commit:     51a5f6d799fac283615b106a05916e3179123db5
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sun Sep 27 02:07:21 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51a5f6d7

pacemaker systemd permissions

Allow pacemaker to get status of all running services and reload systemd

Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC 
msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a 
uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" 
cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service 
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC 
msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a 
uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" 
scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 
tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? 
terminal=?'

Allow pacemaker to start/stop all units (when enabled via the new boolean)

Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC 
msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a 
uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" 
cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service  
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Allow for dynamic creation of unit files (with private type)

By using a private type pacemaker doesn't need permission to
read/write all init_runtime_t files.

Sep 30 14:37:14 localhost audispd: node=virtual type=AVC 
msg=audit(1601476634.759:3071): avc:  denied  { write } for  pid=5075 
comm="lrmd" name="system" dev="tmpfs" ino=1177 
scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC 
msg=audit(1601476634.759:3071): avc:  denied  { add_name } for  pid=5075 
comm="lrmd" name="target-monitor <AT> my.service.d" 
scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC 
msg=audit(1601476634.759:3071): avc:  denied  { create } for  pid=5075 
comm="lrmd" name="target-monitor <AT> my.service.d" 
scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC 
msg=audit(1601476634.761:3072): avc:  denied  { create } for  pid=5075 
comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC 
msg=audit(1601476634.761:3072): avc:  denied  { write open } for  pid=5075 
comm="lrmd" path="/run/systemd/system/target-monitor <AT> 
my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 
scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC 
msg=audit(1601476634.761:3073): avc:  denied  { getattr } for  pid=5075 
comm="lrmd" path="/run/systemd/system/target-monitor <AT> 
my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 
scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/pacemaker.te | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/policy/modules/services/pacemaker.te 
b/policy/modules/services/pacemaker.te
index f7a18a7f..70d976ea 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.6.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow pacemaker to start/stop services
+## </p>
+## </desc>
+gen_tunable(pacemaker_startstop_all_services, false)
+
 type pacemaker_t;
 type pacemaker_exec_t;
 init_daemon_domain(pacemaker_t, pacemaker_exec_t)
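Review bot: The tunable description `## Allow pacemaker to start/stop services` understates what the boolean grants: the tunable_policy block later in this patch calls init_start_all_units/init_stop_all_units, i.e. control over every unit on the host, not only pacemaker-managed resources. Suggest `## Allow pacemaker to start and stop any systemd unit on the system.` so an administrator reading the boolean list understands the scope before enabling it. The `false` default is appropriate for a boolean of this reach and should stay.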
@@ -18,6 +25,9 @@ logging_log_file(pacemaker_log_t)
 type pacemaker_runtime_t alias pacemaker_var_run_t;
 files_runtime_file(pacemaker_runtime_t)
 
+type pacemaker_runtime_unit_t;
+init_unit_file(pacemaker_runtime_unit_t)
+
 type pacemaker_tmp_t;
 files_tmp_file(pacemaker_tmp_t)
 
@@ -61,6 +71,10 @@ manage_dirs_pattern(pacemaker_t, pacemaker_runtime_t, 
pacemaker_runtime_t)
 manage_files_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
 files_runtime_filetrans(pacemaker_t, pacemaker_runtime_t, { dir file })
 
+manage_dirs_pattern(pacemaker_t, pacemaker_runtime_unit_t, 
pacemaker_runtime_unit_t)
+manage_files_pattern(pacemaker_t, pacemaker_runtime_unit_t, 
pacemaker_runtime_unit_t)
+init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })
+
 kernel_getattr_core_if(pacemaker_t)
 kernel_read_all_sysctls(pacemaker_t)
 kernel_read_messages(pacemaker_t)
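Review bot: `init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })` has no name filter, so every directory or file pacemaker_t creates directly inside an init_runtime_t directory (e.g. /run/systemd/system) becomes a unit-file type that systemd will read. The AVCs in the description show the drop-in directory name is dynamic (`target-monitor@my.service.d`), so a name filter on `dir` is not practical, but `50-pacemaker.conf` is created inside that directory and will inherit its new label unless another transition applies, so the `file` class appears only needed if pacemaker also writes files directly into the unit directory; if it does not, narrowing to `dir` reduces what can be relabeled. A comment should record the intent either way, e.g. `# drop-in unit overrides; anything pacemaker creates under /run/systemd/system becomes unit config`.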
@@ -95,6 +109,16 @@ logging_send_syslog_msg(pacemaker_t)
 
 miscfiles_read_localization(pacemaker_t)
 
+ifdef(`init_systemd',`
+       init_get_all_units_status(pacemaker_t)
+       init_reload(pacemaker_t)
+')
+
+tunable_policy(`pacemaker_startstop_all_services',`
+       init_start_all_units(pacemaker_t)
+       init_stop_all_units(pacemaker_t)
+')
+
 optional_policy(`
        corosync_read_log(pacemaker_t)
        corosync_stream_connect(pacemaker_t)
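Review bot: `init_reload(pacemaker_t)` is granted unconditionally inside `ifdef(`init_systemd')`, while start/stop is gated by the boolean; combined with the unconditional drop-in write rules earlier in this patch, pacemaker_t can alter the definition of arbitrary units and have systemd re-read them even when `pacemaker_startstop_all_services` is off, so the boolean does not bound what pacemaker can make systemd do. If that baseline is intended, say so next to the rule, e.g. `# daemon-reload is required after writing unit drop-ins; this applies overrides to units pacemaker may not start/stop`, otherwise consider moving init_reload under the tunable. Separately, the `tunable_policy` block sits outside the `ifdef(`init_systemd')` that wraps the status/reload rules; if init_start_all_units/init_stop_all_units are systemd-only interfaces (not verifiable from this diff), nesting the tunable block inside the same ifdef keeps the two consistent. The trailing `optional_policy(` block continues past the end of the hunk.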
