path: root/recipes-security/refpolicy/refpolicy-minimum/0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch
From 17507a42ce91376b00069ff22b43786894910ed6 Mon Sep 17 00:00:00 2001
From: Shrikant Bobade <shrikant_bobade@mentor.com>
Date: Fri, 26 Aug 2016 17:51:32 +0530
Subject: [PATCH 1/9] refpolicy-minimum: systemd:unconfined:lib: add systemd
 services allow rules

systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.

without this change we are getting these errors:
:~# systemctl status selinux-init.service
Failed to get properties: Access denied

:~# systemctl stop selinux-init.service
Failed to stop selinux-init.service: Access denied

:~# systemctl restart  selinux-init.service
audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
restart selinux-init.service" scontext=unconfined_u:unconfined_r:
unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service

Upstream-Status: Pending

Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
---
 policy/modules/system/init.te       |  6 +++++-
 policy/modules/system/libraries.te  |  3 +++
 policy/modules/system/systemd.if    | 40 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/unconfined.te |  6 ++++++
 4 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d710fb0..f9d7114 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1100,4 +1100,8 @@ optional_policy(`
 # systemd related allow rules
 allow kernel_t init_t:process dyntransition;
 allow devpts_t device_t:filesystem associate;
-allow init_t self:capability2 block_suspend;
\ No newline at end of file
+allow init_t self:capability2 block_suspend;
+allow init_t self:capability2 audit_read;
+
+allow initrc_t init_t:system { start status };
+allow initrc_t init_var_run_t:service { start status };
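Review bot: The rules added after `block_suspend` are not backed by any denial in the commit message, which quotes only an unconfined_t to lib_t `service start` AVC. `allow init_t self:capability2 audit_read;` and the two `initrc_t` rules should each carry a comment naming the denial they resolve, or move to a separate patch. A comment such as `# systemd: initrc_t starts/queries units owned by init_t (AVC: <denial to be quoted>)` above the `initrc_t` lines would let a later auditor judge whether `start` is still needed or `status` alone is enough. As far as the hunk shows, the rules also sit outside any systemd-specific conditional, so every build of this policy gets them.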
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0f5cd56..df98fe9 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -144,3 +144,6 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(ldconfig_t)
 ')
+
+# systemd: init domain to start lib domain service
+systemd_service_lib_function(lib_t)
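Review bot: `systemd_service_lib_function(lib_t)` lets initrc_t start any service object labelled lib_t, and lib_t is the generic label for library files, so the grant is much wider than the single unit the commit message is about. The quoted AVC shows `/lib/systemd/system/selinux-init.service` carrying `lib_t`, which suggests the unit files are simply mislabelled. Giving that directory a dedicated unit-file type in the file contexts, and allowing `service` permissions on that type only, would keep the rule scoped to units. The call is also unconditional, which makes the systemd module a hard dependency of libraries.te; wrapping it in `optional_policy(` … `')` like the block just above would avoid that, and the same applies to `systemd_service_file_operations(unconfined_t)` in unconfined.te.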
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 3cd6670..822c03d 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
 
 	allow $1 power_unit_t:service start;
 ')
+
+
+########################################
+## <summary>
+## Allow specified domain to start stop reset systemd service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_service_file_operations',`
+         gen_require(`
+               class service { start status stop };
+         ')
+
+	allow $1 lib_t:service { start status stop };
+
+')
+
+
+########################################
+## <summary>
+## Allow init domain to start lib domain service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_service_lib_function',`
+         gen_require(`
+               class service start;
+         ')
+
+	allow initrc_t $1:service start;
+
+')
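Review bot: Both new interfaces use a type that their `gen_require` does not declare: `systemd_service_file_operations` uses `lib_t` and `systemd_service_lib_function` uses `initrc_t`, while only `class service` is required. Add `type lib_t;` and `type initrc_t;` to the respective `gen_require` blocks so the interfaces stay valid when expanded in another module. The parameter text `Domain to not audit.` is copied from a dontaudit interface and is wrong for an allow rule; `Domain allowed access.` is the usual wording, and in `systemd_service_lib_function` the parameter is the target type rather than a domain. The first summary says "start stop reset" while the rule grants `{ start status stop }`, and the bodies mix space and tab indentation.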
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 99cab31..87a1b03 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
 optional_policy(`
 	unconfined_dbus_chat(unconfined_execmem_t)
 ')
+
+
+# systemd: specified domain to start stop reset systemd service
+systemd_service_file_operations(unconfined_t)
+
+allow unconfined_t init_t:system reload;
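Review bot: `allow unconfined_t init_t:system reload;` is not mentioned in the commit message and names `init_t` directly from unconfined.te instead of going through an interface of the init module. If a reload denial was observed, quote it in the description and grant the permission through an init interface, or at least document the rule with a comment such as `# systemd: manager reload requested from unconfined_t`, so the cross-module dependency is explicit. The comment above `systemd_service_file_operations(unconfined_t)` says "start stop reset", although the interface as added in systemd.if grants start, status and stop.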
-- 
1.9.1