
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
Date: Sun, 07 Feb 2021 03:20:49
Message-Id: 1612646109.e3b92a0ef1585d742839a59a365a122eb000fb8e.perfinion@gentoo
1 commit: e3b92a0ef1585d742839a59a365a122eb000fb8e
2 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
3 AuthorDate: Tue Feb 2 15:07:12 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 6 21:15:09 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3b92a0e
7
8 machined
9
10 This patch is for systemd-machined. Some of it will probably need
11 discussion but some is obviously good, so Chris maybe you could take
12 the bits you like for this release?
13
14 Signed-off-by: Russell Coker <russell <AT> coker.com.au>
15 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
16
17 policy/modules/services/dbus.te | 6 +++++
18 policy/modules/services/ssh.te | 8 ++----
19 policy/modules/system/authlogin.if | 1 +
20 policy/modules/system/locallogin.te | 1 +
21 policy/modules/system/systemd.if | 52 +++++++++++++++++++++++++++++++++++++
22 policy/modules/system/systemd.te | 12 +++++++++
23 6 files changed, 74 insertions(+), 6 deletions(-)
24
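--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbusd_t)
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
 
+# for machinectl shell
+term_use_ptmx(system_dbusd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 # read a file in ~/.local/share
@@ -190,6 +193,9 @@ optional_policy(`
 systemd_read_logind_runtime_files(system_dbusd_t)
 systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
 systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+
+ # for passing around terminal file handles for machinectl shell
+ systemd_use_machined_devpts(system_dbusd_t)
 ')
 
 optional_policy(`
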
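Review bot: `term_use_ptmx(system_dbusd_t)` in the first hunk is added unconditionally, while its companion `systemd_use_machined_devpts(system_dbusd_t)` in the second hunk sits inside an `optional_policy` block with the other systemd rules, so the ptmx access lands on every build although the comment ties it to machinectl shell. term_use_ptmx also permits opening /dev/ptmx, i.e. allocating new ptys, whereas relaying an already-open terminal fd only needs the read/write on the pty type that the second hunk grants; if the observed denial was on an inherited fd only, the first rule is probably broader than needed. Suggest moving the line next to `systemd_use_machined_devpts` inside the same block, or turning it into a dontaudit if it only silences noise, and recording the motivating denial in the comment so the next reader can narrow it, e.g. `# machinectl shell: dbus-daemon relays the pty fd (denial: <AVC placeholder>)`.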
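--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -267,9 +267,10 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`init_systemd',`
+ auth_use_pam_systemd(sshd_t)
 init_dbus_chat(sshd_t)
- systemd_dbus_chat_logind(sshd_t)
 init_rw_stream_sockets(sshd_t)
+ systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
 
 tunable_policy(`ssh_sysadm_login',`
@@ -311,11 +312,6 @@ optional_policy(`
 rssh_read_ro_content(sshd_t)
 ')
 
-optional_policy(`
- systemd_write_inherited_logind_sessions_pipes(sshd_t)
- systemd_dbus_chat_logind(sshd_t)
-')
-
 optional_policy(`
 xserver_domtrans_xauth(sshd_t)
 xserver_link_xdm_keys(sshd_t)
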
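Review bot: The switch to `auth_use_pam_systemd(sshd_t)` in the first hunk changes more than relocating the removed `systemd_dbus_chat_logind` line: with the authlogin.if change in this same commit, that interface also grants `systemd_connect_machined`, so sshd_t gains connectto on the machined socket, which the commit message does not mention. A one-line comment would keep the reason visible, e.g. `# pam_systemd: logind session registration and machined userdb lookups`. The rules moved out of the deleted `optional_policy` block in the second hunk now sit directly under `ifdef(init_systemd)`, which presumably relies on the systemd module always being built whenever init_systemd is set; worth confirming against modules.conf before the optional wrapper is dropped.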
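--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -98,6 +98,7 @@ interface(`auth_use_pam',`
 #
 interface(`auth_use_pam_systemd',`
 dbus_system_bus_client($1)
+ systemd_connect_machined($1)
 systemd_dbus_chat_logind($1)
 ')
 
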
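Review bot: `systemd_connect_machined($1)` widens what every caller of `auth_use_pam_systemd` receives, yet the interface's XML doc block, which starts above the hunk, is not touched, so the generated documentation still describes only the logind side. Suggest extending the summary with a line such as `## This also allows connecting to the systemd-machined socket that pam_systemd queries for userdb records.` so that module authors choosing between this interface and `systemd_dbus_chat_logind` see the extra access. The enclosing interface definition's documentation begins before the hunk.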
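--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -141,6 +141,7 @@ ifdef(`init_systemd',`
 auth_manage_faillog(local_login_t)
 
 init_dbus_chat(local_login_t)
+ systemd_connect_machined(local_login_t)
 systemd_dbus_chat_logind(local_login_t)
 systemd_use_logind_fds(local_login_t)
 systemd_manage_logind_runtime_pipes(local_login_t)
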
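Review bot: local_login_t receives `systemd_connect_machined` as a standalone rule beside `systemd_dbus_chat_logind`, whereas ssh.te in this same commit expresses the same pair through `auth_use_pam_systemd(sshd_t)`. If local_login_t uses pam_systemd as well, calling `auth_use_pam_systemd(local_login_t)` here would keep the two login programs in step and stop them drifting the next time pam_systemd needs another rule; if the direct rules are deliberate, a short comment saying why would help. The enclosing `ifdef(init_systemd)` block starts before the hunk.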
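--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,12 +19,18 @@
 ## The user domain for the role.
 ## </summary>
 ## </param>
+## <param name="pty_type">
+## <summary>
+## The type for the user pty
+## </summary>
+## </param>
 #
 template(`systemd_role_template',`
 gen_require(`
 attribute systemd_user_session_type, systemd_log_parse_env_type;
 type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 type systemd_run_exec_t, systemd_analyze_exec_t;
+ type systemd_machined_t;
 ')
 
 #################################
@@ -56,9 +62,13 @@ template(`systemd_role_template',`
 allow $1_systemd_t $3:process { setsched rlimitinh };
 corecmd_shell_domtrans($1_systemd_t, $3)
 corecmd_bin_domtrans($1_systemd_t, $3)
+ allow $1_systemd_t self:process signal;
+
+ files_search_home($1_systemd_t)
 
 # Allow using file descriptors for user environment generators
 allow $3 $1_systemd_t:fd use;
+ allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
 
 # systemctl --user
 stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
@@ -66,6 +76,10 @@ template(`systemd_role_template',`
 can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
 dbus_system_bus_client($1_systemd_t)
+
+ selinux_use_status_page($1_systemd_t)
+ seutil_read_file_contexts($1_systemd_t)
+ seutil_search_default_contexts($1_systemd_t)
 ')
 
 ######################################
@@ -487,6 +501,24 @@ interface(`systemd_read_machines',`
 allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that can access the socket
+## </summary>
+## </param>
+#
+interface(`systemd_connect_machined',`
+ gen_require(`
+ type systemd_machined_t;
+ ')
+
+ allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ## Send and receive messages from
@@ -1300,3 +1332,23 @@ interface(`systemd_run_sysusers', `
 systemd_domtrans_sysusers($1)
 roleattribute $2 systemd_sysusers_roles;
 ')
+
+########################################
+## <summary>
+## receive and use a systemd_machined_devpts_t file handle
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_use_machined_devpts', `
+ gen_require(`
+ type systemd_machined_t, systemd_machined_devpts_t;
+ ')
+
+ allow $1 systemd_machined_t:fd use;
+ allow $1 systemd_machined_devpts_t:chr_file { read write };
+')
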
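Review bot: `systemd_connect_machined` in the fourth hunk grants only `unix_stream_socket connectto` on systemd_machined_t, but reaching a socket under /run/systemd/userdb/ also needs `write` on the socket file and search on its directory, which refpolicy normally bundles through `stream_connect_pattern`; unless callers already hold those from another interface, they will still be denied at the sock_file, and the same applies to the direct connectto rule added for systemd_logind_t in systemd.te. The label of that socket file is not visible in this diff, so the fix would be `stream_connect_pattern($1, <userdb socket dir type>, <userdb socket file type>, systemd_machined_t)` once the types are confirmed. Separately, the first hunk documents a new `pty_type` parameter for `systemd_role_template` and requires `systemd_machined_t`, yet no visible line of the template uses either, so unless the consuming rules lie outside these hunks both look like leftovers that should be dropped or completed. In `systemd_use_machined_devpts`, `{ read write }` is enough for a process that merely relays the fd, but a domain that actually drives the terminal will also need `ioctl` and `getattr`, which `rw_inherited_term_perms` provides; the summary should say which of the two the interface is meant for.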
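--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -155,6 +155,9 @@ type systemd_machined_runtime_t alias systemd_machined_var_run_t;
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
 
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
@@ -559,6 +562,9 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -730,6 +736,8 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
+dev_getattr_fs(systemd_machined_t)
+
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
@@ -753,6 +761,10 @@ logging_send_syslog_msg(systemd_machined_t)
 
 seutil_search_default_contexts(systemd_machined_t)
 
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+term_getattr_pty_fs(systemd_machined_t)
+
 optional_policy(`
 init_dbus_chat(systemd_machined_t)
 init_dbus_send_script(systemd_machined_t)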
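Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` in the last hunk applies a plain-file permission set to a pty node and thereby grants create, unlink, link and rename, none of which apply to devpts entries the kernel instantiates through /dev/ptmx. Other pty-creating domains in the tree pair `term_create_pty` with the narrower `{ rw_chr_file_perms setattr }` on their pty type, as far as I recall, so `allow systemd_machined_t systemd_machined_devpts_t:chr_file { rw_chr_file_perms setattr };` should cover what machined does while keeping the daemon at the least access it uses. If a specific denial motivated the broader set, a comment naming it beside the rule would let the next reader narrow it with confidence.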