From: Dominick Grift <dominick.grift@defensec.nl>
To: Chris PeBenito <pebenito@ieee.org>
Cc: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch
Date: Fri, 05 Feb 2021 21:18:09 +0100	[thread overview]
Message-ID: <ypjl5z36qnem.fsf@defensec.nl> (raw)
In-Reply-To: <8e419ea2-1ba4-5b44-16ae-8fbe80cacf18@ieee.org> (Chris PeBenito's message of "Fri, 5 Feb 2021 14:44:21 -0500")

Chris PeBenito <pebenito@ieee.org> writes:

> On 2/2/21 10:31 PM, Russell Coker wrote:
>> Lots of little changes related to systemd.
>> Signed-off-by: Russell Coker <russell@coker.com.au>
>> 
>
>> @@ -296,6 +298,24 @@ interface(`systemd_write_logind_runtime_
>>     ######################################
>>   ## <summary>
>> +##     Watch systemd-logind runtime dirs
>> +## </summary>
>> +## <param name="domain">
>> +##     <summary>
>> +##     Domain allowed access.
>> +##     </summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_logind_runtime_dir',`
>
> systemd_watch_logind_runtime_dirs (plural)
>
>> +	gen_require(`
>> +		type systemd_logind_runtime_t;
>> +	')
>> +
>> +	allow $1 systemd_logind_runtime_t:dir watch;
>> +')
>> +
>> +######################################
>> +## <summary>
>>   ##   Use inherited systemd
>>   ##   logind file descriptors.
>>   ## </summary>
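Review bot: the interface grants only `dir watch` on systemd_logind_runtime_t, so a caller that does not already have search on /run is denied before the watch is ever set up; either add files_search_runtime($1) inside the interface or state in the summary that callers must already reach /run. The summary says "runtime dirs" while the name is singular; follow the plural convention (systemd_watch_logind_runtime_dirs) so the name matches the documentation.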
>> @@ -356,6 +376,24 @@ interface(`systemd_write_inherited_login
>>     ######################################
>>   ## <summary>
>> +##      Watch logind sessions dirs.
>> +## </summary>
>> +## <param name="domain">
>> +##      <summary>
>> +##      Domain allowed access.
>> +##      </summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_logind_sessions_dir',`
>
> systemd_watch_logind_sessions_dirs (plural)
>
>> +	gen_require(`
>> +		type systemd_sessions_runtime_t;
>> +	')
>> +
>> +	allow $1 systemd_sessions_runtime_t:dir watch;
>> +')
>> +
>> +######################################
>> +## <summary>
>>   ##      Write inherited logind inhibit pipes.
>>   ## </summary>
>>   ## <param name="domain">
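Review bot: the name systemd_watch_logind_sessions_dir describes the type as a logind object, but the rule is on systemd_sessions_runtime_t; keep the interface name in step with whatever the existing interfaces on that type are called, and make it plural (systemd_watch_logind_sessions_dirs) like the other *_dirs interfaces. A one-line comment on what the caller is expected to watch for (session files appearing and disappearing) would also help, since `watch` alone says nothing about the intended consumer.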
>> @@ -528,6 +566,24 @@ interface(`systemd_connect_machined',`
>>     ########################################
>>   ## <summary>
>> +##	Allow watching /run/systemd/machines
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain that can watch the machines files
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`systemd_watch_machines_dir',`
>
> systemd_watch_machines_dirs (plural)
>
>> +	gen_require(`
>> +		type systemd_machined_runtime_t;
>> +	')
>> +
>> +	allow $1 systemd_machined_runtime_t:dir watch;
>> +')
>> +
>> +########################################
>> +## <summary>
>>   ##   Send and receive messages from
>>   ##   systemd hostnamed over dbus.
>>   ## </summary>
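Review bot: the parameter summary says "Domain that can watch the machines files" but the rule is `systemd_machined_runtime_t:dir watch` only, so either the documentation should say directory or the rule should also cover `file watch` if file-level notifications are what the caller needs. The summary also hard-codes the path /run/systemd/machines where the neighbouring interfaces describe the object by type; prefer "Watch systemd-machined runtime directories" and the plural name systemd_watch_machines_dirs.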
>> @@ -585,7 +641,7 @@ interface(`systemd_run_passwd_agent',`
>>   		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
>>   	')
>>   -	domtrans_pattern($1, systemd_passwd_agent_exec_t,
>> systemd_passwd_agent_t)
>> +	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
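Review bot: the rationale for replacing domtrans_pattern() with domain_auto_transition_pattern() is not given anywhere in the patch or commit message. domtrans_pattern() is the standard wrapper and additionally gives the new domain fd use, fifo_file read/write and sigchld back to the caller; if the intent is to drop those for the passwd agent, say so and explain why it no longer needs them, otherwise keep `domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)` as it was.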
>
> domtrans_pattern() is the standard pattern.  This change has no effect.
>
>
>
>> Index: refpolicy-2.20210203/policy/modules/system/systemd.te
>> ===================================================================
>> --- refpolicy-2.20210203.orig/policy/modules/system/systemd.te
>> +++ refpolicy-2.20210203/policy/modules/system/systemd.te
>> @@ -129,6 +129,7 @@ type systemd_logind_t;
>>   type systemd_logind_exec_t;
>>   init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
>>   init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
>> +init_stream_connect(systemd_logind_t)
>>     type systemd_logind_inhibit_runtime_t alias
>> systemd_logind_inhibit_var_run_t;
>>   files_runtime_file(systemd_logind_inhibit_runtime_t)
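Review bot: init_stream_connect(systemd_logind_t) is added with no comment on which PID 1 socket logind connects to. logind normally talks to systemd over D-Bus; a direct stream connection is what libsystemd falls back to (the /run/systemd/private socket) when the bus is not reachable, so note whether this is the early-boot case or something else, so the rule is understood rather than copied along.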
>> @@ -295,6 +296,8 @@ allow systemd_backlight_t systemd_backli
>>   init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
>>   manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
>>   +kernel_read_kernel_sysctls(systemd_backlight_t)
>> +
>>   systemd_log_parse_environment(systemd_backlight_t)
>>     # Allow systemd-backlight to write to
>> /sys/class/backlight/*/brightness
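Review bot: kernel_read_kernel_sysctls(systemd_backlight_t) opens all of /proc/sys/kernel to a tool whose job is to read and write one sysfs attribute. Record in a comment which sysctl produced the denial (for systemd helpers it is usually /proc/sys/kernel/random/boot_id read through sd_id128_get_boot()) and check whether a narrower interface exists for it before granting the whole tree.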
>> @@ -358,13 +361,15 @@ ifdef(`enable_mls',`
>>   #
>>     allow systemd_coredump_t self:unix_dgram_socket { create write
>> connect getopt setopt };
>> -allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace };
>> +allow systemd_coredump_t self:unix_stream_socket connectto;
>> +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };
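Review bot: net_admin is added to systemd_coredump_t's capability set without a comment. In systemd binaries this denial usually comes from libsystemd raising socket buffer sizes with SO_SNDBUFFORCE/SO_RCVBUFFORCE, which fails harmlessly when denied, so a dontaudit is the usual treatment unless a larger buffer is genuinely needed to hand large cores to journald. The new `self:unix_stream_socket connectto` also wants a comment naming which systemd_coredump_t socket is being connected to.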
>
> net_admin? That doesn't seem necessary for core dumping.
>
>
> [...]
>> @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
>>     seutil_search_default_contexts(systemd_coredump_t)
>>   +allow systemd_generator_t self:fifo_file rw_file_perms;
>> +allow systemd_generator_t self:process setfscreate;
>> +
>> +allow systemd_generator_t self:capability dac_override;
>> +allow systemd_generator_t self:tcp_socket create;
>> +allow systemd_generator_t self:netlink_route_socket { create read bind getattr write nlmsg_read };
>> +
>> +corecmd_exec_bin(systemd_generator_t)
>> +corecmd_exec_shell(systemd_generator_t)
>> +files_exec_etc_files(systemd_generator_t)
>> +fs_getattr_cgroup(systemd_generator_t)
>> +fs_getattr_tmpfs(systemd_generator_t)
>> +fs_rw_tmpfs_files(systemd_generator_t)
>> +miscfiles_read_localization(systemd_generator_t)
>> +
>> +optional_policy(`
>> +	# for /lib/systemd/system-generators/openvpn-generator
>> +	openvpn_read_config(systemd_generator_t)
>> +')
>> +
>> +optional_policy(`
>> +	# it runs postconf
>> +	# maybe /lib/systemd/system-generators/postfix-instance-generator
>> +	postfix_read_config(systemd_generator_t)
>> +')
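Review bot: the systemd_generator_t block is placed in the systemd-coredump section, right after seutil_search_default_contexts(systemd_coredump_t), instead of with the other generator rules; move it. `self:tcp_socket create` and the netlink_route_socket rules are unexplained: a generator has no business opening network sockets, and `create` without connect commonly comes from a getaddrinfo() or interface enumeration probe that a dontaudit covers, so name the generator that triggers it. The optional_policy comments hedge with "maybe" and "it runs postconf"; confirm the actual generator paths before committing.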
>
> The systemd_generator_t rules need to move to proper places.
>
>
>
>> @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
>>     kernel_read_kernel_sysctls(systemd_logind_t)
>>   +auth_read_shadow(systemd_logind_t)
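Review bot: auth_read_shadow(systemd_logind_t) hands the complete shadow database to a long-running system daemon, and nothing in the patch says which code path needs it. Capture the denial with the full path and syscall to tell whether logind reads the contents or only probes the file; if it is a probe, dontaudit is the right fix, and if a real read is needed on a particular distribution the rule belongs behind a comment explaining that.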
>
> If this is necessary, it seems Debian specific.

This also happens on Fedora (not sure why).
 
>
> [...]
>> @@ -925,14 +1001,26 @@ allow systemd_nspawn_t systemd_nspawn_tm
>>   # for /run/systemd/nspawn/incoming in chroot
>>   allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
>>   +kernel_getattr_core_if(systemd_nspawn_t)
>> +kernel_getattr_proc(systemd_nspawn_t)
>> +kernel_getattr_unlabeled_dirs(systemd_nspawn_t)
>> +
>>   kernel_mount_proc(systemd_nspawn_t)
>>   kernel_mounton_sysctl_dirs(systemd_nspawn_t)
>>   kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
>>   kernel_mounton_message_if(systemd_nspawn_t)
>>   kernel_mounton_proc(systemd_nspawn_t)
>> +kernel_mounton_sysctl_files(systemd_nspawn_t)
>> +kernel_mounton_unlabeled_dirs(systemd_nspawn_t)
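Review bot: kernel_getattr_unlabeled_dirs and kernel_mounton_unlabeled_dirs grant access to unlabeled_t, which normally means the directory nspawn is mounting over carries no label or a stale one (for example a container tree that was never relabelled); take the path from the denial and fix its labelling rather than allowing access to unlabeled content. For the growing list of sysctl mounton rules, a comment naming the /proc/sys paths nspawn masks inside the container would help the next reader.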
>
> With all of the mounting, perhaps we should consider coalescing on
> allowing it to mount an all init_mountpoint_types.

mounton unlabeled dirs indicates that something is unlabeled/mislabeled,
though. Wouldn't allow that.

>
> [..]
>> @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
>>   term_search_ptys(systemd_nspawn_t)
>>   term_setattr_generic_ptys(systemd_nspawn_t)
>>   term_use_ptmx(systemd_nspawn_t)
>> +term_use_generic_ptys(systemd_nspawn_t)
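Review bot: term_use_generic_ptys(systemd_nspawn_t) lets nspawn read and write every generically labelled pty on the host. Since nspawn allocates its own pty for the container console, give it a dedicated pty type instead, for example `type systemd_nspawn_devpts_t; term_pty(systemd_nspawn_devpts_t); term_create_pty(systemd_nspawn_t, systemd_nspawn_devpts_t)`, so the permission is confined to ptys it created (the type name here is only a suggestion).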
>
> Perhaps this should have a pty type?

Agree
>
>
>> @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
>>   # systemd-user-runtime-dir local policy
>>   #
>>   -allow systemd_user_runtime_dir_t self:capability { fowner chown
>> sys_admin dac_read_search dac_override };
>> +allow systemd_user_runtime_dir_t self:capability { chown
>> dac_override dac_read_search dac_override fowner sys_admin mknod };
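Review bot: dac_override appears twice in the new capability set for systemd_user_runtime_dir_t (`{ chown dac_override dac_read_search dac_override fowner sys_admin mknod }`); drop the duplicate. mknod is added although no rule in this hunk creates device nodes, and sys_admin carries over unexplained; if both only serve the inaccessible device nodes that older systemd created under /run/user/UID, say so in a comment or leave them out.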
>
> sys_admin and mknod? What is sys_admin used for; also, I don't see
> any rules for creating devices.

It's probably old systemd stuff (fixed in a more recent version), i.e. /run/user/UID/inaccessible/blk.

Should be able to ignore this.

>
>>   allow systemd_user_runtime_dir_t self:process setfscreate;
>>     domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
>>   +allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir
>> manage_dir_perms;
>> +allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file unlink;
>> +allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file unlink;
>> +
>>   files_read_etc_files(systemd_user_runtime_dir_t)
>>     fs_mount_tmpfs(systemd_user_runtime_dir_t)
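Review bot: the three raw allow rules on systemd_user_runtime_t and systemd_user_runtime_notify_t would read better through the standard patterns, e.g. `delete_sock_files_pattern(systemd_user_runtime_dir_t, systemd_user_runtime_t, systemd_user_runtime_t)` and the same for the notify type, which also spell out the directory search that a bare `sock_file unlink` relies on. A comment saying these cover the teardown of /run/user/UID at logout would make the intent clear.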
>> @@ -1543,7 +1655,10 @@ seutil_read_file_contexts(systemd_user_r
>>   seutil_libselinux_linked(systemd_user_runtime_dir_t)
>>     userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t)
>> +userdom_delete_user_tmp_files(systemd_user_runtime_dir_t)
>>   userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t)
>> +userdom_delete_user_tmp_named_sockets(systemd_user_runtime_dir_t)
>> +userdom_list_user_tmp(systemd_user_runtime_dir_t)
>>   userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
>>   userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
>>   userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
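Review bot: the added userdom_delete_user_tmp_files, userdom_delete_user_tmp_named_sockets and userdom_list_user_tmp calls mean user_tmp_t objects are turning up inside the tree this domain creates and removes (/run/user/UID). That points at a missing or wrong file type transition for whatever creates them there; fixing that transition is the better change than widening the cleanup domain's delete rights over all user tmp content.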
>> Index: refpolicy-2.20210203/policy/modules/admin/dpkg.if
>> ===================================================================
>> --- refpolicy-2.20210203.orig/policy/modules/admin/dpkg.if
>> +++ refpolicy-2.20210203/policy/modules/admin/dpkg.if
>> @@ -356,3 +356,40 @@ interface(`dpkg_read_script_tmp_symlinks
>>     	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>>   ')
>> +
>> +########################################
>> +## <summary>
>> +##	send dbus messages to dpkg_t
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`dpkg_dbus_chat',`
>> +	gen_require(`
>> +		type dpkg_t;
>> +	')
>> +
>> +	allow $1 dpkg_t:dbus send_msg;
>> +')
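Review bot: dpkg_dbus_chat() grants only `allow $1 dpkg_t:dbus send_msg;`, one direction, while the *_dbus_chat naming convention means a two-way exchange (the server's domain also gets `allow dpkg_t $1:dbus send_msg;`). Either add the reverse rule or rename the interface to reflect one-way sending (dpkg_dbus_send). The summary should also be capitalised like the other summaries in this file.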
>
> I'd prefer that the dbus chat interfaces are provided by the server process' domain.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

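Several of the review points above (a permission repeated inside one capability set, sensitive capabilities granted with no comment explaining them, a *_dbus_chat interface that only allows one direction) are mechanical enough to check before a patch is posted. The following is an added example, not code from this thread, from refpolicy or from any of its authors: a small lint pass over policy source text. The SAMPLE_TE and SAMPLE_IF strings are constructed inputs modelled on the rules quoted in the patch, not the real refpolicy files, and the SENSITIVE_CAPS watchlist is this example's own choice.

```python
"""Reviewer's lint for refpolicy-style policy snippets (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input modelled on the rules in the patch under review;
# it is not the actual refpolicy source.
SAMPLE_TE = """\
allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search dac_override fowner sys_admin mknod };
# for SO_SNDBUFFORCE on the journal socket
allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap net_admin sys_ptrace };
allow systemd_generator_t self:capability dac_override;
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
"""

SAMPLE_IF = """\
interface(`dpkg_dbus_chat',`
	gen_require(`
		type dpkg_t;
	')

	allow $1 dpkg_t:dbus send_msg;
')

interface(`example_dbus_chat',`
	gen_require(`
		type example_t;
	')

	allow $1 example_t:dbus send_msg;
	allow example_t $1:dbus send_msg;
')
"""

# Capabilities this example expects to see justified by a comment on the line above.
SENSITIVE_CAPS = {"dac_override", "mknod", "net_admin", "sys_admin",
                  "sys_module", "sys_ptrace", "sys_rawio"}

ALLOW_RE = re.compile(
    r"^[ \t]*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<single>\w+))\s*;",
    re.M,
)
# An interface body runs up to the `')` that sits at column 0.
IFACE_RE = re.compile(r"interface\(`(?P<name>[^']+)',`(?P<body>.*?)^'\)", re.S | re.M)

Rule = Tuple[str, str, str, List[str], int]  # source, target, class, perms, line number


def parse_allow_rules(text: str) -> List[Rule]:
    """Return every allow rule in text, tagged with its 1-based line number."""
    rules: List[Rule] = []
    for m in ALLOW_RE.finditer(text):
        perms = m.group("set").split() if m.group("set") is not None else [m.group("single")]
        lineno = text.count("\n", 0, m.start()) + 1
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms, lineno))
    return rules


def lint_capabilities(text: str) -> List[str]:
    """Flag duplicated perms and watchlisted capabilities without a comment directly above."""
    lines = text.splitlines()
    findings: List[str] = []
    for src, tgt, cls, perms, lineno in parse_allow_rules(text):
        dups = sorted(p for p, n in Counter(perms).items() if n > 1)
        if dups:
            findings.append(f"line {lineno}: duplicate permission(s) {' '.join(dups)} in {src} {tgt}:{cls}")
        if cls in ("capability", "capability2"):
            justified = lineno >= 2 and lines[lineno - 2].lstrip().startswith("#")
            risky = sorted(SENSITIVE_CAPS.intersection(perms))
            if risky and not justified:
                findings.append(f"line {lineno}: {src} gets {' '.join(risky)} with no justifying comment")
    return findings


def lint_dbus_chat(text: str) -> Dict[str, List[str]]:
    """Map each *_dbus_chat interface to the send_msg directions it is missing."""
    problems: Dict[str, List[str]] = {}
    for m in IFACE_RE.finditer(text):
        name = m.group("name")
        if not name.endswith("_dbus_chat"):
            continue
        rules = [r for r in parse_allow_rules(m.group("body")) if r[2] == "dbus" and "send_msg" in r[3]]
        caller_sends = any(src == "$1" for src, _, _, _, _ in rules)
        server_sends = any(tgt == "$1" for _, tgt, _, _, _ in rules)
        missing = [d for d, ok in (("caller -> server", caller_sends), ("server -> caller", server_sends)) if not ok]
        if missing:
            problems[name] = missing
    return problems


if __name__ == "__main__":
    for finding in lint_capabilities(SAMPLE_TE):
        print(finding)
    for iface, missing in lint_dbus_chat(SAMPLE_IF).items():
        print(f"{iface}: missing {', '.join(missing)}")
```

Run against the constructed samples it reports the doubled dac_override and the uncommented sys_admin/mknod on systemd_user_runtime_dir_t, the bare dac_override on systemd_generator_t, and the missing server-to-caller rule in dpkg_dbus_chat, while the commented coredump rule and the two-way example_dbus_chat pass. Feed it a real .te or .if file by reading the file into the same functions.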
Thread overview (8+ messages):
2021-02-03  3:31 [PATCH] another systemd misc patch Russell Coker
2021-02-05 19:44 ` Chris PeBenito
2021-02-05 20:18   ` Dominick Grift [this message]
2021-02-05 20:31     ` Chris PeBenito
2021-02-05 20:45       ` Dominick Grift
  -- strict thread matches above, loose matches on Subject: below --
2021-10-09 10:05 Russell Coker
2021-10-27 13:09 ` Chris PeBenito
2021-10-09 10:17 Russell Coker
