From: dsugar@tresys.com (David Sugar)
Date: Tue, 12 Sep 2017 02:22:51 +0000
Subject: [refpolicy] [PATCH 1/1] Add init_spec_daemon_domtrans interface
In-Reply-To: <49a77346-a04d-ce8f-5a2d-a142602235c6@ieee.org>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4F8B6@Exchange10.columbia.tresys.com> <49a77346-a04d-ce8f-5a2d-a142602235c6@ieee.org>
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B58C79@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: Chris PeBenito [mailto:pebenito at ieee.org]
> Sent: Monday, September 11, 2017 8:28 PM
> To: David Sugar; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Add init_spec_daemon_domtrans interface
>
> On 09/09/2017 10:00 AM, David Sugar via refpolicy wrote:
> >
> > We have a use case on a system where we have a systemd .service unit
> > file that is using the SELinuxContext= [1] option to specify a
> > context for the service being started. The same .service file
> > (/lib/systemd/system/foo@.service) is used to start multiple instances
> > of the same executable that are customized with a different drop-in
> > .conf file for each. The context is customized in the
> > /lib/systemd/system/foo@.service file (based on using
> > SELinuxContext=system_u:system_r:foo_%i_t:s0) [2]
> >
> > We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the
> > final running process is in the domain foo_bar_t
> >
> > We have created the following interface (in init.if) to meet our
> > needs. The interface is very much like init_daemon_domain except for
> > the use of spec_domtrans_pattern rather than domtrans_pattern because
> > the automatic transition doesn't work in this case.
> >
> > [1] The SELinuxContext option for systemd is explained at
> > https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> > [2] The systemd %i (and other specifiers) along with drop-in files are
> > explained at
> > https://www.freedesktop.org/software/systemd/man/systemd.unit.html
> >
> > Signed-off-by: Dave Sugar
> > ---
> > policy/modules/system/init.if | 57 +++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 57 insertions(+)
> >
> > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> > index 285a104e..5573c045 100644
> > --- a/policy/modules/system/init.if
> > +++ b/policy/modules/system/init.if
> > @@ -138,6 +138,63 @@ interface(`init_domain',` > > > > ######################################## > > ## > > +## Setup a domain which can be manually transitioned to from init. > > +## > > +## > > +##

> > +## Create a domain used for systemd services where the SELinuxContext > > +## option is specified in the .service file. This allows for the ## > > +manual transition from systemd into the new domain. This is used ## > > +when automatic transitions won't work. Used for the case where the > > +## same binary is used for multiple target domains. > > +##

> > +##
> > +## > > +## > > +## Type to be used as a domain. > > +## > > +## > > +## > > +## > > +## Type of the program being executed when starting this domain. > > +## > > +## > > +# > > +interface(`init_spec_daemon_domtrans',` > > I don't like that we need this interface, but I see java as being the > primary driver of something like this. The interface name should be > init_spec_daemon_domain. > I agree that I don't like the fact this interface is needed. But I don't see a better way of doing this due to the way systemd uses setexecon to start the process and doesn't use the domain automatic transition (when using the SELinuxContext option). I will resubmit with the suggested interface name shortly. > > > > + gen_require(` > > + type init_t; > > + role system_r; > > + ') > > + > > + domain_type($1) > > + domain_entry_file($1, $2) > > + > > + role system_r types $1; > > + > > + spec_domtrans_pattern(init_t, $2, $1) > > + > > + ifdef(`init_systemd',` > > + allow $1 init_t:unix_stream_socket { getattr read write > ioctl }; > > + > > + allow init_t $1:process2 { nnp_transition nosuid_transition > }; > > + ') > > + > > + # daemons started from init will > > + # inherit fds from init for the console > > + init_dontaudit_use_fds($1) > > + term_dontaudit_use_console($1) > > + > > + # init script ptys are the stdin/out/err > > + # when using run_init > > + init_use_script_ptys($1) > > + > > + ifdef(`direct_sysadm_daemon',` > > + userdom_dontaudit_use_user_terminals($1) > > + ') > > +') > > + > > +######################################## > > +## > > ## Create a domain which can be started by init, > > ## with a range transition. > > ## > > > > > -- > Chris PeBenito
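Review bot: the description of `init_spec_daemon_domtrans` should say outright that, unlike `init_daemon_domain`, it creates no `type_transition` rule (that is the whole difference between `spec_domtrans_pattern(init_t, $2, $1)` and `domtrans_pattern`), so the domain is only reached when the unit file sets `SELinuxContext=` and a unit that runs `$2` without it will not end up in `$1`; one sentence next to "This is used when automatic transitions won't work" would save callers a debugging round. On naming, the body calls `domain_type($1)`, `domain_entry_file($1, $2)` and assigns `role system_r types $1`, i.e. it creates the domain rather than only granting a transition, so the `_domain` suffix requested in the thread is the right fit for refpolicy's convention. The `process2 { nnp_transition nosuid_transition }` allow and the `unix_stream_socket` allow under `init_systemd` match what `init_daemon_domain` grants, which is appropriate since systemd still starts this process the same way; a short comment saying they are copied from `init_daemon_domain` would make that intent visible.

As an added illustration, constructed for this reply and not part of the patch or of refpolicy, here is a minimal module that applies the interface above to two instances of one binary; the policy module name, the executable path, the instance names and the drop-in contents are assumptions:

```selinux
# foo.te (constructed example): one executable, one domain per systemd instance
policy_module(foo, 1.0.0)

########################################
#
# Declarations
#

# A single executable type shared by every instance of the service.
# Matching entry in foo.fc (path assumed):
#   /usr/bin/foo    --    gen_context(system_u:object_r:foo_exec_t,s0)
type foo_exec_t;

# One domain per instance. The template unit picks the domain by name:
#   /lib/systemd/system/foo@.service
#     [Service]
#     ExecStart=/usr/bin/foo --instance %i
#     SELinuxContext=system_u:system_r:foo_%i_t:s0
# so foo@bar.service starts in foo_bar_t and foo@baz.service in foo_baz_t.
type foo_bar_t;
type foo_baz_t;

# Interface from the patch (to be resubmitted as init_spec_daemon_domain
# per the thread). It uses spec_domtrans_pattern, so no type_transition
# rule exists for foo_exec_t from init_t; the domain is chosen solely by
# the unit's SELinuxContext= line, which is what lets one binary serve
# several domains.
init_spec_daemon_domtrans(foo_bar_t, foo_exec_t)
init_spec_daemon_domtrans(foo_baz_t, foo_exec_t)

########################################
#
# Per-instance customisation
#

# Instance-specific settings live in drop-ins, e.g. (contents assumed):
#   /etc/systemd/system/foo@bar.service.d/bar.conf
#     [Service]
#     Environment=FOO_LISTEN_PORT=8081
# Any instance-specific policy goes here in the same way, one block per
# domain, e.g. only foo_bar_t may bind its port:
corenet_tcp_bind_generic_node(foo_bar_t)
corenet_tcp_bind_all_unreserved_ports(foo_bar_t)
```

Starting an instance whose name has no matching foo_<name>_t type fails at exec time with a transition denial rather than running in init_t, which is the behaviour to expect when a drop-in is added before its policy.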