From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 4 Mar 2017 07:15:08 -0500 Subject: [refpolicy] [PATCH] systemd-resolvd, sessions, and tmpfiles In-Reply-To: <20170228103003.xqfjzdzso4tjph6g@athena.coker.com.au> References: <20170228103003.xqfjzdzso4tjph6g@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/28/17 05:30, Russell Coker via refpolicy wrote: > This patch goes after my patch for cgroups, hostnamed, and logind. It will > probably mostly work without it but I only ever tested it after the previous > patch. A few trivial things. > Description: systemd-resolved, sessions, and tmpfiles patches > Author: Russell Coker > Last-Update: 2017-02-28 > > Index: refpolicy-2.20170227/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20170227/policy/modules/system/systemd.te > @@ -584,15 +670,13 @@ init_pid_filetrans(systemd_resolved_t, s > kernel_read_crypto_sysctls(systemd_resolved_t) > kernel_read_kernel_sysctls(systemd_resolved_t) > > +auth_use_nsswitch(systemd_resolved_t) > corenet_tcp_bind_generic_node(systemd_resolved_t) > corenet_tcp_bind_llmnr_port(systemd_resolved_t) > corenet_udp_bind_generic_node(systemd_resolved_t) > corenet_udp_bind_llmnr_port(systemd_resolved_t) > > -auth_use_nsswitch(systemd_resolved_t) > - > seutil_read_file_contexts(systemd_resolved_t) > - > systemd_log_parse_environment(systemd_resolved_t) > > optional_policy(` 
> @@ -604,9 +688,17 @@ optional_policy(`
> # Sessions local policy
> #
>
> +allow systemd_sessions_t self:process setfscreate;
> +
> allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> +selinux_get_enforce_mode(systemd_sessions_t)
> +selinux_get_fs_mount(systemd_sessions_t)
> +seutil_read_config(systemd_sessions_t)
> +seutil_read_default_contexts(systemd_sessions_t)
> +seutil_read_file_contexts(systemd_sessions_t)
> +
> systemd_log_parse_environment(systemd_sessions_t)
>
> #########################################
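Review bot: `allow systemd_sessions_t self:process setfscreate;` is added without a comment saying why systemd-sessions needs to pick the label of the files it creates; the `seutil_read_default_contexts`/`seutil_read_file_contexts` lines added in the same hunk suggest it looks the label up from the contexts files, but that is inferred, not shown. A one-line `# sets the file creation context for the files it writes under /run — confirm` above the rule, in the style of the existing `# for /etc/mtab` comments in this file, would spare the next reader the guess. For the record, setfscreate alone does not let the domain create objects of arbitrary types (each target type still needs its own create rule), so the rule is narrower than it first looks, which is exactly the kind of thing the comment should say. The `# Sessions local policy` block continues past the end of the hunk.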
> @@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se > # Tmpfiles local policy > # > > -allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod }; > +allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin }; > allow systemd_tmpfiles_t self:process { setfscreate getcap }; > > +allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms }; > + > +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms }; > +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms; > + > manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) > manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) > allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; > allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; > > kernel_read_kernel_sysctls(systemd_tmpfiles_t) > +kernel_read_network_state(systemd_tmpfiles_t) > > +auth_manage_faillog(systemd_tmpfiles_t) > +auth_manage_login_records(systemd_tmpfiles_t) > +auth_manage_var_auth(systemd_tmpfiles_t) > +auth_relabel_login_records(systemd_tmpfiles_t) > +auth_setattr_login_records(systemd_tmpfiles_t) > +create_relabel_var_lib_log(systemd_tmpfiles_t) > +dev_manage_all_dev_nodes(systemd_tmpfiles_t) > +dev_read_urand(systemd_tmpfiles_t) > dev_relabel_all_sysfs(systemd_tmpfiles_t) > dev_read_urand(systemd_tmpfiles_t) > dev_manage_all_dev_nodes(systemd_tmpfiles_t) > > +files_create_lock_dirs(systemd_tmpfiles_t) > +files_create_manage_all_pid_dirs(systemd_tmpfiles_t) > +files_delete_usr_files(systemd_tmpfiles_t) > +files_list_home(systemd_tmpfiles_t) > +files_manage_generic_tmp_dirs(systemd_tmpfiles_t) > +files_purge_tmp(systemd_tmpfiles_t) > files_read_etc_files(systemd_tmpfiles_t) > files_relabel_all_lock_dirs(systemd_tmpfiles_t) > files_relabel_all_pid_dirs(systemd_tmpfiles_t) > 
files_relabel_all_tmp_dirs(systemd_tmpfiles_t) > > -auth_manage_var_auth(systemd_tmpfiles_t) > -auth_manage_login_records(systemd_tmpfiles_t) > -auth_relabel_login_records(systemd_tmpfiles_t) > -auth_setattr_login_records(systemd_tmpfiles_t) > +files_relabelfrom_home(systemd_tmpfiles_t) > +files_relabelto_home(systemd_tmpfiles_t) > +files_relabelto_etc_dirs(systemd_tmpfiles_t) > +# for /etc/mtab > +files_manage_etc_symlinks(systemd_tmpfiles_t) > +fs_getattr_xattr_fs(systemd_tmpfiles_t) > + > +init_manage_utmp(systemd_tmpfiles_t) > +init_manage_var_lib_files(systemd_tmpfiles_t) > +# for /proc/1/environ > +init_read_state(systemd_tmpfiles_t) > + > +init_relabel_utmp(systemd_tmpfiles_t) > +init_relabel_var_lib_dirs(systemd_tmpfiles_t) > +logging_manage_generic_logs(systemd_tmpfiles_t) > +logging_set_perms_syslogd_tmp(systemd_tmpfiles_t) > +miscfiles_manage_man_pages(systemd_tmpfiles_t) > +miscfiles_relabel_man_cache(systemd_tmpfiles_t) > > # for /run/tmpfiles.d/kmod.conf > modutils_read_var_run_files(systemd_tmpfiles_t) > > +selinux_get_fs_mount(systemd_tmpfiles_t) > +selinux_search_fs(systemd_tmpfiles_t) > +seutil_read_config(systemd_tmpfiles_t) > seutil_read_file_contexts(systemd_tmpfiles_t) Several of the block above could use more blank lines. > +sysnet_create_config(systemd_tmpfiles_t) > systemd_log_parse_environment(systemd_tmpfiles_t) > > +userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t) > +userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t) > + > tunable_policy(`systemd_tmpfiles_manage_all',` > # systemd-tmpfiles can be configured to manage anything. > # have a last-resort option for users to do this. 
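Review bot: `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` are added on the new side while the same two calls survive as context lines a few lines below (between `dev_relabel_all_sysfs` and the blank line), so the merged file calls each interface twice; the `auth_*` lines were moved correctly by removing the old copies, and the `dev_*` lines should be handled the same way. The first changed line of the hunk also widens `self:capability` with `net_admin` and `sys_admin` without saying which tmpfiles.d action needs them; `sys_admin` covers far more than a file-management tool normally needs, so a comment in the file's existing style, `# for <tmpfiles operation that needs it> — TODO confirm`, belongs above that rule. `files_delete_usr_files(systemd_tmpfiles_t)` likewise deserves a one-line comment naming the tmpfiles.d entry that removes files under /usr, since deletion there is unusual for this domain. The `tunable_policy` block at the end of the hunk continues outside it.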
> @@ -653,3 +785,16 @@ tunable_policy(`systemd_tmpfiles_manage_ > files_relabel_non_security_dirs(systemd_tmpfiles_t) > files_relabel_non_security_files(systemd_tmpfiles_t) > ') > + > +optional_policy(` > + dbus_read_lib_files(systemd_tmpfiles_t) > +') > + > +optional_policy(` > + xserver_create_console_pipes(systemd_tmpfiles_t) > + xserver_create_xdm_tmp_dir(systemd_tmpfiles_t) > +') > + > +optional_policy(` > + xfs_create_dirs(systemd_tmpfiles_t) > +') This block is out of order > Index: refpolicy-2.20170227/policy/modules/contrib/xfs.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/contrib/xfs.if > +++ refpolicy-2.20170227/policy/modules/contrib/xfs.if > @@ -21,6 +21,25 @@ interface(`xfs_read_sockets',` > > ######################################## > ## > +## Create xfs temporary dirs > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xfs_create_dirs',` > + gen_require(` > + type xfs_tmp_t; > + ') > + > + files_search_tmp($1) > + allow $1 xfs_tmp_t:dir create; > +') > + > +######################################## > +## > ## Connect to xfs with a unix > ## domain stream socket. > ## > Index: refpolicy-2.20170227/policy/modules/kernel/files.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/kernel/files.if > +++ refpolicy-2.20170227/policy/modules/kernel/files.if > @@ -2760,6 +2760,24 @@ interface(`files_setattr_etc_dirs',` > > ######################################## > ## > +## relabel directories to etc_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_relabelto_etc_dirs',` > + gen_require(` > + type etc_t; > + ') > + > + allow $1 etc_t:dir relabelto; > +') > + > +######################################## > +## > ## List the contents of /etc directories. > ## > ## 
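Review bot: `xfs_create_dirs` grants only `xfs_tmp_t:dir create` with no file type transition, so a caller only ends up with an xfs_tmp_t directory if it sets the file creation context itself (systemd_tmpfiles_t has `setfscreate` in this patch, so that is presumably the intent); the summary should say so, e.g. `## Create xfs temporary dirs. No type transition is provided; the caller must set the file creation context and have write access to the tmp root.`. The name also drops the `tmp` that the type and the parallel `xserver_create_xdm_tmp_dir` in this same patch carry; `xfs_create_tmp_dirs` would match the contrib naming convention. `files_search_tmp($1)` only grants search on the tmp root, so the add_name/write on it is left to the caller, which is worth the extra sentence in the description.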
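Review bot: `files_relabelto_etc_dirs` lets a caller turn any directory it can already relabelfrom into `etc_t`, i.e. into system configuration, and the summary `## relabel directories to etc_t` gives no hint that this is a privileged, setup-time operation rather than a routine one; a second summary line such as `## Intended for system setup tools only; it allows arbitrary directories to become /etc configuration.` would make that visible to future callers. The summary should also be capitalized to match the neighbouring `## List the contents of /etc directories.` entry.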
> @@ -3811,6 +3829,24 @@ interface(`files_relabelto_home',` > > ######################################## > ## > +## Relabel from user home root (/home). > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_relabelfrom_home',` > + gen_require(` > + type home_root_t; > + ') > + > + allow $1 home_root_t:dir relabelfrom; > +') > + > +######################################## > +## > ## Create objects in /home. > ## > ## > @@ -5709,6 +5745,30 @@ interface(`files_search_var_lib',` > > ######################################## > ## > +## Create and label /var/lib and /var/log > +## > +## > +##
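Review bot: The summary `## Relabel from user home root (/home).` is accurate but the rule covers only `home_root_t:dir`, i.e. the /home directory itself, not the home directories beneath it; stating that explicitly, `## Relabel from the user home root directory (/home) itself; home directories under it are not covered.`, stops callers from expecting more than they get. Since this is the mirror of the existing `files_relabelto_home` shown in the hunk header, a cross-reference to it in the description would also help a reader find the pair.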

> +## This allows programs to setup directories under /var > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`create_relabel_var_lib_log',` > + gen_require(` > + type var_t, var_lib_t, var_log_t; > + ') > + > + allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto manage_dir_perms }; > +') This needs to be broken up by type and also relabelto/from vs. manage_dir_perms. > +######################################## > +## > ## Do not audit attempts to search the > ## contents of /var/lib. > ## > @@ -6528,6 +6588,27 @@ interface(`files_dontaudit_ioctl_all_pid > ') > > ######################################## > +## > +## create and manage all pidfile directories > +## in the /var/run directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_create_manage_all_pid_dirs',` > + gen_require(` > + attribute pidfile; > + type var_run_t; > + ') > + > + create_dirs_pattern($1,var_run_t,pidfile) > + allow $1 pidfile:dir manage_dir_perms; > +') I'm confused about what this interface is intending. Create is a subset of manage. > +######################################## > ## > ## manage all pidfile directories > ## in the /var/run directory. > Index: refpolicy-2.20170227/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/init.if > +++ refpolicy-2.20170227/policy/modules/system/init.if > @@ -1120,6 +1161,24 @@ interface(`init_manage_var_lib_files',` > > ######################################## > ## > +## relabel dirs in /var/lib/systemd/. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_relabel_var_lib_dirs',` > + gen_require(` > + type init_var_lib_t; > + ') > + > + allow $1 init_var_lib_t:dir { relabelfrom relabelto }; > +') > + > +######################################## > +## > ## Create files in /var/lib/systemd > ## with an automatic type transition. > ## 
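Review bot: `create_relabel_var_lib_log` is the only interface in files.if without the `files_` prefix, so a reader of systemd.te cannot tell which module it comes from and it breaks the module-prefix convention every neighbouring interface follows; whatever the split-out pieces end up being, they should be named `files_...`. The summary `## Create and label /var/lib and /var/log` also omits `var_t`, which the rule grants exactly the same permissions on, so a reader of the doc would not expect the caller to be able to manage and relabel /var itself; either drop var_t from the rule or name it in the summary.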
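Review bot: `create_dirs_pattern($1,var_run_t,pidfile)` has no spaces after the commas, unlike every other pattern call in this patch (`relabel_dirs_pattern($1, man_cache_t, man_cache_t)` in the miscfiles hunk, for example); write `create_dirs_pattern($1, var_run_t, pidfile)` so it matches the file.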
> @@ -2519,6 +2687,24 @@ interface(`init_manage_utmp',` > > ######################################## > ## > +## relabel from/to utmp > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_relabel_utmp',` > + gen_require(` > + type initrc_var_run_t; > + ') > + > + allow $1 initrc_var_run_t:file { relabelfrom relabelto }; > +') > + > +######################################## > +## > ## Create files in /var/run with the > ## utmp file type. > ## > Index: refpolicy-2.20170227/policy/modules/system/logging.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/logging.if > +++ refpolicy-2.20170227/policy/modules/system/logging.if > @@ -1138,3 +1138,23 @@ interface(`logging_admin',` > logging_admin_audit($1, $2) > logging_admin_syslog($1, $2) > ') > + > +######################################## > +## > +## setattr for syslogd_tmp_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`logging_set_perms_syslogd_tmp',` > + gen_require(` > + type syslogd_tmp_t; > + ') > + > + allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto }; > +') Please split out the setattr and separate dir/file. > Index: refpolicy-2.20170227/policy/modules/system/miscfiles.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/miscfiles.if > +++ refpolicy-2.20170227/policy/modules/system/miscfiles.if 
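Review bot: The summary `## relabel from/to utmp` presents the rule as utmp-specific, but the type it grants on is `initrc_var_run_t`, the same type `init_manage_utmp` in the hunk header operates on, and that type presumably labels other initrc runtime files under /run as well, so the relabel permission reaches more than utmp; the description should say `## Relabel files of type initrc_var_run_t (utmp and other initrc runtime files).` rather than narrow the reader's expectation. The summary should also be capitalized to match the neighbouring `## Create files in /var/run with the` entry.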
> @@ -558,6 +558,25 @@ interface(`miscfiles_delete_man_pages',` > > ######################################## > ## > +## relabel man cache > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`miscfiles_relabel_man_cache',` > + gen_require(` > + type man_cache_t; > + ') > + > + relabel_dirs_pattern($1, man_cache_t, man_cache_t) > + relabel_files_pattern($1, man_cache_t, man_cache_t) > +') > + > +######################################## > +## > ## Create, read, write, and delete man pages > ## > ## > Index: refpolicy-2.20170227/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20170227/policy/modules/system/userdomain.if > @@ -2902,6 +2902,24 @@ interface(`userdom_manage_user_runtime_r > > ######################################## > ## > +## relabel to/from user_runtime_root_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_relabel_user_runtime_root_dirs',` > + gen_require(` > + type user_runtime_root_t; > + ') > + > + allow $1 user_runtime_root_t:dir { relabelfrom relabelto }; > +') > + > +######################################## > +## > ## Create, read, write, and delete user > ## runtime dirs. > ## > Index: refpolicy-2.20170227/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20170227/policy/modules/services/xserver.if > @@ -806,7 +806,7 @@ interface(`xserver_dbus_chat_xdm',` > gen_require(` > type xdm_t; > class dbus send_msg; > - ') > + ') > > allow $1 xdm_t:dbus send_msg; > allow xdm_t $1:dbus send_msg; 
> @@ -1525,3 +1525,40 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > + > +######################################## > +## > +## Create the X windows console named pipes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_create_console_pipes',` > + gen_require(` > + type xconsole_device_t; > + ') > + > + allow $1 xconsole_device_t:fifo_file create; > +') > + > +######################################## > +## > +## Create xdm_tmp_t directories > +## > +## > +## > +## Domain to allow > +## > +## > +# > +interface(`xserver_create_xdm_tmp_dir',` > + gen_require(` > + type xdm_tmp_t; > + ') > + > + allow $1 xdm_tmp_t:dir create; > +') > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
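Review bot: The `xserver_create_xdm_tmp_dir` parameter description reads `## Domain to allow` while every other interface in this patch, including `xserver_create_console_pipes` directly above it, uses `## Domain allowed access.`; make it consistent. Both interfaces grant bare `create` with no type transition, so they presumably rely on the caller setting the file creation context (systemd_tmpfiles_t has setfscreate elsewhere in this patch); one sentence in each summary saying so saves the next reader the inference. The hunk also adds two consecutive blank lines after the closing `')` of `xserver_unconfined`, where the file otherwise uses one.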