refpolicy-minimum: systemd: mount: logging: authlogin: add allow rules

add allow rules for avc denails for systemd, mount, logging & authlogin modules. without this change we are getting avc. denials from these modules. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Shrikant Bobade <shrikant_bobade@mentor.com> 2016-08-29 19:06:47 +0530
committer: Joe MacDonald <joe_macdonald@mentor.com> 2016-09-01 14:30:46 -0400
commit: 2b022c1f4bd2369f7b66b764b2d16c7f19680e93 (patch)
tree: 5cdb9855cda5d9287dda4768b7a0b6548f973926
parent: 6cd54990a2428083dc87b53bd5e79a34f5864279 (diff)
download: meta-selinux-2b022c1f4bd2369f7b66b764b2d16c7f19680e93.tar.gz
2 files changed, 94 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
new file mode 100644
index 0000000..35a8e1b
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,93 @@
+From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+ add allow rules
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+without this change we are getting avc denial like these:
+type=AVC msg=audit(): avc:  denied  { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+type=AVC msg=audit(): avc:  denied  { open } for  pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+type=AVC msg=audit(): avc:  denied  { read write } for  pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+type=AVC msg=audit(): avc:  denied  { unix_read unix_write } for  pid=292
+comm="syslogd" key=1095648583  scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+Upstream-Status: Pending
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te   | 7 ++++++-
+ policy/modules/system/mount.te     | 3 +++
+ policy/modules/system/systemd.te   | 6 ++++++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index f80dfcb..5fab54a 100644
+--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
+@@ -464,3 +464,5 @@ optional_policy(`
+        samba_read_var_files(nsswitch_domain)
+        samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
+
+allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index fdf86ef..107db03 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+ 
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
+allow klogd_t initrc_t:unix_dgram_socket sendto;
+
+allow syslogd_t self:shm create;
+allow syslogd_t self:sem { create read unix_write write };
+allow syslogd_t self:shm { read unix_read unix_write write };
+allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 1c2fc33..b699309 100644
+--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
+@@ -229,3 +229,6 @@ optional_policy(`
+        files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+        unconfined_domain(unconfined_mount_t)
+ ')
+
+allow mount_t proc_t:filesystem getattr;
+allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index fdb9fef..734d455 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+        files_relabel_non_security_dirs(systemd_tmpfiles_t)
+        files_relabel_non_security_files(systemd_tmpfiles_t)
+ ')
+
+allow systemd_tmpfiles_t init_t:dir search;
+allow systemd_tmpfiles_t proc_t:filesystem getattr;
+allow systemd_tmpfiles_t init_t:file read;
+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+allow systemd_tmpfiles_t self:capability net_admin;
+-- 
+1.9.1
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 9e1dc9b..f4b80bc 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -74,4 +74,5 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPO
 SYSTEMD_REFPOLICY_PATCHES = " \
        file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
        file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
+        file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
        "
author	Shrikant Bobade <shrikant_bobade@mentor.com>	2016-08-29 19:06:47 +0530
committer	Joe MacDonald <joe_macdonald@mentor.com>	2016-09-01 14:30:46 -0400
commit	2b022c1f4bd2369f7b66b764b2d16c7f19680e93 (patch)
tree	5cdb9855cda5d9287dda4768b7a0b6548f973926
parent	6cd54990a2428083dc87b53bd5e79a34f5864279 (diff)
download	meta-selinux-2b022c1f4bd2369f7b66b764b2d16c7f19680e93.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch new file mode 100644 index 0000000..35a8e1b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,93 @@
		1	From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001
		2	From: Shrikant Bobade <shrikant_bobade@mentor.com>
		3	Date: Fri, 26 Aug 2016 17:53:37 +0530
		4	Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin:
		5	add allow rules
		6
		7	add allow rules for avc denails for systemd, mount, logging & authlogin
		8	modules.
		9
		10	without this change we are getting avc denial like these:
		11
		12	type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
		13	tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
		14	systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
		15	unix_dgram_socket permissive=0
		16
		17	type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
		18	tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
		19	system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
		20	file permissive=0
		21
		22	type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
		23	path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
		24	mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
		25
		26	type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
		27	comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
		28	tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
		29
		30	Upstream-Status: Pending
		31
		32	Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
		33	---
		34	policy/modules/system/authlogin.te \| 2 ++
		35	policy/modules/system/logging.te \| 7 ++++++-
		36	policy/modules/system/mount.te \| 3 +++
		37	policy/modules/system/systemd.te \| 6 ++++++
		38	4 files changed, 17 insertions(+), 1 deletion(-)
		39
		40	diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
		41	index f80dfcb..5fab54a 100644
		42	--- a/policy/modules/system/authlogin.te
		43	+++ b/policy/modules/system/authlogin.te
		44	@@ -464,3 +464,5 @@ optional_policy(`
		45	samba_read_var_files(nsswitch_domain)
		46	samba_dontaudit_write_var_files(nsswitch_domain)
		47	')
		48	+
		49	+allow chkpwd_t proc_t:filesystem getattr;
		50	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
		51	index fdf86ef..107db03 100644
		52	--- a/policy/modules/system/logging.te
		53	+++ b/policy/modules/system/logging.te
		54	@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
		55	allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
		56	allow auditd_t initrc_t:unix_dgram_socket sendto;
		57
		58	-allow klogd_t initrc_t:unix_dgram_socket sendto;
		59	\ No newline at end of file
		60	+allow klogd_t initrc_t:unix_dgram_socket sendto;
		61	+
		62	+allow syslogd_t self:shm create;
		63	+allow syslogd_t self:sem { create read unix_write write };
		64	+allow syslogd_t self:shm { read unix_read unix_write write };
		65	+allow syslogd_t tmpfs_t:file { read write };
		66	diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
		67	index 1c2fc33..b699309 100644
		68	--- a/policy/modules/system/mount.te
		69	+++ b/policy/modules/system/mount.te
		70	@@ -229,3 +229,6 @@ optional_policy(`
		71	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
		72	unconfined_domain(unconfined_mount_t)
		73	')
		74	+
		75	+allow mount_t proc_t:filesystem getattr;
		76	+allow mount_t initrc_t:udp_socket { read write };
		77	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
		78	index fdb9fef..734d455 100644
		79	--- a/policy/modules/system/systemd.te
		80	+++ b/policy/modules/system/systemd.te
		81	@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
		82	files_relabel_non_security_dirs(systemd_tmpfiles_t)
		83	files_relabel_non_security_files(systemd_tmpfiles_t)
		84	')
		85	+
		86	+allow systemd_tmpfiles_t init_t:dir search;
		87	+allow systemd_tmpfiles_t proc_t:filesystem getattr;
		88	+allow systemd_tmpfiles_t init_t:file read;
		89	+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
		90	+allow systemd_tmpfiles_t self:capability net_admin;
		91	--
		92	1.9.1
		93


diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 9e1dc9b..f4b80bc 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -74,4 +74,5 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPO
74	SYSTEMD_REFPOLICY_PATCHES = " \	74	SYSTEMD_REFPOLICY_PATCHES = " \
75	file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \	75	file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
76	file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \	76	file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
		77	file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
77	"	78	"