nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
491ae9991a
selinux-refpolicy/policy/modules/services/plymouthd.if
Dave Sugar 51aadce3c2 Changes to support plymouth working in enforcing 
plymouth is started very early in the boot process.  Looks
like before the SELinux policy is loaded so plymouthd is
running as kernel_t rather than plymouthd_t.  Due to this
I needed to allow a few permissions on kernel_t to get
the system to boot.

type=AVC msg=audit(1554917011.127:225): avc:  denied  { write } for  pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:226): avc:  denied  { remove_name } for  pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:227): avc:  denied  { unlink } for  pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1

type=AVC msg=audit(1554917011.116:224): avc:  denied  { write } for  pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1

type=AVC msg=audit(1555069712.938:237): avc:  denied  { ioctl } for  pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
2019-04-23 07:48:15 -04:00

308 lines
6.0 KiB
Plaintext
Raw Blame History

## <summary>Plymouth graphical boot.</summary>
########################################
## <summary>
## Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`plymouthd_domtrans',`
gen_require(`
type plymouthd_t, plymouthd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
')
########################################
## <summary>
## Execute plymouthd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_exec',`
gen_require(`
type plymouthd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, plymouthd_exec_t)
')
########################################
## <summary>
## Connect to plymouthd using a unix
## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_stream_connect',`
gen_require(`
type plymouthd_t, plymouthd_spool_t;
')
files_search_spool($1)
stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
')
########################################
## <summary>
## Execute plymouth in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_exec_plymouth',`
gen_require(`
type plymouth_exec_t;
')
corecmd_search_bin($1)
can_exec($1, plymouth_exec_t)
')
########################################
## <summary>
## Execute a domain transition to run plymouth.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`plymouthd_domtrans_plymouth',`
gen_require(`
type plymouth_t, plymouth_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
')
########################################
## <summary>
## Search plymouthd spool directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_search_spool',`
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
allow $1 plymouthd_spool_t:dir search_dir_perms;
')
########################################
## <summary>
## Read plymouthd spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_spool_files',`
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
')
########################################
## <summary>
## Create, read, write, and delete
## plymouthd spool files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_manage_spool_files',`
gen_require(`
type plymouthd_spool_t;
')
files_search_spool($1)
manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
')
########################################
## <summary>
## Search plymouthd lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_search_lib',`
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Read plymouthd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_lib_files',`
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
########################################
## <summary>
## Read and write plymouthd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_rw_lib_files',`
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete
## plymouthd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_manage_lib_files',`
gen_require(`
type plymouthd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
########################################
## <summary>
## Read plymouthd pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_read_pid_files',`
gen_require(`
type plymouthd_var_run_t;
')
files_search_pids($1)
allow $1 plymouthd_var_run_t:dir search_dir_perms;
allow $1 plymouthd_var_run_t:file read_file_perms;
')
########################################
## <summary>
## Delete the plymouthd pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`plymouthd_delete_pid_files',`
gen_require(`
type plymouthd_var_run_t;
')
files_search_pids($1)
delete_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
')
########################################
## <summary>
## All of the rules required to
## administrate an plymouthd environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`plymouthd_admin',`
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
type plymouthd_var_run_t;
')
allow $1 plymouthd_t:process { ptrace signal_perms };
read_files_pattern($1, plymouthd_t, plymouthd_t)
files_search_spool($1)
admin_pattern($1, plymouthd_spool_t)
files_search_var_lib($1)
admin_pattern($1, plymouthd_var_lib_t)
files_search_pids($1)
admin_pattern($1, plymouthd_var_run_t)
')
Reference in New Issue View Git Blame Copy Permalink