systemd-logind exposes several properties related to the bootloader. One of them is BootLoaderEntries [1], which scans the disks using util-linux's blkid in order to find the ESP (EFI System Partition) [2][3]. This triggers the following logs in audit.log (where /dev/sda1 is the ESP, mounted on /boot):

    type=AVC msg=audit(1577692922.834:310): avc: denied { getattr } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1
    type=AVC msg=audit(1577692922.841:311): avc: denied { search } for pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
    type=AVC msg=audit(1577692922.841:312): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
    type=AVC msg=audit(1577692922.841:313): avc: denied { read } for pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
    type=AVC msg=audit(1577692922.841:313): avc: denied { open } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
    type=AVC msg=audit(1577692922.844:314): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
    type=AVC msg=audit(1577692922.844:315): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs" ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
    type=AVC msg=audit(1577692922.851:316): avc: denied { read } for pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
    type=AVC msg=audit(1577692922.851:316): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
    type=AVC msg=audit(1577692922.851:317): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
    type=AVC msg=audit(1577692922.851:318): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" dev="sda1" ino=4 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
    type=AVC msg=audit(1577692922.851:319): avc: denied { read } for pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
    type=AVC msg=audit(1577692922.851:319): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1" ino=5 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

As allowing read access to fixed disks (such as /dev/sda1 here) can be considered dangerous, add a conditional to allow the accesses.

[1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315
[2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118
[3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
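The AVC records quoted in the commit message are the raw input a policy author works from when deciding which accesses to grant and which of them deserve a tunable rather than an unconditional allow. The following parser is an added example, not code from refpolicy or from the commit above: it reads AVC lines in the format shown, groups the denied permissions by (source type, target type, object class), renders the resulting allow statements, and flags the groups that touch raw block devices (the `blk_file` accesses to `fixed_disk_device_t` that the commit message singles out). The sample input is constructed from the records quoted above, trimmed to the fields the parser uses; the function names and the `blk_file` heuristic are this example's own assumptions.

```python
"""Group SELinux AVC denials into the allow rules they would require.

Added example (not part of the refpolicy commit it accompanies): a small
parser for audit.log AVC records, used to see at a glance which permissions
a domain needs and which of them touch raw disk devices.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the commit message, trimmed
# to the fields this parser reads (pid/comm kept for readability only).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1577692922.834:310): avc: denied { getattr } for pid=690 comm="systemd-logind" name="/" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1
type=AVC msg=audit(1577692922.841:311): avc: denied { search } for pid=690 comm="systemd-logind" name="/" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
type=AVC msg=audit(1577692922.841:312): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
type=AVC msg=audit(1577692922.841:313): avc: denied { read } for pid=690 comm="systemd-logind" name="sda1" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1577692922.841:313): avc: denied { open } for pid=690 comm="systemd-logind" path="/dev/sda1" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1577692922.844:314): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/dev/sda1" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1577692922.844:315): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/dev/sda1" ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
type=AVC msg=audit(1577692922.851:316): avc: denied { read } for pid=690 comm="systemd-logind" name="loader.conf" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
type=AVC msg=audit(1577692922.851:316): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
type=AVC msg=audit(1577692922.851:317): avc: denied { getattr } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
type=AVC msg=audit(1577692922.851:318): avc: denied { ioctl } for pid=690 comm="systemd-logind" path="/boot/loader/loader.conf" ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=file permissive=1
type=AVC msg=audit(1577692922.851:319): avc: denied { read } for pid=690 comm="systemd-logind" name="entries" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
type=AVC msg=audit(1577692922.851:319): avc: denied { open } for pid=690 comm="systemd-logind" path="/boot/loader/entries" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1
"""

# One AVC record: the braced permission set, then the source/target contexts
# and object class. Fields between them (pid, path, ioctlcmd, ...) are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(context):
    """Return the type component (user:role:type[:level]) of a security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def summarize(audit_text):
    """Map (source type, target type, class) to the sorted set of denied permissions."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms_by_key[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in perms_by_key.items()}


def allow_rules(summary):
    """Render the summary as kernel-policy allow statements, one per class."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


def sensitive_rules(summary):
    """Groups that open raw block devices: candidates for a boolean, not a plain allow."""
    return [key for key in sorted(summary) if key[2] == "blk_file"]


if __name__ == "__main__":
    s = summarize(SAMPLE_AUDIT)
    for rule in allow_rules(s):
        print(rule)
    print("put behind a tunable:", sensitive_rules(s))
```

Run against the sample, the `dosfs_t` groups come out as ordinary file, dir and filesystem permissions on the ESP, while the single `fixed_disk_device_t:blk_file` group is the one the commit message treats as dangerous and wraps in a conditional; `permissive=1` on every record confirms the denials were logged without being enforced.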