diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-minimum')
9 files changed, 0 insertions, 699 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch b/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch deleted file mode 100644 index b5ca0f8..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch +++ /dev/null | |||
| @@ -1,121 +0,0 @@ | |||
| 1 | From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:51:32 +0530 | ||
| 4 | Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd | ||
| 5 | services allow rules | ||
| 6 | |||
| 7 | systemd allow rules for systemd service file operations: start, stop, restart | ||
| 8 | & allow rule for unconfined systemd service. | ||
| 9 | |||
| 10 | without this change we are getting these errors: | ||
| 11 | :~# systemctl status selinux-init.service | ||
| 12 | Failed to get properties: Access denied | ||
| 13 | |||
| 14 | :~# systemctl stop selinux-init.service | ||
| 15 | Failed to stop selinux-init.service: Access denied | ||
| 16 | |||
| 17 | :~# systemctl restart selinux-init.service | ||
| 18 | audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj= | ||
| 19 | system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 | ||
| 20 | gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl | ||
| 21 | restart selinux-init.service" scontext=unconfined_u:unconfined_r: | ||
| 22 | unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service | ||
| 23 | |||
| 24 | Upstream-Status: Pending | ||
| 25 | |||
| 26 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 27 | --- | ||
| 28 | policy/modules/system/init.te | 6 +++++- | ||
| 29 | policy/modules/system/libraries.te | 3 +++ | ||
| 30 | policy/modules/system/systemd.if | 40 +++++++++++++++++++++++++++++++++++++ | ||
| 31 | policy/modules/system/unconfined.te | 6 ++++++ | ||
| 32 | 4 files changed, 54 insertions(+), 1 deletion(-) | ||
| 33 | |||
| 34 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
| 35 | index d710fb0..f9d7114 100644 | ||
| 36 | --- a/policy/modules/system/init.te | ||
| 37 | +++ b/policy/modules/system/init.te | ||
| 38 | @@ -1114,3 +1114,7 @@ optional_policy(` | ||
| 39 | allow kernel_t init_t:process dyntransition; | ||
| 40 | allow devpts_t device_t:filesystem associate; | ||
| 41 | allow init_t self:capability2 block_suspend; | ||
| 42 | +allow init_t self:capability2 audit_read; | ||
| 43 | + | ||
| 44 | +allow initrc_t init_t:system { start status }; | ||
| 45 | +allow initrc_t init_var_run_t:service { start status }; | ||
| 46 | diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te | ||
| 47 | index 0f5cd56..df98fe9 100644 | ||
| 48 | --- a/policy/modules/system/libraries.te | ||
| 49 | +++ b/policy/modules/system/libraries.te | ||
| 50 | @@ -144,3 +144,6 @@ optional_policy(` | ||
| 51 | optional_policy(` | ||
| 52 | unconfined_domain(ldconfig_t) | ||
| 53 | ') | ||
| 54 | + | ||
| 55 | +# systemd: init domain to start lib domain service | ||
| 56 | +systemd_service_lib_function(lib_t) | ||
| 57 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | ||
| 58 | index 3cd6670..822c03d 100644 | ||
| 59 | --- a/policy/modules/system/systemd.if | ||
| 60 | +++ b/policy/modules/system/systemd.if | ||
| 61 | @@ -171,3 +171,43 @@ interface(`systemd_start_power_units',` | ||
| 62 | |||
| 63 | allow $1 power_unit_t:service start; | ||
| 64 | ') | ||
| 65 | + | ||
| 66 | + | ||
| 67 | +######################################## | ||
| 68 | +## <summary> | ||
| 69 | +## Allow specified domain to start stop reset systemd service | ||
| 70 | +## </summary> | ||
| 71 | +## <param name="domain"> | ||
| 72 | +## <summary> | ||
| 73 | +## Domain to not audit. | ||
| 74 | +## </summary> | ||
| 75 | +## </param> | ||
| 76 | +# | ||
| 77 | +interface(`systemd_service_file_operations',` | ||
| 78 | + gen_require(` | ||
| 79 | + class service { start status stop }; | ||
| 80 | + ') | ||
| 81 | + | ||
| 82 | + allow $1 lib_t:service { start status stop }; | ||
| 83 | + | ||
| 84 | +') | ||
| 85 | + | ||
| 86 | + | ||
| 87 | +######################################## | ||
| 88 | +## <summary> | ||
| 89 | +## Allow init domain to start lib domain service | ||
