selinux-refpolicy/policy/modules/system/systemd.te

1510 lines
48 KiB
Plaintext
Raw Normal View History

policy_module(systemd, 1.10.9)
#########################################
#
# Declarations
#
## <desc>
## <p>
## Enable support for systemd-tmpfiles to manage all non-security files.
## </p>
## </desc>
gen_tunable(systemd_tmpfiles_manage_all, false)
2017-02-24 01:03:23 +00:00
## <desc>
## <p>
## Allow systemd-nspawn to create a labelled namespace with the same types
## as parent environment
## </p>
## </desc>
gen_tunable(systemd_nspawn_labeled_namespace, false)
systemd-logind: allow using BootLoaderEntries DBUS property systemd-logind exposes several properties related to the bootloader. One of them is BootLoaderEntries [1], which scans the disks using util-linux's blkid in order to find the ESP (EFI System Partition) [2][3]. This triggers the following logs in audit.log (where /dev/sda1 is the ESP, mounted on /boot): type=AVC msg=audit(1577692922.834:310): avc: denied { getattr } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1 type=AVC msg=audit(1577692922.841:311): avc: denied { search } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.841:312): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.841:313): avc: denied { read } for pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.841:313): avc: denied { open } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.844:314): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.844:315): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.851:316): avc: denied { read } for pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:316): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:317): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:318): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:319): avc: denied { read } for pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.851:319): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 As allowing read access to fixed disks (such as /dev/sda1 here) can be considered as dangerous, add a conditional to allow the accesses. [1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315 [2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118 [3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 19:51:45 +00:00
## <desc>
## <p>
## Allow systemd-logind to interact with the bootloader (read which one is
## installed on fixed disks, enumerate entries for dbus property
## BootLoaderEntries, etc.)
## </p>
## </desc>
gen_tunable(systemd_logind_get_bootloader, false)
## <desc>
## <p>
## Allow systemd-socket-proxyd to bind any port instead of one labelled
## with systemd_socket_proxyd_port_t.
## </p>
## </desc>
gen_tunable(systemd_socket_proxyd_bind_any, false)
## <desc>
## <p>
## Allow systemd-socket-proxyd to connect to any port instead of
## labelled ones.
## </p>
## </desc>
gen_tunable(systemd_socket_proxyd_connect_any, false)
attribute systemd_log_parse_env_type;
attribute systemd_tmpfiles_conf_type;
attribute systemd_user_session_type;
attribute_role systemd_sysusers_roles;
type systemd_activate_t;
type systemd_activate_exec_t;
init_system_domain(systemd_activate_t, systemd_activate_exec_t)
type systemd_analyze_t;
type systemd_analyze_exec_t;
init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
type systemd_backlight_t;
type systemd_backlight_exec_t;
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
type systemd_backlight_unit_t;
init_unit_file(systemd_backlight_unit_t)
type systemd_backlight_var_lib_t;
files_type(systemd_backlight_var_lib_t)
type systemd_binfmt_t;
type systemd_binfmt_exec_t;
init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
type systemd_binfmt_unit_t;
init_unit_file(systemd_binfmt_unit_t)
type systemd_conf_t;
files_config_file(systemd_conf_t)
type systemd_cgroups_t;
type systemd_cgroups_exec_t;
domain_type(systemd_cgroups_t)
domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
role system_r types systemd_cgroups_t;
type systemd_cgroups_runtime_t alias systemd_cgroups_var_run_t;
files_runtime_file(systemd_cgroups_runtime_t)
init_daemon_runtime_file(systemd_cgroups_runtime_t, dir, "systemd_cgroups")
type systemd_cgtop_t;
type systemd_cgtop_exec_t;
init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
type systemd_coredump_t;
type systemd_coredump_exec_t;
init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
2017-02-24 01:03:23 +00:00
type systemd_coredump_var_lib_t;
files_type(systemd_coredump_var_lib_t)
type systemd_detect_virt_t;
type systemd_detect_virt_exec_t;
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
type systemd_generator_t;
type systemd_generator_exec_t;
typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
typealias systemd_generator_exec_t alias { systemd_fstab_generator_exec_t systemd_gpt_generator_exec_t };
init_system_domain(systemd_generator_t, systemd_generator_exec_t)
type systemd_hostnamed_t;
type systemd_hostnamed_exec_t;
init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
type systemd_hw_t;
type systemd_hw_exec_t;
init_system_domain(systemd_hw_t, systemd_hw_exec_t)
type systemd_hwdb_t;
files_type(systemd_hwdb_t)
2017-02-24 01:03:23 +00:00
type systemd_journal_t;
files_type(systemd_journal_t)
logging_log_file(systemd_journal_t)
type systemd_locale_t;
type systemd_locale_exec_t;
init_system_domain(systemd_locale_t, systemd_locale_exec_t)
type systemd_logind_t;
type systemd_logind_exec_t;
init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
files_runtime_file(systemd_logind_inhibit_runtime_t)
init_mountpoint(systemd_logind_inhibit_runtime_t)
type systemd_logind_runtime_t alias systemd_logind_var_run_t;
files_runtime_file(systemd_logind_runtime_t)
init_daemon_runtime_file(systemd_logind_runtime_t, dir, "systemd_logind")
init_mountpoint(systemd_logind_runtime_t)
type systemd_logind_var_lib_t;
files_type(systemd_logind_var_lib_t)
init_mountpoint(systemd_logind_var_lib_t)
type systemd_machined_t;
type systemd_machined_exec_t;
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
type systemd_machined_runtime_t alias systemd_machined_var_run_t;
files_runtime_file(systemd_machined_runtime_t)
init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
2017-02-24 01:03:23 +00:00
type systemd_modules_load_t;
type systemd_modules_load_exec_t;
init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
type systemd_networkd_t;
type systemd_networkd_exec_t;
init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
files_runtime_file(systemd_networkd_runtime_t)
type systemd_networkd_unit_t;
init_unit_file(systemd_networkd_unit_t)
2017-02-24 01:03:23 +00:00
type systemd_notify_t;
type systemd_notify_exec_t;
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
type systemd_nspawn_t;
type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
mcs_killall(systemd_nspawn_t)
type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
files_runtime_file(systemd_nspawn_runtime_t)
2017-02-24 01:03:23 +00:00
type systemd_nspawn_tmp_t;
files_tmp_file(systemd_nspawn_tmp_t)
type systemd_pstore_t;
type systemd_pstore_exec_t;
init_system_domain(systemd_pstore_t, systemd_pstore_exec_t)
type systemd_pstore_var_lib_t;
files_type(systemd_pstore_var_lib_t)
type systemd_resolved_t;
type systemd_resolved_exec_t;
init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
files_runtime_file(systemd_resolved_runtime_t)
type systemd_run_t;
type systemd_run_exec_t;
init_daemon_domain(systemd_run_t, systemd_run_exec_t)
type systemd_stdio_bridge_t;
type systemd_stdio_bridge_exec_t;
init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
type systemd_passwd_agent_t;
type systemd_passwd_agent_exec_t;
init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
type systemd_passwd_runtime_t alias systemd_passwd_var_run_t;
files_runtime_file(systemd_passwd_runtime_t)
init_path_unit_location_file(systemd_passwd_runtime_t)
2017-02-24 01:03:23 +00:00
2017-08-14 20:32:29 +00:00
type systemd_rfkill_t;
type systemd_rfkill_exec_t;
init_daemon_domain(systemd_rfkill_t, systemd_rfkill_exec_t)
type systemd_rfkill_unit_t;
init_unit_file(systemd_rfkill_unit_t)
type systemd_rfkill_var_lib_t;
files_type(systemd_rfkill_var_lib_t)
type systemd_sessions_t;
type systemd_sessions_exec_t;
init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
type systemd_sessions_runtime_t alias systemd_sessions_var_run_t;
files_runtime_file(systemd_sessions_runtime_t)
