[yocto] [meta-selinux][RFC 8/8] systemd: fix for systemd tmp-files services
Shrikant Bobade
bobadeshrikant at gmail.com
Fri Jul 29 02:11:19 PDT 2016
From: Shrikant Bobade <shrikant_bobade at mentor.com>
fix for systemd tmp files setup services:
systemd-journal-flush.service & systemd-logind.service.
Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
---
...ystemd-fix-for-systemd-tmp-files-services.patch | 110 +++++++++++++++++++++
.../refpolicy/refpolicy_2.20151208.inc | 1 +
2 files changed, 111 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch
new file mode 100644
index 0000000..385e6e2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch
@@ -0,0 +1,110 @@
+From 2156e7428c5f58f3b13cfa95a1a4789299d2c448 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade at mentor.com>
+Date: Wed, 27 Jul 2016 19:42:43 +0530
+Subject: [PATCH 8/8] systemd: fix for systemd tmp-files services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
+---
+ policy/modules/kernel/files.if | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if | 23 +++++++++++++++++++++++
+ policy/modules/system/systemd.te | 3 +++
+ 3 files changed, 45 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 1cedea2..4ea7d55 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -6729,3 +6729,22 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## systemd tmp files access to kernel tmp files domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++ gen_require(`
++ type tmp_t;
++ class lnk_file getattr;
++ ')
++
++ allow $1 tmp_t:lnk_file getattr;
++')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index f1130d1..4604441 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',`
+ typeattribute $1 kern_unconfined;
+ kernel_load_module($1)
+ ')
++
++########################################
++## <summary>
++## systemd tmp files access to kernel sysctl domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++ gen_require(`
++ type sysctl_kernel_t;
++ class dir search;
++ class file { open read };
++ ')
++
++ allow $1 sysctl_kernel_t:dir search;
++ allow $1 sysctl_kernel_t:file { open read };
++
++')
++
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 22021eb..8813664 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+ allow systemd_tmpfiles_t self:capability net_admin;
+
+ allow systemd_tmpfiles_t init_t:file { open getattr read };
++
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
+--
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index 74f7e19..8a73293 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -69,6 +69,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \
file://0006-systemd-mount-enable-requiried-refpolicy-booleans.patch \
file://0007-systemd-fix-for-login-journal-service.patch \
+ file://0008-systemd-fix-for-systemd-tmp-files-services.patch \
"
--
1.9.1
More information about the yocto
mailing list