2017-04-02 06:45:28

by Russell Coker

Subject: [refpolicy] [PATCH] systemd related changes

This patch has changes for other daemons that are related to systemd.
Some are for scripts calling systemd interfaces, and some are changes
directly related to systemd (like the udev and lvm ones).


Description: Make systemd work
Author: Russell Coker <[email protected]>

Index: refpolicy-2.20170329/policy/modules/contrib/apache.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/apache.te
+++ refpolicy-2.20170329/policy/modules/contrib/apache.te
@@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t)

userdom_use_unpriv_users_fds(httpd_t)

+ifdef(`init_systemd', `
+ systemd_manage_passwd_run(httpd_t)
+')
+
ifdef(`TODO',`
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
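Review bot: `systemd_manage_passwd_run(httpd_t)` carries no comment saying which httpd operation needs it, and the interface it names (defined in the systemd.if hunk of this patch) grants manage permissions on `systemd_passwd_var_run_t` files and sock_files plus signull/sendto from the agent, which is more than a read-only consumer of the password agent would need. A one-line why-comment above the call, e.g. `# <httpd feature that talks to the systemd password agent — fill in>`, would let a later reviewer judge whether manage is really required. This hunk gates the call with `ifdef(`init_systemd'`, whereas the other .te hunks in the patch wrap their `systemd_*` calls in `optional_policy(`…')`; using one pattern throughout would make the patch easier to audit.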
Index: refpolicy-2.20170329/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170329/policy/modules/contrib/cron.te
@@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_get_system_status(system_cronjob_t)

auth_domtrans_chk_passwd(crond_t)
auth_manage_var_auth(crond_t)
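Review bot: `init_stop_all_units(system_cronjob_t)` and `init_start_all_units(system_cronjob_t)` let every system cron job start or stop any systemd unit or init script, which is a broad grant for a domain that runs arbitrary scheduled scripts; if the intent is only that particular jobs restart particular daemons (the next hunk's comment says "so cron jobs can restart daemons"), a narrower interface or a tunable would keep the rest of the policy's unit permissions meaningful. The four rules are also inserted among the `crond_t` rules (`init_spec_domtrans_script(crond_t)` directly above) although they target `system_cronjob_t`; refpolicy groups rules by subject domain, so they belong in the `system_cronjob_t` section of the file. They are unconditional as well, unlike the same calls in the unconfined.te hunk, which sit inside `optional_policy`.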
@@ -417,6 +421,17 @@ optional_policy(`
')

optional_policy(`
+ systemd_use_logind_fds(crond_t)
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+optional_policy(`
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # so cron jobs can restart daemons
+ init_stream_connect(system_cronjob_t)
+')
+
+optional_policy(`
udev_read_db(crond_t)
')

Index: refpolicy-2.20170329/policy/modules/contrib/networkmanager.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/networkmanager.te
+++ refpolicy-2.20170329/policy/modules/contrib/networkmanager.te
@@ -340,6 +340,11 @@ optional_policy(`
')

optional_policy(`
+ systemd_use_logind_fds(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
udev_read_pid_files(NetworkManager_t)
Index: refpolicy-2.20170329/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20170329/policy/modules/services/ssh.te
@@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',`
')

optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(sshd_t)
+ systemd_dbus_chat_logind(sshd_t)
+')
+
+optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
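Review bot: The new systemd `optional_policy` block is inserted ahead of the existing `daemontools_service_domain` block; refpolicy keeps `optional_policy` blocks in alphabetical order by the module they call, so the new block should follow daemontools. The same placement issue appears in dbus.te (systemd block before `bluetooth_stream_connect`), unconfined.te (init block before `ada_domtrans`), and locallogin.te, where the new `optional_policy` block lands before a `tunable_policy` block even though tunable blocks precede optional ones in that convention. If this tree has relaxed the ordering rule, disregard; otherwise moving the blocks is a mechanical fix.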

Index: refpolicy-2.20170329/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170329/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',`

allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
+allow udev_t self:capability2 { wake_alarm block_suspend };
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
@@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
+files_read_kernel_modules(udev_t)
files_exec_etc_files(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
@@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)

init_read_utmp(udev_t)
+# systemd-udevd searches /run/systemd
+init_search_run(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)

+# for hdparm init script run by udev
+initrc_service_status(udev_t)
+
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
logging_send_audit_msgs(udev_t)
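Review bot: `initrc_service_status(udev_t)` calls an interface this patch defines in init.if with an `initrc_` prefix, unlike every other init.if interface (`init_search_run` two lines above, `init_getattr_initctl`); if the definition is renamed to the file's `init_*` convention this call must follow. The comment `# for hdparm init script run by udev` names the script but not what is queried; `# udev rules run the hdparm init script, which checks its own service status` (if that is the mechanism) would be clearer. The udev_t rule section continues outside the hunk.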
@@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)

+systemd_read_logind_sessions_files(udev_t)
+init_start_all_units(udev_t)
+init_stop_all_units(udev_t)
+
userdom_dontaudit_search_user_home_content(udev_t)

ifdef(`distro_debian',`
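Review bot: `init_start_all_units(udev_t)` and `init_stop_all_units(udev_t)` let the device manager start or stop every systemd unit and init script, with no comment saying which udev rule or helper needs it, while the other additions to this file (`init_search_run`, `initrc_service_status`) do carry a reason. If the need is limited to specific units, a narrower grant plus a why-comment such as `# udev rule <name> starts/stops <unit> — confirm` keeps this from becoming a general service-control path. `systemd_read_logind_sessions_files(udev_t)` is also called bare here, whereas networkmanager.te and dbus.te wrap the same kind of call in `optional_policy` (policykit.te has the same bare calls); one pattern for the whole patch would be better.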
Index: refpolicy-2.20170329/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20170329/policy/modules/contrib/logrotate.te
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
#

allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
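Review bot: Removing `setrlimit` from the negated set grants `self:process setrlimit` to `logrotate_t`, but nothing in the hunk or the commit message says which logrotate operation or postrotate helper changes its own limits. A why-comment on the changed line, e.g. `# setrlimit: <which helper raises its limits — fill in>`, would record the trigger so the grant can be revisited later.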
@@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)

init_all_labeled_script_domtrans(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+
+dbus_system_bus_client(logrotate_t)
+init_write_pid_socket(logrotate_t)

logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
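Review bot: `dbus_system_bus_client(logrotate_t)` is a contrib dbus interface called unconditionally in the middle of the `init_*` rules; refpolicy wraps dbus calls in `optional_policy` and groups them with the other optional blocks, and the ntp.te hunk of this patch has the same bare `dbus_*` calls inside its `init_systemd` section. `init_write_pid_socket(logrotate_t)` is separated from the other `init_*` lines by a blank line and the unrelated dbus call; move it up with them. The two `init_get_*_units_status(logrotate_t)` lines are subsumed by the `init_manage_all_units(logrotate_t)` added in the next hunk, so they become redundant if that grant stays.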
@@ -126,6 +133,8 @@ ifdef(`distro_debian',`
logging_read_syslog_config(logrotate_t)
')

+init_manage_all_units(logrotate_t)
+
optional_policy(`
abrt_manage_cache(logrotate_t)
')
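Review bot: `init_manage_all_units(logrotate_t)` gives a log-rotation job every service permission on every systemd unit (the interface added in init.if by this patch uses `all_service_perms`), far beyond the reload or restart that postrotate scripts issue; `init_reload_all_units` or start/stop limited to the daemons whose logs it rotates would match the actual need. It is also placed after the `distro_debian` block rather than with the other `init_*` calls earlier in the file. Whichever interface is kept should carry a comment naming the postrotate action that needs it.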
Index: refpolicy-2.20170329/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170329/policy/modules/system/lvm.te
@@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_
files_etc_filetrans(lvm_t, lvm_metadata_t, file)
files_search_mnt(lvm_t)

+kernel_request_load_module(lvm_t)
kernel_get_sysvipc_info(lvm_t)
kernel_read_system_state(lvm_t)
# Read system variables in /proc/sys
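Review bot: `kernel_request_load_module(lvm_t)` is the only lvm.te addition without a why-comment, although the next two hunks explain theirs (`# for systemd-cryptsetup`). Because the lvm.fc hunk now routes `systemd-cryptsetup` into `lvm_t`, it is worth recording whether the module-load request comes from that binary or from lvm itself, e.g. `# systemd-cryptsetup triggers autoload of dm/crypto modules — confirm`.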
@@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
+# for systemd-cryptsetup
+kernel_read_crypto_sysctls(lvm_t)
kernel_search_debugfs(lvm_t)

corecmd_exec_bin(lvm_t)
@@ -301,6 +304,8 @@ init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
+# for systemd-cryptsetup to talk to /run/systemd/journal/socket
+init_stream_connect(lvm_t)

logging_send_syslog_msg(lvm_t)

Index: refpolicy-2.20170329/policy/modules/contrib/dbus.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/dbus.te
+++ refpolicy-2.20170329/policy/modules/contrib/dbus.te
@@ -144,6 +144,14 @@ userdom_dontaudit_use_unpriv_user_fds(sy
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)

optional_policy(`
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(system_dbusd_t)
+ systemd_use_logind_fds(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_login_write_pid_pipe(system_dbusd_t)
+')
+
+optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
')

Index: refpolicy-2.20170329/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20170329/policy/modules/system/unconfined.te
@@ -59,6 +59,17 @@ ifdef(`direct_sysadm_daemon',`
')

optional_policy(`
+ init_get_system_status(unconfined_t)
+ init_reload(unconfined_t)
+ init_manage_script_service(unconfined_t)
+ dev_manage_null_service(unconfined_t)
+ init_get_all_units_status(unconfined_t)
+ init_start_all_units(unconfined_t)
+ init_stop_all_units(unconfined_t)
+ init_reload_all_units(unconfined_t)
+')
+
+optional_policy(`
ada_domtrans(unconfined_t)
')

Index: refpolicy-2.20170329/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170329/policy/modules/system/logging.if
@@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',`
# will write to the console.
term_write_console($1)
term_dontaudit_read_console($1)
+
+ # because systemd is now using /run/systemd/journal/dev-log
+ init_search_run($1)
')

########################################
Index: refpolicy-2.20170329/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170329/policy/modules/system/locallogin.te
@@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',`
')
')

+optional_policy(`
+ systemd_dbus_chat_logind(local_login_t)
+ systemd_write_inherited_logind_sessions_pipes(local_login_t)
+')
+
tunable_policy(`console_login',`
# Able to relabel /dev/console to user tty types.
term_relabel_console(local_login_t)
Index: refpolicy-2.20170329/policy/modules/contrib/policykit.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/policykit.te
+++ refpolicy-2.20170329/policy/modules/contrib/policykit.te
@@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t)
userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)

+# for /run/systemd/machines
+systemd_read_machines(policykit_t)
+
+# for /run/systemd/seats/seat*
+systemd_read_logind_sessions_files(policykit_t)
+
+# for /run/systemd/users/*
+systemd_read_logind_pids(policykit_t)
+
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)

Index: refpolicy-2.20170329/policy/modules/contrib/dbus.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/dbus.if
+++ refpolicy-2.20170329/policy/modules/contrib/dbus.if
@@ -88,6 +88,10 @@ template(`dbus_role_template',`
ifdef(`hide_broken_symptoms',`
dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
+
+ optional_policy(`
+ systemd_read_logind_pids($1_dbusd_t)
+ ')
')

#######################################
Index: refpolicy-2.20170329/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170329/policy/modules/kernel/files.if
@@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
allow $1 etc_t:service status;
')

+########################################
+## <summary>
+## start etc_t service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_etc_unit_start',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service start;
+')
+
+########################################
+## <summary>
+## stop etc_t service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_etc_unit_stop',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service stop;
+')
+
#######################################
## <summary>
## Relabel from and to generic files in /etc.
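Review bot: The `gen_require` blocks of `files_etc_unit_start` and `files_etc_unit_stop` declare only `type etc_t;`, while the new interfaces in init.if and sysadm.if in this patch that use an object class also require it (`class service status;` in `initrc_service_status`); add `class service start;` and `class service stop;` respectively so each interface states every symbol it relies on. The summaries `start etc_t service` / `stop etc_t service` would read better as `Start systemd units labeled etc_t.` and `Stop systemd units labeled etc_t.`. Since these grant control over every unit file that carries only the generic `etc_t` label, a sentence in a `<desc>` saying so would help callers understand the breadth.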
Index: refpolicy-2.20170329/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170329/policy/modules/system/unconfined.if
@@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
+ class service all_service_perms;
')

# Use most Linux capabilities
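Review bot: The added `class service all_service_perms;` in the `gen_require` of `unconfined_domain_noaudit` has no matching rule in either hunk of this file: the second hunk only calls `files_get_etc_unit_status`, `files_etc_unit_start` and `files_etc_unit_stop`, which carry their own requirements. If nothing in the unseen remainder of the interface body uses the `service` class directly, the require line is dead and should be dropped; otherwise a short comment naming the rule that needs it would help. The interface body extends beyond both hunks.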
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
+ files_get_etc_unit_status($1)
+ files_etc_unit_start($1)
+ files_etc_unit_stop($1)

tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
Index: refpolicy-2.20170329/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170329/policy/modules/roles/sysadm.te
@@ -44,9 +44,8 @@ init_enable(sysadm_t)
init_reload(sysadm_t)
init_reboot_system(sysadm_t)
init_shutdown_system(sysadm_t)
-init_start_generic_units(sysadm_t)
-init_stop_generic_units(sysadm_t)
-init_reload_generic_units(sysadm_t)
+init_manage_all_units(sysadm_t)
+init_manage_script_service(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy-2.20170329/policy/modules/system/lvm.fc
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
+++ refpolicy-2.20170329/policy/modules/system/lvm.fc
@@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`

/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
Index: refpolicy-2.20170329/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170329/policy/modules/contrib/mta.te
@@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst

init_use_script_ptys(system_mail_t)
init_use_fds(system_mail_t)
+init_rw_stream_sockets(system_mail_t)

userdom_use_user_terminals(system_mail_t)

Index: refpolicy-2.20170329/policy/modules/kernel/terminal.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.te
+++ refpolicy-2.20170329/policy/modules/kernel/terminal.te
@@ -19,6 +19,8 @@ dev_node(bsdpty_device_t)
#
type console_device_t;
dev_node(console_device_t)
+# for /dev/pts/0
+allow console_device_t devpts_t:filesystem associate;

#
# devpts_t is the type of the devpts file system and
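Review bot: The comment `# for /dev/pts/0` on `allow console_device_t devpts_t:filesystem associate;` says where the denial showed up but not which component labels a pty as `console_device_t`, and because this is the kernel layer the rule applies to every system built from the tree. A comment naming the producer of such a node, e.g. `# <component> presents a devpts node labeled console_device_t as /dev/console — confirm`, would let the rule be revisited. If that component exists only on systemd systems, the `ifdef(`init_systemd'` guard used elsewhere in this patch would keep the rule from reaching others.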
Index: refpolicy-2.20170329/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170329/policy/modules/services/xserver.te
@@ -285,6 +285,10 @@ files_search_pids(xauth_t)
fs_getattr_xattr_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)

+allow xauth_t xdm_t:fd use;
+allow xauth_t xdm_t:fifo_file { getattr read };
+allow xauth_t xdm_t:unix_stream_socket { read write };
+
# cjp: why?
term_use_ptmx(xauth_t)

Index: refpolicy-2.20170329/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20170329/policy/modules/system/sysnetwork.if
@@ -413,7 +413,7 @@ interface(`sysnet_create_config',`
')

files_search_etc($1)
- allow $1 net_conf_t:file create_file_perms;
+ allow $1 net_conf_t:file { relabelfrom relabelto manage_file_perms };
')
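Review bot: Changing `sysnet_create_config` from `create_file_perms` to `{ relabelfrom relabelto manage_file_perms }` silently widens every existing caller of an interface whose name still promises only creation, and it overlaps with the existing `sysnet_manage_config` (called from udev.te in this patch). Keep `sysnet_create_config` as it was, give the domain that hit the relabel denial `sysnet_manage_config` plus a separate relabel interface (e.g. a new `sysnet_relabel_config`), and note in the commit which domain that was. The interface header is above the hunk, so I cannot see whether its summary was updated to match the new permissions.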

#######################################
Index: refpolicy-2.20170329/policy/modules/contrib/ntp.fc
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/ntp.fc
+++ refpolicy-2.20170329/policy/modules/contrib/ntp.fc
@@ -15,6 +15,8 @@

/usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
/usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)

/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -23,6 +25,7 @@
/var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)

/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)

Index: refpolicy-2.20170329/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170329/policy/modules/contrib/ntp.te
@@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t)
dev_read_sysfs(ntpd_t)
dev_read_urand(ntpd_t)
dev_rw_realtime_clock(ntpd_t)
+clock_read_adjtime(ntpd_t)

domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
@@ -142,6 +143,26 @@ miscfiles_read_localization(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)

+ifdef(`init_systemd',`
+ dbus_system_bus_client(ntpd_t)
+ dbus_connect_system_bus(ntpd_t)
+ init_dbus_chat(ntpd_t)
+ init_get_system_status(ntpd_t)
+ sysadm_dbus_chat(ntpd_t)
+ allow ntpd_t self:capability { fowner setpcap };
+ init_reload(ntpd_t)
+
+ # for /var/lib/systemd/clock
+ init_list_var_lib_dirs(ntpd_t)
+
+ # for /run/systemd/netif/links
+ init_list_pid_dirs(ntpd_t)
+
+ optional_policy(`
+ unconfined_dbus_send(ntpd_t)
+ ')
+')
+
optional_policy(`
cron_system_entry(ntpd_t, ntpdate_exec_t)
')
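Review bot: Labeling systemd-timedated and systemd-timesyncd as `ntpd_exec_t` (ntp.fc hunk) folds two programs with different jobs into `ntpd_t`, and the privileges added here to serve them — `sysadm_dbus_chat`, `init_reload`, `self:capability { fowner setpcap }`, `unconfined_dbus_send` — are then also held by ntpd itself, which is the network-facing component; a dedicated domain for timedated, a D-Bus service that changes clock and timezone settings, would keep that surface apart from the NTP client. If a single domain is kept, each added rule needs a why-comment as the `/var/lib/systemd/clock` and `/run/systemd/netif/links` lines already have. `sysadm_dbus_chat(ntpd_t)`, `dbus_system_bus_client(ntpd_t)` and `dbus_connect_system_bus(ntpd_t)` should also sit inside `optional_policy`, since sysadm and dbus are separate modules that may be absent.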
Index: refpolicy-2.20170329/policy/modules/roles/sysadm.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.if
+++ refpolicy-2.20170329/policy/modules/roles/sysadm.if
@@ -236,3 +236,22 @@ interface(`sysadm_rw_pipes',`

allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')
+
+########################################
+## <summary>
+## talk to sysadm_t over dbus
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysadm_dbus_chat',`
+ gen_require(`
+ type sysadm_t;
+ ')
+
+ allow sysadm_t $1:dbus send_msg;
+ allow $1 sysadm_t:dbus send_msg;
+')
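Review bot: `sysadm_dbus_chat` adds two `dbus send_msg` rules but its `gen_require` declares only `type sysadm_t;`; the other new interfaces in this patch that use a class (`initrc_service_status`, `init_manage_all_units`) require it too, so add `class dbus send_msg;` for consistency. The summary `talk to sysadm_t over dbus` could be `Send and receive messages from sysadm_t over dbus.`, matching the bidirectional rules. The only caller in this patch is ntp.te, which should wrap the call in `optional_policy`; the definition itself is fine.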
Index: refpolicy-2.20170329/policy/modules/contrib/devicekit.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/contrib/devicekit.te
+++ refpolicy-2.20170329/policy/modules/contrib/devicekit.te
@@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)

init_all_labeled_script_domtrans(devicekit_power_t)
init_read_utmp(devicekit_power_t)
+init_search_run(devicekit_power_t)

miscfiles_read_localization(devicekit_power_t)

Index: refpolicy-2.20170329/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/init.if
+++ refpolicy-2.20170329/policy/modules/system/init.if
@@ -1227,6 +1227,24 @@ interface(`init_pid_filetrans',`
filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')

+######################################
+## <summary>
+## Allow listing of the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_pid_dirs',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:dir list_dir_perms;
+')
+
########################################
## <summary>
## Get the attributes of initctl.
@@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',`
allow $1 { init_script_file_type systemdunit }:service status;
')

+#######################################
+## <summary>
+## All perms on all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service all_service_perms;
+ ')
+
+ allow $1 systemdunit:service all_service_perms;
+ allow $1 systemdunit:file getattr;
+')
+
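Review bot: `init_manage_all_units` is summarized as "All perms on all systemd units", but its rule covers only the `systemdunit` attribute, whereas the sibling `init_get_all_units_status` (context at the top of the hunk) and `init_reload_all_units` (next hunk) use `{ init_script_file_type systemdunit }`; either the rule should match that set or the summary should say `All service permissions on systemd unit files (not init script services).`. Because `all_service_perms` covers more than start/stop/reload (enable and disable among them, if I recall the service class correctly), a `<desc>` spelling that out matters, since the patch hands this interface to logrotate_t and sysadm_t. The `allow $1 systemdunit:file getattr;` line has no comment explaining why file getattr accompanies the service permissions.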
########################################
## <summary>
## Start all systemd units.
@@ -2879,3 +2917,22 @@ interface(`init_reload_all_units',`

allow $1 { init_script_file_type systemdunit }:service reload;
')
+
+########################################
+## <summary>
+## Allow getting service status of initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+## <summary>
+## Target domain
+## </summary>
+## </param>
+#
+interface(`initrc_service_status',`
+ gen_require(`
+ type initrc_exec_t;
+ class service status;
+ ')
+
+ allow $1 initrc_exec_t:service status;
+')
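Review bot: `initrc_service_status` breaks the naming convention of init.if, where every interface is prefixed `init_` (see `init_reload_all_units` in the hunk context); a name such as `init_get_script_status` keeps the file greppable and matches the `init_get_*_status` pattern of its neighbours. The `<param>` summary `Target domain` also differs from the `Domain allowed access.` wording used by every other new interface in this patch. The interface is called from udev.te in this patch, so a rename must be applied there as well.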
Index: refpolicy-2.20170329/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170329/policy/modules/system/fstools.te
@@ -146,6 +146,7 @@ term_use_console(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
+init_rw_script_stream_sockets(fsadm_t)

logging_send_syslog_msg(fsadm_t)

Index: refpolicy-2.20170329/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170329.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170329/policy/modules/system/systemd.if
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip

######################################
## <summary>
+## Write systemd_login named pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_login_write_pid_pipe',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ init_search_run($1)
+ files_search_pids($1)
+ allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+')
+
+######################################
+## <summary>
## Use inherited systemd
## logind file descriptors.
## </summary>
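Review bot: `systemd_login_write_pid_pipe` does not match the naming of the existing `systemd_manage_logind_pid_pipe` visible in the hunk header, nor the `systemd_*_logind_*` pattern of the other new interfaces in this file; `systemd_write_logind_pid_pipe` would fit both. The summary `Write systemd_login named pipe.` should name the actual type, e.g. `Write the systemd-logind named pipe (systemd_logind_var_run_t).`. The enclosing `systemd_manage_logind_pid_pipe` definition ends just before this hunk, so the new interface is complete within it.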
@@ -79,6 +99,26 @@ interface(`systemd_use_logind_fds',`

######################################
## <summary>
+## Read logind sessions files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_logind_sessions_files',`
+ gen_require(`
+ type systemd_sessions_var_run_t;
+ ')
+
+ init_search_run($1)
+ allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+')
+
+######################################
+## <summary>
## Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
@@ -188,6 +228,29 @@ interface(`systemd_use_passwd_agent_fds'
allow systemd_passwd_agent_t $1:fd use;
')

+#######################################
+## <summary>
+## Send generic signals to systemd_passwd_agent processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_passwd_run',`
+ gen_require(`
+ type systemd_passwd_agent_t;
+ type systemd_passwd_var_run_t;
+ ')
+
+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+ allow systemd_passwd_agent_t $1:process signull;
+ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
+')
+
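Review bot: The summary of `systemd_manage_passwd_run` ("Send generic signals to systemd_passwd_agent processes.") describes neither of the interface's effects: it grants the caller manage permissions on `systemd_passwd_var_run_t` files and sock_files, and it lets `systemd_passwd_agent_t` send signull and unix datagrams to the caller — the caller sends no signals at all. Suggest `Manage the systemd password agent runtime files and sockets, and allow the agent to signull and send datagrams to the domain.`. Since this is the interface apache.te hands to httpd_t, an accurate summary is what lets a reader judge that grant.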
########################################
## <summary>
## Transition to systemd_passwd_var_run_t when creating dirs
@@ -383,3 +446,22 @@ interface(`systemd_tmpfilesd_managed',`

allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
')
+
+########################################
+## <summary>
+## Allow reading /run/systemd/machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can access the machines files
+## </summary>
+## </param>
+#
+interface(`systemd_read_machines',`
+ gen_require(`
+ type systemd_machined_var_run_t;
+ ')
+
+ allow $1 systemd_machined_var_run_t:dir list_dir_perms;
+ allow $1 systemd_machined_var_run_t:file read_file_perms;
+')
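Review bot: `systemd_read_machines` grants list/read on `systemd_machined_var_run_t` but, unlike `systemd_login_write_pid_pipe` and `systemd_read_logind_sessions_files` in this same patch, does not call `init_search_run($1)`; if `/run/systemd/machines` sits under the `init_var_run_t` directory as the summary's path suggests, a caller without that search permission still cannot reach the files. Adding `init_search_run($1)` before the two allow rules would make the interface self-sufficient like the other two. The `<param>` summary `Domain that can access the machines files` is also worded differently from the `Domain allowed access.` used everywhere else in the patch.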


2017-04-03 23:22:24

by Chris PeBenito

Subject: [refpolicy] [PATCH] systemd related changes

On 04/02/2017 02:45 AM, Russell Coker via refpolicy wrote:
> This patch has changes for other daemons that are related to systemd.
> Sometimes it's scripts calling systemd interfaces, and some are changes
> directly related to systemd (like the udev and lvm ones).
>
>
> Description: Make systemd work
> Author: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20170329/policy/modules/contrib/apache.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apache.te
> +++ refpolicy-2.20170329/policy/modules/contrib/apache.te
> @@ -532,6 +532,10 @@ seutil_dontaudit_search_config(httpd_t)
>
> userdom_use_unpriv_users_fds(httpd_t)
>
> +ifdef(`init_systemd', `
> + systemd_manage_passwd_run(httpd_t)
> +')
> +
> ifdef(`TODO',`
> tunable_policy(`allow_httpd_mod_auth_pam',`
> auth_domtrans_chk_passwd(httpd_t)
> Index: refpolicy-2.20170329/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170329/policy/modules/contrib/cron.te
> @@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
> init_read_state(crond_t)
> init_rw_utmp(crond_t)
> init_spec_domtrans_script(crond_t)
> +init_stop_all_units(system_cronjob_t)
> +init_start_all_units(system_cronjob_t)
> +init_get_generic_units_status(system_cronjob_t)
> +init_get_system_status(system_cronjob_t)
>
> auth_domtrans_chk_passwd(crond_t)
> auth_manage_var_auth(crond_t)
> @@ -417,6 +421,17 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_use_logind_fds(crond_t)
> + systemd_write_inherited_logind_sessions_pipes(crond_t)

It looks like there are several instances of inheriting the logind fds
and writing the inherited pipes. Is there some pattern?


> +')
> +optional_policy(`
> + systemd_dbus_chat_logind(system_cronjob_t)
> + systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> + # so cron jobs can restart daemons
> + init_stream_connect(system_cronjob_t)
> +')
> +
> +optional_policy(`
> udev_read_db(crond_t)
> ')
>
> Index: refpolicy-2.20170329/policy/modules/contrib/networkmanager.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/networkmanager.te
> +++ refpolicy-2.20170329/policy/modules/contrib/networkmanager.te
> @@ -340,6 +340,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_use_logind_fds(NetworkManager_t)
> + systemd_read_logind_sessions_files(NetworkManager_t)
> +')
> +
> +optional_policy(`
> udev_exec(NetworkManager_t)
> udev_read_db(NetworkManager_t)
> udev_read_pid_files(NetworkManager_t)
> Index: refpolicy-2.20170329/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20170329/policy/modules/services/ssh.te
> @@ -290,6 +290,11 @@ tunable_policy(`ssh_sysadm_login',`
> ')
>
> optional_policy(`
> + systemd_write_inherited_logind_sessions_pipes(sshd_t)
> + systemd_dbus_chat_logind(sshd_t)
> +')
> +
> +optional_policy(`
> daemontools_service_domain(sshd_t, sshd_exec_t)
> ')
>
> Index: refpolicy-2.20170329/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170329/policy/modules/system/udev.te
> @@ -40,7 +40,7 @@ ifdef(`enable_mcs',`
>
> allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
> dontaudit udev_t self:capability sys_tty_config;
> -allow udev_t self:capability2 block_suspend;
> +allow udev_t self:capability2 { wake_alarm block_suspend };
> allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow udev_t self:process { execmem setfscreate };
> allow udev_t self:fd use;
> @@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev
> files_read_usr_files(udev_t)
> files_read_etc_runtime_files(udev_t)
> files_read_etc_files(udev_t)
> +files_read_kernel_modules(udev_t)
> files_exec_etc_files(udev_t)
> files_getattr_generic_locks(udev_t)
> files_search_mnt(udev_t)
> @@ -148,9 +149,14 @@ auth_domtrans_pam_console(udev_t)
> auth_use_nsswitch(udev_t)
>
> init_read_utmp(udev_t)
> +# systemd-udevd searches /run/systemd
> +init_search_run(udev_t)
> init_dontaudit_write_utmp(udev_t)
> init_getattr_initctl(udev_t)
>
> +# for hdparm init script run by udev
> +initrc_service_status(udev_t)
> +
> logging_search_logs(udev_t)
> logging_send_syslog_msg(udev_t)
> logging_send_audit_msgs(udev_t)
> @@ -177,6 +183,10 @@ sysnet_signal_dhcpc(udev_t)
> sysnet_manage_config(udev_t)
> sysnet_etc_filetrans_config(udev_t)
>
> +systemd_read_logind_sessions_files(udev_t)
> +init_start_all_units(udev_t)
> +init_stop_all_units(udev_t)
> +
> userdom_dontaudit_search_user_home_content(udev_t)
>
> ifdef(`distro_debian',`
> Index: refpolicy-2.20170329/policy/modules/contrib/logrotate.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20170329/policy/modules/contrib/logrotate.te
> @@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
> #
>
> allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
> +allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
> allow logrotate_t self:fd use;
> allow logrotate_t self:key manage_key_perms;
> allow logrotate_t self:fifo_file rw_fifo_file_perms;
> @@ -102,6 +102,13 @@ auth_manage_login_records(logrotate_t)
> auth_use_nsswitch(logrotate_t)
>
> init_all_labeled_script_domtrans(logrotate_t)
> +init_get_generic_units_status(logrotate_t)
> +init_get_all_units_status(logrotate_t)
> +init_dbus_chat(logrotate_t)
> +init_stream_connect(logrotate_t)
> +
> +dbus_system_bus_client(logrotate_t)
> +init_write_pid_socket(logrotate_t)
>
> logging_manage_all_logs(logrotate_t)
> logging_send_syslog_msg(logrotate_t)
> @@ -126,6 +133,8 @@ ifdef(`distro_debian',`
> logging_read_syslog_config(logrotate_t)
> ')
>
> +init_manage_all_units(logrotate_t)
> +
> optional_policy(`
> abrt_manage_cache(logrotate_t)
> ')
> Index: refpolicy-2.20170329/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170329/policy/modules/system/lvm.te
> @@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_
> files_etc_filetrans(lvm_t, lvm_metadata_t, file)
> files_search_mnt(lvm_t)
>
> +kernel_request_load_module(lvm_t)
> kernel_get_sysvipc_info(lvm_t)
> kernel_read_system_state(lvm_t)
> # Read system variables in /proc/sys
> @@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t)
> # it has no reason to need this
> kernel_dontaudit_getattr_core_if(lvm_t)
> kernel_use_fds(lvm_t)
> +# for systemd-cryptsetup
> +kernel_read_crypto_sysctls(lvm_t)
> kernel_search_debugfs(lvm_t)
>
> corecmd_exec_bin(lvm_t)
> @@ -301,6 +304,8 @@ init_use_fds(lvm_t)
> init_dontaudit_getattr_initctl(lvm_t)
> init_use_script_ptys(lvm_t)
> init_read_script_state(lvm_t)
> +# for systemd-cryptsetup to talk to /run/systemd/journal/socket
> +init_stream_connect(lvm_t)
>
> logging_send_syslog_msg(lvm_t)
>
> Index: refpolicy-2.20170329/policy/modules/contrib/dbus.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dbus.te
> +++ refpolicy-2.20170329/policy/modules/contrib/dbus.te
> @@ -144,6 +144,14 @@ userdom_dontaudit_use_unpriv_user_fds(sy
> userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
>
> optional_policy(`
> + # for /run/systemd/users/*
> + systemd_read_logind_pids(system_dbusd_t)
> + systemd_use_logind_fds(system_dbusd_t)
> + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
> + systemd_login_write_pid_pipe(system_dbusd_t)
> +')
> +
> +optional_policy(`
> bluetooth_stream_connect(system_dbusd_t)
> ')
>
> Index: refpolicy-2.20170329/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20170329/policy/modules/system/unconfined.te
> @@ -59,6 +59,17 @@ ifdef(`direct_sysadm_daemon',`
> ')
>
> optional_policy(`
> + init_get_system_status(unconfined_t)
> + init_reload(unconfined_t)
> + init_manage_script_service(unconfined_t)
> + dev_manage_null_service(unconfined_t)
> + init_get_all_units_status(unconfined_t)
> + init_start_all_units(unconfined_t)
> + init_stop_all_units(unconfined_t)
> + init_reload_all_units(unconfined_t)
> +')

Perhaps we should make an init_unconfined() or systemd_unconfined().


> +optional_policy(`
> ada_domtrans(unconfined_t)
> ')
>
> Index: refpolicy-2.20170329/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170329/policy/modules/system/logging.if
> @@ -624,6 +624,9 @@ interface(`logging_send_syslog_msg',`
> # will write to the console.
> term_write_console($1)
> term_dontaudit_read_console($1)
> +
> + # because systemd is now using /run/systemd/journal/dev-log
> + init_search_run($1)
> ')
>
> ########################################
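Review bot: `init_search_run($1)` is added unconditionally inside `logging_send_syslog_msg`, so every domain that sends syslog gains search on the init run directory even on non-systemd builds, although the comment says the need comes from systemd providing /run/systemd/journal/dev-log. The apache.te and ntp.te hunks of this series gate their systemd-only rules with an init_systemd ifdef block; wrapping this single call the same way keeps the grant scoped to the builds that need it.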
> Index: refpolicy-2.20170329/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20170329/policy/modules/system/locallogin.te
> @@ -147,6 +147,11 @@ ifdef(`distro_ubuntu',`
> ')
> ')
>
> +optional_policy(`
> + systemd_dbus_chat_logind(local_login_t)
> + systemd_write_inherited_logind_sessions_pipes(local_login_t)
> +')
> +
> tunable_policy(`console_login',`
> # Able to relabel /dev/console to user tty types.
> term_relabel_console(local_login_t)
> Index: refpolicy-2.20170329/policy/modules/contrib/policykit.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/policykit.te
> +++ refpolicy-2.20170329/policy/modules/contrib/policykit.te
> @@ -102,6 +102,15 @@ auth_use_nsswitch(policykit_t)
> userdom_getattr_all_users(policykit_t)
> userdom_read_all_users_state(policykit_t)
>
> +# for /run/systemd/machines
> +systemd_read_machines(policykit_t)
> +
> +# for /run/systemd/seats/seat*
> +systemd_read_logind_sessions_files(policykit_t)
> +
> +# for /run/systemd/users/*
> +systemd_read_logind_pids(policykit_t)
> +
> optional_policy(`
> dbus_system_domain(policykit_t, policykit_exec_t)
>
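Review bot: The three `systemd_read_*` calls are added bare, while every other consumer of systemd.if interfaces in this series (dbus.te, dbus.if, locallogin.te, crond in cron.te) wraps them in `optional_policy`, so policykit.te would presumably fail to build wherever the systemd module is absent; wrapping the three lines the same way keeps the module consistent. Separately, the comment `# for /run/systemd/seats/seat*` sits above `systemd_read_logind_sessions_files`, whose body in the systemd.if hunk reads systemd_sessions_var_run_t — if the seats directory carries that label the comment is fine, otherwise it names the wrong path; worth confirming.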
> Index: refpolicy-2.20170329/policy/modules/contrib/dbus.if
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dbus.if
> +++ refpolicy-2.20170329/policy/modules/contrib/dbus.if
> @@ -88,6 +88,10 @@ template(`dbus_role_template',`
> ifdef(`hide_broken_symptoms',`
> dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
> ')
> +
> + optional_policy(`
> + systemd_read_logind_pids($1_dbusd_t)
> + ')
> ')
>
> #######################################
> Index: refpolicy-2.20170329/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170329/policy/modules/kernel/files.if
> @@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
> allow $1 etc_t:service status;
> ')
>
> +########################################
> +## <summary>
> +## start etc_t service
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_etc_unit_start',`

Here (and below): files_start_etc_service() and files_stop_...

> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +## stop etc_t service
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_etc_unit_stop',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:service stop;
> +')
> +
> #######################################
> ## <summary>
> ## Relabel from and to generic files in /etc.
> Index: refpolicy-2.20170329/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170329/policy/modules/system/unconfined.if
> @@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',`
> class dbus all_dbus_perms;
> class nscd all_nscd_perms;
> class passwd all_passwd_perms;
> + class service all_service_perms;
> ')
>
> # Use most Linux capabilities
> @@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',`
> files_unconfined($1)
> fs_unconfined($1)
> selinux_unconfined($1)
> + files_get_etc_unit_status($1)
> + files_etc_unit_start($1)
> + files_etc_unit_stop($1)
>
> tunable_policy(`allow_execheap',`
> # Allow making the stack executable via mprotect.
> Index: refpolicy-2.20170329/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20170329/policy/modules/roles/sysadm.te
> @@ -44,9 +44,8 @@ init_enable(sysadm_t)
> init_reload(sysadm_t)
> init_reboot_system(sysadm_t)
> init_shutdown_system(sysadm_t)
> -init_start_generic_units(sysadm_t)
> -init_stop_generic_units(sysadm_t)
> -init_reload_generic_units(sysadm_t)
> +init_manage_all_units(sysadm_t)
> +init_manage_script_service(sysadm_t)
>
> # Add/remove user home directories
> userdom_manage_user_home_dirs(sysadm_t)
> Index: refpolicy-2.20170329/policy/modules/system/lvm.fc
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
> +++ refpolicy-2.20170329/policy/modules/system/lvm.fc
> @@ -24,6 +24,7 @@ ifdef(`distro_gentoo',`
>
> /usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
> +/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
> /usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
> /usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
> Index: refpolicy-2.20170329/policy/modules/contrib/mta.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/mta.te
> +++ refpolicy-2.20170329/policy/modules/contrib/mta.te
> @@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(syst
>
> init_use_script_ptys(system_mail_t)
> init_use_fds(system_mail_t)
> +init_rw_stream_sockets(system_mail_t)
>
> userdom_use_user_terminals(system_mail_t)
>
> Index: refpolicy-2.20170329/policy/modules/kernel/terminal.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.te
> +++ refpolicy-2.20170329/policy/modules/kernel/terminal.te
> @@ -19,6 +19,8 @@ dev_node(bsdpty_device_t)
> #
> type console_device_t;
> dev_node(console_device_t)
> +# for /dev/pts/0
> +allow console_device_t devpts_t:filesystem associate;

This doesn't seem right. Why would a pty be the console?


> #
> # devpts_t is the type of the devpts file system and
> Index: refpolicy-2.20170329/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20170329/policy/modules/services/xserver.te
> @@ -285,6 +285,10 @@ files_search_pids(xauth_t)
> fs_getattr_xattr_fs(xauth_t)
> fs_search_auto_mountpoints(xauth_t)
>
> +allow xauth_t xdm_t:fd use;
> +allow xauth_t xdm_t:fifo_file { getattr read };
> +allow xauth_t xdm_t:unix_stream_socket { read write };
> +
> # cjp: why?
> term_use_ptmx(xauth_t)
>
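Review bot: Three raw allow rules on xdm_t objects are added without a comment, in a file whose very next line shows the local convention of annotating unexplained grants (`# cjp: why?`). They read like xauth_t inheriting a descriptor, pipe and stream socket from the xdm_t process that spawned it; a comment such as `# xdm_t spawns xauth with inherited fds, pipes and sockets — confirm` would record that, and if the module already has a pattern for xdm-spawned helpers, calling it would be preferable to bare rules.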
> Index: refpolicy-2.20170329/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20170329/policy/modules/system/sysnetwork.if
> @@ -413,7 +413,7 @@ interface(`sysnet_create_config',`
> ')
>
> files_search_etc($1)
> - allow $1 net_conf_t:file create_file_perms;
> + allow $1 net_conf_t:file { relabelfrom relabelto manage_file_perms };

This should be two new interfaces instead (sysnet_relabel_config() and
sysnet_manage_config())

> ')
>
> #######################################
> Index: refpolicy-2.20170329/policy/modules/contrib/ntp.fc
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/ntp.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/ntp.fc
> @@ -15,6 +15,8 @@
>
> /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
> /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
> +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
> +/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
>
> /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
> /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
> @@ -23,6 +25,7 @@
> /var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
> /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> +/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
>
> /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
>
> Index: refpolicy-2.20170329/policy/modules/contrib/ntp.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/ntp.te
> +++ refpolicy-2.20170329/policy/modules/contrib/ntp.te
> @@ -118,6 +118,7 @@ corecmd_exec_shell(ntpd_t)
> dev_read_sysfs(ntpd_t)
> dev_read_urand(ntpd_t)
> dev_rw_realtime_clock(ntpd_t)
> +clock_read_adjtime(ntpd_t)
>
> domain_use_interactive_fds(ntpd_t)
> domain_dontaudit_list_all_domains_state(ntpd_t)
> @@ -142,6 +143,26 @@ miscfiles_read_localization(ntpd_t)
> userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
> userdom_list_user_home_dirs(ntpd_t)
>
> +ifdef(`init_systemd',`
> + dbus_system_bus_client(ntpd_t)
> + dbus_connect_system_bus(ntpd_t)
> + init_dbus_chat(ntpd_t)
> + init_get_system_status(ntpd_t)
> + sysadm_dbus_chat(ntpd_t)
> + allow ntpd_t self:capability { fowner setpcap };
> + init_reload(ntpd_t)
> +
> + # for /var/lib/systemd/clock
> + init_list_var_lib_dirs(ntpd_t)
> +
> + # for /run/systemd/netif/links
> + init_list_pid_dirs(ntpd_t)
> +
> + optional_policy(`
> + unconfined_dbus_send(ntpd_t)
> + ')
> +')
> +
> optional_policy(`
> cron_system_entry(ntpd_t, ntpdate_exec_t)
> ')
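Review bot: The init_systemd block grants `fowner setpcap`, `init_reload`, `init_dbus_chat` and `sysadm_dbus_chat` to all of ntpd_t, and the ntp.fc hunk puts both systemd-timedated and systemd-timesyncd into that same domain next to ntpd. Those rights look like what the local D-Bus service timedated needs, yet the network-facing time clients (ntpd, timesyncd) would now carry them too, and the capability line has no comment at all. If the three binaries cannot get separate domains, at least comment each rule with the daemon that needs it, e.g. `# timedated: enable/disable NTP units via systemd` above `init_reload(ntpd_t)` and a matching note on the capability line.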
> Index: refpolicy-2.20170329/policy/modules/roles/sysadm.if
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.if
> +++ refpolicy-2.20170329/policy/modules/roles/sysadm.if
> @@ -236,3 +236,22 @@ interface(`sysadm_rw_pipes',`
>
> allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## talk to sysadm_t over dbus
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`sysadm_dbus_chat',`
> + gen_require(`
> + type sysadm_t;
> + ')
> +
> + allow sysadm_t $1:dbus send_msg;
> + allow $1 sysadm_t:dbus send_msg;
> +')

There is no hard rule, but typically my preference is for the server
side to provide the interface. That doesn't seem to fit sysadm.

> Index: refpolicy-2.20170329/policy/modules/contrib/devicekit.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/contrib/devicekit.te
> +++ refpolicy-2.20170329/policy/modules/contrib/devicekit.te
> @@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)
>
> init_all_labeled_script_domtrans(devicekit_power_t)
> init_read_utmp(devicekit_power_t)
> +init_search_run(devicekit_power_t)
>
> miscfiles_read_localization(devicekit_power_t)
>
> Index: refpolicy-2.20170329/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170329/policy/modules/system/init.if
> @@ -1227,6 +1227,24 @@ interface(`init_pid_filetrans',`
> filetrans_pattern($1, init_var_run_t, $2, $3, $4)
> ')
>
> +######################################
> +## <summary>
> +## Allow listing of the /run/systemd directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_list_pid_dirs',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:dir list_dir_perms;
> +')
> +
> ########################################
> ## <summary>
> ## Get the attributes of initctl.
> @@ -2823,6 +2841,26 @@ interface(`init_get_all_units_status',`
> allow $1 { init_script_file_type systemdunit }:service status;
> ')
>
> +#######################################
> +## <summary>
> +## All perms on all systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_manage_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + class service all_service_perms;
> + ')
> +
> + allow $1 systemdunit:service all_service_perms;
> + allow $1 systemdunit:file getattr;
> +')
> +
> ########################################
> ## <summary>
> ## Start all systemd units.
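Review bot: `init_manage_all_units` allows on `systemdunit` only, whereas the sibling `init_get_all_units_status` in this hunk's context and `init_reload_all_units` in the next hunk use `{ init_script_file_type systemdunit }`; the summary promises "all systemd units", and sysadm.te's switch from the generic start/stop/reload interfaces to this one may lose the init-script side. Using the same pair, `allow $1 { init_script_file_type systemdunit }:service all_service_perms;`, keeps the family consistent. The extra `allow $1 systemdunit:file getattr;` also deserves a comment, since nothing in the interface name or summary mentions file access.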
> @@ -2879,3 +2917,22 @@ interface(`init_reload_all_units',`
>
> allow $1 { init_script_file_type systemdunit }:service reload;
> ')
> +
> +########################################
> +## <summary>
> +## Allow getting service status of initrc_exec_t scripts
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Target domain
> +## </summary>
> +## </param>
> +#
> +interface(`initrc_service_status',`

I think this was merged in the last patch but renamed
init_get_script_status().


> + gen_require(`
> + type initrc_exec_t;
> + class service status;
> + ')
> +
> + allow $1 initrc_exec_t:service status;
> +')
> Index: refpolicy-2.20170329/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170329/policy/modules/system/fstools.te
> @@ -146,6 +146,7 @@ term_use_console(fsadm_t)
> init_use_fds(fsadm_t)
> init_use_script_ptys(fsadm_t)
> init_dontaudit_getattr_initctl(fsadm_t)
> +init_rw_script_stream_sockets(fsadm_t)
>
> logging_send_syslog_msg(fsadm_t)
>
> Index: refpolicy-2.20170329/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170329.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170329/policy/modules/system/systemd.if
> @@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
>
> ######################################
> ## <summary>
> +## Write systemd_login named pipe.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_login_write_pid_pipe',`

systemd_write_logind_pid_pipes()

> + gen_require(`
> + type systemd_logind_var_run_t;
> + ')
> +
> + init_search_run($1)
> + files_search_pids($1)
> + allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
> +')
> +
> +######################################
> +## <summary>
> ## Use inherited systemd
> ## logind file descriptors.
> ## </summary>
> @@ -79,6 +99,26 @@ interface(`systemd_use_logind_fds',`
>
> ######################################
> ## <summary>
> +## Read logind sessions files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_logind_sessions_files',`
> + gen_require(`
> + type systemd_sessions_var_run_t;
> + ')
> +
> + init_search_run($1)
> + allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
> + read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
> +')
> +
> +######################################
> +## <summary>
> ## Write inherited logind sessions pipes.
> ## </summary>
> ## <param name="domain">
> @@ -188,6 +228,29 @@ interface(`systemd_use_passwd_agent_fds'
> allow systemd_passwd_agent_t $1:fd use;
> ')
>
> +#######################################
> +## <summary>
> +## Send generic signals to systemd_passwd_agent processes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_manage_passwd_run',`
> + gen_require(`
> + type systemd_passwd_agent_t;
> + type systemd_passwd_var_run_t;
> + ')
> +
> + manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
> + manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
> +
> + allow systemd_passwd_agent_t $1:process signull;
> + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;

This looks like it should be 2-4 interfaces, but I'm not sure how many.


> +')
> +
> ########################################
> ## <summary>
> ## Transition to systemd_passwd_var_run_t when creating dirs
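Review bot: The `<summary>` of `systemd_manage_passwd_run` says "Send generic signals to systemd_passwd_agent processes", but the body grants $1 manage rights on systemd_passwd_var_run_t files and sock files and lets systemd_passwd_agent_t send signull and unix_dgram messages to $1 — the summary describes none of the file access and names the signal direction backwards. Whatever name the interface ends up with, its summary should state the actual grant, roughly: allow the domain to manage the passwd-agent run files and sockets and to be signalled and messaged by the agent.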
> @@ -383,3 +446,22 @@ interface(`systemd_tmpfilesd_managed',`
>
> allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
> ')
> +
> +########################################
> +## <summary>
> +## Allow reading /run/systemd/machines
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain that can access the machines files
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_machines',`
> + gen_require(`
> + type systemd_machined_var_run_t;
> + ')
> +
> + allow $1 systemd_machined_var_run_t:dir list_dir_perms;
> + allow $1 systemd_machined_var_run_t:file read_file_perms;
> +')
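Review bot: `systemd_read_machines` grants list/read on systemd_machined_var_run_t but, unlike `systemd_read_logind_sessions_files` and `systemd_login_write_pid_pipe` in the earlier hunks of this file, does not call `init_search_run($1)`, so a caller such as policykit_t may be unable to traverse to /run/systemd/machines unless it already has that search from elsewhere. Adding `init_search_run($1)` before the two allow rules matches the siblings.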


--
Chris PeBenito

2017-04-04 06:52:32

by Russell Coker

Subject: [refpolicy] [PATCH] systemd related changes

On Tue, 4 Apr 2017 09:22:24 AM Chris PeBenito via refpolicy wrote:
> > optional_policy(`
> >
> > + systemd_use_logind_fds(crond_t)
> > + systemd_write_inherited_logind_sessions_pipes(crond_t)
>
> It looks like there are several instances of inheriting the logind fds
> and writing the inherited pipes. Is there some pattern?

systemd_write_inherited_logind_sessions_pipes() already allowed inheriting the
fd, so I removed those needless systemd_use_logind_fds() lines.

===================================================================
> > --- refpolicy-2.20170329.orig/policy/modules/system/unconfined.te
> > +++ refpolicy-2.20170329/policy/modules/system/unconfined.te
> > @@ -59,6 +59,17 @@ ifdef(`direct_sysadm_daemon',`
> >
> > ')
> >
> > optional_policy(`
> >
> > + init_get_system_status(unconfined_t)
> > + init_reload(unconfined_t)
> > + init_manage_script_service(unconfined_t)
> > + dev_manage_null_service(unconfined_t)
> > + init_get_all_units_status(unconfined_t)
> > + init_start_all_units(unconfined_t)
> > + init_stop_all_units(unconfined_t)
> > + init_reload_all_units(unconfined_t)
> > +')
>
> Perhaps we should make an init_unconfined() or systemd_unconfined().

OK, done that.

===================================================================
> > --- refpolicy-2.20170329.orig/policy/modules/kernel/files.if
> > +++ refpolicy-2.20170329/policy/modules/kernel/files.if
> > @@ -3019,6 +3019,42 @@ interface(`files_get_etc_unit_status',`
> >
> > allow $1 etc_t:service status;
> >
> > ')
> >
> > +########################################
> > +## <summary>
> > +## start etc_t service
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_etc_unit_start',`
>
> Here (and below): files_start_etc_service() and files_stop_...

Done.

===================================================================
> > --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.te
> > +++ refpolicy-2.20170329/policy/modules/kernel/terminal.te
> > @@ -19,6 +19,8 @@ dev_node(bsdpty_device_t)
> >
> > #
> > type console_device_t;
> > dev_node(console_device_t)
> >
> > +# for /dev/pts/0
> > +allow console_device_t devpts_t:filesystem associate;
>
> This doesn't seem right. Why would a pty be the console?

Not sure. I'll remove that and try to reproduce the issue.

===================================================================
> > --- refpolicy-2.20170329.orig/policy/modules/system/sysnetwork.if
> > +++ refpolicy-2.20170329/policy/modules/system/sysnetwork.if
> > @@ -413,7 +413,7 @@ interface(`sysnet_create_config',`
> >
> > ')
> >
> > files_search_etc($1)
> >
> > - allow $1 net_conf_t:file create_file_perms;
> > + allow $1 net_conf_t:file { relabelfrom relabelto manage_file_perms };
>
> This should be two new interfaces instead (sysnet_relabel_config() and
> sysnet_manage_config())

OK.

===================================================================
> > --- refpolicy-2.20170329.orig/policy/modules/roles/sysadm.if
> > +++ refpolicy-2.20170329/policy/modules/roles/sysadm.if
> > @@ -236,3 +236,22 @@ interface(`sysadm_rw_pipes',`
> >
> > allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
> >
> > ')
> >
> > +
> > +########################################
> > +## <summary>
> > +## talk to sysadm_t over dbus
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`sysadm_dbus_chat',`
> > + gen_require(`
> > + type sysadm_t;
> > + ')
> > +
> > + allow sysadm_t $1:dbus send_msg;
> > + allow $1 sysadm_t:dbus send_msg;
> > +')
>
> There is no hard rule, but typically my preference is for the server
> side to provide the interface. That doesn't seem to fit sysadm.

OK.

> > ########################################
> > ## <summary>
> > ## Start all systemd units.
> >
> > @@ -2879,3 +2917,22 @@ interface(`init_reload_all_units',`
> >
> > allow $1 { init_script_file_type systemdunit }:service reload;
> >
> > ')
> >
> > +
> > +########################################
> > +## <summary>
> > +## Allow getting service status of initrc_exec_t scripts
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Target domain
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`initrc_service_status',`
>
> I think this was merged in the last patch but renamed
> init_get_script_status().

A grep of the source doesn't turn up a match for init_get_script_status.

===================================================================
> > --- refpolicy-2.20170329.orig/policy/modules/system/systemd.if
> > +++ refpolicy-2.20170329/policy/modules/system/systemd.if
> > @@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
> >
> > ######################################
> > ## <summary>
> >
> > +## Write systemd_login named pipe.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`systemd_login_write_pid_pipe',`
>
> systemd_write_logind_pid_pipes()

OK.

> > +#######################################
> > +## <summary>
> > +## Send generic signals to systemd_passwd_agent processes.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`systemd_manage_passwd_run',`
> > + gen_require(`
> > + type systemd_passwd_agent_t;
> > + type systemd_passwd_var_run_t;
> > + ')
> > +
> > + manage_files_pattern($1, systemd_passwd_var_run_t,
> > systemd_passwd_var_run_t) + manage_sock_files_pattern($1,
> > systemd_passwd_var_run_t, systemd_passwd_var_run_t) +
> > + allow systemd_passwd_agent_t $1:process signull;
> > + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
>
> This looks like it should be 2-4 interfaces, but I'm not sure how many.

It's all for a single purpose, using systemd to get a password. So far the
only users of it are httpd_t (for getting passwords for locked SSL certificate
files) and init_t (for a "strict" configuration).

I don't think it makes sense to split it. A better name and description would
make sense, do you have a suggestion for a new name?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-04 23:10:05

by Chris PeBenito

Subject: [refpolicy] [PATCH] systemd related changes

On 04/04/2017 02:52 AM, Russell Coker wrote:
> On Tue, 4 Apr 2017 09:22:24 AM Chris PeBenito via refpolicy wrote:
>>> @@ -2879,3 +2917,22 @@ interface(`init_reload_all_units',`
>>>
>>> allow $1 { init_script_file_type systemdunit }:service reload;
>>>
>>> ')
>>>
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Allow getting service status of initrc_exec_t scripts
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Target domain
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`initrc_service_status',`
>>
>> I think this was merged in the last patch but renamed
>> init_get_script_status().
>
> A grep of the source doesn't turn up a match for init_get_script_status.

Ok, then that's what the interface should be called :)


> ===================================================================
>>> --- refpolicy-2.20170329.orig/policy/modules/system/systemd.if
>>> +++ refpolicy-2.20170329/policy/modules/system/systemd.if
>>> @@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pip
>>>
>>> ######################################
>>> ## <summary>
>>>
>>> +## Write systemd_login named pipe.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`systemd_login_write_pid_pipe',`
>>
>> systemd_write_logind_pid_pipes()
>
> OK.
>
>>> +#######################################
>>> +## <summary>
>>> +## Send generic signals to systemd_passwd_agent processes.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`systemd_manage_passwd_run',`
>>> + gen_require(`
>>> + type systemd_passwd_agent_t;
>>> + type systemd_passwd_var_run_t;
>>> + ')
>>> +
>>> + manage_files_pattern($1, systemd_passwd_var_run_t,
>>> systemd_passwd_var_run_t) + manage_sock_files_pattern($1,
>>> systemd_passwd_var_run_t, systemd_passwd_var_run_t) +
>>> + allow systemd_passwd_agent_t $1:process signull;
>>> + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
>>
>> This looks like it should be 2-4 interfaces, but I'm not sure how many.
>
> It's all for a single purpose, using systemd to get a password. So far the
> only users of it are httpd_t (for getting passwords for locked SSL certificate
> files) and init_t (for a "strict" configuration).
>
> I don't think it makes sense to split it. A better name and description would
> make sense, do you have a suggestion for a new name?

That seems very peculiar having that large amount of file access in
addition to the unix socket use. But if that's the case, then I think
I'd go with something like systemd_use_passwd_agent() since that gets
the concept across and abstracts away any details about unix sockets and
file access.

--
Chris PeBenito

2017-04-05 04:44:44

by Russell Coker

Subject: [refpolicy] [PATCH] systemd related changes

On Wed, 5 Apr 2017 09:10:05 AM Chris PeBenito via refpolicy wrote:
> >> I think this was merged in the last patch but renamed
> >> init_get_script_status().
> >
> > A grep of the source doesn't turn up a match for init_get_script_status.
>
> Ok, then that's what the interface should be called :)

OK.

> >>> +#######################################
> >>> +## <summary>
> >>> +## Send generic signals to systemd_passwd_agent processes.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +## <summary>
> >>> +## Domain allowed access.
> >>> +## </summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`systemd_manage_passwd_run',`
> >>> + gen_require(`
> >>> + type systemd_passwd_agent_t;
> >>> + type systemd_passwd_var_run_t;
> >>> + ')
> >>> +
> >>> + manage_files_pattern($1, systemd_passwd_var_run_t,
> >>> systemd_passwd_var_run_t) + manage_sock_files_pattern($1,
> >>> systemd_passwd_var_run_t, systemd_passwd_var_run_t) +
> >>> + allow systemd_passwd_agent_t $1:process signull;
> >>> + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
> >>
> >> This looks like it should be 2-4 interfaces, but I'm not sure how many.
> >
> > It's all for a single purpose, using systemd to get a password. So far
> > the only users of it are httpd_t (for getting passwords for locked SSL
> > certificate files) and init_t (for a "strict" configuration).
> >
> > I don't think it makes sense to split it. A better name and description
> > would make sense, do you have a suggestion for a new name?
>
> That seems very peculiar having that large amount of file access in
> addition to the unix socket use. But if that's the case, then I think
> I'd go with something like systemd_use_passwd_agent() since that gets
> the concept across and abstracts away any details about unix sockets and
> file access.

OK.

I'll send another patch.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/