Refined SELinux policy

Relates to: eclipse-bluechi#883 When enforcing the SELinux policy of BlueChi, the calls from bluechi-agent to systemd are blocked. The missing privileges of bluechi_agent_t (source context) on the systemd types (e.g. systemd_unit_file_t) and init type have been added. Signed-off-by: Michael Engel <mengel@redhat.com>
engelmi · Sep 7, 2024 · 36d3fc7 · 36d3fc7
1 parent a890cbb
commit 36d3fc7
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 4 deletions.
diff --git a/selinux/bluechi.te b/selinux/bluechi.te
@@ -25,10 +25,6 @@ corenet_port(bluechi_port_t)
 type bluechi_agent_port_t;
 corenet_port(bluechi_agent_port_t)
 
-permissive bluechi_t;
-permissive bluechi_agent_t;
-
-
 ########################################
 #
 # bluechi local policy
@@ -71,6 +67,14 @@ allow bluechi_agent_t self:fifo_file rw_fifo_file_perms;
 allow bluechi_agent_t self:unix_stream_socket create_stream_socket_perms;
 allow bluechi_agent_t self:unix_dgram_socket create_socket_perms;
 
+systemd_start_all_services(bluechi_agent_t)
+systemd_start_systemd_services(bluechi_agent_t)
+systemd_stop_systemd_services(bluechi_agent_t)
+systemd_status_systemd_services(bluechi_agent_t)
+systemd_reload_all_services(bluechi_agent_t)
+systemd_reload_systemd_services(bluechi_agent_t)
+init_reload_services(bluechi_agent_t)
+
 kernel_dgram_send(bluechi_agent_t)
 
 domain_use_interactive_fds(bluechi_agent_t)

diff --git a/selinux/policy-issues b/selinux/policy-issues
@@ -0,0 +1,40 @@
+- bluechictl stop
+type=USER_AVC 
+msg=audit(1725631488.897:292): 
+pid=1 
+uid=0 
+auid=4294967295 
+ses=4294967295 
+subj=system_u:system_r:init_t:s0 
+msg='
+    avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/etc/systemd/system/simple.service" 
+    cmdline="" 
+    function="bus_unit_method_start_generic" 
+    scontext=system_u:system_r:bluechi_agent_t:s0 
+    tcontext=unconfined_u:object_r:systemd_unit_file_t:s0 
+    tclass=service 
+    permissive=0 
+    exe="/usr/lib/systemd/systemd" 
+    sauid=0 hostname=? addr=? terminal=?'
+
+- bluechictl start
+type=USER_AVC 
+msg=audit(1725632371.424:293): 
+pid=1 
+uid=0 
+auid=4294967295 
+ses=4294967295 
+subj=system_u:system_r:init_t:s0 
+msg='
+    avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/etc/systemd/system/simple.service" 
+    cmdline="" 
+    function="bus_unit_method_start_generic" 
+    scontext=system_u:system_r:bluechi_agent_t:s0 
+    tcontext=unconfined_u:object_r:systemd_unit_file_t:s0 
+    tclass=service 
+    permissive=0 
+    exe="/usr/lib/systemd/systemd" 
+    sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
+
+- bluechictl freeze
+type=USER_AVC msg=audit(1725632546.949:294): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/etc/systemd/system/simple.service" cmdline="" function="bus_unit_method_freezer_generic" scontext=system_u:system_r:bluechi_agent_t:s0 tcontext=unconfined_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"