init_daemon_runtime_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
init_mountpoint(systemd_sessions_runtime_t)
type systemd_socket_proxyd_t;
type systemd_socket_proxyd_exec_t;
init_daemon_domain(systemd_socket_proxyd_t, systemd_socket_proxyd_exec_t)
type systemd_socket_proxyd_port_t;
corenet_port(systemd_socket_proxyd_port_t)
type systemd_socket_proxyd_unit_file_t;
init_unit_file(systemd_socket_proxyd_unit_file_t)
type systemd_sysusers_t;
type systemd_sysusers_exec_t;
init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
role systemd_sysusers_roles types systemd_sysusers_t;
type systemd_tmpfiles_t;
type systemd_tmpfiles_exec_t;
init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
type systemd_tmpfiles_conf_t;
files_config_file(systemd_tmpfiles_conf_t)
type systemd_update_done_t;
type systemd_update_done_exec_t;
init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
type systemd_update_run_t;
files_type(systemd_update_run_t)
type systemd_user_runtime_notify_t;
userdom_user_runtime_content(systemd_user_runtime_notify_t)
type systemd_user_runtime_t;
userdom_user_runtime_content(systemd_user_runtime_t)
2020-01-31 21:46:56 +00:00
type systemd_user_runtime_dir_t;
type systemd_user_runtime_dir_exec_t;
init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
systemd: allow sd-executor to manage its memfd files When systemd --user runs helper programs in order to generate user environment variables, it reads memfd temporary files, which are labeled tmpfs_t: type=AVC msg=audit(1569787627.183:487): avc: denied { getattr } for pid=19182 comm="(sd-executor)" path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429 dev="tmpfs" ino=50062 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:object_r:tmpfs_t tclass=file permissive=1 type=SYSCALL msg=audit(1569787627.183:487): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7ffd324679d0 a2=7ffd324679d0 a3=4 items=0 ppid=19180 pid=19182 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=28 comm="(sd-executor)" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1569787627.183:487): proctitle="(sd-executor)" type=AVC msg=audit(1569787627.183:488): avc: denied { read } for pid=19182 comm="(sd-executor)" path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429 dev="tmpfs" ino=50062 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:object_r:tmpfs_t tclass=file permissive=1 type=SYSCALL msg=audit(1569787627.183:488): arch=c000003e syscall=0 success=yes exit=0 a0=a a1=559bf537abb0 a2=1000 a3=559bf5376010 items=0 ppid=19180 pid=19182 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=28 comm="(sd-executor)" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1569787627.183:488): proctitle="(sd-executor)" The hexadecimal path is "/memfd:30-systemd-environment-d-generator (deleted)". The name "(sd-executor)" is the name of a child process (cf. https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L222) and the name of the memfd file comes from "open_serialization_fd(name)" in https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L213. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-16 14:30:56 +00:00
type systemd_user_tmpfs_t;
userdom_user_tmpfs_file(systemd_user_tmpfs_t)
type systemd_userdb_runtime_t;
files_runtime_file(systemd_userdb_runtime_t)
#
# Unit file types
#
type power_unit_t;
init_unit_file(power_unit_t)
######################################
#
# Backlight local policy
#
2017-02-24 01:03:23 +00:00
allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
systemd_log_parse_environment(systemd_backlight_t)
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
dev_rw_sysfs(systemd_backlight_t)
2017-02-24 01:03:23 +00:00
# for udev.conf
files_read_etc_files(systemd_backlight_t)
2017-02-24 01:03:23 +00:00
# for /run/udev/data/+backlight*
udev_read_runtime_files(systemd_backlight_t)
files_search_var_lib(systemd_backlight_t)
#######################################
#
# Binfmt local policy
#
kernel_read_kernel_sysctls(systemd_binfmt_t)
systemd_log_parse_environment(systemd_binfmt_t)
# Allow to read /etc/binfmt.d/ files
files_read_etc_files(systemd_binfmt_t)
fs_register_binary_executable_type(systemd_binfmt_t)
Setup generic generator attribute and change generator types. I'm seeing problems on RHEL7 with lvm2-activation-generator that are coming from recent changes to put systemd-fstab-generator into it's own domain. I resolved the issues by creaing this generator attribute to grant common generator permissions and move all generators into a single systemd_generator_t domain. Then setup specific types for the following generators: lvm2-activation-generator - needs to read lvm2 config systemd-sysv-generator - needs to read stuff in init_t that other generators don't. systemd-efi-boot-generator - needs to read stuff on the EFI boot partition labeled boot_t For fstab generator allow it to write /sys [ 19.482951] type=1400 audit(1584548691.268:7): avc: denied { write } for pid=1638 comm="systemd-fstab-g" name="/" dev="sysfs" ino=1 Allow scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1 audit(1585500099.139:6): avc: denied { read } for pid=1635 comm="systemd-cryptse" path="/run/systemd/generator/dev-mapper-luks\x2d6a613af0\x2d0a61\x2d462f\x2d8679\x2d1b0d964fbc88.device.d/.#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 audit(1585500099.139:7): avc: denied { setattr } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 audit(1585500099.139:8): avc: denied { rename } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-03-17 12:39:30 +00:00
######################################
#
# Cgroups local policy
#
allow systemd_cgroups_t self:capability net_admin;
2019-01-10 00:30:15 +00:00
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
# for /proc/cmdline
kernel_read_system_state(systemd_cgroups_t)
2019-01-10 00:30:15 +00:00
mls_fd_use_all_levels(systemd_cgroups_t)
2017-01-05 10:40:32 +00:00
selinux_getattr_fs(systemd_cgroups_t)
# write to /run/systemd/cgroups-agent
init_dgram_send(systemd_cgroups_t)
init_stream_connect(systemd_cgroups_t)
# for /proc/1/environ
init_read_state(systemd_cgroups_t)
seutil_libselinux_linked(systemd_cgroups_t)
systemd_log_parse_environment(systemd_cgroups_t)
2019-01-10 00:30:15 +00:00
ifdef(`enable_mls',`
kernel_ranged_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t, s0 - mls_systemhigh)
')
######################################
#
# coredump local policy
#
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
allow systemd_coredump_t self:capability { setgid setuid setpcap };
allow systemd_coredump_t self:process { getcap setcap setfscreate };
manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t)
kernel_read_kernel_sysctls(systemd_coredump_t)
kernel_read_system_state(systemd_coredump_t)
kernel_rw_pipes(systemd_coredump_t)
kernel_use_fds(systemd_coredump_t)
corecmd_exec_bin(systemd_coredump_t)
corecmd_read_all_executables(systemd_coredump_t)
dev_write_kmsg(systemd_coredump_t)
files_getattr_all_mountpoints(systemd_coredump_t)
files_read_etc_files(systemd_coredump_t)
files_search_var_lib(systemd_coredump_t)
fs_getattr_xattr_fs(systemd_coredump_t)
selinux_getattr_fs(systemd_coredump_t)
init_list_var_lib_dirs(systemd_coredump_t)
init_read_state(systemd_coredump_t)
init_search_runtime(systemd_coredump_t)
init_write_runtime_socket(systemd_coredump_t)
logging_send_syslog_msg(systemd_coredump_t)
seutil_search_default_contexts(systemd_coredump_t)
#######################################
#
# Systemd generator local policy
#
allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
allow systemd_generator_t self:capability dac_override;
allow systemd_generator_t self:process setfscreate;
corecmd_getattr_bin_files(systemd_generator_t)
dev_read_sysfs(systemd_generator_t)
dev_write_kmsg(systemd_generator_t)
dev_write_sysfs_dirs(systemd_generator_t)
files_read_etc_files(systemd_generator_t)
files_search_runtime(systemd_generator_t)
files_list_boot(systemd_generator_t)
files_read_boot_files(systemd_generator_t)
files_search_all_mountpoints(systemd_generator_t)
files_list_usr(systemd_generator_t)
fs_list_efivars(systemd_generator_t)
fs_getattr_xattr_fs(systemd_generator_t)
init_create_runtime_files(systemd_generator_t)
init_manage_runtime_dirs(systemd_generator_t)
init_manage_runtime_symlinks(systemd_generator_t)
init_read_runtime_files(systemd_generator_t)
init_read_state(systemd_generator_t)
init_rename_runtime_files(systemd_generator_t)
