From: russell@coker.com.au (Russell Coker) Date: Sun, 26 Mar 2017 21:51:18 +1100 Subject: [refpolicy] [PATCH] systemd-resolvd, sessions, and tmpfiles In-Reply-To: References: <20170228103003.xqfjzdzso4tjph6g@athena.coker.com.au> Message-ID: <35491590.mkBOhF3hQv@russell.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Saturday, 4 March 2017 7:15:08 AM AEDT Chris PeBenito via refpolicy wrote: 
> > @@ -614,37 +706,77 @@ systemd_log_parse_environment(systemd_se > > > > # Tmpfiles local policy > > # > > > > -allow systemd_tmpfiles_t self:capability { chown dac_override fowner > > fsetid mknod }; +allow systemd_tmpfiles_t self:capability { chown > > dac_override fowner fsetid mknod net_admin sys_admin };> > > allow systemd_tmpfiles_t self:process { setfscreate getcap }; > > > > +allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom > > relabelto manage_file_perms }; + > > +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom > > relabelto manage_dir_perms }; +allow systemd_tmpfiles_t > > systemd_coredump_var_lib_t:file manage_file_perms; + > > > > manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, > > systemd_journal_t) manage_files_pattern(systemd_tmpfiles_t, > > systemd_journal_t, systemd_journal_t) allow systemd_tmpfiles_t > > systemd_journal_t:dir { relabelfrom relabelto }; allow > > systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; > > > > kernel_read_kernel_sysctls(systemd_tmpfiles_t) > > > > +kernel_read_network_state(systemd_tmpfiles_t) > > > > +auth_manage_faillog(systemd_tmpfiles_t) > > +auth_manage_login_records(systemd_tmpfiles_t) > > +auth_manage_var_auth(systemd_tmpfiles_t) > > +auth_relabel_login_records(systemd_tmpfiles_t) > > +auth_setattr_login_records(systemd_tmpfiles_t) > > +create_relabel_var_lib_log(systemd_tmpfiles_t) > > +dev_manage_all_dev_nodes(systemd_tmpfiles_t) > > +dev_read_urand(systemd_tmpfiles_t) > > > > dev_relabel_all_sysfs(systemd_tmpfiles_t) > > dev_read_urand(systemd_tmpfiles_t) > > dev_manage_all_dev_nodes(systemd_tmpfiles_t) > > > > +files_create_lock_dirs(systemd_tmpfiles_t) > > +files_create_manage_all_pid_dirs(systemd_tmpfiles_t) > > +files_delete_usr_files(systemd_tmpfiles_t) > > +files_list_home(systemd_tmpfiles_t) > > +files_manage_generic_tmp_dirs(systemd_tmpfiles_t) > > +files_purge_tmp(systemd_tmpfiles_t) > > > > 
files_read_etc_files(systemd_tmpfiles_t) > > files_relabel_all_lock_dirs(systemd_tmpfiles_t) > > files_relabel_all_pid_dirs(systemd_tmpfiles_t) > > files_relabel_all_tmp_dirs(systemd_tmpfiles_t) > > > > -auth_manage_var_auth(systemd_tmpfiles_t) > > -auth_manage_login_records(systemd_tmpfiles_t) > > -auth_relabel_login_records(systemd_tmpfiles_t) > > -auth_setattr_login_records(systemd_tmpfiles_t) > > +files_relabelfrom_home(systemd_tmpfiles_t) > > +files_relabelto_home(systemd_tmpfiles_t) > > +files_relabelto_etc_dirs(systemd_tmpfiles_t) > > +# for /etc/mtab > > +files_manage_etc_symlinks(systemd_tmpfiles_t) > > +fs_getattr_xattr_fs(systemd_tmpfiles_t) > > + > > +init_manage_utmp(systemd_tmpfiles_t) > > +init_manage_var_lib_files(systemd_tmpfiles_t) > > +# for /proc/1/environ > > +init_read_state(systemd_tmpfiles_t) > > + > > +init_relabel_utmp(systemd_tmpfiles_t) > > +init_relabel_var_lib_dirs(systemd_tmpfiles_t) > > +logging_manage_generic_logs(systemd_tmpfiles_t) > > +logging_set_perms_syslogd_tmp(systemd_tmpfiles_t) > > +miscfiles_manage_man_pages(systemd_tmpfiles_t) > > +miscfiles_relabel_man_cache(systemd_tmpfiles_t) > > > > # for /run/tmpfiles.d/kmod.conf > > modutils_read_var_run_files(systemd_tmpfiles_t) > > > > +selinux_get_fs_mount(systemd_tmpfiles_t) > > +selinux_search_fs(systemd_tmpfiles_t) > > +seutil_read_config(systemd_tmpfiles_t) > > > > seutil_read_file_contexts(systemd_tmpfiles_t) > > Several of the block above could use more blank lines. Which ones? > > + > > +optional_policy(` > > + dbus_read_lib_files(systemd_tmpfiles_t) > > +') > > + > > +optional_policy(` > > + xserver_create_console_pipes(systemd_tmpfiles_t) > > + xserver_create_xdm_tmp_dir(systemd_tmpfiles_t) > > +') > > + > > +optional_policy(` > > + xfs_create_dirs(systemd_tmpfiles_t) > > +') > > This block is out of order OK. 
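Review bot: The capability line now grants systemd_tmpfiles_t `net_admin` and `sys_admin` with no comment saying which operation needs them, and sys_admin in particular brings this domain close to unconfined once it also has `dev_manage_all_dev_nodes`, `files_delete_usr_files` and relabelto on etc dirs and home; refpolicy normally expects a grant that broad to be justified in a comment or replaced by a dontaudit. If the net_admin denial is systemd's setsockopt(SO_SNDBUFFORCE) on the journal stream socket, which fails gracefully when refused, `dontaudit systemd_tmpfiles_t self:capability net_admin;` is the safer form, and sys_admin should carry a comment such as `# sys_admin: setting trusted.* xattrs from tmpfiles.d 't' lines` if that is the trigger — confirm both against the audit log rather than granting on sight. Separately, the hunk adds `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` while the identical calls remain a few lines below as unchanged context, so one of the two pairs should be dropped. `kernel_read_network_state(systemd_tmpfiles_t)` is likewise unexplained for a tmpfiles domain and looks like it may come from the same net_admin path; a one-line `#` comment naming the tmpfiles.d entry that needs it would let the next reviewer judge it.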
> > +interface(`create_relabel_var_lib_log',` > > + gen_require(` > > + type var_t, var_lib_t, var_log_t; > > + ') > > + > > + allow $1 { var_t var_log_t var_lib_t }:dir { relabelfrom relabelto > > manage_dir_perms }; +') > > This needs to be broken up by type and also relabelto/from vs. > manage_dir_perms. OK. > > +## > > +## create and manage all pidfile directories > > +## in the /var/run directory. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_create_manage_all_pid_dirs',` > > + gen_require(` > > + attribute pidfile; > > + type var_run_t; > > + ') > > + > > + create_dirs_pattern($1,var_run_t,pidfile) > > + allow $1 pidfile:dir manage_dir_perms; > > +') > > I'm confused about what this interface is intending. Create is a subset > of manage. OK, renamed. > > +######################################## > > +## > > +## setattr for syslogd_tmp_t > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +# > > +interface(`logging_set_perms_syslogd_tmp',` > > + gen_require(` > > + type syslogd_tmp_t; > > + ') > > + > > + allow $1 syslogd_tmp_t:{ dir file } { setattr relabelfrom relabelto }; > > +') > > Please split out the setattr and separate dir/file. OK. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/