2017-11-06 06:42:27

by Russell Coker

Subject: [refpolicy] [PATCH] map permission and systemd_tmpfiles_t stuff

This patch allows some map permissions and allows systemd_tmpfiles_t to
stat some things it wants to stat and append and relabel the lastlog.

Index: refpolicy-2.20171105/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/logging.te
+++ refpolicy-2.20171105/policy/modules/system/logging.te
@@ -257,7 +257,7 @@ corecmd_exec_shell(audisp_t)

domain_use_interactive_fds(audisp_t)

-files_read_etc_files(audisp_t)
+files_map_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)

mls_file_write_all_levels(audisp_t)
@@ -418,6 +418,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+allow syslogd_t syslogd_tmp_t:file map;
+
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })

manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
@@ -426,6 +428,8 @@ files_search_var_lib(syslogd_t)

# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+allow syslogd_t syslogd_var_run_t:file map;
+
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
allow syslogd_t syslogd_var_run_t:dir create_dir_perms;

Index: refpolicy-2.20171105/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20171105/policy/modules/system/lvm.te
@@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })

read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+allow lvm_t lvm_etc_t:file map;
+
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
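Review bot: The raw rule `allow lvm_t lvm_etc_t:file map;` sits between `read_files_pattern` and `read_lnk_files_pattern` with no comment, so nothing records which access made the mapping necessary. A one-line comment above it, for example `# lvm config files are mmap()ed when read` (wording to be confirmed against the logged denial), would let a later least-privilege audit decide whether the rule is still needed. The surrounding lvm_t rules continue outside this hunk.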
Index: refpolicy-2.20171105/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20171105/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`

#######################################
## <summary>
+## relabel the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
## Read and write to the last logins log.
## </summary>
## <param name="domain">
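Review bot: The new `auth_relabel_lastlog` spells out `{ relabelfrom relabelto }` where refpolicy's permission set would be the usual form, and its summary starts in lower case, unlike the neighbouring "Read and write to the last logins log." I would write `allow $1 lastlog_t:file relabel_file_perms;` (note that the set also includes getattr) and `## Relabel the last logins log.` Because relabelfrom lets a caller move the login log out of lastlog_t into any type it may relabelto, a short `<desc>` saying the interface is meant for domains that restore default labels would help reviewers judge future callers.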
Index: refpolicy-2.20171105/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20171105/policy/modules/system/systemd.if
@@ -346,6 +346,7 @@ interface(`systemd_manage_journal_files'

manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+ allow $1 systemd_journal_t:file map;
')
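Review bot: Placing `allow $1 systemd_journal_t:file map;` inside `systemd_manage_journal_files` grants map to every existing caller of the interface, not only to the domain whose denial prompted the change. The interface header lies outside this hunk, so its summary presumably still describes manage access only. I would either extend that summary, e.g. `## Manage and map systemd journal files.`, or put the map rule in its own interface so that callers opt in explicitly.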


Index: refpolicy-2.20171105/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20171105/policy/modules/system/systemd.te
@@ -868,9 +868,11 @@ allow systemd_tmpfiles_t systemd_journal
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;

+kernel_getattr_proc(systemd_tmpfiles_t)
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
kernel_read_network_state(systemd_tmpfiles_t)

+dev_getattr_fs(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
@@ -897,14 +899,17 @@ files_relabelto_etc_dirs(systemd_tmpfile
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)

+fs_getattr_tmpfs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)

selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_search_fs(systemd_tmpfiles_t)

+auth_append_lastlog(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_lastlog(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
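Review bot: The two lastlog lines, `auth_append_lastlog(systemd_tmpfiles_t)` and `auth_relabel_lastlog(systemd_tmpfiles_t)`, carry no comment naming the tmpfiles.d entry that needs them, although this same block documents `files_manage_etc_symlinks` with `# for /etc/mtab`. Both rules touch a login-accounting log, so a one-line reason such as `# tmpfiles.d creates and labels the lastlog file` (to be confirmed against the actual denial) would let a later audit check whether append access is really required. The rest of the systemd_tmpfiles_t rules lie outside this hunk.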

Index: refpolicy-2.20171105/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20171105.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20171105/policy/modules/kernel/files.if
@@ -2944,6 +2944,38 @@ interface(`files_read_etc_files',`

########################################
## <summary>
+## Read and map generic files in /etc.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read and map generic
+## files in /etc.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_read_etc_files()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_map_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ files_read_etc_files($1)
+ allow $1 etc_t:file map;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write generic files in /etc.
## </summary>
## <param name="domain">


2017-11-08 01:43:55

by Chris PeBenito

Subject: [refpolicy] [PATCH] map permission and systemd_tmpfiles_t stuff

On 11/06/2017 01:42 AM, Russell Coker via refpolicy wrote:
> This patch allows some map permissions and allows systemd_tmpfiles_t to
> stat some things it wants to stat and append and relabel the lastlog.
>
> Index: refpolicy-2.20171105/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20171105/policy/modules/system/logging.te
> @@ -257,7 +257,7 @@ corecmd_exec_shell(audisp_t)
>
> domain_use_interactive_fds(audisp_t)
>
> -files_read_etc_files(audisp_t)
> +files_map_etc_files(audisp_t)
> files_read_etc_runtime_files(audisp_t)
>
> mls_file_write_all_levels(audisp_t)
> @@ -418,6 +418,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
> # manage temporary files
> manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> +allow syslogd_t syslogd_tmp_t:file map;
> +
> files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
>
> manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
> @@ -426,6 +428,8 @@ files_search_var_lib(syslogd_t)
>
> # manage pid file
> manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> +allow syslogd_t syslogd_var_run_t:file map;

I get the impression that these maps are all for journald. If so, they
should be in the init_systemd block.

> files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
> allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
>
> Index: refpolicy-2.20171105/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20171105/policy/modules/system/lvm.te
> @@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
> files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
>
> read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
> +allow lvm_t lvm_etc_t:file map;
> +
> read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
> # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
> manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
> Index: refpolicy-2.20171105/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20171105/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>
> #######################################
> ## <summary>
> +## relabel the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_relabel_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +## <summary>
> ## Read and write to the last logins log.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20171105/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20171105/policy/modules/system/systemd.if
> @@ -346,6 +346,7 @@ interface(`systemd_manage_journal_files'
>
> manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
> manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
> + allow $1 systemd_journal_t:file map;
> ')
>
>
> Index: refpolicy-2.20171105/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20171105/policy/modules/system/systemd.te
> @@ -868,9 +868,11 @@ allow systemd_tmpfiles_t systemd_journal
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>
> +kernel_getattr_proc(systemd_tmpfiles_t)
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> kernel_read_network_state(systemd_tmpfiles_t)
>
> +dev_getattr_fs(systemd_tmpfiles_t)
> dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> dev_read_urand(systemd_tmpfiles_t)
> dev_relabel_all_sysfs(systemd_tmpfiles_t)
> @@ -897,14 +899,17 @@ files_relabelto_etc_dirs(systemd_tmpfile
> # for /etc/mtab
> files_manage_etc_symlinks(systemd_tmpfiles_t)
>
> +fs_getattr_tmpfs(systemd_tmpfiles_t)
> fs_getattr_xattr_fs(systemd_tmpfiles_t)
>
> selinux_get_fs_mount(systemd_tmpfiles_t)
> selinux_search_fs(systemd_tmpfiles_t)
>
> +auth_append_lastlog(systemd_tmpfiles_t)
> auth_manage_faillog(systemd_tmpfiles_t)
> auth_manage_login_records(systemd_tmpfiles_t)
> auth_manage_var_auth(systemd_tmpfiles_t)
> +auth_relabel_lastlog(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
>
> Index: refpolicy-2.20171105/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20171105.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20171105/policy/modules/kernel/files.if
> @@ -2944,6 +2944,38 @@ interface(`files_read_etc_files',`
>
> ########################################
> ## <summary>
> +## Read and map generic files in /etc.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read and map generic
> +## files in /etc.
> +## </p>
> +## <p>
> +## Related interfaces:
> +## </p>
> +## <ul>
> +## <li>files_read_etc_files()</li>
> +## </ul>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`files_map_etc_files',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + files_read_etc_files($1)
> + allow $1 etc_t:file map;

The map should be an interface by itself, without the read, since etc_t
is such a wide variety of files.


--
Chris PeBenito