* [meta-selinux][RFC 6/8] systemd: mount: enable required refpolicy booleans
@ 2016-07-29  9:10 Shrikant Bobade
  0 siblings, 0 replies; only message in thread
From: Shrikant Bobade @ 2016-07-29  9:10 UTC (permalink / raw)
  To: yocto; +Cc: Shrikant Bobade

From: Shrikant Bobade <shrikant_bobade@mentor.com>

Enable the required refpolicy booleans for these modules: mount:
allow_mount_anyfile and systemd: systemd_tmpfiles_manage_all.

Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
---
 ...mount-enable-requiried-refpolicy-booleans.patch | 43 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc             |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch
new file mode 100644
index 0000000..cd93d1d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch
@@ -0,0 +1,43 @@
+systemd: mount: enable requiried refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount:  allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc:  denied  { mounton } for  pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+ ls  /var/log
+ /var/log -> volatile/log
+:~#
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+
+--- a/policy/booleans.conf
++++ b/policy/booleans.conf
+@@ -1156,12 +1156,12 @@ racoon_read_shadow = false
+ #
+ # Allow the mount command to mount any directory or file.
+ # 
+-allow_mount_anyfile = false
++allow_mount_anyfile = true
+ 
+ #
+ # Enable support for systemd-tmpfiles to manage all non-security files.
+ # 
+-systemd_tmpfiles_manage_all = false
++systemd_tmpfiles_manage_all = true
+ 
+ #
+ # Allow users to connect to mysql
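Review bot: the only denial quoted in the description is one `mount_t` `mounton` on `initrc_var_run_t:dir` (the /run/media mount point on tmpfs), yet the fix at `+allow_mount_anyfile = true` flips a global boolean whose own comment reads "Allow the mount command to mount any directory or file", which is far broader than the single rule `allow mount_t initrc_var_run_t:dir mounton;` the message says is needed. Consider a targeted allow rule in the mount/systemd policy (the way 0003-systemd-mount-logging-authlogin-add-allow-rules.patch earlier in this series does), or giving the mount point a label that mount_t may already mount on, and leaving the distribution default for the boolean. The justification for `+systemd_tmpfiles_manage_all = true` shows only `ls /var/log` output with the volatile symlink and no AVC record; please include the actual denial so reviewers can check what tmpfiles really needs rather than granting it all non-security files. Minor: "requiried" in the patch title, and `upstream-status: pending` should be written `Upstream-Status: Pending` in the OE form.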
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index d319561..b62167f 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -67,6 +67,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
 	file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \
 	file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \
 	file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \
+	file://0006-systemd-mount-enable-requiried-refpolicy-booleans.patch \
 "
 
 
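Review bot: the entry `file://0006-systemd-mount-enable-requiried-refpolicy-booleans.patch \` bakes the "requiried" typo into a file name that this recipe and any later rebase will reference; rename the patch file to "...-required-..." and update this SYSTEMD_REFPOLICY_PATCHES line before merge, since fixing it afterwards means touching both files. Note also that adding it here enables both booleans for every image built with systemd as init manager, not only the boards that hit the /run/media denial; if the intent is narrower, a distro or machine-level override would be the better place.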
-- 
1.9.1


