Issue OwlCyberDefense#190 - Fix up service-related policy

- Move "service" access vector to logical location and add comments
- Fix systemd unit service naming schemes and get rid of redundant interfaces
- Add some toor policy for starting/stopping services
- Let staff_t talk to init through dbus

packages/clip-selinux-policy/clip-selinux-policy/policy/flask/access_vectors

@@ -331,6 +331,19 @@ class process
 	setsockcreate
 }
 
+#
+# Define the access vector interpretation for service-related objects
+#
+
+class service
+{
+	start
+	stop
+	status
+	reload
+	enable
+	disable
+}
 
 #
 # Define the access vector interpretation for ipc-related objects
@@ -877,14 +890,3 @@ inherits database
 	implement
 	execute
 }
-
-class service
-{
-	start
-	stop
-	status
-	reload
-	enable
-	disable
-}
-

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/staff.te

@@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
 
 	optional_policy(`
 		dbus_role_template(staff, staff_r, staff_t)
+		init_dbus_chat(staff_t)
 
 		optional_policy(`
 			gnome_role_template(staff, staff_r, staff_t)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.if

@@ -2139,3 +2139,23 @@ interface(`init_service_start',`
 	allow $1 init_t:service start;
 ')
 
+########################################
+## <summary>
+##	Send and receive messages from
+##	systemd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+	gen_require(`
+		type initrc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 init_t:dbus send_msg;
+	allow init_t $1:dbus send_msg;
+')

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/init.te

@@ -299,6 +299,7 @@ ifdef(`init_systemd',`
 	term_relabel_pty_dir(init_t)
 
 	files_search_kernel_modules(init_t)
+
 	optional_policy(`
 		modutils_domtrans_insmod(init_t)
 	')
@@ -761,12 +762,11 @@ ifdef(`init_systemd',`
 	# Connect to private bus (/run/systemd/private)
 	init_connect_private_bus(initrc_t)
 	kernel_dgram_send(initrc_t)
-	systemd_unit_files_service_status(initrc_t)
-	systemd_unit_files_service_start(initrc_t)
-	systemd_unit_files_service_stop(initrc_t)
-	systemd_power_units_service_start(initrc_t)
+	systemd_status_unit_services(initrc_t)
+	systemd_stop_unit_services(initrc_t)
+	systemd_start_power_unit_services(initrc_t)
 	systemd_manage_unit_files(initrc_t)
-	systemd_create_unit_file_dirs(initrc_t)
+	systemd_create_unit_dirs(initrc_t)
 	systemd_manage_unit_symlinks(initrc_t)
 	manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
 	systemd_socket_activated(initrc_t, init_var_run_t)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/sysnetwork.te

@@ -162,6 +162,7 @@ ifdef(`distro_redhat', `
 
 ifdef(`init_systemd',`
 	init_rw_stream_sockets(dhcpc_t)
+	init_read_state(dhcpc_t)
 ')
 
 ifdef(`distro_ubuntu',`
@@ -243,7 +244,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	systemd_services_status(dhcpc_t)
+	systemd_status_unit_services(dhcpc_t)
 	systemd_search_units(dhcpc_t)
 ')
 

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.if

@@ -59,25 +59,6 @@ interface(`systemd_list_units',`
 	allow $1 systemdunitfile:dir list_dir_perms;
 ')
 
-######################################
-## <summary>
-##   Allow domain to create systemd unit dirs.
-## </summary>
-## <param name="domain">
-##   <summary>
-##     Domain allowed access.
-##   </summary>
-## </param>
-#
-interface(`systemd_create_unit_dirs',`
-	gen_require(`
-		attribute systemdunitfile;
-	')
-
-	files_search_var_lib($1)
-	allow $1 systemdunitfile:dir create;
-')
-
 ########################################
 ## <summary>
 ##   Manage systemd unit dirs
@@ -361,60 +342,6 @@ interface(`systemd_logind_dbus_send',`
 	allow $1 systemd_logind_t:dbus send_msg;
 ')
 
