From f9578cbeae9d060a21c5a393e03e3bc5e6c2b20f Mon Sep 17 00:00:00 2001 From: Mike Palmiotto Date: Wed, 10 Jun 2015 11:49:06 -0400 Subject: [PATCH] Issue #190 - Fix up service-related policy - Move "service" access vector to logical location and add comments - Fix systemd unit service naming schemes and get rid of redundant interfaces - Add some toor policy for starting/stopping services - Let staff_t talk to init through dbus --- .../policy/flask/access_vectors | 24 +-- .../policy/modules/roles/staff.te | 1 + .../policy/modules/roles/toor.te | 6 + .../policy/modules/system/init.if | 20 +++ .../policy/modules/system/init.te | 10 +- .../policy/modules/system/sysnetwork.te | 2 +- .../policy/modules/system/systemd.if | 156 ++++++++---------- .../policy/modules/system/systemd.te | 8 +- 8 files changed, 122 insertions(+), 105 deletions(-) diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/flask/access_vectors b/packages/clip-selinux-policy/clip-selinux-policy/policy/flask/access_vectors index 09a6dff2..4b07dcb8 100644 --- a/packages/clip-selinux-policy/clip-selinux-policy/policy/flask/access_vectors +++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/flask/access_vectors @@ -331,6 +331,19 @@ class process setsockcreate } +# +# Define the access vector interpretation for service-related objects +# + +class service +{ + start + stop + status + reload + enable + disable +} # # Define the access vector interpretation for ipc-related objects @@ -877,14 +890,3 @@ inherits database implement execute } - -class service -{ - start - stop - status - reload - enable - disable -} - diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/staff.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/staff.te index 61e2cbe3..5c7d0b46 100644 --- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/staff.te +++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/staff.te 
@@ -78,6 +78,7 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) + init_dbus_chat(staff_t) optional_policy(` gnome_role_template(staff, staff_r, staff_t) diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te index 9468f0ba..79a6928e 100644 --- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te +++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te @@ -462,3 +462,9 @@ ifndef(`distro_redhat',` ') ') +ifdef(`init_systemd',` + optional_policy(` + systemd_start_unit_services(toor_t) + systemd_start_power_unit_services(toor_t) + ') +') diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if index 0c2ab151..275f9d27 100644 --- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if +++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if @@ -2139,3 +2139,23 @@ interface(`init_service_start',` allow $1 init_t:service start; ') +######################################## +## +## Send and receive messages from +## systemd over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dbus_chat',` + gen_require(` + type initrc_t; + class dbus send_msg; + ') + + allow $1 init_t:dbus send_msg; + allow init_t $1:dbus send_msg; +') diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te index a4764422..39b4539f 100644 --- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te +++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te 
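Review bot: The new `init_dbus_chat(staff_t)` call grants bidirectional `dbus send_msg` between staff_t and init_t with no accompanying `service` permission, so what staff_t can actually do through that channel rests entirely on systemd's own `service`-class checks, which this commit does not extend to staff_t; that looks intended but deserves a comment, e.g. `# staff may query systemd over dbus; unit start/stop/status stay governed by the service class`. The call also sits outside any `ifdef(\`init_systemd',` guard while the interface's own summary describes talking to systemd, unlike the toor.te hunk in this commit which wraps its systemd calls in `ifdef(\`init_systemd',`; wrapping this line the same way would keep the two roles consistent. The enclosing optional_policy block starts before this hunk.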
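Review bot: The toor.te hunk grants only `systemd_start_unit_services(toor_t)` and `systemd_start_power_unit_services(toor_t)`, although the commit message says it adds policy for starting and stopping services; with these rules alone a `systemctl stop` or `systemctl status` from toor_t would be denied on the `service` class unless stop/status are granted elsewhere. If stopping is intended, add `systemd_stop_unit_services(toor_t)` and, for status queries, `systemd_status_unit_services(toor_t)` inside the same optional_policy block. toor_t also needs `dbus send_msg` to init_t for systemctl to reach systemd at all; I cannot see whether toor_t already has that, so verify it is granted (the new `init_dbus_chat` interface would do it).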
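Review bot: The new `init_dbus_chat` interface in init.if requires `type initrc_t;` in its gen_require but its two allow rules reference `init_t`, so the required type is never used and init_t is never declared as a requirement; the line should read `type init_t;`. The summary describes messages "from systemd", yet the rules are on init_t unconditionally, so either the summary should say "init" or the interface should be documented as systemd-only; I would write `## Send and receive dbus messages to and from init (systemd).` Note also that the interface allows send_msg in both directions, which is more than the caller in staff.te needs if staff only initiates requests; a comment stating that replies require the reverse rule would make the intent explicit.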
@@ -299,6 +299,7 @@ ifdef(`init_systemd',` term_relabel_pty_dir(init_t) files_search_kernel_modules(init_t) + optional_policy(` modutils_domtrans_insmod(init_t) ') @@ -761,12 +762,11 @@ ifdef(`init_systemd',` # Connect to private bus (/run/systemd/private) init_connect_private_bus(initrc_t) kernel_dgram_send(initrc_t) - systemd_unit_files_service_status(initrc_t) - systemd_unit_files_service_start(initrc_t) - systemd_unit_files_service_stop(initrc_t) - systemd_power_units_service_start(initrc_t) + systemd_status_unit_services(initrc_t) + systemd_stop_unit_services(initrc_t) + systemd_start_power_unit_services(initrc_t) systemd_manage_unit_files(initrc_t) - systemd_create_unit_file_dirs(initrc_t) + systemd_create_unit_dirs(initrc_t) systemd_manage_unit_symlinks(initrc_t) manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t) systemd_socket_activated(initrc_t, init_var_run_t) diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/sysnetwork.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/sysnetwork.te index 5c36420e..38d426ce 100644 --- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/sysnetwork.te +++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/sysnetwork.te @@ -243,7 +243,7 @@ optional_policy(` ') optional_policy(` - systemd_services_status(dhcpc_t) + systemd_status_unit_services(dhcpc_t) systemd_search_units(dhcpc_t) ') diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if index 38e50f9b..637ffe4d 100644 --- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if +++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if 
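Review bot: In the second init.te hunk the removed `systemd_unit_files_service_start(initrc_t)` has no replacement: the three other removed calls map to `systemd_status_unit_services`, `systemd_stop_unit_services` and `systemd_start_power_unit_services`, but `systemd_start_unit_services(initrc_t)` is missing, so initrc_t loses `service start` on systemdunitfile unless that permission is granted elsewhere. The parallel hunk in systemd.te for systemd_logind_t maps all four calls, which suggests this omission is accidental rather than a deliberate tightening. If it is intended, a comment saying so would stop the next reader from restoring it; otherwise add `systemd_start_unit_services(initrc_t)` next to the stop call. The enclosing ifdef block starts before and ends after this hunk.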
@@ -59,25 +59,6 @@ interface(`systemd_list_units',` allow $1 systemdunitfile:dir list_dir_perms; ') -###################################### -## -## Allow domain to create systemd unit dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_create_unit_dirs',` - gen_require(` - attribute systemdunitfile; - ') - - files_search_var_lib($1) - allow $1 systemdunitfile:dir create; -') - ######################################## ## ## Manage systemd unit dirs @@ -361,60 +342,6 @@ interface(`systemd_logind_dbus_send',` allow $1 systemd_logind_t:dbus send_msg; ') -######################################## -## -## Allow the specified domain to start all systemd services. -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_services_start',` - gen_require(` - attribute systemdunitfile; - ') - - allow $1 systemdunitfile:service start; -') - -######################################## -## -## Allow the specified domain to access status of systemd services. -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_services_status',` - gen_require(` - attribute systemdunitfile; - ') - - allow $1 systemdunitfile:service status; -') - -####################################### -## -## Allow the specified domain to reload all systemd services. -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_services_reload',` - gen_require(` - attribute systemdunitfile; - ') - - allow $1 systemdunitfile:service reload; -') - ######################################## ## ## Allow the specified domain to modify the systemd configuration of @@ -446,7 +373,7 @@ interface(`systemd_config_all_services',` ## ## # -interface(`systemd_config_systemd_services',` +interface(`systemd_config_unit_services',` gen_require(` type systemd_unit_file_t; ') @@ -580,7 +507,7 @@ interface(`systemd_relabelto_kmod_files',` ## ## # -interface(`systemd_unit_file_filetrans',` +interface(`systemd_unit_filetrans',` gen_require(` type systemd_unit_file_t; ') 
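Review bot: Deleting the attribute-based `systemd_create_unit_dirs` here while a later hunk in this file renames `systemd_create_unit_file_dirs` to the same name silently changes what the name grants: the old body allowed `systemdunitfile:dir create` plus `files_search_var_lib($1)`, the new one (as far as the rename hunk shows) is scoped to `type systemd_unit_file_t` and carries no var_lib search. Any caller outside this diff that used the old `systemd_create_unit_dirs` keeps compiling but gets narrower access; I cannot see such callers from the diffstat, so a repository-wide check of the old names is warranted. The same applies to the renamed `systemd_config_unit_services` and `systemd_unit_filetrans`, whose previous names are not updated anywhere in this commit.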
@@ -599,7 +526,7 @@ interface(`systemd_unit_file_filetrans',` ## ## # -interface(`systemd_create_unit_file_dirs',` +interface(`systemd_create_unit_dirs',` gen_require(` type systemd_unit_file_t; ') @@ -617,7 +544,7 @@ interface(`systemd_create_unit_file_dirs',` ## ## # -interface(`systemd_create_unit_file_lnk',` +interface(`systemd_create_unit_lnk_files',` gen_require(` type systemd_unit_file_t; ') @@ -812,7 +739,7 @@ interface(`systemd_socket_activated',` ######################################## ## -## Allow specified domain to get status of systemd unit files +## Allow specified domain to get status of all systemd services. ## ## ## @@ -820,9 +747,10 @@ interface(`systemd_socket_activated',` ## ## # -interface(`systemd_unit_files_service_status',` +interface(`systemd_status_unit_services',` gen_require(` attribute systemdunitfile; + class service status; ') allow $1 systemdunitfile:service status; @@ -830,7 +758,7 @@ interface(`systemd_unit_files_service_status',` ######################################## ## -## Allow specified domain to start systemd unit files +## Allow specified domain to start all systemd services. ## ## ## @@ -838,9 +766,10 @@ interface(`systemd_unit_files_service_status',` ## ## # -interface(`systemd_unit_files_service_start',` +interface(`systemd_start_unit_services',` gen_require(` attribute systemdunitfile; + class service start; ') allow $1 systemdunitfile:service start; @@ -848,7 +777,7 @@ interface(`systemd_unit_files_service_start',` ######################################## ## -## Allow specified domain to stop systemd unit files +## Allow specified domain to stop all systemd services. ## ## ## 
@@ -856,14 +785,34 @@ interface(`systemd_unit_files_service_start',` ## ## # -interface(`systemd_unit_files_service_stop',` +interface(`systemd_stop_unit_services',` gen_require(` attribute systemdunitfile; + class service stop; ') allow $1 systemdunitfile:service stop; ') +####################################### +## +## Allow the specified domain to reload all systemd services. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_reload_unit_services',` + gen_require(` + attribute systemdunitfile; + class service reload; + ') + + allow $1 systemdunitfile:service reload; +') + ######################################## ## ## Allow specified domain to start power units @@ -874,10 +823,49 @@ interface(`systemd_unit_files_service_stop',` ## ## # -interface(`systemd_power_units_service_start',` +interface(`systemd_start_power_unit_services',` gen_require(` type power_unit_file_t; + class service start; ') allow $1 power_unit_file_t:service start; ') + +######################################## +## +## Allow specified domain to stop power units +## +## +## +## Domain to not audit. +## +## +# +interface(`systemd_stop_power_unit_services',` + gen_require(` + type power_unit_file_t; + class service stop; + ') + + allow $1 power_unit_file_t:service stop; +') + +######################################## +## +## Allow specified domain to reload power units +## +## +## +## Domain to not audit. +## +## +# +interface(`systemd_reload_power_unit_services',` + gen_require(` + type power_unit_file_t; + class service reload; + ') + + allow $1 power_unit_file_t:service reload; +') diff --git a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te index 8fb11eab..e0bc0a0f 100644 --- a/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te +++ b/packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te 
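Review bot: The two new power-unit interfaces `systemd_stop_power_unit_services` and `systemd_reload_power_unit_services` document their parameter as `Domain to not audit.`, which is the wording for dontaudit interfaces; both emit allow rules, so the parameter description should be `Domain allowed access.` as in the neighbouring `systemd_reload_unit_services`. The header rule above `systemd_reload_unit_services` is one character shorter than the other headers in this file (carried over from the deleted `systemd_services_reload`), worth aligning while the block is being rewritten. None of the three new interfaces is called anywhere in this commit, which is fine for a library file but means they are untested by this change.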
@@ -413,10 +413,10 @@ optional_policy(` dbus_connect_system_bus(systemd_logind_t) ') -systemd_unit_files_service_status(systemd_logind_t) -systemd_unit_files_service_start(systemd_logind_t) -systemd_unit_files_service_stop(systemd_logind_t) -systemd_power_units_service_start(systemd_logind_t) +systemd_status_unit_services(systemd_logind_t) +systemd_start_unit_services(systemd_logind_t) +systemd_stop_unit_services(systemd_logind_t) +systemd_start_power_unit_services(systemd_logind_t) init_service_status(systemd_logind_t) init_service_start(systemd_logind_t) # This is for reading /proc/1/cgroup