[meta-selinux][PATCH] refpolicy: fix boot failure with systemd + mls


wenzong.fan@...
 

From: Wenzong Fan <wenzong.fan@...>

* Allow kernel_t to lower file level
* Allow kernel_t to set process level

Signed-off-by: Wenzong Fan <wenzong.fan@...>
---
...-kernel_t-mls-trusted-for-lowering-file-l.patch | 74 ++++++++++++++++++++++
...-kernel_t-mls-trusted-for-setting-process.patch | 43 +++++++++++++
.../refpolicy/refpolicy_2.20170204.inc | 2 +
3 files changed, 119 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-kernel_t-mls-trusted-for-lowering-file-l.patch
create mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-kernel_t-mls-trusted-for-setting-process.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-kernel_t-mls-trusted-for-lowering-file-l.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-kernel_t-mls-trusted-for-lowering-file-l.patch
new file mode 100644
index 0000000..a3b4803
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-kernel_t-mls-trusted-for-lowering-file-l.patch
@@ -0,0 +1,74 @@
+From 04643644acfa30eaa0a2f7902ea48cf79f571f6d Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@...>
+Date: Fri, 13 Oct 2017 07:20:40 +0000
+Subject: [PATCH] poky-policy: kernel_t mls trusted for lowering file level
+
+The boot process hangs with the error while using MLS policy:
+
+ [!!!!!!] Failed to mount API filesystems, freezing.
+ [ 4.085349] systemd[1]: Freezing execution.
+
+Make kernel_t mls trusted for lowering the level of files to fix below
+avc denials and remove the hang issue.
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:device_t:s0 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
+
+ avc: denied { create } for pid=1 comm="systemd" name="shm" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+ systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
+
+ avc: denied { create } for pid=1 comm="systemd" name="pts" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:unlabeled_t:s0 \
+ newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
+
+ op=security_validate_transition seresult=denied \
+ oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+ newcontext=system_u:object_r:cgroup_t:s0 \
+ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+ systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
+
+ avc: denied { create } for pid=1 comm="systemd" name="pstore" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@...>
+---
+ policy/modules/kernel/kernel.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 4794f29..363381c 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -328,6 +328,8 @@ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
+ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
++# https://bugzilla.redhat.com/show_bug.cgi?id=667370
++mls_file_downgrade(kernel_t)
+
+ ifdef(`distro_redhat',`
+ # Bugzilla 222337
+--
+2.13.3
+
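Review bot: the nested commit message lists two kinds of denials but explains only one of them. The `op=security_validate_transition` entries are relabel checks (the MLS validatetrans constraint), which `mls_file_downgrade(kernel_t)` addresses by letting kernel_t lower a file's level; the `avc: denied { create }` entries for `shm`, `pts` and `pstore` are ordinary create checks against targets at `s0`. Please state in the message whether `mls_file_downgrade` alone cleared all of them or whether the create denials disappeared only because the `/dev` relabel now succeeds, since `mlsfiledowngrade` is a trusted override of the MLS write-down rule and reviewers should see exactly what it is needed for. Minor: `Reference:` would fit better as a trailer next to `Upstream-Status:` so tooling can pick it up.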
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-kernel_t-mls-trusted-for-setting-process.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-kernel_t-mls-trusted-for-setting-process.patch
new file mode 100644
index 0000000..530b30d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-kernel_t-mls-trusted-for-setting-process.patch
@@ -0,0 +1,43 @@
+From 5a47be14ff03ae0d959908ad39b429787670d40e Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@...>
+Date: Fri, 13 Oct 2017 08:16:18 +0000
+Subject: [PATCH] poky-policy: kernel_t mls trusted for setting process level
+
+Because of selinux-init.service always checks the label of init
+process to determine if the system needs to be re-labeled and re-
+booted, a failed transition will cause the target falls into loop
+of re-label & re-boot.
+
+Make kernel_t MLS trusted for setting the level of processes it
+executes to fix below avc denial and remove the error:
+
+ avc: denied { dyntransition } for pid=1 comm="systemd" \
+ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+ tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+ tclass=process permissive=0
+
+ systemd[1]: Failed to transition into init label \
+ 'system_u:system_r:init_t:s0-s15:c0.c1023', ignoring.
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@...>
+---
+ policy/modules/kernel/kernel.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 363381c..8105b91 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -328,6 +328,7 @@ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t)
+ mls_socket_write_all_levels(kernel_t)
+ mls_fd_use_all_levels(kernel_t)
++mls_process_set_level(kernel_t)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=667370
+ mls_file_downgrade(kernel_t)
+
+--
+2.13.3
+
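Review bot: the message says kernel_t is trusted "for setting the level of processes it executes", but the denial being fixed is `dyntransition` on `tclass=process`, i.e. systemd as PID 1 changing its own context in place to `init_t:s0-s15:c0.c1023`, not an exec transition; reword to "for setting the level of processes, including its own dynamic transition" so the rationale matches the denial. Also the opening sentence is hard to parse; suggest "Because selinux-init.service always checks the label of the init process to decide whether the system needs to be relabeled and rebooted, a failed transition makes the target loop between relabel and reboot." Note the `index 363381c..8105b91` base means this patch applies only after the lowering-file-level patch, so the two must stay in that order.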
diff --git a/recipes-security/refpolicy/refpolicy_2.20170204.inc b/recipes-security/refpolicy/refpolicy_2.20170204.inc
index 51c5050..06e8c08 100644
--- a/recipes-security/refpolicy/refpolicy_2.20170204.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20170204.inc
@@ -53,6 +53,8 @@ SRC_URI += " \
file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
+ file://poky-policy-kernel_t-mls-trusted-for-lowering-file-l.patch \
+ file://poky-policy-kernel_t-mls-trusted-for-setting-process.patch \
"

# Backport from upstream
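Review bot: the SRC_URI order lists the lowering-file-level patch before the setting-process patch, which matches the dependency between them (the second patch's pre-image index `363381c` is the first patch's post-image), so keep this order if either line is moved. Since `refpolicy_2.20170204.inc` is shared by every refpolicy variant, the new `mls_*` calls follow the same pattern as the existing `mls_file_read_all_levels(kernel_t)` line they sit beside, so no variant-specific guard is needed here; a short comment in the .inc saying both patches exist for the MLS boot hang would help the next reader.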
--
2.13.0