1 files changed, 0 insertions, 172 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
deleted file mode 100644
index 108f62f..0000000
--- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
-Fixes:
-systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
-$XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host
--user to connect to bus of other user)
-avc: denied { connectto } for  pid=293 comm="login"
-path="/run/systemd/userdb/io.systemd.Multiplexer"
-scontext=system_u:system_r:local_login_t
-tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
-permissive=0
-avc: denied { read } for  pid=293 comm="login" name="io.systemd.DropIn"
-dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-avc: denied { read } for  pid=293 comm="login"
-name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
-scontext=system_u:system_r:local_login_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-avc: denied { connectto } for  pid=244 comm="systemd-logind"
-path="/run/systemd/userdb/io.systemd.Multiplexer"
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
-permissive=0
-avc: denied { read } for  pid=244 comm="systemd-logind"
-name="io.systemd.DropIn" dev="tmpfs" ino=44
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-avc: denied { read } for  pid=244 comm="systemd-logind"
-name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-avc: denied { mknod } for  pid=297 comm="systemd" capability=27
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
-avc: denied { setrlimit } for pid=297 comm="systemd"
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
-avc: denied { bpf } for pid=297 comm="systemd" capability=39
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
-avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
-avc: denied { perfmon } for pid=297 comm="systemd" capability=38
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
-avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
-ino=173 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:etc_t tclass=dir permissive=0
-avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
-ino=2 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
-avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
-ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
-Upstream-Status: Inappropriate [embedded specific]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/roles/sysadm.te   |  2 ++
- policy/modules/system/init.if    |  1 +
- policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++-
- 3 files changed, 29 insertions(+), 1 deletion(-)
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 46d3e2f0b..e1933a5bd 100644
--- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
-        # Allow sysadm to query and set networking settings on the system.
-        systemd_dbus_chat_networkd(sysadm_t)
-        fs_read_nsfs_files(sysadm_t)
-+
-+       systemd_sysadm_user(sysadm_t)
- ')
- 
- tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 0171ee299..8ca29f654 100644
--- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
-        ')
- 
-        allow $1 init_t:unix_stream_socket connectto;
-+       allow $1 initrc_t:unix_stream_socket connectto;
- ')
- 
- ########################################
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 38adf050c..5c44d8d8a 100644
--- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -57,7 +57,7 @@ template(`systemd_role_template',`
-        allow $1_systemd_t self:process { getsched signal };
-        allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
-        allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
-       allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
-+       allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
-        corecmd_shell_domtrans($1_systemd_t, $3)
-        corecmd_bin_domtrans($1_systemd_t, $3)
- 
-@@ -88,8 +88,11 @@ template(`systemd_role_template',`
- 
-        fs_manage_cgroup_files($1_systemd_t)
-        fs_watch_cgroup_files($1_systemd_t)
-+       files_watch_etc_dirs($1_systemd_t)
-+       fs_getattr_xattr_fs($1_systemd_t)
- 
-        kernel_dontaudit_getattr_proc($1_systemd_t)
-+       kernel_read_network_state($1_systemd_t)
- 
-        selinux_use_status_page($1_systemd_t)
- 
-@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
-        init_search_runtime($1)
-        allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
-        allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+       allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
-        init_unix_stream_socket_connectto($1)
- ')
- 
-@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
-        allow $1 systemd_machined_t:fd use;
-        allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
- ')
-+
-+#########################################
-+## <summary>
-+##     sysadm user for systemd --user
-+## </summary>
-+## <param name="role">
-+##     <summary>
-+##  Role allowed access.
