Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch | 67 |
1 files changed, 0 insertions, 67 deletions
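--- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-modutils-allow-mod_t-to-access.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From b3ff2e8572cd929c419775e57b547f309ba9d8fb Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Mon, 24 Aug 2020 11:29:09 +0800
-Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
-confidentiality of class lockdown
-
-The SELinux lockdown implementation was introduced since kernel 5.6 by
-commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t
-and udev_t to access confidentiality of class lockdown to mount tracefs.
-
-Fixes:
-kernel: Could not create tracefs 'iwlwifi_data/filter' entry
-kernel: Could not create tracefs 'enable' entry
-kernel: Could not create tracefs 'id' entry
-kernel: Could not create tracefs 'filter' entry
-kernel: Could not create tracefs 'trigger' entry
-kernel: Could not create tracefs 'format' entry
-
-audit[170]: AVC avc: denied { confidentiality } for pid=170
-comm="modprobe" lockdown_reason="use of tracefs"
-scontext=system_u:system_r:kmod_t:s15:c0.c1023
-tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown
-permissive=0
-
-audit[190]: AVC avc: denied { confidentiality } for pid=190
-comm="systemd-udevd" lockdown_reason="use of tracefs"
-scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
-tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/modutils.te | 2 ++
-policy/modules/system/udev.te | 2 ++
-2 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index b0a419dc1..5b4f0aca1 100644
---- a/policy/modules/system/modutils.te
-+++ b/policy/modules/system/modutils.te
-@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
-allow kmod_t self:udp_socket create_socket_perms;
-allow kmod_t self:rawip_socket create_socket_perms;
-
-+allow kmod_t self:lockdown confidentiality;
-+
-# Read module config and dependency information
-list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
-read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index c50ff68c1..4c5a690fb 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
-@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
-# for systemd-udevd to rename interfaces
-allow udev_t self:netlink_route_socket nlmsg_write;
-
-+allow udev_t self:lockdown confidentiality;
-+
-can_exec(udev_t, udev_exec_t)
-
-allow udev_t udev_helper_exec_t:dir list_dir_perms;
---
-2.17.1
-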