Commit Graph

29 Commits

Author SHA1 Message Date
Chris PeBenito da156aea1e systemd: Add initial policy for systemd --user.
This is just a start; it does not cover all uses.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-25 11:18:58 -04:00
Sugar, David 9d2b68e0ba Allow additional map permission when reading hwdb
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.

type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Updated from previous to create a new interface.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:53:30 -04:00
Chris PeBenito ecb4968238 systemd: Move interface implementation. 2019-01-20 16:36:36 -05:00
Sugar, David 6e86de0736 Add interface to read journal files
When using 'systemctl status <service>' it will show recent
log entries for the selected service.  These recent log
entries are coming from the journal.  These rules allow the
reading of the journal files.

type=AVC msg=audit(1547760159.435:864): avc:  denied  { read } for  pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc:  denied  { getattr } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { read } for  pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc:  denied  { map } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-20 16:34:14 -05:00
Sugar, David 34e3505004 Interface with systemd_hostnamed over dbus to set hostname
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-16 18:12:50 -05:00
Chris PeBenito 61b83b30be systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime().
Move implementation with other networkd_runtime interfaces.
2019-01-06 13:49:02 -05:00
Russell Coker b77b4cd610 missing from previous
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
2019-01-06 13:44:18 -05:00
David Sugar 56e8f679b2 interface to enable/disable systemd_networkd service
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
Laurent Bigonville 06588b55b4 Add systemd_dbus_chat_resolved() interface 2018-11-11 13:33:00 +01:00
Chris PeBenito 0252046c95 systemd: Move lines. 2018-06-07 20:17:15 -04:00
Dave Sugar f4713393ae policy for systemd-hwdb
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete.  It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar 2408d45a3d policy for systemd-update-done
systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun  6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun  6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun  6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun  6 13:11:58 localhost systemd: systemd-update-done.service failed.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
Dave Sugar 0ddccc81ad Allow systemd_resolved to read systemd_networkd runtime files
type=AVC msg=audit(1527698299.999:144): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527698299.999:145): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698299.999:145): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698300.000:146): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527702014.276:183): avc:  denied  { search } for  pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527704163.181:152): avc:  denied  { open } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.181:153): avc:  denied  { getattr } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.604:173): avc:  denied  { read } for  pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:47 -04:00
Dave Sugar f865919872 Interface to read /run/systemd/resolve/resolv.conf
With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file.
Please note, this can't be in optional due to tunable_policy in nis_authenticate interface.

type=AVC msg=audit(1523455881.596:214): avc:  denied  { search } for  pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc:  denied  { read } for  pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc:  denied  { open } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc:  denied  { getattr } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
Chris PeBenito 03e2f1a809 Simple map patch from Russell Coker. 2018-02-15 17:10:34 -05:00
Laurent Bigonville 88b7c61bd7 Add private type for systemd logind inhibit files and pipes 2017-12-07 18:50:30 -05:00
David Sugar 4a54f9c1f0 policy for systemd-networkd
Policy needed for systemd-networkd to function.  This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch).  He was too busy to update and I needed to get it working.

I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-12 18:38:54 -04:00
David Sugar 967ef00181 Fix problem labeling /run/log/journal/*
Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/*

[    4.758398] type=1400 audit(1507601754.187:3): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
[    4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied
[    4.758736] type=1400 audit(1507601754.187:4): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[    4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied
[    4.758928] type=1400 audit(1507601754.187:5): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[    4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied
[    4.759144] type=1400 audit(1507601754.187:6): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
[    4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-10 20:24:18 -04:00
Nicolas Iooss 60382e9e53 init: allow systemd to relabel /dev and /run
systemd relabels everything in /dev and /run after loading the policy.
In these directories there is a socket file for udev, /run/udev/control,
which is not allowed to be relabelled from tmpfs_t:

    avc:  denied  { relabelfrom } for  pid=1 comm="systemd"
    name="control" dev="tmpfs" ino=7027
    scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t
    tclass=sock_file permissive=1

    avc:  denied  { relabelto } for  pid=1 comm="systemd" name="control"
    dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
    permissive=1

/run/tmpfiles.d directory (used by systemd-tmpfiles service) is also
relabelled.
2017-09-11 20:03:31 -04:00
Chris PeBenito a46fbbc2fb systemd: Whitespace fix. 2017-09-08 11:41:56 -04:00
Chris PeBenito 60114027f7 more systemd stuff from Russell Coker
This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.

It has a number of changes needed by systemd_logind_t to set permissions for
local logins.

It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.

It has some changes for udev_t for systemd-udevd.
2017-04-16 19:48:04 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
cgzones 4d0d7cfc6f systemd-tmpfiles: refactor runtime configs
handle runtime configuration files under /run/tmpfiles.d as 3rd party content, like /run or /var/lib
2017-02-27 19:32:20 +01:00
Chris PeBenito 65e60689d4 Fix CI errors. 2017-02-23 20:16:40 -05:00
Chris PeBenito 2087bde934 Systemd fixes from Russell Coker. 2017-02-23 20:03:23 -05:00
Chris PeBenito 53fb3a3ba4 dpkg: Updates from Russell Coker. 2017-02-19 16:13:14 -05:00
Dominick Grift 3c9fa86f15 systemd: Add support for --log-target
https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=

see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22

v2: Add comment about dontaudit rule

Signed-off-by: Dominick Grift <dac.override@gmail.com>
2016-03-31 08:22:50 -04:00
Chris PeBenito 37d2aeca3d Remove bad interface in systemd.if. 2015-11-05 15:31:53 -05:00
Chris PeBenito 3639880cf6 Implement core systemd policy.
Significant contributions from the Tresys CLIP team.

Other changes from Laurent Bigonville.
2015-10-23 10:16:59 -04:00