selinux-refpolicy/policy/modules/system
Nicolas Iooss 2de74b9ca1 systemd-logind: allow using BootLoaderEntries DBUS property
systemd-logind exposes several properties related to the bootloader. One
of them is BootLoaderEntries [1], which scans the disks using
util-linux's blkid in order to find the ESP (EFI System Partition) [2][3].

This triggers the following logs in audit.log (where /dev/sda1 is the
ESP, mounted on /boot):

    type=AVC msg=audit(1577692922.834:310): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=filesystem permissive=1

    type=AVC msg=audit(1577692922.841:311): avc:  denied  { search } for
    pid=690 comm="systemd-logind" name="/" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.841:312): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/boot" dev="sda1" ino=1
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.841:313): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="sda1" dev="devtmpfs" ino=2496
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.841:313): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.844:314): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.844:315): avc:  denied  { ioctl } for
    pid=690 comm="systemd-logind" path="/dev/sda1" dev="devtmpfs"
    ino=2496 ioctlcmd=0x1272 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
    permissive=1

    type=AVC msg=audit(1577692922.851:316): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="loader.conf" dev="sda1" ino=4
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:316): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:317): avc:  denied  { getattr }
    for  pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:318): avc:  denied  { ioctl } for
    pid=690 comm="systemd-logind" path="/boot/loader/loader.conf"
    dev="sda1" ino=4 ioctlcmd=0x5401
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=file permissive=1

    type=AVC msg=audit(1577692922.851:319): avc:  denied  { read } for
    pid=690 comm="systemd-logind" name="entries" dev="sda1" ino=5
    scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

    type=AVC msg=audit(1577692922.851:319): avc:  denied  { open } for
    pid=690 comm="systemd-logind" path="/boot/loader/entries" dev="sda1"
    ino=5 scontext=system_u:system_r:systemd_logind_t
    tcontext=system_u:object_r:dosfs_t tclass=dir permissive=1

As allowing read access to fixed disks (such as /dev/sda1 here) can be
considered dangerous, add a conditional to allow the accesses.

[1] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3315
[2] https://github.com/systemd/systemd/blob/v244/src/login/logind-dbus.c#L3118
[3] https://github.com/systemd/systemd/blob/v244/src/shared/bootspec.c#L835

