Re: [PATCH v2] Allow systemd to getattr configfile

[Chris PeBenito <pebenito@xxxxxxxx>]

On 1/21/20 9:22 AM, Sugar, David wrote:
> On 1/21/20 8:42 AM, Chris PeBenito wrote:
> > On 1/13/20 1:27 PM, Sugar, David wrote:
> > > v2 update - rework, creating interface 'init_systemd_conditional'
> > > as suggested.  This grants getattr access to the type provided.
> > >
> > > Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
> > > ---
> > >    policy/modules/services/chronyd.te |  2 ++
> > >    policy/modules/system/init.if      | 26 ++++++++++++++++++++++++++
> > >    2 files changed, 28 insertions(+)
> > >
> > > diff --git a/policy/modules/services/chronyd.te
> > > b/policy/modules/services/chronyd.te
> > > index 5e680d39..7ae8bb5a 100644
> > > --- a/policy/modules/services/chronyd.te
> > > +++ b/policy/modules/services/chronyd.te
> > > @@ -102,6 +102,8 @@ miscfiles_read_localization(chronyd_t)
> > >    chronyd_dgram_send_cli(chronyd_t)
> > >    chronyd_read_config(chronyd_t)
> > > +init_systemd_conditional(chronyd_conf_t)
> > > +
> > >    optional_policy(`
> > >        gpsd_rw_shm(chronyd_t)
> > >    ')
> > > diff --git a/policy/modules/system/init.if
> > > b/policy/modules/system/init.if
> > > index 62ab4da8..5a0a78bf 100644
> > > --- a/policy/modules/system/init.if
> > > +++ b/policy/modules/system/init.if
> > > @@ -3232,6 +3232,32 @@ interface(`init_reload_all_units',`
> > >        allow $1 { init_script_file_type systemdunit }:service reload;
> > >    ')
> > > +
> > > +########################################
> > > +## <summary>
> > > +##      Allow init_t getattr permissions.  Generally
> > > +##      needed for types that are used in a Condition
> > > +##      predicate.
> > > +## </summary>
> > > +## <param name="domain">
> > > +##      <summary>
> > > +##      type accessible by init_t
> > > +##      </summary>
> > > +## </param>
> > > +#
> > > +interface(`init_systemd_conditional',`
> >
> > systemd_ConditionPath is a more preferable name.
>
> I'm a little confused about the suggested name.  I think this interface
> belongs in init.if due to the requiring of init_t.  Due to this, I think
> it should have the init_ prefix.  I also don't think there are any camel
> case interface names.
>
> Is the name 'init_systemd_condition_path' acceptable?  Or are some of my
> assumptions wrong?

No, you're right, my mistake.  However, this makes me reconsider the 
previous discussion on this.  Is it really an issue for systemd to be 
able to getattr all files?  Condition* works in many cases already since 
systemd already has lots of access all over the filesystem.

--
Chris PeBenito