Re: [PATCH] systemd misc


 



On 1/5/19 9:34 PM, Russell Coker wrote:
I'm not sure.  If this is a problem then skip the Postfix bit and merge the
rest; I can investigate Postfix more later.

I've merged this, though I'd still prefer to hear more about the Postfix change, if possible.


On Sunday, 6 January 2019 6:29:11 AM AEDT Chris PeBenito wrote:
On 1/4/19 2:54 AM, Russell Coker wrote:
This patch has policy changes related to systemd and the systemd versions
of system programs.

Also has some dbus policy which probably isn't strictly a systemd thing,
but it all came at the same time.

Is all the postfix dbus usage due to a postfix change or something else?
   I want to look for a pattern if this is not due to postfix code changes.

I don't think I have any issues with anything else in the patch, but
will wait for the above answer to try to merge in one shot.

Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -38,6 +38,8 @@ role system_r types logrotate_mail_t;

   #
allow logrotate_t self:capability { chown dac_override dac_read_search
   fowner fsetid kill setgid setuid sys_nice sys_resource };>
+# systemctl asks for net_admin
+dontaudit logrotate_t self:capability net_admin;

   allow logrotate_t self:process { transition signal_perms getsched
   setsched getsession getpgid setpgid getcap setcap share getattr
   setfscreate noatsecure siginh setrlimit rlimitinh dyntransition
   setkeycreate setsockcreate getrlimit }; allow logrotate_t self:fd use;
   allow logrotate_t self:key manage_key_perms;

Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -378,6 +378,10 @@ optional_policy(`

   	')
   	
   	optional_policy(`

+		init_dbus_chat(crond_t)
+	')
+
+	optional_policy(`

   		unconfined_dbus_send(crond_t)
   	
   	')
')
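Review bot: The new `init_dbus_chat(crond_t)` block carries no comment saying which crond operation talks to systemd over D-Bus, and the interface is bidirectional, so crond_t itself (not the cron job domains) gains the ability to send requests to init_t. The triggering denial or feature belongs in a comment above the call, e.g. `# <reason: which crond operation needs init_t dbus chat>`. If the need is only for a unit-control call from a job, the job domain rather than crond_t may be the right target; that cannot be told from the hunk.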

Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t)

   domain_use_interactive_fds(NetworkManager_t)
   domain_read_all_domains_state(NetworkManager_t)

+# /etc/resolv.conf is a symlink written by NM
+files_manage_etc_symlinks(NetworkManager_t)

   files_read_etc_runtime_files(NetworkManager_t)
   files_read_usr_files(NetworkManager_t)
   files_read_usr_src_files(NetworkManager_t)
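Review bot: `files_manage_etc_symlinks(NetworkManager_t)` grants create/delete/rename of every etc_t symlink, while the comment on the line above names a single target, /etc/resolv.conf. Presumably the symlink form of resolv.conf falls through to etc_t because the net_conf_t file context is restricted to regular files (confirm against sysnetwork.fc); if so, a narrower fix is to label the symlink net_conf_t with a symlink-only fc entry and rely on the sysnet config interfaces NetworkManager_t already uses. If the broad interface is kept, extend the comment to say so: `# /etc/resolv.conf is a symlink written by NM; the symlink is etc_t, so this grants management of all etc_t symlinks`.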

@@ -346,6 +348,7 @@ optional_policy(`

   ')
optional_policy(`

+	systemd_read_logind_pids(NetworkManager_t)

   	systemd_read_logind_sessions_files(NetworkManager_t)
   	systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
')

Index: refpolicy-2.20180701/policy/modules/services/ntp.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc
+++ refpolicy-2.20180701/policy/modules/services/ntp.fc
@@ -13,6 +13,7 @@

   /etc/rc\.d/init\.d/ntpd?
   		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)

+/run/systemd/timesync(/.*)?			
gen_context(system_u:object_r:ntpd_pid_t,s0
)

   /usr/bin/ntpd				--	
gen_context(system_u:object_r:ntpd_exec_t,s0)
   /usr/bin/ntpdate			--	
gen_context(system_u:object_r:ntpdate_exec_t,s0)

@@ -31,6 +32,7 @@

   /var/lib/ntp(/.*)?				
gen_context(system_u:object_r:ntp_drift_t,s0)
   /var/lib/sntp-kod(/.*)?				
gen_context(system_u:object_r:ntp_drift_t,s0)
   /var/lib/systemd/clock			--	
gen_context(system_u:object_r:ntp_drift_t,s0
   )

+/var/lib/private/systemd/timesync(/.*)?
--	gen_context(system_u:object_r:ntp_drift_t,s0)>
   /var/lock/ntpdate                       --
   gen_context(system_u:object_r:ntpd_lock_t,s0)>
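Review bot: The new `/var/lib/private/systemd/timesync(/.*)?` entry uses the `--` file-type specifier, so only regular files under it match and the directory itself stays at the /var/lib default label; the sibling `/var/lib/ntp(/.*)?` entry and the `/run/systemd/timesync(/.*)?` entry added in the first ntp.fc hunk both omit `--` for exactly this reason. Drop the specifier so the directory and its contents are labeled consistently: `/var/lib/private/systemd/timesync(/.*)?	gen_context(system_u:object_r:ntp_drift_t,s0)`. The wrapped `--` on the following line of the quoted patch is part of the same entry.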
Index: refpolicy-2.20180701/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20180701/policy/modules/services/openvpn.te
@@ -175,3 +175,7 @@ optional_policy(`

   		networkmanager_dbus_chat(openvpn_t)
   	
   	')
')

+
+optional_policy(`
+	systemd_use_passwd_agent(openvpn_t)
+')
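Review bot: The new `systemd_use_passwd_agent(openvpn_t)` block has no comment on what openvpn prompts for through the password agent; presumably a key or auth passphrase at unit start, but the hunk does not show it. A one-line comment above the call, e.g. `# openvpn prompts via systemd-ask-password for <what>`, would make the grant reviewable later. The enclosing file continues past the hunk; this block is appended at the end of the optional_policy list.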
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -347,6 +347,12 @@ optional_policy(`

   ')
optional_policy(`

+	dbus_send_system_bus(postfix_master_t)
+	dbus_system_bus_client(postfix_master_t)
+	init_dbus_chat(postfix_master_t)
+')
+
+optional_policy(`

   	sendmail_signal(postfix_master_t)
')
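Review bot: `dbus_send_system_bus(postfix_master_t)` on the first added line is redundant with `dbus_system_bus_client(postfix_master_t)` directly below it, since the client interface in refpolicy's dbus.if already allows send_msg to system_dbusd_t in both directions (confirm against the dbus.if in this tree). The same pair appears in the cleanup, qmgr and smtp hunks of this file, while the bounce and pickup hunks call only `dbus_system_bus_client`, so the two forms are inconsistent within one patch. Dropping the `dbus_send_system_bus` line from each of the four blocks leaves the granted permissions unchanged.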

@@ -376,6 +382,10 @@ optional_policy(`

   	init_dbus_chat(postfix_bounce_t)
')

+optional_policy(`
+	dbus_system_bus_client(postfix_bounce_t)
+')
+

   ########################################
   #
   # Cleanup local policy

@@ -420,6 +430,12 @@ optional_policy(`

   	mailman_read_data_files(postfix_cleanup_t)
')

+optional_policy(`
+	dbus_send_system_bus(postfix_cleanup_t)
+	dbus_system_bus_client(postfix_cleanup_t)
+	init_dbus_chat(postfix_cleanup_t)
+')
+

   ########################################
   #
   # Local local policy

@@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p

   mcs_file_read_all(postfix_pickup_t)
   mcs_file_write_all(postfix_pickup_t)

+optional_policy(`
+	dbus_system_bus_client(postfix_pickup_t)
+	init_dbus_chat(postfix_pickup_t)
+')
+

   ########################################
   #
   # Pipe local policy

@@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po

   corecmd_exec_bin(postfix_qmgr_t)

+optional_policy(`
+	dbus_send_system_bus(postfix_qmgr_t)
+	dbus_system_bus_client(postfix_qmgr_t)
+	init_dbus_chat(postfix_qmgr_t)
+')
+

   ########################################
   #
   # Showq local policy

@@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t)

   mta_map_aliases(postfix_smtpd_t)
optional_policy(`

+	dbus_send_system_bus(postfix_smtp_t)
+	dbus_system_bus_client(postfix_smtp_t)
+	init_dbus_chat(postfix_smtp_t)
+')
+
+optional_policy(`

   	dovecot_stream_connect_auth(postfix_smtpd_t)
   	dovecot_stream_connect(postfix_smtpd_t)
')
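Review bot: The added block names `postfix_smtp_t` but sits in the smtpd section, between `mta_map_aliases(postfix_smtpd_t)` and `dovecot_stream_connect_auth(postfix_smtpd_t)`, so either the domain is a typo for `postfix_smtpd_t` or the block belongs in the smtp (client) local policy section; the hunk does not show which was intended. If smtpd was meant, the fix is `dbus_system_bus_client(postfix_smtpd_t)` and `init_dbus_chat(postfix_smtpd_t)`; if smtp was meant, move the block to that section so the file's per-domain layout stays readable. Worth settling before merge, since the two domains have different exposure (smtpd accepts network connections).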

Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -278,6 +278,7 @@ ifdef(`distro_debian',`

   ')
ifdef(`init_systemd',`

+	init_dbus_chat(sshd_t)

   	systemd_dbus_chat_logind(sshd_t)
   	init_rw_stream_sockets(sshd_t)
')
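Review bot: `init_dbus_chat(sshd_t)` is added without a comment, and it is broader than the adjacent `systemd_dbus_chat_logind(sshd_t)` because it permits two-way D-Bus messaging with init_t itself rather than only logind. Presumably a session-setup path needs it, but that cannot be confirmed from the hunk. A comment naming the triggering operation, e.g. `# <reason sshd_t sends to init_t over dbus>`, would make the grant reviewable.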

Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
@@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t)

   files_read_usr_files(tor_t)
fs_search_tmpfs(tor_t)

+# for log symlink on a tmpfs filesystem systemd creates for it
+fs_read_tmpfs_symlinks(tor_t)

   auth_use_nsswitch(tor_t)

Index: refpolicy-2.20180701/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20180701/policy/modules/system/systemd.fc
@@ -50,6 +50,8 @@

   /run/\.nologin[^/]*	--	
gen_context(system_u:object_r:systemd_sessions_va
   r_run_t,s0)
   /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_
   t,s0)>
+/run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_pas
swd_var_run_t,s0)
+/run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:syst
emd_passwd_var_run_t,s0)>
   /run/systemd/resolve(/.*)?
   gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
   /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions
   _var_run_t,s0)
   /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessi
   ons_var_run_t,s0)>
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys

   type systemd_nspawn_t;
   type systemd_nspawn_exec_t;
   init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)

+mcs_killall(systemd_nspawn_t)

   type systemd_nspawn_var_run_t;
   files_pid_file(systemd_nspawn_var_run_t)
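Review bot: `mcs_killall(systemd_nspawn_t)` is placed in the declarations block next to the type and exec-type declarations rather than under the Nspawn local policy heading that a later hunk of this file shows, and it has no comment. The interface lifts the MCS signal constraint, so nspawn may signal processes of any category; the reason belongs next to the rule, e.g. `# signal container processes regardless of MCS category` (confirm that this is the triggering case). Moving the line into the nspawn local policy section, near the existing self:process sigkill rule, keeps the file's section layout intact.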

@@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste

   #
dev_read_sysfs(systemd_gpt_generator_t)

+files_list_usr(systemd_gpt_generator_t)

   files_read_etc_files(systemd_gpt_generator_t)
   fs_getattr_xattr_fs(systemd_gpt_generator_t)
   storage_raw_read_fixed_disk(systemd_gpt_generator_t)

@@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars

   # Logind local policy
   #

-allow systemd_logind_t self:capability { chown dac_override fowner
sys_admin sys_tty_config };
+allow systemd_logind_t self:capability {
chown dac_override dac_read_search fowner sys_admin sys_tty_config };>
   allow systemd_logind_t self:process { getcap setfscreate };
   allow systemd_logind_t self:netlink_kobject_uevent_socket
   create_socket_perms; allow systemd_logind_t self:unix_dgram_socket
   create_socket_perms;>
@@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti

   # Nspawn local policy
   #

-allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill
};
-allow systemd_nspawn_t self:capability { dac_override fsetid mknod
net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow
systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit
sigkill };
+allow systemd_nspawn_t self:capability { dac_override
dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin
sys_chroot };>
   allow systemd_nspawn_t self:capability2 wake_alarm;
   allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;

@@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va

   allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
   init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)

-files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
+files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })

   allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
   allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;

+# for /tmp/.#inaccessible*
+allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;

   # for /run/systemd/nspawn/incoming in chroot
   allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;

@@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t)

   files_mounton_mnt(systemd_nspawn_t)
   files_mounton_root(systemd_nspawn_t)
   files_mounton_tmp(systemd_nspawn_t)

+files_read_kernel_symbol_table(systemd_nspawn_t)

   files_setattr_pid_dirs(systemd_nspawn_t)
fs_getattr_tmpfs(systemd_nspawn_t)
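Review bot: `files_read_kernel_symbol_table(systemd_nspawn_t)` grants read access to system_map_t without a comment explaining why a container manager reads the kernel symbol table, which exposes kernel addresses. If the access is only a side effect of nspawn walking or copying a host tree that contains /boot, a dontaudit may be the better fit; if a real read is needed, add the reason, e.g. `# <why nspawn reads System.map>`. The hunk does not show the triggering denial, so this needs confirming with the submitter.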

@@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t)

   userdom_manage_user_home_dirs(systemd_nspawn_t)
tunable_policy(`systemd_nspawn_labeled_namespace',`

+	corecmd_exec_bin(systemd_nspawn_t)

   	corecmd_exec_shell(systemd_nspawn_t)
   	
   	dev_mounton(systemd_nspawn_t)

@@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n

   	fs_write_cgroup_files(systemd_nspawn_t)
   	
   	selinux_getattr_fs(systemd_nspawn_t)

+	selinux_remount_fs(systemd_nspawn_t)

   	selinux_search_fs(systemd_nspawn_t)
   	
   	init_domtrans(systemd_nspawn_t)

@@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass

   seutil_search_default_contexts(systemd_passwd_agent_t)

+userdom_use_user_ttys(systemd_passwd_agent_t)

   userdom_use_user_ptys(systemd_passwd_agent_t)
optional_policy(`

@@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se

   # Tmpfiles local policy
   #

-allow systemd_tmpfiles_t self:capability { chown dac_override fowner
fsetid mknod net_admin sys_admin };
+allow systemd_tmpfiles_t
self:capability { chown dac_override dac_read_search fowner fsetid mknod
net_admin sys_admin };>
   allow systemd_tmpfiles_t self:process { setfscreate getcap };
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom
   relabelto manage_dir_perms };>
@@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal

   allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
   allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file
   read_file_perms;

+kernel_getattr_proc(systemd_tmpfiles_t)

   kernel_read_kernel_sysctls(systemd_tmpfiles_t)
   kernel_read_network_state(systemd_tmpfiles_t)

+dev_getattr_fs(systemd_tmpfiles_t)

   dev_manage_all_dev_nodes(systemd_tmpfiles_t)
   dev_read_urand(systemd_tmpfiles_t)
   dev_relabel_all_sysfs(systemd_tmpfiles_t)

@@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t

   files_manage_var_lib_dirs(systemd_tmpfiles_t)
   files_purge_tmp(systemd_tmpfiles_t)
   files_read_etc_files(systemd_tmpfiles_t)

+files_read_etc_runtime_files(systemd_tmpfiles_t)

   files_relabel_all_lock_dirs(systemd_tmpfiles_t)
   files_relabel_all_pid_dirs(systemd_tmpfiles_t)
   files_relabel_all_tmp_dirs(systemd_tmpfiles_t)




--
Chris PeBenito


