From 2b022c1f4bd2369f7b66b764b2d16c7f19680e93 Mon Sep 17 00:00:00 2001 From: Shrikant Bobade Date: Mon, 29 Aug 2016 19:06:47 +0530 Subject: refpolicy-minimum: systemd: mount: logging: authlogin: add allow rules add allow rules for avc denails for systemd, mount, logging & authlogin modules. without this change we are getting avc. denials from these modules. Signed-off-by: Shrikant Bobade Signed-off-by: Joe MacDonald --- ...inimum-systemd-mount-logging-authlogin-ad.patch | 93 ++++++++++++++++++++++ .../refpolicy/refpolicy-minimum_2.20151208.bb | 1 + 2 files changed, 94 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch diff --git a/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch new file mode 100644 index 0000000..35a8e1b --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch @@ -0,0 +1,93 @@ +From edae03ea521a501a2b3229383609f1aec85575c1 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:53:37 +0530 +Subject: [PATCH 3/9] refpolicy-minimum: systemd: mount: logging: authlogin: + add allow rules + +add allow rules for avc denails for systemd, mount, logging & authlogin +modules. + +without this change we are getting avc denial like these: + +type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd- +tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r: +systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass= +unix_dgram_socket permissive=0 + +type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd- +tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u: +system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass= +file permissive=0 + +type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount" +path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r: +mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket + +type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292 +comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 +tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1 + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +--- + policy/modules/system/authlogin.te | 2 ++ + policy/modules/system/logging.te | 7 ++++++- + policy/modules/system/mount.te | 3 +++ + policy/modules/system/systemd.te | 6 ++++++ + 4 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index f80dfcb..5fab54a 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -464,3 +464,5 @@ optional_policy(` + samba_read_var_files(nsswitch_domain) + samba_dontaudit_write_var_files(nsswitch_domain) + ') ++ ++allow chkpwd_t proc_t:filesystem getattr; +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index fdf86ef..107db03 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; + allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; + allow auditd_t initrc_t:unix_dgram_socket sendto; + +-allow klogd_t initrc_t:unix_dgram_socket sendto; +\ No newline at end of file ++allow klogd_t initrc_t:unix_dgram_socket sendto; ++ ++allow syslogd_t self:shm create; ++allow syslogd_t self:sem { create read unix_write write }; ++allow syslogd_t self:shm { read unix_read unix_write write }; ++allow syslogd_t tmpfs_t:file { read write }; +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index 1c2fc33..b699309 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -229,3 +229,6 @@ optional_policy(` + files_etc_filetrans_etc_runtime(unconfined_mount_t, file) + unconfined_domain(unconfined_mount_t) + ') ++ ++allow mount_t proc_t:filesystem getattr; ++allow mount_t initrc_t:udp_socket { read write }; +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index fdb9fef..734d455 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',` + files_relabel_non_security_dirs(systemd_tmpfiles_t) + files_relabel_non_security_files(systemd_tmpfiles_t) + ') ++ ++allow systemd_tmpfiles_t init_t:dir search; ++allow systemd_tmpfiles_t proc_t:filesystem getattr; ++allow systemd_tmpfiles_t init_t:file read; ++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; ++allow systemd_tmpfiles_t self:capability net_admin; +-- +1.9.1 + diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 9e1dc9b..f4b80bc 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb @@ -74,4 +74,5 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPO SYSTEMD_REFPOLICY_PATCHES = " \ file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \ file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \ + file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \ " -- cgit v1.2.3-54-g00ecf