From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 25 Mar 2017 13:52:52 -0400
Subject: [refpolicy] [PATCH] another version of systemd cgroups
 hostnamed and logind
In-Reply-To: <20170322125922.zheujse7e3acuzt3@athena.coker.com.au>
References: <20170322125922.zheujse7e3acuzt3@athena.coker.com.au>
Message-ID: <b8a8ebb8-2be5-f145-979c-0d7232703cb0@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/22/2017 08:59 AM, Russell Coker via refpolicy wrote:
> This depends on the sort patch I posted a few hours ago.


I've merged this but made a few minor changes.


> Description: systemd-cgroups, hostnamed, and logind policy
> Author: Russell Coker <russell@coker.com.au>
> Last-Update: 2017-03-22
>
> Index: refpolicy-2.20170313/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170313/policy/modules/system/systemd.te
> @@ -199,14 +199,25 @@ fs_register_binary_executable_type(syste
>  # Cgroups local policy
>  #
>
> +allow systemd_cgroups_t self:capability net_admin;
> +
>  kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
>  kernel_dgram_send(systemd_cgroups_t)
>
> +# for /proc/cmdline
> +kernel_read_system_state(systemd_cgroups_t)
> +
> +# for /proc/1/environ
> +init_read_state(systemd_cgroups_t)
> +
> +
>  # write to /run/systemd/cgroups-agent
>  init_dgram_send(systemd_cgroups_t)
>  init_stream_connect(systemd_cgroups_t)
>
>  selinux_getattr_fs(systemd_cgroups_t)
> +seutil_libselinux_linked(systemd_cgroups_t)
> +
>  systemd_log_parse_environment(systemd_cgroups_t)
>
>  ######################################
> @@ -254,6 +265,7 @@ seutil_search_default_contexts(systemd_c
>
>  kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> +dev_read_sysfs(systemd_hostnamed_t)
>  files_read_etc_files(systemd_hostnamed_t)
>  seutil_read_file_contexts(systemd_hostnamed_t)
>  systemd_log_parse_environment(systemd_hostnamed_t)
> @@ -263,6 +275,10 @@ optional_policy(`
>  	dbus_system_bus_client(systemd_hostnamed_t)
>  ')
>
> +optional_policy(`
> +	networkmanager_dbus_chat(systemd_hostnamed_t)
> +')
> +
>  #######################################
>  #
>  # locale local policy
> @@ -304,40 +320,64 @@ logging_send_syslog_msg(systemd_log_pars
>  # Logind local policy
>  #
>
> -allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
> -allow systemd_logind_t self:process getcap;
> +allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
> +allow systemd_logind_t self:process { getcap setfscreate };
>  allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
>  allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
>
> -allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
> -init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> -
> +allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
> +allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
> +allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
>  manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
>  manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
> +allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
> +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
>
>  kernel_read_kernel_sysctls(systemd_logind_t)
>
>  auth_manage_faillog(systemd_logind_t)
>  dev_getattr_dri_dev(systemd_logind_t)
> +dev_getattr_kvm_dev(systemd_logind_t)
>  dev_getattr_sound_dev(systemd_logind_t)
> +dev_manage_wireless(systemd_logind_t)
> +dev_read_urand(systemd_logind_t)
> +dev_rw_dri(systemd_logind_t)
>  dev_rw_input_dev(systemd_logind_t)
>  dev_rw_sysfs(systemd_logind_t)
>  dev_setattr_dri_dev(systemd_logind_t)
> +dev_setattr_kvm_dev(systemd_logind_t)
>  dev_setattr_sound_dev(systemd_logind_t)
> +domain_obj_id_change_exemption(systemd_logind_t)
>  files_read_etc_files(systemd_logind_t)
>  files_search_pids(systemd_logind_t)
>
> +fs_getattr_cgroup(systemd_logind_t)
>  fs_getattr_tmpfs(systemd_logind_t)
