1 files changed, 156 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
new file mode 100644
index 0000000..91588f1
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
@@ -0,0 +1,156 @@
+From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 28 Sep 2021 10:03:04 +0800
+Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
+ attributes of tmpfs and cgroups
+Fixes:
+avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
+tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
+avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
+tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 448905ff7..847895e63 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
+ 
+ files_search_var_lib(systemd_backlight_t)
+ 
+fs_getattr_tmpfs(systemd_backlight_t)
+fs_search_cgroup_dirs(systemd_backlight_t)
+fs_getattr_cgroup(systemd_backlight_t)
+
+ #######################################
+ #
+ # Binfmt local policy
+@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
+ fs_list_efivars(systemd_generator_t)
+ fs_getattr_cgroup(systemd_generator_t)
+ fs_getattr_xattr_fs(systemd_generator_t)
+fs_getattr_tmpfs(systemd_generator_t)
+ 
+ init_create_runtime_files(systemd_generator_t)
+ init_manage_runtime_dirs(systemd_generator_t)
+@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
+ # Allow reading /run/udev/data/+dmi:id
+ udev_read_runtime_files(systemd_hostnamed_t)
+ 
+fs_getattr_tmpfs(systemd_hostnamed_t)
+fs_search_cgroup_dirs(systemd_hostnamed_t)
+fs_getattr_cgroup(systemd_hostnamed_t)
+
+ optional_policy(`
+        dbus_connect_system_bus(systemd_hostnamed_t)
+        dbus_system_bus_client(systemd_hostnamed_t)
+@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
+ files_mmap_read_kernel_modules(systemd_modules_load_t)
+ files_read_etc_files(systemd_modules_load_t)
+ 
+fs_getattr_tmpfs(systemd_modules_load_t)
+fs_search_cgroup_dirs(systemd_modules_load_t)
+fs_getattr_cgroup(systemd_modules_load_t)
+
+ modutils_read_module_config(systemd_modules_load_t)
+ modutils_read_module_deps(systemd_modules_load_t)
+ 
+@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
+ files_watch_root_dirs(systemd_networkd_t)
+ files_list_runtime(systemd_networkd_t)
+ fs_getattr_xattr_fs(systemd_networkd_t)
+fs_getattr_tmpfs(systemd_networkd_t)
+ fs_getattr_cgroup(systemd_networkd_t)
+ fs_search_cgroup_dirs(systemd_networkd_t)
+ fs_read_nsfs_files(systemd_networkd_t)
+@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
+ 
+ systemd_log_parse_environment(systemd_rfkill_t)
+ 
+fs_getattr_tmpfs(systemd_rfkill_t)
+fs_search_cgroup_dirs(systemd_rfkill_t)
+fs_getattr_cgroup(systemd_rfkill_t)
+
+ #########################################
+ #
+ # Resolved local policy
+@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
+ files_watch_root_dirs(systemd_resolved_t)
+ files_watch_runtime_dirs(systemd_resolved_t)
+ files_list_runtime(systemd_resolved_t)
+fs_getattr_tmpfs(systemd_resolved_t)
+fs_search_cgroup_dirs(systemd_resolved_t)
+fs_getattr_cgroup(systemd_resolved_t)
+ 
+ init_dgram_send(systemd_resolved_t)
+ 
+@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
+ 
+ systemd_log_parse_environment(systemd_sessions_t)
+ 
+fs_getattr_tmpfs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+fs_getattr_cgroup(systemd_sessions_t)
+
+ ########################################
+ #
+ # sysctl local policy
+@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
+ kernel_dontaudit_getattr_proc(systemd_sysctl_t)
+ 
+ files_read_etc_files(systemd_sysctl_t)
+fs_getattr_tmpfs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+fs_getattr_cgroup(systemd_sysctl_t)
+ 
+ systemd_log_parse_environment(systemd_sysctl_t)
+ 
