Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sat, 28 Nov 2020 23:09:33
Message-Id: 1605517423.054510904041ecc1b8cbacfbfd853c88e01423d9.perfinion@gentoo
1 commit: 054510904041ecc1b8cbacfbfd853c88e01423d9
2 Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
3 AuthorDate: Sun Sep 27 00:43:44 2020 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Nov 16 09:03:43 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05451090
7
8 To get pacemaker working in enforcing
9
10 Allow pacemaker to map its shared memory
11
12 Sep 27 00:30:32 localhost audispd: node=virtual type=AVC msg=audit(1601166632.229:2936): avc: denied { map } for pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
13
14 Label pacemaker private log file
15
16 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { write } for pid=7168 comm="pacemakerd" name="/" dev="tmpfs" ino=13995 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
17 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { add_name } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
18 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { create } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
19 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { append open } for pid=7168 comm="pacemakerd" path="/var/log/pacemaker.log" dev="tmpfs" ino=32670 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
20
21 It writes to the log, but also reads it
22
23 Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.381:2892): avc: denied { read } for pid=7177 comm="pengine" name="pacemaker.log" dev="tmpfs" ino=35813 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_log_t:s0 tclass=file permissive=1
24
25 Pacemaker can read stuff in /usr/share/pacemaker/
26
27 Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { read } for pid=7173 comm="cib" name="pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
28 Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { open } for pid=7173 comm="cib" path="/usr/share/pacemaker/pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
29
30 pacemaker dbus-related stuff
31
32 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { write } for pid=7175 comm="lrmd" name="system_bus_socket" dev="tmpfs" ino=13960 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file permissive=1
33 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { connectto } for pid=7175 comm="lrmd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
34 Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.763:2954): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=7175 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
35 Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
36 Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.767:2959): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.12 spid=1 tpid=7175 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
37
38 Pacemaker executes network monitoring
39
40 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2962): avc: denied { getattr } for pid=7581 comm="which" path="/usr/sbin/arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1
41 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.778:2963): avc: denied { execute } for pid=7551 comm="ethmonitor" name="arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1
42 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.766:2956): avc: denied { getattr } for pid=7556 comm="which" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
43 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.767:2957): avc: denied { execute } for pid=7541 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
44 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2960): avc: denied { read } for pid=7582 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
45 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { open } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
46 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { execute_no_trans } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
47 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { map } for pid=7582 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
48 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { nlmsg_write } for pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1
49 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
50 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
51
52 Update pacemaker process perms
53
54 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.729:2950): avc: denied { getsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
55 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.730:2951): avc: denied { setsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
56 Sep 27 00:30:59 localhost audispd: node=virtual type=AVC msg=audit(1601166659.606:2967): avc: denied { signull } for pid=7178 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
57
58 pacemaker network communication
59
60 Sep 29 01:46:08 localhost audispd: node=virtual type=AVC msg=audit(1601343968.444:2963): avc: denied { node_bind } for pid=7681 comm="send_arp" saddr=192.168.11.12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
61 Sep 29 02:08:25 localhost audispd: node=virtual type=AVC msg=audit(1601345305.150:3137): avc: denied { net_raw } for pid=8317 comm="send_arp" capability=13 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
62 Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3094): avc: denied { getcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
63 Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3095): avc: denied { setcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
64
65 Let pacemaker exec lib_t files
66
67 Oct 1 14:48:25 localhost audispd: node=virtual type=AVC msg=audit(1601563705.848:2242): avc: denied { execute_no_trans } for pid=6909 comm="crm_resource" path="/usr/lib/ocf/resource.d/heartbeat/IPsrcaddr" dev="dm-0" ino=82111 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
68 Oct 1 15:01:31 localhost audispd: node=virtual type=AVC msg=audit(1601564491.091:2353): avc: denied { execute_no_trans } for pid=8285 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/ethmonitor" dev="dm-0" ino=82129 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
69 Oct 1 14:49:21 localhost audispd: node=virtual type=AVC msg=audit(1601563761.158:2265): avc: denied { execute_no_trans } for pid=7307 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/IPaddr2" dev="dm-0" ino=82110 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
70
71 Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
72 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
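As an added illustration, not part of this commit or of refpolicy: a small parser that groups AVC records like the ones quoted in the message above into the allow rules they imply (the grouping audit2allow performs), and flags capabilities a domain would be granting to itself, which is the case this commit handles for `ip` with a domain transition rather than a self:capability rule. The sample records are copied from the commit message; function and variable names are mine.

```python
import re
from collections import defaultdict

# Sample AVC records copied from the commit message (kernel AVC and dbus
# USER_AVC forms). The parser itself is an added illustration, not refpolicy code.
AVC_SAMPLE = """\
type=AVC msg=audit(1601166632.229:2936): avc: denied { map } for pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1601166650.796:2965): avc: denied { nlmsg_write } for pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1601473396.111:3094): avc: denied { getcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms), or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("s").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("t").split(":")[2]   # MLS ranges add colons after the type, so index 2 is safe
    return stype, ttype, m.group("cls"), set(m.group("perms").split())

def summarize(text):
    """Union the denied perms per (source type, target type, class)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            s, t, cls, perms = parsed
            needed[(s, t, cls)] |= perms
    return dict(needed)

def rules(text):
    """Render the summary as raw allow rules; a target equal to the source becomes 'self'."""
    return ["allow %s %s:%s { %s };" % (s, "self" if s == t else t, cls, " ".join(sorted(p)))
            for (s, t, cls), p in sorted(summarize(text).items())]

def flag_self_capabilities(text):
    """Capabilities the domain would grant itself. These usually mean a helper (here 'ip')
    ran without a domain transition and deserve a domtrans, not a blanket self rule."""
    return sorted(p for (s, t, cls), perms in summarize(text).items()
                  if cls == "capability" and s == t for p in perms)
```

Running `rules(AVC_SAMPLE)` reproduces the raw rules audit2allow would print; comparing them with the interfaces the patch actually uses (mmap_rw_files_pattern, init_dbus_chat, sysnet_domtrans_ifconfig) shows where the author chose an interface or a transition over a direct allow.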
73
74 policy/modules/services/pacemaker.fc | 1 +
75 policy/modules/services/pacemaker.te | 34 ++++++++++++++++++++++++++++++++--
76 2 files changed, 33 insertions(+), 2 deletions(-)
77
78 diff --git a/policy/modules/services/pacemaker.fc b/policy/modules/services/pacemaker.fc
79 index 0df77ee6..dc7fbb8d 100644
80 --- a/policy/modules/services/pacemaker.fc
81 +++ b/policy/modules/services/pacemaker.fc
82 @@ -9,3 +9,4 @@
83 /var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
84
85 /run/crm(/.*)? gen_context(system_u:object_r:pacemaker_runtime_t,s0)
86 +/run/resource-agents(/.*)? gen_context(system_u:object_r:pacemaker_runtime_t,s0)
87
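Review bot: the new /run/resource-agents entry has no denial backing it in the commit message, and a file context alone does not label a directory that a resource agent creates under /run at runtime, since /run is not relabelled at boot. Say which agent creates it, and add (or confirm there already is) a `files_runtime_filetrans(pacemaker_t, pacemaker_runtime_t, dir, "resource-agents")` so the directory is created with this label instead of depending on a restorecon.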
88 diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
89 index e7c0d691..f7a18a7f 100644
90 --- a/policy/modules/services/pacemaker.te
91 +++ b/policy/modules/services/pacemaker.te
92 @@ -12,6 +12,9 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
93 type pacemaker_initrc_exec_t;
94 init_script_file(pacemaker_initrc_exec_t)
95
96 +type pacemaker_log_t;
97 +logging_log_file(pacemaker_log_t)
98 +
99 type pacemaker_runtime_t alias pacemaker_var_run_t;
100 files_runtime_file(pacemaker_runtime_t)
101
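Review bot: pacemaker_log_t is declared here and relied on by the logging_log_filetrans later in the patch, but the pacemaker.fc hunk adds no /var/log/pacemaker.log entry, so a full relabel resets the file to var_log_t and the read rule in this patch stops matching. Add `/var/log/pacemaker\.log -- gen_context(system_u:object_r:pacemaker_log_t,s0)` to pacemaker.fc alongside the type declaration.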
102 @@ -29,15 +32,23 @@ files_type(pacemaker_var_lib_t)
103 # Local policy
104 #
105
106 -allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid };
107 -allow pacemaker_t self:process { setrlimit signal setpgid };
108 +allow pacemaker_t self:capability { chown dac_override fowner fsetid kill net_raw setgid setuid };
109 +allow pacemaker_t self:process { getsched getcap setcap setpgid setrlimit setsched signal signull };
110 allow pacemaker_t self:fifo_file rw_fifo_file_perms;
111 +allow pacemaker_t self:packet_socket { bind create getattr read write };
112 allow pacemaker_t self:unix_stream_socket { connectto accept listen };
113
114 +create_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
115 +append_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
116 +setattr_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
117 +read_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
118 +logging_log_filetrans(pacemaker_t, pacemaker_log_t, file)
119 +
120 manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
121 manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
122 files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
123
124 +mmap_rw_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
125 manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
126 manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
127 fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
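Review bot: `setgid` in the self:capability line and the whole `self:packet_socket` rule are not explained by any denial in the commit message (net_raw, getcap/setcap and the process perms are); either quote the AVCs that need them or drop them. Separately, `logging_log_filetrans(pacemaker_t, pacemaker_log_t, file)` carries no name argument, so every file pacemaker_t creates directly in /var/log becomes pacemaker_log_t; the denials only show pacemaker.log, so pass `"pacemaker.log"` as the fourth argument to keep the transition narrow.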
128 @@ -60,6 +71,8 @@ kernel_read_system_state(pacemaker_t)
129 corecmd_exec_bin(pacemaker_t)
130 corecmd_exec_shell(pacemaker_t)
131
132 +corenet_udp_bind_generic_node(pacemaker_t)
133 +
134 dev_getattr_mtrr_dev(pacemaker_t)
135 dev_read_rand(pacemaker_t)
136 dev_read_urand(pacemaker_t)
137 @@ -68,11 +81,16 @@ domain_read_all_domains_state(pacemaker_t)
138 domain_use_interactive_fds(pacemaker_t)
139
140 files_read_kernel_symbol_table(pacemaker_t)
141 +files_read_usr_files(pacemaker_t)
142
143 fs_getattr_all_fs(pacemaker_t)
144
145 auth_use_nsswitch(pacemaker_t)
146
147 +init_dbus_chat(pacemaker_t)
148 +
149 +libs_exec_lib_files(pacemaker_t)
150 +
151 logging_send_syslog_msg(pacemaker_t)
152
153 miscfiles_read_localization(pacemaker_t)
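Review bot: `libs_exec_lib_files(pacemaker_t)` grants execute_no_trans on every lib_t file, while the three denials in the message all point at scripts under /usr/lib/ocf/resource.d/heartbeat/. Labelling that tree in pacemaker.fc, for example `/usr/lib/ocf/resource\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)`, would cover them through the `corecmd_exec_bin(pacemaker_t)` rule already in this file and leave the rest of lib_t non-executable. Also, `init_dbus_chat(pacemaker_t)` sits outside optional_policy while the matching `dbus_system_bus_client` call at the end of the patch is inside one; keeping the two together in that block reads more clearly.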
154 @@ -81,3 +99,15 @@ optional_policy(`
155 corosync_read_log(pacemaker_t)
156 corosync_stream_connect(pacemaker_t)
157 ')
158 +
159 +optional_policy(`
160 + dbus_system_bus_client(pacemaker_t)
161 +')
162 +
163 +optional_policy(`
164 + netutils_exec(pacemaker_t)
165 +')
166 +
167 +optional_policy(`
168 + sysnet_domtrans_ifconfig(pacemaker_t)
169 +')
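Review bot: the asymmetry between `sysnet_domtrans_ifconfig` and `netutils_exec` deserves a sentence in the commit message: `ip` now transitions to ifconfig_t, which is why its nlmsg_write and net_admin denials did not become pacemaker_t permissions, whereas arping keeps running in pacemaker_t, which is what forced net_raw, getcap/setcap and packet_socket into the domain itself. `netutils_domtrans(pacemaker_t)` would keep those in netutils_t as well; note that the net_raw denial quoted for send_arp comes from a resource-agent helper rather than a netutils_exec_t binary, so that one needs checking separately before the self:capability line can shrink.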