1 files changed, 110 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
new file mode 100644
index 0000000..05543da
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -0,0 +1,110 @@
+From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:17 +0530
+Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
+ services
+fix for systemd tmp files setup service while using refpolicy-minimum and
+systemd as init manager.
+these allow rules require kernel domain & files access, so added interfaces
+at systemd.te to merge these allow rules.
+without these changes we are getting avc denails like these and below
+systemd services failure:
+audit[]: AVC avc:  denied  { getattr } for  pid=232 comm="systemd-tmpfile"
+path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
+_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
+audit[]: AVC avc:  denied  { search } for  pid=232 comm="systemd-tmpfile"
+name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
+tclass=dir permissive=0
+[FAILED] Failed to start Create Static Device Nodes in /dev.
+See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
+[FAILED] Failed to start Create Volatile Files and Directories.
+See 'systemctl status systemd-tmpfiles-setup.service' for details.
+Upstream-Status: Pending
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/kernel/files.if   | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if  | 21 +++++++++++++++++++++
+ policy/modules/system/systemd.te |  2 ++
+ 3 files changed, 42 insertions(+)
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index eb067ad3..ff74f55a 100644
+--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
+@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
+ 
+        typeattribute $1 files_unconfined_type;
+ ')
+
+########################################
+## <summary>
+##     systemd tmp files access to kernel tmp files domain
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
+       gen_require(`
+       type tmp_t;
+        class lnk_file getattr;
+       ')
+
+       allow $1 tmp_t:lnk_file getattr;
+')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 1ad282aa..342eb033 100644
+--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
+@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+        allow $1 unlabeled_t:infiniband_endport manage_subnet;
+ ')
+ 
+########################################
+## <summary>
+##     systemd tmp files access to kernel sysctl domain
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
+         gen_require(`
+                type sysctl_kernel_t;
+                class dir search;
+                class file { open read };
+         ')
+
+        allow $1 sysctl_kernel_t:dir search;
+        allow $1 sysctl_kernel_t:file { open read };
+
+')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f1d26a44..b4c64bc1 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
+ 
+ seutil_read_file_contexts(systemd_update_done_t)
+ 
+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
+ systemd_log_parse_environment(systemd_update_done_t)
+-- 
+2.19.1

diff --git a/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch new file mode 100644 index 0000000..05543da --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-git/0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch
@@ -0,0 +1,110 @@
	1	From c268b15ec696aa23be73e040daae433b509fa82f Mon Sep 17 00:00:00 2001
	2	From: Shrikant Bobade <shrikant_bobade@mentor.com>
	3	Date: Fri, 26 Aug 2016 17:54:17 +0530
	4	Subject: [PATCH 8/9] refpolicy-minimum: systemd: fix for systemd tmp-files
	5	services
	6
	7	fix for systemd tmp files setup service while using refpolicy-minimum and
	8	systemd as init manager.
	9
	10	these allow rules require kernel domain & files access, so added interfaces
	11	at systemd.te to merge these allow rules.
	12
	13	without these changes we are getting avc denails like these and below
	14	systemd services failure:
	15
	16	audit[]: AVC avc: denied { getattr } for pid=232 comm="systemd-tmpfile"
	17	path="/var/tmp" dev="mmcblk2p2" ino=4993 scontext=system_u:system_r:systemd
	18	_tmpfiles_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
	19
	20	audit[]: AVC avc: denied { search } for pid=232 comm="systemd-tmpfile"
	21	name="kernel" dev="proc" ino=9341 scontext=system_u:system_r:
	22	systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0
	23	tclass=dir permissive=0
	24
	25	[FAILED] Failed to start Create Static Device Nodes in /dev.
	26	See 'systemctl status systemd-tmpfiles-setup-dev.service' for details.
	27
	28	[FAILED] Failed to start Create Volatile Files and Directories.
	29	See 'systemctl status systemd-tmpfiles-setup.service' for details.
	30
	31	Upstream-Status: Pending
	32
	33	Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
	34	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	35	---
	36	policy/modules/kernel/files.if \| 19 +++++++++++++++++++
	37	policy/modules/kernel/kernel.if \| 21 +++++++++++++++++++++
	38	policy/modules/system/systemd.te \| 2 ++
	39	3 files changed, 42 insertions(+)
	40
	41	diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
	42	index eb067ad3..ff74f55a 100644
	43	--- a/policy/modules/kernel/files.if
	44	+++ b/policy/modules/kernel/files.if
	45	@@ -7076,3 +7076,22 @@ interface(`files_unconfined',`
	46
	47	typeattribute $1 files_unconfined_type;
	48	')
	49	+
	50	+########################################
	51	+## <summary>
	52	+## systemd tmp files access to kernel tmp files domain
	53	+## </summary>
	54	+## <param name="domain">
	55	+## <summary>
	56	+## Domain allowed access.
	57	+## </summary>
	58	+## </param>
	59	+#
	60	+interface(`systemd_service_allow_kernel_files_domain_to_tmp_t',`
	61	+ gen_require(`
	62	+ type tmp_t;
	63	+ class lnk_file getattr;
	64	+ ')
	65	+
	66	+ allow $1 tmp_t:lnk_file getattr;
	67	+')
	68	diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
	69	index 1ad282aa..342eb033 100644
	70	--- a/policy/modules/kernel/kernel.if
	71	+++ b/policy/modules/kernel/kernel.if
	72	@@ -3584,3 +3584,24 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
	73	allow $1 unlabeled_t:infiniband_endport manage_subnet;
	74	')
	75
	76	+########################################
	77	+## <summary>
	78	+## systemd tmp files access to kernel sysctl domain
	79	+## </summary>
	80	+## <param name="domain">
	81	+## <summary>
	82	+## Domain allowed access.
	83	+## </summary>
	84	+## </param>
	85	+#
	86	+interface(`systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t',`
	87	+ gen_require(`
	88	+ type sysctl_kernel_t;
	89	+ class dir search;
	90	+ class file { open read };
	91	+ ')
	92	+
	93	+ allow $1 sysctl_kernel_t:dir search;
	94	+ allow $1 sysctl_kernel_t:file { open read };
	95	+
	96	+')
	97	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
	98	index f1d26a44..b4c64bc1 100644
	99	--- a/policy/modules/system/systemd.te
	100	+++ b/policy/modules/system/systemd.te
	101	@@ -1139,4 +1139,6 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated
	102
	103	seutil_read_file_contexts(systemd_update_done_t)
	104
	105	+systemd_service_allow_kernel_domain_access_to_sysctl_kernel_t(systemd_tmpfiles_t)
	106	+systemd_service_allow_kernel_files_domain_to_tmp_t(systemd_tmpfiles_t)
	107	systemd_log_parse_environment(systemd_update_done_t)
	108	--
	109	2.19.1
	110