selinux-refpolicy/policy/modules/services/plymouthd.if

337 lines
6.7 KiB
Plaintext
Raw Normal View History

## <summary>Plymouth graphical boot.</summary>
########################################
## <summary>
## Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`plymouthd_domtrans',`
gen_require(`
type plymouthd_t, plymouthd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
')
########################################
## <summary>
## Execute plymouthd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_exec',`
gen_require(`
type plymouthd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, plymouthd_exec_t)
')
########################################
## <summary>
## Connect to plymouthd using a unix
## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_stream_connect',`
gen_require(`
type plymouthd_t, plymouthd_spool_t;
')
files_search_spool($1)
stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
')
########################################
## <summary>
## Execute plymouth in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_exec_plymouth',`
gen_require(`
type plymouth_exec_t;
')
corecmd_search_bin($1)
can_exec($1, plymouth_exec_t)
')
########################################
## <summary>
## Execute a domain transition to run plymouth.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`plymouthd_domtrans_plymouth',`
gen_require(`
type plymouth_t, plymouth_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
')
########################################
## <summary>
## Search plymouthd spool directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_search_spool',`
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
allow $1 plymouthd_spool_t:dir search_dir_perms;
')
########################################
## <summary>
## Read plymouthd spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_spool_files',`
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
')
########################################
## <summary>
## Create, read, write, and delete
## plymouthd spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_manage_spool_files',`
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
')
########################################
## <summary>
## Search plymouthd lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_search_lib',`
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Read plymouthd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_lib_files',`
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-11 12:56:12 +00:00
########################################
## <summary>
## Read and write plymouthd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_rw_lib_files',`
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete
## plymouthd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_manage_lib_files',`
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
########################################
## <summary>
## Read plymouthd pid files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use plymouthd_read_runtime_files() instead.')
plymouthd_read_runtime_files($1)
')
########################################
## <summary>
## Delete the plymouthd pid files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_delete_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use plymouthd_delete_runtime_files() instead.')
plymouthd_delete_runtime_files($1)
')
########################################
## <summary>
## Read plymouthd runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_runtime_files',`
gen_require(`
type plymouthd_runtime_t;
')
files_search_pids($1)
read_files_pattern($1, plymouthd_runtime_t, plymouthd_runtime_t)
')
Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-11 12:56:12 +00:00
########################################
## <summary>
## Delete the plymouthd runtime files.
Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-11 12:56:12 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_delete_runtime_files',`
Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-11 12:56:12 +00:00
gen_require(`
type plymouthd_runtime_t;
Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-11 12:56:12 +00:00
')
files_search_pids($1)
delete_files_pattern($1, plymouthd_runtime_t, plymouthd_runtime_t)
Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-11 12:56:12 +00:00
')
########################################
## <summary>
## All of the rules required to
## administrate an plymouthd environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`plymouthd_admin',`
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_runtime_t;
')
allow $1 plymouthd_t:process { ptrace signal_perms };
read_files_pattern($1, plymouthd_t, plymouthd_t)
files_search_spool($1)
admin_pattern($1, plymouthd_spool_t)
files_search_var_lib($1)
admin_pattern($1, plymouthd_var_lib_t)
files_search_pids($1)
admin_pattern($1, plymouthd_runtime_t)
')