Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch | 189 |
1 files changed, 0 insertions, 189 deletions
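--- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-systemd-support-systemd-user.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From bd77e8e51962bb6a8c5708f3e5362007c915498e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 4 Feb 2021 10:48:54 +0800
-Subject: [PATCH] policy/modules/system/systemd: support systemd --user
-
-Fixes:
-$ systemctl status user@0.service
-* user@0.service - User Manager for UID 0
-Loaded: loaded (/lib/systemd/system/user@.service; static)
-Active: failed (Result: exit-code) since Thu 2021-02-04 02:57:32 UTC; 11s ago
-Docs: man:user@.service(5)
-Process: 1502 ExecStart=/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
-Main PID: 1502 (code=exited, status=1/FAILURE)
-
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Starting User Manager for UID 0...
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: selinux_status_open() failed to open the status page, using the netlink fallback.
-Feb 04 02:57:32 intel-x86-64 systemd[1502]: Failed to initialize SELinux labeling handle: Permission denied
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Main process exited, code=exited, status=1/FAILURE
-Feb 04 02:57:32 intel-x86-64 systemd[1]: user@0.service: Failed with result 'exit-code'.
-Feb 04 02:57:32 intel-x86-64 systemd[1]: Failed to start User Manager for UID 0.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/roles/sysadm.te | 2 +
-policy/modules/system/init.if | 1 +
-policy/modules/system/logging.te | 5 ++-
-policy/modules/system/systemd.if | 75 +++++++++++++++++++++++++++++++-
-4 files changed, 81 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 1642f3b93..1de7e441d 100644
---- a/policy/modules/roles/sysadm.te
-+++ b/policy/modules/roles/sysadm.te
-@@ -81,6 +81,8 @@ ifdef(`init_systemd',`
-# Allow sysadm to resolve the username of dynamic users by calling
-# LookupDynamicUserByUID on org.freedesktop.systemd1.
-init_dbus_chat(sysadm_t)
-+
-+ systemd_sysadm_user(sysadm_t)
-')
-
-tunable_policy(`allow_ptrace',`
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index ba533ba1a..98e94283f 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -943,6 +943,7 @@ interface(`init_unix_stream_socket_connectto',`
-')
-
-allow $1 init_t:unix_stream_socket connectto;
-+ allow $1 initrc_t:unix_stream_socket connectto;
-')
-
-########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index d864cfd3d..bdd97631c 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -519,7 +519,7 @@ ifdef(`init_systemd',`
-# for systemd-journal
-allow syslogd_t self:netlink_audit_socket connected_socket_perms;
-allow syslogd_t self:capability2 audit_read;
-- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
-+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace dac_read_search };
-allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-
-# remove /run/log/journal when switching to permanent storage
-@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
-systemd_manage_journal_files(syslogd_t)
-
-udev_read_runtime_files(syslogd_t)
-+
-+ userdom_search_user_runtime(syslogd_t)
-+ systemd_search_user_runtime(syslogd_t)
-')
-
-ifdef(`distro_gentoo',`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 6a66a2d79..152139261 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -30,6 +30,7 @@ template(`systemd_role_template',`
-attribute systemd_user_session_type, systemd_log_parse_env_type;
-type systemd_user_runtime_t, systemd_user_runtime_notify_t;
-type systemd_run_exec_t, systemd_analyze_exec_t;
-+ type session_dbusd_runtime_t, systemd_user_runtime_dir_t;
-')
-
-#################################
-@@ -55,10 +56,42 @@ template(`systemd_role_template',`
-
-allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-+ allow $1_systemd_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+ allow $1_systemd_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow $1_systemd_t self:netlink_kobject_uevent_socket getopt;
-+ allow $1_systemd_t self:process setrlimit;
-+
-+ kernel_getattr_proc($1_systemd_t)
-+ fs_watch_cgroup_files($1_systemd_t)
-+ files_watch_etc_dirs($1_systemd_t)
-+
-+ userdom_search_user_home_dirs($1_systemd_t)
-+ allow $1_systemd_t $3:dir search_dir_perms;
-+ allow $1_systemd_t $3:file read_file_perms;
-+
-+ allow $3 $1_systemd_t:unix_stream_socket { getattr read write };
-+
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-+ allow systemd_user_runtime_dir_t systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ allow systemd_user_runtime_dir_t session_dbusd_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+
-# This domain is per-role because of the below transitions.
-# See the systemd --user section of systemd.te for the
-# remainder of the rules.
-- allow $1_systemd_t $3:process { setsched rlimitinh };
-+ allow $1_systemd_t $3:process { setsched rlimitinh noatsecure siginh };
-corecmd_shell_domtrans($1_systemd_t, $3)
-corecmd_bin_domtrans($1_systemd_t, $3)
-allow $1_systemd_t self:process signal;
-@@ -479,6 +512,7 @@ interface(`systemd_stream_connect_userdb', `
-init_search_runtime($1)
-allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
-allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
-+ allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms;
-init_unix_stream_socket_connectto($1)
-')
-
-@@ -1353,3 +1387,42 @@ interface(`systemd_use_inherited_machined_ptys', `
-allow $1 systemd_machined_t:fd use;
-allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
-')
-+
-+#########################################
-+## <summary>
-+## sysadm user for systemd --user
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_sysadm_user',`
-+ gen_require(`
-+ type sysadm_systemd_t;
-+ ')
-+
-+ allow sysadm_systemd_t self:capability { mknod sys_admin };
-+ allow sysadm_systemd_t self:capability2 { bpf perfmon };
-+ allow $1 sysadm_systemd_t:system reload;
-+')
-+
-+#######################################
-+## <summary>
-+## Search systemd users runtime directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`systemd_search_user_runtime',`
-+ gen_require(`
-+ type systemd_user_runtime_t;
-+ ')
-+
-+ allow $1 systemd_user_runtime_t:dir search_dir_perms;
-+ allow $1 systemd_user_runtime_t:lnk_file read_lnk_file_perms;
-+')
---
-2.17.1
-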