[yocto] [meta-selinux][RFC 6/8] systemd: mount: enable requiried refpolicy booleans

[Shrikant Bobade]

From: Shrikant Bobade <shrikant_bob...@mentor.com>

enable required refpolicy booleans for these modules mount:
allow_mount_anyfile & systemd:systemd_tmpfiles_manage_all

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 ...mount-enable-requiried-refpolicy-booleans.patch | 43 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc             |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch
 
b/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch
new file mode 100644
index 0000000..cd93d1d
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20151208/0006-systemd-mount-enable-requiried-refpolicy-booleans.patch
@@ -0,0 +1,43 @@
+systemd: mount: enable requiried refpolicy booleans
+
+enable required refpolicy booleans for these modules
+
+i. mount:  allow_mount_anyfile
+without enabling this boolean we are getting below avc denial
+
+audit(): avc:  denied  { mounton } for  pid=462 comm="mount" path="/run/media
+/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
+tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
+
+This avc can be allowed using the boolean 'allow_mount_anyfile'
+allow mount_t initrc_var_run_t:dir mounton;
+
+ii. systemd : systemd_tmpfiles_manage_all
+without enabling this boolean we are not getting access to mount systemd
+essential tmpfs during bootup, also not getting access to create audit.log
+
+ ls  /var/log
+ /var/log -> volatile/log
+:~#
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+
+--- a/policy/booleans.conf
++++ b/policy/booleans.conf
+@@ -1156,12 +1156,12 @@ racoon_read_shadow = false
+ #
+ # Allow the mount command to mount any directory or file.
+ # 
+-allow_mount_anyfile = false
++allow_mount_anyfile = true
+ 
+ #
+ # Enable support for systemd-tmpfiles to manage all non-security files.
+ # 
+-systemd_tmpfiles_manage_all = false
++systemd_tmpfiles_manage_all = true
+ 
+ #
+ # Allow users to connect to mysql
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc 
b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index d319561..b62167f 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -67,6 +67,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
        file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \
        file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \
        file://0005-init-fix-reboot-with-systemd-as-init-manager.patch \
+       file://0006-systemd-mount-enable-requiried-refpolicy-booleans.patch \
 "
 
 
-- 
1.9.1

-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto