From a7e34076061e2500204938508e2a92ca509d41aa Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Thu, 29 Aug 2019 20:05:29 +0200
Subject: [PATCH 1/2] systemd: introduce an interface for services using PrivateDevices=yes

When a service is configured with PrivateDevices=yes, its /dev directory has label tmpfs_t. This requires allowing more accesses in order for the service to use /dev. This is related to https://github.com/SELinuxProject/refpolicy/pull/61

Signed-off-by: Nicolas Iooss
---
 policy/modules/system/systemd.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 2f782d9d7..28f96fab4 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -76,6 +76,24 @@ interface(`systemd_log_parse_environment',`
 typeattribute $1 systemd_log_parse_env_type;
 ')
+######################################
+##
+## Allow domain to be used as a systemd service with a unit
+## that uses PrivateDevices=yes in section [Service].
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`systemd_PrivateDevices',`
+ # For services using PrivateDevices, systemd mounts a dedicated
+ # tmpfs filesystem for the /dev, which gets label tmpfs_t.
+ # Allow to traverse /dev and to read symlinks in /dev (for example /dev/log)
+ fs_read_tmpfs_symlinks($1)
+')
+
 #######################################
 ##
 ## Allow domain to read udev hwdb file
From 58189f4965cee47f28ea2f73e3ceee4355ee53d1 Mon Sep 17 00:00:00 2001
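Review bot: The new interface name `systemd_PrivateDevices` is mixed-case, while every other interface in this file, including `systemd_log_parse_environment` in the hunk context, is lowercase snake_case; `interface(`systemd_private_devices',`` keeps naming consistent and greppable across the policy. The summary should also say what is really granted: `fs_read_tmpfs_symlinks($1)` operates on the global `tmpfs_t` type (its body is not visible here, but the name and the search/read_lnk denial pattern it is meant to cover imply that), so the caller gets directory search and symlink read on any tmpfs_t-labelled filesystem, not only the private /dev that systemd mounts for the unit. A one-line caveat in the summary, `## Note: the grant applies to every tmpfs_t directory, not only the unit's private /dev.`, lets module authors weigh that before calling it.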
From: Nicolas Iooss
Date: Sun, 1 Sep 2019 13:47:45 +0200
Subject: [PATCH 2/2] entropyd: haveged service uses PrivateDevices=yes

On Debian, haveged fails to start with "haveged: Couldn't open random device: Permission denied".
strace shows:
openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied)
audit.log has:
type=AVC msg=audit(1566048720.132:1338): avc: denied { search } for pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666 scontext=system_u:system_r:entropyd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs the search permission to it in order to open /dev/random. Use the newly-added interface to allow this access.

Signed-off-by: Nicolas Iooss
---
 policy/modules/services/entropyd.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
index be383c89f..7f15dc284 100644
--- a/policy/modules/services/entropyd.te
+++ b/policy/modules/services/entropyd.te
@@ -64,6 +64,12 @@ miscfiles_read_localization(entropyd_t)
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)
+ifdef(`init_systemd', `
+ optional_policy(`
+ systemd_PrivateDevices(entropyd_t)
+ ')
+')
+
 tunable_policy(`entropyd_use_audio',`
 dev_read_sound(entropyd_t)
 dev_write_sound(entropyd_t)
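Review bot: The added block carries no comment on why entropyd_t needs a systemd interface; the reason (haveged's unit sets `PrivateDevices=yes`, so its /dev is a private tmpfs_t mount) lives only in the commit message and is lost to the next reader of entropyd.te. A line such as `# haveged's unit uses PrivateDevices=yes, so its /dev is a private tmpfs_t mount` above the `ifdef` preserves it. Note that the AVC quoted in the description is only the `search` denial on the tmpfs_t directory; opening /dev/random with O_RDWR still depends on entropyd_t's existing random-device permissions, which are outside this hunk, so the fix should be confirmed by a full start of haveged rather than by the cited denial alone. The `ifdef(`init_systemd')` guard keys on the policy's init system, not on whether the installed unit actually uses PrivateDevices, so the broader tmpfs_t grant is made on every systemd build even where a distribution's unit omits that setting; that is worth stating in the comment as well.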