From: dsugar@tresys.com (David Sugar)
Date: Fri, 10 Nov 2017 15:57:46 +0000
Subject: [refpolicy] Refpolicy and gdm/gnome?
In-Reply-To: <20171110152719.GA25635@julius.enp8s0.d30>
References: <20171110152719.GA25635@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Friday, November 10, 2017 10:27 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Refpolicy and gdm/gnome?
>
> On Fri, Nov 10, 2017 at 03:04:56PM +0000, David Sugar via refpolicy wrote:
> > I'm slowly working my way through this stuff. For the transitions for
> > wm_exec_t and dbusd_exec_t I used the wm_role_template and
> > dbus_role_template which deal with the transitions but lead to other
> > denials (due to the newly created types).
> >
> > One of the issues with files not being labeled properly is /run/user/
> > which is created by systemd-logind. systemd-logind is mounting a tmpfs
> > for each user as they log in (and removing it at logout). But this is
> > getting the type tmpfs_t rather than user_runtime_t (thus the complaint
> > about running restorecon). Anyway, the following seems to work, but is
> > this the correct way? Is there something else that controls the label
> > of this mount point?
>
> If I recall correctly Nicolas Iooss indicated that he fixed that logind
> labeling issue in systemd (I might be wrong and/or you might still be
> using a systemd/logind without that fix), but to effectively use this
> you still probably want to use the %{USERID} libsemanage functionality
> to specify contexts for user runtime dirs, and that might also not be
> available.
>
> Example:
> /run/user/%{USERID} -d system_u:object_r:user_runtime_t:s0
>
> Point is that logind should create these user runtime dirs with the
> context that is generated by genhomedircon for that particular user's
> runtime dir, I believe.

You have a good memory. I looked through the systemd git repo and indeed
Nicolas Iooss made a change that claims to fix this problem (in February
2016). It appears to be in systemd v229.

Unfortunately RHEL/CentOS is still distributing systemd v219 and even
though they are backporting some patches this doesn't appear to be one
of them (though I have not actually reviewed the source, just the
changelog).

> > I will submit this as a formal patch. I'm sure the name of the new
> > interface 'userdom_user_run_filetrans_user_runtime' needs to be changed.
> > I'm open to suggestions of what might be correct.
> >
> > The complaint I'm getting is this:
> > !!!! The file '/run/user/42' is mislabeled on your system.
> > !!!! Fix with $ restorecon -R -v /run/user/42
> > allow systemd_logind_t user_runtime_root_t:dir mounton;
> >
> > The patch to resolve is this:
> > ---
> >  policy/modules/system/systemd.te    |  1 +
> >  policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++
> >  2 files changed, 31 insertions(+)
> >
> > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > index 2d0393a3..1498ca32 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -448,6 +448,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
> >  userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> >  userdom_setattr_user_ttys(systemd_logind_t)
> >  userdom_delete_user_runtime_files(systemd_logind_t)
> > +userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
> >  userdom_use_user_ttys(systemd_logind_t)
> >
> >  optional_policy(`
> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index 49eff3a6..e5fa98fa 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -3231,6 +3231,36 @@ interface(`userdom_user_runtime_root_filetrans_user_runtime',`
> >
> >  ########################################
> >  ##
> > +## Create objects in the user runtime root
> > +## directory with an automatic type transition
> > +## to the user runtime dir type.
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +##
> > +##
> > +## The class of the object to be created.
> > +##
> > +##
> > +##
> > +##
> > +## The name of the object being created.
> > +##
> > +##
> > +#
> > +interface(`userdom_user_run_filetrans_user_runtime',`
> > + gen_require(`
> > + type user_runtime_t;
> > + ')
> > +
> > + fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)
> > +')
> > +
> > +########################################
> > +##
> >  ## Read and write user tmpfs files.
> >  ##
> >  ##
> > --
> > 2.13.6
> >
> >
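Review bot: In the systemd.te hunk the new line `userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)` sits between `userdom_delete_user_runtime_files` and `userdom_use_user_ttys`, which breaks the alphabetical order refpolicy keeps within a block of calls to one module (`userdom_use_...` sorts before `userdom_user_...`); move it below `userdom_use_user_ttys(systemd_logind_t)`. The commit message should also say why no name argument is passed: the object being labeled is the root of a tmpfs that logind has just mounted, so there is no file name for a named transition to match, and the resulting rule relabels every directory logind creates on a tmpfs_t parent, not only the per-user runtime mount.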
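Review bot: The doc block of the userdomain.if hunk says the interface creates objects "in the user runtime root directory", but the body calls `fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)`, so the transition is keyed on the tmpfs type, not on the runtime root; the existing `userdom_user_runtime_root_filetrans_user_runtime` visible in the hunk header already covers the runtime-root case. Either the summary (and the name, which the author already wants to replace) should say that this is the tmpfs variant, or the interface should target the runtime root type instead. Since the systemd.te caller omits the third argument, the `name` parameter should also be documented as optional.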
> > ________________________________________
> > From: refpolicy-bounces at oss.tresys.com on behalf of Guido Trentalancia via refpolicy
> > Sent: Wednesday, November 8, 2017 3:33:52 PM
> > To: refpolicy at oss.tresys.com
> > Subject: Re: [refpolicy] Refpolicy and gdm/gnome?
> >
> > In order of importance (and, to some degree, decreasing safety), the
> > permissions are probably as follows:
> >
> > #============= init_t ==============
> > allow init_t xdm_t:dbus send_msg;
> >
> > #============= initrc_t ==============
> > allow initrc_t xdm_t:dbus send_msg;
> > allow initrc_t xdm_t:process getsched;
> >
> > plus the systemd ones, plus the following ones:
> >
> > #============= xdm_t ==============
> > allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
> > allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read };
> > allow xdm_t xkb_var_lib_t:dir search;
> > allow xdm_t xkb_var_lib_t:file { getattr open read };
> > allow xdm_t init_t:dbus send_msg;
> > allow xdm_t init_t:system status;
> > allow xdm_t initrc_t:dbus send_msg;
> >
> > allow xdm_t self:process setcap;
> > allow xdm_t sound_device_t:chr_file { ioctl open read write };
> >
> > allow xdm_t systemd_locale_t:dbus send_msg;
> > allow xdm_t systemd_logind_var_run_t:dir read;
> > allow xdm_t systemd_logind_var_run_t:fifo_file write;
> > allow xdm_t systemd_machined_var_run_t:dir read;
> > allow xdm_t systemd_sessions_var_run_t:dir { open read };
> > allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
> > allow xdm_t udev_var_run_t:file { getattr open read };
> >
> > #============= xserver_t ==============
> > allow xserver_t xdm_t:file { open read };
> > allow xserver_t xdm_t:lnk_file read;
> >
> > Then, at the second position, we probably have:
> >
> > #============= xdm_t ==============
> > allow xdm_t kernel_t:unix_stream_socket connectto;
> > allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
> > allow xdm_t self:netlink_selinux_socket { bind create };
> >
> > Then, at the third position:
> >
> > #============= colord_t ==============
> > allow colord_t systemd_sessions_var_run_t:file { getattr open read };
> > allow colord_t xdm_t:dir search;
> > allow colord_t xdm_t:file { getattr open read };
> >
> > #============= xdm_t ==============
> > allow xdm_t sysctl_vm_overcommit_t:file { open read };
> > allow xdm_t sysctl_vm_t:dir search;
> >
> > At the fourth position, we probably have the following permissions (if
> > it hasn't started yet):
> >
> > #============= xdm_t ==============
> > allow xdm_t sysctl_crypto_t:dir search;
> > allow xdm_t sysctl_crypto_t:file { getattr open read };
> >
> > At the fifth position, we probably have (increasingly dangerous):
> >
> > #============= xdm_t ==============
> > allow xdm_t staff_t:key { link search write };
> >
> > #============= xserver_t ==============
> > allow xserver_t self:capability sys_ptrace;
> > allow xserver_t staff_t:file { open read };
> > allow xserver_t staff_t:lnk_file read;
> >
> > The remaining ones are probably just dangerous and risky (commented
> > out), in particular the following two:
> >
> > #============= xdm_t ==============
> > #allow xdm_t xdm_tmp_t:file execute;
> > #allow xdm_t self:capability net_admin;
> > #allow xdm_t user_home_dir_t:dir create;
> > #allow xdm_t user_home_dir_t:file { append create open read setattr write };
> >
> > #============= xserver_t ==============
> > #allow xserver_t staff_t:file { open read };
> > #allow xserver_t staff_t:lnk_file read;
> >
> > So, after relabeling, I suggest you start implementing supplemental
> > policy from the top of the list and stop as soon as you achieve the
> > desired (or minimum) level of functionality.
> >
> > I hope it helps.
> >
> > Regards,
> >
> > Guido
> >
> > On the 8th of November 2017 04:04:15 CET, David Sugar via refpolicy wrote:
> > > I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy
> > > and trying to start GDM/Gnome. While in permissive I'm seeing a
> > > bunch of denials related to xdm_t (enforcing, the greeter never
> > > starts). I'm happy to go through and fix these things to get stuff
> > > working. I just want to make sure that before I begin adding
> > > additional rules to allow the items I'm seeing that I'm not just
> > > missing something (a boolean set incorrectly or a missing module or
> > > something else?). I was kind of assuming that this would just work
> > > but maybe that isn't the case.
> > >
> > > Here are the denials I'm seeing. Any thoughts?
> > >
> > > #============= colord_t ==============
> > > allow colord_t systemd_sessions_var_run_t:file { getattr open read };
> > > allow colord_t xdm_t:dir search;
> > > allow colord_t xdm_t:file { getattr open read };
> > >
> > > #============= init_t ==============
> > > allow init_t xdm_t:dbus send_msg;
> > >
> > > #============= initrc_t ==============
> > > allow initrc_t xdm_t:dbus send_msg;
> > > allow initrc_t xdm_t:process getsched;
> > >
> > > #============= systemd_locale_t ==============
> > > allow systemd_locale_t xdm_t:dbus send_msg;
> > >
> > > #============= systemd_logind_t ==============
> > > allow systemd_logind_t crond_t:dbus send_msg;
> > > allow systemd_logind_t crond_t:dir search;
> > > allow systemd_logind_t crond_t:file { getattr open read };
> > > allow systemd_logind_t init_t:service stop;
> > > allow systemd_logind_t init_var_run_t:service { start status };
> > > allow systemd_logind_t tmpfs_t:dir { remove_name write };
> > >
> > > #!!!! The file '/run/user/42' is mislabeled on your system.
> > > #!!!! Fix with $ restorecon -R -v /run/user/42
> > > allow systemd_logind_t user_runtime_root_t:dir mounton;
> > > allow systemd_logind_t user_tmpfs_t:dir { remove_name rmdir write };
> > > allow systemd_logind_t user_tmpfs_t:file unlink;
> > > allow systemd_logind_t xdm_tmpfs_t:dir { getattr open read remove_name rmdir write };
> > > allow systemd_logind_t xdm_tmpfs_t:file unlink;
> > > allow systemd_logind_t xdm_tmpfs_t:sock_file unlink;
> > >
> > > #============= systemd_sessions_t ==============
> > >
> > > #!!!! The file '/run/systemd/journal/socket' is mislabeled on your system.
> > > #!!!! Fix with $ restorecon -R -v /run/systemd/journal/socket
> > > allow systemd_sessions_t kernel_t:unix_dgram_socket sendto;
> > >
> > > #============= xdm_t ==============
> > > allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
> > > allow xdm_t init_t:dbus send_msg;
> > > allow xdm_t init_t:system status;
> > > allow xdm_t initrc_t:dbus send_msg;
> > >
> > > #!!!! The file '/run/systemd/journal/stdout' is mislabeled on your system.
> > > #!!!! Fix with $ restorecon -R -v /run/systemd/journal/stdout
> > > allow xdm_t kernel_t:unix_stream_socket connectto;
> > > allow xdm_t self:capability net_admin;
> > > allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
> > > allow xdm_t self:netlink_selinux_socket { bind create };
> > > allow xdm_t self:process setcap;
> > > allow xdm_t sound_device_t:chr_file { ioctl open read write };
> > > allow xdm_t staff_t:key { link search write };
> > > allow xdm_t sysctl_crypto_t:dir search;
> > > allow xdm_t sysctl_crypto_t:file { getattr open read };
> > > allow xdm_t sysctl_vm_overcommit_t:file { open read };
> > > allow xdm_t sysctl_vm_t:dir search;
> > > allow xdm_t systemd_locale_t:dbus send_msg;
> > > allow xdm_t systemd_logind_var_run_t:dir read;
> > > allow xdm_t systemd_logind_var_run_t:fifo_file write;
> > > allow xdm_t systemd_machined_var_run_t:dir read;
> > > allow xdm_t systemd_sessions_var_run_t:dir { open read };
> > > allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
> > > allow xdm_t udev_var_run_t:file { getattr open read };
> > >
> > > #!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
> > > allow xdm_t user_home_dir_t:dir create;
> > > allow xdm_t user_home_dir_t:file { append create open read setattr write };
> > > allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read };
> > > allow xdm_t xdm_tmp_t:file execute;
> > > allow xdm_t xkb_var_lib_t:dir search;
> > > allow xdm_t xkb_var_lib_t:file { getattr open read };
> > >
> > > #============= xserver_t ==============
> > > allow xserver_t self:capability sys_ptrace;
> > > allow xserver_t staff_t:file { open read };
> > > allow xserver_t staff_t:lnk_file read;
> > > allow xserver_t xdm_t:file { open read };
> > > allow xserver_t xdm_t:lnk_file read;
> > >
> > >
> > > Thanks,
> > > Dave Sugar
> > > dsugar at tresys.com
> > > _______________________________________________
> > > refpolicy mailing list
> > > refpolicy at oss.tresys.com
> > > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
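As an added example (not code from the thread, from refpolicy or from any of the posters), the ranking Guido applied by hand can be turned into a small triage script: it parses the audit2allow lines quoted above, separates the `#!!!!` relabel notes from the allow rules, and sorts the rules into risk tiers. The tier thresholds and the `USER_DOMAINS` set are this example's own assumptions, chosen to mirror the ordering in the thread; they are not refpolicy rules.

```python
"""Triage audit2allow output the way the thread above does: relabel first,
then add the least risky rules, and look hard at anything that grants
capabilities, code execution from tmp, or writes into user data.

Added example for this thread; it is not code from refpolicy or from any of
the posters. The regexes match the `allow ...;` and `#!!!!` lines that
audit2allow prints (as quoted above); the tier thresholds and USER_DOMAINS
are this example's own assumptions.
"""
import re
from dataclasses import dataclass

ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\w+))\s*;$"
)
MISLABEL_RE = re.compile(r"^#?!!!! The file '(?P<path>[^']+)' is mislabeled")

# Assumed: user session domains whose objects a display manager should not touch.
USER_DOMAINS = {"staff_t", "user_t", "sysadm_t"}
WRITE_PERMS = {"write", "create", "append", "setattr", "unlink", "rmdir", "remove_name"}


@dataclass
class Rule:
    src: str
    tgt: str
    cls: str
    perms: frozenset
    tier: int = 1                      # 1 = routine ... 5 = most dangerous
    reason: str = "routine IPC, read or search access"

    def text(self):
        return f"allow {self.src} {self.tgt}:{self.cls} {{ {' '.join(sorted(self.perms))} }};"


def parse_allow(line):
    """Return a Rule for an `allow src tgt:cls perms;` line, else None."""
    m = ALLOW_RE.match(line.strip())
    if not m:
        return None
    perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
    return Rule(m["src"], m["tgt"], m["cls"], frozenset(perms))


def score(rule):
    """Assign a risk tier; the order of checks matters (first match wins)."""
    p = rule.perms
    if rule.cls == "capability":
        rule.tier, rule.reason = 5, "grants capability " + ",".join(sorted(p))
    elif "execute" in p and "tmp" in rule.tgt:
        rule.tier, rule.reason = 5, "executes code from a tmp/tmpfs type"
    elif rule.tgt.startswith("user_home") and p & WRITE_PERMS:
        rule.tier, rule.reason = 5, "modifies user home data"
    elif rule.tgt in USER_DOMAINS:
        rule.tier, rule.reason = 4, "reaches into a user session domain's objects"
    elif rule.tgt == "tmpfs_t" and p & WRITE_PERMS:
        rule.tier, rule.reason = 3, "writes generic tmpfs_t objects; check labeling first"
    elif rule.tgt.startswith("sysctl_"):
        rule.tier, rule.reason = 3, "reads kernel sysctl state"
    elif rule.cls.endswith("_socket"):
        rule.tier, rule.reason = 2, "opens a socket or netlink channel"
    elif "execute_no_trans" in p:
        rule.tier, rule.reason = 2, "executes a binary without a domain transition"
    return rule


def triage(lines):
    """Split audit2allow output into paths to relabel and rules sorted by tier."""
    relabel, rules = [], []
    for line in lines:
        m = MISLABEL_RE.match(line.strip())
        if m:
            relabel.append(m["path"])
            continue
        rule = parse_allow(line)
        if rule is not None:
            rules.append(score(rule))
    rules.sort(key=lambda r: (r.tier, r.src, r.tgt, r.cls))
    return {"relabel": relabel, "rules": rules}


# Constructed sample: a subset of the audit2allow output quoted in the thread.
SAMPLE = """\
#============= init_t ==============
allow init_t xdm_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t tmpfs_t:dir { remove_name write };
#!!!! The file '/run/user/42' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/user/42
allow systemd_logind_t user_runtime_root_t:dir mounton;
#============= xdm_t ==============
allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
allow xdm_t kernel_t:unix_stream_socket connectto;
allow xdm_t self:capability net_admin;
allow xdm_t staff_t:key { link search write };
allow xdm_t sysctl_vm_overcommit_t:file { open read };
allow xdm_t user_home_dir_t:file { append create open read setattr write };
allow xdm_t xdm_tmp_t:file execute;
#============= xserver_t ==============
allow xserver_t self:capability sys_ptrace;
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    for path in result["relabel"]:
        print(f"relabel first: restorecon -R -v {path}")
    for rule in result["rules"]:
        print(f"tier {rule.tier}: {rule.text()}  # {rule.reason}")
```

Run it directly to print the ranked list for the embedded sample; in practice feed it the output of `audit2allow -a`. A rule landing in tier 5 is the signal to look for a labeling, boolean or module fix rather than to add the rule, which is the same advice Guido gives above.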