* [meta-selinux][RFC 5/8] init: fix reboot with systemd as init manager.
@ 2016-07-29  9:10 Shrikant Bobade
From: Shrikant Bobade @ 2016-07-29  9:10 UTC (permalink / raw)
  To: yocto; +Cc: Shrikant Bobade

From: Shrikant Bobade <shrikant_bobade@mentor.com>

add allow rule to fix avc denial during system reboot.

Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
---
 ...t-fix-reboot-with-systemd-as-init-manager.patch | 35 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc             |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch
new file mode 100644
index 0000000..69a9019
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0005-init-fix-reboot-with-systemd-as-init-manager.patch
@@ -0,0 +1,35 @@
+From cabab1db81115da296193ea8d917dc7cadfdd8f6 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Mon, 25 Jul 2016 18:30:59 +0530
+Subject: [PATCH 5/6] init: fix reboot with systemd as init manager.
+
+add allow rule to fix avc denial during system reboot.
+
+without this change we are getting:
+
+audit: type=1107 audit(): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=
+system_u:system_r:init_t:s0 msg='avc:  denied  { reboot } for auid=n/a uid=0
+gid=0 cmdline="/bin/systemctl --force reboot" scontext=system_u:system_r:
+initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index f9d7114..19a7a20 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1103,5 +1103,5 @@ allow devpts_t device_t:filesystem associate;
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:capability2 audit_read;
+ 
+-allow initrc_t init_t:system { start status };
++allow initrc_t init_t:system { start status reboot };
+ allow initrc_t init_var_run_t:service { start status };
+-- 
+1.9.1
+
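Review bot: the new rule `+allow initrc_t init_t:system { start status reboot };` is the narrowest change that matches the quoted denial (scontext initrc_t, tcontext init_t, tclass system, permission reboot), but it grants reboot to the entire initrc_t domain rather than only to whatever runs `/bin/systemctl --force reboot`; the commit message should name the script or unit that triggers the denial so a reviewer can judge whether a narrower domain would be preferable. Two header points: the Yocto convention is `Upstream-Status: Pending` (capitalised), not `upstream-status: pending`, and the embedded Subject reads `[PATCH 5/6]` while the series is `[RFC 5/8]`, so the patch should be regenerated from the current series. Since the quoted AVC covers only reboot, it would also help to state whether poweroff and halt were exercised through the same path.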
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index 151c973..d319561 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -66,6 +66,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
 	file://0002-audit-logging-getty-audit-related-allow-rules.patch \
 	file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \
 	file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \
+	file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \
 "
 
 
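Review bot: placement looks right; this rule is only needed when systemd is the init manager, so listing it under SYSTEMD_REFPOLICY_PATCHES rather than a patch list applied for every init manager keeps sysvinit builds unaffected. The new entry follows the 0001-0004 naming and trailing-backslash convention of the neighbouring lines, so nothing to change here.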
-- 
1.9.1