Setup generic generator attribute and change generator types.
I'm seeing problems on RHEL7 with lvm2-activation-generator that are coming from recent changes to put systemd-fstab-generator into its own domain. I resolved the issues by creating this generator attribute to grant common generator permissions and move all generators into a single systemd_generator_t domain. Then set up specific types for the following generators: lvm2-activation-generator - needs to read lvm2 config systemd-sysv-generator - needs to read stuff in init_t that other generators don't. systemd-efi-boot-generator - needs to read stuff on the EFI boot partition labeled boot_t For fstab generator allow it to write /sys [ 19.482951] type=1400 audit(1584548691.268:7): avc: denied { write } for pid=1638 comm="systemd-fstab-g" name="/" dev="sysfs" ino=1 Allow scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1 audit(1585500099.139:6): avc: denied { read } for pid=1635 comm="systemd-cryptse" path="/run/systemd/generator/dev-mapper-luks\x2d6a613af0\x2d0a61\x2d462f\x2d8679\x2d1b0d964fbc88.device.d/.#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 audit(1585500099.139:7): avc: denied { setattr } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 audit(1585500099.139:8): avc: denied { rename } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
parent
07c77bf481
commit
ea2dc052c7
@ -227,12 +227,8 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -2924,6 +2924,24 @@ interface(`init_create_runtime_dirs',`
|
||||
create_dirs_pattern($1, init_runtime_t, init_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read init_runtime_t files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## domain
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_read_runtime_files',`
|
||||
gen_require(`
|
||||
type init_runtime_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, init_runtime_t, init_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Rename init_runtime_t files
|
||||
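Review bot: The `<param name="domain">` summary of the new `init_read_runtime_files` interface reads only `domain`, whereas refpolicy interface documentation conventionally states `Domain allowed access.` (the `lvm_map_config` interface added in this same commit does that). The same applies to `init_setattr_runtime_files` in the next hunk. Suggest `## Domain allowed access.` in both summaries; the interfaces themselves follow the surrounding `init_*_runtime_files` pattern and look correct.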
@ -2957,6 +2975,24 @@ interface(`init_rename_runtime_files',`
|
||||
rename_files_pattern($1, init_runtime_t, init_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Setattr init_runtime_t files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## domain
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`init_setattr_runtime_files',`
|
||||
gen_require(`
|
||||
type init_runtime_t;
|
||||
')
|
||||
|
||||
setattr_files_pattern($1, init_runtime_t, init_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete init_runtime_t files
|
||||
|
@ -102,6 +102,35 @@ interface(`lvm_read_config',`
|
||||
read_files_pattern($1, lvm_etc_t, lvm_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Map lvm config files.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow the specified domain to map lvm config files.
|
||||
## </p>
|
||||
## <p>
|
||||
## Related interfaces:
|
||||
## </p>
|
||||
## <ul>
|
||||
## <li>lvm_read_config()</li>
|
||||
## </ul>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`lvm_map_config',`
|
||||
gen_require(`
|
||||
type lvm_etc_t;
|
||||
')
|
||||
|
||||
allow $1 lvm_etc_t:file map;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage LVM configuration files.
|
||||
|
@ -18,8 +18,15 @@
|
||||
/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
|
||||
|
||||
# Systemd generators
|
||||
/usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
|
||||
/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
|
||||
/usr/lib/systemd/system-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
|
||||
/usr/lib/systemd/system-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
|
||||
/usr/lib/systemd/user-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
|
||||
/usr/lib/systemd/user-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
|
||||
/usr/lib/systemd/system-generators/lvm2-activation-generator -- gen_context(system_u:object_r:systemd_lvm2_generator_exec_t,s0)
|
||||
/usr/lib/systemd/system-generators/systemd-efi-boot-generator -- gen_context(system_u:object_r:systemd_efi_generator_exec_t,s0)
|
||||
/usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
|
||||
/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
|
||||
/usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
|
||||
/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
|
||||
|
@ -60,6 +60,32 @@ template(`systemd_role_template',`
|
||||
allow $3 $1_systemd_t:fd use;
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Make the specified type usable as a
|
||||
## systemd generator
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a systemd generator type.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
## <summary>
|
||||
## Type of the program to be used as an entry point to the generator domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_unit_generator',`
|
||||
gen_require(`
|
||||
attribute systemd_generator_type;
|
||||
')
|
||||
|
||||
typeattribute $1 systemd_generator_type;
|
||||
|
||||
init_system_domain($1, $2)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Make the specified type usable as an
|
||||
|
@ -29,6 +29,7 @@ gen_tunable(systemd_nspawn_labeled_namespace, false)
|
||||
## </desc>
|
||||
gen_tunable(systemd_logind_get_bootloader, false)
|
||||
|
||||
attribute systemd_generator_type;
|
||||
attribute systemd_log_parse_env_type;
|
||||
attribute systemd_tmpfiles_conf_type;
|
||||
attribute systemd_user_session_type;
|
||||
@ -61,13 +62,29 @@ init_unit_file(systemd_binfmt_unit_t)
|
||||
type systemd_conf_t;
|
||||
files_config_file(systemd_conf_t)
|
||||
|
||||
type systemd_generator_t;
|
||||
type systemd_generator_exec_t;
|
||||
systemd_unit_generator(systemd_generator_t, systemd_generator_exec_t)
|
||||
|
||||
type systemd_efi_generator_t;
|
||||
type systemd_efi_generator_exec_t;
|
||||
systemd_unit_generator(systemd_efi_generator_t, systemd_efi_generator_exec_t)
|
||||
|
||||
type systemd_fstab_generator_t;
|
||||
type systemd_fstab_generator_exec_t;
|
||||
init_system_domain(systemd_fstab_generator_t, systemd_fstab_generator_exec_t)
|
||||
systemd_unit_generator(systemd_fstab_generator_t, systemd_fstab_generator_exec_t)
|
||||
|
||||
type systemd_gpt_generator_t;
|
||||
type systemd_gpt_generator_exec_t;
|
||||
init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
|
||||
systemd_unit_generator(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
|
||||
|
||||
type systemd_lvm2_generator_t;
|
||||
type systemd_lvm2_generator_exec_t;
|
||||
systemd_unit_generator(systemd_lvm2_generator_t, systemd_lvm2_generator_exec_t)
|
||||
|
||||
type systemd_sysv_generator_t;
|
||||
type systemd_sysv_generator_exec_t;
|
||||
systemd_unit_generator(systemd_sysv_generator_t, systemd_sysv_generator_exec_t)
|
||||
|
||||
type systemd_cgroups_t;
|
||||
type systemd_cgroups_exec_t;
|
||||
@ -275,26 +292,52 @@ files_read_etc_files(systemd_binfmt_t)
|
||||
|
||||
fs_register_binary_executable_type(systemd_binfmt_t)
|
||||
|
||||
#######################################
|
||||
#
|
||||
# generic generator local policy
|
||||
#
|
||||
|
||||
corecmd_search_bin(systemd_generator_type)
|
||||
|
||||
dev_read_sysfs(systemd_generator_type)
|
||||
dev_write_kmsg(systemd_generator_type)
|
||||
|
||||
files_read_etc_files(systemd_generator_type)
|
||||
files_search_pids(systemd_generator_type)
|
||||
|
||||
init_create_pid_files(systemd_generator_type)
|
||||
init_manage_pid_dirs(systemd_generator_type)
|
||||
init_manage_pid_symlinks(systemd_generator_type)
|
||||
init_read_runtime_files(systemd_generator_type)
|
||||
init_read_state(systemd_generator_type)
|
||||
init_rename_runtime_files(systemd_generator_type)
|
||||
init_search_pids(systemd_generator_type)
|
||||
init_setattr_runtime_files(systemd_generator_type)
|
||||
init_write_pid_files(systemd_generator_type)
|
||||
|
||||
kernel_use_fds(systemd_generator_type)
|
||||
kernel_read_system_state(systemd_generator_type)
|
||||
kernel_read_kernel_sysctls(systemd_generator_type)
|
||||
|
||||
#######################################
|
||||
#
|
||||
# efi generator local policy
|
||||
#
|
||||
|
||||
files_list_boot(systemd_efi_generator_t)
|
||||
files_read_boot_files(systemd_efi_generator_t)
|
||||
|
||||
fs_list_efivars(systemd_efi_generator_t)
|
||||
|
||||
#######################################
|
||||
#
|
||||
# fstab generator local policy
|
||||
#
|
||||
|
||||
corecmd_search_bin(systemd_fstab_generator_t)
|
||||
|
||||
files_read_etc_files(systemd_fstab_generator_t)
|
||||
files_search_pids(systemd_fstab_generator_t)
|
||||
dev_write_sysfs_dirs(systemd_fstab_generator_t)
|
||||
|
||||
fstools_exec(systemd_fstab_generator_t)
|
||||
|
||||
init_create_pid_files(systemd_fstab_generator_t)
|
||||
init_manage_pid_dirs(systemd_fstab_generator_t)
|
||||
init_manage_pid_symlinks(systemd_fstab_generator_t)
|
||||
init_search_pids(systemd_fstab_generator_t)
|
||||
init_write_pid_files(systemd_fstab_generator_t)
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_fstab_generator_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_fstab_generator_t)
|
||||
|
||||
#######################################
|
||||
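Review bot: Several rules in the fstab generator local policy now duplicate what the new generic `systemd_generator_type` block grants — `corecmd_search_bin`, `files_read_etc_files`, `files_search_pids`, `init_create_pid_files`, `init_manage_pid_dirs`, `init_manage_pid_symlinks`, `init_search_pids`, `init_write_pid_files` and `kernel_read_kernel_sysctls` — because `systemd_fstab_generator_t` is placed in that attribute in the .te hunk above. The rendering does not show which of these lines were removed; if any survive on the new side they should be dropped, and the same holds for `kernel_read_kernel_sysctls`, `dev_read_sysfs` and `files_read_etc_files` in the GPT generator block of the next hunk. On `dev_write_sysfs_dirs(systemd_fstab_generator_t)`: the AVC quoted in the commit message is a single `write` on the sysfs root directory, which a unit generator has no evident reason to need; if the generator works without it, a dontaudit rule would be the tighter choice than an allow.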
@ -302,16 +345,33 @@ systemd_log_parse_environment(systemd_fstab_generator_t)
|
||||
# GPT auto generator local policy
|
||||
#
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_gpt_generator_t)
|
||||
|
||||
dev_read_sysfs(systemd_gpt_generator_t)
|
||||
files_list_usr(systemd_gpt_generator_t)
|
||||
files_read_etc_files(systemd_gpt_generator_t)
|
||||
fs_getattr_xattr_fs(systemd_gpt_generator_t)
|
||||
storage_raw_read_fixed_disk(systemd_gpt_generator_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_gpt_generator_t)
|
||||
|
||||
#######################################
|
||||
#
|
||||
# lvm2 activation generator local policy
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
lvm_map_config(systemd_lvm2_generator_t)
|
||||
lvm_read_config(systemd_lvm2_generator_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# sysv generator local policy
|
||||
#
|
||||
|
||||
corecmd_getattr_bin_files(systemd_sysv_generator_t)
|
||||
|
||||
init_list_unit_dirs(systemd_sysv_generator_t)
|
||||
init_read_generic_units_symlinks(systemd_sysv_generator_t)
|
||||
init_read_script_files(systemd_sysv_generator_t)
|
||||
|
||||
######################################
|
||||
#
|
||||
# Cgroups local policy
|
||||
|