[refpolicy] system_r transition in _admin interfaces

[refpolicy] system_r transition in _admin interfaces

[Jason Zaman]

Hi all,

In basically all of the foo_admin() interfaces there are the following
exact same rules:

init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;

Do these even work anymore? They dont work on OpenRC and as far as I
know SystemD doesnt work like that either. I dont really like having the
system_r transition around if it doesnt even work as it should.

>From what I understand they are used so that if another role wants to
admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
then be allowed to start/stop ntp.

If I pull those lines out of all the _admin interfaces and make a
separate interface that calls those, would the patch be accepted? Then
inside that interface it would be easy to ifdef systemd, or ifdef
openrc or whatever kind of init is being used and needs special rules.

Thoughts?
-- Jason

[refpolicy] system_r transition in _admin interfaces

[Dominick Grift]

On Tue, May 12, 2015 at 08:19:13PM +0400, Jason Zaman wrote:
> Hi all,
> 
> In basically all of the foo_admin() interfaces there are the following
> exact same rules:
> 
> init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
> domain_system_change_exemption($1)
> role_transition $2 ntpd_initrc_exec_t system_r;
> allow $2 system_r;
> 
> Do these even work anymore? They dont work on OpenRC and as far as I
> know SystemD doesnt work like that either. I dont really like having the
> system_r transition around if it doesnt even work as it should.

They work and are required on < RHEL 6.*

> 
> >From what I understand they are used so that if another role wants to
> admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
> then be allowed to start/stop ntp.
> 

Yes

> If I pull those lines out of all the _admin interfaces and make a
> separate interface that calls those, would the patch be accepted? Then
> inside that interface it would be easy to ifdef systemd, or ifdef
> openrc or whatever kind of init is being used and needs special rules.
> 
> Thoughts?

Not my call to make

However, i noticed today that recently you did a little work in gentoo trying to call all the admin interfaces in sysadm.te

Please make sure that you build test it thoroughly (also test build monolithic, direct_sysadmin etc)

Not because you may want to support monolithic build in gentoo but because you want to make sure you at least stay to some extend compliant with refpolicy

I would be a shame if you spent a lot of time on some feature and much later determine that its not upstreamable becuause upstream 
needs to support functionality that gentoo does not need to support and thereby neglected to test.

I am saying this because i vaguely recall my trying to call all those admin() interfaces in sysadm.te in refpolicy but it failed to pass the build test then.

I might be wrong i am just giving you an heads-up in advance

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150512/f5e911ef/attachment.bin 

[refpolicy] system_r transition in _admin interfaces

[Jason Zaman]

On Tue, May 12, 2015 at 06:31:56PM +0200, Dominick Grift wrote:
> On Tue, May 12, 2015 at 08:19:13PM +0400, Jason Zaman wrote:
> > Hi all,
> > 
> > In basically all of the foo_admin() interfaces there are the following
> > exact same rules:
> > 
> > init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
> > domain_system_change_exemption($1)
> > role_transition $2 ntpd_initrc_exec_t system_r;
> > allow $2 system_r;
> > 
> > Do these even work anymore? They dont work on OpenRC and as far as I
> > know SystemD doesnt work like that either. I dont really like having the
> > system_r transition around if it doesnt even work as it should.
> 
> They work and are required on < RHEL 6.*
> 
> > 
> > >From what I understand they are used so that if another role wants to
> > admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
> > then be allowed to start/stop ntp.
> > 
> 
> Yes
> 
> > If I pull those lines out of all the _admin interfaces and make a
> > separate interface that calls those, would the patch be accepted? Then
> > inside that interface it would be easy to ifdef systemd, or ifdef
> > openrc or whatever kind of init is being used and needs special rules.
> > 
> > Thoughts?
> 
> Not my call to make
> 
> However, i noticed today that recently you did a little work in gentoo trying to call all the admin interfaces in sysadm.te
> 
> Please make sure that you build test it thoroughly (also test build monolithic, direct_sysadmin etc)
> 
> Not because you may want to support monolithic build in gentoo but because you want to make sure you at least stay to some extend compliant with refpolicy
> 
> I would be a shame if you spent a lot of time on some feature and much later determine that its not upstreamable becuause upstream 
> needs to support functionality that gentoo does not need to support and thereby neglected to test.
> 
> I am saying this because i vaguely recall my trying to call all those admin() interfaces in sysadm.te in refpolicy but it failed to pass the build test then.
> 
> I might be wrong i am just giving you an heads-up in advance

Yes, I was trying to fix stuff in gentoo but its a rather huge patch. So
what I am aiming to do is to refactor this in refpol then in gentoo we
only have to have a small modification to the interface and I dont have
to touch all million files in contrib/.

