From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 1 Nov 2017 18:50:12 -0400 Subject: [refpolicy] [PATCH 2/5] Add key interfaces and perms In-Reply-To: <20171031053707.6893-2-jason@perfinion.com> References: <20171031053707.6893-1-jason@perfinion.com> <20171031053707.6893-2-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/31/2017 01:37 AM, Jason Zaman wrote: > Mostly taken from the fedora rawhide policy > --- > policy/modules/kernel/kernel.if | 36 ++++++++++++++++++ > policy/modules/services/ssh.if | 2 + > policy/modules/services/ssh.te | 1 + > policy/modules/services/xserver.if | 18 +++++++++ > policy/modules/services/xserver.te | 1 + > policy/modules/system/authlogin.te | 4 ++ > policy/modules/system/locallogin.te | 1 + > policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++ > 8 files changed, 136 insertions(+) > > diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if > index 25467d0a..843b26e3 100644 > --- a/policy/modules/kernel/kernel.if > +++ b/policy/modules/kernel/kernel.if > @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',` > > ######################################## > ## > +## Allow view the kernel key ring. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_view_key',` > + gen_require(` > + type kernel_t; > + ') > + > + allow $1 kernel_t:key view; > +') > + > +######################################## > +## > +## dontaudit view the kernel key ring. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`kernel_dontaudit_view_key',` > + gen_require(` > + type kernel_t; > + ') > + > + dontaudit $1 kernel_t:key view; > +') > + > +######################################## > +## > ## Allows caller to read the ring buffer. > ## > ## > diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if > index aa906680..26c90838 100644 > --- a/policy/modules/services/ssh.if > +++ b/policy/modules/services/ssh.if > @@ -338,6 +338,8 @@ template(`ssh_role_template',` > # for rsync > allow ssh_t $3:unix_stream_socket rw_socket_perms; > allow ssh_t $3:unix_stream_socket connectto; > + allow ssh_t $3:key manage_key_perms; > + allow $3 ssh_t:key { write search read view }; Is this second rule really needed? It doesn't seem like there should be reverse access. > # user can manage the keys and config > manage_files_pattern($3, ssh_home_t, ssh_home_t) > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te > index 5b939d0c..eaabdcd7 100644 > --- a/policy/modules/services/ssh.te > +++ b/policy/modules/services/ssh.te > @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid }; > allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; > allow ssh_t self:fd use; > allow ssh_t self:fifo_file rw_fifo_file_perms; > +allow ssh_t self:key manage_key_perms; > allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; > allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; > allow ssh_t self:shm create_shm_perms; > diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if > index e0c5be82..e70046db 100644 > --- a/policy/modules/services/xserver.if > +++ b/policy/modules/services/xserver.if > @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > +######################################## > +## > +## Manage keys for xdm. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`xserver_rw_xdm_keys',` > + gen_require(` > + type xdm_t; > + ') > + > + allow $1 xdm_t:key { read write setattr }; > +') > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index 758292be..ef56563c 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t) > kernel_read_kernel_sysctls(xdm_t) > kernel_read_net_sysctls(xdm_t) > kernel_read_network_state(xdm_t) > +kernel_view_key(xdm_t) > > corecmd_exec_shell(xdm_t) > corecmd_exec_bin(xdm_t) > diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te > index 11a8ec1c..9b3f3520 100644 > --- a/policy/modules/system/authlogin.te > +++ b/policy/modules/system/authlogin.te > @@ -419,6 +419,8 @@ optional_policy(` > # nsswitch_domain local policy > # > > +allow nsswitch_domain self:key manage_key_perms; > + > files_list_var_lib(nsswitch_domain) > > # read /etc/nsswitch.conf > @@ -426,6 +428,8 @@ files_read_etc_files(nsswitch_domain) > > sysnet_dns_name_resolve(nsswitch_domain) > > +userdom_manage_all_users_keys(nsswitch_domain) This needs explanation. > tunable_policy(`authlogin_nsswitch_use_ldap',` > miscfiles_read_generic_certs(nsswitch_domain) > sysnet_use_ldap(nsswitch_domain) > diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te > index 5a0c508f..269a61e0 100644 > --- a/policy/modules/system/locallogin.te > +++ b/policy/modules/system/locallogin.te > @@ -209,6 +209,7 @@ optional_policy(` > optional_policy(` > xserver_read_xdm_tmp_files(local_login_t) > xserver_rw_xdm_tmp_files(local_login_t) > + xserver_rw_xdm_keys(local_login_t) > ') > > ################################# > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 9d817e32..50035674 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -47,6 +47,7 @@ template(`userdom_base_user_template',` > > allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; > allow $1_t self:fd use; > + allow $1_t self:key manage_key_perms; > allow $1_t self:fifo_file rw_fifo_file_perms; > allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; > allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; > @@ -4018,6 +4019,60 @@ interface(`userdom_sigchld_all_users',` > > ######################################## > ## > +## Read keys for all user domains. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_read_all_users_keys',` > + gen_require(` > + attribute userdomain; > + ') > + > + allow $1 userdomain:key read; > +') > + > +######################################## > +## > +## Write keys for all user domains. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_write_all_users_keys',` > + gen_require(` > + attribute userdomain; > + ') > + > + allow $1 userdomain:key write; > +') > + > +######################################## > +## > +## Read and write keys for all user domains. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_rw_all_users_keys',` > + gen_require(` > + attribute userdomain; > + ') > + > + allow $1 userdomain:key { read view write }; > +') > + > +######################################## > +## > ## Create keys for all user domains. > ## > ## > @@ -4036,6 +4091,24 @@ interface(`userdom_create_all_users_keys',` > > ######################################## > ## > +## Manage keys for all user domains. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_manage_all_users_keys',` > + gen_require(` > + attribute userdomain; > + ') > + > + allow $1 userdomain:key manage_key_perms; > +') > + > +######################################## > +## > ## Send a dbus message to all user domains. > ## > ## > -- Chris PeBenito