1 files changed, 45 insertions, 38 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
index 85bb82b..6a48b3d 100644
--- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
+++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -1,4 +1,4 @@
-From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001
+From 9dcbec008d4213c6649f894fda0e87b0829c56de Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Thu, 4 Feb 2021 10:48:54 +0800
 Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
@@ -26,59 +26,66 @@ Upstream-Status: Inappropriate [embedded specific]
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- policy/modules/roles/sysadm.te   |  2 ++
+ policy/modules/system/systemd.if    | 30 +++++++++++++++++++++++++++++
- policy/modules/system/systemd.if | 21 ++++++++++++++++++++-
+ policy/modules/system/userdomain.if |  4 ++++
- 2 files changed, 22 insertions(+), 1 deletion(-)
+ 2 files changed, 34 insertions(+)
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 088c954f5..92f50fd5a 100644
--- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -98,6 +98,8 @@ ifdef(`init_systemd',`
- 
-        # Allow sysadm to follow logs in the journal, i.e. with podman logs -f
-        systemd_watch_journal_dirs(sysadm_t)
-+
-+       systemd_sysadm_user(sysadm_t)
- ')
- 
- tunable_policy(`allow_ptrace',`
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 9dc91fbb7..325ca548b 100644
+index 6054b5038..d89ad35b1 100644
 --- a/policy/modules/system/systemd.if
 +++ b/policy/modules/system/systemd.if
-@@ -58,7 +58,7 @@ template(`systemd_role_template',`
+@@ -199,6 +199,36 @@ template(`systemd_role_template',`
-        allow $1_systemd_t self:process { getsched signal };
+        ')
-        allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
-        allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
-       allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
-+       allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
-        corecmd_shell_domtrans($1_systemd_t, $3)
-        corecmd_bin_domtrans($1_systemd_t, $3)
- 
-@@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', `
-        allow $1 systemd_machined_t:fd use;
-        allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
 ')
-+
+ 
-+#########################################
+######################################
 +## <summary>
-+##     sysadm user for systemd --user
+##     Admin role for systemd --user
 +## </summary>
+## <param name="prefix">
+##     <summary>
+##     Prefix for generated types
+##     </summary>
+## </param>
 +## <param name="role">
 +##     <summary>
-+##  Role allowed access.
+##     The admin role.
+##     </summary>
+## </param>
+## <param name="userdomain">
+##     <summary>
+##     The amdin domain for the role.
 +##     </summary>
 +## </param>
 +#
-+interface(`systemd_sysadm_user',`
+template(`systemd_admin_role_extra',`
 +       gen_require(`
-+               type sysadm_systemd_t;
+               type $1_systemd_t;
 +       ')
 +
-+       allow sysadm_systemd_t self:capability { mknod sys_admin };
+       allow $1_systemd_t $3:process noatsecure;
-+       allow sysadm_systemd_t self:capability2 { bpf perfmon };
+       allow $1_systemd_t self:capability { mknod sys_admin };
+       allow $1_systemd_t self:capability2 { bpf perfmon };
 +')
+
+ ######################################
+ ## <summary>
+ ##   Allow the specified domain to be started as a daemon by the
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 24c3cb012..80072c03e 100644
+--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
+@@ -1455,6 +1455,10 @@ template(`userdom_admin_user_template',`
+        optional_policy(`
+                userhelper_exec($1_t)
+        ')
+
+       optional_policy(`
+               systemd_admin_role_extra($1, $1_r, $1_t)
+       ')
+ ')
+ 
+ ########################################
 -- 
 2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch index 85bb82b..6a48b3d 100644 --- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch +++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch
@@ -1,4 +1,4 @@
