[yocto] [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208

Shrikant Bobade bobadeshrikant at gmail.com
Fri Jul 1 06:43:23 PDT 2016


Hi,

Using refpolicy-minimum v20151208 with systemd as the init manager,

I am facing a few issues in enforcing mode:
1. systemd service status check, start & stop
2. auditd log file error, so its output is mixed into the boot log.
3. other AVC denials related to tmpfs & other types, etc.


Setup details: poky and meta-selinux, both at master HEAD, with systemd enabled,
and these SELinux booleans enabled: i. systemd_tmpfiles_manage_all
ii. allow_mount_anyfile

I captured the AVC denials needed to get systemd running properly; attached is
SELinux-Modules.txt, the allow rules generated with the audit tools.
I am trying to merge these modules into the actual refpolicy modules, so we get
an out-of-the-box experience with smooth systemd execution.
I observed that the policy store sometimes seems corrupted when I start inserting
the allow rules from the prepared policy modules into the actual refpolicy modules.

Has anyone else faced similar issues?

Any pointers or references will be a great help.


Thanks
Shrikant
-------------- next part --------------
############################# SELinux Modules ################################



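# Consolidated form of the audit2allow output below: the same set of
# permissions as the original per-denial snippets, with the duplicated
# require blocks merged into one and the repeated rules removed
# (auditd_t tmpfs_t:dir open and klogd_t initrc_t:unix_dgram_socket sendto
# each appeared twice; the six auditd_t tmpfs_t:file rules and the five
# auditd_t tmpfs_t:dir rules are folded into one rule each). Loading one
# module instead of many overlapping ones also avoids repeatedly
# re-declaring the same requires in the policy store.
#
# NOTE(review): these are allow rules generated from denials, not a
# root-cause fix. Two of them look like labeling problems rather than
# missing policy and should be checked before being merged into refpolicy:
#  - unconfined_t -> lib_t:service {status start stop} grants service
#    control over anything carrying the generic lib_t type; the unit files
#    being labeled lib_t rather than a systemd unit type is the likely cause
#    of the service start/stop/status failures described in the mail.
#  - auditd_t -> tmpfs_t:file/dir rules let auditd create and write files
#    on any tmpfs-labeled location; this suggests the audit log directory
#    is on tmpfs without a dedicated log type (refpolicy's logging module
#    defines auditd_log_t for that), which matches the "auditd logfile
#    error" symptom. Prefer fixing the file context over widening tmpfs_t.
# The klogd_t rule is flagged by audit2allow itself as already allowed.

require {
	type unconfined_t;
	type init_t;
	type initrc_t;
	type auditd_t;
	type tmpfs_t;
	type var_run_t;
	type syslogd_t;
	type systemd_tmpfiles_t;
	type klogd_t;
	type chkpwd_t;
	type local_login_t;
	type proc_t;
	type getty_t;
	type mount_t;
	type lib_t;
	class system reload;
	class service { status start stop };
	class file { create open read append getattr setattr };
	class dir { open read search add_name write };
	class unix_dgram_socket sendto;
	class capability2 audit_read;
	class filesystem getattr;
	class shm create;
}

#============= unconfined_t ==============
# system reload covers "systemctl daemon-reload"; the service rules cover
# status/start/stop against units currently labeled lib_t (see note above).
allow unconfined_t init_t:system reload;
allow unconfined_t lib_t:service { status start stop };

#============= auditd_t ==============
# Merged from the per-permission snippets: file and directory access on
# tmpfs_t, plus sending datagrams to the initrc_t socket.
allow auditd_t tmpfs_t:file { create open read append getattr setattr };
allow auditd_t tmpfs_t:dir { open read search add_name write };
allow auditd_t initrc_t:unix_dgram_socket sendto;

#============= chkpwd_t ==============
allow chkpwd_t proc_t:filesystem getattr;

#============= getty_t ==============
allow getty_t tmpfs_t:dir search;

#============= init_t ==============
allow init_t self:capability2 audit_read;

#============= klogd_t ==============

#!!!! This avc is allowed in the current policy
allow klogd_t initrc_t:unix_dgram_socket sendto;

#============= local_login_t ==============
allow local_login_t var_run_t:file read;

#============= mount_t ==============
allow mount_t proc_t:filesystem getattr;

#============= syslogd_t ==============
allow syslogd_t self:shm create;

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t init_t:dir search;
allow systemd_tmpfiles_t proc_t:filesystem getattr;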

##################################################################################

