blob: e7ce3889c50040418492dcf9fe262099b6ee1678 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
From b3ff2e8572cd929c419775e57b547f309ba9d8fb Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Mon, 24 Aug 2020 11:29:09 +0800
Subject: [PATCH] policy/modules/system/modutils: allow mod_t to access
confidentiality of class lockdown
The SELinux lockdown implementation was introduced since kernel 5.6 by
commit 59438b46471ae6cdfb761afc8c9beaf1e428a331. We need to allow mod_t
and udev_t to access confidentiality of class lockdown to mount tracefs.
Fixes:
kernel: Could not create tracefs 'iwlwifi_data/filter' entry
kernel: Could not create tracefs 'enable' entry
kernel: Could not create tracefs 'id' entry
kernel: Could not create tracefs 'filter' entry
kernel: Could not create tracefs 'trigger' entry
kernel: Could not create tracefs 'format' entry
audit[170]: AVC avc: denied { confidentiality } for pid=170
comm="modprobe" lockdown_reason="use of tracefs"
scontext=system_u:system_r:kmod_t:s15:c0.c1023
tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown
permissive=0
audit[190]: AVC avc: denied { confidentiality } for pid=190
comm="systemd-udevd" lockdown_reason="use of tracefs"
scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=lockdown
permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/modutils.te | 2 ++
policy/modules/system/udev.te | 2 ++
2 files changed, 4 insertions(+)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b0a419dc1..5b4f0aca1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -41,6 +41,8 @@ dontaudit kmod_t self:capability sys_admin;
allow kmod_t self:udp_socket create_socket_perms;
allow kmod_t self:rawip_socket create_socket_perms;
+allow kmod_t self:lockdown confidentiality;
+
# Read module config and dependency information
list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index c50ff68c1..4c5a690fb 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -67,6 +67,8 @@ ifdef(`init_systemd',`
# for systemd-udevd to rename interfaces
allow udev_t self:netlink_route_socket nlmsg_write;
+allow udev_t self:lockdown confidentiality;
+
can_exec(udev_t, udev_exec_t)
allow udev_t udev_helper_exec_t:dir list_dir_perms;
--
2.17.1
|
