From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=)
Date: Fri, 14 Apr 2017 19:38:06 +0200
Subject: [refpolicy] [PATCH] more systemd stuff
In-Reply-To: <20170414154120.4eefcnfen2do2tsx@athena.coker.com.au>
References: <20170414154120.4eefcnfen2do2tsx@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
2017-04-14 17:41 GMT+02:00 Russell Coker via refpolicy :
> This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
> I'll add another patch to use shortly.
>
> It has a number of changes needed by systemd_logind_t to set permissions for
> local logins.
>
> It has some more permissions that systemd_machined_t needs, I don't think it's
> everything that systemd_machined_t needs but it's a start.
>
> It has some changes for udev_t for systemd-udevd.
>
> Index: refpolicy-2.20170410/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170410/policy/modules/system/systemd.if
> @@ -467,3 +467,21 @@ interface(`systemd_tmpfilesd_managed',`
>
> allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
> ')
> +
> +######################################
> +##
> +## Allow to domain to create systemd-passwd symlink
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`systemd_manage_lnk_file_passwd_run',`
> + gen_require(`
> + type systemd_passwd_var_run_t;
> + ')
> +
> + allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
> +')
> Index: refpolicy-2.20170410/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170410/policy/modules/system/systemd.te
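Review bot: The summary on the new interface, `+## Allow to domain to create systemd-passwd symlink`, describes only creation, but the body grants `manage_lnk_file_perms`, which also covers reading, renaming and unlinking those symlinks, so the documentation understates the grant (and "Allow to domain" is a typo). Suggest `## Create, read, write, and delete symbolic links in the systemd-passwd runtime directory.` so the reviewer of a caller knows what is being handed out. The interface also grants nothing on the /run directory itself, so a caller that does not already have `files_search_pids()` cannot reach the links; either add `files_search_pids($1)` above the allow rule, as similar runtime-directory interfaces in refpolicy do, or say in the summary that the caller must have it. Name-wise, the refpolicy pattern puts the object last (something like `systemd_manage_passwd_run_symlinks`), though that is convention rather than a defect.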
> @@ -342,20 +342,25 @@ allow systemd_logind_t systemd_sessions_
> kernel_read_kernel_sysctls(systemd_logind_t)
>
> dev_getattr_dri_dev(systemd_logind_t)
> +dev_getattr_generic_usb_dev(systemd_logind_t)
> dev_getattr_kvm_dev(systemd_logind_t)
> dev_getattr_sound_dev(systemd_logind_t)
> +dev_getattr_video_dev(systemd_logind_t)
> dev_manage_wireless(systemd_logind_t)
> dev_read_urand(systemd_logind_t)
> dev_rw_dri(systemd_logind_t)
> dev_rw_input_dev(systemd_logind_t)
> dev_rw_sysfs(systemd_logind_t)
> dev_setattr_dri_dev(systemd_logind_t)
> +dev_setattr_generic_usb_dev(systemd_logind_t)
> dev_setattr_kvm_dev(systemd_logind_t)
> dev_setattr_sound_dev(systemd_logind_t)
> +dev_setattr_video_dev(systemd_logind_t)
>
> domain_obj_id_change_exemption(systemd_logind_t)
>
> files_read_etc_files(systemd_logind_t)
> +files_dontaudit_getattr_tmpfs_file(systemd_logind_t)
do we want to dontaudit this? i think it is related to https://www.freedesktop.org/software/systemd/man/logind.conf.html#RemoveIPC=
> files_search_pids(systemd_logind_t)
>
> fs_getattr_cgroup(systemd_logind_t)
> @@ -448,7 +453,7 @@ optional_policy(`
> # machined local policy
> #
>
> -allow systemd_machined_t self:capability sys_ptrace;
> +allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
> allow systemd_machined_t self:process setfscreate;
> allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
>
> @@ -462,6 +467,7 @@ files_read_etc_files(systemd_machined_t)
>
> fs_getattr_cgroup(systemd_machined_t)
> fs_getattr_tmpfs(systemd_machined_t)
> +fs_read_nsfs_files(systemd_machined_t)
>
> selinux_getattr_fs(systemd_machined_t)
>
> Index: refpolicy-2.20170410/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170410/policy/modules/system/udev.te
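Review bot: The new `dev_setattr_generic_usb_dev(systemd_logind_t)` and `dev_setattr_video_dev(systemd_logind_t)` lines hand logind write access to the attributes of every generic USB and video device node, and nothing in the hunk records why; the commit message only says "set permissions for local logins". If, as seems likely, these are for the ACLs logind applies to seat devices on session switch (the uaccess tag), a one-line comment above the dev_* group such as `# uaccess: logind sets ACLs on seat devices for the active session` would make the setattr grants reviewable without chasing the denial log. The getattr/setattr pairing itself is consistent with the existing dri/kvm/sound lines.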
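Review bot: The widened capability line `allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };` carries no comment saying which machined operation needs setgid and sys_chroot, and those two are exactly the ones a reader will question, since sys_chroot lets the daemon pivot into a container's root. Presumably they come from machinectl shell/copy-to entering a container's namespaces, but that is an inference from the capability names rather than anything visible here. Suggest a comment on the line, e.g. `# setgid/sys_chroot: entering container roots for machinectl shell/copy-to (confirm against the denial)`, so the grant is not silently widened further later. The machined local policy block continues outside the hunk.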
> @@ -15,6 +15,8 @@ domain_interactive_fd(udev_t)
> init_daemon_domain(udev_t, udev_exec_t)
> init_named_socket_activation(udev_t, udev_var_run_t)
>
> +init_domtrans_script(udev_t)
> +
> type udev_etc_t alias etc_udev_t;
> files_config_file(udev_etc_t)
>
> @@ -27,6 +29,7 @@ files_type(udev_rules_t)
> type udev_var_run_t;
> files_pid_file(udev_var_run_t)
> init_daemon_pid_file(udev_var_run_t, dir, "udev")
> +files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")
>
> ifdef(`enable_mcs',`
> kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
> @@ -57,6 +60,9 @@ allow udev_t self:netlink_kobject_uevent
> allow udev_t self:netlink_generic_socket create_socket_perms;
> allow udev_t self:rawip_socket create_socket_perms;
>
> +# for systemd-udevd to rename interfaces
> +allow udev_t self:netlink_route_socket nlmsg_write;
> +
> allow udev_t udev_exec_t:file write;
> can_exec(udev_t, udev_exec_t)
>
> @@ -128,6 +134,7 @@ fs_getattr_all_fs(udev_t)
> fs_list_inotifyfs(udev_t)
> fs_read_cgroup_files(udev_t)
> fs_rw_anon_inodefs_files(udev_t)
> +fs_search_tracefs_dirs(udev_t)
>
> mcs_ptrace_all(udev_t)
>
> @@ -183,10 +190,14 @@ sysnet_delete_dhcpc_pid(udev_t)
> sysnet_signal_dhcpc(udev_t)
> sysnet_manage_config(udev_t)
> sysnet_etc_filetrans_config(udev_t)
> +sysnet_var_run_dirtrans_config(udev_t, "network")
>
> userdom_dontaudit_search_user_home_content(udev_t)
>
> ifdef(`distro_debian',`
> + # for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
> + files_read_default_files(udev_t)
> +
> files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
>
> optional_policy(`
> @@ -202,6 +213,11 @@ ifdef(`distro_debian',`
> ')
> ')
>
> +optional_policy(`
> + # for systemd-udevd when starting xen domu
> + virt_read_config(udev_t)
> +')
> +
> ifdef(`distro_gentoo',`
> # during boot, init scripts use /dev/.rcsysinit
> # existence to determine if we are in early booting
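Review bot: `init_domtrans_script(udev_t)` lets any program a udev rule runs via RUN+= transition the device-event handler into initrc_t, one of the broadest domains in the policy, and nothing in the hunk records which rule needs it. The other distro-specific udev grants in this patch sit under `ifdef(`distro_debian',`, and unless an upstream udev rule is known to invoke an init script, this one belongs there too, with a comment such as `# Debian udev rules invoke init scripts via RUN+= (name the rule from the denial)` so other distributions do not inherit the transition. Placing it in the type-declaration section, between `init_named_socket_activation` and `type udev_etc_t`, is also at odds with refpolicy's layout, where domain transitions go in the local policy section.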
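Review bot: The name transition `files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")` is, as far as I know, for the /run/console-setup directory created by the Debian/Ubuntu console-setup udev hook, yet the comparable `"xen-hotplug"` transition further down this file is kept under `ifdef(`distro_debian',`; either both belong there, or a comment should say why console-setup is expected everywhere. Its position in the declaration block right after `init_daemon_pid_file` is also unusual for refpolicy, where filetrans rules live in the local policy section alongside the other `files_pid_filetrans` calls.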
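Review bot: The new rule grants only `nlmsg_write` on `netlink_route_socket`, which is not sufficient on its own: the socket must also be created and read, so the rename only works if a `create_socket_perms`/`nlmsg_read` rule for udev_t already exists outside the hunk, which is worth confirming rather than assuming. If it does not, the complete form is `allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };`. The comment is welcome; it could be more specific about the mechanism, e.g. `# net_setup_link builtin renames interfaces over rtnetlink (persistent names)`, if that is indeed where the denial comes from.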
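Review bot: `fs_search_tracefs_dirs(udev_t)` gives udev traversal of the tracing filesystem without any comment on what it looks for there, and udev has no obvious business in tracefs; this reads like noise from a coldplug walk of /sys/kernel descending into the tracefs mount. If that is the origin, the refpolicy convention is a dontaudit rather than an allow, so the right fix may be a `fs_dontaudit_search_tracefs_dirs` counterpart instead of this grant. If udev genuinely needs the search, a comment naming the rule or builtin, e.g. `# udev descends into the tracefs mount under /sys/kernel during coldplug`, would keep this from being widened later.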
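Review bot: The comment `# for systemd-udevd when starting xen domu` does not say which program running as udev_t reads the libvirt configuration that `virt_read_config(udev_t)` unlocks; given the `"xen-hotplug"` filetrans kept under `ifdef(`distro_debian',` just above, this is presumably the Xen hotplug scripts, which is an inference a comment should pin down. If so, the rule belongs next to the existing xen `optional_policy(` block later in the file rather than as a free-standing block here, and the comment should name the script, e.g. `# xen hotplug scripts (run in udev_t) read /etc/libvirt when a domU starts`.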
> @@ -344,6 +360,7 @@ optional_policy(`
> kernel_read_xen_state(udev_t)
> xen_manage_log(udev_t)
> xen_read_image_files(udev_t)
> + fs_manage_xenfs_files(udev_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170410/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170410/policy/modules/kernel/files.if
> @@ -433,6 +433,24 @@ interface(`files_tmpfs_file',`
>
> ########################################
> ##
> +## Do not audit getattr of /dev/shm files
> +##
> +##
> +##
> +## Domain to not audit
> +##
> +##
> +#
> +interface(`files_dontaudit_getattr_tmpfs_file',`
> + gen_require(`
> + attribute tmpfsfile;
> + ')
> +
> + dontaudit $1 tmpfsfile:file getattr;
> +')
> +
> +########################################
> +##
> ## Get the attributes of all directories.
> ##
> ##
> Index: refpolicy-2.20170410/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170410/policy/modules/kernel/filesystem.if
> @@ -4695,6 +4713,24 @@ interface(`fs_getattr_tracefs',`
> ')
>
> ########################################
> +##
> +## search directories on a tracefs filesystem
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_search_tracefs_dirs',`
> + gen_require(`
> + type tracefs_t;
> + ')
> +
> + allow $1 tracefs_t:dir search;
> +')
> +
> +########################################
> ##
> ## Get the attributes of files
> ## on a trace filesystem.
> Index: refpolicy-2.20170410/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20170410/policy/modules/system/sysnetwork.if
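Review bot: `fs_manage_xenfs_files(udev_t)` grants create, unlink and rename on xenfs (/proc/xen) in addition to read and write, whereas a hotplug script talking to xenstore normally only needs to open and read/write the existing xenbus node; if this tree has a `fs_rw_xenfs_files` interface that covers the denial, it is the tighter grant and should be preferred (I cannot see filesystem.if's xenfs set from here, so confirm). Independently, refpolicy orders kernel-layer calls before module-layer ones inside a block, so the line should follow `kernel_read_xen_state(udev_t)` rather than `xen_read_image_files(udev_t)`. The enclosing `optional_policy(` block starts outside the hunk.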
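Review bot: The summary `+## Do not audit getattr of /dev/shm files` undersells the rule beneath it: `tmpfsfile` is the attribute carried by every type declared through `files_tmpfs_file()`, so `dontaudit $1 tmpfsfile:file getattr;` silences getattr on all tmpfs-labelled file types, including the per-domain `*_tmpfs_t` types, not only /dev/shm. Suggest `## Do not audit attempts to get the attributes of all tmpfs files.` so a caller knows how wide the silence is, and the plural `files_dontaudit_getattr_tmpfs_files` to match the other dontaudit interfaces in this file.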
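Review bot: The rule `allow $1 tracefs_t:dir search;` grants bare `search`, whereas the other `fs_search_*_dirs` interfaces in this file use `search_dir_perms` (which adds getattr and open), so a caller that stats or opens a tracefs directory on the way down will still be denied; `allow $1 tracefs_t:dir search_dir_perms;` is the consistent form. The summary `search directories on a tracefs filesystem` is also lowercase and unpunctuated next to its neighbour "Get the attributes of files on a trace filesystem."; `## Search directories on a tracefs filesystem.` matches the house style.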
> @@ -461,6 +461,31 @@ interface(`sysnet_etc_filetrans_config',
>
> #######################################
> ##
> +## Create directories in /var/run with the type used for
> +## the network config files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## The name of the object being created.
> +##
> +##
> +#
> +interface(`sysnet_var_run_dirtrans_config',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_pid_filetrans($1, net_conf_t, dir, $2)
> + allow $1 net_conf_t:dir create_dir_perms;
> +')
> +
> +#######################################
> +##
> ## Create, read, write, and delete network config files.
> ##
> ##
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
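Review bot: The line `allow $1 net_conf_t:dir create_dir_perms;` is not scoped to the /run/<name> entry the transition names: since a new directory inherits its parent's type, it also lets the caller create subdirectories under any existing net_conf_t directory it can already write to. `create_dir_perms` is only getattr and create, so the exposure is small, but the summary should say what the interface actually hands out, e.g. `## Create a named directory in /run labelled as network configuration; also permits creating directories of that type elsewhere the caller can write.` The `<param name="name">` text would help by saying it is a directory name, e.g. `## The name of the directory being created.`, and since this tree already uses `files_pid_filetrans` for the mechanism, a name like `sysnet_pid_filetrans_config` would be easier to find than the new "dirtrans" spelling, though that is a matter of convention.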