Systemd starts networkd in a sandbox enviroment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:
avc: denied { mounton } for pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1
Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
lvm2 installs a file into /usr/lib/tmpfliles.d/ to create
/run/lock/lvm so systemd-tmpfilesd needs the rights to create it.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.
Fixes:
avc: denied { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.
This behaiour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered as a security risk.
Relevant denials are silenced in case the policy is disabled.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.
Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel securint context until they are recreated, which for some
sockets (notify socket) never happens.
Until there is a way to change the context of an already open socket
object all processes, that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.
Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.
[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
tmp
On systemd, systemd-networkd keeps its configuration in
/etc/systemd/network, where both files and directories are labelled as
net_conf_t. When granting network configuration management permissions
also include directory management rights when systemd is in use.
This fixes denials from udev trying to parse systemd network
configuration.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
While systemd recommends to use native binaries as generators due to
performance reasons, there is nothing that really prevents from them
being shell scripts.
This is Gentoo-specific as the affected generator is provided by
the distribution, not by upstream systemd.
Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
postfix_pipe_t requires reading dovecot configuration and connecting to
dovecot stream sockets if configured to use dovecot for local mail
delivery.
Signed-off-by: Kenton Groombridge <me@concord.sh>
This patch is for systemd-machined. Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?
Signed-off-by: Russell Coker <russell@coker.com.au>
Also do not supply the policy path, it is ignored since at least 2008
(13cd4c8960).
/usr/sbin/load_policy: Warning! Policy file argument (/etc/selinux/debian/policy/policy.32) is no longer supported, installed policy is always loaded. Continuing...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Ignore version mismatch when OUTPUT_POLICY is defined and the kernel
supports a higher policy version.
Currently Debian ships SELinux userland tools 3.1, which supports
version 32, and Linux 5.10, which supports version 33.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>