From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E510C433E0 for ; Mon, 4 Jan 2021 15:07:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 46CB02076D for ; Mon, 4 Jan 2021 15:07:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725840AbhADPHH (ORCPT ); Mon, 4 Jan 2021 10:07:07 -0500 Received: from agnus.defensec.nl ([80.100.19.56]:57718 "EHLO agnus.defensec.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727192AbhADPHH (ORCPT ); Mon, 4 Jan 2021 10:07:07 -0500 Received: from brutus (brutus.defensec.nl [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id 8900F2A12B1; Mon, 4 Jan 2021 16:06:25 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 8900F2A12B1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1609772785; bh=VR/+xY3/rfUQDn1PdO3gh/SdlYMRETC4UnkXO4tEjGs=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=k6kniLw+E9Y2MJAdfNKk0NLqf16CyYIkKOgOI/Z/Q8dq13YPD1x5SHzms12Y907eZ ToqDM7ND5oLiWi+wxLrRnjr+GB2FUO76mKeo2UQAc0w7Zmd+0LJ+J79q8QOdY3BU4J MYO1uYQJ7IPrcxueOvmo+BnsbdeowfuV9LZUAsDU= From: Dominick Grift To: Chris PeBenito Cc: Russell Coker , selinux-refpolicy@vger.kernel.org Subject: Re: machinectl shell policy References: <8322849.62pqQp6Oog@liv> <1723812.Y751QtlBzf@liv> <5735537.jZnottUgFY@liv> Date: Mon, 04 Jan 2021 16:06:22 +0100 In-Reply-To: (Dominick Grift's message of "Mon, 04 Jan 2021 16:00:52 +0100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Dominick Grift writes: > Chris PeBenito writes: > >> On 12/25/20 4:16 AM, Russell Coker wrote: >>> On Friday, 25 December 2020 6:58:41 PM AEDT Dominick Grift wrote: >>>> Russell Coker writes: >>>>> On Thursday, 24 December 2020 7:37:50 PM AEDT Dominick Grift wrote: >>>>>>> To enable "machinectl shell" on recent versions of systemd we need >>>>>>> something like the above policy (which is not complete or ideal, still >>>>>>> doesn't work so no point polishing it) and something for the below. >>>>>>> What >>>>>>> is the below about? >>>>>> >>>>>> this should be thoroughly addressed. machined creates a login pty that >>>>>> gets relabeled on login as per type_change rules. >>>>> >>>>> Currently it's not being relabeled on Debian, but that's a separate issue. >>>> >>>> Maybe the required type_change rules arent present? >>> Here is all the policy to make it work. Maybe we should have a type >>> like >>> system_dbusd_devpts_t for this. This is not policy for inclusion, this is >>> policy to discuss before writing that policy. >>> term_user_pty(user_systemd_t, user_devpts_t) >>> term_login_pty(devpts_t) >>> allow user_systemd_t user_devpts_t:chr_file rw_file_perms; >>> # for machinectl shell >>> allow sysadm_t systemd_machined_t:dbus send_msg; >>> systemd_manage_userdb_runtime_dirs(systemd_machined_t) >>> systemd_manage_userdb_runtime_sock_files(systemd_machined_t) >>> term_use_ptmx(systemd_machined_t) >>> dev_getattr_fs(systemd_machined_t) >>> term_getattr_pty_fs(systemd_machined_t) >>> allow systemd_machined_t sysadm_t:dbus send_msg; >>> allow systemd_machined_t devpts_t:chr_file rw_file_perms; >>> allow system_dbusd_t systemd_machined_t:fd use; >>> allow system_dbusd_t devpts_t:chr_file { read write }; >>> allow system_dbusd_t ptmx_t:chr_file { read write }; >>> allow sysadm_t systemd_machined_t:fd use; >>> allow user_systemd_t shell_exec_t:file entrypoint; >> >> The pty stuff seems to make sense, but I'm curious why there is a >> transition into user_systemd_t for the shell. > > The policy above is referencing "devpts_t", that is sub-optimal. there > shouldnt be any pty chr files with the devpts_t filesystem type And I agree that then user_systemd_t shell_exec_t entrypoint should be there. > > >> >>> allow user_systemd_t systemd_machined_t:fd use; >>> allow user_systemd_t self:process signal; >>> allow user_t systemd_machined_t:fd use; >>> allow user_t user_systemd_t:fifo_file { getattr write }; >>> allow user_t init_t:process signal; >> >> >> >>>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892001 >>>>> >>>>> We have work in progress on dbus-broker in Debian. Would it make sense to >>>>> only support dbus-broker in SE Linux policy? Being forced to use only 1 >>>>> of >>>>> the 2 dbus programs (and the newer and faster 1 of the 2) is a very small >>>>> trade-off, smaller than some of the other trade-offs for running SE Linux. >> >> I'd prefer to keep both unless it becomes onerous. >> >> >>>> should probably be able to support both (conditionally) but could get messy >>> Currently we have a heap of ifdef systemd in the policy, as probably >>> the only >>> people not wanting dbus-broker will be the ones not wanting systemd we could >>> include it in the same ifdef rules. >> >> The "else" of the ifdef can work. -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift