2017-02-20 05:35:25

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] [PATCH] yet another draft of systemd patch 1

Here's another version of that patch against today's git repository and with
changes suggested by Nicolas Iooss.

Index: refpolicy-2.20170220/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/udev.if
+++ refpolicy-2.20170220/policy/modules/system/udev.if
@@ -282,6 +282,26 @@ interface(`udev_manage_pid_dirs',`

########################################
## <summary>
+## Allow process to relabelto udev database
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_relabelto_db',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 udev_var_run_t:file relabelto_file_perms;
+ allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+')
+
+########################################
+## <summary>
## Read udev pid files.
## </summary>
## <param name="domain">
Index: refpolicy-2.20170220/policy/modules/kernel/devices.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/kernel/devices.te
+++ refpolicy-2.20170220/policy/modules/kernel/devices.te
@@ -21,6 +21,9 @@ files_mountpoint(device_t)
files_associate_tmp(device_t)
fs_xattr_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
+optional_policy(`
+ systemd_tmpfiles_manage_object(device_t, fifo_file)
+')

#
# Type for /dev/agpgart
Index: refpolicy-2.20170220/policy/modules/kernel/files.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/kernel/files.te
+++ refpolicy-2.20170220/policy/modules/kernel/files.te
@@ -174,6 +174,10 @@ type var_run_t;
files_pid_file(var_run_t)
files_mountpoint(var_run_t)

+optional_policy(`
+ systemd_tmpfiles_manage_object(var_run_t, lnk_file)
+')
+
#
# var_spool_t is the type of /var/spool
#
Index: refpolicy-2.20170220/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20170220/policy/modules/kernel/kernel.te
@@ -361,6 +361,8 @@ optional_policy(`

optional_policy(`
init_sigchld(kernel_t)
+ init_dyntrans(kernel_t)
+ domain_dyntrans_type(kernel_t)
')

optional_policy(`
Index: refpolicy-2.20170220/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20170220/policy/modules/system/authlogin.te
@@ -30,6 +30,9 @@ role system_r types chkpwd_t;

type faillog_t;
logging_log_file(faillog_t)
+optional_policy(`
+ systemd_tmpfiles_manage_object(faillog_t, file)
+')

type lastlog_t;
logging_log_file(lastlog_t)
@@ -81,6 +84,9 @@ application_domain(utempter_t, utempter_
#
type var_auth_t;
files_type(var_auth_t)
+optional_policy(`
+ systemd_tmpfiles_manage_object(var_auth_t, dir)
+')

type wtmp_t;
logging_log_file(wtmp_t)
Index: refpolicy-2.20170220/policy/modules/system/init.fc
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/init.fc
+++ refpolicy-2.20170220/policy/modules/system/init.fc
@@ -57,6 +57,8 @@ ifdef(`distro_gentoo', `
/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)

ifdef(`distro_debian',`
Index: refpolicy-2.20170220/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/init.if
+++ refpolicy-2.20170220/policy/modules/system/init.if
@@ -127,7 +127,11 @@ interface(`init_domain',`

role system_r types $1;

- domtrans_pattern(init_t, $2, $1)
+ ifdef(`init_systemd', `
+ domtrans_pattern(init_t, $2, $1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')

ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
@@ -164,10 +168,12 @@ interface(`init_ranged_domain',`

ifdef(`enable_mcs',`
range_transition init_t $2:process $3;
+ range_transition initrc_t $2:process $3;
')

ifdef(`enable_mls',`
range_transition init_t $2:process $3;
+ range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
')
')
@@ -210,8 +216,10 @@ interface(`init_ranged_domain',`
interface(`init_daemon_domain',`
gen_require(`
type initrc_t;
+ type init_t;
role system_r;
attribute daemon;
+ attribute initrc_transition_domain;
')

typeattribute $1 daemon;
@@ -223,6 +231,12 @@ interface(`init_daemon_domain',`

domtrans_pattern(initrc_t, $2, $1)

+ ifdef(`init_systemd', `
+ domtrans_pattern(init_t, $2, $1)
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')
+
# daemons started from init will
# inherit fds from init for the console
init_dontaudit_use_fds($1)
@@ -292,6 +306,7 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
+ type init_t;
')

ifdef(`init_systemd',`
@@ -301,11 +316,13 @@ interface(`init_ranged_daemon_domain',`

ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
+ range_transition init_t $2:process $3;
')

ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
+ range_transition init_t $2:process $3;
')
')
')
@@ -400,8 +417,10 @@ interface(`init_system_domain',`
gen_require(`
type initrc_t;
role system_r;
+ attribute systemprocess;
')

+ typeattribute $1 systemprocess;
application_domain($1, $2)

role system_r types $1;
@@ -459,6 +478,7 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
+ type init_t;
')

ifdef(`init_systemd',`
@@ -468,15 +488,35 @@ interface(`init_ranged_system_domain',`

ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
+ range_transition init_t $2:process $3;
')

ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
+ range_transition init_t $2:process $3;
mls_rangetrans_target($1)
')
')
')

+######################################
+## <summary>
+## Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_dyntrans',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dyntrans_pattern($1, init_t)
+')
+
########################################
## <summary>
## Mark the file type as a daemon pid file, allowing initrc_t
@@ -675,6 +715,7 @@ interface(`init_stream_connect',`

stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
files_search_pids($1)
+ allow $1 init_t:unix_stream_socket getattr;
')

########################################
@@ -1195,19 +1236,25 @@ interface(`init_telinit',`
type initctl_t;
')

+ corecmd_exec_bin($1)
+
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;

init_exec($1)

- tunable_policy(`init_upstart',`
+ ifdef(`init_systemd',`
gen_require(`
type init_t;
')

+ ps_process_pattern($1, init_t)
+ allow $1 init_t:process signal;
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
+ #576913
+ allow $1 init_t:unix_stream_socket connectto;
')
')

@@ -1217,7 +1264,7 @@ interface(`init_telinit',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -1315,18 +1362,21 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
- type initrc_t, initrc_exec_t;
+ type initrc_t;
+ attribute init_script_file_type;
+ attribute initrc_transition_domain;
')
+ typeattribute $1 initrc_transition_domain;

files_list_etc($1)
- domtrans_pattern($1, initrc_exec_t, initrc_t)
+ domtrans_pattern($1, init_script_file_type, initrc_t)

ifdef(`enable_mcs',`
- range_transition $1 initrc_exec_t:process s0;
+ range_transition $1 init_script_file_type:process s0;
')

ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
')
')

@@ -1402,9 +1452,14 @@ interface(`init_manage_script_service',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
+ attribute initrc_transition_domain;
')

+ typeattribute $1 initrc_transition_domain;
+ # service script searches all filesystems via mountpoint
+ fs_search_all($1)
domtrans_pattern($1, $2, initrc_t)
+ allow $1 $2:file ioctl;
files_search_etc($1)
')

@@ -1536,9 +1591,10 @@ interface(`init_run_daemon',`
interface(`init_startstop_all_script_services',`
gen_require(`
attribute init_script_file_type;
+ class service { start status stop reload };
')

- allow $1 init_script_file_type:service { start status stop };
+ allow $1 init_script_file_type:service { start status stop reload };
')

########################################
@@ -1746,12 +1802,7 @@ interface(`init_read_script_state',`
')

kernel_search_proc($1)
- read_files_pattern($1, initrc_t, initrc_t)
- read_lnk_files_pattern($1, initrc_t, initrc_t)
- list_dirs_pattern($1, initrc_t, initrc_t)
-
- # should move this to separate interface
- allow $1 initrc_t:process getattr;
+ ps_process_pattern($1, initrc_t)
')

########################################
@@ -2335,7 +2386,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')

- dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+ dontaudit $1 initrc_var_run_t:file rw_file_perms;
')

########################################
@@ -2376,6 +2427,25 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')

+#######################################
+## <summary>
+## Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir list_dir_perms;
+ create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
@@ -2550,6 +2620,43 @@ interface(`init_start_all_units',`
allow $1 systemdunit:service start;
')

+#######################################
+## <summary>
+## Allow the specified domain to write to
+## init sock file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_pipes',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
########################################
## <summary>
## Stop all systemd units.
@@ -2587,3 +2694,21 @@ interface(`init_reload_all_units',`

allow $1 systemdunit:service reload;
')
+
+########################################
+## <summary>
+## Rename and unlink init_var_run_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## domain
+## </summary>
+## </param>
+#
+interface(`rename_unlink_init_var_run',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:file { rename getattr unlink };
+')
Index: refpolicy-2.20170220/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/init.te
+++ refpolicy-2.20170220/policy/modules/system/init.te
@@ -16,13 +16,29 @@ gen_require(`
## </desc>
gen_tunable(init_upstart, false)

+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty, false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core, false)
+
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
attribute systemdunit;
+attribute initrc_transition_domain;

# Mark process types as daemons
attribute daemon;
+attribute systemprocess;

# Mark file type as a daemon pid file
attribute daemonpidfile;
@@ -33,7 +49,7 @@ attribute daemonrundir;
#
# init_t is the domain of the init process.
#
-type init_t;
+type init_t, initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
@@ -66,6 +82,7 @@ type initrc_exec_t, init_script_file_typ
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
init_named_socket_activation(initrc_t, init_var_run_t)
+allow init_run_all_scripts_domain systemdunit:service { status start stop };
role system_r types initrc_t;
# should be part of the true block
# of the below init_upstart tunable
@@ -110,6 +127,7 @@ ifdef(`enable_mls',`

# Use capabilities. old rule:
allow init_t self:capability ~sys_module;
+allow init_t self:capability2 { wake_alarm block_suspend };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -128,6 +146,9 @@ allow init_t initrc_t:unix_stream_socket
allow init_t init_var_run_t:file manage_file_perms;
files_pid_filetrans(init_t, init_var_run_t, file)

+# for systemd to manage service file symlinks
+allow init_t init_var_run_t:file manage_lnk_file_perms;
+
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)

@@ -147,6 +168,7 @@ dev_rw_generic_chr_files(init_t)

domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
+domain_getattr_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
@@ -355,6 +377,11 @@ optional_policy(`
')

optional_policy(`
+ udev_read_db(init_t)
+ udev_relabelto_db(init_t)
+')
+
+optional_policy(`
unconfined_domain(init_t)
')

@@ -408,6 +435,7 @@ manage_files_pattern(initrc_t, initrc_tm
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;

manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -450,6 +478,7 @@ corenet_sendrecv_all_client_packets(init

dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
@@ -460,8 +489,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -469,17 +500,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)

domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -487,6 +517,7 @@ domain_dontaudit_getattr_all_udp_sockets
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)

files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -494,8 +525,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
@@ -509,8 +542,12 @@ files_manage_generic_spool(initrc_t)
# cjp: not sure why these are here; should use mount policy
files_list_default(initrc_t)
files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)

-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -520,9 +557,13 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)

# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
+mcs_file_read_all(initrc_t)
+mcs_file_write_all(initrc_t)
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)

@@ -532,6 +573,7 @@ mls_process_read_all_levels(initrc_t)
mls_process_write_all_levels(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)

selinux_get_enforce_mode(initrc_t)

@@ -563,7 +605,11 @@ logging_read_audit_config(initrc_t)

miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
+
+optional_policy(`
+ init_get_system_status(initrc_t)
+')

seutil_read_config(initrc_t)

@@ -571,7 +617,7 @@ userdom_read_user_home_content_files(ini
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)

ifdef(`distro_debian',`
kernel_getattr_core_if(initrc_t)
@@ -643,6 +689,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)

optional_policy(`
+ abrt_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
alsa_read_lib(initrc_t)
')

@@ -663,7 +713,7 @@ ifdef(`distro_redhat',`

# Red Hat systems seem to have a stray
# fd open from the initrd
- kernel_dontaudit_use_fds(initrc_t)
+ kernel_use_fds(initrc_t)
files_dontaudit_read_root_files(initrc_t)

# These seem to be from the initrd
@@ -698,6 +748,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
+ miscfiles_filetrans_named_content(initrc_t)

miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -707,8 +758,35 @@ ifdef(`distro_redhat',`
')

optional_policy(`
+ abrt_manage_pid_files(initrc_t)
+ ')
+
+ optional_policy(`
bind_manage_config_dirs(initrc_t)
+ bind_manage_config(initrc_t)
bind_write_config(initrc_t)
+ bind_setattr_zone_dirs(initrc_t)
+ ')
+
+ optional_policy(`
+ devicekit_append_inherited_log_files(initrc_t)
+ ')
+
+ optional_policy(`
+ dirsrvadmin_read_config(initrc_t)
+ dirsrv_manage_var_run(initrc_t)
+ ')
+
+ optional_policy(`
+ gnome_manage_gconf_config(initrc_t)
+ ')
+
+ optional_policy(`
+ ldap_read_db_files(initrc_t)
+ ')
+
+ optional_policy(`
+ pulseaudio_stream_connect(initrc_t)
')

optional_policy(`
@@ -716,14 +794,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
+ optional_policy(`
+ rpcbind_stream_connect(initrc_t)
+ ')

optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
sysnet_manage_config(initrc_t)
+ sysnet_manage_dhcpc_state(initrc_t)
+ sysnet_relabelfrom_dhcpc_state(initrc_t)
+ sysnet_relabelfrom_net_conf(initrc_t)
+ sysnet_relabelto_net_conf(initrc_t)
+ sysnet_filetrans_named_content(initrc_t)
+ ')
+
+ optional_policy(`
+ wdmd_manage_pid_files(initrc_t)
')

optional_policy(`
xserver_delete_log(initrc_t)
+ xserver_manage_user_fonts_dir(initrc_t)
')
')

