From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 28 Mar 2017 18:52:15 -0400 Subject: [refpolicy] [PATCH] systemd-resolvd, sessions, and tmpfiles take2 In-Reply-To: <20170326110227.3npv5zdhjlmqgakn@athena.coker.com.au> References: <20170326110227.3npv5zdhjlmqgakn@athena.coker.com.au> Message-ID: <446d3f4a-4f54-1698-f8fa-d5146a5dda73@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/26/2017 07:02 AM, Russell Coker via refpolicy wrote: > I believe that I have addressed all the issues Chris raised, so here's a newer > version of the patch which applies to today's git version. > > > Description: systemd-resolved, sessions, and tmpfiles patches > Author: Russell Coker > Last-Update: 2017-03-26 I merged this, though moved a few lines and renamed a few interfaces.
> Index: refpolicy-2.20170326/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170326/policy/modules/system/systemd.te
> @@ -593,15 +593,13 @@ init_pid_filetrans(systemd_resolved_t, s
> kernel_read_crypto_sysctls(systemd_resolved_t)
> kernel_read_kernel_sysctls(systemd_resolved_t)
>
> +auth_use_nsswitch(systemd_resolved_t)
> corenet_tcp_bind_generic_node(systemd_resolved_t)
> corenet_tcp_bind_llmnr_port(systemd_resolved_t)
> corenet_udp_bind_generic_node(systemd_resolved_t)
> corenet_udp_bind_llmnr_port(systemd_resolved_t)
>
> -auth_use_nsswitch(systemd_resolved_t)
> -
> seutil_read_file_contexts(systemd_resolved_t)
> -
> systemd_log_parse_environment(systemd_resolved_t)
>
> optional_policy(`
> @@ -613,9 +611,17 @@ optional_policy(`
> # Sessions local policy
> #
>
> +allow systemd_sessions_t self:process setfscreate;
> +
> allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> +selinux_get_enforce_mode(systemd_sessions_t)
> +selinux_get_fs_mount(systemd_sessions_t)
> +seutil_read_config(systemd_sessions_t)
> +seutil_read_default_contexts(systemd_sessions_t)
> +seutil_read_file_contexts(systemd_sessions_t)
> +
> systemd_log_parse_environment(systemd_sessions_t)
>
> #########################################
> @@ -623,9 +629,14 @@ systemd_log_parse_environment(systemd_se
> # Tmpfiles local policy
> #
>
> -allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
> +allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
> allow systemd_tmpfiles_t self:process { setfscreate getcap };
>
> +allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
> +
> +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
> +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
> +
> manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
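Review bot: `allow systemd_sessions_t self:process setfscreate;` is added without a comment saying which object it is meant to label, and setfscreate is the permission that lets a domain choose the type of what it creates instead of taking the type transition, so the rule merits a why-comment. The selinux_get_*/seutil_read_* lines added below it suggest the daemon looks a context up from file_contexts before creating something under systemd_sessions_var_run_t, but that is inferred from the combination, not shown by the hunk. A one-liner such as `# labels created files from a file_contexts lookup (setfscreatecon)` above the allow would let the next reader confirm the permission is still needed.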
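Review bot: `net_admin sys_admin` are appended to the systemd_tmpfiles_t capability set with no comment naming the tmpfiles.d action that needs them, and sys_admin is the widest of the Linux capabilities. If these came from audit denials it is worth confirming they are not probes the program tolerates failing, in which case `dontaudit systemd_tmpfiles_t self:capability { net_admin sys_admin };` keeps the domain tighter with the same observed behaviour. Either way the line should carry a comment like `# net_admin/sys_admin: <tmpfiles.d entry that requires them>` so a later audit of the capability set can verify it.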
> @@ -635,25 +646,71 @@ allow systemd_tmpfiles_t systemd_tmpfile
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> +kernel_read_network_state(systemd_tmpfiles_t)
>
> +auth_manage_faillog(systemd_tmpfiles_t)
> +auth_manage_login_records(systemd_tmpfiles_t)
> +auth_manage_var_auth(systemd_tmpfiles_t)
> +auth_relabel_login_records(systemd_tmpfiles_t)
> +auth_setattr_login_records(systemd_tmpfiles_t)
> +
> +dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> +dev_read_urand(systemd_tmpfiles_t)
> dev_relabel_all_sysfs(systemd_tmpfiles_t)
> dev_read_urand(systemd_tmpfiles_t)
> dev_manage_all_dev_nodes(systemd_tmpfiles_t)
>
> +files_create_lock_dirs(systemd_tmpfiles_t)
> +files_manage_all_pid_dirs(systemd_tmpfiles_t)
> +files_delete_usr_files(systemd_tmpfiles_t)
> +files_list_home(systemd_tmpfiles_t)
> +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
> +files_manage_var_dirs(systemd_tmpfiles_t)
> +files_manage_var_lib_dir(systemd_tmpfiles_t)
> +files_purge_tmp(systemd_tmpfiles_t)
> files_read_etc_files(systemd_tmpfiles_t)
> files_relabel_all_lock_dirs(systemd_tmpfiles_t)
> files_relabel_all_pid_dirs(systemd_tmpfiles_t)
> files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
> +files_relabel_var_dirs(systemd_tmpfiles_t)
> +files_relabel_var_lib_dir(systemd_tmpfiles_t)
>
> -auth_manage_var_auth(systemd_tmpfiles_t)
> -auth_manage_login_records(systemd_tmpfiles_t)
> -auth_relabel_login_records(systemd_tmpfiles_t)
> -auth_setattr_login_records(systemd_tmpfiles_t)
> -
> +files_relabelfrom_home(systemd_tmpfiles_t)
> +files_relabelto_home(systemd_tmpfiles_t)
> +files_relabelto_etc_dirs(systemd_tmpfiles_t)
> +# for /etc/mtab
> +files_manage_etc_symlinks(systemd_tmpfiles_t)
> +fs_getattr_xattr_fs(systemd_tmpfiles_t)
> +
> +init_manage_utmp(systemd_tmpfiles_t)
> +init_manage_var_lib_files(systemd_tmpfiles_t)
> +# for /proc/1/environ
> +init_read_state(systemd_tmpfiles_t)
> +
> +init_relabel_utmp(systemd_tmpfiles_t)
> +init_relabel_var_lib_dirs(systemd_tmpfiles_t)
> +logging_manage_generic_logs(systemd_tmpfiles_t)
> +logging_manage_generic_log_dirs(systemd_tmpfiles_t)
> +logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
> +logging_relabel_syslogd_tmp(systemd_tmpfiles_t)
> +logging_relabel_syslogd_tmp_dir(systemd_tmpfiles_t)
> +logging_setattr_syslogd_tmp(systemd_tmpfiles_t)
> +logging_setattr_syslogd_tmp_dir(systemd_tmpfiles_t)
> +
> +miscfiles_manage_man_pages(systemd_tmpfiles_t)
> +miscfiles_relabel_man_cache(systemd_tmpfiles_t)
> +
> +selinux_get_fs_mount(systemd_tmpfiles_t)
> +selinux_search_fs(systemd_tmpfiles_t)
> +seutil_read_config(systemd_tmpfiles_t)
> seutil_read_file_contexts(systemd_tmpfiles_t)
>
> +sysnet_create_config(systemd_tmpfiles_t)
> systemd_log_parse_environment(systemd_tmpfiles_t)
>
> +userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
> +userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
> +
> tunable_policy(`systemd_tmpfiles_manage_all',`
> # systemd-tmpfiles can be configured to manage anything.
> # have a last-resort option for users to do this.
> @@ -662,3 +719,18 @@ tunable_policy(`systemd_tmpfiles_manage_
> files_relabel_non_security_dirs(systemd_tmpfiles_t)
> files_relabel_non_security_files(systemd_tmpfiles_t)
> ')
> +
> +optional_policy(`
> + dbus_read_lib_files(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
> + xfs_create_dirs(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
> + xserver_create_console_pipes(systemd_tmpfiles_t)
> + xserver_create_xdm_tmp_dir(systemd_tmpfiles_t)
> + xserver_relabel_xconsole_pipes(systemd_tmpfiles_t)
> + xserver_setattr_xconsole_pipes(systemd_tmpfiles_t)
> +')
> Index: refpolicy-2.20170326/policy/modules/contrib/xfs.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/contrib/xfs.if
> +++ refpolicy-2.20170326/policy/modules/contrib/xfs.if
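Review bot: dev_read_urand(systemd_tmpfiles_t) and dev_manage_all_dev_nodes(systemd_tmpfiles_t) end up in the file twice, because the hunk adds them above the existing dev_relabel_all_sysfs line while the original copies stay as context lines below it; the two old lines should be dropped (`-dev_read_urand(systemd_tmpfiles_t)` / `-dev_manage_all_dev_nodes(systemd_tmpfiles_t)`). A duplicated rule still compiles, but it hides the fact that the block was meant to be sorted and will confuse the next reorder. The hunk also hands systemd_tmpfiles_t several wide interfaces with no justification in the file, such as files_delete_usr_files, files_manage_all_pid_dirs, files_purge_tmp and files_relabelto_etc_dirs, while only the /etc/mtab and /proc/1/environ rules carry a `# for ...` comment. Following that existing style for each broad call would make the domain's footprint auditable against the tmpfiles.d entries it is meant to serve.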
> @@ -21,6 +21,25 @@ interface(`xfs_read_sockets',`
>
> ########################################
> ##
> +## Create xfs temporary dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xfs_create_dirs',`
> + gen_require(`
> + type xfs_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + allow $1 xfs_tmp_t:dir create;
> +')
> +
> +########################################
> +##
> ## Connect to xfs with a unix
> ## domain stream socket.
> ##
> Index: refpolicy-2.20170326/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170326/policy/modules/kernel/files.if
> @@ -2760,6 +2760,24 @@ interface(`files_setattr_etc_dirs',`
>
> ########################################
> ##
> +## relabel directories to etc_t
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_relabelto_etc_dirs',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:dir relabelto;
> +')
> +
> +########################################
> +##
> ## List the contents of /etc directories.
> ##
> ##
> @@ -3811,6 +3829,24 @@ interface(`files_relabelto_home',`
>
> ########################################
> ##
> +## Relabel from user home root (/home).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_relabelfrom_home',`
> + gen_require(`
> + type home_root_t;
> + ')
> +
> + allow $1 home_root_t:dir relabelfrom;
> +')
> +
> +########################################
> +##
> ## Create objects in /home.
> ##
> ##
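Review bot: files_relabelto_etc_dirs grants `relabelto` on etc_t:dir with nothing limiting which directories may be turned into etc_t, so any directory the caller can relabelfrom can be made part of the system configuration tree; the summary `relabel directories to etc_t` should say that this is a privileged operation rather than read like a convenience wrapper. The matching relabelfrom is not in this patch and the call site in systemd.te carries no comment, so it is not visible which tmpfiles.d entry produces a directory that has to become etc_t. A summary along the lines of `## Relabel directories to the generic /etc type (etc_t). This is a privileged operation.` plus a `# for <tmpfiles.d entry>` comment at the call site would record both. The xfs_create_dirs and files_relabelfrom_home hunks on this line look consistent with their neighbours.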
> @@ -5498,6 +5534,24 @@ interface(`files_manage_var_dirs',`
>
> ########################################
> ##
> +## relabelto/from var directories
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_relabel_var_dirs',`
> + gen_require(`
> + type var_t;
> + ')
> +
> + allow $1 var_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +##
> ## Read files in the /var directory.
> ##
> ##
> @@ -5839,6 +5893,44 @@ interface(`files_read_var_lib_symlinks',
>
> ########################################
> ##
> +## manage var_lib_t dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_manage_var_lib_dir',`
> + gen_require(`
> + type var_t, var_lib_t;
> + ')
> +
> + allow $1 var_t:dir search_dir_perms;
> + allow $1 var_lib_t:dir manage_dir_perms;
> +')
> +
> +########################################
> +##
> +## relabel var_lib_t dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_relabel_var_lib_dir',`
> + gen_require(`
> + type var_t, var_lib_t;
> + ')
> +
> + allow $1 var_t:dir search_dir_perms;
> + allow $1 var_lib_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +##
> ## Create, read, write, and delete the
> ## pseudorandom number generator seed.
> ##
> Index: refpolicy-2.20170326/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170326/policy/modules/system/init.if
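Review bot: files_manage_var_lib_dir and files_relabel_var_lib_dir use the singular `_dir` although both act on every var_lib_t directory, while the interfaces they sit beside use the plural (`files_manage_var_dirs` in the first hunk header, `files_relabel_var_dirs` added just above). Renaming them to `files_manage_var_lib_dirs` and `files_relabel_var_lib_dirs`, with the two call sites in systemd.te updated to match, keeps the file's naming pattern; the reply above says some interfaces were renamed on merge, so this may already be done. Both bodies also repeat `allow $1 var_t:dir search_dir_perms;` inline, which is normal inside files.if but deserves a short `# search /var to reach /var/lib` comment so a caller reading the interface knows why var_t is in the gen_require.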
> @@ -1120,6 +1120,24 @@ interface(`init_manage_var_lib_files',`
>
> ########################################
> ##
> +## relabel dirs in /var/lib/systemd/.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_relabel_var_lib_dirs',`
> + gen_require(`
> + type init_var_lib_t;
> + ')
> +
> + allow $1 init_var_lib_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +##
> ## Create files in /var/lib/systemd
> ## with an automatic type transition.
> ##
> @@ -2518,6 +2536,24 @@ interface(`init_manage_utmp',`
> ')
>
> ########################################
> +##
> +## relabel from/to utmp
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_relabel_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + allow $1 initrc_var_run_t:file { relabelfrom relabelto };
> +')
> +
> +########################################
> ##
> ## Create files in /var/run with the
> ## utmp file type.
> Index: refpolicy-2.20170326/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170326/policy/modules/system/logging.if
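Review bot: init_relabel_utmp's summary `relabel from/to utmp` understates the rule, because the permission it grants is relabelfrom/relabelto on initrc_var_run_t:file, and going by the type name that covers more than the utmp file; a caller given this for utmp can relabel any file of that type. The summary should name the type so the generated interface docs show the real scope, e.g. `## Relabel initrc runtime files (initrc_var_run_t), including utmp.`. The earlier hunk on this line, init_relabel_var_lib_dirs, already documents its target by path and type and can serve as the model.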
> @@ -1022,6 +1022,46 @@ interface(`logging_manage_generic_logs',
>
> ########################################
> ##
> +## manage generic log dirs.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`logging_manage_generic_log_dirs',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 var_log_t:dir manage_dir_perms;
> +')
> +
> +########################################
> +##
> +## relabel generic log dirs.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`logging_relabel_generic_log_dirs',`
> + gen_require(`
> + type var_log_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 var_log_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +##
> ## All of the rules required to administrate
> ## the audit environment
> ##
> @@ -1137,3 +1177,79 @@ interface(`logging_admin',`
> logging_admin_audit($1, $2)
> logging_admin_syslog($1, $2)
> ')
> +
> +########################################
> +##
> +## setattr for syslogd_tmp_t
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`logging_setattr_syslogd_tmp',`
> + gen_require(`
> + type syslogd_tmp_t;
> + ')
> +
> + allow $1 syslogd_tmp_t:file setattr;
> +')
> +
> +########################################
> +##
> +## setattr for syslogd_tmp_t dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`logging_setattr_syslogd_tmp_dir',`
> + gen_require(`
> + type syslogd_tmp_t;
> + ')
> +
> + allow $1 syslogd_tmp_t:dir setattr;
> +')
> +
> +########################################
> +##
> +## relabel syslogd_tmp_t
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`logging_relabel_syslogd_tmp',`
> + gen_require(`
> + type syslogd_tmp_t;
> + ')
> +
> + allow $1 syslogd_tmp_t:file { relabelfrom relabelto };
> +')
> +
> +########################################
> +##
> +## relabel syslogd_tmp_t dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`logging_relabel_syslogd_tmp_dir',`
> + gen_require(`
> + type syslogd_tmp_t;
> + ')
> +
> + allow $1 syslogd_tmp_t:dir { relabelfrom relabelto };
> +')
> Index: refpolicy-2.20170326/policy/modules/system/miscfiles.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/miscfiles.if
> +++ refpolicy-2.20170326/policy/modules/system/miscfiles.if
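Review bot: The four syslogd_tmp_t interfaces are appended after logging_admin, but the admin interface is conventionally the last one in a refpolicy module, so they belong with the other syslogd interfaces earlier in logging.if, which is where the previous hunk on this file placed its additions. Their summaries (`setattr for syslogd_tmp_t`, `relabel syslogd_tmp_t dirs`) are lowercase fragments naming the type, while the file's existing summaries such as `All of the rules required to administrate the audit environment` are capitalised sentences describing the access; `## Set the attributes of syslogd temporary files.` and `## Relabel syslogd temporary directories.` would match. Since every call site in systemd.te uses the file and dir variants together, one interface per operation with `allow $1 syslogd_tmp_t:{ dir file } setattr;` would halve the surface to document, if callers are not expected to need only one class.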
> @@ -558,6 +558,25 @@ interface(`miscfiles_delete_man_pages',`
>
> ########################################
> ##
> +## relabel man cache
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`miscfiles_relabel_man_cache',`
> + gen_require(`
> + type man_cache_t;
> + ')
> +
> + relabel_dirs_pattern($1, man_cache_t, man_cache_t)
> + relabel_files_pattern($1, man_cache_t, man_cache_t)
> +')
> +
> +########################################
> +##
> ## Create, read, write, and delete man pages
> ##
> ##
> Index: refpolicy-2.20170326/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170326/policy/modules/system/userdomain.if
> @@ -2921,6 +2921,24 @@ interface(`userdom_manage_user_runtime_r
>
> ########################################
> ##
> +## relabel to/from user_runtime_root_t
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_relabel_user_runtime_root_dirs',`
> + gen_require(`
> + type user_runtime_root_t;
> + ')
> +
> + allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
> +')
> +
> +########################################
> +##
> ## Create, read, write, and delete user
> ## runtime dirs.
> ##
> Index: refpolicy-2.20170326/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170326/policy/modules/services/xserver.if
> @@ -682,6 +682,42 @@ interface(`xserver_setattr_console_pipes
>
> ########################################
> ##
> +## relabel the X windows console named pipes.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_relabel_xconsole_pipes',`
> + gen_require(`
> + type xconsole_device_t;
> + ')
> +
> + allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
> +')
> +
> +########################################
> +##
> +## setattr the X windows console named pipes.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_setattr_xconsole_pipes',`
> + gen_require(`
> + type xconsole_device_t;
> + ')
> +
> + allow $1 xconsole_device_t:fifo_file { getattr setattr };
> +')
> +
> +########################################
> +##
> ## Read and write the X windows console named pipe.
> ##
> ##
> @@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',`
> gen_require(`
> type xdm_t;
> class dbus send_msg;
> - ')
> + ')
>
> allow $1 xdm_t:dbus send_msg;
> allow xdm_t $1:dbus send_msg;
> @@ -1507,3 +1543,40 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +
> +########################################
> +##
> +## Create the X windows console named pipes.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_create_console_pipes',`
> + gen_require(`
> + type xconsole_device_t;
> + ')
> +
> + allow $1 xconsole_device_t:fifo_file create;
> +')
> +
> +########################################
> +##
> +## Create xdm_tmp_t directories
> +##
> +##
> +##
> +## Domain to allow
> +##
> +##
> +#
> +interface(`xserver_create_xdm_tmp_dir',`
> + gen_require(`
> + type xdm_tmp_t;
> + ')
> +
> + allow $1 xdm_tmp_t:dir create;
> +')
> _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
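Review bot: xserver_create_xdm_tmp_dir documents its parameter as `Domain to allow` while every other interface in this patch, including xserver_create_console_pipes directly above it, uses `Domain allowed access.`; the doc text should be made consistent. The same hunk leaves two blank lines after xserver_unconfined's closing `')`, one of which should go. Unlike xfs_create_dirs in the contrib hunk, this interface grants `xdm_tmp_t:dir create` without a files_search_tmp($1), so the caller relies on tmp search rights granted elsewhere; if that is deliberate, a one-line `# caller is expected to have files_search_tmp` comment would stop the next reader from adding it. The whitespace-only change to xserver_dbus_chat_xdm in the middle hunk is fine.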