From 51aadce3c2082e7f0efdea34e7c86b016d272fbc Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Thu, 11 Apr 2019 08:56:12 -0400 Subject: [PATCH] Changes to support plymouth working in enforcing plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0 --- policy/modules/kernel/devices.if | 18 +++++++++++++ policy/modules/kernel/kernel.te | 5 +++- policy/modules/services/plymouthd.if | 38 ++++++++++++++++++++++++++++ 3 files changed, 60 insertions(+), 1 deletion(-) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 78a95ce81..a7bb2af57 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1939,6 +1939,24 @@ interface(`dev_setattr_dri_dev',`
 setattr_chr_files_pattern($1, device_t, dri_device_t)
 ')
 
+########################################
+##
+## IOCTL the dri devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_ioctl_dri_dev',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ allow $1 dri_device_t:chr_file ioctl;
+')
+
 ########################################
 ##
 ## Read and write the dri devices.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b9ae4079c..d230a5a29 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -397,9 +397,12 @@ optional_policy(`
 ')
 
 optional_policy(`
- plymouthd_read_lib_files(kernel_t)
+ dev_ioctl_dri_dev(kernel_t)
+
+ plymouthd_delete_pid_files(kernel_t)
 plymouthd_read_pid_files(kernel_t)
 plymouthd_read_spool_files(kernel_t)
+ plymouthd_rw_lib_files(kernel_t)
 
 term_use_ptmx(kernel_t)
 term_use_unallocated_ttys(kernel_t)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index 04e0c734f..3cc08b961 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -192,6 +192,25 @@ interface(`plymouthd_read_lib_files',`
 read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
 ')
 
+########################################
+##
+## Read and write plymouthd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_rw_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete
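Review bot: `device_t` is declared in the `gen_require` of `dev_ioctl_dri_dev` but never used: the body is only `allow $1 dri_device_t:chr_file ioctl;`, unlike the neighbouring `dev_setattr_dri_dev`, whose `setattr_chr_files_pattern($1, device_t, dri_device_t)` needs `device_t` for the directory search. The require can be trimmed to `type dri_device_t;`. Note also that a bare `ioctl` permission covers every ioctl command on the DRI node, while the denial quoted in the commit message names a single `ioctlcmd=64b1`; if the target policy version supports extended permissions, an `allowxperm` ioctl whitelist inside this interface would keep callers to the commands plymouthd actually issues rather than the whole DRI ioctl surface.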
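Review bot: `dev_ioctl_dri_dev(kernel_t)` is placed inside the plymouthd `optional_policy` block, but it is a kernel-layer (devices) interface, which refpolicy calls unconditionally rather than under a services module's optional block; moving it next to kernel_t's other `dev_*` calls (outside this hunk) keeps the DRI ioctl grant independent of whether plymouthd is built and makes the block's intent clearer. Separately, the reason these rules exist — plymouthd running as kernel_t because it starts before the policy is loaded — lives only in the commit message; a comment above the block, e.g. `# plymouthd starts before the policy is loaded and so runs as kernel_t`, would tell the next maintainer why kernel_t writes plymouthd pid and lib state. Every grant here is permanent for kernel_t, the domain of everything that runs before policy load, so the set is worth keeping as small as the quoted denials require. The block's closing `')` lies beyond the end of the hunk.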
@@ -232,6 +251,25 @@ interface(`plymouthd_read_pid_files',`
 allow $1 plymouthd_var_run_t:file read_file_perms;
 ')
 
+########################################
+##
+## Delete the plymouthd pid files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`plymouthd_delete_pid_files',`
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
 ########################################
 ##
 ## All of the rules required to