From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 4 Nov 2017 14:09:53 -0400
Subject: [refpolicy] [PATCH 2/3] Add key interfaces and perms
In-Reply-To: <20171102173047.21952-2-jason@perfinion.com>
References: <20171102173047.21952-1-jason@perfinion.com>
	<20171102173047.21952-2-jason@perfinion.com>
Message-ID: <4d8fa1c4-12f5-f75f-8fb7-4a5e8470ecc9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/02/2017 01:30 PM, Jason Zaman wrote:
> Mostly taken from the fedora rawhide policy
> ---
>   policy/modules/kernel/kernel.if     | 36 ++++++++++++++++++
>   policy/modules/services/ssh.if      |  1 +
>   policy/modules/services/ssh.te      |  1 +
>   policy/modules/services/xserver.if  | 18 +++++++++
>   policy/modules/services/xserver.te  |  1 +
>   policy/modules/system/authlogin.te  |  2 +
>   policy/modules/system/locallogin.te |  1 +
>   policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
>   8 files changed, 133 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 25467d0a..843b26e3 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
>   
>   ########################################
>   ## <summary>
> +##	Allow view the kernel key ring.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_view_key',`
> +	gen_require(`
> +		type kernel_t;
> +	')
> +
> +	allow $1 kernel_t:key view;
> +')
> +
> +########################################
> +## <summary>
> +##	dontaudit view the kernel key ring.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_view_key',`
> +	gen_require(`
> +		type kernel_t;
> +	')
> +
> +	dontaudit $1 kernel_t:key view;
> +')
> +
> +########################################
> +## <summary>
>   ##	Allows caller to read the ring buffer.
>   ## </summary>
>   ## <param name="domain">
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index aa906680..4f20137a 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -338,6 +338,7 @@ template(`ssh_role_template',`
>   	# for rsync
>   	allow ssh_t $3:unix_stream_socket rw_socket_perms;
>   	allow ssh_t $3:unix_stream_socket connectto;
> +	allow ssh_t $3:key manage_key_perms;
>   
>   	# user can manage the keys and config
>   	manage_files_pattern($3, ssh_home_t, ssh_home_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 5b939d0c..eaabdcd7 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
>   allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
>   allow ssh_t self:fd use;
>   allow ssh_t self:fifo_file rw_fifo_file_perms;
> +allow ssh_t self:key manage_key_perms;
>   allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
>   allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
>   allow ssh_t self:shm create_shm_perms;
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e0c5be82..e70046db 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
>   	typeattribute $1 x_domain;
>   	typeattribute $1 xserver_unconfined_type;
>   ')
> +
> +########################################
> +## <summary>
> +##	Manage keys for xdm.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_rw_xdm_keys',`
> +	gen_require(`
> +		type xdm_t;
> +	')
> +
> +	allow $1 xdm_t:key { read write setattr };
> +')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 758292be..ef56563c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
>   kernel_read_kernel_sysctls(xdm_t)
>   kernel_read_net_sysctls(xdm_t)
>   kernel_read_network_state(xdm_t)
> +kernel_view_key(xdm_t)
>   
>   corecmd_exec_shell(xdm_t)
>   corecmd_exec_bin(xdm_t)
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 11a8ec1c..0f4ee19f 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -419,6 +419,8 @@ optional_policy(`
>   # nsswitch_domain local policy
>   #
>   
> +allow nsswitch_domain self:key manage_key_perms;
> +
>   files_list_var_lib(nsswitch_domain)
>   
>   # read /etc/nsswitch.conf
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 5a0c508f..269a61e0 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -209,6 +209,7 @@ optional_policy(`
>   optional_policy(`
>   	xserver_read_xdm_tmp_files(local_login_t)
>   	xserver_rw_xdm_tmp_files(local_login_t)
> +	xserver_rw_xdm_keys(local_login_t)
>   ')
>   
>   #################################
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 750bc722..efb31d0a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
>   
>   	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
>   	allow $1_t self:fd use;
> +	allow $1_t self:key manage_key_perms;
>   	allow $1_t self:fifo_file rw_fifo_file_perms;
>   	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
>   	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -4020,6 +4021,60 @@ interface(`userdom_sigchld_all_users',`
>   
>   ########################################
>   ## <summary>
> +##	Read keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_read_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key read;
> +')
> +
> +########################################
> +## <summary>
> +##	Write keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_write_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key write;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_rw_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key { read view write };
> +')
> +
> +########################################
> +## <summary>
>   ##	Create keys for all user domains.
>   ## </summary>
>   ## <param name="domain">
> @@ -4038,6 +4093,24 @@ interface(`userdom_create_all_users_keys',`
>   
>   ########################################
>   ## <summary>
> +##	Manage keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_manage_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key manage_key_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Send a dbus message to all user domains.
>   ## </summary>
>   ## <param name="domain">

Merged.

-- 
Chris PeBenito