I see this denial when mounting media. I'm running mount_exec_t
from my domain, not transitioning.
type=AVC msg=audit(1547086778.470:331): avc: denied { read write } for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470 scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/mount.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index bf9a8bf3..31475bde 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
')
+########################################
+## <summary>
+## Read and write mount runtime directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_rw_runtime_dir',`
+ gen_require(`
+ type mount_runtime_t;
+ ')
+
+ allow $1 mount_runtime_t:dir rw_dir_perms;
+')
+
--
2.20.1
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 9c70afc9..740b3a92 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -268,6 +268,27 @@ interface(`systemd_read_machines',`
allow $1 systemd_machined_var_run_t:file read_file_perms;
')
+########################################
+## <summary>
+## Send and receive messages from
+## systemd hostnamed over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_hostnamed',`
+ gen_require(`
+ type systemd_hostnamed_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_hostnamed_t:dbus send_msg;
+ allow systemd_hostnamed_t $1:dbus send_msg;
+')
+
########################################
## <summary>
## allow systemd_passwd_agent to inherit fds
--
2.20.1
journald already runs as syslogd_t label the config files similarly to
allow editing by domains that can edit syslog configuration files.
Also added some missing '\' before dot in filenames.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/logging.fc | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index c579c2d3..6693d87b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,11 +1,13 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
-/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/systemd/journald\.conf\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
/usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
--
2.20.1
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are requied.
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/sysnetwork.fc | 1 +
policy/modules/system/systemd.te | 3 +++
2 files changed, 4 insertions(+)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index cd528938..1e5432a4 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -18,6 +18,7 @@ ifdef(`distro_debian',`
/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index abcc52f5..75ee4310 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -325,6 +325,9 @@ files_read_etc_files(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
+sysnet_etc_filetrans_config(systemd_hostnamed_t)
+sysnet_manage_config(systemd_hostnamed_t)
+
systemd_log_parse_environment(systemd_hostnamed_t)
optional_policy(`
--
2.20.1
On 1/14/19 10:20 PM, Sugar, David wrote:
> I see this denial when mounting media. I'm running mount_exec_t
> from my domain, not transitioning.
>
> type=AVC msg=audit(1547086778.470:331): avc: denied { read write } for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470 scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1
Seems like there is a leaked file descriptor.
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/mount.if | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
> index bf9a8bf3..31475bde 100644
> --- a/policy/modules/system/mount.if
> +++ b/policy/modules/system/mount.if
> @@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
> rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
> ')
>
> +########################################
> +## <summary>
> +## Read and write mount runtime directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mount_rw_runtime_dir',`
> + gen_require(`
> + type mount_runtime_t;
> + ')
> +
> + allow $1 mount_runtime_t:dir rw_dir_perms;
> +')
> +
>
--
Chris PeBenito
On 1/14/19 10:20 PM, Sugar, David wrote:
> journald already runs as syslogd_t label the config files similarly to
> allow editing by domains that can edit syslog configuration files.
> Also added some missing '\' before dot in filenames.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/logging.fc | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index c579c2d3..6693d87b 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -1,11 +1,13 @@
> /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>
> -/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> -/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> -/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> -/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> -/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
> +/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> +/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/systemd/journald\.conf\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
>
> /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
> /usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
Merged, though preferrably, the whitespace changes would have been a
separate patch.
--
Chris PeBenito
On 1/14/19 10:20 PM, Sugar, David wrote:
> type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/systemd.if | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 9c70afc9..740b3a92 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -268,6 +268,27 @@ interface(`systemd_read_machines',`
> allow $1 systemd_machined_var_run_t:file read_file_perms;
> ')
>
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## systemd hostnamed over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_dbus_chat_hostnamed',`
> + gen_require(`
> + type systemd_hostnamed_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 systemd_hostnamed_t:dbus send_msg;
> + allow systemd_hostnamed_t $1:dbus send_msg;
> +')
> +
> ########################################
> ## <summary>
> ## allow systemd_passwd_agent to inherit fds
Merged.
