From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 19 Apr 2017 13:51:14 +0200
Subject: [refpolicy] [PATCH] second strict patch
In-Reply-To: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au>
References: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au>
Message-ID: <1B3399CF-E91A-47A3-8C02-80FCAD532262@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello. 

I believe it is very important to move *all* permission required by systemd within the appropriate ifdef block (init_systemd).

Not everybody is using systemd and many people believe it is, amongst other things, a waste of resources and SELinux permissions. 

Thanks, 

Guido 

On the 19th of April 2017 13:00:59 CEST, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:
>This is the rest of my policy that was developed on "strict" systems. 
>It also
>has no inter-dependencies with other patches.  I included the interface
>xdm_sigchld() in this patch as well so it can be applied on it's own,
>this
>means that it conflicts with the login patch.
>
>Chris, maybe even if you don't apply this patch or the login patch in
>the
>near future you could add the xdm_sigchld() interface so that both
>patches
>can be complete and working and not conflict.
>
>Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/gnome.if
>+++ refpolicy-2.20170419/policy/modules/contrib/gnome.if
>@@ -76,6 +76,8 @@ template(`gnome_role_template',`
> 
>	allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms
>relabel_dir_perms };
>	allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms
>relabel_file_perms };
>+	allow $3 gconfd_t:dbus send_msg;
>+	allow gconfd_t $3:dbus send_msg;
> 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
> 	userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
> 
>Index: refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/corecommands.fc
>+++ refpolicy-2.20170419/policy/modules/kernel/corecommands.fc
>@@ -324,6 +324,7 @@ ifdef(`distro_debian',`
> /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gdm3/.*		--	gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/udisks/.*		--	gen_context(system_u:object_r:bin_t,s0)
>+/usr/share/bug/.*		--	gen_context(system_u:object_r:bin_t,s0)
> ')
> 
> ifdef(`distro_gentoo', `
>Index: refpolicy-2.20170419/policy/modules/kernel/devices.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/devices.if
>+++ refpolicy-2.20170419/policy/modules/kernel/devices.if
>@@ -5249,3 +5249,22 @@ interface(`dev_unconfined',`
> 
> 	typeattribute $1 devices_unconfined_type;
> ')
>+
>+########################################
>+## <summary>
>+##      Create subdir of /dev
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`dev_create_subdir',`
>+	gen_require(`
>+		type device_t;
>+	')
>+
>+	allow $1 device_t:dir { add_entry_dir_perms create };
>+	allow $1 device_t:dir search_dir_perms;
>+')
>Index: refpolicy-2.20170419/policy/modules/kernel/files.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/files.if
>+++ refpolicy-2.20170419/policy/modules/kernel/files.if
>@@ -3379,6 +3379,26 @@ interface(`files_manage_etc_runtime_file
> 
> ########################################
> ## <summary>
>+##	Relabel files and dirs to etc_runtime_t
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`files_relabelto_etc_runtime',`
>+	gen_require(`
>+		type etc_runtime_t;
>+	')
>+
>+	allow $1 etc_runtime_t:file relabelto;
>+	allow $1 etc_runtime_t:dir relabelto;
>+')
>+
>+########################################
>+## <summary>
> ##	Create, etc runtime objects with an automatic
> ##	type transition.
> ## </summary>
>@@ -6410,6 +6430,24 @@ interface(`files_setattr_pid_dirs',`
> ')
> 
> ########################################
>+## <summary>
>+##	Create a /var/run directory.
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+#
>+interface(`files_create_pid_dir',`
>+	gen_require(`
>+		type var_run_t;
>+	')
>+
>+	allow $1 var_run_t:dir create_dir_perms;
>+')
>+
>+########################################
> ## <summary>
> ##	Search the contents of runtime process
> ##	ID directories (/var/run).
>Index: refpolicy-2.20170419/policy/modules/kernel/filesystem.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/kernel/filesystem.if
>+++ refpolicy-2.20170419/policy/modules/kernel/filesystem.if
>@@ -769,6 +769,42 @@ interface(`fs_manage_cgroup_dirs',`
> 
> ########################################
> ## <summary>
>+##     Relabel pstore directories.