@@ -746,9 +837,11 @@ ifdef(`init_systemd',`
files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)

create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+ allow initrc_t systemd_unit_t:service reload;

manage_files_pattern(initrc_t, systemdunit, systemdunit)
manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+ allow initrc_t systemdunit:service reload;

kernel_dgram_send(initrc_t)

@@ -781,6 +874,8 @@ ifdef(`init_systemd',`
seutil_read_file_contexts(initrc_t)

systemd_start_power_units(initrc_t)
+ allow initrc_t init_t:system { status reboot halt reload };
+ dev_manage_null_service(initrc_t)

optional_policy(`
# create /var/lock/lvm/
@@ -788,6 +883,32 @@ ifdef(`init_systemd',`
')
')

+domain_dontaudit_use_interactive_fds(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
+ term_use_generic_ptys(daemon)
+ term_use_all_ttys(daemon)
+ term_use_all_ptys(daemon)
+',`
+ term_dontaudit_use_unallocated_ttys(daemon)
+ term_dontaudit_use_generic_ptys(daemon)
+ term_dontaudit_use_all_ttys(daemon)
+ term_dontaudit_use_all_ptys(daemon)
+ ')
+
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+ files_manage_root_files(daemon)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+ unconfined_dontaudit_rw_stream(daemon)
+ userdom_dontaudit_read_user_tmp_files(daemon)
+ userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -800,6 +921,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
+ # webmin seems to cause this.
+ apache_search_sys_content(daemon)
')

optional_policy(`
@@ -821,6 +944,7 @@ optional_policy(`

optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
+ domain_setpriority_all_domains(initrc_t)
')

optional_policy(`
@@ -837,6 +961,12 @@ optional_policy(`
')

optional_policy(`
+ cron_read_pipes(initrc_t)
+ # managing /etc/cron.d/mailman content
+ cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
dev_getattr_printer_dev(initrc_t)

cups_read_log(initrc_t)
@@ -853,9 +983,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
+ dbus_manage_lib_files(initrc_t)
+
+ init_dbus_chat(initrc_t)

optional_policy(`
consolekit_dbus_chat(initrc_t)
+ consolekit_manage_log(initrc_t)
')

optional_policy(`
@@ -897,6 +1031,11 @@ optional_policy(`
')

optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
inn_exec_config(initrc_t)
')

@@ -937,6 +1076,7 @@ optional_policy(`
lpd_list_spool(initrc_t)

lpd_read_config(initrc_t)
+ lpd_manage_spool(init_t)
')

optional_policy(`
@@ -960,6 +1100,7 @@ optional_policy(`

optional_policy(`
mta_read_config(initrc_t)
+ mta_write_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')

@@ -982,6 +1123,10 @@ optional_policy(`
')

optional_policy(`
+ plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -994,6 +1139,7 @@ optional_policy(`
puppet_rw_tmp(initrc_t)
')

+
optional_policy(`
quota_manage_flags(initrc_t)
')
@@ -1024,8 +1170,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)

- # why is this needed:
- rpm_manage_db(initrc_t)
')

optional_policy(`
@@ -1043,10 +1187,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')

+ifdef(`enabled_mls',`
optional_policy(`
# allow init scripts to su
su_restricted_domain_template(initrc, initrc_t, system_r)
')
+')

optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -1062,7 +1208,6 @@ optional_policy(`
')

optional_policy(`
- udev_rw_db(initrc_t)
udev_manage_pid_files(initrc_t)
udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
@@ -1079,6 +1224,10 @@ optional_policy(`

optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
+ mcs_file_read_all(initrc_t)
+ mcs_file_write_all(initrc_t)
+ mcs_killall(initrc_t)

ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -1088,6 +1237,15 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
+
+ optional_policy(`
+ rtkit_scheduled(initrc_t)
+ ')
+')
+
+optional_policy(`
+ rpm_read_db(initrc_t)
+ rpm_delete_db(initrc_t)
')

optional_policy(`
@@ -1113,3 +1271,265 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
+
+userdom_dontaudit_rw_stream(daemon)
+
+logging_inherit_append_all_logs(daemon)
+
+optional_policy(`
+ # sudo service restart causes this
+ unconfined_signull(daemon)
+')
+
+
+optional_policy(`
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(daemon)
+ ')
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(daemon)
+ ')
+')
+
+init_rw_script_stream_sockets(daemon)
+
+optional_policy(`
+ abrt_stream_connect(daemon)
+')
+
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
+
+init_rw_stream_sockets(daemon)
+
+allow init_t var_run_t:dir relabelto;
+
+init_stream_connect(initrc_t)
+init_start_all_units(initrc_t)
+init_stop_all_units(initrc_t)
+
+allow initrc_t daemon:process siginh;
+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow daemon initrc_transition_domain:fd use;
+
+storage_raw_rw_fixed_disk(init_t)
+
+optional_policy(`
+ modutils_domtrans_insmod(init_t)
+')
+
+optional_policy(`
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
+')
+
+ifdef(`init_systemd',`
+ allow init_t self:system { status reboot halt reload };
+
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate setrlimit };
+ allow init_t self:process { getcap setcap };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ # Until systemd is fixed
+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+ allow init_t self:udp_socket create_socket_perms;
+ allow init_t self:netlink_route_socket create_netlink_socket_perms;
+ allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+ allow init_t self:capability2 audit_read;
+
+ kernel_list_unlabeled(init_t)
+ kernel_read_network_state(init_t)
+ kernel_rw_kernel_sysctl(init_t)
+ kernel_rw_net_sysctls(init_t)
+ kernel_read_all_sysctls(init_t)
+ kernel_read_software_raid_state(init_t)
+ kernel_unmount_debugfs(init_t)
+ kernel_setsched(init_t)
+
+ dev_write_kmsg(init_t)
+ dev_write_urand(init_t)
+ dev_rw_lvm_control(init_t)
+ dev_rw_autofs(init_t)
+ dev_manage_generic_symlinks(init_t)
+ dev_manage_generic_dirs(init_t)
+ dev_manage_generic_files(init_t)
+ dev_read_generic_chr_files(init_t)
+ dev_relabel_generic_dev_dirs(init_t)
+ dev_relabel_all_dev_nodes(init_t)
+ dev_relabel_all_dev_files(init_t)
+ dev_manage_sysfs_dirs(init_t)
+ dev_relabel_sysfs_dirs(init_t)
+ # systemd writes to /dev/watchdog on shutdown
+ dev_write_watchdog(init_t)
+
+ files_search_all(init_t)
+ files_mounton_all_mountpoints(init_t)
+ files_unmount_all_file_type_fs(init_t)
+ files_manage_all_pid_dirs(init_t)
+ files_manage_generic_tmp_dirs(init_t)
+ files_relabel_all_pid_dirs(init_t)
+ files_relabel_all_pid_files(init_t)
+ files_create_all_pid_sockets(init_t)
+ files_delete_all_pids(init_t)
+ files_exec_generic_pid_files(init_t)
+ files_create_all_pid_pipes(init_t)
+ files_create_all_spool_sockets(init_t)
+ files_delete_all_spool_sockets(init_t)
+ files_manage_urandom_seed(init_t)
+ files_list_locks(init_t)
+ files_list_spool(init_t)
+ files_list_var(init_t)
+ files_create_lock_dirs(init_t)
+ files_relabel_all_lock_dirs(init_t)
+
+ fs_getattr_all_fs(init_t)
+ fs_manage_cgroup_dirs(init_t)
+ fs_manage_cgroup_files(init_t)
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_manage_tmpfs_dirs(init_t)
+ fs_mount_all_fs(init_t)
+ fs_unmount_all_fs(init_t)
+ fs_remount_all_fs(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_search_cgroup_dirs(daemon)
+
+ selinux_compute_create_context(init_t)
+ selinux_validate_context(init_t)
+ selinux_unmount_fs(init_t)
+
+ storage_getattr_removable_dev(init_t)
+
+ term_relabel_ptys_dirs(init_t)
+
+ auth_relabel_login_records(init_t)
+ auth_relabel_pam_console_data_dirs(init_t)
+
+ init_read_script_state(init_t)
+
+ seutil_read_file_contexts(init_t)
+
+
+ systemd_manage_unit_dirs_files(init_t)
+
+ allow initrc_t init_script_file_type:service { stop start status reload };
+
+
+')
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
+optional_policy(`
+ systemd_filetrans_named_content(init_t)
+')
+
+optional_policy(`
+ lvm_rw_pipes(init_t)
+')
+
+ifdef(`init_systemd',`
+ allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+ allow init_t daemon:unix_dgram_socket create_socket_perms;
+ allow init_t daemon:tcp_socket create_stream_socket_perms;
+ allow init_t daemon:udp_socket create_socket_perms;
+ allow daemon init_t:unix_dgram_socket sendto;
+ # need write to /var/run/systemd/notify
+ init_write_pid_socket(daemon)
+ allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+# daemons started from init will
+# inherit fds from init for the console
+init_dontaudit_use_fds(daemon)
+term_dontaudit_use_console(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+allow init_t daemon:process siginh;
+
+ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_rhel4',`
+ kernel_dontaudit_use_fds(daemon)
+ ')
+
+ dontaudit daemon init_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ nscd_socket_use(daemon)
+')
+
+optional_policy(`
+ puppet_rw_tmp(daemon)
+')
+
+allow initrc_t systemprocess:process siginh;
+allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow systemprocess initrc_transition_domain:fd use;
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+
+ifdef(`init_systemd',`
+ # Handle upstart/systemd direct transition to a executable
+ allow init_t systemprocess:process { dyntransition siginh };
+ allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+ allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+ allow systemprocess init_t:unix_dgram_socket sendto;
+ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+')
+
+ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+ # fds open from the initrd
+ ifdef(`distro_rhel4',`
+ kernel_dontaudit_use_fds(systemprocess)
+ ')
+')
+
+userdom_dontaudit_search_user_home_dirs(systemprocess)
+userdom_dontaudit_rw_stream(systemprocess)
+userdom_dontaudit_write_user_tmp_files(systemprocess)
+
+tunable_policy(`allow_daemons_use_tty',`
+ term_use_all_ttys(systemprocess)
+ term_use_all_ptys(systemprocess)
+',`
+ term_dontaudit_use_all_ttys(systemprocess)
+ term_dontaudit_use_all_ptys(systemprocess)
+')
+
+# these apps are often redirect output to random log files
+logging_inherit_append_all_logs(systemprocess)
+
+optional_policy(`
+ abrt_stream_connect(systemprocess)
+')
+
+optional_policy(`
+ cron_rw_pipes(systemprocess)
+')
+
+optional_policy(`
+ puppet_rw_tmp(systemprocess)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(systemprocess)
+ unconfined_dontaudit_rw_stream(systemprocess)
+ userdom_dontaudit_read_user_tmp_files(systemprocess)
+')
+
+init_rw_script_stream_sockets(systemprocess)
+
+role system_r types systemprocess;
+role system_r types daemon;
+
+#ifdef(`enable_mls',`
+# mls_rangetrans_target(systemprocess)
+#')
+
Index: refpolicy-2.20170220/policy/modules/system/logging.fc
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/logging.fc
+++ refpolicy-2.20170220/policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)

/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -80,3 +81,10 @@ ifdef(`distro_redhat',`
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)

/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
Index: refpolicy-2.20170220/policy/modules/system/miscfiles.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/miscfiles.te
+++ refpolicy-2.20170220/policy/modules/system/miscfiles.te
@@ -40,6 +40,9 @@ files_type(locale_t)
#
type man_t alias catman_t;
files_type(man_t)
+optional_policy(`
+ systemd_tmpfiles_manage_object(man_t, dir)
+')

type man_cache_t;
files_type(man_cache_t)
Index: refpolicy-2.20170220/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/logging.te
+++ refpolicy-2.20170220/policy/modules/system/logging.te
@@ -94,6 +94,26 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')

+ifdef(`init_systemd', `
+ dev_read_kmsg(syslogd_t)
+ dev_write_kmsg(syslogd_t)
+ allow syslogd_t self:capability sys_ptrace;
+ init_read_pipes(syslogd_t)
+ init_read_state(syslogd_t)
+ allow syslogd_t init_var_run_t:file { read write create open };
+ allow syslogd_t var_run_t:dir create;
+ init_create_pid_dirs(syslogd_t)
+ kernel_read_ring_buffer(syslogd_t)
+ dev_read_urand(syslogd_t)
+ domain_read_all_domains_state(syslogd_t)
+ systemd_manage_journal_files(syslogd_t)
+
+ # for systemd-journal
+ allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+ allow syslogd_t self:capability2 audit_read;
+ rename_unlink_init_var_run(syslogd_t)
+')
+
########################################
#
# Auditctl local policy
@@ -230,6 +250,9 @@ optional_policy(`
udev_read_db(auditd_t)
')

+# for systemd but can not be conditional
+filetrans_pattern(syslogd_t, var_run_t, syslogd_tmp_t, dir, "log")
+
########################################
#
# audit dispatcher local policy
@@ -396,6 +419,9 @@ allow syslogd_t syslog_conf_t:file read_
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
+
+seutil_read_config(syslogd_t)

# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -416,6 +442,7 @@ files_search_var_lib(syslogd_t)
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+allow syslogd_t syslogd_var_run_t:dir create_dir_perms;

kernel_read_system_state(syslogd_t)
kernel_read_network_state(syslogd_t)
Index: refpolicy-2.20170220/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170220/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`