-+##     </summary>
-+## </param>
-+#
-+interface(`systemd_sysadm_user',`
-+       gen_require(`
-+               type sysadm_systemd_t;
-+       ')
-+
-+       allow sysadm_systemd_t self:capability { mknod sys_admin };
-+       allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+       allow sysadm_systemd_t self:process setrlimit;
-+       allow $1 sysadm_systemd_t:system reload;
-+')
-- 
-2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch deleted file mode 100644 index 108f62f..0000000 --- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch +++ /dev/null
@@ -1,172 +0,0 @@
1	From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Thu, 4 Feb 2021 10:48:54 +0800
4	Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
5
6	Fixes:
7	systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
8	$XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host
9	--user to connect to bus of other user)
10
11	avc: denied { connectto } for pid=293 comm="login"
12	path="/run/systemd/userdb/io.systemd.Multiplexer"
13	scontext=system_u:system_r:local_login_t
14	tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
15	permissive=0
16
17	avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn"
18	dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
19	tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
20	permissive=0
21
22	avc: denied { read } for pid=293 comm="login"
23	name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
24	scontext=system_u:system_r:local_login_t
25	tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
26	permissive=0
27
28	avc: denied { connectto } for pid=244 comm="systemd-logind"
29	path="/run/systemd/userdb/io.systemd.Multiplexer"
30	scontext=system_u:system_r:systemd_logind_t
31	tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
32	permissive=0
33
34	avc: denied { read } for pid=244 comm="systemd-logind"
35	name="io.systemd.DropIn" dev="tmpfs" ino=44
36	scontext=system_u:system_r:systemd_logind_t
37	tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
38	permissive=0
39
40	avc: denied { read } for pid=244 comm="systemd-logind"
41	name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
42	scontext=system_u:system_r:systemd_logind_t
43	tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
44	permissive=0
45
46	avc: denied { mknod } for pid=297 comm="systemd" capability=27
47	scontext=root:sysadm_r:sysadm_systemd_t
48	tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
49
50	avc: denied { setrlimit } for pid=297 comm="systemd"
51	scontext=root:sysadm_r:sysadm_systemd_t
52	tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
53
54	avc: denied { bpf } for pid=297 comm="systemd" capability=39
55	scontext=root:sysadm_r:sysadm_systemd_t
56	tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
57
58	avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
59	scontext=root:sysadm_r:sysadm_systemd_t
60	tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
61
62	avc: denied { perfmon } for pid=297 comm="systemd" capability=38
63	scontext=root:sysadm_r:sysadm_systemd_t
64	tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
65
66	avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
67	ino=173 scontext=root:sysadm_r:sysadm_systemd_t
68	tcontext=system_u:object_r:etc_t tclass=dir permissive=0
69
70	avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
71	ino=2 scontext=root:sysadm_r:sysadm_systemd_t
72	tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
73
74	avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
75	ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
76	tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
77
78	Upstream-Status: Inappropriate [embedded specific]
79
80	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
81	---
82	policy/modules/roles/sysadm.te \| 2 ++
83	policy/modules/system/init.if \| 1 +
84	policy/modules/system/systemd.if \| 27 ++++++++++++++++++++++++++-
85	3 files changed, 29 insertions(+), 1 deletion(-)
86
87	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
88	index 46d3e2f0b..e1933a5bd 100644
89	--- a/policy/modules/roles/sysadm.te
90	+++ b/policy/modules/roles/sysadm.te
91	@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
92	# Allow sysadm to query and set networking settings on the system.
93	systemd_dbus_chat_networkd(sysadm_t)
94	fs_read_nsfs_files(sysadm_t)
95	+
96	+ systemd_sysadm_user(sysadm_t)
97	')
98
99	tunable_policy(`allow_ptrace',`
100	diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
101	index 0171ee299..8ca29f654 100644
102	--- a/policy/modules/system/init.if
103	+++ b/policy/modules/system/init.if
104	@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
105	')
106
107	allow $1 init_t:unix_stream_socket connectto;
108	+ allow $1 initrc_t:unix_stream_socket connectto;
109	')
110
111	########################################
112	diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
113	index 38adf050c..5c44d8d8a 100644
114	--- a/policy/modules/system/systemd.if
115	+++ b/policy/modules/system/systemd.if
116	@@ -57,7 +57,7 @@ template(`systemd_role_template',`
117	allow $1_systemd_t self:process { getsched signal };
118	allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
119	allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
120	- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
121	+ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
122	corecmd_shell_domtrans($1_systemd_t, $3)
123	corecmd_bin_domtrans($1_systemd_t, $3)
124
125	@@ -88,8 +88,11 @@ template(`systemd_role_template',`
126
127	fs_manage_cgroup_files($1_systemd_t)
128	fs_watch_cgroup_files($1_systemd_t)
129	+ files_watch_etc_dirs($1_systemd_t)
130	+ fs_getattr_xattr_fs($1_systemd_t)
131
132	kernel_dontaudit_getattr_proc($1_systemd_t)
133	+ kernel_read_network_state($1_systemd_t)
134
135	selinux_use_status_page($1_systemd_t)
136
137	@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
138	init_search_runtime($1)
139	allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
140	allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
141	+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
142	init_unix_stream_socket_connectto($1)
143	')
144
145	@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
146	allow $1 systemd_machined_t:fd use;
147	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
148	')
149	+
150	+#########################################
151	+## <summary>
152	+## sysadm user for systemd --user
153	+## </summary>
154	+## <param name="role">
155	+## <summary>
156	+## Role allowed access.
157	+## </summary>
158	+## </param>
159	+#
160	+interface(`systemd_sysadm_user',`
161	+ gen_require(`
162	+ type sysadm_systemd_t;
163	+ ')
164	+
165	+ allow sysadm_systemd_t self:capability { mknod sys_admin };
166	+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
167	+ allow sysadm_systemd_t self:process setrlimit;
168	+ allow $1 sysadm_systemd_t:system reload;
169	+')
170	--
171	2.17.1
172