From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 14 Apr 2017 18:13:10 +0200
Subject: [refpolicy] [PATCH] systemd init
In-Reply-To: <20170414155811.vtj6lbvb6yctmhjc@athena.coker.com.au>
References: <20170414155811.vtj6lbvb6yctmhjc@athena.coker.com.au>
Message-ID: <20170414161310.GC7980@markus>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Sat, Apr 15, 2017 at 01:58:11AM +1000, Russell Coker via refpolicy wrote:
> This patch lets mandb_t search init_var_run_t dirs, which it needs when running
> with systemd. It also allows fs_getattr_xattr_fs() for mandb_t, because it seemed
> pointless to put that in a separate patch.
>
> Allow init_t to do several things that it requires when init is systemd.
>
> Allow the various var_log_t interfaces to follow var_log_t symlinks too.
>
> Let auditd setattr its log directory.
>
> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)
>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')
> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
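Review bot: The new `wake_alarm` grant on initrc_t is not justified anywhere: the description only talks about init_t needing things under systemd, yet this rule is on initrc_t and outside any `ifdef(`init_systemd',` guard, so every sysvinit init script domain gets it as well. wake_alarm is the capability that lets a process arm CLOCK_REALTIME_ALARM/CLOCK_BOOTTIME_ALARM timers, i.e. wake a suspended machine, so the denial that prompted it should be named, either in the description or as a trailing comment on the line, e.g. `allow initrc_t self:capability2 { wake_alarm block_suspend }; # wake_alarm: <script/unit that arms alarm timers>`. If only the systemd case needs it, the conditional block later in the file is the better home. The initrc_t self rules continue outside the hunk.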
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
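Review bot: `nlmsg_relay` on the audit netlink socket is what lets a process emit userspace audit records, and the kernel additionally requires CAP_AUDIT_WRITE for that, so init_t also needs `audit_write` in its self:capability set unless init.te already grants it somewhere not visible in this hunk. refpolicy keeps that pairing in the logging module's send-audit-messages interface (logging_send_audit_msgs, if I remember the name correctly); calling it instead of spelling out the raw `netlink_audit_socket` rule keeps both halves together and matches how other domains in the tree get audit write access. The `ifdef(`init_systemd',` block this line lives in starts and ends outside the hunk.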
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
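Review bot: `logging_log_filetrans` is a create-time (type transition) interface, so adding `allow $1 var_log_t:lnk_file read_lnk_file_perms;` here widens it beyond its documented purpose: callers that only need the transition now also get to follow symlinks in /var/log. If the intent is to let the caller resolve a symlinked log directory before creating in it, the refpolicy idiom is `read_lnk_files_pattern($1, var_log_t, var_log_t)` (the sibling of the manage_lnk_files_pattern already used in logging.te), and the interface summary should say that var_log_t symlinks are followed. The interface header and summary lie above the hunk.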
>
> ########################################
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ##
> +## Connect to the syslog control unix stream socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +##
> ## Read the auditd configuration files.
> ##
> ##
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
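Review bot: Granting `var_log_t:lnk_file read_lnk_file_perms` in `logging_append_all_logs` lets every caller of this already broad interface (append on the whole `logfile` attribute) follow symlinks placed in /var/log. SELinux still checks the link target's label against the caller, so no new type becomes writable, but any domain that can create var_log_t symlinks can now steer which existing log a privileged appender writes to; that is tolerable for log-rotation style workflows but should be stated in the interface summary, e.g. `## var_log_t symlinks are followed; the target is still subject to the caller's own permissions.` The same line is repeated in six other interfaces in this patch; the conventional form for each would be `read_lnk_files_pattern($1, var_log_t, var_log_t)`. The interface header and summary lie above the hunk.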
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;
Looks like a duplicate to me.
> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
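Review bot: The hunk header `@@ -154,6 +155,7 @@` is the only hunk for logging.te in this patch, yet the new side already starts one line later than the old side, which means the diff was generated against a tree carrying an extra line earlier in logging.te; it may not apply cleanly to refpolicy-2.20170410 and should be regenerated from a clean checkout. The context line `allow auditd_t auditd_log_t:dir setattr;` that precedes the added rule is plausibly the product of that same local change, which would also explain why the addition appears redundant. The auditd_t rule run continues on both sides of the hunk.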