To simplify policy management on the various application domains with
respect to user content access, a template is introduced which generates
four tunable_policy() blocks.
- The *_read_generic_user_content boolean will enable the application
domain to read generic user resources (labeled with user_home_t).
- The *_read_all_user_content boolean does the same, but for all user
resources (those associated with the user_home_content_type attribute).
- The *_manage_generic_user_content boolean enables the application to
manage generic user resources (labeled with user_home_t)
- The *_manage_all_user_content boolean does the same, but for all user
reosurces (those associated with the user_home_content_type attribute).
Although it would be even better to generate the booleans themselves as
well (which is what Gentoo does with this template), it would result in
booleans without proper documentation. Calls such as "semanage boolean
-l" would fail to properly show a description on the boolean - something
Gentoo resolves by keeping this documentation separate in a
doc/gentoo_tunables.xml file.
In this patch, we assume that the calling modules will define the
booleans themselves (with appropriate documentation). The template
checks for the existence of the booleans. This approach is more in
line with how domain-specific booleans are managed up to now.
Changes since v2:
- Fix typo in gen_require (had a closing : instead of ;)
Changes since v1:
- Use in-line XML comment and tunable definition
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
To facilitate handling user home content (through the
user_home_content_type attribute) the following interfaces are provided:
- userdom_read_all_user_home_content
- userdom_manage_all_user_home_content
Domains that are granted these privileges are able to read (or manage)
all user home content, so not only the generic one (user_home_t) but all
types that have been assigned the user_home_content_type attribute. This
is more than just user_home_t and the XDG types, so the use should not
be granted automatically.
As part of the larger XDG patch set, these interfaces are called through
the *_read_all_user_content and *_manage_all_user_content booleans which
are by default not enabled.
Changes since v2:
- Fix typo in pattern call
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Introduce various freedesktop locations, based on the base directory
specification [1]. The new locations are introduced as a separate module
to keep the rules related to these specifications isolated from the main
user domain (which is already one of the biggest modules code-wise).
Right now, two distinct location groups are provided, one being the set
of locations that will have domain-specific types, and one that remains
generic for end users.
The first set of types are:
- XDG Cache location, meant for non-essential cached data. The base type
here is xdg_cache_t, which is generally at $HOME/.cache
- XDG Data location, for user-specific data. The base type here is
xdg_data_t, which is generally at $HOME/.local
- XDG Config location, for user-specific configuration files. The base
type here is xdg_config_t, which is generally at $HOME/.config
The idea here is to provide support for domain-specific files as well.
For instance, Chromium has its user-specific configuration files in
~/.config/chromium, which is then marked as chromium_xdg_config_t.
This allows for isolation of potentially sensitive information from
regular user application domains. Firefox for instance should not be
able to read user configuration data from unrelated applications.
The second set of types are:
- User documents, with xdg_documents_t as the type. This is
generally for the ~/Documents location.
- User downloads, with xdg_downloads_t as the type. This is
generally for the ~/Downloads location.
- User music, with xdg_music_t as the type. This is generally for
the ~/Music location.
- User pictures, with xdg_pictures_t as the type. This is generally
for the ~/Pictures location.
- User videos, with xdg_videos_t as the type. This is generally for
the ~/Videos location.
Alongside the type definitions, a number of access interfaces are
defined to support the use of these types, and for the first set to
enable the necessary file transitions.
[1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete. It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd-update-done needs to be able to create /etc/.updated and /var/.updated
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
commit f865919872
(Interface to read /run/systemd/resolve/resolv.conf)
Added an interface to sysnet_read_config which requires the systemd
module loaded. Putting the interface in an optional_policy() is not
possible since sysnet_read_config is called from several tunables so
we use an ifdef.
The type user_devpts_t is actually declared in userdomain.te and moving it
removes a dependency of the base module (which terminal is a part) on a
module.
Moved the file contexts to label slave pseudo terminals with the
user_devpts_t type from terminal.fc to userdomain.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The type systemd_unit_t is actually declared in init.te.
Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The type initrc_var_run_t is actually declared in init.te and moving it
removes a dependency of the base module (which files is a part) on a
module.
Moved the file contexts to label motd for debian systems with the
initrc_var_run_t type from files.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The type var_log_t is actually declared in logging.te.
Moved the file contexts to label dmesg and syslog files with the
var_log_t type from authlogin.fc to logging.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Marked unused parameters as unused in the interfaces listed below.
userdomain.if:userdom_ro_home_role()
userdomain.if:userdom_manage_home_role()
userdomain.if:userdom_manage_tmp_role()
userdomain.if:userdom_manage_tmpfs_role()
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Deprecate mmap_file_perms and mmap_files_pattern since they are not fully
informative about their access. Replace with a full set of permission
set macros for mmap.
Requested for selinux-testsuite usage.
Setup attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/* interfaces to associate this attribute with types and interfaces to delete types with this attribute.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
I am seeing (on RHEL 7.4 w/systemd) that halting the system doesn't work. It took me a long time (and a lot of help from Steve L.) to figure out what was going on. It turns out in refpolicy the default label for /usr/lib/systemd/systemd-shutdown is bin_t. But when systemd tried to execve systemd-shutdown it fails because init_t isn't allowed file entrypoint for bin_t. When I labeled systemd-shutdown as init_exec_t shutting down the system works.
I was seeing the following log (from systemd) when I enabled systemd debug logging (which was very useful).
[ 59.745037] systemd[1]: Starting Final Step.
[ 59.746112] systemd[1]: Starting Power-Off...
[ 59.776320] systemd[1]: Shutting down.
[ 59.783559] systemd[1]: Failed to execute shutdown binary, freezing: Operation not permitted
At this point everything locks up instead of actually halting the system.
This is a patch to change the label for systemd-shutdown which solves the problem. I'm happy to go through and make a distinct type of systemd-shutdown if someone doesn't think it is a good idea to share the type with systemd. But based on what is going on, this might be reasonable.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
