Re: [PATCH 2/3] Changes to support plymouth working in enforcing

[Chris PeBenito <pebenito@xxxxxxxx>]

On 4/12/19 3:39 PM, Sugar, David wrote:
> plymouth is started very early in the boot process.  Looks
> like before the SELinux policy is loaded so plymouthd is
> running as kernel_t rather than plymouthd_t.  Due to this
> I needed to allow a few permissions on kernel_t to get
> the system to boot.
>
> Please note that in this case I have the harddisk encrypted
> with LUKS so when plymouthd is started the harddisk is not
> unlocked yet.  I don't know if the permissions are different
> in the case when LUKS is not involved.
>
> type=AVC msg=audit(1554917011.127:225): avc:  denied  { write } for  pid=2585 comm="plymouthd" name="plymouth" dev="tmpfs" ino=18877 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1554917011.127:226): avc:  denied  { remove_name } for  pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1554917011.127:227): avc:  denied  { unlink } for  pid=2585 comm="plymouthd" name="pid" dev="tmpfs" ino=18883 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_run_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1554917011.116:224): avc:  denied  { write } for  pid=2585 comm="plymouthd" name="boot-duration" dev="dm-16" ino=2097285 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:plymouthd_var_lib_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1555069712.938:237): avc:  denied  { ioctl } for  pid=2554 comm="plymouthd" path="/dev/dri/card0" dev="devtmpfs" ino=12229 ioctlcmd=64b1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
>
> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
> ---
>   policy/modules/kernel/devices.if     | 18 +++++++++++++
>   policy/modules/kernel/kernel.te      |  5 +++-
>   policy/modules/services/plymouthd.if | 38 ++++++++++++++++++++++++++++
>   3 files changed, 60 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 78a95ce8..d1cdf933 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -1939,6 +1939,24 @@ interface(`dev_setattr_dri_dev',`
>   	setattr_chr_files_pattern($1, device_t, dri_device_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	IOCLT the dri devices.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_ioctl_dri_dev',`
> +	gen_require(`
> +		type device_t, dri_device_t;
> +	')
> +
> +	allow $1 dri_device_t:chr_file ioctl;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read and write the dri devices.
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index b9ae4079..d230a5a2 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -397,9 +397,12 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	plymouthd_read_lib_files(kernel_t)
> +	dev_ioctl_dri_dev(kernel_t)
> +
> +	plymouthd_delete_pid_files(kernel_t)
>   	plymouthd_read_pid_files(kernel_t)
>   	plymouthd_read_spool_files(kernel_t)
> +	plymouthd_rw_lib_files(kernel_t)
>   
>   	term_use_ptmx(kernel_t)
>   	term_use_unallocated_ttys(kernel_t)
> diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
> index 04e0c734..3cc08b96 100644
> --- a/policy/modules/services/plymouthd.if
> +++ b/policy/modules/services/plymouthd.if
> @@ -192,6 +192,25 @@ interface(`plymouthd_read_lib_files',`
>   	read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	Read and write plymouthd lib files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`plymouthd_rw_lib_files',`
> +	gen_require(`
> +		type plymouthd_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +	rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Create, read, write, and delete
> @@ -232,6 +251,25 @@ interface(`plymouthd_read_pid_files',`
>   	allow $1 plymouthd_var_run_t:file read_file_perms;
>   ')
>   
> +########################################
> +## <summary>
> +##	Delete the plymouthd pid files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`plymouthd_delete_pid_files',`
> +	gen_require(`
> +		type plymouthd_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	delete_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	All of the rules required to

Merged.

--
Chris PeBenito