Merge pull request #2493 from evverx/fix-selinux-checks

Fix selinux check for ReloadUnit

8 files changed, 241 insertions, 7 deletions

diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index 386ea96d1b..dca9f77528 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -458,7 +458,10 @@ int bus_unit_method_start_generic(
         assert(u);
         assert(job_type >= 0 && job_type < _JOB_TYPE_MAX);
 
-        r = mac_selinux_unit_access_check(u, message, job_type == JOB_STOP ? "stop" : "start", error);
+        r = mac_selinux_unit_access_check(
+                        u, message,
+                        job_type_to_access_method(job_type),
+                        error);
         if (r < 0)
                 return r;
 
@@ -983,6 +986,13 @@ int bus_unit_queue_job(
         assert(type >= 0 && type < _JOB_TYPE_MAX);
         assert(mode >= 0 && mode < _JOB_MODE_MAX);
 
+        r = mac_selinux_unit_access_check(
+                        u, message,
+                        job_type_to_access_method(type),
+                        error);
+        if (r < 0)
+                return r;
+
         if (reload_if_possible && unit_can_reload(u)) {
                 if (type == JOB_RESTART)
                         type = JOB_RELOAD_OR_START;
@@ -990,12 +1000,6 @@ int bus_unit_queue_job(
                         type = JOB_TRY_RELOAD;
         }
 
-        r = mac_selinux_unit_access_check(
-                        u, message,
-                        (type == JOB_START || type == JOB_RESTART || type == JOB_TRY_RESTART) ? "start" :
-                        type == JOB_STOP ? "stop" : "reload", error);
-        if (r < 0)
-                return r;
 
         if (type == JOB_STOP &&
             (u->load_state == UNIT_NOT_FOUND || u->load_state == UNIT_ERROR) &&
diff --git a/src/core/job.c b/src/core/job.c
index 4e111ffb46..d8fdf1b53f 100644
--- a/src/core/job.c
+++ b/src/core/job.c
@@ -1240,3 +1240,15 @@ static const char* const job_result_table[_JOB_RESULT_MAX] = {
 };
 
 DEFINE_STRING_TABLE_LOOKUP(job_result, JobResult);
+
+const char* job_type_to_access_method(JobType t) {
+        assert(t >= 0);
+        assert(t < _JOB_TYPE_MAX);
+
+        if (IN_SET(t, JOB_START, JOB_RESTART, JOB_TRY_RESTART))
+                return "start";
+        else if (t == JOB_STOP)
+                return "stop";
+        else
+                return "reload";
+}
diff --git a/src/core/job.h b/src/core/job.h
index 52866fdc48..bbf5471e8b 100644
--- a/src/core/job.h
+++ b/src/core/job.h
@@ -240,3 +240,5 @@ const char* job_result_to_string(JobResult t) _const_;
 JobResult job_result_from_string(const char *s) _pure_;
 
