From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 4 Apr 2017 19:10:05 -0400
Subject: [refpolicy] [PATCH] systemd related changes
In-Reply-To: <201704041652.32469.russell@coker.com.au>
References: <20170402064528.anw6vkdlmcd6ftwj@athena.coker.com.au>
<6949cff0-2ae0-0e95-0bfd-b2d6edab0ea1@ieee.org>
<201704041652.32469.russell@coker.com.au>
Message-ID: <71065d33-6158-49f9-923b-44eae092e97f@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 04/04/2017 02:52 AM, Russell Coker wrote:
> On Tue, 4 Apr 2017 09:22:24 AM Chris PeBenito via refpolicy wrote:
>>> @@ -2879,3 +2917,22 @@ interface(`init_reload_all_units',`
>>>
>>> allow $1 { init_script_file_type systemdunit }:service reload;
>>>
>>> ')
>>>
>>> +
>>> +########################################
>>> +##
>>> +## Allow getting service status of initrc_exec_t scripts
>>> +##
>>> +##
>>> +##
>>> +## Target domain
>>> +##
>>> +##
>>> +#
>>> +interface(`initrc_service_status',`
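Review bot: the new interface name `initrc_service_status` does not follow the naming of the surrounding interfaces in this file (the hunk header shows `init_reload_all_units`), which use the module's `init_` prefix in `init_<verb>_<object>` order; rename it along the lines of `init_get_script_status` so it sorts with the other `init_` interfaces. The doc block above it also has bare `##` lines where the summary and parameter markup would normally sit, so check that the `<summary>` and `<param>` tags are present in the actual patch file.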
>>
>> I think this was merged in the last patch but renamed
>> init_get_script_status().
>
> A grep of the source doesn't turn up a match for init_get_script_status.
Ok, then that's what the interface should be called :)
> ===================================================================
>>> --- refpolicy-2.20170329.orig/policy/modules/system/systemd.if
>>> +++ refpolicy-2.20170329/policy/modules/system/systemd.if
>>> @@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
>>>
>>> ######################################
>>> ##
>>>
>>> +## Write systemd_login named pipe.
>>> +##
>>> +##
>>> +##
>>> +## Domain allowed access.
>>> +##
>>> +##
>>> +#
>>> +interface(`systemd_login_write_pid_pipe',`
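Review bot: the interface name `systemd_login_write_pid_pipe` is inconsistent with the existing interface visible in the hunk header (`systemd_manage_logind_pid_pip...`), which uses `logind` and the `systemd_<verb>_<object>` order; rename it to `systemd_write_logind_pid_pipes` and change the summary from "Write systemd_login named pipe." to refer to logind as well, so the write and manage variants sit together and are named consistently.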
>>
>> systemd_write_logind_pid_pipes()
>
> OK.
>
>>> +#######################################
>>> +##
>>> +## Send generic signals to systemd_passwd_agent processes.
>>> +##
>>> +##
>>> +##
>>> +## Domain allowed access.
>>> +##
>>> +##
>>> +#
>>> +interface(`systemd_manage_passwd_run',`
>>> + gen_require(`
>>> + type systemd_passwd_agent_t;
>>> + type systemd_passwd_var_run_t;
>>> + ')
>>> +
>>> + manage_files_pattern($1, systemd_passwd_var_run_t,
>>> systemd_passwd_var_run_t) + manage_sock_files_pattern($1,
>>> systemd_passwd_var_run_t, systemd_passwd_var_run_t) +
>>> + allow systemd_passwd_agent_t $1:process signull;
>>> + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
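Review bot: the summary "Send generic signals to systemd_passwd_agent processes." does not describe what the body grants: `$1` receives manage access to files and sock files in `systemd_passwd_var_run_t`, and the `signull` and `unix_dgram_socket sendto` rules run the other way, with `systemd_passwd_agent_t` as the source and `$1` as the target. Either rewrite the summary to describe the full set of access (the agent's run directory plus the agent being allowed to signal and send to the caller) or split the run-directory management and the agent-side `signull`/`sendto` rules into separate interfaces. The two `manage_*_pattern` calls also appear line-wrapped in the mail with stray `+` markers, so verify the patch file itself has them on their own lines.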
>>
>> This looks like it should be 2-4 interfaces, but I'm not sure how many.
>
> It's all for a single purpose, using systemd to get a password. So far the
> only users of it are httpd_t (for getting passwords for locked SSL certificate
> files) and init_t (for a "strict" configuration).
>
> I don't think it makes sense to split it. A better name and description would
> make sense, do you have a suggestion for a new name?
That seems very peculiar, having that large an amount of file access in
addition to the unix socket use. But if that's the case, then I think
I'd go with something like systemd_use_passwd_agent() since that gets
the concept across and abstracts away any details about unix sockets and
file access.
--
Chris PeBenito