1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:51:32 +0530
Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
services allow rules
systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.
without this change we are getting these errors:
:~# systemctl status selinux-init.service
Failed to get properties: Access denied
:~# systemctl stop selinux-init.service
Failed to stop selinux-init.service: Access denied
:~# systemctl restart selinux-init.service
audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0
gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
restart selinux-init.service" scontext=unconfined_u:unconfined_r:
unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
Upstream-Status: Pending
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/init.te | 4 +++
policy/modules/system/libraries.te | 3 +++
policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++
policy/modules/system/unconfined.te | 6 +++++
4 files changed, 52 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d8696580..e15ec4b9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1425,3 +1425,7 @@ optional_policy(`
allow kernel_t init_t:process dyntransition;
allow devpts_t device_t:filesystem associate;
allow init_t self:capability2 block_suspend;
+allow init_t self:capability2 audit_read;
+
+allow initrc_t init_t:system { start status };
+allow initrc_t init_var_run_t:service { start status };
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 422b0ea1..80b0c9a5 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -145,3 +145,6 @@ optional_policy(`
optional_policy(`
unconfined_domain(ldconfig_t)
')
+
+# systemd: init domain to start lib domain service
+systemd_service_lib_function(lib_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 6353ca69..4519a448 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',`
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')
+
+########################################
+## <summary>
+## Allow specified domain to start stop reset systemd service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_service_file_operations',`
+ gen_require(`
+ class service { start status stop };
+ ')
+
+ allow $1 lib_t:service { start status stop };
+
+')
+
+
+########################################
+## <summary>
+## Allow init domain to start lib domain service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_service_lib_function',`
+ gen_require(`
+ class service start;
+ ')
+
+ allow initrc_t $1:service start;
+
+')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 12cc0d7c..c09e94a5 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
unconfined_dbus_chat(unconfined_execmem_t)
')
+
+
+# systemd: specified domain to start stop reset systemd service
+systemd_service_file_operations(unconfined_t)
+
+allow unconfined_t init_t:system reload;
--
2.19.1
|