From: russell@coker.com.au (Russell Coker)
Date: Tue, 4 Apr 2017 16:52:32 +1000
Subject: [refpolicy] [PATCH] systemd related changes
In-Reply-To: <6949cff0-2ae0-0e95-0bfd-b2d6edab0ea1@ieee.org>
References: <20170402064528.anw6vkdlmcd6ftwj@athena.coker.com.au> <6949cff0-2ae0-0e95-0bfd-b2d6edab0ea1@ieee.org>
Message-ID: <201704041652.32469.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 4 Apr 2017 09:22:24 AM Chris PeBenito via refpolicy wrote:
> > optional_policy(`
> >
> > + systemd_use_logind_fds(crond_t)
> > + systemd_write_inherited_logind_sessions_pipes(crond_t)
>
> It looks like there are several instances of inheriting the logind fds
> and writing the inherited pipes. Is there some pattern?

systemd_write_inherited_logind_sessions_pipes() already allowed inheriting the
fd, so I removed those needless systemd_use_logind_fds() lines.

===================================================================

> > --- refpolicy-2.20170329.orig/policy/modules/system/unconfined.te
> > +++ refpolicy-2.20170329/policy/modules/system/unconfined.te
> > @@ -59,6 +59,17 @@ ifdef(`direct_sysadm_daemon',`
> >
> > ')
> >
> > optional_policy(`
> >
> > + init_get_system_status(unconfined_t)
> > + init_reload(unconfined_t)
> > + init_manage_script_service(unconfined_t)
> > + dev_manage_null_service(unconfined_t)
> > + init_get_all_units_status(unconfined_t)
> > + init_start_all_units(unconfined_t)
> > + init_stop_all_units(unconfined_t)
> > + init_reload_all_units(unconfined_t)
> > +')
>
> Perhaps we should make an init_unconfined() or systemd_unconfined().

OK, done that.

===================================================================

> > --- refpolicy-2.20170329.orig/policy/modules/kernel/files.if
> > +++ refpolicy-2.20170329/policy/modules/kernel/files.if
> > @@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
> >
> > allow $1 etc_t:service status;
> >
> > ')
> >
> > +########################################
> > +##
> > +## start etc_t service
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`files_etc_unit_start',`
>
> Here (and below): files_start_etc_service() and files_stop_...

Done.

===================================================================

> > --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.te
> > +++ refpolicy-2.20170329/policy/modules/kernel/terminal.te
> > @@ -19,6 +19,8 @@ dev_node(bsdpty_device_t)
> >
> > #
> > type console_device_t;
> > dev_node(console_device_t)
> >
> > +# for /dev/pts/0
> > +allow console_device_t devpts_t:filesystem associate;
>
> This doesn't seem right. Why would a pty be the console?

Not sure. I'll remove that and try and reproduce the issue.

===================================================================

> > --- refpolicy-2.20170329.orig/policy/modules/system/sysnetwork.if
> > +++ refpolicy-2.20170329/policy/modules/system/sysnetwork.if
> > @@ -413,7 +413,7 @@ interface(`sysnet_create_config',`
> >
> > ')
> >
> > files_search_etc($1)
> >
> > - allow $1 net_conf_t:file create_file_perms;
> > + allow $1 net_conf_t:file { relabelfrom relabelto manage_file_perms };
>
> This should be two new interfaces instead (sysnet_relabel_config() and
> sysnet_manage_config())

OK.

===================================================================

> > --- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.if
> > +++ refpolicy-2.20170329/policy/modules/roles/sysadm.if
> > @@ -236,3 +236,22 @@ interface(`sysadm_rw_pipes',`
> >
> > allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
> >
> > ')
> >
> > +
> > +########################################
> > +##
> > +## talk to sysadm_t over dbus
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`sysadm_dbus_chat',`
> > + gen_require(`
> > + type sysadm_t;
> > + ')
> > +
> > + allow sysadm_t $1:dbus send_msg;
> > + allow $1 sysadm_t:dbus send_msg;
> > +')
>
> There is no hard rule, but typically my preference is for the server
> side to provide the interface. That doesn't seem to fit sysadm.

OK.

> > ########################################
> > ##
> > ## Start all systemd units.
> >
> > @@ -2879,3 +2917,22 @@ interface(`init_reload_all_units',`
> >
> > allow $1 { init_script_file_type systemdunit }:service reload;
> >
> > ')
> >
> > +
> > +########################################
> > +##
> > +## Allow getting service status of initrc_exec_t scripts
> > +##
> > +##
> > +##
> > +## Target domain
> > +##
> > +##
> > +#
> > +interface(`initrc_service_status',`
>
> I think this was merged in the last patch but renamed
> init_get_script_status().

A grep of the source doesn't turn up a match for init_get_script_status.

===================================================================

> > --- refpolicy-2.20170329.orig/policy/modules/system/systemd.if
> > +++ refpolicy-2.20170329/policy/modules/system/systemd.if
> > @@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
> >
> > ######################################
> > ##
> >
> > +## Write systemd_login named pipe.
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`systemd_login_write_pid_pipe',`
>
> systemd_write_logind_pid_pipes()

OK.

> > +#######################################
> > +##
> > +## Send generic signals to systemd_passwd_agent processes.
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`systemd_manage_passwd_run',`
> > + gen_require(`
> > + type systemd_passwd_agent_t;
> > + type systemd_passwd_var_run_t;
> > + ')
> > +
> > + manage_files_pattern($1, systemd_passwd_var_run_t,
> > systemd_passwd_var_run_t) + manage_sock_files_pattern($1,
> > systemd_passwd_var_run_t, systemd_passwd_var_run_t) +
> > + allow systemd_passwd_agent_t $1:process signull;
> > + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
>
> This looks like it should be 2-4 interfaces, but I'm not sure how many.

It's all for a single purpose, using systemd to get a password. So far the
only users of it are httpd_t (for getting passwords for locked SSL certificate
files) and init_t (for a "strict" configuration). I don't think it makes sense
to split it.

A better name and description would make sense; do you have a suggestion for a
new name?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
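Review bot: in the unconfined.te hunk, `dev_manage_null_service(unconfined_t)` is a devices-layer interface (dev_ prefix) sitting in the middle of eight init_ calls, so if the block is folded into an init_unconfined() wrapper as suggested, that one call should stay as its own line in unconfined.te rather than being hidden inside an init interface; the remaining eight calls are all init_ and do belong together.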
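Review bot: the sysnetwork.if hunk edits the body of the existing `sysnet_create_config()`, replacing `create_file_perms` with `{ relabelfrom relabelto manage_file_perms }`, so every current caller of that interface silently gains relabel and full manage rights on net_conf_t, not just the domains this patch is about. Leaving `sysnet_create_config()` as it is and adding the two interfaces named in the review (`sysnet_relabel_config()` and `sysnet_manage_config()`) keeps the widening limited to callers that ask for it.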
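Review bot: `sysadm_dbus_chat` in the sysadm.if hunk declares only `type sysadm_t;` in its gen_require, but the two rules it adds (`allow sysadm_t $1:dbus send_msg;` and `allow $1 sysadm_t:dbus send_msg;`) use the dbus class, and the other *_dbus_chat interfaces in refpolicy also list `class dbus send_msg;` in the gen_require block; add that line so the interface follows the same convention.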
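Review bot: the `initrc_service_status` interface in the init.if fragment uses an initrc_ prefix although it sits in init.if next to interfaces named init_* (the hunk context shows `init_reload_all_units`), and its parameter is documented as "Target domain" where the surrounding interfaces say "Domain allowed access."; if it is kept rather than replaced by the renamed interface mentioned in the review, the prefix and the parameter description should match the rest of the file.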
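Review bot: in the `systemd_manage_passwd_run` hunk in systemd.if, the summary ("Send generic signals to systemd_passwd_agent processes.") does not match the body: $1 is never granted a signal on the agent, the two allow rules run the other way (`allow systemd_passwd_agent_t $1:process signull;` and `allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;`, i.e. the agent probes and messages the caller), and most of the body is manage rights on systemd_passwd_var_run_t files and sock files. If it stays a single interface, the summary should describe that whole exchange (caller manages the agent's runtime files and sockets, agent may signull and send datagrams back to the caller), and a name built around using the agent, for example `systemd_use_passwd_agent()`, would describe the purpose better than one built around managing a directory.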