From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 10 Nov 2017 16:27:19 +0100
Subject: [refpolicy] Refpolicy and gdm/gnome?
In-Reply-To:
References:
Message-ID: <20171110152719.GA25635@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Nov 10, 2017 at 03:04:56PM +0000, David Sugar via refpolicy wrote:
> I'm slowly working my way through this stuff. For the transitions for wm_exec_t and dbusd_exec_t I used the wm_role_template and dbus_role_template which deal with the transitions but lead to other denials (due to the newly created types).
>
> One of the issues with files not being labeled properly is /run/user/ which is created by systemd-logind. systemd-logind is mounting a tmpfs for each user as they login (and removing at logout). But this is getting the type tmpfs_t rather than user_runtime_t (thus the complaint about running restorecon). Anyway, the following seems to work, but is this the correct way? Is there something else that controls the label of this mount point?

If I recall correctly Nicolas Iooss indicated that he fixed that logind labeling issue in systemd (I might be wrong and/or you might still be using a systemd/logind without that fix), but to effectively use this you still probably want to use the %{USERID} libsemanage functionality to specify contexts for user runtime dirs, and that might also not be available.

Example:

/run/user/%{USERID} -d system_u:object_r:user_runtime_t:s0

Point is that logind should create these user runtime dirs with the context that is generated by genhomedircon for that particular user's runtime dir, I believe.

>
> I will submit this as a formal patch. I'm sure the name of the new interface 'userdom_user_run_filetrans_user_runtime' needs to be changed. I'm open to suggestions of what might be correct.
>
> The complaint I'm getting is this:
> !!!! The file '/run/user/42' is mislabeled on your system.
> !!!! 
Fix with $ restorecon -R -v /run/user/42 > allow systemd_logind_t user_runtime_root_t:dir mounton; > > The patch to resolve is this: > --- > policy/modules/system/systemd.te | 1 + > policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++ > 2 files changed, 31 insertions(+) > > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te > index 2d0393a3..1498ca32 100644 > --- a/policy/modules/system/systemd.te > +++ b/policy/modules/system/systemd.te > @@ -448,6 +448,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) > userdom_relabelto_user_runtime_dirs(systemd_logind_t) > userdom_setattr_user_ttys(systemd_logind_t) > userdom_delete_user_runtime_files(systemd_logind_t) > +userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir) > userdom_use_user_ttys(systemd_logind_t) > > optional_policy(` > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 49eff3a6..e5fa98fa 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -3231,6 +3231,36 @@ interface(`userdom_user_runtime_root_filetrans_user_runtime',` > > ######################################## > ## > +## Create objects in the user runtime root > +## directory with an automatic type transition > +## to the user runtime dir type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The class of the object to be created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`userdom_user_run_filetrans_user_runtime',` > + gen_require(` > + type user_runtime_t; > + ') > + > + fs_tmpfs_filetrans($1, user_runtime_t, $2, $3) > +') > + > +######################################## > +## > ## Read and write user tmpfs files. > ## > ## > -- > 2.13.6 > > > ________________________________________ 
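Review bot: the systemd.te hunk adds a create-time type transition, but the denial being chased is `allow systemd_logind_t user_runtime_root_t:dir mounton;`, which this rule does not address. logind mounts a fresh tmpfs on /run/user/42, and the root inode of that new mount carries the filesystem's default label (tmpfs_t here, as the `tmpfs_t:dir { remove_name write }` denial in the original report also shows); no directory is created through a type_transition at that point, so the mount root will still end up as tmpfs_t unless logind relabels it afterwards or mounts with a context= option. The `mounton` permission itself is still missing from the patch and has to be granted as well. Separately, `fs_tmpfs_filetrans($1, user_runtime_t, dir)` with no name argument applies to every directory systemd_logind_t creates on any tmpfs, not only under /run/user, so if the call is kept the commit message should say why that width is acceptable, or the rule should be narrowed.

Review bot: in the userdomain.if hunk the summary says the interface creates objects "in the user runtime root directory", but the body is `fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)`, so the transition is keyed on tmpfs_t rather than user_runtime_root_t, and the adjacent `userdom_user_runtime_root_filetrans_user_runtime` already covers the root-directory case. Either the summary or the implementation should change so the two agree. The name also departs from the `userdom_<source>_filetrans_<target>` pattern its neighbour follows; something like `userdom_tmpfs_filetrans_user_runtime` would describe what the body actually does. Since the systemd.te caller omits the third argument, the `name` parameter should be marked optional in the interface XML if it is not already.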
> From: refpolicy-bounces at oss.tresys.com on behalf of Guido Trentalancia via refpolicy
> Sent: Wednesday, November 8, 2017 3:33:52 PM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Refpolicy and gdm/gnome?
>
> In order of importance (and, to some degree, decreasing safety), the permissions are probably as follows:
>
> #============= init_t ==============
> allow init_t xdm_t:dbus send_msg;
>
> #============= initrc_t ==============
> allow initrc_t xdm_t:dbus send_msg;
> allow initrc_t xdm_t:process getsched;
>
> plus the systemd ones, plus the following ones:
>
> #============= xdm_t ==============
> allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
> allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read };
> allow xdm_t xkb_var_lib_t:dir search;
> allow xdm_t xkb_var_lib_t:file { getattr open read };
> allow xdm_t init_t:dbus send_msg;
> allow xdm_t init_t:system status;
> allow xdm_t initrc_t:dbus send_msg;
>
> allow xdm_t self:process setcap;
> allow xdm_t sound_device_t:chr_file { ioctl open read write };
>
> allow xdm_t systemd_locale_t:dbus send_msg;
> allow xdm_t systemd_logind_var_run_t:dir read;
> allow xdm_t systemd_logind_var_run_t:fifo_file write;
> allow xdm_t systemd_machined_var_run_t:dir read;
> allow xdm_t systemd_sessions_var_run_t:dir { open read };
> allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
> allow xdm_t udev_var_run_t:file { getattr open read };
>
> #============= xserver_t ==============
> allow xserver_t xdm_t:file { open read };
> allow xserver_t xdm_t:lnk_file read;
>
> Then, at the second position, we probably have:
>
> #============= xdm_t ==============
> allow xdm_t kernel_t:unix_stream_socket connectto;
> allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
> allow xdm_t self:netlink_selinux_socket { bind create };
>
> Then, at the third position:
>
> #============= colord_t ==============
> allow colord_t systemd_sessions_var_run_t:file { getattr open read };
> allow colord_t xdm_t:dir search;
> allow colord_t xdm_t:file { getattr open read };
>
> #============= xdm_t ==============
> allow xdm_t sysctl_vm_overcommit_t:file { open read };
> allow xdm_t sysctl_vm_t:dir search;
>
> At the fourth position, we probably have the following permissions (if it hasn't started yet):
>
> #============= xdm_t ==============
> allow xdm_t sysctl_crypto_t:dir search;
> allow xdm_t sysctl_crypto_t:file { getattr open read };
>
> At the fifth position, we probably have (increasingly dangerous):
>
> #============= xdm_t ==============
> allow xdm_t staff_t:key { link search write };
>
> #============= xserver_t ==============
> allow xserver_t self:capability sys_ptrace;
> allow xserver_t staff_t:file { open read };
> allow xserver_t staff_t:lnk_file read;
>
> The remaining ones are probably just dangerous and risky (commented out), in particular the following two:
>
> #============= xdm_t ==============
> #allow xdm_t xdm_tmp_t:file execute;
> #allow xdm_t self:capability net_admin;
> #allow xdm_t user_home_dir_t:dir create;
> #allow xdm_t user_home_dir_t:file { append create open read setattr write };
>
> #============= xserver_t ==============
> #allow xserver_t staff_t:file { open read };
> #allow xserver_t staff_t:lnk_file read;
>
> So, after relabeling, I suggest you start implementing supplemental policy from the top of the list and stop as soon as you achieve the desired (or minimum) level of functionality.
>
> I hope it helps.
>
> Regards,
>
> Guido
>
> On the 8th of November 2017 04:04:15 CET, David Sugar via refpolicy wrote:
> >I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy and trying to start GDM/Gnome. While in permissive I'm seeing a bunch of denials related to xdm_t (enforcing the greeter never starts). I'm happy to go through and fix these things to get stuff working. I just want to make sure that before I begin adding additional rules to allow the items I'm seeing that I'm not just missing something (a boolean set incorrectly or a missing module or something else?). I was kind of assuming that this would just work but maybe that isn't the case.
> >
> >Here are the denials I'm seeing. Any thoughts?
> >
> >#============= colord_t ==============
> >allow colord_t systemd_sessions_var_run_t:file { getattr open read };
> >allow colord_t xdm_t:dir search;
> >allow colord_t xdm_t:file { getattr open read };
> >
> >#============= init_t ==============
> >allow init_t xdm_t:dbus send_msg;
> >
> >#============= initrc_t ==============
> >allow initrc_t xdm_t:dbus send_msg;
> >allow initrc_t xdm_t:process getsched;
> >
> >#============= systemd_locale_t ==============
> >allow systemd_locale_t xdm_t:dbus send_msg;
> >
> >#============= systemd_logind_t ==============
> >allow systemd_logind_t crond_t:dbus send_msg;
> >allow systemd_logind_t crond_t:dir search;
> >allow systemd_logind_t crond_t:file { getattr open read };
> >allow systemd_logind_t init_t:service stop;
> >allow systemd_logind_t init_var_run_t:service { start status };
> >allow systemd_logind_t tmpfs_t:dir { remove_name write };
> >
> >#!!!! The file '/run/user/42' is mislabeled on your system.
> >#!!!! Fix with $ restorecon -R -v /run/user/42
> >allow systemd_logind_t user_runtime_root_t:dir mounton;
> >allow systemd_logind_t user_tmpfs_t:dir { remove_name rmdir write };
> >allow systemd_logind_t user_tmpfs_t:file unlink;
> >allow systemd_logind_t xdm_tmpfs_t:dir { getattr open read remove_name rmdir write };
> >allow systemd_logind_t xdm_tmpfs_t:file unlink;
> >allow systemd_logind_t xdm_tmpfs_t:sock_file unlink;
> >
> >#============= systemd_sessions_t ==============
> >
> >#!!!! The file '/run/systemd/journal/socket' is mislabeled on your system.
> >#!!!! Fix with $ restorecon -R -v /run/systemd/journal/socket
> >allow systemd_sessions_t kernel_t:unix_dgram_socket sendto;
> >
> >#============= xdm_t ==============
> >allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
> >allow xdm_t init_t:dbus send_msg;
> >allow xdm_t init_t:system status;
> >allow xdm_t initrc_t:dbus send_msg;
> >
> >#!!!! The file '/run/systemd/journal/stdout' is mislabeled on your system.
> >#!!!! Fix with $ restorecon -R -v /run/systemd/journal/stdout
> >allow xdm_t kernel_t:unix_stream_socket connectto;
> >allow xdm_t self:capability net_admin;
> >allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
> >allow xdm_t self:netlink_selinux_socket { bind create };
> >allow xdm_t self:process setcap;
> >allow xdm_t sound_device_t:chr_file { ioctl open read write };
> >allow xdm_t staff_t:key { link search write };
> >allow xdm_t sysctl_crypto_t:dir search;
> >allow xdm_t sysctl_crypto_t:file { getattr open read };
> >allow xdm_t sysctl_vm_overcommit_t:file { open read };
> >allow xdm_t sysctl_vm_t:dir search;
> >allow xdm_t systemd_locale_t:dbus send_msg;
> >allow xdm_t systemd_logind_var_run_t:dir read;
> >allow xdm_t systemd_logind_var_run_t:fifo_file write;
> >allow xdm_t systemd_machined_var_run_t:dir read;
> >allow xdm_t systemd_sessions_var_run_t:dir { open read };
> >allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
> >allow xdm_t udev_var_run_t:file { getattr open read };
> >
> >#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
> >allow xdm_t user_home_dir_t:dir create;
> >allow xdm_t user_home_dir_t:file { append create open read setattr write };
> >allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read };
> >allow xdm_t xdm_tmp_t:file execute;
> >allow xdm_t xkb_var_lib_t:dir search;
> >allow xdm_t xkb_var_lib_t:file { getattr open read };
> >
> >#============= xserver_t ==============
> >allow xserver_t self:capability sys_ptrace;
> >allow xserver_t staff_t:file { open read };
> >allow xserver_t staff_t:lnk_file read;
> >allow xserver_t xdm_t:file { open read };
> >allow xserver_t xdm_t:lnk_file read;
> >
> >
> >Thanks,
> >Dave Sugar
> >dsugar at tresys.com
> >_______________________________________________
> >refpolicy mailing list
> >refpolicy at oss.tresys.com
> >http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
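The %{USERID} mechanism mentioned above is easier to reason about when you can see what genhomedircon produces from such a line and how libselinux then resolves a path against it. The script below is an added example written for this page; it is not code from the thread, from libsemanage or from refpolicy. It expands a constructed template line once per user from a constructed passwd-style list (the real genhomedircon also consults the semanage login mappings, which is omitted here), anchors each regex at both ends as libselinux does, honours the `-d` (directory only) type field, and searches the specs from the last entry backwards, which is why entries appended from file_contexts.homedirs override the base file_contexts. The /run/user fallback line and the user list are illustrative, not copied from any policy.

```python
"""Illustrative emulation of genhomedircon's %{USERID} expansion and of
libselinux file-context lookup order.  Added example; not libsemanage,
libselinux or refpolicy code."""
import re
from dataclasses import dataclass

# Constructed passwd-style entries (name, uid).  The real genhomedircon
# derives this list from the user database and the semanage login mappings.
USERS = [("gdm", 42), ("dave", 1000)]

# Constructed base file_contexts line (illustrative, not refpolicy's own).
FILE_CONTEXTS = [
    "/run/user(/.*)?            system_u:object_r:user_runtime_root_t:s0",
]

# Template line of the kind discussed in the thread; expanded per user.
FILE_CONTEXTS_TEMPLATE = [
    "/run/user/%{USERID}   -d   system_u:object_r:user_runtime_t:s0",
]


@dataclass
class Spec:
    regex: re.Pattern   # anchored path regex
    ftype: str          # "", "-d", "--", "-l", ... (empty means any type)
    context: str


SPEC_RE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?(\S+)$")


def parse_spec(line: str) -> Spec:
    """Parse one file_contexts line: regex [type] context."""
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError(f"bad file_contexts line: {line!r}")
    path_re, ftype, ctx = m.groups()
    # libselinux anchors every file_contexts regex at both ends.
    return Spec(re.compile("^" + path_re + "$"), ftype or "", ctx)


def expand_template(template_lines, users):
    """Expand %{USERID}/%{USERNAME} once per user, the way genhomedircon
    generates file_contexts.homedirs.  User names are regex-escaped because
    the expanded line is itself a regex."""
    out = []
    for line in template_lines:
        if "%{USERID}" not in line and "%{USERNAME}" not in line:
            continue
        for name, uid in users:
            out.append(line.replace("%{USERID}", str(uid))
                           .replace("%{USERNAME}", re.escape(name)))
    return out


def lookup(path, specs, is_dir):
    """Return the context for path, or None.  Specs are searched from the
    last entry backwards, so later (homedirs/local) entries win."""
    for spec in reversed(specs):
        if spec.ftype == "-d" and not is_dir:
            continue
        if spec.ftype == "--" and is_dir:
            continue
        if spec.regex.match(path):
            return spec.context
    return None


def build_specs():
    """Base file_contexts followed by the per-user expansion, in load order."""
    lines = FILE_CONTEXTS + expand_template(FILE_CONTEXTS_TEMPLATE, USERS)
    return [parse_spec(line) for line in lines]


if __name__ == "__main__":
    specs = build_specs()
    for p in ("/run/user", "/run/user/42", "/run/user/1000", "/run/user/4242"):
        print(f"{p:<18} dir={lookup(p, specs, True)}  file={lookup(p, specs, False)}")
```

Note the two cases that matter for the thread: a uid with no expanded line (4242 here) falls back to the base /run/user entry, and a non-directory at /run/user/42 is skipped by the `-d` spec, so only the directory form of the template gives the mount point user_runtime_t. Whether logind actually applies that context at mount time is a separate question, which is what the systemd fix mentioned above addresses.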