1 files changed, 42 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-systemd-make-systemd-logind-do.patch b/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-systemd-make-systemd-logind-do.patch
new file mode 100644
index 0000000..1e5b474
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-systemd-make-systemd-logind-do.patch
@@ -0,0 +1,42 @@
+From 212156df805a24852a4762737f7040f1c7bb9b9a Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 23 Jan 2017 08:42:44 +0000
+Subject: [PATCH] policy/modules/system/systemd: make systemd-logind domain MLS
+ trusted for reading from files up to its clearance.
+Fixes:
+avc:  denied  { search } for  pid=184 comm="systemd-logind"
+name="journal" dev="tmpfs" ino=10949
+scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=1
+avc:  denied  { watch } for  pid=184 comm="systemd-logind"
+path="/run/utmp" dev="tmpfs" ino=12725
+scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=1
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 57f4dc40d..1449d2808 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -621,6 +621,8 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+ userdom_setattr_user_ttys(systemd_logind_t)
+ userdom_use_user_ttys(systemd_logind_t)
+ 
+mls_file_read_to_clearance(systemd_logind_t)
+
+ # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
+ # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
+ # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-systemd-make-systemd-logind-do.patch b/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-systemd-make-systemd-logind-do.patch new file mode 100644 index 0000000..1e5b474 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0073-policy-modules-system-systemd-make-systemd-logind-do.patch
@@ -0,0 +1,42 @@
	1	From 212156df805a24852a4762737f7040f1c7bb9b9a Mon Sep 17 00:00:00 2001
	2	From: Wenzong Fan <wenzong.fan@windriver.com>
	3	Date: Mon, 23 Jan 2017 08:42:44 +0000
	4	Subject: [PATCH] policy/modules/system/systemd: make systemd-logind domain MLS
	5	trusted for reading from files up to its clearance.
	6
	7	Fixes:
	8	avc: denied { search } for pid=184 comm="systemd-logind"
	9	name="journal" dev="tmpfs" ino=10949
	10	scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
	11	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
	12	permissive=1
	13
	14	avc: denied { watch } for pid=184 comm="systemd-logind"
	15	path="/run/utmp" dev="tmpfs" ino=12725
	16	scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023
	17	tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=1
	18
	19	Upstream-Status: Inappropriate [embedded specific]
	20
	21	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
	22	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	23	---
	24	policy/modules/system/systemd.te \| 2 ++
	25	1 file changed, 2 insertions(+)
	26
	27	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
	28	index 57f4dc40d..1449d2808 100644
	29	--- a/policy/modules/system/systemd.te
	30	+++ b/policy/modules/system/systemd.te
	31	@@ -621,6 +621,8 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t)
	32	userdom_setattr_user_ttys(systemd_logind_t)
	33	userdom_use_user_ttys(systemd_logind_t)
	34
	35	+mls_file_read_to_clearance(systemd_logind_t)
	36	+
	37	# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
	38	# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
	39	# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
	40	--
	41	2.17.1
	42