Chris PeBenito <pebenito@xxxxxxxx> writes:
> On 2/2/21 10:31 PM, Russell Coker wrote:
>> Lots of littls changes related to systemd.
>> Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
>>
>
>> @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
>> ######################################
>> ## <summary>
>> +## Watch systemd-logind runtime dirs
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_logind_runtime_dir',`
>
> systemd_watch_logind_runtime_dirs (plural)
>
>> + gen_require(`
>> + type systemd_logind_runtime_t;
>> + ')
>> +
>> + allow $1 systemd_logind_runtime_t:dir watch;
>> +')
>> +
>> +######################################
>> +## <summary>
>> ## Use inherited systemd
>> ## logind file descriptors.
>> ## </summary>
>> @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
>> ######################################
>> ## <summary>
>> +## Watch logind sessions dirs.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_logind_sessions_dir',`
>
> systemd_watch_logind_sessions_dirs (plural)
>
>> + gen_require(`
>> + type systemd_sessions_runtime_t;
>> + ')
>> +
>> + allow $1 systemd_sessions_runtime_t:dir watch;
>> +')
>> +
>> +######################################
>> +## <summary>
>> ## Write inherited logind inhibit pipes.
>> ## </summary>
>> ## <param name="domain">
>> @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
>> ########################################
>> ## <summary>
>> +## Allow watching /run/systemd/machines
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain that can watch the machines files
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_machines_dir',`
>
> systemd_watch_machines_dirs (plural)
>
>> + gen_require(`
>> + type systemd_machined_runtime_t;
>> + ')
>> +
>> + allow $1 systemd_machined_runtime_t:dir watch;
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Send and receive messages from
>> ## systemd hostnamed over dbus.
>> ## </summary>
>> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',`
>> type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
>> ')
>> - domtrans_pattern($1, systemd_passwd_agent_exec_t,
>> systemd_passwd_agent_t)
>> + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
>
> domtrans_pattern() is the standard pattern. This change has no effect.
>
>
>
>> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
>> =================================================================
>> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
>> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
>> @@ -129,6 +129,7 @@ type systemd_logind_t;
>> type systemd_logind_exec_t;
>> init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
>> init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
>> +init_stream_connect(systemd_logind_t)
>> type systemd_logind_inhibit_runtime_t alias
>> systemd_logind_inhibit_var_run_t;
>> files_runtime_file(systemd_logind_inhibit_runtime_t)
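Review bot: The param summary in the systemd_watch_machines_dir hunk says `Domain that can watch the machines files`, but the only rule the interface carries is `allow $1 systemd_machined_runtime_t:dir watch;`, so the documentation promises file watching the interface does not grant. The summary line also departs from the form used by the two logind watch interfaces earlier in this series (`Allow watching /run/systemd/machines` versus `Watch ...`) and names a path rather than the type the interface is actually written against. Suggest `## Watch systemd-machined runtime dirs.` for the summary and `## Domain allowed access.` for the parameter, matching the sibling interfaces.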
>> @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli
>> init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
>> manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
>> +kernel_read_kernel_sysctls(systemd_backlight_t)
>> +
>> systemd_log_parse_environment(systemd_backlight_t)
>> # Allow systemd-backlight to write to
>> /sys/class/backlight/*/brightness
>> @@ -358,13 +361,15 @@ ifdef(`enable_mls',`
>> #
>> allow systemd_coredump_t self:unix_dgram_socket { create write
>> connect getopt setopt };
>> -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
>> +allow systemd_coredump_t self:unix_stream_socket connectto;
>> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };
>
> net_admin? That doesn't seem necessary for core dumping.
>
>
> [...]
>> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
>> seutil_search_default_contexts(systemd_coredump_t)
>> +allow systemd_generator_t self:fifo_file rw_file_perms;
>> +allow systemd_generator_t self:process setfscreate;
>> +
>> +allow systemd_generator_t self:capability dac_override;
>> +allow systemd_generator_t self:tcp_socket create;
>> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
>> +
>> +corecmd_exec_bin(systemd_generator_t)
>> +corecmd_exec_shell(systemd_generator_t)
>> +files_exec_etc_files(systemd_generator_t)
>> +fs_getattr_cgroup(systemd_generator_t)
>> +fs_getattr_tmpfs(systemd_generator_t)
>> +fs_rw_tmpfs_files(systemd_generator_t)
>> +miscfiles_read_localization(systemd_generator_t)
>> +
>> +optional_policy(`
>> + # for /lib/systemd/system-generators/openvpn-generator
>> + openvpn_read_config(systemd_generator_t)
>> +')
>> +
>> +optional_policy(`
>> + # it runs postconf
>> + # maybe /lib/systemd/system-generators/postfix-instance-generator
>> + postfix_read_config(systemd_generator_t)
>> +')
>
> The systemd_generator_t rules need to move to proper places.
>
>
>
>> @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
>> kernel_read_kernel_sysctls(systemd_logind_t)
>> +auth_read_shadow(systemd_logind_t)
>
> If this is necessary, it seems Debian specific. This also happens on fedora (not sure why)
>
> [...]
>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>> # for /run/systemd/nspawn/incoming in chroot
>> allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>> +kernel_getattr_core_if(systemd_nspawn_t)
>> +kernel_getattr_proc(systemd_nspawn_t)
>> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
>> +
>> kernel_mount_proc(systemd_nspawn_t)
>> kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>> kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>> kernel_mounton_message_if(systemd_nspawn_t)
>> kernel_mounton_proc(systemd_nspawn_t)
>> +kernel_mounton_sysctl_files(systemd_nspawn_t)
>> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
>
> With all of the mounting, perhaps we should consider coalescing on
> allowing it to mount an all init_mountpoint_types. mounton unlabeled dirs indicates that something is unlabeled/mislabeled though. Wouldnt allow that.
>
> [..]
>> @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
>> term_search_ptys(systemd_nspawn_t)
>> term_setattr_generic_ptys(systemd_nspawn_t)
>> term_use_ptmx(systemd_nspawn_t)
>> +term_use_generic_ptys(systemd_nspawn_t)
>
> Perhaps this should have a pty type? Agree
>
>
>> @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
>> # systemd-user-runtime-dir local policy
>> #
>> -allow systemd_user_runtime_dir_t self:capability { fowner chown
>> sys_admin dac_read_search dac_override };
>> +allow systemd_user_runtime_dir_t self:capability { chown
>> dac_override dac_read_search dac_override fowner sys_admin mknod };
>
> sys_admin and mknod? What is sys_admin used for; also, I don't see
> any rules for creating devices. its probably old systemd stuff (fixed in more recent version): ie /run/user/UID/inaccessible/blk should be able to ignore this
>
>> allow systemd_user_runtime_dir_t self:process setfscreate;
>> domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
>> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir
>> manage_dir_perms;
>> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
>> +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
>> +
>> files_read_etc_files(systemd_user_runtime_dir_t)
>> fs_mount_tmpfs(systemd_user_runtime_dir_t)
>> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r
>> seutil_libselinux_linked(systemd_user_runtime_dir_t)
>> userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
>> +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
>> userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
>> +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
>> +userdom_list_user_tmp(systemd_user_runtime_dir_t)
>> userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
>> userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
>> userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
>> Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
>> =================================================================
>> --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
>> +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
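Review bot: The rewritten capability line in the systemd_user_runtime_dir hunk lists `dac_override` twice (`{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`), which the policy compiler will most likely accept as a set but reads as a copy-paste slip and makes the old-versus-new permission set harder to compare by eye. Dropping the duplicate gives `allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search fowner sys_admin mknod };`, leaving the separate question of which capabilities belong there untouched. The line is wrapped by the mail client in the quote, so the exact layout should be checked against the patch itself rather than this rendering.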
>> @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
>> allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>> ')
>> +
>> +########################################
>> +## <summary>
>> +## send dbus messages to dpkg_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`dpkg_dbus_chat',`
>> + gen_require(`
>> + type dpkg_t;
>> + ')
>> +
>> + allow $1 dpkg_t:dbus send_msg;
>> +')
>
> I'd prefer that the dbus chat interfaces are provided by the server process' domain. -- gpg --locate-keys dominick.grift@xxxxxxxxxxx Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift