From 20b2608718064a92f9255adb459a97d95fdbc22e Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 4 Feb 2021 10:48:54 +0800 Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes Fixes: systemctl[1598]: Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and $XDG_RUNTIME_DIR not defined (consider using --machine=@.host --user to connect to bus of other user) avc: denied { connectto } for pid=293 comm="login" path="/run/systemd/userdb/io.systemd.Multiplexer" scontext=system_u:system_r:local_login_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=0 avc: denied { read } for pid=293 comm="login" name="io.systemd.DropIn" dev="tmpfs" ino=44 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file permissive=0 avc: denied { read } for pid=293 comm="login" name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file permissive=0 avc: denied { connectto } for pid=244 comm="systemd-logind" path="/run/systemd/userdb/io.systemd.Multiplexer" scontext=system_u:system_r:systemd_logind_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=0 avc: denied { read } for pid=244 comm="systemd-logind" name="io.systemd.DropIn" dev="tmpfs" ino=44 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file permissive=0 avc: denied { read } for pid=244 comm="systemd-logind" name="io.systemd.NameServiceSwitch" dev="tmpfs" ino=43 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=lnk_file permissive=0 avc: denied { mknod } for pid=297 comm="systemd" capability=27 scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0 avc: denied { setrlimit } for pid=297 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=process permissive=0 avc: denied { bpf } for pid=297 comm="systemd" capability=39 scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0 avc: denied { sys_admin } for pid=297 comm="systemd" capability=21 scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability permissive=0 avc: denied { perfmon } for pid=297 comm="systemd" capability=38 scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=capability2 permissive=0 avc: denied { watch } for pid=297 comm="systemd" path="/etc" dev="vda" ino=173 scontext=root:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:etc_t tclass=dir permissive=0 avc: denied { getattr } for pid=297 comm="systemd" name="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 avc: denied { read } for pid=297 comm="systemd" name="unix" dev="proc" ino=4026532057 scontext=root:sysadm_r:sysadm_systemd_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0 Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Yi Zhao --- policy/modules/roles/sysadm.te | 2 ++ policy/modules/system/init.if | 1 + policy/modules/system/systemd.if | 27 ++++++++++++++++++++++++++- 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 46d3e2f0b..e1933a5bd 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -92,6 +92,8 @@ ifdef(`init_systemd',` # Allow sysadm to query and set networking settings on the system. systemd_dbus_chat_networkd(sysadm_t) fs_read_nsfs_files(sysadm_t) + + systemd_sysadm_user(sysadm_t) ') tunable_policy(`allow_ptrace',` diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 0171ee299..8ca29f654 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -959,6 +959,7 @@ interface(`init_unix_stream_socket_connectto',` ') allow $1 init_t:unix_stream_socket connectto; + allow $1 initrc_t:unix_stream_socket connectto; ') ######################################## diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 38adf050c..5c44d8d8a 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -57,7 +57,7 @@ template(`systemd_role_template',` allow $1_systemd_t self:process { getsched signal }; allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms; allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms; - allow $1_systemd_t $3:process { setsched rlimitinh signal_perms }; + allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure }; corecmd_shell_domtrans($1_systemd_t, $3) corecmd_bin_domtrans($1_systemd_t, $3) @@ -88,8 +88,11 @@ template(`systemd_role_template',` fs_manage_cgroup_files($1_systemd_t) fs_watch_cgroup_files($1_systemd_t) + files_watch_etc_dirs($1_systemd_t) + fs_getattr_xattr_fs($1_systemd_t) kernel_dontaudit_getattr_proc($1_systemd_t) + kernel_read_network_state($1_systemd_t) selinux_use_status_page($1_systemd_t) @@ -1052,6 +1055,7 @@ interface(`systemd_stream_connect_userdb', ` init_search_runtime($1) allow $1 systemd_userdb_runtime_t:dir list_dir_perms; allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms; + allow $1 systemd_userdb_runtime_t:lnk_file read_lnk_file_perms; init_unix_stream_socket_connectto($1) ') @@ -2003,3 +2007,24 @@ interface(`systemd_use_inherited_machined_ptys', ` allow $1 systemd_machined_t:fd use; allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms; ') + +######################################### +## +## sysadm user for systemd --user +## +## +## +## Role allowed access. +## +## +# +interface(`systemd_sysadm_user',` + gen_require(` + type sysadm_systemd_t; + ') + + allow sysadm_systemd_t self:capability { mknod sys_admin }; + allow sysadm_systemd_t self:capability2 { bpf perfmon }; + allow sysadm_systemd_t self:process setrlimit; + allow $1 sysadm_systemd_t:system reload; +') -- 2.17.1