> +fs_getattr_tmpfs_dirs(systemd_logind_t)
> +fs_list_tmpfs(systemd_logind_t)
> +fs_mount_tmpfs(systemd_logind_t)
> +fs_read_cgroup_files(systemd_logind_t)
>  fs_read_efivarfs_files(systemd_logind_t)
> +fs_relabelfrom_tmpfs_dir(systemd_logind_t)
> +fs_unmount_tmpfs(systemd_logind_t)
>
> +init_dbus_send_script(systemd_logind_t)
>  init_get_all_units_status(systemd_logind_t)
> +init_get_system_status(systemd_logind_t)
>  init_service_start(systemd_logind_t)
>  init_service_status(systemd_logind_t)
>  init_start_all_units(systemd_logind_t)
>  init_stop_all_units(systemd_logind_t)
> +init_start_system(systemd_logind_t)
> +init_stop_system(systemd_logind_t)
> +init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
>  locallogin_read_state(systemd_logind_t)
>
> +selinux_get_enforce_mode(systemd_logind_t)
> +seutil_libselinux_linked(systemd_logind_t)
> +seutil_read_default_contexts(systemd_logind_t)
> +seutil_read_file_contexts(systemd_logind_t)
>  storage_getattr_removable_dev(systemd_logind_t)
>  storage_getattr_scsi_generic_dev(systemd_logind_t)
>  storage_setattr_removable_dev(systemd_logind_t)
> @@ -345,11 +385,23 @@ storage_setattr_scsi_generic_dev(systemd
>  systemd_log_parse_environment(systemd_logind_t)
>  systemd_start_power_units(systemd_logind_t)
>
> +term_setattr_unallocated_ttys(systemd_logind_t)
>  term_use_unallocated_ttys(systemd_logind_t)
>
> +udev_list_pids(systemd_logind_t)
>  udev_read_db(systemd_logind_t)
>  udev_read_pid_files(systemd_logind_t)
>
> +userdom_manage_user_runtime_dirs(systemd_logind_t)
> +userdom_manage_user_runtime_root_dirs(systemd_logind_t)
> +userdom_mounton_user_runtime_dirs(systemd_logind_t)
> +userdom_read_all_users_state(systemd_logind_t)
> +userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
> +userdom_relabel_user_tmpfs_files(systemd_logind_t)
> +userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
> +userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> +userdom_setattr_user_ttys(systemd_logind_t)
> +userdom_delete_user_runtime_files(systemd_logind_t)
>  userdom_use_user_ttys(systemd_logind_t)
>
>  optional_policy(`
> @@ -357,6 +409,29 @@ optional_policy(`
>  	dbus_system_bus_client(systemd_logind_t)
>  ')
>
> +optional_policy(`
> +	networkmanager_dbus_chat(systemd_logind_t)
> +')
> +
> +optional_policy(`
> +	devicekit_dbus_chat_power(systemd_logind_t)
> +')
> +
> +optional_policy(`
> +	policykit_dbus_chat(systemd_logind_t)
> +')
> +
> +optional_policy(`
> +	xserver_read_state(systemd_logind_t)
> +	xserver_dbus_chat(systemd_logind_t)
> +	xserver_dbus_chat_xdm(systemd_logind_t)
> +	xserver_read_xdm_state(systemd_logind_t)
> +')
> +
> +optional_policy(`
> +	unconfined_dbus_send(systemd_logind_t)
> +')
> +
>  #########################################
>  #
>  # machined local policy
> Index: refpolicy-2.20170313/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170313/policy/modules/kernel/devices.if
> @@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',`
>
>  ########################################
>  ## <summary>
> +##	manage the wireless device.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_manage_wireless',`
> +	gen_require(`
> +		type device_t, wireless_device_t;
> +	')
> +
> +	manage_chr_files_pattern($1, device_t, wireless_device_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Read and write Xen devices.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20170313/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170313/policy/modules/kernel/filesystem.if
> @@ -4087,6 +4087,24 @@ interface(`fs_relabelfrom_tmpfs',`
>
>  ########################################
>  ## <summary>
> +##      Relabel from tmpfs_t dir
> +## </summary>
> +## <param name="type">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`fs_relabelfrom_tmpfs_dir',`
> +	gen_require(`
> +		type tmpfs_t;
> +	')
> +
> +	allow $1 tmpfs_t:dir relabelfrom;
