From e20db26b7b7be4cf98989662a8bdc62d8d1b7b51 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Sun, 17 May 2020 13:36:56 +0200
Subject: [PATCH] systemd-timesyncd.service sandbox requried permissions

For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.:

Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc: granted { create } for pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file

Signed-off-by: bauen1
---
 policy/modules/kernel/devices.te | 6 +++++-
 policy/modules/kernel/files.te | 4 ++++
 policy/modules/kernel/filesystem.te | 4 ++++
 policy/modules/kernel/kernel.te | 8 ++++++++
 policy/modules/services/ntp.te | 2 ++
 policy/modules/system/init.te | 1 +
 6 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 2795ad803..33f743b83 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -197,6 +197,10 @@ type mtrr_device_t;
 dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 
+optional_policy(`
+	init_mountpoint(mtrr_device_t)
+')
+
 #
 # null_device_t is the type of /dev/null.
 #
@@ -285,7 +289,7 @@ type tpm_device_t;
 dev_node(tpm_device_t)
 
 #
-# uhid_device_t is the thpe of /dev/uhid -
+# uhid_device_t is the type of /dev/uhid -
 # User-space I/O driver support for HID subsystem
 #
 type uhid_device_t;
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 24eae3b4d..9cd71d5ab 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -136,6 +136,10 @@ type system_map_t;
 files_type(system_map_t)
 genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
 
+optional_policy(`
+	init_mountpoint(system_map_t)
+')
+
 #
 # tmp_t is the type of the temporary directories
 #
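Review bot: The `optional_policy` block that adds `init_mountpoint(mtrr_device_t)` after the `genfscon proc /mtrr` line carries no comment, while every type in devices.te is introduced by a `#` header saying what it is for. Nothing in the commit message explains why init must mount over /proc/mtrr (the message only documents the tmpfs symlink AVC), so the reason is lost for the next maintainer; presumably it is systemd masking kernel tunables during service sandbox setup, but that should be stated rather than guessed, e.g. `# systemd service sandbox setup mounts over /proc/mtrr (init_mountpoint)`. The same applies to the matching blocks for system_map_t in files.te, tracefs_t in filesystem.te and sysctl_irq_t in kernel.te.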
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index a6a56bf1e..a345398fa 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -181,6 +181,10 @@ type tracefs_t;
 fs_type(tracefs_t)
 genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)
 
+optional_policy(`
+	init_mountpoint(tracefs_t)
+')
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 562671bcd..750dccac7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -95,6 +95,10 @@ type proc_kcore_t, proc_type;
 neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 
+optional_policy(`
+	init_mountpoint(proc_kcore_t)
+')
+
 type proc_mdstat_t, proc_type;
 genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
 
@@ -119,6 +123,10 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
 type sysctl_irq_t, sysctl_type;
 genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0)
 
+optional_policy(`
+	init_mountpoint(sysctl_irq_t)
+')
+
 # /proc/net/rpc directory and files
 type sysctl_rpc_t, sysctl_type;
 genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index a8ab90d47..b5dc138d2 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -12,6 +12,7 @@ files_config_file(ntp_conf_t)
 
 type ntp_drift_t;
 files_type(ntp_drift_t)
+init_mountpoint(ntp_drift_t)
 
 type ntpd_t;
 type ntpd_exec_t;
@@ -33,6 +34,7 @@ logging_log_file(ntpd_log_t)
 
 type ntpd_pid_t;
 files_pid_file(ntpd_pid_t)
+init_mountpoint(ntpd_pid_t)
 
 type ntpd_tmp_t;
 files_tmp_file(ntpd_tmp_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d52490bb..cc9438ce5 100644
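Review bot: The new `init_mountpoint(proc_kcore_t)` in kernel.te sits directly under the context line `neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;`, which the hunk leaves unchanged. If init_mountpoint grants `mounton` on the file class, as its name suggests, that neverallow is violated for init_t unless init_t already carries can_dump_kernel or kern_unconfined, and the policy will fail the neverallow check at build time. The one-line fix is to widen the exception to `neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~{ getattr mounton };`, together with a comment recording that init only needs to mount over /proc/kcore, never read it; proc_kcore_t is labelled mls_systemhigh, so any widening of that exception deserves the explicit note. The sysctl_irq_t hunk in the same file has no such constraint and only needs a reason comment.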
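Review bot: `init_mountpoint(ntp_drift_t)` in the first ntp.te hunk gives no indication of which directory systemd mounts over, and unlike the kernel-layer hunks it is not wrapped in `optional_policy`; if ntp.te already calls init interfaces unconditionally that is consistent, otherwise it should be wrapped like the others. The commit message documents only the tmpfs symlink AVC, so the mounton need for ntp_drift_t and ntpd_pid_t cannot be traced from this patch; a short comment naming the ntp_drift_t-labelled directory that the timesyncd sandbox bind-mounts, e.g. `# systemd-timesyncd sandbox setup mounts over the drift/state directory`, would let a later reviewer judge whether the grant can be narrowed to one type. The same applies to `init_mountpoint(ntpd_pid_t)` in the second ntp.te hunk.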
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -408,6 +408,7 @@ ifdef(`init_systemd',`
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
 	fs_relabelfrom_tmpfs_sockets(init_t)
+	fs_manage_tmpfs_symlinks(init_t)
 	# mount-setup
 	fs_unmount_autofs(init_t)
 	fs_getattr_pstore_dirs(init_t)
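Review bot: `fs_manage_tmpfs_symlinks(init_t)` grants the full manage set on tmpfs_t symlinks, but the only evidence in the commit message is an AVC for `create` of a tmpfs_t `lnk_file` named stderr, so the grant is wider than what is shown to be needed and the hunk does not say why. If filesystem.if offers a create-only tmpfs symlink interface it would be the tighter choice; if not, a comment tying the rule to its cause keeps the grant reviewable, e.g. `# systemd sandbox setup creates symlinks (e.g. stderr) in the per-service tmpfs`. The neighbouring lines are relabel rules, so placing the new rule with its own comment also makes clear it is a different kind of access. The enclosing init_systemd ifdef block starts and ends outside the hunk.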