From: russell@coker.com.au (Russell Coker) Date: Mon, 20 Feb 2017 16:35:25 +1100 Subject: [refpolicy] [PATCH] yet another draft of systemd patch 1 Message-ID: <20170220053525.kiug5zsw3wpzwfxl@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Here's another version of that patch against today's git repository and with changes suggested by Nicolas Iooss. Index: refpolicy-2.20170220/policy/modules/system/udev.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/udev.if +++ refpolicy-2.20170220/policy/modules/system/udev.if @@ -282,6 +282,26 @@ interface(`udev_manage_pid_dirs',` ######################################## ## +## Allow process to relabelto udev database +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_relabelto_db',` + gen_require(` + type udev_var_run_t; + ') + + files_search_pids($1) + allow $1 udev_var_run_t:file relabelto_file_perms; + allow $1 udev_var_run_t:lnk_file relabelto_file_perms; +') + +######################################## +## ## Read udev pid files. ## ## Index: refpolicy-2.20170220/policy/modules/kernel/devices.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/kernel/devices.te +++ refpolicy-2.20170220/policy/modules/kernel/devices.te @@ -21,6 +21,9 @@ files_mountpoint(device_t) files_associate_tmp(device_t) fs_xattr_type(device_t) fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); +optional_policy(` + systemd_tmpfiles_manage_object(device_t, fifo_file) +') # # Type for /dev/agpgart Index: refpolicy-2.20170220/policy/modules/kernel/files.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/kernel/files.te +++ refpolicy-2.20170220/policy/modules/kernel/files.te @@ -174,6 +174,10 @@ type var_run_t; files_pid_file(var_run_t) files_mountpoint(var_run_t) +optional_policy(` + systemd_tmpfiles_manage_object(var_run_t, lnk_file) +') + # # var_spool_t is the type of /var/spool # Index: refpolicy-2.20170220/policy/modules/kernel/kernel.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/kernel/kernel.te +++ refpolicy-2.20170220/policy/modules/kernel/kernel.te @@ -361,6 +361,8 @@ optional_policy(` optional_policy(` init_sigchld(kernel_t) + init_dyntrans(kernel_t) + domain_dyntrans_type(kernel_t) ') optional_policy(` Index: refpolicy-2.20170220/policy/modules/system/authlogin.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/authlogin.te +++ refpolicy-2.20170220/policy/modules/system/authlogin.te @@ -30,6 +30,9 @@ role system_r types chkpwd_t; type faillog_t; logging_log_file(faillog_t) +optional_policy(` + systemd_tmpfiles_manage_object(faillog_t, file) +') type lastlog_t; logging_log_file(lastlog_t) @@ -81,6 +84,9 @@ application_domain(utempter_t, utempter_ # type var_auth_t; files_type(var_auth_t) +optional_policy(` + systemd_tmpfiles_manage_object(var_auth_t, dir) +') type wtmp_t; logging_log_file(wtmp_t) Index: refpolicy-2.20170220/policy/modules/system/init.fc =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/init.fc +++ refpolicy-2.20170220/policy/modules/system/init.fc @@ -57,6 +57,8 @@ ifdef(`distro_gentoo', ` /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) /run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) ifdef(`distro_debian',` Index: refpolicy-2.20170220/policy/modules/system/init.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/init.if +++ refpolicy-2.20170220/policy/modules/system/init.if @@ -127,7 +127,11 @@ interface(`init_domain',` role system_r types $1; - domtrans_pattern(init_t, $2, $1) + ifdef(`init_systemd', ` + domtrans_pattern(init_t, $2, $1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') ifdef(`init_systemd',` allow $1 init_t:unix_stream_socket { getattr read write ioctl }; @@ -164,10 +168,12 @@ interface(`init_ranged_domain',` ifdef(`enable_mcs',` range_transition init_t $2:process $3; + range_transition initrc_t $2:process $3; ') ifdef(`enable_mls',` range_transition init_t $2:process $3; + range_transition initrc_t $2:process $3; mls_rangetrans_target($1) ') ') @@ -210,8 +216,10 @@ interface(`init_ranged_domain',` interface(`init_daemon_domain',` gen_require(` type initrc_t; + type init_t; role system_r; attribute daemon; + attribute initrc_transition_domain; ') typeattribute $1 daemon; @@ -223,6 +231,12 @@ interface(`init_daemon_domain',` domtrans_pattern(initrc_t, $2, $1) + ifdef(`init_systemd', ` + domtrans_pattern(init_t, $2, $1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') + # daemons started from init will # inherit fds from init for the console init_dontaudit_use_fds($1) @@ -292,6 +306,7 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; + type init_t; ') ifdef(`init_systemd',` @@ -301,11 +316,13 @@ interface(`init_ranged_daemon_domain',` ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; ') ifdef(`enable_mls',` range_transition initrc_t $2:process $3; mls_rangetrans_target($1) + range_transition init_t $2:process $3; ') ') ') @@ -400,8 +417,10 @@ interface(`init_system_domain',` gen_require(` type initrc_t; role system_r; + attribute systemprocess; ') + typeattribute $1 systemprocess; application_domain($1, $2) role system_r types $1; @@ -459,6 +478,7 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; + type init_t; ') ifdef(`init_systemd',` @@ -468,15 +488,35 @@ interface(`init_ranged_system_domain',` ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; ') ifdef(`enable_mls',` range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; mls_rangetrans_target($1) ') ') ') +###################################### +## +## Allow domain dyntransition to init_t domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`init_dyntrans',` + gen_require(` + type init_t; + ') + + dyntrans_pattern($1, init_t) +') + ######################################## ## ## Mark the file type as a daemon pid file, allowing initrc_t @@ -675,6 +715,7 @@ interface(`init_stream_connect',` stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) files_search_pids($1) + allow $1 init_t:unix_stream_socket getattr; ') ######################################## @@ -1195,19 +1236,25 @@ interface(`init_telinit',` type initctl_t; ') + corecmd_exec_bin($1) + dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file rw_fifo_file_perms; init_exec($1) - tunable_policy(`init_upstart',` + ifdef(`init_systemd',` gen_require(` type init_t; ') + ps_process_pattern($1, init_t) + allow $1 init_t:process signal; # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; allow $1 init_t:unix_dgram_socket sendto; + #576913 + allow $1 init_t:unix_stream_socket connectto; ') ') @@ -1217,7 +1264,7 @@ interface(`init_telinit',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # @@ -1315,18 +1362,21 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; + attribute initrc_transition_domain; ') + typeattribute $1 initrc_transition_domain; files_list_etc($1) - domtrans_pattern($1, initrc_exec_t, initrc_t) + domtrans_pattern($1, init_script_file_type, initrc_t) ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; ') ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; ') ') @@ -1402,9 +1452,14 @@ interface(`init_manage_script_service',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; + attribute initrc_transition_domain; ') + typeattribute $1 initrc_transition_domain; + # service script searches all filesystems via mountpoint + fs_search_all($1) domtrans_pattern($1, $2, initrc_t) + allow $1 $2:file ioctl; files_search_etc($1) ') @@ -1536,9 +1591,10 @@ interface(`init_run_daemon',` interface(`init_startstop_all_script_services',` gen_require(` attribute init_script_file_type; + class service { start status stop reload }; ') - allow $1 init_script_file_type:service { start status stop }; + allow $1 init_script_file_type:service { start status stop reload }; ') ######################################## @@ -1746,12 +1802,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) - read_files_pattern($1, initrc_t, initrc_t) - read_lnk_files_pattern($1, initrc_t, initrc_t) - list_dirs_pattern($1, initrc_t, initrc_t) - - # should move this to separate interface - allow $1 initrc_t:process getattr; + ps_process_pattern($1, initrc_t) ') ######################################## @@ -2335,7 +2386,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') - dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; + dontaudit $1 initrc_var_run_t:file rw_file_perms; ') ######################################## @@ -2376,6 +2427,25 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') +####################################### +## +## Create a directory in the /run/systemd directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_create_pid_dirs',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:dir list_dir_perms; + create_dirs_pattern($1, init_var_run_t, init_var_run_t) +') + ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket @@ -2550,6 +2620,43 @@ interface(`init_start_all_units',` allow $1 systemdunit:service start; ') +####################################### +## +## Allow the specified domain to write to +## init sock file. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_write_pid_socket',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:sock_file write; +') + +######################################## +## +## Read init unnamed pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_pipes',` + gen_require(` + type init_var_run_t; + ') + + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') + ######################################## ## ## Stop all systemd units. @@ -2587,3 +2694,21 @@ interface(`init_reload_all_units',` allow $1 systemdunit:service reload; ') + +######################################## +## +## Rename and unlink init_var_run_t files +## +## +## +## domain +## +## +# +interface(`rename_unlink_init_var_run',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:file { rename getattr unlink }; +') Index: refpolicy-2.20170220/policy/modules/system/init.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/init.te +++ refpolicy-2.20170220/policy/modules/system/init.te @@ -16,13 +16,29 @@ gen_require(` ## gen_tunable(init_upstart, false) +## +##

+## Allow all daemons the ability to read/write terminals +##

+##
+gen_tunable(allow_daemons_use_tty, false) + +## +##

+## Allow all daemons to write corefiles to / +##

+##
+gen_tunable(allow_daemons_dump_core, false) + attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; attribute systemdunit; +attribute initrc_transition_domain; # Mark process types as daemons attribute daemon; +attribute systemprocess; # Mark file type as a daemon pid file attribute daemonpidfile; @@ -33,7 +49,7 @@ attribute daemonrundir; # # init_t is the domain of the init process. # -type init_t; +type init_t, initrc_transition_domain; type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) @@ -66,6 +82,7 @@ type initrc_exec_t, init_script_file_typ domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) init_named_socket_activation(initrc_t, init_var_run_t) +allow init_run_all_scripts_domain systemdunit:service { status start stop }; role system_r types initrc_t; # should be part of the true block # of the below init_upstart tunable @@ -110,6 +127,7 @@ ifdef(`enable_mls',` # Use capabilities. old rule: allow init_t self:capability ~sys_module; +allow init_t self:capability2 { wake_alarm block_suspend }; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config @@ -128,6 +146,9 @@ allow init_t initrc_t:unix_stream_socket allow init_t init_var_run_t:file manage_file_perms; files_pid_filetrans(init_t, init_var_run_t, file) +# for systemd to manage service file symlinks +allow init_t init_var_run_t:file manage_lnk_file_perms; + allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) @@ -147,6 +168,7 @@ dev_rw_generic_chr_files(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) +domain_getattr_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) @@ -355,6 +377,11 @@ optional_policy(` ') optional_policy(` + udev_read_db(init_t) + udev_relabelto_db(init_t) +') + +optional_policy(` unconfined_domain(init_t) ') @@ -408,6 +435,7 @@ manage_files_pattern(initrc_t, initrc_tm manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) +allow initrc_t initrc_tmp_t:dir relabelfrom; manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) @@ -450,6 +478,7 @@ corenet_sendrecv_all_client_packets(init dev_read_rand(initrc_t) dev_read_urand(initrc_t) +dev_dontaudit_read_kmsg(initrc_t) dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) @@ -460,8 +489,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) +dev_setattr_generic_dirs(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) +dev_rw_generic_chr_files(initrc_t) dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) @@ -469,17 +500,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) -# Early devtmpfs -dev_rw_generic_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) domain_signull_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t) +domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -domain_dontaudit_ptrace_all_domains(initrc_t) domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: @@ -487,6 +517,7 @@ domain_dontaudit_getattr_all_udp_sockets domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) +domain_obj_id_change_exemption(initrc_t) files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) @@ -494,8 +525,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) -files_delete_all_locks(initrc_t) +files_manage_all_locks(initrc_t) +files_manage_boot_files(initrc_t) files_read_all_pids(initrc_t) +files_delete_root_files(initrc_t) files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) @@ -509,8 +542,12 @@ files_manage_generic_spool(initrc_t) # cjp: not sure why these are here; should use mount policy files_list_default(initrc_t) files_mounton_default(initrc_t) +files_manage_mnt_dirs(initrc_t) +files_manage_mnt_files(initrc_t) -fs_write_cgroup_files(initrc_t) +fs_delete_cgroup_dirs(initrc_t) +fs_list_cgroup_dirs(initrc_t) +fs_rw_cgroup_files(initrc_t) fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs @@ -520,9 +557,13 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) +fs_search_all(initrc_t) +fs_getattr_nfsd_files(initrc_t) # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) +mcs_file_read_all(initrc_t) +mcs_file_write_all(initrc_t) mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) @@ -532,6 +573,7 @@ mls_process_read_all_levels(initrc_t) mls_process_write_all_levels(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) +mls_socket_write_to_clearance(initrc_t) selinux_get_enforce_mode(initrc_t) @@ -563,7 +605,11 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript -miscfiles_read_generic_certs(initrc_t) +miscfiles_manage_generic_cert_files(initrc_t) + +optional_policy(` + init_get_system_status(initrc_t) +') seutil_read_config(initrc_t) @@ -571,7 +617,7 @@ userdom_read_user_home_content_files(ini # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. -userdom_use_user_terminals(initrc_t) +userdom_use_inherited_user_terminals(initrc_t) ifdef(`distro_debian',` kernel_getattr_core_if(initrc_t) @@ -643,6 +689,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` + abrt_manage_pid_files(initrc_t) + ') + + optional_policy(` alsa_read_lib(initrc_t) ') @@ -663,7 +713,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd - kernel_dontaudit_use_fds(initrc_t) + kernel_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd @@ -698,6 +748,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) + miscfiles_filetrans_named_content(initrc_t) miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) @@ -707,8 +758,35 @@ ifdef(`distro_redhat',` ') optional_policy(` + abrt_manage_pid_files(initrc_t) + ') + + optional_policy(` bind_manage_config_dirs(initrc_t) + bind_manage_config(initrc_t) bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) + ') + + optional_policy(` + devicekit_append_inherited_log_files(initrc_t) + ') + + optional_policy(` + dirsrvadmin_read_config(initrc_t) + dirsrv_manage_var_run(initrc_t) + ') + + optional_policy(` + gnome_manage_gconf_config(initrc_t) + ') + + optional_policy(` + ldap_read_db_files(initrc_t) + ') + + optional_policy(` + pulseaudio_stream_connect(initrc_t) ') optional_policy(` @@ -716,14 +794,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') + optional_policy(` + rpcbind_stream_connect(initrc_t) + ') optional_policy(` sysnet_rw_dhcp_config(initrc_t) sysnet_manage_config(initrc_t) + sysnet_manage_dhcpc_state(initrc_t) + sysnet_relabelfrom_dhcpc_state(initrc_t) + sysnet_relabelfrom_net_conf(initrc_t) + sysnet_relabelto_net_conf(initrc_t) + sysnet_filetrans_named_content(initrc_t) + ') + + optional_policy(` + wdmd_manage_pid_files(initrc_t) ') optional_policy(` xserver_delete_log(initrc_t) + xserver_manage_user_fonts_dir(initrc_t) ') ') @@ -746,9 +837,11 @@ ifdef(`init_systemd',` files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set) create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t) + allow initrc_t systemd_unit_t:service reload; manage_files_pattern(initrc_t, systemdunit, systemdunit) manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit) + allow initrc_t systemdunit:service reload; kernel_dgram_send(initrc_t) @@ -781,6 +874,8 @@ ifdef(`init_systemd',` seutil_read_file_contexts(initrc_t) systemd_start_power_units(initrc_t) + allow initrc_t init_t:system { status reboot halt reload }; + dev_manage_null_service(initrc_t) optional_policy(` # create /var/lock/lvm/ @@ -788,6 +883,32 @@ ifdef(`init_systemd',` ') ') +domain_dontaudit_use_interactive_fds(daemon) + +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) + term_use_all_ttys(daemon) + term_use_all_ptys(daemon) +',` + term_dontaudit_use_unallocated_ttys(daemon) + term_dontaudit_use_generic_ptys(daemon) + term_dontaudit_use_all_ttys(daemon) + term_dontaudit_use_all_ptys(daemon) + ') + +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`allow_daemons_dump_core',` + files_manage_root_files(daemon) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) + unconfined_dontaudit_rw_stream(daemon) + userdom_dontaudit_read_user_tmp_files(daemon) + userdom_dontaudit_write_user_tmp_files(daemon) +') + optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) @@ -800,6 +921,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) + # webmin seems to cause this. + apache_search_sys_content(daemon) ') optional_policy(` @@ -821,6 +944,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) + domain_setpriority_all_domains(initrc_t) ') optional_policy(` @@ -837,6 +961,12 @@ optional_policy(` ') optional_policy(` + cron_read_pipes(initrc_t) + # managing /etc/cron.d/mailman content + cron_manage_system_spool(initrc_t) +') + +optional_policy(` dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) @@ -853,9 +983,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) + dbus_manage_lib_files(initrc_t) + + init_dbus_chat(initrc_t) optional_policy(` consolekit_dbus_chat(initrc_t) + consolekit_manage_log(initrc_t) ') optional_policy(` @@ -897,6 +1031,11 @@ optional_policy(` ') optional_policy(` + modutils_read_module_config(initrc_t) + modutils_domtrans_insmod(initrc_t) +') + +optional_policy(` inn_exec_config(initrc_t) ') @@ -937,6 +1076,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) + lpd_manage_spool(init_t) ') optional_policy(` @@ -960,6 +1100,7 @@ optional_policy(` optional_policy(` mta_read_config(initrc_t) + mta_write_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -982,6 +1123,10 @@ optional_policy(` ') optional_policy(` + plymouthd_stream_connect(initrc_t) +') + +optional_policy(` postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') @@ -994,6 +1139,7 @@ optional_policy(` puppet_rw_tmp(initrc_t) ') + optional_policy(` quota_manage_flags(initrc_t) ') @@ -1024,8 +1170,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) - # why is this needed: - rpm_manage_db(initrc_t) ') optional_policy(` @@ -1043,10 +1187,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') +ifdef(`enabled_mls',` optional_policy(` # allow init scripts to su su_restricted_domain_template(initrc, initrc_t, system_r) ') +') optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) @@ -1062,7 +1208,6 @@ optional_policy(` ') optional_policy(` - udev_rw_db(initrc_t) udev_manage_pid_files(initrc_t) udev_manage_pid_dirs(initrc_t) udev_manage_rules_files(initrc_t) @@ -1079,6 +1224,10 @@ optional_policy(` optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) + mcs_file_read_all(initrc_t) + mcs_file_write_all(initrc_t) + mcs_killall(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited @@ -1088,6 +1237,15 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') + + optional_policy(` + rtkit_scheduled(initrc_t) + ') +') + +optional_policy(` + rpm_read_db(initrc_t) + rpm_delete_db(initrc_t) ') optional_policy(` @@ -1113,3 +1271,265 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') + +userdom_dontaudit_rw_stream(daemon) + +logging_inherit_append_all_logs(daemon) + +optional_policy(` + # sudo service restart causes this + unconfined_signull(daemon) +') + + +optional_policy(` + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(daemon) + ') + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(daemon) + ') +') + +init_rw_script_stream_sockets(daemon) + +optional_policy(` + abrt_stream_connect(daemon) +') + +optional_policy(` + fail2ban_read_lib_files(daemon) +') + +init_rw_stream_sockets(daemon) + +allow init_t var_run_t:dir relabelto; + +init_stream_connect(initrc_t) +init_start_all_units(initrc_t) +init_stop_all_units(initrc_t) + +allow initrc_t daemon:process siginh; +allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; +allow daemon initrc_transition_domain:fd use; + +storage_raw_rw_fixed_disk(init_t) + +optional_policy(` + modutils_domtrans_insmod(init_t) +') + +optional_policy(` + postfix_list_spool(init_t) + mta_read_aliases(init_t) +') + +ifdef(`init_systemd',` + allow init_t self:system { status reboot halt reload }; + + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; + allow init_t self:process { setsockcreate setfscreate setrlimit }; + allow init_t self:process { getcap setcap }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + # Until systemd is fixed + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; + allow init_t self:udp_socket create_socket_perms; + allow init_t self:netlink_route_socket create_netlink_socket_perms; + allow init_t initrc_t:unix_dgram_socket create_socket_perms; + allow init_t self:capability2 audit_read; + + kernel_list_unlabeled(init_t) + kernel_read_network_state(init_t) + kernel_rw_kernel_sysctl(init_t) + kernel_rw_net_sysctls(init_t) + kernel_read_all_sysctls(init_t) + kernel_read_software_raid_state(init_t) + kernel_unmount_debugfs(init_t) + kernel_setsched(init_t) + + dev_write_kmsg(init_t) + dev_write_urand(init_t) + dev_rw_lvm_control(init_t) + dev_rw_autofs(init_t) + dev_manage_generic_symlinks(init_t) + dev_manage_generic_dirs(init_t) + dev_manage_generic_files(init_t) + dev_read_generic_chr_files(init_t) + dev_relabel_generic_dev_dirs(init_t) + dev_relabel_all_dev_nodes(init_t) + dev_relabel_all_dev_files(init_t) + dev_manage_sysfs_dirs(init_t) + dev_relabel_sysfs_dirs(init_t) + # systemd writes to /dev/watchdog on shutdown + dev_write_watchdog(init_t) + + files_search_all(init_t) + files_mounton_all_mountpoints(init_t) + files_unmount_all_file_type_fs(init_t) + files_manage_all_pid_dirs(init_t) + files_manage_generic_tmp_dirs(init_t) + files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) + files_delete_all_pids(init_t) + files_exec_generic_pid_files(init_t) + files_create_all_pid_pipes(init_t) + files_create_all_spool_sockets(init_t) + files_delete_all_spool_sockets(init_t) + files_manage_urandom_seed(init_t) + files_list_locks(init_t) + files_list_spool(init_t) + files_list_var(init_t) + files_create_lock_dirs(init_t) + files_relabel_all_lock_dirs(init_t) + + fs_getattr_all_fs(init_t) + fs_manage_cgroup_dirs(init_t) + fs_manage_cgroup_files(init_t) + fs_manage_hugetlbfs_dirs(init_t) + fs_manage_tmpfs_dirs(init_t) + fs_mount_all_fs(init_t) + fs_unmount_all_fs(init_t) + fs_remount_all_fs(init_t) + fs_list_auto_mountpoints(init_t) + fs_search_cgroup_dirs(daemon) + + selinux_compute_create_context(init_t) + selinux_validate_context(init_t) + selinux_unmount_fs(init_t) + + storage_getattr_removable_dev(init_t) + + term_relabel_ptys_dirs(init_t) + + auth_relabel_login_records(init_t) + auth_relabel_pam_console_data_dirs(init_t) + + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) + + + systemd_manage_unit_dirs_files(init_t) + + allow initrc_t init_script_file_type:service { stop start status reload }; + + +') +auth_use_nsswitch(init_t) +auth_rw_login_records(init_t) + +optional_policy(` + systemd_filetrans_named_content(init_t) +') + +optional_policy(` + lvm_rw_pipes(init_t) +') + +ifdef(`init_systemd',` + allow init_t daemon:unix_stream_socket create_stream_socket_perms; + allow init_t daemon:unix_dgram_socket create_socket_perms; + allow init_t daemon:tcp_socket create_stream_socket_perms; + allow init_t daemon:udp_socket create_socket_perms; + allow daemon init_t:unix_dgram_socket sendto; + # need write to /var/run/systemd/notify + init_write_pid_socket(daemon) + allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; +') + +# daemons started from init will +# inherit fds from init for the console +init_dontaudit_use_fds(daemon) +term_dontaudit_use_console(daemon) +# init script ptys are the stdin/out/err +# when using run_init +init_use_script_ptys(daemon) + +allow init_t daemon:process siginh; + +ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fds(daemon) + ') + + dontaudit daemon init_t:dir search_dir_perms; +') + +optional_policy(` + nscd_socket_use(daemon) +') + +optional_policy(` + puppet_rw_tmp(daemon) +') + +allow initrc_t systemprocess:process siginh; +allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; +allow systemprocess initrc_transition_domain:fd use; + +dontaudit systemprocess init_t:unix_stream_socket getattr; + + +ifdef(`init_systemd',` + # Handle upstart/systemd direct transition to a executable + allow init_t systemprocess:process { dyntransition siginh }; + allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; + allow init_t systemprocess:unix_dgram_socket create_socket_perms; + allow systemprocess init_t:unix_dgram_socket sendto; + allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; +') + +ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fds(systemprocess) + ') +') + +userdom_dontaudit_search_user_home_dirs(systemprocess) +userdom_dontaudit_rw_stream(systemprocess) +userdom_dontaudit_write_user_tmp_files(systemprocess) + +tunable_policy(`allow_daemons_use_tty',` + term_use_all_ttys(systemprocess) + term_use_all_ptys(systemprocess) +',` + term_dontaudit_use_all_ttys(systemprocess) + term_dontaudit_use_all_ptys(systemprocess) +') + +# these apps are often redirect output to random log files +logging_inherit_append_all_logs(systemprocess) + +optional_policy(` + abrt_stream_connect(systemprocess) +') + +optional_policy(` + cron_rw_pipes(systemprocess) +') + +optional_policy(` + puppet_rw_tmp(systemprocess) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(systemprocess) + unconfined_dontaudit_rw_stream(systemprocess) + userdom_dontaudit_read_user_tmp_files(systemprocess) +') + +init_rw_script_stream_sockets(systemprocess) + +role system_r types systemprocess; +role system_r types daemon; + +#ifdef(`enable_mls',` +# mls_rangetrans_target(systemprocess) +#') + Index: refpolicy-2.20170220/policy/modules/system/logging.fc =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/logging.fc +++ refpolicy-2.20170220/policy/modules/system/logging.fc @@ -1,4 +1,5 @@ /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) @@ -80,3 +81,10 @@ ifdef(`distro_redhat',` /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) Index: refpolicy-2.20170220/policy/modules/system/miscfiles.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/miscfiles.te +++ refpolicy-2.20170220/policy/modules/system/miscfiles.te @@ -40,6 +40,9 @@ files_type(locale_t) # type man_t alias catman_t; files_type(man_t) +optional_policy(` + systemd_tmpfiles_manage_object(man_t, dir) +') type man_cache_t; files_type(man_cache_t) Index: refpolicy-2.20170220/policy/modules/system/logging.