> +')
> +
> +########################################
> +## <summary>
>  ##	Get the attributes of tmpfs directories.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20170313/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20170313/policy/modules/system/udev.if
> @@ -282,6 +282,25 @@ interface(`udev_search_pids',`
>
>  ########################################
>  ## <summary>
> +##      list udev pid content
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`udev_list_pids',`
> +	gen_require(`
> +		type udev_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	allow $1 udev_var_run_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Create, read, write, and delete
>  ##	udev pid directories
>  ## </summary>
> Index: refpolicy-2.20170313/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170313/policy/modules/system/userdomain.if
> @@ -2824,6 +2824,45 @@ interface(`userdom_read_user_tmpfs_files
>
>  ########################################
>  ## <summary>
> +##	relabel to/from user tmpfs dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_relabel_user_tmpfs_dirs',`
> +	gen_require(`
> +		type user_tmpfs_t;
> +	')
> +
> +	allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom };
> +	fs_search_tmpfs($1)
> +')
> +
> +########################################
> +## <summary>
> +##	relabel to/from user tmpfs files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_relabel_user_tmpfs_files',`
> +	gen_require(`
> +		type user_tmpfs_t;
> +	')
> +
> +	allow $1 user_tmpfs_t:dir list_dir_perms;
> +	allow $1 user_tmpfs_t:file { relabelto relabelfrom };
> +	fs_search_tmpfs($1)
> +')
> +
> +########################################
> +## <summary>
>  ##	Search users runtime directories.
>  ## </summary>
>  ## <param name="domain">
> @@ -2938,6 +2977,43 @@ interface(`userdom_relabelto_user_runtim
>  ')
>
>  ########################################
> +## <summary>
> +##	Relabel from user runtime directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_relabelfrom_user_runtime_dirs',`
> +	gen_require(`
> +		type user_runtime_t;
> +	')
> +
> +	allow $1 user_runtime_t:dir relabelfrom;
> +')
> +
> +########################################
> +## <summary>
> +##	delete user runtime files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_delete_user_runtime_files',`
> +	gen_require(`
> +		type user_runtime_t;
> +	')
> +
> +	allow $1 user_runtime_t:dir list_dir_perms;
> +	allow $1 user_runtime_t:file unlink;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Create objects in the pid directory
>  ##	with an automatic type transition to
> Index: refpolicy-2.20170313/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170313/policy/modules/services/xserver.if
> @@ -1331,6 +1367,25 @@ interface(`xserver_kill',`
>
>  ########################################
>  ## <summary>
> +##      Allow reading xserver_t files to get cgroup and sessionid
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`xserver_read_state',`
> +	gen_require(`
> +		type xserver_t;
> +	')
> +
> +	allow $1 xserver_t:dir search;
> +	allow $1 xserver_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read and write X server Sys V Shared
>  ##	memory segments.
>  ## </summary>
> @@ -1426,6 +1481,25 @@ interface(`xserver_read_tmp_files',`
>  ')
>
>  ########################################
> +## <summary>
> +##      talk to xserver_t by dbus
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`xserver_dbus_chat',`
> +	gen_require(`
> +		type xserver_t;
> +	')
> +
> +	allow $1 xserver_t:dbus send_msg;
> +	allow xserver_t $1:dbus send_msg;
> +')
> +
> +########################################
>  ## <summary>
>  ##	Interface to provide X object permissions on a given X server to
>  ##	an X client domain.  Gives the domain permission to read the
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito