diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch | 103 |
1 files changed, 0 insertions, 103 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch b/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch deleted file mode 100644 index 307574c..0000000 --- a/recipes-security/refpolicy/refpolicy-git/0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch +++ /dev/null | |||
| @@ -1,103 +0,0 @@ | |||
| 1 | From a1b92a176fe791468e750b95fa8299e8beecf2b1 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 3 | Date: Fri, 26 Aug 2016 17:54:09 +0530 | ||
| 4 | Subject: [PATCH 7/9] refpolicy-minimum: systemd: fix for login & journal | ||
| 5 | service | ||
| 6 | |||
| 7 | 1. fix for systemd services: login & journal wile using refpolicy-minimum and | ||
| 8 | systemd as init manager. | ||
| 9 | 2. fix login duration after providing root password. | ||
| 10 | |||
| 11 | without these changes we are getting avc denails like these and below | ||
| 12 | systemd services failure: | ||
| 13 | |||
| 14 | audit[]: AVC avc: denied { write } for pid=422 comm="login" path="/run/ | ||
| 15 | systemd/sessions/c1.ref" dev="tmpfs" ino=13455 scontext=system_u:system_r: | ||
| 16 | local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 | ||
| 17 | tclass=fifo_file permissive=0 | ||
| 18 | |||
| 19 | audit[]: AVC avc: denied { open } for pid=216 comm="systemd-tmpfile" path | ||
| 20 | ="/proc/1/environ" dev="proc" ino=9221 scontext=system_u:system_r: | ||
| 21 | systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file | ||
| 22 | |||
| 23 | audit[]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u: | ||
| 24 | system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path | ||
| 25 | ="/lib/systemd/system/systemd-journald.service" cmdline="/bin/journalctl | ||
| 26 | --flush" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r: | ||
| 27 | lib_t:s0 tclass=service | ||
| 28 | |||
| 29 | [FAILED] Failed to start Flush Journal to Persistent Storage. | ||
| 30 | See 'systemctl status systemd-journal-flush.service' for details. | ||
| 31 | |||
| 32 | [FAILED] Failed to start Login Service. | ||
| 33 | See 'systemctl status systemd-logind.service' for details. | ||
| 34 | |||
| 35 | [FAILED] Failed to start Avahi mDNS/DNS-SD Stack. | ||
| 36 | See 'systemctl status avahi-daemon.service' for details. | ||
| 37 | |||
| 38 | Upstream-Status: Pending | ||
| 39 | |||
| 40 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
| 41 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
| 42 | --- | ||
| 43 | policy/modules/system/init.te | 2 ++ | ||
| 44 | policy/modules/system/locallogin.te | 3 +++ | ||
| 45 | policy/modules/system/systemd.if | 6 ++++-- | ||
| 46 | policy/modules/system/systemd.te | 2 +- | ||
| 47 | 4 files changed, 10 insertions(+), 3 deletions(-) | ||
| 48 | |||
| 49 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
| 50 | index 843fdcff..ca8678b8 100644 | ||
| 51 | --- a/policy/modules/system/init.te | ||
| 52 | +++ b/policy/modules/system/init.te | ||
| 53 | @@ -1429,3 +1429,5 @@ allow init_t self:capability2 audit_read; | ||
| 54 | |||
| 55 | allow initrc_t init_t:system { start status reboot }; | ||
| 56 | allow initrc_t init_var_run_t:service { start status }; | ||
| 57 | + | ||
| 58 | +allow initrc_t init_var_run_t:service stop; | ||
| 59 | diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te | ||
| 60 | index 75750e4c..2c2cfc7d 100644 | ||
| 61 | --- a/policy/modules/system/locallogin.te | ||
| 62 | +++ b/policy/modules/system/locallogin.te | ||
| 63 | @@ -298,3 +298,6 @@ allow local_login_t var_run_t:file { open read write lock}; | ||
| 64 | allow local_login_t var_run_t:sock_file write; | ||
| 65 | allow local_login_t tmpfs_t:dir { add_name write search}; | ||
| 66 | allow local_login_t tmpfs_t:file { create open read write lock }; | ||
| 67 | +allow local_login_t init_var_run_t:fifo_file write; | ||
| 68 | +allow local_login_t initrc_t:dbus send_msg; | ||
| 69 | +allow initrc_t local_login_t:dbus send_msg; | ||
| 70 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | ||
| 71 | index 4519a448..79133e6f 100644 | ||
| 72 | --- a/policy/modules/system/systemd.if | ||
| 73 | +++ b/policy/modules/system/systemd.if | ||
| 74 | @@ -938,9 +938,11 @@ interface(`systemd_service_file_operations',` | ||
| 75 | # | ||
| 76 | interface(`systemd_service_lib_function',` | ||
| 77 | gen_require(` | ||
| 78 | - class service start; | ||
| 79 | + class service { start status stop }; | ||
| 80 | + class file { execmod open }; | ||
| 81 | ') | ||
| 82 | |||
| 83 | - allow initrc_t $1:service start; | ||
| 84 | + allow initrc_t $1:service { start status stop }; | ||
| 85 | + allow initrc_t $1:file execmod; | ||
| 86 | |||
| 87 | ') | ||
| 88 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
| 89 | index 74f9c1cb..f1d26a44 100644 | ||
| 90 | --- a/policy/modules/system/systemd.te | ||
| 91 | +++ b/policy/modules/system/systemd.te | ||
| 92 | @@ -1013,7 +1013,7 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; | ||
| 93 | |||
| 94 | allow systemd_tmpfiles_t init_t:dir search; | ||
| 95 | allow systemd_tmpfiles_t proc_t:filesystem getattr; | ||
| 96 | -allow systemd_tmpfiles_t init_t:file read; | ||
| 97 | +allow systemd_tmpfiles_t init_t:file { open getattr read }; | ||
| 98 | allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | ||
| 99 | |||
| 100 | kernel_getattr_proc(systemd_tmpfiles_t) | ||
| 101 | -- | ||
| 102 | 2.19.1 | ||
| 103 | |||