commit: 51a5f6d799fac283615b106a05916e3179123db5 Author: Dave Sugar <dsugar <AT> tresys <DOT> com> AuthorDate: Sun Sep 27 02:07:21 2020 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Mon Nov 16 09:03:43 2020 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51a5f6d7
pacemaker systemd permissions Allow pacemaker to get status of all running services and reload systemd Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Allow pacemaker to start/sotp all units (when enabled) Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Allow for dynamic creation of unit files (with private type) By using a private type pacemaker doesn't need permission to read/write all init_runtime_t files. Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { write } for pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { add_name } for pid=5075 comm="lrmd" name="target-monitor <AT> my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { create } for pid=5075 comm="lrmd" name="target-monitor <AT> my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { create } for pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { write open } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor <AT> my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc: denied { getattr } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor <AT> my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/services/pacemaker.te | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te index f7a18a7f..70d976ea 100644 --- a/policy/modules/services/pacemaker.te +++ b/policy/modules/services/pacemaker.te @@ -5,6 +5,13 @@ policy_module(pacemaker, 1.6.0) # Declarations # +## <desc> +## <p> +## Allow pacemaker to start/stop services +## </p> +## </desc> +gen_tunable(pacemaker_startstop_all_services, false) + type pacemaker_t; type pacemaker_exec_t; init_daemon_domain(pacemaker_t, pacemaker_exec_t) @@ -18,6 +25,9 @@ logging_log_file(pacemaker_log_t) type pacemaker_runtime_t alias pacemaker_var_run_t; files_runtime_file(pacemaker_runtime_t) +type pacemaker_runtime_unit_t; +init_unit_file(pacemaker_runtime_unit_t) + type pacemaker_tmp_t; files_tmp_file(pacemaker_tmp_t) @@ -61,6 +71,10 @@ manage_dirs_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t) manage_files_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t) files_runtime_filetrans(pacemaker_t, pacemaker_runtime_t, { dir file }) +manage_dirs_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t) +manage_files_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t) +init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file }) + kernel_getattr_core_if(pacemaker_t) kernel_read_all_sysctls(pacemaker_t) kernel_read_messages(pacemaker_t) @@ -95,6 +109,16 @@ logging_send_syslog_msg(pacemaker_t) miscfiles_read_localization(pacemaker_t) +ifdef(`init_systemd',` + init_get_all_units_status(pacemaker_t) + init_reload(pacemaker_t) +') + +tunable_policy(`pacemaker_startstop_all_services',` + init_start_all_units(pacemaker_t) + init_stop_all_units(pacemaker_t) +') + optional_policy(` corosync_read_log(pacemaker_t) corosync_stream_connect(pacemaker_t)