Resolve toor_t denials

[mpalmi]

In order to get this system booting in Enforcing, we will need to resolve the remaining kernel_t denials.

Assumptions:

• Work will be done off of mpalmi/clip@95bafa0
• Allow rules are needed to get CLIP booting in Enforcing
• Least privilege access model will be employed
• refpolicy guidelines for policy development will be followed.

Subtasks:

• Ensure all files are properly labeled
• Resolve power_unit_file denials
• Determine whether or not toor_t should have other permissions and allow using least privilege

---

audit2allow

#============= toor_t ==============
allow toor_t power_unit_file_t:service start;

#=============staff_t ==============
allow staff_t toor_t:key create;
allow staff_t toor_t:process { siginh rlimitinh signal transition noatsecure };

audit.log

type=AVC msg=audit(1429889792.932:869): avc:  denied  { signal } for  pid=1291 comm="sudo" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:toor_r:toor_t:s0 tclass=process
type=USER_ROLE_CHANGE msg=audit(1429890038.964:606): pid=1267 uid=0 auid=1000 ses=1 subj=toor_u:staff_r:staff_t:s0 msg='newrole: old-context=toor_u:staff_r:staff_t:s0 new-context=toor_u:toor_r:toor_t:s0 exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/tty1 res=success'
type=AVC msg=audit(1429890038.966:608): avc:  denied  { create } for  pid=1267 comm="sudo" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:toor_r:toor_t:s0 tclass=key
type=AVC msg=audit(1429890038.966:609): avc:  denied  { transition } for  pid=1267 comm="sudoaudit_logs_20150424--114351/audit.log:957:type=AVC msg=audit(1429890038.966:609): avc:  denied  { rlimitinh } for  pid=1267 comm="sesh" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:toor_r:toor_t:s0 tclass=process
type=AVC msg=audit(1429890038.966:609): avc:  denied  { siginh } for  pid=1267 comm="sesh" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:toor_r:toor_t:s0 tclass=process
type=AVC msg=audit(1429890038.966:609): avc:  denied  { noatsecure } for  pid=1267 comm="sesh" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:toor_r:toor_t:s0 tclass=process
type=SYSCALL msg=audit(1429890038.966:609): arch=c000003e syscall=59 success=yes exit=0 a0=7f6eee72bbc0 a1=7f6ef02cf8e0 a2=7f6ef02cfb30 a3=65726379656b2f72 items=0 ppid=1263 pid=1267 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="sesh" exe="/usr/libexec/sesh" subj=toor_u:toor_r:toor_t:s0 key=(null)
type=USER_AVC msg=audit(1429890042.190:610): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=1000 uid=0 gid=0 path="/usr/lib/systemd/system/reboot.target" cmdline="shutdown -r now" scontext=toor_u:toor_r:toor_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1429890042.198:614): avc:  denied  { signal } for  pid=1263 comm="sudo" scontext=toor_u:staff_r:staff_t:s0 tcontext=toor_u:toor_r:toor_t:s0 tclass=process

[ghost]

@mpalmi can you please update this what else needs to be done before we can close out the issue?

[mpalmi]

I believe we just need to verify that auditd can be started/stopped/statused in Enforcing.