2017-09-10 18:22:21

by Nicolas Iooss

Subject: [refpolicy] [PATCH resend 1/2] init: allow systemd to create /dev/pts as devpts_t

This is currently denied:

avc: denied { create } for pid=1 comm="systemd" name="pts"
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:devpts_t tclass=dir permissive=1
---
policy/modules/kernel/terminal.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 16a96ec77e95..8be5a1d6de8d 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -149,6 +149,24 @@ interface(`term_mount_devpts',`
allow $1 devpts_t:filesystem mount;
')

+########################################
+## <summary>
+## Create directory /dev/pts.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process creating the directory.
+## </summary>
+## </param>
+#
+interface(`term_create_devpts',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir create_dir_perms;
+')
+
########################################
## <summary>
## Create a pty in the /dev/pts directory.
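Review bot: The `<param>` summary `The type of the process creating the directory.` departs from the boilerplate every other interface on this page uses; `Domain allowed access.` keeps the generated interface docs uniform. Because the interface grants only `devpts_t:dir create_dir_perms`, it relies on a directory file transition from the `/dev` parent type to `devpts_t` already applying to the caller — the AVC in the commit message shows the target already labelled `devpts_t`, so that appears to be the case, but the summary should say so, e.g. `Create the /dev/pts directory (labelled devpts_t by an existing file transition).` The reply below says the interface was renamed on merge; a name following the neighbouring `fs_relabel_tmpfs_dirs` pattern, such as `term_create_devpts_dirs`, would be my suggestion.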
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bdb0d6c86638..c6d2304569c9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -323,6 +323,8 @@ ifdef(`init_systemd',`
systemd_manage_passwd_runtime_symlinks(init_t)
systemd_use_passwd_agent(init_t)

+ term_create_devpts(init_t)
+
# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)

--
2.14.1


2017-09-10 18:22:22

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 2/2] init: allow systemd to relabel /dev and /run

systemd relabels everything in /dev and /run after loading the policy.
In these directories there is a socket file for udev, /run/udev/control,
which is not allowed to be relabelled from tmpfs_t:

avc: denied { relabelfrom } for pid=1 comm="systemd"
name="control" dev="tmpfs" ino=7027
scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t
tclass=sock_file permissive=1

avc: denied { relabelto } for pid=1 comm="systemd" name="control"
dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
permissive=1

The /run/tmpfiles.d directory (used by the systemd-tmpfiles service) is also
relabelled.
---
policy/modules/kernel/filesystem.if | 18 +++++++++++++
policy/modules/system/init.te | 6 +++++
policy/modules/system/systemd.if | 54 +++++++++++++++++++++++++++++++++++++
policy/modules/system/udev.if | 18 +++++++++++++
4 files changed, 96 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index c39ae0c4363a..e2e3a041d9a9 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4553,6 +4553,24 @@ interface(`fs_read_tmpfs_symlinks',`
read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
')

+########################################
+## <summary>
+## Relabelfrom socket files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_sockets',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:sock_file relabelfrom_sock_file_perms;
+')
+
########################################
## <summary>
## Relabelfrom tmpfs link files.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c6d2304569c9..9bc5ee4b0858 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -301,6 +301,7 @@ ifdef(`init_systemd',`
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
fs_relabel_tmpfs_files(init_t)
+ fs_relabelfrom_tmpfs_sockets(init_t)
# mount-setup
fs_unmount_autofs(init_t)
fs_getattr_pstore_dirs(init_t)
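Review bot: `fs_relabelfrom_tmpfs_sockets(init_t)` is inserted directly under the `# for privatetmp functions` comment, but per the commit message it serves the post-policy-load relabel of /dev and /run (the /run/udev/control socket), not PrivateTmp, so a later reader will attribute the wrong reason to it and may keep or drop it on that basis. I would give it its own comment, e.g. `# relabel /dev and /run after the policy is loaded`, and the same applies to the three `systemd_*_tmpfiles_conf*` calls and to `udev_relabelto_db_sockets` in the next two hunks, which also land without a why-comment. The enclosing `ifdef(`init_systemd',` block starts and ends outside these hunks.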
@@ -322,6 +323,9 @@ ifdef(`init_systemd',`

systemd_manage_passwd_runtime_symlinks(init_t)
systemd_use_passwd_agent(init_t)
+ systemd_list_tmpfiles_conf(init_t)
+ systemd_relabelto_tmpfiles_conf_dirs(init_t)
+ systemd_relabelto_tmpfiles_conf_files(init_t)

term_create_devpts(init_t)

@@ -331,6 +335,8 @@ ifdef(`init_systemd',`
# for systemd to read udev status
udev_read_pid_files(init_t)

+ udev_relabelto_db_sockets(init_t)
+
optional_policy(`
clock_read_adjtime(init_t)
')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index fa1c6568c0fe..766f33fb6cc9 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -463,6 +463,60 @@ interface(`systemd_tmpfiles_conf_filetrans',`
filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
')

+########################################
+## <summary>
+## Allow domain to list systemd tmpfiles config directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_list_tmpfiles_conf',`
+ gen_require(`
+ type systemd_tmpfiles_conf_t;
+ ')
+
+ allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to relabel to systemd tmpfiles config directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelto_tmpfiles_conf_dirs',`
+ gen_require(`
+ type systemd_tmpfiles_conf_t;
+ ')
+
+ allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to relabel to systemd tmpfiles config files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelto_tmpfiles_conf_files',`
+ gen_require(`
+ attribute systemd_tmpfiles_conf_type;
+ ')
+
+ allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
+')
+
#######################################
## <summary>
## Allow systemd_tmpfiles_t to manage filesystem objects
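Review bot: `systemd_relabelto_tmpfiles_conf_files` requires the attribute `systemd_tmpfiles_conf_type` while the sibling `systemd_relabelto_tmpfiles_conf_dirs` directly above requires only the type `systemd_tmpfiles_conf_t`, so the file rule is broader than the dir rule — it lets the caller label files with any type carrying that attribute, not just the one the commit message needs for /run/tmpfiles.d. Unless other conf types are expected under /run/tmpfiles.d, `type systemd_tmpfiles_conf_t;` with `allow $1 systemd_tmpfiles_conf_t:file relabelto_file_perms;` matches the dir interface and keeps the grant to what the denial shows. If the attribute is intentional, the summary should say so, e.g. `Allow domain to relabel to all systemd tmpfiles config file types`.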
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 9d5473e063e3..a2067895b6c4 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -261,6 +261,24 @@ interface(`udev_relabelto_db',`
allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
')

+########################################
+## <summary>
+## Allow process to relabelto sockets in /run/udev
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_relabelto_db_sockets',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ allow $1 udev_var_run_t:sock_file relabelto_sock_file_perms;
+')
+
########################################
## <summary>
## Search through udev pid content
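Review bot: The summary `Allow process to relabelto sockets in /run/udev` says `process` where the parameter is documented as `domain` and every neighbouring summary uses `domain`; `Allow domain to relabelto sockets in /run/udev.` keeps them aligned. It is also worth a one-line note that this is deliberately the `relabelto` half only, with the `relabelfrom` side coming from the tmpfs interface added in the same patch, so nobody later widens it to both directions without a matching denial.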
--
2.14.1

2017-09-11 23:45:52

by Chris PeBenito

Subject: [refpolicy] [PATCH resend 1/2] init: allow systemd to create /dev/pts as devpts_t

On 09/10/2017 02:22 PM, Nicolas Iooss via refpolicy wrote:
> This is currently denied:
>
> avc: denied { create } for pid=1 comm="systemd" name="pts"
> scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:devpts_t tclass=dir permissive=1
> ---
> policy/modules/kernel/terminal.if | 18 ++++++++++++++++++
> policy/modules/system/init.te | 2 ++
> 2 files changed, 20 insertions(+)
>
> diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> index 16a96ec77e95..8be5a1d6de8d 100644
> --- a/policy/modules/kernel/terminal.if
> +++ b/policy/modules/kernel/terminal.if
> @@ -149,6 +149,24 @@ interface(`term_mount_devpts',`
> allow $1 devpts_t:filesystem mount;
> ')
>
> +########################################
> +## <summary>
> +## Create directory /dev/pts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process creating the directory.
> +## </summary>
> +## </param>
> +#
> +interface(`term_create_devpts',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:dir create_dir_perms;
> +')
> +
> ########################################
> ## <summary>
> ## Create a pty in the /dev/pts directory.
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index bdb0d6c86638..c6d2304569c9 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -323,6 +323,8 @@ ifdef(`init_systemd',`
> systemd_manage_passwd_runtime_symlinks(init_t)
> systemd_use_passwd_agent(init_t)
>
> + term_create_devpts(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)

Merged, though I renamed the interface.


--
Chris PeBenito

2017-09-11 23:45:59

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 2/2] init: allow systemd to relabel /dev and /run

On 09/10/2017 02:22 PM, Nicolas Iooss via refpolicy wrote:
> systemd relabels everything in /dev and /run after loading the policy.
> In these directories there is a socket file for udev, /run/udev/control,
> which is not allowed to be relabelled from tmpfs_t:
>
> avc: denied { relabelfrom } for pid=1 comm="systemd"
> name="control" dev="tmpfs" ino=7027
> scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t
> tclass=sock_file permissive=1
>
> avc: denied { relabelto } for pid=1 comm="systemd" name="control"
> dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:udev_var_run_t tclass=sock_file
> permissive=1
>
> /run/tmpfiles.d directory (used by systemd-tmpfiles service) is also
> relabelled.
> ---
> policy/modules/kernel/filesystem.if | 18 +++++++++++++
> policy/modules/system/init.te | 6 +++++
> policy/modules/system/systemd.if | 54 +++++++++++++++++++++++++++++++++++++
> policy/modules/system/udev.if | 18 +++++++++++++
> 4 files changed, 96 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index c39ae0c4363a..e2e3a041d9a9 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -4553,6 +4553,24 @@ interface(`fs_read_tmpfs_symlinks',`
> read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
> ')
>
> +########################################
> +## <summary>
> +## Relabelfrom socket files on tmpfs filesystems.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_relabelfrom_tmpfs_sockets',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:sock_file relabelfrom_sock_file_perms;
> +')
> +
> ########################################
> ## <summary>
> ## Relabelfrom tmpfs link files.
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index c6d2304569c9..9bc5ee4b0858 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -301,6 +301,7 @@ ifdef(`init_systemd',`
> # for privatetmp functions
> fs_relabel_tmpfs_dirs(init_t)
> fs_relabel_tmpfs_files(init_t)
> + fs_relabelfrom_tmpfs_sockets(init_t)
> # mount-setup
> fs_unmount_autofs(init_t)
> fs_getattr_pstore_dirs(init_t)
> @@ -322,6 +323,9 @@ ifdef(`init_systemd',`
>
> systemd_manage_passwd_runtime_symlinks(init_t)
> systemd_use_passwd_agent(init_t)
> + systemd_list_tmpfiles_conf(init_t)
> + systemd_relabelto_tmpfiles_conf_dirs(init_t)
> + systemd_relabelto_tmpfiles_conf_files(init_t)
>
> term_create_devpts(init_t)
>
> @@ -331,6 +335,8 @@ ifdef(`init_systemd',`
> # for systemd to read udev status
> udev_read_pid_files(init_t)
>
> + udev_relabelto_db_sockets(init_t)
> +
> optional_policy(`
> clock_read_adjtime(init_t)
> ')
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index fa1c6568c0fe..766f33fb6cc9 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -463,6 +463,60 @@ interface(`systemd_tmpfiles_conf_filetrans',`
> filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
> ')
>
> +########################################
> +## <summary>
> +## Allow domain to list systemd tmpfiles config directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_list_tmpfiles_conf',`
> + gen_require(`
> + type systemd_tmpfiles_conf_t;
> + ')
> +
> + allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Allow domain to relabel to systemd tmpfiles config directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_relabelto_tmpfiles_conf_dirs',`
> + gen_require(`
> + type systemd_tmpfiles_conf_t;
> + ')
> +
> + allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Allow domain to relabel to systemd tmpfiles config files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_relabelto_tmpfiles_conf_files',`
> + gen_require(`
> + attribute systemd_tmpfiles_conf_type;
> + ')
> +
> + allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
> +')
> +
> #######################################
> ## <summary>
> ## Allow systemd_tmpfiles_t to manage filesystem objects
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 9d5473e063e3..a2067895b6c4 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -261,6 +261,24 @@ interface(`udev_relabelto_db',`
> allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
> ')
>
> +########################################
> +## <summary>
> +## Allow process to relabelto sockets in /run/udev
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_relabelto_db_sockets',`
> + gen_require(`
> + type udev_var_run_t;
> + ')
> +
> + allow $1 udev_var_run_t:sock_file relabelto_sock_file_perms;
> +')
> +
> ########################################
> ## <summary>
> ## Search through udev pid content
>

Merged.


--
Chris PeBenito