From ec36df125da565fe1a9b64000151afaf40c2887d Mon Sep 17 00:00:00 2001 From: Shrikant Bobade Date: Fri, 26 Aug 2016 17:51:32 +0530 Subject: [PATCH 3/9] refpolicy-minimum: systemd:unconfined:lib: add systemd services allow rules systemd allow rules for systemd service file operations: start, stop, restart & allow rule for unconfined systemd service. without this change we are getting these errors: :~# systemctl status selinux-init.service Failed to get properties: Access denied :~# systemctl stop selinux-init.service Failed to stop selinux-init.service: Access denied :~# systemctl restart selinux-init.service audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj= system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl restart selinux-init.service" scontext=unconfined_u:unconfined_r: unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service Upstream-Status: Pending Signed-off-by: Shrikant Bobade Signed-off-by: Joe MacDonald --- policy/modules/system/init.te | 4 +++ policy/modules/system/libraries.te | 3 +++ policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++ policy/modules/system/unconfined.te | 6 +++++ 4 files changed, 52 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index d8696580..e15ec4b9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1425,3 +1425,7 @@ optional_policy(` allow kernel_t init_t:process dyntransition; allow devpts_t device_t:filesystem associate; allow init_t self:capability2 block_suspend; +allow init_t self:capability2 audit_read; + +allow initrc_t init_t:system { start status }; +allow initrc_t init_var_run_t:service { start status }; diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 422b0ea1..80b0c9a5 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -145,3 +145,6 @@ optional_policy(` optional_policy(` unconfined_domain(ldconfig_t) ') + +# systemd: init domain to start lib domain service +systemd_service_lib_function(lib_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 6353ca69..4519a448 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -905,3 +905,42 @@ interface(`systemd_getattr_updated_runtime',` getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t) ') + +######################################## +## +## Allow specified domain to start stop reset systemd service +## +## +## +## Domain to not audit. +## +## +# +interface(`systemd_service_file_operations',` + gen_require(` + class service { start status stop }; + ') + + allow $1 lib_t:service { start status stop }; + +') + + +######################################## +## +## Allow init domain to start lib domain service +## +## +## +## Domain to not audit. +## +## +# +interface(`systemd_service_lib_function',` + gen_require(` + class service start; + ') + + allow initrc_t $1:service start; + +') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 12cc0d7c..c09e94a5 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -240,3 +240,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) optional_policy(` unconfined_dbus_chat(unconfined_execmem_t) ') + + +# systemd: specified domain to start stop reset systemd service +systemd_service_file_operations(unconfined_t) + +allow unconfined_t init_t:system reload; -- 2.19.1