| 90 | +## </summary> | ||
| 91 | +## <param name="domain"> | ||
| 92 | +## <summary> | ||
| 93 | +## Domain to not audit. | ||
| 94 | +## </summary> | ||
| 95 | +## </param> | ||
| 96 | +# | ||
| 97 | +interface(`systemd_service_lib_function',` | ||
| 98 | + gen_require(` | ||
| 99 | + class service start; | ||
| 100 | + ') | ||
| 101 | + | ||
| 102 | + allow initrc_t $1:service start; | ||
| 103 | + | ||
| 104 | +') | ||
| 105 | diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te | ||
| 106 | index 99cab31..87a1b03 100644 | ||
| 107 | --- a/policy/modules/system/unconfined.te | ||
| 108 | +++ b/policy/modules/system/unconfined.te | ||
| 109 | @@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) | ||
| 110 | optional_policy(` | ||
| 111 | unconfined_dbus_chat(unconfined_execmem_t) | ||
| 112 | ') | ||
| 113 | + | ||
| 114 | + | ||
| 115 | +# systemd: specified domain to start stop reset systemd service | ||
| 116 | +systemd_service_file_operations(unconfined_t) | ||
| 117 | + | ||
| 118 | +allow unconfined_t init_t:system reload; | ||
| 119 | -- | ||
| 120 | 1.9.1 | ||
| 121 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch deleted file mode 100644 index 23bc397..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch +++ /dev/null | |||
| @@ -1,67 +0,0 @@ | |||
| 1 | From edbc234baecfbf5b8e2dbadc976750071d5e7f7f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:51:44 +0530 | ||
| 4 | Subject: [PATCH 2/9] refpolicy-minimum: audit: logging: getty: audit related | ||
| 5 | allow rules | ||
| 6 | |||
| 7 | add allow rules for audit.log file & resolve dependent avc denials. | ||
| 8 | |||
| 9 | without this change we are getting audit avc denials mixed into bootlog & | ||
| 10 | audit other avc denials. | ||
| 11 | |||
| 12 | audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount" | ||
| 13 | name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0 | ||
| 14 | audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" | ||
| 15 | path="/run/systemd/journal/dev-log" scontext=sy0 | ||
| 16 | audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" | ||
| 17 | path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0 | ||
| 18 | audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/ | ||
| 19 | volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t | ||
| 20 | :s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 | ||
| 21 | |||
| 22 | Upstream-Status: Pending | ||
| 23 | |||
| 24 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 25 | --- | ||
| 26 | policy/modules/system/getty.te | 3 +++ | ||
| 27 | policy/modules/system/logging.te | 8 ++++++++ | ||
| 28 | 2 files changed, 11 insertions(+) | ||
| 29 | |||
| 30 | diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te | ||
| 31 | index f6743ea..84eaf77 100644 | ||
| 32 | --- a/policy/modules/system/getty.te | ||
| 33 | +++ b/policy/modules/system/getty.te | ||
| 34 | @@ -139,3 +139,6 @@ optional_policy(` | ||
| 35 | optional_policy(` | ||
| 36 | udev_read_db(getty_t) | ||
| 37 | ') | ||
| 38 | + | ||
| 39 | +allow getty_t tmpfs_t:dir search; | ||
| 40 | +allow getty_t tmpfs_t:file { open write lock }; | ||
| 41 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
| 42 | index 9b18aad..fdf86ef 100644 | ||
| 43 | --- a/policy/modules/system/logging.te | ||
| 44 | +++ b/policy/modules/system/logging.te | ||
| 45 | @@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms; | ||
| 46 | allow audisp_t self:unix_dgram_socket create_socket_perms; | ||
| 47 | |||
| 48 | allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; | ||
| 49 | +allow audisp_t initrc_t:unix_dgram_socket sendto; | ||
| 50 | |||
| 51 | manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) | ||
| 52 | files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) | ||
| 53 | @@ -569,3 +570,10 @@ optional_policy(` | ||
| 54 | # log to the xconsole | ||
| 55 | xserver_rw_console(syslogd_t) | ||
| 56 | ') | ||
| 57 | + | ||
| 58 | + | ||
| 59 | +allow auditd_t tmpfs_t:file { getattr setattr create open read append }; | ||
| 60 | +allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; | ||
