1 files changed, 70 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch
new file mode 100644
index 0000000..303e7cf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch
@@ -0,0 +1,70 @@
+From 84b86b1a4dd6f8e535c4b9b4ac2bfa38d202d9d3 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 14:52:43 +0800
+Subject: [PATCH] policy/modules/system/systemd: systemd-gpt-auto-generator:
+ make systemd_generator_t MLS trusted for writing from files up to its
+ clearance
+Fixes:
+audit: type=1400 audit(1592892455.376:3): avc:  denied  { write } for
+pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.381:4): avc:  denied  { write } for
+pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.382:5): avc:  denied  { read write }
+for  pid=119 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs"
+ino=10127 scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
+audit: type=1400 audit(1592892455.382:6): avc:  denied  { write } for
+pid=124 comm="systemd-system-" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.383:7): avc:  denied  { write } for
+pid=122 comm="systemd-rc-loca" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.385:8): avc:  denied  { write } for
+pid=118 comm="systemd-fstab-g" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.385:9): avc:  denied  { write } for
+pid=121 comm="systemd-hiberna" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+audit: type=1400 audit(1592892455.386:10): avc:  denied  { write } for
+pid=123 comm="systemd-run-gen" name="kmsg" dev="devtmpfs" ino=10032
+scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
+permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index e82a1e64a..7e573645b 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -401,6 +401,7 @@ storage_raw_read_fixed_disk(systemd_generator_t)
+ systemd_log_parse_environment(systemd_generator_t)
+ 
+ term_dontaudit_use_unallocated_ttys(systemd_generator_t)
+mls_file_write_to_clearance(systemd_generator_t)
+ 
+ optional_policy(`
+        fstools_exec(systemd_generator_t)
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch new file mode 100644 index 0000000..303e7cf --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0078-policy-modules-system-systemd-systemd-gpt-auto-gener.patch
@@ -0,0 +1,70 @@
	1	From 84b86b1a4dd6f8e535c4b9b4ac2bfa38d202d9d3 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Tue, 23 Jun 2020 14:52:43 +0800
	4	Subject: [PATCH] policy/modules/system/systemd: systemd-gpt-auto-generator:
	5	make systemd_generator_t MLS trusted for writing from files up to its
	6	clearance
	7
	8	Fixes:
	9	audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
	10	pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
	11	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
	12	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
	13	permissive=0
	14	audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
	15	pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
	16	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
	17	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
	18	permissive=0
	19	audit: type=1400 audit(1592892455.382:5): avc: denied { read write }
	20	for pid=119 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs"
	21	ino=10127 scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
	22	tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
	23	audit: type=1400 audit(1592892455.382:6): avc: denied { write } for
	24	pid=124 comm="systemd-system-" name="kmsg" dev="devtmpfs" ino=10032
	25	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
	26	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
	27	permissive=0
	28	audit: type=1400 audit(1592892455.383:7): avc: denied { write } for
	29	pid=122 comm="systemd-rc-loca" name="kmsg" dev="devtmpfs" ino=10032
	30	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
	31	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
	32	permissive=0
	33	audit: type=1400 audit(1592892455.385:8): avc: denied { write } for
	34	pid=118 comm="systemd-fstab-g" name="kmsg" dev="devtmpfs" ino=10032
	35	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
	36	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
	37	permissive=0
	38	audit: type=1400 audit(1592892455.385:9): avc: denied { write } for
	39	pid=121 comm="systemd-hiberna" name="kmsg" dev="devtmpfs" ino=10032
	40	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
	41	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
	42	permissive=0
	43	audit: type=1400 audit(1592892455.386:10): avc: denied { write } for
	44	pid=123 comm="systemd-run-gen" name="kmsg" dev="devtmpfs" ino=10032
	45	scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
	46	tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
	47	permissive=0
	48
	49	Upstream-Status: Inappropriate [embedded specific]
	50
	51	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	52	---
	53	policy/modules/system/systemd.te \| 1 +
	54	1 file changed, 1 insertion(+)
	55
	56	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
	57	index e82a1e64a..7e573645b 100644
	58	--- a/policy/modules/system/systemd.te
	59	+++ b/policy/modules/system/systemd.te
	60	@@ -401,6 +401,7 @@ storage_raw_read_fixed_disk(systemd_generator_t)
	61	systemd_log_parse_environment(systemd_generator_t)
	62
	63	term_dontaudit_use_unallocated_ttys(systemd_generator_t)
	64	+mls_file_write_to_clearance(systemd_generator_t)
	65
	66	optional_policy(`
	67	fstools_exec(systemd_generator_t)
	68	--
	69	2.17.1
	70