1	From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001	1	From 9dcbec008d4213c6649f894fda0e87b0829c56de Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>	2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Thu, 4 Feb 2021 10:48:54 +0800	3	Date: Thu, 4 Feb 2021 10:48:54 +0800
4	Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes	4	Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
@@ -26,59 +26,66 @@ Upstream-Status: Inappropriate [embedded specific]
26		26
27	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	27	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
28	---	28	---
29	policy/modules/roles/sysadm.te \| 2 ++	29	policy/modules/system/systemd.if \| 30 +++++++++++++++++++++++++++++
30	policy/modules/system/systemd.if \| 21 ++++++++++++++++++++-	30	policy/modules/system/userdomain.if \| 4 ++++
31	2 files changed, 22 insertions(+), 1 deletion(-)	31	2 files changed, 34 insertions(+)
32		32
33	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
34	index 088c954f5..92f50fd5a 100644
35	--- a/policy/modules/roles/sysadm.te
36	+++ b/policy/modules/roles/sysadm.te
37	@@ -98,6 +98,8 @@ ifdef(`init_systemd',`
38
39	# Allow sysadm to follow logs in the journal, i.e. with podman logs -f
40	systemd_watch_journal_dirs(sysadm_t)
41	+
42	+ systemd_sysadm_user(sysadm_t)
43	')
44
45	tunable_policy(`allow_ptrace',`
46	diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if	33	diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
47	index 9dc91fbb7..325ca548b 100644	34	index 6054b5038..d89ad35b1 100644
48	--- a/policy/modules/system/systemd.if	35	--- a/policy/modules/system/systemd.if
49	+++ b/policy/modules/system/systemd.if	36	+++ b/policy/modules/system/systemd.if
50	@@ -58,7 +58,7 @@ template(`systemd_role_template',`	37	@@ -199,6 +199,36 @@ template(`systemd_role_template',`
51	allow $1_systemd_t self:process { getsched signal };	38	')
52	allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
53	allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
54	- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
55	+ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
56	corecmd_shell_domtrans($1_systemd_t, $3)
57	corecmd_bin_domtrans($1_systemd_t, $3)
58
59	@@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', `
60	allow $1 systemd_machined_t:fd use;
61	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
62	')	39	')
63	+	40
64	+#########################################	41	+######################################
65	+## <summary>	42	+## <summary>
66	+## sysadm user for systemd --user	43	+## Admin role for systemd --user
67	+## </summary>	44	+## </summary>
		45	+## <param name="prefix">
		46	+## <summary>
		47	+## Prefix for generated types
		48	+## </summary>
		49	+## </param>
68	+## <param name="role">	50	+## <param name="role">
69	+## <summary>	51	+## <summary>
70	+## Role allowed access.	52	+## The admin role.
		53	+## </summary>
		54	+## </param>
		55	+## <param name="userdomain">
		56	+## <summary>
		57	+## The amdin domain for the role.
71	+## </summary>	58	+## </summary>
72	+## </param>	59	+## </param>
73	+#	60	+#
74	+interface(`systemd_sysadm_user',`	61	+template(`systemd_admin_role_extra',`
75	+ gen_require(`	62	+ gen_require(`
76	+ type sysadm_systemd_t;	63	+ type $1_systemd_t;
77	+ ')	64	+ ')
78	+	65	+
79	+ allow sysadm_systemd_t self:capability { mknod sys_admin };	66	+ allow $1_systemd_t $3:process noatsecure;
80	+ allow sysadm_systemd_t self:capability2 { bpf perfmon };	67	+ allow $1_systemd_t self:capability { mknod sys_admin };
		68	+ allow $1_systemd_t self:capability2 { bpf perfmon };
81	+')	69	+')
		70	+
		71	######################################
		72	## <summary>
		73	## Allow the specified domain to be started as a daemon by the
		74	diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
		75	index 24c3cb012..80072c03e 100644
		76	--- a/policy/modules/system/userdomain.if
		77	+++ b/policy/modules/system/userdomain.if
		78	@@ -1455,6 +1455,10 @@ template(`userdom_admin_user_template',`
		79	optional_policy(`
		80	userhelper_exec($1_t)
		81	')
		82	+
		83	+ optional_policy(`
		84	+ systemd_admin_role_extra($1, $1_r, $1_t)
		85	+ ')
		86	')
		87
		88	########################################
82	--	89	--
83	2.25.1	90	2.25.1
84		91