--
Chris PeBenito
On 1/14/19 10:20 PM, Sugar, David wrote:
> hostnamectl updates /etc/hostname
> This change is setting the type for the file /etc/hostname to
> net_conf_t and granting hostnamectl permission to edit this file.
> Note that hostnamectl is initially creating a new file .#hostname*
> which is why the create permissions are requied.
>
> type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
> type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
> type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/sysnetwork.fc | 1 +
> policy/modules/system/systemd.te | 3 +++
> 2 files changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
> index cd528938..1e5432a4 100644
> --- a/policy/modules/system/sysnetwork.fc
> +++ b/policy/modules/system/sysnetwork.fc
> @@ -18,6 +18,7 @@ ifdef(`distro_debian',`
> /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index abcc52f5..75ee4310 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -325,6 +325,9 @@ files_read_etc_files(systemd_hostnamed_t)
>
> seutil_read_file_contexts(systemd_hostnamed_t)
>
> +sysnet_etc_filetrans_config(systemd_hostnamed_t)
> +sysnet_manage_config(systemd_hostnamed_t)
> +
> systemd_log_parse_environment(systemd_hostnamed_t)
>
> optional_policy(`
Merged.
--
Chris PeBenito
On 1/16/19 6:06 PM, Chris PeBenito wrote:
> On 1/14/19 10:20 PM, Sugar, David wrote:
>> I see this denial when mounting media. I'm running mount_exec_t
>> from my domain, not transitioning.
>>
>> type=AVC msg=audit(1547086778.470:331): avc: denied { read write }
>> for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470
>> scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1
>
> Seems like there is a leaked file descriptor.
>
I have done some more looking into what is going on here and I just
wanted to close the loop in case this comes up again from somewhere. I
ran strace to see what is going on and the following snippet from that
output is relevant:
This is the default case on RHEL7. It appears that mount is trying to
access a file /run/mount/utab (that doesn't exist).
stat("/run", {st_mode=S_IFDIR|0755, st_size=740, ...}) = 0
lstat("/run/mount/utab", 0x7ffd6ac8b0e0) = -1 ENOENT (No such file or
directory)
mkdir("/run/mount", 0755) = -1 EEXIST (File exists)
stat("/run/mount/utab", 0x7ffd6ac8afd0) = -1 ENOENT (No such file or
directory)
stat("/run/mount", {st_mode=S_IFDIR|0755, st_size=40, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/run/mount", R_OK|W_OK) = 0
If I create the file /run/mount/utab I get slightly a different result:
stat("/run", {st_mode=S_IFDIR|0755, st_size=740, ...}) = 0
lstat("/run/mount/utab", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
stat("/run/mount/utab", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/run/mount/utab", R_OK|W_OK) = 0
I don't know what is supposed to be creating /run/mount/utab. I see it
exist on a Fedora 29 machine, but not a clean RHEL 7.6 machine.
I ended up using systemd-tmpfiles to create the file /run/mount/utab.
At this point I am able to get everything to work using the existing
mount_rw_runtime_files interface.
I guess this is the long way of saying that this patch can be ignored
but for anyone else seeing the problem they need to create the
/run/mount/utab file to work around the denial.
>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/system/mount.if | 18 ++++++++++++++++++
>> 1 file changed, 18 insertions(+)
>>
>> diff --git a/policy/modules/system/mount.if
>> b/policy/modules/system/mount.if
>> index bf9a8bf3..31475bde 100644
>> --- a/policy/modules/system/mount.if
>> +++ b/policy/modules/system/mount.if
>> @@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
>> rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
>> ')
>> +########################################
>> +## <summary>
>> +## Read and write mount runtime directory
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mount_rw_runtime_dir',`
>> + gen_require(`
>> + type mount_runtime_t;
>> + ')
>> +
>> + allow $1 mount_runtime_t:dir rw_dir_perms;
>> +')
>> +
>>
>
>