From: russell@coker.com.au (Russell Coker)
Date: Fri, 24 Feb 2017 21:45:40 +1100
Subject: [refpolicy] [PATCH] reorder systemd and add some policy
Message-ID: <20170224104540.lyektyqpk5alkhg6@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
The following patch reorders systemd.te to have all the module policy sections
in alphabetical order and to add policy for coredump, hostnamed, machined,
notify, and passwd_agent. It also adds some interfaces needed by the added
policy.
Index: refpolicy-2.20170224/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170224/policy/modules/system/systemd.te
@@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
######################################
#
-# systemd log parse enviroment
-#
-
-# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
-dontaudit systemd_log_parse_env_type self:capability net_admin;
-
-kernel_read_system_state(systemd_log_parse_env_type)
-
-dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
-init_read_state(systemd_log_parse_env_type)
-
-logging_send_syslog_msg(systemd_log_parse_env_type)
-
-######################################
-#
# Backlight local policy
#
@@ -226,6 +208,55 @@ init_stream_connect(systemd_cgroups_t)
systemd_log_parse_environment(systemd_cgroups_t)
+######################################
+#
+# coredump local policy
+#
+
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
+
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
+
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+kernel_use_fds(systemd_coredump_t)
+
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+dev_write_kmsg(systemd_coredump_t)
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+fs_getattr_xattr_fs(systemd_coredump_t)
+logging_send_syslog_msg(systemd_coredump_t)
+init_list_var_lib_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_search_pid_dirs(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+selinux_getattr_fs(systemd_coredump_t)
+seutil_search_default_contexts(systemd_coredump_t)
+
+
+#######################################
+#
+# Hostnamed policy
+#
+
+kernel_read_kernel_sysctls(systemd_hostnamed_t)
+
+files_read_etc_files(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+systemd_log_parse_environment(systemd_hostnamed_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_hostnamed_t)
+ dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
#######################################
#
# locale local policy
@@ -244,23 +275,23 @@ optional_policy(`
dbus_system_bus_client(systemd_locale_t)
')
-#######################################
+######################################
#
-# Hostnamed policy
+# systemd log parse enviroment
#
-kernel_read_kernel_sysctls(systemd_hostnamed_t)
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
-files_read_etc_files(systemd_hostnamed_t)
+kernel_read_system_state(systemd_log_parse_env_type)
-seutil_read_file_contexts(systemd_hostnamed_t)
+dev_write_kmsg(systemd_log_parse_env_type)
-systemd_log_parse_environment(systemd_hostnamed_t)
+term_use_console(systemd_log_parse_env_type)
-optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
- dbus_connect_system_bus(systemd_hostnamed_t)
-')
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
#########################################
#
@@ -325,6 +356,66 @@ optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
')
+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+kernel_read_kernel_sysctls(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+fs_getattr_cgroup(systemd_machined_t)
+fs_getattr_tmpfs(systemd_machined_t)
+init_get_system_status(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+init_start_system(systemd_machined_t)
+init_stop_system(systemd_machined_t)
+logging_send_syslog_msg(systemd_machined_t)
+
+read_initrc_files(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+seutil_search_default_contexts(systemd_machined_t)
+start_stop_init_var_run_service(systemd_machined_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_machined_t)
+ dbus_system_bus_client(systemd_machined_t)
+')
+
+optional_policy(`
+ init_dbus_chat(systemd_machined_t)
+ init_dbus_send_script(systemd_machined_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { fork setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+auth_use_nsswitch(systemd_notify_t)
+domain_use_interactive_fds(systemd_notify_t)
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+fs_getattr_cgroup_files(systemd_notify_t)
+init_rw_stream_sockets(systemd_notify_t)
+miscfiles_read_localization(systemd_notify_t)
+
########################################
#
# Nspawn local policy
@@ -332,6 +423,57 @@ optional_policy(`
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+files_read_etc_files(systemd_passwd_agent_t)
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pid_pipes(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+logging_send_syslog_msg(systemd_passwd_agent_t)
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ getty_use_fds(systemd_passwd_agent_t)
+')
#########################################
#
Index: refpolicy-2.20170224/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/init.if
+++ refpolicy-2.20170224/policy/modules/system/init.if
@@ -593,6 +593,25 @@ interface(`init_daemon_run_dir',`
########################################
##
+## Read initrc_t files for /proc/pid/cgroup etc
+##
+##
+##
+## domain
+##
+##
+#
+interface(`read_initrc_files',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:dir search;
+ allow $1 initrc_t:file read_file_perms;
+')
+
+########################################
+##
## Execute init (/sbin/init) with a domain transition.
##
##
@@ -733,6 +752,26 @@ interface(`init_stream_connect',`
allow $1 init_t:unix_stream_socket getattr;
')
+#######################################
+##
+## Start and stop a service file under /run/systemd/system
+## Should we have a different type for this?
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`start_stop_init_var_run_service',`
+ gen_require(`
+ type init_var_run_t;
+ class service { start status stop };
+ ')
+
+ allow $1 init_var_run_t:service { start status stop };
+')
+
########################################
##
## Inherit and use file descriptors from init.
@@ -1101,6 +1140,24 @@ interface(`init_manage_var_lib_files',`
')
########################################
+##
+## list /var/lib/systemd/ dir
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_list_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir list_dir_perms;
+')
+
+########################################
##
## Create files in /var/lib/systemd
## with an automatic type transition.
Index: refpolicy-2.20170224/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170224/policy/modules/kernel/filesystem.if
@@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
########################################
##
+## Get attributes of cgroup files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ getattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+##
## Read cgroup files.
##
##
Index: refpolicy-2.20170224/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170224/policy/modules/kernel/devices.if
@@ -481,6 +481,24 @@ interface(`dev_getattr_generic_blk_files
########################################
##
+## write generic sock files in /dev.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_write_generic_sock_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+##
## Dontaudit getattr on generic block devices.
##
##
Index: refpolicy-2.20170224/policy/modules/system/lvm.if
===================================================================
--- refpolicy-2.20170224.orig/policy/modules/system/lvm.if
+++ refpolicy-2.20170224/policy/modules/system/lvm.if
@@ -205,3 +205,21 @@ interface(`lvm_admin',`
files_search_tmp($1)
admin_pattern($1, lvm_tmp_t)
')
+
+########################################
+##
+## Send lvm a null signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lvm_signull',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:process signull;
+')