Date: Sat, 9 Oct 2021 21:17:34 +1100
From: Russell Coker
To: Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch

On Saturday, 6 February 2021 06:44:21 AEDT Chris PeBenito wrote:
> > +interface(`systemd_watch_logind_runtime_dir',`
>
> systemd_watch_logind_runtime_dirs (plural)

Done.

> > +interface(`systemd_watch_logind_sessions_dir',`
>
> systemd_watch_logind_sessions_dirs (plural)

Done.

> > +interface(`systemd_watch_machines_dir',`
>
> systemd_watch_machines_dirs (plural)

Done.

> > -	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
> > +	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
>
> domtrans_pattern() is the standard pattern.  This change has no effect.

OK, I'll remove that.

> > -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
> > +allow systemd_coredump_t self:unix_stream_socket connectto;
> > +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };
>
> net_admin?  That doesn't seem necessary for core dumping.

That's one of the systemd programs that wanted netadmin to set socket buffers.  I'll dontaudit it.

> > @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
> >
> >  seutil_search_default_contexts(systemd_coredump_t)
> >
> > +allow systemd_generator_t self:fifo_file rw_file_perms;
> > +allow systemd_generator_t self:process setfscreate;
>
> The systemd_generator_t rules need to move to proper places.

Done.

> > @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
> >
> >  kernel_read_kernel_sysctls(systemd_logind_t)
> >
> > +auth_read_shadow(systemd_logind_t)
>
> If this is necessary, it seems Debian specific.

I'll try removing it.
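Review bot: in the systemd_coredump_t hunk, net_admin is added to the `allow` rule together with the rest of the capability set, so it is granted rather than merely silenced; since it is only wanted for setting socket buffer sizes, drop it from the allow line and add a separate `dontaudit systemd_coredump_t self:capability net_admin;` so the denial stops filling the audit log without widening the domain. The new `allow systemd_coredump_t self:unix_stream_socket connectto;` line also carries no comment saying which socket coredump connects to; one line of explanation would help the next reader.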
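Review bot: the two systemd_generator_t rules in the `@@ -393,6 +403,32 @@` hunk sit inside the systemd_coredump_t section (directly after `seutil_search_default_contexts(systemd_coredump_t)`); they belong in the systemd-generator local policy block so each domain's section stays self-contained. The `self:process setfscreate` rule should also get a comment naming which files the generator creates with an explicit context, since setfscreate lets the domain pick the label of what it creates.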
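Review bot: `auth_read_shadow(systemd_logind_t)` in the `@@ -583,6 +642,8 @@` hunk gives logind read access to the shadow file, a large widening for a domain that should not need password hashes. If it turns out to be needed only on Debian, wrap it in an ifdef(`distro_debian',` ... ') block with a comment explaining why; otherwise drop it, as the reply already proposes.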
> > @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
> >
> >  term_search_ptys(systemd_nspawn_t)
> >  term_setattr_generic_ptys(systemd_nspawn_t)
> >  term_use_ptmx(systemd_nspawn_t)
> >
> > +term_use_generic_ptys(systemd_nspawn_t)
>
> Perhaps this should have a pty type?

OK.

> > @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
> >
> >  # systemd-user-runtime-dir local policy
> >  #
> >
> > -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
> > +allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };
>
> sys_admin and mknod?  What is sys_admin used for; also, I don't see any
> rules for creating devices.

That's because of something that I hadn't included in that patch.  It has to unlink device nodes labelled user_tmp_t.  I just sent another patch for this.
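Review bot: `term_use_generic_ptys(systemd_nspawn_t)` in the `@@ -972,6 +1067,7 @@` hunk lets nspawn read and write every generic pty on the host, not just the ones it allocates for its containers. Since the domain already calls `term_use_ptmx`, the usual refpolicy approach is to declare a dedicated pty type for systemd_nspawn_t and have the ptmx allocation transition to it, so only nspawn's own ptys are reachable; that is the "pty type" the review asks for.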
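Review bot: in the `@@ -1519,11 +1627,15 @@` hunk the new capability set lists dac_override twice (`{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`); drop the duplicate. sys_admin was in the set before this change but still has no comment saying what it is used for, and mknod is added although nothing in this patch creates device nodes; if the actual requirement is deleting user_tmp_t device nodes, that is `unlink` on the chr_file and blk_file classes of user_tmp_t, not a capability, so mknod needs its own justification or should be dropped.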