Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch | 162 |
1 files changed, 0 insertions, 162 deletions
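diff --git a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
deleted file mode 100644
index cb8e821..0000000
--- a/recipes-security/refpolicy/refpolicy/0080-policy-modules-system-systemd-systemd-make-systemd_-.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 05ec2d78b44e57ecf188472b903fe66eeb568951 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 18 Jun 2020 09:59:58 +0800
-Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t
-MLS trusted for writing/reading from files up to its clearance
-
-Fixes:
-avc: denied { search } for pid=219 comm="systemd-network"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { search } for pid=220 comm="systemd-resolve"
-name="journal" dev="tmpfs" ino=10956
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-avc: denied { search } for pid=220 comm="systemd-resolve" name="/"
-dev="tmpfs" ino=15102
-scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-avc: denied { search } for pid=142 comm="systemd-modules"
-name="journal" dev="tmpfs" ino=10990
-scontext=system_u:system_r:systemd_modules_load_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-audit: type=1400 audit(1592892455.376:3): avc: denied { write } for
-pid=120 comm="systemd-gpt-aut" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-audit: type=1400 audit(1592892455.381:4): avc: denied { write } for
-pid=119 comm="systemd-getty-g" name="kmsg" dev="devtmpfs" ino=10032
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-avc: denied { read } for pid=125 comm="systemd-gpt-aut" name="sdb"
-dev="devtmpfs" ino=42
-scontext=system_u:system_r:systemd_generator_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
-tclass=blk_file permissive=0
-
-avc: denied { search } for pid=302 comm="systemd-hostnam"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { search } for pid=302 comm="systemd-hostnam" name="/"
-dev="tmpfs" ino=17310
-scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-avc: denied { search } for pid=233 comm="systemd-rfkill"
-name="journal" dev="tmpfs" ino=14165
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { write } for pid=233 comm="systemd-rfkill" name="kmsg"
-dev="devtmpfs" ino=2060
-scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-avc: denied { search } for pid=354 comm="systemd-backlig"
-name="journal" dev="tmpfs" ino=1183
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
-permissive=0
-
-avc: denied { write } for pid=354 comm="systemd-backlig" name="kmsg"
-dev="devtmpfs" ino=3081
-scontext=system_u:system_r:systemd_backlight_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 tclass=chr_file
-permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/systemd.te | 17 +++++++++++++++++
-1 file changed, 17 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index f0b0e8b92..7b2d359b7 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -326,6 +326,9 @@ files_search_var_lib(systemd_backlight_t)
-
-kernel_read_kernel_sysctls(systemd_backlight_t)
-
-+mls_file_write_to_clearance(systemd_backlight_t)
-+mls_file_read_to_clearance(systemd_backlight_t)
-+
-#######################################
-#
-# Binfmt local policy
-@@ -460,6 +463,9 @@ systemd_log_parse_environment(systemd_generator_t)
-
-term_use_unallocated_ttys(systemd_generator_t)
-
-+mls_file_write_to_clearance(systemd_generator_t)
-+mls_file_read_to_clearance(systemd_generator_t)
-+
-ifdef(`distro_gentoo',`
-corecmd_shell_entry_type(systemd_generator_t)
-')
-@@ -497,6 +503,8 @@ sysnet_manage_config(systemd_hostnamed_t)
-
-systemd_log_parse_environment(systemd_hostnamed_t)
-
-+mls_file_read_to_clearance(systemd_hostnamed_t)
-+
-optional_policy(`
-dbus_connect_system_bus(systemd_hostnamed_t)
-dbus_system_bus_client(systemd_hostnamed_t)
-@@ -818,6 +826,8 @@ modutils_read_module_deps(systemd_modules_load_t)
-
-systemd_log_parse_environment(systemd_modules_load_t)
-
-+mls_file_read_to_clearance(systemd_modules_load_t)
-+
-########################################
-#
-# networkd local policy
-@@ -876,6 +886,8 @@ sysnet_read_config(systemd_networkd_t)
-
-systemd_log_parse_environment(systemd_networkd_t)
-
-+mls_file_read_to_clearance(systemd_networkd_t)
-+
-optional_policy(`
-dbus_system_bus_client(systemd_networkd_t)
-dbus_connect_system_bus(systemd_networkd_t)
-@@ -1159,6 +1171,9 @@ udev_read_runtime_files(systemd_rfkill_t)
-
-systemd_log_parse_environment(systemd_rfkill_t)
-
-+mls_file_write_to_clearance(systemd_rfkill_t)
-+mls_file_read_to_clearance(systemd_rfkill_t)
-+
-#########################################
-#
-# Resolved local policy
-@@ -1202,6 +1217,8 @@ init_dgram_send(systemd_resolved_t)
-
-seutil_read_file_contexts(systemd_resolved_t)
-
-+mls_file_read_to_clearance(systemd_resolved_t)
-+
-systemd_log_parse_environment(systemd_resolved_t)
-systemd_read_networkd_runtime(systemd_resolved_t)
-
---
-2.17.1
-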