########################################
## <summary>
+## Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
@@ -4225,6 +4244,24 @@ interface(`dev_relabel_all_sysfs',`
')

########################################
+## <summary>
+## Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
## <summary>
## Read and write the TPM device.
## </summary>
Index: refpolicy-2.20170220/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170220/policy/modules/system/logging.if
@@ -822,6 +822,24 @@ interface(`logging_append_all_logs',`

########################################
## <summary>
+## Append to all log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_inherit_append_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
+## <summary>
## Read all log files.
## </summary>
## <param name="domain">
Index: refpolicy-2.20170220/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170220/policy/modules/system/userdomain.if
@@ -1111,6 +1111,10 @@ template(`userdom_unpriv_user_template',
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1_t)
+ ')
')

#######################################
@@ -3231,6 +3235,35 @@ interface(`userdom_use_user_ptys',`

########################################
## <summary>
+## Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and write inherited user
+## TTYs and PTYs. This will allow the domain to
+## interact with the user via the terminal. Typically
+## all interactive applications will require this
+## access.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
## Read and write a user TTYs and PTYs.
## </summary>
## <desc>
@@ -3835,3 +3868,41 @@ interface(`userdom_dbus_send_all_users',

allow $1 userdomain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to write users
+## temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_stream',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
Index: refpolicy-2.20170220/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20170220/policy/modules/system/authlogin.if
@@ -155,9 +155,18 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)

+ userdom_search_user_runtime($1)
+ userdom_read_user_tmpfs_files($1)
+
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
+
+ optional_policy(`
+ systemd_read_logind_state($1)
+ systemd_write_inherited_logind_sessions_pipes($1)
+ systemd_passwd_agent_inherits_fd($1)
+ ')
')

########################################
Index: refpolicy-2.20170220/policy/modules/kernel/terminal.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/kernel/terminal.if
+++ refpolicy-2.20170220/policy/modules/kernel/terminal.if
@@ -500,6 +500,24 @@ interface(`term_list_ptys',`

########################################
## <summary>
+## Relabel the /dev/pts directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_ptys_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
Index: refpolicy-2.20170220/policy/modules/system/lvm.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/lvm.if
+++ refpolicy-2.20170220/policy/modules/system/lvm.if
@@ -187,3 +187,21 @@ interface(`lvm_admin',`
files_search_tmp($1)
admin_pattern($1, lvm_tmp_t)
')
+
+########################################
+## <summary>
+## Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_rw_pipes',`
+ gen_require(`
+ type lvm_var_run_t;
+ ')
+
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
Index: refpolicy-2.20170220/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170220/policy/modules/kernel/files.if
@@ -6529,6 +6529,25 @@ interface(`files_dontaudit_ioctl_all_pid

########################################
## <summary>
+## manage all pidfile directories
+## in the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ manage_dirs_pattern($1,pidfile,pidfile)
+')
+
+########################################
+## <summary>
## Read all process ID files.
## </summary>
## <param name="domain">
@@ -6551,6 +6570,42 @@ interface(`files_read_all_pids',`

########################################
## <summary>
+## Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Relable all pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
## Delete all process IDs.
## </summary>
## <param name="domain">
@@ -6898,3 +6953,100 @@ interface(`files_unconfined',`

typeattribute $1 files_unconfined_type;
')
+
+########################################
+## <summary>
+## Create a core files in /
+## </summary>
+## <desc>
+## <p>
+## Create a core file in /,
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+## <summary>
+## Create all pid sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create all pid named pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Create all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Delete all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
Index: refpolicy-2.20170220/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170220/policy/modules/system/systemd.if
@@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
')

files_search_pids($1)
- read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+ allow $1 systemd_logind_var_run_t:dir list_dir_perms;
+ allow $1 systemd_logind_var_run_t:file read_file_perms;
')

######################################
@@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
allow $1 systemd_logind_t:fd use;
')

+######################################
+## <summary>
+## Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_t, systemd_sessions_var_run_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_sessions_var_run_t:fifo_file write;
+ allow systemd_logind_t $1:process signal;
+')
+
########################################
## <summary>
## Send and receive messages from
@@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
')

+#######################################
+## <summary>
+## Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+## type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_manage_object',`
+ gen_require(`
+ type systemd_tmpfiles_t;
+ ')
+
+ allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
########################################
## <summary>
## Allow process to relabel to systemd_kmod_conf_t.
@@ -137,6 +181,83 @@ interface(`systemd_relabelto_kmod_files'

########################################
## <summary>
+## allow systemd_passwd_agent to inherit fds
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that owns the fds
+## </summary>
+## </param>
+#
+interface(`systemd_passwd_agent_inherits_fd',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ ')
+
+ allow systemd_passwd_agent_t $1:fd use;
+')
+
+########################################
+## <summary>
+## Transition to systemd named content
+## need a better name for this
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_filetrans_named_content',`
+ gen_require(`
+ type systemd_passwd_var_run_t;
+ ')
+
+ init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+ init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+## manage systemd unit dirs and the files in them
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_unit_dirs_files',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ manage_dirs_pattern($1, systemdunit, systemdunit)
+ manage_files_pattern($1, systemdunit, systemdunit)
+ manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+## Allow domain to create/manage systemd_journal_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_journal_files',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+ manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
+########################################
+## <summary>
## Allow systemd_logind_t to read process state for cgroup file
## </summary>
## <param name="domain">
@@ -209,3 +330,4 @@ interface(`systemd_start_power_units',`

allow $1 power_unit_t:service start;
')
+
Index: refpolicy-2.20170220/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170220/policy/modules/system/systemd.te
@@ -12,6 +12,14 @@ policy_module(systemd, 1.3.3)
## </desc>
gen_tunable(systemd_tmpfiles_manage_all, false)

+## <desc>
+## <p>
+## Allow systemd-nspawn to create a labelled namespace with the same types
+## as parent environment
+## </p>
+## </desc>
+gen_tunable(systemd_nspawn_labeled_namespace, false)
+
attribute systemd_log_parse_env_type;

type systemd_activate_t;
@@ -45,6 +53,13 @@ domain_type(systemd_cgroups_t)
domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
role system_r types systemd_cgroups_t;

+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
+
+type systemd_journal_t;
+files_type(systemd_journal_t)
+
type systemd_cgroups_var_run_t;
files_pid_file(systemd_cgroups_var_run_t)
init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
@@ -57,6 +72,9 @@ type systemd_coredump_t;
type systemd_coredump_exec_t;
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)

+type systemd_coredump_var_lib_t;
+files_type(systemd_coredump_var_lib_t)
+
type systemd_detect_virt_t;
type systemd_detect_virt_exec_t;
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
@@ -85,9 +103,18 @@ type systemd_machined_t;
type systemd_machined_exec_t;
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)

+type systemd_machined_var_run_t;
+files_pid_file(systemd_machined_var_run_t)
+init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+
type systemd_nspawn_t;
type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+kernel_unconfined(systemd_nspawn_t)
+
+type systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_var_run_t)
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)

type systemd_resolved_t;
type systemd_resolved_exec_t;
@@ -108,6 +135,9 @@ type systemd_passwd_agent_t;
type systemd_passwd_agent_exec_t;
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)

+type systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_var_run_t)
+
type systemd_sessions_t;
type systemd_sessions_exec_t;
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
@@ -122,6 +152,12 @@ type systemd_kmod_conf_t;
files_config_file(systemd_kmod_conf_t)
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)

+manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+logging_log_file(systemd_journal_t)
+
#
# Unit file types
#
@@ -140,29 +176,28 @@ dontaudit systemd_log_parse_env_type sel
kernel_read_system_state(systemd_log_parse_env_type)

dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
init_read_state(systemd_log_parse_env_type)
-
logging_send_syslog_msg(systemd_log_parse_env_type)
+term_use_console(systemd_log_parse_env_type)

######################################
#
# Backlight local policy
#

+allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
+
allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
-init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
-
systemd_log_parse_environment(systemd_backlight_t)

# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
dev_rw_sysfs(systemd_backlight_t)
-
+# for udev.conf
files_read_etc_files(systemd_backlight_t)

+init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
+# for /run/udev/data/+backlight*
udev_read_pid_files(systemd_backlight_t)

#######################################
@@ -304,7 +339,6 @@ init_pid_filetrans(systemd_resolved_t, s

kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
-kernel_read_system_state(systemd_resolved_t)

corenet_tcp_bind_generic_node(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
Index: refpolicy-2.20170220/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20170220/policy/modules/system/systemd.fc
@@ -7,6 +7,7 @@
/usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)

/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
@@ -32,14 +33,20 @@
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)

/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)

/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)

/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
+/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
+
+/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
+/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
Index: refpolicy-2.20170220/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170220/policy/modules/system/unconfined.if
@@ -587,3 +587,22 @@ interface(`unconfined_dbus_connect',`

allow $1 unconfined_t:dbus acquire_svc;
')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unconfined domain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
+++ refpolicy-2.20170220/policy/modules/contrib/cron.if
@@ -891,3 +891,22 @@ interface(`cron_admin',`
files_search_spool($1)
admin_pattern($1, cron_spool_type)
')
+
+########################################
+## <summary>
+## Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')


2017-02-20 15:07:42

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH] yet another draft of systemd patch 1

On 02/20/17 00:35, Russell Coker via refpolicy wrote:
> Here's another version of that patch against today's git repository and with
> changes suggested by Nicolas Iooss.

I have some further comments.


> Index: refpolicy-2.20170220/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20170220/policy/modules/system/udev.if
> @@ -282,6 +282,26 @@ interface(`udev_manage_pid_dirs',`
>
> ########################################
> ## <summary>
> +## Allow process to relabelto udev database
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_relabelto_db',`
> + gen_require(`
> + type udev_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 udev_var_run_t:file relabelto_file_perms;
> + allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read udev pid files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170220/policy/modules/kernel/devices.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/kernel/devices.te
> +++ refpolicy-2.20170220/policy/modules/kernel/devices.te
> @@ -21,6 +21,9 @@ files_mountpoint(device_t)
> files_associate_tmp(device_t)
> fs_xattr_type(device_t)
> fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> +optional_policy(`
> + systemd_tmpfiles_manage_object(device_t, fifo_file)
> +')
>
> #
> # Type for /dev/agpgart
> Index: refpolicy-2.20170220/policy/modules/kernel/files.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/kernel/files.te
> +++ refpolicy-2.20170220/policy/modules/kernel/files.te
> @@ -174,6 +174,10 @@ type var_run_t;
> files_pid_file(var_run_t)
> files_mountpoint(var_run_t)
>
> +optional_policy(`
> + systemd_tmpfiles_manage_object(var_run_t, lnk_file)
> +')
> +
> #
> # var_spool_t is the type of /var/spool
> #
> Index: refpolicy-2.20170220/policy/modules/kernel/kernel.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/kernel/kernel.te
> +++ refpolicy-2.20170220/policy/modules/kernel/kernel.te
> @@ -361,6 +361,8 @@ optional_policy(`
>
> optional_policy(`
> init_sigchld(kernel_t)
> + init_dyntrans(kernel_t)
> + domain_dyntrans_type(kernel_t)
> ')

I think these are redundant, otherwise systemd wouldn't work at all.


> optional_policy(`
> Index: refpolicy-2.20170220/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20170220/policy/modules/system/authlogin.te
> @@ -30,6 +30,9 @@ role system_r types chkpwd_t;
>
> type faillog_t;
> logging_log_file(faillog_t)
> +optional_policy(`
> + systemd_tmpfiles_manage_object(faillog_t, file)
> +')
>
> type lastlog_t;
> logging_log_file(lastlog_t)
> @@ -81,6 +84,9 @@ application_domain(utempter_t, utempter_
> #
> type var_auth_t;
> files_type(var_auth_t)
> +optional_policy(`
> + systemd_tmpfiles_manage_object(var_auth_t, dir)
> +')
>
> type wtmp_t;
> logging_log_file(wtmp_t)
> Index: refpolicy-2.20170220/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170220/policy/modules/system/init.fc
> @@ -57,6 +57,8 @@ ifdef(`distro_gentoo', `
> /run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
> /run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> /run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/run/sm-notify\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> /run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
>
> ifdef(`distro_debian',`
> Index: refpolicy-2.20170220/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170220/policy/modules/system/init.if
> @@ -127,7 +127,11 @@ interface(`init_domain',`
>
> role system_r types $1;
>
> - domtrans_pattern(init_t, $2, $1)
> + ifdef(`init_systemd', `
> + domtrans_pattern(init_t, $2, $1)
> + allow init_t $1:unix_stream_socket create_stream_socket_perms;
> + allow $1 init_t:unix_dgram_socket sendto;
> + ')

This would break sysvinit.



