7:52 p.m.
Hi all,
In the process of porting policies from RHEL 6 to 7, I’m having an issue with the
shutdown_run interface.
The trivial te file below compiles and loads fine on RHEL 6.7:
policy_module(test, 0.1)
require {
role staff_r;
type staff_t;
}
shutdown_run(staff_t, staff_r)
However, there appears to be a bug in RHEL 7.2, because loading with semodule gives the
error: "libsepol.print_missing_requirements: test's global requirements were not
met: role shutdown_roles (No such file or directory)"
After looking into this, curiously the interface has moved from
/usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm in RHEL 6) to
/usr/share/selinux/devel/include/contrib/shutdown.if (selinux-policy-devel rpm in RHEL 7).
Should it be in contrib?
There’s also another issue in that shutdown_exec_t is used in the RHEL 7 interface but it
no longer exists because the shutdown binary has been replaced with a symlink to
systemctl.
Thanks,
Doug
7:38 a.m.
----- Original Message -----
From: "Douglas Brown" <doug.brown(a)qut.edu.au>
To: "SELinux Fedora List" <selinux(a)lists.fedoraproject.org>
Sent: Monday, June 13, 2016 8:52:40 PM
Subject: RHEL 7 shutdown_run interface
Hi all,
In the process of porting policies from RHEL 6 to 7, I’m having an issue with
the shutdown_run interface.
The trivial te file below compiles and loads fine on RHEL 6.7:
policy_module(test, 0.1)
require {
role staff_r;
type staff_t;
}
shutdown_run(staff_t, staff_r)
However, there appears to be a bug in RHEL 7.2, because loading with semodule
gives the error: "libsepol.print_missing_requirements: test's global
requirements were not met: role shutdown_roles (No such file or directory)"
I believe you also need shutdown_role(staff_r,staff_t) for this to compile
After looking into this, curiously the interface has moved from
/usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm in
RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if
(selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
There’s also another issue in that shutdown_exec_t is used in the RHEL 7
interface but it no longer exists because the shutdown binary has been
replaced with a symlink to systemctl.
Thanks,
Doug
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
--
Simon Sekidde * Red Hat, Inc. * Westford, MA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
5:59 a.m.
On 14/06/2016, 10:38 PM, "Simon Sekidde" <ssekidde(a)redhat.com> wrote:
----- Original Message -----
> From: "Douglas Brown" <doug.brown(a)qut.edu.au>
> To: "SELinux Fedora List" <selinux(a)lists.fedoraproject.org>
> Sent: Monday, June 13, 2016 8:52:40 PM
> Subject: RHEL 7 shutdown_run interface
>
> Hi all,
>
> In the process of porting policies from RHEL 6 to 7, I’m having an issue with
> the shutdown_run interface.
>
> The trivial te file below compiles and loads fine on RHEL 6.7:
>
> policy_module(test, 0.1)
>
> require {
> role staff_r;
> type staff_t;
> }
>
> shutdown_run(staff_t, staff_r)
>
> However, there appears to be a bug in RHEL 7.2, because loading with semodule
> gives the error: "libsepol.print_missing_requirements: test's global
> requirements were not met: role shutdown_roles (No such file or directory)"
>
I believe you also need shutdown_role(staff_r,staff_t) for this to compile
Thanks Simon, you’re right, shutdown_role is the right way to go, but it produced the same
error when trying to load.
Cheers,
Doug
3:15 a.m.
On 06/14/2016 02:52 AM, Douglas Brown wrote:
Hi all,
In the process of porting policies from RHEL 6 to 7, I’m having an issue
with the shutdown_run interface.
The trivial te file below compiles and loads fine on RHEL 6.7:
policy_module(test, 0.1)
require {
role staff_r;
type staff_t;
}
shutdown_run(staff_t, staff_r)
However, there appears to be a bug in RHEL 7.2, because loading with
semodule gives the error: "libsepol.print_missing_requirements: test's
global requirements were not met: role shutdown_roles (No such file or
directory)"
After looking into this, curiously the interface has moved from
/usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm
in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if
(selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
There’s also another issue in that shutdown_exec_t is used in the RHEL 7
interface but it no longer exists because the shutdown binary has been
replaced with a symlink to systemctl.
Yes, the shutdown policy is no longer used. power_unit_file_t is being
used for /usr/lib/systemd/system/shutdown.target to handle it as a service.
Thank you.
Thanks,
Doug
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
7:04 a.m.
On 16/06/2016, 6:15 PM, "Miroslav Grepl" <mgrepl(a)redhat.com> wrote:
On 06/14/2016 02:52 AM, Douglas Brown wrote:
> Hi all,
>
> In the process of porting policies from RHEL 6 to 7, I’m having an issue
> with the shutdown_run interface.
>
> The trivial te file below compiles and loads fine on RHEL 6.7:
>
> policy_module(test, 0.1)
>
> require {
> role staff_r;
> type staff_t;
> }
>
> shutdown_run(staff_t, staff_r)
>
> However, there appears to be a bug in RHEL 7.2, because loading with
> semodule gives the error: "libsepol.print_missing_requirements: test's
> global requirements were not met: role shutdown_roles (No such file or
> directory)"
>
> After looking into this, curiously the interface has moved from
> /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm
> in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if
> (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
>
> There’s also another issue in that shutdown_exec_t is used in the RHEL 7
> interface but it no longer exists because the shutdown binary has been
> replaced with a symlink to systemctl.
