commit: 054510904041ecc1b8cbacfbfd853c88e01423d9 |
Author: Dave Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Sun Sep 27 00:43:44 2020 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Nov 16 09:03:43 2020 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05451090 |
|
To get pacemaker working in enforcing |
|
Allow pacemaker to map its shared memory |
|
Sep 27 00:30:32 localhost audispd: node=virtual type=AVC msg=audit(1601166632.229:2936): avc: denied { map } for pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 |
|
Label pacemaker private log file |
|
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { write } for pid=7168 comm="pacemakerd" name="/" dev="tmpfs" ino=13995 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1 |
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { add_name } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1 |
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { create } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 |
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { append open } for pid=7168 comm="pacemakerd" path="/var/log/pacemaker.log" dev="tmpfs" ino=32670 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 |
|
It writes to log, but also reads |
|
Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.381:2892): avc: denied { read } for pid=7177 comm="pengine" name="pacemaker.log" dev="tmpfs" ino=35813 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_log_t:s0 tclass=file permissive=1 |
|
Pacemaker can read stuff in /usr/share/pacemaker/ |
|
Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { read } for pid=7173 comm="cib" name="pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 |
Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { open } for pid=7173 comm="cib" path="/usr/share/pacemaker/pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 |
|
pacemaker dbus related stuff |
|
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { write } for pid=7175 comm="lrmd" name="system_bus_socket" dev="tmpfs" ino=13960 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { connectto } for pid=7175 comm="lrmd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.763:2954): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=7175 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' |
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' |
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.767:2959): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.12 spid=1 tpid=7175 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' |
|
Pacemaker executes network monitoring |
|
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2962): avc: denied { getattr } for pid=7581 comm="which" path="/usr/sbin/arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.778:2963): avc: denied { execute } for pid=7551 comm="ethmonitor" name="arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.766:2956): avc: denied { getattr } for pid=7556 comm="which" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.767:2957): avc: denied { execute } for pid=7541 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2960): avc: denied { read } for pid=7582 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { open } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { execute_no_trans } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { map } for pid=7582 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { nlmsg_write } for pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 |
|
Update pacemaker process perms |
|
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.729:2950): avc: denied { getsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 |
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.730:2951): avc: denied { setsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 |
Sep 27 00:30:59 localhost audispd: node=virtual type=AVC msg=audit(1601166659.606:2967): avc: denied { signull } for pid=7178 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 |
|
pacemaker network communication |
|
Sep 29 01:46:08 localhost audispd: node=virtual type=AVC msg=audit(1601343968.444:2963): avc: denied { node_bind } for pid=7681 comm="send_arp" saddr=192.168.11.12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1 |
Sep 29 02:08:25 localhost audispd: node=virtual type=AVC msg=audit(1601345305.150:3137): avc: denied { net_raw } for pid=8317 comm="send_arp" capability=13 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 |
Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3094): avc: denied { getcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 |
Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3095): avc: denied { setcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 |
|
Let pacemaker exec lib_t files |
|
Oct 1 14:48:25 localhost audispd: node=virtual type=AVC msg=audit(1601563705.848:2242): avc: denied { execute_no_trans } for pid=6909 comm="crm_resource" path="/usr/lib/ocf/resource.d/heartbeat/IPsrcaddr" dev="dm-0" ino=82111 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 |
Oct 1 15:01:31 localhost audispd: node=virtual type=AVC msg=audit(1601564491.091:2353): avc: denied { execute_no_trans } for pid=8285 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/ethmonitor" dev="dm-0" ino=82129 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 |
Oct 1 14:49:21 localhost audispd: node=virtual type=AVC msg=audit(1601563761.158:2265): avc: denied { execute_no_trans } for pid=7307 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/IPaddr2" dev="dm-0" ino=82110 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/pacemaker.fc | 1 + |
policy/modules/services/pacemaker.te | 34 ++++++++++++++++++++++++++++++++-- |
2 files changed, 33 insertions(+), 2 deletions(-) |
|
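diff --git a/policy/modules/services/pacemaker.fc b/policy/modules/services/pacemaker.fc
index 0df77ee6..dc7fbb8d 100644
--- a/policy/modules/services/pacemaker.fc
+++ b/policy/modules/services/pacemaker.fc
@@ -9,3 +9,4 @@
 /var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
 
 /run/crm(/.*)? gen_context(system_u:object_r:pacemaker_runtime_t,s0)
+/run/resource-agents(/.*)? gen_context(system_u:object_r:pacemaker_runtime_t,s0)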
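Review bot: The companion .te change introduces pacemaker_log_t for /var/log/pacemaker.log, but this file gains no context entry for it, so a relabel of /var/log would set the file back to var_log_t and reproduce the append/open denials quoted in the description; add `/var/log/pacemaker\.log.*	--	gen_context(system_u:object_r:pacemaker_log_t,s0)` next to the new /run/resource-agents line. The new /run/resource-agents entry itself is consistent with the existing /run/crm line and needs no change.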
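diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index e7c0d691..f7a18a7f 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -12,6 +12,9 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
 type pacemaker_initrc_exec_t;
 init_script_file(pacemaker_initrc_exec_t)
 
+type pacemaker_log_t;
+logging_log_file(pacemaker_log_t)
+
 type pacemaker_runtime_t alias pacemaker_var_run_t;
 files_runtime_file(pacemaker_runtime_t)
 
@@ -29,15 +32,23 @@ files_type(pacemaker_var_lib_t)
 # Local policy
 #
 
-allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid };
-allow pacemaker_t self:process { setrlimit signal setpgid };
+allow pacemaker_t self:capability { chown dac_override fowner fsetid kill net_raw setgid setuid };
+allow pacemaker_t self:process { getsched getcap setcap setpgid setrlimit setsched signal signull };
 allow pacemaker_t self:fifo_file rw_fifo_file_perms;
+allow pacemaker_t self:packet_socket { bind create getattr read write };
 allow pacemaker_t self:unix_stream_socket { connectto accept listen };
 
+create_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
+append_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
+setattr_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
+read_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
+logging_log_filetrans(pacemaker_t, pacemaker_log_t, file)
+
 manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
 manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
 files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
 
+mmap_rw_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
 manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
 manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
 fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
@@ -60,6 +71,8 @@ kernel_read_system_state(pacemaker_t)
 corecmd_exec_bin(pacemaker_t)
 corecmd_exec_shell(pacemaker_t)
 
+corenet_udp_bind_generic_node(pacemaker_t)
+
 dev_getattr_mtrr_dev(pacemaker_t)
 dev_read_rand(pacemaker_t)
 dev_read_urand(pacemaker_t)
@@ -68,11 +81,16 @@ domain_read_all_domains_state(pacemaker_t)
 domain_use_interactive_fds(pacemaker_t)
 
 files_read_kernel_symbol_table(pacemaker_t)
+files_read_usr_files(pacemaker_t)
 
 fs_getattr_all_fs(pacemaker_t)
 
 auth_use_nsswitch(pacemaker_t)
 
+init_dbus_chat(pacemaker_t)
+
+libs_exec_lib_files(pacemaker_t)
+
 logging_send_syslog_msg(pacemaker_t)
 
 miscfiles_read_localization(pacemaker_t)
@@ -81,3 +99,15 @@ optional_policy(`
 	corosync_read_log(pacemaker_t)
 	corosync_stream_connect(pacemaker_t)
 ')
+
+optional_policy(`
+	dbus_system_bus_client(pacemaker_t)
+')
+
+optional_policy(`
+	netutils_exec(pacemaker_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_ifconfig(pacemaker_t)
+')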
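Review bot: `libs_exec_lib_files(pacemaker_t)` in the hunk at -68,11 grants execute on every lib_t file, while the quoted denials involve only the OCF resource agents under /usr/lib/ocf/resource.d/heartbeat/; giving that tree a bin_t file context would let the `corecmd_exec_bin(pacemaker_t)` already in the file cover it and keep the broad rule out. The unfiltered `logging_log_filetrans(pacemaker_t, pacemaker_log_t, file)` in the local-policy hunk labels any file the domain creates directly in /var/log as pacemaker_log_t, whereas the denials name only pacemaker.log, so `logging_log_filetrans(pacemaker_t, pacemaker_log_t, file, "pacemaker.log")` would match what was observed. The `setgid` capability and the `self:packet_socket` rule in the same hunk have no denial quoted for them in the description; a short comment naming the helper that needs them (send_arp is the likely candidate for packet_socket given its net_raw denial, but that is an inference) would keep the rule set auditable. The ip/net_admin denials are handled by `sysnet_domtrans_ifconfig` rather than by adding net_admin to pacemaker_t, which is the right choice.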