* [meta-selinux][RFC 8/8] systemd: fix for systemd tmp-files services
@ 2016-07-29  9:11 Shrikant Bobade
From: Shrikant Bobade @ 2016-07-29  9:11 UTC (permalink / raw)
  To: yocto; +Cc: Shrikant Bobade

From: Shrikant Bobade <shrikant_bobade@mentor.com>

fix for systemd tmp files setup services:
systemd-journal-flush.service & systemd-logind.service.

Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
---
 ...ystemd-fix-for-systemd-tmp-files-services.patch | 110 +++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc             |   1 +
 2 files changed, 111 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch
new file mode 100644
index 0000000..385e6e2
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0008-systemd-fix-for-systemd-tmp-files-services.patch
@@ -0,0 +1,110 @@
+From 2156e7428c5f58f3b13cfa95a1a4789299d2c448 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Wed, 27 Jul 2016 19:42:43 +0530
+Subject: [PATCH 8/8] systemd: fix for systemd tmp-files services
+
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+
+without these changes we are getting avc denails like these and below
+systemd services failure:
+
+audit[]: AVC avc:  denied  { getattr } for  pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+
+audit[]: AVC avc:  denied  { search } for  pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/kernel/files.if   | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if  | 23 +++++++++++++++++++++++
+ policy/modules/system/systemd.te |  3 +++
+ 3 files changed, 45 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 1cedea2..4ea7d55 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -6729,3 +6729,22 @@ interface(`files_unconfined',`
+ 
+ 	typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++##	systemd tmp files access to kernel tmp files domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
++	gen_require(`
++	type tmp_t;
++        class lnk_file getattr;
++	')
++
++	allow $1 tmp_t:lnk_file getattr;
++')
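Review bot: the interface name `systemd_service_allow_kernel_files_domain_to_tmp_t` does not follow the `files_` prefix convention used by everything else in files.if (see the `files_unconfined` context line above), and its summary, "systemd tmp files access to kernel tmp files domain", does not describe what the body does, which is grant the caller getattr on tmp_t symlinks. Rename it to a `files_` interface that says what it allows (for example `files_getattr_generic_tmp_symlinks`) with a matching summary, and check whether files.if already offers a generic-tmp symlink read interface that systemd.te could call instead of adding a new one. Minor: the `class lnk_file getattr;` line inside gen_require is indented with spaces where the surrounding lines use tabs.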
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index f1130d1..4604441 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3323,3 +3323,26 @@ interface(`kernel_unconfined',`
+ 	typeattribute $1 kern_unconfined;
+ 	kernel_load_module($1)
+ ')
++
++########################################
++## <summary>
++##	systemd tmp files access to kernel sysctl domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
++         gen_require(`
++                type sysctl_kernel_t;
++                class dir search;
++                class file { open read };
++         ')
++
++        allow $1 sysctl_kernel_t:dir search;
++        allow $1 sysctl_kernel_t:file { open read };
++
++')
++
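Review bot: `systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t` grants more than the denial in the commit message justifies: the quoted AVC shows only `{ search }` on `sysctl_kernel_t:dir`, while the interface also adds `allow $1 sysctl_kernel_t:file { open read };`, so either trim it to the dir search or state in the message which /proc/sys/kernel reads systemd-tmpfiles needs. The name should also carry the `kernel_` prefix like `kernel_unconfined` in the context above, and if kernel.if already has an interface for reading kernel sysctls, calling it from systemd.te would avoid a new interface altogether. Style: the body is indented with spaces rather than the tabs used around it, there is a stray blank line before the closing `')`, and the empty `+` line after it leaves a trailing blank line at the end of the file.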
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 22021eb..8813664 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -269,3 +269,6 @@ allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+ allow systemd_tmpfiles_t self:capability net_admin;
+ 
+ allow systemd_tmpfiles_t init_t:file { open getattr read };
++
++systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
++systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
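Review bot: the description does not match the change: the top of this mail says the fix is for `systemd-journal-flush.service & systemd-logind.service`, but both calls here are for `systemd_tmpfiles_t` and the failures quoted in the patch are `systemd-tmpfiles-setup-dev.service` and `systemd-tmpfiles-setup.service`; fix the cover text to name the tmpfiles services. The two calls are otherwise exactly what the quoted AVCs ask for. Also, the tag in the patch header is spelled `upstream-status: pending`; the Yocto convention is `Upstream-Status: Pending`.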
+-- 
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index 74f7e19..8a73293 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -69,6 +69,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
 	file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \
 	file://0006-systemd-mount-enable-requiried-refpolicy-booleans.patch \
 	file://0007-systemd-fix-for-login-journal-service.patch \
+	file://0008-systemd-fix-for-systemd-tmp-files-services.patch \
 "
 
 
-- 
1.9.1