>+## </summary>
>+## <param name="domain">
>+##     <summary>
>+##     Domain allowed access.
>+##     </summary>
>+## </param>
>+#
>+interface(`fs_relabel_pstore_dirs',`
>+	gen_require(`
>+		type pstore_t;
>+	')
>+
>+	relabel_dirs_pattern($1, pstore_t, pstore_t)
>+')
>+
>+########################################
>+## <summary>
>+##      Get the attributes of a pstore filesystem.
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain allowed access.
>+##      </summary>
>+## </param>
>+#
>+interface(`ZZZfs_getattr_pstorefs',`
>+	gen_require(`
>+		type pstore_t;
>+	')
>+
>+allow $1 pstore_t:filesystem getattr;
>+')
>+
>+########################################
>+## <summary>
> ##	Relabel cgroup directories.
> ## </summary>
> ## <param name="domain">
>@@ -828,6 +864,26 @@ interface(`fs_read_cgroup_files',`
> 
> ########################################
> ## <summary>
>+##     Create cgroup lnk_files.
>+## </summary>
>+## <param name="domain">
>+##     <summary>
>+##     Domain allowed access.
>+##     </summary>
>+## </param>
>+#
>+interface(`fs_create_cgroup_links',`
>+	gen_require(`
>+		type cgroup_t;
>+	')
>+
>+	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
>+	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
>+	dev_search_sysfs($1)
>+')
>+
>+########################################
>+## <summary>
> ##	Write cgroup files.
> ## </summary>
> ## <param name="domain">
>@@ -858,7 +914,6 @@ interface(`fs_write_cgroup_files', `
> interface(`fs_rw_cgroup_files',`
> 	gen_require(`
> 		type cgroup_t;
>-
> 	')
> 
> 	rw_files_pattern($1, cgroup_t, cgroup_t)
>@@ -4505,6 +4560,24 @@ interface(`fs_read_tmpfs_symlinks',`
> ')
> 
> ########################################
>+## <summary>
>+##	Relabelfrom tmpfs link files.
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+#
>+interface(`fs_relabelfrom_tmpfs_symlinks',`
>+	gen_require(`
>+		type tmpfs_t;
>+	')
>+
>+	allow $1 tmpfs_t:lnk_file { getattr relabelfrom };
>+')
>+
>+########################################
> ## <summary>
> ##	Read and write character nodes on tmpfs filesystems.
> ## </summary>
>Index: refpolicy-2.20170419/policy/modules/services/ssh.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/services/ssh.if
>+++ refpolicy-2.20170419/policy/modules/services/ssh.if
>@@ -353,6 +353,8 @@ template(`ssh_role_template',`
> 	allow $1_ssh_agent_t self:process { setrlimit signal };
> 	allow $1_ssh_agent_t self:capability setgid;
> 
>+	allow $1_ssh_agent_t self:fifo_file rw_file_perms;
>+
> 	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
> 
>	allow $1_ssh_agent_t self:unix_stream_socket {
>create_stream_socket_perms connectto };
>@@ -436,6 +438,7 @@ template(`ssh_role_template',`
> 	optional_policy(`
> 		xserver_use_xdm_fds($1_ssh_agent_t)
> 		xserver_rw_xdm_pipes($1_ssh_agent_t)
>+		xdm_sigchld($1_ssh_agent_t)
> 	')
> ')
> 
>Index: refpolicy-2.20170419/policy/modules/system/fstools.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/fstools.if
>+++ refpolicy-2.20170419/policy/modules/system/fstools.if
>@@ -191,3 +191,21 @@ interface(`fstools_getattr_swap_files',`
> 
> 	allow $1 swapfile_t:file getattr;
> ')
>+
>+########################################
>+## <summary>
>+##	Write to fsadm_log_t
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+#
>+interface(`fstools_write_log',`
>+	gen_require(`
>+		type fsadm_log_t;
>+	')
>+
>+	allow $1 fsadm_log_t:file write_file_perms;
>+')
>Index: refpolicy-2.20170419/policy/modules/system/init.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/init.if
>+++ refpolicy-2.20170419/policy/modules/system/init.if
>@@ -2966,6 +2966,7 @@ interface(`init_admin',`
> 	init_reload($1)
> 	init_reload_all_units($1)
> 	init_shutdown_system($1)
>+	init_start_system($1)
> 	init_start_all_units($1)
> 	init_start_generic_units($1)
> 	init_stop_all_units($1)
>Index: refpolicy-2.20170419/policy/modules/system/init.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/init.te
>+++ refpolicy-2.20170419/policy/modules/system/init.te
>@@ -135,9 +135,19 @@ can_exec(init_t, init_exec_t)
> allow init_t initrc_t:unix_stream_socket connectto;
> 
> # For /var/run/shutdown.pid.
>+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
> allow init_t init_var_run_t:file manage_file_perms;
> files_pid_filetrans(init_t, init_var_run_t, file)
> 
>+# for /run/systemd/inaccessible/{chr,blk}
>+allow init_t init_var_run_t:blk_file { create getattr };
>+allow init_t init_var_run_t:chr_file { create getattr };
>+
>+# for /run/initctl
>+allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
>+
>+allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
>+
> # for systemd to manage service file symlinks
> allow init_t init_var_run_t:file manage_lnk_file_perms;
> 
>@@ -157,6 +167,7 @@ corecmd_exec_bin(init_t)
> dev_read_sysfs(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>+dev_relabel_generic_symlinks(init_t)
> 
> domain_getpgid_all_domains(init_t)
> domain_kill_all_domains(init_t)
>@@ -170,6 +181,9 @@ files_read_etc_files(init_t)
> files_rw_generic_pids(init_t)
> files_manage_etc_runtime_files(init_t)
> files_etc_filetrans_etc_runtime(init_t, file)
>+files_relabelto_etc_runtime(init_t)
>+files_list_usr(init_t)
>+
> # Run /etc/X11/prefdm:
> files_exec_etc_files(init_t)
> # file descriptors inherited from the rootfs:
>@@ -178,6 +192,7 @@ files_dontaudit_rw_root_chr_files(init_t
> 
> fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
>+fs_relabel_pstore_dirs(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
> 
>@@ -225,6 +240,8 @@ ifdef(`init_systemd',`
> 	allow init_t self:netlink_selinux_socket create_socket_perms;
> 	allow init_t self:unix_dgram_socket lock;
> 
>+	allow init_t init_var_run_t:sock_file manage_sock_file_perms;
>+
> 	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
> 	allow init_t daemon:unix_dgram_socket create_socket_perms;
> 	allow init_t daemon:tcp_socket create_stream_socket_perms;
>@@ -257,6 +274,7 @@ ifdef(`init_systemd',`
> 	kernel_getattr_proc(init_t)
> 	kernel_read_fs_sysctls(init_t)
> 
>+	auth_manage_var_auth(init_t)
> 	dev_rw_autofs(init_t)
> 	dev_create_generic_dirs(init_t)
> 	dev_manage_input_dev(init_t)
>@@ -318,10 +336,14 @@ ifdef(`init_systemd',`
> 	seutil_read_file_contexts(init_t)
> 
> 	systemd_manage_passwd_runtime_symlinks(init_t)
>+	systemd_use_passwd_agent(init_t)
> 
> 	# udevd is a "systemd kobject uevent socket activated daemon"
> 	udev_create_kobject_uevent_sockets(init_t)
> 
>+	# for systemd to read udev status
>+	udev_read_pid_files(init_t)
>+
> 	optional_policy(`
> 		clock_read_adjtime(init_t)
> 	')
>@@ -350,11 +372,19 @@ ifdef(`init_systemd',`
> 	')
> ')
> 
>+fs_relabelfrom_tmpfs_symlinks(init_t)
>+
> ifdef(`distro_debian',`
> 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> 
> 	allow init_t initrc_var_run_t:file manage_file_perms;
> 	fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
>+	fs_manage_tmpfs_files(initrc_t)
>+	sysnet_manage_config(initrc_t)
>+
>+	optional_policy(`
>+		postfix_read_config(initrc_t)
>+	')
> ')
> 
> ifdef(`distro_gentoo',`
>@@ -370,6 +400,12 @@ ifdef(`distro_redhat',`
> ')
> 
> optional_policy(`
>+	modutils_read_module_config(init_t)
>+	modutils_read_module_deps(init_t)
>+	modutils_read_module_objects(init_t)
>+')
>+
>+optional_policy(`
> 	auth_rw_login_records(init_t)
> ')
> 
>@@ -423,6 +459,9 @@ term_create_pty(initrc_t, initrc_devpts_
> # Going to single user mode
> init_telinit(initrc_t)
> 