 int job_get_timeout(Job *j, uint64_t *timeout) _pure_;
+
+const char* job_type_to_access_method(JobType t);
diff --git a/test/TEST-06-SELINUX/Makefile b/test/TEST-06-SELINUX/Makefile
new file mode 100644
index 0000000000..5e89a29eff
--- /dev/null
+++ b/test/TEST-06-SELINUX/Makefile
@@ -0,0 +1,10 @@
+all:
+	@make -s --no-print-directory -C ../.. all
+	@basedir=../.. TEST_BASE_DIR=../ ./test.sh --all
+setup:
+	@make --no-print-directory -C ../.. all
+	@basedir=../.. TEST_BASE_DIR=../ ./test.sh --setup
+clean:
+	@basedir=../.. TEST_BASE_DIR=../ ./test.sh --clean
+run:
+	@basedir=../.. TEST_BASE_DIR=../ ./test.sh --run
diff --git a/test/TEST-06-SELINUX/systemd_test.if b/test/TEST-06-SELINUX/systemd_test.if
new file mode 100644
index 0000000000..25c91adce9
--- /dev/null
+++ b/test/TEST-06-SELINUX/systemd_test.if
@@ -0,0 +1,8 @@
+template(`systemd_test_base_template', `
+	gen_require(`
+		attribute systemd_test_domain_type;
+	')
+
+	type $1_t, systemd_test_domain_type;
+	domain_type($1_t)
+')
diff --git a/test/TEST-06-SELINUX/systemd_test.te b/test/TEST-06-SELINUX/systemd_test.te
new file mode 100644
index 0000000000..ff01c09b5e
--- /dev/null
+++ b/test/TEST-06-SELINUX/systemd_test.te
@@ -0,0 +1,50 @@
+policy_module(systemd_test, 0.0.1)
+
+# declarations
+attribute systemd_test_domain_type;
+
+systemd_test_base_template(systemd_test)
+systemd_test_base_template(systemd_test_status)
+systemd_test_base_template(systemd_test_start)
+systemd_test_base_template(systemd_test_stop)
+systemd_test_base_template(systemd_test_reload)
+
+# systemd_test_domain_type
+
+require {
+	role system_r;
+	role unconfined_r;
+	type bin_t;
+	type initrc_t;
+	type systemd_systemctl_exec_t;
+	type unconfined_service_t;
+}
+
+role system_r types systemd_test_domain_type;
+role unconfined_r types systemd_test_domain_type;
+
+allow systemd_test_domain_type bin_t: file entrypoint;
+allow systemd_test_domain_type systemd_systemctl_exec_t: file entrypoint;
+allow initrc_t systemd_test_domain_type: process transition;
+allow unconfined_service_t systemd_test_domain_type: process transition;
+corecmd_exec_bin(systemd_test_domain_type)
+init_signal_script(systemd_test_domain_type)
+init_sigchld_script(systemd_test_domain_type)
+systemd_exec_systemctl(systemd_test_domain_type)
+userdom_use_user_ttys(systemd_test_domain_type)
+userdom_use_user_ptys(systemd_test_domain_type)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_test_domain_type)
+	init_dbus_chat(systemd_test_domain_type)
+')
+
+# systemd_test_*_t
+require {
+	type systemd_unit_file_t;
+}
+
+allow systemd_test_status_t systemd_unit_file_t: service { status };
+allow systemd_test_start_t systemd_unit_file_t: service { start };
+allow systemd_test_stop_t systemd_unit_file_t: service { stop };
+allow systemd_test_reload_t systemd_unit_file_t: service { reload };
diff --git a/test/TEST-06-SELINUX/test-selinux-checks.sh b/test/TEST-06-SELINUX/test-selinux-checks.sh
new file mode 100755
index 0000000000..08d2ddf4f0
--- /dev/null
+++ b/test/TEST-06-SELINUX/test-selinux-checks.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -x
+set -e
+set -o pipefail
+
+echo 1 >/sys/fs/selinux/enforce
+runcon -t systemd_test_start_t systemctl start hola
+runcon -t systemd_test_reload_t systemctl reload hola
+runcon -t systemd_test_stop_t systemctl stop hola
+
+touch /testok
+exit 0
diff --git a/test/TEST-06-SELINUX/test.sh b/test/TEST-06-SELINUX/test.sh
new file mode 100755
index 0000000000..4f5895be66
--- /dev/null
+++ b/test/TEST-06-SELINUX/test.sh
@@ -0,0 +1,135 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+TEST_DESCRIPTION="SELinux tests"
+
+# Requirements:
+# Fedora 23
+# selinux-policy-targeted
+# selinux-policy-devel
+
+. $TEST_BASE_DIR/test-functions
+SETUP_SELINUX=yes
