1 files changed, 0 insertions, 189 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
deleted file mode 100644
index f7abefb..0000000
--- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: support systemd --user
-Fixes:
-$ systemctl status user@0.service
-* user@0.service - User Manager for UID 0
-     Loaded: loaded (/lib/systemd/system/user@.service; static)
-     Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago
-     Docs: man:user@.service(5)
-     Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
-     Main PID: 1502 (code=exited, status=1/FAILURE)
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0...
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback.
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'.
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0.
-Upstream-Status: Inappropriate [embedded specific]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/roles/sysadm.te   |  2 +
- policy/modules/system/init.if    |  1 +
- policy/modules/system/logging.te |  5 ++-
- policy/modules/system/systemd.if | 75 +++++++++++++++++++++++++++++++-
- 4 files changed, 81 insertions(+), 2 deletions(-)
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1642f3b93..1de7e441d 100644
--- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -81,6 +81,8 @@ ifdef(`init_systemd',`
-        # Allow sysadm to resolve the username of dynamic users by calling
-        # LookupDynamicUserByUID on org.freedesktop.systemd1.
-        init_dbus_chat(sysadm_t)
-+
-+       systemd_sysadm_user(sysadm_t)
- ')
- 
- tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index ba533ba1a..98e94283f 100644
--- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',`
-        ')
- 
-        allow $1 init_t:unix_stream_socket connectto;
-+       allow $1 initrc_t:unix_stream_socket connectto;
- ')
- 
- ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index d864cfd3d..bdd97631c 100644
--- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -519,7 +519,7 @@ ifdef(`init_systemd',`
-        # for systemd-journal
-        allow syslogd_t self:netlink_audit_socket connected_socket_perms;
-        allow syslogd_t self:capability2 audit_read;
-       allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
-+       allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search };
-        allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
- 
-        # remove /run/log/journal when switching to permanent storage
-@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
-        systemd_manage_journal_files(syslogd_t)
- 
-        udev_read_runtime_files(syslogd_t)
-+
-+       userdom_search_user_runtime(syslogd_t)
-+       systemd_search_user_runtime(syslogd_t)
- ')
- 
- ifdef(`distro_gentoo',`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 6a66a2d79..152139261 100644
--- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -30,6 +30,7 @@ template(`systemd_role_template',`
-                attribute systemd_user_session_type, systemd_log_parse_env_type;
-                type systemd_user_runtime_t, systemd_user_runtime_notify_t;
-                type systemd_run_exec_t, systemd_analyze_exec_t;
-+               type session_dbusd_runtime_t, systemd_user_runtime_dir_t;
-        ')
- 
-        #################################
-@@ -55,10 +56,42 @@ template(`systemd_role_template',`
- 
-        allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- 
-+       allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+       allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+       allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+       allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+       allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+       allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+       allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+       allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+       allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+       allow $1_systemd_t self:netlink_kobject_uevent_socket getopt;
-+       allow $1_systemd_t self:process setrlimit;
-+
-+       kernel_getattr_proc($1_systemd_t)
-+       fs_watch_cgroup_files($1_systemd_t)
-+       files_watch_etc_dirs($1_systemd_t)
-+
-+       userdom_search_user_home_dirs($1_systemd_t)
-+       allow $1_systemd_t $3:dir search_dir_perms;
-+       allow $1_systemd_t $3:file read_file_perms;
-+
-+       allow $3 $1_systemd_t:unix_stream_socket { getattr read write };
-+
-+       allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+       allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+       allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+       allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+       allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+       allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+       allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+       allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+       allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+
-        # This domain is per-role because of the below transitions.
-        # See the systemd --user section of systemd.te for the
-        # remainder of the rules.
-       allow $1_systemd_t $3:process { setsched rlimitinh };
-+       allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh };
-        corecmd_shell_domtrans($1_systemd_t, $3)
-        corecmd_bin_domtrans($1_systemd_t, $3)
-        allow $1_systemd_t self:process signal;
-@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', `
-        init_search_runtime($1)
-        allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
-        allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+       allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
-        init_unix_stream_socket_connectto($1)
- ')
- 
-@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', `
-        allow $1 systemd_machined_t:fd use;
-        allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
- ')
-+
-+#########################################
-+## <summary>
-+##     sysadm user for systemd --user
-+## </summary>
-+## <param name="role">
-+##     <summary>
-+##  Role allowed access.
-+##     </summary>
-+## </param>
-+#
-+interface(`systemd_sysadm_user',`
-+       gen_require(`
-+               type sysadm_systemd_t;
-+       ')
-+
-+       allow sysadm_systemd_t self:capability { mknod sys_admin };
-+       allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+       allow $1 sysadm_systemd_t:system reload;
-+')
-+
-+#######################################
-+## <summary>
-+##  Search systemd users runtime directories.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`systemd_search_user_runtime',`
-+       gen_require(`
-+               type systemd_user_runtime_t;
-+       ')
-+
-+       allow $1 systemd_user_runtime_t:dir search_dir_perms;
-+       allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms;
-+')
-- 
-2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch deleted file mode 100644 index f7abefb..0000000 --- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch +++ /dev/null
@@ -1,189 +0,0 @@
1	From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Thu, 4 Feb 2021 10:48:54 +0800
4	Subject: [PATCH] policy/modules/system/systemd: support systemd --user
5
6	Fixes:
7	$ systemctl status user@0.service
8	* user@0.service - User Manager for UID 0
9	Loaded: loaded (/lib/systemd/system/user@.service; static)
10	Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago
11	Docs: man:user@.service(5)
12	Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
13	Main PID: 1502 (code=exited, status=1/FAILURE)
14
15	Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0...
