Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Sun, 29 Oct 2017 20:43:01
Message-Id: 1509281948.52c2b105a22a89b938af9d558bbfbf4a1c8198a3.perfinion@gentoo
commit: 52c2b105a22a89b938af9d558bbfbf4a1c8198a3
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Oct 9 21:15:13 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52c2b105

Fix problem labeling /run/log/journal/*

Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/*

[ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
[ 4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied
[ 4.758736] type=1400 audit(1507601754.187:4): avc: denied { relabelto } for pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[ 4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied
[ 4.758928] type=1400 audit(1507601754.187:5): avc: denied { relabelto } for pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[ 4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied
[ 4.759144] type=1400 audit(1507601754.187:6): avc: denied { relabelto } for pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
[ 4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

policy/modules/system/init.te | 3 +++
policy/modules/system/systemd.if | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)

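To see how the denials quoted in the commit message translate into policy, here is an added example (editor's code, not part of this commit or of the refpolicy project) that parses `avc: denied` records out of dmesg-style text and merges them into raw allow rules, which is what audit2allow does with an audit log. The sample input is constructed from the four AVC lines above, with two of the systemd error lines interleaved so the parser has non-AVC lines to skip.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC denials quoted in the commit message,
# plus two of the systemd error lines that followed them in dmesg.
SAMPLE_DMESG = """\
[ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
[ 4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied
[ 4.758736] type=1400 audit(1507601754.187:4): avc: denied { relabelto } for pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[ 4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied
[ 4.758928] type=1400 audit(1507601754.187:5): avc: denied { relabelto } for pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[ 4.759144] type=1400 audit(1507601754.187:6): avc: denied { relabelto } for pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
"""

# One AVC record: the permission set in braces, then the source context, target
# context and object class. Tolerates the double spaces the kernel really emits.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Extract source type, target type, class and permissions from every
    'avc: denied' line; lines that carry no AVC record are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
        })
    return denials


def allow_rules(denials):
    """Merge denials sharing (source, target, class) and render each group as a
    raw allow rule, sorted so the output is stable."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in merged.items()
    )


if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_DMESG)):
        print(rule)
```

The three rules that come out (relabelto on var_log_t:dir, on systemd_journal_t:dir and on systemd_journal_t:file) are exactly the accesses the two hunks below grant. Refpolicy does not let a module write raw allow rules against another module's types, which is why the patch adds interfaces to systemd.if and calls them from init.te instead of pasting this output into the policy.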
27 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
28 index 63cec7d6..9ff247d1 100644
29 --- a/policy/modules/system/init.te
30 +++ b/policy/modules/system/init.te
31 @@ -320,12 +320,15 @@ ifdef(`init_systemd',`
32 logging_manage_pid_sockets(init_t)
33 logging_send_audit_msgs(init_t)
34 logging_relabelto_devlog_sock_files(init_t)
35 + logging_relabel_generic_log_dirs(init_t)
36
37 systemd_manage_passwd_runtime_symlinks(init_t)
38 systemd_use_passwd_agent(init_t)
39 systemd_list_tmpfiles_conf(init_t)
40 systemd_relabelto_tmpfiles_conf_dirs(init_t)
41 systemd_relabelto_tmpfiles_conf_files(init_t)
42 + systemd_relabelto_journal_dirs(init_t)
43 + systemd_relabelto_journal_files(init_t)
44
45 term_create_devpts_dirs(init_t)
46
47
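Review bot: the var_log_t denial quoted in the commit message asks for relabelto only, but this hunk satisfies it with `logging_relabel_generic_log_dirs(init_t)`, whose name indicates a relabel in both directions (relabelfrom and relabelto) on generic log directories, while the two journal calls added just below it, `systemd_relabelto_journal_dirs(init_t)` and `systemd_relabelto_journal_files(init_t)`, are deliberately relabelto-only. For consistency and least privilege, consider a relabelto-only logging interface here, or say in the commit message why init_t also needs to relabel away from var_log_t. Placing all three calls inside the `ifdef(`init_systemd'` block is right, since the denials come from systemd running as pid 1.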
48 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
49 index 766f33fb..69669a1a 100644
50 --- a/policy/modules/system/systemd.if
51 +++ b/policy/modules/system/systemd.if
52 @@ -348,6 +348,46 @@ interface(`systemd_manage_journal_files',`
53 manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
54 ')
55
56 +
57 +########################################
58 +## <summary>
59 +## Relabel to systemd-journald directory type.
60 +## </summary>
61 +## <param name="domain">
62 +## <summary>
63 +## Domain allowed access.
64 +## </summary>
65 +## </param>
66 +#
67 +interface(`systemd_relabelto_journal_dirs',`
68 + gen_require(`
69 + type systemd_journal_t;
70 + ')
71 +
72 + files_search_var($1)
73 + allow $1 systemd_journal_t:dir relabelto_dir_perms;
74 +')
75 +
76 +########################################
77 +## <summary>
78 +## Relabel to systemd-journald file type.
79 +## </summary>
80 +## <param name="domain">
81 +## <summary>
82 +## Domain allowed access.
83 +## </summary>
84 +## </param>
85 +#
86 +interface(`systemd_relabelto_journal_files',`
87 + gen_require(`
88 + type systemd_journal_t;
89 + ')
90 +
91 + files_search_var($1)
92 + list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
93 + allow $1 systemd_journal_t:file relabelto_file_perms;
94 +')
95 +
96 ########################################
97 ## <summary>
98 ## Allow systemd_logind_t to read process state for cgroup file
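Review bot: two style points in this hunk: `list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)` in `systemd_relabelto_journal_files` drops the spaces after the commas that the rest of the file uses (compare `manage_files_pattern($1, systemd_journal_t, systemd_journal_t)` in the context line just above), and the added blank line before the first `####` banner leaves two blank lines between `systemd_manage_journal_files` and the new interface where the file otherwise separates interfaces with one. On the logic, the files interface lists journal directories so a caller can reach the files it relabels, but `systemd_relabelto_journal_dirs` grants only `relabelto_dir_perms` plus `files_search_var($1)`, so a caller of the dirs interface alone must obtain search on the journal directory's parents elsewhere; that is fine for init_t but worth a sentence in the interface summary.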