From: russell@coker.com.au (Russell Coker) Date: Tue, 4 Apr 2017 17:42:40 +1000 Subject: [refpolicy] [PATCH] systemd related changes second attempt Message-ID: <20170404074240.pegx4y7w265ntv6b@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Here's the second attempt at this patch. I addressed all issues Chris raised apart from init_get_script_status(), and renaming systemd_manage_passwd_run(). Chris please rename systemd_manage_passwd_run() while applying this. Description: App changes related to systemd Author: Russell Coker Last-Update: 2017-04-04 Index: refpolicy-2.20170402/policy/modules/contrib/apache.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/apache.te +++ refpolicy-2.20170402/policy/modules/contrib/apache.te @@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) +ifdef(`init_systemd', ` + systemd_manage_passwd_run(httpd_t) +') + ifdef(`TODO',` tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) Index: refpolicy-2.20170402/policy/modules/contrib/cron.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/cron.te +++ refpolicy-2.20170402/policy/modules/contrib/cron.te @@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t) init_read_state(crond_t) init_rw_utmp(crond_t) init_spec_domtrans_script(crond_t) +init_stop_all_units(system_cronjob_t) +init_start_all_units(system_cronjob_t) +init_get_generic_units_status(system_cronjob_t) +init_get_system_status(system_cronjob_t) auth_domtrans_chk_passwd(crond_t) auth_manage_var_auth(crond_t) 
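Review bot: The guard around `systemd_manage_passwd_run(httpd_t)` is `ifdef(`init_systemd',` whereas every other new systemd_* call in this patch (ssh.te, locallogin.te, networkmanager.te, dbus.te, cron.te) is wrapped in `optional_policy(`` with no init_systemd condition; one guard style should be used throughout, or a comment should say why httpd differs. The interface body in the systemd.if hunk grants httpd_t manage on systemd_passwd_var_run_t files and socket files and lets the password agent signull/sendto httpd_t, so a one-line comment here naming the httpd feature that needs the ask-password handshake would keep the grant reviewable. The cover text says the interface will be renamed on apply, so this caller has to follow that rename.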
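Review bot: The four new `init_*(system_cronjob_t)` lines sit in the middle of crond_t's rules, and `init_start_all_units`/`init_stop_all_units` let every system cron job start or stop any unit without a comment saying which jobs need it; the rationale `# so cron jobs can restart daemons` only appears in the second cron.te hunk next to `init_stream_connect`. Move these lines into the system_cronjob_t section together with that comment, and consider whether `init_start_generic_units`/`init_stop_generic_units` (used elsewhere in this patch) would cover the daemons cron jobs actually restart, since the *_all_units variants presumably also cover init_script_file_type scripts as their status/reload siblings in the init.if context do. In the second cron.te hunk the two adjacent `optional_policy(`` blocks both contain only systemd_* calls and could be one block.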
@@ -417,6 +421,16 @@ optional_policy(` ') optional_policy(` + systemd_write_inherited_logind_sessions_pipes(crond_t) +') +optional_policy(` + systemd_dbus_chat_logind(system_cronjob_t) + systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) + # so cron jobs can restart daemons + init_stream_connect(system_cronjob_t) +') + +optional_policy(` udev_read_db(crond_t) ') Index: refpolicy-2.20170402/policy/modules/contrib/networkmanager.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/networkmanager.te +++ refpolicy-2.20170402/policy/modules/contrib/networkmanager.te @@ -340,6 +340,10 @@ optional_policy(` ') optional_policy(` + systemd_read_logind_sessions_files(NetworkManager_t) +') + +optional_policy(` udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) udev_read_pid_files(NetworkManager_t) Index: refpolicy-2.20170402/policy/modules/services/ssh.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/services/ssh.te +++ refpolicy-2.20170402/policy/modules/services/ssh.te @@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',` ') optional_policy(` + systemd_write_inherited_logind_sessions_pipes(sshd_t) + systemd_dbus_chat_logind(sshd_t) +') + +optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') Index: refpolicy-2.20170402/policy/modules/system/udev.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/udev.te +++ refpolicy-2.20170402/policy/modules/system/udev.te 
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',` allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:capability2 block_suspend; +allow udev_t self:capability2 { wake_alarm block_suspend }; allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; @@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) files_read_etc_files(udev_t) +files_read_kernel_modules(udev_t) files_exec_etc_files(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) @@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t) auth_use_nsswitch(udev_t) init_read_utmp(udev_t) +# systemd-udevd searches /run/systemd +init_search_run(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) +# for hdparm init script run by udev +initrc_service_status(udev_t) + logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) logging_send_audit_msgs(udev_t) @@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) +systemd_read_logind_sessions_files(udev_t) +init_start_all_units(udev_t) +init_stop_all_units(udev_t) + userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_debian',` Index: refpolicy-2.20170402/policy/modules/contrib/logrotate.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/logrotate.te +++ refpolicy-2.20170402/policy/modules/contrib/logrotate.te 
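Review bot: `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` in the last udev.te hunk let udevd start and stop any unit on the system, and unlike the `initrc_service_status` addition they carry no comment naming the udev rule that needs them; a comment such as `# udev rules run systemctl start/stop for <unit> (placeholder)` would let a later reader narrow this to the unit types involved. If only a known set of units is started from udev rules, an interface scoped to those unit types would be a smaller grant than the all-units pair. The pre-existing capability line in the first hunk lists `sys_nice` twice; not part of this change, but cheap to tidy while touching the file.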
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t; # allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; +allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap }; allow logrotate_t self:fd use; allow logrotate_t self:key manage_key_perms; allow logrotate_t self:fifo_file rw_fifo_file_perms; @@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t) auth_use_nsswitch(logrotate_t) init_all_labeled_script_domtrans(logrotate_t) +init_get_generic_units_status(logrotate_t) +init_get_all_units_status(logrotate_t) +init_dbus_chat(logrotate_t) +init_stream_connect(logrotate_t) + +dbus_system_bus_client(logrotate_t) +init_write_pid_socket(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) @@ -126,6 +133,8 @@ ifdef(`distro_debian',` logging_read_syslog_config(logrotate_t) ') +init_manage_all_units(logrotate_t) + optional_policy(` abrt_manage_cache(logrotate_t) ') Index: refpolicy-2.20170402/policy/modules/system/lvm.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/lvm.te +++ refpolicy-2.20170402/policy/modules/system/lvm.te @@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_ files_etc_filetrans(lvm_t, lvm_metadata_t, file) files_search_mnt(lvm_t) +kernel_request_load_module(lvm_t) kernel_get_sysvipc_info(lvm_t) kernel_read_system_state(lvm_t) # Read system variables in /proc/sys @@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) +# for systemd-cryptsetup +kernel_read_crypto_sysctls(lvm_t) kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) 
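Review bot: `init_manage_all_units(logrotate_t)` in the third logrotate.te hunk grants all_service_perms (start, stop, enable, disable, reload, ...) on every systemdunit, far wider than a postrotate script that restarts a logger needs; the second hunk already adds `init_get_all_units_status`, `init_dbus_chat` and `init_stream_connect`, so `init_reload_all_units(logrotate_t)` (or the start/stop pair) would presumably cover the real cases without handing logrotate enable/disable over the whole unit set. Removing `setrlimit` from the negated set in the first hunk silently grants logrotate self:process setrlimit; a short comment on why logrotate now needs it would keep that list reviewable. `dbus_system_bus_client` and `init_write_pid_socket` are also interleaved with the init_* block rather than grouped with their own module's calls.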
@@ -301,6 +304,8 @@ init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) +# for systemd-cryptsetup to talk to /run/systemd/journal/socket +init_stream_connect(lvm_t) logging_send_syslog_msg(lvm_t) Index: refpolicy-2.20170402/policy/modules/contrib/dbus.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.te +++ refpolicy-2.20170402/policy/modules/contrib/dbus.te @@ -144,6 +144,13 @@ userdom_dontaudit_use_unpriv_user_fds(sy userdom_dontaudit_search_user_home_dirs(system_dbusd_t) optional_policy(` + # for /run/systemd/users/* + systemd_read_logind_pids(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_logind_pid_pipes(system_dbusd_t) +') + +optional_policy(` bluetooth_stream_connect(system_dbusd_t) ') Index: refpolicy-2.20170402/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20170402/policy/modules/system/unconfined.te @@ -59,6 +59,10 @@ ifdef(`direct_sysadm_daemon',` ') optional_policy(` + init_unconfined(unconfined_t) +') + +optional_policy(` ada_domtrans(unconfined_t) ') Index: refpolicy-2.20170402/policy/modules/system/logging.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/logging.if +++ refpolicy-2.20170402/policy/modules/system/logging.if 
@@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',` # will write to the console. term_write_console($1) term_dontaudit_read_console($1) + + # because systemd is now using /run/systemd/journal/dev-log + init_search_run($1) ') ######################################## Index: refpolicy-2.20170402/policy/modules/system/locallogin.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/locallogin.te +++ refpolicy-2.20170402/policy/modules/system/locallogin.te @@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',` ') ') +optional_policy(` + systemd_dbus_chat_logind(local_login_t) + systemd_write_inherited_logind_sessions_pipes(local_login_t) +') + tunable_policy(`console_login',` # Able to relabel /dev/console to user tty types. term_relabel_console(local_login_t) Index: refpolicy-2.20170402/policy/modules/contrib/policykit.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/policykit.te +++ refpolicy-2.20170402/policy/modules/contrib/policykit.te @@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t) userdom_getattr_all_users(policykit_t) userdom_read_all_users_state(policykit_t) +# for /run/systemd/machines +systemd_read_machines(policykit_t) + +# for /run/systemd/seats/seat* +systemd_read_logind_sessions_files(policykit_t) + +# for /run/systemd/users/* +systemd_read_logind_pids(policykit_t) + optional_policy(` dbus_system_domain(policykit_t, policykit_exec_t) Index: refpolicy-2.20170402/policy/modules/contrib/dbus.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/dbus.if +++ refpolicy-2.20170402/policy/modules/contrib/dbus.if 
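Review bot: `init_search_run($1)` in logging_send_syslog_msg is unconditional, so every syslog-sending domain in a non-systemd build also gets search on init_var_run_t directories even though the comment ties the need to /run/systemd/journal/dev-log; wrapping it as `ifdef(`init_systemd',` init_search_run($1) ')` keeps the grant to the configuration that needs it. The rest of logging_send_syslog_msg lies outside the hunk, so whether an equivalent search is already granted there cannot be checked here.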
@@ -88,6 +88,10 @@ template(`dbus_role_template',` ifdef(`hide_broken_symptoms',` dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; ') + + optional_policy(` + systemd_read_logind_pids($1_dbusd_t) + ') ') ####################################### Index: refpolicy-2.20170402/policy/modules/kernel/files.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/kernel/files.if +++ refpolicy-2.20170402/policy/modules/kernel/files.if @@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',` allow $1 etc_t:service status; ') +######################################## +## +## start etc_t service +## +## +## +## Domain allowed access. +## +## +# +interface(`files_start_etc_service',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:service start; +') + +######################################## +## +## stop etc_t service +## +## +## +## Domain allowed access. +## +## +# +interface(`files_stop_etc_service',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:service stop; +') + ####################################### ## ## Relabel from and to generic files in /etc. Index: refpolicy-2.20170402/policy/modules/system/unconfined.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/unconfined.if +++ refpolicy-2.20170402/policy/modules/system/unconfined.if @@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',` class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; + class service all_service_perms; ') # Use most Linux capabilities 
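Review bot: The new `files_start_etc_service` and `files_stop_etc_service` declare only `type etc_t;` in gen_require while the new `initrc_service_status` in init.if also declares `class service status;`; the patch should pick one convention for class declarations in gen_require and apply it to all the new service interfaces. Their summaries `start etc_t service` / `stop etc_t service` name the type rather than the object; `Start systemd units labeled etc_t.` in the style of the sibling `files_get_etc_unit_status` reads better. In the unconfined.if hunk, `class service all_service_perms;` is added to unconfined_domain_noaudit's gen_require, but the allow that would use it is not in either visible hunk, so confirm it is actually referenced in the part of the interface outside the hunks.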
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',` files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) + files_get_etc_unit_status($1) + files_start_etc_service($1) + files_stop_etc_service($1) tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. Index: refpolicy-2.20170402/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20170402/policy/modules/roles/sysadm.te @@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) init_exec(sysadm_t) -init_get_system_status(sysadm_t) -init_disable(sysadm_t) -init_enable(sysadm_t) -init_reload(sysadm_t) -init_reboot_system(sysadm_t) -init_shutdown_system(sysadm_t) -init_start_generic_units(sysadm_t) -init_stop_generic_units(sysadm_t) -init_reload_generic_units(sysadm_t) +init_unconfined(sysadm_t) # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) Index: refpolicy-2.20170402/policy/modules/system/lvm.fc =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/lvm.fc +++ refpolicy-2.20170402/policy/modules/system/lvm.fc 
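Review bot: Replacing the nine granular `init_*` calls with `init_unconfined(sysadm_t)` is not a pure refactor: per the init.if hunk in this patch, init_unconfined additionally grants `init_manage_all_units` (all_service_perms on every unit), `init_manage_script_service`, `init_stop_system`, `init_telinit`, `init_get_all_units_status`, `init_reload_all_units`, `init_start_all_units`, `init_stop_all_units` and `dev_manage_null_service`, none of which sysadm_t had before. The same widening applies to dpkg_script_t in the dpkg.te hunk, which also gains reboot/shutdown/enable/disable and all-units start/stop that were not among its removed lines. If the wider grant is intended, the commit description should say so; otherwise keep the granular calls and reserve init_unconfined for unconfined_t.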
@@ -24,6 +24,7 @@ ifdef(`distro_gentoo',` /usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) /usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0) /usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0) Index: refpolicy-2.20170402/policy/modules/contrib/mta.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/mta.te +++ refpolicy-2.20170402/policy/modules/contrib/mta.te @@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst init_use_script_ptys(system_mail_t) init_use_fds(system_mail_t) +init_rw_stream_sockets(system_mail_t) userdom_use_user_terminals(system_mail_t) Index: refpolicy-2.20170402/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/services/xserver.te +++ refpolicy-2.20170402/policy/modules/services/xserver.te @@ -285,6 +285,10 @@ files_search_pids(xauth_t) fs_getattr_xattr_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) +allow xauth_t xdm_t:fd use; +allow xauth_t xdm_t:fifo_file { getattr read }; +allow xauth_t xdm_t:unix_stream_socket { read write }; + # cjp: why? term_use_ptmx(xauth_t) Index: refpolicy-2.20170402/policy/modules/system/sysnetwork.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/sysnetwork.if +++ refpolicy-2.20170402/policy/modules/system/sysnetwork.if @@ -399,7 +399,7 @@ interface(`sysnet_write_config',` ####################################### ## -## Create network config files. +## relabel network config files. ## ## ## 
@@ -407,13 +407,13 @@ interface(`sysnet_write_config',` ## ## # -interface(`sysnet_create_config',` +interface(`sysnet_relabel_config',` gen_require(` type net_conf_t; ') files_search_etc($1) - allow $1 net_conf_t:file create_file_perms; + allow $1 net_conf_t:file { relabelfrom relabelto }; ') ####################################### @@ -455,6 +455,7 @@ interface(`sysnet_manage_config',` type net_conf_t; ') + files_search_etc($1) allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_debian',` Index: refpolicy-2.20170402/policy/modules/contrib/ntp.fc =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.fc +++ refpolicy-2.20170402/policy/modules/contrib/ntp.fc @@ -15,6 +15,8 @@ /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0) /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0) +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0) +/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) @@ -23,6 +25,7 @@ /var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0) /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0) Index: refpolicy-2.20170402/policy/modules/contrib/ntp.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.te +++ refpolicy-2.20170402/policy/modules/contrib/ntp.te 
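Review bot: `sysnet_create_config` is renamed to `sysnet_relabel_config` with different semantics (create_file_perms becomes `{ relabelfrom relabelto }`), so any out-of-tree policy calling sysnet_create_config stops building, and the two in-tree callers are switched to `sysnet_manage_config`, which is a wider grant (manage_file_perms) than the create/write/setattr they had. The usual refpolicy approach is to keep the old name for a release as a deprecated wrapper, e.g. `interface(`sysnet_create_config',` refpolicywarn(`$0($*) has been deprecated, use sysnet_manage_config() instead.') sysnet_manage_config($1) ')`. The preceding doc hunk also lowercases the summary to `relabel network config files.`, unlike the capitalized summaries around it.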
@@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t) dev_read_sysfs(ntpd_t) dev_read_urand(ntpd_t) dev_rw_realtime_clock(ntpd_t) +clock_read_adjtime(ntpd_t) domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) @@ -142,6 +143,25 @@ miscfiles_read_localization(ntpd_t) userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_user_home_dirs(ntpd_t) +ifdef(`init_systemd',` + dbus_system_bus_client(ntpd_t) + dbus_connect_system_bus(ntpd_t) + init_dbus_chat(ntpd_t) + init_get_system_status(ntpd_t) + allow ntpd_t self:capability { fowner setpcap }; + init_reload(ntpd_t) + + # for /var/lib/systemd/clock + init_list_var_lib_dirs(ntpd_t) + + # for /run/systemd/netif/links + init_list_pid_dirs(ntpd_t) + + optional_policy(` + unconfined_dbus_send(ntpd_t) + ') +') + optional_policy(` cron_system_entry(ntpd_t, ntpdate_exec_t) ') Index: refpolicy-2.20170402/policy/modules/contrib/devicekit.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/devicekit.te +++ refpolicy-2.20170402/policy/modules/contrib/devicekit.te @@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t) init_all_labeled_script_domtrans(devicekit_power_t) init_read_utmp(devicekit_power_t) +init_search_run(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) Index: refpolicy-2.20170402/policy/modules/system/init.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/init.if +++ refpolicy-2.20170402/policy/modules/system/init.if 
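Review bot: Labeling `/usr/lib/systemd/systemd-timedated` and `systemd-timesyncd` as ntpd_exec_t (ntp.fc hunk) runs three different programs in ntpd_t, so the `init_reload`, `init_dbus_chat`, `dbus_connect_system_bus` and `self:capability { fowner setpcap }` rules added in the `ifdef(`init_systemd',` block apply to ntpd and timesyncd as well, and presumably not all three need every one of them. If a separate domain for timedated is out of scope for this patch, a comment on each added rule naming the program that needs it would at least record the reason for the shared grant. The `allow ntpd_t self:capability { fowner setpcap };` line also belongs with the other self: rules at the top of the ntpd_t policy rather than between interface calls.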
@@ -1209,6 +1209,24 @@ interface(`init_pid_filetrans',` filetrans_pattern($1, init_var_run_t, $2, $3, $4) ') +###################################### +## +## Allow listing of the /run/systemd directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_list_pid_dirs',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:dir list_dir_perms; +') + ######################################## ## ## Get the attributes of initctl. @@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',` allow $1 { init_script_file_type systemdunit }:service status; ') +####################################### +## +## All perms on all systemd units. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_manage_all_units',` + gen_require(` + attribute systemdunit; + class service all_service_perms; + ') + + allow $1 systemdunit:service all_service_perms; + allow $1 systemdunit:file getattr; +') + ######################################## ## ## Start all systemd units. 
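Review bot: `init_manage_all_units` grants all_service_perms only on `systemdunit`, while the neighbouring `init_get_all_units_status` and `init_reload_all_units` (visible in the context) use `{ init_script_file_type systemdunit }`, so "all units" here silently excludes SysV script services; either use the same target set, `allow $1 { init_script_file_type systemdunit }:service all_service_perms;`, or say in the summary that only native systemd units are covered. The extra `allow $1 systemdunit:file getattr;` is also not in the other *_all_units interfaces and deserves a comment explaining why management needs it. The summary of `init_list_pid_dirs` names /run/systemd, but init_var_run_t covers whatever is labeled with that type, so `Allow listing init_var_run_t directories (e.g. /run/systemd).` is more accurate.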
@@ -2879,3 +2917,58 @@ interface(`init_reload_all_units',` allow $1 { init_script_file_type systemdunit }:service reload; ') + +######################################## +## +## Allow getting service status of initrc_exec_t scripts +## +## +## +## Target domain +## +## +# +interface(`initrc_service_status',` + gen_require(` + type initrc_exec_t; + class service status; + ') + + allow $1 initrc_exec_t:service status; +') + +######################################## +## +## Allow unconfined access to send instructions to init +## +## +## +## Target domain +## +## +# +interface(`init_unconfined',` + gen_require(` + type initrc_exec_t; + class service status; + ') + + dev_manage_null_service($1) + init_disable($1) + init_enable($1) + init_get_all_units_status($1) + init_get_generic_units_status($1) + init_get_system_status($1) + init_manage_all_units($1) + init_manage_script_service($1) + init_reboot_system($1) + init_reload($1) + init_reload_all_units($1) + init_shutdown_system($1) + init_start_all_units($1) + init_start_generic_units($1) + init_stop_all_units($1) + init_stop_generic_units($1) + init_stop_system($1) + init_telinit($1) +') Index: refpolicy-2.20170402/policy/modules/system/fstools.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/fstools.te +++ refpolicy-2.20170402/policy/modules/system/fstools.te @@ -146,6 +146,7 @@ term_use_console(fsadm_t) init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) +init_rw_script_stream_sockets(fsadm_t) logging_send_syslog_msg(fsadm_t) Index: refpolicy-2.20170402/policy/modules/system/systemd.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/systemd.if +++ refpolicy-2.20170402/policy/modules/system/systemd.if 
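Review bot: `initrc_service_status` is defined in init.if but is not prefixed `init_`, which breaks the module-prefix convention every other interface in this file follows and hides its owning module from callers such as the udev.te hunk; a name like `init_get_script_status` would match the surrounding init_get_*_status interfaces, and the cover text already lists `init_get_script_status()` as the open review item. `init_unconfined` declares `type initrc_exec_t; class service status;` in its gen_require but its body only calls other interfaces, so that gen_require is dead and should be removed. The parameter description `Target domain` in both new interfaces also differs from the `Domain allowed access.` wording used throughout the file.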
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip ###################################### ## +## Write systemd_login named pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_write_logind_pid_pipes',` + gen_require(` + type systemd_logind_var_run_t; + ') + + init_search_run($1) + files_search_pids($1) + allow $1 systemd_logind_var_run_t:fifo_file { getattr write }; +') + +###################################### +## ## Use inherited systemd ## logind file descriptors. ## @@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',` ###################################### ## +## Read logind sessions files. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_read_logind_sessions_files',` + gen_require(` + type systemd_sessions_var_run_t, systemd_logind_t; + ') + + allow $1 systemd_logind_t:fd use; + init_search_run($1) + allow $1 systemd_sessions_var_run_t:dir list_dir_perms; + read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t) +') + +###################################### +## ## Write inherited logind sessions pipes. ## ## @@ -188,6 +229,30 @@ interface(`systemd_use_passwd_agent_fds' allow systemd_passwd_agent_t $1:fd use; ') +####################################### +## +## Allow a systemd_passwd_agent_t process to interact with a daemon +## that needs a password from the sysadmin. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_manage_passwd_run',` + gen_require(` + type systemd_passwd_agent_t; + type systemd_passwd_var_run_t; + ') + + manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + + allow systemd_passwd_agent_t $1:process signull; + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; +') + ######################################## ## ## Transition to systemd_passwd_var_run_t when creating dirs 
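Review bot: `allow $1 systemd_logind_t:fd use;` in systemd_read_logind_sessions_files is not a read of sessions files: it lets every caller (NetworkManager_t, udev_t, policykit_t and the ssh server template's $1_t in this patch) use inherited logind descriptors, which is exactly what the existing `systemd_use_logind_fds` interface visible in the context is for. Drop that line here and have the callers that actually inherit logind descriptors call `systemd_use_logind_fds` explicitly, so the interface does what its name and summary say.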
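Review bot: systemd_manage_passwd_run grants manage on systemd_passwd_var_run_t files and socket files but, unlike `systemd_write_logind_pid_pipes` in the first hunk, does not add `init_search_run($1)` or `files_search_pids($1)`, so a caller that does not already search /run and /run/systemd would presumably be denied before reaching the ask-password directory; if the caller is expected to provide that itself, the summary should say so. Since the interface also gives the agent `signull` and `unix_dgram_socket sendto` on the caller, a second summary sentence such as `The password agent may signull $1 and send to its datagram sockets.` documents the reverse direction. The cover text says this interface will be renamed on apply, so the apache.te caller must follow.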
@@ -383,3 +448,22 @@ interface(`systemd_tmpfilesd_managed',` allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; ') + +######################################## +## +## Allow reading /run/systemd/machines +## +## +## +## Domain that can access the machines files +## +## +# +interface(`systemd_read_machines',` + gen_require(` + type systemd_machined_var_run_t; + ') + + allow $1 systemd_machined_var_run_t:dir list_dir_perms; + allow $1 systemd_machined_var_run_t:file read_file_perms; +') Index: refpolicy-2.20170402/policy/modules/contrib/dpkg.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/dpkg.te +++ refpolicy-2.20170402/policy/modules/contrib/dpkg.te @@ -229,7 +229,6 @@ kernel_read_system_state(dpkg_script_t) corecmd_exec_all_executables(dpkg_script_t) -dev_manage_null_service(dpkg_script_t) dev_list_sysfs(dpkg_script_t) # Use named file transition to fix this # dev_manage_generic_blk_files(dpkg_script_t) @@ -276,16 +275,10 @@ files_manage_non_auth_files(dpkg_script_ auth_manage_shadow(dpkg_script_t) init_all_labeled_script_domtrans(dpkg_script_t) -init_get_generic_units_status(dpkg_script_t) init_use_script_fds(dpkg_script_t) -init_get_system_status(dpkg_script_t) -init_start_generic_units(dpkg_script_t) -init_stop_generic_units(dpkg_script_t) -init_reload(dpkg_script_t) -init_stop_system(dpkg_script_t) -init_telinit(dpkg_script_t) init_manage_script_service(dpkg_script_t) init_startstop_all_script_services(dpkg_script_t) +init_unconfined(dpkg_script_t) libs_exec_ld_so(dpkg_script_t) libs_exec_lib_files(dpkg_script_t) Index: refpolicy-2.20170402/policy/modules/system/init.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/init.te +++ refpolicy-2.20170402/policy/modules/system/init.te 
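Review bot: systemd_read_machines grants list/read on systemd_machined_var_run_t but, unlike the other new systemd.if interfaces in this patch that target subdirectories of /run/systemd, does not add `init_search_run($1)`; policykit_t is the only caller here and may already have the search elsewhere, but for a general-purpose interface the missing search is likely to surface as a denial for the next caller. Either add `init_search_run($1)` or note the expectation in the summary, as `systemd_write_logind_pid_pipes` does by including it.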
@@ -697,9 +697,7 @@ ifdef(`distro_gentoo',` seutil_read_default_contexts(initrc_t) # /lib/rcscripts/net/system.sh rewrites resolv.conf :( - sysnet_create_config(initrc_t) - sysnet_write_config(initrc_t) - sysnet_setattr_config(initrc_t) + sysnet_manage_config(initrc_t) optional_policy(` abrt_manage_pid_files(initrc_t) Index: refpolicy-2.20170402/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20170402.orig/policy/modules/system/systemd.te +++ refpolicy-2.20170402/policy/modules/system/systemd.te @@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpf seutil_read_config(systemd_tmpfiles_t) seutil_read_file_contexts(systemd_tmpfiles_t) -sysnet_create_config(systemd_tmpfiles_t) +sysnet_manage_config(systemd_tmpfiles_t) +sysnet_relabel_config(systemd_tmpfiles_t) systemd_log_parse_environment(systemd_tmpfiles_t) Index: refpolicy-2.20170402/policy/modules/contrib/ntp.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/contrib/ntp.if +++ refpolicy-2.20170402/policy/modules/contrib/ntp.if @@ -200,6 +200,9 @@ interface(`ntp_admin',` type ntpd_key_t, ntpd_pid_t, ntp_conf_t; type ntpd_initrc_exec_t, ntp_drift_t; type ntpd_unit_t; + ifdef(`init_systemd',` + class dbus send_msg; + ') ') allow $1 ntpd_t:process { ptrace signal_perms }; @@ -223,4 +226,9 @@ interface(`ntp_admin',` admin_pattern($1, ntpd_pid_t) ntp_run($1, $2) + + ifdef(`init_systemd',` + allow $1 ntpd_t:dbus send_msg; + allow ntpd_t $1:dbus send_msg; + ') ') Index: refpolicy-2.20170402/policy/modules/services/ssh.if =================================================================== --- refpolicy-2.20170402.orig/policy/modules/services/ssh.if +++ refpolicy-2.20170402/policy/modules/services/ssh.if 
@@ -271,6 +271,10 @@ template(`ssh_server_template', ` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') + + optional_policy(` + systemd_read_logind_sessions_files($1_t) + ') ') ########################################