init_search_runtime(systemd_generator_t)
init_setattr_runtime_files(systemd_generator_t)
init_write_runtime_files(systemd_generator_t)
init_list_unit_dirs(systemd_generator_t)
init_read_generic_units_symlinks(systemd_generator_t)
init_read_script_files(systemd_generator_t)
kernel_use_fds(systemd_generator_t)
kernel_read_system_state(systemd_generator_t)
kernel_read_kernel_sysctls(systemd_generator_t)
storage_raw_read_fixed_disk(systemd_generator_t)
systemd_log_parse_environment(systemd_generator_t)
term_use_unallocated_ttys(systemd_generator_t)
optional_policy(`
fstools_exec(systemd_generator_t)
')
optional_policy(`
lvm_exec(systemd_generator_t)
lvm_map_config(systemd_generator_t)
lvm_read_config(systemd_generator_t)
miscfiles_read_localization(systemd_generator_t)
')
#######################################
#
# Hostnamed policy
#
2019-02-20 03:20:57 +00:00
allow systemd_hostnamed_t self:capability sys_admin;
kernel_read_kernel_sysctls(systemd_hostnamed_t)
dev_read_sysfs(systemd_hostnamed_t)
files_read_etc_files(systemd_hostnamed_t)
selinux_use_status_page(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
Modify type for /etc/hostname hostnamectl updates /etc/hostname This change is setting the type for the file /etc/hostname to net_conf_t and granting hostnamectl permission to edit this file. Note that hostnamectl is initially creating a new file .#hostname* which is why the create permissions are requied. type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-15 03:20:29 +00:00
sysnet_etc_filetrans_config(systemd_hostnamed_t)
sysnet_manage_config(systemd_hostnamed_t)
systemd_log_parse_environment(systemd_hostnamed_t)
optional_policy(`
dbus_connect_system_bus(systemd_hostnamed_t)
dbus_system_bus_client(systemd_hostnamed_t)
2018-02-15 22:07:08 +00:00
init_dbus_chat(systemd_hostnamed_t)
')
optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')
#########################################
#
# hw local policy
#
kernel_read_kernel_sysctls(systemd_hw_t)
allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabel_file_perms };
files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
files_search_runtime(systemd_hw_t)
selinux_get_fs_mount(systemd_hw_t)
selinux_use_status_page(systemd_hw_t)
2018-06-08 00:17:15 +00:00
init_read_state(systemd_hw_t)
init_search_runtime(systemd_hw_t)
2018-06-08 00:17:15 +00:00
seutil_read_config(systemd_hw_t)
seutil_read_file_contexts(systemd_hw_t)
#######################################
#
# locale local policy
#
kernel_read_kernel_sysctls(systemd_locale_t)
files_read_etc_files(systemd_locale_t)
selinux_use_status_page(systemd_locale_t)
seutil_read_file_contexts(systemd_locale_t)
systemd_log_parse_environment(systemd_locale_t)
optional_policy(`
dbus_connect_system_bus(systemd_locale_t)
dbus_system_bus_client(systemd_locale_t)
')
######################################
#
# systemd log parse environment
#
# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
dontaudit systemd_log_parse_env_type self:capability net_admin;
kernel_read_system_state(systemd_log_parse_env_type)
dev_write_kmsg(systemd_log_parse_env_type)
systemd: allow reading options from EFI variable SystemdOptions Since systemd 244, systemd can parse EFI variable SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 like /proc/cmdline in order to find options. systemd's NEWS file [1] states: systemd will also read configuration options from the EFI variable SystemdOptions. This may be used to configure systemd behaviour when modifying the kernel command line is inconvenient, but configuration on disk is read too late, for example for the options related to cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to set the EFI variable. In practice, all callers of log_parse_environment() read this EFI variable, because: * log_parse_environment() is a macro which is expanded to log_parse_environment_realm(LOG_REALM) [2]. * log_parse_environment_realm() calls proc_cmdline_parse() when being use in system daemons [3]. * proc_cmdline_parse() always calls systemd_efi_options_variable() [4]. * systemd_efi_options_variable() reads SystemdOptions variable [5]. For SELinux, this means that every domain with attribute systemd_log_parse_env_type wants to read an EFI variable. Allow this access. [1] https://github.com/systemd/systemd/blob/v244/NEWS#L18-L23 [2] https://github.com/systemd/systemd/blob/v244/src/basic/log.h#L84 [3] https://github.com/systemd/systemd/blob/v244/src/basic/log.c#L1116 [4] https://github.com/systemd/systemd/blob/v244/src/basic/proc-cmdline.c#L122 [5] https://github.com/systemd/systemd/blob/v244/src/basic/efivars.c#L242 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-30 17:01:43 +00:00
# For /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67
fs_read_efivarfs_files(systemd_log_parse_env_type)
term_use_console(systemd_log_parse_env_type)
init_read_state(systemd_log_parse_env_type)
logging_send_syslog_msg(systemd_log_parse_env_type)
#########################################
#
# Logind local policy
#
allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
init_runtime_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit")
allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
kernel_read_kernel_sysctls(systemd_logind_t)
dev_getattr_dri_dev(systemd_logind_t)
dev_getattr_generic_usb_dev(systemd_logind_t)
dev_getattr_kvm_dev(systemd_logind_t)
dev_getattr_sound_dev(systemd_logind_t)
dev_getattr_video_dev(systemd_logind_t)
dev_manage_wireless(systemd_logind_t)
dev_read_urand(systemd_logind_t)
dev_rw_dri(systemd_logind_t)
dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
domain_obj_id_change_exemption(systemd_logind_t)
files_search_runtime(systemd_logind_t)
fs_getattr_cgroup(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
fs_getattr_tmpfs_dirs(systemd_logind_t)
fs_list_tmpfs(systemd_logind_t)
fs_mount_tmpfs(systemd_logind_t)
fs_read_cgroup_files(systemd_logind_t)
2016-02-03 13:14:38 +00:00
fs_read_efivarfs_files(systemd_logind_t)
fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
fs_unmount_tmpfs(systemd_logind_t)
2016-02-03 13:14:38 +00:00
selinux_use_status_page(systemd_logind_t)
storage_getattr_removable_dev(systemd_logind_t)
storage_getattr_scsi_generic_dev(systemd_logind_t)
storage_setattr_removable_dev(systemd_logind_t)
storage_setattr_scsi_generic_dev(systemd_logind_t)
term_setattr_unallocated_ttys(systemd_logind_t)
term_use_unallocated_ttys(systemd_logind_t)
auth_manage_faillog(systemd_logind_t)
auth_use_nsswitch(systemd_logind_t)
init_dbus_send_script(systemd_logind_t)
init_get_all_units_status(systemd_logind_t)
init_get_system_status(systemd_logind_t)
init_read_utmp(systemd_logind_t)
init_service_start(systemd_logind_t)
init_service_status(systemd_logind_t)
init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
init_start_system(systemd_logind_t)
init_stop_system(systemd_logind_t)
locallogin_read_state(systemd_logind_t)
seutil_libselinux_linked(systemd_logind_t)
seutil_read_default_contexts(systemd_logind_t)
seutil_read_file_contexts(systemd_logind_t)
systemd_log_parse_environment(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)
udev_list_runtime(systemd_logind_t)
udev_read_runtime_files(systemd_logind_t)
Allow systemd_logind to delete user_runtime_content_type files Now that objects in /run/user/%{USERID}/* use the attribute user_runtime_content_type use interfaces userdom_delete_all_user_runtime_* to allow deletion of these objects. type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-12-12 02:15:28 +00:00
userdom_delete_all_user_runtime_dirs(systemd_logind_t)
userdom_delete_all_user_runtime_files(systemd_logind_t)
userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
userdom_delete_user_tmp_dirs(systemd_logind_t)
userdom_delete_user_tmp_files(systemd_logind_t)
userdom_delete_user_tmp_symlinks(systemd_logind_t)
userdom_delete_user_tmp_named_pipes(systemd_logind_t)
userdom_delete_user_tmp_named_sockets(systemd_logind_t)
2018-02-15 22:07:08 +00:00
# user_tmp_t is for the dbus-1 directory
userdom_list_user_tmp(systemd_logind_t)
userdom_manage_user_runtime_dirs(systemd_logind_t)
userdom_manage_user_runtime_root_dirs(systemd_logind_t)
userdom_mounton_user_runtime_dirs(systemd_logind_t)
userdom_read_all_users_state(systemd_logind_t)
userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
userdom_relabel_user_tmpfs_files(systemd_logind_t)
userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
# Once a newer systemd (v229 or later) is in RHEL (or patch is cherry-picked) this should be able to be removed.
ifdef(`distro_redhat',`
userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
')
systemd-logind: allow using BootLoaderEntries DBUS property systemd-logind exposes several properties related to the bootloader. One of them is BootLoaderEntries [1], which scans the disks using util-linux's blkid in order to find the ESP (EFI System Partition) [2][3]. This triggers the following logs in audit.log (where /dev/sda1 is the ESP, mounted on /boot): type=AVC msg=audit(1577692922.834:310): avc: denied { getattr } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1 type=AVC msg=audit(1577692922.841:311): avc: denied { search } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.841:312): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.841:313): avc: denied { read } for pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.841:313): avc: denied { open } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.844:314): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.844:315): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.851:316): avc: denied { read } for pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:316): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:317): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:318): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:319): avc: denied { read } for pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.851:319): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 As allowing read access to fixed disks (such as /dev/sda1 here) can be considered as dangerous, add a conditional to allow the accesses. [1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315 [2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118 [3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 19:51:45 +00:00
tunable_policy(`systemd_logind_get_bootloader',`
fs_getattr_dos_fs(systemd_logind_t)
fs_list_dos(systemd_logind_t)
fs_read_dos_files(systemd_logind_t)
')
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
# This reads the first sectors of fixed disk devices.
storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
systemd-logind: allow using BootLoaderEntries DBUS property systemd-logind exposes several properties related to the bootloader. One of them is BootLoaderEntries [1], which scans the disks using util-linux's blkid in order to find the ESP (EFI System Partition) [2][3]. This triggers the following logs in audit.log (where /dev/sda1 is the ESP, mounted on /boot): type=AVC msg=audit(1577692922.834:310): avc: denied { getattr } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1 type=AVC msg=audit(1577692922.841:311): avc: denied { search } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.841:312): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.841:313): avc: denied { read } for pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.841:313): avc: denied { open } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.844:314): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.844:315): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 type=AVC msg=audit(1577692922.851:316): avc: denied { read } for pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:316): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:317): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:318): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1 type=AVC msg=audit(1577692922.851:319): avc: denied { read } for pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 type=AVC msg=audit(1577692922.851:319): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1 As allowing read access to fixed disks (such as /dev/sda1 here) can be considered as dangerous, add a conditional to allow the accesses. [1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315 [2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118 [3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 19:51:45 +00:00
optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
dbus_system_bus_client(systemd_logind_t)
')
optional_policy(`
devicekit_dbus_chat_disk(systemd_logind_t)
devicekit_dbus_chat_power(systemd_logind_t)
')
2018-02-15 22:07:08 +00:00
optional_policy(`
modemmanager_dbus_chat(systemd_logind_t)
')
optional_policy(`
networkmanager_dbus_chat(systemd_logind_t)
')
optional_policy(`
policykit_dbus_chat(systemd_logind_t)
')
optional_policy(`
xserver_read_state(systemd_logind_t)
xserver_dbus_chat(systemd_logind_t)
xserver_dbus_chat_xdm(systemd_logind_t)
xserver_read_xdm_state(systemd_logind_t)
')
optional_policy(`
unconfined_dbus_send(systemd_logind_t)
')
#########################################
#
# machined local policy
#
allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
allow systemd_machined_t self:process setfscreate;
allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)
files_read_etc_files(systemd_machined_t)
fs_getattr_cgroup(systemd_machined_t)
fs_getattr_tmpfs(systemd_machined_t)
fs_read_nsfs_files(systemd_machined_t)
selinux_getattr_fs(systemd_machined_t)
init_read_script_state(systemd_machined_t)
init_get_system_status(systemd_machined_t)
init_read_state(systemd_machined_t)
init_service_start(systemd_machined_t)
init_service_status(systemd_machined_t)
init_start_system(systemd_machined_t)
init_stop_system(systemd_machined_t)
init_get_generic_units_status(systemd_machined_t)
init_start_generic_units(systemd_machined_t)
init_stop_generic_units(systemd_machined_t)
logging_send_syslog_msg(systemd_machined_t)
seutil_search_default_contexts(systemd_machined_t)
optional_policy(`
init_dbus_chat(systemd_machined_t)
init_dbus_send_script(systemd_machined_t)
dbus_connect_system_bus(systemd_machined_t)
dbus_system_bus_client(systemd_machined_t)
')
########################################
#
# modules-load local policy
#
kernel_load_module(systemd_modules_load_t)
kernel_read_kernel_sysctls(systemd_modules_load_t)
kernel_request_load_module(systemd_modules_load_t)
dev_read_sysfs(systemd_modules_load_t)
files_mmap_read_kernel_modules(systemd_modules_load_t)
files_read_etc_files(systemd_modules_load_t)
modutils_read_module_config(systemd_modules_load_t)
modutils_read_module_deps(systemd_modules_load_t)
systemd_log_parse_environment(systemd_modules_load_t)
########################################
#
# networkd local policy
#
allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow systemd_networkd_t self:packet_socket create_socket_perms;
allow systemd_networkd_t self:process { getcap setcap setfscreate };
allow systemd_networkd_t self:rawip_socket create_socket_perms;
allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow systemd_networkd_t self:udp_socket create_socket_perms;
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
kernel_read_system_state(systemd_networkd_t)
kernel_read_kernel_sysctls(systemd_networkd_t)
kernel_read_network_state(systemd_networkd_t)
kernel_request_load_module(systemd_networkd_t)
kernel_rw_net_sysctls(systemd_networkd_t)
corecmd_bin_entry_type(systemd_networkd_t)
corecmd_exec_bin(systemd_networkd_t)
corenet_sendrecv_icmp_packets(systemd_networkd_t)
corenet_sendrecv_dhcpd_client_packets(systemd_networkd_t)
corenet_rw_tun_tap_dev(systemd_networkd_t)
corenet_udp_bind_dhcpc_port(systemd_networkd_t)
corenet_udp_bind_generic_node(systemd_networkd_t)
dev_read_urand(systemd_networkd_t)
dev_read_sysfs(systemd_networkd_t)
dev_write_kmsg(systemd_networkd_t)
files_read_etc_files(systemd_networkd_t)
files_watch_runtime_dirs(systemd_networkd_t)
files_watch_root_dirs(systemd_networkd_t)
files_list_runtime(systemd_networkd_t)
fs_getattr_xattr_fs(systemd_networkd_t)
auth_use_nsswitch(systemd_networkd_t)
init_dgram_send(systemd_networkd_t)
init_read_state(systemd_networkd_t)
logging_send_syslog_msg(systemd_networkd_t)
miscfiles_read_localization(systemd_networkd_t)
sysnet_read_config(systemd_networkd_t)
systemd_log_parse_environment(systemd_networkd_t)
optional_policy(`
dbus_system_bus_client(systemd_networkd_t)
dbus_connect_system_bus(systemd_networkd_t)
dbus_watch_system_bus_runtime_dirs(systemd_networkd_t)
dbus_watch_system_bus_runtime_named_sockets(systemd_networkd_t)
systemd_dbus_chat_hostnamed(systemd_networkd_t)
')
optional_policy(`
udev_read_runtime_files(systemd_networkd_t)
')
########################################
#
# systemd_notify local policy
#
allow systemd_notify_t self:capability chown;
allow systemd_notify_t self:process { setfscreate setsockcreate };
allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(systemd_notify_t)
files_read_etc_files(systemd_notify_t)
files_read_usr_files(systemd_notify_t)
fs_getattr_cgroup_files(systemd_notify_t)
auth_use_nsswitch(systemd_notify_t)
init_rw_stream_sockets(systemd_notify_t)
miscfiles_read_localization(systemd_notify_t)
2017-02-24 01:03:23 +00:00
########################################
#
# Nspawn local policy
#
allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_nspawn_t systemd_journal_t:dir search;
allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
allow systemd_nspawn_t systemd_nspawn_runtime_t:file manage_file_perms;