The aim is for the interface to just call those lines exactly so no
functionality will change at first. Then later adding an ifdef or
tunable can be done for other inits.

Ive been playing with adding all of them for a while now and its been
passing the quick build tests ive done. But I will definitely run all
the tests thoroughly before sending.

-- Jason

[refpolicy] system_r transition in _admin interfaces

[Christopher J. PeBenito]

On 5/12/2015 12:19 PM, Jason Zaman wrote:
> Hi all,
> 
> In basically all of the foo_admin() interfaces there are the following
> exact same rules:
> 
> init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
> domain_system_change_exemption($1)
> role_transition $2 ntpd_initrc_exec_t system_r;
> allow $2 system_r;
> 
> Do these even work anymore? They dont work on OpenRC and as far as I
> know SystemD doesnt work like that either. I dont really like having the
> system_r transition around if it doesnt even work as it should.
> 
>>From what I understand they are used so that if another role wants to
> admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
> then be allowed to start/stop ntp.
> 
> If I pull those lines out of all the _admin interfaces and make a
> separate interface that calls those, would the patch be accepted? Then
> inside that interface it would be easy to ifdef systemd, or ifdef
> openrc or whatever kind of init is being used and needs special rules.

I think what we're getting at is actually a more abstract interface: the
perms to start/stop a daemon.  The above rules are what it takes for
traditional sysvinit-like services, while systemd and openrc have their
own behaviors.  So I think we should replace the above lines in the
admin interfaces with calls to interfaces that look like (pseudocode):

in init.if:

define init_start_service_template
	ifdef init_systemd:
		allow $caller $domain:service start;
	else ifdef init_sysvinit or init_upstart:
		init_labeled_script_domtrans($caller, $entrypoint)
		domain_system_change_exemption($caller)
		...
	else ifdef init_openrc
		...
	endif


in ntp.if:

template ntp_start_service
	init_start_service_template($caller, $role, ntpd_t, ntpd_initrc_exec_t)


Then with these in place, it should hopefully work right without much
effort, and the individual modules don't know or care about the details
of start/stop a service.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] system_r transition in _admin interfaces

[Jason Zaman]

On Tue, May 12, 2015 at 01:04:29PM -0400, Christopher J. PeBenito wrote:
> On 5/12/2015 12:19 PM, Jason Zaman wrote:
> > Hi all,
> > 
> > In basically all of the foo_admin() interfaces there are the following
> > exact same rules:
> > 
> > init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
> > domain_system_change_exemption($1)
> > role_transition $2 ntpd_initrc_exec_t system_r;
> > allow $2 system_r;
> > 
> > Do these even work anymore? They dont work on OpenRC and as far as I
> > know SystemD doesnt work like that either. I dont really like having the
> > system_r transition around if it doesnt even work as it should.
> > 
> >>From what I understand they are used so that if another role wants to
> > admin the service you just add ntp_admin(ntpadm_t, ntpadm_r) and it will
> > then be allowed to start/stop ntp.
> > 
> > If I pull those lines out of all the _admin interfaces and make a
> > separate interface that calls those, would the patch be accepted? Then
> > inside that interface it would be easy to ifdef systemd, or ifdef
> > openrc or whatever kind of init is being used and needs special rules.
> 
> I think what we're getting at is actually a more abstract interface: the
> perms to start/stop a daemon.  The above rules are what it takes for
> traditional sysvinit-like services, while systemd and openrc have their
> own behaviors.  So I think we should replace the above lines in the
> admin interfaces with calls to interfaces that look like (pseudocode):
> 
> in init.if:
> 
> define init_start_service_template
> 	ifdef init_systemd:
> 		allow $caller $domain:service start;
> 	else ifdef init_sysvinit or init_upstart:
> 		init_labeled_script_domtrans($caller, $entrypoint)
> 		domain_system_change_exemption($caller)
> 		...
> 	else ifdef init_openrc
> 		...
> 	endif
> 
> 
> in ntp.if:
> 
> template ntp_start_service
> 	init_start_service_template($caller, $role, ntpd_t, ntpd_initrc_exec_t)
> 
> 
> Then with these in place, it should hopefully work right without much
> effort, and the individual modules don't know or care about the details
> of start/stop a service.

This is exactly what I was aiming for. great we're all on the same page.
I will prepare some patches then and send soon. That looks like a decent
list of parameters on the interface, should cover all the different
inits. I'll make the interface without the ifdef's first so nothing
changes. We can add in systemd and openrc after the rest is done.

-- Jason