From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001 From: Shrikant Bobade Date: Fri, 26 Aug 2016 17:54:17 +0530 Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files services fix for systemd tmp files setup service while using refpolicy-minimum and systemd as init manager. these allow rules require kernel domain & files access, so added interfaces at systemd.te to merge these allow rules. without these changes we are getting avc denails like these and below systemd services failure: audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile" path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd _tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile" name="kernel" dev="proc" ino=9341 scontext=system_u:system_r: systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=0 [FAILED] Failed to start Create Static Device Nodes in /dev. See 'systemctl status systemd-tmpfiles-setup-dev.service' for details. [FAILED] Failed to start Create Volatile Files and Directories. See 'systemctl status systemd-tmpfiles-setup.service' for details. Upstream-Status: Pending Signed-off-by: Shrikant Bobade Signed-off-by: Joe MacDonald --- policy/modules/kernel/files.if | 19 +++++++++++++++++++ policy/modules/kernel/kernel.if | 21 +++++++++++++++++++++ policy/modules/system/systemd.te | 2 ++ 3 files changed, 42 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index eb067ad3..ff74f55a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -7076,3 +7076,22 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') + +######################################## +## +## systemd tmp files access to kernel tmp files domain +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',` + gen_require(` + type tmp_t; + class lnk_file getattr; + ') + + allow $1 tmp_t:lnk_file getattr; +') diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 1ad282aa..342eb033 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',` allow $1 unlabeled_t:infiniband_endport manage_subnet; ') +######################################## +## +## systemd tmp files access to kernel sysctl domain +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',` + gen_require(` + type sysctl_kernel_t; + class dir search; + class file { open read }; + ') + + allow $1 sysctl_kernel_t:dir search; + allow $1 sysctl_kernel_t:file { open read }; + +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index f1d26a44..b4c64bc1 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated seutil_read_file_contexts(systemd_update_done_t) +systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t) +systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t) systemd_log_parse_environment(systemd_update_done_t) -- 2.19.1