From: dsugar@tresys.com (Dave Sugar)
Date: Thu, 7 Jun 2018 15:19:41 -0400
Subject: [refpolicy] [PATCH 1/1] policy for systemd-update-done
In-Reply-To: <20180607191941.31672-1-dsugar@tresys.com>
References: <20180607191941.31672-1-dsugar@tresys.com>
Message-ID: <20180607191941.31672-2-dsugar@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.

Signed-off-by: Dave Sugar
---
 policy/modules/system/init.te | 1 +
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te | 22 ++++++++++++++++++++++
 4 files changed, 45 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9bdb7e82..f77580d0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -406,6 +406,7 @@ ifdef(`init_systemd',`
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(init_t)
 
+	systemd_getattr_updated_runtime(init_t)
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index f8812453..64f1683c 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
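Review bot: The added `systemd_getattr_updated_runtime(init_t)` carries no comment explaining why PID 1 must stat the stamp files, whereas the neighbouring `seutil_read_file_contexts(init_t)` does; presumably this is for `ConditionNeedsUpdate=` evaluation, which compares the mtime of /usr against /etc/.updated and /var/.updated, so a one-liner such as `# ConditionNeedsUpdate= compares /usr against /etc/.updated and /var/.updated` above the call would record that for the next reader. The enclosing init_systemd ifdef block begins and ends outside the hunk. Only getattr is granted, which is the right minimum if only the mtime is consulted; if a read denial on systemd_update_run_t later shows up for init_t, widen the interface in systemd.if rather than adding a raw allow rule here.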
@@ -25,6 +25,7 @@
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
+/usr/lib/systemd/systemd-update-done	--	gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index c605602a..bc988150 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -753,3 +753,24 @@ interface(`systemd_read_resolved_runtime',`
 
 	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 ')
+
+#######################################
+##
+## Allow domain to getattr on .updated file (generated by systemd-update-done
+##
+##
+##
+## domain allowed access
+##
+##
+#
+interface(`systemd_getattr_updated_runtime',`
+	gen_require(`
+		type systemd_update_run_t;
+	')
+
+	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+')
+
+
+
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cf2c3296..15fe6e1b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -173,6 +173,13 @@ init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 type systemd_tmpfiles_conf_t;
 files_config_file(systemd_tmpfiles_conf_t)
 
+type systemd_update_done_t;
+type systemd_update_done_exec_t;
+init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
+
+type systemd_update_run_t;
+files_type(systemd_update_run_t)
+
 #
 # Unit file types
 #
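Review bot: No file-context entries are added for `/etc/.updated` and `/var/.updated`, so the `systemd_update_run_t` label only ever comes from the name-based transitions in systemd.te; a relabel (restorecon, or a full relabel on boot) resets them to etc_t/var_t, and on the next run systemd_update_done_t, which is only granted access to systemd_update_run_t, cannot re-touch them and the service fails exactly as in the quoted log. Add `/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` and `/var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` alongside the existing entries (the path field is a regex, hence the escaped dot). Be aware that systemd, in the versions I know, looks the new path up in file_contexts and calls setfscreatecon() before creating the stamp; once an entry matches, systemd_update_done_t will also need `seutil_read_file_contexts(systemd_update_done_t)` and `allow systemd_update_done_t self:process setfscreate;`, so verify this with audit2allow rather than taking it on trust.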
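Review bot: The interface summary is missing its closing parenthesis and reads as a fragment, and the `<summary>`/`<param name="domain">` XML that refpolicy's documentation tooling expects does not appear in this copy; suggested wording is `## Allow the specified domain to getattr the .updated stamp files created by systemd-update-done.` (if the mail archive stripped the tags, ignore that half of the point). Four empty lines are appended after the closing `')`, leaving trailing blank lines at the end of systemd.if; drop them. `getattr_files_pattern` is the right granularity for a stat-only consumer — keep the interface that narrow rather than letting it grow into a read interface later.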
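Review bot: `systemd_update_run_t` is declared without any comment and with a `_run_t` suffix, which elsewhere in this module denotes /run content (compare `systemd_resolved_var_run_t` in the systemd.if hunk), yet the only files it labels are the persistent stamps /etc/.updated and /var/.updated; a comment such as `# /etc/.updated and /var/.updated stamp files written by systemd-update-done` above the `type` line would prevent that misreading, and a non-runtime name would be better still if the type is renamed before merge (the interface name in systemd.if would then need to follow). Using `init_system_domain()` rather than the `init_daemon_domain()` seen for systemd_tmpfiles_t looks right for a one-shot unit, and `files_type()` is appropriate for a label that restorecon must be able to manage.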
@@ -1006,3 +1013,18 @@ optional_policy(`
 	xserver_relabel_console_pipes(systemd_tmpfiles_t)
 	xserver_setattr_console_pipes(systemd_tmpfiles_t)
 ')
+
+#########################################
+#
+# Update Done local policy
+#
+
+allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+
+dev_write_kmsg(systemd_update_done_t)
+
+files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
+files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
+
+kernel_read_system_state(systemd_update_done_t)
+
-- 
2.14.3
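Review bot: `manage_file_perms` on the stamp files also hands systemd_update_done_t `unlink`, `rename` and `link`, which creating a file and updating its timestamp do not obviously require; if the tool only opens the file for writing and calls utimens/futimens on it, `allow systemd_update_done_t systemd_update_run_t:file { create getattr setattr open write };` should be enough, but confirm with audit2allow (dontaudits disabled) before tightening, since a systemd that wrote the stamp atomically via a temporary name plus rename would need the wider set and would also bypass the `.updated` name-based transitions below. I would also expect the tool to stat /usr to obtain the reference mtime, which needs getattr on usr_t; the quoted log shows only the two create failures, so this is presumably already satisfied by what init_system_domain() brings in, but a run with dontaudits off would settle it. Neither `dev_write_kmsg()` nor `kernel_read_system_state()` says why it is needed; a comment like `# log to /dev/kmsg when started before journald` on the former would help, and the trailing empty line added at end of file should go.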