| 1 |
commit: 08fff4870eab9cec72d17019d21d832176fd5905 |
| 2 |
Author: David Sugar <dsugar <AT> tresys <DOT> com> |
| 3 |
AuthorDate: Thu Oct 12 16:16:17 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Oct 29 12:59:08 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08fff487 |
| 7 |
|
| 8 |
Denial relabeling /run/systemd/private |
| 9 |
|
| 10 |
I am seeing the following denial (in dmesg) during system startup: |
| 11 |
[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file |
| 12 |
|
| 13 |
It appears that systemd is attempting to relablel the socket file /run/systemd/private to init_var_run_t but doesn't have permission. |
| 14 |
|
| 15 |
Updated to create new interface for relabeling of sock_files rather than adding to existing interface |
| 16 |
|
| 17 |
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
| 18 |
|
| 19 |
policy/modules/kernel/files.if | 19 +++++++++++++++++++ |
| 20 |
policy/modules/system/init.te | 1 + |
| 21 |
2 files changed, 20 insertions(+) |
| 22 |
|
| 23 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
| 24 |
index 12a1210c..ec2c8999 100644 |
| 25 |
--- a/policy/modules/kernel/files.if |
| 26 |
+++ b/policy/modules/kernel/files.if |
| 27 |
@@ -6741,6 +6741,25 @@ interface(`files_relabel_all_pid_dirs',` |
| 28 |
|
| 29 |
######################################## |
| 30 |
## <summary> |
| 31 |
+## Relabel to/from all var_run (pid) socket files |
| 32 |
+## </summary> |
| 33 |
+## <param name="domain"> |
| 34 |
+## <summary> |
| 35 |
+## Domain alloed access. |
| 36 |
+## </summary> |
| 37 |
+## </param> |
| 38 |
+# |
| 39 |
+interface(`files_relabel_all_pid_sock_files',` |
| 40 |
+ gen_require(` |
| 41 |
+ attribute pidfile; |
| 42 |
+ ') |
| 43 |
+ |
| 44 |
+ relabel_sock_files_pattern($1, pidfile, pidfile) |
| 45 |
+') |
| 46 |
+ |
| 47 |
+ |
| 48 |
+######################################## |
| 49 |
+## <summary> |
| 50 |
## Relabel to/from all var_run (pid) files and directories |
| 51 |
## </summary> |
| 52 |
## <param name="domain"> |
| 53 |
|
| 54 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 55 |
index 75da7a62..350554d3 100644 |
| 56 |
--- a/policy/modules/system/init.te |
| 57 |
+++ b/policy/modules/system/init.te |
| 58 |
@@ -320,6 +320,7 @@ ifdef(`init_systemd',` |
| 59 |
files_mounton_root(init_t) |
| 60 |
files_search_pids(init_t) |
| 61 |
files_relabel_all_pids(init_t) |
| 62 |
+ files_relabel_all_pid_sock_files(init_t) |
| 63 |
files_relabelto_etc_runtime_dirs(init_t) |
| 64 |
files_relabelto_etc_runtime_files(init_t) |
| 65 |
files_read_all_locks(init_t) |
Archives