From: "Sugar, David" <dsugar@tresys.com>
To: "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH 2/3] Changes to support plymouth working in enforcing
Date: Fri, 12 Apr 2019 19:39:31 +0000 [thread overview]
Message-ID: <20190412193917.23886-3-dsugar@tresys.com> (raw)
In-Reply-To: <20190412193917.23886-1-dsugar@tresys.com>
plymouth is started very early in the boot process. Looks
like before the SELinux policy is loaded so plymouthd is
running as kernel_t rather than plymouthd_t. Due to this
I needed to allow a few permissions on kernel_t to get
the system to boot.
Please note that in this case I have the harddisk encrypted
with LUKS so when plymouthd is started the harddisk is not
unlocked yet. I don't know if the permissions are different
in the case when LUKS is not involved.
type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/kernel/devices.if | 18 +++++++++++++
policy/modules/kernel/kernel.te | 5 +++-
policy/modules/services/plymouthd.if | 38 ++++++++++++++++++++++++++++
3 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 78a95ce8..d1cdf933 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1939,6 +1939,24 @@ interface(`dev_setattr_dri_dev',`
setattr_chr_files_pattern($1, device_t, dri_device_t)
')
+########################################
+## <summary>
+## IOCLT the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_ioctl_dri_dev',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ allow $1 dri_device_t:chr_file ioctl;
+')
+
########################################
## <summary>
## Read and write the dri devices.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b9ae4079..d230a5a2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -397,9 +397,12 @@ optional_policy(`
')
optional_policy(`
- plymouthd_read_lib_files(kernel_t)
+ dev_ioctl_dri_dev(kernel_t)
+
+ plymouthd_delete_pid_files(kernel_t)
plymouthd_read_pid_files(kernel_t)
plymouthd_read_spool_files(kernel_t)
+ plymouthd_rw_lib_files(kernel_t)
term_use_ptmx(kernel_t)
term_use_unallocated_ttys(kernel_t)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index 04e0c734..3cc08b96 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -192,6 +192,25 @@ interface(`plymouthd_read_lib_files',`
read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
')
+########################################
+## <summary>
+## Read and write plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_rw_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
########################################
## <summary>
## Create, read, write, and delete
@@ -232,6 +251,25 @@ interface(`plymouthd_read_pid_files',`
allow $1 plymouthd_var_run_t:file read_file_perms;
')
+########################################
+## <summary>
+## Delete the plymouthd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_delete_pid_files',`
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
########################################
## <summary>
## All of the rules required to
--
2.20.1
next prev parent reply other threads:[~2019-04-12 19:39 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-12 19:39 [PATCH 0/3] Resolve issues with plymouth in enforcing Sugar, David
2019-04-12 19:39 ` [PATCH 1/3] Allow xdm (lightdm) execute plymouth Sugar, David
2019-04-17 2:49 ` Sugar, David
2019-04-23 22:31 ` Chris PeBenito
2019-04-12 19:39 ` Sugar, David [this message]
2019-04-13 2:43 ` [PATCH 2/3] Changes to support plymouth working in enforcing Russell Coker
2019-04-13 3:23 ` Sugar, David
2019-04-13 4:24 ` Russell Coker
2019-04-13 7:51 ` Dominick Grift
2019-04-17 2:51 ` Sugar, David
2019-04-23 22:31 ` Chris PeBenito
2019-04-12 19:39 ` [PATCH 3/3] Some items that seem they can be dontaudited for plymouthd Sugar, David
2019-04-13 2:33 ` Russell Coker
2019-04-13 3:26 ` Sugar, David
2019-04-13 4:24 ` Russell Coker
2019-04-13 7:54 ` Dominick Grift
2019-04-17 2:53 ` Sugar, David
2019-04-14 17:49 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190412193917.23886-3-dsugar@tresys.com \
--to=dsugar@tresys.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).