+@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
+ fs_getattr_xattr_fs(systemd_tmpfiles_t)
+ fs_list_tmpfs(systemd_tmpfiles_t)
+ fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_getattr_cgroup(systemd_tmpfiles_t)
+ 
+ selinux_get_fs_mount(systemd_tmpfiles_t)
+ selinux_use_status_page(systemd_tmpfiles_t)
+@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+ files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+ 
+fs_getattr_tmpfs(systemd_update_done_t)
+fs_search_cgroup_dirs(systemd_update_done_t)
+fs_getattr_cgroup(systemd_update_done_t)
+
+ kernel_read_kernel_sysctls(systemd_update_done_t)
+ 
+ selinux_use_status_page(systemd_update_done_t)
+@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
+ fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
+ fs_read_cgroup_files(systemd_user_runtime_dir_t)
+ fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
+ 
+ kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+ kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch new file mode 100644 index 0000000..91588f1 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch
@@ -0,0 +1,156 @@
	1	From 81e63f86d6d030eaf0204796e32011c08e7b5e52 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Tue, 28 Sep 2021 10:03:04 +0800
	4	Subject: [PATCH] policy/modules/system/systemd: allow systemd_*_t to get the
	5	attributes of tmpfs and cgroups
	6
	7	Fixes:
	8	avc: denied { getattr } for pid=245 comm="systemd-network" name="/"
	9	dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_networkd_t
	10	tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
	11
	12	avc: denied { getattr } for pid=252 comm="systemd-resolve" name="/"
	13	dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
	14	tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
	15
	16	avc: denied { getattr } for pid=260 comm="systemd-user-se" name="/"
	17	dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_sessions_t
	18	tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
	19
	20	avc: denied { search } for pid=293 comm="systemd-user-ru" name="/"
	21	dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_user_runtime_dir_t
	22	tcontext=system_u:object_r:cgroup_t tclass=dir permissive=0
	23
	24	Upstream-Status: Inappropriate [embedded specific]
	25
	26	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	27	---
	28	policy/modules/system/systemd.te \| 35 ++++++++++++++++++++++++++++++++
	29	1 file changed, 35 insertions(+)
	30
	31	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
	32	index 448905ff7..847895e63 100644
	33	--- a/policy/modules/system/systemd.te
	34	+++ b/policy/modules/system/systemd.te
	35	@@ -337,6 +337,10 @@ udev_read_runtime_files(systemd_backlight_t)
	36
	37	files_search_var_lib(systemd_backlight_t)
	38
	39	+fs_getattr_tmpfs(systemd_backlight_t)
	40	+fs_search_cgroup_dirs(systemd_backlight_t)
	41	+fs_getattr_cgroup(systemd_backlight_t)
	42	+
	43	#######################################
	44	#
	45	# Binfmt local policy
	46	@@ -447,6 +451,7 @@ files_list_usr(systemd_generator_t)
	47	fs_list_efivars(systemd_generator_t)
	48	fs_getattr_cgroup(systemd_generator_t)
	49	fs_getattr_xattr_fs(systemd_generator_t)
	50	+fs_getattr_tmpfs(systemd_generator_t)
	51
	52	init_create_runtime_files(systemd_generator_t)
	53	init_manage_runtime_dirs(systemd_generator_t)
	54	@@ -515,6 +520,10 @@ systemd_log_parse_environment(systemd_hostnamed_t)
	55	# Allow reading /run/udev/data/+dmi:id
	56	udev_read_runtime_files(systemd_hostnamed_t)
	57
	58	+fs_getattr_tmpfs(systemd_hostnamed_t)
	59	+fs_search_cgroup_dirs(systemd_hostnamed_t)
	60	+fs_getattr_cgroup(systemd_hostnamed_t)
	61	+
	62	optional_policy(`
	63	dbus_connect_system_bus(systemd_hostnamed_t)
