2017-12-06 17:06:03

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/2] Allow domains using sysnet_dns_name_resolve() interface to access NSS mymachines files

From: Laurent Bigonville <[email protected]>

If the machine is using the mymachines NSS module, the domain doing DNS
resolution should be able to access files under /run/systemd/machines/.
---
policy/modules/system/sysnetwork.if | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 5b8266ca..a53122b1 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -751,6 +751,11 @@ interface(`sysnet_dns_name_resolve',`
optional_policy(`
nscd_use($1)
')
+
+ # This seems needed when the mymachines NSS module is used
+ optional_policy(`
+ systemd_read_machines($1)
+ ')
')

########################################
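Review bot: The added `systemd_read_machines($1)` call applies to every domain that uses `sysnet_dns_name_resolve()`, so access to machined's runtime files under /run/systemd/machines/ is widened to all resolver callers whenever the systemd module is present, whether or not nss-mymachines is configured on the host. What `systemd_read_machines` actually grants is not visible in this hunk, so it is worth confirming that it is strictly read-only before extending it this broadly. The comment "This seems needed" also leaves the next maintainer guessing; something like `# nss-mymachines reads /run/systemd/machines/ during host name lookups` states the reason. The interface body starts above the hunk.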
--
2.15.1


2017-12-06 17:06:04

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/2] Add private type for systemd logind inhibit files and pipes

From: Laurent Bigonville <[email protected]>

---
policy/modules/system/systemd.fc | 2 +-
policy/modules/system/systemd.if | 20 ++++++++++++++++++++
policy/modules/system/systemd.te | 9 ++++++++-
3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 56e9bc13..183e0939 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -51,7 +51,7 @@
/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
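Review bot: The new label for `/run/systemd/inhibit(/.*)?` only applies to objects created or relabelled after the policy is loaded, so on a system upgraded in place the existing directory and its FIFOs keep `systemd_logind_var_run_t` until a reboot or a `restorecon -R /run/systemd/inhibit`. Until then rules written against `systemd_logind_inhibit_var_run_t` will not match those objects, and AVC denials naming the old type may appear right after the upgrade. The patch has no description, and this upgrade behaviour would be worth stating in one.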
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8f914837..d875098a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -138,6 +138,26 @@ interface(`systemd_write_inherited_logind_sessions_pipes',`
allow systemd_logind_t $1:process signal;
')

+######################################
+## <summary>
+## Write inherited logind inhibit pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_inhibit_pipes',`
+ gen_require(`
+ type systemd_logind_inhibit_var_run_t;
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
+')
+
########################################
## <summary>
## Send and receive messages from
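Review bot: Nothing in the visible patch calls `systemd_write_inherited_logind_inhibit_pipes`, so once /run/systemd/inhibit carries the new type, any domain that writes to an inherited inhibit FIFO has no matching rule unless one is added separately. Reviewing audit logs for `fifo_file` denials against `systemd_logind_inhibit_var_run_t` after deployment would show which domains need the interface. The summary could say when to use it, for example `## Write inherited logind inhibit pipes (FIFOs under /run/systemd/inhibit).` As a style point, the two declarations in `gen_require` could share one line, `type systemd_logind_inhibit_var_run_t, systemd_logind_t;`.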
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5051b87c..9a65b8f6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -101,6 +101,9 @@ type systemd_logind_var_run_t;
files_pid_file(systemd_logind_var_run_t)
init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")

+type systemd_logind_inhibit_var_run_t;
+files_pid_file(systemd_logind_inhibit_var_run_t)
+
type systemd_machined_t;
type systemd_machined_exec_t;
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
@@ -364,7 +367,11 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
-init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
+
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")

allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
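Review bot: The four added rules carry no comment explaining why /run/systemd/inhibit gets a type separate from the rest of logind's runtime data, and the patch has no description either. A line above them such as `# /run/systemd/inhibit has a private type so access to inhibit files and pipes can be granted without exposing other logind runtime files` would record the intent. The same applies to the bare `type systemd_logind_inhibit_var_run_t;` declaration in the earlier hunk of this file. The surrounding systemd_logind_t rule block begins and ends outside the hunk.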
--
2.15.1

2017-12-07 23:50:58

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] Allow domains using sysnet_dns_name_resolve() interface to access NSS mymachines files

On 12/06/2017 12:06 PM, Laurent Bigonville via refpolicy wrote:
> From: Laurent Bigonville <[email protected]>
>
> If the machine is using the mymachine NSS module, the domain doing DNS
> resolution should be able to access files under /run/systemd/machines/
> ---
> policy/modules/system/sysnetwork.if | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index 5b8266ca..a53122b1 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -751,6 +751,11 @@ interface(`sysnet_dns_name_resolve',`
> optional_policy(`
> nscd_use($1)
> ')
> +
> + # This seems needed when the mymachines NSS module is used
> + optional_policy(`
> + systemd_read_machines($1)
> + ')

Merged.

--
Chris PeBenito

2017-12-07 23:51:57

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] Add private type for systemd logind inhibit files and pipes

On 12/06/2017 12:06 PM, Laurent Bigonville via refpolicy wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> policy/modules/system/systemd.fc | 2 +-
> policy/modules/system/systemd.if | 20 ++++++++++++++++++++
> policy/modules/system/systemd.te | 9 ++++++++-
> 3 files changed, 29 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 56e9bc13..183e0939 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -51,7 +51,7 @@
> /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
> /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> -/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> +/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
> /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
> /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
> /run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 8f914837..d875098a 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -138,6 +138,26 @@ interface(`systemd_write_inherited_logind_sessions_pipes',`
> allow systemd_logind_t $1:process signal;
> ')
>
> +######################################
> +## <summary>
> +## Write inherited logind inhibit pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_write_inherited_logind_inhibit_pipes',`
> + gen_require(`
> + type systemd_logind_inhibit_var_run_t;
> + type systemd_logind_t;
> + ')
> +
> + allow $1 systemd_logind_t:fd use;
> + allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
> +')
> +
> ########################################
> ## <summary>
> ## Send and receive messages from
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 5051b87c..9a65b8f6 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -101,6 +101,9 @@ type systemd_logind_var_run_t;
> files_pid_file(systemd_logind_var_run_t)
> init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
>
> +type systemd_logind_inhibit_var_run_t;
> +files_pid_file(systemd_logind_inhibit_var_run_t)
> +
> type systemd_machined_t;
> type systemd_machined_exec_t;
> init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
> @@ -364,7 +367,11 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
> manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
> allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
> -init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
> +
> +manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
> +manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
> +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
> +init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
>
> allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
> allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;

I tend to agree with Dominick that this is probably not needed; however,
I have merged it anyway. If it ends up being a problem, it is easy to
remove.

--
Chris PeBenito