Russell Coker <russell@xxxxxxxxxxxx> writes: > On Friday, 25 December 2020 6:58:41 PM AEDT Dominick Grift wrote: >> Russell Coker <russell@xxxxxxxxxxxx> writes: >> > On Thursday, 24 December 2020 7:37:50 PM AEDT Dominick Grift wrote: >> >> > To enable "machinectl shell" on recent versions of systemd we need >> >> > something like the above policy (which is not complete or ideal, still >> >> > doesn't work so no point polishing it) and something for the below. >> >> > What >> >> > is the below about? >> >> >> >> this should be thoroughly addressed. machined creates a login pty that >> >> gets relabeled on login as per type_change rules. >> > >> > Currently it's not being relabeled on Debian, but that's a separate issue. >> >> Maybe the required type_change rules arent present? > > Here is all the policy to make it work. Maybe we should have a type like > system_dbusd_devpts_t for this. This is not policy for inclusion, this is > policy to discuss before writing that policy. I created a machined_pty_t, and then allowed both systemd (unconfined & user_systemd_t) as well as the various user types to type change from machined_pty_t to user_pty_t [root@brutus ~]# sesearch --type_change | grep machine type_change sys.isid machine.daemon.loginpty:chr_file sys.pty; # unconfined_t and systemd --system are "system" is sys.isid, sys.pty is system/unconfined pty) type_change user.subj machine.daemon.loginpty:chr_file user.pty; # all my confined login user shell domains are "user.subj" type_change user.systemd.subj machine.daemon.loginpty:chr_file user.pty; # this is systemd --user on behalf of confined login users my systemd-machined policy: https://git.defensec.nl/?p=dssp3.git;a=blob_plain;f=policy/systemd/systemd_machine.cil;hb=HEAD > > term_user_pty(user_systemd_t, user_devpts_t) > term_login_pty(devpts_t) > allow user_systemd_t user_devpts_t:chr_file rw_file_perms; > > # for machinectl shell > allow sysadm_t systemd_machined_t:dbus send_msg; > systemd_manage_userdb_runtime_dirs(systemd_machined_t) > systemd_manage_userdb_runtime_sock_files(systemd_machined_t) > term_use_ptmx(systemd_machined_t) > dev_getattr_fs(systemd_machined_t) > term_getattr_pty_fs(systemd_machined_t) > allow systemd_machined_t sysadm_t:dbus send_msg; > allow systemd_machined_t devpts_t:chr_file rw_file_perms; > allow system_dbusd_t systemd_machined_t:fd use; > allow system_dbusd_t devpts_t:chr_file { read write }; > allow system_dbusd_t ptmx_t:chr_file { read write }; > allow sysadm_t systemd_machined_t:fd use; > allow user_systemd_t shell_exec_t:file entrypoint; > allow user_systemd_t systemd_machined_t:fd use; > allow user_systemd_t self:process signal; > allow user_t systemd_machined_t:fd use; > allow user_t user_systemd_t:fifo_file { getattr write }; > allow user_t init_t:process signal; > >> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892001 >> > >> > We have work in progress on dbus-broker in Debian. Would it make sense to >> > only support dbus-broker in SE Linux policy? Being forced to use only 1 >> > of >> > the 2 dbus programs (and the newer and faster 1 of the 2) is a very small >> > trade-off, smaller than some of the other trade-offs for running SE Linux. >> >> should probably be able to support both (conditionally) but could get messy > > Currently we have a heap of ifdef systemd in the policy, as probably the only > people not wanting dbus-broker will be the ones not wanting systemd we could > include it in the same ifdef rules. -- gpg --locate-keys dominick.grift@xxxxxxxxxxx Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift