From 01556456a076d4e96d8a292872ea277580df26ce Mon Sep 17 00:00:00 2001 From: Shrikant Bobade Date: Mon, 29 Aug 2016 19:08:07 +0530 Subject: refpolicy-minimum: systemd: mount: enable required refpolicy booleans enable required refpolicy booleans for these modules mount: allow_mount_anyfile & systemd:systemd_tmpfiles_manage_all Signed-off-by: Shrikant Bobade Signed-off-by: Joe MacDonald
---
 ...inimum-systemd-mount-enable-requiried-ref.patch | 47 ++++++++++++++++++++++
 .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
new file mode 100644
index 0000000..bf7b980
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
@@ -0,0 +1,47 @@
+refpolicy-minimum: systemd: mount: enable required refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount: allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc: denied { mounton } for pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc: denied { search } for pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls /var/log
+ /var/log -> volatile/log
+:~#
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade
+
+--- a/policy/booleans.conf
++++ b/policy/booleans.conf
+@@ -1156,12 +1156,12 @@ racoon_read_shadow = false
+ #
+ # Allow the mount command to mount any directory or file.
+ #
+-allow_mount_anyfile = false
++allow_mount_anyfile = true
+ 
+ #
+ # Enable support for systemd-tmpfiles to manage all non-security files.
+ #
+-systemd_tmpfiles_manage_all = false
++systemd_tmpfiles_manage_all = true
+ 
+ #
+ # Allow users to connect to mysql
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 9c806c4..1647c28 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
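Review bot: Flipping `allow_mount_anyfile` and `systemd_tmpfiles_manage_all` to `true` in policy/booleans.conf grants considerably more than the two AVC denials quoted in the patch description require; by the hunk's own comments, the first lets the mount command mount on any directory or file and the second lets systemd-tmpfiles manage all non-security files, and both apply system-wide rather than to the two paths in the denials. The description already names the narrow rule that clears the first denial, `allow mount_t initrc_var_run_t:dir mounton;`, so a targeted allow rule, or labelling the /run/media mount point with a type mount_t is already permitted to mount on, would keep the policy closer to least privilege; the second denial is a `search` on a `sysctl_t` directory, and the hunk only asserts, without showing, that the tmpfiles boolean is what resolves it. If the global booleans are kept because this is the minimum policy, the patch description should state that trade-off explicitly, e.g. `Both booleans are enabled globally; they widen mount_t and systemd_tmpfiles_t well beyond the two quoted denials and should be replaced by targeted rules once identified.` The new file name also spells "requiried" (and refpolicy-minimum_2.20151208.bb references it the same way); fixing the name before it lands avoids a later rename churning the recipe.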
@@ -77,4 +77,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
 file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
 file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
 file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+ file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
 "
--
cgit v1.2.3-54-g00ecf