init_runtime_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, dir)
2017-02-24 01:03:23 +00:00
files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
# for /tmp/.#inaccessible*
allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
# for /run/systemd/nspawn/incoming in chroot
allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
kernel_mount_proc(systemd_nspawn_t)
kernel_mounton_sysctl_dirs(systemd_nspawn_t)
kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
kernel_mounton_message_if(systemd_nspawn_t)
kernel_mounton_proc(systemd_nspawn_t)
kernel_read_kernel_sysctls(systemd_nspawn_t)
kernel_read_system_state(systemd_nspawn_t)
kernel_remount_proc(systemd_nspawn_t)
corecmd_exec_shell(systemd_nspawn_t)
corecmd_search_bin(systemd_nspawn_t)
corenet_rw_tun_tap_dev(systemd_nspawn_t)
dev_getattr_fs(systemd_nspawn_t)
dev_manage_sysfs_dirs(systemd_nspawn_t)
dev_mounton_sysfs_dirs(systemd_nspawn_t)
dev_mount_sysfs(systemd_nspawn_t)
dev_read_rand(systemd_nspawn_t)
dev_read_urand(systemd_nspawn_t)
files_getattr_tmp_dirs(systemd_nspawn_t)
files_manage_etc_files(systemd_nspawn_t)
files_manage_mnt_dirs(systemd_nspawn_t)
files_mounton_mnt(systemd_nspawn_t)
files_mounton_root(systemd_nspawn_t)
files_mounton_tmp(systemd_nspawn_t)
files_read_kernel_symbol_table(systemd_nspawn_t)
files_setattr_runtime_dirs(systemd_nspawn_t)
fs_getattr_tmpfs(systemd_nspawn_t)
fs_manage_tmpfs_chr_files(systemd_nspawn_t)
fs_mount_tmpfs(systemd_nspawn_t)
fs_remount_tmpfs(systemd_nspawn_t)
fs_remount_xattr_fs(systemd_nspawn_t)
fs_read_cgroup_files(systemd_nspawn_t)
term_getattr_generic_ptys(systemd_nspawn_t)
term_getattr_pty_fs(systemd_nspawn_t)
term_mount_devpts(systemd_nspawn_t)
term_search_ptys(systemd_nspawn_t)
term_setattr_generic_ptys(systemd_nspawn_t)
term_use_ptmx(systemd_nspawn_t)
init_domtrans_script(systemd_nspawn_t)
init_getrlimit(systemd_nspawn_t)
init_kill_scripts(systemd_nspawn_t)
init_read_state(systemd_nspawn_t)
init_search_run(systemd_nspawn_t)
init_write_runtime_socket(systemd_nspawn_t)
init_spec_domtrans_script(systemd_nspawn_t)
miscfiles_manage_localization(systemd_nspawn_t)
# for writing inside chroot
sysnet_manage_config(systemd_nspawn_t)
userdom_manage_user_home_dirs(systemd_nspawn_t)
tunable_policy(`systemd_nspawn_labeled_namespace',`
corecmd_exec_bin(systemd_nspawn_t)
corecmd_exec_shell(systemd_nspawn_t)
dev_mounton(systemd_nspawn_t)
dev_setattr_generic_dirs(systemd_nspawn_t)
# manage etc symlinks for /etc/localtime
files_manage_etc_symlinks(systemd_nspawn_t)
files_mounton_runtime_dirs(systemd_nspawn_t)
files_search_home(systemd_nspawn_t)
fs_getattr_cgroup(systemd_nspawn_t)
fs_manage_cgroup_dirs(systemd_nspawn_t)
fs_manage_tmpfs_dirs(systemd_nspawn_t)
fs_manage_tmpfs_files(systemd_nspawn_t)
fs_manage_tmpfs_symlinks(systemd_nspawn_t)
fs_mount_cgroup(systemd_nspawn_t)
fs_mounton_cgroup(systemd_nspawn_t)
fs_mounton_tmpfs(systemd_nspawn_t)
fs_mounton_tmpfs_files(systemd_nspawn_t)
fs_remount_cgroup(systemd_nspawn_t)
fs_search_tmpfs(systemd_nspawn_t)
fs_unmount_cgroup(systemd_nspawn_t)
fs_write_cgroup_files(systemd_nspawn_t)
selinux_getattr_fs(systemd_nspawn_t)
selinux_remount_fs(systemd_nspawn_t)
selinux_search_fs(systemd_nspawn_t)
init_domtrans(systemd_nspawn_t)
logging_search_logs(systemd_nspawn_t)
seutil_search_default_contexts(systemd_nspawn_t)
')
optional_policy(`
allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
dbus_system_bus_client(systemd_nspawn_t)
2018-02-15 22:07:08 +00:00
optional_policy(`
unconfined_dbus_send(systemd_machined_t)
')
')
optional_policy(`
virt_manage_virt_content(systemd_nspawn_t)
')
#######################################
#
# systemd_passwd_agent_t local policy
#
allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
kernel_read_system_state(systemd_passwd_agent_t)
kernel_stream_connect(systemd_passwd_agent_t)
dev_create_generic_dirs(systemd_passwd_agent_t)
dev_read_generic_files(systemd_passwd_agent_t)
dev_write_generic_sock_files(systemd_passwd_agent_t)
dev_write_kmsg(systemd_passwd_agent_t)
files_read_etc_files(systemd_passwd_agent_t)
fs_getattr_xattr_fs(systemd_passwd_agent_t)
selinux_get_enforce_mode(systemd_passwd_agent_t)
selinux_getattr_fs(systemd_passwd_agent_t)
term_read_console(systemd_passwd_agent_t)
auth_use_nsswitch(systemd_passwd_agent_t)
init_create_runtime_dirs(systemd_passwd_agent_t)
init_read_runtime_pipes(systemd_passwd_agent_t)
init_read_state(systemd_passwd_agent_t)
init_read_utmp(systemd_passwd_agent_t)
init_stream_connect(systemd_passwd_agent_t)
logging_send_syslog_msg(systemd_passwd_agent_t)
miscfiles_read_localization(systemd_passwd_agent_t)
seutil_search_default_contexts(systemd_passwd_agent_t)
userdom_use_user_terminals(systemd_passwd_agent_t)
optional_policy(`
getty_use_fds(systemd_passwd_agent_t)
')
optional_policy(`
lvm_signull(systemd_passwd_agent_t)
')
optional_policy(`
plymouthd_stream_connect(systemd_passwd_agent_t)
')
2017-02-24 01:03:23 +00:00
#########################################
#
# systemd-pstore local policy
#
dontaudit systemd_pstore_t self:capability net_admin;
manage_files_pattern(systemd_pstore_t, systemd_pstore_var_lib_t, systemd_pstore_var_lib_t)
files_read_etc_files(systemd_pstore_t)
files_search_var_lib(systemd_pstore_t)
fs_list_pstore_dirs(systemd_pstore_t)
fs_read_pstore_files(systemd_pstore_t)
fs_delete_pstore_files(systemd_pstore_t)
init_search_run(systemd_pstore_t)
init_list_var_lib_dirs(systemd_pstore_t)
kernel_read_system_state(systemd_pstore_t)
logging_send_syslog_msg(systemd_pstore_t)
2017-08-14 20:32:29 +00:00
#######################################
#
# Rfkill local policy
#
allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
2017-08-14 20:32:29 +00:00
manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
kernel_read_kernel_sysctls(systemd_rfkill_t)
2017-08-14 20:32:29 +00:00
dev_read_sysfs(systemd_rfkill_t)
dev_rw_wireless(systemd_rfkill_t)
# Allow reading /etc/udev/udev.conf
files_read_etc_files(systemd_rfkill_t)
# Allow reading /run/udev/data/+rfkill:rfkill0
udev_read_runtime_files(systemd_rfkill_t)
2017-08-14 20:32:29 +00:00
systemd_log_parse_environment(systemd_rfkill_t)
#########################################
#
# Resolved local policy
#
allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
allow systemd_resolved_t self:tcp_socket { accept listen };
allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
Allow systemd-resolved to read sysctl type=AVC msg=audit(1527698300.007:150): avc: denied { search } for pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir type=AVC msg=audit(1527698300.007:150): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.007:150): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.007:151): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.006:148): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=AVC msg=audit(1527698300.006:148): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=AVC msg=audit(1527698300.007:149): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-06 14:25:06 +00:00
dev_read_sysfs(systemd_resolved_t)
kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
Allow systemd-resolved to read sysctl type=AVC msg=audit(1527698300.007:150): avc: denied { search } for pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir type=AVC msg=audit(1527698300.007:150): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.007:150): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.007:151): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1527698300.006:148): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=AVC msg=audit(1527698300.006:148): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=AVC msg=audit(1527698300.007:149): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-06 14:25:06 +00:00
kernel_read_net_sysctls(systemd_resolved_t)
corenet_tcp_bind_generic_node(systemd_resolved_t)
corenet_tcp_bind_dns_port(systemd_resolved_t)
corenet_tcp_bind_llmnr_port(systemd_resolved_t)
corenet_udp_bind_generic_node(systemd_resolved_t)
corenet_udp_bind_dns_port(systemd_resolved_t)
corenet_udp_bind_llmnr_port(systemd_resolved_t)
selinux_use_status_page(systemd_resolved_t)
auth_use_nsswitch(systemd_resolved_t)
files_watch_root_dirs(systemd_resolved_t)
files_watch_runtime_dirs(systemd_resolved_t)
files_list_runtime(systemd_resolved_t)
2020-02-01 21:18:25 +00:00
init_dgram_send(systemd_resolved_t)
seutil_read_file_contexts(systemd_resolved_t)
systemd_log_parse_environment(systemd_resolved_t)
Allow systemd_resolved to read systemd_networkd runtime files type=AVC msg=audit(1527698299.999:144): avc: denied { read } for pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir type=AVC msg=audit(1527698299.999:145): avc: denied { read } for pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527698299.999:145): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527698300.000:146): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527702014.276:183): avc: denied { search } for pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir type=AVC msg=audit(1527704163.181:152): avc: denied { open } for pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527704163.181:153): avc: denied { getattr } for pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file type=AVC msg=audit(1527704163.604:173): avc: denied { read } for pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-06 14:25:07 +00:00