	64	dbus_system_bus_client(systemd_hostnamed_t)
	65	@@ -835,6 +844,10 @@ dev_read_sysfs(systemd_modules_load_t)
	66	files_mmap_read_kernel_modules(systemd_modules_load_t)
	67	files_read_etc_files(systemd_modules_load_t)
	68
	69	+fs_getattr_tmpfs(systemd_modules_load_t)
	70	+fs_search_cgroup_dirs(systemd_modules_load_t)
	71	+fs_getattr_cgroup(systemd_modules_load_t)
	72	+
	73	modutils_read_module_config(systemd_modules_load_t)
	74	modutils_read_module_deps(systemd_modules_load_t)
	75
	76	@@ -885,6 +898,7 @@ files_watch_runtime_dirs(systemd_networkd_t)
	77	files_watch_root_dirs(systemd_networkd_t)
	78	files_list_runtime(systemd_networkd_t)
	79	fs_getattr_xattr_fs(systemd_networkd_t)
	80	+fs_getattr_tmpfs(systemd_networkd_t)
	81	fs_getattr_cgroup(systemd_networkd_t)
	82	fs_search_cgroup_dirs(systemd_networkd_t)
	83	fs_read_nsfs_files(systemd_networkd_t)
	84	@@ -1185,6 +1199,10 @@ udev_read_runtime_files(systemd_rfkill_t)
	85
	86	systemd_log_parse_environment(systemd_rfkill_t)
	87
	88	+fs_getattr_tmpfs(systemd_rfkill_t)
	89	+fs_search_cgroup_dirs(systemd_rfkill_t)
	90	+fs_getattr_cgroup(systemd_rfkill_t)
	91	+
	92	#########################################
	93	#
	94	# Resolved local policy
	95	@@ -1224,6 +1242,9 @@ auth_use_nsswitch(systemd_resolved_t)
	96	files_watch_root_dirs(systemd_resolved_t)
	97	files_watch_runtime_dirs(systemd_resolved_t)
	98	files_list_runtime(systemd_resolved_t)
	99	+fs_getattr_tmpfs(systemd_resolved_t)
	100	+fs_search_cgroup_dirs(systemd_resolved_t)
	101	+fs_getattr_cgroup(systemd_resolved_t)
	102
	103	init_dgram_send(systemd_resolved_t)
	104
	105	@@ -1288,6 +1309,10 @@ seutil_read_file_contexts(systemd_sessions_t)
	106
	107	systemd_log_parse_environment(systemd_sessions_t)
	108
	109	+fs_getattr_tmpfs(systemd_sessions_t)
	110	+fs_search_cgroup_dirs(systemd_sessions_t)
	111	+fs_getattr_cgroup(systemd_sessions_t)
	112	+
	113	########################################
	114	#
	115	# sysctl local policy
	116	@@ -1304,6 +1329,9 @@ kernel_rw_all_sysctls(systemd_sysctl_t)
	117	kernel_dontaudit_getattr_proc(systemd_sysctl_t)
	118
	119	files_read_etc_files(systemd_sysctl_t)
	120	+fs_getattr_tmpfs(systemd_sysctl_t)
	121	+fs_search_cgroup_dirs(systemd_sysctl_t)
	122	+fs_getattr_cgroup(systemd_sysctl_t)
	123
	124	systemd_log_parse_environment(systemd_sysctl_t)
	125
	126	@@ -1409,6 +1437,8 @@ fs_getattr_tmpfs(systemd_tmpfiles_t)
	127	fs_getattr_xattr_fs(systemd_tmpfiles_t)
	128	fs_list_tmpfs(systemd_tmpfiles_t)
	129	fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
	130	+fs_search_cgroup_dirs(systemd_tmpfiles_t)
	131	+fs_getattr_cgroup(systemd_tmpfiles_t)
	132
	133	selinux_get_fs_mount(systemd_tmpfiles_t)
	134	selinux_use_status_page(systemd_tmpfiles_t)
	135	@@ -1497,6 +1527,10 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
	136	files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
	137	files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
	138
	139	+fs_getattr_tmpfs(systemd_update_done_t)
	140	+fs_search_cgroup_dirs(systemd_update_done_t)
	141	+fs_getattr_cgroup(systemd_update_done_t)
	142	+
	143	kernel_read_kernel_sysctls(systemd_update_done_t)
	144
	145	selinux_use_status_page(systemd_update_done_t)
	146	@@ -1601,6 +1635,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
	147	fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
	148	fs_read_cgroup_files(systemd_user_runtime_dir_t)
	149	fs_getattr_cgroup(systemd_user_runtime_dir_t)
	150	+fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
	151
	152	kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
	153	kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
	154	--
	155	2.17.1
	156