From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:09 +0530
Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal
 service

1. fix for systemd services: login & journal while using refpolicy-minimum and
systemd as init manager.
2. fix login duration after providing root password.

without these changes we are getting avc denials like these and below
systemd services failure:

audit[]: AVC avc:  denied  { write } for  pid=422 comm="login" path="/run/
systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r:
local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0
tclass=fifo_file permissive=0

audit[]: AVC avc:  denied  { open } for  pid=216 comm="systemd-tmpfile" path
="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r:
systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file

audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:
system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path
="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl
--flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:
lib_t:s0 tclass=service

[FAILED] Failed to start Flush Journal to Persistent Storage.
See 'systemctl status systemd-journal-flush.service' for details.

[FAILED] Failed to start Login Service.
See 'systemctl status systemd-logind.service' for details.

[FAILED] Failed to start Avahi mDNS/DNS-SD Stack.
See 'systemctl status avahi-daemon.service' for details.

Upstream-Status: Pending

Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
 policy/modules/system/init.te       | 2 ++
 policy/modules/system/locallogin.te | 3 +++
 policy/modules/system/systemd.if    | 6 ++++--
 policy/modules/system/systemd.te    | 2 +-
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 843fdcff..ca8678b8 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read;
 
 allow initrc_t init_t:system { start status reboot };
 allow initrc_t init_var_run_t:service { start status };
+
+allow initrc_t init_var_run_t:service stop;
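Review bot: The new `stop` permission is added as a separate rule (with a blank line in between) right under the existing `allow initrc_t init_var_run_t:service { start status };`, so the two should be merged into one rule: `allow initrc_t init_var_run_t:service { start status stop };`. The USER_AVC quoted in the description has `tcontext=system_u:object_r:lib_t:s0 tclass=service`, not init_var_run_t, so this rule presumably is not the one that clears that denial — the systemd.if change looks like the closer match. Since this lets initrc_t stop every unit labelled init_var_run_t, a one-line comment above the rule naming the service that needs it would document the intent.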
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 75750e4c..2c2cfc7d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock};
 allow local_login_t var_run_t:sock_file write;
 allow local_login_t tmpfs_t:dir { add_name write search};
 allow local_login_t tmpfs_t:file { create open read write lock };
+allow local_login_t init_var_run_t:fifo_file write;
+allow local_login_t initrc_t:dbus send_msg;
+allow initrc_t local_login_t:dbus send_msg;
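Review bot: The three new rules reference types owned by the init module (init_var_run_t, initrc_t) directly, and the last one, `allow initrc_t local_login_t:dbus send_msg;`, grants a permission to initrc_t from locallogin.te; refpolicy convention is to go through init.if, where `init_dbus_chat(local_login_t)` covers both dbus directions and is normally wrapped in an `optional_policy(` block because the dbus class only matters when the dbus module is loaded. The fifo_file write matches the quoted /run/systemd/sessions/c1.ref denial, so a short comment naming that path above the rule would make the reason for writing to init_var_run_t pipes clear. The surrounding context lines already use raw allows on var_run_t and tmpfs_t, so the style is consistent with this tree, but in a modular build types declared in other modules have to be pulled in via gen_require or an interface, which is worth confirming here.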
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 4519a448..79133e6f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',`
 #
 interface(`systemd_service_lib_function',`
          gen_require(`
-               class service start;
+		class service { start status stop };
+		class file { execmod open };
          ')
 
-	allow initrc_t $1:service start;
+	allow initrc_t $1:service { start status stop };
+	allow initrc_t $1:file execmod;
 
 ')
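Review bot: `allow initrc_t $1:file execmod;` and the new `class file { execmod open };` requirement widen this interface beyond what the commit message describes — none of the quoted denials is for execmod — and `open` is required but never used in any rule. execmod permits executing a modified (text-relocated) mapping of the target files, which is a notable weakening for every caller of systemd_service_lib_function, so either drop those two lines or add a comment above them citing the denial that motivates execmod. The gen_require block now mixes the original space indentation with tab-indented new lines; refpolicy uses tabs throughout, so the two context lines could be re-indented in the same change.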
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 74f9c1cb..f1d26a44 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
 allow systemd_tmpfiles_t init_t:dir search;
 allow systemd_tmpfiles_t proc_t:filesystem getattr;
-allow systemd_tmpfiles_t init_t:file read;
+allow systemd_tmpfiles_t init_t:file { open getattr read };
 allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
 
 kernel_getattr_proc(systemd_tmpfiles_t)
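Review bot: `allow systemd_tmpfiles_t init_t:file { open getattr read };` spells the permission set out by hand while the hunk header line in this same file uses `read_file_perms`; the idiomatic form is `allow systemd_tmpfiles_t init_t:file read_file_perms;` (it additionally grants lock and ioctl, which is the usual set for reading). The quoted denial is for /proc/1/environ, i.e. PID 1's environment, so a comment such as `# systemd-tmpfiles reads /proc/1/environ` above the rule would record why tmpfiles needs read access to init_t's proc entries. refpolicy's init.if provides `init_read_state()` for exactly this kind of access; if it exists in this tree it would also avoid the raw cross-module reference to init_t.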
-- 
2.19.1