| 61 | +allow auditd_t initrc_t:unix_dgram_socket sendto; | ||
| 62 | + | ||
| 63 | +allow klogd_t initrc_t:unix_dgram_socket sendto; | ||
| 64 | \ No newline at end of file | ||
| 65 | -- | ||
| 66 | 1.9.1 | ||
| 67 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch deleted file mode 100644 index 35a8e1b..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch +++ /dev/null | |||
| @@ -1,93 +0,0 @@ | |||
| 1 | From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:53:37 +0530 | ||
| 4 | Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin: | ||
| 5 | add allow rules | ||
| 6 | |||
| 7 | add allow rules for avc denails for systemd, mount, logging & authlogin | ||
| 8 | modules. | ||
| 9 | |||
| 10 | without this change we are getting avc denial like these: | ||
| 11 | |||
| 12 | type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd- | ||
| 13 | tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r: | ||
| 14 | systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass= | ||
| 15 | unix_dgram_socket permissive=0 | ||
| 16 | |||
| 17 | type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd- | ||
| 18 | tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u: | ||
| 19 | system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass= | ||
| 20 | file permissive=0 | ||
| 21 | |||
| 22 | type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount" | ||
| 23 | path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r: | ||
| 24 | mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket | ||
| 25 | |||
| 26 | type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292 | ||
| 27 | comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 | ||
| 28 | tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1 | ||
| 29 | |||
| 30 | Upstream-Status: Pending | ||
| 31 | |||
| 32 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 33 | --- | ||
| 34 | policy/modules/system/authlogin.te | 2 ++ | ||
| 35 | policy/modules/system/logging.te | 7 ++++++- | ||
| 36 | policy/modules/system/mount.te | 3 +++ | ||
| 37 | policy/modules/system/systemd.te | 6 ++++++ | ||
| 38 | 4 files changed, 17 insertions(+), 1 deletion(-) | ||
| 39 | |||
| 40 | diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te | ||
| 41 | index f80dfcb..5fab54a 100644 | ||
| 42 | --- a/policy/modules/system/authlogin.te | ||
| 43 | +++ b/policy/modules/system/authlogin.te | ||
| 44 | @@ -464,3 +464,5 @@ optional_policy(` | ||
| 45 | samba_read_var_files(nsswitch_domain) | ||
| 46 | samba_dontaudit_write_var_files(nsswitch_domain) | ||
| 47 | ') | ||
| 48 | + | ||
| 49 | +allow chkpwd_t proc_t:filesystem getattr; | ||
| 50 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
| 51 | index fdf86ef..107db03 100644 | ||
| 52 | --- a/policy/modules/system/logging.te | ||
| 53 | +++ b/policy/modules/system/logging.te | ||
| 54 | @@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; | ||
| 55 | allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; | ||
| 56 | allow auditd_t initrc_t:unix_dgram_socket sendto; | ||
| 57 | |||
| 58 | -allow klogd_t initrc_t:unix_dgram_socket sendto; | ||
| 59 | \ No newline at end of file | ||
| 60 | +allow klogd_t initrc_t:unix_dgram_socket sendto; | ||
| 61 | + | ||
| 62 | +allow syslogd_t self:shm create; | ||
| 63 | +allow syslogd_t self:sem { create read unix_write write }; | ||
| 64 | +allow syslogd_t self:shm { read unix_read unix_write write }; | ||
| 65 | +allow syslogd_t tmpfs_t:file { read write }; | ||
| 66 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te | ||
| 67 | index 1c2fc33..b699309 100644 | ||
| 68 | --- a/policy/modules/system/mount.te | ||
| 69 | +++ b/policy/modules/system/mount.te | ||
| 70 | @@ -229,3 +229,6 @@ optional_policy(` | ||
| 71 | files_etc_filetrans_etc_runtime(unconfined_mount_t, file) | ||
| 72 | unconfined_domain(unconfined_mount_t) | ||
| 73 | ') | ||
| 74 | + | ||
| 75 | +allow mount_t proc_t:filesystem getattr; | ||
| 76 | +allow mount_t initrc_t:udp_socket { read write }; | ||
| 77 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
| 78 | index fdb9fef..734d455 100644 | ||
| 79 | --- a/policy/modules/system/systemd.te | ||
| 80 | +++ b/policy/modules/system/systemd.te | ||
| 81 | @@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',` | ||
| 82 | files_relabel_non_security_dirs(systemd_tmpfiles_t) | ||
| 83 | files_relabel_non_security_files(systemd_tmpfiles_t) | ||
| 84 | ') | ||
| 85 | + | ||
| 86 | +allow systemd_tmpfiles_t init_t:dir search; | ||
| 87 | +allow systemd_tmpfiles_t proc_t:filesystem getattr; | ||
| 88 | +allow systemd_tmpfiles_t init_t:file read; | ||
| 89 | +allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | ||
| 90 | +allow systemd_tmpfiles_t self:capability net_admin; | ||
| 91 | -- | ||
| 92 | 1.9.1 | ||
| 93 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch deleted file mode 100644 index 3623215..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch +++ /dev/null | |||
| @@ -1,53 +0,0 @@ | |||
| 1 | From 0e99f9e7c6d69d5f784fe7352c9507791d8cbef9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:53:46 +0530 | ||
| 4 | Subject: [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type | ||
| 5 | local_login_t | ||
| 6 | |||
| 7 | add allow rules for locallogin module avc denials. | ||
| 8 | |||
| 9 | without this change we are getting errors like these: | ||
| 10 | |||
| 11 | type=AVC msg=audit(): avc: denied { read write open } for pid=353 | ||
| 12 | comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext | ||
| 13 | =system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r: | ||
| 14 | var_log_t:s0 tclass=file permissive=1 | ||
| 15 | |||
| 16 | type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login" | ||
| 17 | path="/run/systemd/journal/dev-log" scontext=system_u:system_r: | ||
| 18 | local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 | ||
| 19 | tclass=unix_dgram_socket permissive=1 | ||
| 20 | |||
| 21 | type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path= | ||
| 22 | "/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r | ||
| 23 | :local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass | ||
| 24 | =file permissive=1 | ||
| 25 | |||
| 26 | Upstream-Status: Pending | ||
| 27 | |||
| 28 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 29 | --- | ||
| 30 | policy/modules/system/locallogin.te | 10 ++++++++++ | ||
| 31 | 1 file changed, 10 insertions(+) | ||
| 32 | |||
| 33 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | ||
| 34 | index 53923f8..09ec33f 100644 | ||
| 35 | --- a/policy/modules/system/locallogin.te | ||
| 36 | +++ b/policy/modules/system/locallogin.te | ||
| 37 | @@ -274,3 +274,13 @@ optional_policy(` | ||
| 38 | optional_policy(` | ||
| 39 | nscd_use(sulogin_t) | ||
| 40 | ') | ||
| 41 | + | ||
| 42 | +allow local_login_t initrc_t:fd use; | ||
| 43 | +allow local_login_t initrc_t:unix_dgram_socket sendto; | ||
| 44 | +allow local_login_t initrc_t:unix_stream_socket connectto; | ||
| 45 | +allow local_login_t self:capability net_admin; | ||
| 46 | +allow local_login_t var_log_t:file { create lock open read write }; | ||
| 47 | +allow local_login_t var_run_t:file { open read write lock}; | ||
| 48 | +allow local_login_t var_run_t:sock_file write; | ||
| 49 | +allow local_login_t tmpfs_t:dir { add_name write search}; | ||
| 50 | +allow local_login_t tmpfs_t:file { create open read write lock }; | ||
| 51 | -- | ||
| 52 | 1.9.1 | ||
| 53 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch b/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch deleted file mode 100644 index c88f2b2..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch +++ /dev/null | |||
| @@ -1,36 +0,0 @@ | |||
| 1 | From 07b7eb45458de8a6781019a927c66aabe736e03a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:53:53 +0530 | ||
| 4 | Subject: [PATCH 5/9] refpolicy-minimum: init: fix reboot with systemd as init | ||
| 5 | manager. | ||
| 6 | |||
| 7 | add allow rule to fix avc denial during system reboot. | ||
| 8 | |||
| 9 | without this change we are getting: | ||
| 10 | |||
| 11 | audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj= | ||
| 12 | system_u:system_r:init_t:s0 msg='avc: denied { reboot } for auid=n/a uid=0 | ||
| 13 | gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r: | ||
| 14 | initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system | ||
| 15 | |||
| 16 | Upstream-Status: Pending | ||
| 17 | |||
| 18 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 19 | --- | ||
| 20 | policy/modules/system/init.te | 2 +- | ||
| 21 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 22 | |||
| 23 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
| 24 | index f9d7114..19a7a20 100644 | ||
| 25 | --- a/policy/modules/system/init.te | ||
| 26 | +++ b/policy/modules/system/init.te | ||
| 27 | @@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate; | ||
| 28 | allow init_t self:capability2 block_suspend; | ||
| 29 | allow init_t self:capability2 audit_read; | ||
| 30 | |||
| 31 | -allow initrc_t init_t:system { start status }; | ||
| 32 | +allow initrc_t init_t:system { start status reboot }; | ||
| 33 | allow initrc_t init_var_run_t:service { start status }; | ||
| 34 | -- | ||
| 35 | 1.9.1 | ||
| 36 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch deleted file mode 100644 index bf7b980..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch +++ /dev/null | |||
| @@ -1,47 +0,0 @@ | |||
| 1 | refpolicy-minimum: systemd: mount: enable required refpolicy booleans | ||
| 2 | |||
| 3 | enable required refpolicy booleans for these modules | ||
| 4 | |||
| 5 | i. mount: allow_mount_anyfile | ||
| 6 | without enabling this boolean we are getting below avc denial | ||
| 7 | |||
| 8 | audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media | ||
| 9 | /mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 | ||
| 10 | tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0 | ||
| 11 | |||
| 12 | This avc can be allowed using the boolean 'allow_mount_anyfile' | ||
| 13 | allow mount_t initrc_var_run_t:dir mounton; | ||
| 14 | |||
| 15 | ii. systemd : systemd_tmpfiles_manage_all | ||
| 16 | without enabling this boolean we are not getting access to mount systemd | ||
| 17 | essential tmpfs during bootup, also not getting access to create audit.log | ||
| 18 | |||
| 19 | audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name= | ||
| 20 | "sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles | ||
| 21 | _t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0 | ||
| 22 | |||
| 23 | ls /var/log | ||
| 24 | /var/log -> volatile/log | ||
| 25 | :~# | ||
| 26 | |||
| 27 | Upstream-Status: Pending | ||
| 28 | |||
| 29 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 30 | |||
| 31 | --- a/policy/booleans.conf | ||
| 32 | +++ b/policy/booleans.conf | ||
| 33 | @@ -1156,12 +1156,12 @@ racoon_read_shadow = false | ||
| 34 | # | ||
| 35 | # Allow the mount command to mount any directory or file. | ||
| 36 | # | ||
| 37 | -allow_mount_anyfile = false | ||
| 38 | +allow_mount_anyfile = true | ||
| 39 | |||
| 40 | # | ||
| 41 | # Enable support for systemd-tmpfiles to manage all non-security files. | ||
| 42 | # | ||
| 43 | -systemd_tmpfiles_manage_all = false | ||
| 44 | +systemd_tmpfiles_manage_all = true | ||
| 45 | |||
| 46 | # | ||
| 47 | # Allow users to connect to mysql | ||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch deleted file mode 100644 index 2dd90fe..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch +++ /dev/null | |||
| @@ -1,102 +0,0 @@ | |||
| 1 | From 5a1cef9e4a9472982f6c68190f3aa20c73c8de1e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:54:09 +0530 | ||
| 4 | Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal | ||
| 5 | service | ||
| 6 | |||
| 7 | 1. fix for systemd services: login & journal wile using refpolicy-minimum and | ||
| 8 | systemd as init manager. | ||
| 9 | 2. fix login duration after providing root password. | ||
| 10 | |||
| 11 | without these changes we are getting avc denails like these and below | ||
| 12 | systemd services failure: | ||
| 13 | |||
| 14 | audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/ | ||
| 15 | systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r: | ||
| 16 | local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 | ||
| 17 | tclass=fifo_file permissive=0 | ||
| 18 | |||
