From a96ac9ed374cab65f53a26cd39053705569532bc Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Wed, 28 Oct 2020 09:17:15 +0100
Subject: [PATCH] systemd: allow all systemd services to check selinux status

After https://github.com/systemd/systemd/commit/fd5e402fa9 most systemd services fail to start with:

Oct 27 13:50:38 workstation-uefi systemd[1]: Starting systemd-hostnamed.service...
Oct 27 13:50:38 workstation-uefi systemd-hostnamed[944]: Failed to open SELinux status page: Permission denied
Oct 27 13:50:38 workstation-uefi systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE

After disabling dontaudit:

Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { read } for pid=1043 comm="systemd-hostnam" name="status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { open } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { map } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

As a first step, allow all systemd services to check selinux status. The check for selinux status is called from mac_selinux_init() which is called in 16 different places, so I don't think it makes sense to try to list them all. Any code which wants to create a labelled file is likely to call mac_selinux_init().
---
 policy/modules/system/systemd.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ff3116142..253396f1c 100644
--- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -24,6 +24,7 @@ template(`systemd_domain_template',` kernel_read_system_state($1_t) auth_use_nsswitch($1_t) + selinux_get_enforce_mode($1_t) ') ###################################### -- 2.23.0
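Review bot: the denials quoted in the commit message are `{ read }`, `{ open }` and `{ map }` on the selinuxfs status page (`tcontext=...:security_t:s0 tclass=file`), so the one added line `selinux_get_enforce_mode($1_t)` in `systemd_domain_template` has to cover all three; `read_file_perms` grants read and open but not `map`, so please confirm that this tree's `selinux_get_enforce_mode()` also allows `security_t:file map`, otherwise the `map` denial stays and systemd's status page open still fails as in the first log excerpt. The denials were also collected with `permissive=1`, which shows every missing permission at once; a re-test in enforcing mode after applying this hunk would confirm that nothing beyond these three is needed for `mac_selinux_init()` to succeed in every systemd domain the template generates.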