1 files changed, 60 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
new file mode 100644
index 0000000..ea8af31
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
@@ -0,0 +1,60 @@
+From 99139408a7919282e97e1b2fcd5da33248386d73 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 25 Jan 2021 14:14:59 +0800
+Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup
+ failures
+* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link
+  files
+* Allow systemd_resolved_t to send and recevie messages from dhcpc over
+  dbus
+Fixes:
+avc:  denied  { create } for  pid=329 comm="systemd-resolve"
+name=".#stub-resolv.conf53cb7f9d1e3aa72b"
+scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
+permissive=0
+avc:  denied  { send_msg } for msgtype=method_call
+interface=org.freedesktop.resolve1.Manager member=RevertLink
+dest=org.freedesktop.resolve1 spid=340 tpid=345
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
+tclass=dbus permissive=0
+avc:  denied  { send_msg } for msgtype=method_return dest=:1.6 spid=345
+tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
+permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 31d28a0e3..448905ff7 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -1199,6 +1199,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
+ 
+ manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+ manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+ manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+ init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
+ 
+@@ -1236,6 +1237,7 @@ optional_policy(`
+        dbus_system_bus_client(systemd_resolved_t)
+        dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
+        dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
+       sysnet_dbus_chat_dhcpc(systemd_resolved_t)
+ ')
+ 
+ #########################################
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch new file mode 100644 index 0000000..ea8af31 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch
@@ -0,0 +1,60 @@
	1	From 99139408a7919282e97e1b2fcd5da33248386d73 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Mon, 25 Jan 2021 14:14:59 +0800
	4	Subject: [PATCH] policy/modules/system/systemd: fix systemd-resolved startup
	5	failures
	6
	7	* Allow systemd_resolved_t to manage systemd_resolved_runtime_t link
	8	files
	9	* Allow systemd_resolved_t to send and recevie messages from dhcpc over
	10	dbus
	11
	12	Fixes:
	13	avc: denied { create } for pid=329 comm="systemd-resolve"
	14	name=".#stub-resolv.conf53cb7f9d1e3aa72b"
	15	scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
	16	tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file
	17	permissive=0
	18
	19	avc: denied { send_msg } for msgtype=method_call
	20	interface=org.freedesktop.resolve1.Manager member=RevertLink
	21	dest=org.freedesktop.resolve1 spid=340 tpid=345
	22	scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
	23	tcontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
	24	tclass=dbus permissive=0
	25
	26	avc: denied { send_msg } for msgtype=method_return dest=:1.6 spid=345
	27	tpid=340 scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
	28	tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=dbus
	29	permissive=0
	30
	31	Upstream-Status: Inappropriate [embedded specific]
	32
	33	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	34	---
	35	policy/modules/system/systemd.te \| 2 ++
	36	1 file changed, 2 insertions(+)
	37
	38	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
	39	index 31d28a0e3..448905ff7 100644
	40	--- a/policy/modules/system/systemd.te
	41	+++ b/policy/modules/system/systemd.te
	42	@@ -1199,6 +1199,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
	43
	44	manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
	45	manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
	46	+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
	47	manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
	48	init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
	49
	50	@@ -1236,6 +1237,7 @@ optional_policy(`
	51	dbus_system_bus_client(systemd_resolved_t)
	52	dbus_watch_system_bus_runtime_dirs(systemd_resolved_t)
	53	dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
	54	+ sysnet_dbus_chat_dhcpc(systemd_resolved_t)
	55	')
	56
	57	#########################################
	58	--
	59	2.17.1
	60