From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Wed, 6 Sep 2017 22:44:16 +0200
Subject: [refpolicy] [PATCH 1/2] init: allow systemd to relabel /dev and /run
Message-ID: <20170906204417.15998-1-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

systemd relabels everything in /dev and /run after loading the policy. In these directories there is a socket file for udev, /run/udev/control, which is not allowed to be relabelled from tmpfs_t:

avc: denied { relabelfrom } for pid=1 comm="systemd" name="control" dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file permissive=1
avc: denied { relabelto } for pid=1 comm="systemd" name="control" dev="tmpfs" ino=7027 scontext=system_u:system_r:init_t tcontext=system_u:object_r:udev_var_run_t tclass=sock_file permissive=1

/run/tmpfiles.d directory (used by systemd-tmpfiles service) is also relabelled.
---
 policy/modules/kernel/filesystem.if | 18 +++++++++++++++++
 policy/modules/system/init.te | 3 +++
 policy/modules/system/systemd.if | 39 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/udev.if | 1 +
 4 files changed, 61 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index c39ae0c4363a..e2e3a041d9a9 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4553,6 +4553,24 @@ interface(`fs_read_tmpfs_symlinks',`
 read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
+########################################
+##
+## Relabelfrom socket files on tmpfs filesystems.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_relabelfrom_tmpfs_sockets',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:sock_file relabelfrom_sock_file_perms;
+')
+
 ########################################
 ##
 ## Relabelfrom tmpfs link files.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d59400317dd0..782916c55937 100644
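Review bot: The summary of fs_relabelfrom_tmpfs_sockets does not record why it grants only relabelfrom, while the neighbouring fs_relabel_tmpfs_dirs and fs_relabel_tmpfs_files that init.te calls next to it, by refpolicy naming convention, grant both directions; a later maintainer may "complete" it with relabelto and widen what PID 1 can do to tmpfs sockets. A sentence in the summary such as `## Only relabelfrom is granted; the destination label is provided by the target type's own relabelto interface.` would preserve the intent. The one-directional shape is the right least-privilege fit for the /run/udev/control case in the description, where the relabelto side comes from udev_relabelto_db.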
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -301,6 +301,7 @@ ifdef(`init_systemd',`
 # for privatetmp functions
 fs_relabel_tmpfs_dirs(init_t)
 fs_relabel_tmpfs_files(init_t)
+ fs_relabelfrom_tmpfs_sockets(init_t)
 # mount-setup
 fs_unmount_autofs(init_t)
 fs_getattr_pstore_dirs(init_t)
@@ -322,6 +323,8 @@ ifdef(`init_systemd',`
 systemd_manage_passwd_runtime_symlinks(init_t)
 systemd_use_passwd_agent(init_t)
+ systemd_tmpfiles_list_conf(init_t)
+ systemd_tmpfiles_relabelto_conf(init_t)
 term_create_devpts(init_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 10f75de39676..00d74936162d 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -463,6 +463,45 @@ interface(`systemd_tmpfiles_conf_filetrans',`
 filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4)
 ')
+########################################
+##
+## List systemd tmpfiles config directory.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_tmpfiles_list_conf',`
+ gen_require(`
+ type systemd_tmpfiles_conf_t;
+ ')
+
+ allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Relabel to systemd tmpfiles config directory
+## and files.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_tmpfiles_relabelto_conf',`
+ gen_require(`
+ attribute systemd_tmpfiles_conf_type;
+ type systemd_tmpfiles_conf_t;
+ ')
+
+ allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms;
+ allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms;
+')
+
 #######################################
 ##
 ## Allow systemd_tmpfiles_t to manage filesystem objects
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 9d5473e063e3..eb91fbaa0fe7 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
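Review bot: In the first init.te hunk, `fs_relabelfrom_tmpfs_sockets(init_t)` is placed under the `# for privatetmp functions` comment, but the description ties it to the relabel of /dev and /run after policy load (the /run/udev/control denials), not to PrivateTmp, so someone later trimming PrivateTmp rules could remove it. Give it its own comment, e.g. `# relabel /dev and /run after policy load (e.g. /run/udev/control)`. The same applies to `systemd_tmpfiles_list_conf(init_t)` and `systemd_tmpfiles_relabelto_conf(init_t)` in the second hunk, which carry no comment saying they exist for /run/tmpfiles.d in that same relabel pass. Both hunks are inside the ifdef(`init_systemd') block, whose start and end are outside the hunks.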
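Review bot: In systemd_tmpfiles_relabelto_conf the dir rule covers only systemd_tmpfiles_conf_t while the file rule covers the whole systemd_tmpfiles_conf_type attribute; if any other type carrying that attribute ever labels a directory (not visible in this hunk), its relabel would still be denied. If the asymmetry is deliberate, a comment on the dir line such as `# only the main conf dir is a directory; attribute types are expected to label files` would stop a later "fix"; otherwise use the attribute for both classes. The summary could also state that the caller still needs relabelfrom on the source type, which in the init.te use comes from fs_relabel_tmpfs_dirs/fs_relabel_tmpfs_files.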
@@ -259,6 +259,7 @@ interface(`udev_relabelto_db',`
 files_search_pids($1)
 allow $1 udev_var_run_t:file relabelto_file_perms;
 allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+ allow $1 udev_var_run_t:sock_file relabelto_sock_file_perms;
 ')
 ########################################
-- 
2.14.1
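Review bot: udev_relabelto_db now grants relabelto on udev_var_run_t sock_file, so the interface covers the udev control socket and not only the database, yet its summary (above the hunk, not visible here) presumably still speaks of the db alone; it should mention the socket, e.g. `## Relabel to the udev database and control socket in the runtime directory.`. The new line is consistent in style with the existing file and lnk_file rules. Note that this closes the relabelto denial quoted in the description only if init_t already calls udev_relabelto_db, which this patch does not add and which cannot be confirmed from the hunks shown.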