* [PATCH] Interface to read and write the mount_runtime_t directory.
@ 2019-01-15 3:20 Sugar, David
2019-01-15 3:20 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
` (3 more replies)
0 siblings, 4 replies; 10+ messages in thread
From: Sugar, David @ 2019-01-15 3:20 UTC (permalink / raw)
To: selinux-refpolicy@vger.kernel.org
I see this denial when mounting media. I'm running mount_exec_t
from my domain, not transitioning.
type=AVC msg=audit(1547086778.470:331): avc: denied { read write } for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470 scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/mount.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index bf9a8bf3..31475bde 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
')
+########################################
+## <summary>
+## Read and write mount runtime directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_rw_runtime_dir',`
+ gen_require(`
+ type mount_runtime_t;
+ ')
+
+ allow $1 mount_runtime_t:dir rw_dir_perms;
+')
+
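Review bot: rw_dir_perms is wider than the denial. The AVC asks only for { read write } on the mount_runtime_t directory, while rw_dir_perms also carries add_name and remove_name, so any caller of mount_rw_runtime_dir could create and delete entries under /run/mount rather than just probe it; if the interface stays, `allow $1 mount_runtime_t:dir { getattr search read write };` covers the denial without that. The later reply in this thread traces the { read write } check to mount calling access("/run/mount", R_OK|W_OK) when /run/mount/utab is absent, after which the existing mount_rw_runtime_files (rw_files_pattern on the line above, which already grants search on the directory) is sufficient, so dropping this hunk, as the author ends up doing, is the better fix.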
--
2.20.1
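As an added example (not part of the original message or of refpolicy), a small Python triage script that parses the AVC record above and the dbus USER_AVC quoted later in the thread the way audit2allow does, emits the minimal allow rule each one needs, and reports how much wider a refpolicy permission-set macro such as rw_dir_perms is than what was actually denied. The permission sets are my transcription of refpolicy's obj_perm_sets.spt and the macro names are assumed to match that file; the AVC strings are copies of the ones quoted in this thread.

```python
"""Triage the AVC records in this thread: merge each denial into the minimal
allow rule audit2allow would emit, then compare that with the refpolicy
permission-set macro a patch proposes, to see how much wider the macro is.

Added example for this thread, not refpolicy or audit2allow code. PERM_SETS
is my transcription of the relevant entries in refpolicy's
obj_perm_sets.spt (assumption: unchanged in the tree these patches target).
"""
import re
from collections import defaultdict

# refpolicy permission-set macros, keyed by object class
PERM_SETS = {
    "dir": {
        "search_dir_perms": {"getattr", "search"},
        "list_dir_perms": {"getattr", "search", "open", "read", "lock", "ioctl"},
        "rw_dir_perms": {"open", "getattr", "read", "search", "lock", "ioctl",
                         "add_name", "remove_name", "write"},
    },
    "file": {
        "read_file_perms": {"getattr", "open", "read", "lock", "ioctl"},
        "rw_file_perms": {"open", "getattr", "read", "write", "append",
                          "ioctl", "lock"},
    },
}

# one regex covers both kernel AVC and USER_AVC (dbus) records
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source type, target type, class, denied perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

def minimal_rules(lines):
    """One allow rule per (source, target, class), perms merged across records."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return {key: "allow %s %s:%s { %s };" % (key + (" ".join(sorted(perms)),))
            for key, perms in merged.items()}

def covering_sets(tclass, needed):
    """Refpolicy macros for tclass that include every needed perm, tightest first."""
    fits = [(len(perms), name) for name, perms in PERM_SETS[tclass].items()
            if needed <= perms]
    return [name for _, name in sorted(fits)]

def overgrant(lines, tclass, macro):
    """Perms the macro grants that no denial of that class asked for."""
    needed = set()
    for line in lines:
        parsed = parse_avc(line)
        if parsed and parsed[2] == tclass:
            needed |= parsed[3]
    return sorted(PERM_SETS[tclass][macro] - needed)

# copies of the records quoted in this thread
THREAD_AVCS = [
    'type=AVC msg=audit(1547086778.470:331): avc: denied { read write } for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470 scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1',
    'type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg=\'avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?\'',
]

if __name__ == "__main__":
    for rule in minimal_rules(THREAD_AVCS).values():
        print(rule)
    print("macros covering the dir denial:",
          covering_sets("dir", parse_avc(THREAD_AVCS[0])[3]))
    print("rw_dir_perms grants beyond it:",
          overgrant(THREAD_AVCS, "dir", "rw_dir_perms"))
```

Running it prints `allow settings_sudo_t mount_runtime_t:dir { read write };` for the denial above and lists add_name and remove_name among the seven extra permissions rw_dir_perms would carry, which is the comparison worth making before wrapping a single denial in a convenience macro.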
* [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname
2019-01-15 3:20 [PATCH] Interface to read and write the mount_runtime_t directory Sugar, David
@ 2019-01-15 3:20 ` Sugar, David
2019-01-16 23:12 ` Chris PeBenito
2019-01-15 3:20 ` [PATCH 2/2 v2] Modify type for /etc/hostname Sugar, David
` (2 subsequent siblings)
3 siblings, 1 reply; 10+ messages in thread
From: Sugar, David @ 2019-01-15 3:20 UTC (permalink / raw)
To: selinux-refpolicy@vger.kernel.org
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/systemd.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 9c70afc9..740b3a92 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -268,6 +268,27 @@ interface(`systemd_read_machines',`
allow $1 systemd_machined_var_run_t:file read_file_perms;
')
+########################################
+## <summary>
+## Send and receive messages from
+## systemd hostnamed over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_hostnamed',`
+ gen_require(`
+ type systemd_hostnamed_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_hostnamed_t:dbus send_msg;
+ allow systemd_hostnamed_t $1:dbus send_msg;
+')
+
########################################
## <summary>
## allow systemd_passwd_agent to inherit fds
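Review bot: send_msg is peer-level, not method-level, so the doc summary undersells what is granted: `allow $1 systemd_hostnamed_t:dbus send_msg` lets the caller invoke every org.freedesktop.hostname1 method (SetHostname, SetStaticHostname, SetChassis and the rest), not only the SetPrettyHostname call in the AVC, because the SELinux dbus class only decides which domains may exchange messages; any per-method restriction has to come from the bus configuration or polkit. The shape matches the other systemd_dbus_chat_* interfaces, so it is fine to merge, but callers still need dbus_system_bus_client() as well, since the denial is reported by system_dbusd_t (the subj= in the USER_AVC), and the caller-side hookup for the applyconfig_t domain shown in the AVC is not part of this patch.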
--
2.20.1
* Re: [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname
2019-01-15 3:20 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
@ 2019-01-16 23:12 ` Chris PeBenito
0 siblings, 0 replies; 10+ messages in thread
From: Chris PeBenito @ 2019-01-16 23:12 UTC (permalink / raw)
To: Sugar, David, selinux-refpolicy@vger.kernel.org
On 1/14/19 10:20 PM, Sugar, David wrote:
> type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/system/systemd.if | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 9c70afc9..740b3a92 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -268,6 +268,27 @@ interface(`systemd_read_machines',`
> allow $1 systemd_machined_var_run_t:file read_file_perms;
> ')
>
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## systemd hostnamed over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_dbus_chat_hostnamed',`
> + gen_require(`
> + type systemd_hostnamed_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 systemd_hostnamed_t:dbus send_msg;
> + allow systemd_hostnamed_t $1:dbus send_msg;
> +')
> +
> ########################################
> ## <summary>
> ## allow systemd_passwd_agent to inherit fds
Merged.
--
Chris PeBenito
* [PATCH 2/2 v2] Modify type for /etc/hostname
2019-01-15 3:20 [PATCH] Interface to read and write the mount_runtime_t directory Sugar, David
2019-01-15 3:20 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
@ 2019-01-15 3:20 ` Sugar, David
2019-01-16 23:13 ` Chris PeBenito
2019-01-15 3:20 ` [PATCH] label journald configuration files syslog_conf_t Sugar, David
2019-01-16 23:06 ` [PATCH] Interface to read and write the mount_runtime_t directory Chris PeBenito
3 siblings, 1 reply; 10+ messages in thread
From: Sugar, David @ 2019-01-15 3:20 UTC (permalink / raw)
To: selinux-refpolicy@vger.kernel.org
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are required.
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/sysnetwork.fc | 1 +
policy/modules/system/systemd.te | 3 +++
2 files changed, 4 insertions(+)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index cd528938..1e5432a4 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -18,6 +18,7 @@ ifdef(`distro_debian',`
/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
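Review bot: changing /etc/hostname from etc_t to net_conf_t changes more than systemd-hostnamed's access. Every domain that already calls sysnet_manage_config() (in refpolicy that includes the dhcp client and NetworkManager domains, which rewrite /etc/resolv.conf) can now rewrite the static hostname, and domains that read /etc/hostname through files_read_etc_files() alone lose that read unless they also have sysnet_read_config(); both deserve a line in the commit message, which also says "hostnamectl" where the denied process is systemd-hostnamed running as systemd_hostnamed_t. Existing installs need a restorecon for the new context to take effect; until then the old file stays etc_t and the unlink in the replace sequence from the AVCs is still denied.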
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index abcc52f5..75ee4310 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -325,6 +325,9 @@ files_read_etc_files(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
+sysnet_etc_filetrans_config(systemd_hostnamed_t)
+sysnet_manage_config(systemd_hostnamed_t)
+
systemd_log_parse_environment(systemd_hostnamed_t)
optional_policy(`
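Review bot: sysnet_etc_filetrans_config(systemd_hostnamed_t) must stay unnamed, and that has a side effect worth documenting. The object being created is the temporary `.#hostnamezyqZ9t` (the add_name/create AVCs above), which is then renamed over hostname, so a name-based transition on "hostname" would never fire; but an unnamed transition labels every file systemd_hostnamed_t creates in /etc as net_conf_t, including /etc/machine-info, which systemd-hostnamed writes through the same temp-and-rename path for SetPrettyHostname, SetChassis and friends. Note also that files_etc_filetrans() brings rw_dir_perms on etc_t, so this domain gets add_name/remove_name on /etc as a whole, and that the unlink of the pre-existing hostname (ino=1094712, still etc_t until restorecon) is covered by neither interface.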
--
2.20.1
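As an added example (not part of the message or of refpolicy), the following Python model replays the create/setattr/rename sequence from the AVCs above against a reduced version of what sysnet_manage_config() and sysnet_etc_filetrans_config() grant, under four policy states: no transition, a name-based transition on "hostname", the unnamed transition this patch adds with the old file still etc_t, and the same after restorecon. The allow sets and the labeling rules are my simplification of the kernel's behaviour and are assumptions made for the example.

```python
"""Replay the atomic-replace sequence in the AVCs above (create a temporary
.#hostnameXXXXXX in /etc, setattr it, rename it over /etc/hostname) against a
small model of SELinux file labeling, to see which checks the hunks must
satisfy and why the transition has to be unnamed.

Added example for this thread, not refpolicy or kernel code. The model keeps
only the rules that matter here: a created file inherits its parent
directory's type unless a type_transition applies, a name-based transition
beats an unnamed one, rename keeps the label, and replacing an existing file
needs unlink on that file's current type. The allow sets are my reduction of
sysnet_manage_config() and sysnet_etc_filetrans_config().
"""

class Policy:
    def __init__(self):
        self.allows = set()        # (source, target, class, perm)
        self.transitions = []      # (source, dir type, class, new type, name)

    def allow(self, stype, ttype, tclass, perms):
        for perm in perms.split():
            self.allows.add((stype, ttype, tclass, perm))

    def type_transition(self, stype, dirtype, tclass, newtype, name=None):
        self.transitions.append((stype, dirtype, tclass, newtype, name))

    def label_for_create(self, stype, dirtype, tclass, name):
        """Type of a new object: named transition, else unnamed, else parent's."""
        unnamed = None
        for src, dtype, cls, newtype, tname in self.transitions:
            if (src, dtype, cls) != (stype, dirtype, tclass):
                continue
            if tname == name:
                return newtype
            if tname is None:
                unnamed = newtype
        return unnamed or dirtype

def replace_file(policy, domain, dirtype, existing_type, tmp_name):
    """Checks fired by create(tmp) -> setattr -> rename(tmp, target).
    Returns (denied checks, type the target ends up with)."""
    tmp_type = policy.label_for_create(domain, dirtype, "file", tmp_name)
    checks = [
        (domain, dirtype, "dir", "write"), (domain, dirtype, "dir", "add_name"),
        (domain, tmp_type, "file", "create"), (domain, tmp_type, "file", "write"),
        (domain, tmp_type, "file", "setattr"),
        # rename within the same directory keeps tmp_type on the new name
        (domain, dirtype, "dir", "remove_name"), (domain, dirtype, "dir", "add_name"),
        (domain, tmp_type, "file", "rename"),
    ]
    if existing_type is not None:
        checks.append((domain, existing_type, "file", "unlink"))
    denied = sorted(set(c for c in checks if c not in policy.allows))
    return denied, tmp_type

def hostnamed_scenarios():
    """The four policy states a reviewer of the hunks above would compare."""
    results = {}
    for label, transition, old_type in [
        ("no filetrans", "none", "etc_t"),
        ("named filetrans on hostname", "hostname", "etc_t"),
        ("unnamed filetrans, old file still etc_t", None, "etc_t"),
        ("unnamed filetrans, after restorecon", None, "net_conf_t"),
    ]:
        policy = Policy()
        # sysnet_manage_config(): manage_files_pattern on net_conf_t (reduced)
        policy.allow("systemd_hostnamed_t", "net_conf_t", "file",
                     "create getattr setattr read write append rename link unlink open")
        if transition != "none":
            # sysnet_etc_filetrans_config(): rw_dir_perms on etc_t plus the transition
            policy.allow("systemd_hostnamed_t", "etc_t", "dir",
                         "open getattr read search lock ioctl add_name remove_name write")
            policy.type_transition("systemd_hostnamed_t", "etc_t", "file",
                                   "net_conf_t", transition)
        denied, final_type = replace_file(policy, "systemd_hostnamed_t", "etc_t",
                                          old_type, ".#hostnamezyqZ9t")
        results[label] = (final_type, denied)
    return results

if __name__ == "__main__":
    for label, (final_type, denied) in hostnamed_scenarios().items():
        print("%-42s /etc/hostname -> %-10s denied: %d" % (label, final_type, len(denied)))
        for src, tgt, cls, perm in denied:
            print("    avc: denied { %s } %s -> %s:%s" % (perm, src, tgt, cls))
```

The named-transition case ends with /etc/hostname still etc_t because the transition is keyed on the final name while the kernel sees only the temporary name at create time; the unnamed case with the old file not yet relabeled is the one remaining unlink denial a fresh install of this patch would log.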
* Re: [PATCH 2/2 v2] Modify type for /etc/hostname
2019-01-15 3:20 ` [PATCH 2/2 v2] Modify type for /etc/hostname Sugar, David
@ 2019-01-16 23:13 ` Chris PeBenito
0 siblings, 0 replies; 10+ messages in thread
From: Chris PeBenito @ 2019-01-16 23:13 UTC (permalink / raw)
To: Sugar, David, selinux-refpolicy@vger.kernel.org
On 1/14/19 10:20 PM, Sugar, David wrote:
> hostnamectl updates /etc/hostname
> This change is setting the type for the file /etc/hostname to
> net_conf_t and granting hostnamectl permission to edit this file.
> Note that hostnamectl is initially creating a new file .#hostname*
> which is why the create permissions are required.
>
> type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
> type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
> type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/system/sysnetwork.fc | 1 +
> policy/modules/system/systemd.te | 3 +++
> 2 files changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
> index cd528938..1e5432a4 100644
> --- a/policy/modules/system/sysnetwork.fc
> +++ b/policy/modules/system/sysnetwork.fc
> @@ -18,6 +18,7 @@ ifdef(`distro_debian',`
> /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index abcc52f5..75ee4310 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -325,6 +325,9 @@ files_read_etc_files(systemd_hostnamed_t)
>
> seutil_read_file_contexts(systemd_hostnamed_t)
>
> +sysnet_etc_filetrans_config(systemd_hostnamed_t)
> +sysnet_manage_config(systemd_hostnamed_t)
> +
> systemd_log_parse_environment(systemd_hostnamed_t)
>
> optional_policy(`
Merged.
--
Chris PeBenito
* [PATCH] label journald configuration files syslog_conf_t
2019-01-15 3:20 [PATCH] Interface to read and write the mount_runtime_t directory Sugar, David
2019-01-15 3:20 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
2019-01-15 3:20 ` [PATCH 2/2 v2] Modify type for /etc/hostname Sugar, David
@ 2019-01-15 3:20 ` Sugar, David
2019-01-16 23:12 ` Chris PeBenito
2019-01-16 23:06 ` [PATCH] Interface to read and write the mount_runtime_t directory Chris PeBenito
3 siblings, 1 reply; 10+ messages in thread
From: Sugar, David @ 2019-01-15 3:20 UTC (permalink / raw)
To: selinux-refpolicy@vger.kernel.org
journald already runs as syslogd_t; label the config files similarly to
allow editing by domains that can edit syslog configuration files.
Also added some missing '\' before dot in filenames.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/logging.fc | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index c579c2d3..6693d87b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,11 +1,13 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
-/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/systemd/journald\.conf\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
/usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
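Review bot: `/etc/systemd/journal.*\.conf` matches more than journald.conf: journal-remote.conf and journal-upload.conf (systemd-journal-remote's configuration) also become syslog_conf_t and thus editable by every domain with syslog configuration rights. If only journald is intended, `/etc/systemd/journald\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)` is the tighter entry. Separately, adding `--` to the rsyslog.conf and syslog.conf lines restricts them to regular files where they previously matched any object type; that is a semantic change rather than whitespace, so it belongs in its own patch alongside the `\.` fixes.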
--
2.20.1
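As an added example (not part of the message or of libselinux), here is a Python reimplementation of the file_contexts matching rules applied to the post-patch entries in the hunk above, so one can see which paths end up syslog_conf_t. The anchoring, qualifier and last-match-wins behaviour are my understanding of libselinux's file backend and are assumptions here; the probe paths are constructed.

```python
"""Check which paths the post-patch logging.fc entries label, using the
matching rules libselinux's file-context backend applies: each regular
expression is anchored to the whole path, an optional object-type qualifier
(-- regular file, -d directory, -s socket, ...) must agree with the object,
and when several entries match, the last one wins (the refpolicy build sorts
entries with fc_sort so that more specific ones come later).

Added example for this thread, not libselinux or refpolicy code. FC_TEXT is
the post-patch state of the hunk above; the probe paths are constructed.
"""
import re
import stat

QUALIFIERS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-s": stat.S_IFSOCK,
              "-l": stat.S_IFLNK, "-c": stat.S_IFCHR, "-b": stat.S_IFBLK,
              "-p": stat.S_IFIFO}
CONTEXT_RE = re.compile(r"gen_context\(\w+:\w+:(\w+),")

def parse_fc(text):
    """Return [(anchored regex, required object type or None, selinux type)]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        qualifier = fields[1] if fields[1] in QUALIFIERS else None
        setype = CONTEXT_RE.search(line).group(1)
        # libselinux anchors the expression so it must match the full path
        entries.append((re.compile("^(?:%s)$" % fields[0]),
                        QUALIFIERS.get(qualifier), setype))
    return entries

def lookup(entries, path, obj_type=stat.S_IFREG):
    """SELinux type for path, or None if no entry matches; last match wins."""
    setype = None
    for regex, want, candidate in entries:
        if want is not None and want != obj_type:
            continue
        if regex.match(path):
            setype = candidate
    return setype

FC_TEXT = r"""
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/systemd/journald\.conf\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
"""

ENTRIES = parse_fc(FC_TEXT)

def labels_for(probes):
    """Map each probe path to the type the entries assign it."""
    return {path: lookup(ENTRIES, path, obj_type) for path, obj_type in probes}

if __name__ == "__main__":
    probes = [("/etc/systemd/journald.conf", stat.S_IFREG),
              ("/etc/systemd/journal-remote.conf", stat.S_IFREG),
              ("/etc/systemd/journald.conf.d/10-local.conf", stat.S_IFREG),
              ("/etc/rsyslogXconf", stat.S_IFREG),
              ("/etc/rsyslog.conf", stat.S_IFDIR),
              ("/dev/log", stat.S_IFSOCK)]
    for path, setype in labels_for(probes).items():
        print("%-45s %s" % (path, setype))
```

The journal-remote.conf probe is the one to look at: `journal.*\.conf` labels it syslog_conf_t alongside journald.conf, which may or may not be what the patch intends, while the `--` qualifier is why a directory named rsyslog.conf would get no label from these entries at all.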
* Re: [PATCH] label journald configuration files syslog_conf_t
2019-01-15 3:20 ` [PATCH] label journald configuration files syslog_conf_t Sugar, David
@ 2019-01-16 23:12 ` Chris PeBenito
0 siblings, 0 replies; 10+ messages in thread
From: Chris PeBenito @ 2019-01-16 23:12 UTC (permalink / raw)
To: Sugar, David, selinux-refpolicy@vger.kernel.org
On 1/14/19 10:20 PM, Sugar, David wrote:
> journald already runs as syslogd_t; label the config files similarly to
> allow editing by domains that can edit syslog configuration files.
> Also added some missing '\' before dot in filenames.
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/system/logging.fc | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index c579c2d3..6693d87b 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -1,11 +1,13 @@
> /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>
> -/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> -/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> -/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> -/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> -/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
> +/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> +/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/systemd/journald\.conf\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
>
> /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
> /usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
Merged, though preferably the whitespace changes would have been a
separate patch.
--
Chris PeBenito
* Re: [PATCH] Interface to read and write the mount_runtime_t directory.
2019-01-15 3:20 [PATCH] Interface to read and write the mount_runtime_t directory Sugar, David
` (2 preceding siblings ...)
2019-01-15 3:20 ` [PATCH] label journald configuration files syslog_conf_t Sugar, David
@ 2019-01-16 23:06 ` Chris PeBenito
2019-01-22 14:47 ` Sugar, David
3 siblings, 1 reply; 10+ messages in thread
From: Chris PeBenito @ 2019-01-16 23:06 UTC (permalink / raw)
To: Sugar, David, selinux-refpolicy@vger.kernel.org
On 1/14/19 10:20 PM, Sugar, David wrote:
> I see this denial when mounting media. I'm running mount_exec_t
> from my domain, not transitioning.
>
> type=AVC msg=audit(1547086778.470:331): avc: denied { read write } for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470 scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1
Seems like there is a leaked file descriptor.
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/system/mount.if | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
> index bf9a8bf3..31475bde 100644
> --- a/policy/modules/system/mount.if
> +++ b/policy/modules/system/mount.if
> @@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
> rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
> ')
>
> +########################################
> +## <summary>
> +## Read and write mount runtime directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mount_rw_runtime_dir',`
> + gen_require(`
> + type mount_runtime_t;
> + ')
> +
> + allow $1 mount_runtime_t:dir rw_dir_perms;
> +')
> +
>
--
Chris PeBenito
* Re: [PATCH] Interface to read and write the mount_runtime_t directory.
2019-01-16 23:06 ` [PATCH] Interface to read and write the mount_runtime_t directory Chris PeBenito
@ 2019-01-22 14:47 ` Sugar, David
0 siblings, 0 replies; 10+ messages in thread
From: Sugar, David @ 2019-01-22 14:47 UTC (permalink / raw)
To: selinux-refpolicy@vger.kernel.org
On 1/16/19 6:06 PM, Chris PeBenito wrote:
> On 1/14/19 10:20 PM, Sugar, David wrote:
>> I see this denial when mounting media. I'm running mount_exec_t
>> from my domain, not transitioning.
>>
>> type=AVC msg=audit(1547086778.470:331): avc: denied { read write }
>> for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470
>> scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1
>
> Seems like there is a leaked file descriptor.
>
I have done some more looking into what is going on here and I just
wanted to close the loop in case this comes up again from somewhere. I
ran strace to see what is going on and the following snippet from that
output is relevant:
This is the default case on RHEL7. It appears that mount is trying to
access a file /run/mount/utab (that doesn't exist).
stat("/run", {st_mode=S_IFDIR|0755, st_size=740, ...}) = 0
lstat("/run/mount/utab", 0x7ffd6ac8b0e0) = -1 ENOENT (No such file or
directory)
mkdir("/run/mount", 0755) = -1 EEXIST (File exists)
stat("/run/mount/utab", 0x7ffd6ac8afd0) = -1 ENOENT (No such file or
directory)
stat("/run/mount", {st_mode=S_IFDIR|0755, st_size=40, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/run/mount", R_OK|W_OK) = 0
If I create the file /run/mount/utab I get a slightly different result:
stat("/run", {st_mode=S_IFDIR|0755, st_size=740, ...}) = 0
lstat("/run/mount/utab", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
stat("/run/mount/utab", {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/run/mount/utab", R_OK|W_OK) = 0
I don't know what is supposed to be creating /run/mount/utab. I see it
exist on a Fedora 29 machine, but not a clean RHEL 7.6 machine.
I ended up using systemd-tmpfiles to create the file /run/mount/utab.
At this point I am able to get everything to work using the existing
mount_rw_runtime_files interface.
I guess this is the long way of saying that this patch can be ignored
but for anyone else seeing the problem they need to create the
/run/mount/utab file to work around the denial.
>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>> policy/modules/system/mount.if | 18 ++++++++++++++++++
>> 1 file changed, 18 insertions(+)
>>
>> diff --git a/policy/modules/system/mount.if
>> b/policy/modules/system/mount.if
>> index bf9a8bf3..31475bde 100644
>> --- a/policy/modules/system/mount.if
>> +++ b/policy/modules/system/mount.if
>> @@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
>> rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
>> ')
>> +########################################
>> +## <summary>
>> +## Read and write mount runtime directory
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mount_rw_runtime_dir',`
>> + gen_require(`
>> + type mount_runtime_t;
>> + ')
>> +
>> + allow $1 mount_runtime_t:dir rw_dir_perms;
>> +')
>> +
>>
>
>
* [PATCH] Add interface to create unit files with specified type via filetrans.
@ 2019-01-11 15:30 Sugar, David
2019-01-11 15:30 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
0 siblings, 1 reply; 10+ messages in thread
From: Sugar, David @ 2019-01-11 15:30 UTC (permalink / raw)
To: selinux-refpolicy@vger.kernel.org
This is adding an interface to perform a filetrans when creating
systemd unit files (in systemd_unit_t directory). Something like this
is required if creating new unit files for systemd and you want them
to have something other than the generic systemd_unit_t type.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/init.if | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 5beb21e9..caed4867 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3040,6 +3040,40 @@ interface(`init_reload_all_units',`
allow $1 { init_script_file_type systemdunit }:service reload;
')
+########################################
+## <summary>
+## Create systemd_unit_t objects with a private
+## type using a type_transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object classes to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_unit_filetrans',`
+ gen_require(`
+ type systemd_unit_t;
+ ')
+
+ filetrans_pattern($1, systemd_unit_t, $2, $3, $4)
+')
+
########################################
## <summary>
## Allow unconfined access to send instructions to init
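Review bot: the summary should say what filetrans_pattern grants besides the transition: rw_dir_perms on every systemd_unit_t directory (such as /etc/systemd/system), that is add_name and remove_name there, which amounts to being able to install or remove units that init will run. That is acceptable for a tightly confined management domain, but callers should know. The private type $2 also needs the usual init_unit_file() declaration so it carries the systemdunit attribute used on the reload line above; otherwise the transition yields a file that init cannot read or start. Finally, the `<param name="class">` description should say it is the object class list handed to filetrans_pattern (typically `file`), matching the other *_filetrans interfaces.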
--
2.20.1
* [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname
2019-01-11 15:30 [PATCH] Add interface to create unit files with specified type via filetrans Sugar, David
@ 2019-01-11 15:30 ` Sugar, David
0 siblings, 0 replies; 10+ messages in thread
From: Sugar, David @ 2019-01-11 15:30 UTC (permalink / raw)
To: selinux-refpolicy@vger.kernel.org
type=USER_AVC msg=audit(1547039052.040:558): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetPrettyHostname dest=org.freedesktop.hostname1 spid=7563 tpid=7564 scontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547039052.040:560): pid=7159 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.29 spid=7564 tpid=7563 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=sysadm_u:sysadm_r:applyconfig_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/systemd.if | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 9c70afc9..740b3a92 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -268,6 +268,27 @@ interface(`systemd_read_machines',`
allow $1 systemd_machined_var_run_t:file read_file_perms;
')
+########################################
+## <summary>
+## Send and receive messages from
+## systemd hostnamed over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_hostnamed',`
+ gen_require(`
+ type systemd_hostnamed_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_hostnamed_t:dbus send_msg;
+ allow systemd_hostnamed_t $1:dbus send_msg;
+')
+
########################################
## <summary>
## allow systemd_passwd_agent to inherit fds
--
2.20.1
Thread overview: 10+ messages
2019-01-15 3:20 [PATCH] Interface to read and write the mount_runtime_t directory Sugar, David
2019-01-15 3:20 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
2019-01-16 23:12 ` Chris PeBenito
2019-01-15 3:20 ` [PATCH 2/2 v2] Modify type for /etc/hostname Sugar, David
2019-01-16 23:13 ` Chris PeBenito
2019-01-15 3:20 ` [PATCH] label journald configuration files syslog_conf_t Sugar, David
2019-01-16 23:12 ` Chris PeBenito
2019-01-16 23:06 ` [PATCH] Interface to read and write the mount_runtime_t directory Chris PeBenito
2019-01-22 14:47 ` Sugar, David
-- strict thread matches above, loose matches on Subject: below --
2019-01-11 15:30 [PATCH] Add interface to create unit files with specified type via filetrans Sugar, David
2019-01-11 15:30 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David