1 files changed, 42 insertions, 0 deletions

diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
new file mode 100644
index 0000000..3e75257
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch
@@ -0,0 +1,42 @@
+From 3d5751659380eb04b63f8fc1e6113132dd1310d7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 22 Feb 2021 11:28:12 +0800
+Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted
+ for writing/reading from files at all levels
+
+Fixes:
+avc:  denied  { search } for  pid=1148 comm="systemd" name="journal"
+dev="tmpfs" ino=206
+scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc:  denied  { write } for  pid=1148 comm="systemd" name="kmsg"
+dev="devtmpfs" ino=3081
+scontext=root:sysadm_r:sysadm_systemd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index d7219dc37..7717e0034 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -226,6 +226,9 @@ template(`systemd_role_template',`
+                xdg_read_config_files($1_systemd_t)
+                xdg_read_data_files($1_systemd_t)
+        ')
++
++       mls_file_read_all_levels($1_systemd_t)
++       mls_file_write_all_levels($1_systemd_t)
+ ')
+ 
+ ######################################
+-- 
+2.25.1
+