| 19 | audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path | ||
| 20 | ="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r: | ||
| 21 | systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file | ||
| 22 | |||
| 23 | audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u: | ||
| 24 | system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path | ||
| 25 | ="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl | ||
| 26 | --flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r: | ||
| 27 | lib_t:s0 tclass=service | ||
| 28 | |||
| 29 | [FAILED] Failed to start Flush Journal to Persistent Storage. | ||
| 30 | See 'systemctl status systemd-journal-flush.service' for details. | ||
| 31 | |||
| 32 | [FAILED] Failed to start Login Service. | ||
| 33 | See 'systemctl status systemd-logind.service' for details. | ||
| 34 | |||
| 35 | [FAILED] Failed to start Avahi mDNS/DNS-SD Stack. | ||
| 36 | See 'systemctl status avahi-daemon.service' for details. | ||
| 37 | |||
| 38 | Upstream-Status: Pending | ||
| 39 | |||
| 40 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 41 | --- | ||
| 42 | policy/modules/system/init.te | 5 +++++ | ||
| 43 | policy/modules/system/locallogin.te | 3 +++ | ||
| 44 | policy/modules/system/systemd.if | 6 ++++-- | ||
| 45 | policy/modules/system/systemd.te | 3 ++- | ||
| 46 | 4 files changed, 14 insertions(+), 3 deletions(-) | ||
| 47 | |||
| 48 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
| 49 | index 19a7a20..cefa59d 100644 | ||
| 50 | --- a/policy/modules/system/init.te | ||
| 51 | +++ b/policy/modules/system/init.te | ||
| 52 | @@ -1105,3 +1105,5 @@ allow init_t self:capability2 audit_read; | ||
| 53 | |||
| 54 | allow initrc_t init_t:system { start status reboot }; | ||
| 55 | allow initrc_t init_var_run_t:service { start status }; | ||
| 56 | + | ||
| 57 | +allow initrc_t init_var_run_t:service stop; | ||
| 58 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | ||
| 59 | index 09ec33f..be25c82 100644 | ||
| 60 | --- a/policy/modules/system/locallogin.te | ||
| 61 | +++ b/policy/modules/system/locallogin.te | ||
| 62 | @@ -284,3 +284,6 @@ allow local_login_t var_run_t:file { open read write lock}; | ||
| 63 | allow local_login_t var_run_t:sock_file write; | ||
| 64 | allow local_login_t tmpfs_t:dir { add_name write search}; | ||
| 65 | allow local_login_t tmpfs_t:file { create open read write lock }; | ||
| 66 | +allow local_login_t init_var_run_t:fifo_file write; | ||
| 67 | +allow local_login_t initrc_t:dbus send_msg; | ||
| 68 | +allow initrc_t local_login_t:dbus send_msg; | ||
| 69 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | ||
| 70 | index 822c03d..8723527 100644 | ||
| 71 | --- a/policy/modules/system/systemd.if | ||
| 72 | +++ b/policy/modules/system/systemd.if | ||
| 73 | @@ -205,9 +205,11 @@ interface(`systemd_service_file_operations',` | ||
| 74 | # | ||
| 75 | interface(`systemd_service_lib_function',` | ||
| 76 | gen_require(` | ||
| 77 | - class service start; | ||
| 78 | + class service { start status stop }; | ||
| 79 | + class file { execmod open }; | ||
| 80 | ') | ||
| 81 | |||
| 82 | - allow initrc_t $1:service start; | ||
| 83 | + allow initrc_t $1:service { start status stop }; | ||
| 84 | + allow initrc_t $1:file execmod; | ||
| 85 | |||
| 86 | ') | ||
| 87 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
| 88 | index 70ccb0e..22021eb 100644 | ||
| 89 | --- a/policy/modules/system/systemd.te | ||
| 90 | +++ b/policy/modules/system/systemd.te | ||
| 91 | @@ -265,6 +265,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',` | ||
| 92 | |||
| 93 | allow systemd_tmpfiles_t init_t:dir search; | ||
| 94 | allow systemd_tmpfiles_t proc_t:filesystem getattr; | ||
| 95 | -allow systemd_tmpfiles_t init_t:file read; | ||
| 96 | allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | ||
| 97 | allow systemd_tmpfiles_t self:capability net_admin; | ||
| 98 | + | ||
| 99 | +allow systemd_tmpfiles_t init_t:file { open getattr read }; | ||
| 100 | -- | ||
| 101 | 1.9.1 | ||
| 102 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch deleted file mode 100644 index a7338e1..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch +++ /dev/null | |||
