SELinux policies for systemd-homed

arturasb · January 11, 2023, 7:27pm

Hi.

I was looking for the solution to missing SELinux policies for systemd-homed in F37. There are community members who have created custom SELinux policies, but I found that there are systemd-homed file types, contexts and policies already created in the SELinuxProject / refpolicy project.
My questions is to community members who has SELinux experience - what would be the proper way to add systemd-homed policies from the SELinuxProject/refpolicy project ?
The files containing systemd-homed:

github.com

SELinuxProject/refpolicy/blob/84a78f686e202a0b80c88899cd1cc5767ec37b99/policy/modules/system/systemd.fc

/etc/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)

/etc/systemd/dont-synthesize-nobody	--	gen_context(system_u:object_r:systemd_conf_t,s0)
/etc/udev/hwdb\.bin			--	gen_context(system_u:object_r:systemd_hwdb_t,s0)

/run/log/journal(/.*)?				gen_context(system_u:object_r:systemd_journal_t,s0)

/usr/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
/usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
/usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
/usr/bin/systemd-hwdb			--	gen_context(system_u:object_r:systemd_hw_exec_t,s0)
/usr/bin/systemd-nspawn			--	gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
/usr/bin/systemd-stdio-bridge		--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
/usr/bin/systemd-sysusers		--	gen_context(system_u:object_r:systemd_sysusers_exec_t,s0)
/usr/bin/systemd-tmpfiles		--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
/usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
/usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)

# Systemd generators
/usr/lib/systemd/system-environment-generators/.*				--	gen_context(system_u:object_r:systemd_generator_exec_t,s0)

This file has been truncated. show original

github.com

SELinuxProject/refpolicy/blob/50f2c7ad05c6a7d9fb65035b90e8ae06ee456735/policy/modules/system/systemd.te

policy_module(systemd)

#########################################
#
# Declarations
#

## <desc>
## <p>
## Enable support for systemd-tmpfiles to manage all non-security files.
## </p>
## </desc>
gen_tunable(systemd_tmpfiles_manage_all, false)

## <desc>
## <p>
## Allow systemd-networkd to run its DHCPd server component
## </p>
## </desc>
gen_tunable(systemd_networkd_dhcp_server, false)

This file has been truncated. show original

I’m willing to spend time experimenting if someone could give/point to instructions.

Regards
ArtūrasB.

mattdm · January 12, 2023, 2:49am

I think probably the best way would be to get those policies from the refences policy included in GitHub - fedora-selinux/selinux-policy: selinux-policy for Fedora is a large patch off the mainline

richiedaze · January 12, 2023, 4:44am

The homed policy addition in the ref are still incomplete and are for reference. The one that’s mentioned in the fedora-selinux policy are also incomplete and not fully tested, hence why they were not merged.

As per SELinux/IndependentPolicy - Fedora Project Wiki

Write his own SELinux policy from scratch and ask SELinux team for policy review.

arturasb · January 12, 2023, 9:18am

I think probably the best way would be to get those policies from the refences policy included in https://github.com/fedora-selinux/selinux-policy

I agree with you, but the issue is that there is nothing about homed in the Fedora’s SELinux policies

We couldn’t find any code matching ‘homed’ in fedora-selinux/selinux-policy

My idea was to “extraxt” homed related stuff from refpolicy and add it to my installation properly (as a custom policy, I guess) so I could test it. Maybe I need to find instructions on how to achieve that…

arturasb · January 12, 2023, 9:20am

Yes, I realize that, but having all elements for systemd-homed in place, except SELinux policies for Fedora, makes me want to help with testing, at least, as I’m not SELinux expert.

richiedaze · January 12, 2023, 3:58pm

github.com/fedora-selinux/selinux-policy

[RFC] Support systemd-homed

fedora-selinux:rawhide ← maage:systemd-homed-1

opened 08:28PM - 11 Nov 21 UTC

maage

+635 -1

From: https://bugzilla.redhat.com/show_bug.cgi?id=1809878 systemd-249.6-2.fc3…5.x86_64 Regression: devicekit_var_run_t: cryptsetup lock files under /var/run/cryptsetup are created using domain devicekit_var_run_t without any modifications. To fix this either make what ever is creating the file use var_run_t or mark files as devicekit_var_run_t. I chose latter. Files are created there at least at: cryptsetup:lib/utils_device_locking.c:open_lock_dir I guess the /run/cryptsetup directory could have fcontext devicekit_var_run_t. But for now it is not implemented. I guess there is multiple domains from where /run/cryptsetup directory is created. I was not able to see how to find them all. Most other subdirectories under /run have own <subsystem>_var_run_t fcontext. New types: - systemd_homed_exec_t: file type for systemd-homed and systemd-homework helper - systemd_homed_t: process type for them - systemd_homed_unit_file_t: for unit files - systemd_homed_var_lib_t: local state - systemd_homed_runtime_t: notify socket, homectl locks etc - systemd_homed_home_file_t: /home/*.home images Reused types: - user_home_dir_t: /var/run/systemd/user-home-mount is used as setup area Capabilities are from: * /usr/lib/systemd/system/systemd-homed.service Not all capabilities usage was seen so some AVC messages are missing there. Actions: - journal logging - pw used in crypto is saved into keyring - load kernel modules regarding to storage, like dm-integrity - uses loopback device - runs mkfs, fsck and different filesystems use different resources - uses device mapper / lvm - uses cryptsetup - uses netlink - uses dbus - mount, unmount Home filesystem is created under /run/systemd/user-home-mount and then mount moved under /home/<username>. systemd-homed does not have any SELinux support bits, so newly created filesystem is unlabeled (unlabeled_t). Any system with SELinux enforced needs to run ``` sudo homectl with <username> -- restorecon -vFR /home/<username> ``` right after creating the homed disk / user. It sure would be nice if systemd-homework would do it automatically. Info about users homed config is saved in /home/<username>/.identity. Actual storage used is file in /home/<username>.home. systemd homed system talks with other components via /run/systemd/userdb/io.systemd.Home. Most probably current list is lacking. systemd-homed setups also quota and mail file. Systems view of identity file is under /var/lib/systemd/home and there is also other state files. I've included a my test script `test/test-systemd-homed.sh`. It uses username `testuser` and needs about 1GiB of disk space. You need to paste passwords yourself. It would be nice if homectl could accept password via file, but I guess that would not be secure. There is 2 parts disabled by default, but for full test both should be enabled. First tests fresh start w/o any files to see if fcontexts are done right by systemd-homed / systemd-homework. Second tests all different filesystems to iterate all possible mkfs / fsck uses. Full testing must have MxN matrix of real /home filesystem x homed filesystem. Also homed filesystem should be fully fleshed out filesystem with all variety of files seen under $HOME. Also all supported login methods should be employed during testing. I have briefly tested login from console and gdm under Fedora 35.

mattdm · January 12, 2023, 11:09pm

Sorry, I was unclear — I meant exactly what it looks like you’ve done: submit a PR to take the required policy from the reference implementation and include it in the Fedora version.

arturasb · January 13, 2023, 1:17pm

That’s fine, thanks for explaining.

Anyone could give me hints on how to put a proper PR to get homed reference policies from SELInux refpolicy project into Fedora’ SELinux policy project ? I know how PR works in general, but how to make that cross-project ?

mattdm · January 13, 2023, 1:37pm

Quick answer is:

Make a local clone of the reference repo
Fork the Fedora repo
Make a local clone of that fork
In that fork, checkout a new branch git checkout -b systemd-homed
Copy all of the needed files from the reference repo to your local fork of the Fedora repo
git diff to verify the changes
git add all the new and changed files
git commit with a descriptive message
git push back to your fork on github
Make the PR

(I suppose “test that your changes are correct” should be in there somewhere…)