commit: 08fff4870eab9cec72d17019d21d832176fd5905 |
Author: David Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Thu Oct 12 16:16:17 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 29 12:59:08 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08fff487 |
|
Denial relabeling /run/systemd/private |
|
I am seeing the following denial (in dmesg) during system startup: |
[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file |
|
It appears that systemd is attempting to relabel the socket file /run/systemd/private to init_var_run_t but doesn't have permission. |
|
Updated to create new interface for relabeling of sock_files rather than adding to existing interface |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
|
policy/modules/kernel/files.if | 19 +++++++++++++++++++ |
policy/modules/system/init.te | 1 + |
2 files changed, 20 insertions(+) |
|
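--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6741,6 +6741,25 @@ interface(`files_relabel_all_pid_dirs',`
 
 ########################################
 ## <summary>
+## Relabel to/from all var_run (pid) socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain alloed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_sock_files',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_sock_files_pattern($1, pidfile, pidfile)
+')
+
+
+########################################
+## <summary>
 ## Relabel to/from all var_run (pid) files and directories
 ## </summary>
 ## <param name="domain">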
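Review bot: The `<param>` summary of the new `files_relabel_all_pid_sock_files` interface misspells "allowed" (`## Domain alloed access.`); this text is rendered into the generated interface documentation, so it should read `## Domain allowed access.`. The interface summary could also say what is actually granted, since `relabel_sock_files_pattern` appears to give both relabelfrom and relabelto on every type carrying the `pidfile` attribute, not only relabelto — e.g. `## Relabel to/from all var_run (pid) socket files (relabelfrom and relabelto on all pidfile sock_files).` The interface body itself is complete within the hunk.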
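--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -320,6 +320,7 @@ ifdef(`init_systemd',`
 files_mounton_root(init_t)
 files_search_pids(init_t)
 files_relabel_all_pids(init_t)
+ files_relabel_all_pid_sock_files(init_t)
 files_relabelto_etc_runtime_dirs(init_t)
 files_relabelto_etc_runtime_files(init_t)
 files_read_all_locks(init_t)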
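Review bot: The added `files_relabel_all_pid_sock_files(init_t)` grants init_t relabelfrom and relabelto on every sock_file type carrying the pidfile attribute, whereas the denial quoted in the commit message only shows relabelto on /run/systemd/private to init_var_run_t; the wider grant is consistent with the `files_relabel_all_pids(init_t)` line just above it, but the reason is not recorded in the policy. A short comment on the new line, such as `# systemd relabels /run/systemd/private (and other pid sock_files) at startup`, would keep the next reader from narrowing it without knowing what breaks. The enclosing `ifdef(`init_systemd',`` block starts and ends outside the hunk.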