Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch
new file mode 100644
index 0000000..303e7cf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From 84b86b1a4dd6f8e535c4b9b4ac2bfa38d202d9d3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Tue, 23 Jun 2020 14:52:43 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/systemd: systemd-gpt-auto-generator: | ||
5 | make systemd_generator_t MLS trusted for writing from files up to its | ||
6 | clearance | ||
7 | |||
8 | Fixes: | ||
9 | audit: type=1400 audit(1592892455.376:3): avc: denied { write } for | ||
10 | pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032 | ||
11 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
12 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
13 | permissive=0 | ||
14 | audit: type=1400 audit(1592892455.381:4): avc: denied { write } for | ||
15 | pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032 | ||
16 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
17 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
18 | permissive=0 | ||
19 | audit: type=1400 audit(1592892455.382:5): avc: denied { read write } | ||
20 | for pid=119 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" | ||
21 | ino=10127 scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
22 | tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0 | ||
23 | audit: type=1400 audit(1592892455.382:6): avc: denied { write } for | ||
24 | pid=124 comm="systemd-system-" name="kmsg" dev="devtmpfs" ino=10032 | ||
25 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
26 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
27 | permissive=0 | ||
28 | audit: type=1400 audit(1592892455.383:7): avc: denied { write } for | ||
29 | pid=122 comm="systemd-rc-loca" name="kmsg" dev="devtmpfs" ino=10032 | ||
30 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
31 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
32 | permissive=0 | ||
33 | audit: type=1400 audit(1592892455.385:8): avc: denied { write } for | ||
34 | pid=118 comm="systemd-fstab-g" name="kmsg" dev="devtmpfs" ino=10032 | ||
35 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
36 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
37 | permissive=0 | ||
38 | audit: type=1400 audit(1592892455.385:9): avc: denied { write } for | ||
39 | pid=121 comm="systemd-hiberna" name="kmsg" dev="devtmpfs" ino=10032 | ||
40 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
41 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
42 | permissive=0 | ||
43 | audit: type=1400 audit(1592892455.386:10): avc: denied { write } for | ||
44 | pid=123 comm="systemd-run-gen" name="kmsg" dev="devtmpfs" ino=10032 | ||
45 | scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023 | ||
46 | tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file | ||
47 | permissive=0 | ||
48 | |||
49 | Upstream-Status: Inappropriate [embedded specific] | ||
50 | |||
51 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
52 | --- | ||
53 | policy/modules/system/systemd.te | 1 + | ||
54 | 1 file changed, 1 insertion(+) | ||
55 | |||
56 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
57 | index e82a1e64a..7e573645b 100644 | ||
58 | --- a/policy/modules/system/systemd.te | ||
59 | +++ b/policy/modules/system/systemd.te | ||
60 | @@ -401,6 +401,7 @@ storage_raw_read_fixed_disk(systemd_generator_t) | ||
61 | systemd_log_parse_environment(systemd_generator_t) | ||
62 | |||
63 | term_dontaudit_use_unallocated_ttys(systemd_generator_t) | ||
64 | +mls_file_write_to_clearance(systemd_generator_t) | ||
65 | |||
66 | optional_policy(` | ||
67 | fstools_exec(systemd_generator_t) | ||
68 | -- | ||
69 | 2.17.1 | ||
70 | |||
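Review bot: The `mls_file_write_to_clearance(systemd_generator_t)` line added to systemd.te is broader than the denials it is meant to fix: the `mlsfilewritetoclr` attribute relaxes the MLS write constraint for every file-like class, so the generators may write to any TE-permitted object labelled anywhere between s0 and their s15 clearance, not just kmsg_device_t. The ttyS0 denial quoted in the message (tty_device_t at s0, subject at s0-s15) has equal levels and therefore is not an MLS denial, so this change cannot address it and that entry should be dropped from the Fixes list or handled separately. Since the only MLS mismatch shown is /dev/kmsg at s15, a narrower option worth considering is fixing the device's level or making kmsg_device_t an MLS-trusted object rather than widening the subject, assuming the s15 label on kmsg is intentional on this image. If the attribute is kept, document why, e.g. `# /dev/kmsg is labelled s15 on MLS builds; generators run at s0-s15 and log to it`.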