> @@ -164,10 +168,12 @@ interface(`init_ranged_domain',`
>
> ifdef(`enable_mcs',`
> range_transition init_t $2:process $3;
> + range_transition initrc_t $2:process $3;
> ')
>
> ifdef(`enable_mls',`
> range_transition init_t $2:process $3;
> + range_transition initrc_t $2:process $3;
> mls_rangetrans_target($1)
> ')
> ')
> @@ -210,8 +216,10 @@ interface(`init_ranged_domain',`
> interface(`init_daemon_domain',`
> gen_require(`
> type initrc_t;
> + type init_t;
> role system_r;
> attribute daemon;
> + attribute initrc_transition_domain;
> ')
>
> typeattribute $1 daemon;
> @@ -223,6 +231,12 @@ interface(`init_daemon_domain',`
>
> domtrans_pattern(initrc_t, $2, $1)
>
> + ifdef(`init_systemd', `
> + domtrans_pattern(init_t, $2, $1)
> + allow init_t $1:unix_stream_socket create_stream_socket_perms;
> + allow $1 init_t:unix_dgram_socket sendto;
> + ')
> +
> # daemons started from init will
> # inherit fds from init for the console
> init_dontaudit_use_fds($1)
> @@ -292,6 +306,7 @@ interface(`init_daemon_domain',`
> interface(`init_ranged_daemon_domain',`
> gen_require(`
> type initrc_t;
> + type init_t;
> ')
>
> ifdef(`init_systemd',`
> @@ -301,11 +316,13 @@ interface(`init_ranged_daemon_domain',`
>
> ifdef(`enable_mcs',`
> range_transition initrc_t $2:process $3;
> + range_transition init_t $2:process $3;
> ')
>
> ifdef(`enable_mls',`
> range_transition initrc_t $2:process $3;
> mls_rangetrans_target($1)
> + range_transition init_t $2:process $3;
> ')
> ')
> ')
> @@ -400,8 +417,10 @@ interface(`init_system_domain',`
> gen_require(`
> type initrc_t;
> role system_r;
> + attribute systemprocess;
> ')
>
> + typeattribute $1 systemprocess;
> application_domain($1, $2)
>
> role system_r types $1;
> @@ -459,6 +478,7 @@ interface(`init_system_domain',`
> interface(`init_ranged_system_domain',`
> gen_require(`
> type initrc_t;
> + type init_t;
> ')
>
> ifdef(`init_systemd',`
> @@ -468,15 +488,35 @@ interface(`init_ranged_system_domain',`
>
> ifdef(`enable_mcs',`
> range_transition initrc_t $2:process $3;
> + range_transition init_t $2:process $3;
> ')
>
> ifdef(`enable_mls',`
> range_transition initrc_t $2:process $3;
> + range_transition init_t $2:process $3;
> mls_rangetrans_target($1)
> ')
> ')
> ')

These above range_transitions don't look relevant to systemd as they're
in the else portion of the init_systemd blocks.



> +######################################
> +## <summary>
> +## Allow domain dyntransition to init_t domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dyntrans',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + dyntrans_pattern($1, init_t)
> +')
> +
> ########################################
> ## <summary>
> ## Mark the file type as a daemon pid file, allowing initrc_t
> @@ -675,6 +715,7 @@ interface(`init_stream_connect',`
>
> stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
> files_search_pids($1)
> + allow $1 init_t:unix_stream_socket getattr;

I'm reluctant to overload this interface. Are you sure this applies to
all processes that connect to init_t?em


> ')
>
> ########################################
> @@ -1195,19 +1236,25 @@ interface(`init_telinit',`
> type initctl_t;
> ')
>
> + corecmd_exec_bin($1)
> +
> dev_list_all_dev_nodes($1)
> allow $1 initctl_t:fifo_file rw_fifo_file_perms;
>
> init_exec($1)
>
> - tunable_policy(`init_upstart',`
> + ifdef(`init_systemd',`
> gen_require(`
> type init_t;
> ')
>
> + ps_process_pattern($1, init_t)
> + allow $1 init_t:process signal;
> # upstart uses a datagram socket instead of initctl pipe
> allow $1 self:unix_dgram_socket create_socket_perms;
> allow $1 init_t:unix_dgram_socket sendto;
> + #576913
> + allow $1 init_t:unix_stream_socket connectto;
> ')
> ')

I think making this block unconditional is probably called for because
of the tunable/ifdef "conflict" (should be enabled if systemd or upstart
but can't create a single expression for that). Even though sysvinit
doesn't use them, the perms aren't that bad.


> @@ -1217,7 +1264,7 @@ interface(`init_telinit',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> @@ -1315,18 +1362,21 @@ interface(`init_spec_domtrans_script',`
> #
> interface(`init_domtrans_script',`
> gen_require(`
> - type initrc_t, initrc_exec_t;
> + type initrc_t;
> + attribute init_script_file_type;
> + attribute initrc_transition_domain;
> ')
> + typeattribute $1 initrc_transition_domain;
>
> files_list_etc($1)
> - domtrans_pattern($1, initrc_exec_t, initrc_t)
> + domtrans_pattern($1, init_script_file_type, initrc_t)
>
> ifdef(`enable_mcs',`
> - range_transition $1 initrc_exec_t:process s0;
> + range_transition $1 init_script_file_type:process s0;
> ')
>
> ifdef(`enable_mls',`
> - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
> + range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
> ')
> ')

I'd prefer to split this out to a init_spec_domtrans_labeled_scripts(),
so there is differentiation between the *_initrc_exec_t and initrc_exec_t.


> @@ -1402,9 +1452,14 @@ interface(`init_manage_script_service',`
> interface(`init_labeled_script_domtrans',`
> gen_require(`
> type initrc_t;
> + attribute initrc_transition_domain;
> ')
>
> + typeattribute $1 initrc_transition_domain;
> + # service script searches all filesystems via mountpoint
> + fs_search_all($1)

Can you elaborate on this? There has to be a way to limit it to
something reasonable.


> domtrans_pattern($1, $2, initrc_t)
> + allow $1 $2:file ioctl;

This looks like a rule that should be in the caller's policy.


> files_search_etc($1)
> ')
>
> @@ -1536,9 +1591,10 @@ interface(`init_run_daemon',`
> interface(`init_startstop_all_script_services',`
> gen_require(`
> attribute init_script_file_type;
> + class service { start status stop reload };
> ')
>
> - allow $1 init_script_file_type:service { start status stop };
> + allow $1 init_script_file_type:service { start status stop reload };
> ')

I'd prefer to split this into a separate interface.


> ########################################
> @@ -1746,12 +1802,7 @@ interface(`init_read_script_state',`
> ')
>
> kernel_search_proc($1)
> - read_files_pattern($1, initrc_t, initrc_t)
> - read_lnk_files_pattern($1, initrc_t, initrc_t)
> - list_dirs_pattern($1, initrc_t, initrc_t)
> -
> - # should move this to separate interface
> - allow $1 initrc_t:process getattr;
> + ps_process_pattern($1, initrc_t)
> ')
>
> ########################################
> @@ -2335,7 +2386,7 @@ interface(`init_dontaudit_rw_utmp',`
> type initrc_var_run_t;
> ')
>
> - dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
> + dontaudit $1 initrc_var_run_t:file rw_file_perms;
> ')
>
> ########################################
> @@ -2376,6 +2427,25 @@ interface(`init_pid_filetrans_utmp',`
> files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
> ')
>
> +#######################################
> +## <summary>
> +## Create a directory in the /run/systemd directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_create_pid_dirs',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:dir list_dir_perms;
> + create_dirs_pattern($1, init_var_run_t, init_var_run_t)
> +')
> +
> ########################################
> ## <summary>
> ## Allow the specified domain to connect to daemon with a tcp socket
> @@ -2550,6 +2620,43 @@ interface(`init_start_all_units',`
> allow $1 systemdunit:service start;
> ')
>
> +#######################################
> +## <summary>
> +## Allow the specified domain to write to
> +## init sock file.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_write_pid_socket',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:sock_file write;

Is this unreleated to init_stream_connect()? I would think this is a
process trying to do a unix socket tonnect to init.


> +')
> +
> +########################################
> +## <summary>
> +## Read init unnamed pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_pipes',`

init_read_pid_pipes()

> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
> +')
> +
> ########################################
> ## <summary>
> ## Stop all systemd units.
> @@ -2587,3 +2694,21 @@ interface(`init_reload_all_units',`
>
> allow $1 systemdunit:service reload;
> ')
> +
> +########################################
> +## <summary>
> +## Rename and unlink init_var_run_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain
> +## </summary>
> +## </param>
> +#
> +interface(`rename_unlink_init_var_run',`

init_delete_pid_files(). Also please move after the init_create_pid_dirs()

> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:file { rename getattr unlink };

Please use a delete_files_pattern


> +')
> Index: refpolicy-2.20170220/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170220/policy/modules/system/init.te
> @@ -16,13 +16,29 @@ gen_require(`
> ## </desc>
> gen_tunable(init_upstart, false)
>
> +## <desc>
> +## <p>
> +## Allow all daemons the ability to read/write terminals
> +## </p>
> +## </desc>
> +gen_tunable(allow_daemons_use_tty, false)
> +
> +## <desc>
> +## <p>
> +## Allow all daemons to write corefiles to /
> +## </p>
> +## </desc>
> +gen_tunable(allow_daemons_dump_core, false)

I'd prefer to have new tunables to be prefixed with the module name, so
init_daemons_dump_core, etc.


> attribute init_script_domain_type;
> attribute init_script_file_type;
> attribute init_run_all_scripts_domain;
> attribute systemdunit;
> +attribute initrc_transition_domain;
>
> # Mark process types as daemons
> attribute daemon;
> +attribute systemprocess;
>
> # Mark file type as a daemon pid file
> attribute daemonpidfile;
> @@ -33,7 +49,7 @@ attribute daemonrundir;
> #
> # init_t is the domain of the init process.
> #
> -type init_t;
> +type init_t, initrc_transition_domain;
> type init_exec_t;
> domain_type(init_t)
> domain_entry_file(init_t, init_exec_t)
> @@ -66,6 +82,7 @@ type initrc_exec_t, init_script_file_typ
> domain_type(initrc_t)
> domain_entry_file(initrc_t, initrc_exec_t)
> init_named_socket_activation(initrc_t, init_var_run_t)
> +allow init_run_all_scripts_domain systemdunit:service { status start stop };
> role system_r types initrc_t;
> # should be part of the true block
> # of the below init_upstart tunable
> @@ -110,6 +127,7 @@ ifdef(`enable_mls',`
>
> # Use capabilities. old rule:
> allow init_t self:capability ~sys_module;
> +allow init_t self:capability2 { wake_alarm block_suspend };
> # is ~sys_module really needed? observed:
> # sys_boot
> # sys_tty_config
> @@ -128,6 +146,9 @@ allow init_t initrc_t:unix_stream_socket
> allow init_t init_var_run_t:file manage_file_perms;
> files_pid_filetrans(init_t, init_var_run_t, file)
>
> +# for systemd to manage service file symlinks
> +allow init_t init_var_run_t:file manage_lnk_file_perms;
> +
> allow init_t initctl_t:fifo_file manage_fifo_file_perms;
> dev_filetrans(init_t, initctl_t, fifo_file)
>
> @@ -147,6 +168,7 @@ dev_rw_generic_chr_files(init_t)
>
> domain_getpgid_all_domains(init_t)
> domain_kill_all_domains(init_t)
> +domain_getattr_all_domains(init_t)
> domain_signal_all_domains(init_t)
> domain_signull_all_domains(init_t)
> domain_sigstop_all_domains(init_t)
> @@ -355,6 +377,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + udev_read_db(init_t)
> + udev_relabelto_db(init_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(init_t)
> ')
>
> @@ -408,6 +435,7 @@ manage_files_pattern(initrc_t, initrc_tm
> manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
> manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
> files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
> +allow initrc_t initrc_tmp_t:dir relabelfrom;
>
> manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
> manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
> @@ -450,6 +478,7 @@ corenet_sendrecv_all_client_packets(init
>
> dev_read_rand(initrc_t)
> dev_read_urand(initrc_t)
> +dev_dontaudit_read_kmsg(initrc_t)
> dev_write_kmsg(initrc_t)
> dev_write_rand(initrc_t)
> dev_write_urand(initrc_t)
> @@ -460,8 +489,10 @@ dev_write_framebuffer(initrc_t)
> dev_read_realtime_clock(initrc_t)
> dev_read_sound_mixer(initrc_t)
> dev_write_sound_mixer(initrc_t)
> +dev_setattr_generic_dirs(initrc_t)
> dev_setattr_all_chr_files(initrc_t)
> dev_rw_lvm_control(initrc_t)
> +dev_rw_generic_chr_files(initrc_t)
> dev_delete_lvm_control_dev(initrc_t)
> dev_manage_generic_symlinks(initrc_t)
> dev_manage_generic_files(initrc_t)
> @@ -469,17 +500,16 @@ dev_manage_generic_files(initrc_t)
> dev_delete_generic_symlinks(initrc_t)
> dev_getattr_all_blk_files(initrc_t)
> dev_getattr_all_chr_files(initrc_t)
> -# Early devtmpfs
> -dev_rw_generic_chr_files(initrc_t)
> +dev_rw_xserver_misc(initrc_t)
>
> domain_kill_all_domains(initrc_t)
> domain_signal_all_domains(initrc_t)
> domain_signull_all_domains(initrc_t)
> domain_sigstop_all_domains(initrc_t)
> +domain_sigstop_all_domains(initrc_t)
> domain_sigchld_all_domains(initrc_t)
> domain_read_all_domains_state(initrc_t)
> domain_getattr_all_domains(initrc_t)
> -domain_dontaudit_ptrace_all_domains(initrc_t)
> domain_getsession_all_domains(initrc_t)
> domain_use_interactive_fds(initrc_t)
> # for lsof which is used by alsa shutdown:
> @@ -487,6 +517,7 @@ domain_dontaudit_getattr_all_udp_sockets
> domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
> domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
> domain_dontaudit_getattr_all_pipes(initrc_t)
> +domain_obj_id_change_exemption(initrc_t)
>
> files_getattr_all_dirs(initrc_t)
> files_getattr_all_files(initrc_t)
> @@ -494,8 +525,10 @@ files_getattr_all_symlinks(initrc_t)
> files_getattr_all_pipes(initrc_t)
> files_getattr_all_sockets(initrc_t)
> files_purge_tmp(initrc_t)
> -files_delete_all_locks(initrc_t)
> +files_manage_all_locks(initrc_t)
> +files_manage_boot_files(initrc_t)
> files_read_all_pids(initrc_t)
> +files_delete_root_files(initrc_t)
> files_delete_all_pids(initrc_t)
> files_delete_all_pid_dirs(initrc_t)
> files_read_etc_files(initrc_t)
> @@ -509,8 +542,12 @@ files_manage_generic_spool(initrc_t)
> # cjp: not sure why these are here; should use mount policy
> files_list_default(initrc_t)
> files_mounton_default(initrc_t)
> +files_manage_mnt_dirs(initrc_t)
> +files_manage_mnt_files(initrc_t)
>
> -fs_write_cgroup_files(initrc_t)
> +fs_delete_cgroup_dirs(initrc_t)
> +fs_list_cgroup_dirs(initrc_t)
> +fs_rw_cgroup_files(initrc_t)
> fs_list_inotifyfs(initrc_t)
> fs_register_binary_executable_type(initrc_t)
> # rhgb-console writes to ramfs
> @@ -520,9 +557,13 @@ fs_mount_all_fs(initrc_t)
> fs_unmount_all_fs(initrc_t)
> fs_remount_all_fs(initrc_t)
> fs_getattr_all_fs(initrc_t)
> +fs_search_all(initrc_t)
> +fs_getattr_nfsd_files(initrc_t)
>
> # initrc_t needs to do a pidof which requires ptrace
> mcs_ptrace_all(initrc_t)
> +mcs_file_read_all(initrc_t)
> +mcs_file_write_all(initrc_t)
> mcs_killall(initrc_t)
> mcs_process_set_categories(initrc_t)
>
> @@ -532,6 +573,7 @@ mls_process_read_all_levels(initrc_t)
> mls_process_write_all_levels(initrc_t)
> mls_rangetrans_source(initrc_t)
> mls_fd_share_all_levels(initrc_t)
> +mls_socket_write_to_clearance(initrc_t)
>
> selinux_get_enforce_mode(initrc_t)
>
> @@ -563,7 +605,11 @@ logging_read_audit_config(initrc_t)
>
> miscfiles_read_localization(initrc_t)
> # slapd needs to read cert files from its initscript
> -miscfiles_read_generic_certs(initrc_t)
> +miscfiles_manage_generic_cert_files(initrc_t)
> +
> +optional_policy(`
> + init_get_system_status(initrc_t)
> +')

