nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pacemaker systemd permissions

Browse Source 
Allow pacemaker to get status of all running services and reload systemd

Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Allow pacemaker to start/sotp all units (when enabled)

Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Allow for dynamic creation of unit files (with private type)

By using a private type pacemaker doesn't need permission to
read/write all init_runtime_t files.

Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { write } for  pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { add_name } for  pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { create } for  pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc:  denied  { create } for  pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc:  denied  { write open } for  pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc:  denied  { getattr } for  pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
Dave Sugar 2020-09-26 22:07:21 -04:00
parent 428cc2ef9c
commit f36e39b45e
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
policy/modules/services/pacemaker.te
View File

@ -5,6 +5,13 @@ policy_module(pacemaker, 1.6.0)
# Declarations
#
## <desc>
## <p>
## Allow pacemaker to start/stop services
## </p>
## </desc>
gen_tunable(pacemaker_startstop_all_services, false)
type pacemaker_t;
type pacemaker_exec_t;
init_daemon_domain(pacemaker_t, pacemaker_exec_t)
@ -18,6 +25,9 @@ logging_log_file(pacemaker_log_t)
type pacemaker_runtime_t alias pacemaker_var_run_t;
files_runtime_file(pacemaker_runtime_t)
type pacemaker_runtime_unit_t;
init_unit_file(pacemaker_runtime_unit_t)
type pacemaker_tmp_t;
files_tmp_file(pacemaker_tmp_t)
@ -61,6 +71,10 @@ manage_dirs_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
manage_files_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
files_runtime_filetrans(pacemaker_t, pacemaker_runtime_t, { dir file })
manage_dirs_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
manage_files_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })
kernel_getattr_core_if(pacemaker_t)
kernel_read_all_sysctls(pacemaker_t)
kernel_read_messages(pacemaker_t)
@ -95,6 +109,16 @@ logging_send_syslog_msg(pacemaker_t)
miscfiles_read_localization(pacemaker_t)
ifdef(`init_systemd',`
init_get_all_units_status(pacemaker_t)
init_reload(pacemaker_t)
')
tunable_policy(`pacemaker_startstop_all_services',`
init_start_all_units(pacemaker_t)
init_stop_all_units(pacemaker_t)
')
optional_policy(`
corosync_read_log(pacemaker_t)
corosync_stream_connect(pacemaker_t)