| @@ -1,111 +0,0 @@ | |||
| 1 | From ec96260a28f9aae44afc8eec0e089bf95a36b557 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:54:17 +0530 | ||
| 4 | Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files | ||
| 5 | services | ||
| 6 | |||
| 7 | fix for systemd tmp files setup service while using refpolicy-minimum and | ||
| 8 | systemd as init manager. | ||
| 9 | |||
| 10 | these allow rules require kernel domain & files access, so added interfaces | ||
| 11 | at systemd.te to merge these allow rules. | ||
| 12 | |||
| 13 | without these changes we are getting avc denails like these and below | ||
| 14 | systemd services failure: | ||
| 15 | |||
| 16 | audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile" | ||
| 17 | path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd | ||
| 18 | _tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file | ||
| 19 | |||
| 20 | audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile" | ||
| 21 | name="kernel" dev="proc" ino=9341 scontext=system_u:system_r: | ||
| 22 | systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 | ||
| 23 | tclass=dir permissive=0 | ||
| 24 | |||
| 25 | [FAILED] Failed to start Create Static Device Nodes in /dev. | ||
| 26 | See 'systemctl status systemd-tmpfiles-setup-dev.service' for details. | ||
| 27 | |||
| 28 | [FAILED] Failed to start Create Volatile Files and Directories. | ||
| 29 | See 'systemctl status systemd-tmpfiles-setup.service' for details. | ||
| 30 | |||
| 31 | Upstream-Status: Pending | ||
| 32 | |||
| 33 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 34 | --- | ||
| 35 | policy/modules/kernel/files.if | 19 +++++++++++++++++++ | ||
| 36 | policy/modules/kernel/kernel.if | 23 +++++++++++++++++++++++ | ||
| 37 | policy/modules/system/systemd.te | 3 +++ | ||
| 38 | 3 files changed, 45 insertions(+) | ||
| 39 | |||
| 40 | diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if | ||
| 41 | index 1cedea2..4ea7d55 100644 | ||
| 42 | --- a/policy/modules/kernel/files.if | ||
| 43 | +++ b/policy/modules/kernel/files.if | ||
| 44 | @@ -6729,3 +6729,22 @@ interface(`files_unconfined',` | ||
| 45 | |||
| 46 | typeattribute $1 files_unconfined_type; | ||
| 47 | ') | ||
| 48 | + | ||
| 49 | +######################################## | ||
| 50 | +## <summary> | ||
| 51 | +## systemd tmp files access to kernel tmp files domain | ||
| 52 | +## </summary> | ||
| 53 | +## <param name="domain"> | ||
| 54 | +## <summary> | ||
| 55 | +## Domain allowed access. | ||
| 56 | +## </summary> | ||
| 57 | +## </param> | ||
| 58 | +# | ||
| 59 | +interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',` | ||
| 60 | + gen_require(` | ||
| 61 | + type tmp_t; | ||
| 62 | + class lnk_file getattr; | ||
| 63 | + ') | ||
| 64 | + | ||
| 65 | + allow $1 tmp_t:lnk_file getattr; | ||
| 66 | +') | ||
| 67 | diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if | ||
| 68 | index f1130d1..4604441 100644 | ||
| 69 | --- a/policy/modules/kernel/kernel.if | ||
| 70 | +++ b/policy/modules/kernel/kernel.if | ||
| 71 | @@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',` | ||
| 72 | typeattribute $1 kern_unconfined; | ||
| 73 | kernel_load_module($1) | ||
| 74 | ') | ||
| 75 | + | ||
| 76 | +######################################## | ||
| 77 | +## <summary> | ||
| 78 | +## systemd tmp files access to kernel sysctl domain | ||
| 79 | +## </summary> | ||
| 80 | +## <param name="domain"> | ||
| 81 | +## <summary> | ||
| 82 | +## Domain allowed access. | ||
| 83 | +## </summary> | ||
| 84 | +## </param> | ||
| 85 | +# | ||
| 86 | +interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',` | ||
| 87 | + gen_require(` | ||
| 88 | + type sysctl_kernel_t; | ||
| 89 | + class dir search; | ||
| 90 | + class file { open read }; | ||
| 91 | + ') | ||
| 92 | + | ||
| 93 | + allow $1 sysctl_kernel_t:dir search; | ||
| 94 | + allow $1 sysctl_kernel_t:file { open read }; | ||
| 95 | + | ||
| 96 | +') | ||
| 97 | + | ||
| 98 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