Yes, the shutdown policy is no longer used. power_unit_file_t is being
used for /usr/lib/systemd/system/shutdown.target to handle it as a service.
Thanks, the systemd_start_power_services interface works but produced these AVCs:
allow staff_t init_var_run_t:dir write;
allow staff_t power_unit_file_t:service status;
Cheers,
Doug
2:42 a.m.
On 06/16/2016 02:04 PM, Douglas Brown wrote:
On 16/06/2016, 6:15 PM, "Miroslav Grepl"
<mgrepl(a)redhat.com> wrote:
> On 06/14/2016 02:52 AM, Douglas Brown wrote:
>> Hi all,
>>
>> In the process of porting policies from RHEL 6 to 7, I’m having an issue
>> with the shutdown_run interface.
>>
>> The trivial te file below compiles and loads fine on RHEL 6.7:
>>
>> policy_module(test, 0.1)
>>
>> require {
>> role staff_r;
>> type staff_t;
>> }
>>
>> shutdown_run(staff_t, staff_r)
>>
>> However, there appears to be a bug in RHEL 7.2, because loading with
>> semodule gives the error: "libsepol.print_missing_requirements: test's
>> global requirements were not met: role shutdown_roles (No such file or
>> directory)"
>>
>> After looking into this, curiously the interface has moved from
>> /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm
>> in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if
>> (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
>>
>> There’s also another issue in that shutdown_exec_t is used in the RHEL 7
>> interface but it no longer exists because the shutdown binary has been
>> replaced with a symlink to systemctl.
>
> Yes, the shutdown policy is no longer used. power_unit_file_t is being
> used for /usr/lib/systemd/system/shutdown.target to handle it as a service.
Thanks, the systemd_start_power_services interface works but produced these AVCs:
allow staff_t init_var_run_t:dir write;
allow staff_t power_unit_file_t:service status;
Thank you for testing.
Could you also attach raw AVC messages?
Cheers,
Doug
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
10:31 p.m.
On 17/06/2016, 5:42 PM, "Miroslav Grepl" <mgrepl(a)redhat.com> wrote:
On 06/16/2016 02:04 PM, Douglas Brown wrote:
> On 16/06/2016, 6:15 PM, "Miroslav Grepl" <mgrepl(a)redhat.com> wrote:
>
>
>> On 06/14/2016 02:52 AM, Douglas Brown wrote:
>>> Hi all,
>>>
>>> In the process of porting policies from RHEL 6 to 7, I’m having an issue
>>> with the shutdown_run interface.
>>>
>>> The trivial te file below compiles and loads fine on RHEL 6.7:
>>>
>>> policy_module(test, 0.1)
>>>
>>> require {
>>> role staff_r;
>>> type staff_t;
>>> }
>>>
>>> shutdown_run(staff_t, staff_r)
>>>
>>> However, there appears to be a bug in RHEL 7.2, because loading with
>>> semodule gives the error: "libsepol.print_missing_requirements:
test's
>>> global requirements were not met: role shutdown_roles (No such file or
>>> directory)"
>>>
>>> After looking into this, curiously the interface has moved from
>>> /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm
>>> in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if
>>> (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
>>>
>>> There’s also another issue in that shutdown_exec_t is used in the RHEL 7
>>> interface but it no longer exists because the shutdown binary has been
>>> replaced with a symlink to systemctl.
>>
>> Yes, the shutdown policy is no longer used. power_unit_file_t is being
>> used for /usr/lib/systemd/system/shutdown.target to handle it as a service.
>
> Thanks, the systemd_start_power_services interface works but produced these AVCs:
>
> allow staff_t init_var_run_t:dir write;
> allow staff_t power_unit_file_t:service status;
Thank you for testing.
Could you also attach raw AVC messages?
Apologies for the delay, please see below:
type=USER_AVC msg=audit(1466565200.249:10133): pid=1 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3)
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1466565200.468:10147): pid=1 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=4959 uid=0
gid=0 path="/usr/lib/systemd/system/reboot.target"
cmdline="/usr/bin/systemctl reboot"
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1466565200.235:10132): arch=c000003e syscall=83 success=no exit=-13
a0=7fffe605bf80 a1=1c0 a2=7f84b56bc3dc a3=7fffe605bbd0 items=0 ppid=28177 pid=28178
auid=redacted uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=139
comm="systemd-tty-ask" exe="/usr/bin/systemd-tty-ask-password-agent"
subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1466565200.235:10132): avc: denied { write } for pid=28178
comm="systemd-tty-ask" name="systemd" dev="tmpfs" ino=6413
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
N.B. We receive the message:
"PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.”
when I run the command (sudo -t staff_t -r staff_r /usr/bin/systemctl reboot) to generate
the AVCs above but the host reboots successfully. There seems to be an existing bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1205008
Cheers,
Doug
2857
days inactive
2865
days old
selinux@lists.fedoraproject.org
6 comments
3 participants
participants (3)
-
Douglas Brown -
Miroslav Grepl -
Simon Sekidde