From: Shrikant Bobade <shrikant_bob...@mentor.com> add allow rules for avc denials for systemd, mount, logging & authlogin modules. without this change we are getting avc denials from these modules.
Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...d-mount-logging-authlogin-add-allow-rules.patch | 92 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc | 1 +
 2 files changed, 93 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch
new file mode 100644
index 0000000..8e330ce
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0003-systemd-mount-logging-authlogin-add-allow-rules.patch
@@ -0,0 +1,92 @@
+From 9a9490491e6d4c30249033c84c21634dac988b06 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bob...@mentor.com>
+Date: Mon, 25 Jul 2016 18:10:28 +0530
+Subject: [PATCH 3/6] systemd: mount: logging: authlogin: add allow rules
+
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+
+without this change we are getting avc denial like these:
+
+type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+
+type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+
+type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+
+type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
+comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te | 7 ++++++-
+ policy/modules/system/mount.te | 3 +++
+ policy/modules/system/systemd.te | 6 ++++++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index f80dfcb..5fab54a 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -464,3 +464,5 @@ optional_policy(`
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
++
++allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index fdf86ef..107db03 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -576,4 +576,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+ 
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
++allow klogd_t initrc_t:unix_dgram_socket sendto;
++
++allow syslogd_t self:shm create;
++allow syslogd_t self:sem { create read unix_write write };
++allow syslogd_t self:shm { read unix_read unix_write write };
++allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 1c2fc33..b699309 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -229,3 +229,6 @@ optional_policy(`
+ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ unconfined_domain(unconfined_mount_t)
+ ')
++
++allow mount_t proc_t:filesystem getattr;
++allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index fdb9fef..734d455 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -262,3 +262,9 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
+ files_relabel_non_security_dirs(systemd_tmpfiles_t)
+ files_relabel_non_security_files(systemd_tmpfiles_t)
+ ')
++
++allow systemd_tmpfiles_t init_t:dir search;
++allow systemd_tmpfiles_t proc_t:filesystem getattr;
++allow systemd_tmpfiles_t init_t:file read;
++allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
++allow systemd_tmpfiles_t self:capability net_admin;
+-- 
+1.9.1
+
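Review bot: `allow systemd_tmpfiles_t self:capability net_admin;` in the nested systemd.te hunk has no matching AVC in the commit message, and neither do `allow syslogd_t self:sem { create read unix_write write };` or `allow syslogd_t tmpfs_t:file { read write };` in logging.te; the four denials quoted cover only sendto, the open on /proc/1/environ, the inherited udp_socket, and shm unix_read/unix_write. Each rule beyond those should be backed by the denial it fixes or dropped, net_admin in particular since it is far wider than anything a tmpfiles job is shown to need. The raw allow rules on types owned by other modules (proc_t, init_t, initrc_t) also bypass the refpolicy interface convention; the systemd.te lines, for instance, would normally be expressed as `init_read_state(systemd_tmpfiles_t)` and `kernel_getattr_proc_fs(systemd_tmpfiles_t)` so the owning module keeps control of its types. The mount denial shows a udp_socket inherited from initrc_t rather than one mount_t created itself, which refpolicy usually treats as a leaked descriptor to dontaudit rather than grant with `allow mount_t initrc_t:udp_socket { read write };`.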
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc index 4d07e62..c051aec 100644 --- a/recipes-security/refpolicy/refpolicy_2.20151208.inc +++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc @@ -64,6 +64,7 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPO SYSTEMD_REFPOLICY_PATCHES = "\ file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \ file://0002-audit-logging-getty-audit-related-allow-rules.patch \ + file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \ " -- 1.9.1 -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto