From: krzysztof.a.nowicki@gmail.com (Krzysztof Nowicki)
Date: Thu, 18 May 2017 22:35:29 +0200
Subject: [refpolicy] [PATCH 2/3] Label systemd-tmpfiles static configuration files
In-Reply-To:
References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> <20170518193110.27516-3-krzysztof.a.nowicki@gmail.com>
Message-ID: <15920749.gtu21uqWR7@cruinn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thursday, 18 May 2017 21:52:09 CEST, Christian Göttsche wrote:
> 2017-05-18 21:31 GMT+02:00 Krzysztof Nowicki via refpolicy > > : > > From: Krzysztof Nowicki > > > > Reuse the label from dynamically created configuration. > > --- > > > > policy/modules/system/modutils.te | 2 +- > > policy/modules/system/systemd.fc | 6 ++++++ > > policy/modules/system/systemd.if | 4 ++-- > > policy/modules/system/systemd.te | 1 + > > 4 files changed, 10 insertions(+), 3 deletions(-) > > > > diff --git a/policy/modules/system/modutils.te > > b/policy/modules/system/modutils.te index 1f7bdcd..625129f 100644 > > --- a/policy/modules/system/modutils.te > > +++ b/policy/modules/system/modutils.te > > @@ -118,7 +118,7 @@ ifdef(`init_systemd',` > > > > # for /run/tmpfiles.d/kmod.conf > > allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms; > > # kmod needs to create /run/tmpdiles.d > > > > - systemd_tmpfiles_creator(kmod_t) > > + systemd_tmpfiles_config_creator(kmod_t) > > > > init_rw_stream_sockets(kmod_t) > > > > ') > > > > diff --git a/policy/modules/system/systemd.fc > > b/policy/modules/system/systemd.fc index 57944e1..8bff2fa 100644 > > --- a/policy/modules/system/systemd.fc > > +++ b/policy/modules/system/systemd.fc
> > @@ -37,10 +37,16 @@ > > > > /usr/lib/systemd/system/systemd-backlight.* -- > > gen_context(system_u:object_r:systemd_backlight_unit_t,s0) > > /usr/lib/systemd/system/systemd-binfmt.* -- > > gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)> > > +# Systemd tmpfiles configuration > > +/usr/lib/tmpfiles.d(/.*)? > > gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) + > > > > /var/lib/systemd/backlight(/.*)? > > gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) > > /var/lib/systemd/coredump(/.*)? > > gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) > > /var/lib/systemd/linger(/.*)? > > gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)> > > +# Systemd tmpfiles configuration factory > > +/usr/share/factory(/.*)? > > gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) > What is the benefit of labeling this directory and the > /usr/lib/tmpfiles.d one with a private type? > Shouldn't the read-only like usr_t type do the job? > Also afaik local changes should be made in /etc/tmpfiles.d The idea was to avoid just that - giving the systemd-tmpfiles access to a generic type. I've always felt that types are there to separate access rules. If you feel that it's not needed then I can go with usr_t instead. > > > + > > > > /run/\.nologin[^/]* -- > > gen_context(system_u:object_r:systemd_sessions_var_run_t,s0) > > /run/nologin -- > > gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)> > > diff --git a/policy/modules/system/systemd.if > > b/policy/modules/system/systemd.if index 10f75de..4359d74 100644 > > --- a/policy/modules/system/systemd.if > > +++ b/policy/modules/system/systemd.if > > @@ -397,7 +397,7 @@ interface(`systemd_start_power_units',` > > > > ## > > ## > > # > > > > - interface(`systemd_tmpfiles_conf_file',` > > +interface(`systemd_tmpfiles_conf_file',` > > > > gen_require(` > > > > attribute systemd_tmpfiles_conf_type; > > > > ') 
> > > > @@ -418,7 +418,7 @@ interface(`systemd_start_power_units',` > > > > ## > > ## > > # > > > > -interface(`systemd_tmpfiles_creator',` > > +interface(`systemd_tmpfiles_config_creator',` > > > > gen_require(` > > > > type systemd_tmpfiles_conf_t; > > > > ') > > > > diff --git a/policy/modules/system/systemd.te > > b/policy/modules/system/systemd.te index eb70c77..4535182 100644 > > --- a/policy/modules/system/systemd.te > > +++ b/policy/modules/system/systemd.te > > @@ -784,6 +784,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir { > > relabelfrom relabelto };> > > allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto > > }; > > > > allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; > > > > +allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms; > > > > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; > > > > kernel_read_kernel_sysctls(systemd_tmpfiles_t) > > > > -- > > 2.10.2 > > > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy
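Review bot: in the modutils.te hunk, the context comment two lines above the changed call still reads `# kmod needs to create /run/tmpdiles.d`; since this hunk already touches that block, fix the typo to `/run/tmpfiles.d` so it matches the path in the `# for /run/tmpfiles.d/kmod.conf` comment directly above it.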
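Review bot: in the systemd.fc hunk, the comment `# Systemd tmpfiles configuration factory` misdescribes `/usr/share/factory(/.*)?`. That tree holds the default files that tmpfiles `C` lines copy into /etc (tmpfiles.d(5): when the source argument is omitted, the file of the same name under /usr/share/factory/ is used); it is not tmpfiles configuration. Giving it `systemd_tmpfiles_conf_t` means one type now stands for two different kinds of object, and every rule written for reading configuration also applies to the copy sources. Either give the factory tree its own type or, if a shared type is intended, reword the comment to say so. Separately, if a private type is kept for `/usr/lib/tmpfiles.d`, the other directories holding the same file format, `/etc/tmpfiles.d` (raised in the reply) and `/run/tmpfiles.d` (the path in the modutils.te comment), should be labeled consistently, otherwise an administrator's overrides in /etc end up under a generic etc type while the shipped defaults get the private one.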
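Review bot: the first systemd.if hunk (`@@ -397,7`) only drops a stray leading space before `interface(`systemd_tmpfiles_conf_file',`. That is an unrelated whitespace cleanup; refpolicy prefers such fixes in their own commit so the interface rename in this patch stays reviewable on its own.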
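Review bot: the second systemd.if hunk (`@@ -418,7`) renames `systemd_tmpfiles_creator` to `systemd_tmpfiles_config_creator` and drops the old public name, which breaks any out-of-tree policy module that still calls it. The usual refpolicy approach is to keep `systemd_tmpfiles_creator` as a deprecated wrapper that emits `refpolicywarn` pointing at the new name and then calls `systemd_tmpfiles_config_creator($1)`. Also check that the `## <summary>` block above the renamed interface describes what the new name says, creating tmpfiles configuration, rather than creating tmpfiles themselves.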
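Review bot: in the systemd.te hunk, the added `allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:file read_file_perms;` sits directly above the existing `allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;`. The `systemd_tmpfiles_conf_file` interface in the .if hunk requires the `systemd_tmpfiles_conf_type` attribute, so if `systemd_tmpfiles_conf_t` already carries that attribute the new rule is redundant, and if it does not, adding the attribute to the type declaration is cleaner than a second rule. Note also that `read_file_perms` covers only the `file` class: if any entry under the newly labeled directories is a symlink, systemd-tmpfiles will be denied `read` on `lnk_file` and the denial will appear in the audit log, so test with the policy loaded and add `read_lnk_file_perms` if that turns up.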