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/logging.te +++ refpolicy-2.20170220/policy/modules/system/logging.te @@ -94,6 +94,26 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) ') +ifdef(`init_systemd', ` + dev_read_kmsg(syslogd_t) + dev_write_kmsg(syslogd_t) + allow syslogd_t self:capability sys_ptrace; + init_read_pipes(syslogd_t) + init_read_state(syslogd_t) + allow syslogd_t init_var_run_t:file { read write create open }; + allow syslogd_t var_run_t:dir create; + init_create_pid_dirs(syslogd_t) + kernel_read_ring_buffer(syslogd_t) + dev_read_urand(syslogd_t) + domain_read_all_domains_state(syslogd_t) + systemd_manage_journal_files(syslogd_t) + + # for systemd-journal + allow syslogd_t self:netlink_audit_socket connected_socket_perms; + allow syslogd_t self:capability2 audit_read; + rename_unlink_init_var_run(syslogd_t) +') + ######################################## # # Auditctl local policy @@ -230,6 +250,9 @@ optional_policy(` udev_read_db(auditd_t) ') +# for systemd but can not be conditional +filetrans_pattern(syslogd_t, var_run_t, syslogd_tmp_t, dir, "log") + ######################################## # # audit dispatcher local policy @@ -396,6 +419,9 @@ allow syslogd_t syslog_conf_t:file read_ # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t, devlog_t, sock_file) +init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") + +seutil_read_config(syslogd_t) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -416,6 +442,7 @@ files_search_var_lib(syslogd_t) # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) +allow syslogd_t syslogd_var_run_t:dir create_dir_perms; kernel_read_system_state(syslogd_t) kernel_read_network_state(syslogd_t) Index: refpolicy-2.20170220/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20170220/policy/modules/kernel/devices.if @@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',` ######################################## ## +## Allow full relabeling (to and from) of all device files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`dev_relabel_all_dev_files',` + gen_require(` + type device_t; + ') + + relabel_files_pattern($1, device_t, device_t) +') + +######################################## +## ## List all of the device nodes in a device directory. ## ## @@ -4225,6 +4244,24 @@ interface(`dev_relabel_all_sysfs',` ') ######################################## +## +## Relabel hardware state directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabel_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + relabel_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## ## ## Read and write the TPM device. ## Index: refpolicy-2.20170220/policy/modules/system/logging.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/logging.if +++ refpolicy-2.20170220/policy/modules/system/logging.if @@ -822,6 +822,24 @@ interface(`logging_append_all_logs',` ######################################## ## +## Append to all log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_inherit_append_all_logs',` + gen_require(` + attribute logfile; + ') + + allow $1 logfile:file { getattr append ioctl lock }; +') + +######################################## +## ## Read all log files. ## ## Index: refpolicy-2.20170220/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20170220/policy/modules/system/userdomain.if @@ -1111,6 +1111,10 @@ template(`userdom_unpriv_user_template', optional_policy(` setroubleshoot_stream_connect($1_t) ') + + optional_policy(` + systemd_dbus_chat_logind($1_t) + ') ') ####################################### @@ -3231,6 +3235,35 @@ interface(`userdom_use_user_ptys',` ######################################## ## +## Read and write a inherited user TTYs and PTYs. +## +## +##

+## Allow the specified domain to read and write inherited user +## TTYs and PTYs. This will allow the domain to +## interact with the user via the terminal. Typically +## all interactive applications will require this +## access. +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_use_inherited_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + +######################################## +## ## Read and write a user TTYs and PTYs. ## ## @@ -3835,3 +3868,41 @@ interface(`userdom_dbus_send_all_users', allow $1 userdomain:dbus send_msg; ') + +######################################## +## +## Do not audit attempts to write users +## temporary files. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:file write; +') + +######################################## +## +## Do not audit attempts to read and write +## unserdomain stream. +## +## +## +## Domain to not audit. +## +## +# +interface(`userdom_dontaudit_rw_stream',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') Index: refpolicy-2.20170220/policy/modules/system/authlogin.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/authlogin.if +++ refpolicy-2.20170220/policy/modules/system/authlogin.if @@ -155,9 +155,18 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) + userdom_search_user_runtime($1) + userdom_read_user_tmpfs_files($1) + tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') + + optional_policy(` + systemd_read_logind_state($1) + systemd_write_inherited_logind_sessions_pipes($1) + systemd_passwd_agent_inherits_fd($1) + ') ') ######################################## Index: refpolicy-2.20170220/policy/modules/kernel/terminal.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/kernel/terminal.if +++ refpolicy-2.20170220/policy/modules/kernel/terminal.if @@ -500,6 +500,24 @@ interface(`term_list_ptys',` ######################################## ## +## Relabel the /dev/pts directory +## +## +## +## Domain allowed access. +## +## +# +interface(`term_relabel_ptys_dirs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:dir relabel_dir_perms; +') + +######################################## +## ## Do not audit attempts to read the ## /dev/pts directory. ## Index: refpolicy-2.20170220/policy/modules/system/lvm.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/lvm.if +++ refpolicy-2.20170220/policy/modules/system/lvm.if @@ -187,3 +187,21 @@ interface(`lvm_admin',` files_search_tmp($1) admin_pattern($1, lvm_tmp_t) ') + +######################################## +## +## Read and write a lvm unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_rw_pipes',` + gen_require(` + type lvm_var_run_t; + ') + + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') Index: refpolicy-2.20170220/policy/modules/kernel/files.