From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 25 Feb 2017 09:37:32 -0500
Subject: [refpolicy] [PATCH] reorder systemd and add some policy
In-Reply-To: <20170224104540.lyektyqpk5alkhg6@athena.coker.com.au>
References: <20170224104540.lyektyqpk5alkhg6@athena.coker.com.au>
Message-ID: <11a85d3f-fcb8-8525-1dd1-635ea8450ebe@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/24/17 05:45, Russell Coker via refpolicy wrote:
> The following patch reorders systemd.te to have all the module policy sections
> in alphabetical order and to add policy for coredump, hostnamed, machined,
> notify, and passwd_agent.  It also adds some interfaces needed by the added
> policy.

I merged this, though moved some stuff and renamed an interface.  I 
dropped one piece, the one with init_var_run_t service status.  I 
believe these are transient units, and I think they should probably have 
a new type (you asked the question in a comment in the patch)

> Index: refpolicy-2.20170224/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170224/policy/modules/system/systemd.te
> @@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
>
>  ######################################
>  #
> -# systemd log parse enviroment
> -#
> -
> -# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> -dontaudit systemd_log_parse_env_type self:capability net_admin;
> -
> -kernel_read_system_state(systemd_log_parse_env_type)
> -
> -dev_write_kmsg(systemd_log_parse_env_type)
> -
> -term_use_console(systemd_log_parse_env_type)
> -
> -init_read_state(systemd_log_parse_env_type)
> -
> -logging_send_syslog_msg(systemd_log_parse_env_type)
> -
> -######################################
> -#
>  # Backlight local policy
>  #
>
> @@ -226,6 +208,55 @@ init_stream_connect(systemd_cgroups_t)
>
>  systemd_log_parse_environment(systemd_cgroups_t)
>
> +######################################
> +#
> +# coredump local policy
> +#
> +
> +allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
> +allow systemd_coredump_t self:capability { setgid setuid setpcap };
> +allow systemd_coredump_t self:process { getcap setcap setfscreate };
> +
> +manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
> +
> +kernel_read_kernel_sysctls(systemd_coredump_t)
> +kernel_read_system_state(systemd_coredump_t)
> +kernel_rw_pipes(systemd_coredump_t)
> +kernel_use_fds(systemd_coredump_t)
> +
> +corecmd_exec_bin(systemd_coredump_t)
> +corecmd_read_all_executables(systemd_coredump_t)
> +dev_write_kmsg(systemd_coredump_t)
> +files_read_etc_files(systemd_coredump_t)
> +files_search_var_lib(systemd_coredump_t)
> +fs_getattr_xattr_fs(systemd_coredump_t)
> +logging_send_syslog_msg(systemd_coredump_t)
> +init_list_var_lib_dirs(systemd_coredump_t)
> +init_read_state(systemd_coredump_t)
> +init_search_pid_dirs(systemd_coredump_t)
> +init_write_pid_socket(systemd_coredump_t)
> +selinux_getattr_fs(systemd_coredump_t)
> +seutil_search_default_contexts(systemd_coredump_t)
> +
> +
> +#######################################
> +#
> +# Hostnamed policy
> +#
> +
> +kernel_read_kernel_sysctls(systemd_hostnamed_t)
> +
> +files_read_etc_files(systemd_hostnamed_t)
> +
> +seutil_read_file_contexts(systemd_hostnamed_t)
> +
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
> +optional_policy(`
> +	dbus_system_bus_client(systemd_hostnamed_t)
> +	dbus_connect_system_bus(systemd_hostnamed_t)
> +')
> +
>  #######################################
>  #
>  # locale local policy
> @@ -244,23 +275,23 @@ optional_policy(`
>  	dbus_system_bus_client(systemd_locale_t)
>  ')
>
> -#######################################
> +######################################
>  #
> -# Hostnamed policy
> +# systemd log parse enviroment
>  #
>
> -kernel_read_kernel_sysctls(systemd_hostnamed_t)
> +# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
>
> -files_read_etc_files(systemd_hostnamed_t)
> +kernel_read_system_state(systemd_log_parse_env_type)
>
> -seutil_read_file_contexts(systemd_hostnamed_t)
> +dev_write_kmsg(systemd_log_parse_env_type)
>
> -systemd_log_parse_environment(systemd_hostnamed_t)
> +term_use_console(systemd_log_parse_env_type)
>
> -optional_policy(`
> -	dbus_system_bus_client(systemd_hostnamed_t)
> -	dbus_connect_system_bus(systemd_hostnamed_t)
> -')
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
>
>  #########################################
>  #
> @@ -325,6 +356,66 @@ optional_policy(`
>  	dbus_connect_system_bus(systemd_logind_t)
>  ')
>
> +#########################################