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 20:51:45 +01:00
application.fc
application.if Start pulling in pieces of Fedora policy in system layer. 2011-03-31 13:29:59 -04:00
application.te Start pulling in pieces of Fedora policy in system layer. 2011-03-31 13:29:59 -04:00
authlogin.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
authlogin.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
authlogin.te various: Module version bump. 2019-09-30 20:39:31 -04:00
clock.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
clock.if Rearrange interfaces in files, clock, and udev. 2012-10-30 14:16:30 -04:00
clock.te Bump module versions for release. 2017-08-05 12:59:42 -04:00
daemontools.fc Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
daemontools.if Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
daemontools.te Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
fstools.fc fstools: label e2mmpstatus as fsadm_exec_t 2018-08-04 08:50:06 -04:00
fstools.if dphysswapfile: add interfaces and sysadm access 2017-09-14 17:19:55 -04:00
fstools.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
getty.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
getty.if getty: overlook module 2017-02-27 19:21:39 +01:00
getty.te Bump module versions for release. 2017-08-05 12:59:42 -04:00
hostname.fc Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
hostname.if
hostname.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
hotplug.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
hotplug.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
hotplug.te various: Module version bump. 2019-09-30 20:39:31 -04:00
init.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
init.if unconfined: Fix systemd --user rule. 2019-11-22 16:39:35 -05:00
init.te various: Module version bump. 2019-12-26 11:48:27 -05:00
ipsec.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
ipsec.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
ipsec.te various: Module version bump. 2019-09-30 20:39:31 -04:00
iptables.fc iptables: fcontexts for 1.8.0 2018-07-10 17:25:11 -04:00
iptables.if Add interface to start/stop iptables service 2019-01-12 14:32:00 -05:00
iptables.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
iscsi.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
iscsi.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
iscsi.te various: Module version bump. 2019-09-30 20:39:31 -04:00
libraries.fc libraries: fix some misspellings in patterns 2019-09-01 15:47:57 +02:00
libraries.if Add new mmap permission set and pattern support macros. 2017-12-13 18:58:34 -05:00
libraries.te various: Module version bump. 2019-09-03 19:47:12 -04:00
locallogin.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
locallogin.if Fix interface descriptions when duplicate ones are found 2016-01-19 00:17:34 +01:00
locallogin.te various: Module version bump. 2019-09-07 16:58:51 -04:00
logging.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
logging.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
logging.te logging: Module version bump. 2019-11-23 10:27:14 -05:00
lvm.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
lvm.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
lvm.te various: Module version bump. 2019-09-30 20:39:31 -04:00
metadata.xml
miscfiles.fc Remove unescaped single dot from the policy 2019-08-27 23:38:09 +02:00
miscfiles.if New interface to dontaudit access to cert_t 2019-02-20 19:28:45 -08:00
miscfiles.te Various: Module version bump. 2019-08-31 06:55:57 -04:00
modutils.fc Remove unescaped single dot from the policy 2019-08-27 23:38:09 +02:00
modutils.if modutils: libkmod mmap()s modules.dep and *.ko's 2017-09-11 20:31:23 -04:00
modutils.te various: Module version bump. 2019-09-30 20:39:31 -04:00
mount.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
mount.if mount: allow callers of mount to search /usr/bin 2019-12-22 16:54:51 +01:00
mount.te various: Module version bump. 2019-12-26 11:48:27 -05:00
netlabel.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
netlabel.if
netlabel.te Bump module versions for release. 2017-08-05 12:59:42 -04:00
pcmcia.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
pcmcia.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
pcmcia.te various: Module version bump. 2019-09-30 20:39:31 -04:00
raid.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
raid.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
raid.te various: Module version bump. 2019-09-30 20:39:31 -04:00
selinuxutil.fc Support systems with a single /usr/bin directory 2017-04-15 20:49:07 +02:00
selinuxutil.if fix: sudo can't determine default type for sysadm_r 2019-12-09 21:13:23 +01:00
selinuxutil.te various: Module version bump. 2019-12-26 11:48:27 -05:00
setrans.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
setrans.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
setrans.te various: Module version bump. 2019-09-30 20:39:31 -04:00
sysnetwork.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
sysnetwork.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
sysnetwork.te various: Module version bump. 2019-09-30 20:39:31 -04:00
systemd.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
systemd.if Merge pull request #112 from fishilico/systemd-sd-executor-use 2019-09-30 20:43:01 -04:00
systemd.te systemd-logind: allow using BootLoaderEntries DBUS property 2020-01-12 20:51:45 +01:00
udev.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
udev.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
udev.te various: Module version bump. 2019-12-26 12:21:07 -05:00
unconfined.fc Apache OpenOffice module (base policy part) 2016-12-06 20:08:06 -05:00
unconfined.if unconfined: Add namespaced capabilities. 2019-11-15 11:13:58 -05:00
unconfined.te unconfined: Module version bump. 2019-12-02 08:47:19 -05:00
userdomain.fc Move use of user_devpts_t from terminal.fc to userdomain.fc 2018-04-12 18:44:50 -04:00
userdomain.if systemd: Add initial policy for systemd --user. 2019-04-25 11:18:58 -04:00
userdomain.te various: Module version bump. 2019-09-30 20:39:31 -04:00
xdg.fc freedesktop location support 2018-06-10 13:23:01 -04:00
xdg.if xdg: Introduce xdg_search_cache_dirs 2018-06-24 19:11:14 -04:00
xdg.te Bump module versions for release. 2018-07-01 11:02:33 -04:00
xen.fc Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
xen.if Rename *_var_run_t types to *_runtime_t. 2019-09-30 20:02:43 -04:00
xen.te various: Module version bump. 2019-09-30 20:39:31 -04:00