| 99 | index 22021eb..8813664 100644 | ||
| 100 | --- a/policy/modules/system/systemd.te | ||
| 101 | +++ b/policy/modules/system/systemd.te | ||
| 102 | @@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | ||
| 103 | allow systemd_tmpfiles_t self:capability net_admin; | ||
| 104 | |||
| 105 | allow systemd_tmpfiles_t init_t:file { open getattr read }; | ||
| 106 | + | ||
| 107 | +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) | ||
| 108 | +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) | ||
| 109 | -- | ||
| 110 | 1.9.1 | ||
| 111 | |||
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch deleted file mode 100644 index b01947d..0000000 --- a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch +++ /dev/null | |||
| @@ -1,69 +0,0 @@ | |||
| 1 | From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:54:29 +0530 | ||
| 4 | Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog | ||
| 5 | |||
| 6 | syslog & getty related allow rules required to fix the syslog mixup with | ||
| 7 | boot log, while using systemd as init manager. | ||
| 8 | |||
| 9 | without this change we are getting these avc denials: | ||
| 10 | |||
| 11 | audit: avc: denied { search } for pid=484 comm="syslogd" name="/" | ||
| 12 | dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext= | ||
| 13 | system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 | ||
| 14 | |||
| 15 | audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev= | ||
| 16 | "tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u: | ||
| 17 | object_r:tmpfs_t:s0 tclass=dir permissive=0 | ||
| 18 | |||
| 19 | audit: avc: denied { add_name } for pid=390 comm="syslogd" name= | ||
| 20 | "messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r | ||
| 21 | :tmpfs_t:s0 tclass=dir permissive=0 | ||
| 22 | |||
| 23 | audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd | ||
| 24 | /journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u: | ||
| 25 | system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0 | ||
| 26 | |||
| 27 | audit: avc: denied { create } for pid=374 comm="syslogd" name="messages" | ||
| 28 | scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t: | ||
| 29 | s0 tclass=file permissive=0 | ||
| 30 | |||
| 31 | audit: avc: denied { append } for pid=423 comm="syslogd" name="messages" | ||
| 32 | dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext= | ||
| 33 | system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 | ||
| 34 | |||
| 35 | audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/ | ||
| 36 | volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r: | ||
| 37 | syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 | ||
| 38 | |||
| 39 | Upstream-Status: Pending | ||
| 40 | |||
| 41 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 42 | --- | ||
| 43 | policy/modules/system/getty.te | 1 + | ||
| 44 | policy/modules/system/logging.te | 3 ++- | ||
| 45 | 2 files changed, 3 insertions(+), 1 deletion(-) | ||
| 46 | |||
| 47 | diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te | ||
| 48 | index 84eaf77..2e53daf 100644 | ||
| 49 | --- a/policy/modules/system/getty.te | ||
| 50 | +++ b/policy/modules/system/getty.te | ||
| 51 | @@ -142,3 +142,4 @@ optional_policy(` | ||
| 52 | |||
| 53 | allow getty_t tmpfs_t:dir search; | ||
| 54 | allow getty_t tmpfs_t:file { open write lock }; | ||
| 55 | +allow getty_t initrc_t:unix_dgram_socket sendto; | ||
| 56 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
| 57 | index 107db03..95de86d 100644 | ||
| 58 | --- a/policy/modules/system/logging.te | ||
| 59 | +++ b/policy/modules/system/logging.te | ||
| 60 | @@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto; | ||
| 61 | allow syslogd_t self:shm create; | ||
| 62 | allow syslogd_t self:sem { create read unix_write write }; | ||
| 63 | allow syslogd_t self:shm { read unix_read unix_write write }; | ||
| 64 | -allow syslogd_t tmpfs_t:file { read write }; | ||
| 65 | +allow syslogd_t tmpfs_t:file { read write create getattr append open }; | ||
| 66 | +allow syslogd_t tmpfs_t:dir { search write add_name }; | ||
| 67 | -- | ||
| 68 | 1.9.1 | ||
| 69 | |||