From 8b1028672bf92b391687b4ea5358155d913edbde Mon Sep 17 00:00:00 2001
From: richiedaze
Date: Wed, 11 Sep 2024 20:46:59 -0400
Subject: [PATCH] Correct policy structure
---
 policy/modules/contrib/dbus.te | 2 +-
 policy/modules/services/xserver.te | 4 +-
 policy/modules/system/fstools.if | 2 -
 policy/modules/system/init.te | 2 +-
 policy/modules/system/systemd-homed.fc | 8 ---
 policy/modules/system/systemd-homed.if | 4 +-
 policy/modules/system/systemd-homed.te | 94 ++++++++++++++++----------
 7 files changed, 63 insertions(+), 53 deletions(-)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 49867d68b1..b12ce7b587 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -229,11 +229,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_homed_write_pipes(system_dbusd_t)
 	systemd_status_systemd_services(system_dbusd_t)
 	systemd_use_fds_logind(system_dbusd_t)
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 	systemd_write_inhibit_pipes(system_dbusd_t)
-	systemd_write_homed_pipes(system_dbusd_t)
 	# These are caused by broken systemd patch
 	systemd_start_power_services(system_dbusd_t)
 	systemd_config_all_services(system_dbusd_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 37d8bd7013..38127f2fc5 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1154,8 +1154,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	systemd_write_homed_pid_sock_files(xdm_t)
-	systemd_write_homed_pipes(xdm_t)
+	systemd_homed_write_pid_sock_files(xdm_t)
+	systemd_homed_write_pipes(xdm_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 7ed01422f4..48eed8406d 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -33,8 +33,6 @@ interface(`fstools_nnp_domtrans',`
 	gen_require(`
 		type fsadm_t;
 	')
-
-	fstools_domtrans($1)
 	allow $1 fsadm_t:process2 nnp_transition;
 ')
 
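Review bot: Removing `fstools_domtrans($1)` from `fstools_nnp_domtrans` changes the interface's contract for every existing caller, not only for systemd-homed: a domain that called only `fstools_nnp_domtrans` keeps `nnp_transition` on `fsadm_t` but no longer gets the domain transition itself, so it would most likely run fstools binaries in its own domain or be denied rather than entering `fsadm_t`. The diffstat shows only systemd-homed.te being updated to call both interfaces, so any other caller of `fstools_nnp_domtrans` in the tree should be audited in the same commit. The interface's summary block sits above this hunk, outside it, and should now say that this grants only the no_new_privs permission and must be paired with `fstools_domtrans`, e.g. `## Allow the specified domain to transition to fsadm_t under NoNewPrivileges; pair with fstools_domtrans().`.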
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a164ac059d..725ed0207a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -880,7 +880,7 @@ optional_policy(`
 
 optional_policy(`
 	systemd_homed_dbus_chat(init_t)
-	systemd_write_homed_pipes(init_t)
+	systemd_homed_write_pipes(init_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/systemd-homed.fc b/policy/modules/system/systemd-homed.fc
index 2cbb6b620b..a939a315c7 100644
--- a/policy/modules/system/systemd-homed.fc
+++ b/policy/modules/system/systemd-homed.fc
@@ -16,12 +16,4 @@
 /var/lib/systemd/home/local\.public -- gen_context(system_u:object_r:systemd_homed_record_t,s0)
 /var/lib/systemd/home -d gen_context(system_u:object_r:systemd_homed_library_dir_t,s0)
 
-/var/run/cryptsetup -d gen_context(system_u:object_r:systemd_homed_cryptsetup_dir_t,s0)
-
-/var/run/systemd/home/(.+)\.dont-suspend -p gen_context(system_u:object_r:systemd_homed_runtime_pipe_t,s0)
-/var/run/systemd/home/notify -s gen_context(system_u:object_r:systemd_homed_runtime_socket_t,s0)
-/var/run/systemd/home -d gen_context(system_u:object_r:systemd_homed_runtime_dir_t,s0)
-/var/run/systemd/user-home-mount -d gen_context(system_u:object_r:systemd_homed_runtime_work_dir_t,s0)
-/var/run/systemd/userdb/io.systemd.Home -s gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
-
 HOME_DIR/\.identity -- gen_context(system_u:object_r:systemd_homed_record_t,s0)
diff --git a/policy/modules/system/systemd-homed.if b/policy/modules/system/systemd-homed.if
index bdd12487f6..c54361b8a7 100644
--- a/policy/modules/system/systemd-homed.if
+++ b/policy/modules/system/systemd-homed.if
@@ -50,7 +50,7 @@ interface(`systemd_homed_stream_connect',`
 ##
 ##
 #
-interface(`systemd_write_homed_pid_sock_files',`
+interface(`systemd_homed_write_pid_sock_files',`
 	gen_require(`
 		type systemd_homed_runtime_dir_t;
 		type systemd_homed_runtime_socket_t;
@@ -69,7 +69,7 @@ interface(`systemd_write_homed_pid_sock_files',`
 ##
 ##
 #
-interface(`systemd_write_homed_pipes',`
+interface(`systemd_homed_write_pipes',`
 	gen_require(`
 		type systemd_homed_runtime_dir_t;
 		type systemd_homed_runtime_pipe_t;
diff --git a/policy/modules/system/systemd-homed.te b/policy/modules/system/systemd-homed.te
index c997959bca..77307365c1 100644
--- a/policy/modules/system/systemd-homed.te
+++ b/policy/modules/system/systemd-homed.te
@@ -52,8 +52,7 @@ systemd_unit_file(systemd_homed_unit_file_t)
 # systemd_homed local policy
 #
 
-allow systemd_homed_t self:capability { sys_admin sys_resource };
-allow systemd_homed_t self:capability { dac_override dac_read_search setuid setgid };
+allow systemd_homed_t self:capability { sys_admin sys_resource dac_override dac_read_search setuid setgid };
 allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_homed_t self:unix_dgram_socket create_socket_perms;
 
@@ -69,10 +68,6 @@ libs_read_lib_files(systemd_homed_t)
 files_watch_home(systemd_homed_t)
 files_search_home(systemd_homed_t)
 
-# labeled home directories
-userdom_home_manager(systemd_homed_t)
-userdom_manage_home_role(system_r, systemd_homed_t)
-
 # unlabeled home directories
 files_manage_isid_type_dirs(systemd_homed_t)
 files_manage_isid_type_files(systemd_homed_t)
@@ -98,7 +93,6 @@ filetrans_pattern(systemd_homed_t, systemd_homed_runtime_dir_t, systemd_homed_ru
 # /var/run/systemd/userdb/io.systemd.Home
 systemd_manage_userdbd_runtime_sock_files(systemd_homed_t)
 add_entry_dirs_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
-filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, sock_file, "io.systemd.Home")
 
 # /tmp
 rw_files_pattern(systemd_homed_t, systemd_homed_tmpfs_t, systemd_homed_tmpfs_t)
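Review bot: Dropping the `filetrans_pattern(... systemd_userdbd_runtime_t, sock_file, "io.systemd.Home")` rule is harmless on its own, since a socket created under a `systemd_userdbd_runtime_t` directory inherits that type anyway, but together with the systemd-homed.fc hunk earlier in this patch, which removes every `/var/run/systemd/home` and `/var/run/systemd/user-home-mount` entry, the `systemd_homed_runtime_*` labels now exist only through type transitions such as the `filetrans_pattern` named in this hunk's header context. After a `restorecon`/`fixfiles` relabel those paths would presumably fall back to whatever the nearest surviving `/var/run/systemd` file context specifies, and the `systemd_homed_runtime_dir_t`/`_socket_t`/`_pipe_t` rules in this file would no longer match. If the entries were removed deliberately because the directory lives on tmpfs and is always created by these domains, a one-line comment next to the runtime filetrans rules saying so would stop the next reviewer re-adding them; otherwise the directory and socket entries are worth keeping. `systemd_homed_runtime_work_dir_t` also loses its only visible file context, so check that a filetrans rule elsewhere in this .te still creates it.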
@@ -107,8 +101,6 @@ fs_tmpfs_filetrans(systemd_homed_t, systemd_homed_tmpfs_t, file)
 kernel_dgram_send(systemd_homed_t)
 kernel_read_system_state(systemd_homed_t)
 
-auth_use_nsswitch(systemd_homed_t)
-
 dev_getattr_generic_blk_files(systemd_homed_t)
 dev_read_sysfs(systemd_homed_t)
 
@@ -117,16 +109,12 @@ fs_getattr_xattr_fs(systemd_homed_t)
 fs_search_cgroup_dirs(systemd_homed_t)
 fs_write_cgroup_files(systemd_homed_t)
 
-logging_send_syslog_msg(systemd_homed_t)
-
-miscfiles_read_all_certs(systemd_homed_t)
-
 storage_getattr_fixed_disk_dev(systemd_homed_t)
 storage_raw_read_removable_device(systemd_homed_t)
 
-udev_manage_pid_files(systemd_homed_t)
-
-usermanage_read_crack_db(systemd_homed_t)
+optional_policy(`
+	auth_use_nsswitch(systemd_homed_t)
+')
 
 optional_policy(`
 	container_runtime_read_tmpfs_files(systemd_homed_t)
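Review bot: Wrapping `auth_use_nsswitch(systemd_homed_t)` in `optional_policy(\`...')` is out of step with the rest of this file, where the other system-layer calls in the same hunk (`kernel_*`, `dev_*`, `fs_*`, `storage_*`) stay unconditional. In refpolicy `optional_policy` is for interfaces of modules that may be absent from the build; authlogin is normally part of the base policy, and I believe the same holds for the logging, miscfiles and userdom blocks that the later hunks of this file wrap the same way for both `systemd_homed_t` and `systemd_homework_t`. If those modules are marked optional in this tree's modules.conf the wrappers are correct, but otherwise they hide which dependencies are hard, and a reader can no longer tell from the file whether NSS lookups or syslog access are guaranteed to the daemon. Either way the same choice should be applied consistently to both domains, with a comment at the first wrapped base-module call explaining the convention used.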
@@ -136,19 +124,39 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_homed_t)
 ')
 
+optional_policy(`
+	logging_send_syslog_msg(systemd_homed_t)
+')
+
+optional_policy(`
+	miscfiles_read_all_certs(systemd_homed_t)
+')
+
 optional_policy(`
 	mta_getattr_spool(systemd_homed_t)
 ')
 
+optional_policy(`
+	udev_manage_pid_files(systemd_homed_t)
+')
+
+optional_policy(`
+	# labeled home directories
+	userdom_home_manager(systemd_homed_t)
+	userdom_manage_home_role(system_r, systemd_homed_t)
+')
+
+optional_policy(`
+	usermanage_read_crack_db(systemd_homed_t)
+')
+
 #######################################
 #
 # systemd_homework local policy
 #
 
 allow systemd_homework_t self:cap_userns { sys_admin sys_ptrace };
-allow systemd_homework_t self:capability { chown fowner fsetid setfcap };
-allow systemd_homework_t self:capability { dac_override dac_read_search setuid setgid };
-allow systemd_homework_t self:capability { sys_admin sys_resource };
+allow systemd_homework_t self:capability { chown fowner fsetid setfcap dac_override dac_read_search setuid setgid sys_admin sys_resource };
 allow systemd_homework_t self:file mounton;
 allow systemd_homework_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_homework_t self:process { setsched getsched };
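Review bot: The merged `allow systemd_homework_t self:capability { chown fowner fsetid setfcap dac_override dac_read_search setuid setgid sys_admin sys_resource };` now grants ten capabilities, `sys_admin` and `dac_override` among them, on a single undocumented line, whereas the three lines it replaces at least grouped them and hinted at their purpose. A short comment above the rule naming the operation each group is for, as shown by the denials that motivated them, lets an auditor later verify that the broad ones are still required, for example (constructed wording, adjust to the real reasons): `# chown/fowner/fsetid/setfcap: ownership and xattr fix-ups on home files; setuid/setgid: privilege drop; sys_admin/sys_resource: mounting the home volume`. The `systemd_homed_t` capability line merged in the hunk at -52 would benefit from the same treatment.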
@@ -163,20 +171,11 @@ files_search_home(systemd_homework_t)
 files_home_filetrans(systemd_homework_t, systemd_homed_crypto_luks_t, file)
 files_home_filetrans(systemd_homework_t, user_home_dir_t, dir)
 
-# labeled home directories
-userdom_home_manager(systemd_homework_t)
-userdom_manage_home_role(system_r, systemd_homework_t)
-
 # unlabeled home directories
 files_manage_isid_type_dirs(systemd_homework_t)
 files_manage_isid_type_files(systemd_homework_t)
 files_mounton_isid(systemd_homework_t)
 
-# /var/run/cryptsetup
-manage_dirs_pattern(systemd_homework_t, var_run_t, systemd_homed_cryptsetup_dir_t)
-manage_files_pattern(systemd_homework_t, systemd_homed_cryptsetup_dir_t, systemd_homed_cryptsetup_dir_t)
-files_pid_filetrans(systemd_homework_t, systemd_homed_cryptsetup_dir_t, dir, "cryptsetup")
-
 # /var/run/systemd/home/notify
 write_sock_files_pattern(systemd_homework_t, systemd_homed_runtime_dir_t, systemd_homed_runtime_socket_t)
 
@@ -197,8 +196,6 @@ kernel_read_fs_sysctls(systemd_homework_t)
 kernel_read_system_state(systemd_homework_t)
 kernel_request_load_module(systemd_homework_t)
 
-auth_read_passwd_file(systemd_homework_t)
-
 corecmd_exec_shell(systemd_homework_t)
 
 dev_getattr_fs(systemd_homework_t)
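Review bot: The dedicated `systemd_homed_cryptsetup_dir_t` handling for `/var/run/cryptsetup` removed here is, judging by the final hunk, replaced with `lvm_manage_var_run(systemd_homework_t)`, which is a wider grant than what it replaces: the old rules confined homework to a directory it created itself under its own type, while `lvm_manage_var_run` presumably gives manage access to everything kept under lvm's runtime type, including lvm's own state, if that is what the interface covers. It also only does the job if lvm's file contexts label `/var/run/cryptsetup` with that type; please confirm that before relying on it. If `type systemd_homed_cryptsetup_dir_t` is still declared above this hunk it is now unused and should be dropped together with its `.fc` entry, and a one-line comment such as `# /var/run/cryptsetup is labeled by the lvm module` next to the new call would explain why the private type went away.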
@@ -218,18 +215,41 @@ fs_relabelfrom_xattr_fs(systemd_homework_t)
 fs_search_all(systemd_homework_t)
 
 fsadm_manage_pid(systemd_homework_t)
-fstools_nnp_domtrans(systemd_homework_t)
 
 init_read_state(systemd_homework_t)
 init_rw_stream_sockets(systemd_homework_t)
 
-logging_send_syslog_msg(systemd_homework_t)
-
-miscfiles_read_all_certs(systemd_homework_t)
-
 storage_raw_read_removable_device(systemd_homework_t)
 storage_rw_inherited_removable_device(systemd_homework_t)
 storage_manage_fixed_disk(systemd_homework_t)
 
-udev_read_pid_files(systemd_homework_t)
-udev_search_pids(systemd_homework_t)
+optional_policy(`
+	auth_read_passwd_file(systemd_homework_t)
+
+optional_policy(`
+	fstools_domtrans(systemd_homework_t)
+	fstools_nnp_domtrans(systemd_homework_t)
+')
+
+optional_policy(`
+	lvm_manage_var_run(systemd_homework_t)
+')
+
+optional_policy(`
+	logging_send_syslog_msg(systemd_homework_t)
+')
+
+optional_policy(`
+	miscfiles_read_all_certs(systemd_homework_t)
+')
+
+optional_policy(`
+	udev_read_pid_files(systemd_homework_t)
+	udev_search_pids(systemd_homework_t)
+')
+
+optional_policy(`
+	# labeled home directories
+	userdom_home_manager(systemd_homework_t)
+	userdom_manage_home_role(system_r, systemd_homework_t)
+')
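Review bot: The first added block, `optional_policy(\`` followed by `auth_read_passwd_file(systemd_homework_t)`, is never closed: there is no `')` before the next `optional_policy(\`` for fstools, so the added lines open seven quoted blocks and close only six (the +41 line count of the hunk confirms the missing line). Depending on how m4 reports the unterminated quote this either fails the policy build or leaves the fstools, lvm, logging, miscfiles, udev and userdom blocks nested inside the authlogin one, making all of them conditional on it. Add `')` and a blank line directly after `auth_read_passwd_file(systemd_homework_t)`. The hunk runs to the end of the file, so there is no trailing context that would have exposed the imbalance.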