diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch new file mode 100644 index 0000000..3e75257 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 3d5751659380eb04b63f8fc1e6113132dd1310d7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Mon, 22 Feb 2021 11:28:12 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted | ||
5 | for writing/reading from files at all levels | ||
6 | |||
7 | Fixes: | ||
8 | avc: denied { search } for pid=1148 comm="systemd" name="journal" | ||
9 | dev="tmpfs" ino=206 | ||
10 | scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023 | ||
11 | tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir | ||
12 | permissive=0 | ||
13 | avc: denied { write } for pid=1148 comm="systemd" name="kmsg" | ||
14 | dev="devtmpfs" ino=3081 | ||
15 | scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023 | ||
16 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
17 | permissive=0 | ||
18 | |||
19 | Upstream-Status: Inappropriate [embedded specific] | ||
20 | |||
21 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
22 | --- | ||
23 | policy/modules/system/systemd.if | 3 +++ | ||
24 | 1 file changed, 3 insertions(+) | ||
25 | |||
26 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | ||
27 | index d7219dc37..7717e0034 100644 | ||
28 | --- a/policy/modules/system/systemd.if | ||
29 | +++ b/policy/modules/system/systemd.if | ||
30 | @@ -226,6 +226,9 @@ template(`systemd_role_template',` | ||
31 | xdg_read_config_files($1_systemd_t) | ||
32 | xdg_read_data_files($1_systemd_t) | ||
33 | ') | ||
34 | + | ||
35 | + mls_file_read_all_levels($1_systemd_t) | ||
36 | + mls_file_write_all_levels($1_systemd_t) | ||
37 | ') | ||
38 | |||
39 | ###################################### | ||
40 | -- | ||
41 | 2.25.1 | ||
42 | |||