policy for systemd-update-done

systemd-update-done needs to be able to create /etc/.updated and /var/.updated Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed. Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state. Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed. Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 15:19:41 -04:00 · 2018-06-07 15:19:41 -04:00 · 2408d45a3d
parent 664d932c0f
commit 2408d45a3d
4 changed files with 45 additions and 0 deletions
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -406,6 +406,7 @@ ifdef(`init_systemd',`
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(init_t)

+	systemd_getattr_updated_runtime(init_t)
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@ -25,6 +25,7 @@
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
+/usr/lib/systemd/systemd-update-done	--	gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)

 # Systemd unit files
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@ -753,3 +753,24 @@ interface(`systemd_read_resolved_runtime',`
 	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 ')

+#######################################
+## <summary>
+##  Allow domain to getattr on .updated file (generated by systemd-update-done
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_getattr_updated_runtime',`
+	gen_require(`
+		type systemd_update_run_t;
+	')
+
+	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+')
+
+
+
+
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -173,6 +173,13 @@ init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 type systemd_tmpfiles_conf_t;
 files_config_file(systemd_tmpfiles_conf_t)

+type systemd_update_done_t;
+type systemd_update_done_exec_t;
+init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
+
+type systemd_update_run_t;
+files_type(systemd_update_run_t)
+
 #
 # Unit file types
 #
@ -1006,3 +1013,18 @@ optional_policy(`
 	xserver_relabel_console_pipes(systemd_tmpfiles_t)
 	xserver_setattr_console_pipes(systemd_tmpfiles_t)
 ')
+
+#########################################
+#
+# Update Done local policy
+#
+
+allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+
+dev_write_kmsg(systemd_update_done_t)
+
+files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
+files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
+
+kernel_read_system_state(systemd_update_done_t)
+