commit: 51a5f6d799fac283615b106a05916e3179123db5 |
Author: Dave Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Sun Sep 27 02:07:21 2020 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Nov 16 09:03:43 2020 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51a5f6d7 |
pacemaker systemd permissions |
Allow pacemaker to get status of all running services and reload systemd |
Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' |
Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' |
Allow pacemaker to start/stop all units (when enabled) |
Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' |
Allow for dynamic creation of unit files (with private type) |
By using a private type pacemaker doesn't need permission to |
read/write all init_runtime_t files. |
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { write } for pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 |
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { add_name } for pid=5075 comm="lrmd" name="target-monitor <AT> my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 |
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { create } for pid=5075 comm="lrmd" name="target-monitor <AT> my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 |
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { create } for pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 |
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { write open } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor <AT> my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 |
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc: denied { getattr } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor <AT> my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 |
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
policy/modules/services/pacemaker.te | 24 ++++++++++++++++++++++++ |
1 file changed, 24 insertions(+) |
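--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.6.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow pacemaker to start/stop services
+## </p>
+## </desc>
+gen_tunable(pacemaker_startstop_all_services, false)
+
 type pacemaker_t;
 type pacemaker_exec_t;
 init_daemon_domain(pacemaker_t, pacemaker_exec_t)
@@ -18,6 +25,9 @@ logging_log_file(pacemaker_log_t)
 type pacemaker_runtime_t alias pacemaker_var_run_t;
 files_runtime_file(pacemaker_runtime_t)
 
+type pacemaker_runtime_unit_t;
+init_unit_file(pacemaker_runtime_unit_t)
+
 type pacemaker_tmp_t;
 files_tmp_file(pacemaker_tmp_t)
 
@@ -61,6 +71,10 @@ manage_dirs_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
 manage_files_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
 files_runtime_filetrans(pacemaker_t, pacemaker_runtime_t, { dir file })
 
+manage_dirs_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
+manage_files_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
+init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })
+
 kernel_getattr_core_if(pacemaker_t)
 kernel_read_all_sysctls(pacemaker_t)
 kernel_read_messages(pacemaker_t)
@@ -95,6 +109,16 @@ logging_send_syslog_msg(pacemaker_t)
 
 miscfiles_read_localization(pacemaker_t)
 
+ifdef(`init_systemd',`
+	init_get_all_units_status(pacemaker_t)
+	init_reload(pacemaker_t)
+')
+
+tunable_policy(`pacemaker_startstop_all_services',`
+	init_start_all_units(pacemaker_t)
+	init_stop_all_units(pacemaker_t)
+')
+
 optional_policy(`
 	corosync_read_log(pacemaker_t)
 	corosync_stream_connect(pacemaker_t)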
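Review bot: The `<desc>` for `pacemaker_startstop_all_services` in the first hunk says only `## Allow pacemaker to start/stop services`, while the `tunable_policy` block in the last hunk grants `init_start_all_units`/`init_stop_all_units`, which by their names cover every unit on the host rather than pacemaker-managed ones; the description should state that scope so an administrator enabling the boolean sees the same breadth its name implies, e.g. `## Allow pacemaker to start and stop all systemd units on the system.` The `tunable_policy` block also sits outside the `ifdef(`init_systemd',` guard that wraps `init_get_all_units_status`/`init_reload`; if that placement is deliberate, a one-line comment saying so would save the next reader a question. In the third hunk, a comment above `init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })` such as `# unit drop-in dirs/files pacemaker creates under /run/systemd/system (see commit message AVCs)` would record why the private type exists, since the filetrans itself has no name component and applies to anything pacemaker_t creates directly in an init_runtime_t directory.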