Re: [PATCH 1/9] systemd: Add elogind support

On Thu, Dec 26, 2019 at 12:03:32PM -0500, Chris PeBenito wrote:
> On 12/24/19 5:10 AM, Jason Zaman wrote:
> > Elogind is based off systemd-logind extracted to stand alone.
> 
> I'm not a fan of this.  Systemd is already a big mess of permissions by 
> itself, and I'm reluctant to add even more to it to support something else.

I'm not super happy about it either. I tried to make elogind_t
standalone originally. It didn't end up working that well cuz it really
*is* systemd-logind, just without systemd as pid1. The problem is all
the paths are the same, everything in /run and /var and all that gets
used exactly the same, so the fcontexts would conflict. A lot of the
perms I ended up adding seem like things that systemd-logind should be
able to do anyway too (like purging tmp to clean up /run/user when
people logout, or sending audit logs) or do these things end up done by
pid1 instead if it's systemd?

It's a similar issue to how tmpfiles works on gentoo. We made a policy
for opentmpfiles (originally in openrc) then later the systemd policy in
upstream refpol added systemd-tmpfiles. I've had to ifndef init_systemd
around those fcontexts and it kind of works but it's pretty awkward and
makes switching between openrc/systemd more annoying than it should be.

I'd be up for modularizing systemd.te if it'd make things easier but I'm
not completely sure how. I see a few different parts that need to be
handled carefully: 1) the paths on disk, these should ideally be the
same for all the implementations of things. 2) the daemons themselves,
these could be the same or different domains makes little difference. 3)
how other programs interact with the daemons. I'm not really sure
duplicating perms in every other policy is the right way to go? like
everything would have to call both systemd_logind_foo() and
elogind_foo()?

If you have better ideas how to approach this, I'm all ears :)

-- Jason


> 
> 
> > Signed-off-by: Jason Zaman <jason@xxxxxxxxxxxxx>
> > ---
> >   policy/modules/admin/sudo.if       |  2 ++
> >   policy/modules/system/authlogin.if |  5 +++++
> >   policy/modules/system/systemd.fc   |  5 +++++
> >   policy/modules/system/systemd.te   | 27 ++++++++++++++++++++++++++-
> >   4 files changed, 38 insertions(+), 1 deletion(-)
> > 
> > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> > index c1459364..4f08af28 100644
> > --- a/policy/modules/admin/sudo.if
> > +++ b/policy/modules/admin/sudo.if
> > @@ -159,6 +159,8 @@ template(`sudo_role_template',`
> >   
> >   	optional_policy(`
> >   		dbus_system_bus_client($1_sudo_t)
> > +		systemd_dbus_chat_logind($1_sudo_t)
> > +		systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
> >   
> >   		ifdef(`init_systemd',`
> >   			init_dbus_chat($1_sudo_t)
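
Review bot: the two added systemd_* calls sit directly inside the optional_policy block that also holds dbus_system_bus_client($1_sudo_t), so when the systemd module is not part of the policy the whole block can be dropped and sudo loses its system bus client access as well. The authlogin.if hunk in this same patch wraps the same two calls in their own optional_policy; nest them the same way here so the D-Bus permission does not depend on the systemd module being present.
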
> > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> > index c16748f2..83837458 100644
> > --- a/policy/modules/system/authlogin.if
> > +++ b/policy/modules/system/authlogin.if
> > @@ -71,6 +71,11 @@ interface(`auth_use_pam',`
> >   		optional_policy(`
> >   			fprintd_dbus_chat($1)
> >   		')
> > +
> > +		optional_policy(`
> > +			systemd_dbus_chat_logind($1)
> > +			systemd_write_inherited_logind_sessions_pipes($1)
> > +		')
> >   	')
> >   
> >   	optional_policy(`
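
Review bot: adding this block to auth_use_pam gives every domain that calls the interface the right to talk to logind over D-Bus and to write to inherited logind session pipes, and nothing in the hunk says which PAM consumer needs it. Add a short comment above the new optional_policy naming the component that triggered the denials, so a later reader can tell whether the grant still has to live in this shared interface.
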
> > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> > index 607b1d88..e6831465 100644
> > --- a/policy/modules/system/systemd.fc
> > +++ b/policy/modules/system/systemd.fc
> > @@ -16,6 +16,10 @@
> >   /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
> >   /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
> >   
> > +/usr/lib/elogind/elogind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +/usr/lib/elogind/elogind-cgroups-agent	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +/usr/lib/elogind/elogind-uaccess-command	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> > +
> >   # Systemd generators
> >   /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
> >   
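
Review bot: elogind-cgroups-agent and elogind-uaccess-command receive systemd_logind_exec_t, the same executable type as the daemon itself, so the helpers are treated as entrypoints into the full systemd_logind_t permission set. If they are only ever run by elogind, a comment saying so would help; if anything else can execute them, they should get a separate type rather than share the daemon's.
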
> > @@ -56,6 +60,7 @@
> >   /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
> >   
> >   /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> > +/run/elogind\.pid	--	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
> >   /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
> >   
> >   /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
> > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> > index 1422d8e2..f13b7252 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -99,6 +99,7 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
> >   
> >   type systemd_logind_t;
> >   type systemd_logind_exec_t;
> > +dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
> >   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
> >   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
> >   
> > @@ -108,6 +109,7 @@ files_pid_file(systemd_logind_inhibit_runtime_t)
> >   type systemd_logind_runtime_t alias systemd_logind_var_run_t;
> >   files_pid_file(systemd_logind_runtime_t)
> >   init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
> > +init_daemon_pid_file(systemd_logind_runtime_t, file, "elogind")
> >   
> >   type systemd_logind_var_lib_t;
> >   files_type(systemd_logind_var_lib_t)
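
Review bot: the file name on the added init_daemon_pid_file line is "elogind", while the systemd.fc hunk labels /run/elogind\.pid. A named file transition matches the exact name, so this rule would not apply to a file called elogind.pid. Use "elogind.pid" if the intent is to cover the pid file when init creates it, or drop the line if the files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file) added later in this patch is sufficient.
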
> > @@ -427,7 +429,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
> >   # Logind local policy
> >   #
> >   
> > -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> > +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config };
> >   allow systemd_logind_t self:process { getcap setfscreate };
> >   allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> >   allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
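
Review bot: fsetid and sys_resource are added to the capability set of systemd_logind_t for every configuration, with no comment here and nothing in the commit message about what needs them. Say which operation produced each denial, and if only elogind needs them, place them under ifndef(`init_systemd', ...) so that systemd-logind keeps the narrower set.
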
> > @@ -439,6 +441,9 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
> >   manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> >   manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
> >   allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
> > +files_pid_filetrans(systemd_logind_t, systemd_logind_runtime_t, file)
> > +
> > +create_dirs_pattern(systemd_logind_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
> >   
> >   manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
> >   manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
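
Review bot: the added create_dirs_pattern line lets logind create directories typed systemd_machined_runtime_t, which is another daemon's runtime type, and there is no comment explaining why. Document which directory elogind creates there. Separately, the files_pid_filetrans above it carries no file name, so every regular file this domain creates directly in the pid directory picks up systemd_logind_runtime_t; passing the pid file's name would keep the transition limited to that file.
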
> > @@ -451,6 +456,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_per
> >   
> >   kernel_read_kernel_sysctls(systemd_logind_t)
> >   
> > +auth_write_login_records(systemd_logind_t)
> > +
> >   dev_getattr_dri_dev(systemd_logind_t)
> >   dev_getattr_generic_usb_dev(systemd_logind_t)
> >   dev_getattr_kvm_dev(systemd_logind_t)
> > @@ -470,10 +477,13 @@ dev_setattr_video_dev(systemd_logind_t)
> >   
> >   domain_obj_id_change_exemption(systemd_logind_t)
> >   
> > +files_purge_tmp(systemd_logind_t)
> >   files_read_etc_files(systemd_logind_t)
> >   files_search_pids(systemd_logind_t)
> >   
> >   fs_getattr_cgroup(systemd_logind_t)
> > +fs_manage_cgroup_dirs(systemd_logind_t)
> > +fs_manage_cgroup_files(systemd_logind_t)
> >   fs_getattr_tmpfs(systemd_logind_t)
> >   fs_getattr_tmpfs_dirs(systemd_logind_t)
> >   fs_list_tmpfs(systemd_logind_t)
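
Review bot: files_purge_tmp(systemd_logind_t) grants deletion over temporary files in general, which is wider than the /run/user cleanup on logout that the reply in this thread gives as the reason. Prefer an interface scoped to the user runtime directories, or add a comment explaining why the broad purge permission is required.
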
> > @@ -483,6 +493,8 @@ fs_read_efivarfs_files(systemd_logind_t)
> >   fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
> >   fs_unmount_tmpfs(systemd_logind_t)
> >   
> > +logging_send_audit_msgs(systemd_logind_t)
> > +
> >   selinux_get_enforce_mode(systemd_logind_t)
> >   
> >   storage_getattr_removable_dev(systemd_logind_t)
> > @@ -495,6 +507,7 @@ term_use_unallocated_ttys(systemd_logind_t)
> >   
> >   auth_manage_faillog(systemd_logind_t)
> >   
> > +init_create_runtime_dirs(systemd_logind_t)
> >   init_dbus_send_script(systemd_logind_t)
> >   init_get_all_units_status(systemd_logind_t)
> >   init_get_system_status(systemd_logind_t)
> > @@ -537,6 +550,14 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> >   userdom_setattr_user_ttys(systemd_logind_t)
> >   userdom_use_user_ttys(systemd_logind_t)
> >   
> > +tunable_policy(`use_nfs_home_dirs',`
> > +       fs_read_nfs_files(systemd_logind_t)
> > +')
> > +
> > +tunable_policy(`use_samba_home_dirs',`
> > +       fs_read_cifs_files(systemd_logind_t)
> > +')
> > +
> >   # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
> >   # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
> >   # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
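
Review bot: the bodies of both added tunable_policy blocks are indented with spaces, while the other additions in this file use a tab (compare the shutdown_domtrans line in the next hunk); switch them to a tab. A one-line comment on why logind has to read files on NFS and CIFS home directories would also help, since the hunk gives no reason.
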
> > @@ -568,6 +589,10 @@ optional_policy(`
> >   	policykit_dbus_chat(systemd_logind_t)
> >   ')
> >   
> > +optional_policy(`
> > +	shutdown_domtrans(systemd_logind_t)
> > +')
> > +
> >   optional_policy(`
> >   	xserver_read_state(systemd_logind_t)
> >   	xserver_dbus_chat(systemd_logind_t)
> > 
> 
> 
> -- 
> Chris PeBenito


