Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch | 76 |
1 files changed, 76 insertions, 0 deletions
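--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,76 @@
+From 2892de4636a61c237688d73c277edbf7a46163ab Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 13 Oct 2017 07:20:40 +0000
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+lowering the level of files
+
+The boot process hangs with the error while using MLS policy:
+
+[!!!!!!] Failed to mount API filesystems, freezing.
+[ 4.085349] systemd[1]: Freezing execution.
+
+Make kernel_t mls trusted for lowering the level of files to fix below
+avc denials and remove the hang issue.
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+newcontext=system_u:object_r:device_t:s0 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
+
+avc: denied { create } for pid=1 comm="systemd" name="shm" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
+
+avc: denied { create } for pid=1 comm="systemd" name="pts" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:unlabeled_t:s0 \
+newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+newcontext=system_u:object_r:cgroup_t:s0 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
+
+avc: denied { create } for pid=1 comm="systemd" name="pstore" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/kernel/kernel.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index f6ca775e6..b4b089823 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -382,6 +382,8 @@ mls_file_write_all_levels(kernel_t)
+mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
++# https://bugzilla.redhat.com/show_bug.cgi?id=667370
++mls_file_downgrade(kernel_t)
+
+ifdef(`distro_redhat',`
+# Bugzilla 222337
+--
+2.25.1
+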
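Review bot: `mls_file_downgrade(kernel_t)` on nested line 70 is an unconditional, type-wide MLS trust grant: it lets anything running as kernel_t (here PID 1 before it transitions to init_t) lower the sensitivity of any file it is otherwise allowed to relabel, while the denials quoted in the description only concern the API filesystem mountpoints (/dev, /dev/shm, /dev/pts, /run, /sys/fs/cgroup, pstore) being taken from s15:c0.c1023 down to s0. Combined with the `mls_file_write_all_levels` / `mls_file_read_all_levels` lines already present in the hunk context, this leaves kernel_t with essentially no MLS confinement for files, so the commit message should record whether a narrower alternative (for example having the early-boot relabel run at s0 rather than at the high range, or scoping the override to the affected types) was considered and why it was rejected. The in-policy justification is only a bugzilla URL, which will not help a maintainer once the link rots; replace it with a why-comment such as `# PID 1 runs as kernel_t at s15:c0.c1023 before the init transition and must relabel the API filesystem mountpoints (/dev, /run, /sys/fs/cgroup, ...) down to s0; see RH bug 667370`. The `Upstream-Status: Inappropriate [embedded specific]` trailer also looks doubtful, since the failure mode is systemd mounting API filesystems under the stock MLS policy and is not obviously specific to embedded targets; consider marking it Pending and sending it to refpolicy upstream so the grant gets wider scrutiny.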