Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch | 77 |
1 files changed, 77 insertions, 0 deletions
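--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0065-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch
@@ -0,0 +1,77 @@
+From fdc58fd666915aba89cb07fe6e7eb43a7fbec2ec Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 13 Oct 2017 07:20:40 +0000
+Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for
+lowering the level of files
+
+The boot process hangs with the error while using MLS policy:
+
+[!!!!!!] Failed to mount API filesystems, freezing.
+[ 4.085349] systemd[1]: Freezing execution.
+
+Make kernel_t mls trusted for lowering the level of files to fix below
+avc denials and remove the hang issue.
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:device_t:s15:c0.c1023 \
+newcontext=system_u:object_r:device_t:s0 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /dev: Operation not permitted
+
+avc: denied { create } for pid=1 comm="systemd" name="shm" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+systemd[1]: Failed to mount tmpfs at /dev/shm: No such file or directory
+
+avc: denied { create } for pid=1 comm="systemd" name="pts" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=0
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:unlabeled_t:s0 \
+newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+newcontext=system_u:object_r:var_run_t:s0-s15:c0.c1023 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /run: Operation not permitted
+
+op=security_validate_transition seresult=denied \
+oldcontext=system_u:object_r:tmpfs_t:s15:c0.c1023 \
+newcontext=system_u:object_r:cgroup_t:s0 \
+taskcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir
+systemd[1]: Unable to fix SELinux security context of /sys/fs/cgroup: Operation not permitted
+
+avc: denied { create } for pid=1 comm="systemd" name="pstore" \
+scontext=system_u:system_r:kernel_t:s15:c0.c1023 \
+tcontext=system_u:object_r:pstore_t:s0 tclass=dir permissive=0
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667370
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/kernel/kernel.te | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 44c031a39..4dffaef76 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -359,6 +359,9 @@ mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
+mls_fd_use_all_levels(kernel_t)
+
++# https://bugzilla.redhat.com/show_bug.cgi?id=667370
++mls_file_downgrade(kernel_t)
++
+ifdef(`distro_redhat',`
+# Bugzilla 222337
+fs_rw_tmpfs_chr_files(kernel_t)
+--
+2.17.1
+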
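Review bot: The added `mls_file_downgrade(kernel_t)` grants the entire kernel_t domain the MLS privilege to lower file sensitivity levels, while every denial quoted in the description comes from pid 1 systemd apparently still running in kernel_t at s15:c0.c1023 during early boot, so the patch widens the trust of a whole domain to cover one early-boot relabel window and neither the commit message nor the policy comment records that trade-off. The comment above the new call is only a bug URL, which can go stale; I would expand it to say why the rule exists, e.g. `# systemd (pid 1) runs in kernel_t at early boot and relabels /dev, /run and /sys/fs/cgroup from s15:c0.c1023 down to s0, which needs the MLS downgrade privilege. Ref: Red Hat bug 667370`. The `Upstream-Status: Inappropriate [embedded specific]` line sits next to a reference to a generic Red Hat bug for the same symptom, so the description may want one sentence on why this is considered embedded-only rather than an upstream-worthy fix. The enclosing kernel.te block continues outside the inner hunk.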