commit: ee6fa61986a465420fe07823926a02ba076f04ce Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> AuthorDate: Wed Jan 15 20:46:40 2020 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Feb 15 07:32:05 2020 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee6fa619
systemd: add an interface to use nss-systemd

systemd's Name Service Switch (NSS) module provides UNIX user and group name resolution for dynamic users and groups allocated through options such as DynamicUser= in systemd unit files, according to its man page, https://github.com/systemd/systemd/blob/v244/man/nss-systemd.xml.

If systemd compiled without NOLEGACY, commit https://github.com/systemd/systemd/commit/24eccc3414a29a14b319d639531bd23c158b20e1 ("nss-systemd,user-util: add a way how synthesizing "nobody" can be turned off") implemented a way to tweak nss-systemd's behavior by checking whether /etc/systemd/dont-synthesize-nobody exists.

Allow this access.

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.if | 28 ++++++++++++++++++++++++++++
 policy/modules/system/systemd.te | 3 +++
 3 files changed, 32 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index c87311a6..4a873052 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -1,5 +1,6 @@
 /etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
+/etc/systemd/dont-synthesize-nobody -- gen_context(system_u:object_r:systemd_conf_t,s0)
 /etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0)
 /usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a49b0f77..8f50e39e 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -79,6 +79,34 @@ interface(`systemd_log_parse_environment',`
 	typeattribute $1 systemd_log_parse_env_type;
 ')
 
+######################################
+## <summary>
+##	Allow domain to use systemd's Name Service Switch (NSS) module.
+##	This module provides UNIX user and group name resolution for dynamic users
+##	and groups allocated through the DynamicUser= option in systemd unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`systemd_use_nss',`
+	gen_require(`
+		type systemd_conf_t;
+	')
+
+	# Get attributes of /etc/systemd/dont-synthesize-nobody
+	files_search_etc($1)
+	allow $1 systemd_conf_t:file getattr;
+
+	optional_policy(`
+		dbus_system_bus_client($1)
+		# For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager
+		init_dbus_chat($1)
+	')
+')
+
 ######################################
 ## <summary>
 ##	Allow domain to be used as a systemd service with a unit
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1627e88e..e09bc338 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -58,6 +58,9 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
 type systemd_binfmt_unit_t;
 init_unit_file(systemd_binfmt_unit_t)
 
+type systemd_conf_t;
+files_config_file(systemd_conf_t)
+
 type systemd_gpt_generator_t;
 type systemd_gpt_generator_exec_t;
 init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
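Review bot: The `<summary>` of `systemd_use_nss` does not mention that the `optional_policy` block grants `init_dbus_chat($1)`, which is much broader than a name-lookup permission: SELinux does not distinguish D-Bus methods, so the caller may send and receive any message on init's bus interface, not only the GetDynamicUser()/LookupDynamicUserByName() calls named in the comment. I would state this in the interface documentation, e.g. `##	Also allows D-Bus communication with init (org.freedesktop.systemd1), which is broader than the NSS lookup itself.`, and end the preceding summary sentence ("...in systemd unit files") with a period. If I recall correctly, later systemd releases moved nss-systemd's dynamic-user lookups from D-Bus to a varlink socket under /run/systemd, so on newer systemd the D-Bus rules here may be insufficient and additional socket access could be needed; worth confirming against the target version. The getattr-only rule on `systemd_conf_t` is consistent with the existence check of /etc/systemd/dont-synthesize-nobody described in the commit message, so no read permission is needed there.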