> +#
> +# machined local policy
> +#
> +
> +allow systemd_machined_t self:capability sys_ptrace;
> +allow systemd_machined_t self:process setfscreate;
> +allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
> +
> +manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
> +allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
> +
> +kernel_read_kernel_sysctls(systemd_machined_t)
> +kernel_read_system_state(systemd_machined_t)
> +
> +files_read_etc_files(systemd_machined_t)
> +fs_getattr_cgroup(systemd_machined_t)
> +fs_getattr_tmpfs(systemd_machined_t)
> +init_get_system_status(systemd_machined_t)
> +init_read_state(systemd_machined_t)
> +init_service_start(systemd_machined_t)
> +init_service_status(systemd_machined_t)
> +init_start_system(systemd_machined_t)
> +init_stop_system(systemd_machined_t)
> +logging_send_syslog_msg(systemd_machined_t)
> +
> +read_initrc_files(systemd_machined_t)
> +
> +selinux_getattr_fs(systemd_machined_t)
> +seutil_search_default_contexts(systemd_machined_t)
> +start_stop_init_var_run_service(systemd_machined_t)
> +
> +optional_policy(`
> +	dbus_connect_system_bus(systemd_machined_t)
> +	dbus_system_bus_client(systemd_machined_t)
> +')
> +
> +optional_policy(`
> +	init_dbus_chat(systemd_machined_t)
> +	init_dbus_send_script(systemd_machined_t)
> +')
> +
> +########################################
> +#
> +# systemd_notify local policy
> +#
> +allow systemd_notify_t self:capability chown;
> +allow systemd_notify_t self:process { fork setfscreate setsockcreate };
> +
> +allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
> +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
> +
> +auth_use_nsswitch(systemd_notify_t)
> +domain_use_interactive_fds(systemd_notify_t)
> +files_read_etc_files(systemd_notify_t)
> +files_read_usr_files(systemd_notify_t)
> +fs_getattr_cgroup_files(systemd_notify_t)
> +init_rw_stream_sockets(systemd_notify_t)
> +miscfiles_read_localization(systemd_notify_t)
> +
>  ########################################
>  #
>  # Nspawn local policy
> @@ -332,6 +423,57 @@ optional_policy(`
>
>  init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>
> +#######################################
> +#
> +# systemd_passwd_agent_t local policy
> +#
> +
> +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
> +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
> +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
> +
> +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
> +
> +kernel_read_system_state(systemd_passwd_agent_t)
> +kernel_stream_connect(systemd_passwd_agent_t)
> +
> +auth_use_nsswitch(systemd_passwd_agent_t)
> +dev_create_generic_dirs(systemd_passwd_agent_t)
> +dev_read_generic_files(systemd_passwd_agent_t)
> +dev_write_generic_sock_files(systemd_passwd_agent_t)
> +dev_write_kmsg(systemd_passwd_agent_t)
> +files_read_etc_files(systemd_passwd_agent_t)
> +fs_getattr_xattr_fs(systemd_passwd_agent_t)
> +init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
> +init_create_pid_dirs(systemd_passwd_agent_t)
> +init_read_pid_pipes(systemd_passwd_agent_t)
> +init_read_state(systemd_passwd_agent_t)
> +init_read_utmp(systemd_passwd_agent_t)
> +init_stream_connect(systemd_passwd_agent_t)
> +logging_send_syslog_msg(systemd_passwd_agent_t)
> +miscfiles_read_localization(systemd_passwd_agent_t)
> +
> +selinux_get_enforce_mode(systemd_passwd_agent_t)
> +selinux_getattr_fs(systemd_passwd_agent_t)
> +seutil_search_default_contexts(systemd_passwd_agent_t)
> +
> +term_read_console(systemd_passwd_agent_t)
> +userdom_use_user_ptys(systemd_passwd_agent_t)
> +
> +optional_policy(`
> +	lvm_signull(systemd_passwd_agent_t)
> +')
> +
> +optional_policy(`
> +	plymouthd_stream_connect(systemd_passwd_agent_t)
> +')
> +
> +optional_policy(`
> +	getty_use_fds(systemd_passwd_agent_t)
> +')
>
>  #########################################
>  #
> Index: refpolicy-2.20170224/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170224/policy/modules/system/init.if
> @@ -593,6 +593,25 @@ interface(`init_daemon_run_dir',`
>
>  ########################################
>  ## <summary>
> +##      Read initrc_t files for /proc/pid/cgroup etc
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      domain
> +##      </summary>
> +## </param>
> +#
> +interface(`read_initrc_files',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:dir search;
> +	allow $1 initrc_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute init (/sbin/init) with a domain transition.
