Bug 431115 - upstart does not work in enforcing mode
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
rawhide
All Linux
low Severity low
Assigned To: Josef Kubin
Fedora Extras Quality Assurance
Depends On: 431111
Blocks: upstart
Reported: 2008-01-31 15:19 EST by Bill Nottingham
Modified: 2014-03-16 23:12 EDT
Fixed In Version: 3.3.0-1.fc9
Doc Type: Bug Fix
Last Closed: 2008-02-25 16:01:05 EST


Description Bill Nottingham 2008-01-31 15:19:55 EST
Description of problem:

This could require changes to upstart, policy, or both. At a minimum, probably
need to tweak labeling.

(More details later; just filing before I forget.)

Version-Release number of selected component (if applicable):

upstart-0.3.9
selinux-policy-3.2.5-22.fc9
Comment 1 Josef Kubin 2008-02-18 12:59:55 EST
Please send me more details on how it happens, and of course your audit.log.
Comment 2 Bill Nottingham 2008-02-18 17:43:32 EST
type=1400 audit(1203365995.899:3): avc:  denied  { setsched } for  pid=454
comm="init" scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=process

are the initial AVCs in question. However, even after making a module that
allows that, the initial setting of keymaps and fonts fails, but no AVC is generated.
Comment 3 Bill Nottingham 2008-02-20 17:33:28 EST
There is also:

type=AVC msg=audit(1203544844.064:9322): avc:  denied  { sendto } for  pid=1
comm="init" path=002F636F6D2F7562756E74752F757073746172742F32343833
scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_dgram_socket

However, for this we probably want to actually have policy for initctl (the
sender, running as unconfined_t in this example).
Comment 4 Bill Nottingham 2008-02-21 18:14:59 EST
OK, so the sum total of stuff to get this working appears to be:

Random
------
allow init_t self:process setsched;

initctl defs:
# cat initctl.fc 

/sbin/initctl	--	gen_context(system_u:object_r:initctl_exec_t,s0)

[root@localhost ~]# cat initctl.if

## <summary>policy for initctl</summary>

########################################
## <summary>
##	Execute a domain transition to run initctl.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`initctl_domtrans',`
	gen_require(`
		type upstart_initctl_t;
		type initctl_exec_t;
	')

	domtrans_pattern($1,initctl_exec_t,upstart_initctl_t)
')


########################################
## <summary>
##	Execute initctl in the initctl domain, and
##	allow the specified role the initctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the initctl domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the role's terminal.
##	</summary>
## </param>
#
interface(`initctl_run',`
	gen_require(`
		type upstart_initctl_t;
	')

	initctl_domtrans($1)
	role $2 types upstart_initctl_t;
	allow upstart_initctl_t $3:chr_file rw_term_perms;
')

[root@localhost ~]# cat initctl.te
policy_module(initctl,1.0.0)

########################################
#
# Declarations
#

type upstart_initctl_t;
type initctl_exec_t;
application_domain(upstart_initctl_t, initctl_exec_t)
role system_r types upstart_initctl_t;


########################################
#
# initctl local policy
#

gen_require(`
	type init_t;
	type user_tmp_t;
')

## internal communication is often done using fifo and unix sockets.
allow upstart_initctl_t self:fifo_file rw_file_perms;
allow upstart_initctl_t self:unix_stream_socket create_stream_socket_perms;
allow upstart_initctl_t self:unix_dgram_socket create_socket_perms;
allow upstart_initctl_t init_t:unix_dgram_socket sendto;
allow init_t upstart_initctl_t:unix_dgram_socket sendto;

files_read_etc_files(upstart_initctl_t)

libs_use_ld_so(upstart_initctl_t)
libs_use_shared_libs(upstart_initctl_t)

miscfiles_read_localization(upstart_initctl_t)

optional_policy(`
	gen_require(`
		type sysadm_t;
		type sysadm_devpts_t;
		type sysadm_tty_device_t;
		role sysadm_r;
	')

	initctl_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
')

optional_policy(`
	gen_require(`
		type unconfined_t;
		type unconfined_devpts_t;
		type unconfined_tty_device_t;
		role unconfined_r;
	')

	initctl_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')

There's still some weirdness (initctl wants to setuid, which looks wrong), but
it's good enough for now. I'd rather use 'initctl_t' instead of
'upstart_initctl_t', but initctl_t is taken for the crappy /dev/initctl socket. :)
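
Added example, not part of the original bug comments or of any Fedora tooling: a minimal Python parser for the two denial records quoted in comments 2 and 3. It decodes the hex-encoded path field (an abstract unix socket name) and derives one candidate allow rule per denial; the function names are hypothetical, and the records are copied from the page and rejoined onto single lines.

```python
import re

# The denial records quoted in comments 2 and 3, rejoined onto single lines.
RECORDS = [
    'type=1400 audit(1203365995.899:3): avc:  denied  { setsched } for  pid=454 '
    'comm="init" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=process',
    'type=AVC msg=audit(1203544844.064:9322): avc:  denied  { sendto } for  pid=1 '
    'comm="init" path=002F636F6D2F7562756E74752F757073746172742F32343833 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_dgram_socket',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENCODED_FIELDS = {'comm', 'exe', 'name', 'path'}  # logged quoted or as bare hex

def decode_value(value):
    """Undo audit's encoding: safe strings are quoted, the rest is hex."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', value):
        return value
    raw = bytes.fromhex(value)
    if raw.startswith(b'\x00'):  # abstract-namespace unix socket
        return '@' + raw[1:].decode('utf-8', 'replace')  # '@' as in ss/netstat
    return raw.decode('utf-8', 'replace')

def parse_avc(record):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    match = AVC_RE.search(record)
    if match is None:
        return None
    avc = {'perms': match.group(1).split()}
    for key, value in FIELD_RE.findall(match.group(2)):
        avc[key] = decode_value(value) if key in ENCODED_FIELDS else value
    return avc

def allow_rule(avc):
    """Candidate rule for review; it widens policy, so it is a starting point only."""
    source = avc['scontext'].split(':')[2]  # user:role:type:level
    target = avc['tcontext'].split(':')[2]
    target = 'self' if target == source else target
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {source} {target}:{avc['tclass']} {perm_text};"

if __name__ == '__main__':
    for record in RECORDS:
        avc = parse_avc(record)
        print(avc.get('path', '-'), '->', allow_rule(avc))
```

The rule derived from the first record is the one listed under "Random" in comment 4. The rule derived from the second names unconfined_t as the target, which the upstart_initctl_t domain in comment 4 replaces with a sendto rule scoped to that domain.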
Comment 5 Daniel Walsh 2008-02-22 08:53:17 EST
Why not just label it initrc_t?

Comment 6 Daniel Walsh 2008-02-22 08:53:50 EST
/sbin/initctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
Comment 7 Bill Nottingham 2008-02-22 09:47:00 EST
Well, it's not really an init *script*; it's just something that signals init
to start/stop things, and report on status. It's sort of like /sbin/service,
except it talks to the daemon itself over sockets instead of just wrapping
other scripts.
Comment 8 Bill Nottingham 2008-02-25 16:01:05 EST
Policy added by Dan in selinux-policy-3.3.0-1.fc9.