-########################################
-## <summary>
-##   Allow the specified domain to start all systemd services.
-## </summary>
-## <param name="domain">
-##   <summary>
-##     Domain allowed access.
-##   </summary>
-## </param>
-#
-interface(`systemd_services_start',`
-	gen_require(`
-		attribute systemdunitfile;
-	')
-
-	allow $1 systemdunitfile:service start;
-')
-
-########################################
-## <summary>
-##   Allow the specified domain to access status of systemd services.
-## </summary>
-## <param name="domain">
-##   <summary>
-##     Domain allowed access.
-##   </summary>
-## </param>
-#
-interface(`systemd_services_status',`
-	gen_require(`
-		attribute systemdunitfile;
-	')
-
-	allow $1 systemdunitfile:service status;
-')
-
-#######################################
-## <summary>
-##   Allow the specified domain to reload all systemd services.
-## </summary>
-## <param name="domain">
-##   <summary>
-##     Domain allowed access.
-##    </summary>
-## </param>
-#
-interface(`systemd_services_reload',`
-	gen_require(`
-		attribute systemdunitfile;
-	')
-
-	allow $1 systemdunitfile:service reload;
-')
-
 ########################################
 ## <summary>
 ##   Allow the specified domain to modify the systemd configuration of
@@ -446,7 +373,7 @@ interface(`systemd_config_all_services',`
 ##   </summary>
 ## </param>
 #
-interface(`systemd_config_systemd_services',`
+interface(`systemd_config_unit_services',`
 	gen_require(`
 		type systemd_unit_file_t;
 	')
@@ -580,7 +507,7 @@ interface(`systemd_relabelto_kmod_files',`
 ## </summary>
 ## </param>
 #
-interface(`systemd_unit_file_filetrans',`
+interface(`systemd_unit_filetrans',`
 	gen_require(`
 		type systemd_unit_file_t;
 	')
@@ -599,7 +526,7 @@ interface(`systemd_unit_file_filetrans',`
 ##  </summary>
 ## </param>
 #
-interface(`systemd_create_unit_file_dirs',`
+interface(`systemd_create_unit_dirs',`
 	gen_require(`
 		type systemd_unit_file_t;
 	')
@@ -617,7 +544,7 @@ interface(`systemd_create_unit_file_dirs',`
 ##  </summary>
 ## </param>
 #
-interface(`systemd_create_unit_file_lnk',`
+interface(`systemd_create_unit_lnk_files',`
 	gen_require(`
 		type systemd_unit_file_t;
 	')
@@ -812,58 +739,80 @@ interface(`systemd_socket_activated',`
 
 ########################################
 ## <summary>
-## Allow specified domain to get status of systemd unit files
+## Allow specified domain to get status of all systemd services.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ## Domain to not audit.
 ## </summary>
 ## </param>
 #
-interface(`systemd_unit_files_service_status',`
+interface(`systemd_status_unit_services',`
 	gen_require(`
 		attribute systemdunitfile;
+		class service status;
 	')
 
 	allow $1 systemdunitfile:service status;
 ')
 
 ########################################
 ## <summary>
-## Allow specified domain to start systemd unit files
+## Allow specified domain to start all systemd services.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ## Domain to not audit.
 ## </summary>
 ## </param>
 #
-interface(`systemd_unit_files_service_start',`
+interface(`systemd_start_unit_services',`
 	gen_require(`
 		attribute systemdunitfile;
+		class service start;
 	')
 
 	allow $1 systemdunitfile:service start;
 ')
 
 ########################################
 ## <summary>
-## Allow specified domain to stop systemd unit files
+## Allow specified domain to stop all systemd services.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ## Domain to not audit.
 ## </summary>
 ## </param>
 #
-interface(`systemd_unit_files_service_stop',`
+interface(`systemd_stop_unit_services',`
 	gen_require(`
 		attribute systemdunitfile;
+		class service stop;
 	')
 
 	allow $1 systemdunitfile:service stop;
 ')
 
+#######################################
+## <summary>
+##   Allow the specified domain to reload all systemd services.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##    </summary>
+## </param>
+#
+interface(`systemd_reload_unit_services',`
+	gen_require(`
+		attribute systemdunitfile;
+		class service reload;
+	')
+
+	allow $1 systemdunitfile:service reload;
+')
+
 ########################################
 ## <summary>
 ## Allow specified domain to start power units
@@ -874,10 +823,49 @@ interface(`systemd_unit_files_service_stop',`
 ## </summary>
 ## </param>
 #
-interface(`systemd_power_units_service_start',`
+interface(`systemd_start_power_unit_services',`
 	gen_require(`
 		type power_unit_file_t;
+		class service start;
 	')
 
 	allow $1 power_unit_file_t:service start;
 ')
+
+########################################
+## <summary>
+## Allow specified domain to stop power units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_stop_power_unit_services',`
+	gen_require(`
+		type power_unit_file_t;
+		class service stop;
+	')
+
+	allow $1 power_unit_file_t:service stop;
+')
+
+########################################
+## <summary>
+## Allow specified domain to reload power units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_reload_power_unit_services',`
+	gen_require(`
+		type power_unit_file_t;
+		class service reload;
+	')
+
+	allow $1 power_unit_file_t:service reload;
+')

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/systemd.te

@@ -413,10 +413,10 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
-systemd_unit_files_service_status(systemd_logind_t)
-systemd_unit_files_service_start(systemd_logind_t)
-systemd_unit_files_service_stop(systemd_logind_t)
-systemd_power_units_service_start(systemd_logind_t)
+systemd_status_unit_services(systemd_logind_t)
+systemd_start_unit_services(systemd_logind_t)
+systemd_stop_unit_services(systemd_logind_t)
+systemd_start_power_unit_services(systemd_logind_t)
 init_service_status(systemd_logind_t)
 init_service_start(systemd_logind_t)
 # This is for reading /proc/1/cgroup