
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sat, 28 Nov 2020 23:09:33
Message-Id: 1605517423.51a5f6d799fac283615b106a05916e3179123db5.perfinion@gentoo
1 commit: 51a5f6d799fac283615b106a05916e3179123db5
2 Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
3 AuthorDate: Sun Sep 27 02:07:21 2020 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Nov 16 09:03:43 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51a5f6d7
7
8 pacemaker systemd permissions
9
10 Allow pacemaker to get status of all running services and reload systemd
11
12 Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
13
14 Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
15
16 Allow pacemaker to start/stop all units (when enabled)
17
18 Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
19
20 Allow for dynamic creation of unit files (with private type)
21
22 By using a private type pacemaker doesn't need permission to
23 read/write all init_runtime_t files.
24
25 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { write } for pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
26 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { add_name } for pid=5075 comm="lrmd" name="target-monitor <AT> my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
27 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { create } for pid=5075 comm="lrmd" name="target-monitor <AT> my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
28 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { create } for pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
29 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { write open } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor <AT> my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
30 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc: denied { getattr } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor <AT> my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
31
32 Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
33 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
34
35 policy/modules/services/pacemaker.te | 24 ++++++++++++++++++++++++
36 1 file changed, 24 insertions(+)
37
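diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index f7a18a7f..70d976ea 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.6.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow pacemaker to start/stop services
+## </p>
+## </desc>
+gen_tunable(pacemaker_startstop_all_services, false)
+
 type pacemaker_t;
 type pacemaker_exec_t;
 init_daemon_domain(pacemaker_t, pacemaker_exec_t)
@@ -18,6 +25,9 @@ logging_log_file(pacemaker_log_t)
 type pacemaker_runtime_t alias pacemaker_var_run_t;
 files_runtime_file(pacemaker_runtime_t)
 
+type pacemaker_runtime_unit_t;
+init_unit_file(pacemaker_runtime_unit_t)
+
 type pacemaker_tmp_t;
 files_tmp_file(pacemaker_tmp_t)
 
@@ -61,6 +71,10 @@ manage_dirs_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
 manage_files_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
 files_runtime_filetrans(pacemaker_t, pacemaker_runtime_t, { dir file })
 
+manage_dirs_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
+manage_files_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
+init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })
+
 kernel_getattr_core_if(pacemaker_t)
 kernel_read_all_sysctls(pacemaker_t)
 kernel_read_messages(pacemaker_t)
@@ -95,6 +109,16 @@ logging_send_syslog_msg(pacemaker_t)
 
 miscfiles_read_localization(pacemaker_t)
 
+ifdef(`init_systemd',`
+ init_get_all_units_status(pacemaker_t)
+ init_reload(pacemaker_t)
+')
+
+tunable_policy(`pacemaker_startstop_all_services',`
+ init_start_all_units(pacemaker_t)
+ init_stop_all_units(pacemaker_t)
+')
+
 optional_policy(`
  corosync_read_log(pacemaker_t)
  corosync_stream_connect(pacemaker_t)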
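Review bot: `init_reload(pacemaker_t)` in the last hunk is granted unconditionally while unit start/stop is gated behind `pacemaker_startstop_all_services`, yet the `pacemaker_runtime_unit_t` rules in the third hunk let pacemaker_t create drop-in directories and files under the init runtime directory for any unit name (the AVCs in the description show a `target-monitor@my.service.d/50-pacemaker.conf` under `/run/systemd/system`), and `init_unit_file()` in the second hunk presumably marks those files as unit configuration that systemd will read. Taken together, pacemaker_t appears able to alter the effective definition of arbitrary units and have init reload them regardless of the tunable, which is a broader capability than the tunable text "Allow pacemaker to start/stop services" conveys. I would document this next to the type declaration, e.g. `# unit drop-ins pacemaker writes under the systemd runtime dir; systemd reads them as unit config, so this amounts to write access to any unit's definition`, and consider whether the reload permission or the drop-in creation should also sit under the tunable. The `#` comment form matches the rest of the file.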