selinux-refpolicy/policy/modules/system/systemd.fc

87 lines
6.5 KiB
Plaintext
Raw Normal View History

Update systemd-update-done policy systemd-update-done sends logs to journald like other services, as shown by the following AVC: type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for pid=277 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { write } for pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=unix_dgram_socket permissive=1 Moreover it creates /etc/.updated and /var/.updated using temporary files: type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=process permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { read write open } for pid=277 comm="systemd-update-" path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { create } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 [...] type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 10:08:20 +00:00
/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
/etc/systemd/dont-synthesize-nobody -- gen_context(system_u:object_r:systemd_conf_t,s0)
2018-06-08 00:17:15 +00:00
/etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0)
/run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
/usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
/usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
/usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
/usr/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hw_exec_t,s0)
/usr/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
/usr/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0)
/usr/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
2017-02-24 01:03:23 +00:00
/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
2017-05-18 19:31:08 +00:00
# Systemd generators
Setup generic generator attribute and change generator types. I'm seeing problems on RHEL7 with lvm2-activation-generator that are coming from recent changes to put systemd-fstab-generator into it's own domain. I resolved the issues by creaing this generator attribute to grant common generator permissions and move all generators into a single systemd_generator_t domain. Then setup specific types for the following generators: lvm2-activation-generator - needs to read lvm2 config systemd-sysv-generator - needs to read stuff in init_t that other generators don't. systemd-efi-boot-generator - needs to read stuff on the EFI boot partition labeled boot_t For fstab generator allow it to write /sys [ 19.482951] type=1400 audit(1584548691.268:7): avc: denied { write } for pid=1638 comm="systemd-fstab-g" name="/" dev="sysfs" ino=1 Allow scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1 audit(1585500099.139:6): avc: denied { read } for pid=1635 comm="systemd-cryptse" path="/run/systemd/generator/dev-mapper-luks\x2d6a613af0\x2d0a61\x2d462f\x2d8679\x2d1b0d964fbc88.device.d/.#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 audit(1585500099.139:7): avc: denied { setattr } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 audit(1585500099.139:8): avc: denied { rename } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-03-17 12:39:30 +00:00
/usr/lib/systemd/system-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
/usr/lib/systemd/system-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
/usr/lib/systemd/user-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
/usr/lib/systemd/user-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
/usr/lib/systemd/system-generators/lvm2-activation-generator -- gen_context(system_u:object_r:systemd_lvm2_generator_exec_t,s0)
/usr/lib/systemd/system-generators/systemd-efi-boot-generator -- gen_context(system_u:object_r:systemd_efi_generator_exec_t,s0)
/usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
/usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
2017-05-18 19:31:08 +00:00
/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
/usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
2017-08-14 20:32:29 +00:00
/usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
/usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
2020-01-31 21:46:56 +00:00
/usr/lib/systemd/systemd-user-runtime-dir -- gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
# Systemd unit files
/usr/lib/systemd/system/[^/]*halt.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/[^/]*hibernate.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/[^/]*power.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/[^/]*reboot.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/[^/]*shutdown.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
/usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
2017-08-14 20:32:29 +00:00
/usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
Update systemd-update-done policy systemd-update-done sends logs to journald like other services, as shown by the following AVC: type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for pid=277 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { write } for pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=unix_dgram_socket permissive=1 Moreover it creates /etc/.updated and /var/.updated using temporary files: type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate } for pid=277 comm="systemd-update-" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:system_r:systemd_update_done_t tclass=process permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { read write open } for pid=277 comm="systemd-update-" path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:84): avc: denied { create } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 [...] type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1 type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1" ino=806171 scontext=system_u:system_r:systemd_update_done_t tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 10:08:20 +00:00
/var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
2017-02-24 01:03:23 +00:00
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
2017-08-14 20:32:29 +00:00
/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
/run/tmpfiles\.d/.* <<none>>
2017-02-24 01:03:23 +00:00
/var/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)