commit:     e3b92a0ef1585d742839a59a365a122eb000fb8e
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Feb  2 15:07:12 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3b92a0e

machined

This patch is for systemd-machined.  Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te     |  6 +++++
 policy/modules/services/ssh.te      |  8 ++----
 policy/modules/system/authlogin.if  |  1 +
 policy/modules/system/locallogin.te |  1 +
 policy/modules/system/systemd.if    | 52 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te    | 12 +++++++++
 6 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 26ffe456..cbbbd45b 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbusd_t)
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
 
+# for machinectl shell
+term_use_ptmx(system_dbusd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 # read a file in ~/.local/share
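Review bot: term_use_ptmx(system_dbusd_t) gives dbus-daemon read/write on /dev/ptmx itself, which is broader than relaying an already-open pty fd for `machinectl shell` requires; the second hunk in this file already covers the fd-passing case through systemd_use_machined_devpts. If the denial that motivated this line was only a getattr/ioctl on an inherited descriptor rather than an open of ptmx, a narrower rule or a dontaudit would be the better fit — worth checking against the original AVC before merging. The comment should record what was actually observed, e.g. `# machinectl shell: dbus-daemon hits ptmx when relaying the pty fd (see AVC)`, so a later reader can judge whether the grant is still needed.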
@@ -190,6 +193,9 @@ optional_policy(`
        systemd_read_logind_runtime_files(system_dbusd_t)
        systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
        systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+
+       # for passing around terminal file handles for machinectl shell
+       systemd_use_machined_devpts(system_dbusd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 63a0d824..c5749682 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -267,9 +267,10 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`init_systemd',`
+       auth_use_pam_systemd(sshd_t)
        init_dbus_chat(sshd_t)
-       systemd_dbus_chat_logind(sshd_t)
        init_rw_stream_sockets(sshd_t)
+       systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
 
 tunable_policy(`ssh_sysadm_login',`
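Review bot: Replacing systemd_dbus_chat_logind(sshd_t) with auth_use_pam_systemd(sshd_t) widens sshd_t beyond a refactor: per the authlogin.if hunk, auth_use_pam_systemd now also grants dbus_system_bus_client and systemd_connect_machined, so sshd gains connectto on systemd_machined_t's unix_stream_socket. That is presumably intended for pam_systemd's userdb lookups, but the commit message does not mention it and it deserves a line, e.g. `# pam_systemd: logind dbus chat and machined userdb socket`. The second hunk in this file deletes the optional_policy block that held the same calls, so these rules are now guarded only by ifdef(`init_systemd'), which is consistent with the surrounding block.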
@@ -311,11 +312,6 @@ optional_policy(`
        rssh_read_ro_content(sshd_t)
 ')
 
-optional_policy(`
-       systemd_write_inherited_logind_sessions_pipes(sshd_t)
-       systemd_dbus_chat_logind(sshd_t)
-')
-
 optional_policy(`
        xserver_domtrans_xauth(sshd_t)
        xserver_link_xdm_keys(sshd_t)

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index 08361bb5..753a7735 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -98,6 +98,7 @@ interface(`auth_use_pam',`
 #
 interface(`auth_use_pam_systemd',`
        dbus_system_bus_client($1)
+       systemd_connect_machined($1)
        systemd_dbus_chat_logind($1)
 ')
 
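Review bot: Adding systemd_connect_machined($1) here grants connectto on systemd_machined_t's socket to every existing caller of auth_use_pam_systemd, not just the two domains touched by this commit, and the interface's summary (above the hunk) does not say so. Please extend the interface documentation to mention the machined userdb socket, e.g. add to the summary `including the systemd-machined userdb socket used by pam_systemd`, so callers know what they are opting into. If systemd_connect_machined only grants connectto (as the systemd.if hunk shows), callers may additionally need search/write on the socket's directory and sock_file — see the note on that interface.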

diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
index 0f710243..ed004fb8 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -141,6 +141,7 @@ ifdef(`init_systemd',`
        auth_manage_faillog(local_login_t)
 
        init_dbus_chat(local_login_t)
+       systemd_connect_machined(local_login_t)
        systemd_dbus_chat_logind(local_login_t)
        systemd_use_logind_fds(local_login_t)
        systemd_manage_logind_runtime_pipes(local_login_t)
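Review bot: The new systemd_connect_machined(local_login_t) line may be redundant if local_login_t already calls auth_use_pam_systemd elsewhere in this file (not visible in the hunk), since that interface now includes systemd_connect_machined; if it does not, a short comment such as `# pam_systemd userdb lookup via machined` would explain why a login program talks to machined. The enclosing ifdef(`init_systemd') block starts and ends outside the hunk.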

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 29a561c7..642d58e2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,12 +19,18 @@
 ##     The user domain for the role.
 ##     </summary>
 ## </param>
+## <param name="pty_type">
+##     <summary>
+##     The type for the user pty
+##     </summary>
+## </param>
 #
 template(`systemd_role_template',`
        gen_require(`
                attribute systemd_user_session_type, systemd_log_parse_env_type;
                type systemd_user_runtime_t, systemd_user_runtime_notify_t;
                type systemd_run_exec_t, systemd_analyze_exec_t;
+               type systemd_machined_t;
        ')
 
        #################################
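Review bot: The new `<param name="pty_type">` documents a fourth template argument, but no use of `$4` appears in the visible parts of systemd_role_template (this hunk and the two that follow), and the newly required `type systemd_machined_t;` is likewise not referenced by any visible rule. If the rest of the template (which runs past these hunks) does not use them either, the param doc and the gen_require line are dead and should be dropped; if it does, the param summary should say what the type is used for, e.g. `The pty type that $1_systemd_t may pass to the user domain for machinectl shell`. A gen_require for a type that is never used also makes the template fail to expand when the systemd module is absent for no benefit.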
@@ -56,9 +62,13 @@ template(`systemd_role_template',`
        allow $1_systemd_t $3:process { setsched rlimitinh };
        corecmd_shell_domtrans($1_systemd_t, $3)
        corecmd_bin_domtrans($1_systemd_t, $3)
+       allow $1_systemd_t self:process signal;
+
+       files_search_home($1_systemd_t)
 
        # Allow using file descriptors for user environment generators
        allow $3 $1_systemd_t:fd use;
+       allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
 
        # systemctl --user
        stream_connect_pattern($3, systemd_user_runtime_t, 
systemd_user_runtime_t, $1_systemd_t)
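Review bot: `allow $1_systemd_t self:process signal;` and `files_search_home($1_systemd_t)` are inserted after the domtrans rules with no comment saying which operation needed them, unlike the surrounding lines; a one-liner per rule (for example `# user instance signals its own units` if that is what the denial showed — please confirm) keeps the template readable. On the fifo_file rule, the permission set is named for the wrong class: refpolicy provides rw_inherited_fifo_file_perms for fifo_file, so `allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;` is the conventional spelling. The stream_connect_pattern line that closes the hunk is one line wrapped by the mail rendering.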
@@ -66,6 +76,10 @@ template(`systemd_role_template',`
        can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
        dbus_system_bus_client($1_systemd_t)
+
+       selinux_use_status_page($1_systemd_t)
+       seutil_read_file_contexts($1_systemd_t)
+       seutil_search_default_contexts($1_systemd_t)
 ')
 
 ######################################
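Review bot: The three new calls (selinux_use_status_page, seutil_read_file_contexts, seutil_search_default_contexts) let the per-user systemd instance read file_contexts and the SELinux status page, which is a notable capability for a user session manager and is not explained in the hunk. Add a comment naming the feature that requires it, along the lines of `# context lookups for machinectl shell / setexeccon (confirm against AVC)`, since a reviewer cannot tell from the rules alone whether a single label computation or full file_contexts access is needed. systemd_role_template starts outside this hunk.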
@@ -487,6 +501,24 @@ interface(`systemd_read_machines',`
        allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain that can access the socket
+##     </summary>
+## </param>
+#
+interface(`systemd_connect_machined',`
+       gen_require(`
+               type systemd_machined_t;
+       ')
+
+       allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
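Review bot: systemd_connect_machined grants only `unix_stream_socket connectto` on systemd_machined_t, yet the summary says it allows connecting to /run/systemd/userdb/io.systemd.Machine; connecting to a named socket also requires search on its directories and write on the sock_file, which this interface does not provide. If that socket file is labelled systemd_machined_runtime_t, the refpolicy idiom would be `stream_connect_pattern($1, systemd_machined_runtime_t, systemd_machined_runtime_t, systemd_machined_t)` in place of the bare allow; if it carries another type (the labelling is not visible here), the interface should document that callers must obtain the sock_file access separately. The same gap applies to the raw `allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;` added in systemd.te under the matching comment.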
@@ -1300,3 +1332,23 @@ interface(`systemd_run_sysusers', `
        systemd_domtrans_sysusers($1)
        roleattribute $2 systemd_sysusers_roles;
 ')
+
+########################################
+## <summary>
+##  receive and use a systemd_machined_devpts_t file handle
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_use_machined_devpts', `
+       gen_require(`
+               type systemd_machined_t, systemd_machined_devpts_t;
+       ')
+
+       allow $1 systemd_machined_t:fd use;
+       allow $1 systemd_machined_devpts_t:chr_file { read write };
+')

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9e68824e..39c37ac1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -155,6 +155,9 @@ type systemd_machined_runtime_t alias 
systemd_machined_var_run_t;
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
 
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
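Review bot: The new `type systemd_machined_devpts_t;` declaration has no comment, while the intent (the pty type machined allocates for `machinectl shell`) is only recoverable from the later hunks and the commit title. A one-line comment above it, e.g. `# pty allocated by machined for machinectl shell sessions`, would make the type self-describing in the declarations section. The hunk header on the two lines above is a single line wrapped by the mail rendering.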
@@ -559,6 +562,9 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, 
systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, 
systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -730,6 +736,8 @@ allow systemd_machined_t 
systemd_machined_runtime_t:lnk_file manage_lnk_file_per
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
+dev_getattr_fs(systemd_machined_t)
+
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
@@ -753,6 +761,10 @@ logging_send_syslog_msg(systemd_machined_t)
 
 seutil_search_default_contexts(systemd_machined_t)
 
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+term_getattr_pty_fs(systemd_machined_t)
+
 optional_policy(`
        init_dbus_chat(systemd_machined_t)
        init_dbus_send_script(systemd_machined_t)
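Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` applies a file-class permission set to a chr_file and grants create/unlink/rename/link on a pty, which is more than a pty allocator needs; term_create_pty on the line above already covers the allocation path, so the extra rule should be limited to what the AVC actually showed. If only read/write/setattr were denied, `allow systemd_machined_t systemd_machined_devpts_t:chr_file { rw_chr_file_perms setattr };` is sufficient; if manage really is required, the class-matching set is manage_chr_file_perms. The optional_policy block at the end of the hunk continues outside it.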