systemd_read_networkd_runtime(systemd_resolved_t)
optional_policy(`
dbus_connect_system_bus(systemd_resolved_t)
dbus_system_bus_client(systemd_resolved_t)
dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
')
#########################################
#
# Socket-proxyd local policy
#
allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt setopt sendto read write };
allow systemd_socket_proxyd_t self:tcp_socket accept;
kernel_read_system_state(systemd_socket_proxyd_t)
auth_use_nsswitch(systemd_socket_proxyd_t)
sysnet_dns_name_resolve(systemd_socket_proxyd_t)
tunable_policy(`systemd_socket_proxyd_bind_any',`
corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
',`
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind;
')
tunable_policy(`systemd_socket_proxyd_connect_any',`
corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
',`
allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect;
')
#########################################
#
# Sessions local policy
#
allow systemd_sessions_t self:process setfscreate;
allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
kernel_read_kernel_sysctls(systemd_sessions_t)
selinux_get_fs_mount(systemd_sessions_t)
selinux_use_status_page(systemd_sessions_t)
seutil_read_config(systemd_sessions_t)
seutil_read_default_contexts(systemd_sessions_t)
seutil_read_file_contexts(systemd_sessions_t)
systemd_log_parse_environment(systemd_sessions_t)
#########################################
#
# Sysusers local policy
#
allow systemd_sysusers_t self:capability { chown fsetid };
allow systemd_sysusers_t self:process setfscreate;
allow systemd_sysusers_t self:unix_dgram_socket sendto;
files_manage_etc_files(systemd_sysusers_t)
kernel_read_kernel_sysctls(systemd_sysusers_t)
selinux_use_status_page(systemd_sysusers_t)
auth_manage_shadow(systemd_sysusers_t)
auth_etc_filetrans_shadow(systemd_sysusers_t)
auth_use_nsswitch(systemd_sysusers_t)
seutil_libselinux_linked(systemd_sysusers_t)
seutil_read_file_contexts(systemd_sysusers_t)
systemd_log_parse_environment(systemd_sysusers_t)
#########################################
#
# Tmpfiles local policy
#
allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
allow systemd_tmpfiles_t self:process { setfscreate getcap };
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
allow systemd_tmpfiles_t systemd_pstore_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
allow systemd_tmpfiles_t systemd_pstore_var_lib_t:file manage_file_perms;
allow systemd_tmpfiles_t systemd_sessions_runtime_t:file { manage_file_perms relabel_file_perms };
2017-02-24 01:03:23 +00:00
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir relabel_dir_perms;
allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
2017-02-24 01:03:23 +00:00
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
kernel_getattr_proc(systemd_tmpfiles_t)
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
kernel_read_network_state(systemd_tmpfiles_t)
dev_getattr_fs(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_setattr_all_sysfs(systemd_tmpfiles_t)
# Allow systemd-tmpfiles to enable pstore kernel parameters over sysfs
# /sys/module/printk/parameters/always_kmsg_dump
# /sys/module/kernel/parameters/crash_kexec_post_notifiers
dev_write_sysfs(systemd_tmpfiles_t)
files_create_lock_dirs(systemd_tmpfiles_t)
files_manage_all_runtime_dirs(systemd_tmpfiles_t)
files_delete_usr_files(systemd_tmpfiles_t)
files_list_home(systemd_tmpfiles_t)
files_list_locks(systemd_tmpfiles_t)
files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
files_manage_var_dirs(systemd_tmpfiles_t)
files_manage_var_lib_dirs(systemd_tmpfiles_t)
files_purge_tmp(systemd_tmpfiles_t)
files_read_etc_files(systemd_tmpfiles_t)
files_read_etc_runtime_files(systemd_tmpfiles_t)
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_runtime_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
files_relabel_var_dirs(systemd_tmpfiles_t)
files_relabel_var_lib_dirs(systemd_tmpfiles_t)
files_relabelfrom_home(systemd_tmpfiles_t)
files_relabelto_home(systemd_tmpfiles_t)
files_relabelto_etc_dirs(systemd_tmpfiles_t)
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)
fs_getattr_tmpfs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
fs_list_tmpfs(systemd_tmpfiles_t)
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_use_status_page(systemd_tmpfiles_t)
auth_append_lastlog(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
auth_manage_lastlog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
auth_manage_var_auth(systemd_tmpfiles_t)
auth_relabel_lastlog(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
init_manage_utmp(systemd_tmpfiles_t)
init_manage_var_lib_files(systemd_tmpfiles_t)
# for /proc/1/environ
init_read_state(systemd_tmpfiles_t)
init_relabel_utmp(systemd_tmpfiles_t)
init_relabel_var_lib_dirs(systemd_tmpfiles_t)
logging_manage_generic_logs(systemd_tmpfiles_t)
logging_manage_generic_log_dirs(systemd_tmpfiles_t)
logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
miscfiles_manage_man_pages(systemd_tmpfiles_t)
miscfiles_relabel_man_cache(systemd_tmpfiles_t)
seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
sysnet_manage_config(systemd_tmpfiles_t)
sysnet_relabel_config(systemd_tmpfiles_t)
systemd_log_parse_environment(systemd_tmpfiles_t)
userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
files_manage_non_security_dirs(systemd_tmpfiles_t)
files_manage_non_security_files(systemd_tmpfiles_t)
files_relabel_non_security_dirs(systemd_tmpfiles_t)
files_relabel_non_security_files(systemd_tmpfiles_t)
')
optional_policy(`
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
')
optional_policy(`
apt_use_fds(systemd_tmpfiles_t)
dpkg_script_rw_inherited_pipes(systemd_tmpfiles_t)
')
optional_policy(`
xfs_create_tmp_dirs(systemd_tmpfiles_t)
')
optional_policy(`
xserver_create_console_pipes(systemd_tmpfiles_t)
xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
xserver_relabel_console_pipes(systemd_tmpfiles_t)
xserver_setattr_console_pipes(systemd_tmpfiles_t)
')
#########################################
#
# Update Done local policy
#
Update systemd-update-done policy systemd-update-done sends logs to journald like other services, as shown by the following AVC: type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for pid=277 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { write } for pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=unix_dgram_socket permissive=1 Moreover it creates /etc/.updated and /var/.updated using temporary files: type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=process permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { read write open } for pid=277 comm="systemd-update-" path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { create } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 [...] type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 10:08:20 +00:00
allow systemd_update_done_t self:process setfscreate;
Update systemd-update-done policy systemd-update-done sends logs to journald like other services, as shown by the following AVC: type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for pid=277 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { write } for pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=unix_dgram_socket permissive=1 Moreover it creates /etc/.updated and /var/.updated using temporary files: type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=process permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { read write open } for pid=277 comm="systemd-update-" path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { create } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 [...] type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 10:08:20 +00:00
allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
kernel_read_kernel_sysctls(systemd_update_done_t)
selinux_use_status_page(systemd_update_done_t)
Update systemd-update-done policy systemd-update-done sends logs to journald like other services, as shown by the following AVC: type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for pid=277 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { write } for pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=unix_dgram_socket permissive=1 Moreover it creates /etc/.updated and /var/.updated using temporary files: type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=process permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { read write open } for pid=277 comm="systemd-update-" path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { create } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 [...] type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 10:08:20 +00:00
seutil_read_file_contexts(systemd_update_done_t)
