>
> allow $1 systemdunit:service reload;
> ')
> +
> +########################################
> +##
> +## Start and stop init_script_file_type services
> +##
> +##
> +##
> +## domain that can start and stop the services
> +##
> +##
> +#
> +interface(`init_script_service_restart',`
init_restart_script_service()
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + allow $1 init_script_file_type:service { start status stop };
> +')
> +
> +########################################
> +##
> +## Get the system status information from init
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_status',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system status;
> +')
> +
> +########################################
> +##
> +## Allow manage service for initrc_exec_t scripts
> +##
> +##
> +##
> +## Target domain
> +##
> +##
> +#
> +interface(`initrc_manage_service',`
> + gen_require(`
> + type initrc_exec_t;
require class service { status start stop }; since that is a userspace class.
> + ')
> +
> + allow $1 initrc_exec_t:service { start stop status };
> +')
> Index: refpolicy-2.20170214/policy/modules/system/userdomain.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/userdomain.te
> +++ refpolicy-2.20170214/policy/modules/system/userdomain.te
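Review bot: `initrc_manage_service` breaks the naming used throughout init.if, where every interface carries the `init_` prefix (`init_reload_all_units` in the hunk header, `init_status` just above it), so it will not be found next to the other service interfaces; `init_manage_initrc_service` or similar would fit. Its summary `Allow manage service for initrc_exec_t scripts` and parameter text `Target domain` also read the wrong way round, since `$1` is the domain being granted access, not a target; `Domain allowed access.` as used by `init_status` above is the right wording.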
> @@ -70,6 +70,10 @@ attribute admindomain;
> # all user domains
> attribute userdomain;
>
> +ifdef(`distro_debian', `
> + dpkg_read_db(userdomain)
> +')
I think that putting this in the userdom_common_user_template() is better, so that the base user template is kept thin.
> # unprivileged user domains
> attribute unpriv_userdomain;
>
> Index: refpolicy-2.20170214/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170214/policy/modules/kernel/devices.if
> @@ -3260,6 +3260,25 @@ interface(`dev_create_null_dev',`
>
> ########################################
> ##
> +## Manage services with script type null_device_t for when
> +## /lib/systemd/system/something.service is a link to /dev/null
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_null_manage_service',`
Yuck. More systemd mess. Should be named dev_manage_null_service().
> + gen_require(`
> + type null_device_t;
also require class service { status start stop reload }; since that is a userspace class.
> + ')
> +
> + allow $1 null_device_t:service { status start stop reload };
> +')
> +
> +########################################
> +##
> ## Do not audit attempts to get the attributes
> ## of the BIOS non-volatile RAM device.
> ##
> Index: refpolicy-2.20170214/policy/modules/contrib/dirmngr.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/contrib/dirmngr.if
> +++ refpolicy-2.20170214/policy/modules/contrib/dirmngr.if
> @@ -2,6 +2,25 @@
>
> ########################################
> ##
> +## Allow a domain to restart dirmngr
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`dirmngr_service_manage',`
> + gen_require(`
> + type dirmngr_initrc_exec_t;
> + ')
> +
> + allow $1 dirmngr_initrc_exec_t:service { status start stop };
Please leverage the init_startstop_service() interface to handle most of this which is intended to be init-agnostic
> +')
> +
> +########################################
> +##
> ## All of the rules required to
> ## administrate an dirmngr environment.
> ##
> Index: refpolicy-2.20170214/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170214/policy/modules/system/systemd.if
> @@ -190,3 +190,22 @@ interface(`systemd_start_power_units',`
>
> allow $1 power_unit_t:service start;
> ')
> +
> +########################################
> +##
> +## Allow systemd_logind_t to read process state for cgroup file
> +##
> +##
> +##
> +## Domain systemd_logind_t may access.
> +##
> +##
> +#
> +interface(`systemd_logind_read_process_state',`
Should be named systemd_read_logind_state().
> + gen_require(`
> + type systemd_logind_t;
> + ')
> +
> + allow systemd_logind_t $1:dir list_dir_perms;
> + allow systemd_logind_t $1:file read_file_perms;
> +')
> Index: refpolicy-2.20170214/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170214/policy/modules/system/unconfined.if
> @@ -319,6 +319,23 @@ interface(`unconfined_run_to',`
>
> ########################################
> ##
> +## Allow the specified domain to be in the unconfined role
> +##
> +##
> +##
> +## Domain to permit in unconfined_r
> +##
> +##
> +#
> +interface(`permit_in_unconfined_r',`
> + gen_require(`
> + role unconfined_r;
> + ')
> + role unconfined_r types $1;
> +')
> +
> +########################################
> +##
> ## Inherit file descriptors from the unconfined domain.
> ##
> ##
> Index: refpolicy-2.20170214/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170214.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170214/policy/modules/system/init.te
> @@ -277,7 +277,9 @@ ifdef(`init_systemd',`
>
> term_relabel_pty_dirs(init_t)
>
> - clock_read_adjtime(init_t)
> + optional_policy(`
> + clock_read_adjtime(init_t)
> + ')
This should be moved down in the ifdef block with the other init_t optionals.
> logging_manage_pid_sockets(init_t)
> logging_send_audit_msgs(init_t)
> @@ -628,7 +630,9 @@ ifdef(`distro_gentoo',`
> files_mountpoint(initrc_state_t)
>
> # init scripts touch this
> - clock_dontaudit_write_adjtime(initrc_t)
> + optional_policy(`
> + clock_dontaudit_write_adjtime(initrc_t)
> + ')
Did you really intend to modify a Gentoo block?
--
Chris PeBenito
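Review bot: `permit_in_unconfined_r` lacks the `unconfined_` prefix that every other interface in unconfined.if carries (`unconfined_run_to` in the hunk header), and since this is the one new interface in the series whose effect is a role association rather than an allow rule, the missing prefix makes it easy to miss when searching for what extends unconfined_r. A name beginning with `unconfined_` that states it adds the caller's domain to the role would fit the file, and the summary should say that the domain is made reachable from the unconfined role rather than "be in" it, e.g. `Associate the specified domain with the unconfined role.`.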