[yocto] [meta-selinux][RFC 1/8] systemd:unconfined:lib: add systemd services allow rules

Shrikant Bobade bobadeshrikant at gmail.com
Fri Jul 29 02:08:49 PDT 2016


From: Shrikant Bobade <shrikant_bobade at mentor.com>

systemd allow rules for systemd service file operations: start, stop, restart
& allow rule for unconfined systemd service.

Without this change we are getting AVC denials and "Access denied" errors when performing operations on the service file.

Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
---
 ...onfined-lib-add-systemd-services-allow-ru.patch | 123 +++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc             |   9 ++
 2 files changed, 132 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch
new file mode 100644
index 0000000..2b09e1c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch
@@ -0,0 +1,123 @@
+From 0bd77bedc3edab3703738f018cf76c70c8026a16 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade at mentor.com>
+Date: Mon, 25 Jul 2016 16:58:59 +0530
+Subject: [PATCH 1/6] systemd:unconfined:lib: add systemd services allow rules
+
+systemd allow rules for systemd service file operations: start, stop, restart
+& allow rule for unconfined systemd service.
+
+without this change we are getting these errors:
+:~# systemctl status selinux-init.service
+Failed to get properties: Access denied
+
+:~# systemctl stop selinux-init.service
+Failed to stop selinux-init.service: Access denied
+
+:~# systemctl restart  selinux-init.service
+audit: type=1107 audit: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0
+gid=0 path="/lib/systemd/system/selinux-init.service" cmdline="systemctl
+restart selinux-init.service" scontext=unconfined_u:unconfined_r:
+unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
+---
+ policy/modules/system/init.te       |  6 +++++-
+ policy/modules/system/libraries.te  |  3 +++
+ policy/modules/system/systemd.if    | 40 +++++++++++++++++++++++++++++++++++++
+ policy/modules/system/unconfined.te |  6 ++++++
+ 4 files changed, 54 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index d710fb0..f9d7114 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1100,4 +1100,8 @@ optional_policy(`
+ # systemd related allow rules
+ allow kernel_t init_t:process dyntransition;
+ allow devpts_t device_t:filesystem associate;
+-allow init_t self:capability2 block_suspend;
+\ No newline at end of file
++allow init_t self:capability2 block_suspend;
++allow init_t self:capability2 audit_read;
++
++allow initrc_t init_t:system { start status };
++allow initrc_t init_var_run_t:service { start status };
+diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
+index 0f5cd56..df98fe9 100644
+--- a/policy/modules/system/libraries.te
++++ b/policy/modules/system/libraries.te
+@@ -144,3 +144,6 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_domain(ldconfig_t)
+ ')
++
++# systemd: init domain to start lib domain service
++systemd_service_lib_function(lib_t)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 3cd6670..822c03d 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -171,3 +171,43 @@ interface(`systemd_start_power_units',`
+ 
+ 	allow $1 power_unit_t:service start;
+ ')
++
++
++########################################
++## <summary>
++## Allow specified domain to start stop reset systemd service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_file_operations',`
++         gen_require(`
++               class service { start status stop };
++         ')
++
++	allow $1 lib_t:service { start status stop };
++
++')
++
++
++########################################
++## <summary>
++## Allow init domain to start lib domain service
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`systemd_service_lib_function',`
++         gen_require(`
++               class service start;
++         ')
++
++	allow initrc_t $1:service start;
++
++')
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 99cab31..87a1b03 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -220,3 +220,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
+ optional_policy(`
+ 	unconfined_dbus_chat(unconfined_execmem_t)
+ ')
++
++
++# systemd: specified domain to start stop reset systemd service
++systemd_service_file_operations(unconfined_t)
++
++allow unconfined_t init_t:system reload;
+-- 
+1.9.1
+
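Review bot: The new `systemd_service_file_operations` interface grants `$1 lib_t:service { start status stop }`, which presumably covers every unit file carrying the generic library label (the denial quoted in the message shows `/lib/systemd/system/selinux-init.service` labelled `lib_t`), so the caller gains control over all such units rather than the one it needs; the narrower fix is a dedicated unit-file type with a file context for it, following the `power_unit_t` pattern visible in the existing `systemd_start_power_units` interface, instead of widening `service` permissions on `lib_t`. `systemd_service_lib_function` also hard-codes `initrc_t` as the subject and takes the target as `$1`, which inverts the usual interface convention, and since `initrc_t` is declared in init.te rather than this module it likely needs `type initrc_t;` inside the `gen_require` block for a modular build to accept it. Both interfaces' `<param>` blocks say `## Domain to not audit.` although they add allow rules, and the summaries say "start stop reset" while the rule grants `{ start status stop }`; suggest `## Domain allowed access.` and `## Allow the specified domain to start, stop and query the status of systemd services.`.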
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index ce90b13..861bfdc 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -57,4 +57,13 @@ SRC_URI += " \
             file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
            "
 
+
+# systemd policy fixes
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPOLICY_PATCHES}', '', d)}"
+
+SYSTEMD_REFPOLICY_PATCHES = "\
+	file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \
+"
+
+
 include refpolicy_common.inc
-- 
1.9.1



