Label some shell scripts from bridge-utils correctly. Maybe have ifdef
distro_debian around this, not sure what upstream is doing.
systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.
Another dontaudit for mon_local_test_t to stop it spamming the logs.
Support a .d directory for dnsmasq config files.
Do not audit ioctl operation attempts whenever write
operations on the xserver log should not be audited.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits. systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started. This interface allows that resource limit inheritance.
The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=
[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Alter interface init_startstop_service to also allow for the status permission. systemctl start <foo> and systemctl stop <foo> work correctly. But systemctl restart <foo> will fail as restart uses status to determine the action to take.
This interface is used by many other modules (like iptables, logging, apache, cron, etc... - see 'admin' interface). This allows restart to work for all these services.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each. The context is customized in /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2]
We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t
We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.
[1] The SELinuxContext option for systemd is explained https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained https://www.freedesktop.org/software/systemd/man/systemd.unit.html
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Those mmap() calls are non-essential, though. They're issued by
fdopen(), which can also fall back to read().
Since there are few reasons to grant read access to audit logs other
than for using ausearch, I've added the dontaudits directly to the
relevant read interfaces.
Note that not only kmod needs this permission, other libkmod consumers
like udev require it, too. Hence I'm adding the permission to the
relevant interfaces.
systemd relabels everything in /dev and /run after loading the policy.
In these directories there is a socket file for udev, /run/udev/control,
which is not allowed to be relabelled from tmpfs_t:
avc: denied { relabelfrom } for pid=1 comm="systemd"
name="control" dev="tmpfs" ino=7027
scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t
tclass=sock_file permissive=1
avc: denied { relabelto } for pid=1 comm="systemd" name="control"
dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
permissive=1
/run/tmpfiles.d directory (used by systemd-tmpfiles service) is also
relabelled.
This is currently denied:
avc: denied { create } for pid=1 comm="systemd" name="pts"
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:devpts_t tclass=dir permissive=1
This is a minor update of the last attempt at this patch.
Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf). Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable). Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t.
The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files.
Dave Sugar
dsugar@tresys.com
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Label RHEL specific systemd binaries /usr/lib/systemd/rhel* as initrc_exec_t.
Now in the proper location.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd tries to create /dev/pts directly with its context type
"devpts_t", but this is not allowed:
avc: denied { associate } for pid=1 comm="systemd" name="pts"
scontext=system_u:object_r:devpts_t
tcontext=system_u:object_r:device_t
tclass=filesystem permissive=1
The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup
filesystems.
Allows systemd_backlight_t to search /var/lib.