Making this optional should have no effect as all the types are in the
same module.

> seutil_read_config(initrc_t)
>
> @@ -571,7 +617,7 @@ userdom_read_user_home_content_files(ini
> # Allow access to the sysadm TTYs. Note that this will give access to the
> # TTYs to any process in the initrc_t domain. Therefore, daemons and such
> # started from init should be placed in their own domain.
> -userdom_use_user_terminals(initrc_t)
> +userdom_use_inherited_user_terminals(initrc_t)
>
> ifdef(`distro_debian',`
> kernel_getattr_core_if(initrc_t)
> @@ -643,6 +689,10 @@ ifdef(`distro_gentoo',`
> sysnet_setattr_config(initrc_t)
>
> optional_policy(`
> + abrt_manage_pid_files(initrc_t)
> + ')
> +
> + optional_policy(`
> alsa_read_lib(initrc_t)
> ')
>
> @@ -663,7 +713,7 @@ ifdef(`distro_redhat',`
>
> # Red Hat systems seem to have a stray
> # fd open from the initrd
> - kernel_dontaudit_use_fds(initrc_t)
> + kernel_use_fds(initrc_t)
> files_dontaudit_read_root_files(initrc_t)
>
> # These seem to be from the initrd
> @@ -698,6 +748,7 @@ ifdef(`distro_redhat',`
> miscfiles_rw_localization(initrc_t)
> miscfiles_setattr_localization(initrc_t)
> miscfiles_relabel_localization(initrc_t)
> + miscfiles_filetrans_named_content(initrc_t)
>
> miscfiles_read_fonts(initrc_t)
> miscfiles_read_hwdata(initrc_t)
> @@ -707,8 +758,35 @@ ifdef(`distro_redhat',`
> ')
>
> optional_policy(`
> + abrt_manage_pid_files(initrc_t)
> + ')
> +
> + optional_policy(`
> bind_manage_config_dirs(initrc_t)
> + bind_manage_config(initrc_t)
> bind_write_config(initrc_t)
> + bind_setattr_zone_dirs(initrc_t)
> + ')
> +
> + optional_policy(`
> + devicekit_append_inherited_log_files(initrc_t)
> + ')
> +
> + optional_policy(`
> + dirsrvadmin_read_config(initrc_t)
> + dirsrv_manage_var_run(initrc_t)
> + ')
> +
> + optional_policy(`
> + gnome_manage_gconf_config(initrc_t)
> + ')
> +
> + optional_policy(`
> + ldap_read_db_files(initrc_t)
> + ')
> +
> + optional_policy(`
> + pulseaudio_stream_connect(initrc_t)
> ')
>
> optional_policy(`
> @@ -716,14 +794,27 @@ ifdef(`distro_redhat',`
> rpc_write_exports(initrc_t)
> rpc_manage_nfs_state_data(initrc_t)
> ')
> + optional_policy(`
> + rpcbind_stream_connect(initrc_t)
> + ')
>
> optional_policy(`
> sysnet_rw_dhcp_config(initrc_t)
> sysnet_manage_config(initrc_t)
> + sysnet_manage_dhcpc_state(initrc_t)
> + sysnet_relabelfrom_dhcpc_state(initrc_t)
> + sysnet_relabelfrom_net_conf(initrc_t)
> + sysnet_relabelto_net_conf(initrc_t)
> + sysnet_filetrans_named_content(initrc_t)
> + ')
> +
> + optional_policy(`
> + wdmd_manage_pid_files(initrc_t)
> ')
>
> optional_policy(`
> xserver_delete_log(initrc_t)
> + xserver_manage_user_fonts_dir(initrc_t)
> ')
> ')
>
> @@ -746,9 +837,11 @@ ifdef(`init_systemd',`
> files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
>
> create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
> + allow initrc_t systemd_unit_t:service reload;
>
> manage_files_pattern(initrc_t, systemdunit, systemdunit)
> manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
> + allow initrc_t systemdunit:service reload;
>
> kernel_dgram_send(initrc_t)
>
> @@ -781,6 +874,8 @@ ifdef(`init_systemd',`
> seutil_read_file_contexts(initrc_t)
>
> systemd_start_power_units(initrc_t)
> + allow initrc_t init_t:system { status reboot halt reload };
> + dev_manage_null_service(initrc_t)
>
> optional_policy(`
> # create /var/lock/lvm/
> @@ -788,6 +883,32 @@ ifdef(`init_systemd',`
> ')
> ')

The below should have a new section header for "Rules applied to all
daemons." and also moving the initrc_t stuff up with the other initrc_t
rules.

However, I'm also very concerned about how many rules are a being
blanketed onto all daemons. It seems extremely excessive.


> +domain_dontaudit_use_interactive_fds(daemon)
> +
> +tunable_policy(`allow_daemons_use_tty',`
> + term_use_unallocated_ttys(daemon)
> + term_use_generic_ptys(daemon)
> + term_use_all_ttys(daemon)
> + term_use_all_ptys(daemon)
> +',`
> + term_dontaudit_use_unallocated_ttys(daemon)
> + term_dontaudit_use_generic_ptys(daemon)
> + term_dontaudit_use_all_ttys(daemon)
> + term_dontaudit_use_all_ptys(daemon)
> + ')
> +
> +# system-config-services causes avc messages that should be dontaudited
> +tunable_policy(`allow_daemons_dump_core',`
> + files_manage_root_files(daemon)
> +')
> +
> +optional_policy(`
> + unconfined_dontaudit_rw_pipes(daemon)
> + unconfined_dontaudit_rw_stream(daemon)
> + userdom_dontaudit_read_user_tmp_files(daemon)
> + userdom_dontaudit_write_user_tmp_files(daemon)
> +')

This looks like it should be split up into separate optionals

> optional_policy(`
> amavis_search_lib(initrc_t)
> amavis_setattr_pid_files(initrc_t)
> @@ -800,6 +921,8 @@ optional_policy(`
> optional_policy(`
> apache_read_config(initrc_t)
> apache_list_modules(initrc_t)
> + # webmin seems to cause this.
> + apache_search_sys_content(daemon)
> ')
>
> optional_policy(`
> @@ -821,6 +944,7 @@ optional_policy(`
>
> optional_policy(`
> cgroup_stream_connect_cgred(initrc_t)
> + domain_setpriority_all_domains(initrc_t)
> ')
>
> optional_policy(`
> @@ -837,6 +961,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cron_read_pipes(initrc_t)
> + # managing /etc/cron.d/mailman content
> + cron_manage_system_spool(initrc_t)
> +')
> +
> +optional_policy(`
> dev_getattr_printer_dev(initrc_t)
>
> cups_read_log(initrc_t)
> @@ -853,9 +983,13 @@ optional_policy(`
> dbus_connect_system_bus(initrc_t)
> dbus_system_bus_client(initrc_t)
> dbus_read_config(initrc_t)
> + dbus_manage_lib_files(initrc_t)
> +
> + init_dbus_chat(initrc_t)
>
> optional_policy(`
> consolekit_dbus_chat(initrc_t)
> + consolekit_manage_log(initrc_t)
> ')
>
> optional_policy(`
> @@ -897,6 +1031,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modutils_read_module_config(initrc_t)
> + modutils_domtrans_insmod(initrc_t)
> +')
> +
> +optional_policy(`
> inn_exec_config(initrc_t)
> ')
>
> @@ -937,6 +1076,7 @@ optional_policy(`
> lpd_list_spool(initrc_t)
>
> lpd_read_config(initrc_t)
> + lpd_manage_spool(init_t)
> ')
>
> optional_policy(`
> @@ -960,6 +1100,7 @@ optional_policy(`
>
> optional_policy(`
> mta_read_config(initrc_t)
> + mta_write_config(initrc_t)
> mta_dontaudit_read_spool_symlinks(initrc_t)
> ')
>
> @@ -982,6 +1123,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + plymouthd_stream_connect(initrc_t)
> +')
> +
> +optional_policy(`
> postgresql_manage_db(initrc_t)
> postgresql_read_config(initrc_t)
> ')
> @@ -994,6 +1139,7 @@ optional_policy(`
> puppet_rw_tmp(initrc_t)
> ')
>
> +
> optional_policy(`
> quota_manage_flags(initrc_t)
> ')
> @@ -1024,8 +1170,6 @@ optional_policy(`
> # bash tries ioctl for some reason
> files_dontaudit_ioctl_all_pids(initrc_t)
>
> - # why is this needed:
> - rpm_manage_db(initrc_t)
> ')
>
> optional_policy(`
> @@ -1043,10 +1187,12 @@ optional_policy(`
> squid_manage_logs(initrc_t)
> ')
>
> +ifdef(`enabled_mls',`
> optional_policy(`
> # allow init scripts to su
> su_restricted_domain_template(initrc, initrc_t, system_r)
> ')
> +')
>
> optional_policy(`
> ssh_dontaudit_read_server_keys(initrc_t)
> @@ -1062,7 +1208,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - udev_rw_db(initrc_t)
> udev_manage_pid_files(initrc_t)
> udev_manage_pid_dirs(initrc_t)
> udev_manage_rules_files(initrc_t)
> @@ -1079,6 +1224,10 @@ optional_policy(`
>
> optional_policy(`
> unconfined_domain(initrc_t)
> + domain_role_change_exemption(initrc_t)
> + mcs_file_read_all(initrc_t)
> + mcs_file_write_all(initrc_t)
> + mcs_killall(initrc_t)
>
> ifdef(`distro_redhat',`
> # system-config-services causes avc messages that should be dontaudited
> @@ -1088,6 +1237,15 @@ optional_policy(`
> optional_policy(`
> mono_domtrans(initrc_t)
> ')
> +
> + optional_policy(`
> + rtkit_scheduled(initrc_t)
> + ')
> +')
> +
> +optional_policy(`
> + rpm_read_db(initrc_t)
> + rpm_delete_db(initrc_t)
> ')
>
> optional_policy(`
> @@ -1113,3 +1271,265 @@ optional_policy(`
> optional_policy(`
> zebra_read_config(initrc_t)
> ')

From this point on, the patch for this file gets more confusing, maybe
from the mixed types/attrs being used.

> +
> +userdom_dontaudit_rw_stream(daemon)
> +
> +logging_inherit_append_all_logs(daemon)
> +
> +optional_policy(`
> + # sudo service restart causes this
> + unconfined_signull(daemon)
> +')
> +
> +
> +optional_policy(`
> + tunable_policy(`use_nfs_home_dirs',`
> + fs_dontaudit_rw_nfs_files(daemon)
> + ')
> + tunable_policy(`use_samba_home_dirs',`
> + fs_dontaudit_rw_cifs_files(daemon)
> + ')
> +')
> +
> +init_rw_script_stream_sockets(daemon)
> +
> +optional_policy(`
> + abrt_stream_connect(daemon)
> +')
> +
> +optional_policy(`
> + fail2ban_read_lib_files(daemon)
> +')
> +
> +init_rw_stream_sockets(daemon)
> +
> +allow init_t var_run_t:dir relabelto;
> +
> +init_stream_connect(initrc_t)
> +init_start_all_units(initrc_t)
> +init_stop_all_units(initrc_t)
> +
> +allow initrc_t daemon:process siginh;
> +allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
> +allow daemon initrc_transition_domain:fd use;
> +
> +storage_raw_rw_fixed_disk(init_t)
> +
> +optional_policy(`
> + modutils_domtrans_insmod(init_t)
> +')
> +
> +optional_policy(`
> + postfix_list_spool(init_t)
> + mta_read_aliases(init_t)
> +')
> +

There is already an init_systemd block for these to be put in.

