refpolicy-minimum: systemd:unconfined:lib: add systemd services allow rules

systemd allow rules for systemd service file operations: start, stop, restart & allow rule for unconfined systemd service. without this change we are geting avc denials and access denied to perform operations on service file. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Shrikant Bobade <shrikant_bobade@mentor.com> 2016-08-29 19:05:39 +0530
committer: Joe MacDonald <joe_macdonald@mentor.com> 2016-09-01 14:30:46 -0400
commit: 34ab910f6414ff6eb8495bc6c727f0808e5bd8f8 (patch)
tree: 05521c787227100bff7de13de96260a77d739866
parent: d3c54a1a5a131e3d14f10451f05f6fb4080222a4 (diff)
download: meta-selinux-34ab910f6414ff6eb8495bc6c727f0808e5bd8f8.tar.gz
2 files changed, 131 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
new file mode 100644
index 0000000..7a72f18
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -0,0 +1,124 @@
+From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:51:32 +0530
+Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
+ services allow rules
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+:~# systemctl restart  selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+Upstream-Status: Pending
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/system/init.te       |  6 +++++-
+ policy/modules/system/libraries.te  |  3 +++
+ policy/modules/system/systemd.if    | 40 +++++++++++++++++++++++++++++++++++++
+ policy/modules/system/unconfined.te |  6 ++++++
+ 4 files changed, 54 insertions(+), 1 deletion(-)
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d710fb0..f9d7114 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -1100,4 +1100,8 @@ optional_policy(`
+ # systemd related allow rules
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+-allow init_t self:capability2 block_suspend;
+\ No newline at end of file
+allow init_t self:capability2 block_suspend;
+allow init_t self:capability2 audit_read;
+
+allow initrc_t init_t:system { start status };
+allow initrc_t init_var_run_t:service { start status };
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 0f5cd56..df98fe9 100644
+--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
+@@ -144,3 +144,6 @@ optional_policy(`
+ optional_policy(`
+        unconfined_domain(ldconfig_t)
+ ')
+
+# systemd: init domain to start lib domain service
+systemd_service_lib_function(lib_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 3cd6670..822c03d 100644
+--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
+@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
+ 
+        allow $1 power_unit_t:service start;
+ ')
+
+
+########################################
+## <summary>
+## Allow specified domain to start stop reset systemd service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_service_file_operations',`
+         gen_require(`
+               class service { start status stop };
+         ')
+
+       allow $1 lib_t:service { start status stop };
+
+')
+
+
+########################################
+## <summary>
+## Allow init domain to start lib domain service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_service_lib_function',`
+         gen_require(`
+               class service start;
+         ')
+
+       allow initrc_t $1:service start;
+
+')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 99cab31..87a1b03 100644
+--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
+@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+        unconfined_dbus_chat(unconfined_execmem_t)
+ ')
+
+
+# systemd: specified domain to start stop reset systemd service
+systemd_service_file_operations(unconfined_t)
+
+allow unconfined_t init_t:system reload;
+-- 
+1.9.1
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 04ceadd..16592e5 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -67,3 +67,10 @@ prepare_policy_store () {
                cp ${MOD_FILE} ${MOD_DIR}/hll
        done
 }
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPOLICY_PATCHES}', '', d)}"
+SYSTEMD_REFPOLICY_PATCHES = " \
+        file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
+        "
author	Shrikant Bobade <shrikant_bobade@mentor.com>	2016-08-29 19:05:39 +0530
committer	Joe MacDonald <joe_macdonald@mentor.com>	2016-09-01 14:30:46 -0400
commit	34ab910f6414ff6eb8495bc6c727f0808e5bd8f8 (patch)
tree	05521c787227100bff7de13de96260a77d739866
parent	d3c54a1a5a131e3d14f10451f05f6fb4080222a4 (diff)
download	meta-selinux-34ab910f6414ff6eb8495bc6c727f0808e5bd8f8.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch new file mode 100644 index 0000000..7a72f18 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
@@ -0,0 +1,124 @@
		1	From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001
		2	From: Shrikant Bobade <shrikant_bobade@mentor.com>
		3	Date: Fri, 26 Aug 2016 17:51:32 +0530
		4	Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
		5	services allow rules
		6
		7	systemd allow rules for systemd service file operations: start, stop, restart
		8	& allow rule for unconfined systemd service.
		9
		10	without this change we are getting these errors:
		11	:~# systemctl status selinux-init.service
		12	Failed to get properties: Access denied
		13
		14	:~# systemctl stop selinux-init.service
		15	Failed to stop selinux-init.service: Access denied
		16
		17	:~# systemctl restart selinux-init.service
		18	audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
		19	system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
		20	gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
		21	restart selinux-init.service" scontext=unconfined_u:unconfined_r:
		22	unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
		23
		24	Upstream-Status: Pending
		25
		26	Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
		27	---
		28	policy/modules/system/init.te \| 6 +++++-
		29	policy/modules/system/libraries.te \| 3 +++
		30	policy/modules/system/systemd.if \| 40 +++++++++++++++++++++++++++++++++++++
		31	policy/modules/system/unconfined.te \| 6 ++++++
		32	4 files changed, 54 insertions(+), 1 deletion(-)
		33
		34	diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
		35	index d710fb0..f9d7114 100644
		36	--- a/policy/modules/system/init.te
		37	+++ b/policy/modules/system/init.te
		38	@@ -1100,4 +1100,8 @@ optional_policy(`
		39	# systemd related allow rules
		40	allow kernel_t init_t:process dyntransition;
		41	allow devpts_t device_t:filesystem associate;
		42	-allow init_t self:capability2 block_suspend;
		43	\ No newline at end of file
		44	+allow init_t self:capability2 block_suspend;
		45	+allow init_t self:capability2 audit_read;
		46	+
		47	+allow initrc_t init_t:system { start status };
		48	+allow initrc_t init_var_run_t:service { start status };
		49	diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
		50	index 0f5cd56..df98fe9 100644
		51	--- a/policy/modules/system/libraries.te
		52	+++ b/policy/modules/system/libraries.te
		53	@@ -144,3 +144,6 @@ optional_policy(`
		54	optional_policy(`
		55	unconfined_domain(ldconfig_t)
		56	')
		57	+
		58	+# systemd: init domain to start lib domain service
		59	+systemd_service_lib_function(lib_t)
		60	diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
		61	index 3cd6670..822c03d 100644
		62	--- a/policy/modules/system/systemd.if
		63	+++ b/policy/modules/system/systemd.if
		64	@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
		65
		66	allow $1 power_unit_t:service start;
		67	')
		68	+
		69	+
		70	+########################################
		71	+## <summary>
		72	+## Allow specified domain to start stop reset systemd service
		73	+## </summary>
		74	+## <param name="domain">
		75	+## <summary>
		76	+## Domain to not audit.
		77	+## </summary>
		78	+## </param>
		79	+#
		80	+interface(`systemd_service_file_operations',`
		81	+ gen_require(`
		82	+ class service { start status stop };
		83	+ ')
		84	+
		85	+ allow $1 lib_t:service { start status stop };
		86	+
		87	+')
		88	+
		89	+
		90	+########################################
		91	+## <summary>
		92	+## Allow init domain to start lib domain service
		93	+## </summary>
		94	+## <param name="domain">
		95	+## <summary>
		96	+## Domain to not audit.
		97	+## </summary>
		98	+## </param>
		99	+#
		100	+interface(`systemd_service_lib_function',`
		101	+ gen_require(`
		102	+ class service start;
		103	+ ')
		104	+
		105	+ allow initrc_t $1:service start;
		106	+
		107	+')
		108	diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
		109	index 99cab31..87a1b03 100644
		110	--- a/policy/modules/system/unconfined.te
		111	+++ b/policy/modules/system/unconfined.te
		112	@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
		113	optional_policy(`
		114	unconfined_dbus_chat(unconfined_execmem_t)
		115	')
		116	+
		117	+
		118	+# systemd: specified domain to start stop reset systemd service
		119	+systemd_service_file_operations(unconfined_t)
		120	+
		121	+allow unconfined_t init_t:system reload;
		122	--
		123	1.9.1
		124


diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 04ceadd..16592e5 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -67,3 +67,10 @@ prepare_policy_store () {
67	cp ${MOD_FILE} ${MOD_DIR}/hll	67	cp ${MOD_FILE} ${MOD_DIR}/hll
68	done	68	done
69	}	69	}
		70
		71	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPOLICY_PATCHES}', '', d)}"
		72
		73
		74	SYSTEMD_REFPOLICY_PATCHES = " \
		75	file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
		76	"