From 805f2d9cd4b8b8623bdb8f032a1d3bcb57b9a37f Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Thu, 3 Oct 2019 18:22:17 +0200
Subject: [PATCH 1/5] Allow the systemd dbus-daemon to talk to systemd

Recent versions of dbus are started as Type=notify

type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc: denied { write } for pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1

Signed-off-by: Laurent Bigonville
---
 policy/modules/services/dbus.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index bb3dac7da..58b03757e 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -159,6 +159,9 @@ ifdef(`init_systemd', `
 # for /run/systemd/dynamic-uid/
 init_list_pids(system_dbusd_t)
 init_read_runtime_symlinks(system_dbusd_t)
+
+ # Recent versions of dbus are started as Type=notify
+ init_write_runtime_socket(system_dbusd_t)
 ')

 optional_policy(`
From 69d88981bc4cf026acd7f2efe6142442c72d918a Mon Sep 17 00:00:00 2001
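Review bot: The new `init_write_runtime_socket(system_dbusd_t)` covers only the sock_file write that the quoted AVC shows, but the Type=notify handshake also has to deliver a datagram on that socket, which needs `sendto` on init_t's unix_dgram_socket; the log was taken with permissive=1 and quotes a single record, so whether system_dbusd_t already holds that permission from elsewhere is not visible in this hunk. If init.if provides an interface that bundles the runtime-dir search, the sock_file write and the dgram sendto (presumably init_dgram_send, if this tree has it), calling that would be the more complete fix; otherwise please confirm the unit starts cleanly in enforcing mode, not just permissive. A comment naming the mechanism rather than the dbus version, `# sd_notify() to /run/systemd/notify (Type=notify)`, would also make the rule easier to audit later. The ifdef(`init_systemd') block this sits in begins before the hunk.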
From: Laurent Bigonville
Date: Fri, 4 Oct 2019 16:13:02 +0200
Subject: [PATCH 2/5] Allow geoclue to log in syslog

----
time->Thu Oct 3 17:16:40 2019
type=AVC msg=audit(1570115800.136:513): avc: denied { create } for pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Thu Oct 3 17:16:40 2019
type=AVC msg=audit(1570115800.136:514): avc: denied { sendto } for pid=1384 comm="geoclue" path="/run/systemd/journal/socket" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tc lass=unix_dgram_socket permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { write } for pid=1384 comm="geoclue" name="socket" dev="tmpfs" ino=1781 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:devlog_t:s0 tcla ss=sock_file permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { search } for pid=1384 comm="geoclue" name="journal" dev="tmpfs" ino=1777 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:syslogd_runtim e_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { search } for pid=1384 comm="geoclue" name="systemd" dev="tmpfs" ino=11001 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:init_runtime_ t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc: denied { write } for pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----

Signed-off-by: Laurent Bigonville
---
 policy/modules/services/geoclue.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/geoclue.te b/policy/modules/services/geoclue.te
index c6e664088..a36bcb80d 100644
--- a/policy/modules/services/geoclue.te
+++ b/policy/modules/services/geoclue.te
@@ -30,6 +30,8 @@ dev_read_urand(geoclue_t)

 auth_use_nsswitch(geoclue_t)

+logging_send_syslog_msg(geoclue_t)
+
 miscfiles_read_generic_certs(geoclue_t)
 miscfiles_read_localization(geoclue_t)

From 9b18951eb0ed1a08e07532608344c0231fadac85 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Sat, 5 Oct 2019 13:27:24 +0200
Subject: [PATCH 3/5] Allow realmd_t to read localization files

----
time->Sat Oct 5 13:11:40 2019
type=AVC msg=audit(1570273900.483:148): avc: denied { open } for pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { read } for pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { read } for pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=262415 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1570273900.483:148): avc: denied { search } for pid=1382 comm="realmd" name="locale" dev="dm-1" ino=262056 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
----
time->Sat Oct 5 13:11:40 2019
type=AVC msg=audit(1570273900.483:149): avc: denied { getattr } for pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
----

Signed-off-by: Laurent Bigonville
---
 policy/modules/services/realmd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/realmd.te b/policy/modules/services/realmd.te
index 5bc878b29..841b02a44 100644
--- a/policy/modules/services/realmd.te
+++ b/policy/modules/services/realmd.te
@@ -44,6 +44,9 @@ auth_use_nsswitch(realmd_t)

 logging_send_syslog_msg(realmd_t)

+# Read /etc/locale.alias
+miscfiles_read_localization(realmd_t)
+
 optional_policy(`
 	dbus_system_domain(realmd_t, realmd_exec_t)

From 56a11f07c39dacfed512e0d566ce65e458435e8a Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Sun, 6 Oct 2019 12:01:48 +0200
Subject: [PATCH 4/5] Allow alsa_t to create alsa_runtime_t file as well

When alsactl is started as a daemon, it creates a pidfile (/run/alsactl.pid), that needs to be allowed

----
time->Sun Oct 6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc: denied { write open } for pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc: denied { create } for pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc: denied { open } for pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc: denied { read } for pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc: denied { unlink } for pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville
---
 policy/modules/admin/alsa.fc | 1 +
 policy/modules/admin/alsa.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf1..3f52f370f 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
 /etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)

 /run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_runtime_t,s0)

 /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
 /usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index e567dd324..9d053c4df 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
 can_exec(alsa_t, alsa_exec_t)

 allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
 allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })

 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
From 53a76d3fb75383908498624739a3a2865f2609db Mon Sep 17 00:00:00 2001
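Review bot: Widening the transition to `files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })` labels every plain file alsa_t creates directly in /run as alsa_runtime_t, not only the pid file the AVCs are about, and together with the new `manage_file_perms` that broadens alsa_t's write footprint beyond what the commit justifies. files_pid_filetrans accepts an optional filename argument, so keeping the existing dir transition unchanged and adding a name-scoped one, `files_pid_filetrans(alsa_t, alsa_runtime_t, file, "alsactl.pid")`, would confine the transition to /run/alsactl.pid and line up exactly with the new alsa.fc entry. The open/read records from pid 9186 show a second alsactl process, also in alsa_t, reading the pid file the daemon (pid 804) created and later unlinks, so the file permissions on the type are needed; a comment such as `# /run/alsactl.pid: written by the daemon, read back by the alsactl run at stop` would record why they were added.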
From: Laurent Bigonville
Date: Sun, 6 Oct 2019 12:32:03 +0200
Subject: [PATCH 5/5] Allow alsa_t to set scheduling priority and send signal to itself

When alsactl is running as a daemon with systemd, it sets its process priority to be nice to other processes.
When stopping the service, it's signaling to itself that it needs to exit.

----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1

Signed-off-by: Laurent Bigonville
---
 policy/modules/admin/alsa.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 9d053c4df..a22874850 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -44,6 +44,7 @@ files_lock_file(alsa_var_lock_t)
 allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
 # kill : kill pulseaudio
 dontaudit alsa_t self:capability { kill sys_admin };
+allow alsa_t self:process { getsched setsched signal };
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket { accept listen };
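Review bot: The `signal` permission in the new `allow alsa_t self:process { getsched setsched signal };` is not a process signaling itself: the getsched/setsched records come from pid 794 while the signal record comes from pid 3585, so a second alsactl process (presumably the one run at service stop) is signaling the running daemon, and `self` here means any alsa_t process. That is the right rule for the observed denial, but the commit text invites the narrower reading, so a comment above the line, `# the alsactl run at stop signals the running alsactl daemon (both alsa_t)`, would make the intent clear to the next reader. Since the capability line in this hunk grants no sys_nice, setsched here can only lower the daemon's own priority, which matches the stated purpose.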