Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch | 84 |
1 files changed, 84 insertions, 0 deletions
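--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -0,0 +1,84 @@
+From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 4 Feb 2021 10:48:54 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
+
+Fixes:
+systemctl[277]: Failed to connect to bus: No medium found
+
+avc: denied { mknod } for pid=297 comm="systemd" capability=27
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { bpf } for pid=297 comm="systemd" capability=39
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
+
+avc: denied { perfmon } for pid=297 comm="systemd" capability=38
+scontext=root:sysadm_r:sysadm_systemd_t
+tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/roles/sysadm.te | 2 ++
+policy/modules/system/systemd.if | 21 ++++++++++++++++++++-
+2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 088c954f5..92f50fd5a 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -98,6 +98,8 @@ ifdef(`init_systemd',`
+
+# Allow sysadm to follow logs in the journal, i.e. with podman logs -f
+systemd_watch_journal_dirs(sysadm_t)
++
++ systemd_sysadm_user(sysadm_t)
+')
+
+tunable_policy(`allow_ptrace',`
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 9dc91fbb7..325ca548b 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -58,7 +58,7 @@ template(`systemd_role_template',`
+allow $1_systemd_t self:process { getsched signal };
+allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
++ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
+corecmd_shell_domtrans($1_systemd_t, $3)
+corecmd_bin_domtrans($1_systemd_t, $3)
+
+@@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', `
+allow $1 systemd_machined_t:fd use;
+allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
+')
++
++#########################################
++## <summary>
++## sysadm user for systemd --user
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_sysadm_user',`
++ gen_require(`
++ type sysadm_systemd_t;
++ ')
++
++ allow sysadm_systemd_t self:capability { mknod sys_admin };
++ allow sysadm_systemd_t self:capability2 { bpf perfmon };
++')
+--
+2.25.1
+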
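Review bot: The new `systemd_sysadm_user` interface documents a `role` parameter ("Role allowed access.") and is called as `systemd_sysadm_user(sysadm_t)`, but its body never references `$1` and hardcodes `sysadm_systemd_t`, so the argument is silently ignored and the doc block misdescribes the interface; either drop the parameter and its `<param>` block, or key the rules on the prefix as `systemd_role_template` already does (`allow $1_systemd_t self:capability { mknod sys_admin };`) with a matching `gen_require` on `$1_systemd_t`. The `capability { mknod sys_admin }` and `capability2 { bpf perfmon }` grants are unconditional, and `sys_admin` is a broad capability for a `systemd --user` manager, so a comment naming which systemd feature actually needs each one, and whether a `dontaudit` would suffice where the feature is unused, would let future maintainers judge the widening. The `noatsecure` added in `systemd_role_template` presumably resolves the "Failed to connect to bus" error by leaving the environment intact across the transition into `$3`, which also means the secure-exec environment scrubbing no longer applies to shells and binaries spawned from `$1_systemd_t`; that trade-off is worth recording in the patch description.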