1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
From 6ac3c261a7cfc3a5d38ccc420f1ea371258c49fa Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:54:17 +0530
Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
services
fix for systemd tmp files setup service while using refpolicy-minimum and
systemd as init manager.
these allow rules require kernel domain & files access, so added interfaces
at systemd.te to merge these allow rules.
without these changes we are getting avc denails like these and below
systemd services failure:
audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
tclass=dir permissive=0
[FAILED] Failed to start Create Static Device Nodes in /dev.
See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
[FAILED] Failed to start Create Volatile Files and Directories.
See 'systemctl status systemd-tmpfiles-setup.service' for details.
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++
policy/modules/system/systemd.te | 2 ++
3 files changed, 42 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index eb067ad3..ff74f55a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
+
+########################################
+## <summary>
+## systemd tmp files access to kernel tmp files domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
+ gen_require(`
+ type tmp_t;
+ class lnk_file getattr;
+ ')
+
+ allow $1 tmp_t:lnk_file getattr;
+')
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 1ad282aa..342eb033 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
allow $1 unlabeled_t:infiniband_endport manage_subnet;
')
+########################################
+## <summary>
+## systemd tmp files access to kernel sysctl domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
+ gen_require(`
+ type sysctl_kernel_t;
+ class dir search;
+ class file { open read };
+ ')
+
+ allow $1 sysctl_kernel_t:dir search;
+ allow $1 sysctl_kernel_t:file { open read };
+
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a62c3c38..9b696823 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1121,3 +1121,5 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
kernel_read_system_state(systemd_update_done_t)
+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
--
2.19.1
|