Re: [PATCH] another systemd misc patch


 



On 2/2/21 10:31 PM, Russell Coker wrote:
Lots of little changes related to systemd.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>


@@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
######################################
  ## <summary>
+##     Watch systemd-logind runtime dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_watch_logind_runtime_dir',`

systemd_watch_logind_runtime_dirs (plural)

+	gen_require(`
+		type systemd_logind_runtime_t;
+	')
+
+	allow $1 systemd_logind_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
  ##   Use inherited systemd
  ##   logind file descriptors.
  ## </summary>
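Review bot: The XML doc blocks of the three new watch interfaces are not written to one template: this one and systemd_watch_logind_sessions_dir use the standard `Domain allowed access.` parameter summary, while systemd_watch_machines_dir says `Allow watching /run/systemd/machines` and `Domain that can watch the machines files`, and its text is tab-indented where the other two use spaces. Refpolicy's generated interface documentation reads more evenly when all three follow the same form; I'd change the machines block to `##	Watch systemd-machined runtime dirs.` and `##	Domain allowed access.` and align the indentation across the three. The rule bodies themselves look fine as far as the hunks show.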
@@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
######################################
  ## <summary>
+##      Watch logind sessions dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_watch_logind_sessions_dir',`

systemd_watch_logind_sessions_dirs (plural)

+	gen_require(`
+		type systemd_sessions_runtime_t;
+	')
+
+	allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
+######################################
+## <summary>
  ##      Write inherited logind inhibit pipes.
  ## </summary>
  ## <param name="domain">
@@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
########################################
  ## <summary>
+##	Allow watching /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can watch the machines files
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_machines_dir',`

systemd_watch_machines_dirs (plural)

+	gen_require(`
+		type systemd_machined_runtime_t;
+	')
+
+	allow $1 systemd_machined_runtime_t:dir watch;
+')
+
+########################################
+## <summary>
  ##   Send and receive messages from
  ##   systemd hostnamed over dbus.
  ## </summary>
@@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',`
  		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
  	')
- domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)

domtrans_pattern() is the standard pattern.  This change has no effect.



Index: refpolicy-2.20210203/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210203/policy/modules/system/systemd.te
@@ -129,6 +129,7 @@ type systemd_logind_t;
  type systemd_logind_exec_t;
  init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
  init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
+init_stream_connect(systemd_logind_t)
type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
  files_runtime_file(systemd_logind_inhibit_runtime_t)
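Review bot: The new `init_stream_connect(systemd_logind_t)` line is placed among the `type` declarations and the `init_daemon_domain` setup call for logind, which appears to be the declarations section of systemd.te; refpolicy normally keeps access rules for a domain in its local policy block further down, next to the other init_ calls for systemd_logind_t. A short comment naming the socket logind connects to would also help, since the hunk gives no reason for the new access. The section boundary is inferred from the visible context lines only.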
@@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli
  init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
  manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
+kernel_read_kernel_sysctls(systemd_backlight_t)
+
  systemd_log_parse_environment(systemd_backlight_t)
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
@@ -358,13 +361,15 @@ ifdef(`enable_mls',`
  #
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
-allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
+allow systemd_coredump_t self:unix_stream_socket connectto;
+allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };

net_admin? That doesn't seem necessary for core dumping.


[...]
@@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
seutil_search_default_contexts(systemd_coredump_t)
+allow systemd_generator_t self:fifo_file rw_file_perms;
+allow systemd_generator_t self:process setfscreate;
+
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:tcp_socket create;
+allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
+
+corecmd_exec_bin(systemd_generator_t)
+corecmd_exec_shell(systemd_generator_t)
+files_exec_etc_files(systemd_generator_t)
+fs_getattr_cgroup(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
+fs_rw_tmpfs_files(systemd_generator_t)
+miscfiles_read_localization(systemd_generator_t)
+
+optional_policy(`
+	# for /lib/systemd/system-generators/openvpn-generator
+	openvpn_read_config(systemd_generator_t)
+')
+
+optional_policy(`
+	# it runs postconf
+	# maybe /lib/systemd/system-generators/postfix-instance-generator
+	postfix_read_config(systemd_generator_t)
+')
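Review bot: Apart from the two optional_policy blocks, none of the new systemd_generator_t rules say which generator needs them, and several are broad: `self:capability dac_override`, `self:process setfscreate`, `files_exec_etc_files` and `corecmd_exec_shell` each widen what a generator can do noticeably. The `self:tcp_socket create` line with no further socket permissions, together with the `self:netlink_route_socket` rule, looks like a library probing the network at start-up rather than a real need; if nothing actually uses the socket, the usual refpolicy response is `dontaudit systemd_generator_t self:tcp_socket create;` rather than an allow. Each remaining rule should carry a one-line comment naming the generator that triggered it, as the openvpn and postfix blocks already do.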

The systemd_generator_t rules need to move to proper places.



@@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
kernel_read_kernel_sysctls(systemd_logind_t)
+auth_read_shadow(systemd_logind_t)

If this is necessary, it seems Debian specific.

[...]
@@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
  # for /run/systemd/nspawn/incoming in chroot
  allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
+kernel_getattr_core_if(systemd_nspawn_t)
+kernel_getattr_proc(systemd_nspawn_t)
+kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
+
  kernel_mount_proc(systemd_nspawn_t)
  kernel_mounton_sysctl_dirs(systemd_nspawn_t)
  kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
  kernel_mounton_message_if(systemd_nspawn_t)
  kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_files(systemd_nspawn_t)
+kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
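Review bot: `kernel_getattr_unlabeled_dirs` and `kernel_mounton_unlabeled_dirs` grant access to unlabeled_t directories without saying which path in the container tree carries that label; unlabeled_t usually points to a missing file context or a mount that was never relabeled, so the rule may be papering over a labeling gap rather than a genuine need. I'd add a comment naming the directory, e.g. `# for <PATH-PLACEHOLDER> under the container root (TODO: confirm why it is unlabeled)`, and check whether a file context entry would remove the need for the mounton rule. The hunk is quoted only partially here, so further added lines may exist outside the visible ones.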

With all of the mounting, perhaps we should consider coalescing on allowing it to mount on all init_mountpoint_types.

[..]
@@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
  term_search_ptys(systemd_nspawn_t)
  term_setattr_generic_ptys(systemd_nspawn_t)
  term_use_ptmx(systemd_nspawn_t)
+term_use_generic_ptys(systemd_nspawn_t)

Perhaps this should have a pty type?


@@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
  # systemd-user-runtime-dir local policy
  #
-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
+allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };

sys_admin and mknod? What is sys_admin used for; also, I don't see any rules for creating devices.

  allow systemd_user_runtime_dir_t self:process setfscreate;
domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir manage_dir_perms;
+allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
+allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
+
  files_read_etc_files(systemd_user_runtime_dir_t)
fs_mount_tmpfs(systemd_user_runtime_dir_t)
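Review bot: The rewritten capability line lists `dac_override` twice: `{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`. checkpolicy most likely accepts the duplicate, but it makes the line look like a larger change than it is (only mknod is new); it should read `allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search fowner mknod sys_admin };`. The added `sock_file unlink` rules on systemd_user_runtime_t and systemd_user_runtime_notify_t are not explained either; a comment naming the sockets cleaned up at session end would help. The hunk is quoted partially, so its remaining context lines are not visible here.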
@@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r
  seutil_libselinux_linked(systemd_user_runtime_dir_t)
userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
  userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
+userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
+userdom_list_user_tmp(systemd_user_runtime_dir_t)
  userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
  userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
  userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
@@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
  ')
+
+########################################
+## <summary>
+##	send dbus messages to dpkg_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_dbus_chat',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:dbus send_msg;
+')
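Review bot: `dpkg_dbus_chat` grants only one direction, `allow $1 dpkg_t:dbus send_msg;`, while refpolicy's `*_dbus_chat` interfaces grant both directions so the reply path works; the name and the body disagree. Either add the return rule `allow dpkg_t $1:dbus send_msg;` so callers get the usual chat semantics, or name the interface for what it does (a one-way send) and capitalise the summary to match the surrounding blocks (`##	Send dbus messages to dpkg_t.`). Whether dpkg_t currently holds any dbus permissions of its own is not visible in this hunk, which is quoted partially.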

I'd prefer that the dbus chat interfaces are provided by the server process' domain.


--
Chris PeBenito



