Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch | 172 |
1 files changed, 0 insertions, 172 deletions
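--- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-systemd-systemd-user-fixes.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes
-
-Fixes:
-systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and
-$XDG_RUNTIME_DIR not defined (consider using --machine=<user>@.host
---user to connect to bus of other user)
-
-avc: denied { connectto } for pid=293 comm="login"
-path="/run/systemd/userdb/io.systemd.Multiplexer"
-scontext=system_u:system_r:local_login_t
-tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
-permissive=0
-
-avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn"
-dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { read } for pid=293 comm="login"
-name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
-scontext=system_u:system_r:local_login_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { connectto } for pid=244 comm="systemd-logind"
-path="/run/systemd/userdb/io.systemd.Multiplexer"
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
-permissive=0
-
-avc: denied { read } for pid=244 comm="systemd-logind"
-name="io.systemd.DropIn" dev="tmpfs" ino=44
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { read } for pid=244 comm="systemd-logind"
-name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43
-scontext=system_u:system_r:systemd_logind_t
-tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file
-permissive=0
-
-avc: denied { mknod } for pid=297 comm="systemd" capability=27
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
-
-avc: denied { setrlimit } for pid=297 comm="systemd"
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0
-
-avc: denied { bpf } for pid=297 comm="systemd" capability=39
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
-
-avc: denied { sys_admin } for pid=297 comm="systemd" capability=21
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0
-
-avc: denied { perfmon } for pid=297 comm="systemd" capability=38
-scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0
-
-avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda"
-ino=173 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:etc_t tclass=dir permissive=0
-
-avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda"
-ino=2 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
-
-avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc"
-ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t
-tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/roles/sysadm.te | 2 ++
-policy/modules/system/init.if | 1 +
-policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++-
-3 files changed, 29 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 46d3e2f0b..e1933a5bd 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -92,6 +92,8 @@ ifdef(`init_systemd',`
-# Allow sysadm to query and set networking settings on the system.
-systemd_dbus_chat_networkd(sysadm_t)
-fs_read_nsfs_files(sysadm_t)
-+
-+ systemd_sysadm_user(sysadm_t)
-')
-
-tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 0171ee299..8ca29f654 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',`
-')
-
-allow $1 init_t:unix_stream_socket connectto;
-+ allow $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 38adf050c..5c44d8d8a 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -57,7 +57,7 @@ template(`systemd_role_template',`
-allow $1_systemd_t self:process { getsched signal };
-allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
-- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
-+ allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure };
-corecmd_shell_domtrans($1_systemd_t, $3)
-corecmd_bin_domtrans($1_systemd_t, $3)
-
-@@ -88,8 +88,11 @@ template(`systemd_role_template',`
-
-fs_manage_cgroup_files($1_systemd_t)
-fs_watch_cgroup_files($1_systemd_t)
-+ files_watch_etc_dirs($1_systemd_t)
-+ fs_getattr_xattr_fs($1_systemd_t)
-
-kernel_dontaudit_getattr_proc($1_systemd_t)
-+ kernel_read_network_state($1_systemd_t)
-
-selinux_use_status_page($1_systemd_t)
-
-@@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', `
-init_search_runtime($1)
-allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
-allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
-init_unix_stream_socket_connectto($1)
-')
-
-@@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', `
-allow $1 systemd_machined_t:fd use;
-allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
-')
-+
-+#########################################
-+## <summary>
-+## sysadm user for systemd --user
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_sysadm_user',`
-+ gen_require(`
-+ type sysadm_systemd_t;
-+ ')
-+
-+ allow sysadm_systemd_t self:capability { mknod sys_admin };
-+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+ allow sysadm_systemd_t self:process setrlimit;
-+ allow $1 sysadm_systemd_t:system reload;
-+')
---
-2.17.1
-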