From c2e99e27acc1454d792b3e8d6f24d3a2a3be29e3 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Fri, 13 Oct 2017 07:20:40 +0000 Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for lowering the level of files The boot process hangs with the error while using MLS policy: [!!!!!!] Failed to mount API filesystems, freezing. [ 4.085349] systemd[1]: Freezing execution. Make kernel_t mls trusted for lowering the level of files to fix below avc denials and remove the hang issue. op=security_validate_transition seresult=denied \ oldcontext=system_u:object_r:device_t:s15:c0.c1023 \ newcontext=system_u:object_r:device_t:s0 \ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted avc: denied { create } for pid=1 comm="systemd" name="shm" \ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory avc: denied { create } for pid=1 comm="systemd" name="pts" \ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0 op=security_validate_transition seresult=denied \ oldcontext=system_u:object_r:unlabeled_t:s0 \ newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir op=security_validate_transition seresult=denied \ oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \ newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted op=security_validate_transition seresult=denied \ oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \ newcontext=system_u:object_r:cgroup_t:s0 \ taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted avc: denied { create } for pid=1 comm="systemd" name="pstore" \ scontext=system_u:system_r:kernel_t:s15:c0.c1023 \ tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0 Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370 Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Wenzong Fan Signed-off-by: Yi Zhao --- policy/modules/kernel/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index a32c59eb1..1c53754ee 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -358,6 +358,8 @@ mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) mls_socket_write_all_levels(kernel_t) mls_fd_use_all_levels(kernel_t) +# https://bugzilla.redhat.com/show_bug.cgi?id=667370 +mls_file_downgrade(kernel_t) ifdef(`distro_redhat',` # Bugzilla 222337 -- 2.17.1