systemd-logind: allow using BootLoaderEntries DBUS property

systemd-logind exposes several properties related to the bootloader. One
of them is BootLoaderEntries [1], which scans the disks using
util-linux's blkid in order to find the ESP (EFI System Partition) [2][3].

This triggers the following logs in audit.log (where /dev/sda1 is the
ESP, mounted on /boot):

    type=AVC msg=audit(1577692922.834:310): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1

    type=AVC msg=audit(1577692922.841:311): avc:  denied  { search } for
    pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.841:312): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.841:313): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.841:313): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.844:314): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.844:315): avc:  denied  { ioctl } for
    pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.851:316): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:316): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:317): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:318): avc:  denied  { ioctl } for
    pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 ioctlcmd=0x5401
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:319): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.851:319): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1"
    ino=5 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

As allowing raw read access to fixed disk devices (such as /dev/sda1 here)
can be considered dangerous, gate these accesses behind a new boolean
(tunable) that defaults to off.

[1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315
[2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118
[3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nicolas Iooss 2020-01-12 20:51:45 +01:00 committed by Nicolas Iooss
parent cb5e78abe7
commit 2de74b9ca1
1 changed files with 19 additions and 0 deletions


@ -20,6 +20,15 @@ gen_tunable(systemd_tmpfiles_manage_all, false)
## </desc>
gen_tunable(systemd_nspawn_labeled_namespace, false)
## <desc>
## <p>
## Allow systemd-logind to interact with the bootloader (read which one is
## installed on fixed disks, enumerate entries for dbus property
## BootLoaderEntries, etc.)
## </p>
## </desc>
gen_tunable(systemd_logind_get_bootloader, false)
attribute systemd_log_parse_env_type;
attribute systemd_tmpfiles_conf_type;
attribute systemd_user_session_type;
@ -546,6 +555,16 @@ ifdef(`distro_redhat',`
userdom_user_runtime_root_filetrans_user_runtime(systemd_logind_t, dir)
')
tunable_policy(`systemd_logind_get_bootloader',`
fs_getattr_dos_fs(systemd_logind_t)
fs_list_dos(systemd_logind_t)
fs_read_dos_files(systemd_logind_t)
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
# This reads the first sectors of fixed disk devices.
storage_raw_read_fixed_disk(systemd_logind_t)
')
optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
dbus_system_bus_client(systemd_logind_t)
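Review bot: The tunable description in the first hunk (the `## <p>` paragraph above `gen_tunable(systemd_logind_get_bootloader, false)`) understates what the boolean grants: `storage_raw_read_fixed_disk(systemd_logind_t)` in the second hunk allows raw reads of every fixed_disk_device_t block device, so a compromised systemd-logind could read the contents of any partition (including the root filesystem), not just the ESP. An administrator toggling the boolean should see that trade-off where setsebool/semanage show it, so I would extend the paragraph to state that enabling it grants raw read access to all fixed disk block devices, not only the EFI System Partition, because libblkid is used to locate the ESP; the in-policy comment `# This reads the first sectors of fixed disk devices.` could likewise note that this is why the rule is gated behind a boolean that defaults to false. Separately, if the BootLoaderEntries property can be read by unprivileged bus clients (I have not verified the logind D-Bus policy), the denials in the commit message will recur on every property read while the boolean is off; whether the off branch should carry a `dontaudit` for the dosfs_t and filesystem getattr accesses, while deliberately leaving the raw disk read audited, is worth a sentence in the commit message either way.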