16	Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback.
17	Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied
18	Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE
19	Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'.
20	Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0.
21
22	Upstream-Status: Inappropriate [embedded specific]
23
24	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
25	---
26	policy/modules/roles/sysadm.te \| 2 +
27	policy/modules/system/init.if \| 1 +
28	policy/modules/system/logging.te \| 5 ++-
29	policy/modules/system/systemd.if \| 75 +++++++++++++++++++++++++++++++-
30	4 files changed, 81 insertions(+), 2 deletions(-)
31
32	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
33	index 1642f3b93..1de7e441d 100644
34	--- a/policy/modules/roles/sysadm.te
35	+++ b/policy/modules/roles/sysadm.te
36	@@ -81,6 +81,8 @@ ifdef(`init_systemd',`
37	# Allow sysadm to resolve the username of dynamic users by calling
38	# LookupDynamicUserByUID on org.freedesktop.systemd1.
39	init_dbus_chat(sysadm_t)
40	+
41	+ systemd_sysadm_user(sysadm_t)
42	')
43
44	tunable_policy(`allow_ptrace',`
45	diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
46	index ba533ba1a..98e94283f 100644
47	--- a/policy/modules/system/init.if
48	+++ b/policy/modules/system/init.if
49	@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',`
50	')
51
52	allow $1 init_t:unix_stream_socket connectto;
53	+ allow $1 initrc_t:unix_stream_socket connectto;
54	')
55
56	########################################
57	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
58	index d864cfd3d..bdd97631c 100644
59	--- a/policy/modules/system/logging.te
60	+++ b/policy/modules/system/logging.te
61	@@ -519,7 +519,7 @@ ifdef(`init_systemd',`
62	# for systemd-journal
63	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
64	allow syslogd_t self:capability2 audit_read;
65	- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
66	+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search };
67	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
68
69	# remove /run/log/journal when switching to permanent storage
70	@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
71	systemd_manage_journal_files(syslogd_t)
72
73	udev_read_runtime_files(syslogd_t)
74	+
75	+ userdom_search_user_runtime(syslogd_t)
76	+ systemd_search_user_runtime(syslogd_t)
77	')
78
79	ifdef(`distro_gentoo',`
80	diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
81	index 6a66a2d79..152139261 100644
82	--- a/policy/modules/system/systemd.if
83	+++ b/policy/modules/system/systemd.if
84	@@ -30,6 +30,7 @@ template(`systemd_role_template',`
85	attribute systemd_user_session_type, systemd_log_parse_env_type;
86	type systemd_user_runtime_t, systemd_user_runtime_notify_t;
87	type systemd_run_exec_t, systemd_analyze_exec_t;
88	+ type session_dbusd_runtime_t, systemd_user_runtime_dir_t;
89	')
90
91	#################################
92	@@ -55,10 +56,42 @@ template(`systemd_role_template',`
93
94	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
95
96	+ allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
97	+ allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
98	+ allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
99	+ allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
100	+ allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
101	+ allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
102	+ allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
103	+ allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
104	+ allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
105	+ allow $1_systemd_t self:netlink_kobject_uevent_socket getopt;
106	+ allow $1_systemd_t self:process setrlimit;
107	+
108	+ kernel_getattr_proc($1_systemd_t)
109	+ fs_watch_cgroup_files($1_systemd_t)
110	+ files_watch_etc_dirs($1_systemd_t)
111	+
112	+ userdom_search_user_home_dirs($1_systemd_t)
113	+ allow $1_systemd_t $3:dir search_dir_perms;
114	+ allow $1_systemd_t $3:file read_file_perms;
115	+
116	+ allow $3 $1_systemd_t:unix_stream_socket { getattr read write };
117	+
118	+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
119	+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
120	+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
121	+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
122	+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
123	+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
124	+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
125	+ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
126	+ allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
127	+
128	# This domain is per-role because of the below transitions.
129	# See the systemd --user section of systemd.te for the
130	# remainder of the rules.
131	- allow $1_systemd_t $3:process { setsched rlimitinh };
132	+ allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh };
133	corecmd_shell_domtrans($1_systemd_t, $3)
134	corecmd_bin_domtrans($1_systemd_t, $3)
135	allow $1_systemd_t self:process signal;
136	@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', `
137	init_search_runtime($1)
138	allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
139	allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
140	+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
141	init_unix_stream_socket_connectto($1)
142	')
143
144	@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', `
145	allow $1 systemd_machined_t:fd use;
146	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
147	')
148	+
149	+#########################################
150	+## <summary>
151	+## sysadm user for systemd --user
152	+## </summary>
153	+## <param name="role">
154	+## <summary>
155	+## Role allowed access.
156	+## </summary>
157	+## </param>
158	+#
159	+interface(`systemd_sysadm_user',`
160	+ gen_require(`
161	+ type sysadm_systemd_t;
162	+ ')
163	+
164	+ allow sysadm_systemd_t self:capability { mknod sys_admin };
165	+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
166	+ allow $1 sysadm_systemd_t:system reload;
167	+')
168	+
169	+#######################################
170	+## <summary>
171	+## Search systemd users runtime directories.
172	+## </summary>
173	+## <param name="domain">
174	+## <summary>
175	+## Domain allowed access.
176	+## </summary>
177	+## </param>
178	+#
179	+interface(`systemd_search_user_runtime',`
180	+ gen_require(`
181	+ type systemd_user_runtime_t;
182	+ ')
183	+
184	+ allow $1 systemd_user_runtime_t:dir search_dir_perms;
185	+ allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms;
186	+')
187	--
188	2.17.1
189