From: russell@coker.com.au (Russell Coker)
Date: Sat, 15 Apr 2017 01:41:20 +1000
Subject: [refpolicy] [PATCH] more systemd stuff
Message-ID: <20170414154120.4eefcnfen2do2tsx@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch adds an interface to manage systemd_passwd_var_run_t symlinks; a
follow-up patch that uses it will be sent shortly.
It has a number of changes needed by systemd_logind_t to set permissions for
local logins.
It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.
It has some changes for udev_t for systemd-udevd.
Index: refpolicy-2.20170410/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170410/policy/modules/system/systemd.if
@@ -467,3 +467,21 @@ interface(`systemd_tmpfilesd_managed',`
allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
+
+######################################
+##
+## Allow to domain to create systemd-passwd symlink
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_manage_lnk_file_passwd_run',`
+ gen_require(`
+ type systemd_passwd_var_run_t;
+ ')
+
+ allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
+')
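Review bot: The summary on the new interface says the domain may only create the symlink, but the allow rule grants `manage_lnk_file_perms`, which also covers reading, rewriting, renaming and deleting it; either narrow the rule or describe the wider access, e.g. `## Create, read, write, and delete systemd-passwd symlinks in /run.` The name `systemd_manage_lnk_file_passwd_run` also departs from the `<module>_manage_<object>_symlinks` pattern used elsewhere in refpolicy (compare `files_manage_etc_symlinks`), so `systemd_manage_passwd_run_symlinks` would read consistently and be easier to grep for. The summary line also has a typo: "Allow to domain to create" should be "Allow domain to create".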
Index: refpolicy-2.20170410/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170410/policy/modules/system/systemd.te
@@ -342,20 +342,25 @@ allow systemd_logind_t systemd_sessions_
kernel_read_kernel_sysctls(systemd_logind_t)
dev_getattr_dri_dev(systemd_logind_t)
+dev_getattr_generic_usb_dev(systemd_logind_t)
dev_getattr_kvm_dev(systemd_logind_t)
dev_getattr_sound_dev(systemd_logind_t)
+dev_getattr_video_dev(systemd_logind_t)
dev_manage_wireless(systemd_logind_t)
dev_read_urand(systemd_logind_t)
dev_rw_dri(systemd_logind_t)
dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
domain_obj_id_change_exemption(systemd_logind_t)
files_read_etc_files(systemd_logind_t)
+files_dontaudit_getattr_tmpfs_file(systemd_logind_t)
files_search_pids(systemd_logind_t)
fs_getattr_cgroup(systemd_logind_t)
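Review bot: `files_dontaudit_getattr_tmpfs_file(systemd_logind_t)` is inserted after `files_read_etc_files` although calls sharing a module prefix are kept in alphabetical order in this file, so it belongs on the line above `files_read_etc_files`. The rule also silences getattr on everything carrying the `tmpfsfile` attribute rather than one path, so a short comment naming the access that produces the noise (presumably a logind probe of a tmpfs-backed file) would let a later reader judge whether the dontaudit is still needed. The usb and video dev additions follow the pattern already used for dri, kvm and sound and need nothing further.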
@@ -448,7 +453,7 @@ optional_policy(`
# machined local policy
#
-allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
allow systemd_machined_t self:process setfscreate;
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
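Review bot: The capability set for systemd_machined_t gains `setgid` and `sys_chroot` without a comment saying which machined operation needs them, and the same applies to `fs_read_nsfs_files(systemd_machined_t)` in the following hunk. Both look plausible for entering a container's namespaces, but the patch description only says the machined changes are "a start", so a reader cannot tell which denials motivated them or whether they were observed together. A one-line comment above each, e.g. `# setgid/sys_chroot: needed for <machined operation, TODO fill in>`, in the style of the `# for systemd-udevd to rename interfaces` comment this same patch adds to udev.te, would record that.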
@@ -462,6 +467,7 @@ files_read_etc_files(systemd_machined_t)
fs_getattr_cgroup(systemd_machined_t)
fs_getattr_tmpfs(systemd_machined_t)
+fs_read_nsfs_files(systemd_machined_t)
selinux_getattr_fs(systemd_machined_t)
Index: refpolicy-2.20170410/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170410/policy/modules/system/udev.te
@@ -15,6 +15,8 @@ domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
init_named_socket_activation(udev_t, udev_var_run_t)
+init_domtrans_script(udev_t)
+
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
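Review bot: `init_domtrans_script(udev_t)` lets udev_t transition into the init script domain when it executes init scripts, a new execution path for the udev daemon, yet the line carries no comment on which udev rule or helper needs it, unlike the `# for systemd-udevd to rename interfaces` comment added later in this file. It also sits in the declarations block between `init_named_socket_activation` and the `udev_etc_t` type declaration rather than in the local-policy section with the other interface calls. Suggest moving it below the declarations with a comment such as `# systemd-udevd runs init scripts from <rule, TODO name it>`.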
@@ -27,6 +29,7 @@ files_type(udev_rules_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
init_daemon_pid_file(udev_var_run_t, dir, "udev")
+files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
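Review bot: `files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")` is placed in the declarations block directly after `init_daemon_pid_file`, whereas the equivalent rule for `"xen-hotplug"` later in this file lives in the local-policy section inside the distro_debian ifdef. If `/run/console-setup` is created only by Debian's console-setup udev hook, which seems likely but is not stated, the new line belongs next to the xen-hotplug one; otherwise it should still move below the declarations, with a comment naming the udev rule that creates the directory.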
@@ -57,6 +60,9 @@ allow udev_t self:netlink_kobject_uevent
allow udev_t self:netlink_generic_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
+# for systemd-udevd to rename interfaces
+allow udev_t self:netlink_route_socket nlmsg_write;
+
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
@@ -128,6 +134,7 @@ fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
fs_read_cgroup_files(udev_t)
fs_rw_anon_inodefs_files(udev_t)
+fs_search_tracefs_dirs(udev_t)
mcs_ptrace_all(udev_t)
@@ -183,10 +190,14 @@ sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
+sysnet_var_run_dirtrans_config(udev_t, "network")
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_debian',`
+ # for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
+ files_read_default_files(udev_t)
+
files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
optional_policy(`
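Review bot: `sysnet_var_run_dirtrans_config(udev_t, "network")` has no comment explaining which udev hook creates `/run/network`; if that directory comes from Debian's ifupdown hooks, as seems likely, the call belongs inside the distro_debian block a few lines down, next to `files_read_default_files`, and otherwise a comment should name the creator, e.g. `# /run/network is created by <hook, TODO name it>`. The `files_read_default_files(udev_t)` addition is fine as written since it cites the Debian bug.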
@@ -202,6 +213,11 @@ ifdef(`distro_debian',`
')
')
+optional_policy(`
+ # for systemd-udevd when starting xen domu
+ virt_read_config(udev_t)
+')
+
ifdef(`distro_gentoo',`
# during boot, init scripts use /dev/.rcsysinit
# existence to determine if we are in early booting
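Review bot: The new `optional_policy` block holding `virt_read_config(udev_t)` is inserted between the distro_debian and distro_gentoo ifdefs, whereas the other `optional_policy` blocks in this file appear to be grouped at the end of the local policy and ordered by module name (the xen block in a later hunk is one of them). Moving it into that group keeps the file consistent; the `# for systemd-udevd when starting xen domu` comment is useful and should move with it.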
@@ -344,6 +360,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
+ fs_manage_xenfs_files(udev_t)
')
optional_policy(`
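Review bot: `fs_manage_xenfs_files(udev_t)` is appended after `xen_read_image_files`, breaking the alphabetical order kept in that block (`fs_` sorts before `kernel_read_xen_state`), so it should be the first call in the block. "manage" also grants create, write and delete on xenfs files; if the denial that prompted it only shows read or write of existing entries, a narrower read/rw-level xenfs interface would be preferable, so it is worth checking the audit record before merging.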
Index: refpolicy-2.20170410/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170410/policy/modules/kernel/files.if
@@ -433,6 +433,24 @@ interface(`files_tmpfs_file',`
########################################
##
+## Do not audit getattr of /dev/shm files
+##
+##
+##
+## Domain to not audit
+##
+##
+#
+interface(`files_dontaudit_getattr_tmpfs_file',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ dontaudit $1 tmpfsfile:file getattr;
+')
+
+########################################
+##
## Get the attributes of all directories.
##
##
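Review bot: The summary on `files_dontaudit_getattr_tmpfs_file` says "/dev/shm files", but the rule is written against the `tmpfsfile` attribute, which covers every type declared through `files_tmpfs_file`, not one mount point; the summary should say `## Do not audit attempts to get the attributes of tmpfs files.` The name also uses singular `file`, while refpolicy interface names use the plural for the object class (compare the "Get the attributes of all directories" interface that follows), so `files_dontaudit_getattr_tmpfs_files` would match the convention callers grep for.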
Index: refpolicy-2.20170410/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170410/policy/modules/kernel/filesystem.if
@@ -4695,6 +4713,24 @@ interface(`fs_getattr_tracefs',`
')
########################################
+##
+## search directories on a tracefs filesystem
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_search_tracefs_dirs',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ allow $1 tracefs_t:dir search;
+')
+
+########################################
##
## Get the attributes of files
## on a trace filesystem.
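Review bot: The summary `## search directories on a tracefs filesystem` starts lowercase and lacks a period, unlike `## Get the attributes of files on a trace filesystem.` immediately below; `## Search directories on a tracefs filesystem.` matches the file. The rule itself grants only `search`, while refpolicy's search interfaces normally use `search_dir_perms` so the caller also gets getattr and open on the directory; consider `allow $1 tracefs_t:dir search_dir_perms;`.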
Index: refpolicy-2.20170410/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170410/policy/modules/system/sysnetwork.if
@@ -461,6 +461,31 @@ interface(`sysnet_etc_filetrans_config',
#######################################
##
+## Create directories in /var/run with the type used for
+## the network config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`sysnet_var_run_dirtrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_pid_filetrans($1, net_conf_t, dir, $2)
+ allow $1 net_conf_t:dir create_dir_perms;
+')
+
+#######################################
+##
## Create, read, write, and delete network config files.
##
##
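Review bot: The new interface is named `sysnet_var_run_dirtrans_config`, while its sibling named in the hunk header is `sysnet_etc_filetrans_config`; the `filetrans` spelling is what refpolicy uses even when the class is `dir`, so `sysnet_pid_filetrans_config` would keep the pair consistent. The second `allow` grants `create_dir_perms` on every `net_conf_t` directory, not only the one created by the transition, so the summary should say so, e.g. `## Create directories in /var/run with the type used for the network config files, and create net_conf_t directories generally.`, or the grant should be narrowed if the caller only needs the named directory.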