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/kernel/files.if +++ refpolicy-2.20170220/policy/modules/kernel/files.if @@ -6529,6 +6529,25 @@ interface(`files_dontaudit_ioctl_all_pid ######################################## ## +## manage all pidfile directories +## in the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_all_pid_dirs',` + gen_require(` + attribute pidfile; + ') + + manage_dirs_pattern($1,pidfile,pidfile) +') + +######################################## +## ## Read all process ID files. ## ## @@ -6551,6 +6570,42 @@ interface(`files_read_all_pids',` ######################################## ## +## Execute generic programs in /var/run in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_exec_generic_pid_files',` + gen_require(` + type var_run_t; + ') + + exec_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## +## Relable all pid files +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_all_pid_files',` + gen_require(` + attribute pidfile; + ') + + relabel_files_pattern($1, pidfile, pidfile) +') + +######################################## +## ## Delete all process IDs. ## ## @@ -6898,3 +6953,100 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') + +######################################## +## +## Create a core files in / +## +## +##

+## Create a core file in /, +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_manage_root_files',` + gen_require(` + type root_t; + ') + + manage_files_pattern($1, root_t, root_t) +') + +######################################## +## +## Create all pid sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:sock_file create_sock_file_perms; +') + +######################################## +## +## Create all pid named pipes +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + + allow $1 pidfile:fifo_file create_fifo_file_perms; +') + +######################################## +## +## Create all spool sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_all_spool_sockets',` + gen_require(` + attribute spoolfile; + ') + + allow $1 spoolfile:sock_file create_sock_file_perms; +') + +######################################## +## +## Delete all spool sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_all_spool_sockets',` + gen_require(` + attribute spoolfile; + ') + + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + Index: refpolicy-2.20170220/policy/modules/system/systemd.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/systemd.if +++ refpolicy-2.20170220/policy/modules/system/systemd.if @@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',` ') files_search_pids($1) - read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) + allow $1 systemd_logind_var_run_t:dir list_dir_perms; + allow $1 systemd_logind_var_run_t:file read_file_perms; ') ###################################### @@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',` allow $1 systemd_logind_t:fd use; ') +###################################### +## +## Write inherited logind sessions pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_write_inherited_logind_sessions_pipes',` + gen_require(` + type systemd_logind_t, systemd_sessions_var_run_t; + ') + + allow $1 systemd_logind_t:fd use; + allow $1 systemd_sessions_var_run_t:fifo_file write; + allow systemd_logind_t $1:process signal; +') + ######################################## ## ## Send and receive messages from @@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',` write_files_pattern($1, var_run_t, systemd_kmod_conf_t) ') +####################################### +## +## Allow systemd_tmpfiles_t to manage filesystem objects +## +## +## +## type of object to manage +## +## +## +## +## object class to manage +## +## +# +interface(`systemd_tmpfiles_manage_object',` + gen_require(` + type systemd_tmpfiles_t; + ') + + allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; +') + ######################################## ## ## Allow process to relabel to systemd_kmod_conf_t. @@ -137,6 +181,83 @@ interface(`systemd_relabelto_kmod_files' ######################################## ## +## allow systemd_passwd_agent to inherit fds +## +## +## +## Domain that owns the fds +## +## +# +interface(`systemd_passwd_agent_inherits_fd',` + gen_require(` + type systemd_passwd_agent_t; + ') + + allow systemd_passwd_agent_t $1:fd use; +') + +######################################## +## +## Transition to systemd named content +## need a better name for this +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_filetrans_named_content',` + gen_require(` + type systemd_passwd_var_run_t; + ') + + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block") + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") +') + +######################################## +## +## manage systemd unit dirs and the files in them +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_unit_dirs_files',` + gen_require(` + attribute systemdunit; + ') + + manage_dirs_pattern($1, systemdunit, systemdunit) + manage_files_pattern($1, systemdunit, systemdunit) + manage_lnk_files_pattern($1, systemdunit, systemdunit) +') + +######################################## +## +## Allow domain to create/manage systemd_journal_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_journal_files',` + gen_require(` + type systemd_logind_t; + ') + + manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t) + manage_files_pattern($1, systemd_journal_t, systemd_journal_t) +') + +######################################## +## ## Allow systemd_logind_t to read process state for cgroup file ## ## @@ -209,3 +330,4 @@ interface(`systemd_start_power_units',` allow $1 power_unit_t:service start; ') + Index: refpolicy-2.20170220/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/systemd.te +++ refpolicy-2.20170220/policy/modules/system/systemd.te @@ -12,6 +12,14 @@ policy_module(systemd, 1.3.3) ## gen_tunable(systemd_tmpfiles_manage_all, false) +## +##

+## Allow systemd-nspawn to create a labelled namespace with the same types +## as parent environment +##

+##
+gen_tunable(systemd_nspawn_labeled_namespace, false) + attribute systemd_log_parse_env_type; type systemd_activate_t; @@ -45,6 +53,13 @@ domain_type(systemd_cgroups_t) domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t) role system_r types systemd_cgroups_t; +type systemd_notify_t; +type systemd_notify_exec_t; +init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) + +type systemd_journal_t; +files_type(systemd_journal_t) + type systemd_cgroups_var_run_t; files_pid_file(systemd_cgroups_var_run_t) init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups") @@ -57,6 +72,9 @@ type systemd_coredump_t; type systemd_coredump_exec_t; init_system_domain(systemd_coredump_t, systemd_coredump_exec_t) +type systemd_coredump_var_lib_t; +files_type(systemd_coredump_var_lib_t) + type systemd_detect_virt_t; type systemd_detect_virt_exec_t; init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t) @@ -85,9 +103,18 @@ type systemd_machined_t; type systemd_machined_exec_t; init_daemon_domain(systemd_machined_t, systemd_machined_exec_t) +type systemd_machined_var_run_t; +files_pid_file(systemd_machined_var_run_t) +init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines") + type systemd_nspawn_t; type systemd_nspawn_exec_t; init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) +kernel_unconfined(systemd_nspawn_t) + +type systemd_nspawn_var_run_t; +files_pid_file(systemd_nspawn_var_run_t) +init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) type systemd_resolved_t; type systemd_resolved_exec_t; @@ -108,6 +135,9 @@ type systemd_passwd_agent_t; type systemd_passwd_agent_exec_t; init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t) +type systemd_passwd_var_run_t; +files_pid_file(systemd_passwd_var_run_t) + type systemd_sessions_t; type systemd_sessions_exec_t; init_system_domain(systemd_sessions_t, systemd_sessions_exec_t) @@ -122,6 +152,12 @@ type systemd_kmod_conf_t; files_config_file(systemd_kmod_conf_t) init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t) +manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) +manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) +allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; +allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; +logging_log_file(systemd_journal_t) + # # Unit file types # @@ -140,29 +176,28 @@ dontaudit systemd_log_parse_env_type sel kernel_read_system_state(systemd_log_parse_env_type) dev_write_kmsg(systemd_log_parse_env_type) - -term_use_console(systemd_log_parse_env_type) - init_read_state(systemd_log_parse_env_type) - logging_send_syslog_msg(systemd_log_parse_env_type) +term_use_console(systemd_log_parse_env_type) ###################################### # # Backlight local policy # +allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms }; + allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms; -init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) - systemd_log_parse_environment(systemd_backlight_t) # Allow systemd-backlight to write to /sys/class/backlight/*/brightness dev_rw_sysfs(systemd_backlight_t) - +# for udev.conf files_read_etc_files(systemd_backlight_t) +init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir) +# for /run/udev/data/+backlight* udev_read_pid_files(systemd_backlight_t) ####################################### @@ -304,7 +339,6 @@ init_pid_filetrans(systemd_resolved_t, s kernel_read_crypto_sysctls(systemd_resolved_t) kernel_read_kernel_sysctls(systemd_resolved_t) -kernel_read_system_state(systemd_resolved_t) corenet_tcp_bind_generic_node(systemd_resolved_t) corenet_tcp_bind_llmnr_port(systemd_resolved_t) Index: refpolicy-2.20170220/policy/modules/system/systemd.fc =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/systemd.fc +++ refpolicy-2.20170220/policy/modules/system/systemd.fc @@ -7,6 +7,7 @@ /usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0) /usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0) /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0) @@ -32,14 +33,20 @@ /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) +/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0) -/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) -/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) +/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0) +/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) /run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0) + +/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) +/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) Index: refpolicy-2.20170220/policy/modules/system/unconfined.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/system/unconfined.if +++ refpolicy-2.20170220/policy/modules/system/unconfined.if @@ -587,3 +587,22 @@ interface(`unconfined_dbus_connect',` allow $1 unconfined_t:dbus acquire_svc; ') + +######################################## +## +## Do not audit attempts to read and write +## unconfined domain stream. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_rw_stream',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; +') Index: refpolicy-2.20170220/policy/modules/contrib/cron.if =================================================================== --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if +++ refpolicy-2.20170220/policy/modules/contrib/cron.if @@ -891,3 +891,22 @@ interface(`cron_admin',` files_search_spool($1) admin_pattern($1, cron_spool_type) ') + +######################################## +## +## Search the directory containing user cron tables. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_manage_system_spool',` + gen_require(` + type cron_system_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) +')