commit: 52c2b105a22a89b938af9d558bbfbf4a1c8198a3 |
Author: David Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Mon Oct 9 21:15:13 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 29 12:59:08 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52c2b105 |
|
Fix problem labeling /run/log/journal/* |
|
Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/* |
|
[ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir |
[ 4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied |
[ 4.758736] type=1400 audit(1507601754.187:4): avc: denied { relabelto } for pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir |
[ 4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied |
[ 4.758928] type=1400 audit(1507601754.187:5): avc: denied { relabelto } for pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir |
[ 4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied |
[ 4.759144] type=1400 audit(1507601754.187:6): avc: denied { relabelto } for pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file |
[ 4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
|
policy/modules/system/init.te | 3 +++ |
policy/modules/system/systemd.if | 40 ++++++++++++++++++++++++++++++++++++++++ |
2 files changed, 43 insertions(+) |
|
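--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -320,12 +320,15 @@ ifdef(`init_systemd',`
 logging_manage_pid_sockets(init_t)
 logging_send_audit_msgs(init_t)
 logging_relabelto_devlog_sock_files(init_t)
+ logging_relabel_generic_log_dirs(init_t)
 
 systemd_manage_passwd_runtime_symlinks(init_t)
 systemd_use_passwd_agent(init_t)
 systemd_list_tmpfiles_conf(init_t)
 systemd_relabelto_tmpfiles_conf_dirs(init_t)
 systemd_relabelto_tmpfiles_conf_files(init_t)
+ systemd_relabelto_journal_dirs(init_t)
+ systemd_relabelto_journal_files(init_t)
 
 term_create_devpts_dirs(init_t)
 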
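Review bot: `logging_relabel_generic_log_dirs(init_t)` is wider than the denial it fixes: the audit record in the description shows only a `relabelto` denial on the var_log_t directory /run/log, while a `logging_relabel_*` interface by refpolicy naming convention grants relabelfrom as well as relabelto on generic log directories. If logging.if provides a relabelto-only variant for generic log dirs, that would be the least-privilege fit and would match the two `systemd_relabelto_journal_*` calls added below it; if not, a one-line comment such as `# relabelfrom is not needed by systemd here; no relabelto-only interface exists` would document why the broader grant was accepted. The `ifdef(\`init_systemd'` block this hunk sits in starts and ends outside the hunk.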
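--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -348,6 +348,46 @@ interface(`systemd_manage_journal_files',`
 manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
 ')
 
+
+########################################
+## <summary>
+## Relabel to systemd-journald directory type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelto_journal_dirs',`
+ gen_require(`
+ type systemd_journal_t;
+ ')
+
+ files_search_var($1)
+ allow $1 systemd_journal_t:dir relabelto_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel to systemd-journald file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelto_journal_files',`
+ gen_require(`
+ type systemd_journal_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
+ allow $1 systemd_journal_t:file relabelto_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Allow systemd_logind_t to read process state for cgroup file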
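Review bot: `list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)` in `systemd_relabelto_journal_files` omits the spaces after the commas that every other pattern call in this file uses, including the `manage_files_pattern($1, systemd_journal_t, systemd_journal_t)` context line at the top of the hunk; it should read `list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)`. Both new interfaces grant relabelto only and not relabelfrom, which is the right scope for the denials quoted in the description, so the interface summaries would be more useful if they said so explicitly, e.g. `## Relabel to systemd-journald directory type (relabelto only, no relabelfrom).`. Both interfaces reach the journal only through `files_search_var($1)`; since the denied paths are under /run/log/journal, whether the caller can traverse to them appears to depend on search permissions it already holds elsewhere, which is worth a one-line comment on the `files_search_var($1)` call.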