>+# for logsave in strict configuration
>+fstools_write_log(initrc_t)
>+
> can_exec(initrc_t, init_script_file_type)
> 
> create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
>@@ -442,6 +481,8 @@ manage_fifo_files_pattern(initrc_t, init
> 
> allow initrc_t initrc_var_run_t:file manage_file_perms;
> files_pid_filetrans(initrc_t, initrc_var_run_t, file)
>+files_create_pid_dir(initrc_t)
>+files_setattr_pid_dirs(initrc_t)
> 
> allow initrc_t daemon:process siginh;
> 
>@@ -491,6 +532,7 @@ corenet_udp_sendrecv_all_ports(initrc_t)
> corenet_tcp_connect_all_ports(initrc_t)
> corenet_sendrecv_all_client_packets(initrc_t)
> 
>+dev_create_subdir(initrc_t)
> dev_read_rand(initrc_t)
> dev_read_urand(initrc_t)
> dev_dontaudit_read_kmsg(initrc_t)
>@@ -825,26 +867,33 @@ ifdef(`enabled_mls',`
> 	')
> ')
> 
>+# for systemd
>+kernel_load_module(init_t)
>+
> ifdef(`init_systemd',`
> 	allow init_t self:system { status reboot halt reload };
> 
> 	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
> 	allow init_t self:process { setsockcreate setfscreate setrlimit };
>-	allow init_t self:process { getcap setcap };
>+	allow init_t self:process { getcap setcap getsched setsched };
>	allow init_t self:unix_stream_socket { create_stream_socket_perms
>connectto };
> 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
>	allow init_t self:netlink_audit_socket { nlmsg_relay
>create_socket_perms };
>+	allow init_t self:netlink_selinux_socket create_socket_perms;
> 	# Until systemd is fixed
>	allow daemon init_t:socket_class_set { getopt read getattr ioctl
>setopt write };
> 	allow init_t self:udp_socket create_socket_perms;
> 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
> 	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
>-	allow initrc_t init_t:system { status reboot halt reload };
>+	allow initrc_t init_t:system { start status reboot halt reload };
> 	allow init_t self:capability2 audit_read;
> 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
> 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
> 
> 	manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
>+	allow initrc_t init_var_run_t:file create_file_perms;
>+	allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms;
>+	allow initrc_t init_var_run_t:service { start status };
> 
> 	manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
>	manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
>@@ -868,6 +917,7 @@ ifdef(`init_systemd',`
> 	kernel_read_software_raid_state(init_t)
> 	kernel_unmount_debugfs(init_t)
> 	kernel_setsched(init_t)
>+	kernel_rw_unix_sysctls(init_t)
> 
> 	auth_relabel_login_records(init_t)
> 	auth_relabel_pam_console_data_dirs(init_t)
>@@ -926,6 +976,7 @@ ifdef(`init_systemd',`
> 	fs_list_auto_mountpoints(init_t)
> 	fs_manage_cgroup_dirs(init_t)
> 	fs_manage_cgroup_files(init_t)
>+	fs_create_cgroup_links(init_t)
> 	fs_manage_hugetlbfs_dirs(init_t)
> 	fs_manage_tmpfs_dirs(init_t)
> 	fs_mount_all_fs(init_t)
>Index: refpolicy-2.20170419/policy/modules/system/modutils.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/modutils.if
>+++ refpolicy-2.20170419/policy/modules/system/modutils.if
>@@ -39,6 +39,25 @@ interface(`modutils_read_module_deps',`
> 
> ########################################
> ## <summary>
>+##	Read the kernel modules.
