From: pebenito@ieee.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] systemd init
Date: Sun, 16 Apr 2017 19:09:30 -0400 [thread overview]
Message-ID: <e84f4e29-a384-e1ae-ee04-3eb6fe0b98a5@ieee.org> (raw)
In-Reply-To: <20170414155811.vtj6lbvb6yctmhjc@athena.coker.com.au>
On 04/14/2017 11:58 AM, Russell Coker via refpolicy wrote:
> This patch lets mandb_t search init_var_run_t dirs which it needs when running
> with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
> pointless to put that in a separate patch.
>
> Allow init_t to do several things that it requires when init is systemd.
>
> Allow various operations on var_log_t to access var_log_t symlinks too.
>
> Let auditd setattr it's directory.
This is merged except for the duplicate rules noted by the others.
> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)
>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')
> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ## <summary>
> +## Connect to the syslog control unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +## <summary>
> ## Read the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;
> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
prev parent reply other threads:[~2017-04-16 23:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-14 15:58 [refpolicy] [PATCH] systemd init Russell Coker
2017-04-14 16:13 ` Dominick Grift
2017-04-14 17:33 ` Christian Göttsche
2017-04-16 23:09 ` Chris PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e84f4e29-a384-e1ae-ee04-3eb6fe0b98a5@ieee.org \
--to=pebenito@ieee.org \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.