diff options
author | Shrikant Bobade <shrikant_bobade@mentor.com> | 2016-08-29 19:05:39 +0530 |
---|---|---|
committer | Joe MacDonald <joe_macdonald@mentor.com> | 2016-09-01 14:30:46 -0400 |
commit | 34ab910f6414ff6eb8495bc6c727f0808e5bd8f8 (patch) | |
tree | 05521c787227100bff7de13de96260a77d739866 | |
parent | d3c54a1a5a131e3d14f10451f05f6fb4080222a4 (diff) | |
download | meta-selinux-34ab910f6414ff6eb8495bc6c727f0808e5bd8f8.tar.gz |
refpolicy-minimum: systemd:unconfined:lib: add systemd services allow rules
systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.
without this change we are geting avc denials and access denied to perform
operations on service file.
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-rw-r--r-- | recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch | 124 | ||||
-rw-r--r-- | recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb | 7 |
2 files changed, 131 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch new file mode 100644 index 0000000..7a72f18 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch | |||
@@ -0,0 +1,124 @@ | |||
1 | From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
3 | Date: Fri, 26 Aug 2016 17:51:32 +0530 | ||
4 | Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd | ||
5 | services allow rules | ||
6 | |||
7 | systemd allow rules for systemd service file operations: start, stop, restart | ||
8 | & allow rule for unconfined systemd service. | ||
9 | |||
10 | without this change we are getting these errors: | ||
11 | :~# systemctl status selinux-init.service | ||
12 | Failed to get properties: Access denied | ||
13 | |||
14 | :~# systemctl stop selinux-init.service | ||
15 | Failed to stop selinux-init.service: Access denied | ||
16 | |||
17 | :~# systemctl restart selinux-init.service | ||
18 | audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj= | ||
19 | system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 | ||
20 | gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl | ||
21 | restart selinux-init.service" scontext=unconfined_u:unconfined_r: | ||
22 | unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service | ||
23 | |||
24 | Upstream-Status: Pending | ||
25 | |||
26 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
27 | --- | ||
28 | policy/modules/system/init.te | 6 +++++- | ||
29 | policy/modules/system/libraries.te | 3 +++ | ||
30 | policy/modules/system/systemd.if | 40 +++++++++++++++++++++++++++++++++++++ | ||
31 | policy/modules/system/unconfined.te | 6 ++++++ | ||
32 | 4 files changed, 54 insertions(+), 1 deletion(-) | ||
33 | |||
34 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
35 | index d710fb0..f9d7114 100644 | ||
36 | --- a/policy/modules/system/init.te | ||
37 | +++ b/policy/modules/system/init.te | ||
38 | @@ -1100,4 +1100,8 @@ optional_policy(` | ||
39 | # systemd related allow rules | ||
40 | allow kernel_t init_t:process dyntransition; | ||
41 | allow devpts_t device_t:filesystem associate; | ||
42 | -allow init_t self:capability2 block_suspend; | ||
43 | \ No newline at end of file | ||
44 | +allow init_t self:capability2 block_suspend; | ||
45 | +allow init_t self:capability2 audit_read; | ||
46 | + | ||
47 | +allow initrc_t init_t:system { start status }; | ||
48 | +allow initrc_t init_var_run_t:service { start status }; | ||
49 | diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te | ||
50 | index 0f5cd56..df98fe9 100644 | ||
51 | --- a/policy/modules/system/libraries.te | ||
52 | +++ b/policy/modules/system/libraries.te | ||
53 | @@ -144,3 +144,6 @@ optional_policy(` | ||
54 | optional_policy(` | ||
55 | unconfined_domain(ldconfig_t) | ||
56 | ') | ||
57 | + | ||
58 | +# systemd: init domain to start lib domain service | ||
59 | +systemd_service_lib_function(lib_t) | ||
60 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | ||
61 | index 3cd6670..822c03d 100644 | ||
62 | --- a/policy/modules/system/systemd.if | ||
63 | +++ b/policy/modules/system/systemd.if | ||
64 | @@ -171,3 +171,43 @@ interface(`systemd_start_power_units',` | ||
65 | |||
66 | allow $1 power_unit_t:service start; | ||
67 | ') | ||
68 | + | ||
69 | + | ||
70 | +######################################## | ||
71 | +## <summary> | ||
72 | +## Allow specified domain to start stop reset systemd service | ||
73 | +## </summary> | ||
74 | +## <param name="domain"> | ||
75 | +## <summary> | ||
76 | +## Domain to not audit. | ||
77 | +## </summary> | ||
78 | +## </param> | ||
79 | +# | ||
80 | +interface(`systemd_service_file_operations',` | ||
81 | + gen_require(` | ||
82 | + class service { start status stop }; | ||
83 | + ') | ||
84 | + | ||
85 | + allow $1 lib_t:service { start status stop }; | ||
86 | + | ||
87 | +') | ||
88 | + | ||
89 | + | ||
90 | +######################################## | ||
91 | +## <summary> | ||
92 | +## Allow init domain to start lib domain service | ||
93 | +## </summary> | ||
94 | +## <param name="domain"> | ||
95 | +## <summary> | ||
96 | +## Domain to not audit. | ||
97 | +## </summary> | ||
98 | +## </param> | ||
99 | +# | ||
100 | +interface(`systemd_service_lib_function',` | ||
101 | + gen_require(` | ||
102 | + class service start; | ||
103 | + ') | ||
104 | + | ||
105 | + allow initrc_t $1:service start; | ||
106 | + | ||
107 | +') | ||
108 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | ||
109 | index 99cab31..87a1b03 100644 | ||
110 | --- a/policy/modules/system/unconfined.te | ||
111 | +++ b/policy/modules/system/unconfined.te | ||
112 | @@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) | ||
113 | optional_policy(` | ||
114 | unconfined_dbus_chat(unconfined_execmem_t) | ||
115 | ') | ||
116 | + | ||
117 | + | ||
118 | +# systemd: specified domain to start stop reset systemd service | ||
119 | +systemd_service_file_operations(unconfined_t) | ||
120 | + | ||
121 | +allow unconfined_t init_t:system reload; | ||
122 | -- | ||
123 | 1.9.1 | ||
124 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 04ceadd..16592e5 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb | |||
@@ -67,3 +67,10 @@ prepare_policy_store () { | |||
67 | cp ${MOD_FILE} ${MOD_DIR}/hll | 67 | cp ${MOD_FILE} ${MOD_DIR}/hll |
68 | done | 68 | done |
69 | } | 69 | } |
70 | |||
71 | SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPOLICY_PATCHES}', '', d)}" | ||
72 | |||
73 | |||
74 | SYSTEMD_REFPOLICY_PATCHES = " \ | ||
75 | file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \ | ||
76 | " | ||