> +ifdef(`init_systemd',`
> + allow init_t self:system { status reboot halt reload };
> +
> + allow init_t self:unix_dgram_socket { create_socket_perms sendto };
> + allow init_t self:process { setsockcreate setfscreate setrlimit };
> + allow init_t self:process { getcap setcap };
> + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> + allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + # Until systemd is fixed
> + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> + allow init_t self:udp_socket create_socket_perms;
> + allow init_t self:netlink_route_socket create_netlink_socket_perms;
> + allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> + allow init_t self:capability2 audit_read;
> +
> + kernel_list_unlabeled(init_t)
> + kernel_read_network_state(init_t)
> + kernel_rw_kernel_sysctl(init_t)
> + kernel_rw_net_sysctls(init_t)
> + kernel_read_all_sysctls(init_t)
> + kernel_read_software_raid_state(init_t)
> + kernel_unmount_debugfs(init_t)
> + kernel_setsched(init_t)
> +
> + dev_write_kmsg(init_t)
> + dev_write_urand(init_t)
> + dev_rw_lvm_control(init_t)
> + dev_rw_autofs(init_t)
> + dev_manage_generic_symlinks(init_t)
> + dev_manage_generic_dirs(init_t)
> + dev_manage_generic_files(init_t)
> + dev_read_generic_chr_files(init_t)
> + dev_relabel_generic_dev_dirs(init_t)
> + dev_relabel_all_dev_nodes(init_t)
> + dev_relabel_all_dev_files(init_t)
> + dev_manage_sysfs_dirs(init_t)
> + dev_relabel_sysfs_dirs(init_t)
> + # systemd writes to /dev/watchdog on shutdown
> + dev_write_watchdog(init_t)
> +
> + files_search_all(init_t)
> + files_mounton_all_mountpoints(init_t)
> + files_unmount_all_file_type_fs(init_t)
> + files_manage_all_pid_dirs(init_t)
> + files_manage_generic_tmp_dirs(init_t)
> + files_relabel_all_pid_dirs(init_t)
> + files_relabel_all_pid_files(init_t)
> + files_create_all_pid_sockets(init_t)
> + files_delete_all_pids(init_t)
> + files_exec_generic_pid_files(init_t)
> + files_create_all_pid_pipes(init_t)
> + files_create_all_spool_sockets(init_t)
> + files_delete_all_spool_sockets(init_t)
> + files_manage_urandom_seed(init_t)
> + files_list_locks(init_t)
> + files_list_spool(init_t)
> + files_list_var(init_t)
> + files_create_lock_dirs(init_t)
> + files_relabel_all_lock_dirs(init_t)
> +
> + fs_getattr_all_fs(init_t)
> + fs_manage_cgroup_dirs(init_t)
> + fs_manage_cgroup_files(init_t)
> + fs_manage_hugetlbfs_dirs(init_t)
> + fs_manage_tmpfs_dirs(init_t)
> + fs_mount_all_fs(init_t)
> + fs_unmount_all_fs(init_t)
> + fs_remount_all_fs(init_t)
> + fs_list_auto_mountpoints(init_t)
> + fs_search_cgroup_dirs(daemon)
> +
> + selinux_compute_create_context(init_t)
> + selinux_validate_context(init_t)
> + selinux_unmount_fs(init_t)
> +
> + storage_getattr_removable_dev(init_t)
> +
> + term_relabel_ptys_dirs(init_t)
> +
> + auth_relabel_login_records(init_t)
> + auth_relabel_pam_console_data_dirs(init_t)
> +
> + init_read_script_state(init_t)
> +
> + seutil_read_file_contexts(init_t)
> +
> +
> + systemd_manage_unit_dirs_files(init_t)
> +
> + allow initrc_t init_script_file_type:service { stop start status reload };
> +
> +
> +')
> +auth_use_nsswitch(init_t)
> +auth_rw_login_records(init_t)
> +
> +optional_policy(`
> + systemd_filetrans_named_content(init_t)
> +')
> +
> +optional_policy(`
> + lvm_rw_pipes(init_t)
> +')
> +
> +ifdef(`init_systemd',`
> + allow init_t daemon:unix_stream_socket create_stream_socket_perms;
> + allow init_t daemon:unix_dgram_socket create_socket_perms;
> + allow init_t daemon:tcp_socket create_stream_socket_perms;
> + allow init_t daemon:udp_socket create_socket_perms;
> + allow daemon init_t:unix_dgram_socket sendto;
> + # need write to /var/run/systemd/notify
> + init_write_pid_socket(daemon)
> + allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
> +')
> +
> +# daemons started from init will
> +# inherit fds from init for the console
> +init_dontaudit_use_fds(daemon)
> +term_dontaudit_use_console(daemon)
> +# init script ptys are the stdin/out/err
> +# when using run_init
> +init_use_script_ptys(daemon)
> +
> +allow init_t daemon:process siginh;
> +
> +ifdef(`hide_broken_symptoms',`
> + # RHEL4 systems seem to have a stray
> + # fds open from the initrd
> + ifdef(`distro_rhel4',`
> + kernel_dontaudit_use_fds(daemon)
> + ')
> +
> + dontaudit daemon init_t:dir search_dir_perms;
> +')
> +
> +optional_policy(`
> + nscd_socket_use(daemon)
> +')
> +
> +optional_policy(`
> + puppet_rw_tmp(daemon)
> +')
> +
> +allow initrc_t systemprocess:process siginh;
> +allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
> +allow systemprocess initrc_transition_domain:fd use;
> +
> +dontaudit systemprocess init_t:unix_stream_socket getattr;
> +
> +
> +ifdef(`init_systemd',`
> + # Handle upstart/systemd direct transition to a executable
> + allow init_t systemprocess:process { dyntransition siginh };
> + allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
> + allow init_t systemprocess:unix_dgram_socket create_socket_perms;
> + allow systemprocess init_t:unix_dgram_socket sendto;
> + allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
> +')
> +
> +ifdef(`hide_broken_symptoms',`
> + # RHEL4 systems seem to have a stray
> + # fds open from the initrd
> + ifdef(`distro_rhel4',`
> + kernel_dontaudit_use_fds(systemprocess)
> + ')
> +')
> +
> +userdom_dontaudit_search_user_home_dirs(systemprocess)
> +userdom_dontaudit_rw_stream(systemprocess)
> +userdom_dontaudit_write_user_tmp_files(systemprocess)
> +
> +tunable_policy(`allow_daemons_use_tty',`
> + term_use_all_ttys(systemprocess)
> + term_use_all_ptys(systemprocess)
> +',`
> + term_dontaudit_use_all_ttys(systemprocess)
> + term_dontaudit_use_all_ptys(systemprocess)
> +')
> +
> +# these apps are often redirect output to random log files
> +logging_inherit_append_all_logs(systemprocess)
> +
> +optional_policy(`
> + abrt_stream_connect(systemprocess)
> +')
> +
> +optional_policy(`
> + cron_rw_pipes(systemprocess)
> +')
> +
> +optional_policy(`
> + puppet_rw_tmp(systemprocess)
> +')
> +
> +optional_policy(`
> + unconfined_dontaudit_rw_pipes(systemprocess)
> + unconfined_dontaudit_rw_stream(systemprocess)
> + userdom_dontaudit_read_user_tmp_files(systemprocess)
> +')
> +
> +init_rw_script_stream_sockets(systemprocess)
> +
> +role system_r types systemprocess;
> +role system_r types daemon;
> +
> +#ifdef(`enable_mls',`
> +# mls_rangetrans_target(systemprocess)
> +#')
> +
> Index: refpolicy-2.20170220/policy/modules/system/logging.fc
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/logging.fc
> +++ refpolicy-2.20170220/policy/modules/system/logging.fc
> @@ -1,4 +1,5 @@
> /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
> +/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>
> /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> @@ -80,3 +81,10 @@ ifdef(`distro_redhat',`
> /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
>
> /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> +
> +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> +/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> +
> +/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
> +
> +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> Index: refpolicy-2.20170220/policy/modules/system/miscfiles.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/miscfiles.te
> +++ refpolicy-2.20170220/policy/modules/system/miscfiles.te
> @@ -40,6 +40,9 @@ files_type(locale_t)
> #
> type man_t alias catman_t;
> files_type(man_t)
> +optional_policy(`
> + systemd_tmpfiles_manage_object(man_t, dir)
> +')
>
> type man_cache_t;
> files_type(man_cache_t)
> Index: refpolicy-2.20170220/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170220/policy/modules/system/logging.te
> @@ -94,6 +94,26 @@ ifdef(`enable_mls',`
> init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
> ')
>
> +ifdef(`init_systemd', `
> + dev_read_kmsg(syslogd_t)
> + dev_write_kmsg(syslogd_t)
> + allow syslogd_t self:capability sys_ptrace;
> + init_read_pipes(syslogd_t)
> + init_read_state(syslogd_t)
> + allow syslogd_t init_var_run_t:file { read write create open };
> + allow syslogd_t var_run_t:dir create;
> + init_create_pid_dirs(syslogd_t)
> + kernel_read_ring_buffer(syslogd_t)
> + dev_read_urand(syslogd_t)
> + domain_read_all_domains_state(syslogd_t)
> + systemd_manage_journal_files(syslogd_t)
> +
> + # for systemd-journal
> + allow syslogd_t self:netlink_audit_socket connected_socket_perms;
> + allow syslogd_t self:capability2 audit_read;
> + rename_unlink_init_var_run(syslogd_t)
> +')

These should be moved down into the existing init_systemd


> ########################################
> #
> # Auditctl local policy
> @@ -230,6 +250,9 @@ optional_policy(`
> udev_read_db(auditd_t)
> ')
>
> +# for systemd but can not be conditional
> +filetrans_pattern(syslogd_t, var_run_t, syslogd_tmp_t, dir, "log")

Neeeds to use interfaces and move down with the syslogd_t->syslogd_tmp_t
rules.

> ########################################
> #
> # audit dispatcher local policy
> @@ -396,6 +419,9 @@ allow syslogd_t syslog_conf_t:file read_
> # Create and bind to /dev/log or /var/run/log.
> allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
> files_pid_filetrans(syslogd_t, devlog_t, sock_file)
> +init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
> +
> +seutil_read_config(syslogd_t)
>
> # create/append log files.
> manage_files_pattern(syslogd_t, var_log_t, var_log_t)
> @@ -416,6 +442,7 @@ files_search_var_lib(syslogd_t)
> # manage pid file
> manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
> +allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
>
> kernel_read_system_state(syslogd_t)
> kernel_read_network_state(syslogd_t)
> Index: refpolicy-2.20170220/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170220/policy/modules/kernel/devices.if
> @@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
>
> ########################################
> ## <summary>
> +## Allow full relabeling (to and from) of all device files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`dev_relabel_all_dev_files',`
> + gen_require(`
> + type device_t;
> + ')
> +
> + relabel_files_pattern($1, device_t, device_t)
> +')
> +
> +########################################
> +## <summary>
> ## List all of the device nodes in a device directory.
> ## </summary>
> ## <param name="domain">
> @@ -4225,6 +4244,24 @@ interface(`dev_relabel_all_sysfs',`
> ')
>
> ########################################
> +## <summary>
> +## Relabel hardware state directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_relabel_sysfs_dirs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + relabel_dirs_pattern($1, sysfs_t, sysfs_t)
> +')
> +
> +########################################
> ## <summary>
> ## Read and write the TPM device.
> ## </summary>
> Index: refpolicy-2.20170220/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170220/policy/modules/system/logging.if
> @@ -822,6 +822,24 @@ interface(`logging_append_all_logs',`
>
> ########################################
> ## <summary>
> +## Append to all log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_inherit_append_all_logs',`

logging_append_all_inherited_logs()