Update systemd-update-done policy systemd-update-done sends logs to journald like other services, as shown by the following AVC: type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for pid=277 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { write } for pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=unix_dgram_socket permissive=1 Moreover it creates /etc/.updated and /var/.updated using temporary files: type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=process permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { read write open } for pid=277 comm="systemd-update-" path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { create } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 [...] type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 10:08:20 +00:00
systemd_log_parse_environment(systemd_update_done_t)
#########################################
#
# User session (systemd --user) local policy
#
allow systemd_user_session_type self:bpf { prog_load prog_run };
allow systemd_user_session_type self:capability { dac_read_search sys_resource };
dontaudit systemd_user_session_type self:capability dac_override;
allow systemd_user_session_type self:fifo_file rw_fifo_file_perms;
allow systemd_user_session_type self:process { setfscreate setsockcreate setcap getcap };
allow systemd_user_session_type self:udp_socket create_socket_perms;
allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };
allow systemd_user_session_type systemd_user_runtime_t:dir manage_dir_perms;
allow systemd_user_session_type systemd_user_runtime_t:lnk_file manage_lnk_file_perms;
allow systemd_user_session_type systemd_user_runtime_t:sock_file { create write };
userdom_user_runtime_filetrans(systemd_user_session_type, systemd_user_runtime_t, dir)
allow systemd_user_session_type systemd_user_runtime_notify_t:sock_file create;
type_transition systemd_user_session_type systemd_user_runtime_t:sock_file systemd_user_runtime_notify_t "notify";
systemd: allow sd-executor to manage its memfd files When systemd --user runs helper programs in order to generate user environment variables, it reads memfd temporary files, which are labeled tmpfs_t: type=AVC msg=audit(1569787627.183:487): avc: denied { getattr } for pid=19182 comm="(sd-executor)" path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429 dev="tmpfs" ino=50062 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:object_r:tmpfs_t tclass=file permissive=1 type=SYSCALL msg=audit(1569787627.183:487): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7ffd324679d0 a2=7ffd324679d0 a3=4 items=0 ppid=19180 pid=19182 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=28 comm="(sd-executor)" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1569787627.183:487): proctitle="(sd-executor)" type=AVC msg=audit(1569787627.183:488): avc: denied { read } for pid=19182 comm="(sd-executor)" path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429 dev="tmpfs" ino=50062 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:object_r:tmpfs_t tclass=file permissive=1 type=SYSCALL msg=audit(1569787627.183:488): arch=c000003e syscall=0 success=yes exit=0 a0=a a1=559bf537abb0 a2=1000 a3=559bf5376010 items=0 ppid=19180 pid=19182 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=28 comm="(sd-executor)" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1569787627.183:488): proctitle="(sd-executor)" The hexadecimal path is "/memfd:30-systemd-environment-d-generator (deleted)". The name "(sd-executor)" is the name of a child process (cf. https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L222) and the name of the memfd file comes from "open_serialization_fd(name)" in https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L213. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-16 14:30:56 +00:00
allow systemd_user_session_type systemd_user_tmpfs_t:file manage_file_perms;
fs_tmpfs_filetrans(systemd_user_session_type, systemd_user_tmpfs_t, file)
# Run generators in /usr/lib/systemd/user-environment-generators with no domain transition
can_exec(systemd_user_session_type, systemd_generator_exec_t)
dev_write_sysfs_dirs(systemd_user_session_type)
dev_read_sysfs(systemd_user_session_type)
domain_getattr_all_entry_files(systemd_user_session_type)
files_read_etc_files(systemd_user_session_type)
files_list_usr(systemd_user_session_type)
# /etc/localtime
files_watch_etc_symlinks(systemd_user_session_type)
fs_getattr_cgroup(systemd_user_session_type)
systemd: allow more accesses to systemd --user systemd --user needs to: * run statfs() on /sys/fs/cgroup, which is a tmpfs on Debian 10: type=AVC msg=audit(1568544950.691:309): avc: denied { getattr } for pid=10128 comm="systemd" name="/" dev="tmpfs" ino=9656 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 type=SYSCALL msg=audit(1568544950.691:309): arch=c000003e syscall=137 success=no exit=-13 a0=7f96e8b23ddb a1=7ffefbffb410 a2=7f96e7b3c2a0 a3=0 items=0 ppid=1 pid=10128 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=14 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568544950.691:309): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 # ls -Zdi /sys/fs/cgroup # ino=9656 is /sys/fs/cgroup 9656 system_u:object_r:cgroup_t /sys/fs/cgroup # findmnt /sys/fs/cgroup /sys/fs/cgroup tmpfs tmpfs ro,nosuid,nodev,noexec,seclabel,mode=755 * read /proc/sys/fs/nr_open: type=AVC msg=audit(1568545206.580:392): avc: denied { search } for pid=19003 comm="systemd" name="fs" dev="proc" ino=9699 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 type=AVC msg=audit(1568545206.580:392): avc: denied { read } for pid=19003 comm="systemd" name="nr_open" dev="proc" ino=14620 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=file permissive=1 type=AVC msg=audit(1568545206.580:392): avc: denied { open } for pid=19003 comm="systemd" path="/proc/sys/fs/nr_open" dev="proc" ino=14620 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=file permissive=1 type=SYSCALL msg=audit(1568545206.580:392): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7fe0d8a8665f a2=80000 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.580:392): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 * notify systemd like services (this was not allowed because *_systemd_t is not associated with attribute "daemon"): type=AVC msg=audit(1568545206.748:410): avc: denied { write } for pid=19003 comm="systemd" name="notify" dev="tmpfs" ino=9840 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1 type=AVC msg=audit(1568545206.748:410): avc: denied { sendto } for pid=19003 comm="systemd" path="/run/systemd/notify" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:system_r:init_t tclass=unix_dgram_socket permissive=1 type=SERVICE_START msg=audit(1568545206.756:411): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' type=SYSCALL msg=audit(1568545206.748:410): arch=c000003e syscall=46 success=yes exit=36 a0=1e a1=7ffe70f2abf0 a2=4000 a3=7ffe70f2ab84 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:410): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 * use /sys/fs/selinux/create to help define its own sockcreate attribute: type=AVC msg=audit(1568545206.748:406): avc: denied { write } for pid=19003 comm="systemd" name="create" dev="selinuxfs" ino=7 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:security_t tclass=file permissive=1 type=SYSCALL msg=audit(1568545206.748:406): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7ffe70f29da0 a2=80002 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:406): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 type=AVC msg=audit(1568545206.748:407): avc: denied { compute_create } for pid=19003 comm="systemd" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:security_t tclass=security permissive=1 type=SYSCALL msg=audit(1568545206.748:407): arch=c000003e syscall=1 success=yes exit=71 a0=c a1=5555d61eadb0 a2=47 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:407): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 type=AVC msg=audit(1568545206.748:408): avc: denied { setsockcreate } for pid=19003 comm="systemd" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=process permissive=1 type=SYSCALL msg=audit(1568545206.748:408): arch=c000003e syscall=1 success=yes exit=35 a0=c a1=5555d61e1320 a2=23 a3=3 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:408): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-19 19:20:57 +00:00
fs_getattr_tmpfs(systemd_user_session_type)
fs_rw_cgroup_files(systemd_user_session_type)
fs_manage_cgroup_dirs(systemd_user_session_type)
