[yocto] [meta-selinux] [PATCH 6/9] refpolicy-minimum: systemd: mount: enable required refpolicy booleans

Shrikant Bobade bobadeshrikant at gmail.com
Mon Aug 29 06:38:07 PDT 2016


From: Shrikant Bobade <shrikant_bobade at mentor.com>

Enable required refpolicy booleans for these modules: mount:
allow_mount_anyfile and systemd: systemd_tmpfiles_manage_all

Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
---
 ...inimum-systemd-mount-enable-requiried-ref.patch | 47 ++++++++++++++++++++++
 .../refpolicy/refpolicy-minimum_2.20151208.bb      |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch

diff --git a/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
new file mode 100644
index 0000000..bf7b980
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
@@ -0,0 +1,47 @@
+refpolicy-minimum: systemd: mount: enable required refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount:  allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc:  denied  { mounton } for  pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+audit(): avc:  denied  { search } for  pid=168 comm="systemd-tmpfile" name=
+"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
+_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
+
+ ls  /var/log
+ /var/log -> volatile/log
+:~#
+
+Upstream-Status: Pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
+
+--- a/policy/booleans.conf
++++ b/policy/booleans.conf
+@@ -1156,12 +1156,12 @@ racoon_read_shadow = false
+ #
+ # Allow the mount command to mount any directory or file.
+ # 
+-allow_mount_anyfile = false
++allow_mount_anyfile = true
+ 
+ #
+ # Enable support for systemd-tmpfiles to manage all non-security files.
+ # 
+-systemd_tmpfiles_manage_all = false
++systemd_tmpfiles_manage_all = true
+ 
+ #
+ # Allow users to connect to mysql
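Review bot: Enabling `allow_mount_anyfile` and `systemd_tmpfiles_manage_all` in booleans.conf changes the policy default for every image built from this recipe, and both booleans grant far more than the two denials quoted above require: the first lets mount_t mount on any directory or file on the system, the second lets systemd_tmpfiles_t manage all non-security files. The description already names the narrow rule that clears the first AVC, `allow mount_t initrc_var_run_t:dir mounton;`; consider adding that rule (or a file context for /run/media so it is not labelled initrc_var_run_t) in the mount module instead of flipping the boolean, and likewise a targeted `search` rule on sysctl_t:dir for systemd_tmpfiles_t. If the booleans are kept, the description should say why the targeted rules were not sufficient. Two smaller points in the same hunk: the text says audit.log cannot be created, but no AVC for that is shown, only the `ls /var/log` output, whose `:~#` prompt line appears after the listing and looks reordered; please include the relevant denial or drop the claim. And `Upstream-Status: Pending` is doubtful for a booleans.conf default change, which upstream refpolicy would treat as distro configuration rather than a policy fix.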
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 9c806c4..1647c28 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -77,4 +77,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
 	file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
 	file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
 	file://0005-refpolicy-minimum-init-fix-reboot-with-systemd-as-in.patch \
+	file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
 	"
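Review bot: The new patch file name carries the typo `requiried`, and this hunk bakes it into SYSTEMD_REFPOLICY_PATCHES; rename the file to `0006-refpolicy-minimum-systemd-mount-enable-required-ref.patch` and update this line before merging, since a later rename means touching the recipe again. Also, because the file is listed under SYSTEMD_REFPOLICY_PATCHES it is only applied for systemd-based images, yet `allow_mount_anyfile` affects mount_t regardless of the init manager; if the /run/media denial also occurs with sysvinit, the mount boolean belongs in the common patch list, and if not, the commit message should state that the denial is systemd-specific.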
-- 
1.9.1



