* [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208
@ 2016-07-01 13:43 Shrikant Bobade
From: Shrikant Bobade @ 2016-07-01 13:43 UTC (permalink / raw)
  To: yocto



Hi,

Using refpolicy-minimum v20151208 with systemd as init manager,

I am facing a few issues in enforcing mode:
1. systemd service status check, start & stop
2. auditd logfile error, so it is mixing with the boot log.
3. also other AVC denials related to tmpfs & other types, etc.


setup details: poky and meta-selinux, both at master head & systemd enabled,
with these SELinux booleans enabled: i. systemd_tmpfiles_manage_all
ii. allow_mount_anyfile

Captured the AVC denials to fix the systemd execution; the attached
SELinux-Modules.txt contains the allow rules generated using the audit tools.
I am trying to merge these modules into the actual refpolicy modules, so we get
an out-of-the-box experience for smooth systemd execution.
Observed that the policy store seems corrupted sometimes, when I start inserting
the prepared policy modules' allow rules into the actual refpolicy modules.

Has anyone also faced similar issues?

Any pointers or references will be a great help.


Thanks
Shrikant


[-- Attachment #2: SELinux-Modules.txt --]

############################# SELinux Modules ################################



require {
	type unconfined_t;
	type init_t;
	class system reload;
}

#============= unconfined_t ==============
allow unconfined_t init_t:system reload;

##################################################################################

require {
	type tmpfs_t;
	type auditd_t;
	class file create;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:file create;

##################################################################################

require {
	type tmpfs_t;
	type auditd_t;
	class file { open read };
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:file { open read };

##################################################################################

require {
	type tmpfs_t;
	type auditd_t;
	class file append;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:file append;

##################################################################################

require {
	type tmpfs_t;
	type auditd_t;
	class file getattr;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:file getattr;

##################################################################################

require {
	type tmpfs_t;
	type auditd_t;
	class file setattr;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:file setattr;


require {
	type tmpfs_t;
	type auditd_t;
	class dir open;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:dir open;

##################################################################################

require {
	type tmpfs_t;
	type auditd_t;
	class dir read;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:dir read;

##################################################################################

require {
	type tmpfs_t;
	type auditd_t;
	class dir open;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:dir open;



require {
	type tmpfs_t;
	type initrc_t;
	type auditd_t;
	class unix_dgram_socket sendto;
	class dir search;
}

#============= auditd_t ==============
allow auditd_t initrc_t:unix_dgram_socket sendto;
allow auditd_t tmpfs_t:dir search;


require {
	type tmpfs_t;
	type auditd_t;
	class dir add_name;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:dir add_name;


##################################################################################

require {
	type tmpfs_t;
	type auditd_t;
	class dir write;
}

#============= auditd_t ==============
allow auditd_t tmpfs_t:dir write;

##################################################################################

require {
	type var_run_t;
	type init_t;
	type syslogd_t;
	type systemd_tmpfiles_t;
	type initrc_t;
	type klogd_t;
	type chkpwd_t;
	type local_login_t;
	type proc_t;
	type getty_t;
	type tmpfs_t;
	type mount_t;
	class capability2 audit_read;
	class file read;
	class filesystem getattr;
	class unix_dgram_socket sendto;
	class shm create;
	class dir search;
}

#============= chkpwd_t ==============
allow chkpwd_t proc_t:filesystem getattr;

#============= getty_t ==============
allow getty_t tmpfs_t:dir search;

#============= init_t ==============
allow init_t self:capability2 audit_read;

#============= klogd_t ==============

#!!!! This avc is allowed in the current policy
allow klogd_t initrc_t:unix_dgram_socket sendto;

#============= local_login_t ==============
allow local_login_t var_run_t:file read;

#============= mount_t ==============
allow mount_t proc_t:filesystem getattr;

#============= syslogd_t ==============
allow syslogd_t self:shm create;

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t init_t:dir search;
allow systemd_tmpfiles_t proc_t:filesystem getattr;


##################################################################################

require {
	type unconfined_t;
	type lib_t;
	class service status;
}

#============= unconfined_t ==============
allow unconfined_t lib_t:service status;

##################################################################################


require {
	type initrc_t;
	type klogd_t;
	class unix_dgram_socket sendto;
}

#============= klogd_t ==============
allow klogd_t initrc_t:unix_dgram_socket sendto;


##################################################################################

require {
	type unconfined_t;
	type lib_t;
	class service start;
}

#============= unconfined_t ==============
allow unconfined_t lib_t:service start;

##################################################################################


require {
	type unconfined_t;
	type lib_t;
	class service stop;
}

#============= unconfined_t ==============
allow unconfined_t lib_t:service stop;

##################################################################################
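The attachment above is a series of audit2allow fragments, one per denial batch, so the same require blocks and even the same allow rule (klogd_t sending to initrc_t) appear several times, and merging such fragments one by one into refpolicy's own modules is error-prone. As an added example, not code from this thread, from meta-selinux or from refpolicy, the following Python script does what audit2allow did here but over all denials at once: it parses kernel AVC lines, merges permissions per (source, target, class), and renders a single loadable module with one require block. It also flags denials whose target is a generic type such as lib_t or tmpfs_t, since a denial like unconfined_t on lib_t:service usually means the object (here a unit file) is mislabelled rather than that the policy needs a broader rule. The AVC lines are constructed sample input (the type and class names are the ones in SELinux-Modules.txt, the audit ids and pids are made up); the module name local_systemd and the GENERIC_TARGETS heuristic are my assumptions.

```python
"""Consolidate AVC denials into one deduplicated SELinux policy module.

Added example, not code from this thread, from meta-selinux or from refpolicy.
It does for the AVC lines what audit2allow did for SELinux-Modules.txt, but
emits a single module with one require block instead of overlapping fragments,
and flags denials that point at generic target types.
"""
import re
from collections import defaultdict

# Constructed sample denials in the kernel audit format (not taken from the
# thread's boot logs); the type and class names are the ones in the attachment.
SAMPLE_AVC = """\
type=AVC msg=audit(1467380000.123:45): avc:  denied  { status } for  pid=212 comm="systemctl" name="auditd.service" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=0
type=AVC msg=audit(1467380000.124:46): avc:  denied  { start } for  pid=212 comm="systemctl" name="auditd.service" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=0
type=AVC msg=audit(1467380000.301:51): avc:  denied  { create } for  pid=230 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1467380000.302:52): avc:  denied  { open read } for  pid=230 comm="auditd" path="/run/audit/audit.log" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1467380000.303:53): avc:  denied  { append } for  pid=230 comm="auditd" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1467380000.310:54): avc:  denied  { audit_read } for  pid=1 comm="systemd" capability=37 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=0
"""

# One denial line: the permission set, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic (my assumption, not a refpolicy rule): a denial whose target is one
# of these broad file types usually means the object is mislabelled or sits in
# an unexpected place (a unit file carrying lib_t instead of a unit-file type,
# a log written to tmpfs), so the fix is a file context plus restorecon, not a
# wider allow rule.
GENERIC_TARGETS = {"lib_t", "tmpfs_t", "var_run_t", "var_t", "etc_t", "usr_t"}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, permissions) per denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"],
                   set(m["perms"].split()))


def aggregate(denials):
    """Merge permissions sharing (source, target, class) into one rule each."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """Render a permission set in TE syntax: a bare name or { a b c }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="local_systemd", version="1.0"):
    """Render loadable .te source with a single require block (name is assumed)."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt  # TE spells self-access as "self"
        lines.append(f"allow {src} {target}:{cls} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


def labeling_warnings(rules):
    """List rules whose target is a generic type and needs a labelling check first."""
    return sorted(f"{src} -> {tgt}:{cls}" for (src, tgt, cls) in rules
                  if tgt in GENERIC_TARGETS)


if __name__ == "__main__":
    rules = aggregate(parse_avc(SAMPLE_AVC))
    print(render_module(rules))
    for warning in labeling_warnings(rules):
        print("# check labelling before allowing:", warning)
```

Feed it real denials with `ausearch -m AVC` (or the raw boot log) in place of SAMPLE_AVC, then build and load the output as its own module: `checkmodule -M -m -o local_systemd.mod local_systemd.te`, `semodule_package -o local_systemd.pp -m local_systemd.mod`, `semodule -i local_systemd.pp`. Keeping the generated rules in a separate local module leaves refpolicy's own modules in the store untouched while the rules are being tested, and the warnings list is the set of rules worth replacing by a file-context fix before anything is proposed upstream.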


* Re: [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208
From: Shrikant Bobade @ 2016-07-29  9:24 UTC (permalink / raw)
  To: yocto


Hi,


Request for comment set from:
https://lists.yoctoproject.org/pipermail/yocto/2016-July/031362.html to
https://lists.yoctoproject.org/pipermail/yocto/2016-July/031369.html

Checked on the below build config, with refpolicy-minimum using systemd as init
manager.

These are comparative boot logs.
refpolicy-minimum without RFC set: http://paste.ubuntu.com/21383917/

refpolicy-minimum with RFC set: http://paste.ubuntu.com/21383939/



Build Configuration:
BB_VERSION        = "1.31.0"
BUILD_SYS         = "x86_64-linux"
NATIVELSBSTRING   = "universal"
TARGET_SYS        = "arm-poky-linux-gnueabi"
MACHINE           = "qemuarm"
DISTRO            = "poky-selinux"
DISTRO_VERSION    = "2.1+snapshot-20160729"
TUNE_FEATURES     = "arm armv5 thumb dsp"
TARGET_FPU        = "soft"
meta
meta-poky
meta-yocto-bsp    = "master:039f47ad197a9a53109c9f3deadd9c35e62c056d"
meta-selinux      = "master:d0f889259b610c3365962775c6e96a7cba407177"



Please advise, it will be a great help!


Thanks
Shrikant





* Re: [meta-selinux] Regarding "systemd" support with refpolicy-minimum v20151208
From: Shrikant Bobade @ 2016-08-29 14:07 UTC (permalink / raw)
  To: yocto; +Cc: Shrikant Bobade


Hi,


Patch set for systemd and related fixes for refpolicy-minimum v2.20151208
from https://lists.yoctoproject.org/pipermail/yocto/2016-August/031763.html
to https://lists.yoctoproject.org/pipermail/yocto/2016-August/031771.html

Verified the core-image-selinux build with refpolicy-minimum and systemd as
init manager; below are reference logs.

refpolicy-minimum with patch set: http://paste.ubuntu.com/23107423/

refpolicy-minimum without patch set: http://paste.ubuntu.com/23107437/

Please advise!


Thanks
Shrikant



