From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 7 Jun 2018 20:02:09 -0400
Subject: [refpolicy] [PATCH 1/1] policy for systemd-update-done
In-Reply-To: <20180607191941.31672-2-dsugar@tresys.com>
References: <20180607191941.31672-1-dsugar@tresys.com> <20180607191941.31672-2-dsugar@tresys.com>
Message-ID: <58ca9379-3120-da1b-0f53-426551db6742@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 06/07/2018 03:19 PM, Dave Sugar via refpolicy wrote:
> systemd-update-done needs to be able to create /etc/.updated and /var/.updated
>
> Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
> Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
> Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
> Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
> Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
> Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/system/init.te | 1 +
> policy/modules/system/systemd.fc | 1 +
> policy/modules/system/systemd.if | 21 +++++++++++++++++++++
> policy/modules/system/systemd.te | 22 ++++++++++++++++++++++
> 4 files changed, 45 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 9bdb7e82..f77580d0 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -406,6 +406,7 @@ ifdef(`init_systemd',`
> # lvm2-activation-generator checks file labels
> seutil_read_file_contexts(init_t)
>
> + systemd_getattr_updated_runtime(init_t)
> systemd_manage_passwd_runtime_symlinks(init_t)
> systemd_use_passwd_agent(init_t)
> systemd_list_tmpfiles_conf(init_t)
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index f8812453..64f1683c 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -25,6 +25,7 @@
> /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
> /usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
> /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
> +/usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
> /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
>
> # Systemd unit files
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index c605602a..bc988150 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -753,3 +753,24 @@ interface(`systemd_read_resolved_runtime',`
> read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
> ')
>
> +#######################################
> +##
> +## Allow domain to getattr on .updated file (generated by systemd-update-done
> +##
> +##
> +##
> +## domain allowed access
> +##
> +##
> +#
> +interface(`systemd_getattr_updated_runtime',`
> + gen_require(`
> + type systemd_update_run_t;
> + ')
> +
> + getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
> +')
> +
> +
> +
> +
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index cf2c3296..15fe6e1b 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
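Review bot: The file-context hunk labels only the `systemd-update-done` executable; `/etc/.updated` and `/var/.updated`, which the `files_etc_filetrans`/`files_var_filetrans` rules in the systemd.te hunk give `systemd_update_run_t` at creation time, get no file-context entry, so a `restorecon` or `fixfiles` pass over /etc or /var resets them to the parent directory's default type and the labels the rest of this policy expects no longer hold. Add `/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` and `/var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` to systemd.fc so the stamp files survive relabeling with the same type the transitions assign.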
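Review bot: `getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)` passes the file type as the directory argument, so the pattern's directory-search rule targets a type that the systemd.te hunk only ever assigns to regular files (the stamps are created in etc_t and var_t directories by the filetrans rules) and grants nothing useful; the direct rule `allow $1 systemd_update_run_t:file getattr_file_perms;` states exactly what callers such as init_t need. The summary text has an unbalanced parenthesis, `(generated by systemd-update-done`, and the hunk appends four blank lines at end of file. The interface name `systemd_getattr_updated_runtime` and the type `systemd_update_run_t` declared in the first systemd.te hunk both suggest /run content, yet the files live in /etc and /var and are declared with `files_type` rather than a runtime-file interface, so a name that does not imply runtime state would fit refpolicy's naming convention better.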
> @@ -173,6 +173,13 @@ init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
> type systemd_tmpfiles_conf_t;
> files_config_file(systemd_tmpfiles_conf_t)
>
> +type systemd_update_done_t;
> +type systemd_update_done_exec_t;
> +init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
> +
> +type systemd_update_run_t;
> +files_type(systemd_update_run_t)
> +
> #
> # Unit file types
> #
> @@ -1006,3 +1013,18 @@ optional_policy(`
> xserver_relabel_console_pipes(systemd_tmpfiles_t)
> xserver_setattr_console_pipes(systemd_tmpfiles_t)
> ')
> +
> +#########################################
> +#
> +# Update Done local policy
> +#
> +
> +allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
> +
> +dev_write_kmsg(systemd_update_done_t)
> +
> +files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
> +files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
> +
> +kernel_read_system_state(systemd_update_done_t)
Merged.
--
Chris PeBenito
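Review bot: `allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;` also grants unlink, rename and link on the stamp files, while the only failure in the description is creating `/etc/.updated` and `/var/.updated`; if the audit log confirms that the service only creates, writes and sets the timestamp of these files, `allow systemd_update_done_t systemd_update_run_t:file { create_file_perms write_file_perms setattr_file_perms };` is the least-privilege form. The hunk header announces 15 added lines but only 14 are visible after `')`, so a trailing line, probably a blank one, appears to have been lost when the mail was quoted, and the end of this hunk should be checked against the original patch.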