Re: [PATCH] strict policy patches

SELinux-Refpolicy Archive mirror
 help / color / mirror / Atom feed

From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] strict policy patches
Date: Wed, 27 Oct 2021 09:09:40 -0400	[thread overview]
Message-ID: <6973a9dc-c7e9-e995-6853-6b4bc192dd66@ieee.org> (raw)
In-Reply-To: <YWFpTPHEZiydqBOq@xev.coker.com.au>

On 10/9/21 06:05, Russell Coker wrote:
> Allow user domains to read kernel sysctls and crypto sysctls.
> 
> Add userdom_write_all_user_runtime_named_sockets interface (for pulseaudio_t).
> 
> Give sysadm_t more access.
> 
> Give dbus domains a little more access.
> 
> Allow ssh agent to write to an inherited log file from the X server.
> 
> Make systemd_analyze_exec_t an alias for bin_t and remove systemd_analyze_t
> omain.
> 
> Allow system cronjobs to read fs sysctls.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>

[...]
> Index: refpolicy-2.20210908/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210908/policy/modules/roles/sysadm.te
> @@ -33,11 +33,22 @@ ifndef(`enable_mls',`
>   # Local policy
>   #
>   
> +allow sysadm_t self:netlink_generic_socket { create setopt bind write read };
> +
> +# for ptrace
> +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read };
> +
> +allow sysadm_t self:capability audit_write;
> +allow sysadm_t self:system status;

This seems a bit odd.  I would have expected sysadm_systemd_t would be the 
target.  Was the sysadm systemd --user session running in sysadm_t?


>   corecmd_exec_shell(sysadm_t)
>   
>   corenet_ib_access_unlabeled_pkeys(sysadm_t)
>   corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
>   
> +domain_getsched_all_domains(sysadm_t)
> +
> +dev_read_cpuid(sysadm_t)
>   dev_read_kmsg(sysadm_t)
>   
>   logging_watch_all_logs(sysadm_t)
> @@ -58,6 +69,9 @@ init_admin(sysadm_t)
>   userdom_manage_user_home_dirs(sysadm_t)
>   userdom_home_filetrans_user_home_dir(sysadm_t)
>   
> +# for systemd-analyze
> +files_get_etc_unit_status(sysadm_t)
> +
>   ifdef(`direct_sysadm_daemon',`
>   	optional_policy(`
>   		init_run_daemon(sysadm_t, sysadm_r)
> @@ -1033,6 +1047,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	systemd_dbus_chat_logind(sysadm_t)
> +')
> +
> +optional_policy(`
>   	tboot_run_txtstat(sysadm_t, sysadm_r)
>   ')
>   
> @@ -1100,6 +1118,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	dev_rw_generic_usb_dev(sysadm_t)

Is this related to usbmodules?

>   	usbmodules_run(sysadm_t, sysadm_r)
>   ')
>   
> Index: refpolicy-2.20210908/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20210908/policy/modules/services/xserver.if
> @@ -100,6 +100,7 @@ interface(`xserver_restricted_role',`
>   	xserver_xsession_entry_type($2)
>   	xserver_dontaudit_write_log($2)
>   	xserver_stream_connect_xdm($2)
> +	xserver_use_user_fonts($2)
>   	# certain apps want to read xdm.pid file
>   	xserver_read_xdm_runtime_files($2)
>   	# gnome-session creates socket under /tmp/.ICE-unix/
> @@ -141,7 +142,7 @@ interface(`xserver_role',`
>   	gen_require(`
>   		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
>   		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
> -		type mesa_shader_cache_t;
> +		type mesa_shader_cache_t, xdm_t;
>   	')
>   
>   	xserver_restricted_role($1, $2)
> @@ -184,6 +185,8 @@ interface(`xserver_role',`
>   
>   	xserver_read_xkb_libs($2)
>   
> +	allow $2 xdm_t:unix_stream_socket accept;

Do you have any context on this?  Userdomains don't have read/write xdm_t 
unix_stream_socket access, so they wouldn't be able to do anything with it.


> +
>   	optional_policy(`
>   		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
>   	')
> @@ -1224,6 +1227,7 @@ interface(`xserver_read_xkb_libs',`
>   	allow $1 xkb_var_lib_t:dir list_dir_perms;
>   	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
>   	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
> +	allow $1 xkb_var_lib_t:file map;
>   ')
>   
>   ########################################
> Index: refpolicy-2.20210908/policy/modules/services/dbus.if
> ===================================================================
> --- refpolicy-2.20210908.orig/policy/modules/services/dbus.if
> +++ refpolicy-2.20210908/policy/modules/services/dbus.if
> @@ -85,6 +85,7 @@ template(`dbus_role_template',`
>   
>   	allow $3 $1_dbusd_t:unix_stream_socket connectto;
>   	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
> +	allow $1_dbusd_t $3:dbus send_msg;
>   	allow $3 $1_dbusd_t:fd use;
>   
>   	dontaudit $1_dbusd_t self:process getcap;
> @@ -103,9 +104,13 @@ template(`dbus_role_template',`
>   
>   	allow $1_dbusd_t $3:process sigkill;
>   
> +	allow $1_dbusd_t self:process getcap;
> +
>   	corecmd_bin_domtrans($1_dbusd_t, $3)
>   	corecmd_shell_domtrans($1_dbusd_t, $3)
>   
> +	dev_read_sysfs($1_dbusd_t)
> +
>   	auth_use_nsswitch($1_dbusd_t)
>   
>   	ifdef(`hide_broken_symptoms',`
> @@ -117,6 +122,15 @@ template(`dbus_role_template',`
>   		systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
>   		systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
>   	')
> +
> +	optional_policy(`
> +		init_dbus_chat($1_dbusd_t)
> +		dbus_system_bus_client($1_dbusd_t)

This opens up bridging the user session busses to the system bus. I don't think 
we want this.

> +	')
> +
> +	optional_policy(`
> +		xdg_read_data_files($1_dbusd_t)
> +	')
>   ')


-- 
Chris PeBenito

     prev parent reply	other threads:[~2021-10-27 13:11 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-09 10:05 [PATCH] strict policy patches Russell Coker
2021-10-11 16:12 ` Daniel Burgener
2021-10-11 16:32   ` Dominick Grift
2021-10-27 13:09 ` Chris PeBenito [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6973a9dc-c7e9-e995-6853-6b4bc192dd66@ieee.org \
    --to=pebenito@ieee.org \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).