> + gen_require(`
> + attribute logfile;
> + ')
> +
> + allow $1 logfile:file { getattr append ioctl lock };
> +')
> +
> +########################################
> +## <summary>
> ## Read all log files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170220/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170220/policy/modules/system/userdomain.if
> @@ -1111,6 +1111,10 @@ template(`userdom_unpriv_user_template',
> optional_policy(`
> setroubleshoot_stream_connect($1_t)
> ')
> +
> + optional_policy(`
> + systemd_dbus_chat_logind($1_t)
> + ')
> ')
>
> #######################################
> @@ -3231,6 +3235,35 @@ interface(`userdom_use_user_ptys',`
>
> ########################################
> ## <summary>
> +## Read and write a inherited user TTYs and PTYs.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read and write inherited user
> +## TTYs and PTYs. This will allow the domain to
> +## interact with the user via the terminal. Typically
> +## all interactive applications will require this
> +## access.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`userdom_use_inherited_user_terminals',`
> + gen_require(`
> + type user_tty_device_t, user_devpts_t;
> + ')
> +
> + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
> + allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read and write a user TTYs and PTYs.
> ## </summary>
> ## <desc>
> @@ -3835,3 +3868,41 @@ interface(`userdom_dbus_send_all_users',
>
> allow $1 userdomain:dbus send_msg;
> ')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to write users
> +## temporary files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_dontaudit_write_user_tmp_files',`
> + gen_require(`
> + type user_tmp_t;
> + ')
> +
> + dontaudit $1 user_tmp_t:file write;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read and write
> +## unserdomain stream.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_dontaudit_rw_stream',`
> + gen_require(`
> + attribute userdomain;
> + ')
> +
> + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
> +')
> Index: refpolicy-2.20170220/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20170220/policy/modules/system/authlogin.if
> @@ -155,9 +155,18 @@ interface(`auth_login_pgm_domain',`
> seutil_read_config($1)
> seutil_read_default_contexts($1)
>
> + userdom_search_user_runtime($1)
> + userdom_read_user_tmpfs_files($1)
> +
> tunable_policy(`allow_polyinstantiation',`
> files_polyinstantiate_all($1)
> ')
> +
> + optional_policy(`
> + systemd_read_logind_state($1)
> + systemd_write_inherited_logind_sessions_pipes($1)
> + systemd_passwd_agent_inherits_fd($1)
> + ')
> ')
>
> ########################################
> Index: refpolicy-2.20170220/policy/modules/kernel/terminal.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/kernel/terminal.if
> +++ refpolicy-2.20170220/policy/modules/kernel/terminal.if
> @@ -500,6 +500,24 @@ interface(`term_list_ptys',`
>
> ########################################
> ## <summary>
> +## Relabel the /dev/pts directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`term_relabel_ptys_dirs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:dir relabel_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to read the
> ## /dev/pts directory.
> ## </summary>
> Index: refpolicy-2.20170220/policy/modules/system/lvm.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/lvm.if
> +++ refpolicy-2.20170220/policy/modules/system/lvm.if
> @@ -187,3 +187,21 @@ interface(`lvm_admin',`
> files_search_tmp($1)
> admin_pattern($1, lvm_tmp_t)
> ')
> +
> +########################################
> +## <summary>
> +## Read and write a lvm unnamed pipe.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lvm_rw_pipes',`
> + gen_require(`
> + type lvm_var_run_t;
> + ')
> +
> + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
> +')

lvm_rw_inherited_runtime_pipes()

> Index: refpolicy-2.20170220/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170220/policy/modules/kernel/files.if
> @@ -6529,6 +6529,25 @@ interface(`files_dontaudit_ioctl_all_pid
>
> ########################################
> ## <summary>
> +## manage all pidfile directories
> +## in the /var/run directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_manage_all_pid_dirs',`
> + gen_require(`
> + attribute pidfile;
> + ')
> +
> + manage_dirs_pattern($1,pidfile,pidfile)
> +')
> +
> +########################################
> +## <summary>
> ## Read all process ID files.
> ## </summary>
> ## <param name="domain">
> @@ -6551,6 +6570,42 @@ interface(`files_read_all_pids',`
>
> ########################################
> ## <summary>
> +## Execute generic programs in /var/run in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_exec_generic_pid_files',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + exec_files_pattern($1, var_run_t, var_run_t)
> +')
> +
> +########################################
> +## <summary>
> +## Relable all pid files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_relabel_all_pid_files',`
> + gen_require(`
> + attribute pidfile;
> + ')
> +
> + relabel_files_pattern($1, pidfile, pidfile)
> +')
> +
> +########################################
> +## <summary>
> ## Delete all process IDs.
> ## </summary>
> ## <param name="domain">
> @@ -6898,3 +6953,100 @@ interface(`files_unconfined',`
>
> typeattribute $1 files_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Create a core files in /
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a core file in /,
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_manage_root_files',`
> + gen_require(`
> + type root_t;
> + ')
> +
> + manage_files_pattern($1, root_t, root_t)
> +')

I'm wondering if it makes sense to have a new type, so root_t can stay
for / only.


> +########################################
> +## <summary>
> +## Create all pid sockets
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_all_pid_sockets',`
> + gen_require(`
> + attribute pidfile;
> + ')
> +
> + allow $1 pidfile:sock_file create_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create all pid named pipes
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_all_pid_pipes',`
> + gen_require(`
> + attribute pidfile;
> + ')
> +
> + allow $1 pidfile:fifo_file create_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create all spool sockets
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_create_all_spool_sockets',`
> + gen_require(`
> + attribute spoolfile;
> + ')
> +
> + allow $1 spoolfile:sock_file create_sock_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Delete all spool sockets
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_delete_all_spool_sockets',`
> + gen_require(`
> + attribute spoolfile;
> + ')
> +
> + allow $1 spoolfile:sock_file delete_sock_file_perms;
> +')
> +
> Index: refpolicy-2.20170220/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170220/policy/modules/system/systemd.if
> @@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
> ')
>
> files_search_pids($1)
> - read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
> + allow $1 systemd_logind_var_run_t:dir list_dir_perms;
> + allow $1 systemd_logind_var_run_t:file read_file_perms;

This second rule is redundant.

> ')
>
> ######################################
> @@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
> allow $1 systemd_logind_t:fd use;
> ')
>
> +######################################
> +## <summary>
> +## Write inherited logind sessions pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_write_inherited_logind_sessions_pipes',`
> + gen_require(`
> + type systemd_logind_t, systemd_sessions_var_run_t;
> + ')
> +
> + allow $1 systemd_logind_t:fd use;
> + allow $1 systemd_sessions_var_run_t:fifo_file write;
> + allow systemd_logind_t $1:process signal;
> +')
> +
> ########################################
> ## <summary>
> ## Send and receive messages from
> @@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
> write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
> ')
>
> +#######################################
> +## <summary>
> +## Allow systemd_tmpfiles_t to manage filesystem objects
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## type of object to manage
> +## </summary>
> +## </param>
> +## <param name="class">
> +## <summary>
> +## object class to manage
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_tmpfiles_manage_object',`

systemd_tmpfilesd_managed()

> + gen_require(`
> + type systemd_tmpfiles_t;
> + ')
> +
> + allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
> +')
> +
> ########################################
> ## <summary>
> ## Allow process to relabel to systemd_kmod_conf_t.
> @@ -137,6 +181,83 @@ interface(`systemd_relabelto_kmod_files'
>
> ########################################
> ## <summary>
> +## allow systemd_passwd_agent to inherit fds
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain that owns the fds
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_passwd_agent_inherits_fd',`

systemd_use_passwd_agent_fds

> + gen_require(`
> + type systemd_passwd_agent_t;
> + ')
> +
> + allow systemd_passwd_agent_t $1:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Transition to systemd named content
> +## need a better name for this
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_filetrans_named_content',`

I'm struggling on the naming for this too, though I don't think
named_content fits, but something like systemd_passd_pid_dirs or
systemd_passwd_runtime_dirs

> + gen_require(`
> + type systemd_passwd_var_run_t;
> + ')
> +
> + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
> + init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
> +')
> +
> +########################################
> +## <summary>
> +## manage systemd unit dirs and the files in them
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_manage_unit_dirs_files',`

systemd_manage_all_units

> + gen_require(`
> + attribute systemdunit;
> + ')
> +
> + manage_dirs_pattern($1, systemdunit, systemdunit)
> + manage_files_pattern($1, systemdunit, systemdunit)
> + manage_lnk_files_pattern($1, systemdunit, systemdunit)
> +')
> +
> +########################################
> +## <summary>
> +## Allow domain to create/manage systemd_journal_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_manage_journal_files',`
> + gen_require(`
> + type systemd_logind_t;
> + ')
> +
> + manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
> + manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
> +')
> +
> +########################################
> +## <summary>
> ## Allow systemd_logind_t to read process state for cgroup file
> ## </summary>
> ## <param name="domain">
> @@ -209,3 +330,4 @@ interface(`systemd_start_power_units',`
>
> allow $1 power_unit_t:service start;
> ')
> +
> Index: refpolicy-2.20170220/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170220/policy/modules/system/systemd.te
> @@ -12,6 +12,14 @@ policy_module(systemd, 1.3.3)
> ## </desc>
> gen_tunable(systemd_tmpfiles_manage_all, false)
>
> +## <desc>
> +## <p>
> +## Allow systemd-nspawn to create a labelled namespace with the same types
> +## as parent environment
> +## </p>
> +## </desc>
> +gen_tunable(systemd_nspawn_labeled_namespace, false)
> +
> attribute systemd_log_parse_env_type;
>
> type systemd_activate_t;
> @@ -45,6 +53,13 @@ domain_type(systemd_cgroups_t)
> domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
> role system_r types systemd_cgroups_t;
>
> +type systemd_notify_t;
> +type systemd_notify_exec_t;
> +init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
> +
> +type systemd_journal_t;
> +files_type(systemd_journal_t)
> +
> type systemd_cgroups_var_run_t;
> files_pid_file(systemd_cgroups_var_run_t)
> init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
> @@ -57,6 +72,9 @@ type systemd_coredump_t;
> type systemd_coredump_exec_t;
> init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
>
> +type systemd_coredump_var_lib_t;
> +files_type(systemd_coredump_var_lib_t)
> +
> type systemd_detect_virt_t;
> type systemd_detect_virt_exec_t;
> init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
> @@ -85,9 +103,18 @@ type systemd_machined_t;
> type systemd_machined_exec_t;
> init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
>
> +type systemd_machined_var_run_t;
> +files_pid_file(systemd_machined_var_run_t)
> +init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
> +
> type systemd_nspawn_t;
> type systemd_nspawn_exec_t;
> init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
> +kernel_unconfined(systemd_nspawn_t)
> +
> +type systemd_nspawn_var_run_t;
> +files_pid_file(systemd_nspawn_var_run_t)
> +init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>
> type systemd_resolved_t;
> type systemd_resolved_exec_t;
> @@ -108,6 +135,9 @@ type systemd_passwd_agent_t;
> type systemd_passwd_agent_exec_t;
> init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
>
> +type systemd_passwd_var_run_t;
> +files_pid_file(systemd_passwd_var_run_t)
> +
> type systemd_sessions_t;
> type systemd_sessions_exec_t;
> init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
> @@ -122,6 +152,12 @@ type systemd_kmod_conf_t;
> files_config_file(systemd_kmod_conf_t)
> init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
>
> +manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> +manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
> +allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
> +allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
> +logging_log_file(systemd_journal_t)
> +
> #
> # Unit file types
> #
> @@ -140,29 +176,28 @@ dontaudit systemd_log_parse_env_type sel
> kernel_read_system_state(systemd_log_parse_env_type)
>
> dev_write_kmsg(systemd_log_parse_env_type)
> -
> -term_use_console(systemd_log_parse_env_type)
> -
> init_read_state(systemd_log_parse_env_type)
> -
> logging_send_syslog_msg(systemd_log_parse_env_type)
> +term_use_console(systemd_log_parse_env_type)
>
> ######################################
> #
> # Backlight local policy
> #
>
> +allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
> +
> allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
> -init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
> manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
> -
> systemd_log_parse_environment(systemd_backlight_t)
>
> # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
> dev_rw_sysfs(systemd_backlight_t)
> -
> +# for udev.conf
> files_read_etc_files(systemd_backlight_t)
>
> +init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
> +# for /run/udev/data/+backlight*
> udev_read_pid_files(systemd_backlight_t)
>
> #######################################
> @@ -304,7 +339,6 @@ init_pid_filetrans(systemd_resolved_t, s
>
> kernel_read_crypto_sysctls(systemd_resolved_t)
> kernel_read_kernel_sysctls(systemd_resolved_t)
> -kernel_read_system_state(systemd_resolved_t)
>
> corenet_tcp_bind_generic_node(systemd_resolved_t)
> corenet_tcp_bind_llmnr_port(systemd_resolved_t)
> Index: refpolicy-2.20170220/policy/modules/system/systemd.fc
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/systemd.fc
> +++ refpolicy-2.20170220/policy/modules/system/systemd.fc
> @@ -7,6 +7,7 @@
> /usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
> /usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
> /usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> +/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
>
> /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
> /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
> @@ -32,14 +33,20 @@
> /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
>
> /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
> +/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
> /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
>
> /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
>
> /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
> -/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> -/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> +/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> +/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> +/var/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
> +/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
> /run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
> +
> +/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
> +/var/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
> Index: refpolicy-2.20170220/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170220/policy/modules/system/unconfined.if
> @@ -587,3 +587,22 @@ interface(`unconfined_dbus_connect',`
>
> allow $1 unconfined_t:dbus acquire_svc;
> ')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read and write
> +## unconfined domain stream.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`unconfined_dontaudit_rw_stream',`
unconfined_dontaudit_rw_stream_sockets()

> + gen_require(`
> + type unconfined_t;
> + ')
> +
> + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
> +')
> Index: refpolicy-2.20170220/policy/modules/contrib/cron.if
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/cron.if
> +++ refpolicy-2.20170220/policy/modules/contrib/cron.if
> @@ -891,3 +891,22 @@ interface(`cron_admin',`
> files_search_spool($1)
> admin_pattern($1, cron_spool_type)
> ')
> +
> +########################################
> +## <summary>
> +## Search the directory containing user cron tables.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cron_manage_system_spool',`
> + gen_require(`
> + type cron_system_spool_t;
> + ')
> +
> + files_search_spool($1)
> + manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
> +')


--
Chris PeBenito

2017-02-21 06:31:23

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] [PATCH] yet another draft of systemd patch 1

On Tue, 21 Feb 2017 02:07:42 AM Chris PeBenito wrote:
===================================================================
> > --- refpolicy-2.20170220.orig/policy/modules/kernel/kernel.te
> > +++ refpolicy-2.20170220/policy/modules/kernel/kernel.te
> > @@ -361,6 +361,8 @@ optional_policy(`
> >
> > optional_policy(`
> >
> > init_sigchld(kernel_t)
> >
> > + init_dyntrans(kernel_t)
> > + domain_dyntrans_type(kernel_t)
> >
> > ')
>
> I think these are redundant, otherwise systemd wouldn't work at all.