+KERNEL_APPEND="$KERNEL_APPEND selinux=1"
+
+check_result_qemu() {
+    ret=1
+    mkdir -p $TESTDIR/root
+    mount ${LOOPDEV}p1 $TESTDIR/root
+    [[ -e $TESTDIR/root/testok ]] && ret=0
+    [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
+    cp -a $TESTDIR/root/var/log/journal $TESTDIR
+    umount $TESTDIR/root
+    [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
+    ls -l $TESTDIR/journal/*/*.journal
+    test -s $TESTDIR/failed && ret=$(($ret+1))
+    return $ret
+}
+
+test_run() {
+    if run_qemu; then
+        check_result_qemu || return 1
+    else
+        dwarn "can't run QEMU, skipping"
+    fi
+    return 0
+}
+
+test_setup() {
+    create_empty_image
+    mkdir -p $TESTDIR/root
+    mount ${LOOPDEV}p1 $TESTDIR/root
+
+    # Create what will eventually be our root filesystem onto an overlay
+    (
+        LOG_LEVEL=5
+        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+        setup_basic_environment
+
+        # setup the testsuite service
+        cat <<EOF >$initdir/etc/systemd/system/testsuite.service
+[Unit]
+Description=Testsuite service
+After=multi-user.target
+
+[Service]
+ExecStart=/test-selinux-checks.sh
+Type=oneshot
+EOF
+
+        cat <<EOF >$initdir/etc/systemd/system/hola.service
+[Service]
+Type=oneshot
+ExecStart=/bin/echo Start Hola
+ExecReload=/bin/echo Reload Hola
+ExecStop=/bin/echo Stop Hola
+RemainAfterExit=yes
+EOF
+
+        setup_testsuite
+
+        cat <<EOF >$initdir/etc/systemd/system/load-systemd-test-module.service
+[Unit]
+Description=Load systemd-test module
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target autorelabel.service
+ConditionSecurity=selinux
+ConditionPathExists=|/.load-systemd-test-module
+
+[Service]
+ExecStart=/bin/sh -x -c 'echo 0 >/sys/fs/selinux/enforce && cd /systemd-test-module && make -f /usr/share/selinux/devel/Makefile load  && rm /.load-systemd-test-module'
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+EOF
+
+        touch $initdir/.load-systemd-test-module
+        mkdir -p $initdir/etc/systemd/system/basic.target.wants
+        ln -fs load-systemd-test-module.service $initdir/etc/systemd/system/basic.target.wants/load-systemd-test-module.service
+
+        local _modules_dir=/var/lib/selinux
+        rm -rf $initdir/$_modules_dir
+        if ! cp -ar $_modules_dir $initdir/$_modules_dir; then
+            dfatal "Failed to copy $_modules_dir"
+            exit 1
+        fi
+
+        local _policy_headers_dir=/usr/share/selinux/devel
+        rm -rf $initdir/$_policy_headers_dir
+        inst_dir /usr/share/selinux
+        if ! cp -ar $_policy_headers_dir $initdir/$_policy_headers_dir; then
+            dfatal "Failed to copy $_policy_headers_dir"
+            exit 1
+        fi
+
+        mkdir $initdir/systemd-test-module
+        cp systemd_test.te $initdir/systemd-test-module
+        cp systemd_test.if $initdir/systemd-test-module
+        cp test-selinux-checks.sh $initdir
+        dracut_install -o sesearch
+        dracut_install runcon
+        dracut_install checkmodule semodule semodule_package m4 make /usr/libexec/selinux/hll/pp load_policy sefcontext_compile
+    ) || return 1
+
+    # mask some services that we do not want to run in these tests
+    ln -s /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service
+    ln -s /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service
+    ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.service
+    ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.socket
+    ln -s /dev/null $initdir/etc/systemd/system/systemd-resolved.service
+
+    ddebug "umount $TESTDIR/root"
+    umount $TESTDIR/root
+}
+
+test_cleanup() {
+    umount $TESTDIR/root 2>/dev/null
+    [[ $LOOPDEV ]] && losetup -d $LOOPDEV
+    return 0
+}
+
+do_test "$@"