From: russell@coker.com.au (Russell Coker)
Date: Sat, 15 Apr 2017 01:58:11 +1000
Subject: [refpolicy] [PATCH] systemd init
Message-ID: <20170414155811.vtj6lbvb6yctmhjc@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.
Allow init_t to do several things that it requires when init is systemd.
Allow various operations on var_log_t to access var_log_t symlinks too.
Let auditd setattr it's directory.
Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
+++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
@@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
kernel_read_kernel_sysctls(mandb_t)
kernel_read_system_state(mandb_t)
+fs_getattr_xattr_fs(mandb_t)
corecmd_exec_bin(mandb_t)
corecmd_exec_shell(mandb_t)
@@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
userdom_use_inherited_user_terminals(mandb_t)
+ifdef(`init_systemd',`
+ init_search_run(mandb_t)
+')
+
optional_policy(`
cron_system_entry(mandb_t, mandb_exec_t)
')
Index: refpolicy-2.20170410/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/init.te
+++ refpolicy-2.20170410/policy/modules/system/init.te
@@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
dev_read_sysfs(init_t)
+logging_create_devlog_dev(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
@@ -316,6 +317,8 @@ ifdef(`init_systemd',`
seutil_read_file_contexts(init_t)
+ systemd_manage_lnk_file_passwd_run(init_t)
+
# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)
@@ -402,7 +405,7 @@ optional_policy(`
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
-allow initrc_t self:capability2 block_suspend;
+allow initrc_t self:capability2 { wake_alarm block_suspend };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -830,6 +833,7 @@ ifdef(`init_systemd',`
allow init_t self:process { getcap setcap };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
# Until systemd is fixed
allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
allow init_t self:udp_socket create_socket_perms;
Index: refpolicy-2.20170410/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170410/policy/modules/system/logging.if
@@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
files_search_var($1)
filetrans_pattern($1, var_log_t, $2, $3, $4)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
########################################
##
+## Connect to the syslog control unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_create_devlog_dev',`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
+ dev_filetrans($1, devlog_t, sock_file)
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
+')
+
+########################################
+##
## Read the auditd configuration files.
##
##
@@ -742,6 +763,7 @@ interface(`logging_search_logs',`
files_search_var($1)
allow $1 var_log_t:dir search_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
#######################################
@@ -779,6 +801,7 @@ interface(`logging_list_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
#######################################
@@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
files_search_var($1)
allow $1 var_log_t:dir rw_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
#######################################
@@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
files_search_var($1)
append_files_pattern($1, var_log_t, logfile)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
write_files_pattern($1, var_log_t, var_log_t)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
rw_files_pattern($1, var_log_t, var_log_t)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
Index: refpolicy-2.20170410/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/logging.te
+++ refpolicy-2.20170410/policy/modules/system/logging.te
@@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+allow auditd_t auditd_log_t:dir setattr;
allow auditd_t var_log_t:dir search_dir_perms;
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)