From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 16 Apr 2017 19:09:30 -0400 Subject: [refpolicy] [PATCH] systemd init In-Reply-To: <20170414155811.vtj6lbvb6yctmhjc@athena.coker.com.au> References: <20170414155811.vtj6lbvb6yctmhjc@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/14/2017 11:58 AM, Russell Coker via refpolicy wrote: > This patch lets mandb_t search init_var_run_t dirs which it needs when running > with systems. Also allows it to fs_getattr_xattr_fs() because it seemed > pointless to put that in a separate patch. > > Allow init_t to do several things that it requires when init is systemd. > > Allow various operations on var_log_t to access var_log_t symlinks too. > > Let auditd setattr it's directory. This is merged except for the duplicate rules noted by the others.
> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)
>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')
> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
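Review bot: In the init.te hunk at -155, `logging_create_devlog_dev(init_t)` is added unindented next to `dev_read_sysfs(init_t)`, so it appears to apply to init_t under every init system, while the patch description ties the init_t changes to systemd. The interface lets init_t manage devlog_t socket files and adds file transitions for them, which a non-systemd init would not need, so the call looks like it belongs inside the init_systemd ifdef block that the -316 hunk touches. It also sits between the dev_ calls and the `# Early devtmpfs` comment, which splits that group. The surrounding section starts and ends outside the hunk, so the placement should be confirmed against the full file.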
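Review bot: In the init.te hunk at -830, the new `allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };` carries no comment saying why init needs it, and nlmsg_relay is the permission that lets a domain submit its own records to the audit log. Because those records are relied on during investigations, a one-line justification above the rule would help later reviewers keep the grant narrow, for example `# systemd writes unit start/stop records to the audit log` (my reading of the reason; confirm with the author). The ifdef block this rule sits in starts and ends outside the hunk.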
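Review bot: The line `allow $1 var_log_t:lnk_file read_lnk_file_perms;` added to logging_log_filetrans widens every existing caller of the interface, and the interface's doc comment (outside the hunk) is not updated to mention it. The same line is added the same way to logging_search_logs, logging_list_logs, logging_rw_generic_log_dirs, logging_append_all_logs, logging_write_generic_logs and logging_rw_generic_logs in the later hunks. In logging_log_filetrans the grant is unrelated to a type transition, so a domain that asked only for a transition now also reads var_log_t symlinks. Symlinks in log directories are a known way to redirect privileged writers, so each summary should state that var_log_t symlinks may be read, or the rule should live in one dedicated interface that callers invoke explicitly.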
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ##
> +## Connect to the syslog control unix stream socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +##
> ## Read the auditd configuration files.
> ##
> ##
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
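Review bot: The summary of the new logging_create_devlog_dev interface (hunk at -647), `## Connect to the syslog control unix stream socket.`, does not describe what the body grants. The body allows `manage_sock_file_perms` on devlog_t socket files and adds file transitions to devlog_t through dev_filetrans and, for the name "syslog", through init_pid_filetrans. A summary such as `## Create and manage the syslog socket file, with file transitions in /dev and the init runtime directory.` would match the body. The name says create while the rule grants the full manage set, so a narrower permission set would fit least privilege if callers only create and remove the socket; the hunk does not show which permissions init actually exercises.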
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;
> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
> _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito