commit: e3b92a0ef1585d742839a59a365a122eb000fb8e |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
AuthorDate: Tue Feb 2 15:07:12 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 6 21:15:09 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3b92a0e |
|
machined |
|
This patch is for systemd-machined. Some of it will probably need |
discussion but some is obviously good, so Chris maybe you could take |
the bits you like for this release? |
|
Signed-off-by: Russell Coker <russell <AT> coker.com.au> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/dbus.te | 6 +++++ |
policy/modules/services/ssh.te | 8 ++---- |
policy/modules/system/authlogin.if | 1 + |
policy/modules/system/locallogin.te | 1 + |
policy/modules/system/systemd.if | 52 +++++++++++++++++++++++++++++++++++++ |
policy/modules/system/systemd.te | 12 +++++++++ |
6 files changed, 74 insertions(+), 6 deletions(-) |
|
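diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 26ffe456..cbbbd45b 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbusd_t)
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
 
+# for machinectl shell
+term_use_ptmx(system_dbusd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 # read a file in ~/.local/share
@@ -190,6 +193,9 @@ optional_policy(`
 systemd_read_logind_runtime_files(system_dbusd_t)
 systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
 systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+
+ # for passing around terminal file handles for machinectl shell
+ systemd_use_machined_devpts(system_dbusd_t)
 ')
 
 optional_policy(`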
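Review bot: `term_use_ptmx(system_dbusd_t)` is added to the unconditional part of the domain although its only stated purpose is machinectl shell, while the companion rule `systemd_use_machined_devpts(system_dbusd_t)` sits inside the systemd `optional_policy` block; moving the ptmx rule next to it keeps this machined-only access out of builds without the systemd module. The comment `# for machinectl shell` also does not say why the bus daemon needs the pty master at all; presumably machined opens /dev/ptmx and the master fd it returns crosses the bus, so the receiving daemon must pass the file_receive check, which needs read/write on ptmx_t. I would state that so the rule is not later mistaken for dbus opening terminals itself: `# machinectl shell: the pty master fd machined returns is ptmx_t and is relayed over the bus (file_receive needs rw)`. Note that term_use_ptmx also lets system_dbusd_t open /dev/ptmx on its own, which is wider than the fd relay needs, but I am not aware of a receive-only interface.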
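diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 63a0d824..c5749682 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -267,9 +267,10 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`init_systemd',`
+ auth_use_pam_systemd(sshd_t)
 init_dbus_chat(sshd_t)
- systemd_dbus_chat_logind(sshd_t)
 init_rw_stream_sockets(sshd_t)
+ systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
 
 tunable_policy(`ssh_sysadm_login',`
@@ -311,11 +312,6 @@ optional_policy(`
 rssh_read_ro_content(sshd_t)
 ')
 
-optional_policy(`
- systemd_write_inherited_logind_sessions_pipes(sshd_t)
- systemd_dbus_chat_logind(sshd_t)
-')
-
 optional_policy(`
 xserver_domtrans_xauth(sshd_t)
 xserver_link_xdm_keys(sshd_t)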
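Review bot: `auth_use_pam_systemd(sshd_t)` in the first hunk is a wider grant than the `systemd_dbus_chat_logind(sshd_t)` it replaces: with this commit's authlogin.if change the interface also gives sshd_t `connectto` on machined's socket plus `dbus_system_bus_client`, and neither the commit message nor a comment says why sshd needs the machined userdb socket. A one-line comment next to the call would keep the next reader from removing it as noise, e.g. `# PAM / nss-systemd user lookups via /run/systemd/userdb/io.systemd.Machine`. The second hunk drops the `optional_policy` wrapper around the logind rules, so they now depend on the systemd module being unconditionally present in every `init_systemd` build; that matches the neighbouring `init_dbus_chat` lines but is worth confirming for builds that disable the systemd module.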
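diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 08361bb5..753a7735 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -98,6 +98,7 @@ interface(`auth_use_pam',`
 #
 interface(`auth_use_pam_systemd',`
 dbus_system_bus_client($1)
+ systemd_connect_machined($1)
 systemd_dbus_chat_logind($1)
 ')
 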
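Review bot: The interface's XML `<summary>` block, which starts above the hunk, is not updated even though every caller of `auth_use_pam_systemd` now silently gains `connectto` on the systemd-machined socket; callers audit this interface by its summary, so the new access should be named there, e.g. `## Also allows connecting to machined's /run/systemd/userdb/io.systemd.Machine socket for user lookups.`. If the intended consumer is nss-systemd/pam_systemd doing userdb lookups, saying so in that summary would also explain why a PAM interface reaches into machined at all.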
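diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 0f710243..ed004fb8 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -141,6 +141,7 @@ ifdef(`init_systemd',`
 auth_manage_faillog(local_login_t)
 
 init_dbus_chat(local_login_t)
+ systemd_connect_machined(local_login_t)
 systemd_dbus_chat_logind(local_login_t)
 systemd_use_logind_fds(local_login_t)
 systemd_manage_logind_runtime_pipes(local_login_t)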
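Review bot: local_login_t gets `systemd_connect_machined` and `systemd_dbus_chat_logind` as two separate calls here, while ssh.te in the same commit replaces exactly that pair with the bundled `auth_use_pam_systemd(sshd_t)`; the two login domains should take the same route, otherwise the next change to the PAM/systemd requirements has to be made twice. Unless local_login_t must avoid the `dbus_system_bus_client` that the bundle adds (I cannot see the rest of the domain from this hunk), the line could be `auth_use_pam_systemd(local_login_t)` replacing both systemd_* calls. The enclosing `ifdef(init_systemd)` block starts and ends outside the hunk.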
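diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 29a561c7..642d58e2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,12 +19,18 @@
 ## The user domain for the role.
 ## </summary>
 ## </param>
+## <param name="pty_type">
+## <summary>
+## The type for the user pty
+## </summary>
+## </param>
 #
 template(`systemd_role_template',`
 gen_require(`
 attribute systemd_user_session_type, systemd_log_parse_env_type;
 type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 type systemd_run_exec_t, systemd_analyze_exec_t;
+ type systemd_machined_t;
 ')
 
 #################################
@@ -56,9 +62,13 @@ template(`systemd_role_template',`
 allow $1_systemd_t $3:process { setsched rlimitinh };
 corecmd_shell_domtrans($1_systemd_t, $3)
 corecmd_bin_domtrans($1_systemd_t, $3)
+ allow $1_systemd_t self:process signal;
+
+ files_search_home($1_systemd_t)
 
 # Allow using file descriptors for user environment generators
 allow $3 $1_systemd_t:fd use;
+ allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
 
 # systemctl --user
 stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
@@ -66,6 +76,10 @@ template(`systemd_role_template',`
 can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
 dbus_system_bus_client($1_systemd_t)
+
+ selinux_use_status_page($1_systemd_t)
+ seutil_read_file_contexts($1_systemd_t)
+ seutil_search_default_contexts($1_systemd_t)
 ')
 
 ######################################
@@ -487,6 +501,24 @@ interface(`systemd_read_machines',`
 allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can access the socket
+## </summary>
+## </param>
+#
+interface(`systemd_connect_machined',`
+ gen_require(`
+ type systemd_machined_t;
+ ')
+
+ allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ## Send and receive messages from
@@ -1300,3 +1332,23 @@ interface(`systemd_run_sysusers', `
 systemd_domtrans_sysusers($1)
 roleattribute $2 systemd_sysusers_roles;
 ')
+
+########################################
+## <summary>
+## receive and use a systemd_machined_devpts_t file handle
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_use_machined_devpts', `
+ gen_require(`
+ type systemd_machined_t, systemd_machined_devpts_t;
+ ')
+
+ allow $1 systemd_machined_t:fd use;
+ allow $1 systemd_machined_devpts_t:chr_file { read write };
+')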
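Review bot: `systemd_connect_machined` documents a socket path but grants only `unix_stream_socket connectto` on systemd_machined_t; connecting to a filesystem socket also needs `write` on the sock_file and search on its directory, and nothing here grants those for whatever type /run/systemd/userdb/io.systemd.Machine carries, so callers that do not already have write to that type will still be denied on the sock_file. If the socket is labelled with a machined runtime type, the usual form is `stream_connect_pattern($1, <sock_file type>, <sock_file type>, systemd_machined_t)` in place of the bare allow; if it lives under an init-owned directory, the interface should say which other interface supplies that access. Separately, the first hunk adds a `pty_type` parameter to the `systemd_role_template` documentation and a `type systemd_machined_t;` require, but no visible hunk in this template uses `$4` or systemd_machined_t, so either the body outside these hunks uses them or the doc and require are dead; the template continues outside the hunks so I cannot tell from here.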
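diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9e68824e..39c37ac1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -155,6 +155,9 @@ type systemd_machined_runtime_t alias systemd_machined_var_run_t;
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
 
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
@@ -559,6 +562,9 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -730,6 +736,8 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
+dev_getattr_fs(systemd_machined_t)
+
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
@@ -753,6 +761,10 @@ logging_send_syslog_msg(systemd_machined_t)
 
 seutil_search_default_contexts(systemd_machined_t)
 
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+term_getattr_pty_fs(systemd_machined_t)
+
 optional_policy(`
 init_dbus_chat(systemd_machined_t)
 init_dbus_send_script(systemd_machined_t)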
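Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` in the last hunk is wider than a pty needs: manage_file_perms includes create, unlink, link and rename, which machined never performs on a devpts node (the kernel instantiates the slave when /dev/ptmx is opened, and the `type_transition` from term_create_pty is what labels it), so the rule grants permissions that exist only to be abused. As far as I recall term_create_pty already allows rw plus setattr on its second argument, in which case the line can be dropped; if a denial showed something beyond that, the least-privilege form is `allow systemd_machined_t systemd_machined_devpts_t:chr_file { rw_chr_file_perms setattr };`. The same interface also grants getattr on devpts_t:filesystem in the refpolicy I know, which would make the added `term_getattr_pty_fs(systemd_machined_t)` redundant — worth checking against the current term interface rather than keeping both.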