Hi all,
In the process of porting policies from RHEL 6 to 7, I’m having an issue with the shutdown_run interface.
The trivial te file below compiles and loads fine on RHEL 6.7:
policy_module(test, 0.1)
require { role staff_r; type staff_t; }
shutdown_run(staff_t, staff_r)
However, there appears to be a bug in RHEL 7.2, because loading with semodule gives the error: "libsepol.print_missing_requirements: test's global requirements were not met: role shutdown_roles (No such file or directory)"
After looking into this, curiously the interface has moved from /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
There’s also another issue in that shutdown_exec_t is used in the RHEL 7 interface but it no longer exists because the shutdown binary has been replaced with a symlink to systemctl.
Thanks, Doug
----- Original Message -----
From: "Douglas Brown" doug.brown@qut.edu.au
To: "SELinux Fedora List" selinux@lists.fedoraproject.org
Sent: Monday, June 13, 2016 8:52:40 PM
Subject: RHEL 7 shutdown_run interface
However, there appears to be a bug in RHEL 7.2, because loading with semodule gives the error: "libsepol.print_missing_requirements: test's global requirements were not met: role shutdown_roles (No such file or directory)"
I believe you also need shutdown_role(staff_r,staff_t) for this to compile
-- selinux mailing list selinux@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
On 14/06/2016, 10:38 PM, "Simon Sekidde" ssekidde@redhat.com wrote:
Thanks Simon, you’re right, shutdown_role is the right way to go, but it produced the same error when trying to load.
Cheers, Doug
On 06/14/2016 02:52 AM, Douglas Brown wrote:
After looking into this, curiously the interface has moved from /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
There’s also another issue in that shutdown_exec_t is used in the RHEL 7 interface but it no longer exists because the shutdown binary has been replaced with a symlink to systemctl.
Yes, the shutdown policy is no longer used. power_unit_file_t is being used for /usr/lib/systemd/system/shutdown.target to handle it as a service.
Thank you.
On 16/06/2016, 6:15 PM, "Miroslav Grepl" mgrepl@redhat.com wrote:
Thanks, the systemd_start_power_services interface works but produced these AVCs:
allow staff_t init_var_run_t:dir write;
allow staff_t power_unit_file_t:service status;
Cheers, Doug
On 06/16/2016 02:04 PM, Douglas Brown wrote:
Thank you for testing.
Could you also attach raw AVC messages?
On 17/06/2016, 5:42 PM, "Miroslav Grepl" mgrepl@redhat.com wrote:
Apologies for the delay, please see below:
type=USER_AVC msg=audit(1466565200.249:10133): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1466565200.468:10147): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=4959 uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="/usr/bin/systemctl reboot" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1466565200.235:10132): arch=c000003e syscall=83 success=no exit=-13 a0=7fffe605bf80 a1=1c0 a2=7f84b56bc3dc a3=7fffe605bbd0 items=0 ppid=28177 pid=28178 auid=redacted uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=139 comm="systemd-tty-ask" exe="/usr/bin/systemd-tty-ask-password-agent" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1466565200.235:10132): avc: denied { write } for pid=28178 comm="systemd-tty-ask" name="systemd" dev="tmpfs" ino=6413 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
N.B. We receive the message "PolicyKit daemon disconnected from the bus. We are no longer a registered authentication agent." when I run the command (sudo -t staff_t -r staff_r /usr/bin/systemctl reboot) to generate the AVCs above, but the host reboots successfully. There seems to be an existing bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1205008
Cheers, Doug
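The two allow rules Doug reported earlier are in the form audit2allow produces from raw AVC records like the ones in his last message. As an added illustration that is not part of the thread, this Python snippet does that mapping by hand on a constructed copy of those records: it skips the policyload notice and the SYSCALL record, reads both the kernel AVC and the USER_AVC denial that systemd (pid 1, the userspace object manager for the service class) reports inside its msg='...' field, and collapses the denials into one rule per source type, target type and object class.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the records in the thread: a policyload
# notice, a USER_AVC denial from systemd, a SYSCALL record and a kernel AVC.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1466565200.249:10133): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1466565200.468:10147): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=4959 uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="/usr/bin/systemctl reboot" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1466565200.235:10132): arch=c000003e syscall=83 success=no exit=-13 pid=28178 comm="systemd-tty-ask" exe="/usr/bin/systemd-tty-ask-password-agent" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1466565200.235:10132): avc: denied { write } for pid=28178 comm="systemd-tty-ask" name="systemd" dev="tmpfs" ino=6413 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
"""

# A denial carries its permissions in braces and ends with source context,
# target context and object class; USER_AVC nests the same shape in msg='...'.
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:range] -> type (the MLS range may itself contain ':')."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        if not line.startswith(("type=AVC ", "type=USER_AVC ")):
            continue  # SYSCALL and other record types carry no denial
        m = DENIAL_RE.search(line)
        if m is None:
            continue  # e.g. "avc: received policyload notice"
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))

def denials_to_allow_rules(log_text):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        perms_by_key[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"  # multiple permissions are braced
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(SAMPLE_AUDIT_LOG)))
```

As with audit2allow output, these rules are a starting point for reading, not for pasting: a policy author would first look for an existing interface covering the access, as was done with systemd_start_power_services above, before adding raw allow rules to a module.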