On 2/2/21 10:07 AM, Russell Coker wrote:
This patch is for systemd-machined. Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Index: refpolicy-2.20210203/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210203/policy/modules/services/ssh.te
@@ -265,9 +265,10 @@ ifdef(`distro_debian',`
')
ifdef(`init_systemd',`
+ auth_use_pam_systemd(sshd_t)
init_dbus_chat(sshd_t)
- systemd_dbus_chat_logind(sshd_t)
init_rw_stream_sockets(sshd_t)
+ systemd_write_inherited_logind_sessions_pipes(sshd_t)
')
tunable_policy(`ssh_sysadm_login',`
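Review bot: The new `auth_use_pam_systemd(sshd_t)` call sits directly under `ifdef(`init_systemd',` while the logind rules it replaces lived in an `optional_policy()` block (removed in the next hunk); because that interface calls `dbus_system_bus_client()` and `systemd_dbus_chat_logind()`, the build now hard-requires the dbus module whenever init_systemd is set. If dbus is still optional in this tree, keep it wrapped: `optional_policy(` / `auth_use_pam_systemd(sshd_t)` / `')`. The call also pulls in `connectto` to systemd_machined_t through the authlogin.if change below, so a short comment naming the reason (userdb lookups during PAM, per the systemd.te comment) would spare the next reader a hunt.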
@@ -310,11 +311,6 @@ optional_policy(`
')
optional_policy(`
- systemd_write_inherited_logind_sessions_pipes(sshd_t)
- systemd_dbus_chat_logind(sshd_t)
-')
-
-optional_policy(`
xserver_domtrans_xauth(sshd_t)
xserver_link_xdm_keys(sshd_t)
')
Index: refpolicy-2.20210203/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210203/policy/modules/system/authlogin.if
@@ -91,6 +91,7 @@ interface(`auth_use_pam',`
#
interface(`auth_use_pam_systemd',`
dbus_system_bus_client($1)
+ systemd_connect_machined($1)
systemd_dbus_chat_logind($1)
')
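Review bot: Adding `systemd_connect_machined($1)` to `auth_use_pam_systemd` widens every PAM-using domain (sshd, local login, su, display managers, cron and so on) to `unix_stream_socket connectto` on systemd_machined_t, and the interface gives no reason for it. The motivation appears to be the `/run/systemd/userdb/io.systemd.Machine` lookup mentioned in systemd.te, so record it here: `# nss-systemd userdb lookups via /run/systemd/userdb/io.systemd.Machine`. Note that `connectto` alone does not complete a connect: the caller must also search the userdb directory and write the sock_file, so unless that socket is labelled with a type these domains already write, the denial simply moves from connectto to sock_file write.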
Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -151,6 +151,9 @@ type systemd_machined_runtime_t alias sy
files_runtime_file(systemd_machined_runtime_t)
init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
type systemd_modules_load_t;
type systemd_modules_load_exec_t;
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
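Review bot: The new `systemd_machined_devpts_t` type carries no comment saying what it labels, unlike the neighbouring type declarations, and `term_login_pty()` deliberately makes it a login pty type (ptynode), which is worth stating. Suggested: `# pty slaves allocated by machined for "machinectl shell" / "machinectl login"`. Since the template hunks later in the patch hand the pty to the user's session, it is also worth a sentence on why a single shared type is preferred over the user's own `*_devpts_t` via a type_transition in the role template.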
@@ -562,6 +565,9 @@ allow systemd_logind_t self:fifo_file rw
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
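Review bot: This raw `allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;` duplicates the `systemd_connect_machined()` interface the same patch adds to systemd.if, and like that interface it grants connectto on every unix stream socket machined listens on, not only the userdb one named in the comment. A direct rule inside systemd.te is acceptable by refpolicy convention, but the comment should then say which component performs the lookup and which socket file type logind already writes, e.g. `# logind resolves users via the machined userdb socket /run/systemd/userdb/io.systemd.Machine`. If the interface is later tightened to a `stream_connect_pattern`, this copy will need the same change, so a pointer to it would help.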
@@ -737,6 +743,8 @@ allow systemd_machined_t systemd_machine
kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)
+dev_getattr_fs(systemd_machined_t)
+
files_read_etc_files(systemd_machined_t)
fs_getattr_cgroup(systemd_machined_t)
@@ -760,6 +768,10 @@ logging_send_syslog_msg(systemd_machined
seutil_search_default_contexts(systemd_machined_t)
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+term_getattr_pty_fs(systemd_machined_t)
+
optional_policy(`
init_dbus_chat(systemd_machined_t)
init_dbus_send_script(systemd_machined_t)
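Review bot: `manage_file_perms` on a chr_file is the regular-file permission set; refpolicy's set for device nodes is `manage_chr_file_perms`, and even that is broader than a pty slave needs, since create/unlink/link/rename on devpts nodes are kernel-managed and machined only has to open, read/write, ioctl and setattr the slave. `term_create_pty()` on the line above very likely already grants the create and read/write side, so this rule can probably shrink to `allow systemd_machined_t systemd_machined_devpts_t:chr_file { rw_chr_file_perms setattr };` — confirm against the actual AVC denials before trimming further. A one-line comment (`# machinectl shell: allocate and hand out the pty slave`) would also document why machined, rather than the user session, owns these nodes.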
Index: refpolicy-2.20210203/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210203/policy/modules/system/systemd.if
@@ -19,12 +19,18 @@
## The user domain for the role.
## </summary>
## </param>
+## <param name="pty_type">
+## <summary>
+## The type for the user pty
+## </summary>
+## </param>
#
template(`systemd_role_template',`
gen_require(`
attribute systemd_user_session_type, systemd_log_parse_env_type;
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
- type systemd_run_exec_t, systemd_analyze_exec_t;
+ type systemd_run_exec_t, systemd_analyze_exec_t, user_devpts_t;
+ type systemd_machined_t;
')
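Review bot: The docblock now advertises a fourth `pty_type` parameter, but neither this hunk nor the following one ever references `$4`; instead `user_devpts_t` is hard-required in `gen_require`, so the documentation and the code disagree. Either drop the new `<param name="pty_type">` block, or make the parameter real (`type $4` usage in the body, and remove `user_devpts_t` from the require list) and update every caller of `systemd_role_template` accordingly. Given that the refpolicy user templates create a per-role `$1_devpts_t`, the parameter form is the one that keeps staff/sysadm instances on their own pty type. The template body continues past the end of this hunk.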
#################################
@@ -56,9 +62,20 @@ template(`systemd_role_template',`
allow $1_systemd_t $3:process { setsched rlimitinh };
corecmd_shell_domtrans($1_systemd_t, $3)
corecmd_bin_domtrans($1_systemd_t, $3)
+ corecmd_shell_entry_type($1_systemd_t)
+ allow $1_systemd_t self:process signal;
+
+ files_search_home($1_systemd_t)
# Allow using file descriptors for user environment generators
allow $3 $1_systemd_t:fd use;
+ allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
+
+ # for "machinectl shell"
+ allow $1_systemd_t systemd_machined_t:fd use;
+ allow $3 systemd_machined_t:fd use;
+ allow $3 systemd_machined_t:dbus send_msg;
+ allow systemd_machined_t $3:dbus send_msg;
I merged most of this except for this machinectl shell part.
# systemctl --user
stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
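Review bot: `corecmd_shell_entry_type($1_systemd_t)` makes every shell an entrypoint for the per-user systemd domain — any domain permitted to transition to `$1_systemd_t` can now reach it by executing a shell — and there is no comment on which `machinectl shell` step needs it; the domtrans rules just above leave the domain rather than enter it. Please add a one-line rationale such as `# machinectl shell: systemd --user is entered via the user's login shell`, or drop the rule if the real denial was elsewhere. The four raw `allow` rules against `systemd_machined_t` (fd use both ways and bidirectional `dbus send_msg`) would conventionally go through systemd.if interfaces inside an `optional_policy()` block rather than being spelled out in a template; the `$3` pair amounts to a machined dbus-chat interface that does not yet exist. The template starts before this hunk and ends after it.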
@@ -66,6 +83,14 @@ template(`systemd_role_template',`
can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
dbus_system_bus_client($1_systemd_t)
+
+ selinux_use_status_page($1_systemd_t)
+ seutil_read_file_contexts($1_systemd_t)
+ seutil_search_default_contexts($1_systemd_t)
+
+ # for machinectl shell
+ term_user_pty($1_systemd_t, user_devpts_t)
+ allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
')
######################################
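Review bot: `term_user_pty($1_systemd_t, user_devpts_t)` and the `rw_file_perms` rule beneath it hard-code the unprivileged user's pty type inside a role template, so staff/sysadm instances of this template get access to user_devpts_t instead of their own `*_devpts_t`, while the `pty_type` parameter documented earlier in the patch goes unused. Use the parameter: `term_user_pty($1_systemd_t, $4)` and `allow $1_systemd_t $4:chr_file rw_chr_file_perms;` (`rw_chr_file_perms`, not the regular-file macro). `term_user_pty()` most likely already grants read/write on the pty type, in which case the second line is redundant — check the interface before keeping it. The template body starts before this hunk.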
@@ -489,6 +514,24 @@ interface(`systemd_read_machines',`
########################################
## <summary>
+## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can access the socket
+## </summary>
+## </param>
+#
+interface(`systemd_connect_machined',`
+ gen_require(`
+ type systemd_machined_t;
+ ')
+
+ allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## systemd hostnamed over dbus.
## </summary>
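Review bot: The summary promises access to one socket (`/run/systemd/userdb/io.systemd.Machine`), but the rule grants `connectto` on every unix_stream_socket systemd_machined_t listens on, and it grants nothing on the socket file itself, so a caller that cannot search the userdb directory and write the sock_file is still denied. The refpolicy idiom is `stream_connect_pattern($1, <sockfile_type>, <sockfile_type>, systemd_machined_t)` using whatever type labels /run/systemd/userdb; if that path is currently a generic runtime type, the fc entry belongs in the same patch. At minimum, reword the summary to `Allow connecting to systemd-machined's unix stream sockets (used for /run/systemd/userdb/io.systemd.Machine lookups)` so it does not overstate the narrowness of the grant.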
@@ -1300,3 +1343,23 @@ interface(`systemd_run_sysusers', `
systemd_domtrans_sysusers($1)
roleattribute $2 systemd_sysusers_roles;
')
+
+########################################
+## <summary>
+## receive and use a systemd_machined_devpts_t file handle
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_use_machined_devpts', `
+ gen_require(`
+ type systemd_machined_t, systemd_machined_devpts_t;
+ ')
+
+ allow $1 systemd_machined_t:fd use;
+ allow $1 systemd_machined_devpts_t:chr_file { read write };
+')
Index: refpolicy-2.20210203/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20210203/policy/modules/system/locallogin.te
@@ -142,6 +142,7 @@ ifdef(`init_systemd',`
auth_manage_faillog(local_login_t)
init_dbus_chat(local_login_t)
+ systemd_connect_machined(local_login_t)
systemd_dbus_chat_logind(local_login_t)
systemd_use_logind_fds(local_login_t)
systemd_manage_logind_runtime_pipes(local_login_t)
Index: refpolicy-2.20210203/policy/modules/services/dbus.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dbus.te
+++ refpolicy-2.20210203/policy/modules/services/dbus.te
@@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbus
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
+# for machinectl shell
+term_use_ptmx(system_dbusd_t)
+
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
# read a file in ~/.local/share
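Review bot: `term_use_ptmx(system_dbusd_t)` grants the system bus daemon read/write, including open, on /dev/ptmx itself, which lets dbus-daemon allocate fresh pty masters — more than "for machinectl shell" justifies if the bus only forwards an already-open master fd between machined and the client. If the recorded AVC was on an inherited ptmx_t fd, a rule limited to inherited use (`rw_inherited_term_perms` on ptmx_t, through a terminal.if interface rather than a raw allow) is the least-privilege option; if dbus genuinely opens /dev/ptmx, say so. Either way, expand the comment to name the operation: `# machinectl shell: dbus-daemon relays the pty master fd opened by machined`.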
@@ -184,6 +187,9 @@ optional_policy(`
systemd_read_logind_runtime_files(system_dbusd_t)
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+
+ # for passing around terminal file handles for machinectl shell
+ systemd_use_machined_devpts(system_dbusd_t)
')
optional_policy(`
--
Chris PeBenito