[DSE-Dev] Bug#756729: AVCs for Jessie
Andreas Florath
andre at flonatel.org
Sat Aug 9 16:34:23 UTC 2014
Hello!
After some experiments it was somewhat clear for me that this must
be a SELinux or policy 'problem'. The problem is, that the things
are set up during boot time and I did not receive any hint what
was going on.
Therefore I disabled the 'virtio_net' module during boot, set
the system to enforcing and loaded the module manually:
# run_init modprobe virtio_net
I got this AVC:
type=USER_AVC msg=audit(1407598899.576:95): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
created policy file from it, rebooted, modprobe again and another AVC:
type=USER_AVC msg=audit(1407599868.756:93): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
This was all I got - no more AVCs. For me the resulting policy file is:
# cat local-network-hotplug.te
policy_module(localnetworkhotplug, 1.0.1)

# Types referenced below are defined in the base policy, so declare them
# as requirements rather than redefining them.
gen_require(`
	type udev_t;
	type systemd_unit_file_t;
')

# Let udev (which runs the hotplug handling) start and query ifup@.service.
allow udev_t systemd_unit_file_t:service { start status };
After loading this policy, re-enabling the module during boot, the eth0
interface was brought up directly during boot. Adding this rule solves
the problem for me.
=== Start Assumptions
In refpolicy-2.20140421/policy/modules/system/systemd.te I found:
allow init_t systemd_unit_file_t:service { stop start status };
in the Debian patch to the ref-policy. IMHO not only init but also
udev should be able to start / stop / status a service like ifup
(especially for hotplug).
root@debselinux01:~# ls -Z /lib/systemd/system/ifup\@.service
system_u:object_r:systemd_unit_file_t:SystemLow /lib/systemd/system/ifup@.service
=== End Assumptions
Kind regards
Andre
root@debselinux01:~# dpkg -l | grep systemd
ii libpam-systemd:amd64 208-6 amd64 system and service manager - PAM module
ii libsystemd-daemon0:amd64 208-6 amd64 systemd utility library
ii libsystemd-journal0:amd64 208-6 amd64 systemd journal utility library
ii libsystemd-login0:amd64 208-6 amd64 systemd login utility library
ii systemd 208-6 amd64 system and service manager
ii systemd-sysv 208-6 amd64 system and service manager - SysV links
root@debselinux01:~# dpkg -l | grep udev
ii libudev1:amd64 208-6 amd64 libudev shared library
ii udev 208-6 amd64 /dev/ and hotplug management daemon
root@debselinux01:~# dpkg -l | grep selinux
ii libselinux1:amd64 2.3-1 amd64 SELinux runtime shared libraries
ii python-selinux 2.3-1 amd64 Python bindings to SELinux shared libraries
ii selinux-basics 0.5.2 all SELinux basic support
ii selinux-policy-default 2:2.20140421-4 all Strict and Targeted variants of the SELinux policy
ii selinux-policy-dev 2:2.20140421-4 all Headers from the SELinux reference policy for building modules
ii selinux-utils 2.3-1 amd64 SELinux utility programs
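The procedure in the report (collect USER_AVC records, derive the missing allow rule, wrap it in a policy module with the required types declared) is what audit2allow does; the following is an added, simplified re-implementation of that step, not code from the report, the Debian policy or the audit2allow tool. It parses the two AVC records quoted above (embedded here as constructed sample input, with the mailing-list "at" obfuscation undone), merges the permissions per (source type, target type, class) so that repeated reboot-and-collect cycles yield one rule rather than one per denial, and emits a .te module in the same shape as the one the report shows. Module name, version and the helper names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the report, plus one unrelated line
# (a dpkg row) to show that non-AVC input is ignored.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1407598899.576:95): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
ii  udev  208-6  amd64  /dev/ and hotplug management daemon
type=USER_AVC msg=audit(1407599868.756:93): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Matches the denied permission set and the source/target contexts of one
# AVC (kernel "type=AVC" or userspace "type=USER_AVC") record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record (e.g. dpkg output)
        yield (
            type_of(m.group("scontext")),
            type_of(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()),
        )


def merge_rules(text):
    """Union the denied permissions per (source, target, class) triple."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def build_policy_module(text, name="localnetworkhotplug", version="1.0.1"):
    """Render a refpolicy-style .te file with gen_require and allow rules."""
    rules = merge_rules(text)
    # Every type we reference must be declared as a requirement, since the
    # loadable module does not define them itself.
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    lines = [f"policy_module({name}, {version})", "", "gen_require(`"]
    lines += [f"\ttype {t};" for t in types]
    lines += ["')", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_policy_module(SAMPLE_AUDIT_LOG), end="")
```

Feeding a real `ausearch -m avc,user_avc` dump through this gives the same rule the report arrives at; on the machine itself `audit2allow -M localnetworkhotplug` followed by `semodule -i localnetworkhotplug.pp` does the equivalent, and the reboot-then-collect loop the report describes is needed precisely because each enforced denial hides the next one.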