Well it wasn't working when I first tried it. ;)

But I've tested and found that it works without them now. Maybe it was
mislabelled when I wrote that policy.

===================================================================
> > --- refpolicy-2.20170220.orig/policy/modules/system/init.if
> > +++ refpolicy-2.20170220/policy/modules/system/init.if
> > @@ -127,7 +127,11 @@ interface(`init_domain',`
> >
> > role system_r types $1;
> >
> > - domtrans_pattern(init_t, $2, $1)
> > + ifdef(`init_systemd', `
> > + domtrans_pattern(init_t, $2, $1)
> > + allow init_t $1:unix_stream_socket create_stream_socket_perms;
> > + allow $1 init_t:unix_dgram_socket sendto;
> > + ')
>
> This would break sysvinit.

I'll put that into my "hacks" patch and review it again later.

> > @@ -468,15 +488,35 @@ interface(`init_ranged_system_domain',`
> >
> > ifdef(`enable_mcs',`
> >
> > range_transition initrc_t $2:process $3;
> >
> > + range_transition init_t $2:process $3;
> >
> > ')
> >
> > ifdef(`enable_mls',`
> >
> > range_transition initrc_t $2:process $3;
> >
> > + range_transition init_t $2:process $3;
> >
> > mls_rangetrans_target($1)
> >
> > ')
> >
> > ')
> >
> > ')
>
> These above range_transitions don't look relevant to systemd as they're
> in the else portion of the init_systemd blocks.

OK I'll remove them. I don't test the non-systemd case.

> > +######################################
> > +## <summary>
> > +## Allow domain dyntransition to init_t domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`init_dyntrans',`
> > + gen_require(`
> > + type init_t;
> > + ')
> > +
> > + dyntrans_pattern($1, init_t)
> > +')
> > +
> >
> > ########################################
> > ## <summary>
> > ## Mark the file type as a daemon pid file, allowing initrc_t
> >
> > @@ -675,6 +715,7 @@ interface(`init_stream_connect',`
> >
> > stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
> > files_search_pids($1)
> >
> > + allow $1 init_t:unix_stream_socket getattr;
>
> I'm reluctant to overload this interface. Are you sure this applies to
> all processes that connect to init_t?em

I'm not sure about all. But most processes that connect use systemd code and
work in the same way. As most do it and getattr isn't a dangerous access I
think it's the reasonable thing to do.

> > ')
> >
> > ########################################
> >
> > @@ -1195,19 +1236,25 @@ interface(`init_telinit',`
> >
> > type initctl_t;
> >
> > ')
> >
> > + corecmd_exec_bin($1)
> > +
> >
> > dev_list_all_dev_nodes($1)
> > allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> >
> > init_exec($1)
> >
> > - tunable_policy(`init_upstart',`
> > + ifdef(`init_systemd',`
> >
> > gen_require(`
> >
> > type init_t;
> >
> > ')
> >
> > + ps_process_pattern($1, init_t)
> > + allow $1 init_t:process signal;
> >
> > # upstart uses a datagram socket instead of initctl pipe
> > allow $1 self:unix_dgram_socket create_socket_perms;
> > allow $1 init_t:unix_dgram_socket sendto;
> >
> > + #576913
> > + allow $1 init_t:unix_stream_socket connectto;
> >
> > ')
> >
> > ')
>
> I think making this block unconditional is probably called for because
> of the tunable/ifdef "conflict" (should be enabled if systemd or upstart
> but can't create a single expression for that). Even though sysvinit
> doesn't use them, the perms aren't that bad.

OK

> > @@ -1315,18 +1362,21 @@ interface(`init_spec_domtrans_script',`
> >
> > #
> > interface(`init_domtrans_script',`
> >
> > gen_require(`
> >
> > - type initrc_t, initrc_exec_t;
> > + type initrc_t;
> > + attribute init_script_file_type;
> > + attribute initrc_transition_domain;
> >
> > ')
> >
> > + typeattribute $1 initrc_transition_domain;
> >
> > files_list_etc($1)
> >
> > - domtrans_pattern($1, initrc_exec_t, initrc_t)
> > + domtrans_pattern($1, init_script_file_type, initrc_t)
> >
> > ifdef(`enable_mcs',`
> >
> > - range_transition $1 initrc_exec_t:process s0;
> > + range_transition $1 init_script_file_type:process s0;
> >
> > ')
> >
> > ifdef(`enable_mls',`
> >
> > - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
> > + range_transition $1 init_script_file_type:process s0 -
mls_systemhigh;
> >
> > ')
> >
> > ')
>
> I'd prefer to split this out to a init_spec_domtrans_labeled_scripts(),
> so there is differentiation between the *_initrc_exec_t and initrc_exec_t.

I've created a new init_domtrans_labelled_script().

> > @@ -1402,9 +1452,14 @@ interface(`init_manage_script_service',`
> >
> > interface(`init_labeled_script_domtrans',`
> >
> > gen_require(`
> >
> > type initrc_t;
> >
> > + attribute initrc_transition_domain;
> >
> > ')
> >
> > + typeattribute $1 initrc_transition_domain;
> > + # service script searches all filesystems via mountpoint
> > + fs_search_all($1)
>
> Can you elaborate on this? There has to be a way to limit it to
> something reasonable.

I'll try removing it and see if I can come up with something more restrictive.
But those scripts do lots of wild stuff. :(

> > domtrans_pattern($1, $2, initrc_t)
> >
> > + allow $1 $2:file ioctl;
>
> This looks like a rule that should be in the caller's policy.

OK, I'll remove that and investigate other options.

> > files_search_etc($1)
> >
> > ')
> >
> > @@ -1536,9 +1591,10 @@ interface(`init_run_daemon',`
> >
> > interface(`init_startstop_all_script_services',`
> >
> > gen_require(`
> >
> > attribute init_script_file_type;
> >
> > + class service { start status stop reload };
> >
> > ')
> >
> > - allow $1 init_script_file_type:service { start status stop };
> > + allow $1 init_script_file_type:service { start status stop reload };
> >
> > ')
>
> I'd prefer to split this into a separate interface.

There's no reason not to have separate interfaces for all the options, but
it's easier to have a single rule to do all of them as that will be the most
common requirement.

> > +#######################################
> > +## <summary>
> > +## Allow the specified domain to write to
> > +## init sock file.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`init_write_pid_socket',`
> > + gen_require(`
> > + type init_var_run_t;
> > + ')
> > +
> > + allow $1 init_var_run_t:sock_file write;
>
> Is this unreleated to init_stream_connect()? I would think this is a
> process trying to do a unix socket tonnect to init.

It looks like it. Currently I have lots of domains having
init_stream_connect_script() explicitely in their policy and also
init_write_pid_socket(daemon).

Should we have a single interface for both accesses and allow daemon to do it?

> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Read init unnamed pipes.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`init_read_pipes',`
>
> init_read_pid_pipes()

OK.

> > +########################################
> > +## <summary>
> > +## Rename and unlink init_var_run_t files
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## domain
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`rename_unlink_init_var_run',`
>
> init_delete_pid_files(). Also please move after the init_create_pid_dirs()
>

OK.

> > + gen_require(`
> > + type init_var_run_t;
> > + ')
> > +
> > + allow $1 init_var_run_t:file { rename getattr unlink };
>
> Please use a delete_files_pattern

OK.

> > +')
> > Index: refpolicy-2.20170220/policy/modules/system/init.te
> >
===================================================================
> > --- refpolicy-2.20170220.orig/policy/modules/system/init.te
> > +++ refpolicy-2.20170220/policy/modules/system/init.te
> > @@ -16,13 +16,29 @@ gen_require(`
> >
> > ## </desc>
> > gen_tunable(init_upstart, false)
> >
> > +## <desc>
> > +## <p>
> > +## Allow all daemons the ability to read/write terminals
> > +## </p>
> > +## </desc>
> > +gen_tunable(allow_daemons_use_tty, false)
> > +
> > +## <desc>
> > +## <p>
> > +## Allow all daemons to write corefiles to /
> > +## </p>
> > +## </desc>
> > +gen_tunable(allow_daemons_dump_core, false)
>
> I'd prefer to have new tunables to be prefixed with the module name, so
> init_daemons_dump_core, etc.

OK

> > # slapd needs to read cert files from its initscript
> >
> > -miscfiles_read_generic_certs(initrc_t)
> > +miscfiles_manage_generic_cert_files(initrc_t)
> > +
> > +optional_policy(`
> > + init_get_system_status(initrc_t)
> > +')
>
> Making this optional should have no effect as all the types are in the
> same module.

ok

> The below should have a new section header for "Rules applied to all
> daemons." and also moving the initrc_t stuff up with the other initrc_t
> rules.

OK.

> However, I'm also very concerned about how many rules are a being
> blanketed onto all daemons. It seems extremely excessive.

Well there's not much change really and the biggest change is one that
defaults to off.

> > +optional_policy(`
> > + unconfined_dontaudit_rw_pipes(daemon)
> > + unconfined_dontaudit_rw_stream(daemon)
> > + userdom_dontaudit_read_user_tmp_files(daemon)
> > + userdom_dontaudit_write_user_tmp_files(daemon)
> > +')
>
> This looks like it should be split up into separate optionals

ok

> There is already an init_systemd block for these to be put in.
>
> > +ifdef(`init_systemd',`
> > + allow init_t self:system { status reboot halt reload };
> > +
> > + allow init_t self:unix_dgram_socket { create_socket_perms sendto };

OK.

> > +ifdef(`init_systemd', `
> > + dev_read_kmsg(syslogd_t)
> > + dev_write_kmsg(syslogd_t)
> > + allow syslogd_t self:capability sys_ptrace;
>
> These should be moved down into the existing init_systemd

ok

> > ########################################
> > #
> > # Auditctl local policy
> >
> > @@ -230,6 +250,9 @@ optional_policy(`
> >
> > udev_read_db(auditd_t)
> >
> > ')
> >
> > +# for systemd but can not be conditional
> > +filetrans_pattern(syslogd_t, var_run_t, syslogd_tmp_t, dir, "log")
>
> Neeeds to use interfaces and move down with the syslogd_t->syslogd_tmp_t
> rules.

ok

> > +## Append to all log files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`logging_inherit_append_all_logs',`
>
> logging_append_all_inherited_logs()

ok

> > +
> > +########################################
> > +## <summary>
> > +## Read and write a lvm unnamed pipe.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lvm_rw_pipes',`
> > + gen_require(`
> > + type lvm_var_run_t;
> > + ')
> > +
> > + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
> > +')
>
> lvm_rw_inherited_runtime_pipes()

ok

> > +interface(`files_manage_root_files',`
> > + gen_require(`
> > + type root_t;
> > + ')
> > +
> > + manage_files_pattern($1, root_t, root_t)
> > +')
>
> I'm wondering if it makes sense to have a new type, so root_t can stay
> for / only.

I've deleted it from my policy.

The kernel has had the ability to support dumping core in other directories
for a long time. So you could create a mode 1733 directory somewhere to store
core files. Also systemd now manages them.

I was dubious about this policy all along and have now decided that it's
generally a bad idea. It just makes audit2allow prompt users to allowing this
whenever a daemon tries to do something inappropriate.

> > --- refpolicy-2.20170220.orig/policy/modules/system/systemd.if
> > +++ refpolicy-2.20170220/policy/modules/system/systemd.if
> > @@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
> >
> > ')
> >
> > files_search_pids($1)
> >
> > - read_files_pattern($1, systemd_logind_var_run_t,
> > systemd_logind_var_run_t) + allow $1 systemd_logind_var_run_t:dir
> > list_dir_perms;
> > + allow $1 systemd_logind_var_run_t:file read_file_perms;
>
> This second rule is redundant.

Not when you remove the read_files_pattern line.

> > +#######################################
> > +## <summary>
> > +## Allow systemd_tmpfiles_t to manage filesystem objects
> > +## </summary>
> > +## <param name="type">
> > +## <summary>
> > +## type of object to manage
> > +## </summary>
> > +## </param>
> > +## <param name="class">
> > +## <summary>
> > +## object class to manage
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`systemd_tmpfiles_manage_object',`
>
> systemd_tmpfilesd_managed()

ok

> > +## allow systemd_passwd_agent to inherit fds
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain that owns the fds
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`systemd_passwd_agent_inherits_fd',`
>
> systemd_use_passwd_agent_fds

ok

> > +########################################
> > +## <summary>
> > +## Transition to systemd named content
> > +## need a better name for this
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`systemd_filetrans_named_content',`
>
> I'm struggling on the naming for this too, though I don't think
> named_content fits, but something like systemd_passd_pid_dirs or
> systemd_passwd_runtime_dirs

I've changed it to the latter.

> > +########################################
> > +## <summary>
> > +## manage systemd unit dirs and the files in them
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`systemd_manage_unit_dirs_files',`
>
> systemd_manage_all_units

ok

> > +########################################
> > +## <summary>
> > +## Do not audit attempts to read and write
> > +## unconfined domain stream.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain to not audit.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`unconfined_dontaudit_rw_stream',`
>
> unconfined_dontaudit_rw_stream_sockets()

ok

I'll send you a new patch shortly.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/