From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 25 Mar 2017 13:52:52 -0400
Subject: [refpolicy] [PATCH] another version of systemd cgroups hostnamed and logind
In-Reply-To: <20170322125922.zheujse7e3acuzt3@athena.coker.com.au>
References: <20170322125922.zheujse7e3acuzt3@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 03/22/2017 08:59 AM, Russell Coker via refpolicy wrote:
> This depends on the sort patch I posted a few hours ago.
I've merged this but made a few minor changes.
> Description: systemd-cgroups, hostnamed, and logind policy
> Author: Russell Coker
> Last-Update: 2017-03-22
>
> Index: refpolicy-2.20170313/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170313/policy/modules/system/systemd.te
> @@ -199,14 +199,25 @@ fs_register_binary_executable_type(syste
> # Cgroups local policy
> #
>
> +allow systemd_cgroups_t self:capability net_admin;
> +
> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> kernel_dgram_send(systemd_cgroups_t)
>
> +# for /proc/cmdline
> +kernel_read_system_state(systemd_cgroups_t)
> +
> +# for /proc/1/environ
> +init_read_state(systemd_cgroups_t)
> +
> +
> # write to /run/systemd/cgroups-agent
> init_dgram_send(systemd_cgroups_t)
> init_stream_connect(systemd_cgroups_t)
>
> selinux_getattr_fs(systemd_cgroups_t)
> +seutil_libselinux_linked(systemd_cgroups_t)
> +
> systemd_log_parse_environment(systemd_cgroups_t)
>
> ######################################
> @@ -254,6 +265,7 @@ seutil_search_default_contexts(systemd_c
>
> kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> +dev_read_sysfs(systemd_hostnamed_t)
> files_read_etc_files(systemd_hostnamed_t)
> seutil_read_file_contexts(systemd_hostnamed_t)
> systemd_log_parse_environment(systemd_hostnamed_t)
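Review bot: The new `allow systemd_cgroups_t self:capability net_admin;` at the top of the cgroups block is the only added rule in this hunk without a why-comment, while the neighbouring additions are annotated (`# for /proc/cmdline`, `# for /proc/1/environ`). CAP_NET_ADMIN is a broad capability for an agent whose visible job here is sending to the init socket, so a comment naming the operation that needs it, e.g. `# for <operation that requires CAP_NET_ADMIN>`, or a `dontaudit` if the rule only silences a probe, would let a later reader tell a real requirement from audit noise. There is also a stray double blank line after `init_read_state(systemd_cgroups_t)` where the rest of the block uses single blank lines between groups.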
> @@ -263,6 +275,10 @@ optional_policy(`
> dbus_system_bus_client(systemd_hostnamed_t)
> ')
>
> +optional_policy(`
> + networkmanager_dbus_chat(systemd_hostnamed_t)
> +')
> +
> #######################################
> #
> # locale local policy
> @@ -304,40 +320,64 @@ logging_send_syslog_msg(systemd_log_pars
> # Logind local policy
> #
>
> -allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
> -allow systemd_logind_t self:process getcap;
> +allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
> +allow systemd_logind_t self:process { getcap setfscreate };
> allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
>
> -allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
> -init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> -
> +allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
> +allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
> +allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
> manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
> manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
> +allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
> +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
>
> kernel_read_kernel_sysctls(systemd_logind_t)
>
> auth_manage_faillog(systemd_logind_t)
> dev_getattr_dri_dev(systemd_logind_t)
> +dev_getattr_kvm_dev(systemd_logind_t)
> dev_getattr_sound_dev(systemd_logind_t)
> +dev_manage_wireless(systemd_logind_t)
> +dev_read_urand(systemd_logind_t)
> +dev_rw_dri(systemd_logind_t)
> dev_rw_input_dev(systemd_logind_t)
> dev_rw_sysfs(systemd_logind_t)
> dev_setattr_dri_dev(systemd_logind_t)
> +dev_setattr_kvm_dev(systemd_logind_t)
> dev_setattr_sound_dev(systemd_logind_t)
> +domain_obj_id_change_exemption(systemd_logind_t)
> files_read_etc_files(systemd_logind_t)
> files_search_pids(systemd_logind_t)
>
> +fs_getattr_cgroup(systemd_logind_t)
> fs_getattr_tmpfs(systemd_logind_t)
> +fs_getattr_tmpfs_dirs(systemd_logind_t)
> +fs_list_tmpfs(systemd_logind_t)
> +fs_mount_tmpfs(systemd_logind_t)
> +fs_read_cgroup_files(systemd_logind_t)
> fs_read_efivarfs_files(systemd_logind_t)
> +fs_relabelfrom_tmpfs_dir(systemd_logind_t)
> +fs_unmount_tmpfs(systemd_logind_t)
>
> +init_dbus_send_script(systemd_logind_t)
> init_get_all_units_status(systemd_logind_t)
> +init_get_system_status(systemd_logind_t)
> init_service_start(systemd_logind_t)
> init_service_status(systemd_logind_t)
> init_start_all_units(systemd_logind_t)
> init_stop_all_units(systemd_logind_t)
> +init_start_system(systemd_logind_t)
> +init_stop_system(systemd_logind_t)
> +init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> locallogin_read_state(systemd_logind_t)
>
> +selinux_get_enforce_mode(systemd_logind_t)
> +seutil_libselinux_linked(systemd_logind_t)
> +seutil_read_default_contexts(systemd_logind_t)
> +seutil_read_file_contexts(systemd_logind_t)
> storage_getattr_removable_dev(systemd_logind_t)
> storage_getattr_scsi_generic_dev(systemd_logind_t)
> storage_setattr_removable_dev(systemd_logind_t)
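Review bot: The hunk drops `allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;` but keeps `init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)` (now moved into the `init_*` group), so unless the directory permission is granted somewhere outside this hunk the type transition has no create permission to go with it; either restore the allow next to the filetrans or note where the permission now comes from. The added `sys_admin` capability and `setfscreate` process permission, together with the new `domain_obj_id_change_exemption`, `fs_mount_tmpfs`, `fs_unmount_tmpfs` and tmpfs relabel calls, are the largest privilege increase in the patch and carry no comment; if they serve the per-user runtime directory setup, a line above the capability rule such as `# sys_admin/setfscreate: mount and label per-user runtime tmpfs` would tie the grants to the behaviour. As a point of style, the three `allow systemd_logind_t systemd_sessions_var_run_t:...` lines could use `manage_dirs_pattern`/`manage_files_pattern`/`manage_fifo_files_pattern` like the `systemd_logind_var_run_t` rules directly below them.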
> @@ -345,11 +385,23 @@ storage_setattr_scsi_generic_dev(systemd
> systemd_log_parse_environment(systemd_logind_t)
> systemd_start_power_units(systemd_logind_t)
>
> +term_setattr_unallocated_ttys(systemd_logind_t)
> term_use_unallocated_ttys(systemd_logind_t)
>
> +udev_list_pids(systemd_logind_t)
> udev_read_db(systemd_logind_t)
> udev_read_pid_files(systemd_logind_t)
>
> +userdom_manage_user_runtime_dirs(systemd_logind_t)
> +userdom_manage_user_runtime_root_dirs(systemd_logind_t)
> +userdom_mounton_user_runtime_dirs(systemd_logind_t)
> +userdom_read_all_users_state(systemd_logind_t)
> +userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
> +userdom_relabel_user_tmpfs_files(systemd_logind_t)
> +userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
> +userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> +userdom_setattr_user_ttys(systemd_logind_t)
> +userdom_delete_user_runtime_files(systemd_logind_t)
> userdom_use_user_ttys(systemd_logind_t)
>
> optional_policy(`
> @@ -357,6 +409,29 @@ optional_policy(`
> dbus_system_bus_client(systemd_logind_t)
> ')
>
> +optional_policy(`
> + networkmanager_dbus_chat(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + devicekit_dbus_chat_power(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + policykit_dbus_chat(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + xserver_read_state(systemd_logind_t)
> + xserver_dbus_chat(systemd_logind_t)
> + xserver_dbus_chat_xdm(systemd_logind_t)
> + xserver_read_xdm_state(systemd_logind_t)
> +')
> +
> +optional_policy(`
> + unconfined_dbus_send(systemd_logind_t)
> +')
> +
> #########################################
> #
> # machined local policy
> Index: refpolicy-2.20170313/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170313/policy/modules/kernel/devices.if
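Review bot: `userdom_delete_user_runtime_files(systemd_logind_t)` is inserted after `userdom_setattr_user_ttys` instead of in alphabetical position before `userdom_manage_user_runtime_dirs`, even though the patch is built on the sort patch and every other new call in this hunk is placed in order. The same applies to the new `xserver_*` optional block in the next hunk, where `xserver_read_state` precedes `xserver_dbus_chat`; the sorted order would be `xserver_dbus_chat`, `xserver_dbus_chat_xdm`, `xserver_read_state`, `xserver_read_xdm_state`.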
> @@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',`
>
> ########################################
> ##
> +## manage the wireless device.
> ##
> ##
> ##
> +## Domain allowed access.
> ##
> ##
> #
> +interface(`dev_manage_wireless',`
> + gen_require(`
> + type device_t, wireless_device_t;
> + ')
> +
> + manage_chr_files_pattern($1, device_t, wireless_device_t)
> +')
> +
> +########################################
> +##
> ## Read and write Xen devices.
> ##
> ##
> Index: refpolicy-2.20170313/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170313/policy/modules/kernel/filesystem.if
> @@ -4087,6 +4087,24 @@ interface(`fs_relabelfrom_tmpfs',`
>
> ########################################
> ##
> +## Relabel from tmpfs_t dir
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_relabelfrom_tmpfs_dir',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:dir relabelfrom;
> +')
> +
> +########################################
> +##
> ## Get the attributes of tmpfs directories.
> ##
> ##
> Index: refpolicy-2.20170313/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20170313/policy/modules/system/udev.if
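Review bot: `dev_manage_wireless` grants `manage_chr_files_pattern($1, device_t, wireless_device_t)`, which includes create, unlink, rename and setattr on wireless device nodes, while the only caller in this patch is systemd_logind_t and its neighbouring grants for dri, kvm and sound devices are limited to `getattr`/`setattr`. If logind only needs to change the ownership and attributes of the node, as it does for those other device classes, a setattr-only interface built on `setattr_chr_files_pattern` would be the narrower fit; if creating and removing the node really is required, the summary `manage the wireless device.` should say why so the wider grant is not copied by the next caller.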
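Review bot: The new interface is named `fs_relabelfrom_tmpfs_dir` while the module's directory interfaces use the plural form (`fs_getattr_tmpfs_dirs` is called from the logind hunk, and the userdomain hunk in this same patch adds `userdom_relabelfrom_user_runtime_dirs`); renaming it `fs_relabelfrom_tmpfs_dirs` before merge avoids a permanent inconsistency in the public interface set. The summary `Relabel from tmpfs_t dir` could follow the neighbouring style as `Relabel from tmpfs directories.`; the rule body `allow $1 tmpfs_t:dir relabelfrom;` itself is fine.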
> @@ -282,6 +282,25 @@ interface(`udev_search_pids',`
>
> ########################################
> ##
> +## list udev pid content
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`udev_list_pids',`
> + gen_require(`
> + type udev_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 udev_var_run_t:dir list_dir_perms;
> +')
> +
> +########################################
> +##
> ## Create, read, write, and delete
> ## udev pid directories
> ##
> Index: refpolicy-2.20170313/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170313/policy/modules/system/userdomain.if
> @@ -2824,6 +2824,45 @@ interface(`userdom_read_user_tmpfs_files
>
> ########################################
> ##
> +## relabel to/from user tmpfs dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_relabel_user_tmpfs_dirs',`
> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom };
> + fs_search_tmpfs($1)
> +')
> +
> +########################################
> +##
> +## relabel to/from user tmpfs files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_relabel_user_tmpfs_files',`
> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + allow $1 user_tmpfs_t:dir list_dir_perms;
> + allow $1 user_tmpfs_t:file { relabelto relabelfrom };
> + fs_search_tmpfs($1)
> +')
> +
> +########################################
> +##
> ## Search users runtime directories.
> ##
> ##
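Review bot: `userdom_relabel_user_tmpfs_dirs` and `userdom_relabel_user_tmpfs_files` each grant `relabelto` and `relabelfrom` in a single interface, whereas the runtime-dir interfaces in the next hunk of this file keep the two directions apart (`userdom_relabelto_user_runtime_dirs`, `userdom_relabelfrom_user_runtime_dirs`). Splitting these the same way lets a caller that only needs to move labels away from `user_tmpfs_t` avoid also being able to label arbitrary tmpfs objects as user tmpfs; if both directions are intended for logind, saying so in the summary is enough. The summaries `relabel to/from user tmpfs dirs` and `relabel to/from user tmpfs files` are also lower-case and unpunctuated, unlike `Search users runtime directories.` right below them.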
> @@ -2938,6 +2977,43 @@ interface(`userdom_relabelto_user_runtim
> ')
>
> ########################################
> +##
> +## Relabel from user runtime directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_relabelfrom_user_runtime_dirs',`
> + gen_require(`
> + type user_runtime_t;
> + ')
> +
> + allow $1 user_runtime_t:dir relabelfrom;
> +')
> +
> +########################################
> +##
> +## delete user runtime files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_delete_user_runtime_files',`
> + gen_require(`
> + type user_runtime_t;
> + ')
> +
> + allow $1 user_runtime_t:dir list_dir_perms;
> + allow $1 user_runtime_t:file unlink;
> +')
> +
> +########################################
> ##
> ## Create objects in the pid directory
> ## with an automatic type transition to
> Index: refpolicy-2.20170313/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170313.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170313/policy/modules/services/xserver.if
> @@ -1331,6 +1367,25 @@ interface(`xserver_kill',`
>
> ########################################
> ##
> +## Allow reading xserver_t files to get cgroup and sessionid
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_read_state',`
> + gen_require(`
> + type xserver_t;
> + ')
> +
> + allow $1 xserver_t:dir search;
> + allow $1 xserver_t:file read_file_perms;
> +')
> +
> +########################################
> +##
> ## Read and write X server Sys V Shared
> ## memory segments.
> ##
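Review bot: `userdom_delete_user_runtime_files` grants `user_runtime_t:dir list_dir_perms` and `user_runtime_t:file unlink`, but unlinking also requires `remove_name` on the containing directory, which `list_dir_perms` does not include, so a caller will still be denied at the moment it actually deletes a file. The module convention is the pattern macro; replacing the two allow lines with `allow $1 user_runtime_t:dir list_dir_perms;` and `delete_files_pattern($1, user_runtime_t, user_runtime_t)` grants the directory write/remove_name and file unlink permissions the operation needs. `userdom_relabelfrom_user_runtime_dirs` in the same hunk looks correct.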
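Review bot: `xserver_read_state` allows `read_file_perms` on every `xserver_t:file`, which for a process domain means the whole of that process's /proc/<pid> tree (`environ`, `maps`, `cmdline` and the rest), not only the `cgroup` and `sessionid` entries the summary names; the type cannot distinguish those, so the summary should describe what is really granted, e.g. `Read the process state (/proc/pid) of the X server.`. The interface also lacks `kernel_search_proc($1)`, which the other `*_read_state` interfaces (such as `init_read_state`, called in this patch) include, as far as I recall, so the caller can reach /proc/<pid> at all; without it the grant silently depends on search permission obtained elsewhere. `ps_process_pattern($1, xserver_t)` would express the dir/file part in the module's usual form.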
> @@ -1426,6 +1481,25 @@ interface(`xserver_read_tmp_files',`
> ')
>
> ########################################
> +##
> +## talk to xserver_t by dbus
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_dbus_chat',`
> + gen_require(`
> + type xserver_t;
> + ')
> +
> + allow $1 xserver_t:dbus send_msg;
> + allow xserver_t $1:dbus send_msg;
> +')
> +
> +########################################
> ##
> ## Interface to provide X object permissions on a given X server to
> ## an X client domain. Gives the domain permission to read the
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> -- Chris PeBenito
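Review bot: The `gen_require` of `xserver_dbus_chat` lists only `type xserver_t;` and omits `class dbus send_msg;`, which the existing `*_dbus_chat` interfaces in refpolicy declare so a module using the interface builds even when it does not otherwise require the dbus class; add `class dbus send_msg;` after the type line. The summary `talk to xserver_t by dbus` could be phrased like the neighbouring ones, e.g. `Send and receive messages from the X server over dbus.`.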