[yocto] [meta-selinux][RFC 3/8] systemd: mount: logging: authlogin: add allow rules

Shrikant Bobade bobadeshrikant at gmail.com
Fri Jul 29 02:09:59 PDT 2016


From: Shrikant Bobade <shrikant_bobade at mentor.com>

add allow rules for the AVC denials seen from the systemd, mount, logging and
authlogin modules. Without this change we are getting AVC denials from these
modules.

Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
---
 ...d-mount-logging-authlogin-add-allow-rules.patch | 92 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc             |  1 +
 2 files changed, 93 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch
new file mode 100644
index 0000000..8e330ce
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch
@@ -0,0 +1,92 @@
+From 9a9490491e6d4c30249033c84c21634dac988b06 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade at mentor.com>
+Date: Mon, 25 Jul 2016 18:10:28 +0530
+Subject: [PATCH 3/6] systemd: mount: logging: authlogin: add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc:  denied  { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc:  denied  { open } for  pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc:  denied  { read write } for  pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc:  denied  { unix_read unix_write } for  pid=292
+comm="syslogd" key=1095648583  scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te   | 7 ++++++-
+ policy/modules/system/mount.te     | 3 +++
+ policy/modules/system/systemd.te   | 6 ++++++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index f80dfcb..5fab54a 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -464,3 +464,5 @@ optional_policy(`
+ 	samba_read_var_files(nsswitch_domain)
+ 	samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index fdf86ef..107db03 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+ 
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 1c2fc33..b699309 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -229,3 +229,6 @@ optional_policy(`
+ 	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ 	unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index fdb9fef..734d455 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+ 	files_relabel_non_security_dirs(systemd_tmpfiles_t)
+ 	files_relabel_non_security_files(systemd_tmpfiles_t)
+ ')
++
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++allow systemd_tmpfiles_t self:capability net_admin;
+-- 
+1.9.1
+
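Review bot: `allow systemd_tmpfiles_t self:capability net_admin;` at the end of the systemd.te hunk grants a capability that none of the four AVC denials quoted in the patch header asks for (they cover sendto to initrc_t, open of /proc/1/environ, read/write on a leaked udp_socket and syslogd shm), so it should either be dropped or the motivating denial added to the description; the `self:sem` rule in logging.te has the same gap. For the rules that are justified, refpolicy convention is the owning module's interface rather than a raw `allow` on another module's type from a different .te file, e.g. `kernel_getattr_proc(mount_t)` in place of `allow mount_t proc_t:filesystem getattr;`, which also keeps the modular build from failing on types that are not required in that module. The `mount_t initrc_t:udp_socket { read write }` denial on `socket:[9717]` looks like an inherited descriptor leaked from the init script rather than something mount needs, which is normally silenced with a dontaudit rule instead of an allow; confirm which interfaces the 2.20151208 refpolicy exposes before switching.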
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index 4d07e62..c051aec 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -64,6 +64,7 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPO
 SYSTEMD_REFPOLICY_PATCHES = "\
 	file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \
 	file://0002-audit-logging-getty-audit-related-allow-rules.patch \
+	file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \
 "
 
 
-- 
1.9.1