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+#
>+interface(`modutils_read_module_objects',`
>+	gen_require(`
>+		type modules_object_t;
>+	')
>+
>+	files_list_kernel_modules($1)
>+	allow $1 modules_object_t:file read_file_perms;
>+')
>+
>+########################################
>+## <summary>
> ##	Read the configuration options used when
> ##	loading modules.
> ## </summary>
>Index: refpolicy-2.20170419/policy/modules/system/userdomain.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/userdomain.if
>+++ refpolicy-2.20170419/policy/modules/system/userdomain.if
>@@ -67,6 +67,7 @@ template(`userdom_base_user_template',`
> 	dontaudit $1_t user_tty_device_t:chr_file ioctl;
> 
> 	kernel_read_kernel_sysctls($1_t)
>+	kernel_read_vm_sysctls($1_t)
> 	kernel_dontaudit_list_unlabeled($1_t)
> 	kernel_dontaudit_getattr_unlabeled_files($1_t)
> 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
>@@ -78,6 +79,12 @@ template(`userdom_base_user_template',`
> 	dev_dontaudit_getattr_all_blk_files($1_t)
> 	dev_dontaudit_getattr_all_chr_files($1_t)
> 
>+	# for X session unlock
>+	allow $1_t self:netlink_audit_socket { create_socket_perms
>nlmsg_relay };
>+
>+	# for KDE
>+	allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms;
>+
> 	# When the user domain runs ps, there will be a number of access
> 	# denials when ps tries to search /proc. Do not audit these denials.
> 	domain_dontaudit_read_all_domains_state($1_t)
>@@ -108,6 +115,14 @@ template(`userdom_base_user_template',`
> 
> 	sysnet_read_config($1_t)
> 
>+	# kdeinit wants systemd status
>+	init_get_system_status($1_t)
>+
>+	optional_policy(`
>+		apt_read_cache($1_t)
>+		apt_read_db($1_t)
>+	')
>+
> 	tunable_policy(`allow_execmem',`
> 		# Allow loading DSOs that require executable stack.
> 		allow $1_t self:process execmem;
>Index: refpolicy-2.20170419/policy/support/file_patterns.spt
>===================================================================
>--- refpolicy-2.20170419.orig/policy/support/file_patterns.spt
>+++ refpolicy-2.20170419/policy/support/file_patterns.spt
>@@ -489,7 +489,7 @@ define(`rw_chr_files_pattern',`
> define(`create_chr_files_pattern',`
> 	allow $1 self:capability mknod;
> 	allow $1 $2:dir add_entry_dir_perms;
>-	allow $1 $3:chr_file create_chr_file_perms;
>+	allow $1 $3:chr_file { create_chr_file_perms setattr };
> ')
> 
> define(`delete_chr_files_pattern',`
>Index: refpolicy-2.20170419/policy/modules/services/xserver.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/services/xserver.if
>+++ refpolicy-2.20170419/policy/modules/services/xserver.if
>@@ -1561,3 +1561,21 @@ interface(`xserver_unconfined',`
> 	typeattribute $1 x_domain;
> 	typeattribute $1 xserver_unconfined_type;
> ')
>+
>+########################################
>+## <summary>
>+##	Allow domain to send sigchld to xdm_t
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+#
>+interface(`xdm_sigchld',`
>+	gen_require(`
>+		type xdm_t;
>+	')
>+
>+	allow $1 xdm_t:process sigchld;
>+')
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy