On 1/23/20 7:40 AM, Sugar, David wrote:
Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which
are used to check various path/file/directory to control starting a
service. But this requires getattr permissions on the types.
Example denials that fit the problem.
The first example is from lvm where accessing config file.
type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for
pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0
This second example is from chronyd, but it is happening becuase I added
the conditional in a drop-in file.
type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for
pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1
v3 - rework to not use interface and allow getattr for all files
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 281d4fd2..c772ff40 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -335,6 +335,11 @@ ifdef(`init_systemd',`
domain_subj_id_change_exemption(init_t)
domain_role_change_exemption(init_t)
+ files_getattr_all_dirs(init_t)
+ files_getattr_all_files(init_t)
+ files_getattr_all_pipes(init_t)
+ files_getattr_all_sockets(init_t)
+ files_read_all_symlinks(init_t)
files_read_all_pids(init_t)
files_list_usr(init_t)
files_list_var(init_t)
Sorry for the delay. Merged.
--
Chris PeBenito