systemd: allow more accesses to systemd --user systemd --user needs to: * run statfs() on /sys/fs/cgroup, which is a tmpfs on Debian 10: type=AVC msg=audit(1568544950.691:309): avc: denied { getattr } for pid=10128 comm="systemd" name="/" dev="tmpfs" ino=9656 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 type=SYSCALL msg=audit(1568544950.691:309): arch=c000003e syscall=137 success=no exit=-13 a0=7f96e8b23ddb a1=7ffefbffb410 a2=7f96e7b3c2a0 a3=0 items=0 ppid=1 pid=10128 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=14 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568544950.691:309): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 # ls -Zdi /sys/fs/cgroup # ino=9656 is /sys/fs/cgroup 9656 system_u:object_r:cgroup_t /sys/fs/cgroup # findmnt /sys/fs/cgroup /sys/fs/cgroup tmpfs tmpfs ro,nosuid,nodev,noexec,seclabel,mode=755 * read /proc/sys/fs/nr_open: type=AVC msg=audit(1568545206.580:392): avc: denied { search } for pid=19003 comm="systemd" name="fs" dev="proc" ino=9699 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 type=AVC msg=audit(1568545206.580:392): avc: denied { read } for pid=19003 comm="systemd" name="nr_open" dev="proc" ino=14620 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=file permissive=1 type=AVC msg=audit(1568545206.580:392): avc: denied { open } for pid=19003 comm="systemd" path="/proc/sys/fs/nr_open" dev="proc" ino=14620 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=file permissive=1 type=SYSCALL msg=audit(1568545206.580:392): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7fe0d8a8665f a2=80000 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.580:392): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 * notify systemd like services (this was not allowed because *_systemd_t is not associated with attribute "daemon"): type=AVC msg=audit(1568545206.748:410): avc: denied { write } for pid=19003 comm="systemd" name="notify" dev="tmpfs" ino=9840 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1 type=AVC msg=audit(1568545206.748:410): avc: denied { sendto } for pid=19003 comm="systemd" path="/run/systemd/notify" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:system_r:init_t tclass=unix_dgram_socket permissive=1 type=SERVICE_START msg=audit(1568545206.756:411): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' type=SYSCALL msg=audit(1568545206.748:410): arch=c000003e syscall=46 success=yes exit=36 a0=1e a1=7ffe70f2abf0 a2=4000 a3=7ffe70f2ab84 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:410): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 * use /sys/fs/selinux/create to help define its own sockcreate attribute: type=AVC msg=audit(1568545206.748:406): avc: denied { write } for pid=19003 comm="systemd" name="create" dev="selinuxfs" ino=7 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:security_t tclass=file permissive=1 type=SYSCALL msg=audit(1568545206.748:406): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7ffe70f29da0 a2=80002 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:406): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 type=AVC msg=audit(1568545206.748:407): avc: denied { compute_create } for pid=19003 comm="systemd" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:security_t tclass=security permissive=1 type=SYSCALL msg=audit(1568545206.748:407): arch=c000003e syscall=1 success=yes exit=71 a0=c a1=5555d61eadb0 a2=47 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:407): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 type=AVC msg=audit(1568545206.748:408): avc: denied { setsockcreate } for pid=19003 comm="systemd" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=process permissive=1 type=SYSCALL msg=audit(1568545206.748:408): arch=c000003e syscall=1 success=yes exit=35 a0=c a1=5555d61e1320 a2=23 a3=3 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:408): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-19 19:20:57 +00:00
# for /proc/sys/fs/nr_open
kernel_read_fs_sysctls(systemd_user_session_type)
kernel_read_kernel_sysctls(systemd_user_session_type)
selinux_compute_access_vector(systemd_user_session_type)
systemd: allow more accesses to systemd --user systemd --user needs to: * run statfs() on /sys/fs/cgroup, which is a tmpfs on Debian 10: type=AVC msg=audit(1568544950.691:309): avc: denied { getattr } for pid=10128 comm="systemd" name="/" dev="tmpfs" ino=9656 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 type=SYSCALL msg=audit(1568544950.691:309): arch=c000003e syscall=137 success=no exit=-13 a0=7f96e8b23ddb a1=7ffefbffb410 a2=7f96e7b3c2a0 a3=0 items=0 ppid=1 pid=10128 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=14 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568544950.691:309): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 # ls -Zdi /sys/fs/cgroup # ino=9656 is /sys/fs/cgroup 9656 system_u:object_r:cgroup_t /sys/fs/cgroup # findmnt /sys/fs/cgroup /sys/fs/cgroup tmpfs tmpfs ro,nosuid,nodev,noexec,seclabel,mode=755 * read /proc/sys/fs/nr_open: type=AVC msg=audit(1568545206.580:392): avc: denied { search } for pid=19003 comm="systemd" name="fs" dev="proc" ino=9699 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 type=AVC msg=audit(1568545206.580:392): avc: denied { read } for pid=19003 comm="systemd" name="nr_open" dev="proc" ino=14620 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=file permissive=1 type=AVC msg=audit(1568545206.580:392): avc: denied { open } for pid=19003 comm="systemd" path="/proc/sys/fs/nr_open" dev="proc" ino=14620 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:sysctl_fs_t tclass=file permissive=1 type=SYSCALL msg=audit(1568545206.580:392): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7fe0d8a8665f a2=80000 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.580:392): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 * notify systemd like services (this was not allowed because *_systemd_t is not associated with attribute "daemon"): type=AVC msg=audit(1568545206.748:410): avc: denied { write } for pid=19003 comm="systemd" name="notify" dev="tmpfs" ino=9840 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1 type=AVC msg=audit(1568545206.748:410): avc: denied { sendto } for pid=19003 comm="systemd" path="/run/systemd/notify" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:system_r:init_t tclass=unix_dgram_socket permissive=1 type=SERVICE_START msg=audit(1568545206.756:411): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' type=SYSCALL msg=audit(1568545206.748:410): arch=c000003e syscall=46 success=yes exit=36 a0=1e a1=7ffe70f2abf0 a2=4000 a3=7ffe70f2ab84 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:410): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 * use /sys/fs/selinux/create to help define its own sockcreate attribute: type=AVC msg=audit(1568545206.748:406): avc: denied { write } for pid=19003 comm="systemd" name="create" dev="selinuxfs" ino=7 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:security_t tclass=file permissive=1 type=SYSCALL msg=audit(1568545206.748:406): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7ffe70f29da0 a2=80002 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:406): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 type=AVC msg=audit(1568545206.748:407): avc: denied { compute_create } for pid=19003 comm="systemd" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:security_t tclass=security permissive=1 type=SYSCALL msg=audit(1568545206.748:407): arch=c000003e syscall=1 success=yes exit=71 a0=c a1=5555d61eadb0 a2=47 a3=0 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:407): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 type=AVC msg=audit(1568545206.748:408): avc: denied { setsockcreate } for pid=19003 comm="systemd" scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:sysadm_r:sysadm_systemd_t tclass=process permissive=1 type=SYSCALL msg=audit(1568545206.748:408): arch=c000003e syscall=1 success=yes exit=35 a0=c a1=5555d61e1320 a2=23 a3=3 items=0 ppid=1 pid=19003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=16 comm="systemd" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null) type=PROCTITLE msg=audit(1568545206.748:408): proctitle=2F6C69622F73797374656D642F73797374656D64002D2D75736572 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-19 19:20:57 +00:00
selinux_compute_create_context(systemd_user_session_type)
storage_getattr_fixed_disk_dev(systemd_user_session_type)
# for /run/systemd/notify
init_dgram_send(systemd_user_session_type)
init_signal(systemd_user_session_type)
logging_send_audit_msgs(systemd_user_session_type)
miscfiles_read_localization(systemd_user_session_type)
mount_list_runtime(systemd_user_session_type)
mount_watch_runtime_dirs(systemd_user_session_type)
# for systemd to read udev status
udev_read_runtime_files(systemd_user_session_type)
udev_list_runtime(systemd_user_session_type)
2020-01-31 21:46:56 +00:00
seutil_libselinux_linked(systemd_user_session_type)
2020-01-31 21:46:56 +00:00
#########################################
#
# systemd-user-runtime-dir local policy
#
allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
2020-01-31 21:46:56 +00:00
allow systemd_user_runtime_dir_t self:process setfscreate;
domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
files_read_etc_files(systemd_user_runtime_dir_t)
fs_mount_tmpfs(systemd_user_runtime_dir_t)
fs_getattr_tmpfs(systemd_user_runtime_dir_t)
fs_list_tmpfs(systemd_user_runtime_dir_t)
fs_unmount_tmpfs(systemd_user_runtime_dir_t)
fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
selinux_use_status_page(systemd_user_runtime_dir_t)
2020-01-31 21:46:56 +00:00
systemd_log_parse_environment(systemd_user_runtime_dir_t)
systemd_dbus_chat_logind(systemd_user_runtime_dir_t)
seutil_read_file_contexts(systemd_user_runtime_dir_t)
seutil_libselinux_linked(systemd_user_runtime_dir_t)
2020-01-31 21:46:56 +00:00
userdom_search_user_runtime_root(systemd_user_runtime_dir_t)
userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir)
userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
optional_policy(`
dbus_system_bus_client(systemd_user_runtime_dir_t)
')