plymouth is started very early in the boot process. Looks like before the SELinux policy is loaded so plymouthd is running as kernel_t rather than plymouthd_t. Due to this I needed to allow a few permissions on kernel_t to get the system to boot. Please note that in this case I have the harddisk encrypted with LUKS so when plymouthd is started the harddisk is not unlocked yet. I don't know if the permissions are different in the case when LUKS is not involved. type=AVC msg=audit(1554917011.127:225): avc: denied { write } for pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:226): avc: denied { remove_name } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1554917011.127:227): avc: denied { unlink } for pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1554917011.116:224): avc: denied { write } for pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1555069712.938:237): avc: denied { ioctl } for pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0 Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/kernel/devices.if | 18 +++++++++++++ policy/modules/kernel/kernel.te | 5 +++- policy/modules/services/plymouthd.if | 38 ++++++++++++++++++++++++++++ 3 files changed, 60 insertions(+), 1 deletion(-) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 78a95ce8..d1cdf933 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1939,6 +1939,24 @@ interface(`dev_setattr_dri_dev',`
 setattr_chr_files_pattern($1, device_t, dri_device_t)
 ')
 
+########################################
+## <summary>
+## IOCLT the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_ioctl_dri_dev',`
+ gen_require(`
+ type device_t, dri_device_t;
+ ')
+
+ allow $1 dri_device_t:chr_file ioctl;
+')
+
 ########################################
 ## <summary>
 ## Read and write the dri devices.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b9ae4079..d230a5a2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -397,9 +397,12 @@ optional_policy(`
 ')
 
 optional_policy(`
- plymouthd_read_lib_files(kernel_t)
+ dev_ioctl_dri_dev(kernel_t)
+
+ plymouthd_delete_pid_files(kernel_t)
 plymouthd_read_pid_files(kernel_t)
 plymouthd_read_spool_files(kernel_t)
+ plymouthd_rw_lib_files(kernel_t)
 
 term_use_ptmx(kernel_t)
 term_use_unallocated_ttys(kernel_t)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index 04e0c734..3cc08b96 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
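Review bot: `dev_ioctl_dri_dev` lists `device_t` in its `gen_require` but never uses it — the body is the single rule `allow $1 dri_device_t:chr_file ioctl;` with no directory search, unlike the neighbouring `setattr_chr_files_pattern($1, device_t, dri_device_t)` which does take the `/dev` directory type. Either trim the requirement to `type dri_device_t;` or, if callers are expected to open the node themselves, grant the directory search the pattern-based interfaces provide. The summary has a typo as well: `## IOCLT the dri devices.` should read `## ioctl the dri devices.`. The description shows exactly one command (`ioctlcmd=64b1`) being denied, so if the policy build supports extended permissions (`allowxperm`) it would be tighter to limit the grant to that command rather than allow every ioctl on every dri device.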
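Review bot: The new `kernel_t` rules in the plymouthd `optional_policy` block give no hint why the kernel domain must ioctl DRI devices or delete and rewrite plymouthd's state, and the reason in the description (plymouthd starts before the policy is loaded, so it still runs as `kernel_t`) is exactly what a later maintainer needs before deciding whether these can be dropped; a comment above `dev_ioctl_dri_dev(kernel_t)` such as `# plymouthd starts before the policy is loaded, so it runs as kernel_t` would capture it. The description also states the denials were collected on a LUKS-encrypted system, four of them with `permissive=1`, so the set may differ on an unencrypted boot and is worth verifying there before this lands. The `optional_policy` block these lines sit in closes outside the hunk.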
@@ -192,6 +192,25 @@ interface(`plymouthd_read_lib_files',`
 read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
 ')
 
+########################################
+## <summary>
+## Read and write plymouthd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_rw_lib_files',`
+ gen_require(`
+ type plymouthd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ## Create, read, write, and delete
@@ -232,6 +251,25 @@ interface(`plymouthd_read_pid_files',`
 allow $1 plymouthd_var_run_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+## Delete the plymouthd pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`plymouthd_delete_pid_files',`
+ gen_require(`
+ type plymouthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+')
+
 ########################################
 ## <summary>
 ## All of the rules required to
-- 
2.20.1
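Review bot: `plymouthd_delete_pid_files` covers only removal of the pid file — `delete_files_pattern` presumably expands to the `unlink` plus the directory `write`/`remove_name` seen in the AVCs — so if plymouthd recreates `pid` after unlinking it, `create`/`add_name` are not granted here; no such denial appears in the description, which means either that path was not exercised or the caller already has it, and that is worth confirming on a boot where the pid file is rewritten. Since the interface also permits writing the containing directory, making that explicit in the summary, e.g. `## Delete the plymouthd pid files (also allows removing entries from the pid directory).`, would spare the next reader expanding the pattern. The file continues past this hunk.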