If these processes are compromised they can write units to do malicious
actions, so trying to tightly protect the resources for each generator
is not effective.
Made the fstools_exec() optional, although it is unlikely that a system
would not have the module.
Only aliases for removed types in previous releases are added. The
systemd_unit_generator() interface and systemd_generator_type attribute
were not released and are dropped without deprecation.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
I'm seeing problems on RHEL7 with lvm2-activation-generator that are
coming from recent changes to put systemd-fstab-generator into it's
own domain. I resolved the issues by creaing this generator attribute
to grant common generator permissions and move all generators into
a single systemd_generator_t domain.
Then setup specific types for the following generators:
lvm2-activation-generator - needs to read lvm2 config
systemd-sysv-generator - needs to read stuff in init_t that other generators don't.
systemd-efi-boot-generator - needs to read stuff on the EFI boot partition labeled boot_t
For fstab generator allow it to write /sys
[ 19.482951] type=1400 audit(1584548691.268:7): avc: denied { write } for pid=1638 comm="systemd-fstab-g" name="/" dev="sysfs" ino=1 Allow scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
audit(1585500099.139:6): avc: denied { read } for pid=1635 comm="systemd-cryptse" path="/run/systemd/generator/dev-mapper-luks\x2d6a613af0\x2d0a61\x2d462f\x2d8679\x2d1b0d964fbc88.device.d/.#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
audit(1585500099.139:7): avc: denied { setattr } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
audit(1585500099.139:8): avc: denied { rename } for pid=1635 comm="systemd-cryptse" name=".#90-device-timeout.confsOskdU" dev="tmpfs" ino=12243 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd's Name Service Switch (NSS) module provides UNIX user and group
name resolution for dynamic users and groups allocated through options
such as DynamicUser= in systemd unit files, according to its man page,
https://github.com/systemd/systemd/blob/v244/man/nss-systemd.xml.
If systemd compiled without NOLEGACY, commit
24eccc3414
("nss-systemd,user-util: add a way how synthesizing "nobody" can be
turned off") implemented a way to tweak nss-systemd's behavior by
checking whether /etc/systemd/dont-synthesize-nobody exists. Allow this
access.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
systemd-modules-load is used to pre-load kernal modules as the system comes up.
It was running initc_t which didn't have permissions to actually load kernel
modules. This change sets up a new domain for this service and grants permission
necessary to load kernel modules.
Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:10): avc: denied { read } for pid=4257 comm="systemd-modules" name="fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
Feb 05 03:38:20 4c4c4544-0052-5410-8043-b1c04f503232 kernel: type=1400 audit(1549337898.886:11): avc: denied { open } for pid=4257 comm="systemd-modules" path="/usr/lib/modules/3.10.0-957.1.3.el7.x86_64/kernel/fs/fuse/fuse.ko.xz" dev="dm-1" ino=2390271 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete. It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd-update-done needs to be able to create /etc/.updated and /var/.updated
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
The type systemd_unit_t is actually declared in init.te.
Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Here's the latest version of my patch to remove all /var/run when it's not
needed. I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it. So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.
From Russell Coker
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.
The documentation page of this service describes well which access are
needed
(https://www.freedesktop.org/software/systemd/man/systemd-backlight@.service.html).
systemd-backlight:
- is a systemd service
- manages /var/lib/systemd/backlight/
- reads udev device properties to find ID_BACKLIGHT_CLAMP
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Remove file context aliases and update file context paths to use the /run filesystem path.
Add backward compatibility file context alias for /var/run using applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Lock files are still seated at /var/lock
Chris PeBenito
bauen1
Dave Sugar
Nicolas Iooss
Russell Coker
James Carter
Laurent Bigonville
Krzysztof Nowicki
cgzones
Dominick Grift
Chris PeBenito