Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch | 156 |
1 files changed, 156 insertions, 0 deletions
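--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
@@ -0,0 +1,156 @@
+From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 28 Sep 2021 10:03:04 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
+attributes of tmpfs and cgroups
+
+Fixes:
+avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+
+avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
+tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
+1 file changed, 35 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 448905ff7..847895e63 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
+
+files_search_var_lib(systemd_backlight_t)
+
++fs_getattr_tmpfs(systemd_backlight_t)
++fs_search_cgroup_dirs(systemd_backlight_t)
++fs_getattr_cgroup(systemd_backlight_t)
++
+#######################################
+#
+# Binfmt local policy
+@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
+fs_list_efivars(systemd_generator_t)
+fs_getattr_cgroup(systemd_generator_t)
+fs_getattr_xattr_fs(systemd_generator_t)
++fs_getattr_tmpfs(systemd_generator_t)
+
+init_create_runtime_files(systemd_generator_t)
+init_manage_runtime_dirs(systemd_generator_t)
+@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
+# Allow reading /run/udev/data/+dmi:id
+udev_read_runtime_files(systemd_hostnamed_t)
+
++fs_getattr_tmpfs(systemd_hostnamed_t)
++fs_search_cgroup_dirs(systemd_hostnamed_t)
++fs_getattr_cgroup(systemd_hostnamed_t)
++
+optional_policy(`
+dbus_connect_system_bus(systemd_hostnamed_t)
+dbus_system_bus_client(systemd_hostnamed_t)
+@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
+files_mmap_read_kernel_modules(systemd_modules_load_t)
+files_read_etc_files(systemd_modules_load_t)
+
++fs_getattr_tmpfs(systemd_modules_load_t)
++fs_search_cgroup_dirs(systemd_modules_load_t)
++fs_getattr_cgroup(systemd_modules_load_t)
++
+modutils_read_module_config(systemd_modules_load_t)
+modutils_read_module_deps(systemd_modules_load_t)
+
+@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
+files_watch_root_dirs(systemd_networkd_t)
+files_list_runtime(systemd_networkd_t)
+fs_getattr_xattr_fs(systemd_networkd_t)
++fs_getattr_tmpfs(systemd_networkd_t)
+fs_getattr_cgroup(systemd_networkd_t)
+fs_search_cgroup_dirs(systemd_networkd_t)
+fs_read_nsfs_files(systemd_networkd_t)
+@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
+
+systemd_log_parse_environment(systemd_rfkill_t)
+
++fs_getattr_tmpfs(systemd_rfkill_t)
++fs_search_cgroup_dirs(systemd_rfkill_t)
++fs_getattr_cgroup(systemd_rfkill_t)
++
+#########################################
+#
+# Resolved local policy
+@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
+files_watch_root_dirs(systemd_resolved_t)
+files_watch_runtime_dirs(systemd_resolved_t)
+files_list_runtime(systemd_resolved_t)
++fs_getattr_tmpfs(systemd_resolved_t)
++fs_search_cgroup_dirs(systemd_resolved_t)
++fs_getattr_cgroup(systemd_resolved_t)
+
+init_dgram_send(systemd_resolved_t)
+
+@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
+
+systemd_log_parse_environment(systemd_sessions_t)
+
++fs_getattr_tmpfs(systemd_sessions_t)
++fs_search_cgroup_dirs(systemd_sessions_t)
++fs_getattr_cgroup(systemd_sessions_t)
++
+########################################
+#
+# sysctl local policy
+@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
+kernel_dontaudit_getattr_proc(systemd_sysctl_t)
+
+files_read_etc_files(systemd_sysctl_t)
++fs_getattr_tmpfs(systemd_sysctl_t)
++fs_search_cgroup_dirs(systemd_sysctl_t)
++fs_getattr_cgroup(systemd_sysctl_t)
+
+systemd_log_parse_environment(systemd_sysctl_t)
+
+@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)
+fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
++fs_search_cgroup_dirs(systemd_tmpfiles_t)
++fs_getattr_cgroup(systemd_tmpfiles_t)
+
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_use_status_page(systemd_tmpfiles_t)
+@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+
++fs_getattr_tmpfs(systemd_update_done_t)
++fs_search_cgroup_dirs(systemd_update_done_t)
++fs_getattr_cgroup(systemd_update_done_t)
++
+kernel_read_kernel_sysctls(systemd_update_done_t)
+
+selinux_use_status_page(systemd_update_done_t)
+@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
+fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
+fs_read_cgroup_files(systemd_user_runtime_dir_t)
+fs_getattr_cgroup(systemd_user_runtime_dir_t)
++fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
+
+kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
+--
+2.17.1
+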
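Review bot: The allow rules added to systemd.te are broader than the denials that justify them: the patch description records tmpfs getattr denials only for systemd_networkd_t, systemd_resolved_t and systemd_sessions_t and a cgroup_t dir search only for systemd_user_runtime_dir_t, yet the hunks also grant fs_getattr_tmpfs, fs_search_cgroup_dirs and fs_getattr_cgroup to systemd_backlight_t, systemd_hostnamed_t, systemd_modules_load_t, systemd_rfkill_t, systemd_sysctl_t, systemd_update_done_t and, in part, systemd_generator_t and systemd_tmpfiles_t with no matching AVC record. Each of those is a permanent widening of a confined domain, so either the observed denials for those domains should be added to the description, or the change should be limited to the domains that were actually seen failing. Where a getattr on the tmpfs or cgroup filesystem is a harmless statfs probe rather than something the service needs to function, refpolicy's usual answer is the corresponding dontaudit interface from filesystem.if rather than an allow; that is worth checking per domain before merging. The Upstream-Status of Inappropriate [embedded specific] also looks questionable, since the quoted denials come from stock systemd services and are presumably reproducible on any refpolicy system, so this may belong upstream instead of as a carried patch.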