* [refpolicy] [PATCH] systemd init
2017-04-14 15:58 [refpolicy] [PATCH] systemd init Russell Coker
@ 2017-04-14 16:13 ` Dominick Grift
2017-04-14 17:33 ` Christian Göttsche
2017-04-16 23:09 ` Chris PeBenito
2 siblings, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2017-04-14 16:13 UTC (permalink / raw)
To: refpolicy
On Sat, Apr 15, 2017 at 01:58:11AM +1000, Russell Coker via refpolicy wrote:
> This patch lets mandb_t search init_var_run_t dirs which it needs when running
> with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
> pointless to put that in a separate patch.
>
> Allow init_t to do several things that it requires when init is systemd.
>
> Allow various operations on var_log_t to access var_log_t symlinks too.
>
> Let auditd setattr it's directory.
>
> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)
>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')
> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ## <summary>
> +## Connect to the syslog control unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +## <summary>
> ## Read the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;
looks duplicate to me
> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170414/feba9657/attachment-0001.bin
^ permalink raw reply [flat|nested] 4+ messages in thread* [refpolicy] [PATCH] systemd init
2017-04-14 15:58 [refpolicy] [PATCH] systemd init Russell Coker
2017-04-14 16:13 ` Dominick Grift
@ 2017-04-14 17:33 ` Christian Göttsche
2017-04-16 23:09 ` Chris PeBenito
2 siblings, 0 replies; 4+ messages in thread
From: Christian Göttsche @ 2017-04-14 17:33 UTC (permalink / raw)
To: refpolicy
2017-04-14 17:58 GMT+02:00 Russell Coker via refpolicy
<refpolicy@oss.tresys.com>:
> This patch lets mandb_t search init_var_run_t dirs which it needs when running
> with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
> pointless to put that in a separate patch.
>
> Allow init_t to do several things that it requires when init is systemd.
>
> Allow various operations on var_log_t to access var_log_t symlinks too.
>
> Let auditd setattr it's directory.
>
> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)
seems to be a dublicate for me
https://github.com/TresysTechnology/refpolicy-contrib/blob/master/mandb.te#L46
>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')
one question about this:
I saw this once on my systems, but it was caused by the cron script
checking for systemd presence
(https://sources.debian.net/src/man-db/2.7.6.1-2/debian/cron.daily/#L20)
After the label change of the cron script file to bin_t, it
disappeared (https://github.com/TresysTechnology/refpolicy-contrib/commit/563c9eee33e9c7f47d0c61f35005d8a9d6ac46d6#diff-0d233c2fa4a6b85be493bceaf52eab01).
> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ## <summary>
> +## Connect to the syslog control unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +## <summary>
> ## Read the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;
> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
^ permalink raw reply [flat|nested] 4+ messages in thread* [refpolicy] [PATCH] systemd init
2017-04-14 15:58 [refpolicy] [PATCH] systemd init Russell Coker
2017-04-14 16:13 ` Dominick Grift
2017-04-14 17:33 ` Christian Göttsche
@ 2017-04-16 23:09 ` Chris PeBenito
2 siblings, 0 replies; 4+ messages in thread
From: Chris PeBenito @ 2017-04-16 23:09 UTC (permalink / raw)
To: refpolicy
On 04/14/2017 11:58 AM, Russell Coker via refpolicy wrote:
> This patch lets mandb_t search init_var_run_t dirs which it needs when running
> with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
> pointless to put that in a separate patch.
>
> Allow init_t to do several things that it requires when init is systemd.
>
> Allow various operations on var_log_t to access var_log_t symlinks too.
>
> Let auditd setattr it's directory.
This is merged except for the duplicate rules noted by the others.
> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)
>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')
> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ## <summary>
> +## Connect to the syslog control unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +## <summary>
> ## Read the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;
> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
^ permalink raw reply [flat|nested] 4+ messages in thread