From: russell@coker.com.au (Russell Coker) Date: Tue, 28 Feb 2017 20:45:14 +1100 Subject: [refpolicy] [PATCH] systemd cgroups, hostnamed, and logind patches Message-ID: <20170228094514.as4x5rynkthuysgh@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is the next in my set of systemd patches. Description: systemd-cgroups, hostnamed, and logind policy Author: Russell Coker Last-Update: 2017-02-28 Index: refpolicy-2.20170227/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20170227.orig/policy/modules/system/systemd.te +++ refpolicy-2.20170227/policy/modules/system/systemd.te @@ -197,15 +197,26 @@ fs_register_binary_executable_type(syste # Cgroups local policy # +allow systemd_cgroups_t self:capability net_admin; + kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) kernel_dgram_send(systemd_cgroups_t) -selinux_getattr_fs(systemd_cgroups_t) +# for /proc/cmdline +kernel_read_system_state(systemd_cgroups_t) + +# for /proc/1/environ +init_read_state(systemd_cgroups_t) + # write to /run/systemd/cgroups-agent init_dgram_send(systemd_cgroups_t) init_stream_connect(systemd_cgroups_t) +selinux_get_fs_mount(systemd_cgroups_t) +selinux_getattr_fs(systemd_cgroups_t) +seutil_read_config(systemd_cgroups_t) + systemd_log_parse_environment(systemd_cgroups_t) ###################################### @@ -253,15 +264,18 @@ seutil_search_default_contexts(systemd_c kernel_read_kernel_sysctls(systemd_hostnamed_t) +dev_read_sysfs(systemd_hostnamed_t) files_read_etc_files(systemd_hostnamed_t) - seutil_read_file_contexts(systemd_hostnamed_t) - systemd_log_parse_environment(systemd_hostnamed_t) optional_policy(` - dbus_system_bus_client(systemd_hostnamed_t) dbus_connect_system_bus(systemd_hostnamed_t) + dbus_system_bus_client(systemd_hostnamed_t) +') + +optional_policy(` + networkmanager_dbus_chat(systemd_hostnamed_t) ') ####################################### 
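Review bot: The new `allow systemd_cgroups_t self:capability net_admin;` at the top of the cgroups hunk carries no comment saying which operation needs it, unlike the `# for /proc/cmdline` and `# for /proc/1/environ` notes on the other additions in the same hunk. A capability grant, and net_admin in particular, is the kind of line a later auditor wants justified; if it came from an audit denial on setsockopt of the bus socket (SO_SNDBUFFORCE/SO_RCVBUFFORCE is the usual source for systemd helpers), the refpolicy convention is `dontaudit systemd_cgroups_t self:capability net_admin;` with a comment, since the helper typically works without it. If it is really required, add `# for <operation>` above the allow so the reason is recorded. Also note that `init_read_state` grants read on more of init's /proc state than `/proc/1/environ`, so the comment should not imply the access is narrower than the interface actually grants.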
@@ -305,62 +319,119 @@ logging_send_syslog_msg(systemd_log_pars # Logind local policy # -allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config }; -allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config }; +allow systemd_logind_t self:process { getcap setfscreate }; allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; allow systemd_logind_t self:unix_dgram_socket create_socket_perms; allow systemd_logind_t self:fifo_file rw_fifo_file_perms; -allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms; -init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) - +allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms; +allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms; +allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms; manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) -files_search_pids(systemd_logind_t) +allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms; +domain_obj_id_change_exemption(systemd_logind_t) kernel_read_kernel_sysctls(systemd_logind_t) auth_manage_faillog(systemd_logind_t) - -dev_rw_sysfs(systemd_logind_t) -dev_rw_input_dev(systemd_logind_t) dev_getattr_dri_dev(systemd_logind_t) -dev_setattr_dri_dev(systemd_logind_t) +dev_getattr_kvm_dev(systemd_logind_t) dev_getattr_sound_dev(systemd_logind_t) +dev_manage_wireless(systemd_logind_t) +dev_read_urand(systemd_logind_t) +dev_rw_dri(systemd_logind_t) +dev_rw_input_dev(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) +dev_setattr_kvm_dev(systemd_logind_t) dev_setattr_sound_dev(systemd_logind_t) - files_read_etc_files(systemd_logind_t) +files_search_pids(systemd_logind_t) 
-fs_read_efivarfs_files(systemd_logind_t) - +fs_getattr_cgroup(systemd_logind_t) fs_getattr_tmpfs(systemd_logind_t) +fs_getattr_tmpfs_dirs(systemd_logind_t) +fs_list_tmpfs(systemd_logind_t) +fs_mount_tmpfs(systemd_logind_t) +fs_read_cgroup_files(systemd_logind_t) +fs_read_efivarfs_files(systemd_logind_t) +fs_relabelfrom_tmpfs_dir(systemd_logind_t) +fs_unmount_tmpfs(systemd_logind_t) -storage_getattr_removable_dev(systemd_logind_t) -storage_setattr_removable_dev(systemd_logind_t) -storage_getattr_scsi_generic_dev(systemd_logind_t) -storage_setattr_scsi_generic_dev(systemd_logind_t) - -term_use_unallocated_ttys(systemd_logind_t) - +init_dbus_send_script(systemd_logind_t) init_get_all_units_status(systemd_logind_t) +init_get_system_status(systemd_logind_t) +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit") +init_service_start(systemd_logind_t) +init_service_status(systemd_logind_t) init_start_all_units(systemd_logind_t) init_stop_all_units(systemd_logind_t) -init_service_status(systemd_logind_t) -init_service_start(systemd_logind_t) - +init_start_system(systemd_logind_t) +init_stop_system(systemd_logind_t) +init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) locallogin_read_state(systemd_logind_t) -systemd_log_parse_environment(systemd_logind_t) +selinux_get_enforce_mode(systemd_logind_t) +selinux_get_fs_mount(systemd_logind_t) +seutil_read_config(systemd_logind_t) +seutil_read_default_contexts(systemd_logind_t) +seutil_read_file_contexts(systemd_logind_t) +storage_getattr_removable_dev(systemd_logind_t) +storage_getattr_scsi_generic_dev(systemd_logind_t) +storage_setattr_removable_dev(systemd_logind_t) +storage_setattr_scsi_generic_dev(systemd_logind_t) systemd_start_power_units(systemd_logind_t) +systemd_log_parse_environment(systemd_logind_t) + +term_setattr_unallocated_ttys(systemd_logind_t) +term_use_unallocated_ttys(systemd_logind_t) +udev_list_pids(systemd_logind_t) udev_read_db(systemd_logind_t) 
udev_read_pid_files(systemd_logind_t) +userdom_manage_tmp_role(system_r, systemd_logind_t) +userdom_manage_tmpfs_role(system_r, systemd_logind_t) +userdom_manage_user_runtime_dirs(systemd_logind_t) +userdom_manage_user_runtime_root_dirs(systemd_logind_t) +userdom_mounton_user_runtime_dirs(systemd_logind_t) +userdom_read_all_users_state(systemd_logind_t) +userdom_relabel_user_tmpfs_files(systemd_logind_t) +userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) +userdom_relabelto_user_runtime_dirs(systemd_logind_t) +userdom_setattr_user_ttys(systemd_logind_t) +userdom_unlink_user_runtime_files(systemd_logind_t) userdom_use_user_ttys(systemd_logind_t) optional_policy(` - dbus_system_bus_client(systemd_logind_t) dbus_connect_system_bus(systemd_logind_t) + dbus_system_bus_client(systemd_logind_t) +') + +optional_policy(` + networkmanager_dbus_chat(systemd_logind_t) +') + +optional_policy(` + devicekit_dbus_chat_power(systemd_logind_t) +') + +optional_policy(` + policykit_dbus_chat(systemd_logind_t) +') + +optional_policy(` + read_xserver_files(systemd_logind_t) + relabelto_setattr_xconsole_pipes(systemd_tmpfiles_t) + xserver_dbus_chat(systemd_logind_t) + xserver_dbus_chat_xdm(systemd_logind_t) + xserver_read_xdm_state(systemd_logind_t) +') + +optional_policy(` + unconfined_dbus_send(systemd_logind_t) ') ######################################### Index: refpolicy-2.20170227/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20170227.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20170227/policy/modules/kernel/devices.if 
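Review bot: `relabelto_setattr_xconsole_pipes(systemd_tmpfiles_t)` sits inside a logind `optional_policy` block in which every other line targets `systemd_logind_t`; a rule for `systemd_tmpfiles_t` belongs in the tmpfiles section (outside this hunk) so the section heading and its grants agree. The same hunk widens `self:capability` with `sys_admin` and adds `setfscreate` plus `domain_obj_id_change_exemption` without comment; given the new `fs_mount_tmpfs`/`fs_unmount_tmpfs` and `userdom_mounton_user_runtime_dirs` lines, `sys_admin` is presumably for mounting the per-user runtime tmpfs and `setfscreate` with the `seutil_read_*_contexts` reads for labelling it, but the policy should say so, e.g. `# sys_admin: mount/umount of per-user runtime tmpfs` and `# setfscreate + obj_id exemption: create user runtime dir with the user's context`. Because `sys_admin` is one of the broadest capabilities, confirming from the audit log that a narrower grant does not suffice before committing it is worthwhile. The logind section continues beyond the end of this hunk.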
@@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',` ######################################## ## +## manage the wireless device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_wireless',` + gen_require(` + type device_t, wireless_device_t; + ') + + manage_chr_files_pattern($1, device_t, wireless_device_t) +') + +######################################## +## ## Read and write Xen devices. ## ## Index: refpolicy-2.20170227/policy/modules/kernel/filesystem.if =================================================================== --- refpolicy-2.20170227.orig/policy/modules/kernel/filesystem.if +++ refpolicy-2.20170227/policy/modules/kernel/filesystem.if @@ -4069,6 +4069,24 @@ interface(`fs_relabelfrom_tmpfs',` ######################################## ## +## Relabel from tmpfs_t dir +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabelfrom_tmpfs_dir',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir relabelfrom; +') + +######################################## +## ## Get the attributes of tmpfs directories. ## ## Index: refpolicy-2.20170227/policy/modules/system/udev.if =================================================================== --- refpolicy-2.20170227.orig/policy/modules/system/udev.if +++ refpolicy-2.20170227/policy/modules/system/udev.if 
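Review bot: `dev_manage_wireless` grants `manage_chr_files_pattern`, i.e. create, unlink, rename and setattr on `wireless_device_t` nodes under `/dev`, while the adjacent `dev_rw_wireless` shown in the hunk context already exists for read/write. The only caller this patch adds is logind, whose rfkill handling presumably needs open/read/write on the device rather than the ability to create or remove device nodes; unless an audit log shows otherwise, `dev_rw_wireless(systemd_logind_t)` would be the least-privilege choice and the new interface could be dropped. If the manage form really is needed, state which operation requires it in the summary, which should also be capitalised and end with a period like the surrounding interfaces: `## Create, read, write, and delete the wireless device nodes.`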
@@ -282,6 +282,25 @@ interface(`udev_search_pids',` ######################################## ## +## list udev pid content +## +## +## +## Domain allowed access. +## +## +# +interface(`udev_list_pids',` + gen_require(` + type udev_var_run_t; + ') + + files_search_pids($1) + allow $1 udev_var_run_t:dir list_dir_perms; +') + +######################################## +## ## Create, read, write, and delete ## udev pid directories ## Index: refpolicy-2.20170227/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20170227/policy/modules/system/userdomain.if @@ -2824,6 +2824,26 @@ interface(`userdom_read_user_tmpfs_files ######################################## ## +## relabel to/from user tmpfs files type +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabel_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom }; + allow $1 user_tmpfs_t:file { relabelto relabelfrom }; + fs_search_tmpfs($1) +') + +######################################## +## ## Search users runtime directories. ## ## 
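Review bot: In the userdomain.if hunk, `userdom_relabel_user_tmpfs_files` grants `relabelto` and `relabelfrom` on `user_tmpfs_t` for both `dir` and `file`, plus `list_dir_perms` on the directories, but its name says only "files" and the summary reads "relabel to/from user tmpfs files type"; a reader checking what a caller may do to user tmpfs directories would miss the dir grant. Either split the directory part into a separate `userdom_relabel_user_tmpfs_dirs`, consistent with how `userdom_relabelfrom_user_runtime_dirs` and `userdom_relabelto_user_runtime_dirs` are kept separate elsewhere in this patch, or name both classes in the summary: `## Relabel to and from user tmpfs files and directories.` Relabelto onto a user-owned type is the direction that matters for confidentiality, since content previously labelled otherwise becomes accessible under the user type, so the combined effect should at least be visible in the documentation.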
@@ -2938,6 +2958,42 @@ interface(`userdom_relabelto_user_runtim ') ######################################## +## +## Relabel from user runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabelfrom_user_runtime_dirs',` + gen_require(` + type user_runtime_t; + ') + + allow $1 user_runtime_t:dir relabelfrom; +') + +######################################## +## +## unlink user runtime files +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_unlink_user_runtime_files',` + gen_require(` + type user_runtime_t; + ') + + allow $1 user_runtime_t:file unlink; +') + +######################################## ## ## Create objects in the pid directory ## with an automatic type transition to Index: refpolicy-2.20170227/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20170227.orig/policy/modules/services/xserver.if +++ refpolicy-2.20170227/policy/modules/services/xserver.if @@ -682,6 +682,24 @@ interface(`xserver_setattr_console_pipes ######################################## ## +## Label the X windows console named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`relabelto_setattr_xconsole_pipes',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto setattr }; +') + +######################################## +## ## Read and write the X windows console named pipe. ## ## @@ -1331,6 +1349,25 @@ interface(`xserver_kill',` ######################################## ## +## Allow reading xserver_t files to get cgroup and sessionid +## +## +## +## Domain allowed access. +## +## +# +interface(`read_xserver_files',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:dir search; + allow $1 xserver_t:file read_file_perms; +') + +######################################## +## ## Read and write X server Sys V Shared ## memory segments. ## 
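Review bot: The two new xserver.if interfaces `relabelto_setattr_xconsole_pipes` and `read_xserver_files` lack the `xserver_` module prefix that every other interface in the file carries (see `xserver_setattr_console_pipes` and `xserver_kill` in the hunk context); the prefix is a refpolicy convention and is what lets an `optional_policy` block be read as a module dependency. Names such as `xserver_relabel_console_pipes` and `xserver_read_state` would fit, the latter because `allow $1 xserver_t:dir search; allow $1 xserver_t:file read_file_perms;` is the same /proc process-state pattern as `init_read_state` and `locallogin_read_state` used in this patch; the callers in systemd.te would need the same rename. The summary "Label the X windows console named pipes." understates the rule, which also grants `relabelfrom` and `getattr`; `## Relabel and set attributes of the X windows console named pipes.` would match what is allowed. In the userdomain.if hunk on this line, the summary of `userdom_unlink_user_runtime_files` could follow the capitalised-sentence style of `Relabel from user runtime directories.` just above it.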
@@ -1426,6 +1463,25 @@ interface(`xserver_read_tmp_files',` ') ######################################## +## +## talk to xserver_t by dbus +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dbus_chat',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:dbus send_msg; + allow xserver_t $1:dbus send_msg; +') + +######################################## ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the
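Review bot: `xserver_dbus_chat` is summarised as "talk to xserver_t by dbus", but the second rule `allow xserver_t $1:dbus send_msg;` makes it bidirectional, so the X server also gains the right to message the caller; the summary should say so, in the wording other `*_dbus_chat` interfaces use: `## Send and receive messages from the X server over dbus.` Since systemd.te also calls `xserver_dbus_chat_xdm` for the same domain, a clause in the summary distinguishing the X server domain from the display manager would help readers pick the right one.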