1 files changed, 63 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
new file mode 100644
index 0000000..1b90ba6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -0,0 +1,63 @@
+From 3fab5273a7721e603f2034badeaf73949aaa59a2 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 06:03:19 -0500
+Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
+ MLS trusted for raising/lowering the level of files
+Fixes:
+  avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \
+  dev="proc" ino=7987 \
+  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+  tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
+  tclass=dir
+  avc: denied { search } for pid=92 comm="systemd-tmpfile" \
+  name="journal" dev="tmpfs" ino=8226 \
+  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+  tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \
+  tclass=dir
+  avc: denied { write } for pid=92 comm="systemd-tmpfile" \
+  name="kmsg" dev="devtmpfs" ino=7242 \
+  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+  tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \
+  tclass=chr_file
+  avc: denied { read } for pid=92 comm="systemd-tmpfile" \
+  name="kmod.conf" dev="tmpfs" ino=8660 \
+  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+  tcontext=system_u:object_r:var_run_t:s0 \
+  tclass=file
+  avc: denied { search } for pid=92 comm="systemd-tmpfile" \
+  name="kernel" dev="proc" ino=8731 \
+  scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
+  tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 03aeb8515..e483d8aea 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -1877,6 +1877,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
+ 
+ systemd_log_parse_environment(systemd_tmpfiles_t)
+ 
+mls_file_write_all_levels(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_downgrade(systemd_tmpfiles_t)
+mls_file_upgrade(systemd_tmpfiles_t)
+
+ userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+ userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+ 
+-- 
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch new file mode 100644 index 0000000..1b90ba6 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch
@@ -0,0 +1,63 @@
	1	From 3fab5273a7721e603f2034badeaf73949aaa59a2 Mon Sep 17 00:00:00 2001
	2	From: Wenzong Fan <wenzong.fan@windriver.com>
	3	Date: Thu, 4 Feb 2016 06:03:19 -0500
	4	Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain
	5	MLS trusted for raising/lowering the level of files
	6
	7	Fixes:
	8	avc: denied { search } for pid=92 comm="systemd-tmpfile" name="1" \
	9	dev="proc" ino=7987 \
	10	scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
	11	tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 \
	12	tclass=dir
	13
	14	avc: denied { search } for pid=92 comm="systemd-tmpfile" \
	15	name="journal" dev="tmpfs" ino=8226 \
	16	scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
	17	tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 \
	18	tclass=dir
	19
	20	avc: denied { write } for pid=92 comm="systemd-tmpfile" \
	21	name="kmsg" dev="devtmpfs" ino=7242 \
	22	scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
	23	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 \
	24	tclass=chr_file
	25
	26	avc: denied { read } for pid=92 comm="systemd-tmpfile" \
	27	name="kmod.conf" dev="tmpfs" ino=8660 \
	28	scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
	29	tcontext=system_u:object_r:var_run_t:s0 \
	30	tclass=file
	31
	32	avc: denied { search } for pid=92 comm="systemd-tmpfile" \
	33	name="kernel" dev="proc" ino=8731 \
	34	scontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 \
	35	tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
	36
	37	Upstream-Status: Inappropriate [embedded specific]
	38
	39	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
	40	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	41	---
	42	policy/modules/system/systemd.te \| 5 +++++
	43	1 file changed, 5 insertions(+)
	44
	45	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
	46	index 03aeb8515..e483d8aea 100644
	47	--- a/policy/modules/system/systemd.te
	48	+++ b/policy/modules/system/systemd.te
	49	@@ -1877,6 +1877,11 @@ sysnet_relabel_config(systemd_tmpfiles_t)
	50
	51	systemd_log_parse_environment(systemd_tmpfiles_t)
	52
	53	+mls_file_write_all_levels(systemd_tmpfiles_t)
	54	+mls_file_read_all_levels(systemd_tmpfiles_t)
	55	+mls_file_downgrade(systemd_tmpfiles_t)
	56	+mls_file_upgrade(systemd_tmpfiles_t)
	57	+
	58	userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
	59	userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
	60
	61	--
	62	2.25.1
	63