From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 7 Nov 2017 20:43:55 -0500
Subject: [refpolicy] [PATCH] map permission and systemd_tmpfiles_t stuff
In-Reply-To: <20171106064227.5c42aucs5pqnqxqv@xev>
References: <20171106064227.5c42aucs5pqnqxqv@xev>
Message-ID: <1f7aaeac-e6fe-8fd3-73be-64fde928a900@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 11/06/2017 01:42 AM, Russell Coker via refpolicy wrote:
> This patch allows some map permissions and allows systemd_tmpfiles_t to
> stat some things it wants to stat and append and relabel the lastlog.
>
> Index: refpolicy-2.20171105/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20171105/policy/modules/system/logging.te
> @@ -257,7 +257,7 @@ corecmd_exec_shell(audisp_t)
>
> domain_use_interactive_fds(audisp_t)
>
> -files_read_etc_files(audisp_t)
> +files_map_etc_files(audisp_t)
> files_read_etc_runtime_files(audisp_t)
>
> mls_file_write_all_levels(audisp_t)
> @@ -418,6 +418,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
> # manage temporary files
> manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> +allow syslogd_t syslogd_tmp_t:file map;
> +
> files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
>
> manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
> @@ -426,6 +428,8 @@ files_search_var_lib(syslogd_t)
>
> # manage pid file
> manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> +allow syslogd_t syslogd_var_run_t:file map;
I get the impression that these maps are all for journald. If so, they should be in the init_systemd block.
> files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
> allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
>
> Index: refpolicy-2.20171105/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20171105/policy/modules/system/lvm.te
> @@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
> files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
>
> read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
> +allow lvm_t lvm_etc_t:file map;
> +
> read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
> # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
> manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
> Index: refpolicy-2.20171105/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20171105/policy/modules/system/authlogin.if
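Review bot: The new `allow lvm_t lvm_etc_t:file map;` and the blank line after it are inserted between `read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)` and `read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)`, splitting the two lvm_etc_t read rules that belong together. Placing the map rule after the link-read pattern (or expressing it with an mmap pattern macro, if the policy support files provide one) keeps the lvm_etc_t rules grouped the way the lvm_metadata_t rules below them are. It would also help if the commit message named the lvm component that maps its configuration, since the read patterns alone were sufficient until now.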
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>
> #######################################
> ##
> +## relabel the last logins log.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`auth_relabel_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +##
> ## Read and write to the last logins log.
> ##
> ##
> Index: refpolicy-2.20171105/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20171105/policy/modules/system/systemd.if
> @@ -346,6 +346,7 @@ interface(`systemd_manage_journal_files'
>
> manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
> manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
> + allow $1 systemd_journal_t:file map;
> ')
>
>
> Index: refpolicy-2.20171105/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20171105/policy/modules/system/systemd.te
> @@ -868,9 +868,11 @@ allow systemd_tmpfiles_t systemd_journal
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>
> +kernel_getattr_proc(systemd_tmpfiles_t)
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> kernel_read_network_state(systemd_tmpfiles_t)
>
> +dev_getattr_fs(systemd_tmpfiles_t)
> dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> dev_read_urand(systemd_tmpfiles_t)
> dev_relabel_all_sysfs(systemd_tmpfiles_t)
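Review bot: The summary of the new `auth_relabel_lastlog` interface is written in lowercase, `## relabel the last logins log.`, while the neighbouring summary visible in the same hunk (`## Read and write to the last logins log.`) is a capitalised sentence; change it to `## Relabel the last logins log.`. The body itself mirrors auth_append_lastlog directly above it (gen_require on lastlog_t, logging_search_logs, then the allow), and relabelfrom together with relabelto is the right pair for a domain that re-applies the label on an existing file. The XML tags of the doc block are not visible in this rendering, so the summary and param markup cannot be checked here.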
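Review bot: Adding `allow $1 systemd_journal_t:file map;` inside `systemd_manage_journal_files` grants map to every existing caller of that interface, not only to the domain this patch is fixing, and the commit message does not say which caller hit the denial. If widening all callers is intended, the interface's summary and description, which sit above the hunk, should say that the journal files may also be memory-mapped; otherwise a separate interface limited to the map permission would be the narrower change. The interface body starts outside the hunk; only its last two rules and the closing `')` are visible.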
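Review bot: `kernel_getattr_proc(systemd_tmpfiles_t)` and `dev_getattr_fs(systemd_tmpfiles_t)` here, and `fs_getattr_tmpfs(systemd_tmpfiles_t)` in the next hunk, allow filesystem getattr without the commit message saying whether systemd-tmpfiles needs the statfs results to do its job or merely issues them while walking mount points; as far as I know the refpolicy convention for the latter is to dontaudit the access rather than allow it. Naming the tmpfiles.d entry or the denial that motivated each call would let the reviewer decide which form is appropriate for each of the three.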
> @@ -897,14 +899,17 @@ files_relabelto_etc_dirs(systemd_tmpfile
> # for /etc/mtab
> files_manage_etc_symlinks(systemd_tmpfiles_t)
>
> +fs_getattr_tmpfs(systemd_tmpfiles_t)
> fs_getattr_xattr_fs(systemd_tmpfiles_t)
>
> selinux_get_fs_mount(systemd_tmpfiles_t)
> selinux_search_fs(systemd_tmpfiles_t)
>
> +auth_append_lastlog(systemd_tmpfiles_t)
> auth_manage_faillog(systemd_tmpfiles_t)
> auth_manage_login_records(systemd_tmpfiles_t)
> auth_manage_var_auth(systemd_tmpfiles_t)
> +auth_relabel_lastlog(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
>
> Index: refpolicy-2.20171105/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20171105/policy/modules/kernel/files.if
> @@ -2944,6 +2944,38 @@ interface(`files_read_etc_files',`
>
> ########################################
> ##
> +## Read and map generic files in /etc.
> +##
> +##
> +##

> +## Allow the specified domain to read and map generic
> +## files in /etc.
> +##

> +##

> +## Related interfaces:
> +##

> +##
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`files_map_etc_files',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + files_read_etc_files($1)
> + allow $1 etc_t:file map;
The map should be an interface by itself, without the read, since etc_t is such a wide variety of files.
-- Chris PeBenito