>  ## </summary>
>  ## <param name="domain">
> @@ -733,6 +752,26 @@ interface(`init_stream_connect',`
>  	allow $1 init_t:unix_stream_socket getattr;
>  ')
>
> +#######################################
> +## <summary>
> +##  Start and stop a service file under /run/systemd/system
> +##  Should we have a different type for this?
> +## </summary>
> +## <param name="domain">
> +##  <summary>
> +##  Domain allowed access.
> +##  </summary>
> +## </param>
> +#
> +interface(`start_stop_init_var_run_service',`
> +	gen_require(`
> +		type init_var_run_t;
> +		class service { start status stop };
> +	')
> +
> +	allow $1 init_var_run_t:service { start status stop };
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Inherit and use file descriptors from init.
> @@ -1101,6 +1140,24 @@ interface(`init_manage_var_lib_files',`
>  ')
>
>  ########################################
> +## <summary>
> +##      list /var/lib/systemd/ dir
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`init_list_var_lib_dirs',`
> +	gen_require(`
> +		type init_var_lib_t;
> +	')
> +
> +	allow $1 init_var_lib_t:dir list_dir_perms;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Create files in /var/lib/systemd
>  ##	with an automatic type transition.
> Index: refpolicy-2.20170224/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170224/policy/modules/kernel/filesystem.if
> @@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
>
>  ########################################
>  ## <summary>
> +##     Get attributes of cgroup files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`fs_getattr_cgroup_files',`
> +	gen_require(`
> +		type cgroup_t;
> +	')
> +
> +	getattr_files_pattern($1, cgroup_t, cgroup_t)
> +	fs_search_tmpfs($1)
> +	dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
>  ##	Read cgroup files.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20170224/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170224/policy/modules/kernel/devices.if
> @@ -481,6 +481,24 @@ interface(`dev_getattr_generic_blk_files
>
>  ########################################
>  ## <summary>
> +##     write generic sock files in /dev.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain to not audit.
> +##     </summary>
> +## </param>
> +#
> +interface(`dev_write_generic_sock_files',`
> +	gen_require(`
> +		type device_t;
> +	')
> +
> +	write_sock_files_pattern($1, device_t, device_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Dontaudit getattr on generic block devices.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20170224/policy/modules/system/lvm.if
> ===================================================================
> --- refpolicy-2.20170224.orig/policy/modules/system/lvm.if
> +++ refpolicy-2.20170224/policy/modules/system/lvm.if
> @@ -205,3 +205,21 @@ interface(`lvm_admin',`
>  	files_search_tmp($1)
>  	admin_pattern($1, lvm_tmp_t)
>  ')
> +
> +########################################
> +## <summary>
> +##      Send lvm a null signal.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`lvm_signull',`
> +	gen_require(`
> +		type lvm_t;
> +	')
> +
> +	allow $1 lvm_t:process signull;
> +')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito