From: russell@coker.com.au (Russell Coker)
Date: Tue, 28 Feb 2017 21:30:03 +1100
Subject: [refpolicy] [PATCH] systemd-resolvd, sessions, and tmpfiles
Message-ID: <20170228103003.xqfjzdzso4tjph6g@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch goes after my patch for cgroups, hostnamed, and logind. It will probably mostly work without it but I only ever tested it after the previous patch.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker
Last-Update: 2017-02-28
Index: refpolicy-2.20170227/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170227/policy/modules/system/systemd.te
@@ -584,15 +670,13 @@ init_pid_filetrans(systemd_resolved_t, s
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
+auth_use_nsswitch(systemd_resolved_t)
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
-auth_use_nsswitch(systemd_resolved_t)
-
 seutil_read_file_contexts(systemd_resolved_t)
-
 systemd_log_parse_environment(systemd_resolved_t)
 optional_policy(`
@@ -604,9 +688,17 @@ optional_policy(`
 # Sessions local policy
 #
+allow systemd_sessions_t self:process setfscreate;
+
 allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
 files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+selinux_get_enforce_mode(systemd_sessions_t)
+selinux_get_fs_mount(systemd_sessions_t)
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+seutil_read_file_contexts(systemd_sessions_t)
+
 systemd_log_parse_environment(systemd_sessions_t)
 #########################################
@@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se
 # Tmpfiles local policy
 #
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
 manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
 allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+create_relabel_var_lib_log(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_create_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_list_home(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
 files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-auth_manage_var_auth(systemd_tmpfiles_t)
-auth_manage_login_records(systemd_tmpfiles_t)
-auth_relabel_login_records(systemd_tmpfiles_t)
-auth_setattr_login_records(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+init_manage_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+init_relabel_utmp(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_set_perms_syslogd_tmp(systemd_tmpfiles_t)
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
 # for /run/tmpfiles.d/kmod.conf
 modutils_read_var_run_files(systemd_tmpfiles_t)
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+seutil_read_config(systemd_tmpfiles_t)
 seutil_read_file_contexts(systemd_tmpfiles_t)
-
+sysnet_create_config(systemd_tmpfiles_t)
 systemd_log_parse_environment(systemd_tmpfiles_t)
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
 tunable_policy(`systemd_tmpfiles_manage_all',`
 # systemd-tmpfiles can be configured to manage anything.
 # have a last-resort option for users to do this.
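Review bot: The capability line now grants `sys_admin` and `net_admin` to systemd_tmpfiles_t without a comment naming the tmpfiles.d action that needs them, and `sys_admin` is the catch-all capability for which refpolicy normally expects a justification; if these only show up as audit denials from a probe that tmpfiles tolerates failing, a `dontaudit` is the usual choice rather than an allow. The hunk also adds `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` while the same two calls remain as context three lines below, so each rule is now stated twice and the older pair should be dropped as part of the reorder. Several new unconditional calls (`files_delete_usr_files`, `files_relabelfrom_home`/`files_relabelto_home`, `files_relabelto_etc_dirs`, `create_relabel_var_lib_log`, `sysnet_create_config`) give tmpfiles delete or relabel rights over /usr, /home, /etc, /var and network configuration regardless of the `systemd_tmpfiles_manage_all` tunable that the trailing context describes as the last-resort option for broad access; a per-rule comment naming the tmpfiles.d entry behind each grant, in the style of the existing `# for /etc/mtab` line, would make them reviewable and show which ones belong under the tunable instead.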
@@ -653,3 +785,16 @@ tunable_policy(`systemd_tmpfiles_manage_
 files_relabel_non_security_dirs(systemd_tmpfiles_t)
 files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
+
+optional_policy(`
+ dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xserver_create_console_pipes(systemd_tmpfiles_t)
+ xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xfs_create_dirs(systemd_tmpfiles_t)
+')
Index: refpolicy-2.20170227/policy/modules/contrib/xfs.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/contrib/xfs.if
+++ refpolicy-2.20170227/policy/modules/contrib/xfs.if
@@ -21,6 +21,25 @@ interface(`xfs_read_sockets',`
 ########################################
 ##
+## Create xfs temporary dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xfs_create_dirs',`
+ gen_require(`
+ type xfs_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xfs_tmp_t:dir create;
+')
+
+########################################
+##
 ## Connect to xfs with a unix
 ## domain stream socket.
 ##
Index: refpolicy-2.20170227/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170227/policy/modules/kernel/files.if
@@ -2760,6 +2760,24 @@ interface(`files_setattr_etc_dirs',`
 ########################################
 ##
+## relabel directories to etc_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir relabelto;
+')
+
+########################################
+##
 ## List the contents of /etc directories.
 ##
 ##
@@ -3811,6 +3829,24 @@ interface(`files_relabelto_home',`
 ########################################
 ##
+## Relabel from user home root (/home).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelfrom_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+##
 ## Create objects in /home.
 ##
 ##
@@ -5709,6 +5745,30 @@ interface(`files_search_var_lib',`
 ########################################
 ##
+## Create and label /var/lib and /var/log
+##
+##
+##

+## This allows programs to setup directories under /var
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`create_relabel_var_lib_log',`
+ gen_require(`
+ type var_t, var_lib_t, var_log_t;
+ ')
+
+ allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto manage_dir_perms };
+')
+
+########################################
+##
 ## Do not audit attempts to search the
 ## contents of /var/lib.
 ##
@@ -6528,6 +6588,27 @@ interface(`files_dontaudit_ioctl_all_pid
 ')
 ########################################
+##
+## create and manage all pidfile directories
+## in the /var/run directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_manage_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ type var_run_t;
+ ')
+
+ create_dirs_pattern($1,var_run_t,pidfile)
+ allow $1 pidfile:dir manage_dir_perms;
+')
+
+########################################
 ##
 ## manage all pidfile directories
 ## in the /var/run directory.
Index: refpolicy-2.20170227/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/init.if
+++ refpolicy-2.20170227/policy/modules/system/init.if
@@ -1120,6 +1161,24 @@ interface(`init_manage_var_lib_files',`
 ########################################
 ##
+## relabel dirs in /var/lib/systemd/.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_relabel_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+##
 ## Create files in /var/lib/systemd
 ## with an automatic type transition.
 ##
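Review bot: `interface(`create_relabel_var_lib_log',`' is the only new interface in this patch whose name lacks its module prefix; the convention followed by every neighbouring interface in files.if is a `files_` prefix, so it should be `files_create_relabel_var_lib_log` (with the matching rename of the call in systemd.te). The summary "Create and label /var/lib and /var/log" also undersells the rule: `manage_dir_perms` plus `relabelfrom relabelto` is granted on `var_t` itself as well as `var_lib_t` and `var_log_t`, which means creating, renaming and deleting any directory directly under /var, not only under /var/lib and /var/log. Either reword the summary to say `Create, delete, rename and relabel directories in /var, /var/lib and /var/log`, or drop `var_t` from the rule if the caller only needs the two subtrees; if /var itself is required, a comment saying which tmpfiles.d entry needs it would justify the wider grant.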
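Review bot: `create_dirs_pattern($1,var_run_t,pidfile)` omits the spaces after the commas that the other pattern calls in this patch and in files.if use; write `create_dirs_pattern($1, var_run_t, pidfile)`. The second rule, `allow $1 pidfile:dir manage_dir_perms;`, appears to duplicate the body of the existing `files_manage_all_pid_dirs` whose header is the context just below (its body is outside the hunk, so this is inferred); calling `files_manage_all_pid_dirs($1)` here instead of restating the rule would keep the two interfaces in step. A one-line comment explaining that the `create_dirs_pattern` on `var_run_t` is what allows new pidfile directories to be created directly under /var/run, which `manage_dir_perms` on the `pidfile` attribute alone does not cover, would make the pairing clear to the next reader.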
@@ -2519,6 +2687,24 @@ interface(`init_manage_utmp',`
 ########################################
 ##
+## relabel from/to utmp
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_relabel_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+##
 ## Create files in /var/run with the
 ## utmp file type.
 ##
Index: refpolicy-2.20170227/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170227/policy/modules/system/logging.if
@@ -1138,3 +1138,23 @@ interface(`logging_admin',`
 logging_admin_audit($1, $2)
 logging_admin_syslog($1, $2)
 ')
+
+########################################
+##
+## setattr for syslogd_tmp_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`logging_set_perms_syslogd_tmp',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto };
+')
+
Index: refpolicy-2.20170227/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20170227/policy/modules/system/miscfiles.if
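Review bot: The name `logging_set_perms_syslogd_tmp` and its summary "setattr for syslogd_tmp_t" describe only part of what the interface grants: the allow rule also gives `relabelfrom relabelto` on `syslogd_tmp_t` dirs and files, which is a separate privilege (changing the label on syslog's temporary files) that a caller reading the name would not expect. Either move the relabel permissions into their own `logging_relabel_syslogd_tmp` interface, or at minimum make the summary say `Set attributes on, and relabel to and from, syslogd_tmp_t dirs and files` so the generated documentation matches the rule. The parameter block also carries one more `##` line than the other new interfaces in this patch, which looks like a leftover from copy-editing and should be checked against the surrounding XML.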
@@ -558,6 +558,25 @@ interface(`miscfiles_delete_man_pages',`
 ########################################
 ##
+## relabel man cache
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_relabel_man_cache',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+ relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+##
 ## Create, read, write, and delete man pages
 ##
 ##
Index: refpolicy-2.20170227/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170227/policy/modules/system/userdomain.if
@@ -2902,6 +2902,24 @@ interface(`userdom_manage_user_runtime_r
 ########################################
 ##
+## relabel to/from user_runtime_root_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+##
 ## Create, read, write, and delete user
 ## runtime dirs.
 ##
Index: refpolicy-2.20170227/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170227/policy/modules/services/xserver.if
@@ -806,7 +806,7 @@ interface(`xserver_dbus_chat_xdm',`
 gen_require(`
 type xdm_t;
 class dbus send_msg;
- ')
+ ')
 allow $1 xdm_t:dbus send_msg;
 allow xdm_t $1:dbus send_msg;
@@ -1525,3 +1525,40 @@ interface(`xserver_unconfined',`
 typeattribute $1 x_domain;
 typeattribute $1 xserver_unconfined_type;
 ')
+
+
+########################################
+##
+## Create the X windows console named pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_create_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+##
+## Create xdm_tmp_t directories
+##
+##
+##
+## Domain to allow
+##
+##
+#
+interface(`xserver_create_xdm_tmp_dir',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir create;
+')
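Review bot: The parameter summary of `xserver_create_xdm_tmp_dir` reads `Domain to allow` while every other interface in this patch, including `xserver_create_console_pipes` directly above it, uses the standard `Domain allowed access.`; keep the standard wording so the generated interface documentation stays uniform. The new block is also introduced by two added blank lines after the closing `')` of `xserver_unconfined`, where the rest of the file separates interfaces with one. Both interfaces grant only `create`; if the tmpfiles.d entries that drive them (not visible here) also set mode or ownership on the fifo or directory, `setattr` will be the next denial, so it is worth confirming against the entry before merging rather than after the next audit run.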